--- /dev/null
+From c4a6b94485456fd667aafdf5db226c09239e20e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Dec 2023 13:22:39 -0800
+Subject: ACPI: extlog: Clear Extended Error Log status when RAS_CEC handled
+ the error
+
+From: Tony Luck <tony.luck@intel.com>
+
+[ Upstream commit 38c872a9e96f72f2947affc0526cc05659367d3d ]
+
+When both CONFIG_RAS_CEC and CONFIG_ACPI_EXTLOG are enabled, Linux does
+not clear the status word of the BIOS supplied error record for corrected
+errors. This may prevent logging of subsequent uncorrected errors.
+
+Fix by clearing the status.
+
+Fixes: 23ba710a0864 ("x86/mce: Fix all mce notifiers to update the mce->kflags bitmask")
+Reported-by: Erwin Tsaur <erwin.tsaur@intel.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpi_extlog.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/acpi_extlog.c b/drivers/acpi/acpi_extlog.c
+index e648158368a7..088db2356998 100644
+--- a/drivers/acpi/acpi_extlog.c
++++ b/drivers/acpi/acpi_extlog.c
+@@ -145,9 +145,14 @@ static int extlog_print(struct notifier_block *nb, unsigned long val,
+ static u32 err_seq;
+
+ estatus = extlog_elog_entry_check(cpu, bank);
+- if (estatus == NULL || (mce->kflags & MCE_HANDLED_CEC))
++ if (!estatus)
+ return NOTIFY_DONE;
+
++ if (mce->kflags & MCE_HANDLED_CEC) {
++ estatus->block_status = 0;
++ return NOTIFY_DONE;
++ }
++
+ memcpy(elog_buf, (void *)estatus, ELOG_ENTRY_LEN);
+ /* clear record status to enable BIOS to update it again */
+ estatus->block_status = 0;
+--
+2.43.0
+
--- /dev/null
+From 65f72de704e0ef516ab235445c3360183e56a38d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Nov 2023 21:08:59 +0300
+Subject: ACPI: LPIT: Avoid u32 multiplication overflow
+
+From: Nikita Kiryushin <kiryushin@ancud.ru>
+
+[ Upstream commit 56d2eeda87995245300836ee4dbd13b002311782 ]
+
+In lpit_update_residency() there is a possibility of overflow
+in multiplication, if tsc_khz is large enough (> UINT_MAX/1000).
+
+Change multiplication to mul_u32_u32().
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: eeb2d80d502a ("ACPI / LPIT: Add Low Power Idle Table (LPIT) support")
+Signed-off-by: Nikita Kiryushin <kiryushin@ancud.ru>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpi_lpit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/acpi_lpit.c b/drivers/acpi/acpi_lpit.c
+index 48e5059d67ca..7de59730030c 100644
+--- a/drivers/acpi/acpi_lpit.c
++++ b/drivers/acpi/acpi_lpit.c
+@@ -98,7 +98,7 @@ static void lpit_update_residency(struct lpit_residency_info *info,
+ struct acpi_lpit_native *lpit_native)
+ {
+ info->frequency = lpit_native->counter_frequency ?
+- lpit_native->counter_frequency : tsc_khz * 1000;
++ lpit_native->counter_frequency : mul_u32_u32(tsc_khz, 1000U);
+ if (!info->frequency)
+ info->frequency = 1;
+
+--
+2.43.0
+
--- /dev/null
+From da3f377f41a2952123cd9717aac94b64a8d081a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Nov 2023 16:49:25 +0300
+Subject: ACPI: video: check for error while searching for backlight device
+ parent
+
+From: Nikita Kiryushin <kiryushin@ancud.ru>
+
+[ Upstream commit ccd45faf4973746c4f30ea41eec864e5cf191099 ]
+
+If acpi_get_parent() called in acpi_video_dev_register_backlight()
+fails, for example, because acpi_ut_acquire_mutex() fails inside
+acpi_get_parent), this can lead to incorrect (uninitialized)
+acpi_parent handle being passed to acpi_get_pci_dev() for detecting
+the parent pci device.
+
+Check acpi_get_parent() result and set parent device only in case of success.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 9661e92c10a9 ("acpi: tie ACPI backlight devices to PCI devices if possible")
+Signed-off-by: Nikita Kiryushin <kiryushin@ancud.ru>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpi_video.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c
+index cf6c9ffe04a2..9d384656323a 100644
+--- a/drivers/acpi/acpi_video.c
++++ b/drivers/acpi/acpi_video.c
+@@ -1788,12 +1788,12 @@ static void acpi_video_dev_register_backlight(struct acpi_video_device *device)
+ return;
+ count++;
+
+- acpi_get_parent(device->dev->handle, &acpi_parent);
+-
+- pdev = acpi_get_pci_dev(acpi_parent);
+- if (pdev) {
+- parent = &pdev->dev;
+- pci_dev_put(pdev);
++ if (ACPI_SUCCESS(acpi_get_parent(device->dev->handle, &acpi_parent))) {
++ pdev = acpi_get_pci_dev(acpi_parent);
++ if (pdev) {
++ parent = &pdev->dev;
++ pci_dev_put(pdev);
++ }
+ }
+
+ memset(&props, 0, sizeof(struct backlight_properties));
+--
+2.43.0
+
--- /dev/null
+From 6247b8e61f11c8d017a9bedd6c113ce16748510e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jan 2024 12:00:36 +0100
+Subject: ARM: davinci: always select CONFIG_CPU_ARM926T
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 40974ee421b4d1fc74ac733d86899ce1b83d8f65 ]
+
+The select was lost by accident during the multiplatform conversion.
+Any davinci-only
+
+arm-linux-gnueabi-ld: arch/arm/mach-davinci/sleep.o: in function `CACHE_FLUSH':
+(.text+0x168): undefined reference to `arm926_flush_kern_cache_all'
+
+Fixes: f962396ce292 ("ARM: davinci: support multiplatform build for ARM v5")
+Acked-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Link: https://lore.kernel.org/r/20240108110055.1531153-1-arnd@kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-davinci/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/mach-davinci/Kconfig b/arch/arm/mach-davinci/Kconfig
+index de11030748d0..b30221f7dfa4 100644
+--- a/arch/arm/mach-davinci/Kconfig
++++ b/arch/arm/mach-davinci/Kconfig
+@@ -3,6 +3,7 @@
+ menuconfig ARCH_DAVINCI
+ bool "TI DaVinci"
+ depends on ARCH_MULTI_V5
++ select CPU_ARM926T
+ select DAVINCI_TIMER
+ select ZONE_DMA
+ select PM_GENERIC_DOMAINS if PM
+--
+2.43.0
+
--- /dev/null
+From b84a6da7c8d8f89451c678b0569d069158127e86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Sep 2023 14:02:35 +0300
+Subject: ARM: dts: qcom: apq8064: correct XOADC register address
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 554557542e709e190eff8a598f0cde02647d533a ]
+
+The XOADC is present at the address 0x197 rather than just 197. It
+doesn't change a lot (since the driver hardcodes all register
+addresses), but the DT should present correct address anyway.
+
+Fixes: c4b70883ee33 ("ARM: dts: add XOADC and IIO HWMON to APQ8064")
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20230928110309.1212221-3-dmitry.baryshkov@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/qcom-apq8064.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom-apq8064.dtsi
+index fb25ede1ce9f..3f1002c34446 100644
+--- a/arch/arm/boot/dts/qcom-apq8064.dtsi
++++ b/arch/arm/boot/dts/qcom-apq8064.dtsi
+@@ -760,7 +760,7 @@ pwrkey@1c {
+
+ xoadc: xoadc@197 {
+ compatible = "qcom,pm8921-adc";
+- reg = <197>;
++ reg = <0x197>;
+ interrupts-extended = <&pmicintc 78 IRQ_TYPE_EDGE_RISING>;
+ #address-cells = <2>;
+ #size-cells = <0>;
+--
+2.43.0
+
--- /dev/null
+From c69be50a21688bca90f1f6792100e789789550f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Nov 2023 10:46:23 +0100
+Subject: arm64: dts: qcom: qrb5165-rb5: correct LED panic indicator
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit dc6b5562acbac0285ab3b2dad23930b6434bdfc6 ]
+
+There is no "panic-indicator" default trigger but a property with that
+name:
+
+ qrb5165-rb5.dtb: leds: led-user4: Unevaluated properties are not allowed ('linux,default-trigger' was unexpected)
+
+Fixes: b5cbd84e499a ("arm64: dts: qcom: qrb5165-rb5: Add onboard LED support")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Link: https://lore.kernel.org/r/20231111094623.12476-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/qrb5165-rb5.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/qrb5165-rb5.dts b/arch/arm64/boot/dts/qcom/qrb5165-rb5.dts
+index 949fee6949e6..5516d2067c82 100644
+--- a/arch/arm64/boot/dts/qcom/qrb5165-rb5.dts
++++ b/arch/arm64/boot/dts/qcom/qrb5165-rb5.dts
+@@ -38,8 +38,8 @@ leds {
+ user4 {
+ label = "green:user4";
+ gpios = <&pm8150_gpios 10 GPIO_ACTIVE_HIGH>;
+- linux,default-trigger = "panic-indicator";
+ default-state = "off";
++ panic-indicator;
+ };
+
+ wlan {
+--
+2.43.0
+
--- /dev/null
+From 8dc09c68ec930562daff71e635efdd4f2592fe0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Nov 2023 10:56:16 +0100
+Subject: arm64: dts: qcom: sdm845-db845c: correct LED panic indicator
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 0c90c75e663246203a2b7f6dd9e08a110f4c3c43 ]
+
+There is no "panic-indicator" default trigger but a property with that
+name:
+
+ sdm845-db845c.dtb: leds: led-0: Unevaluated properties are not allowed ('linux,default-trigger' was unexpected)
+
+Fixes: 3f72e2d3e682 ("arm64: dts: qcom: Add Dragonboard 845c")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Link: https://lore.kernel.org/r/20231111095617.16496-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sdm845-db845c.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sdm845-db845c.dts b/arch/arm64/boot/dts/qcom/sdm845-db845c.dts
+index 1e889ca932e4..31f4f0575094 100644
+--- a/arch/arm64/boot/dts/qcom/sdm845-db845c.dts
++++ b/arch/arm64/boot/dts/qcom/sdm845-db845c.dts
+@@ -55,8 +55,8 @@ leds {
+ user4 {
+ label = "green:user4";
+ gpios = <&pm8998_gpio 13 GPIO_ACTIVE_HIGH>;
+- linux,default-trigger = "panic-indicator";
+ default-state = "off";
++ panic-indicator;
+ };
+
+ wlan {
+--
+2.43.0
+
--- /dev/null
+From 41f90ed367a5fe6760dd01ad54c371eb75b3182e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Nov 2023 11:57:48 +0200
+Subject: arm64: dts: ti: k3-am65-main: Fix DSS irq trigger type
+
+From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+
+[ Upstream commit b57160859263c083c49482b0d083a586b1517f78 ]
+
+DSS irq trigger type is set to IRQ_TYPE_EDGE_RISING in the DT file, but
+the TRM says it is level triggered.
+
+For some reason triggering on rising edge results in double the amount
+of expected interrupts, e.g. for normal page flipping test the number of
+interrupts per second is 2 * fps. It is as if the IRQ triggers on both
+edges. There are no other side effects to this issue than slightly
+increased CPU & power consumption due to the extra interrupt.
+
+Switching to IRQ_TYPE_LEVEL_HIGH is correct and fixes the issue, so
+let's do that.
+
+Fixes: fc539b90eda2 ("arm64: dts: ti: am654: Add DSS node")
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Reviewed-by: Aradhya Bhatia <a-bhatia1@ti.com>
+Link: https://lore.kernel.org/r/20231106-am65-dss-clk-edge-v1-1-4a959fec0e1e@ideasonboard.com
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-am65-main.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-am65-main.dtsi b/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
+index 4265f627ca16..a3538279d710 100644
+--- a/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
++++ b/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
+@@ -865,7 +865,7 @@ dss: dss@4a00000 {
+ assigned-clocks = <&k3_clks 67 2>;
+ assigned-clock-parents = <&k3_clks 67 5>;
+
+- interrupts = <GIC_SPI 166 IRQ_TYPE_EDGE_RISING>;
++ interrupts = <GIC_SPI 166 IRQ_TYPE_LEVEL_HIGH>;
+
+ status = "disabled";
+
+--
+2.43.0
+
--- /dev/null
+From ba4aafc894a311d3664837525650e68bf3e35118 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Dec 2023 14:20:31 +0100
+Subject: ASoC: cs35l33: Fix GPIO name and drop legacy include
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit 50678d339d670a92658e5538ebee30447c88ccb3 ]
+
+This driver includes the legacy GPIO APIs <linux/gpio.h> and
+<linux/of_gpio.h> but does not use any symbols from any of
+them.
+
+Drop the includes.
+
+Further the driver is requesting "reset-gpios" rather than
+just "reset" from the GPIO framework. This is wrong because
+the gpiolib core will add "-gpios" before processing the
+request from e.g. device tree. Drop the suffix.
+
+The last problem means that the optional RESET GPIO has
+never been properly retrieved and used even if it existed,
+but nobody noticed.
+
+Fixes: 3333cb7187b9 ("ASoC: cs35l33: Initial commit of the cs35l33 CODEC driver.")
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20231201-descriptors-sound-cirrus-v2-2-ee9f9d4655eb@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs35l33.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/sound/soc/codecs/cs35l33.c b/sound/soc/codecs/cs35l33.c
+index 8894369e329a..87b299d24bd8 100644
+--- a/sound/soc/codecs/cs35l33.c
++++ b/sound/soc/codecs/cs35l33.c
+@@ -22,13 +22,11 @@
+ #include <sound/soc-dapm.h>
+ #include <sound/initval.h>
+ #include <sound/tlv.h>
+-#include <linux/gpio.h>
+ #include <linux/gpio/consumer.h>
+ #include <sound/cs35l33.h>
+ #include <linux/pm_runtime.h>
+ #include <linux/regulator/consumer.h>
+ #include <linux/regulator/machine.h>
+-#include <linux/of_gpio.h>
+ #include <linux/of.h>
+ #include <linux/of_device.h>
+ #include <linux/of_irq.h>
+@@ -1168,7 +1166,7 @@ static int cs35l33_i2c_probe(struct i2c_client *i2c_client,
+
+ /* We could issue !RST or skip it based on AMP topology */
+ cs35l33->reset_gpio = devm_gpiod_get_optional(&i2c_client->dev,
+- "reset-gpios", GPIOD_OUT_HIGH);
++ "reset", GPIOD_OUT_HIGH);
+ if (IS_ERR(cs35l33->reset_gpio)) {
+ dev_err(&i2c_client->dev, "%s ERROR: Can't get reset GPIO\n",
+ __func__);
+--
+2.43.0
+
--- /dev/null
+From 8cd76dcdc52776f4a676dbed00d461a0dd46ecd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Dec 2023 14:20:32 +0100
+Subject: ASoC: cs35l34: Fix GPIO name and drop legacy include
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit a6122b0b4211d132934ef99e7b737910e6d54d2f ]
+
+This driver includes the legacy GPIO APIs <linux/gpio.h> and
+<linux/of_gpio.h> but does not use any symbols from any of
+them.
+
+Drop the includes.
+
+Further the driver is requesting "reset-gpios" rather than
+just "reset" from the GPIO framework. This is wrong because
+the gpiolib core will add "-gpios" before processing the
+request from e.g. device tree. Drop the suffix.
+
+The last problem means that the optional RESET GPIO has
+never been properly retrieved and used even if it existed,
+but nobody noticed.
+
+Fixes: c1124c09e103 ("ASoC: cs35l34: Initial commit of the cs35l34 CODEC driver.")
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20231201-descriptors-sound-cirrus-v2-3-ee9f9d4655eb@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs35l34.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/sound/soc/codecs/cs35l34.c b/sound/soc/codecs/cs35l34.c
+index b792c006e530..d9f975b52b21 100644
+--- a/sound/soc/codecs/cs35l34.c
++++ b/sound/soc/codecs/cs35l34.c
+@@ -20,14 +20,12 @@
+ #include <linux/regulator/machine.h>
+ #include <linux/pm_runtime.h>
+ #include <linux/of_device.h>
+-#include <linux/of_gpio.h>
+ #include <linux/of_irq.h>
+ #include <sound/core.h>
+ #include <sound/pcm.h>
+ #include <sound/pcm_params.h>
+ #include <sound/soc.h>
+ #include <sound/soc-dapm.h>
+-#include <linux/gpio.h>
+ #include <linux/gpio/consumer.h>
+ #include <sound/initval.h>
+ #include <sound/tlv.h>
+@@ -1058,7 +1056,7 @@ static int cs35l34_i2c_probe(struct i2c_client *i2c_client,
+ dev_err(&i2c_client->dev, "Failed to request IRQ: %d\n", ret);
+
+ cs35l34->reset_gpio = devm_gpiod_get_optional(&i2c_client->dev,
+- "reset-gpios", GPIOD_OUT_LOW);
++ "reset", GPIOD_OUT_LOW);
+ if (IS_ERR(cs35l34->reset_gpio))
+ return PTR_ERR(cs35l34->reset_gpio);
+
+--
+2.43.0
+
--- /dev/null
+From 214bd3a37ee7b3a1327721de743a3a5d7c4470b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Dec 2023 10:05:01 -0500
+Subject: blocklayoutdriver: Fix reference leak of pnfs_device_node
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+[ Upstream commit 1530827b90025cdf80c9b0d07a166d045a0a7b81 ]
+
+The error path for blocklayout's device lookup is missing a reference drop
+for the case where a lookup finds the device, but the device is marked with
+NFS_DEVICEID_UNAVAILABLE.
+
+Fixes: b3dce6a2f060 ("pnfs/blocklayout: handle transient devices")
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/blocklayout/blocklayout.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/nfs/blocklayout/blocklayout.c b/fs/nfs/blocklayout/blocklayout.c
+index 08108b6d2fa1..73000aa2d220 100644
+--- a/fs/nfs/blocklayout/blocklayout.c
++++ b/fs/nfs/blocklayout/blocklayout.c
+@@ -604,6 +604,8 @@ bl_find_get_deviceid(struct nfs_server *server,
+ nfs4_delete_deviceid(node->ld, node->nfs_client, id);
+ goto retry;
+ }
++
++ nfs4_put_deviceid_node(node);
+ return ERR_PTR(-ENODEV);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 8da22e1df7f0c9d32c7e25dfca61c4d768841eb2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Dec 2023 17:40:19 +0100
+Subject: Bluetooth: btmtkuart: fix recv_buf() return value
+
+From: Francesco Dolcini <francesco.dolcini@toradex.com>
+
+[ Upstream commit 64057f051f20c2a2184b9db7f8037d928d68a4f4 ]
+
+Serdev recv_buf() callback is supposed to return the amount of bytes
+consumed, therefore an int in between 0 and count.
+
+Do not return negative number in case of issue, just print an error and
+return count. This fixes a WARN in ttyport_receive_buf().
+
+Link: https://lore.kernel.org/all/087be419-ec6b-47ad-851a-5e1e3ea5cfcc@kernel.org/
+Fixes: 7237c4c9ec92 ("Bluetooth: mediatek: Add protocol support for MediaTek serial devices")
+Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btmtkuart.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/bluetooth/btmtkuart.c b/drivers/bluetooth/btmtkuart.c
+index 719d4685a2dd..1a908827b1f2 100644
+--- a/drivers/bluetooth/btmtkuart.c
++++ b/drivers/bluetooth/btmtkuart.c
+@@ -471,7 +471,7 @@ mtk_stp_split(struct btmtkuart_dev *bdev, const unsigned char *data, int count,
+ return data;
+ }
+
+-static int btmtkuart_recv(struct hci_dev *hdev, const u8 *data, size_t count)
++static void btmtkuart_recv(struct hci_dev *hdev, const u8 *data, size_t count)
+ {
+ struct btmtkuart_dev *bdev = hci_get_drvdata(hdev);
+ const unsigned char *p_left = data, *p_h4;
+@@ -510,25 +510,20 @@ static int btmtkuart_recv(struct hci_dev *hdev, const u8 *data, size_t count)
+ bt_dev_err(bdev->hdev,
+ "Frame reassembly failed (%d)", err);
+ bdev->rx_skb = NULL;
+- return err;
++ return;
+ }
+
+ sz_left -= sz_h4;
+ p_left += sz_h4;
+ }
+-
+- return 0;
+ }
+
+ static int btmtkuart_receive_buf(struct serdev_device *serdev, const u8 *data,
+ size_t count)
+ {
+ struct btmtkuart_dev *bdev = serdev_device_get_drvdata(serdev);
+- int err;
+
+- err = btmtkuart_recv(bdev->hdev, data, count);
+- if (err < 0)
+- return err;
++ btmtkuart_recv(bdev->hdev, data, count);
+
+ bdev->hdev->stat.byte_rx += count;
+
+--
+2.43.0
+
--- /dev/null
+From e4ecc3ceabe0502924a70cfce65d83c51437bd5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Nov 2023 14:58:03 +0100
+Subject: Bluetooth: Fix bogus check for re-auth no supported with non-ssp
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit d03376c185926098cb4d668d6458801eb785c0a5 ]
+
+This reverts 19f8def031bfa50c579149b200bfeeb919727b27
+"Bluetooth: Fix auth_complete_evt for legacy units" which seems to be
+working around a bug on a broken controller rather then any limitation
+imposed by the Bluetooth spec, in fact if there ws not possible to
+re-auth the command shall fail not succeed.
+
+Fixes: 19f8def031bf ("Bluetooth: Fix auth_complete_evt for legacy units")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci_core.h | 1 -
+ net/bluetooth/hci_conn.c | 8 +++-----
+ net/bluetooth/hci_event.c | 11 ++---------
+ 3 files changed, 5 insertions(+), 15 deletions(-)
+
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index a168a64696b6..33873266b2bc 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -819,7 +819,6 @@ void hci_inquiry_cache_flush(struct hci_dev *hdev);
+ /* ----- HCI Connections ----- */
+ enum {
+ HCI_CONN_AUTH_PEND,
+- HCI_CONN_REAUTH_PEND,
+ HCI_CONN_ENCRYPT_PEND,
+ HCI_CONN_RSWITCH_PEND,
+ HCI_CONN_MODE_CHANGE_PEND,
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 74721c3e49b3..52e512f41da3 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1385,12 +1385,10 @@ static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
+ hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
+ sizeof(cp), &cp);
+
+- /* If we're already encrypted set the REAUTH_PEND flag,
+- * otherwise set the ENCRYPT_PEND.
++ /* Set the ENCRYPT_PEND to trigger encryption after
++ * authentication.
+ */
+- if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
+- set_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
+- else
++ if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
+ set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
+ }
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index ee2c1a17366a..4027c79786fd 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -2924,14 +2924,8 @@ static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
+
+ if (!ev->status) {
+ clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
+-
+- if (!hci_conn_ssp_enabled(conn) &&
+- test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
+- bt_dev_info(hdev, "re-auth of legacy device is not possible.");
+- } else {
+- set_bit(HCI_CONN_AUTH, &conn->flags);
+- conn->sec_level = conn->pending_sec_level;
+- }
++ set_bit(HCI_CONN_AUTH, &conn->flags);
++ conn->sec_level = conn->pending_sec_level;
+ } else {
+ if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
+ set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
+@@ -2940,7 +2934,6 @@ static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
+ }
+
+ clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
+- clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
+
+ if (conn->state == BT_CONFIG) {
+ if (!ev->status && hci_conn_ssp_enabled(conn)) {
+--
+2.43.0
+
--- /dev/null
+From 5bd104386354ee4678843f41b961b36e3dcc6264 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Nov 2023 03:23:34 -0800
+Subject: bpf: Add crosstask check to __bpf_get_stack
+
+From: Jordan Rome <jordalgo@meta.com>
+
+[ Upstream commit b8e3a87a627b575896e448021e5c2f8a3bc19931 ]
+
+Currently get_perf_callchain only supports user stack walking for
+the current task. Passing the correct *crosstask* param will return
+0 frames if the task passed to __bpf_get_stack isn't the current
+one instead of a single incorrect frame/address. This change
+passes the correct *crosstask* param but also does a preemptive
+check in __bpf_get_stack if the task is current and returns
+-EOPNOTSUPP if it is not.
+
+This issue was found using bpf_get_task_stack inside a BPF
+iterator ("iter/task"), which iterates over all tasks.
+bpf_get_task_stack works fine for fetching kernel stacks
+but because get_perf_callchain relies on the caller to know
+if the requested *task* is the current one (via *crosstask*)
+it was failing in a confusing way.
+
+It might be possible to get user stacks for all tasks utilizing
+something like access_process_vm but that requires the bpf
+program calling bpf_get_task_stack to be sleepable and would
+therefore be a breaking change.
+
+Fixes: fa28dcb82a38 ("bpf: Introduce helper bpf_get_task_stack()")
+Signed-off-by: Jordan Rome <jordalgo@meta.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20231108112334.3433136-1-jordalgo@meta.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/bpf.h | 3 +++
+ kernel/bpf/stackmap.c | 11 ++++++++++-
+ tools/include/uapi/linux/bpf.h | 3 +++
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
+index 36ddfb98b70e..29cc0eb2e488 100644
+--- a/include/uapi/linux/bpf.h
++++ b/include/uapi/linux/bpf.h
+@@ -3424,6 +3424,8 @@ union bpf_attr {
+ * long bpf_get_task_stack(struct task_struct *task, void *buf, u32 size, u64 flags)
+ * Description
+ * Return a user or a kernel stack in bpf program provided buffer.
++ * Note: the user stack will only be populated if the *task* is
++ * the current task; all other tasks will return -EOPNOTSUPP.
+ * To achieve this, the helper needs *task*, which is a valid
+ * pointer to **struct task_struct**. To store the stacktrace, the
+ * bpf program provides *buf* with a nonnegative *size*.
+@@ -3435,6 +3437,7 @@ union bpf_attr {
+ *
+ * **BPF_F_USER_STACK**
+ * Collect a user space stack instead of a kernel stack.
++ * The *task* must be the current task.
+ * **BPF_F_USER_BUILD_ID**
+ * Collect buildid+offset instead of ips for user stack,
+ * only valid if **BPF_F_USER_STACK** is also specified.
+diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
+index 0c5bf98d5576..b8afea2ceeeb 100644
+--- a/kernel/bpf/stackmap.c
++++ b/kernel/bpf/stackmap.c
+@@ -575,6 +575,7 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
+ {
+ u32 trace_nr, copy_len, elem_size, num_elem, max_depth;
+ bool user_build_id = flags & BPF_F_USER_BUILD_ID;
++ bool crosstask = task && task != current;
+ u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
+ bool user = flags & BPF_F_USER_STACK;
+ struct perf_callchain_entry *trace;
+@@ -597,6 +598,14 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
+ if (task && user && !user_mode(regs))
+ goto err_fault;
+
++ /* get_perf_callchain does not support crosstask user stack walking
++ * but returns an empty stack instead of NULL.
++ */
++ if (crosstask && user) {
++ err = -EOPNOTSUPP;
++ goto clear;
++ }
++
+ num_elem = size / elem_size;
+ max_depth = num_elem + skip;
+ if (sysctl_perf_event_max_stack < max_depth)
+@@ -608,7 +617,7 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
+ trace = get_callchain_entry_for_task(task, max_depth);
+ else
+ trace = get_perf_callchain(regs, 0, kernel, user, max_depth,
+- false, false);
++ crosstask, false);
+ if (unlikely(!trace))
+ goto err_fault;
+
+diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
+index fd1a4d843e6f..63ea5bc6f1c4 100644
+--- a/tools/include/uapi/linux/bpf.h
++++ b/tools/include/uapi/linux/bpf.h
+@@ -3424,6 +3424,8 @@ union bpf_attr {
+ * long bpf_get_task_stack(struct task_struct *task, void *buf, u32 size, u64 flags)
+ * Description
+ * Return a user or a kernel stack in bpf program provided buffer.
++ * Note: the user stack will only be populated if the *task* is
++ * the current task; all other tasks will return -EOPNOTSUPP.
+ * To achieve this, the helper needs *task*, which is a valid
+ * pointer to **struct task_struct**. To store the stacktrace, the
+ * bpf program provides *buf* with a nonnegative *size*.
+@@ -3435,6 +3437,7 @@ union bpf_attr {
+ *
+ * **BPF_F_USER_STACK**
+ * Collect a user space stack instead of a kernel stack.
++ * The *task* must be the current task.
+ * **BPF_F_USER_BUILD_ID**
+ * Collect buildid+offset instead of ips for user stack,
+ * only valid if **BPF_F_USER_STACK** is also specified.
+--
+2.43.0
+
--- /dev/null
+From ef3a7bfc613a490b82e7bb619e9e14a5be765e46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Dec 2023 10:42:41 -0800
+Subject: bpf: fix check for attempt to corrupt spilled pointer
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit ab125ed3ec1c10ccc36bc98c7a4256ad114a3dae ]
+
+When register is spilled onto a stack as a 1/2/4-byte register, we set
+slot_type[BPF_REG_SIZE - 1] (plus potentially few more below it,
+depending on actual spill size). So to check if some stack slot has
+spilled register we need to consult slot_type[7], not slot_type[0].
+
+To avoid the need to remember and double-check this in the future, just
+use is_spilled_reg() helper.
+
+Fixes: 27113c59b6d0 ("bpf: Check the other end of slot_type for STACK_SPILL")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/r/20231205184248.1502704-4-andrii@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 45c50ee9b037..ddfd33703f4d 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2493,7 +2493,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
+ * so it's aligned access and [off, off + size) are within stack limits
+ */
+ if (!env->allow_ptr_leaks &&
+- state->stack[spi].slot_type[0] == STACK_SPILL &&
++ is_spilled_reg(&state->stack[spi]) &&
+ size != BPF_REG_SIZE) {
+ verbose(env, "attempt to corrupt spilled pointer on stack\n");
+ return -EACCES;
+--
+2.43.0
+
--- /dev/null
+From ae32a5893bad021acb819bbd161420332d5c0c7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Dec 2023 23:11:48 -0500
+Subject: bpf: Fix verification of indirect var-off stack access
+
+From: Andrei Matei <andreimatei1@gmail.com>
+
+[ Upstream commit a833a17aeac73b33f79433d7cee68d5cafd71e4f ]
+
+This patch fixes a bug around the verification of possibly-zero-sized
+stack accesses. When the access was done through a var-offset stack
+pointer, check_stack_access_within_bounds was incorrectly computing the
+maximum-offset of a zero-sized read to be the same as the register's min
+offset. Instead, we have to take in account the register's maximum
+possible value. The patch also simplifies how the max offset is checked;
+the check is now simpler than for min offset.
+
+The bug was allowing accesses to erroneously pass the
+check_stack_access_within_bounds() checks, only to later crash in
+check_stack_range_initialized() when all the possibly-affected stack
+slots are iterated (this time with a correct max offset).
+check_stack_range_initialized() is relying on
+check_stack_access_within_bounds() for its accesses to the
+stack-tracking vector to be within bounds; in the case of zero-sized
+accesses, we were essentially only verifying that the lowest possible
+slot was within bounds. We would crash when the max-offset of the stack
+pointer was >= 0 (which shouldn't pass verification, and hopefully is
+not something anyone's code attempts to do in practice).
+
+Thanks Hao for reporting!
+
+Fixes: 01f810ace9ed3 ("bpf: Allow variable-offset stack access")
+Reported-by: Hao Sun <sunhao.th@gmail.com>
+Signed-off-by: Andrei Matei <andreimatei1@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Eduard Zingerman <eddyz87@gmail.com>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20231207041150.229139-2-andreimatei1@gmail.com
+
+Closes: https://lore.kernel.org/bpf/CACkBjsZGEUaRCHsmaX=h-efVogsRfK1FPxmkgb0Os_frnHiNdw@mail.gmail.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 14 ++++----------
+ 1 file changed, 4 insertions(+), 10 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index ddfd33703f4d..fce2345f600f 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -3926,10 +3926,7 @@ static int check_stack_access_within_bounds(
+
+ if (tnum_is_const(reg->var_off)) {
+ min_off = reg->var_off.value + off;
+- if (access_size > 0)
+- max_off = min_off + access_size - 1;
+- else
+- max_off = min_off;
++ max_off = min_off + access_size;
+ } else {
+ if (reg->smax_value >= BPF_MAX_VAR_OFF ||
+ reg->smin_value <= -BPF_MAX_VAR_OFF) {
+@@ -3938,15 +3935,12 @@ static int check_stack_access_within_bounds(
+ return -EACCES;
+ }
+ min_off = reg->smin_value + off;
+- if (access_size > 0)
+- max_off = reg->smax_value + off + access_size - 1;
+- else
+- max_off = min_off;
++ max_off = reg->smax_value + off + access_size;
+ }
+
+ err = check_stack_slot_within_bounds(min_off, state, type);
+- if (!err)
+- err = check_stack_slot_within_bounds(max_off, state, type);
++ if (!err && max_off > 0)
++ err = -EINVAL; /* out of stack access into non-negative offsets */
+
+ if (err) {
+ if (tnum_is_const(reg->var_off)) {
+--
+2.43.0
+
--- /dev/null
+From 3ab3de8b089ba3f213fa8914b3e2b5c86af516b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Nov 2023 09:58:01 +0100
+Subject: bpf, lpm: Fix check prefixlen before walking trie
+
+From: Florian Lehner <dev@der-flo.net>
+
+[ Upstream commit 9b75dbeb36fcd9fc7ed51d370310d0518a387769 ]
+
+When looking up an element in LPM trie, the condition 'matchlen ==
+trie->max_prefixlen' will never return true, if key->prefixlen is larger
+than trie->max_prefixlen. Consequently all elements in the LPM trie will
+be visited and no element is returned in the end.
+
+To resolve this, check key->prefixlen first before walking the LPM trie.
+
+Fixes: b95a5c4db09b ("bpf: add a longest prefix match trie map implementation")
+Signed-off-by: Florian Lehner <dev@der-flo.net>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20231105085801.3742-1-dev@der-flo.net
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/lpm_trie.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/bpf/lpm_trie.c b/kernel/bpf/lpm_trie.c
+index 00e32f2ec3e6..3c2d8722d45b 100644
+--- a/kernel/bpf/lpm_trie.c
++++ b/kernel/bpf/lpm_trie.c
+@@ -230,6 +230,9 @@ static void *trie_lookup_elem(struct bpf_map *map, void *_key)
+ struct lpm_trie_node *node, *found = NULL;
+ struct bpf_lpm_trie_key *key = _key;
+
++ if (key->prefixlen > trie->max_prefixlen)
++ return NULL;
++
+ /* Start walking the trie from the root node ... */
+
+ for (node = rcu_dereference(trie->root); node;) {
+--
+2.43.0
+
--- /dev/null
+From 877f66047a4ec4a257854abcd3541440e77ecf47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Nov 2023 09:25:54 +0000
+Subject: calipso: fix memory leak in netlbl_calipso_add_pass()
+
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+
+[ Upstream commit ec4e9d630a64df500641892f4e259e8149594a99 ]
+
+If IPv6 support is disabled at boot (ipv6.disable=1),
+the calipso_init() -> netlbl_calipso_ops_register() function isn't called,
+and the netlbl_calipso_ops_get() function always returns NULL.
+In this case, the netlbl_calipso_add_pass() function allocates memory
+for the doi_def variable but doesn't free it with the calipso_doi_free().
+
+BUG: memory leak
+unreferenced object 0xffff888011d68180 (size 64):
+ comm "syz-executor.1", pid 10746, jiffies 4295410986 (age 17.928s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<...>] kmalloc include/linux/slab.h:552 [inline]
+ [<...>] netlbl_calipso_add_pass net/netlabel/netlabel_calipso.c:76 [inline]
+ [<...>] netlbl_calipso_add+0x22e/0x4f0 net/netlabel/netlabel_calipso.c:111
+ [<...>] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739
+ [<...>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
+ [<...>] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800
+ [<...>] netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2515
+ [<...>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:811
+ [<...>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
+ [<...>] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1339
+ [<...>] netlink_sendmsg+0x90a/0xdf0 net/netlink/af_netlink.c:1934
+ [<...>] sock_sendmsg_nosec net/socket.c:651 [inline]
+ [<...>] sock_sendmsg+0x157/0x190 net/socket.c:671
+ [<...>] ____sys_sendmsg+0x712/0x870 net/socket.c:2342
+ [<...>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2396
+ [<...>] __sys_sendmsg+0xea/0x1b0 net/socket.c:2429
+ [<...>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46
+ [<...>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with Syzkaller
+
+Fixes: cb72d38211ea ("netlabel: Initial support for the CALIPSO netlink protocol.")
+Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+[PM: merged via the LSM tree at Jakub Kicinski request]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlabel/netlabel_calipso.c | 49 +++++++++++++++++----------------
+ 1 file changed, 26 insertions(+), 23 deletions(-)
+
+diff --git a/net/netlabel/netlabel_calipso.c b/net/netlabel/netlabel_calipso.c
+index 91a19c3ea1a3..84ef4a29864b 100644
+--- a/net/netlabel/netlabel_calipso.c
++++ b/net/netlabel/netlabel_calipso.c
+@@ -54,6 +54,28 @@ static const struct nla_policy calipso_genl_policy[NLBL_CALIPSO_A_MAX + 1] = {
+ [NLBL_CALIPSO_A_MTYPE] = { .type = NLA_U32 },
+ };
+
++static const struct netlbl_calipso_ops *calipso_ops;
++
++/**
++ * netlbl_calipso_ops_register - Register the CALIPSO operations
++ * @ops: ops to register
++ *
++ * Description:
++ * Register the CALIPSO packet engine operations.
++ *
++ */
++const struct netlbl_calipso_ops *
++netlbl_calipso_ops_register(const struct netlbl_calipso_ops *ops)
++{
++ return xchg(&calipso_ops, ops);
++}
++EXPORT_SYMBOL(netlbl_calipso_ops_register);
++
++static const struct netlbl_calipso_ops *netlbl_calipso_ops_get(void)
++{
++ return READ_ONCE(calipso_ops);
++}
++
+ /* NetLabel Command Handlers
+ */
+ /**
+@@ -96,15 +118,18 @@ static int netlbl_calipso_add_pass(struct genl_info *info,
+ *
+ */
+ static int netlbl_calipso_add(struct sk_buff *skb, struct genl_info *info)
+-
+ {
+ int ret_val = -EINVAL;
+ struct netlbl_audit audit_info;
++ const struct netlbl_calipso_ops *ops = netlbl_calipso_ops_get();
+
+ if (!info->attrs[NLBL_CALIPSO_A_DOI] ||
+ !info->attrs[NLBL_CALIPSO_A_MTYPE])
+ return -EINVAL;
+
++ if (!ops)
++ return -EOPNOTSUPP;
++
+ netlbl_netlink_auditinfo(&audit_info);
+ switch (nla_get_u32(info->attrs[NLBL_CALIPSO_A_MTYPE])) {
+ case CALIPSO_MAP_PASS:
+@@ -362,28 +387,6 @@ int __init netlbl_calipso_genl_init(void)
+ return genl_register_family(&netlbl_calipso_gnl_family);
+ }
+
+-static const struct netlbl_calipso_ops *calipso_ops;
+-
+-/**
+- * netlbl_calipso_ops_register - Register the CALIPSO operations
+- * @ops: ops to register
+- *
+- * Description:
+- * Register the CALIPSO packet engine operations.
+- *
+- */
+-const struct netlbl_calipso_ops *
+-netlbl_calipso_ops_register(const struct netlbl_calipso_ops *ops)
+-{
+- return xchg(&calipso_ops, ops);
+-}
+-EXPORT_SYMBOL(netlbl_calipso_ops_register);
+-
+-static const struct netlbl_calipso_ops *netlbl_calipso_ops_get(void)
+-{
+- return READ_ONCE(calipso_ops);
+-}
+-
+ /**
+ * calipso_doi_add - Add a new DOI to the CALIPSO protocol engine
+ * @doi_def: the DOI structure
+--
+2.43.0
+
--- /dev/null
+From 6cd9edd71abde2b142e8016afe59973a6743b7f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 09:17:39 +0300
+Subject: clk: fixed-rate: add devm_clk_hw_register_fixed_rate
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 1d7d20658534c7d36fe6f4252f6f1a27d9631a99 ]
+
+Add devm_clk_hw_register_fixed_rate(), devres-managed helper to register
+fixed-rate clock.
+
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20220916061740.87167-3-dmitry.baryshkov@linaro.org
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Stable-dep-of: ee0cf5e07f44 ("clk: fixed-rate: fix clk_hw_register_fixed_rate_with_accuracy_parent_hw")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk-fixed-rate.c | 28 ++++++++++++++++++++++++----
+ include/linux/clk-provider.h | 29 +++++++++++++++++++++--------
+ 2 files changed, 45 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/clk/clk-fixed-rate.c b/drivers/clk/clk-fixed-rate.c
+index 45501637705c..62e994d18fe2 100644
+--- a/drivers/clk/clk-fixed-rate.c
++++ b/drivers/clk/clk-fixed-rate.c
+@@ -49,12 +49,24 @@ const struct clk_ops clk_fixed_rate_ops = {
+ };
+ EXPORT_SYMBOL_GPL(clk_fixed_rate_ops);
+
++static void devm_clk_hw_register_fixed_rate_release(struct device *dev, void *res)
++{
++ struct clk_fixed_rate *fix = res;
++
++ /*
++ * We can not use clk_hw_unregister_fixed_rate, since it will kfree()
++ * the hw, resulting in double free. Just unregister the hw and let
++ * devres code kfree() it.
++ */
++ clk_hw_unregister(&fix->hw);
++}
++
+ struct clk_hw *__clk_hw_register_fixed_rate(struct device *dev,
+ struct device_node *np, const char *name,
+ const char *parent_name, const struct clk_hw *parent_hw,
+ const struct clk_parent_data *parent_data, unsigned long flags,
+ unsigned long fixed_rate, unsigned long fixed_accuracy,
+- unsigned long clk_fixed_flags)
++ unsigned long clk_fixed_flags, bool devm)
+ {
+ struct clk_fixed_rate *fixed;
+ struct clk_hw *hw;
+@@ -62,7 +74,11 @@ struct clk_hw *__clk_hw_register_fixed_rate(struct device *dev,
+ int ret = -EINVAL;
+
+ /* allocate fixed-rate clock */
+- fixed = kzalloc(sizeof(*fixed), GFP_KERNEL);
++ if (devm)
++ fixed = devres_alloc(devm_clk_hw_register_fixed_rate_release,
++ sizeof(*fixed), GFP_KERNEL);
++ else
++ fixed = kzalloc(sizeof(*fixed), GFP_KERNEL);
+ if (!fixed)
+ return ERR_PTR(-ENOMEM);
+
+@@ -90,9 +106,13 @@ struct clk_hw *__clk_hw_register_fixed_rate(struct device *dev,
+ else if (np)
+ ret = of_clk_hw_register(np, hw);
+ if (ret) {
+- kfree(fixed);
++ if (devm)
++ devres_free(fixed);
++ else
++ kfree(fixed);
+ hw = ERR_PTR(ret);
+- }
++ } else if (devm)
++ devres_add(dev, fixed);
+
+ return hw;
+ }
+diff --git a/include/linux/clk-provider.h b/include/linux/clk-provider.h
+index aa8cbf882914..76f02b214f39 100644
+--- a/include/linux/clk-provider.h
++++ b/include/linux/clk-provider.h
+@@ -350,7 +350,7 @@ struct clk_hw *__clk_hw_register_fixed_rate(struct device *dev,
+ const char *parent_name, const struct clk_hw *parent_hw,
+ const struct clk_parent_data *parent_data, unsigned long flags,
+ unsigned long fixed_rate, unsigned long fixed_accuracy,
+- unsigned long clk_fixed_flags);
++ unsigned long clk_fixed_flags, bool devm);
+ struct clk *clk_register_fixed_rate(struct device *dev, const char *name,
+ const char *parent_name, unsigned long flags,
+ unsigned long fixed_rate);
+@@ -365,7 +365,20 @@ struct clk *clk_register_fixed_rate(struct device *dev, const char *name,
+ */
+ #define clk_hw_register_fixed_rate(dev, name, parent_name, flags, fixed_rate) \
+ __clk_hw_register_fixed_rate((dev), NULL, (name), (parent_name), NULL, \
+- NULL, (flags), (fixed_rate), 0, 0)
++ NULL, (flags), (fixed_rate), 0, 0, false)
++
++/**
++ * devm_clk_hw_register_fixed_rate - register fixed-rate clock with the clock
++ * framework
++ * @dev: device that is registering this clock
++ * @name: name of this clock
++ * @parent_name: name of clock's parent
++ * @flags: framework-specific flags
++ * @fixed_rate: non-adjustable clock rate
++ */
++#define devm_clk_hw_register_fixed_rate(dev, name, parent_name, flags, fixed_rate) \
++ __clk_hw_register_fixed_rate((dev), NULL, (name), (parent_name), NULL, \
++ NULL, (flags), (fixed_rate), 0, 0, true)
+ /**
+ * clk_hw_register_fixed_rate_parent_hw - register fixed-rate clock with
+ * the clock framework
+@@ -378,7 +391,7 @@ struct clk *clk_register_fixed_rate(struct device *dev, const char *name,
+ #define clk_hw_register_fixed_rate_parent_hw(dev, name, parent_hw, flags, \
+ fixed_rate) \
+ __clk_hw_register_fixed_rate((dev), NULL, (name), NULL, (parent_hw), \
+- NULL, (flags), (fixed_rate), 0, 0)
++ NULL, (flags), (fixed_rate), 0, 0, false)
+ /**
+ * clk_hw_register_fixed_rate_parent_data - register fixed-rate clock with
+ * the clock framework
+@@ -392,7 +405,7 @@ struct clk *clk_register_fixed_rate(struct device *dev, const char *name,
+ fixed_rate) \
+ __clk_hw_register_fixed_rate((dev), NULL, (name), NULL, NULL, \
+ (parent_data), (flags), (fixed_rate), 0, \
+- 0)
++ 0, false)
+ /**
+ * clk_hw_register_fixed_rate_with_accuracy - register fixed-rate clock with
+ * the clock framework
+@@ -408,7 +421,7 @@ struct clk *clk_register_fixed_rate(struct device *dev, const char *name,
+ fixed_accuracy) \
+ __clk_hw_register_fixed_rate((dev), NULL, (name), (parent_name), \
+ NULL, NULL, (flags), (fixed_rate), \
+- (fixed_accuracy), 0)
++ (fixed_accuracy), 0, false)
+ /**
+ * clk_hw_register_fixed_rate_with_accuracy_parent_hw - register fixed-rate
+ * clock with the clock framework
+@@ -423,7 +436,7 @@ struct clk *clk_register_fixed_rate(struct device *dev, const char *name,
+ parent_hw, flags, fixed_rate, fixed_accuracy) \
+ __clk_hw_register_fixed_rate((dev), NULL, (name), NULL, (parent_hw) \
+ NULL, NULL, (flags), (fixed_rate), \
+- (fixed_accuracy), 0)
++ (fixed_accuracy), 0, false)
+ /**
+ * clk_hw_register_fixed_rate_with_accuracy_parent_data - register fixed-rate
+ * clock with the clock framework
+@@ -438,7 +451,7 @@ struct clk *clk_register_fixed_rate(struct device *dev, const char *name,
+ parent_data, flags, fixed_rate, fixed_accuracy) \
+ __clk_hw_register_fixed_rate((dev), NULL, (name), NULL, NULL, \
+ (parent_data), NULL, (flags), \
+- (fixed_rate), (fixed_accuracy), 0)
++ (fixed_rate), (fixed_accuracy), 0, false)
+ /**
+ * clk_hw_register_fixed_rate_parent_accuracy - register fixed-rate clock with
+ * the clock framework
+@@ -452,7 +465,7 @@ struct clk *clk_register_fixed_rate(struct device *dev, const char *name,
+ flags, fixed_rate) \
+ __clk_hw_register_fixed_rate((dev), NULL, (name), NULL, NULL, \
+ (parent_data), (flags), (fixed_rate), 0, \
+- CLK_FIXED_RATE_PARENT_ACCURACY)
++ CLK_FIXED_RATE_PARENT_ACCURACY, false)
+
+ void clk_unregister_fixed_rate(struct clk *clk);
+ void clk_hw_unregister_fixed_rate(struct clk_hw *hw);
+--
+2.43.0
+
--- /dev/null
+From d7be4fd99bf79671d4cc1be1e2276cb9af0ab0ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Dec 2023 18:14:16 +0100
+Subject: clk: fixed-rate: fix
+ clk_hw_register_fixed_rate_with_accuracy_parent_hw
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Théo Lebrun <theo.lebrun@bootlin.com>
+
+[ Upstream commit ee0cf5e07f44a10fce8f1bfa9db226c0b5ecf880 ]
+
+Add missing comma and remove extraneous NULL argument. The macro is
+currently used by no one which explains why the typo slipped by.
+
+Fixes: 2d34f09e79c9 ("clk: fixed-rate: Add support for specifying parents via DT/pointers")
+Signed-off-by: Théo Lebrun <theo.lebrun@bootlin.com>
+Link: https://lore.kernel.org/r/20231218-mbly-clk-v1-1-44ce54108f06@bootlin.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/clk-provider.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/clk-provider.h b/include/linux/clk-provider.h
+index 76f02b214f39..6fa85be64b89 100644
+--- a/include/linux/clk-provider.h
++++ b/include/linux/clk-provider.h
+@@ -434,8 +434,8 @@ struct clk *clk_register_fixed_rate(struct device *dev, const char *name,
+ */
+ #define clk_hw_register_fixed_rate_with_accuracy_parent_hw(dev, name, \
+ parent_hw, flags, fixed_rate, fixed_accuracy) \
+- __clk_hw_register_fixed_rate((dev), NULL, (name), NULL, (parent_hw) \
+- NULL, NULL, (flags), (fixed_rate), \
++ __clk_hw_register_fixed_rate((dev), NULL, (name), NULL, (parent_hw), \
++ NULL, (flags), (fixed_rate), \
+ (fixed_accuracy), 0, false)
+ /**
+ * clk_hw_register_fixed_rate_with_accuracy_parent_data - register fixed-rate
+--
+2.43.0
+
--- /dev/null
+From 00e0440718c2e234bd3a01e327a2fcb5a8bd2690 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Nov 2023 09:58:14 +0530
+Subject: clk: qcom: gpucc-sm8150: Update the gpu_cc_pll1 config
+
+From: Satya Priya Kakitapalli <quic_skakitap@quicinc.com>
+
+[ Upstream commit 6ebd9a4f8b8d2b35cf965a04849c4ba763722f13 ]
+
+Update the test_ctl_hi_val and test_ctl_hi1_val of gpu_cc_pll1
+as per latest HW recommendation.
+
+Fixes: 0cef71f2ccc8 ("clk: qcom: Add graphics clock controller driver for SM8150")
+Signed-off-by: Satya Priya Kakitapalli <quic_skakitap@quicinc.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Link: https://lore.kernel.org/r/20231122042814.4158076-1-quic_skakitap@quicinc.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/gpucc-sm8150.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/qcom/gpucc-sm8150.c b/drivers/clk/qcom/gpucc-sm8150.c
+index 27c40754b2c7..3d9b296a6e4a 100644
+--- a/drivers/clk/qcom/gpucc-sm8150.c
++++ b/drivers/clk/qcom/gpucc-sm8150.c
+@@ -38,8 +38,8 @@ static struct alpha_pll_config gpu_cc_pll1_config = {
+ .config_ctl_hi_val = 0x00002267,
+ .config_ctl_hi1_val = 0x00000024,
+ .test_ctl_val = 0x00000000,
+- .test_ctl_hi_val = 0x00000002,
+- .test_ctl_hi1_val = 0x00000000,
++ .test_ctl_hi_val = 0x00000000,
++ .test_ctl_hi1_val = 0x00000020,
+ .user_ctl_val = 0x00000000,
+ .user_ctl_hi_val = 0x00000805,
+ .user_ctl_hi1_val = 0x000000d0,
+--
+2.43.0
+
--- /dev/null
+From a5edaf46b3db3d1f9bae15bc6bb666cc8a359b48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Dec 2023 15:20:26 +0530
+Subject: clk: qcom: videocc-sm8150: Add missing PLL config property
+
+From: Satya Priya Kakitapalli <quic_skakitap@quicinc.com>
+
+[ Upstream commit 71f130c9193f613d497f7245365ed05ffdb0a401 ]
+
+When the driver was ported upstream, PLL test_ctl_hi1 register value
+was omitted. Add it to ensure the PLLs are fully configured.
+
+Fixes: 5658e8cf1a8a ("clk: qcom: add video clock controller driver for SM8150")
+Signed-off-by: Satya Priya Kakitapalli <quic_skakitap@quicinc.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Link: https://lore.kernel.org/r/20231201-videocc-8150-v3-3-56bec3a5e443@quicinc.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/videocc-sm8150.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/qcom/videocc-sm8150.c b/drivers/clk/qcom/videocc-sm8150.c
+index 03697a7910fa..61089cde4222 100644
+--- a/drivers/clk/qcom/videocc-sm8150.c
++++ b/drivers/clk/qcom/videocc-sm8150.c
+@@ -37,6 +37,7 @@ static struct alpha_pll_config video_pll0_config = {
+ .config_ctl_val = 0x20485699,
+ .config_ctl_hi_val = 0x00002267,
+ .config_ctl_hi1_val = 0x00000024,
++ .test_ctl_hi1_val = 0x00000020,
+ .user_ctl_val = 0x00000000,
+ .user_ctl_hi_val = 0x00000805,
+ .user_ctl_hi1_val = 0x000000D0,
+--
+2.43.0
+
--- /dev/null
+From 603d621ac2ca0c891128d5b8740fb3853b4d590c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Dec 2023 15:20:25 +0530
+Subject: clk: qcom: videocc-sm8150: Update the videocc resets
+
+From: Satya Priya Kakitapalli <quic_skakitap@quicinc.com>
+
+[ Upstream commit 1fd9a939db24d2f66e48f8bca3e3654add3fa205 ]
+
+Add all the available resets for the video clock controller
+on sm8150.
+
+Fixes: 5658e8cf1a8a ("clk: qcom: add video clock controller driver for SM8150")
+Signed-off-by: Satya Priya Kakitapalli <quic_skakitap@quicinc.com>
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Link: https://lore.kernel.org/r/20231201-videocc-8150-v3-2-56bec3a5e443@quicinc.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/videocc-sm8150.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/clk/qcom/videocc-sm8150.c b/drivers/clk/qcom/videocc-sm8150.c
+index 3087e2ec8fd4..03697a7910fa 100644
+--- a/drivers/clk/qcom/videocc-sm8150.c
++++ b/drivers/clk/qcom/videocc-sm8150.c
+@@ -218,6 +218,10 @@ static const struct regmap_config video_cc_sm8150_regmap_config = {
+
+ static const struct qcom_reset_map video_cc_sm8150_resets[] = {
+ [VIDEO_CC_MVSC_CORE_CLK_BCR] = { 0x850, 2 },
++ [VIDEO_CC_INTERFACE_BCR] = { 0x8f0 },
++ [VIDEO_CC_MVS0_BCR] = { 0x870 },
++ [VIDEO_CC_MVS1_BCR] = { 0x8b0 },
++ [VIDEO_CC_MVSC_BCR] = { 0x810 },
+ };
+
+ static const struct qcom_cc_desc video_cc_sm8150_desc = {
+--
+2.43.0
+
--- /dev/null
+From 92277aeb7d3a5641233d22afc748106e94cf4d88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Nov 2023 11:16:36 +0800
+Subject: clk: si5341: fix an error code problem in si5341_output_clk_set_rate
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit 5607068ae5ab02c3ac9cabc6859d36e98004c341 ]
+
+regmap_bulk_write() return zero or negative error code, return the value
+of regmap_bulk_write() rather than '0'.
+
+Fixes: 3044a860fd09 ("clk: Add Si5341/Si5340 driver")
+Acked-by: Mike Looijmans <mike.looijmans@topic.nl>
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Link: https://lore.kernel.org/r/20231101031633.996124-1-suhui@nfschina.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk-si5341.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/clk/clk-si5341.c b/drivers/clk/clk-si5341.c
+index 4dea29fa901d..d6515661580c 100644
+--- a/drivers/clk/clk-si5341.c
++++ b/drivers/clk/clk-si5341.c
+@@ -888,10 +888,8 @@ static int si5341_output_clk_set_rate(struct clk_hw *hw, unsigned long rate,
+ r[0] = r_div ? (r_div & 0xff) : 1;
+ r[1] = (r_div >> 8) & 0xff;
+ r[2] = (r_div >> 16) & 0xff;
+- err = regmap_bulk_write(output->data->regmap,
++ return regmap_bulk_write(output->data->regmap,
+ SI5341_OUT_R_REG(output), r, 3);
+-
+- return 0;
+ }
+
+ static int si5341_output_reparent(struct clk_si5341_output *output, u8 index)
+--
+2.43.0
+
--- /dev/null
+From ef06938397fce4e95bfca701ccb677e7d55d1604 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 May 2022 11:23:14 +0530
+Subject: clk: zynqmp: Add a check for NULL pointer
+
+From: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+
+[ Upstream commit 6ab9810cfe6c8f3d8b8750c827d7870abd3751b9 ]
+
+Add a NULL pointer check as clk_hw_get_parent can return NULL.
+
+Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+Link: https://lore.kernel.org/r/20220518055314.2486-1-shubhrajyoti.datta@xilinx.com
+Acked-by: Michal Simek <michal.simek@amd.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Stable-dep-of: 1fe15be1fb61 ("drivers: clk: zynqmp: update divider round rate logic")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/zynqmp/divider.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/zynqmp/divider.c b/drivers/clk/zynqmp/divider.c
+index 57bf381f630d..acdd5e48e147 100644
+--- a/drivers/clk/zynqmp/divider.c
++++ b/drivers/clk/zynqmp/divider.c
+@@ -119,10 +119,13 @@ static void zynqmp_get_divider2_val(struct clk_hw *hw,
+ long error = LONG_MAX;
+ unsigned long div1_prate;
+ struct clk_hw *div1_parent_hw;
++ struct zynqmp_clk_divider *pdivider;
+ struct clk_hw *div2_parent_hw = clk_hw_get_parent(hw);
+- struct zynqmp_clk_divider *pdivider =
+- to_zynqmp_clk_divider(div2_parent_hw);
+
++ if (!div2_parent_hw)
++ return;
++
++ pdivider = to_zynqmp_clk_divider(div2_parent_hw);
+ if (!pdivider)
+ return;
+
+--
+2.43.0
+
--- /dev/null
+From 8df4c5785e30ab6c4a7611b284964493f6a860a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Aug 2022 17:01:53 +0530
+Subject: clk: zynqmp: make bestdiv unsigned
+
+From: Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>
+
+[ Upstream commit d3954b51b475c4848179cd90b24ac73684cdc76b ]
+
+Divisor is always positive make it u32 *.
+Also the arguments passed are currently of u32 pointers.
+
+Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>
+Link: https://lore.kernel.org/r/20220818113153.14431-1-shubhrajyoti.datta@amd.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Stable-dep-of: 1fe15be1fb61 ("drivers: clk: zynqmp: update divider round rate logic")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/zynqmp/divider.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/zynqmp/divider.c b/drivers/clk/zynqmp/divider.c
+index 66da02b83d39..57bf381f630d 100644
+--- a/drivers/clk/zynqmp/divider.c
++++ b/drivers/clk/zynqmp/divider.c
+@@ -112,7 +112,7 @@ static unsigned long zynqmp_clk_divider_recalc_rate(struct clk_hw *hw,
+ static void zynqmp_get_divider2_val(struct clk_hw *hw,
+ unsigned long rate,
+ struct zynqmp_clk_divider *divider,
+- int *bestdiv)
++ u32 *bestdiv)
+ {
+ int div1;
+ int div2;
+--
+2.43.0
+
--- /dev/null
+From 41f865aadbe7c65d288123001a1716a46d1aee33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Dec 2023 18:12:20 +0300
+Subject: cpufreq: scmi: process the result of devm_of_clk_add_hw_provider()
+
+From: Alexandra Diupina <adiupina@astralinux.ru>
+
+[ Upstream commit c4a5118a3ae1eadc687d84eef9431f9e13eb015c ]
+
+devm_of_clk_add_hw_provider() may return an errno, so
+add a return value check
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 8410e7f3b31e ("cpufreq: scmi: Fix OPP addition failure with a dummy clock provider")
+Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/scmi-cpufreq.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/cpufreq/scmi-cpufreq.c b/drivers/cpufreq/scmi-cpufreq.c
+index ca95b538c48a..bb1389f276d7 100644
+--- a/drivers/cpufreq/scmi-cpufreq.c
++++ b/drivers/cpufreq/scmi-cpufreq.c
+@@ -238,8 +238,11 @@ static int scmi_cpufreq_probe(struct scmi_device *sdev)
+
+ #ifdef CONFIG_COMMON_CLK
+ /* dummy clock provider as needed by OPP if clocks property is used */
+- if (of_property_present(dev->of_node, "#clock-cells"))
+- devm_of_clk_add_hw_provider(dev, of_clk_hw_simple_get, NULL);
++ if (of_property_present(dev->of_node, "#clock-cells")) {
++ ret = devm_of_clk_add_hw_provider(dev, of_clk_hw_simple_get, NULL);
++ if (ret)
++ return dev_err_probe(dev, ret, "%s: registering clock provider failed\n", __func__);
++ }
+ #endif
+
+ ret = cpufreq_register_driver(&scmi_cpufreq_driver);
+--
+2.43.0
+
--- /dev/null
+From e15e29d71855a222270159f6ce29c3b876b96c80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Mar 2023 08:47:02 -0600
+Subject: cpufreq: Use of_property_present() for testing DT property presence
+
+From: Rob Herring <robh@kernel.org>
+
+[ Upstream commit b8f3a396a7ee43e6079176cc0fb8de2b95a23681 ]
+
+It is preferred to use typed property access functions (i.e.
+of_property_read_<type> functions) rather than low-level
+of_get_property/of_find_property functions for reading properties. As
+part of this, convert of_get_property/of_find_property calls to the
+recently added of_property_present() helper when we just want to test
+for presence of a property and nothing more.
+
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Stable-dep-of: c4a5118a3ae1 ("cpufreq: scmi: process the result of devm_of_clk_add_hw_provider()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cpufreq-dt-platdev.c | 2 +-
+ drivers/cpufreq/imx-cpufreq-dt.c | 2 +-
+ drivers/cpufreq/imx6q-cpufreq.c | 4 ++--
+ drivers/cpufreq/scmi-cpufreq.c | 2 +-
+ drivers/cpufreq/tegra20-cpufreq.c | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/cpufreq/cpufreq-dt-platdev.c b/drivers/cpufreq/cpufreq-dt-platdev.c
+index aea285651fba..e1dcdb0ea1c4 100644
+--- a/drivers/cpufreq/cpufreq-dt-platdev.c
++++ b/drivers/cpufreq/cpufreq-dt-platdev.c
+@@ -163,7 +163,7 @@ static bool __init cpu0_node_has_opp_v2_prop(void)
+ struct device_node *np = of_cpu_device_node_get(0);
+ bool ret = false;
+
+- if (of_get_property(np, "operating-points-v2", NULL))
++ if (of_property_present(np, "operating-points-v2"))
+ ret = true;
+
+ of_node_put(np);
+diff --git a/drivers/cpufreq/imx-cpufreq-dt.c b/drivers/cpufreq/imx-cpufreq-dt.c
+index 3fe9125156b4..0942498b348c 100644
+--- a/drivers/cpufreq/imx-cpufreq-dt.c
++++ b/drivers/cpufreq/imx-cpufreq-dt.c
+@@ -89,7 +89,7 @@ static int imx_cpufreq_dt_probe(struct platform_device *pdev)
+
+ cpu_dev = get_cpu_device(0);
+
+- if (!of_find_property(cpu_dev->of_node, "cpu-supply", NULL))
++ if (!of_property_present(cpu_dev->of_node, "cpu-supply"))
+ return -ENODEV;
+
+ if (of_machine_is_compatible("fsl,imx7ulp")) {
+diff --git a/drivers/cpufreq/imx6q-cpufreq.c b/drivers/cpufreq/imx6q-cpufreq.c
+index 00f7ad746668..49cbc43f1fa9 100644
+--- a/drivers/cpufreq/imx6q-cpufreq.c
++++ b/drivers/cpufreq/imx6q-cpufreq.c
+@@ -230,7 +230,7 @@ static int imx6q_opp_check_speed_grading(struct device *dev)
+ u32 val;
+ int ret;
+
+- if (of_find_property(dev->of_node, "nvmem-cells", NULL)) {
++ if (of_property_present(dev->of_node, "nvmem-cells")) {
+ ret = nvmem_cell_read_u32(dev, "speed_grade", &val);
+ if (ret)
+ return ret;
+@@ -285,7 +285,7 @@ static int imx6ul_opp_check_speed_grading(struct device *dev)
+ u32 val;
+ int ret = 0;
+
+- if (of_find_property(dev->of_node, "nvmem-cells", NULL)) {
++ if (of_property_present(dev->of_node, "nvmem-cells")) {
+ ret = nvmem_cell_read_u32(dev, "speed_grade", &val);
+ if (ret)
+ return ret;
+diff --git a/drivers/cpufreq/scmi-cpufreq.c b/drivers/cpufreq/scmi-cpufreq.c
+index 8286205c7165..ca95b538c48a 100644
+--- a/drivers/cpufreq/scmi-cpufreq.c
++++ b/drivers/cpufreq/scmi-cpufreq.c
+@@ -238,7 +238,7 @@ static int scmi_cpufreq_probe(struct scmi_device *sdev)
+
+ #ifdef CONFIG_COMMON_CLK
+ /* dummy clock provider as needed by OPP if clocks property is used */
+- if (of_find_property(dev->of_node, "#clock-cells", NULL))
++ if (of_property_present(dev->of_node, "#clock-cells"))
+ devm_of_clk_add_hw_provider(dev, of_clk_hw_simple_get, NULL);
+ #endif
+
+diff --git a/drivers/cpufreq/tegra20-cpufreq.c b/drivers/cpufreq/tegra20-cpufreq.c
+index 8c893043953e..111d4ff6fe86 100644
+--- a/drivers/cpufreq/tegra20-cpufreq.c
++++ b/drivers/cpufreq/tegra20-cpufreq.c
+@@ -25,7 +25,7 @@ static bool cpu0_node_has_opp_v2_prop(void)
+ struct device_node *np = of_cpu_device_node_get(0);
+ bool ret = false;
+
+- if (of_get_property(np, "operating-points-v2", NULL))
++ if (of_property_present(np, "operating-points-v2"))
+ ret = true;
+
+ of_node_put(np);
+--
+2.43.0
+
--- /dev/null
+From f5bc5eee94428864967586c64cd077093b18c885 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Nov 2023 16:25:49 +0800
+Subject: crypto: af_alg - Disallow multiple in-flight AIO requests
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 67b164a871af1d736f131fd6fe78a610909f06f3 ]
+
+Having multiple in-flight AIO requests results in unpredictable
+output because they all share the same IV. Fix this by only allowing
+one request at a time.
+
+Fixes: 83094e5e9e49 ("crypto: af_alg - add async support to algif_aead")
+Fixes: a596999b7ddf ("crypto: algif - change algif_skcipher to be asynchronous")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/af_alg.c | 14 +++++++++++++-
+ include/crypto/if_alg.h | 3 +++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/af_alg.c b/crypto/af_alg.c
+index 9acb9d2c4bcf..755e6caf18d2 100644
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -1039,9 +1039,13 @@ EXPORT_SYMBOL_GPL(af_alg_sendpage);
+ void af_alg_free_resources(struct af_alg_async_req *areq)
+ {
+ struct sock *sk = areq->sk;
++ struct af_alg_ctx *ctx;
+
+ af_alg_free_areq_sgls(areq);
+ sock_kfree_s(sk, areq, areq->areqlen);
++
++ ctx = alg_sk(sk)->private;
++ ctx->inflight = false;
+ }
+ EXPORT_SYMBOL_GPL(af_alg_free_resources);
+
+@@ -1105,11 +1109,19 @@ EXPORT_SYMBOL_GPL(af_alg_poll);
+ struct af_alg_async_req *af_alg_alloc_areq(struct sock *sk,
+ unsigned int areqlen)
+ {
+- struct af_alg_async_req *areq = sock_kmalloc(sk, areqlen, GFP_KERNEL);
++ struct af_alg_ctx *ctx = alg_sk(sk)->private;
++ struct af_alg_async_req *areq;
++
++ /* Only one AIO request can be in flight. */
++ if (ctx->inflight)
++ return ERR_PTR(-EBUSY);
+
++ areq = sock_kmalloc(sk, areqlen, GFP_KERNEL);
+ if (unlikely(!areq))
+ return ERR_PTR(-ENOMEM);
+
++ ctx->inflight = true;
++
+ areq->areqlen = areqlen;
+ areq->sk = sk;
+ areq->last_rsgl = NULL;
+diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h
+index a5db86670bdf..a406e281ae57 100644
+--- a/include/crypto/if_alg.h
++++ b/include/crypto/if_alg.h
+@@ -138,6 +138,7 @@ struct af_alg_async_req {
+ * recvmsg is invoked.
+ * @init: True if metadata has been sent.
+ * @len: Length of memory allocated for this data structure.
++ * @inflight: Non-zero when AIO requests are in flight.
+ */
+ struct af_alg_ctx {
+ struct list_head tsgl_list;
+@@ -156,6 +157,8 @@ struct af_alg_ctx {
+ bool init;
+
+ unsigned int len;
++
++ unsigned int inflight;
+ };
+
+ int af_alg_register_type(const struct af_alg_type *type);
+--
+2.43.0
+
--- /dev/null
+From da03bbe88691bd0bef81ef8f7fe8c69b906af966 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Nov 2023 11:47:10 +0800
+Subject: crypto: ccp - fix memleak in ccp_init_dm_workarea
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit a1c95dd5bc1d6a5d7a75a376c2107421b7d6240d ]
+
+When dma_map_single() fails, wa->address is supposed to be freed
+by the callers of ccp_init_dm_workarea() through ccp_dm_free().
+However, many of the call spots don't expect to have to call
+ccp_dm_free() on failure of ccp_init_dm_workarea(), which may
+lead to a memleak. Let's free wa->address in ccp_init_dm_workarea()
+when dma_map_single() fails.
+
+Fixes: 63b945091a07 ("crypto: ccp - CCP device driver and interface support")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ccp/ccp-ops.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
+index c15625e8ff66..7e2fbba945cd 100644
+--- a/drivers/crypto/ccp/ccp-ops.c
++++ b/drivers/crypto/ccp/ccp-ops.c
+@@ -179,8 +179,11 @@ static int ccp_init_dm_workarea(struct ccp_dm_workarea *wa,
+
+ wa->dma.address = dma_map_single(wa->dev, wa->address, len,
+ dir);
+- if (dma_mapping_error(wa->dev, wa->dma.address))
++ if (dma_mapping_error(wa->dev, wa->dma.address)) {
++ kfree(wa->address);
++ wa->address = NULL;
+ return -ENOMEM;
++ }
+
+ wa->dma.length = len;
+ }
+--
+2.43.0
+
--- /dev/null
+From b59602b87bfe67394e9d25c5f7fb7d9bbf457b6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Nov 2023 02:03:01 +0000
+Subject: crypto: sa2ul - Return crypto_aead_setkey to transfer the error
+
+From: Chen Ni <nichen@iscas.ac.cn>
+
+[ Upstream commit ce852f1308ac738e61c5b2502517deea593a1554 ]
+
+Return crypto_aead_setkey() in order to transfer the error if
+it fails.
+
+Fixes: d2c8ac187fc9 ("crypto: sa2ul - Add AEAD algorithm support")
+Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/sa2ul.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/sa2ul.c b/drivers/crypto/sa2ul.c
+index f15fc1fb3707..0888f4489a76 100644
+--- a/drivers/crypto/sa2ul.c
++++ b/drivers/crypto/sa2ul.c
+@@ -1848,9 +1848,8 @@ static int sa_aead_setkey(struct crypto_aead *authenc,
+ crypto_aead_set_flags(ctx->fallback.aead,
+ crypto_aead_get_flags(authenc) &
+ CRYPTO_TFM_REQ_MASK);
+- crypto_aead_setkey(ctx->fallback.aead, key, keylen);
+
+- return 0;
++ return crypto_aead_setkey(ctx->fallback.aead, key, keylen);
+ }
+
+ static int sa_aead_setauthsize(struct crypto_aead *tfm, unsigned int authsize)
+--
+2.43.0
+
--- /dev/null
+From 15afc3f37ed234fd86912823cd2dd603a2353907 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Dec 2023 19:06:25 +0200
+Subject: crypto: sahara - avoid skcipher fallback code duplication
+
+From: Ovidiu Panait <ovidiu.panait@windriver.com>
+
+[ Upstream commit 01d70a4bbff20ea05cadb4c208841985a7cc6596 ]
+
+Factor out duplicated skcipher fallback handling code to a helper function
+sahara_aes_fallback(). Also, keep a single check if fallback is required in
+sahara_aes_crypt().
+
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Stable-dep-of: d1d6351e37aa ("crypto: sahara - handle zero-length aes requests")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/sahara.c | 85 ++++++++++++-----------------------------
+ 1 file changed, 25 insertions(+), 60 deletions(-)
+
+diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c
+index 3cd872d282b4..b584dd086989 100644
+--- a/drivers/crypto/sahara.c
++++ b/drivers/crypto/sahara.c
+@@ -648,12 +648,37 @@ static int sahara_aes_setkey(struct crypto_skcipher *tfm, const u8 *key,
+ return crypto_skcipher_setkey(ctx->fallback, key, keylen);
+ }
+
++static int sahara_aes_fallback(struct skcipher_request *req, unsigned long mode)
++{
++ struct sahara_aes_reqctx *rctx = skcipher_request_ctx(req);
++ struct sahara_ctx *ctx = crypto_skcipher_ctx(
++ crypto_skcipher_reqtfm(req));
++
++ skcipher_request_set_tfm(&rctx->fallback_req, ctx->fallback);
++ skcipher_request_set_callback(&rctx->fallback_req,
++ req->base.flags,
++ req->base.complete,
++ req->base.data);
++ skcipher_request_set_crypt(&rctx->fallback_req, req->src,
++ req->dst, req->cryptlen, req->iv);
++
++ if (mode & FLAGS_ENCRYPT)
++ return crypto_skcipher_encrypt(&rctx->fallback_req);
++
++ return crypto_skcipher_decrypt(&rctx->fallback_req);
++}
++
+ static int sahara_aes_crypt(struct skcipher_request *req, unsigned long mode)
+ {
+ struct sahara_aes_reqctx *rctx = skcipher_request_ctx(req);
++ struct sahara_ctx *ctx = crypto_skcipher_ctx(
++ crypto_skcipher_reqtfm(req));
+ struct sahara_dev *dev = dev_ptr;
+ int err = 0;
+
++ if (unlikely(ctx->keylen != AES_KEYSIZE_128))
++ return sahara_aes_fallback(req, mode);
++
+ dev_dbg(dev->device, "nbytes: %d, enc: %d, cbc: %d\n",
+ req->cryptlen, !!(mode & FLAGS_ENCRYPT), !!(mode & FLAGS_CBC));
+
+@@ -676,81 +701,21 @@ static int sahara_aes_crypt(struct skcipher_request *req, unsigned long mode)
+
+ static int sahara_aes_ecb_encrypt(struct skcipher_request *req)
+ {
+- struct sahara_aes_reqctx *rctx = skcipher_request_ctx(req);
+- struct sahara_ctx *ctx = crypto_skcipher_ctx(
+- crypto_skcipher_reqtfm(req));
+-
+- if (unlikely(ctx->keylen != AES_KEYSIZE_128)) {
+- skcipher_request_set_tfm(&rctx->fallback_req, ctx->fallback);
+- skcipher_request_set_callback(&rctx->fallback_req,
+- req->base.flags,
+- req->base.complete,
+- req->base.data);
+- skcipher_request_set_crypt(&rctx->fallback_req, req->src,
+- req->dst, req->cryptlen, req->iv);
+- return crypto_skcipher_encrypt(&rctx->fallback_req);
+- }
+-
+ return sahara_aes_crypt(req, FLAGS_ENCRYPT);
+ }
+
+ static int sahara_aes_ecb_decrypt(struct skcipher_request *req)
+ {
+- struct sahara_aes_reqctx *rctx = skcipher_request_ctx(req);
+- struct sahara_ctx *ctx = crypto_skcipher_ctx(
+- crypto_skcipher_reqtfm(req));
+-
+- if (unlikely(ctx->keylen != AES_KEYSIZE_128)) {
+- skcipher_request_set_tfm(&rctx->fallback_req, ctx->fallback);
+- skcipher_request_set_callback(&rctx->fallback_req,
+- req->base.flags,
+- req->base.complete,
+- req->base.data);
+- skcipher_request_set_crypt(&rctx->fallback_req, req->src,
+- req->dst, req->cryptlen, req->iv);
+- return crypto_skcipher_decrypt(&rctx->fallback_req);
+- }
+-
+ return sahara_aes_crypt(req, 0);
+ }
+
+ static int sahara_aes_cbc_encrypt(struct skcipher_request *req)
+ {
+- struct sahara_aes_reqctx *rctx = skcipher_request_ctx(req);
+- struct sahara_ctx *ctx = crypto_skcipher_ctx(
+- crypto_skcipher_reqtfm(req));
+-
+- if (unlikely(ctx->keylen != AES_KEYSIZE_128)) {
+- skcipher_request_set_tfm(&rctx->fallback_req, ctx->fallback);
+- skcipher_request_set_callback(&rctx->fallback_req,
+- req->base.flags,
+- req->base.complete,
+- req->base.data);
+- skcipher_request_set_crypt(&rctx->fallback_req, req->src,
+- req->dst, req->cryptlen, req->iv);
+- return crypto_skcipher_encrypt(&rctx->fallback_req);
+- }
+-
+ return sahara_aes_crypt(req, FLAGS_ENCRYPT | FLAGS_CBC);
+ }
+
+ static int sahara_aes_cbc_decrypt(struct skcipher_request *req)
+ {
+- struct sahara_aes_reqctx *rctx = skcipher_request_ctx(req);
+- struct sahara_ctx *ctx = crypto_skcipher_ctx(
+- crypto_skcipher_reqtfm(req));
+-
+- if (unlikely(ctx->keylen != AES_KEYSIZE_128)) {
+- skcipher_request_set_tfm(&rctx->fallback_req, ctx->fallback);
+- skcipher_request_set_callback(&rctx->fallback_req,
+- req->base.flags,
+- req->base.complete,
+- req->base.data);
+- skcipher_request_set_crypt(&rctx->fallback_req, req->src,
+- req->dst, req->cryptlen, req->iv);
+- return crypto_skcipher_decrypt(&rctx->fallback_req);
+- }
+-
+ return sahara_aes_crypt(req, FLAGS_CBC);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 2712dbd4b62851c562af8b3372e837bd38d223ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Dec 2023 10:21:36 +0200
+Subject: crypto: sahara - do not resize req->src when doing hash operations
+
+From: Ovidiu Panait <ovidiu.panait@windriver.com>
+
+[ Upstream commit a3c6f4f4d249cecaf2f34471aadbfb4f4ef57298 ]
+
+When testing sahara sha256 speed performance with tcrypt (mode=404) on
+imx53-qsrb board, multiple "Invalid numbers of src SG." errors are
+reported. This was traced to sahara_walk_and_recalc() resizing req->src
+and causing the subsequent dma_map_sg() call to fail.
+
+Now that the previous commit fixed sahara_sha_hw_links_create() to take
+into account the actual request size, rather than relying on sg->length
+values, the resize operation is no longer necessary.
+
+Therefore, remove sahara_walk_and_recalc() and simplify associated logic.
+
+Fixes: 5a2bb93f5992 ("crypto: sahara - add support for SHA1/256")
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/sahara.c | 38 ++------------------------------------
+ 1 file changed, 2 insertions(+), 36 deletions(-)
+
+diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c
+index cdf16e2a81d1..c2a3a10c3484 100644
+--- a/drivers/crypto/sahara.c
++++ b/drivers/crypto/sahara.c
+@@ -886,24 +886,6 @@ static int sahara_sha_hw_context_descriptor_create(struct sahara_dev *dev,
+ return 0;
+ }
+
+-static int sahara_walk_and_recalc(struct scatterlist *sg, unsigned int nbytes)
+-{
+- if (!sg || !sg->length)
+- return nbytes;
+-
+- while (nbytes && sg) {
+- if (nbytes <= sg->length) {
+- sg->length = nbytes;
+- sg_mark_end(sg);
+- break;
+- }
+- nbytes -= sg->length;
+- sg = sg_next(sg);
+- }
+-
+- return nbytes;
+-}
+-
+ static int sahara_sha_prepare_request(struct ahash_request *req)
+ {
+ struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
+@@ -940,36 +922,20 @@ static int sahara_sha_prepare_request(struct ahash_request *req)
+ hash_later, 0);
+ }
+
+- /* nbytes should now be multiple of blocksize */
+- req->nbytes = req->nbytes - hash_later;
+-
+- sahara_walk_and_recalc(req->src, req->nbytes);
+-
++ rctx->total = len - hash_later;
+ /* have data from previous operation and current */
+ if (rctx->buf_cnt && req->nbytes) {
+ sg_init_table(rctx->in_sg_chain, 2);
+ sg_set_buf(rctx->in_sg_chain, rctx->rembuf, rctx->buf_cnt);
+-
+ sg_chain(rctx->in_sg_chain, 2, req->src);
+-
+- rctx->total = req->nbytes + rctx->buf_cnt;
+ rctx->in_sg = rctx->in_sg_chain;
+-
+- req->src = rctx->in_sg_chain;
+ /* only data from previous operation */
+ } else if (rctx->buf_cnt) {
+- if (req->src)
+- rctx->in_sg = req->src;
+- else
+- rctx->in_sg = rctx->in_sg_chain;
+- /* buf was copied into rembuf above */
++ rctx->in_sg = rctx->in_sg_chain;
+ sg_init_one(rctx->in_sg, rctx->rembuf, rctx->buf_cnt);
+- rctx->total = rctx->buf_cnt;
+ /* no data from previous operation */
+ } else {
+ rctx->in_sg = req->src;
+- rctx->total = req->nbytes;
+- req->src = rctx->in_sg;
+ }
+
+ /* on next call, we only have the remaining data in the buffer */
+--
+2.43.0
+
--- /dev/null
+From c6d2a251fff12636e0cb147f6fc54f3ef57d2991 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Dec 2023 10:21:32 +0200
+Subject: crypto: sahara - fix ahash reqsize
+
+From: Ovidiu Panait <ovidiu.panait@windriver.com>
+
+[ Upstream commit efcb50f41740ac55e6ccc4986c1a7740e21c62b4 ]
+
+Set the reqsize for sha algorithms to sizeof(struct sahara_sha_reqctx), the
+extra space is not needed.
+
+Fixes: 5a2bb93f5992 ("crypto: sahara - add support for SHA1/256")
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/sahara.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c
+index d6510e169c8e..a97b1dadf6a4 100644
+--- a/drivers/crypto/sahara.c
++++ b/drivers/crypto/sahara.c
+@@ -1162,8 +1162,7 @@ static int sahara_sha_import(struct ahash_request *req, const void *in)
+ static int sahara_sha_cra_init(struct crypto_tfm *tfm)
+ {
+ crypto_ahash_set_reqsize(__crypto_ahash_cast(tfm),
+- sizeof(struct sahara_sha_reqctx) +
+- SHA_BUFFER_LEN + SHA256_BLOCK_SIZE);
++ sizeof(struct sahara_sha_reqctx));
+
+ return 0;
+ }
+--
+2.43.0
+
--- /dev/null
+From f0845d17cc8abccdf3745a606ec98328215f63e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Dec 2023 19:06:21 +0200
+Subject: crypto: sahara - fix ahash selftest failure
+
+From: Ovidiu Panait <ovidiu.panait@windriver.com>
+
+[ Upstream commit afffcf3db98b9495114b79d5381f8cc3f69476fb ]
+
+update() calls should not modify the result buffer, so add an additional
+check for "rctx->last" to make sure that only the final hash value is
+copied into the buffer.
+
+Fixes the following selftest failure:
+alg: ahash: sahara-sha256 update() used result buffer on test vector 3,
+cfg="init+update+final aligned buffer"
+
+Fixes: 5a2bb93f5992 ("crypto: sahara - add support for SHA1/256")
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/sahara.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c
+index 0b6e63a763ca..2ef177680b2f 100644
+--- a/drivers/crypto/sahara.c
++++ b/drivers/crypto/sahara.c
+@@ -1047,7 +1047,7 @@ static int sahara_sha_process(struct ahash_request *req)
+
+ memcpy(rctx->context, dev->context_base, rctx->context_size);
+
+- if (req->result)
++ if (req->result && rctx->last)
+ memcpy(req->result, rctx->context, rctx->digest_size);
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From f526c44e5a2f1e0ff9b7ced3cb0d4fd30cf2aaa8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Dec 2023 19:06:20 +0200
+Subject: crypto: sahara - fix cbc selftest failure
+
+From: Ovidiu Panait <ovidiu.panait@windriver.com>
+
+[ Upstream commit 9f10bc28c0fb676ae58aa3bfa358db8f5de124bb ]
+
+The kernel crypto API requires that all CBC implementations update the IV
+buffer to contain the last ciphertext block.
+
+This fixes the following cbc selftest error:
+alg: skcipher: sahara-cbc-aes encryption test failed (wrong output IV) on
+test vector 0, cfg="in-place (one sglist)"
+
+Fixes: 5de8875281e1 ("crypto: sahara - Add driver for SAHARA2 accelerator.")
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/sahara.c | 33 +++++++++++++++++++++++++++++++--
+ 1 file changed, 31 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c
+index 0ae95767bb76..0b6e63a763ca 100644
+--- a/drivers/crypto/sahara.c
++++ b/drivers/crypto/sahara.c
+@@ -148,6 +148,7 @@ struct sahara_ctx {
+
+ struct sahara_aes_reqctx {
+ unsigned long mode;
++ u8 iv_out[AES_BLOCK_SIZE];
+ struct skcipher_request fallback_req; // keep at the end
+ };
+
+@@ -541,8 +542,24 @@ static int sahara_hw_descriptor_create(struct sahara_dev *dev)
+ return -EINVAL;
+ }
+
++static void sahara_aes_cbc_update_iv(struct skcipher_request *req)
++{
++ struct crypto_skcipher *skcipher = crypto_skcipher_reqtfm(req);
++ struct sahara_aes_reqctx *rctx = skcipher_request_ctx(req);
++ unsigned int ivsize = crypto_skcipher_ivsize(skcipher);
++
++ /* Update IV buffer to contain the last ciphertext block */
++ if (rctx->mode & FLAGS_ENCRYPT) {
++ sg_pcopy_to_buffer(req->dst, sg_nents(req->dst), req->iv,
++ ivsize, req->cryptlen - ivsize);
++ } else {
++ memcpy(req->iv, rctx->iv_out, ivsize);
++ }
++}
++
+ static int sahara_aes_process(struct skcipher_request *req)
+ {
++ struct crypto_skcipher *skcipher = crypto_skcipher_reqtfm(req);
+ struct sahara_dev *dev = dev_ptr;
+ struct sahara_ctx *ctx;
+ struct sahara_aes_reqctx *rctx;
+@@ -564,8 +581,17 @@ static int sahara_aes_process(struct skcipher_request *req)
+ rctx->mode &= FLAGS_MODE_MASK;
+ dev->flags = (dev->flags & ~FLAGS_MODE_MASK) | rctx->mode;
+
+- if ((dev->flags & FLAGS_CBC) && req->iv)
+- memcpy(dev->iv_base, req->iv, AES_KEYSIZE_128);
++ if ((dev->flags & FLAGS_CBC) && req->iv) {
++ unsigned int ivsize = crypto_skcipher_ivsize(skcipher);
++
++ memcpy(dev->iv_base, req->iv, ivsize);
++
++ if (!(dev->flags & FLAGS_ENCRYPT)) {
++ sg_pcopy_to_buffer(req->src, sg_nents(req->src),
++ rctx->iv_out, ivsize,
++ req->cryptlen - ivsize);
++ }
++ }
+
+ /* assign new context to device */
+ dev->ctx = ctx;
+@@ -588,6 +614,9 @@ static int sahara_aes_process(struct skcipher_request *req)
+ dma_unmap_sg(dev->device, dev->in_sg, dev->nb_in_sg,
+ DMA_TO_DEVICE);
+
++ if ((dev->flags & FLAGS_CBC) && req->iv)
++ sahara_aes_cbc_update_iv(req);
++
+ return 0;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From a2d98fa64b56c30d4d46a031f4f69569652670ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Dec 2023 19:06:23 +0200
+Subject: crypto: sahara - fix error handling in sahara_hw_descriptor_create()
+
+From: Ovidiu Panait <ovidiu.panait@windriver.com>
+
+[ Upstream commit ee6e6f0a7f5b39d50a5ef5fcc006f4f693db18a7 ]
+
+Do not call dma_unmap_sg() for scatterlists that were not mapped
+successfully.
+
+Fixes: 5de8875281e1 ("crypto: sahara - Add driver for SAHARA2 accelerator.")
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/sahara.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c
+index 855c232d66a2..3cd872d282b4 100644
+--- a/drivers/crypto/sahara.c
++++ b/drivers/crypto/sahara.c
+@@ -483,13 +483,14 @@ static int sahara_hw_descriptor_create(struct sahara_dev *dev)
+ DMA_TO_DEVICE);
+ if (ret != dev->nb_in_sg) {
+ dev_err(dev->device, "couldn't map in sg\n");
+- goto unmap_in;
++ return -EINVAL;
+ }
++
+ ret = dma_map_sg(dev->device, dev->out_sg, dev->nb_out_sg,
+ DMA_FROM_DEVICE);
+ if (ret != dev->nb_out_sg) {
+ dev_err(dev->device, "couldn't map out sg\n");
+- goto unmap_out;
++ goto unmap_in;
+ }
+
+ /* Create input links */
+@@ -537,9 +538,6 @@ static int sahara_hw_descriptor_create(struct sahara_dev *dev)
+
+ return 0;
+
+-unmap_out:
+- dma_unmap_sg(dev->device, dev->out_sg, dev->nb_out_sg,
+- DMA_FROM_DEVICE);
+ unmap_in:
+ dma_unmap_sg(dev->device, dev->in_sg, dev->nb_in_sg,
+ DMA_TO_DEVICE);
+--
+2.43.0
+
--- /dev/null
+From eed0e984ca4bbfe641cf10abb4badfc2aaabdd33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Dec 2023 10:21:35 +0200
+Subject: crypto: sahara - fix processing hash requests with req->nbytes <
+ sg->length
+
+From: Ovidiu Panait <ovidiu.panait@windriver.com>
+
+[ Upstream commit 7bafa74d1ba35dcc173e1ce915e983d65905f77e ]
+
+It's not always the case that the entire sg entry needs to be processed.
+Currently, when nbytes is less than sg->length, "Descriptor length" errors
+are encountered.
+
+To fix this, take the actual request size into account when populating the
+hw links.
+
+Fixes: 5a2bb93f5992 ("crypto: sahara - add support for SHA1/256")
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/sahara.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c
+index 0ac793f03e28..cdf16e2a81d1 100644
+--- a/drivers/crypto/sahara.c
++++ b/drivers/crypto/sahara.c
+@@ -776,6 +776,7 @@ static int sahara_sha_hw_links_create(struct sahara_dev *dev,
+ int start)
+ {
+ struct scatterlist *sg;
++ unsigned int len;
+ unsigned int i;
+ int ret;
+
+@@ -797,12 +798,14 @@ static int sahara_sha_hw_links_create(struct sahara_dev *dev,
+ if (!ret)
+ return -EFAULT;
+
++ len = rctx->total;
+ for (i = start; i < dev->nb_in_sg + start; i++) {
+- dev->hw_link[i]->len = sg->length;
++ dev->hw_link[i]->len = min(len, sg->length);
+ dev->hw_link[i]->p = sg->dma_address;
+ if (i == (dev->nb_in_sg + start - 1)) {
+ dev->hw_link[i]->next = 0;
+ } else {
++ len -= min(len, sg->length);
+ dev->hw_link[i]->next = dev->hw_phys_link[i + 1];
+ sg = sg_next(sg);
+ }
+--
+2.43.0
+
--- /dev/null
+From a661ea4d45264ad0d90b9c26390715098542e79b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Dec 2023 19:06:22 +0200
+Subject: crypto: sahara - fix processing requests with cryptlen < sg->length
+
+From: Ovidiu Panait <ovidiu.panait@windriver.com>
+
+[ Upstream commit 5b8668ce3452827d27f8c34ff6ba080a8f983ed0 ]
+
+It's not always the case that the entire sg entry needs to be processed.
+Currently, when cryptlen is less than sg->legth, "Descriptor length" errors
+are encountered.
+
+The error was noticed when testing xts(sahara-ecb-aes) with arbitrary sized
+input data. To fix this, take the actual request size into account when
+populating the hw links.
+
+Fixes: 5de8875281e1 ("crypto: sahara - Add driver for SAHARA2 accelerator.")
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/sahara.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c
+index 2ef177680b2f..855c232d66a2 100644
+--- a/drivers/crypto/sahara.c
++++ b/drivers/crypto/sahara.c
+@@ -444,6 +444,7 @@ static int sahara_hw_descriptor_create(struct sahara_dev *dev)
+ int ret;
+ int i, j;
+ int idx = 0;
++ u32 len;
+
+ memcpy(dev->key_base, ctx->key, ctx->keylen);
+
+@@ -494,12 +495,14 @@ static int sahara_hw_descriptor_create(struct sahara_dev *dev)
+ /* Create input links */
+ dev->hw_desc[idx]->p1 = dev->hw_phys_link[0];
+ sg = dev->in_sg;
++ len = dev->total;
+ for (i = 0; i < dev->nb_in_sg; i++) {
+- dev->hw_link[i]->len = sg->length;
++ dev->hw_link[i]->len = min(len, sg->length);
+ dev->hw_link[i]->p = sg->dma_address;
+ if (i == (dev->nb_in_sg - 1)) {
+ dev->hw_link[i]->next = 0;
+ } else {
++ len -= min(len, sg->length);
+ dev->hw_link[i]->next = dev->hw_phys_link[i + 1];
+ sg = sg_next(sg);
+ }
+@@ -508,12 +511,14 @@ static int sahara_hw_descriptor_create(struct sahara_dev *dev)
+ /* Create output links */
+ dev->hw_desc[idx]->p2 = dev->hw_phys_link[i];
+ sg = dev->out_sg;
++ len = dev->total;
+ for (j = i; j < dev->nb_out_sg + i; j++) {
+- dev->hw_link[j]->len = sg->length;
++ dev->hw_link[j]->len = min(len, sg->length);
+ dev->hw_link[j]->p = sg->dma_address;
+ if (j == (dev->nb_out_sg + i - 1)) {
+ dev->hw_link[j]->next = 0;
+ } else {
++ len -= min(len, sg->length);
+ dev->hw_link[j]->next = dev->hw_phys_link[j + 1];
+ sg = sg_next(sg);
+ }
+--
+2.43.0
+
--- /dev/null
+From cedbca62ad57be928ce0331d08b173ea138d4aed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Dec 2023 10:21:33 +0200
+Subject: crypto: sahara - fix wait_for_completion_timeout() error handling
+
+From: Ovidiu Panait <ovidiu.panait@windriver.com>
+
+[ Upstream commit 2dba8e1d1a7957dcbe7888846268538847b471d1 ]
+
+The sg lists are not unmapped in case of timeout errors. Fix this.
+
+Fixes: 5a2bb93f5992 ("crypto: sahara - add support for SHA1/256")
+Fixes: 5de8875281e1 ("crypto: sahara - Add driver for SAHARA2 accelerator.")
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/sahara.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c
+index a97b1dadf6a4..67960acd786a 100644
+--- a/drivers/crypto/sahara.c
++++ b/drivers/crypto/sahara.c
+@@ -607,16 +607,17 @@ static int sahara_aes_process(struct skcipher_request *req)
+
+ timeout = wait_for_completion_timeout(&dev->dma_completion,
+ msecs_to_jiffies(SAHARA_TIMEOUT_MS));
+- if (!timeout) {
+- dev_err(dev->device, "AES timeout\n");
+- return -ETIMEDOUT;
+- }
+
+ dma_unmap_sg(dev->device, dev->out_sg, dev->nb_out_sg,
+ DMA_FROM_DEVICE);
+ dma_unmap_sg(dev->device, dev->in_sg, dev->nb_in_sg,
+ DMA_TO_DEVICE);
+
++ if (!timeout) {
++ dev_err(dev->device, "AES timeout\n");
++ return -ETIMEDOUT;
++ }
++
+ if ((dev->flags & FLAGS_CBC) && req->iv)
+ sahara_aes_cbc_update_iv(req);
+
+@@ -1007,15 +1008,16 @@ static int sahara_sha_process(struct ahash_request *req)
+
+ timeout = wait_for_completion_timeout(&dev->dma_completion,
+ msecs_to_jiffies(SAHARA_TIMEOUT_MS));
+- if (!timeout) {
+- dev_err(dev->device, "SHA timeout\n");
+- return -ETIMEDOUT;
+- }
+
+ if (rctx->sg_in_idx)
+ dma_unmap_sg(dev->device, dev->in_sg, dev->nb_in_sg,
+ DMA_TO_DEVICE);
+
++ if (!timeout) {
++ dev_err(dev->device, "SHA timeout\n");
++ return -ETIMEDOUT;
++ }
++
+ memcpy(rctx->context, dev->context_base, rctx->context_size);
+
+ if (req->result && rctx->last)
+--
+2.43.0
+
--- /dev/null
+From 0b1810b6dbf6358514f414db6a8e38a7f61a3178 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Dec 2023 10:21:31 +0200
+Subject: crypto: sahara - handle zero-length aes requests
+
+From: Ovidiu Panait <ovidiu.panait@windriver.com>
+
+[ Upstream commit d1d6351e37aac14b32a291731d0855996c459d11 ]
+
+In case of a zero-length input, exit gracefully from sahara_aes_crypt().
+
+Fixes: 5de8875281e1 ("crypto: sahara - Add driver for SAHARA2 accelerator.")
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/sahara.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c
+index b584dd086989..d6510e169c8e 100644
+--- a/drivers/crypto/sahara.c
++++ b/drivers/crypto/sahara.c
+@@ -676,6 +676,9 @@ static int sahara_aes_crypt(struct skcipher_request *req, unsigned long mode)
+ struct sahara_dev *dev = dev_ptr;
+ int err = 0;
+
++ if (!req->cryptlen)
++ return 0;
++
+ if (unlikely(ctx->keylen != AES_KEYSIZE_128))
+ return sahara_aes_fallback(req, mode);
+
+--
+2.43.0
+
--- /dev/null
+From e88e03020957cd80d4c4beff2d7beed2b06031f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Dec 2023 10:21:34 +0200
+Subject: crypto: sahara - improve error handling in sahara_sha_process()
+
+From: Ovidiu Panait <ovidiu.panait@windriver.com>
+
+[ Upstream commit 5deff027fca49a1eb3b20359333cf2ae562a2343 ]
+
+sahara_sha_hw_data_descriptor_create() returns negative error codes on
+failure, so make sure the errors are correctly handled / propagated.
+
+Fixes: 5a2bb93f5992 ("crypto: sahara - add support for SHA1/256")
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/sahara.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c
+index 67960acd786a..0ac793f03e28 100644
+--- a/drivers/crypto/sahara.c
++++ b/drivers/crypto/sahara.c
+@@ -987,7 +987,10 @@ static int sahara_sha_process(struct ahash_request *req)
+ return ret;
+
+ if (rctx->first) {
+- sahara_sha_hw_data_descriptor_create(dev, rctx, req, 0);
++ ret = sahara_sha_hw_data_descriptor_create(dev, rctx, req, 0);
++ if (ret)
++ return ret;
++
+ dev->hw_desc[0]->next = 0;
+ rctx->first = 0;
+ } else {
+@@ -995,7 +998,10 @@ static int sahara_sha_process(struct ahash_request *req)
+
+ sahara_sha_hw_context_descriptor_create(dev, rctx, req, 0);
+ dev->hw_desc[0]->next = dev->hw_phys_desc[1];
+- sahara_sha_hw_data_descriptor_create(dev, rctx, req, 1);
++ ret = sahara_sha_hw_data_descriptor_create(dev, rctx, req, 1);
++ if (ret)
++ return ret;
++
+ dev->hw_desc[1]->next = 0;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From dea5c28bccf33a76affd84fd34f42a18f0f443b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Dec 2023 19:06:19 +0200
+Subject: crypto: sahara - remove FLAGS_NEW_KEY logic
+
+From: Ovidiu Panait <ovidiu.panait@windriver.com>
+
+[ Upstream commit 8fd183435728b139248a77978ea3732039341779 ]
+
+Remove the FLAGS_NEW_KEY logic as it has the following issues:
+- the wrong key may end up being used when there are multiple data streams:
+ t1 t2
+ setkey()
+ encrypt()
+ setkey()
+ encrypt()
+
+ encrypt() <--- key from t2 is used
+- switching between encryption and decryption with the same key is not
+ possible, as the hdr flags are only updated when a new setkey() is
+ performed
+
+With this change, the key is always sent along with the cryptdata when
+performing encryption/decryption operations.
+
+Fixes: 5de8875281e1 ("crypto: sahara - Add driver for SAHARA2 accelerator.")
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/sahara.c | 34 +++++++++++++---------------------
+ 1 file changed, 13 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c
+index 2043dd061121..0ae95767bb76 100644
+--- a/drivers/crypto/sahara.c
++++ b/drivers/crypto/sahara.c
+@@ -43,7 +43,6 @@
+ #define FLAGS_MODE_MASK 0x000f
+ #define FLAGS_ENCRYPT BIT(0)
+ #define FLAGS_CBC BIT(1)
+-#define FLAGS_NEW_KEY BIT(3)
+
+ #define SAHARA_HDR_BASE 0x00800000
+ #define SAHARA_HDR_SKHA_ALG_AES 0
+@@ -141,8 +140,6 @@ struct sahara_hw_link {
+ };
+
+ struct sahara_ctx {
+- unsigned long flags;
+-
+ /* AES-specific context */
+ int keylen;
+ u8 key[AES_KEYSIZE_128];
+@@ -447,26 +444,22 @@ static int sahara_hw_descriptor_create(struct sahara_dev *dev)
+ int i, j;
+ int idx = 0;
+
+- /* Copy new key if necessary */
+- if (ctx->flags & FLAGS_NEW_KEY) {
+- memcpy(dev->key_base, ctx->key, ctx->keylen);
+- ctx->flags &= ~FLAGS_NEW_KEY;
++ memcpy(dev->key_base, ctx->key, ctx->keylen);
+
+- if (dev->flags & FLAGS_CBC) {
+- dev->hw_desc[idx]->len1 = AES_BLOCK_SIZE;
+- dev->hw_desc[idx]->p1 = dev->iv_phys_base;
+- } else {
+- dev->hw_desc[idx]->len1 = 0;
+- dev->hw_desc[idx]->p1 = 0;
+- }
+- dev->hw_desc[idx]->len2 = ctx->keylen;
+- dev->hw_desc[idx]->p2 = dev->key_phys_base;
+- dev->hw_desc[idx]->next = dev->hw_phys_desc[1];
++ if (dev->flags & FLAGS_CBC) {
++ dev->hw_desc[idx]->len1 = AES_BLOCK_SIZE;
++ dev->hw_desc[idx]->p1 = dev->iv_phys_base;
++ } else {
++ dev->hw_desc[idx]->len1 = 0;
++ dev->hw_desc[idx]->p1 = 0;
++ }
++ dev->hw_desc[idx]->len2 = ctx->keylen;
++ dev->hw_desc[idx]->p2 = dev->key_phys_base;
++ dev->hw_desc[idx]->next = dev->hw_phys_desc[1];
++ dev->hw_desc[idx]->hdr = sahara_aes_key_hdr(dev);
+
+- dev->hw_desc[idx]->hdr = sahara_aes_key_hdr(dev);
++ idx++;
+
+- idx++;
+- }
+
+ dev->nb_in_sg = sg_nents_for_len(dev->in_sg, dev->total);
+ if (dev->nb_in_sg < 0) {
+@@ -608,7 +601,6 @@ static int sahara_aes_setkey(struct crypto_skcipher *tfm, const u8 *key,
+ /* SAHARA only supports 128bit keys */
+ if (keylen == AES_KEYSIZE_128) {
+ memcpy(ctx->key, key, keylen);
+- ctx->flags |= FLAGS_NEW_KEY;
+ return 0;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From cd7f8d799c6fe1bb4e7e02667faa9f7d517c5c91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Dec 2023 09:35:23 +0000
+Subject: crypto: scomp - fix req->dst buffer overflow
+
+From: Chengming Zhou <zhouchengming@bytedance.com>
+
+[ Upstream commit 744e1885922a9943458954cfea917b31064b4131 ]
+
+The req->dst buffer size should be checked before copying from the
+scomp_scratch->dst to avoid req->dst buffer overflow problem.
+
+Fixes: 1ab53a77b772 ("crypto: acomp - add driver-side scomp interface")
+Reported-by: syzbot+3eff5e51bf1db122a16e@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/0000000000000b05cd060d6b5511@google.com/
+Signed-off-by: Chengming Zhou <zhouchengming@bytedance.com>
+Reviewed-by: Barry Song <v-songbaohua@oppo.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/scompress.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/crypto/scompress.c b/crypto/scompress.c
+index 738f4f8f0f41..4d6366a44400 100644
+--- a/crypto/scompress.c
++++ b/crypto/scompress.c
+@@ -124,6 +124,7 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir)
+ struct crypto_scomp *scomp = *tfm_ctx;
+ void **ctx = acomp_request_ctx(req);
+ struct scomp_scratch *scratch;
++ unsigned int dlen;
+ int ret;
+
+ if (!req->src || !req->slen || req->slen > SCOMP_SCRATCH_SIZE)
+@@ -135,6 +136,8 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir)
+ if (!req->dlen || req->dlen > SCOMP_SCRATCH_SIZE)
+ req->dlen = SCOMP_SCRATCH_SIZE;
+
++ dlen = req->dlen;
++
+ scratch = raw_cpu_ptr(&scomp_scratch);
+ spin_lock(&scratch->lock);
+
+@@ -152,6 +155,9 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir)
+ ret = -ENOMEM;
+ goto out;
+ }
++ } else if (req->dlen > dlen) {
++ ret = -ENOSPC;
++ goto out;
+ }
+ scatterwalk_map_and_copy(scratch->dst, req->dst, 0, req->dlen,
+ 1);
+--
+2.43.0
+
--- /dev/null
+From 3d98e0925ac103743959cf053c5ad16901630762 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Nov 2023 11:49:45 +0000
+Subject: crypto: virtio - Handle dataq logic with tasklet
+
+From: Gonglei (Arei) <arei.gonglei@huawei.com>
+
+[ Upstream commit fed93fb62e05c38152b0fc1dc9609639e63eed76 ]
+
+Doing ipsec produces a spinlock recursion warning.
+This is due to crypto_finalize_request() being called in the upper half.
+Move virtual data queue processing of virtio-crypto driver to tasklet.
+
+Fixes: dbaf0624ffa57 ("crypto: add virtio-crypto driver")
+Reported-by: Halil Pasic <pasic@linux.ibm.com>
+Signed-off-by: wangyangxin <wangyangxin1@huawei.com>
+Signed-off-by: Gonglei <arei.gonglei@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/virtio/virtio_crypto_common.h | 2 ++
+ drivers/crypto/virtio/virtio_crypto_core.c | 23 +++++++++++---------
+ 2 files changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/crypto/virtio/virtio_crypto_common.h b/drivers/crypto/virtio/virtio_crypto_common.h
+index e0dcb247840a..d61c991d7773 100644
+--- a/drivers/crypto/virtio/virtio_crypto_common.h
++++ b/drivers/crypto/virtio/virtio_crypto_common.h
+@@ -10,6 +10,7 @@
+ #include <linux/virtio.h>
+ #include <linux/crypto.h>
+ #include <linux/spinlock.h>
++#include <linux/interrupt.h>
+ #include <crypto/aead.h>
+ #include <crypto/aes.h>
+ #include <crypto/engine.h>
+@@ -28,6 +29,7 @@ struct data_queue {
+ char name[32];
+
+ struct crypto_engine *engine;
++ struct tasklet_struct done_task;
+ };
+
+ struct virtio_crypto {
+diff --git a/drivers/crypto/virtio/virtio_crypto_core.c b/drivers/crypto/virtio/virtio_crypto_core.c
+index 94624f469985..630af33929ef 100644
+--- a/drivers/crypto/virtio/virtio_crypto_core.c
++++ b/drivers/crypto/virtio/virtio_crypto_core.c
+@@ -72,27 +72,28 @@ int virtio_crypto_ctrl_vq_request(struct virtio_crypto *vcrypto, struct scatterl
+ return 0;
+ }
+
+-static void virtcrypto_dataq_callback(struct virtqueue *vq)
++static void virtcrypto_done_task(unsigned long data)
+ {
+- struct virtio_crypto *vcrypto = vq->vdev->priv;
++ struct data_queue *data_vq = (struct data_queue *)data;
++ struct virtqueue *vq = data_vq->vq;
+ struct virtio_crypto_request *vc_req;
+- unsigned long flags;
+ unsigned int len;
+- unsigned int qid = vq->index;
+
+- spin_lock_irqsave(&vcrypto->data_vq[qid].lock, flags);
+ do {
+ virtqueue_disable_cb(vq);
+ while ((vc_req = virtqueue_get_buf(vq, &len)) != NULL) {
+- spin_unlock_irqrestore(
+- &vcrypto->data_vq[qid].lock, flags);
+ if (vc_req->alg_cb)
+ vc_req->alg_cb(vc_req, len);
+- spin_lock_irqsave(
+- &vcrypto->data_vq[qid].lock, flags);
+ }
+ } while (!virtqueue_enable_cb(vq));
+- spin_unlock_irqrestore(&vcrypto->data_vq[qid].lock, flags);
++}
++
++static void virtcrypto_dataq_callback(struct virtqueue *vq)
++{
++ struct virtio_crypto *vcrypto = vq->vdev->priv;
++ struct data_queue *dq = &vcrypto->data_vq[vq->index];
++
++ tasklet_schedule(&dq->done_task);
+ }
+
+ static int virtcrypto_find_vqs(struct virtio_crypto *vi)
+@@ -149,6 +150,8 @@ static int virtcrypto_find_vqs(struct virtio_crypto *vi)
+ ret = -ENOMEM;
+ goto err_engine;
+ }
++ tasklet_init(&vi->data_vq[i].done_task, virtcrypto_done_task,
++ (unsigned long)&vi->data_vq[i]);
+ }
+
+ kfree(names);
+--
+2.43.0
+
--- /dev/null
+From 34ddd6b4f559dff264bbed379ab81d9e7df195ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Dec 2023 19:42:15 +0800
+Subject: crypto: virtio - Wait for tasklet to complete on device remove
+
+From: wangyangxin <wangyangxin1@huawei.com>
+
+[ Upstream commit 67cc511e8d436456cc98033e6d4ba83ebfc8e672 ]
+
+The scheduled tasklet needs to be executed on device remove.
+
+Fixes: fed93fb62e05 ("crypto: virtio - Handle dataq logic with tasklet")
+Signed-off-by: wangyangxin <wangyangxin1@huawei.com>
+Signed-off-by: Gonglei <arei.gonglei@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/virtio/virtio_crypto_core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/crypto/virtio/virtio_crypto_core.c b/drivers/crypto/virtio/virtio_crypto_core.c
+index 630af33929ef..3da956145892 100644
+--- a/drivers/crypto/virtio/virtio_crypto_core.c
++++ b/drivers/crypto/virtio/virtio_crypto_core.c
+@@ -488,11 +488,14 @@ static void virtcrypto_free_unused_reqs(struct virtio_crypto *vcrypto)
+ static void virtcrypto_remove(struct virtio_device *vdev)
+ {
+ struct virtio_crypto *vcrypto = vdev->priv;
++ int i;
+
+ dev_info(&vdev->dev, "Start virtcrypto_remove.\n");
+
+ if (virtcrypto_dev_started(vcrypto))
+ virtcrypto_dev_stop(vcrypto);
++ for (i = 0; i < vcrypto->max_data_queues; i++)
++ tasklet_kill(&vcrypto->data_vq[i].done_task);
+ vdev->config->reset(vdev);
+ virtcrypto_free_unused_reqs(vcrypto);
+ virtcrypto_clear_crypto_engines(vcrypto);
+--
+2.43.0
+
--- /dev/null
+From c4add56db4906e76e5246579f96de242261dde22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Apr 2022 14:24:35 +0800
+Subject: dma-mapping: Add dma_release_coherent_memory to DMA API
+
+From: Mark-PK Tsai <mark-pk.tsai@mediatek.com>
+
+[ Upstream commit e61c451476e61450f6771ce03bbc01210a09be16 ]
+
+Add dma_release_coherent_memory to DMA API to allow dma
+user call it to release dev->dma_mem when the device is
+removed.
+
+Signed-off-by: Mark-PK Tsai <mark-pk.tsai@mediatek.com>
+Acked-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20220422062436.14384-2-mark-pk.tsai@mediatek.com
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Stable-dep-of: b07bc2347672 ("dma-mapping: clear dev->dma_mem to NULL after freeing it")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/dma-map-ops.h | 3 +++
+ kernel/dma/coherent.c | 10 ++++++++--
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/dma-map-ops.h b/include/linux/dma-map-ops.h
+index a5f89fc4d6df..22e3bfebdc34 100644
+--- a/include/linux/dma-map-ops.h
++++ b/include/linux/dma-map-ops.h
+@@ -165,6 +165,7 @@ static inline void dma_pernuma_cma_reserve(void) { }
+ #ifdef CONFIG_DMA_DECLARE_COHERENT
+ int dma_declare_coherent_memory(struct device *dev, phys_addr_t phys_addr,
+ dma_addr_t device_addr, size_t size);
++void dma_release_coherent_memory(struct device *dev);
+ int dma_alloc_from_dev_coherent(struct device *dev, ssize_t size,
+ dma_addr_t *dma_handle, void **ret);
+ int dma_release_from_dev_coherent(struct device *dev, int order, void *vaddr);
+@@ -183,6 +184,8 @@ static inline int dma_declare_coherent_memory(struct device *dev,
+ {
+ return -ENOSYS;
+ }
++
++#define dma_release_coherent_memory(dev) (0)
+ #define dma_alloc_from_dev_coherent(dev, size, handle, ret) (0)
+ #define dma_release_from_dev_coherent(dev, order, vaddr) (0)
+ #define dma_mmap_from_dev_coherent(dev, vma, vaddr, order, ret) (0)
+diff --git a/kernel/dma/coherent.c b/kernel/dma/coherent.c
+index 5b5b6c7ec7f2..b79d8d0433dd 100644
+--- a/kernel/dma/coherent.c
++++ b/kernel/dma/coherent.c
+@@ -84,7 +84,7 @@ static int dma_init_coherent_memory(phys_addr_t phys_addr,
+ return ret;
+ }
+
+-static void dma_release_coherent_memory(struct dma_coherent_mem *mem)
++static void _dma_release_coherent_memory(struct dma_coherent_mem *mem)
+ {
+ if (!mem)
+ return;
+@@ -136,10 +136,16 @@ int dma_declare_coherent_memory(struct device *dev, phys_addr_t phys_addr,
+
+ ret = dma_assign_coherent_memory(dev, mem);
+ if (ret)
+- dma_release_coherent_memory(mem);
++ _dma_release_coherent_memory(mem);
+ return ret;
+ }
+
++void dma_release_coherent_memory(struct device *dev)
++{
++ if (dev)
++ _dma_release_coherent_memory(dev->dma_mem);
++}
++
+ static void *__dma_alloc_from_coherent(struct device *dev,
+ struct dma_coherent_mem *mem,
+ ssize_t size, dma_addr_t *dma_handle)
+--
+2.43.0
+
--- /dev/null
+From c7aeb8fdc50cd7b2216999d072fe691672cb4cd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Dec 2023 16:25:26 +0800
+Subject: dma-mapping: clear dev->dma_mem to NULL after freeing it
+
+From: Joakim Zhang <joakim.zhang@cixtech.com>
+
+[ Upstream commit b07bc2347672cc8c7293c64499f1488278c5ca3d ]
+
+Reproduced with below sequence:
+dma_declare_coherent_memory()->dma_release_coherent_memory()
+->dma_declare_coherent_memory()->"return -EBUSY" error
+
+It will return -EBUSY from the dma_assign_coherent_memory()
+in dma_declare_coherent_memory(), the reason is that dev->dma_mem
+pointer has not been set to NULL after it's freed.
+
+Fixes: cf65a0f6f6ff ("dma-mapping: move all DMA mapping code to kernel/dma")
+Signed-off-by: Joakim Zhang <joakim.zhang@cixtech.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/dma/coherent.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/dma/coherent.c b/kernel/dma/coherent.c
+index b79d8d0433dd..49aaad3936f1 100644
+--- a/kernel/dma/coherent.c
++++ b/kernel/dma/coherent.c
+@@ -142,8 +142,10 @@ int dma_declare_coherent_memory(struct device *dev, phys_addr_t phys_addr,
+
+ void dma_release_coherent_memory(struct device *dev)
+ {
+- if (dev)
++ if (dev) {
+ _dma_release_coherent_memory(dev->dma_mem);
++ dev->dma_mem = NULL;
++ }
+ }
+
+ static void *__dma_alloc_from_coherent(struct device *dev,
+--
+2.43.0
+
--- /dev/null
+From 7012b46c7d83520d7154b93515a6565f9690108c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Dec 2023 00:24:58 +0800
+Subject: drivers/amd/pm: fix a use-after-free in kv_parse_power_table
+
+From: Zhipeng Lu <alexious@zju.edu.cn>
+
+[ Upstream commit 28dd788382c43b330480f57cd34cde0840896743 ]
+
+When ps allocated by kzalloc equals to NULL, kv_parse_power_table
+frees adev->pm.dpm.ps that allocated before. However, after the control
+flow goes through the following call chains:
+
+kv_parse_power_table
+ |-> kv_dpm_init
+ |-> kv_dpm_sw_init
+ |-> kv_dpm_fini
+
+The adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its
+first free in kv_parse_power_table and causes a use-after-free bug.
+
+Fixes: a2e73f56fa62 ("drm/amdgpu: Add support for CIK parts")
+Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/kv_dpm.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/kv_dpm.c b/drivers/gpu/drm/amd/pm/powerplay/kv_dpm.c
+index c8a5a5698edd..6eb6f05c1136 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/kv_dpm.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/kv_dpm.c
+@@ -2733,10 +2733,8 @@ static int kv_parse_power_table(struct amdgpu_device *adev)
+ non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *)
+ &non_clock_info_array->nonClockInfo[non_clock_array_index];
+ ps = kzalloc(sizeof(struct kv_ps), GFP_KERNEL);
+- if (ps == NULL) {
+- kfree(adev->pm.dpm.ps);
++ if (ps == NULL)
+ return -ENOMEM;
+- }
+ adev->pm.dpm.ps[i].ps_priv = ps;
+ k = 0;
+ idx = (u8 *)&power_state->v2.clockInfoIndex[0];
+--
+2.43.0
+
--- /dev/null
+From 4fbce49fbe001ada9532d6704420769a10bd4070 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Nov 2023 03:29:15 -0800
+Subject: drivers: clk: zynqmp: calculate closest mux rate
+
+From: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
+
+[ Upstream commit b782921ddd7f84f524723090377903f399fdbbcb ]
+
+Currently zynqmp clock driver is not calculating closest mux rate and
+because of that Linux is not setting proper frequency for CPU and
+not able to set given frequency for dynamic frequency scaling.
+
+E.g., In current logic initial acpu clock parent and frequency as below
+apll1 0 0 0 2199999978 0 0 50000 Y
+ acpu0_mux 0 0 0 2199999978 0 0 50000 Y
+ acpu0_idiv1 0 0 0 2199999978 0 0 50000 Y
+ acpu0 0 0 0 2199999978 0 0 50000 Y
+
+After changing acpu frequency to 549999994 Hz using CPU freq scaling its
+selecting incorrect parent which is not closest frequency.
+rpll_to_xpd 0 0 0 1599999984 0 0 50000 Y
+ acpu0_mux 0 0 0 1599999984 0 0 50000 Y
+ acpu0_div1 0 0 0 533333328 0 0 50000 Y
+ acpu0 0 0 0 533333328 0 0 50000 Y
+
+Parent should remain same since 549999994 = 2199999978 / 4.
+
+So use __clk_mux_determine_rate_closest() generic function to calculate
+closest rate for mux clock. After this change its selecting correct
+parent and correct clock rate.
+apll1 0 0 0 2199999978 0 0 50000 Y
+ acpu0_mux 0 0 0 2199999978 0 0 50000 Y
+ acpu0_div1 0 0 0 549999995 0 0 50000 Y
+ acpu0 0 0 0 549999995 0 0 50000 Y
+
+Fixes: 3fde0e16d016 ("drivers: clk: Add ZynqMP clock driver")
+Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
+Link: https://lore.kernel.org/r/20231129112916.23125-2-jay.buddhabhatti@amd.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/zynqmp/clk-mux-zynqmp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/zynqmp/clk-mux-zynqmp.c b/drivers/clk/zynqmp/clk-mux-zynqmp.c
+index 06194149be83..46ff5cb733ee 100644
+--- a/drivers/clk/zynqmp/clk-mux-zynqmp.c
++++ b/drivers/clk/zynqmp/clk-mux-zynqmp.c
+@@ -83,7 +83,7 @@ static int zynqmp_clk_mux_set_parent(struct clk_hw *hw, u8 index)
+ static const struct clk_ops zynqmp_clk_mux_ops = {
+ .get_parent = zynqmp_clk_mux_get_parent,
+ .set_parent = zynqmp_clk_mux_set_parent,
+- .determine_rate = __clk_mux_determine_rate,
++ .determine_rate = __clk_mux_determine_rate_closest,
+ };
+
+ static const struct clk_ops zynqmp_clk_mux_ro_ops = {
+--
+2.43.0
+
--- /dev/null
+From 52f11151b23eb58d29f6fd19c01c9f8d4cf27f90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Nov 2023 03:29:16 -0800
+Subject: drivers: clk: zynqmp: update divider round rate logic
+
+From: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
+
+[ Upstream commit 1fe15be1fb613534ecbac5f8c3f8744f757d237d ]
+
+Currently zynqmp divider round rate is considering single parent and
+calculating rate and parent rate accordingly. But if divider clock flag
+is set to SET_RATE_PARENT then its not trying to traverse through all
+parent rate and not selecting best parent rate from that. So use common
+divider_round_rate() which is traversing through all clock parents and
+its rate and calculating proper parent rate.
+
+Fixes: 3fde0e16d016 ("drivers: clk: Add ZynqMP clock driver")
+Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
+Link: https://lore.kernel.org/r/20231129112916.23125-3-jay.buddhabhatti@amd.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/zynqmp/divider.c | 66 +++---------------------------------
+ 1 file changed, 5 insertions(+), 61 deletions(-)
+
+diff --git a/drivers/clk/zynqmp/divider.c b/drivers/clk/zynqmp/divider.c
+index acdd5e48e147..acfd4878cce2 100644
+--- a/drivers/clk/zynqmp/divider.c
++++ b/drivers/clk/zynqmp/divider.c
+@@ -109,52 +109,6 @@ static unsigned long zynqmp_clk_divider_recalc_rate(struct clk_hw *hw,
+ return DIV_ROUND_UP_ULL(parent_rate, value);
+ }
+
+-static void zynqmp_get_divider2_val(struct clk_hw *hw,
+- unsigned long rate,
+- struct zynqmp_clk_divider *divider,
+- u32 *bestdiv)
+-{
+- int div1;
+- int div2;
+- long error = LONG_MAX;
+- unsigned long div1_prate;
+- struct clk_hw *div1_parent_hw;
+- struct zynqmp_clk_divider *pdivider;
+- struct clk_hw *div2_parent_hw = clk_hw_get_parent(hw);
+-
+- if (!div2_parent_hw)
+- return;
+-
+- pdivider = to_zynqmp_clk_divider(div2_parent_hw);
+- if (!pdivider)
+- return;
+-
+- div1_parent_hw = clk_hw_get_parent(div2_parent_hw);
+- if (!div1_parent_hw)
+- return;
+-
+- div1_prate = clk_hw_get_rate(div1_parent_hw);
+- *bestdiv = 1;
+- for (div1 = 1; div1 <= pdivider->max_div;) {
+- for (div2 = 1; div2 <= divider->max_div;) {
+- long new_error = ((div1_prate / div1) / div2) - rate;
+-
+- if (abs(new_error) < abs(error)) {
+- *bestdiv = div2;
+- error = new_error;
+- }
+- if (divider->flags & CLK_DIVIDER_POWER_OF_TWO)
+- div2 = div2 << 1;
+- else
+- div2++;
+- }
+- if (pdivider->flags & CLK_DIVIDER_POWER_OF_TWO)
+- div1 = div1 << 1;
+- else
+- div1++;
+- }
+-}
+-
+ /**
+ * zynqmp_clk_divider_round_rate() - Round rate of divider clock
+ * @hw: handle between common and hardware-specific interfaces
+@@ -173,6 +127,7 @@ static long zynqmp_clk_divider_round_rate(struct clk_hw *hw,
+ u32 div_type = divider->div_type;
+ u32 bestdiv;
+ int ret;
++ u8 width;
+
+ /* if read only, just return current value */
+ if (divider->flags & CLK_DIVIDER_READ_ONLY) {
+@@ -192,23 +147,12 @@ static long zynqmp_clk_divider_round_rate(struct clk_hw *hw,
+ return DIV_ROUND_UP_ULL((u64)*prate, bestdiv);
+ }
+
+- bestdiv = zynqmp_divider_get_val(*prate, rate, divider->flags);
+-
+- /*
+- * In case of two divisors, compute best divider values and return
+- * divider2 value based on compute value. div1 will be automatically
+- * set to optimum based on required total divider value.
+- */
+- if (div_type == TYPE_DIV2 &&
+- (clk_hw_get_flags(hw) & CLK_SET_RATE_PARENT)) {
+- zynqmp_get_divider2_val(hw, rate, divider, &bestdiv);
+- }
++ width = fls(divider->max_div);
+
+- if ((clk_hw_get_flags(hw) & CLK_SET_RATE_PARENT) && divider->is_frac)
+- bestdiv = rate % *prate ? 1 : bestdiv;
++ rate = divider_round_rate(hw, rate, prate, NULL, width, divider->flags);
+
+- bestdiv = min_t(u32, bestdiv, divider->max_div);
+- *prate = rate * bestdiv;
++ if (divider->is_frac && (clk_hw_get_flags(hw) & CLK_SET_RATE_PARENT) && (rate % *prate))
++ *prate = rate;
+
+ return rate;
+ }
+--
+2.43.0
+
--- /dev/null
+From cdaa917ce8803b7b2ff28f9fb33e5c013320ce63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Dec 2023 23:24:11 +0800
+Subject: drm/amd/pm: fix a double-free in si_dpm_init
+
+From: Zhipeng Lu <alexious@zju.edu.cn>
+
+[ Upstream commit ac16667237a82e2597e329eb9bc520d1cf9dff30 ]
+
+When the allocation of
+adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries fails,
+amdgpu_free_extended_power_table is called to free some fields of adev.
+However, when the control flow returns to si_dpm_sw_init, it goes to
+label dpm_failed and calls si_dpm_fini, which calls
+amdgpu_free_extended_power_table again and free those fields again. Thus
+a double-free is triggered.
+
+Fixes: 841686df9f7d ("drm/amdgpu: add SI DPM support (v4)")
+Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/si_dpm.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/si_dpm.c b/drivers/gpu/drm/amd/pm/powerplay/si_dpm.c
+index d6544a6dabc7..6f0653c81f8f 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/si_dpm.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/si_dpm.c
+@@ -7349,10 +7349,9 @@ static int si_dpm_init(struct amdgpu_device *adev)
+ kcalloc(4,
+ sizeof(struct amdgpu_clock_voltage_dependency_entry),
+ GFP_KERNEL);
+- if (!adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries) {
+- amdgpu_free_extended_power_table(adev);
++ if (!adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries)
+ return -ENOMEM;
+- }
++
+ adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.count = 4;
+ adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries[0].clk = 0;
+ adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries[0].v = 0;
+--
+2.43.0
+
--- /dev/null
+From eed0f10dcce4c582f8e4b0962539e82b2c6646f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Nov 2023 17:26:29 -0500
+Subject: drm/amdgpu/debugfs: fix error code when smc register accessors are
+ NULL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+[ Upstream commit afe58346d5d3887b3e49ff623d2f2e471f232a8d ]
+
+Should be -EOPNOTSUPP.
+
+Fixes: 5104fdf50d32 ("drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL")
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
+index 3e573077368b..8a1cb1de2b13 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
+@@ -582,7 +582,7 @@ static ssize_t amdgpu_debugfs_regs_smc_read(struct file *f, char __user *buf,
+ int r;
+
+ if (!adev->smc_rreg)
+- return -EPERM;
++ return -EOPNOTSUPP;
+
+ if (size & 0x3 || *pos & 0x3)
+ return -EINVAL;
+@@ -644,7 +644,7 @@ static ssize_t amdgpu_debugfs_regs_smc_write(struct file *f, const char __user *
+ int r;
+
+ if (!adev->smc_wreg)
+- return -EPERM;
++ return -EOPNOTSUPP;
+
+ if (size & 0x3 || *pos & 0x3)
+ return -EINVAL;
+--
+2.43.0
+
--- /dev/null
+From 44b937a77a874dce5352b290281c1b446cf16b22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Nov 2023 10:42:30 +0100
+Subject: drm/bridge: Fix typo in post_disable() description
+
+From: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+
+[ Upstream commit 288b039db225676e0c520c981a1b5a2562d893a3 ]
+
+s/singals/signals/
+
+Fixes: 199e4e967af4 ("drm: Extract drm_bridge.h")
+Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+Signed-off-by: Robert Foss <rfoss@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231124094253.658064-1-dario.binacchi@amarulasolutions.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/drm/drm_bridge.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/drm/drm_bridge.h b/include/drm/drm_bridge.h
+index 055486e35e68..3826cf9553c0 100644
+--- a/include/drm/drm_bridge.h
++++ b/include/drm/drm_bridge.h
+@@ -186,7 +186,7 @@ struct drm_bridge_funcs {
+ * or &drm_encoder_helper_funcs.dpms hook.
+ *
+ * The bridge must assume that the display pipe (i.e. clocks and timing
+- * singals) feeding it is no longer running when this callback is
++ * signals) feeding it is no longer running when this callback is
+ * called.
+ *
+ * The @post_disable callback is optional.
+--
+2.43.0
+
--- /dev/null
+From 385e1593d4727b0e11e594c9b2d4cb2a1febe219 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Nov 2023 15:14:06 +0200
+Subject: drm/bridge: tc358767: Fix return value on error case
+
+From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+
+[ Upstream commit 32bd29b619638256c5b75fb021d6d9f12fc4a984 ]
+
+If the hpd_pin is invalid, the driver returns 'ret'. But 'ret' contains
+0, instead of an error value.
+
+Return -EINVAL instead.
+
+Fixes: f25ee5017e4f ("drm/bridge: tc358767: add IRQ and HPD support")
+Acked-by: Maxime Ripard <mripard@kernel.org>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231103-uninit-fixes-v2-4-c22b2444f5f5@ideasonboard.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/tc358767.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bridge/tc358767.c b/drivers/gpu/drm/bridge/tc358767.c
+index b4f7e7a7f7c5..9c905634fec7 100644
+--- a/drivers/gpu/drm/bridge/tc358767.c
++++ b/drivers/gpu/drm/bridge/tc358767.c
+@@ -1637,7 +1637,7 @@ static int tc_probe(struct i2c_client *client, const struct i2c_device_id *id)
+ } else {
+ if (tc->hpd_pin < 0 || tc->hpd_pin > 1) {
+ dev_err(dev, "failed to parse HPD number\n");
+- return ret;
++ return -EINVAL;
+ }
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 12c2e76c85a444ca8ba3fad2ddb9a317766a9ce2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Nov 2023 17:56:42 +0100
+Subject: drm/bridge: tpd12s015: Drop buggy __exit annotation for remove
+ function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit ce3e112e7ae854249d8755906acc5f27e1542114 ]
+
+With tpd12s015_remove() marked with __exit this function is discarded
+when the driver is compiled as a built-in. The result is that when the
+driver unbinds there is no cleanup done which results in resource
+leakage or worse.
+
+Fixes: cff5e6f7e83f ("drm/bridge: Add driver for the TI TPD12S015 HDMI level shifter")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231102165640.3307820-19-u.kleine-koenig@pengutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/ti-tpd12s015.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/ti-tpd12s015.c b/drivers/gpu/drm/bridge/ti-tpd12s015.c
+index e0e015243a60..b588fea12502 100644
+--- a/drivers/gpu/drm/bridge/ti-tpd12s015.c
++++ b/drivers/gpu/drm/bridge/ti-tpd12s015.c
+@@ -179,7 +179,7 @@ static int tpd12s015_probe(struct platform_device *pdev)
+ return 0;
+ }
+
+-static int __exit tpd12s015_remove(struct platform_device *pdev)
++static int tpd12s015_remove(struct platform_device *pdev)
+ {
+ struct tpd12s015_device *tpd = platform_get_drvdata(pdev);
+
+@@ -197,7 +197,7 @@ MODULE_DEVICE_TABLE(of, tpd12s015_of_match);
+
+ static struct platform_driver tpd12s015_driver = {
+ .probe = tpd12s015_probe,
+- .remove = __exit_p(tpd12s015_remove),
++ .remove = tpd12s015_remove,
+ .driver = {
+ .name = "tpd12s015",
+ .of_match_table = tpd12s015_of_match,
+--
+2.43.0
+
--- /dev/null
+From 05f2c0d8e445ce20d4af1535f3a07298f7d934ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Dec 2023 01:55:52 +0300
+Subject: drm/drv: propagate errors from drm_modeset_register_all()
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 5f8dec200923a76dc57187965fd59c1136f5d085 ]
+
+In case the drm_modeset_register_all() function fails, its error code
+will be ignored. Instead make the drm_dev_register() bail out in case of
+such an error.
+
+Fixes: 79190ea2658a ("drm: Add callbacks for late registering")
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Maxime Ripard <mripard@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231202225552.1283638-1-dmitry.baryshkov@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_drv.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
+index 4ca995ce19af..10831d8d7148 100644
+--- a/drivers/gpu/drm/drm_drv.c
++++ b/drivers/gpu/drm/drm_drv.c
+@@ -892,8 +892,11 @@ int drm_dev_register(struct drm_device *dev, unsigned long flags)
+ goto err_minors;
+ }
+
+- if (drm_core_check_feature(dev, DRIVER_MODESET))
+- drm_modeset_register_all(dev);
++ if (drm_core_check_feature(dev, DRIVER_MODESET)) {
++ ret = drm_modeset_register_all(dev);
++ if (ret)
++ goto err_unload;
++ }
+
+ ret = 0;
+
+@@ -905,6 +908,9 @@ int drm_dev_register(struct drm_device *dev, unsigned long flags)
+
+ goto out_unlock;
+
++err_unload:
++ if (dev->driver->unload)
++ dev->driver->unload(dev);
+ err_minors:
+ remove_compat_control_link(dev);
+ drm_minor_unregister(dev, DRM_MINOR_PRIMARY);
+--
+2.43.0
+
--- /dev/null
+From b2e58269a6e29910e0dc889ebf7cf096e6565577 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jun 2023 13:43:20 +0200
+Subject: drm/msm/dsi: Use pm_runtime_resume_and_get to prevent refcnt leaks
+
+From: Konrad Dybcio <konrad.dybcio@linaro.org>
+
+[ Upstream commit 3d07a411b4faaf2b498760ccf12888f8de529de0 ]
+
+This helper has been introduced to avoid programmer errors (missing
+_put calls leading to dangling refcnt) when using pm_runtime_get, use it.
+
+While at it, start checking the return value.
+
+Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Fixes: 5c8290284402 ("drm/msm/dsi: Split PHY drivers to separate files")
+Patchwork: https://patchwork.freedesktop.org/patch/543350/
+Link: https://lore.kernel.org/r/20230620-topic-dsiphy_rpm-v2-1-a11a751f34f0@linaro.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/phy/dsi_phy.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c
+index 2e0be85ec394..10eacfd95fb1 100644
+--- a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c
++++ b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c
+@@ -558,7 +558,9 @@ static int dsi_phy_enable_resource(struct msm_dsi_phy *phy)
+ struct device *dev = &phy->pdev->dev;
+ int ret;
+
+- pm_runtime_get_sync(dev);
++ ret = pm_runtime_resume_and_get(dev);
++ if (ret)
++ return ret;
+
+ ret = clk_prepare_enable(phy->ahb_clk);
+ if (ret) {
+--
+2.43.0
+
--- /dev/null
+From 9e0063a664cbf86e7dbca68b364a694d78f2b449 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Nov 2023 00:54:01 +0300
+Subject: drm/msm/mdp4: flush vblank event on disable
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit c6721b3c6423d8a348ae885a0f4c85e14f9bf85c ]
+
+Flush queued events when disabling the crtc. This avoids timeouts when
+we come back and wait for dependencies (like the previous frame's
+flip_done).
+
+Fixes: c8afe684c95c ("drm/msm: basic KMS driver for snapdragon")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/569127/
+Link: https://lore.kernel.org/r/20231127215401.4064128-1-dmitry.baryshkov@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/mdp4/mdp4_crtc.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/disp/mdp4/mdp4_crtc.c b/drivers/gpu/drm/msm/disp/mdp4/mdp4_crtc.c
+index a0253297bc76..bf54b9e4fd61 100644
+--- a/drivers/gpu/drm/msm/disp/mdp4/mdp4_crtc.c
++++ b/drivers/gpu/drm/msm/disp/mdp4/mdp4_crtc.c
+@@ -268,6 +268,7 @@ static void mdp4_crtc_atomic_disable(struct drm_crtc *crtc,
+ {
+ struct mdp4_crtc *mdp4_crtc = to_mdp4_crtc(crtc);
+ struct mdp4_kms *mdp4_kms = get_kms(crtc);
++ unsigned long flags;
+
+ DBG("%s", mdp4_crtc->name);
+
+@@ -280,6 +281,14 @@ static void mdp4_crtc_atomic_disable(struct drm_crtc *crtc,
+ mdp_irq_unregister(&mdp4_kms->base, &mdp4_crtc->err);
+ mdp4_disable(mdp4_kms);
+
++ if (crtc->state->event && !crtc->state->active) {
++ WARN_ON(mdp4_crtc->event);
++ spin_lock_irqsave(&mdp4_kms->dev->event_lock, flags);
++ drm_crtc_send_vblank_event(crtc, crtc->state->event);
++ crtc->state->event = NULL;
++ spin_unlock_irqrestore(&mdp4_kms->dev->event_lock, flags);
++ }
++
+ mdp4_crtc->enabled = false;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 81e1fdddb48e7417938c7cdef66ed42c5858a0e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Nov 2023 00:43:03 +0530
+Subject: drm/nouveau/fence:: fix warning directly dereferencing a rcu pointer
+
+From: Abhinav Singh <singhabhinav9051571833@gmail.com>
+
+[ Upstream commit 5f35a624c1e30b5bae5023b3c256e94e0ad4f806 ]
+
+Fix a sparse warning with this message
+"warning:dereference of noderef expression". In this context it means we
+are dereferencing a __rcu tagged pointer directly.
+
+We should not be directly dereferencing a rcu pointer. To get a normal
+(non __rcu tagged pointer) from a __rcu tagged pointer we are using the
+function unrcu_pointer(...). The non __rcu tagged pointer then can be
+dereferenced just like a normal pointer.
+
+I tested with qemu with this command
+qemu-system-x86_64 \
+ -m 2G \
+ -smp 2 \
+ -kernel bzImage \
+ -append "console=ttyS0 root=/dev/sda earlyprintk=serial net.ifnames=0" \
+ -drive file=bullseye.img,format=raw \
+ -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 \
+ -net nic,model=e1000 \
+ -enable-kvm \
+ -nographic \
+ -pidfile vm.pid \
+ 2>&1 | tee vm.log
+with lockdep enabled.
+
+Fixes: 0ec5f02f0e2c ("drm/nouveau: prevent stale fence->channel pointers, and protect with rcu")
+Signed-off-by: Abhinav Singh <singhabhinav9051571833@gmail.com>
+Signed-off-by: Danilo Krummrich <dakr@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231113191303.3277733-1-singhabhinav9051571833@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nv04_fence.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nv04_fence.c b/drivers/gpu/drm/nouveau/nv04_fence.c
+index 5b71a5a5cd85..cdbc75e3d1f6 100644
+--- a/drivers/gpu/drm/nouveau/nv04_fence.c
++++ b/drivers/gpu/drm/nouveau/nv04_fence.c
+@@ -39,7 +39,7 @@ struct nv04_fence_priv {
+ static int
+ nv04_fence_emit(struct nouveau_fence *fence)
+ {
+- struct nvif_push *push = fence->channel->chan.push;
++ struct nvif_push *push = unrcu_pointer(fence->channel)->chan.push;
+ int ret = PUSH_WAIT(push, 2);
+ if (ret == 0) {
+ PUSH_NVSQ(push, NV_SW, 0x0150, fence->base.seqno);
+--
+2.43.0
+
--- /dev/null
+From de8e52cf2225c9ed8a29a41a72fcc8af7e01aa69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Nov 2023 13:44:02 -0600
+Subject: drm/panel-elida-kd35t133: hold panel in reset for unprepare
+
+From: Chris Morgan <macromorgan@hotmail.com>
+
+[ Upstream commit 03c5b2a5f6c39fe4e090346536cf1c14ee18b61e ]
+
+For devices like the Anbernic RG351M and RG351P the panel is wired to
+an always on regulator. When the device suspends and wakes up, there
+are some slight artifacts on the screen that go away over time. If
+instead we hold the panel in reset status after it is unprepared,
+this does not happen.
+
+Fixes: 5b6603360c12 ("drm/panel: add panel driver for Elida KD35T133 panels")
+Signed-off-by: Chris Morgan <macromorgan@hotmail.com>
+Reviewed-by: Jessica Zhang <quic_jesszhan@quicinc.com>
+Link: https://lore.kernel.org/r/20231117194405.1386265-3-macroalpha82@gmail.com
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231117194405.1386265-3-macroalpha82@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-elida-kd35t133.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/panel/panel-elida-kd35t133.c b/drivers/gpu/drm/panel/panel-elida-kd35t133.c
+index fe5ac3ef9018..9c1591f2920c 100644
+--- a/drivers/gpu/drm/panel/panel-elida-kd35t133.c
++++ b/drivers/gpu/drm/panel/panel-elida-kd35t133.c
+@@ -111,6 +111,8 @@ static int kd35t133_unprepare(struct drm_panel *panel)
+ return ret;
+ }
+
++ gpiod_set_value_cansleep(ctx->reset_gpio, 1);
++
+ regulator_disable(ctx->iovcc);
+ regulator_disable(ctx->vdd);
+
+--
+2.43.0
+
--- /dev/null
+From 7a75fca65a47616f447ea934e9b45faa3097e82e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Aug 2023 11:04:16 -0700
+Subject: drm/radeon: check return value of radeon_ring_lock()
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+[ Upstream commit 71225e1c930942cb1e042fc08c5cc0c4ef30e95e ]
+
+In the unlikely event of radeon_ring_lock() failing, its errno return
+value should be processed. This patch checks said return value and
+prints a debug message in case of an error.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: 48c0c902e2e6 ("drm/radeon/kms: add support for CP setup on SI")
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/si.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/radeon/si.c b/drivers/gpu/drm/radeon/si.c
+index 31e2c1083b08..e2eac766666e 100644
+--- a/drivers/gpu/drm/radeon/si.c
++++ b/drivers/gpu/drm/radeon/si.c
+@@ -3616,6 +3616,10 @@ static int si_cp_start(struct radeon_device *rdev)
+ for (i = RADEON_RING_TYPE_GFX_INDEX; i <= CAYMAN_RING_TYPE_CP2_INDEX; ++i) {
+ ring = &rdev->ring[i];
+ r = radeon_ring_lock(rdev, ring, 2);
++ if (r) {
++ DRM_ERROR("radeon: cp failed to lock ring (%d).\n", r);
++ return r;
++ }
+
+ /* clear the compute context state */
+ radeon_ring_write(ring, PACKET3_COMPUTE(PACKET3_CLEAR_STATE, 0));
+--
+2.43.0
+
--- /dev/null
+From 7cc6430774d0ed21a2d1feaf57f4646427d8c658 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Nov 2023 15:50:16 +0800
+Subject: drm/radeon: check the alloc_workqueue return value in
+ radeon_crtc_init()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 7a2464fac80d42f6f8819fed97a553e9c2f43310 ]
+
+check the alloc_workqueue return value in radeon_crtc_init()
+to avoid null-ptr-deref.
+
+Fixes: fa7f517cb26e ("drm/radeon: rework page flip handling v4")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_display.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c
+index 71bdafac9210..07d23a1e62a0 100644
+--- a/drivers/gpu/drm/radeon/radeon_display.c
++++ b/drivers/gpu/drm/radeon/radeon_display.c
+@@ -689,11 +689,16 @@ static void radeon_crtc_init(struct drm_device *dev, int index)
+ if (radeon_crtc == NULL)
+ return;
+
++ radeon_crtc->flip_queue = alloc_workqueue("radeon-crtc", WQ_HIGHPRI, 0);
++ if (!radeon_crtc->flip_queue) {
++ kfree(radeon_crtc);
++ return;
++ }
++
+ drm_crtc_init(dev, &radeon_crtc->base, &radeon_crtc_funcs);
+
+ drm_mode_crtc_set_gamma_size(&radeon_crtc->base, 256);
+ radeon_crtc->crtc_id = index;
+- radeon_crtc->flip_queue = alloc_workqueue("radeon-crtc", WQ_HIGHPRI, 0);
+ rdev->mode_info.crtcs[index] = radeon_crtc;
+
+ if (rdev->family >= CHIP_BONAIRE) {
+--
+2.43.0
+
--- /dev/null
+From b17be348fc462121ec664540ddcc463e8133a850 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Dec 2023 16:57:56 +0800
+Subject: drm/radeon/dpm: fix a memleak in sumo_parse_power_table
+
+From: Zhipeng Lu <alexious@zju.edu.cn>
+
+[ Upstream commit 0737df9ed0997f5b8addd6e2b9699a8c6edba2e4 ]
+
+The rdev->pm.dpm.ps allocated by kcalloc should be freed in every
+following error-handling path. However, in the error-handling of
+rdev->pm.power_state[i].clock_info the rdev->pm.dpm.ps is not freed,
+resulting in a memleak in this function.
+
+Fixes: 80ea2c129c76 ("drm/radeon/kms: add dpm support for sumo asics (v2)")
+Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/sumo_dpm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/radeon/sumo_dpm.c b/drivers/gpu/drm/radeon/sumo_dpm.c
+index b95d5d390caf..45d04996adf5 100644
+--- a/drivers/gpu/drm/radeon/sumo_dpm.c
++++ b/drivers/gpu/drm/radeon/sumo_dpm.c
+@@ -1493,8 +1493,10 @@ static int sumo_parse_power_table(struct radeon_device *rdev)
+ non_clock_array_index = power_state->v2.nonClockInfoIndex;
+ non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *)
+ &non_clock_info_array->nonClockInfo[non_clock_array_index];
+- if (!rdev->pm.power_state[i].clock_info)
++ if (!rdev->pm.power_state[i].clock_info) {
++ kfree(rdev->pm.dpm.ps);
+ return -EINVAL;
++ }
+ ps = kzalloc(sizeof(struct sumo_ps), GFP_KERNEL);
+ if (ps == NULL) {
+ kfree(rdev->pm.dpm.ps);
+--
+2.43.0
+
--- /dev/null
+From 9752e3a7a9f27145a745a113bbc3e287bc2a7657 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Nov 2023 07:22:12 -0800
+Subject: drm/radeon/r100: Fix integer overflow issues in r100_cs_track_check()
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+[ Upstream commit b5c5baa458faa5430c445acd9a17481274d77ccf ]
+
+It may be possible, albeit unlikely, to encounter integer overflow
+during the multiplication of several unsigned int variables, the
+result being assigned to a variable 'size' of wider type.
+
+Prevent this potential behaviour by converting one of the multiples
+to unsigned long.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: 0242f74d29df ("drm/radeon: clean up CS functions in r100.c")
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/r100.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c
+index 24c8db673931..6e4600c21697 100644
+--- a/drivers/gpu/drm/radeon/r100.c
++++ b/drivers/gpu/drm/radeon/r100.c
+@@ -2313,7 +2313,7 @@ int r100_cs_track_check(struct radeon_device *rdev, struct r100_cs_track *track)
+ switch (prim_walk) {
+ case 1:
+ for (i = 0; i < track->num_arrays; i++) {
+- size = track->arrays[i].esize * track->max_indx * 4;
++ size = track->arrays[i].esize * track->max_indx * 4UL;
+ if (track->arrays[i].robj == NULL) {
+ DRM_ERROR("(PW %u) Vertex array %u no buffer "
+ "bound\n", prim_walk, i);
+@@ -2332,7 +2332,7 @@ int r100_cs_track_check(struct radeon_device *rdev, struct r100_cs_track *track)
+ break;
+ case 2:
+ for (i = 0; i < track->num_arrays; i++) {
+- size = track->arrays[i].esize * (nverts - 1) * 4;
++ size = track->arrays[i].esize * (nverts - 1) * 4UL;
+ if (track->arrays[i].robj == NULL) {
+ DRM_ERROR("(PW %u) Vertex array %u no buffer "
+ "bound\n", prim_walk, i);
+--
+2.43.0
+
--- /dev/null
+From 2815e47bb592ac0ff2ce81b38d4dcb4f4332ba6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Nov 2023 07:22:30 -0800
+Subject: drm/radeon/r600_cs: Fix possible int overflows in r600_cs_check_reg()
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+[ Upstream commit 39c960bbf9d9ea862398759e75736cfb68c3446f ]
+
+While improbable, there may be a chance of hitting integer
+overflow when the result of radeon_get_ib_value() gets shifted
+left.
+
+Avoid it by casting one of the operands to larger data type (u64).
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: 1729dd33d20b ("drm/radeon/kms: r600 CS parser fixes")
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/r600_cs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/r600_cs.c b/drivers/gpu/drm/radeon/r600_cs.c
+index 390a9621604a..1e6ad9daff53 100644
+--- a/drivers/gpu/drm/radeon/r600_cs.c
++++ b/drivers/gpu/drm/radeon/r600_cs.c
+@@ -1276,7 +1276,7 @@ static int r600_cs_check_reg(struct radeon_cs_parser *p, u32 reg, u32 idx)
+ return -EINVAL;
+ }
+ tmp = (reg - CB_COLOR0_BASE) / 4;
+- track->cb_color_bo_offset[tmp] = radeon_get_ib_value(p, idx) << 8;
++ track->cb_color_bo_offset[tmp] = (u64)radeon_get_ib_value(p, idx) << 8;
+ ib[idx] += (u32)((reloc->gpu_offset >> 8) & 0xffffffff);
+ track->cb_color_base_last[tmp] = ib[idx];
+ track->cb_color_bo[tmp] = reloc->robj;
+@@ -1303,7 +1303,7 @@ static int r600_cs_check_reg(struct radeon_cs_parser *p, u32 reg, u32 idx)
+ "0x%04X\n", reg);
+ return -EINVAL;
+ }
+- track->htile_offset = radeon_get_ib_value(p, idx) << 8;
++ track->htile_offset = (u64)radeon_get_ib_value(p, idx) << 8;
+ ib[idx] += (u32)((reloc->gpu_offset >> 8) & 0xffffffff);
+ track->htile_bo = reloc->robj;
+ track->db_dirty = true;
+--
+2.43.0
+
--- /dev/null
+From 6403fa5511c244b1f02f4e815c0dd34ce5a02c3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Dec 2023 18:21:54 +0800
+Subject: drm/radeon/trinity_dpm: fix a memleak in trinity_parse_power_table
+
+From: Zhipeng Lu <alexious@zju.edu.cn>
+
+[ Upstream commit 28c28d7f77c06ac2c0b8f9c82bc04eba22912b3b ]
+
+The rdev->pm.dpm.ps allocated by kcalloc should be freed in every
+following error-handling path. However, in the error-handling of
+rdev->pm.power_state[i].clock_info the rdev->pm.dpm.ps is not freed,
+resulting in a memleak in this function.
+
+Fixes: d70229f70447 ("drm/radeon/kms: add dpm support for trinity asics")
+Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/trinity_dpm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/radeon/trinity_dpm.c b/drivers/gpu/drm/radeon/trinity_dpm.c
+index 4d93b84aa739..49c28fbe366e 100644
+--- a/drivers/gpu/drm/radeon/trinity_dpm.c
++++ b/drivers/gpu/drm/radeon/trinity_dpm.c
+@@ -1770,8 +1770,10 @@ static int trinity_parse_power_table(struct radeon_device *rdev)
+ non_clock_array_index = power_state->v2.nonClockInfoIndex;
+ non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *)
+ &non_clock_info_array->nonClockInfo[non_clock_array_index];
+- if (!rdev->pm.power_state[i].clock_info)
++ if (!rdev->pm.power_state[i].clock_info) {
++ kfree(rdev->pm.dpm.ps);
+ return -EINVAL;
++ }
+ ps = kzalloc(sizeof(struct sumo_ps), GFP_KERNEL);
+ if (ps == NULL) {
+ kfree(rdev->pm.dpm.ps);
+--
+2.43.0
+
--- /dev/null
+From 1b1f388420e1a4dc6c25773f42521b71fd1b922d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Dec 2023 15:20:24 +0530
+Subject: dt-bindings: clock: Update the videocc resets for sm8150
+
+From: Satya Priya Kakitapalli <quic_skakitap@quicinc.com>
+
+[ Upstream commit 3185f96968eedd117ec72ee7b87ead44b6d1bbbd ]
+
+Add all the available resets for the video clock controller
+on sm8150.
+
+Signed-off-by: Satya Priya Kakitapalli <quic_skakitap@quicinc.com>
+Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20231201-videocc-8150-v3-1-56bec3a5e443@quicinc.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Stable-dep-of: 1fd9a939db24 ("clk: qcom: videocc-sm8150: Update the videocc resets")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/dt-bindings/clock/qcom,videocc-sm8150.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/include/dt-bindings/clock/qcom,videocc-sm8150.h b/include/dt-bindings/clock/qcom,videocc-sm8150.h
+index e24ee840cfdb..c557b78dc572 100644
+--- a/include/dt-bindings/clock/qcom,videocc-sm8150.h
++++ b/include/dt-bindings/clock/qcom,videocc-sm8150.h
+@@ -16,6 +16,10 @@
+
+ /* VIDEO_CC Resets */
+ #define VIDEO_CC_MVSC_CORE_CLK_BCR 0
++#define VIDEO_CC_INTERFACE_BCR 1
++#define VIDEO_CC_MVS0_BCR 2
++#define VIDEO_CC_MVS1_BCR 3
++#define VIDEO_CC_MVSC_BCR 4
+
+ /* VIDEO_CC GDSCRs */
+ #define VENUS_GDSC 0
+--
+2.43.0
+
--- /dev/null
+From 1212fd2b3a09a38e80d69077b7189545cefc782d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Nov 2023 23:19:53 +0100
+Subject: EDAC/thunderx: Fix possible out-of-bounds string access
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 475c58e1a471e9b873e3e39958c64a2d278275c8 ]
+
+Enabling -Wstringop-overflow globally exposes a warning for a common bug
+in the usage of strncat():
+
+ drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':
+ drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
+ 1136 | strncat(msg, other, OCX_MESSAGE_SIZE);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ...
+ 1145 | strncat(msg, other, OCX_MESSAGE_SIZE);
+ ...
+ 1150 | strncat(msg, other, OCX_MESSAGE_SIZE);
+
+ ...
+
+Apparently the author of this driver expected strncat() to behave the
+way that strlcat() does, which uses the size of the destination buffer
+as its third argument rather than the length of the source buffer. The
+result is that there is no check on the size of the allocated buffer.
+
+Change it to strlcat().
+
+ [ bp: Trim compiler output, fixup commit message. ]
+
+Fixes: 41003396f932 ("EDAC, thunderx: Add Cavium ThunderX EDAC driver")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Link: https://lore.kernel.org/r/20231122222007.3199885-1-arnd@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/thunderx_edac.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/edac/thunderx_edac.c b/drivers/edac/thunderx_edac.c
+index 0eb5eb97fd74..3b0e1fe27d93 100644
+--- a/drivers/edac/thunderx_edac.c
++++ b/drivers/edac/thunderx_edac.c
+@@ -1133,7 +1133,7 @@ static irqreturn_t thunderx_ocx_com_threaded_isr(int irq, void *irq_id)
+ decode_register(other, OCX_OTHER_SIZE,
+ ocx_com_errors, ctx->reg_com_int);
+
+- strncat(msg, other, OCX_MESSAGE_SIZE);
++ strlcat(msg, other, OCX_MESSAGE_SIZE);
+
+ for (lane = 0; lane < OCX_RX_LANES; lane++)
+ if (ctx->reg_com_int & BIT(lane)) {
+@@ -1142,12 +1142,12 @@ static irqreturn_t thunderx_ocx_com_threaded_isr(int irq, void *irq_id)
+ lane, ctx->reg_lane_int[lane],
+ lane, ctx->reg_lane_stat11[lane]);
+
+- strncat(msg, other, OCX_MESSAGE_SIZE);
++ strlcat(msg, other, OCX_MESSAGE_SIZE);
+
+ decode_register(other, OCX_OTHER_SIZE,
+ ocx_lane_errors,
+ ctx->reg_lane_int[lane]);
+- strncat(msg, other, OCX_MESSAGE_SIZE);
++ strlcat(msg, other, OCX_MESSAGE_SIZE);
+ }
+
+ if (ctx->reg_com_int & OCX_COM_INT_CE)
+@@ -1217,7 +1217,7 @@ static irqreturn_t thunderx_ocx_lnk_threaded_isr(int irq, void *irq_id)
+ decode_register(other, OCX_OTHER_SIZE,
+ ocx_com_link_errors, ctx->reg_com_link_int);
+
+- strncat(msg, other, OCX_MESSAGE_SIZE);
++ strlcat(msg, other, OCX_MESSAGE_SIZE);
+
+ if (ctx->reg_com_link_int & OCX_COM_LINK_INT_UE)
+ edac_device_handle_ue(ocx->edac_dev, 0, 0, msg);
+@@ -1896,7 +1896,7 @@ static irqreturn_t thunderx_l2c_threaded_isr(int irq, void *irq_id)
+
+ decode_register(other, L2C_OTHER_SIZE, l2_errors, ctx->reg_int);
+
+- strncat(msg, other, L2C_MESSAGE_SIZE);
++ strlcat(msg, other, L2C_MESSAGE_SIZE);
+
+ if (ctx->reg_int & mask_ue)
+ edac_device_handle_ue(l2c->edac_dev, 0, 0, msg);
+--
+2.43.0
+
--- /dev/null
+From 468d7422b1cf608c94548d7914dcdd9c8e84e6ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Nov 2023 14:40:56 +0900
+Subject: efivarfs: force RO when remounting if SetVariable is not supported
+
+From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
+
+[ Upstream commit 0e8d2444168dd519fea501599d150e62718ed2fe ]
+
+If SetVariable at runtime is not supported by the firmware we never assign
+a callback for that function. At the same time mount the efivarfs as
+RO so no one can call that. However, we never check the permission flags
+when someone remounts the filesystem as RW. As a result this leads to a
+crash looking like this:
+
+$ mount -o remount,rw /sys/firmware/efi/efivars
+$ efi-updatevar -f PK.auth PK
+
+[ 303.279166] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+[ 303.280482] Mem abort info:
+[ 303.280854] ESR = 0x0000000086000004
+[ 303.281338] EC = 0x21: IABT (current EL), IL = 32 bits
+[ 303.282016] SET = 0, FnV = 0
+[ 303.282414] EA = 0, S1PTW = 0
+[ 303.282821] FSC = 0x04: level 0 translation fault
+[ 303.283771] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004258c000
+[ 303.284913] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
+[ 303.286076] Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP
+[ 303.286936] Modules linked in: qrtr tpm_tis tpm_tis_core crct10dif_ce arm_smccc_trng rng_core drm fuse ip_tables x_tables ipv6
+[ 303.288586] CPU: 1 PID: 755 Comm: efi-updatevar Not tainted 6.3.0-rc1-00108-gc7d0c4695c68 #1
+[ 303.289748] Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.04-00627-g88336918701d 04/01/2023
+[ 303.291150] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ 303.292123] pc : 0x0
+[ 303.292443] lr : efivar_set_variable_locked+0x74/0xec
+[ 303.293156] sp : ffff800008673c10
+[ 303.293619] x29: ffff800008673c10 x28: ffff0000037e8000 x27: 0000000000000000
+[ 303.294592] x26: 0000000000000800 x25: ffff000002467400 x24: 0000000000000027
+[ 303.295572] x23: ffffd49ea9832000 x22: ffff0000020c9800 x21: ffff000002467000
+[ 303.296566] x20: 0000000000000001 x19: 00000000000007fc x18: 0000000000000000
+[ 303.297531] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaac807ab54
+[ 303.298495] x14: ed37489f673633c0 x13: 71c45c606de13f80 x12: 47464259e219acf4
+[ 303.299453] x11: ffff000002af7b01 x10: 0000000000000003 x9 : 0000000000000002
+[ 303.300431] x8 : 0000000000000010 x7 : ffffd49ea8973230 x6 : 0000000000a85201
+[ 303.301412] x5 : 0000000000000000 x4 : ffff0000020c9800 x3 : 00000000000007fc
+[ 303.302370] x2 : 0000000000000027 x1 : ffff000002467400 x0 : ffff000002467000
+[ 303.303341] Call trace:
+[ 303.303679] 0x0
+[ 303.303938] efivar_entry_set_get_size+0x98/0x16c
+[ 303.304585] efivarfs_file_write+0xd0/0x1a4
+[ 303.305148] vfs_write+0xc4/0x2e4
+[ 303.305601] ksys_write+0x70/0x104
+[ 303.306073] __arm64_sys_write+0x1c/0x28
+[ 303.306622] invoke_syscall+0x48/0x114
+[ 303.307156] el0_svc_common.constprop.0+0x44/0xec
+[ 303.307803] do_el0_svc+0x38/0x98
+[ 303.308268] el0_svc+0x2c/0x84
+[ 303.308702] el0t_64_sync_handler+0xf4/0x120
+[ 303.309293] el0t_64_sync+0x190/0x194
+[ 303.309794] Code: ???????? ???????? ???????? ???????? (????????)
+[ 303.310612] ---[ end trace 0000000000000000 ]---
+
+Fix this by adding a .reconfigure() function to the fs operations which
+we can use to check the requested flags and deny anything that's not RO
+if the firmware doesn't implement SetVariable at runtime.
+
+Fixes: f88814cc2578 ("efi/efivars: Expose RT service availability via efivars abstraction")
+Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/efivarfs/super.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c
+index 15880a68faad..3626816b174a 100644
+--- a/fs/efivarfs/super.c
++++ b/fs/efivarfs/super.c
+@@ -13,6 +13,7 @@
+ #include <linux/ucs2_string.h>
+ #include <linux/slab.h>
+ #include <linux/magic.h>
++#include <linux/printk.h>
+
+ #include "internal.h"
+
+@@ -231,8 +232,19 @@ static int efivarfs_get_tree(struct fs_context *fc)
+ return get_tree_single(fc, efivarfs_fill_super);
+ }
+
++static int efivarfs_reconfigure(struct fs_context *fc)
++{
++ if (!efivar_supports_writes() && !(fc->sb_flags & SB_RDONLY)) {
++ pr_err("Firmware does not support SetVariableRT. Can not remount with rw\n");
++ return -EINVAL;
++ }
++
++ return 0;
++}
++
+ static const struct fs_context_operations efivarfs_context_ops = {
+ .get_tree = efivarfs_get_tree,
++ .reconfigure = efivarfs_reconfigure,
+ };
+
+ static int efivarfs_init_fs_context(struct fs_context *fc)
+--
+2.43.0
+
--- /dev/null
+From d7475aa3ef1ae34df8ea194a381e5822c29d63b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Nov 2023 17:25:16 +0800
+Subject: f2fs: fix to avoid dirent corruption
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 53edb549565f55ccd0bdf43be3d66ce4c2d48b28 ]
+
+As Al reported in link[1]:
+
+f2fs_rename()
+...
+ if (old_dir != new_dir && !whiteout)
+ f2fs_set_link(old_inode, old_dir_entry,
+ old_dir_page, new_dir);
+ else
+ f2fs_put_page(old_dir_page, 0);
+
+You want correct inumber in the ".." link. And cross-directory
+rename does move the source to new parent, even if you'd been asked
+to leave a whiteout in the old place.
+
+[1] https://lore.kernel.org/all/20231017055040.GN800259@ZenIV/
+
+With below testcase, it may cause dirent corruption, due to it missed
+to call f2fs_set_link() to update ".." link to new directory.
+- mkdir -p dir/foo
+- renameat2 -w dir/foo bar
+
+[ASSERT] (__chk_dots_dentries:1421) --> Bad inode number[0x4] for '..', parent parent ino is [0x3]
+[FSCK] other corrupted bugs [Fail]
+
+Fixes: 7e01e7ad746b ("f2fs: support RENAME_WHITEOUT")
+Cc: Jan Kara <jack@suse.cz>
+Reported-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/namei.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
+index 72b109685db4..99e4ec48d2a4 100644
+--- a/fs/f2fs/namei.c
++++ b/fs/f2fs/namei.c
+@@ -1066,7 +1066,7 @@ static int f2fs_rename(struct inode *old_dir, struct dentry *old_dentry,
+ }
+
+ if (old_dir_entry) {
+- if (old_dir != new_dir && !whiteout)
++ if (old_dir != new_dir)
+ f2fs_set_link(old_inode, old_dir_entry,
+ old_dir_page, new_dir);
+ else
+--
+2.43.0
+
--- /dev/null
+From 1f4ce35a468cf2c68ae18019928850b48eb42bac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 10 Dec 2023 19:35:44 +0800
+Subject: f2fs: fix to check compress file in f2fs_move_file_range()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit fb9b65340c818875ea86464faf3c744bdce0055c ]
+
+f2fs_move_file_range() doesn't support migrating compressed cluster
+data, let's add the missing check condition and return -EOPNOTSUPP
+for the case until we support it.
+
+Fixes: 4c8ff7095bef ("f2fs: support data compression")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/file.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index 4e6b93f16758..98960c8d72c0 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -2816,6 +2816,11 @@ static int f2fs_move_file_range(struct file *file_in, loff_t pos_in,
+ goto out;
+ }
+
++ if (f2fs_compressed_file(src) || f2fs_compressed_file(dst)) {
++ ret = -EOPNOTSUPP;
++ goto out_unlock;
++ }
++
+ ret = -EINVAL;
+ if (pos_in + len > src->i_size || pos_in + len < pos_in)
+ goto out_unlock;
+--
+2.43.0
+
--- /dev/null
+From 9b72d201e973ab817e165931d2e796bafc12d11d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 10 Dec 2023 19:35:47 +0800
+Subject: f2fs: fix to update iostat correctly in f2fs_filemap_fault()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit bb34cc6ca87ff78f9fb5913d7619dc1389554da6 ]
+
+In f2fs_filemap_fault(), it fixes to update iostat info only if
+VM_FAULT_LOCKED is tagged in return value of filemap_fault().
+
+Fixes: 8b83ac81f428 ("f2fs: support read iostat")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index 98960c8d72c0..55818bd510fb 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -42,7 +42,7 @@ static vm_fault_t f2fs_filemap_fault(struct vm_fault *vmf)
+ ret = filemap_fault(vmf);
+ up_read(&F2FS_I(inode)->i_mmap_sem);
+
+- if (!ret)
++ if (ret & VM_FAULT_LOCKED)
+ f2fs_update_iostat(F2FS_I_SB(inode), APP_MAPPED_READ_IO,
+ F2FS_BLKSIZE);
+
+--
+2.43.0
+
--- /dev/null
+From cadf8e63a64249541a25ffa7f430f86359265764 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Mar 2023 17:55:57 +0300
+Subject: firmware: meson_sm: populate platform devices from sm device tree
+ data
+
+From: Dmitry Rokosov <ddrokosov@sberdevices.ru>
+
+[ Upstream commit e45f243409db98d610248c843b25435e7fb0baf3 ]
+
+In some meson boards, secure monitor device has children, for example,
+power secure controller. By default, secure monitor isn't the bus in terms
+of device tree subsystem, so the of_platform initialization code doesn't
+populate its device tree data. As a result, secure monitor's children
+aren't probed at all.
+
+Run the 'of_platform_populate()' routine manually to resolve such issues.
+
+Signed-off-by: Dmitry Rokosov <ddrokosov@sberdevices.ru>
+Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Link: https://lore.kernel.org/r/20230324145557.27797-1-ddrokosov@sberdevices.ru
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Stable-dep-of: d8385d7433f9 ("firmware: meson-sm: unmap out_base shmem in error path")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/meson/meson_sm.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/meson/meson_sm.c b/drivers/firmware/meson/meson_sm.c
+index ed27ff2e503e..7dff8833132d 100644
+--- a/drivers/firmware/meson/meson_sm.c
++++ b/drivers/firmware/meson/meson_sm.c
+@@ -313,11 +313,14 @@ static int __init meson_sm_probe(struct platform_device *pdev)
+
+ platform_set_drvdata(pdev, fw);
+
+- pr_info("secure-monitor enabled\n");
++ if (devm_of_platform_populate(dev))
++ goto out_in_base;
+
+ if (sysfs_create_group(&pdev->dev.kobj, &meson_sm_sysfs_attr_group))
+ goto out_in_base;
+
++ pr_info("secure-monitor enabled\n");
++
+ return 0;
+
+ out_in_base:
+--
+2.43.0
+
--- /dev/null
+From 85fe206fefc9e005cf25c2a1003f7d6394d96b67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Oct 2023 11:12:26 +0100
+Subject: firmware: ti_sci: Fix an off-by-one in ti_sci_debugfs_create()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 964946b88887089f447a9b6a28c39ee97dc76360 ]
+
+The ending NULL is not taken into account by strncat(), so switch to
+snprintf() to correctly build 'debug_name'.
+
+Using snprintf() also makes the code more readable.
+
+Fixes: aa276781a64a ("firmware: Add basic support for TI System Control Interface (TI-SCI) protocol")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/7158db0a4d7b19855ddd542ec61b666973aad8dc.1698660720.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/ti_sci.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/firmware/ti_sci.c b/drivers/firmware/ti_sci.c
+index fe6be0771a07..b0576cec263b 100644
+--- a/drivers/firmware/ti_sci.c
++++ b/drivers/firmware/ti_sci.c
+@@ -161,7 +161,7 @@ static int ti_sci_debugfs_create(struct platform_device *pdev,
+ {
+ struct device *dev = &pdev->dev;
+ struct resource *res;
+- char debug_name[50] = "ti_sci_debug@";
++ char debug_name[50];
+
+ /* Debug region is optional */
+ res = platform_get_resource_byname(pdev, IORESOURCE_MEM,
+@@ -178,10 +178,10 @@ static int ti_sci_debugfs_create(struct platform_device *pdev,
+ /* Setup NULL termination */
+ info->debug_buffer[info->debug_region_size] = 0;
+
+- info->d = debugfs_create_file(strncat(debug_name, dev_name(dev),
+- sizeof(debug_name) -
+- sizeof("ti_sci_debug@")),
+- 0444, NULL, info, &ti_sci_debug_fops);
++ snprintf(debug_name, sizeof(debug_name), "ti_sci_debug@%s",
++ dev_name(dev));
++ info->d = debugfs_create_file(debug_name, 0444, NULL, info,
++ &ti_sci_debug_fops);
+ if (IS_ERR(info->d))
+ return PTR_ERR(info->d);
+
+--
+2.43.0
+
--- /dev/null
+From b92696060da3966278fba1f0b2e5fe8ad8455052 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Nov 2023 12:17:37 -0500
+Subject: fs: indicate request originates from old mount API
+
+From: Christian Brauner <brauner@kernel.org>
+
+[ Upstream commit f67d922edb4e95a4a56d07d5d40a76dd4f23a85b ]
+
+We already communicate to filesystems when a remount request comes from
+the old mount API as some filesystems choose to implement different
+behavior in the new mount API than the old mount API to e.g., take the
+chance to fix significant API bugs. Allow the same for regular mount
+requests.
+
+Fixes: b330966f79fb ("fuse: reject options on reconfigure via fsconfig(2)")
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/namespace.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index 046b084136c5..b020a12c53a2 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -2627,7 +2627,12 @@ static int do_remount(struct path *path, int ms_flags, int sb_flags,
+ if (IS_ERR(fc))
+ return PTR_ERR(fc);
+
++ /*
++ * Indicate to the filesystem that the remount request is coming
++ * from the legacy mount system call.
++ */
+ fc->oldapi = true;
++
+ err = parse_monolithic_mount_data(fc, data);
+ if (!err) {
+ down_write(&sb->s_umount);
+@@ -2886,6 +2891,12 @@ static int do_new_mount(struct path *path, const char *fstype, int sb_flags,
+ if (IS_ERR(fc))
+ return PTR_ERR(fc);
+
++ /*
++ * Indicate to the filesystem that the mount request is coming
++ * from the legacy mount system call.
++ */
++ fc->oldapi = true;
++
+ if (subtype)
+ err = vfs_parse_fs_string(fc, "subtype",
+ subtype, strlen(subtype));
+--
+2.43.0
+
--- /dev/null
+From ecbebfaab08a9a55e22285c665e8dc97135828af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Oct 2020 19:39:18 +0200
+Subject: gfs2: Also reflect single-block allocations in rgd->rd_extfail_pt
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit f38e998fbbb5da6a097ecd4b2700ba95eabab0c9 ]
+
+Pass a non-NULL minext to gfs2_rbm_find even for single-block allocations. In
+gfs2_rbm_find, also set rgd->rd_extfail_pt when a single-block allocation
+fails in a resource group: there is no reason for treating that case
+differently. In gfs2_reservation_check_and_update, only check how many free
+blocks we have if more than one block is requested; we already know there's at
+least one free block.
+
+In addition, when allocating N blocks fails in gfs2_rbm_find, we need to set
+rd_extfail_pt to N - 1 rather than N: rd_extfail_pt defines the biggest
+allocation that might still succeed.
+
+Finally, reset rd_extfail_pt when updating the resource group statistics in
+update_rgrp_lvb, as we already do in gfs2_rgrp_bh_get.
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Stable-dep-of: 8877243beafa ("gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/rgrp.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c
+index e05c01d5b9e6..ac0715aafa8e 100644
+--- a/fs/gfs2/rgrp.c
++++ b/fs/gfs2/rgrp.c
+@@ -1247,6 +1247,8 @@ static int update_rgrp_lvb(struct gfs2_rgrpd *rgd)
+ rgd->rd_flags &= ~GFS2_RDF_CHECK;
+ rgd->rd_free = be32_to_cpu(rgd->rd_rgl->rl_free);
+ rgd->rd_free_clone = rgd->rd_free;
++ /* max out the rgrp allocation failure point */
++ rgd->rd_extfail_pt = rgd->rd_free;
+ rgd->rd_dinodes = be32_to_cpu(rgd->rd_rgl->rl_dinodes);
+ rgd->rd_igeneration = be64_to_cpu(rgd->rd_rgl->rl_igeneration);
+ return 0;
+@@ -1648,7 +1650,7 @@ static int gfs2_reservation_check_and_update(struct gfs2_rbm *rbm,
+ * If we have a minimum extent length, then skip over any extent
+ * which is less than the min extent length in size.
+ */
+- if (minext) {
++ if (minext > 1) {
+ extlen = gfs2_free_extlen(rbm, minext);
+ if (extlen <= maxext->len)
+ goto fail;
+@@ -1680,7 +1682,7 @@ static int gfs2_reservation_check_and_update(struct gfs2_rbm *rbm,
+ * gfs2_rbm_find - Look for blocks of a particular state
+ * @rbm: Value/result starting position and final position
+ * @state: The state which we want to find
+- * @minext: Pointer to the requested extent length (NULL for a single block)
++ * @minext: Pointer to the requested extent length
+ * This is updated to be the actual reservation size.
+ * @ip: If set, check for reservations
+ * @nowrap: Stop looking at the end of the rgrp, rather than wrapping
+@@ -1736,8 +1738,7 @@ static int gfs2_rbm_find(struct gfs2_rbm *rbm, u8 state, u32 *minext,
+ if (ip == NULL)
+ return 0;
+
+- ret = gfs2_reservation_check_and_update(rbm, ip,
+- minext ? *minext : 0,
++ ret = gfs2_reservation_check_and_update(rbm, ip, *minext,
+ &maxext);
+ if (ret == 0)
+ return 0;
+@@ -1769,7 +1770,7 @@ static int gfs2_rbm_find(struct gfs2_rbm *rbm, u8 state, u32 *minext,
+ break;
+ }
+
+- if (minext == NULL || state != GFS2_BLKST_FREE)
++ if (state != GFS2_BLKST_FREE)
+ return -ENOSPC;
+
+ /* If the extent was too small, and it's smaller than the smallest
+@@ -1777,7 +1778,7 @@ static int gfs2_rbm_find(struct gfs2_rbm *rbm, u8 state, u32 *minext,
+ useless to search this rgrp again for this amount or more. */
+ if (wrapped && (scan_from_start || rbm->bii > last_bii) &&
+ *minext < rbm->rgd->rd_extfail_pt)
+- rbm->rgd->rd_extfail_pt = *minext;
++ rbm->rgd->rd_extfail_pt = *minext - 1;
+
+ /* If the maximum extent we found is big enough to fulfill the
+ minimum requirements, use it anyway. */
+@@ -2351,14 +2352,15 @@ int gfs2_alloc_blocks(struct gfs2_inode *ip, u64 *bn, unsigned int *nblocks,
+ struct gfs2_rbm rbm = { .rgd = ip->i_res.rs_rbm.rgd, };
+ unsigned int ndata;
+ u64 block; /* block, within the file system scope */
++ u32 minext = 1;
+ int error;
+
+ gfs2_set_alloc_start(&rbm, ip, dinode);
+- error = gfs2_rbm_find(&rbm, GFS2_BLKST_FREE, NULL, ip, false);
++ error = gfs2_rbm_find(&rbm, GFS2_BLKST_FREE, &minext, ip, false);
+
+ if (error == -ENOSPC) {
+ gfs2_set_alloc_start(&rbm, ip, dinode);
+- error = gfs2_rbm_find(&rbm, GFS2_BLKST_FREE, NULL, NULL, false);
++ error = gfs2_rbm_find(&rbm, GFS2_BLKST_FREE, &minext, NULL, false);
+ }
+
+ /* Since all blocks are reserved in advance, this shouldn't happen */
+--
+2.43.0
+
--- /dev/null
+From 1568020ca079cd598a4f2fc8f0db3e9f9df0642d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Nov 2023 21:21:29 +0500
+Subject: gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump
+
+From: Osama Muhammad <osmtendev@gmail.com>
+
+[ Upstream commit 8877243beafa7c6bfc42022cbfdf9e39b25bd4fa ]
+
+Syzkaller has reported a NULL pointer dereference when accessing
+rgd->rd_rgl in gfs2_rgrp_dump(). This can happen when creating
+rgd->rd_gl fails in read_rindex_entry(). Add a NULL pointer check in
+gfs2_rgrp_dump() to prevent that.
+
+Reported-and-tested-by: syzbot+da0fc229cc1ff4bb2e6d@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=da0fc229cc1ff4bb2e6d
+Fixes: 72244b6bc752 ("gfs2: improve debug information when lvb mismatches are found")
+Signed-off-by: Osama Muhammad <osmtendev@gmail.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/rgrp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c
+index ac0715aafa8e..1ffdc4ad6246 100644
+--- a/fs/gfs2/rgrp.c
++++ b/fs/gfs2/rgrp.c
+@@ -2231,7 +2231,7 @@ void gfs2_rgrp_dump(struct seq_file *seq, struct gfs2_rgrpd *rgd,
+ (unsigned long long)rgd->rd_addr, rgd->rd_flags,
+ rgd->rd_free, rgd->rd_free_clone, rgd->rd_dinodes,
+ rgd->rd_reserved, rgd->rd_extfail_pt);
+- if (rgd->rd_sbd->sd_args.ar_rgrplvb) {
++ if (rgd->rd_sbd->sd_args.ar_rgrplvb && rgd->rd_rgl) {
+ struct gfs2_rgrp_lvb *rgl = rgd->rd_rgl;
+
+ gfs2_print_dbg(seq, "%s L: f:%02x b:%u i:%u\n", fs_id_buf,
+--
+2.43.0
+
--- /dev/null
+From 62d8aab4e922043f97a2e9a45c31971681158aef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Dec 2023 00:58:42 +0800
+Subject: gpu/drm/radeon: fix two memleaks in radeon_vm_init
+
+From: Zhipeng Lu <alexious@zju.edu.cn>
+
+[ Upstream commit c2709b2d6a537ca0fa0f1da36fdaf07e48ef447d ]
+
+When radeon_bo_create and radeon_vm_clear_bo fail, the vm->page_tables
+allocated before need to be freed. However, neither radeon_vm_init
+itself nor its caller have done such deallocation.
+
+Fixes: 6d2f2944e95e ("drm/radeon: use normal BOs for the page tables v4")
+Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_vm.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_vm.c b/drivers/gpu/drm/radeon/radeon_vm.c
+index 27b14eff532c..cb75ff1f6f2c 100644
+--- a/drivers/gpu/drm/radeon/radeon_vm.c
++++ b/drivers/gpu/drm/radeon/radeon_vm.c
+@@ -1206,13 +1206,17 @@ int radeon_vm_init(struct radeon_device *rdev, struct radeon_vm *vm)
+ r = radeon_bo_create(rdev, pd_size, align, true,
+ RADEON_GEM_DOMAIN_VRAM, 0, NULL,
+ NULL, &vm->page_directory);
+- if (r)
++ if (r) {
++ kfree(vm->page_tables);
++ vm->page_tables = NULL;
+ return r;
+-
++ }
+ r = radeon_vm_clear_bo(rdev, vm->page_directory);
+ if (r) {
+ radeon_bo_unref(&vm->page_directory);
+ vm->page_directory = NULL;
++ kfree(vm->page_tables);
++ vm->page_tables = NULL;
+ return r;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 0fc9120917fb49409b2d76deced92700893d2839 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Dec 2023 09:23:11 +0200
+Subject: IB/iser: Prevent invalidating wrong MR
+
+From: Sergey Gorenko <sergeygo@nvidia.com>
+
+[ Upstream commit 2f1888281e67205bd80d3e8f54dbd519a9653f26 ]
+
+The iser_reg_resources structure has two pointers to MR but only one
+mr_valid field. The implementation assumes that we use only *sig_mr when
+pi_enable is true. Otherwise, we use only *mr. However, it is only
+sometimes correct. Read commands without protection information occur even
+when pi_enble is true. For example, the following SCSI commands have a
+Data-In buffer but never have protection information: READ CAPACITY (16),
+INQUIRY, MODE SENSE(6), MAINTENANCE IN. So, we use
+*sig_mr for some SCSI commands and *mr for the other SCSI commands.
+
+In most cases, it works fine because the remote invalidation is applied.
+However, there are two cases when the remote invalidation is not
+applicable.
+ 1. Small write commands when all data is sent as an immediate.
+ 2. The target does not support the remote invalidation feature.
+
+The lazy invalidation is used if the remote invalidation is impossible.
+Since, at the lazy invalidation, we always invalidate the MR we want to
+use, the wrong MR may be invalidated.
+
+To fix the issue, we need a field per MR that indicates the MR needs
+invalidation. Since the ib_mr structure already has such a field, let's
+use ib_mr.need_inval instead of iser_reg_resources.mr_valid.
+
+Fixes: b76a439982f8 ("IB/iser: Use IB_WR_REG_MR_INTEGRITY for PI handover")
+Link: https://lore.kernel.org/r/20231219072311.40989-1-sergeygo@nvidia.com
+Acked-by: Max Gurtovoy <mgurtovoy@nvidia.com>
+Signed-off-by: Sergey Gorenko <sergeygo@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/iser/iscsi_iser.h | 2 --
+ drivers/infiniband/ulp/iser/iser_initiator.c | 5 ++++-
+ drivers/infiniband/ulp/iser/iser_memory.c | 8 ++++----
+ drivers/infiniband/ulp/iser/iser_verbs.c | 1 -
+ 4 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/iser/iscsi_iser.h b/drivers/infiniband/ulp/iser/iscsi_iser.h
+index 78ee9445f801..45a2d2b82b09 100644
+--- a/drivers/infiniband/ulp/iser/iscsi_iser.h
++++ b/drivers/infiniband/ulp/iser/iscsi_iser.h
+@@ -322,12 +322,10 @@ struct iser_device {
+ *
+ * @mr: memory region
+ * @sig_mr: signature memory region
+- * @mr_valid: is mr valid indicator
+ */
+ struct iser_reg_resources {
+ struct ib_mr *mr;
+ struct ib_mr *sig_mr;
+- u8 mr_valid:1;
+ };
+
+ /**
+diff --git a/drivers/infiniband/ulp/iser/iser_initiator.c b/drivers/infiniband/ulp/iser/iser_initiator.c
+index 27a6f75a9912..9ea88dd6a414 100644
+--- a/drivers/infiniband/ulp/iser/iser_initiator.c
++++ b/drivers/infiniband/ulp/iser/iser_initiator.c
+@@ -602,7 +602,10 @@ iser_inv_desc(struct iser_fr_desc *desc, u32 rkey)
+ return -EINVAL;
+ }
+
+- desc->rsc.mr_valid = 0;
++ if (desc->sig_protected)
++ desc->rsc.sig_mr->need_inval = false;
++ else
++ desc->rsc.mr->need_inval = false;
+
+ return 0;
+ }
+diff --git a/drivers/infiniband/ulp/iser/iser_memory.c b/drivers/infiniband/ulp/iser/iser_memory.c
+index d4e057fac219..519fea5ec3a1 100644
+--- a/drivers/infiniband/ulp/iser/iser_memory.c
++++ b/drivers/infiniband/ulp/iser/iser_memory.c
+@@ -250,7 +250,7 @@ iser_reg_sig_mr(struct iscsi_iser_task *iser_task,
+
+ iser_set_prot_checks(iser_task->sc, &sig_attrs->check_mask);
+
+- if (rsc->mr_valid)
++ if (rsc->sig_mr->need_inval)
+ iser_inv_rkey(&tx_desc->inv_wr, mr, cqe, &wr->wr);
+
+ ib_update_fast_reg_key(mr, ib_inc_rkey(mr->rkey));
+@@ -274,7 +274,7 @@ iser_reg_sig_mr(struct iscsi_iser_task *iser_task,
+ wr->access = IB_ACCESS_LOCAL_WRITE |
+ IB_ACCESS_REMOTE_READ |
+ IB_ACCESS_REMOTE_WRITE;
+- rsc->mr_valid = 1;
++ rsc->sig_mr->need_inval = true;
+
+ sig_reg->sge.lkey = mr->lkey;
+ sig_reg->rkey = mr->rkey;
+@@ -299,7 +299,7 @@ static int iser_fast_reg_mr(struct iscsi_iser_task *iser_task,
+ struct ib_reg_wr *wr = &tx_desc->reg_wr;
+ int n;
+
+- if (rsc->mr_valid)
++ if (rsc->mr->need_inval)
+ iser_inv_rkey(&tx_desc->inv_wr, mr, cqe, &wr->wr);
+
+ ib_update_fast_reg_key(mr, ib_inc_rkey(mr->rkey));
+@@ -322,7 +322,7 @@ static int iser_fast_reg_mr(struct iscsi_iser_task *iser_task,
+ IB_ACCESS_REMOTE_WRITE |
+ IB_ACCESS_REMOTE_READ;
+
+- rsc->mr_valid = 1;
++ rsc->mr->need_inval = true;
+
+ reg->sge.lkey = mr->lkey;
+ reg->rkey = mr->rkey;
+diff --git a/drivers/infiniband/ulp/iser/iser_verbs.c b/drivers/infiniband/ulp/iser/iser_verbs.c
+index 2bd18b006893..b5127479860d 100644
+--- a/drivers/infiniband/ulp/iser/iser_verbs.c
++++ b/drivers/infiniband/ulp/iser/iser_verbs.c
+@@ -136,7 +136,6 @@ iser_create_fastreg_desc(struct iser_device *device,
+ goto err_alloc_mr_integrity;
+ }
+ }
+- desc->rsc.mr_valid = 0;
+
+ return desc;
+
+--
+2.43.0
+
--- /dev/null
+From 04aeadcf5397e48bade698ee6a02c0a24cfc917b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jan 2024 17:03:13 +0000
+Subject: ip6_tunnel: fix NEXTHDR_FRAGMENT handling in
+ ip6_tnl_parse_tlv_enc_lim()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d375b98e0248980681e5e56b712026174d617198 ]
+
+syzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken.
+
+Reading frag_off can only be done if we pulled enough bytes
+to skb->head. Currently we might access garbage.
+
+[1]
+BUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0
+ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0
+ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]
+ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432
+__netdev_start_xmit include/linux/netdevice.h:4940 [inline]
+netdev_start_xmit include/linux/netdevice.h:4954 [inline]
+xmit_one net/core/dev.c:3548 [inline]
+dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564
+__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349
+dev_queue_xmit include/linux/netdevice.h:3134 [inline]
+neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592
+neigh_output include/net/neighbour.h:542 [inline]
+ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137
+ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222
+NF_HOOK_COND include/linux/netfilter.h:303 [inline]
+ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243
+dst_output include/net/dst.h:451 [inline]
+ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155
+ip6_send_skb net/ipv6/ip6_output.c:1952 [inline]
+ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972
+rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582
+rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920
+inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847
+sock_sendmsg_nosec net/socket.c:730 [inline]
+__sock_sendmsg net/socket.c:745 [inline]
+____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
+___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
+__sys_sendmsg net/socket.c:2667 [inline]
+__do_sys_sendmsg net/socket.c:2676 [inline]
+__se_sys_sendmsg net/socket.c:2674 [inline]
+__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
+do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
+entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+Uninit was created at:
+slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
+slab_alloc_node mm/slub.c:3478 [inline]
+__kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517
+__do_kmalloc_node mm/slab_common.c:1006 [inline]
+__kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027
+kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582
+pskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098
+__pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655
+pskb_may_pull_reason include/linux/skbuff.h:2673 [inline]
+pskb_may_pull include/linux/skbuff.h:2681 [inline]
+ip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408
+ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]
+ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432
+__netdev_start_xmit include/linux/netdevice.h:4940 [inline]
+netdev_start_xmit include/linux/netdevice.h:4954 [inline]
+xmit_one net/core/dev.c:3548 [inline]
+dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564
+__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349
+dev_queue_xmit include/linux/netdevice.h:3134 [inline]
+neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592
+neigh_output include/net/neighbour.h:542 [inline]
+ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137
+ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222
+NF_HOOK_COND include/linux/netfilter.h:303 [inline]
+ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243
+dst_output include/net/dst.h:451 [inline]
+ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155
+ip6_send_skb net/ipv6/ip6_output.c:1952 [inline]
+ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972
+rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582
+rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920
+inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847
+sock_sendmsg_nosec net/socket.c:730 [inline]
+__sock_sendmsg net/socket.c:745 [inline]
+____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
+___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
+__sys_sendmsg net/socket.c:2667 [inline]
+__do_sys_sendmsg net/socket.c:2676 [inline]
+__se_sys_sendmsg net/socket.c:2674 [inline]
+__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
+do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
+entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+CPU: 0 PID: 7345 Comm: syz-executor.3 Not tainted 6.7.0-rc8-syzkaller-00024-gac865f00af29 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
+
+Fixes: fbfa743a9d2a ("ipv6: fix ip6_tnl_parse_tlv_enc_lim()")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_tunnel.c | 26 +++++++++++++-------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
+index a03a322e0cc1..edf4a842506f 100644
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -427,7 +427,7 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct sk_buff *skb, __u8 *raw)
+ const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)raw;
+ unsigned int nhoff = raw - skb->data;
+ unsigned int off = nhoff + sizeof(*ipv6h);
+- u8 next, nexthdr = ipv6h->nexthdr;
++ u8 nexthdr = ipv6h->nexthdr;
+
+ while (ipv6_ext_hdr(nexthdr) && nexthdr != NEXTHDR_NONE) {
+ struct ipv6_opt_hdr *hdr;
+@@ -438,25 +438,25 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct sk_buff *skb, __u8 *raw)
+
+ hdr = (struct ipv6_opt_hdr *)(skb->data + off);
+ if (nexthdr == NEXTHDR_FRAGMENT) {
+- struct frag_hdr *frag_hdr = (struct frag_hdr *) hdr;
+- if (frag_hdr->frag_off)
+- break;
+ optlen = 8;
+ } else if (nexthdr == NEXTHDR_AUTH) {
+ optlen = ipv6_authlen(hdr);
+ } else {
+ optlen = ipv6_optlen(hdr);
+ }
+- /* cache hdr->nexthdr, since pskb_may_pull() might
+- * invalidate hdr
+- */
+- next = hdr->nexthdr;
+- if (nexthdr == NEXTHDR_DEST) {
+- u16 i = 2;
+
+- /* Remember : hdr is no longer valid at this point. */
+- if (!pskb_may_pull(skb, off + optlen))
++ if (!pskb_may_pull(skb, off + optlen))
++ break;
++
++ hdr = (struct ipv6_opt_hdr *)(skb->data + off);
++ if (nexthdr == NEXTHDR_FRAGMENT) {
++ struct frag_hdr *frag_hdr = (struct frag_hdr *)hdr;
++
++ if (frag_hdr->frag_off)
+ break;
++ }
++ if (nexthdr == NEXTHDR_DEST) {
++ u16 i = 2;
+
+ while (1) {
+ struct ipv6_tlv_tnl_enc_lim *tel;
+@@ -477,7 +477,7 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct sk_buff *skb, __u8 *raw)
+ i++;
+ }
+ }
+- nexthdr = next;
++ nexthdr = hdr->nexthdr;
+ off += optlen;
+ }
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From a60969707c7a58e91bf88e88e7562eab4f3c9c28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Dec 2023 21:22:55 +0800
+Subject: media: cx231xx: fix a memleak in cx231xx_init_isoc
+
+From: Zhipeng Lu <alexious@zju.edu.cn>
+
+[ Upstream commit 5d3c8990e2bbf929cb211563dadd70708f42e4e6 ]
+
+The dma_q->p_left_data alloced by kzalloc should be freed in all the
+following error handling paths. However, it hasn't been freed in the
+allocation error paths of dev->video_mode.isoc_ctl.urb and
+dev->video_mode.isoc_ctl.transfer_buffer.
+
+On the other hand, the dma_q->p_left_data did be freed in the
+error-handling paths after that of dev->video_mode.isoc_ctl.urb and
+dev->video_mode.isoc_ctl.transfer_buffer, by calling
+cx231xx_uninit_isoc(dev). So the same free operation should be done in
+error-handling paths of those two allocation.
+
+Fixes: 64fbf4445526 ("[media] cx231xx: Added support for Carraera, Shelby, RDx_253S and VIDEO_GRABBER")
+Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/cx231xx/cx231xx-core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/usb/cx231xx/cx231xx-core.c b/drivers/media/usb/cx231xx/cx231xx-core.c
+index 05d91caaed0c..46e34225b45c 100644
+--- a/drivers/media/usb/cx231xx/cx231xx-core.c
++++ b/drivers/media/usb/cx231xx/cx231xx-core.c
+@@ -1024,6 +1024,7 @@ int cx231xx_init_isoc(struct cx231xx *dev, int max_packets,
+ if (!dev->video_mode.isoc_ctl.urb) {
+ dev_err(dev->dev,
+ "cannot alloc memory for usb buffers\n");
++ kfree(dma_q->p_left_data);
+ return -ENOMEM;
+ }
+
+@@ -1033,6 +1034,7 @@ int cx231xx_init_isoc(struct cx231xx *dev, int max_packets,
+ dev_err(dev->dev,
+ "cannot allocate memory for usbtransfer\n");
+ kfree(dev->video_mode.isoc_ctl.urb);
++ kfree(dma_q->p_left_data);
+ return -ENOMEM;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 912a747847943f76603a0d6af53846568fddf7d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Oct 2023 08:20:26 +0100
+Subject: media: dvb-frontends: m88ds3103: Fix a memory leak in an error
+ handling path of m88ds3103_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 5b2f885e2f6f482d05c23f04c8240f7b4fc5bdb5 ]
+
+If an error occurs after a successful i2c_mux_add_adapter(), then
+i2c_mux_del_adapters() should be called to free some resources, as
+already done in the remove function.
+
+Fixes: e6089feca460 ("media: m88ds3103: Add support for ds3103b demod")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/m88ds3103.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/dvb-frontends/m88ds3103.c b/drivers/media/dvb-frontends/m88ds3103.c
+index ff106d6ece68..94c6cc59372c 100644
+--- a/drivers/media/dvb-frontends/m88ds3103.c
++++ b/drivers/media/dvb-frontends/m88ds3103.c
+@@ -1898,7 +1898,7 @@ static int m88ds3103_probe(struct i2c_client *client,
+ /* get frontend address */
+ ret = regmap_read(dev->regmap, 0x29, &utmp);
+ if (ret)
+- goto err_kfree;
++ goto err_del_adapters;
+ dev->dt_addr = ((utmp & 0x80) == 0) ? 0x42 >> 1 : 0x40 >> 1;
+ dev_dbg(&client->dev, "dt addr is 0x%02x\n", dev->dt_addr);
+
+@@ -1906,11 +1906,14 @@ static int m88ds3103_probe(struct i2c_client *client,
+ dev->dt_addr);
+ if (IS_ERR(dev->dt_client)) {
+ ret = PTR_ERR(dev->dt_client);
+- goto err_kfree;
++ goto err_del_adapters;
+ }
+ }
+
+ return 0;
++
++err_del_adapters:
++ i2c_mux_del_adapters(dev->muxc);
+ err_kfree:
+ kfree(dev);
+ err:
+--
+2.43.0
+
--- /dev/null
+From 6ec86f0c356864a08cbdcf8ff69ff7d1cab7fdde Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Oct 2023 12:53:33 +0300
+Subject: media: dvbdev: drop refcount on error path in dvb_device_open()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit a2dd235df435a05d389240be748909ada91201d2 ]
+
+If call to file->f_op->open() fails, then call dvb_device_put(dvbdev).
+
+Fixes: 0fc044b2b5e2 ("media: dvbdev: adopts refcnt to avoid UAF")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-core/dvbdev.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c
+index 2ff8a1b776fb..3a83e8e09256 100644
+--- a/drivers/media/dvb-core/dvbdev.c
++++ b/drivers/media/dvb-core/dvbdev.c
+@@ -114,6 +114,8 @@ static int dvb_device_open(struct inode *inode, struct file *file)
+ err = file->f_op->open(inode, file);
+ up_read(&minor_rwsem);
+ mutex_unlock(&dvbdev_mutex);
++ if (err)
++ dvb_device_put(dvbdev);
+ return err;
+ }
+ fail:
+--
+2.43.0
+
--- /dev/null
+From 4c48d7ab51eb2c240bde3cb3697e01c5aa88286f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Oct 2023 01:09:12 +0200
+Subject: media: pvrusb2: fix use after free on context disconnection
+
+From: Ricardo B. Marliere <ricardo@marliere.net>
+
+[ Upstream commit ded85b0c0edd8f45fec88783d7555a5b982449c1 ]
+
+Upon module load, a kthread is created targeting the
+pvr2_context_thread_func function, which may call pvr2_context_destroy
+and thus call kfree() on the context object. However, that might happen
+before the usb hub_event handler is able to notify the driver. This
+patch adds a sanity check before the invalid read reported by syzbot,
+within the context disconnection call stack.
+
+Reported-and-tested-by: syzbot+621409285c4156a009b3@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/000000000000a02a4205fff8eb92@google.com/
+
+Fixes: e5be15c63804 ("V4L/DVB (7711): pvrusb2: Fix race on module unload")
+Signed-off-by: Ricardo B. Marliere <ricardo@marliere.net>
+Acked-by: Mike Isely <isely@pobox.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/pvrusb2/pvrusb2-context.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/pvrusb2/pvrusb2-context.c b/drivers/media/usb/pvrusb2/pvrusb2-context.c
+index 14170a5d72b3..1764674de98b 100644
+--- a/drivers/media/usb/pvrusb2/pvrusb2-context.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-context.c
+@@ -268,7 +268,8 @@ void pvr2_context_disconnect(struct pvr2_context *mp)
+ {
+ pvr2_hdw_disconnect(mp->hdw);
+ mp->disconnect_flag = !0;
+- pvr2_context_notify(mp);
++ if (!pvr2_context_shutok())
++ pvr2_context_notify(mp);
+ }
+
+
+--
+2.43.0
+
--- /dev/null
+From c88e19047b16523c389a08e779334ccc6990ccfc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Jun 2022 20:10:36 +0100
+Subject: media: rkisp1: Disable runtime PM in probe error path
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+[ Upstream commit 13c9810281f8b24af9b7712cd84a1fce61843e93 ]
+
+If the v4l2_device_register() call fails, runtime PM is left enabled.
+Fix it.
+
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Dafna Hirschfeld <dafna@fastmail.com>
+Reviewed-by: Paul Elder <paul.elder@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Stable-dep-of: 452f604a4683 ("media: rkisp1: Fix media device memory leak")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/rkisp1/rkisp1-dev.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/media/rkisp1/rkisp1-dev.c b/drivers/staging/media/rkisp1/rkisp1-dev.c
+index 06de5540c8af..663b2efec9b0 100644
+--- a/drivers/staging/media/rkisp1/rkisp1-dev.c
++++ b/drivers/staging/media/rkisp1/rkisp1-dev.c
+@@ -518,7 +518,7 @@ static int rkisp1_probe(struct platform_device *pdev)
+
+ ret = v4l2_device_register(rkisp1->dev, &rkisp1->v4l2_dev);
+ if (ret)
+- return ret;
++ goto err_pm_runtime_disable;
+
+ ret = media_device_register(&rkisp1->media_dev);
+ if (ret) {
+@@ -538,6 +538,7 @@ static int rkisp1_probe(struct platform_device *pdev)
+ media_device_unregister(&rkisp1->media_dev);
+ err_unreg_v4l2_dev:
+ v4l2_device_unregister(&rkisp1->v4l2_dev);
++err_pm_runtime_disable:
+ pm_runtime_disable(&pdev->dev);
+ return ret;
+ }
+--
+2.43.0
+
--- /dev/null
+From 5b7e2370560b8a6ce5f3b72ae431f12b0e27b7de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Nov 2023 16:50:07 +0100
+Subject: media: rkisp1: Fix media device memory leak
+
+From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+
+[ Upstream commit 452f604a4683654f4d9472b3126d8da61d748443 ]
+
+Add missing calls to media_device_cleanup() to fix memory leak.
+
+Link: https://lore.kernel.org/r/20231122-rkisp-fixes-v2-1-78bfb63cdcf8@ideasonboard.com
+
+Fixes: d65dd85281fb ("media: staging: rkisp1: add Rockchip ISP1 base driver")
+Reviewed-by: Tommaso Merciai <tomm.merciai@gmail.com>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/rkisp1/rkisp1-dev.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/media/rkisp1/rkisp1-dev.c b/drivers/staging/media/rkisp1/rkisp1-dev.c
+index 663b2efec9b0..a43eda2a6d2e 100644
+--- a/drivers/staging/media/rkisp1/rkisp1-dev.c
++++ b/drivers/staging/media/rkisp1/rkisp1-dev.c
+@@ -518,7 +518,7 @@ static int rkisp1_probe(struct platform_device *pdev)
+
+ ret = v4l2_device_register(rkisp1->dev, &rkisp1->v4l2_dev);
+ if (ret)
+- goto err_pm_runtime_disable;
++ goto err_media_dev_cleanup;
+
+ ret = media_device_register(&rkisp1->media_dev);
+ if (ret) {
+@@ -538,6 +538,8 @@ static int rkisp1_probe(struct platform_device *pdev)
+ media_device_unregister(&rkisp1->media_dev);
+ err_unreg_v4l2_dev:
+ v4l2_device_unregister(&rkisp1->v4l2_dev);
++err_media_dev_cleanup:
++ media_device_cleanup(&rkisp1->media_dev);
+ err_pm_runtime_disable:
+ pm_runtime_disable(&pdev->dev);
+ return ret;
+@@ -559,6 +561,8 @@ static int rkisp1_remove(struct platform_device *pdev)
+ media_device_unregister(&rkisp1->media_dev);
+ v4l2_device_unregister(&rkisp1->v4l2_dev);
+
++ media_device_cleanup(&rkisp1->media_dev);
++
+ pm_runtime_disable(&pdev->dev);
+
+ debugfs_remove_recursive(rkisp1->debug.debugfs_dir);
+--
+2.43.0
+
--- /dev/null
+From f386557b5d36b69f1d147a8b0be14adac0111e80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Dec 2023 13:59:46 +0000
+Subject: mmc: sdhci_am654: Fix TI SoC dependencies
+
+From: Peter Robinson <pbrobinson@gmail.com>
+
+[ Upstream commit cb052da7f031b0d2309a4895ca236afb3b4bbf50 ]
+
+The sdhci_am654 is specific to recent TI SoCs, update the
+dependencies for those SoCs and compile testing. While we're
+at it update the text to reflect the wider range of
+supported TI SoCS the driver now supports.
+
+Fixes: 41fd4caeb00b ("mmc: sdhci_am654: Add Initial Support for AM654 SDHCI driver")
+Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
+Link: https://lore.kernel.org/r/20231220135950.433588-1-pbrobinson@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/Kconfig | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mmc/host/Kconfig b/drivers/mmc/host/Kconfig
+index a5b2bf0e40cc..1b12c9fa3048 100644
+--- a/drivers/mmc/host/Kconfig
++++ b/drivers/mmc/host/Kconfig
+@@ -1080,14 +1080,15 @@ config MMC_SDHCI_OMAP
+
+ config MMC_SDHCI_AM654
+ tristate "Support for the SDHCI Controller in TI's AM654 SOCs"
++ depends on ARCH_K3 || COMPILE_TEST
+ depends on MMC_SDHCI_PLTFM && OF
+ select MMC_SDHCI_IO_ACCESSORS
+ select MMC_CQHCI
+ select REGMAP_MMIO
+ help
+ This selects the Secure Digital Host Controller Interface (SDHCI)
+- support present in TI's AM654 SOCs. The controller supports
+- SD/MMC/SDIO devices.
++ support present in TI's AM65x/AM64x/AM62x/J721E SOCs. The controller
++ supports SD/MMC/SDIO devices.
+
+ If you have a controller with this interface, say Y or M here.
+
+--
+2.43.0
+
--- /dev/null
+From 31d0ed038eb272552e61dc5fbbb04aab97619675 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Dec 2023 13:59:47 +0000
+Subject: mmc: sdhci_omap: Fix TI SoC dependencies
+
+From: Peter Robinson <pbrobinson@gmail.com>
+
+[ Upstream commit 09f164d393a6671e5ff8342ba6b3cb7fe3f20208 ]
+
+The sdhci_omap is specific to older TI SoCs, update the
+dependencies for those SoCs and compile testing. While we're
+at it update the text to reflect the wider range of
+supported TI SoCS the driver now supports.
+
+Fixes: 7d326930d352 ("mmc: sdhci-omap: Add OMAP SDHCI driver")
+Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
+Link: https://lore.kernel.org/r/20231220135950.433588-2-pbrobinson@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/Kconfig | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mmc/host/Kconfig b/drivers/mmc/host/Kconfig
+index 1b12c9fa3048..8fe4a0fd6ef1 100644
+--- a/drivers/mmc/host/Kconfig
++++ b/drivers/mmc/host/Kconfig
+@@ -1065,14 +1065,15 @@ config MMC_SDHCI_XENON
+
+ config MMC_SDHCI_OMAP
+ tristate "TI SDHCI Controller Support"
++ depends on ARCH_OMAP2PLUS || ARCH_KEYSTONE || COMPILE_TEST
+ depends on MMC_SDHCI_PLTFM && OF
+ select THERMAL
+ imply TI_SOC_THERMAL
+ select MMC_SDHCI_EXTERNAL_DMA if DMA_ENGINE
+ help
+ This selects the Secure Digital Host Controller Interface (SDHCI)
+- support present in TI's DRA7 SOCs. The controller supports
+- SD/MMC/SDIO devices.
++ support present in TI's Keystone/OMAP2+/DRA7 SOCs. The controller
++ supports SD/MMC/SDIO devices.
+
+ If you have a controller with this interface, say Y or M here.
+
+--
+2.43.0
+
--- /dev/null
+From 30d8e2824277808634fa3d4d54d78a29bae8b64a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Dec 2023 10:46:19 +0800
+Subject: mtd: Fix gluebi NULL pointer dereference caused by ftl notifier
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: ZhaoLong Wang <wangzhaolong1@huawei.com>
+
+[ Upstream commit a43bdc376deab5fff1ceb93dca55bcab8dbdc1d6 ]
+
+If both ftl.ko and gluebi.ko are loaded, the notifier of ftl
+triggers NULL pointer dereference when trying to access
+‘gluebi->desc’ in gluebi_read().
+
+ubi_gluebi_init
+ ubi_register_volume_notifier
+ ubi_enumerate_volumes
+ ubi_notify_all
+ gluebi_notify nb->notifier_call()
+ gluebi_create
+ mtd_device_register
+ mtd_device_parse_register
+ add_mtd_device
+ blktrans_notify_add not->add()
+ ftl_add_mtd tr->add_mtd()
+ scan_header
+ mtd_read
+ mtd_read_oob
+ mtd_read_oob_std
+ gluebi_read mtd->read()
+ gluebi->desc - NULL
+
+Detailed reproduction information available at the Link [1],
+
+In the normal case, obtain gluebi->desc in the gluebi_get_device(),
+and access gluebi->desc in the gluebi_read(). However,
+gluebi_get_device() is not executed in advance in the
+ftl_add_mtd() process, which leads to NULL pointer dereference.
+
+The solution for the gluebi module is to run jffs2 on the UBI
+volume without considering working with ftl or mtdblock [2].
+Therefore, this problem can be avoided by preventing gluebi from
+creating the mtdblock device after creating mtd partition of the
+type MTD_UBIVOLUME.
+
+Fixes: 2ba3d76a1e29 ("UBI: make gluebi a separate module")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217992 [1]
+Link: https://lore.kernel.org/lkml/441107100.23734.1697904580252.JavaMail.zimbra@nod.at/ [2]
+Signed-off-by: ZhaoLong Wang <wangzhaolong1@huawei.com>
+Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Acked-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20231220024619.2138625-1-wangzhaolong1@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/mtd_blkdevs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mtd/mtd_blkdevs.c b/drivers/mtd/mtd_blkdevs.c
+index 0c05f77f9b21..dd0d0bf5f57f 100644
+--- a/drivers/mtd/mtd_blkdevs.c
++++ b/drivers/mtd/mtd_blkdevs.c
+@@ -533,7 +533,7 @@ static void blktrans_notify_add(struct mtd_info *mtd)
+ {
+ struct mtd_blktrans_ops *tr;
+
+- if (mtd->type == MTD_ABSENT)
++ if (mtd->type == MTD_ABSENT || mtd->type == MTD_UBIVOLUME)
+ return;
+
+ list_for_each_entry(tr, &blktrans_majors, list)
+@@ -576,7 +576,7 @@ int register_mtd_blktrans(struct mtd_blktrans_ops *tr)
+ list_add(&tr->list, &blktrans_majors);
+
+ mtd_for_each_device(mtd)
+- if (mtd->type != MTD_ABSENT)
++ if (mtd->type != MTD_ABSENT && mtd->type != MTD_UBIVOLUME)
+ tr->add_mtd(tr, mtd);
+
+ mutex_unlock(&mtd_table_mutex);
+--
+2.43.0
+
--- /dev/null
+From bb2f97f63f407cc3342c4d0a372e0e2fb44aa911 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Nov 2023 18:31:51 +1000
+Subject: mtd: rawnand: Increment IFC_TIMEOUT_MSECS for nand controller
+ response
+
+From: Ronald Monthero <debug.penguin32@gmail.com>
+
+[ Upstream commit 923fb6238cb3ac529aa2bf13b3b1e53762186a8b ]
+
+Under heavy load it is likely that the controller is done
+with its own task but the thread unlocking the wait is not
+scheduled in time. Increasing IFC_TIMEOUT_MSECS allows the
+controller to respond within allowable timeslice of 1 sec.
+
+fsl,ifc-nand 7e800000.nand: Controller is not responding
+
+[<804b2047>] (nand_get_device) from [<804b5335>] (nand_write_oob+0x1b/0x4a)
+[<804b5335>] (nand_write_oob) from [<804a3585>] (mtd_write+0x41/0x5c)
+[<804a3585>] (mtd_write) from [<804c1d47>] (ubi_io_write+0x17f/0x22c)
+[<804c1d47>] (ubi_io_write) from [<804c047b>] (ubi_eba_write_leb+0x5b/0x1d0)
+
+Fixes: 82771882d960 ("NAND Machine support for Integrated Flash Controller")
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Ronald Monthero <debug.penguin32@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20231118083156.776887-1-debug.penguin32@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/fsl_ifc_nand.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/raw/fsl_ifc_nand.c b/drivers/mtd/nand/raw/fsl_ifc_nand.c
+index e345f9d9f8e8..fcda744e8a40 100644
+--- a/drivers/mtd/nand/raw/fsl_ifc_nand.c
++++ b/drivers/mtd/nand/raw/fsl_ifc_nand.c
+@@ -21,7 +21,7 @@
+
+ #define ERR_BYTE 0xFF /* Value returned for read
+ bytes when read failed */
+-#define IFC_TIMEOUT_MSECS 500 /* Maximum number of mSecs to wait
++#define IFC_TIMEOUT_MSECS 1000 /* Maximum timeout to wait
+ for IFC NAND Machine */
+
+ struct fsl_ifc_ctrl;
+--
+2.43.0
+
--- /dev/null
+From cc2b2a0ac6de8a3a19e66bbd773f541d84b97959 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Mar 2021 04:42:47 +0530
+Subject: ncsi: internal.h: Fix a spello
+
+From: Bhaskar Chowdhury <unixbhaskar@gmail.com>
+
+[ Upstream commit 195a8ec4033b4124f6864892e71dcef24ba74a5a ]
+
+s/Firware/Firmware/
+
+Signed-off-by: Bhaskar Chowdhury <unixbhaskar@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 3084b58bfd0b ("net/ncsi: Fix netlink major/minor version numbers")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ncsi/internal.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h
+index e37102546be6..49031f804276 100644
+--- a/net/ncsi/internal.h
++++ b/net/ncsi/internal.h
+@@ -100,7 +100,7 @@ enum {
+ struct ncsi_channel_version {
+ u32 version; /* Supported BCD encoded NCSI version */
+ u32 alpha2; /* Supported BCD encoded NCSI version */
+- u8 fw_name[12]; /* Firware name string */
++ u8 fw_name[12]; /* Firmware name string */
+ u32 fw_version; /* Firmware version */
+ u16 pci_ids[4]; /* PCI identification */
+ u32 mf_id; /* Manufacture ID */
+--
+2.43.0
+
--- /dev/null
+From 90aac19429c564c584e5d522a3e3ab29b2533c2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Nov 2023 10:07:34 -0600
+Subject: net/ncsi: Fix netlink major/minor version numbers
+
+From: Peter Delevoryas <peter@pjd.dev>
+
+[ Upstream commit 3084b58bfd0b9e4b5e034f31f31b42977db35f12 ]
+
+The netlink interface for major and minor version numbers doesn't actually
+return the major and minor version numbers.
+
+It reports a u32 that contains the (major, minor, update, alpha1)
+components as the major version number, and then alpha2 as the minor
+version number.
+
+For whatever reason, the u32 byte order was reversed (ntohl): maybe it was
+assumed that the encoded value was a single big-endian u32, and alpha2 was
+the minor version.
+
+The correct way to get the supported NC-SI version from the network
+controller is to parse the Get Version ID response as described in 8.4.44
+of the NC-SI spec[1].
+
+ Get Version ID Response Packet Format
+
+ Bits
+ +--------+--------+--------+--------+
+ Bytes | 31..24 | 23..16 | 15..8 | 7..0 |
+ +-------+--------+--------+--------+--------+
+ | 0..15 | NC-SI Header |
+ +-------+--------+--------+--------+--------+
+ | 16..19| Response code | Reason code |
+ +-------+--------+--------+--------+--------+
+ |20..23 | Major | Minor | Update | Alpha1 |
+ +-------+--------+--------+--------+--------+
+ |24..27 | reserved | Alpha2 |
+ +-------+--------+--------+--------+--------+
+ | .... other stuff .... |
+
+The major, minor, and update fields are all binary-coded decimal (BCD)
+encoded [2]. The spec provides examples below the Get Version ID response
+format in section 8.4.44.1, but for practical purposes, this is an example
+from a live network card:
+
+ root@bmc:~# ncsi-util 0x15
+ NC-SI Command Response:
+ cmd: GET_VERSION_ID(0x15)
+ Response: COMMAND_COMPLETED(0x0000) Reason: NO_ERROR(0x0000)
+ Payload length = 40
+
+ 20: 0xf1 0xf1 0xf0 0x00 <<<<<<<<< (major, minor, update, alpha1)
+ 24: 0x00 0x00 0x00 0x00 <<<<<<<<< (_, _, _, alpha2)
+
+ 28: 0x6d 0x6c 0x78 0x30
+ 32: 0x2e 0x31 0x00 0x00
+ 36: 0x00 0x00 0x00 0x00
+ 40: 0x16 0x1d 0x07 0xd2
+ 44: 0x10 0x1d 0x15 0xb3
+ 48: 0x00 0x17 0x15 0xb3
+ 52: 0x00 0x00 0x81 0x19
+
+This should be parsed as "1.1.0".
+
+"f" in the upper-nibble means to ignore it, contributing zero.
+
+If both nibbles are "f", I think the whole field is supposed to be ignored.
+Major and minor are "required", meaning they're not supposed to be "ff",
+but the update field is "optional" so I think it can be ff. I think the
+simplest thing to do is just set the major and minor to zero instead of
+juggling some conditional logic or something.
+
+bcd2bin() from "include/linux/bcd.h" seems to assume both nibbles are 0-9,
+so I've provided a custom BCD decoding function.
+
+Alpha1 and alpha2 are ISO/IEC 8859-1 encoded, which just means ASCII
+characters as far as I can tell, although the full encoding table for
+non-alphabetic characters is slightly different (I think).
+
+I imagine the alpha fields are just supposed to be alphabetic characters,
+but I haven't seen any network cards actually report a non-zero value for
+either.
+
+If people wrote software against this netlink behavior, and were parsing
+the major and minor versions themselves from the u32, then this would
+definitely break their code.
+
+[1] https://www.dmtf.org/sites/default/files/standards/documents/DSP0222_1.0.0.pdf
+[2] https://en.wikipedia.org/wiki/Binary-coded_decimal
+[2] https://en.wikipedia.org/wiki/ISO/IEC_8859-1
+
+Signed-off-by: Peter Delevoryas <peter@pjd.dev>
+Fixes: 138635cc27c9 ("net/ncsi: NCSI response packet handler")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ncsi/internal.h | 7 +++++--
+ net/ncsi/ncsi-netlink.c | 4 ++--
+ net/ncsi/ncsi-pkt.h | 7 +++++--
+ net/ncsi/ncsi-rsp.c | 26 ++++++++++++++++++++++++--
+ 4 files changed, 36 insertions(+), 8 deletions(-)
+
+diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h
+index 49031f804276..ec765f2a7569 100644
+--- a/net/ncsi/internal.h
++++ b/net/ncsi/internal.h
+@@ -98,8 +98,11 @@ enum {
+
+
+ struct ncsi_channel_version {
+- u32 version; /* Supported BCD encoded NCSI version */
+- u32 alpha2; /* Supported BCD encoded NCSI version */
++ u8 major; /* NCSI version major */
++ u8 minor; /* NCSI version minor */
++ u8 update; /* NCSI version update */
++ char alpha1; /* NCSI version alpha1 */
++ char alpha2; /* NCSI version alpha2 */
+ u8 fw_name[12]; /* Firmware name string */
+ u32 fw_version; /* Firmware version */
+ u16 pci_ids[4]; /* PCI identification */
+diff --git a/net/ncsi/ncsi-netlink.c b/net/ncsi/ncsi-netlink.c
+index c189b4c8a182..db350b8f5d88 100644
+--- a/net/ncsi/ncsi-netlink.c
++++ b/net/ncsi/ncsi-netlink.c
+@@ -71,8 +71,8 @@ static int ncsi_write_channel_info(struct sk_buff *skb,
+ if (nc == nc->package->preferred_channel)
+ nla_put_flag(skb, NCSI_CHANNEL_ATTR_FORCED);
+
+- nla_put_u32(skb, NCSI_CHANNEL_ATTR_VERSION_MAJOR, nc->version.version);
+- nla_put_u32(skb, NCSI_CHANNEL_ATTR_VERSION_MINOR, nc->version.alpha2);
++ nla_put_u32(skb, NCSI_CHANNEL_ATTR_VERSION_MAJOR, nc->version.major);
++ nla_put_u32(skb, NCSI_CHANNEL_ATTR_VERSION_MINOR, nc->version.minor);
+ nla_put_string(skb, NCSI_CHANNEL_ATTR_VERSION_STR, nc->version.fw_name);
+
+ vid_nest = nla_nest_start_noflag(skb, NCSI_CHANNEL_ATTR_VLAN_LIST);
+diff --git a/net/ncsi/ncsi-pkt.h b/net/ncsi/ncsi-pkt.h
+index 80938b338fee..3fbea7e74fb1 100644
+--- a/net/ncsi/ncsi-pkt.h
++++ b/net/ncsi/ncsi-pkt.h
+@@ -191,9 +191,12 @@ struct ncsi_rsp_gls_pkt {
+ /* Get Version ID */
+ struct ncsi_rsp_gvi_pkt {
+ struct ncsi_rsp_pkt_hdr rsp; /* Response header */
+- __be32 ncsi_version; /* NCSI version */
++ unsigned char major; /* NCSI version major */
++ unsigned char minor; /* NCSI version minor */
++ unsigned char update; /* NCSI version update */
++ unsigned char alpha1; /* NCSI version alpha1 */
+ unsigned char reserved[3]; /* Reserved */
+- unsigned char alpha2; /* NCSI version */
++ unsigned char alpha2; /* NCSI version alpha2 */
+ unsigned char fw_name[12]; /* f/w name string */
+ __be32 fw_version; /* f/w version */
+ __be16 pci_ids[4]; /* PCI IDs */
+diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
+index 888ccc2d4e34..6a4638811660 100644
+--- a/net/ncsi/ncsi-rsp.c
++++ b/net/ncsi/ncsi-rsp.c
+@@ -19,6 +19,19 @@
+ #include "ncsi-pkt.h"
+ #include "ncsi-netlink.h"
+
++/* Nibbles within [0xA, 0xF] add zero "0" to the returned value.
++ * Optional fields (encoded as 0xFF) will default to zero.
++ */
++static u8 decode_bcd_u8(u8 x)
++{
++ int lo = x & 0xF;
++ int hi = x >> 4;
++
++ lo = lo < 0xA ? lo : 0;
++ hi = hi < 0xA ? hi : 0;
++ return lo + hi * 10;
++}
++
+ static int ncsi_validate_rsp_pkt(struct ncsi_request *nr,
+ unsigned short payload)
+ {
+@@ -755,9 +768,18 @@ static int ncsi_rsp_handler_gvi(struct ncsi_request *nr)
+ if (!nc)
+ return -ENODEV;
+
+- /* Update to channel's version info */
++ /* Update channel's version info
++ *
++ * Major, minor, and update fields are supposed to be
++ * unsigned integers encoded as packed BCD.
++ *
++ * Alpha1 and alpha2 are ISO/IEC 8859-1 characters.
++ */
+ ncv = &nc->version;
+- ncv->version = ntohl(rsp->ncsi_version);
++ ncv->major = decode_bcd_u8(rsp->major);
++ ncv->minor = decode_bcd_u8(rsp->minor);
++ ncv->update = decode_bcd_u8(rsp->update);
++ ncv->alpha1 = rsp->alpha1;
+ ncv->alpha2 = rsp->alpha2;
+ memcpy(ncv->fw_name, rsp->fw_name, 12);
+ ncv->fw_version = ntohl(rsp->fw_version);
+--
+2.43.0
+
--- /dev/null
+From ec1b7714bbe5f90c8011f69011eb66fb3edd204e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Oct 2020 01:53:50 +0100
+Subject: net: netlabel: Fix kerneldoc warnings
+
+From: Andrew Lunn <andrew@lunn.ch>
+
+[ Upstream commit 294ea29113104487a905d0f81c00dfd64121b3d9 ]
+
+net/netlabel/netlabel_calipso.c:376: warning: Function parameter or member 'ops' not described in 'netlbl_calipso_ops_register'
+
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Link: https://lore.kernel.org/r/20201028005350.930299-1-andrew@lunn.ch
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: ec4e9d630a64 ("calipso: fix memory leak in netlbl_calipso_add_pass()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlabel/netlabel_calipso.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/netlabel/netlabel_calipso.c b/net/netlabel/netlabel_calipso.c
+index 4e62f2ad3575..f28c8947c730 100644
+--- a/net/netlabel/netlabel_calipso.c
++++ b/net/netlabel/netlabel_calipso.c
+@@ -366,6 +366,7 @@ static const struct netlbl_calipso_ops *calipso_ops;
+
+ /**
+ * netlbl_calipso_ops_register - Register the CALIPSO operations
++ * @ops: ops to register
+ *
+ * Description:
+ * Register the CALIPSO packet engine operations.
+--
+2.43.0
+
--- /dev/null
+From 4a96a0394b23a2eb8a200d12541f581352c82b6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Nov 2023 11:00:37 +0100
+Subject: netfilter: nf_tables: mark newset as dead on transaction abort
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 08e4c8c5919fd405a4d709b4ba43d836894a26eb ]
+
+If a transaction is aborted, we should mark the to-be-released NEWSET dead,
+just like commit path does for DEL and DESTROYSET commands.
+
+In both cases all remaining elements will be released via
+set->ops->destroy().
+
+The existing abort code does NOT post the actual release to the work queue.
+Also the entire __nf_tables_abort() function is wrapped in gc_seq
+begin/end pair.
+
+Therefore, async gc worker will never try to release the pending set
+elements, as gc sequence is always stale.
+
+It might be possible to speed up transaction aborts via work queue too,
+this would result in a race and a possible use-after-free.
+
+So fix this before it becomes an issue.
+
+Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 4d1a009dab45..6e91c743a4d4 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -8840,6 +8840,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
+ nft_trans_destroy(trans);
+ break;
+ }
++ nft_trans_set(trans)->dead = 1;
+ list_del_rcu(&nft_trans_set(trans)->list);
+ break;
+ case NFT_MSG_DELSET:
+--
+2.43.0
+
--- /dev/null
+From 43fd4a2943ac0951c5342decb13e016e291b1745 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 May 2021 15:34:38 +0800
+Subject: netlabel: remove unused parameter in netlbl_netlink_auditinfo()
+
+From: Zheng Yejian <zhengyejian1@huawei.com>
+
+[ Upstream commit f7e0318a314f9271b0f0cdd4bfdc691976976d8c ]
+
+loginuid/sessionid/secid have been read from 'current' instead of struct
+netlink_skb_parms, the parameter 'skb' seems no longer needed.
+
+Fixes: c53fa1ed92cd ("netlink: kill loginuid/sessionid/sid members from struct netlink_skb_parms")
+Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: ec4e9d630a64 ("calipso: fix memory leak in netlbl_calipso_add_pass()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlabel/netlabel_calipso.c | 4 ++--
+ net/netlabel/netlabel_cipso_v4.c | 4 ++--
+ net/netlabel/netlabel_mgmt.c | 8 ++++----
+ net/netlabel/netlabel_unlabeled.c | 10 +++++-----
+ net/netlabel/netlabel_user.h | 4 +---
+ 5 files changed, 14 insertions(+), 16 deletions(-)
+
+diff --git a/net/netlabel/netlabel_calipso.c b/net/netlabel/netlabel_calipso.c
+index f28c8947c730..91a19c3ea1a3 100644
+--- a/net/netlabel/netlabel_calipso.c
++++ b/net/netlabel/netlabel_calipso.c
+@@ -105,7 +105,7 @@ static int netlbl_calipso_add(struct sk_buff *skb, struct genl_info *info)
+ !info->attrs[NLBL_CALIPSO_A_MTYPE])
+ return -EINVAL;
+
+- netlbl_netlink_auditinfo(skb, &audit_info);
++ netlbl_netlink_auditinfo(&audit_info);
+ switch (nla_get_u32(info->attrs[NLBL_CALIPSO_A_MTYPE])) {
+ case CALIPSO_MAP_PASS:
+ ret_val = netlbl_calipso_add_pass(info, &audit_info);
+@@ -287,7 +287,7 @@ static int netlbl_calipso_remove(struct sk_buff *skb, struct genl_info *info)
+ if (!info->attrs[NLBL_CALIPSO_A_DOI])
+ return -EINVAL;
+
+- netlbl_netlink_auditinfo(skb, &audit_info);
++ netlbl_netlink_auditinfo(&audit_info);
+ cb_arg.doi = nla_get_u32(info->attrs[NLBL_CALIPSO_A_DOI]);
+ cb_arg.audit_info = &audit_info;
+ ret_val = netlbl_domhsh_walk(&skip_bkt, &skip_chain,
+diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c
+index f3f1df1b0f8e..894e6b8f1a86 100644
+--- a/net/netlabel/netlabel_cipso_v4.c
++++ b/net/netlabel/netlabel_cipso_v4.c
+@@ -410,7 +410,7 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
+ !info->attrs[NLBL_CIPSOV4_A_MTYPE])
+ return -EINVAL;
+
+- netlbl_netlink_auditinfo(skb, &audit_info);
++ netlbl_netlink_auditinfo(&audit_info);
+ switch (nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE])) {
+ case CIPSO_V4_MAP_TRANS:
+ ret_val = netlbl_cipsov4_add_std(info, &audit_info);
+@@ -709,7 +709,7 @@ static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info)
+ if (!info->attrs[NLBL_CIPSOV4_A_DOI])
+ return -EINVAL;
+
+- netlbl_netlink_auditinfo(skb, &audit_info);
++ netlbl_netlink_auditinfo(&audit_info);
+ cb_arg.doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
+ cb_arg.audit_info = &audit_info;
+ ret_val = netlbl_domhsh_walk(&skip_bkt, &skip_chain,
+diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c
+index 02a97bca1a1a..750a7a842ab9 100644
+--- a/net/netlabel/netlabel_mgmt.c
++++ b/net/netlabel/netlabel_mgmt.c
+@@ -435,7 +435,7 @@ static int netlbl_mgmt_add(struct sk_buff *skb, struct genl_info *info)
+ (info->attrs[NLBL_MGMT_A_IPV6MASK] != NULL)))
+ return -EINVAL;
+
+- netlbl_netlink_auditinfo(skb, &audit_info);
++ netlbl_netlink_auditinfo(&audit_info);
+
+ return netlbl_mgmt_add_common(info, &audit_info);
+ }
+@@ -458,7 +458,7 @@ static int netlbl_mgmt_remove(struct sk_buff *skb, struct genl_info *info)
+ if (!info->attrs[NLBL_MGMT_A_DOMAIN])
+ return -EINVAL;
+
+- netlbl_netlink_auditinfo(skb, &audit_info);
++ netlbl_netlink_auditinfo(&audit_info);
+
+ domain = nla_data(info->attrs[NLBL_MGMT_A_DOMAIN]);
+ return netlbl_domhsh_remove(domain, AF_UNSPEC, &audit_info);
+@@ -558,7 +558,7 @@ static int netlbl_mgmt_adddef(struct sk_buff *skb, struct genl_info *info)
+ (info->attrs[NLBL_MGMT_A_IPV6MASK] != NULL)))
+ return -EINVAL;
+
+- netlbl_netlink_auditinfo(skb, &audit_info);
++ netlbl_netlink_auditinfo(&audit_info);
+
+ return netlbl_mgmt_add_common(info, &audit_info);
+ }
+@@ -577,7 +577,7 @@ static int netlbl_mgmt_removedef(struct sk_buff *skb, struct genl_info *info)
+ {
+ struct netlbl_audit audit_info;
+
+- netlbl_netlink_auditinfo(skb, &audit_info);
++ netlbl_netlink_auditinfo(&audit_info);
+
+ return netlbl_domhsh_remove_default(AF_UNSPEC, &audit_info);
+ }
+diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
+index ccb491642811..3049fff0b7f8 100644
+--- a/net/netlabel/netlabel_unlabeled.c
++++ b/net/netlabel/netlabel_unlabeled.c
+@@ -814,7 +814,7 @@ static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info)
+ if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) {
+ value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]);
+ if (value == 1 || value == 0) {
+- netlbl_netlink_auditinfo(skb, &audit_info);
++ netlbl_netlink_auditinfo(&audit_info);
+ netlbl_unlabel_acceptflg_set(value, &audit_info);
+ return 0;
+ }
+@@ -897,7 +897,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
+ !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
+ return -EINVAL;
+
+- netlbl_netlink_auditinfo(skb, &audit_info);
++ netlbl_netlink_auditinfo(&audit_info);
+
+ ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
+ if (ret_val != 0)
+@@ -947,7 +947,7 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
+ !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
+ return -EINVAL;
+
+- netlbl_netlink_auditinfo(skb, &audit_info);
++ netlbl_netlink_auditinfo(&audit_info);
+
+ ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
+ if (ret_val != 0)
+@@ -994,7 +994,7 @@ static int netlbl_unlabel_staticremove(struct sk_buff *skb,
+ !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
+ return -EINVAL;
+
+- netlbl_netlink_auditinfo(skb, &audit_info);
++ netlbl_netlink_auditinfo(&audit_info);
+
+ ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
+ if (ret_val != 0)
+@@ -1034,7 +1034,7 @@ static int netlbl_unlabel_staticremovedef(struct sk_buff *skb,
+ !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
+ return -EINVAL;
+
+- netlbl_netlink_auditinfo(skb, &audit_info);
++ netlbl_netlink_auditinfo(&audit_info);
+
+ ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
+ if (ret_val != 0)
+diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h
+index 3c67afce64f1..32d8f92c9a20 100644
+--- a/net/netlabel/netlabel_user.h
++++ b/net/netlabel/netlabel_user.h
+@@ -28,11 +28,9 @@
+
+ /**
+ * netlbl_netlink_auditinfo - Fetch the audit information from a NETLINK msg
+- * @skb: the packet
+ * @audit_info: NetLabel audit information
+ */
+-static inline void netlbl_netlink_auditinfo(struct sk_buff *skb,
+- struct netlbl_audit *audit_info)
++static inline void netlbl_netlink_auditinfo(struct netlbl_audit *audit_info)
+ {
+ security_task_getsecid(current, &audit_info->secid);
+ audit_info->loginuid = audit_get_loginuid(current);
+--
+2.43.0
+
--- /dev/null
+From ab4d514a7fc98a9dffe44be5e0cd389a8e3c7440 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Nov 2023 13:55:29 -0500
+Subject: NFSv4.1/pnfs: Ensure we handle the error NFS4ERR_RETURNCONFLICT
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 037e56a22ff37f9a9c2330b66cff55d3d1ff9b90 ]
+
+Once the client has processed the CB_LAYOUTRECALL, but has not yet
+successfully returned the layout, the server is supposed to switch to
+returning NFS4ERR_RETURNCONFLICT. This patch ensures that we handle
+that return value correctly.
+
+Fixes: 183d9e7b112a ("pnfs: rework LAYOUTGET retry handling")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4proc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index f3f41027f697..7c3c96ed6085 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -177,6 +177,7 @@ static int nfs4_map_errors(int err)
+ case -NFS4ERR_RESOURCE:
+ case -NFS4ERR_LAYOUTTRYLATER:
+ case -NFS4ERR_RECALLCONFLICT:
++ case -NFS4ERR_RETURNCONFLICT:
+ return -EREMOTEIO;
+ case -NFS4ERR_WRONGSEC:
+ case -NFS4ERR_WRONG_CRED:
+@@ -563,6 +564,7 @@ static int nfs4_do_handle_exception(struct nfs_server *server,
+ case -NFS4ERR_GRACE:
+ case -NFS4ERR_LAYOUTTRYLATER:
+ case -NFS4ERR_RECALLCONFLICT:
++ case -NFS4ERR_RETURNCONFLICT:
+ exception->delay = 1;
+ return 0;
+
+@@ -9445,6 +9447,7 @@ nfs4_layoutget_handle_exception(struct rpc_task *task,
+ status = -EBUSY;
+ break;
+ case -NFS4ERR_RECALLCONFLICT:
++ case -NFS4ERR_RETURNCONFLICT:
+ status = -ERECALLCONFLICT;
+ break;
+ case -NFS4ERR_DELEG_REVOKED:
+--
+2.43.0
+
--- /dev/null
+From bf63c419d77f56a5422ea725ac3523cc785711eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Feb 2023 15:35:01 -0600
+Subject: of: Add of_property_present() helper
+
+From: Rob Herring <robh@kernel.org>
+
+[ Upstream commit 9cbad37ce8122de32a1529e394b468bc101c9e7f ]
+
+Add an of_property_present() function similar to
+fwnode_property_present(). of_property_read_bool() could be used
+directly, but it is cleaner to not use it on non-boolean properties.
+
+Reviewed-by: Frank Rowand <frowand.list@gmail.com>
+Tested-by: Frank Rowand <frowand.list@gmail.com>
+Link: https://lore.kernel.org/all/20230215215547.691573-1-robh@kernel.org/
+Signed-off-by: Rob Herring <robh@kernel.org>
+Stable-dep-of: c4a5118a3ae1 ("cpufreq: scmi: process the result of devm_of_clk_add_hw_provider()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/of.h | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/of.h b/include/linux/of.h
+index 13d6243d202d..4ed8dce624e7 100644
+--- a/include/linux/of.h
++++ b/include/linux/of.h
+@@ -1061,7 +1061,8 @@ static inline int of_property_read_string_index(const struct device_node *np,
+ * @np: device node from which the property value is to be read.
+ * @propname: name of the property to be searched.
+ *
+- * Search for a property in a device node.
++ * Search for a boolean property in a device node. Usage on non-boolean
++ * property types is deprecated.
+ *
+ * Return: true if the property exists false otherwise.
+ */
+@@ -1073,6 +1074,20 @@ static inline bool of_property_read_bool(const struct device_node *np,
+ return prop ? true : false;
+ }
+
++/**
++ * of_property_present - Test if a property is present in a node
++ * @np: device node to search for the property.
++ * @propname: name of the property to be searched.
++ *
++ * Test for a property present in a device node.
++ *
++ * Return: true if the property exists false otherwise.
++ */
++static inline bool of_property_present(const struct device_node *np, const char *propname)
++{
++ return of_property_read_bool(np, propname);
++}
++
+ /**
+ * of_property_read_u8_array - Find and read an array of u8 from a property.
+ *
+--
+2.43.0
+
--- /dev/null
+From 5d3347c7fa1aa5c9dc8cd0368561cbc8ef5bfa62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Dec 2023 11:54:11 +0100
+Subject: of: Fix double free in of_parse_phandle_with_args_map
+
+From: Christian A. Ehrhardt <lk@c--e.de>
+
+[ Upstream commit 4dde83569832f9377362e50f7748463340c5db6b ]
+
+In of_parse_phandle_with_args_map() the inner loop that
+iterates through the map entries calls of_node_put(new)
+to free the reference acquired by the previous iteration
+of the inner loop. This assumes that the value of "new" is
+NULL on the first iteration of the inner loop.
+
+Make sure that this is true in all iterations of the outer
+loop by setting "new" to NULL after its value is assigned to "cur".
+
+Extend the unittest to detect the double free and add an additional
+test case that actually triggers this path.
+
+Fixes: bd6f2fd5a1 ("of: Support parsing phandle argument lists through a nexus node")
+Cc: Stephen Boyd <stephen.boyd@linaro.org>
+Signed-off-by: "Christian A. Ehrhardt" <lk@c--e.de>
+Link: https://lore.kernel.org/r/20231229105411.1603434-1-lk@c--e.de
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/base.c | 1 +
+ drivers/of/unittest-data/tests-phandle.dtsi | 10 ++-
+ drivers/of/unittest.c | 74 ++++++++++++---------
+ 3 files changed, 53 insertions(+), 32 deletions(-)
+
+diff --git a/drivers/of/base.c b/drivers/of/base.c
+index eb02974f36bd..0e428880d88b 100644
+--- a/drivers/of/base.c
++++ b/drivers/of/base.c
+@@ -1670,6 +1670,7 @@ int of_parse_phandle_with_args_map(const struct device_node *np,
+ out_args->np = new;
+ of_node_put(cur);
+ cur = new;
++ new = NULL;
+ }
+ put:
+ of_node_put(cur);
+diff --git a/drivers/of/unittest-data/tests-phandle.dtsi b/drivers/of/unittest-data/tests-phandle.dtsi
+index 6b33be4c4416..aa0d7027ffa6 100644
+--- a/drivers/of/unittest-data/tests-phandle.dtsi
++++ b/drivers/of/unittest-data/tests-phandle.dtsi
+@@ -38,6 +38,13 @@ provider4: provider4 {
+ phandle-map-pass-thru = <0x0 0xf0>;
+ };
+
++ provider5: provider5 {
++ #phandle-cells = <2>;
++ phandle-map = <2 7 &provider4 2 3>;
++ phandle-map-mask = <0xff 0xf>;
++ phandle-map-pass-thru = <0x0 0xf0>;
++ };
++
+ consumer-a {
+ phandle-list = <&provider1 1>,
+ <&provider2 2 0>,
+@@ -64,7 +71,8 @@ consumer-b {
+ <&provider4 4 0x100>,
+ <&provider4 0 0x61>,
+ <&provider0>,
+- <&provider4 19 0x20>;
++ <&provider4 19 0x20>,
++ <&provider5 2 7>;
+ phandle-list-bad-phandle = <12345678 0 0>;
+ phandle-list-bad-args = <&provider2 1 0>,
+ <&provider4 0>;
+diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c
+index 412d7ddb3b8b..197abe33b65c 100644
+--- a/drivers/of/unittest.c
++++ b/drivers/of/unittest.c
+@@ -447,6 +447,9 @@ static void __init of_unittest_parse_phandle_with_args(void)
+
+ unittest(passed, "index %i - data error on node %pOF rc=%i\n",
+ i, args.np, rc);
++
++ if (rc == 0)
++ of_node_put(args.np);
+ }
+
+ /* Check for missing list property */
+@@ -536,8 +539,9 @@ static void __init of_unittest_parse_phandle_with_args(void)
+
+ static void __init of_unittest_parse_phandle_with_args_map(void)
+ {
+- struct device_node *np, *p0, *p1, *p2, *p3;
++ struct device_node *np, *p[6] = {};
+ struct of_phandle_args args;
++ unsigned int prefs[6];
+ int i, rc;
+
+ np = of_find_node_by_path("/testcase-data/phandle-tests/consumer-b");
+@@ -546,34 +550,24 @@ static void __init of_unittest_parse_phandle_with_args_map(void)
+ return;
+ }
+
+- p0 = of_find_node_by_path("/testcase-data/phandle-tests/provider0");
+- if (!p0) {
+- pr_err("missing testcase data\n");
+- return;
+- }
+-
+- p1 = of_find_node_by_path("/testcase-data/phandle-tests/provider1");
+- if (!p1) {
+- pr_err("missing testcase data\n");
+- return;
+- }
+-
+- p2 = of_find_node_by_path("/testcase-data/phandle-tests/provider2");
+- if (!p2) {
+- pr_err("missing testcase data\n");
+- return;
+- }
+-
+- p3 = of_find_node_by_path("/testcase-data/phandle-tests/provider3");
+- if (!p3) {
+- pr_err("missing testcase data\n");
+- return;
++ p[0] = of_find_node_by_path("/testcase-data/phandle-tests/provider0");
++ p[1] = of_find_node_by_path("/testcase-data/phandle-tests/provider1");
++ p[2] = of_find_node_by_path("/testcase-data/phandle-tests/provider2");
++ p[3] = of_find_node_by_path("/testcase-data/phandle-tests/provider3");
++ p[4] = of_find_node_by_path("/testcase-data/phandle-tests/provider4");
++ p[5] = of_find_node_by_path("/testcase-data/phandle-tests/provider5");
++ for (i = 0; i < ARRAY_SIZE(p); ++i) {
++ if (!p[i]) {
++ pr_err("missing testcase data\n");
++ return;
++ }
++ prefs[i] = kref_read(&p[i]->kobj.kref);
+ }
+
+ rc = of_count_phandle_with_args(np, "phandle-list", "#phandle-cells");
+- unittest(rc == 7, "of_count_phandle_with_args() returned %i, expected 7\n", rc);
++ unittest(rc == 8, "of_count_phandle_with_args() returned %i, expected 7\n", rc);
+
+- for (i = 0; i < 8; i++) {
++ for (i = 0; i < 9; i++) {
+ bool passed = true;
+
+ memset(&args, 0, sizeof(args));
+@@ -584,13 +578,13 @@ static void __init of_unittest_parse_phandle_with_args_map(void)
+ switch (i) {
+ case 0:
+ passed &= !rc;
+- passed &= (args.np == p1);
++ passed &= (args.np == p[1]);
+ passed &= (args.args_count == 1);
+ passed &= (args.args[0] == 1);
+ break;
+ case 1:
+ passed &= !rc;
+- passed &= (args.np == p3);
++ passed &= (args.np == p[3]);
+ passed &= (args.args_count == 3);
+ passed &= (args.args[0] == 2);
+ passed &= (args.args[1] == 5);
+@@ -601,28 +595,36 @@ static void __init of_unittest_parse_phandle_with_args_map(void)
+ break;
+ case 3:
+ passed &= !rc;
+- passed &= (args.np == p0);
++ passed &= (args.np == p[0]);
+ passed &= (args.args_count == 0);
+ break;
+ case 4:
+ passed &= !rc;
+- passed &= (args.np == p1);
++ passed &= (args.np == p[1]);
+ passed &= (args.args_count == 1);
+ passed &= (args.args[0] == 3);
+ break;
+ case 5:
+ passed &= !rc;
+- passed &= (args.np == p0);
++ passed &= (args.np == p[0]);
+ passed &= (args.args_count == 0);
+ break;
+ case 6:
+ passed &= !rc;
+- passed &= (args.np == p2);
++ passed &= (args.np == p[2]);
+ passed &= (args.args_count == 2);
+ passed &= (args.args[0] == 15);
+ passed &= (args.args[1] == 0x20);
+ break;
+ case 7:
++ passed &= !rc;
++ passed &= (args.np == p[3]);
++ passed &= (args.args_count == 3);
++ passed &= (args.args[0] == 2);
++ passed &= (args.args[1] == 5);
++ passed &= (args.args[2] == 3);
++ break;
++ case 8:
+ passed &= (rc == -ENOENT);
+ break;
+ default:
+@@ -631,6 +633,9 @@ static void __init of_unittest_parse_phandle_with_args_map(void)
+
+ unittest(passed, "index %i - data error on node %s rc=%i\n",
+ i, args.np->full_name, rc);
++
++ if (rc == 0)
++ of_node_put(args.np);
+ }
+
+ /* Check for missing list property */
+@@ -677,6 +682,13 @@ static void __init of_unittest_parse_phandle_with_args_map(void)
+ "OF: /testcase-data/phandle-tests/consumer-b: #phandle-cells = 2 found -1");
+
+ unittest(rc == -EINVAL, "expected:%i got:%i\n", -EINVAL, rc);
++
++ for (i = 0; i < ARRAY_SIZE(p); ++i) {
++ unittest(prefs[i] == kref_read(&p[i]->kobj.kref),
++ "provider%d: expected:%d got:%d\n",
++ i, prefs[i], kref_read(&p[i]->kobj.kref));
++ of_node_put(p[i]);
++ }
+ }
+
+ static void __init of_unittest_property_string(void)
+--
+2.43.0
+
--- /dev/null
+From de3096e41aa0492a0564812016a319a74bf3892a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Jan 2022 18:35:03 +0100
+Subject: of: property: define of_property_read_u{8,16,32,64}_array()
+ unconditionally
+
+From: Michael Walle <michael@walle.cc>
+
+[ Upstream commit 2ca42c3ad9ed875b136065b010753a4caaaa1d38 ]
+
+We can get rid of all the empty stubs because all these functions call
+of_property_read_variable_u{8,16,32,64}_array() which already have an
+empty stub if CONFIG_OF is not defined.
+
+Signed-off-by: Michael Walle <michael@walle.cc>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Link: https://lore.kernel.org/r/20220118173504.2867523-3-michael@walle.cc
+Stable-dep-of: c4a5118a3ae1 ("cpufreq: scmi: process the result of devm_of_clk_add_hw_provider()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/of.h | 274 ++++++++++++++++++++-------------------------
+ 1 file changed, 124 insertions(+), 150 deletions(-)
+
+diff --git a/include/linux/of.h b/include/linux/of.h
+index 57f2d3dddc0c..13d6243d202d 100644
+--- a/include/linux/of.h
++++ b/include/linux/of.h
+@@ -415,130 +415,6 @@ extern int of_detach_node(struct device_node *);
+
+ #define of_match_ptr(_ptr) (_ptr)
+
+-/**
+- * of_property_read_u8_array - Find and read an array of u8 from a property.
+- *
+- * @np: device node from which the property value is to be read.
+- * @propname: name of the property to be searched.
+- * @out_values: pointer to return value, modified only if return value is 0.
+- * @sz: number of array elements to read
+- *
+- * Search for a property in a device node and read 8-bit value(s) from
+- * it.
+- *
+- * dts entry of array should be like:
+- * ``property = /bits/ 8 <0x50 0x60 0x70>;``
+- *
+- * Return: 0 on success, -EINVAL if the property does not exist,
+- * -ENODATA if property does not have a value, and -EOVERFLOW if the
+- * property data isn't large enough.
+- *
+- * The out_values is modified only if a valid u8 value can be decoded.
+- */
+-static inline int of_property_read_u8_array(const struct device_node *np,
+- const char *propname,
+- u8 *out_values, size_t sz)
+-{
+- int ret = of_property_read_variable_u8_array(np, propname, out_values,
+- sz, 0);
+- if (ret >= 0)
+- return 0;
+- else
+- return ret;
+-}
+-
+-/**
+- * of_property_read_u16_array - Find and read an array of u16 from a property.
+- *
+- * @np: device node from which the property value is to be read.
+- * @propname: name of the property to be searched.
+- * @out_values: pointer to return value, modified only if return value is 0.
+- * @sz: number of array elements to read
+- *
+- * Search for a property in a device node and read 16-bit value(s) from
+- * it.
+- *
+- * dts entry of array should be like:
+- * ``property = /bits/ 16 <0x5000 0x6000 0x7000>;``
+- *
+- * Return: 0 on success, -EINVAL if the property does not exist,
+- * -ENODATA if property does not have a value, and -EOVERFLOW if the
+- * property data isn't large enough.
+- *
+- * The out_values is modified only if a valid u16 value can be decoded.
+- */
+-static inline int of_property_read_u16_array(const struct device_node *np,
+- const char *propname,
+- u16 *out_values, size_t sz)
+-{
+- int ret = of_property_read_variable_u16_array(np, propname, out_values,
+- sz, 0);
+- if (ret >= 0)
+- return 0;
+- else
+- return ret;
+-}
+-
+-/**
+- * of_property_read_u32_array - Find and read an array of 32 bit integers
+- * from a property.
+- *
+- * @np: device node from which the property value is to be read.
+- * @propname: name of the property to be searched.
+- * @out_values: pointer to return value, modified only if return value is 0.
+- * @sz: number of array elements to read
+- *
+- * Search for a property in a device node and read 32-bit value(s) from
+- * it.
+- *
+- * Return: 0 on success, -EINVAL if the property does not exist,
+- * -ENODATA if property does not have a value, and -EOVERFLOW if the
+- * property data isn't large enough.
+- *
+- * The out_values is modified only if a valid u32 value can be decoded.
+- */
+-static inline int of_property_read_u32_array(const struct device_node *np,
+- const char *propname,
+- u32 *out_values, size_t sz)
+-{
+- int ret = of_property_read_variable_u32_array(np, propname, out_values,
+- sz, 0);
+- if (ret >= 0)
+- return 0;
+- else
+- return ret;
+-}
+-
+-/**
+- * of_property_read_u64_array - Find and read an array of 64 bit integers
+- * from a property.
+- *
+- * @np: device node from which the property value is to be read.
+- * @propname: name of the property to be searched.
+- * @out_values: pointer to return value, modified only if return value is 0.
+- * @sz: number of array elements to read
+- *
+- * Search for a property in a device node and read 64-bit value(s) from
+- * it.
+- *
+- * Return: 0 on success, -EINVAL if the property does not exist,
+- * -ENODATA if property does not have a value, and -EOVERFLOW if the
+- * property data isn't large enough.
+- *
+- * The out_values is modified only if a valid u64 value can be decoded.
+- */
+-static inline int of_property_read_u64_array(const struct device_node *np,
+- const char *propname,
+- u64 *out_values, size_t sz)
+-{
+- int ret = of_property_read_variable_u64_array(np, propname, out_values,
+- sz, 0);
+- if (ret >= 0)
+- return 0;
+- else
+- return ret;
+-}
+-
+ /*
+ * struct property *prop;
+ * const __be32 *p;
+@@ -726,32 +602,6 @@ static inline int of_property_count_elems_of_size(const struct device_node *np,
+ return -ENOSYS;
+ }
+
+-static inline int of_property_read_u8_array(const struct device_node *np,
+- const char *propname, u8 *out_values, size_t sz)
+-{
+- return -ENOSYS;
+-}
+-
+-static inline int of_property_read_u16_array(const struct device_node *np,
+- const char *propname, u16 *out_values, size_t sz)
+-{
+- return -ENOSYS;
+-}
+-
+-static inline int of_property_read_u32_array(const struct device_node *np,
+- const char *propname,
+- u32 *out_values, size_t sz)
+-{
+- return -ENOSYS;
+-}
+-
+-static inline int of_property_read_u64_array(const struct device_node *np,
+- const char *propname,
+- u64 *out_values, size_t sz)
+-{
+- return -ENOSYS;
+-}
+-
+ static inline int of_property_read_u32_index(const struct device_node *np,
+ const char *propname, u32 index, u32 *out_value)
+ {
+@@ -1223,6 +1073,130 @@ static inline bool of_property_read_bool(const struct device_node *np,
+ return prop ? true : false;
+ }
+
++/**
++ * of_property_read_u8_array - Find and read an array of u8 from a property.
++ *
++ * @np: device node from which the property value is to be read.
++ * @propname: name of the property to be searched.
++ * @out_values: pointer to return value, modified only if return value is 0.
++ * @sz: number of array elements to read
++ *
++ * Search for a property in a device node and read 8-bit value(s) from
++ * it.
++ *
++ * dts entry of array should be like:
++ * ``property = /bits/ 8 <0x50 0x60 0x70>;``
++ *
++ * Return: 0 on success, -EINVAL if the property does not exist,
++ * -ENODATA if property does not have a value, and -EOVERFLOW if the
++ * property data isn't large enough.
++ *
++ * The out_values is modified only if a valid u8 value can be decoded.
++ */
++static inline int of_property_read_u8_array(const struct device_node *np,
++ const char *propname,
++ u8 *out_values, size_t sz)
++{
++ int ret = of_property_read_variable_u8_array(np, propname, out_values,
++ sz, 0);
++ if (ret >= 0)
++ return 0;
++ else
++ return ret;
++}
++
++/**
++ * of_property_read_u16_array - Find and read an array of u16 from a property.
++ *
++ * @np: device node from which the property value is to be read.
++ * @propname: name of the property to be searched.
++ * @out_values: pointer to return value, modified only if return value is 0.
++ * @sz: number of array elements to read
++ *
++ * Search for a property in a device node and read 16-bit value(s) from
++ * it.
++ *
++ * dts entry of array should be like:
++ * ``property = /bits/ 16 <0x5000 0x6000 0x7000>;``
++ *
++ * Return: 0 on success, -EINVAL if the property does not exist,
++ * -ENODATA if property does not have a value, and -EOVERFLOW if the
++ * property data isn't large enough.
++ *
++ * The out_values is modified only if a valid u16 value can be decoded.
++ */
++static inline int of_property_read_u16_array(const struct device_node *np,
++ const char *propname,
++ u16 *out_values, size_t sz)
++{
++ int ret = of_property_read_variable_u16_array(np, propname, out_values,
++ sz, 0);
++ if (ret >= 0)
++ return 0;
++ else
++ return ret;
++}
++
++/**
++ * of_property_read_u32_array - Find and read an array of 32 bit integers
++ * from a property.
++ *
++ * @np: device node from which the property value is to be read.
++ * @propname: name of the property to be searched.
++ * @out_values: pointer to return value, modified only if return value is 0.
++ * @sz: number of array elements to read
++ *
++ * Search for a property in a device node and read 32-bit value(s) from
++ * it.
++ *
++ * Return: 0 on success, -EINVAL if the property does not exist,
++ * -ENODATA if property does not have a value, and -EOVERFLOW if the
++ * property data isn't large enough.
++ *
++ * The out_values is modified only if a valid u32 value can be decoded.
++ */
++static inline int of_property_read_u32_array(const struct device_node *np,
++ const char *propname,
++ u32 *out_values, size_t sz)
++{
++ int ret = of_property_read_variable_u32_array(np, propname, out_values,
++ sz, 0);
++ if (ret >= 0)
++ return 0;
++ else
++ return ret;
++}
++
++/**
++ * of_property_read_u64_array - Find and read an array of 64 bit integers
++ * from a property.
++ *
++ * @np: device node from which the property value is to be read.
++ * @propname: name of the property to be searched.
++ * @out_values: pointer to return value, modified only if return value is 0.
++ * @sz: number of array elements to read
++ *
++ * Search for a property in a device node and read 64-bit value(s) from
++ * it.
++ *
++ * Return: 0 on success, -EINVAL if the property does not exist,
++ * -ENODATA if property does not have a value, and -EOVERFLOW if the
++ * property data isn't large enough.
++ *
++ * The out_values is modified only if a valid u64 value can be decoded.
++ */
++static inline int of_property_read_u64_array(const struct device_node *np,
++ const char *propname,
++ u64 *out_values, size_t sz)
++{
++ int ret = of_property_read_variable_u64_array(np, propname, out_values,
++ sz, 0);
++ if (ret >= 0)
++ return 0;
++ else
++ return ret;
++}
++
+ static inline int of_property_read_u8(const struct device_node *np,
+ const char *propname,
+ u8 *out_value)
+--
+2.43.0
+
--- /dev/null
+From 264c6cb33d73f6e9968d4eb122673003543b7d4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Jan 2024 09:50:25 +0100
+Subject: of: unittest: Fix of_count_phandle_with_args() expected value message
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 716089b417cf98d01f0dc1b39f9c47e1d7b4c965 ]
+
+The expected result value for the call to of_count_phandle_with_args()
+was updated from 7 to 8, but the accompanying error message was
+forgotten.
+
+Fixes: 4dde83569832f937 ("of: Fix double free in of_parse_phandle_with_args_map")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20240111085025.2073894-1-geert+renesas@glider.be
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/unittest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c
+index 197abe33b65c..f9083c868a36 100644
+--- a/drivers/of/unittest.c
++++ b/drivers/of/unittest.c
+@@ -565,7 +565,7 @@ static void __init of_unittest_parse_phandle_with_args_map(void)
+ }
+
+ rc = of_count_phandle_with_args(np, "phandle-list", "#phandle-cells");
+- unittest(rc == 8, "of_count_phandle_with_args() returned %i, expected 7\n", rc);
++ unittest(rc == 8, "of_count_phandle_with_args() returned %i, expected 8\n", rc);
+
+ for (i = 0; i < 9; i++) {
+ bool passed = true;
+--
+2.43.0
+
--- /dev/null
+From 3701b726e3c7ed4f5671d9032cc66df1ef1969e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Nov 2023 21:51:59 -0800
+Subject: powerpc/44x: select I2C for CURRITUCK
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 4a74197b65e69c46fe6e53f7df2f4d6ce9ffe012 ]
+
+Fix build errors when CURRITUCK=y and I2C is not builtin (=m or is
+not set). Fixes these build errors:
+
+powerpc-linux-ld: arch/powerpc/platforms/44x/ppc476.o: in function `avr_halt_system':
+ppc476.c:(.text+0x58): undefined reference to `i2c_smbus_write_byte_data'
+powerpc-linux-ld: arch/powerpc/platforms/44x/ppc476.o: in function `ppc47x_device_probe':
+ppc476.c:(.init.text+0x18): undefined reference to `i2c_register_driver'
+
+Fixes: 2a2c74b2efcb ("IBM Akebono: Add the Akebono platform")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: lore.kernel.org/r/202312010820.cmdwF5X9-lkp@intel.com
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20231201055159.8371-1-rdunlap@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/44x/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/platforms/44x/Kconfig b/arch/powerpc/platforms/44x/Kconfig
+index 78ac6d67a935..9bc852c7e92f 100644
+--- a/arch/powerpc/platforms/44x/Kconfig
++++ b/arch/powerpc/platforms/44x/Kconfig
+@@ -177,6 +177,7 @@ config ISS4xx
+ config CURRITUCK
+ bool "IBM Currituck (476fpe) Support"
+ depends on PPC_47x
++ select I2C
+ select SWIOTLB
+ select 476FPE
+ select FORCE_PCI
+--
+2.43.0
+
--- /dev/null
+From 40b46d4036563e8ccf728ebe4887ba9e2c348182 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Nov 2023 08:23:32 +0900
+Subject: powerpc: add crtsavres.o to always-y instead of extra-y
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit 1b1e38002648819c04773647d5242990e2824264 ]
+
+crtsavres.o is linked to modules. However, as explained in commit
+d0e628cd817f ("kbuild: doc: clarify the difference between extra-y
+and always-y"), 'make modules' does not build extra-y.
+
+For example, the following command fails:
+
+ $ make ARCH=powerpc LLVM=1 KBUILD_MODPOST_WARN=1 mrproper ps3_defconfig modules
+ [snip]
+ LD [M] arch/powerpc/platforms/cell/spufs/spufs.ko
+ ld.lld: error: cannot open arch/powerpc/lib/crtsavres.o: No such file or directory
+ make[3]: *** [scripts/Makefile.modfinal:56: arch/powerpc/platforms/cell/spufs/spufs.ko] Error 1
+ make[2]: *** [Makefile:1844: modules] Error 2
+ make[1]: *** [/home/masahiro/workspace/linux-kbuild/Makefile:350: __build_one_by_one] Error 2
+ make: *** [Makefile:234: __sub-make] Error 2
+
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Fixes: baa25b571a16 ("powerpc/64: Do not link crtsavres.o in vmlinux")
+Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20231120232332.4100288-1-masahiroy@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/lib/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/lib/Makefile b/arch/powerpc/lib/Makefile
+index 0697a0e014ae..321cab5c3ea0 100644
+--- a/arch/powerpc/lib/Makefile
++++ b/arch/powerpc/lib/Makefile
+@@ -38,7 +38,7 @@ obj-$(CONFIG_FUNCTION_ERROR_INJECTION) += error-inject.o
+ # so it is only needed for modules, and only for older linkers which
+ # do not support --save-restore-funcs
+ ifeq ($(call ld-ifversion, -lt, 225000000, y),y)
+-extra-$(CONFIG_PPC64) += crtsavres.o
++always-$(CONFIG_PPC64) += crtsavres.o
+ endif
+
+ obj-$(CONFIG_PPC_BOOK3S_64) += copyuser_power7.o copypage_power7.o \
+--
+2.43.0
+
--- /dev/null
+From a019402b4a3ed6906a993615a6f83154eef690a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Nov 2023 17:37:19 +0800
+Subject: powerpc/imc-pmu: Add a null pointer check in update_events_in_group()
+
+From: Kunwu Chan <chentao@kylinos.cn>
+
+[ Upstream commit 0a233867a39078ebb0f575e2948593bbff5826b3 ]
+
+kasprintf() returns a pointer to dynamically allocated memory
+which can be NULL upon failure.
+
+Fixes: 885dcd709ba9 ("powerpc/perf: Add nest IMC PMU support")
+Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20231126093719.1440305-1-chentao@kylinos.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/perf/imc-pmu.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/powerpc/perf/imc-pmu.c b/arch/powerpc/perf/imc-pmu.c
+index 3e15d0d054b2..5464c87511fa 100644
+--- a/arch/powerpc/perf/imc-pmu.c
++++ b/arch/powerpc/perf/imc-pmu.c
+@@ -292,6 +292,8 @@ static int update_events_in_group(struct device_node *node, struct imc_pmu *pmu)
+ attr_group->attrs = attrs;
+ do {
+ ev_val_str = kasprintf(GFP_KERNEL, "event=0x%x", pmu->events[i].value);
++ if (!ev_val_str)
++ continue;
+ dev_str = device_str_attr_create(pmu->events[i].name, ev_val_str);
+ if (!dev_str)
+ continue;
+@@ -299,6 +301,8 @@ static int update_events_in_group(struct device_node *node, struct imc_pmu *pmu)
+ attrs[j++] = dev_str;
+ if (pmu->events[i].scale) {
+ ev_scale_str = kasprintf(GFP_KERNEL, "%s.scale", pmu->events[i].name);
++ if (!ev_scale_str)
++ continue;
+ dev_str = device_str_attr_create(ev_scale_str, pmu->events[i].scale);
+ if (!dev_str)
+ continue;
+@@ -308,6 +312,8 @@ static int update_events_in_group(struct device_node *node, struct imc_pmu *pmu)
+
+ if (pmu->events[i].unit) {
+ ev_unit_str = kasprintf(GFP_KERNEL, "%s.unit", pmu->events[i].name);
++ if (!ev_unit_str)
++ continue;
+ dev_str = device_str_attr_create(ev_unit_str, pmu->events[i].unit);
+ if (!dev_str)
+ continue;
+--
+2.43.0
+
--- /dev/null
+From 3a586e3776ccd7506d3978f3426377721fc8dbed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Nov 2023 11:07:55 +0800
+Subject: powerpc/powernv: Add a null pointer check in opal_event_init()
+
+From: Kunwu Chan <chentao@kylinos.cn>
+
+[ Upstream commit 8649829a1dd25199bbf557b2621cedb4bf9b3050 ]
+
+kasprintf() returns a pointer to dynamically allocated memory
+which can be NULL upon failure.
+
+Fixes: 2717a33d6074 ("powerpc/opal-irqchip: Use interrupt names if present")
+Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20231127030755.1546750-1-chentao@kylinos.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/powernv/opal-irqchip.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/powerpc/platforms/powernv/opal-irqchip.c b/arch/powerpc/platforms/powernv/opal-irqchip.c
+index c164419e254d..dcec0f760c8f 100644
+--- a/arch/powerpc/platforms/powernv/opal-irqchip.c
++++ b/arch/powerpc/platforms/powernv/opal-irqchip.c
+@@ -278,6 +278,8 @@ int __init opal_event_init(void)
+ else
+ name = kasprintf(GFP_KERNEL, "opal");
+
++ if (!name)
++ continue;
+ /* Install interrupt handler */
+ rc = request_irq(r->start, opal_interrupt, r->flags & IRQD_TRIGGER_MASK,
+ name, NULL);
+--
+2.43.0
+
--- /dev/null
+From b76d353fcc669f1dc8254f9f4c2b965784cb053f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Nov 2023 17:57:39 +0800
+Subject: powerpc/powernv: Add a null pointer check in opal_powercap_init()
+
+From: Kunwu Chan <chentao@kylinos.cn>
+
+[ Upstream commit e123015c0ba859cf48aa7f89c5016cc6e98e018d ]
+
+kasprintf() returns a pointer to dynamically allocated memory
+which can be NULL upon failure.
+
+Fixes: b9ef7b4b867f ("powerpc: Convert to using %pOFn instead of device_node.name")
+Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20231126095739.1501990-1-chentao@kylinos.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/powernv/opal-powercap.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/powerpc/platforms/powernv/opal-powercap.c b/arch/powerpc/platforms/powernv/opal-powercap.c
+index c16d44f6f1d1..ce9ec3962cef 100644
+--- a/arch/powerpc/platforms/powernv/opal-powercap.c
++++ b/arch/powerpc/platforms/powernv/opal-powercap.c
+@@ -196,6 +196,12 @@ void __init opal_powercap_init(void)
+
+ j = 0;
+ pcaps[i].pg.name = kasprintf(GFP_KERNEL, "%pOFn", node);
++ if (!pcaps[i].pg.name) {
++ kfree(pcaps[i].pattrs);
++ kfree(pcaps[i].pg.attrs);
++ goto out_pcaps_pattrs;
++ }
++
+ if (has_min) {
+ powercap_add_attr(min, "powercap-min",
+ &pcaps[i].pattrs[j]);
+--
+2.43.0
+
--- /dev/null
+From 488c6c4e868a60503c480659fcf479c041aac192 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Dec 2023 16:59:37 +0800
+Subject: powerpc/powernv: Add a null pointer check to scom_debug_init_one()
+
+From: Kunwu Chan <chentao@kylinos.cn>
+
+[ Upstream commit 9a260f2dd827bbc82cc60eb4f4d8c22707d80742 ]
+
+kasprintf() returns a pointer to dynamically allocated memory
+which can be NULL upon failure.
+Add a null pointer check, and release 'ent' to avoid memory leaks.
+
+Fixes: bfd2f0d49aef ("powerpc/powernv: Get rid of old scom_controller abstraction")
+Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20231208085937.107210-1-chentao@kylinos.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/powernv/opal-xscom.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/powerpc/platforms/powernv/opal-xscom.c b/arch/powerpc/platforms/powernv/opal-xscom.c
+index fd510d961b8c..d5814c5046ba 100644
+--- a/arch/powerpc/platforms/powernv/opal-xscom.c
++++ b/arch/powerpc/platforms/powernv/opal-xscom.c
+@@ -165,6 +165,11 @@ static int scom_debug_init_one(struct dentry *root, struct device_node *dn,
+ ent->chip = chip;
+ snprintf(ent->name, 16, "%08x", chip);
+ ent->path.data = (void *)kasprintf(GFP_KERNEL, "%pOF", dn);
++ if (!ent->path.data) {
++ kfree(ent);
++ return -ENOMEM;
++ }
++
+ ent->path.size = strlen((char *)ent->path.data);
+
+ dir = debugfs_create_dir(ent->name, root);
+--
+2.43.0
+
--- /dev/null
+From c48ad95b1ce1aa55d94c25601aea06b5b8b5b041 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Dec 2020 15:59:54 +0100
+Subject: powerpc/pseries/memhotplug: Quieten some DLPAR operations
+
+From: Laurent Dufour <ldufour@linux.ibm.com>
+
+[ Upstream commit 20e9de85edae3a5866f29b6cce87c9ec66d62a1b ]
+
+When attempting to remove by index a set of LMBs a lot of messages are
+displayed on the console, even when everything goes fine:
+
+ pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 8000002d
+ Offlined Pages 4096
+ pseries-hotplug-mem: Memory at 2d0000000 was hot-removed
+
+The 2 messages prefixed by "pseries-hotplug-mem" are not really
+helpful for the end user, they should be debug outputs.
+
+In case of error, because some of the LMB's pages couldn't be
+offlined, the following is displayed on the console:
+
+ pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 8000003e
+ pseries-hotplug-mem: Failed to hot-remove memory at 3e0000000
+ dlpar: Could not handle DLPAR request "memory remove index 0x8000003e"
+
+Again, the 2 messages prefixed by "pseries-hotplug-mem" are useless,
+and the generic DLPAR prefixed message should be enough.
+
+These 2 first changes are mainly triggered by the changes introduced
+in drmgr:
+ https://groups.google.com/g/powerpc-utils-devel/c/Y6ef4NB3EzM/m/9cu5JHRxAQAJ
+
+Also, when adding a bunch of LMBs, a message is displayed in the console per LMB
+like these ones:
+ pseries-hotplug-mem: Memory at 7e0000000 (drc index 8000007e) was hot-added
+ pseries-hotplug-mem: Memory at 7f0000000 (drc index 8000007f) was hot-added
+ pseries-hotplug-mem: Memory at 800000000 (drc index 80000080) was hot-added
+ pseries-hotplug-mem: Memory at 810000000 (drc index 80000081) was hot-added
+
+When adding 1TB of memory and LMB size is 256MB, this leads to 4096
+messages to be displayed on the console. These messages are not really
+helpful for the end user, so moving them to the DEBUG level.
+
+Signed-off-by: Laurent Dufour <ldufour@linux.ibm.com>
+[mpe: Tweak change log wording]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20201211145954.90143-1-ldufour@linux.ibm.com
+Stable-dep-of: bd68ffce69f6 ("powerpc/pseries/memhp: Fix access beyond end of drmem array")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/hotplug-memory.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/arch/powerpc/platforms/pseries/hotplug-memory.c b/arch/powerpc/platforms/pseries/hotplug-memory.c
+index a5f968b5fa3a..0e602c3b01ea 100644
+--- a/arch/powerpc/platforms/pseries/hotplug-memory.c
++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c
+@@ -481,7 +481,7 @@ static int dlpar_memory_remove_by_index(u32 drc_index)
+ int lmb_found;
+ int rc;
+
+- pr_info("Attempting to hot-remove LMB, drc index %x\n", drc_index);
++ pr_debug("Attempting to hot-remove LMB, drc index %x\n", drc_index);
+
+ lmb_found = 0;
+ for_each_drmem_lmb(lmb) {
+@@ -499,10 +499,10 @@ static int dlpar_memory_remove_by_index(u32 drc_index)
+ rc = -EINVAL;
+
+ if (rc)
+- pr_info("Failed to hot-remove memory at %llx\n",
+- lmb->base_addr);
++ pr_debug("Failed to hot-remove memory at %llx\n",
++ lmb->base_addr);
+ else
+- pr_info("Memory at %llx was hot-removed\n", lmb->base_addr);
++ pr_debug("Memory at %llx was hot-removed\n", lmb->base_addr);
+
+ return rc;
+ }
+@@ -719,8 +719,8 @@ static int dlpar_memory_add_by_count(u32 lmbs_to_add)
+ if (!drmem_lmb_reserved(lmb))
+ continue;
+
+- pr_info("Memory at %llx (drc index %x) was hot-added\n",
+- lmb->base_addr, lmb->drc_index);
++ pr_debug("Memory at %llx (drc index %x) was hot-added\n",
++ lmb->base_addr, lmb->drc_index);
+ drmem_remove_lmb_reservation(lmb);
+ }
+ rc = 0;
+--
+2.43.0
+
--- /dev/null
+From 30a32056db601c853cdc87f60979f411f8212254 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Nov 2023 11:01:53 -0600
+Subject: powerpc/pseries/memhp: Fix access beyond end of drmem array
+
+From: Nathan Lynch <nathanl@linux.ibm.com>
+
+[ Upstream commit bd68ffce69f6cf8ddd3a3c32549d1d2275e49fc5 ]
+
+dlpar_memory_remove_by_index() may access beyond the bounds of the
+drmem lmb array when the LMB lookup fails to match an entry with the
+given DRC index. When the search fails, the cursor is left pointing to
+&drmem_info->lmbs[drmem_info->n_lmbs], which is one element past the
+last valid entry in the array. The debug message at the end of the
+function then dereferences this pointer:
+
+ pr_debug("Failed to hot-remove memory at %llx\n",
+ lmb->base_addr);
+
+This was found by inspection and confirmed with KASAN:
+
+ pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 1234
+ ==================================================================
+ BUG: KASAN: slab-out-of-bounds in dlpar_memory+0x298/0x1658
+ Read of size 8 at addr c000000364e97fd0 by task bash/949
+
+ dump_stack_lvl+0xa4/0xfc (unreliable)
+ print_report+0x214/0x63c
+ kasan_report+0x140/0x2e0
+ __asan_load8+0xa8/0xe0
+ dlpar_memory+0x298/0x1658
+ handle_dlpar_errorlog+0x130/0x1d0
+ dlpar_store+0x18c/0x3e0
+ kobj_attr_store+0x68/0xa0
+ sysfs_kf_write+0xc4/0x110
+ kernfs_fop_write_iter+0x26c/0x390
+ vfs_write+0x2d4/0x4e0
+ ksys_write+0xac/0x1a0
+ system_call_exception+0x268/0x530
+ system_call_vectored_common+0x15c/0x2ec
+
+ Allocated by task 1:
+ kasan_save_stack+0x48/0x80
+ kasan_set_track+0x34/0x50
+ kasan_save_alloc_info+0x34/0x50
+ __kasan_kmalloc+0xd0/0x120
+ __kmalloc+0x8c/0x320
+ kmalloc_array.constprop.0+0x48/0x5c
+ drmem_init+0x2a0/0x41c
+ do_one_initcall+0xe0/0x5c0
+ kernel_init_freeable+0x4ec/0x5a0
+ kernel_init+0x30/0x1e0
+ ret_from_kernel_user_thread+0x14/0x1c
+
+ The buggy address belongs to the object at c000000364e80000
+ which belongs to the cache kmalloc-128k of size 131072
+ The buggy address is located 0 bytes to the right of
+ allocated 98256-byte region [c000000364e80000, c000000364e97fd0)
+
+ ==================================================================
+ pseries-hotplug-mem: Failed to hot-remove memory at 0
+
+Log failed lookups with a separate message and dereference the
+cursor only when it points to a valid entry.
+
+Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
+Fixes: 51925fb3c5c9 ("powerpc/pseries: Implement memory hotplug remove in the kernel")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20231114-pseries-memhp-fixes-v1-1-fb8f2bb7c557@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/hotplug-memory.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/arch/powerpc/platforms/pseries/hotplug-memory.c b/arch/powerpc/platforms/pseries/hotplug-memory.c
+index 0e602c3b01ea..96dd82d63e98 100644
+--- a/arch/powerpc/platforms/pseries/hotplug-memory.c
++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c
+@@ -495,14 +495,15 @@ static int dlpar_memory_remove_by_index(u32 drc_index)
+ }
+ }
+
+- if (!lmb_found)
++ if (!lmb_found) {
++ pr_debug("Failed to look up LMB for drc index %x\n", drc_index);
+ rc = -EINVAL;
+-
+- if (rc)
++ } else if (rc) {
+ pr_debug("Failed to hot-remove memory at %llx\n",
+ lmb->base_addr);
+- else
++ } else {
+ pr_debug("Memory at %llx was hot-removed\n", lmb->base_addr);
++ }
+
+ return rc;
+ }
+--
+2.43.0
+
--- /dev/null
+From e8185ec052a8e32ca388c1b5627042479546fc64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Jun 2021 17:09:18 +0000
+Subject: powerpc: Remove in_kernel_text()
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 09ca497528dac12cbbceab8197011c875a96d053 ]
+
+Last user of in_kernel_text() stopped using in with
+commit 549e8152de80 ("powerpc: Make the 64-bit kernel as a
+position-independent executable").
+
+Generic function is_kernel_text() does the same.
+
+So remote it.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/2a3a5b6f8cc0ef4e854d7b764f66aa8d2ee270d2.1624813698.git.christophe.leroy@csgroup.eu
+Stable-dep-of: 1b1e38002648 ("powerpc: add crtsavres.o to always-y instead of extra-y")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/sections.h | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/sections.h b/arch/powerpc/include/asm/sections.h
+index 324d7b298ec3..6e4af4492a14 100644
+--- a/arch/powerpc/include/asm/sections.h
++++ b/arch/powerpc/include/asm/sections.h
+@@ -38,14 +38,6 @@ extern char start_virt_trampolines[];
+ extern char end_virt_trampolines[];
+ #endif
+
+-static inline int in_kernel_text(unsigned long addr)
+-{
+- if (addr >= (unsigned long)_stext && addr < (unsigned long)__init_end)
+- return 1;
+-
+- return 0;
+-}
+-
+ static inline unsigned long kernel_toc_addr(void)
+ {
+ /* Defined by the linker, see vmlinux.lds.S */
+--
+2.43.0
+
--- /dev/null
+From 82e5c878d2b4196722d9b202ade8915baaef80ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Nov 2023 23:29:36 +0300
+Subject: pstore: ram_core: fix possible overflow in persistent_ram_init_ecc()
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 86222a8fc16ec517de8da2604d904c9df3a08e5d ]
+
+In persistent_ram_init_ecc(), on 64-bit arches DIV_ROUND_UP() will return
+64-bit value since persistent_ram_zone::buffer_size has type size_t which
+is derived from the 64-bit *unsigned long*, while the ecc_blocks variable
+this value gets assigned to has (always 32-bit) *int* type. Even if that
+value fits into *int* type, an overflow is still possible when calculating
+the size_t typed ecc_total variable further below since there's no cast to
+any 64-bit type before multiplication. Declaring the ecc_blocks variable
+as *size_t* should fix this mess...
+
+Found by Linux Verification Center (linuxtesting.org) with the SVACE static
+analysis tool.
+
+Fixes: 9cc05ad97c57 ("staging: android: persistent_ram: refactor ecc support")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20231105202936.25694-1-s.shtylyov@omp.ru
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/pstore/ram_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c
+index a0fa3820ef2a..5ac9b1f155a8 100644
+--- a/fs/pstore/ram_core.c
++++ b/fs/pstore/ram_core.c
+@@ -190,7 +190,7 @@ static int persistent_ram_init_ecc(struct persistent_ram_zone *prz,
+ {
+ int numerr;
+ struct persistent_ram_buffer *buffer = prz->buffer;
+- int ecc_blocks;
++ size_t ecc_blocks;
+ size_t ecc_total;
+
+ if (!ecc_info || !ecc_info->ecc_size)
+--
+2.43.0
+
--- /dev/null
+From def4d3c0f0d699df14e82ed4a7d952b48c4dd71e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Oct 2023 22:07:04 +0200
+Subject: pwm: stm32: Fix enable count for clk in .probe()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Philipp Zabel <p.zabel@pengutronix.de>
+
+[ Upstream commit 19f1016ea9600ed89bc24247c36ff5934ad94fbb ]
+
+Make the driver take over hardware state without disabling in .probe()
+and enable the clock for each enabled channel.
+
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+[ukleinek: split off from a patch that also implemented .get_state()]
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Fixes: 7edf7369205b ("pwm: Add driver for STM32 plaftorm")
+Reviewed-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-stm32.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pwm/pwm-stm32.c b/drivers/pwm/pwm-stm32.c
+index 31843cc4ca76..69b7bc604946 100644
+--- a/drivers/pwm/pwm-stm32.c
++++ b/drivers/pwm/pwm-stm32.c
+@@ -575,17 +575,21 @@ static void stm32_pwm_detect_complementary(struct stm32_pwm *priv)
+ priv->have_complementary_output = (ccer != 0);
+ }
+
+-static unsigned int stm32_pwm_detect_channels(struct stm32_pwm *priv)
++static unsigned int stm32_pwm_detect_channels(struct stm32_pwm *priv,
++ unsigned int *num_enabled)
+ {
+- u32 ccer;
++ u32 ccer, ccer_backup;
+
+ /*
+ * If channels enable bits don't exist writing 1 will have no
+ * effect so we can detect and count them.
+ */
++ regmap_read(priv->regmap, TIM_CCER, &ccer_backup);
+ regmap_set_bits(priv->regmap, TIM_CCER, TIM_CCER_CCXE);
+ regmap_read(priv->regmap, TIM_CCER, &ccer);
+- regmap_clear_bits(priv->regmap, TIM_CCER, TIM_CCER_CCXE);
++ regmap_write(priv->regmap, TIM_CCER, ccer_backup);
++
++ *num_enabled = hweight32(ccer_backup & TIM_CCER_CCXE);
+
+ return hweight32(ccer & TIM_CCER_CCXE);
+ }
+@@ -596,6 +600,8 @@ static int stm32_pwm_probe(struct platform_device *pdev)
+ struct device_node *np = dev->of_node;
+ struct stm32_timers *ddata = dev_get_drvdata(pdev->dev.parent);
+ struct stm32_pwm *priv;
++ unsigned int num_enabled;
++ unsigned int i;
+ int ret;
+
+ priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL);
+@@ -621,7 +627,11 @@ static int stm32_pwm_probe(struct platform_device *pdev)
+ priv->chip.base = -1;
+ priv->chip.dev = dev;
+ priv->chip.ops = &stm32pwm_ops;
+- priv->chip.npwm = stm32_pwm_detect_channels(priv);
++ priv->chip.npwm = stm32_pwm_detect_channels(priv, &num_enabled);
++
++ /* Initialize clock refcount to number of enabled PWM channels. */
++ for (i = 0; i < num_enabled; i++)
++ clk_enable(priv->clk);
+
+ ret = pwmchip_add(&priv->chip);
+ if (ret < 0)
+--
+2.43.0
+
--- /dev/null
+From 0beeba5ebdc7d950539be235d0c409bb77063f66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Oct 2023 22:07:02 +0200
+Subject: pwm: stm32: Use hweight32 in stm32_pwm_detect_channels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Philipp Zabel <p.zabel@pengutronix.de>
+
+[ Upstream commit 41fa8f57c0d269243fe3bde2bce71e82c884b9ad ]
+
+Use hweight32() to count the CCxE bits in stm32_pwm_detect_channels().
+Since the return value is assigned to chip.npwm, change it to unsigned
+int as well.
+
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Reviewed-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Stable-dep-of: 19f1016ea960 ("pwm: stm32: Fix enable count for clk in .probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-stm32.c | 17 ++---------------
+ 1 file changed, 2 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/pwm/pwm-stm32.c b/drivers/pwm/pwm-stm32.c
+index 945eed3ffb81..31843cc4ca76 100644
+--- a/drivers/pwm/pwm-stm32.c
++++ b/drivers/pwm/pwm-stm32.c
+@@ -575,10 +575,9 @@ static void stm32_pwm_detect_complementary(struct stm32_pwm *priv)
+ priv->have_complementary_output = (ccer != 0);
+ }
+
+-static int stm32_pwm_detect_channels(struct stm32_pwm *priv)
++static unsigned int stm32_pwm_detect_channels(struct stm32_pwm *priv)
+ {
+ u32 ccer;
+- int npwm = 0;
+
+ /*
+ * If channels enable bits don't exist writing 1 will have no
+@@ -588,19 +587,7 @@ static int stm32_pwm_detect_channels(struct stm32_pwm *priv)
+ regmap_read(priv->regmap, TIM_CCER, &ccer);
+ regmap_clear_bits(priv->regmap, TIM_CCER, TIM_CCER_CCXE);
+
+- if (ccer & TIM_CCER_CC1E)
+- npwm++;
+-
+- if (ccer & TIM_CCER_CC2E)
+- npwm++;
+-
+- if (ccer & TIM_CCER_CC3E)
+- npwm++;
+-
+- if (ccer & TIM_CCER_CC4E)
+- npwm++;
+-
+- return npwm;
++ return hweight32(ccer & TIM_CCER_CCXE);
+ }
+
+ static int stm32_pwm_probe(struct platform_device *pdev)
+--
+2.43.0
+
--- /dev/null
+From 7a204970a61102eb5a7fe4e2048cb1f6aaf46390 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 19:35:18 +0100
+Subject: pwm: stm32: Use regmap_clear_bits and regmap_set_bits where
+ applicable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 632ae5d7eb348b3ef88552ec0999260b6f9d6ab1 ]
+
+Found using coccinelle and the following semantic patch:
+
+@@
+expression map, reg, bits;
+@@
+
+- regmap_update_bits(map, reg, bits, bits)
++ regmap_set_bits(map, reg, bits)
+
+@@
+expression map, reg, bits;
+@@
+
+- regmap_update_bits(map, reg, bits, 0)
++ regmap_clear_bits(map, reg, bits)
+
+Tested-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+Link: https://lore.kernel.org/r/20221115111347.3705732-6-u.kleine-koenig@pengutronix.de
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Stable-dep-of: 19f1016ea960 ("pwm: stm32: Fix enable count for clk in .probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-stm32.c | 34 ++++++++++++++++------------------
+ 1 file changed, 16 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/pwm/pwm-stm32.c b/drivers/pwm/pwm-stm32.c
+index d3be944f2ae9..945eed3ffb81 100644
+--- a/drivers/pwm/pwm-stm32.c
++++ b/drivers/pwm/pwm-stm32.c
+@@ -115,14 +115,14 @@ static int stm32_pwm_raw_capture(struct stm32_pwm *priv, struct pwm_device *pwm,
+ int ret;
+
+ /* Ensure registers have been updated, enable counter and capture */
+- regmap_update_bits(priv->regmap, TIM_EGR, TIM_EGR_UG, TIM_EGR_UG);
+- regmap_update_bits(priv->regmap, TIM_CR1, TIM_CR1_CEN, TIM_CR1_CEN);
++ regmap_set_bits(priv->regmap, TIM_EGR, TIM_EGR_UG);
++ regmap_set_bits(priv->regmap, TIM_CR1, TIM_CR1_CEN);
+
+ /* Use cc1 or cc3 DMA resp for PWM input channels 1 & 2 or 3 & 4 */
+ dma_id = pwm->hwpwm < 2 ? STM32_TIMERS_DMA_CH1 : STM32_TIMERS_DMA_CH3;
+ ccen = pwm->hwpwm < 2 ? TIM_CCER_CC12E : TIM_CCER_CC34E;
+ ccr = pwm->hwpwm < 2 ? TIM_CCR1 : TIM_CCR3;
+- regmap_update_bits(priv->regmap, TIM_CCER, ccen, ccen);
++ regmap_set_bits(priv->regmap, TIM_CCER, ccen);
+
+ /*
+ * Timer DMA burst mode. Request 2 registers, 2 bursts, to get both
+@@ -160,8 +160,8 @@ static int stm32_pwm_raw_capture(struct stm32_pwm *priv, struct pwm_device *pwm,
+ }
+
+ stop:
+- regmap_update_bits(priv->regmap, TIM_CCER, ccen, 0);
+- regmap_update_bits(priv->regmap, TIM_CR1, TIM_CR1_CEN, 0);
++ regmap_clear_bits(priv->regmap, TIM_CCER, ccen);
++ regmap_clear_bits(priv->regmap, TIM_CR1, TIM_CR1_CEN);
+
+ return ret;
+ }
+@@ -359,7 +359,7 @@ static int stm32_pwm_config(struct stm32_pwm *priv, int ch,
+
+ regmap_write(priv->regmap, TIM_PSC, prescaler);
+ regmap_write(priv->regmap, TIM_ARR, prd - 1);
+- regmap_update_bits(priv->regmap, TIM_CR1, TIM_CR1_ARPE, TIM_CR1_ARPE);
++ regmap_set_bits(priv->regmap, TIM_CR1, TIM_CR1_ARPE);
+
+ /* Calculate the duty cycles */
+ dty = prd * duty_ns;
+@@ -377,7 +377,7 @@ static int stm32_pwm_config(struct stm32_pwm *priv, int ch,
+ else
+ regmap_update_bits(priv->regmap, TIM_CCMR2, mask, ccmr);
+
+- regmap_update_bits(priv->regmap, TIM_BDTR, TIM_BDTR_MOE, TIM_BDTR_MOE);
++ regmap_set_bits(priv->regmap, TIM_BDTR, TIM_BDTR_MOE);
+
+ return 0;
+ }
+@@ -411,13 +411,13 @@ static int stm32_pwm_enable(struct stm32_pwm *priv, int ch)
+ if (priv->have_complementary_output)
+ mask |= TIM_CCER_CC1NE << (ch * 4);
+
+- regmap_update_bits(priv->regmap, TIM_CCER, mask, mask);
++ regmap_set_bits(priv->regmap, TIM_CCER, mask);
+
+ /* Make sure that registers are updated */
+- regmap_update_bits(priv->regmap, TIM_EGR, TIM_EGR_UG, TIM_EGR_UG);
++ regmap_set_bits(priv->regmap, TIM_EGR, TIM_EGR_UG);
+
+ /* Enable controller */
+- regmap_update_bits(priv->regmap, TIM_CR1, TIM_CR1_CEN, TIM_CR1_CEN);
++ regmap_set_bits(priv->regmap, TIM_CR1, TIM_CR1_CEN);
+
+ return 0;
+ }
+@@ -431,11 +431,11 @@ static void stm32_pwm_disable(struct stm32_pwm *priv, int ch)
+ if (priv->have_complementary_output)
+ mask |= TIM_CCER_CC1NE << (ch * 4);
+
+- regmap_update_bits(priv->regmap, TIM_CCER, mask, 0);
++ regmap_clear_bits(priv->regmap, TIM_CCER, mask);
+
+ /* When all channels are disabled, we can disable the controller */
+ if (!active_channels(priv))
+- regmap_update_bits(priv->regmap, TIM_CR1, TIM_CR1_CEN, 0);
++ regmap_clear_bits(priv->regmap, TIM_CR1, TIM_CR1_CEN);
+
+ clk_disable(priv->clk);
+ }
+@@ -568,10 +568,9 @@ static void stm32_pwm_detect_complementary(struct stm32_pwm *priv)
+ * If complementary bit doesn't exist writing 1 will have no
+ * effect so we can detect it.
+ */
+- regmap_update_bits(priv->regmap,
+- TIM_CCER, TIM_CCER_CC1NE, TIM_CCER_CC1NE);
++ regmap_set_bits(priv->regmap, TIM_CCER, TIM_CCER_CC1NE);
+ regmap_read(priv->regmap, TIM_CCER, &ccer);
+- regmap_update_bits(priv->regmap, TIM_CCER, TIM_CCER_CC1NE, 0);
++ regmap_clear_bits(priv->regmap, TIM_CCER, TIM_CCER_CC1NE);
+
+ priv->have_complementary_output = (ccer != 0);
+ }
+@@ -585,10 +584,9 @@ static int stm32_pwm_detect_channels(struct stm32_pwm *priv)
+ * If channels enable bits don't exist writing 1 will have no
+ * effect so we can detect and count them.
+ */
+- regmap_update_bits(priv->regmap,
+- TIM_CCER, TIM_CCER_CCXE, TIM_CCER_CCXE);
++ regmap_set_bits(priv->regmap, TIM_CCER, TIM_CCER_CCXE);
+ regmap_read(priv->regmap, TIM_CCER, &ccer);
+- regmap_update_bits(priv->regmap, TIM_CCER, TIM_CCER_CCXE, 0);
++ regmap_clear_bits(priv->regmap, TIM_CCER, TIM_CCER_CCXE);
+
+ if (ccer & TIM_CCER_CC1E)
+ npwm++;
+--
+2.43.0
+
--- /dev/null
+From 7a28fd18ef02bc626536fc8a5d34e7fd479f39f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jun 2021 18:05:51 +0200
+Subject: rcu: Create an unrcu_pointer() to remove __rcu from a pointer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paul E. McKenney <paulmck@kernel.org>
+
+[ Upstream commit 76c8eaafe4f061f3790112842a2fbb297e4bea88 ]
+
+The xchg() and cmpxchg() functions are sometimes used to carry out RCU
+updates. Unfortunately, this can result in sparse warnings for both
+the old-value and new-value arguments, as well as for the return value.
+The arguments can be dealt with using RCU_INITIALIZER():
+
+ old_p = xchg(&p, RCU_INITIALIZER(new_p));
+
+But a sparse warning still remains due to assigning the __rcu pointer
+returned from xchg to the (most likely) non-__rcu pointer old_p.
+
+This commit therefore provides an unrcu_pointer() macro that strips
+the __rcu. This macro can be used as follows:
+
+ old_p = unrcu_pointer(xchg(&p, RCU_INITIALIZER(new_p)));
+
+Reported-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Stable-dep-of: 5f35a624c1e3 ("drm/nouveau/fence:: fix warning directly dereferencing a rcu pointer")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/rcupdate.h | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/include/linux/rcupdate.h b/include/linux/rcupdate.h
+index ef8d56b18da6..8716a1706351 100644
+--- a/include/linux/rcupdate.h
++++ b/include/linux/rcupdate.h
+@@ -366,6 +366,20 @@ static inline void rcu_preempt_sleep_check(void) { }
+ #define rcu_check_sparse(p, space)
+ #endif /* #else #ifdef __CHECKER__ */
+
++/**
++ * unrcu_pointer - mark a pointer as not being RCU protected
++ * @p: pointer needing to lose its __rcu property
++ *
++ * Converts @p from an __rcu pointer to a __kernel pointer.
++ * This allows an __rcu pointer to be used with xchg() and friends.
++ */
++#define unrcu_pointer(p) \
++({ \
++ typeof(*p) *_________p1 = (typeof(*p) *__force)(p); \
++ rcu_check_sparse(p, __rcu); \
++ ((typeof(*p) __force __kernel *)(_________p1)); \
++})
++
+ #define __rcu_access_pointer(p, space) \
+ ({ \
+ typeof(*p) *_________p1 = (typeof(*p) *__force)READ_ONCE(p); \
+--
+2.43.0
+
--- /dev/null
+From 79e7f3097ef66e1375cc6d9b7101d5be79d22ae9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Nov 2023 11:28:02 +0200
+Subject: RDMA/usnic: Silence uninitialized symbol smatch warnings
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit b9a85e5eec126d6ae6c362f94b447c223e8fe6e4 ]
+
+The patch 1da177e4c3f4: "Linux-2.6.12-rc2" from Apr 16, 2005
+(linux-next), leads to the following Smatch static checker warning:
+
+ drivers/infiniband/hw/mthca/mthca_cmd.c:644 mthca_SYS_EN()
+ error: uninitialized symbol 'out'.
+
+drivers/infiniband/hw/mthca/mthca_cmd.c
+ 636 int mthca_SYS_EN(struct mthca_dev *dev)
+ 637 {
+ 638 u64 out;
+ 639 int ret;
+ 640
+ 641 ret = mthca_cmd_imm(dev, 0, &out, 0, 0, CMD_SYS_EN, CMD_TIME_CLASS_D);
+
+We pass out here and it gets used without being initialized.
+
+ err = mthca_cmd_post(dev, in_param,
+ out_param ? *out_param : 0,
+ ^^^^^^^^^^
+ in_modifier, op_modifier,
+ op, context->token, 1);
+
+It's the same in mthca_cmd_wait() and mthca_cmd_poll().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/all/533bc3df-8078-4397-b93d-d1f6cec9b636@moroto.mountain
+Link: https://lore.kernel.org/r/c559cb7113158c02d75401ac162652072ef1b5f0.1699867650.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mthca/mthca_cmd.c | 4 ++--
+ drivers/infiniband/hw/mthca/mthca_main.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mthca/mthca_cmd.c b/drivers/infiniband/hw/mthca/mthca_cmd.c
+index bdf5ed38de22..0307c45aa6d3 100644
+--- a/drivers/infiniband/hw/mthca/mthca_cmd.c
++++ b/drivers/infiniband/hw/mthca/mthca_cmd.c
+@@ -635,7 +635,7 @@ void mthca_free_mailbox(struct mthca_dev *dev, struct mthca_mailbox *mailbox)
+
+ int mthca_SYS_EN(struct mthca_dev *dev)
+ {
+- u64 out;
++ u64 out = 0;
+ int ret;
+
+ ret = mthca_cmd_imm(dev, 0, &out, 0, 0, CMD_SYS_EN, CMD_TIME_CLASS_D);
+@@ -1955,7 +1955,7 @@ int mthca_WRITE_MGM(struct mthca_dev *dev, int index,
+ int mthca_MGID_HASH(struct mthca_dev *dev, struct mthca_mailbox *mailbox,
+ u16 *hash)
+ {
+- u64 imm;
++ u64 imm = 0;
+ int err;
+
+ err = mthca_cmd_imm(dev, mailbox->dma, &imm, 0, 0, CMD_MGID_HASH,
+diff --git a/drivers/infiniband/hw/mthca/mthca_main.c b/drivers/infiniband/hw/mthca/mthca_main.c
+index fe9654a7af71..3acd1372c814 100644
+--- a/drivers/infiniband/hw/mthca/mthca_main.c
++++ b/drivers/infiniband/hw/mthca/mthca_main.c
+@@ -382,7 +382,7 @@ static int mthca_init_icm(struct mthca_dev *mdev,
+ struct mthca_init_hca_param *init_hca,
+ u64 icm_size)
+ {
+- u64 aux_pages;
++ u64 aux_pages = 0;
+ int err;
+
+ err = mthca_SET_ICM_SIZE(mdev, icm_size, &aux_pages);
+--
+2.43.0
+
--- /dev/null
+From 9764a6e2e7a1bf627c845eb52b3a620369182525 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Oct 2020 14:29:04 +0200
+Subject: Revert "gfs2: Don't reject a supposedly full bitmap if we have blocks
+ reserved"
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit 2fdc2fa21bc72ec06c0c9f0e30b88fe1f2486b75 ]
+
+This reverts commit e79e0e1428188b24c3b57309ffa54a33c4ae40c4.
+
+It turns out that we're only setting the GBF_FULL flag of a bitmap if we've
+been scanning from the beginning of the bitmap until the end and we haven't
+found a single free block, and we're not skipping reservations in that process,
+either. This means that in gfs2_rbm_find, we can always skip bitmaps with the
+GBF_FULL flag set.
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Stable-dep-of: 8877243beafa ("gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/rgrp.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c
+index c5bde789a16d..e05c01d5b9e6 100644
+--- a/fs/gfs2/rgrp.c
++++ b/fs/gfs2/rgrp.c
+@@ -1717,8 +1717,7 @@ static int gfs2_rbm_find(struct gfs2_rbm *rbm, u8 state, u32 *minext,
+
+ while(1) {
+ bi = rbm_bi(rbm);
+- if ((ip == NULL || !gfs2_rs_active(&ip->i_res)) &&
+- test_bit(GBF_FULL, &bi->bi_flags) &&
++ if (test_bit(GBF_FULL, &bi->bi_flags) &&
+ (state == GFS2_BLKST_FREE))
+ goto next_bitmap;
+
+--
+2.43.0
+
--- /dev/null
+From 2529ae5bd398c6f55a6ce183a4e677a2004103e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Aug 2021 15:49:48 +0100
+Subject: rtlwifi: rtl8192de: make arrays static const, makes object smaller
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit b05897ca8c821a16ac03850c4704fe460b3f21a0 ]
+
+Don't populate arrays the stack but instead make them static const. Replace
+array channel_info with channel_all since it contains the same data as
+channel_all. Makes object code smaller by 961 bytes.
+
+Before:
+ text data bss dec hex filename
+ 128147 44250 1024 173421 2a56d ../realtek/rtlwifi/rtl8192de/phy.o
+
+After
+ text data bss dec hex filename
+ 127122 44314 1024 172460 2a1ac ../realtek/rtlwifi/rtl8192de/phy.o
+
+(gcc version 10.2.0)
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210803144949.79433-2-colin.king@canonical.com
+Stable-dep-of: b8b2baad2e65 ("wifi: rtlwifi: rtl8192de: using calculate_bit_shift()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../wireless/realtek/rtlwifi/rtl8192de/phy.c | 48 ++++++++-----------
+ 1 file changed, 20 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c
+index d3027f8fbd38..f0692d67b300 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c
+@@ -160,6 +160,15 @@ static u32 targetchnl_2g[TARGET_CHNL_NUM_2G] = {
+ 25711, 25658, 25606, 25554, 25502, 25451, 25328
+ };
+
++static const u8 channel_all[59] = {
++ 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
++ 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58,
++ 60, 62, 64, 100, 102, 104, 106, 108, 110, 112,
++ 114, 116, 118, 120, 122, 124, 126, 128, 130,
++ 132, 134, 136, 138, 140, 149, 151, 153, 155,
++ 157, 159, 161, 163, 165
++};
++
+ static u32 _rtl92d_phy_calculate_bit_shift(u32 bitmask)
+ {
+ u32 i = ffs(bitmask);
+@@ -1354,14 +1363,6 @@ static void _rtl92d_phy_switch_rf_setting(struct ieee80211_hw *hw, u8 channel)
+
+ u8 rtl92d_get_rightchnlplace_for_iqk(u8 chnl)
+ {
+- u8 channel_all[59] = {
+- 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
+- 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58,
+- 60, 62, 64, 100, 102, 104, 106, 108, 110, 112,
+- 114, 116, 118, 120, 122, 124, 126, 128, 130,
+- 132, 134, 136, 138, 140, 149, 151, 153, 155,
+- 157, 159, 161, 163, 165
+- };
+ u8 place = chnl;
+
+ if (chnl > 14) {
+@@ -3216,37 +3217,28 @@ void rtl92d_phy_config_macphymode_info(struct ieee80211_hw *hw)
+ u8 rtl92d_get_chnlgroup_fromarray(u8 chnl)
+ {
+ u8 group;
+- u8 channel_info[59] = {
+- 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
+- 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56,
+- 58, 60, 62, 64, 100, 102, 104, 106, 108,
+- 110, 112, 114, 116, 118, 120, 122, 124,
+- 126, 128, 130, 132, 134, 136, 138, 140,
+- 149, 151, 153, 155, 157, 159, 161, 163,
+- 165
+- };
+
+- if (channel_info[chnl] <= 3)
++ if (channel_all[chnl] <= 3)
+ group = 0;
+- else if (channel_info[chnl] <= 9)
++ else if (channel_all[chnl] <= 9)
+ group = 1;
+- else if (channel_info[chnl] <= 14)
++ else if (channel_all[chnl] <= 14)
+ group = 2;
+- else if (channel_info[chnl] <= 44)
++ else if (channel_all[chnl] <= 44)
+ group = 3;
+- else if (channel_info[chnl] <= 54)
++ else if (channel_all[chnl] <= 54)
+ group = 4;
+- else if (channel_info[chnl] <= 64)
++ else if (channel_all[chnl] <= 64)
+ group = 5;
+- else if (channel_info[chnl] <= 112)
++ else if (channel_all[chnl] <= 112)
+ group = 6;
+- else if (channel_info[chnl] <= 126)
++ else if (channel_all[chnl] <= 126)
+ group = 7;
+- else if (channel_info[chnl] <= 140)
++ else if (channel_all[chnl] <= 140)
+ group = 8;
+- else if (channel_info[chnl] <= 153)
++ else if (channel_all[chnl] <= 153)
+ group = 9;
+- else if (channel_info[chnl] <= 159)
++ else if (channel_all[chnl] <= 159)
+ group = 10;
+ else
+ group = 11;
+--
+2.43.0
+
--- /dev/null
+From 6ec3277122e92030cd80cf23363487515121dbac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Nov 2023 14:10:08 +0300
+Subject: scsi: fnic: Return error if vmalloc() failed
+
+From: Artem Chernyshev <artem.chernyshev@red-soft.ru>
+
+[ Upstream commit f5f27a332a14f43463aa0075efa3a0c662c0f4a8 ]
+
+In fnic_init_module() exists redundant check for return value from
+fnic_debugfs_init(), because at moment it only can return zero. It make
+sense to process theoretical vmalloc() failure.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 9730ddfb123d ("scsi: fnic: remove redundant assignment of variable rc")
+Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
+Link: https://lore.kernel.org/r/20231128111008.2280507-1-artem.chernyshev@red-soft.ru
+Reviewed-by: Karan Tilak Kumar <kartilak@cisco.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/fnic/fnic_debugfs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/fnic/fnic_debugfs.c b/drivers/scsi/fnic/fnic_debugfs.c
+index 6c049360f136..56d52efc7314 100644
+--- a/drivers/scsi/fnic/fnic_debugfs.c
++++ b/drivers/scsi/fnic/fnic_debugfs.c
+@@ -67,9 +67,10 @@ int fnic_debugfs_init(void)
+ fc_trc_flag->fnic_trace = 2;
+ fc_trc_flag->fc_trace = 3;
+ fc_trc_flag->fc_clear = 4;
++ return 0;
+ }
+
+- return 0;
++ return -ENOMEM;
+ }
+
+ /*
+--
+2.43.0
+
--- /dev/null
+From 3a4757ea0480ee2cb36ece09b849047027cf43ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Dec 2023 11:45:13 +0800
+Subject: scsi: hisi_sas: Replace with standard error code return value
+
+From: Yihang Li <liyihang9@huawei.com>
+
+[ Upstream commit d34ee535705eb43885bc0f561c63046f697355ad ]
+
+In function hisi_sas_controller_prereset(), -ENOSYS (Function not
+implemented) should be returned if the driver does not support .soft_reset.
+Returns -EPERM (Operation not permitted) if HISI_SAS_RESETTING_BIT is
+already be set.
+
+In function _suspend_v3_hw(), returns -EPERM (Operation not permitted) if
+HISI_SAS_RESETTING_BIT is already be set.
+
+Fixes: 4522204ab218 ("scsi: hisi_sas: tidy host controller reset function a bit")
+Signed-off-by: Yihang Li <liyihang9@huawei.com>
+Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com>
+Link: https://lore.kernel.org/r/1702525516-51258-3-git-send-email-chenxiang66@hisilicon.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hisi_sas/hisi_sas_main.c | 4 ++--
+ drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
+index e5b9229310a0..8e5d23c6b8de 100644
+--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
+@@ -1584,10 +1584,10 @@ static int hisi_sas_controller_reset(struct hisi_hba *hisi_hba)
+ queue_work(hisi_hba->wq, &hisi_hba->debugfs_work);
+
+ if (!hisi_hba->hw->soft_reset)
+- return -1;
++ return -ENOENT;
+
+ if (test_and_set_bit(HISI_SAS_RESET_BIT, &hisi_hba->flags))
+- return -1;
++ return -EPERM;
+
+ dev_info(dev, "controller resetting...\n");
+ hisi_sas_controller_reset_prepare(hisi_hba);
+diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+index 0d21c64efa81..f03a09c9e865 100644
+--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+@@ -3479,7 +3479,7 @@ static int _suspend_v3_hw(struct device *device)
+ }
+
+ if (test_and_set_bit(HISI_SAS_RESET_BIT, &hisi_hba->flags))
+- return -1;
++ return -EPERM;
+
+ scsi_block_requests(shost);
+ set_bit(HISI_SAS_REJECT_CMD_BIT, &hisi_hba->flags);
+--
+2.43.0
+
--- /dev/null
+From 1a62c9148ca0af2dea67e71b768ec6e668d9d8a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Dec 2023 14:08:49 +0800
+Subject: selftests/net: fix grep checking for fib_nexthop_multiprefix
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit a33e9da3470499e9ff476138f271fb52d6bfe767 ]
+
+When running fib_nexthop_multiprefix test I saw all IPv6 test failed.
+e.g.
+
+ ]# ./fib_nexthop_multiprefix.sh
+ TEST: IPv4: host 0 to host 1, mtu 1300 [ OK ]
+ TEST: IPv6: host 0 to host 1, mtu 1300 [FAIL]
+
+ With -v it shows
+
+ COMMAND: ip netns exec h0 /usr/sbin/ping6 -s 1350 -c5 -w5 2001:db8:101::1
+ PING 2001:db8:101::1(2001:db8:101::1) 1350 data bytes
+ From 2001:db8:100::64 icmp_seq=1 Packet too big: mtu=1300
+
+ --- 2001:db8:101::1 ping statistics ---
+ 1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
+
+ Route get
+ 2001:db8:101::1 via 2001:db8:100::64 dev eth0 src 2001:db8:100::1 metric 1024 expires 599sec mtu 1300 pref medium
+ Searching for:
+ 2001:db8:101::1 from :: via 2001:db8:100::64 dev eth0 src 2001:db8:100::1 .* mtu 1300
+
+The reason is when CONFIG_IPV6_SUBTREES is not enabled, rt6_fill_node() will
+not put RTA_SRC info. After fix:
+
+]# ./fib_nexthop_multiprefix.sh
+TEST: IPv4: host 0 to host 1, mtu 1300 [ OK ]
+TEST: IPv6: host 0 to host 1, mtu 1300 [ OK ]
+
+Fixes: 735ab2f65dce ("selftests: Add test with multiple prefixes using single nexthop")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Link: https://lore.kernel.org/r/20231213060856.4030084-7-liuhangbin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/fib_nexthop_multiprefix.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/net/fib_nexthop_multiprefix.sh b/tools/testing/selftests/net/fib_nexthop_multiprefix.sh
+index 51df5e305855..b52d59547fc5 100755
+--- a/tools/testing/selftests/net/fib_nexthop_multiprefix.sh
++++ b/tools/testing/selftests/net/fib_nexthop_multiprefix.sh
+@@ -209,12 +209,12 @@ validate_v6_exception()
+ echo "Route get"
+ ip -netns h0 -6 ro get ${dst}
+ echo "Searching for:"
+- echo " ${dst} from :: via ${r1} dev eth0 src ${h0} .* mtu ${mtu}"
++ echo " ${dst}.* via ${r1} dev eth0 src ${h0} .* mtu ${mtu}"
+ echo
+ fi
+
+ ip -netns h0 -6 ro get ${dst} | \
+- grep -q "${dst} from :: via ${r1} dev eth0 src ${h0} .* mtu ${mtu}"
++ grep -q "${dst}.* via ${r1} dev eth0 src ${h0} .* mtu ${mtu}"
+ rc=$?
+
+ log_test $rc 0 "IPv6: host 0 to host ${i}, mtu ${mtu}"
+--
+2.43.0
+
--- /dev/null
+From 49751a392351789e314e55d619c3be3801221ad7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Nov 2023 00:27:44 +1100
+Subject: selftests/powerpc: Fix error handling in FPU/VMX preemption tests
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit 9dbd5927408c4a0707de73ae9dd9306b184e8fee ]
+
+The FPU & VMX preemption tests do not check for errors returned by the
+low-level asm routines, preempt_fpu() / preempt_vsx() respectively.
+That means any register corruption detected by the asm routines does not
+result in a test failure.
+
+Fix it by returning the return value of the asm routines from the
+pthread child routines.
+
+Fixes: e5ab8be68e44 ("selftests/powerpc: Test preservation of FPU and VMX regs across preemption")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20231128132748.1990179-1-mpe@ellerman.id.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/powerpc/math/fpu_preempt.c | 9 +++++----
+ tools/testing/selftests/powerpc/math/vmx_preempt.c | 10 ++++++----
+ 2 files changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/tools/testing/selftests/powerpc/math/fpu_preempt.c b/tools/testing/selftests/powerpc/math/fpu_preempt.c
+index 5235bdc8c0b1..3e5b5663d244 100644
+--- a/tools/testing/selftests/powerpc/math/fpu_preempt.c
++++ b/tools/testing/selftests/powerpc/math/fpu_preempt.c
+@@ -37,19 +37,20 @@ __thread double darray[] = {0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 1.0,
+ int threads_starting;
+ int running;
+
+-extern void preempt_fpu(double *darray, int *threads_starting, int *running);
++extern int preempt_fpu(double *darray, int *threads_starting, int *running);
+
+ void *preempt_fpu_c(void *p)
+ {
++ long rc;
+ int i;
++
+ srand(pthread_self());
+ for (i = 0; i < 21; i++)
+ darray[i] = rand();
+
+- /* Test failed if it ever returns */
+- preempt_fpu(darray, &threads_starting, &running);
++ rc = preempt_fpu(darray, &threads_starting, &running);
+
+- return p;
++ return (void *)rc;
+ }
+
+ int test_preempt_fpu(void)
+diff --git a/tools/testing/selftests/powerpc/math/vmx_preempt.c b/tools/testing/selftests/powerpc/math/vmx_preempt.c
+index 6761d6ce30ec..6f7cf400c687 100644
+--- a/tools/testing/selftests/powerpc/math/vmx_preempt.c
++++ b/tools/testing/selftests/powerpc/math/vmx_preempt.c
+@@ -37,19 +37,21 @@ __thread vector int varray[] = {{1, 2, 3, 4}, {5, 6, 7, 8}, {9, 10,11,12},
+ int threads_starting;
+ int running;
+
+-extern void preempt_vmx(vector int *varray, int *threads_starting, int *running);
++extern int preempt_vmx(vector int *varray, int *threads_starting, int *running);
+
+ void *preempt_vmx_c(void *p)
+ {
+ int i, j;
++ long rc;
++
+ srand(pthread_self());
+ for (i = 0; i < 12; i++)
+ for (j = 0; j < 4; j++)
+ varray[i][j] = rand();
+
+- /* Test fails if it ever returns */
+- preempt_vmx(varray, &threads_starting, &running);
+- return p;
++ rc = preempt_vmx(varray, &threads_starting, &running);
++
++ return (void *)rc;
+ }
+
+ int test_preempt_vmx(void)
+--
+2.43.0
+
--- /dev/null
+From deb27feb3834f04c8137162c5ac728075042402f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jan 2024 17:34:15 +0100
+Subject: selinux: Fix error priority for bind with AF_UNSPEC on PF_INET6
+ socket
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mickaël Salaün <mic@digikod.net>
+
+[ Upstream commit bbf5a1d0e5d0fb3bdf90205aa872636122692a50 ]
+
+The IPv6 network stack first checks the sockaddr length (-EINVAL error)
+before checking the family (-EAFNOSUPPORT error).
+
+This was discovered thanks to commit a549d055a22e ("selftests/landlock:
+Add network tests").
+
+Cc: Eric Paris <eparis@parisplace.org>
+Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
+Cc: Paul Moore <paul@paul-moore.com>
+Cc: Stephen Smalley <stephen.smalley.work@gmail.com>
+Reported-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Closes: https://lore.kernel.org/r/0584f91c-537c-4188-9e4f-04f192565667@collabora.com
+Fixes: 0f8db8cc73df ("selinux: add AF_UNSPEC and INADDR_ANY checks to selinux_socket_bind()")
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Tested-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/selinux/hooks.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index ee37ce2e2619..f545321d96dc 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -4620,6 +4620,13 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
+ return -EINVAL;
+ addr4 = (struct sockaddr_in *)address;
+ if (family_sa == AF_UNSPEC) {
++ if (family == PF_INET6) {
++ /* Length check from inet6_bind_sk() */
++ if (addrlen < SIN6_LEN_RFC2133)
++ return -EINVAL;
++ /* Family check from __inet6_bind() */
++ goto err_af;
++ }
+ /* see __inet_bind(), we only want to allow
+ * AF_UNSPEC if the address is INADDR_ANY
+ */
+--
+2.43.0
+
parport-parport_serial-add-brainboxes-device-ids-and-geometry.patch
pci-add-acs-quirk-for-more-zhaoxin-root-ports.patch
coresight-etm4x-fix-width-of-ccitmin-field.patch
+x86-lib-fix-overflow-when-counting-digits.patch
+edac-thunderx-fix-possible-out-of-bounds-string-acce.patch
+powerpc-add-crtsavres.o-to-always-y-instead-of-extra.patch
+powerpc-remove-in_kernel_text.patch
+powerpc-44x-select-i2c-for-currituck.patch
+powerpc-pseries-memhotplug-quieten-some-dlpar-operat.patch
+powerpc-pseries-memhp-fix-access-beyond-end-of-drmem.patch
+selftests-powerpc-fix-error-handling-in-fpu-vmx-pree.patch
+powerpc-powernv-add-a-null-pointer-check-to-scom_deb.patch
+powerpc-powernv-add-a-null-pointer-check-in-opal_eve.patch
+powerpc-powernv-add-a-null-pointer-check-in-opal_pow.patch
+powerpc-imc-pmu-add-a-null-pointer-check-in-update_e.patch
+spi-spi-zynqmp-gqspi-fix-driver-kconfig-dependencies.patch
+mtd-rawnand-increment-ifc_timeout_msecs-for-nand-con.patch
+acpi-video-check-for-error-while-searching-for-backl.patch
+acpi-lpit-avoid-u32-multiplication-overflow.patch
+of-property-define-of_property_read_u-8-16-32-64-_ar.patch
+of-add-of_property_present-helper.patch
+cpufreq-use-of_property_present-for-testing-dt-prope.patch
+cpufreq-scmi-process-the-result-of-devm_of_clk_add_h.patch
+net-netlabel-fix-kerneldoc-warnings.patch
+netlabel-remove-unused-parameter-in-netlbl_netlink_a.patch
+calipso-fix-memory-leak-in-netlbl_calipso_add_pass.patch
+efivarfs-force-ro-when-remounting-if-setvariable-is-.patch
+spi-sh-msiof-enforce-fixed-dtdl-for-r-car-h3.patch
+acpi-extlog-clear-extended-error-log-status-when-ras.patch
+mtd-fix-gluebi-null-pointer-dereference-caused-by-ft.patch
+selinux-fix-error-priority-for-bind-with-af_unspec-o.patch
+virtio_crypto-introduce-virtio_crypto_nospc.patch
+virtio-crypto-introduce-akcipher-service.patch
+virtio-crypto-implement-rsa-algorithm.patch
+virtio-crypto-change-code-style.patch
+virtio-crypto-use-private-buffer-for-control-request.patch
+virtio-crypto-wait-ctrl-queue-instead-of-busy-pollin.patch
+crypto-virtio-handle-dataq-logic-with-tasklet.patch
+crypto-sa2ul-return-crypto_aead_setkey-to-transfer-t.patch
+crypto-ccp-fix-memleak-in-ccp_init_dm_workarea.patch
+crypto-af_alg-disallow-multiple-in-flight-aio-reques.patch
+crypto-sahara-remove-flags_new_key-logic.patch
+crypto-sahara-fix-cbc-selftest-failure.patch
+crypto-sahara-fix-ahash-selftest-failure.patch
+crypto-sahara-fix-processing-requests-with-cryptlen-.patch
+crypto-sahara-fix-error-handling-in-sahara_hw_descri.patch
+pstore-ram_core-fix-possible-overflow-in-persistent_.patch
+fs-indicate-request-originates-from-old-mount-api.patch
+revert-gfs2-don-t-reject-a-supposedly-full-bitmap-if.patch
+gfs2-also-reflect-single-block-allocations-in-rgd-rd.patch
+gfs2-fix-kernel-null-pointer-dereference-in-gfs2_rgr.patch
+crypto-virtio-wait-for-tasklet-to-complete-on-device.patch
+crypto-sahara-avoid-skcipher-fallback-code-duplicati.patch
+crypto-sahara-handle-zero-length-aes-requests.patch
+crypto-sahara-fix-ahash-reqsize.patch
+crypto-sahara-fix-wait_for_completion_timeout-error-.patch
+crypto-sahara-improve-error-handling-in-sahara_sha_p.patch
+crypto-sahara-fix-processing-hash-requests-with-req-.patch
+crypto-sahara-do-not-resize-req-src-when-doing-hash-.patch
+crypto-scomp-fix-req-dst-buffer-overflow.patch
+blocklayoutdriver-fix-reference-leak-of-pnfs_device_.patch
+nfsv4.1-pnfs-ensure-we-handle-the-error-nfs4err_retu.patch
+wifi-rtw88-fix-rx-filter-in-fif_allmulti-flag.patch
+bpf-lpm-fix-check-prefixlen-before-walking-trie.patch
+bpf-add-crosstask-check-to-__bpf_get_stack.patch
+wifi-ath11k-defer-on-rproc_get-failure.patch
+wifi-libertas-stop-selecting-wext.patch
+arm-dts-qcom-apq8064-correct-xoadc-register-address.patch
+ncsi-internal.h-fix-a-spello.patch
+net-ncsi-fix-netlink-major-minor-version-numbers.patch
+firmware-ti_sci-fix-an-off-by-one-in-ti_sci_debugfs_.patch
+firmware-meson_sm-populate-platform-devices-from-sm-.patch
+wifi-rtlwifi-rtl8821ae-phy-fix-an-undefined-bitwise-.patch
+arm64-dts-ti-k3-am65-main-fix-dss-irq-trigger-type.patch
+bpf-fix-check-for-attempt-to-corrupt-spilled-pointer.patch
+scsi-fnic-return-error-if-vmalloc-failed.patch
+arm64-dts-qcom-qrb5165-rb5-correct-led-panic-indicat.patch
+arm64-dts-qcom-sdm845-db845c-correct-led-panic-indic.patch
+bpf-fix-verification-of-indirect-var-off-stack-acces.patch
+scsi-hisi_sas-replace-with-standard-error-code-retur.patch
+selftests-net-fix-grep-checking-for-fib_nexthop_mult.patch
+virtio-vsock-fix-logic-which-reduces-credit-update-m.patch
+dma-mapping-add-dma_release_coherent_memory-to-dma-a.patch
+dma-mapping-clear-dev-dma_mem-to-null-after-freeing-.patch
+wifi-rtlwifi-add-calculate_bit_shift.patch
+wifi-rtlwifi-rtl8188ee-phy-using-calculate_bit_shift.patch
+wifi-rtlwifi-rtl8192c-using-calculate_bit_shift.patch
+wifi-rtlwifi-rtl8192cu-using-calculate_bit_shift.patch
+wifi-rtlwifi-rtl8192ce-using-calculate_bit_shift.patch
+rtlwifi-rtl8192de-make-arrays-static-const-makes-obj.patch
+wifi-rtlwifi-rtl8192de-using-calculate_bit_shift.patch
+wifi-rtlwifi-rtl8192ee-using-calculate_bit_shift.patch
+wifi-rtlwifi-rtl8192se-using-calculate_bit_shift.patch
+netfilter-nf_tables-mark-newset-as-dead-on-transacti.patch
+bluetooth-fix-bogus-check-for-re-auth-no-supported-w.patch
+bluetooth-btmtkuart-fix-recv_buf-return-value.patch
+ip6_tunnel-fix-nexthdr_fragment-handling-in-ip6_tnl_.patch
+arm-davinci-always-select-config_cpu_arm926t.patch
+rdma-usnic-silence-uninitialized-symbol-smatch-warni.patch
+drm-panel-elida-kd35t133-hold-panel-in-reset-for-unp.patch
+rcu-create-an-unrcu_pointer-to-remove-__rcu-from-a-p.patch
+drm-nouveau-fence-fix-warning-directly-dereferencing.patch
+drm-bridge-tpd12s015-drop-buggy-__exit-annotation-fo.patch
+media-pvrusb2-fix-use-after-free-on-context-disconne.patch
+drm-bridge-fix-typo-in-post_disable-description.patch
+f2fs-fix-to-avoid-dirent-corruption.patch
+drm-radeon-r600_cs-fix-possible-int-overflows-in-r60.patch
+drm-radeon-r100-fix-integer-overflow-issues-in-r100_.patch
+drm-radeon-check-return-value-of-radeon_ring_lock.patch
+asoc-cs35l33-fix-gpio-name-and-drop-legacy-include.patch
+asoc-cs35l34-fix-gpio-name-and-drop-legacy-include.patch
+drm-msm-mdp4-flush-vblank-event-on-disable.patch
+drm-msm-dsi-use-pm_runtime_resume_and_get-to-prevent.patch
+drm-drv-propagate-errors-from-drm_modeset_register_a.patch
+drm-radeon-check-the-alloc_workqueue-return-value-in.patch
+drm-radeon-dpm-fix-a-memleak-in-sumo_parse_power_tab.patch
+drm-radeon-trinity_dpm-fix-a-memleak-in-trinity_pars.patch
+drm-bridge-tc358767-fix-return-value-on-error-case.patch
+media-cx231xx-fix-a-memleak-in-cx231xx_init_isoc.patch
+clk-qcom-gpucc-sm8150-update-the-gpu_cc_pll1-config.patch
+media-rkisp1-disable-runtime-pm-in-probe-error-path.patch
+media-rkisp1-fix-media-device-memory-leak.patch
+f2fs-fix-to-check-compress-file-in-f2fs_move_file_ra.patch
+f2fs-fix-to-update-iostat-correctly-in-f2fs_filemap_.patch
+media-dvbdev-drop-refcount-on-error-path-in-dvb_devi.patch
+media-dvb-frontends-m88ds3103-fix-a-memory-leak-in-a.patch
+drm-amdgpu-debugfs-fix-error-code-when-smc-register-.patch
+drm-amd-pm-fix-a-double-free-in-si_dpm_init.patch
+drivers-amd-pm-fix-a-use-after-free-in-kv_parse_powe.patch
+gpu-drm-radeon-fix-two-memleaks-in-radeon_vm_init.patch
+dt-bindings-clock-update-the-videocc-resets-for-sm81.patch
+clk-qcom-videocc-sm8150-update-the-videocc-resets.patch
+clk-qcom-videocc-sm8150-add-missing-pll-config-prope.patch
+drivers-clk-zynqmp-calculate-closest-mux-rate.patch
+clk-zynqmp-make-bestdiv-unsigned.patch
+clk-zynqmp-add-a-check-for-null-pointer.patch
+drivers-clk-zynqmp-update-divider-round-rate-logic.patch
+watchdog-set-cdev-owner-before-adding.patch
+watchdog-hpwdt-only-claim-unknown-nmi-if-from-ilo.patch
+watchdog-bcm2835_wdt-fix-wdioc_settimeout-handling.patch
+watchdog-rti_wdt-drop-runtime-pm-reference-count-whe.patch
+clk-si5341-fix-an-error-code-problem-in-si5341_outpu.patch
+clk-fixed-rate-add-devm_clk_hw_register_fixed_rate.patch
+clk-fixed-rate-fix-clk_hw_register_fixed_rate_with_a.patch
+pwm-stm32-use-regmap_clear_bits-and-regmap_set_bits-.patch
+pwm-stm32-use-hweight32-in-stm32_pwm_detect_channels.patch
+pwm-stm32-fix-enable-count-for-clk-in-.probe.patch
+mmc-sdhci_am654-fix-ti-soc-dependencies.patch
+mmc-sdhci_omap-fix-ti-soc-dependencies.patch
+ib-iser-prevent-invalidating-wrong-mr.patch
+of-fix-double-free-in-of_parse_phandle_with_args_map.patch
+of-unittest-fix-of_count_phandle_with_args-expected-.patch
--- /dev/null
+From a3eaa3f2331afcee84c94dfb9542964a4b6d7228 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Dec 2023 09:12:38 +0100
+Subject: spi: sh-msiof: Enforce fixed DTDL for R-Car H3
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit e5c7bcb499840551cfbe85c6df177ebc50432bf0 ]
+
+Documentation says only DTDL of 200 is allowed for this SoC.
+
+Fixes: 4286db8456f4 ("spi: sh-msiof: Add R-Car Gen 2 and 3 fallback bindings")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Link: https://msgid.link/r/20231212081239.14254-1-wsa+renesas@sang-engineering.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-sh-msiof.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/drivers/spi/spi-sh-msiof.c b/drivers/spi/spi-sh-msiof.c
+index b2579af0e3eb..35d30378256f 100644
+--- a/drivers/spi/spi-sh-msiof.c
++++ b/drivers/spi/spi-sh-msiof.c
+@@ -30,12 +30,15 @@
+
+ #include <asm/unaligned.h>
+
++#define SH_MSIOF_FLAG_FIXED_DTDL_200 BIT(0)
++
+ struct sh_msiof_chipdata {
+ u32 bits_per_word_mask;
+ u16 tx_fifo_size;
+ u16 rx_fifo_size;
+ u16 ctlr_flags;
+ u16 min_div_pow;
++ u32 flags;
+ };
+
+ struct sh_msiof_spi_priv {
+@@ -1069,6 +1072,16 @@ static const struct sh_msiof_chipdata rcar_gen3_data = {
+ .min_div_pow = 1,
+ };
+
++static const struct sh_msiof_chipdata rcar_r8a7795_data = {
++ .bits_per_word_mask = SPI_BPW_MASK(8) | SPI_BPW_MASK(16) |
++ SPI_BPW_MASK(24) | SPI_BPW_MASK(32),
++ .tx_fifo_size = 64,
++ .rx_fifo_size = 64,
++ .ctlr_flags = SPI_CONTROLLER_MUST_TX,
++ .min_div_pow = 1,
++ .flags = SH_MSIOF_FLAG_FIXED_DTDL_200,
++};
++
+ static const struct of_device_id sh_msiof_match[] = {
+ { .compatible = "renesas,sh-mobile-msiof", .data = &sh_data },
+ { .compatible = "renesas,msiof-r8a7743", .data = &rcar_gen2_data },
+@@ -1079,6 +1092,7 @@ static const struct of_device_id sh_msiof_match[] = {
+ { .compatible = "renesas,msiof-r8a7793", .data = &rcar_gen2_data },
+ { .compatible = "renesas,msiof-r8a7794", .data = &rcar_gen2_data },
+ { .compatible = "renesas,rcar-gen2-msiof", .data = &rcar_gen2_data },
++ { .compatible = "renesas,msiof-r8a7795", .data = &rcar_r8a7795_data },
+ { .compatible = "renesas,msiof-r8a7796", .data = &rcar_gen3_data },
+ { .compatible = "renesas,rcar-gen3-msiof", .data = &rcar_gen3_data },
+ { .compatible = "renesas,sh-msiof", .data = &sh_data }, /* Deprecated */
+@@ -1274,6 +1288,9 @@ static int sh_msiof_spi_probe(struct platform_device *pdev)
+ return -ENXIO;
+ }
+
++ if (chipdata->flags & SH_MSIOF_FLAG_FIXED_DTDL_200)
++ info->dtdl = 200;
++
+ if (info->mode == MSIOF_SPI_SLAVE)
+ ctlr = spi_alloc_slave(&pdev->dev,
+ sizeof(struct sh_msiof_spi_priv));
+--
+2.43.0
+
--- /dev/null
+From 6b5cc1bd4fdf1878cd2354cef3ef0d37570cf2e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Nov 2023 20:23:55 +0530
+Subject: spi: spi-zynqmp-gqspi: fix driver kconfig dependencies
+
+From: Amit Kumar Mahapatra <amit.kumar-mahapatra@amd.com>
+
+[ Upstream commit 424a8166764e462258fdccaaefbdeb07517c8b21 ]
+
+ZynqMP GQSPI driver no longer uses spi-master framework. It had been
+converted to use spi-mem framework. So remove driver dependency from
+spi-master and replace it with spi-mem.
+
+Fixes: 1c26372e5aa9 ("spi: spi-zynqmp-gqspi: Update driver to use spi-mem framework")
+Signed-off-by: Amit Kumar Mahapatra <amit.kumar-mahapatra@amd.com>
+Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
+Link: https://lore.kernel.org/r/1699282435-884917-1-git-send-email-radhey.shyam.pandey@amd.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/Kconfig | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/Kconfig b/drivers/spi/Kconfig
+index 5fd9b515f6f1..74ea6b6b5f74 100644
+--- a/drivers/spi/Kconfig
++++ b/drivers/spi/Kconfig
+@@ -957,9 +957,10 @@ config SPI_ZYNQ_QSPI
+
+ config SPI_ZYNQMP_GQSPI
+ tristate "Xilinx ZynqMP GQSPI controller"
+- depends on (SPI_MASTER && HAS_DMA) || COMPILE_TEST
++ depends on (SPI_MEM && HAS_DMA) || COMPILE_TEST
+ help
+ Enables Xilinx GQSPI controller driver for Zynq UltraScale+ MPSoC.
++ This controller only supports SPI memory interface.
+
+ config SPI_AMD
+ tristate "AMD SPI controller"
+--
+2.43.0
+
--- /dev/null
+From 9e5afd75565d61c475ca535e1effd694d3016f9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 May 2022 21:16:23 +0800
+Subject: virtio-crypto: change code style
+
+From: zhenwei pi <pizhenwei@bytedance.com>
+
+[ Upstream commit 6fd763d155860eb7ea3a93c8b3bf926940ffa3fb ]
+
+Use temporary variable to make code easy to read and maintain.
+ /* Pad cipher's parameters */
+ vcrypto->ctrl.u.sym_create_session.op_type =
+ cpu_to_le32(VIRTIO_CRYPTO_SYM_OP_CIPHER);
+ vcrypto->ctrl.u.sym_create_session.u.cipher.para.algo =
+ vcrypto->ctrl.header.algo;
+ vcrypto->ctrl.u.sym_create_session.u.cipher.para.keylen =
+ cpu_to_le32(keylen);
+ vcrypto->ctrl.u.sym_create_session.u.cipher.para.op =
+ cpu_to_le32(op);
+-->
+ sym_create_session = &ctrl->u.sym_create_session;
+ sym_create_session->op_type = cpu_to_le32(VIRTIO_CRYPTO_SYM_OP_CIPHER);
+ sym_create_session->u.cipher.para.algo = ctrl->header.algo;
+ sym_create_session->u.cipher.para.keylen = cpu_to_le32(keylen);
+ sym_create_session->u.cipher.para.op = cpu_to_le32(op);
+
+The new style shows more obviously:
+- the variable we want to operate.
+- an assignment statement in a single line.
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Cc: Gonglei <arei.gonglei@huawei.com>
+Reviewed-by: Gonglei <arei.gonglei@huawei.com>
+Signed-off-by: zhenwei pi <pizhenwei@bytedance.com>
+Message-Id: <20220506131627.180784-2-pizhenwei@bytedance.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Stable-dep-of: fed93fb62e05 ("crypto: virtio - Handle dataq logic with tasklet")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../virtio/virtio_crypto_akcipher_algs.c | 40 ++++++-----
+ drivers/crypto/virtio/virtio_crypto_algs.c | 72 +++++++++----------
+ 2 files changed, 59 insertions(+), 53 deletions(-)
+
+diff --git a/drivers/crypto/virtio/virtio_crypto_akcipher_algs.c b/drivers/crypto/virtio/virtio_crypto_akcipher_algs.c
+index f3ec9420215e..20901a263fc8 100644
+--- a/drivers/crypto/virtio/virtio_crypto_akcipher_algs.c
++++ b/drivers/crypto/virtio/virtio_crypto_akcipher_algs.c
+@@ -106,23 +106,27 @@ static int virtio_crypto_alg_akcipher_init_session(struct virtio_crypto_akcipher
+ unsigned int inlen;
+ int err;
+ unsigned int num_out = 0, num_in = 0;
++ struct virtio_crypto_op_ctrl_req *ctrl;
++ struct virtio_crypto_session_input *input;
+
+ pkey = kmemdup(key, keylen, GFP_ATOMIC);
+ if (!pkey)
+ return -ENOMEM;
+
+ spin_lock(&vcrypto->ctrl_lock);
+- memcpy(&vcrypto->ctrl.header, header, sizeof(vcrypto->ctrl.header));
+- memcpy(&vcrypto->ctrl.u, para, sizeof(vcrypto->ctrl.u));
+- vcrypto->input.status = cpu_to_le32(VIRTIO_CRYPTO_ERR);
++ ctrl = &vcrypto->ctrl;
++ memcpy(&ctrl->header, header, sizeof(ctrl->header));
++ memcpy(&ctrl->u, para, sizeof(ctrl->u));
++ input = &vcrypto->input;
++ input->status = cpu_to_le32(VIRTIO_CRYPTO_ERR);
+
+- sg_init_one(&outhdr_sg, &vcrypto->ctrl, sizeof(vcrypto->ctrl));
++ sg_init_one(&outhdr_sg, ctrl, sizeof(*ctrl));
+ sgs[num_out++] = &outhdr_sg;
+
+ sg_init_one(&key_sg, pkey, keylen);
+ sgs[num_out++] = &key_sg;
+
+- sg_init_one(&inhdr_sg, &vcrypto->input, sizeof(vcrypto->input));
++ sg_init_one(&inhdr_sg, input, sizeof(*input));
+ sgs[num_out + num_in++] = &inhdr_sg;
+
+ err = virtqueue_add_sgs(vcrypto->ctrl_vq, sgs, num_out, num_in, vcrypto, GFP_ATOMIC);
+@@ -134,12 +138,12 @@ static int virtio_crypto_alg_akcipher_init_session(struct virtio_crypto_akcipher
+ !virtqueue_is_broken(vcrypto->ctrl_vq))
+ cpu_relax();
+
+- if (le32_to_cpu(vcrypto->input.status) != VIRTIO_CRYPTO_OK) {
++ if (le32_to_cpu(input->status) != VIRTIO_CRYPTO_OK) {
+ err = -EINVAL;
+ goto out;
+ }
+
+- ctx->session_id = le64_to_cpu(vcrypto->input.session_id);
++ ctx->session_id = le64_to_cpu(input->session_id);
+ ctx->session_valid = true;
+ err = 0;
+
+@@ -149,7 +153,7 @@ static int virtio_crypto_alg_akcipher_init_session(struct virtio_crypto_akcipher
+
+ if (err < 0)
+ pr_err("virtio_crypto: Create session failed status: %u\n",
+- le32_to_cpu(vcrypto->input.status));
++ le32_to_cpu(input->status));
+
+ return err;
+ }
+@@ -161,23 +165,27 @@ static int virtio_crypto_alg_akcipher_close_session(struct virtio_crypto_akciphe
+ struct virtio_crypto *vcrypto = ctx->vcrypto;
+ unsigned int num_out = 0, num_in = 0, inlen;
+ int err;
++ struct virtio_crypto_op_ctrl_req *ctrl;
++ struct virtio_crypto_inhdr *ctrl_status;
+
+ spin_lock(&vcrypto->ctrl_lock);
+ if (!ctx->session_valid) {
+ err = 0;
+ goto out;
+ }
+- vcrypto->ctrl_status.status = VIRTIO_CRYPTO_ERR;
+- vcrypto->ctrl.header.opcode = cpu_to_le32(VIRTIO_CRYPTO_AKCIPHER_DESTROY_SESSION);
+- vcrypto->ctrl.header.queue_id = 0;
++ ctrl_status = &vcrypto->ctrl_status;
++ ctrl_status->status = VIRTIO_CRYPTO_ERR;
++ ctrl = &vcrypto->ctrl;
++ ctrl->header.opcode = cpu_to_le32(VIRTIO_CRYPTO_AKCIPHER_DESTROY_SESSION);
++ ctrl->header.queue_id = 0;
+
+- destroy_session = &vcrypto->ctrl.u.destroy_session;
++ destroy_session = &ctrl->u.destroy_session;
+ destroy_session->session_id = cpu_to_le64(ctx->session_id);
+
+- sg_init_one(&outhdr_sg, &vcrypto->ctrl, sizeof(vcrypto->ctrl));
++ sg_init_one(&outhdr_sg, ctrl, sizeof(*ctrl));
+ sgs[num_out++] = &outhdr_sg;
+
+- sg_init_one(&inhdr_sg, &vcrypto->ctrl_status.status, sizeof(vcrypto->ctrl_status.status));
++ sg_init_one(&inhdr_sg, &ctrl_status->status, sizeof(ctrl_status->status));
+ sgs[num_out + num_in++] = &inhdr_sg;
+
+ err = virtqueue_add_sgs(vcrypto->ctrl_vq, sgs, num_out, num_in, vcrypto, GFP_ATOMIC);
+@@ -189,7 +197,7 @@ static int virtio_crypto_alg_akcipher_close_session(struct virtio_crypto_akciphe
+ !virtqueue_is_broken(vcrypto->ctrl_vq))
+ cpu_relax();
+
+- if (vcrypto->ctrl_status.status != VIRTIO_CRYPTO_OK) {
++ if (ctrl_status->status != VIRTIO_CRYPTO_OK) {
+ err = -EINVAL;
+ goto out;
+ }
+@@ -201,7 +209,7 @@ static int virtio_crypto_alg_akcipher_close_session(struct virtio_crypto_akciphe
+ spin_unlock(&vcrypto->ctrl_lock);
+ if (err < 0) {
+ pr_err("virtio_crypto: Close session failed status: %u, session_id: 0x%llx\n",
+- vcrypto->ctrl_status.status, destroy_session->session_id);
++ ctrl_status->status, destroy_session->session_id);
+ }
+
+ return err;
+diff --git a/drivers/crypto/virtio/virtio_crypto_algs.c b/drivers/crypto/virtio/virtio_crypto_algs.c
+index 583c0b535d13..12e2001235a6 100644
+--- a/drivers/crypto/virtio/virtio_crypto_algs.c
++++ b/drivers/crypto/virtio/virtio_crypto_algs.c
+@@ -123,6 +123,9 @@ static int virtio_crypto_alg_skcipher_init_session(
+ int op = encrypt ? VIRTIO_CRYPTO_OP_ENCRYPT : VIRTIO_CRYPTO_OP_DECRYPT;
+ int err;
+ unsigned int num_out = 0, num_in = 0;
++ struct virtio_crypto_op_ctrl_req *ctrl;
++ struct virtio_crypto_session_input *input;
++ struct virtio_crypto_sym_create_session_req *sym_create_session;
+
+ /*
+ * Avoid to do DMA from the stack, switch to using
+@@ -135,24 +138,22 @@ static int virtio_crypto_alg_skcipher_init_session(
+
+ spin_lock(&vcrypto->ctrl_lock);
+ /* Pad ctrl header */
+- vcrypto->ctrl.header.opcode =
+- cpu_to_le32(VIRTIO_CRYPTO_CIPHER_CREATE_SESSION);
+- vcrypto->ctrl.header.algo = cpu_to_le32(alg);
++ ctrl = &vcrypto->ctrl;
++ ctrl->header.opcode = cpu_to_le32(VIRTIO_CRYPTO_CIPHER_CREATE_SESSION);
++ ctrl->header.algo = cpu_to_le32(alg);
+ /* Set the default dataqueue id to 0 */
+- vcrypto->ctrl.header.queue_id = 0;
++ ctrl->header.queue_id = 0;
+
+- vcrypto->input.status = cpu_to_le32(VIRTIO_CRYPTO_ERR);
++ input = &vcrypto->input;
++ input->status = cpu_to_le32(VIRTIO_CRYPTO_ERR);
+ /* Pad cipher's parameters */
+- vcrypto->ctrl.u.sym_create_session.op_type =
+- cpu_to_le32(VIRTIO_CRYPTO_SYM_OP_CIPHER);
+- vcrypto->ctrl.u.sym_create_session.u.cipher.para.algo =
+- vcrypto->ctrl.header.algo;
+- vcrypto->ctrl.u.sym_create_session.u.cipher.para.keylen =
+- cpu_to_le32(keylen);
+- vcrypto->ctrl.u.sym_create_session.u.cipher.para.op =
+- cpu_to_le32(op);
+-
+- sg_init_one(&outhdr, &vcrypto->ctrl, sizeof(vcrypto->ctrl));
++ sym_create_session = &ctrl->u.sym_create_session;
++ sym_create_session->op_type = cpu_to_le32(VIRTIO_CRYPTO_SYM_OP_CIPHER);
++ sym_create_session->u.cipher.para.algo = ctrl->header.algo;
++ sym_create_session->u.cipher.para.keylen = cpu_to_le32(keylen);
++ sym_create_session->u.cipher.para.op = cpu_to_le32(op);
++
++ sg_init_one(&outhdr, ctrl, sizeof(*ctrl));
+ sgs[num_out++] = &outhdr;
+
+ /* Set key */
+@@ -160,7 +161,7 @@ static int virtio_crypto_alg_skcipher_init_session(
+ sgs[num_out++] = &key_sg;
+
+ /* Return status and session id back */
+- sg_init_one(&inhdr, &vcrypto->input, sizeof(vcrypto->input));
++ sg_init_one(&inhdr, input, sizeof(*input));
+ sgs[num_out + num_in++] = &inhdr;
+
+ err = virtqueue_add_sgs(vcrypto->ctrl_vq, sgs, num_out,
+@@ -180,20 +181,18 @@ static int virtio_crypto_alg_skcipher_init_session(
+ !virtqueue_is_broken(vcrypto->ctrl_vq))
+ cpu_relax();
+
+- if (le32_to_cpu(vcrypto->input.status) != VIRTIO_CRYPTO_OK) {
++ if (le32_to_cpu(input->status) != VIRTIO_CRYPTO_OK) {
+ spin_unlock(&vcrypto->ctrl_lock);
+ pr_err("virtio_crypto: Create session failed status: %u\n",
+- le32_to_cpu(vcrypto->input.status));
++ le32_to_cpu(input->status));
+ kfree_sensitive(cipher_key);
+ return -EINVAL;
+ }
+
+ if (encrypt)
+- ctx->enc_sess_info.session_id =
+- le64_to_cpu(vcrypto->input.session_id);
++ ctx->enc_sess_info.session_id = le64_to_cpu(input->session_id);
+ else
+- ctx->dec_sess_info.session_id =
+- le64_to_cpu(vcrypto->input.session_id);
++ ctx->dec_sess_info.session_id = le64_to_cpu(input->session_id);
+
+ spin_unlock(&vcrypto->ctrl_lock);
+
+@@ -211,30 +210,30 @@ static int virtio_crypto_alg_skcipher_close_session(
+ struct virtio_crypto *vcrypto = ctx->vcrypto;
+ int err;
+ unsigned int num_out = 0, num_in = 0;
++ struct virtio_crypto_op_ctrl_req *ctrl;
++ struct virtio_crypto_inhdr *ctrl_status;
+
+ spin_lock(&vcrypto->ctrl_lock);
+- vcrypto->ctrl_status.status = VIRTIO_CRYPTO_ERR;
++ ctrl_status = &vcrypto->ctrl_status;
++ ctrl_status->status = VIRTIO_CRYPTO_ERR;
+ /* Pad ctrl header */
+- vcrypto->ctrl.header.opcode =
+- cpu_to_le32(VIRTIO_CRYPTO_CIPHER_DESTROY_SESSION);
++ ctrl = &vcrypto->ctrl;
++ ctrl->header.opcode = cpu_to_le32(VIRTIO_CRYPTO_CIPHER_DESTROY_SESSION);
+ /* Set the default virtqueue id to 0 */
+- vcrypto->ctrl.header.queue_id = 0;
++ ctrl->header.queue_id = 0;
+
+- destroy_session = &vcrypto->ctrl.u.destroy_session;
++ destroy_session = &ctrl->u.destroy_session;
+
+ if (encrypt)
+- destroy_session->session_id =
+- cpu_to_le64(ctx->enc_sess_info.session_id);
++ destroy_session->session_id = cpu_to_le64(ctx->enc_sess_info.session_id);
+ else
+- destroy_session->session_id =
+- cpu_to_le64(ctx->dec_sess_info.session_id);
++ destroy_session->session_id = cpu_to_le64(ctx->dec_sess_info.session_id);
+
+- sg_init_one(&outhdr, &vcrypto->ctrl, sizeof(vcrypto->ctrl));
++ sg_init_one(&outhdr, ctrl, sizeof(*ctrl));
+ sgs[num_out++] = &outhdr;
+
+ /* Return status and session id back */
+- sg_init_one(&status_sg, &vcrypto->ctrl_status.status,
+- sizeof(vcrypto->ctrl_status.status));
++ sg_init_one(&status_sg, &ctrl_status->status, sizeof(ctrl_status->status));
+ sgs[num_out + num_in++] = &status_sg;
+
+ err = virtqueue_add_sgs(vcrypto->ctrl_vq, sgs, num_out,
+@@ -249,11 +248,10 @@ static int virtio_crypto_alg_skcipher_close_session(
+ !virtqueue_is_broken(vcrypto->ctrl_vq))
+ cpu_relax();
+
+- if (vcrypto->ctrl_status.status != VIRTIO_CRYPTO_OK) {
++ if (ctrl_status->status != VIRTIO_CRYPTO_OK) {
+ spin_unlock(&vcrypto->ctrl_lock);
+ pr_err("virtio_crypto: Close session failed status: %u, session_id: 0x%llx\n",
+- vcrypto->ctrl_status.status,
+- destroy_session->session_id);
++ ctrl_status->status, destroy_session->session_id);
+
+ return -EINVAL;
+ }
+--
+2.43.0
+
--- /dev/null
+From 3cf22eaa5cc7b2e136dc40de9dfcb8e417e926e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Mar 2022 11:39:16 +0800
+Subject: virtio-crypto: implement RSA algorithm
+
+From: zhenwei pi <pizhenwei@bytedance.com>
+
+[ Upstream commit 59ca6c93387d325e96577d8bd4c23c78c1491c11 ]
+
+Support rsa & pkcs1pad(rsa,sha1) with priority 150.
+
+Test with QEMU built-in backend, it works fine.
+1, The self-test framework of crypto layer works fine in guest kernel
+2, Test with Linux guest(with asym support), the following script
+test(note that pkey_XXX is supported only in a newer version of keyutils):
+ - both public key & private key
+ - create/close session
+ - encrypt/decrypt/sign/verify basic driver operation
+ - also test with kernel crypto layer(pkey add/query)
+
+All the cases work fine.
+
+rm -rf *.der *.pem *.pfx
+modprobe pkcs8_key_parser # if CONFIG_PKCS8_PRIVATE_KEY_PARSER=m
+rm -rf /tmp/data
+dd if=/dev/random of=/tmp/data count=1 bs=226
+
+openssl req -nodes -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -subj "/C=CN/ST=BJ/L=HD/O=qemu/OU=dev/CN=qemu/emailAddress=qemu@qemu.org"
+openssl pkcs8 -in key.pem -topk8 -nocrypt -outform DER -out key.der
+openssl x509 -in cert.pem -inform PEM -outform DER -out cert.der
+
+PRIV_KEY_ID=`cat key.der | keyctl padd asymmetric test_priv_key @s`
+echo "priv key id = "$PRIV_KEY_ID
+PUB_KEY_ID=`cat cert.der | keyctl padd asymmetric test_pub_key @s`
+echo "pub key id = "$PUB_KEY_ID
+
+keyctl pkey_query $PRIV_KEY_ID 0
+keyctl pkey_query $PUB_KEY_ID 0
+
+echo "Enc with priv key..."
+keyctl pkey_encrypt $PRIV_KEY_ID 0 /tmp/data enc=pkcs1 >/tmp/enc.priv
+echo "Dec with pub key..."
+keyctl pkey_decrypt $PRIV_KEY_ID 0 /tmp/enc.priv enc=pkcs1 >/tmp/dec
+cmp /tmp/data /tmp/dec
+
+echo "Sign with priv key..."
+keyctl pkey_sign $PRIV_KEY_ID 0 /tmp/data enc=pkcs1 hash=sha1 > /tmp/sig
+echo "Verify with pub key..."
+keyctl pkey_verify $PRIV_KEY_ID 0 /tmp/data /tmp/sig enc=pkcs1 hash=sha1
+
+echo "Enc with pub key..."
+keyctl pkey_encrypt $PUB_KEY_ID 0 /tmp/data enc=pkcs1 >/tmp/enc.pub
+echo "Dec with priv key..."
+keyctl pkey_decrypt $PRIV_KEY_ID 0 /tmp/enc.pub enc=pkcs1 >/tmp/dec
+cmp /tmp/data /tmp/dec
+
+echo "Verify with pub key..."
+keyctl pkey_verify $PUB_KEY_ID 0 /tmp/data /tmp/sig enc=pkcs1 hash=sha1
+
+[1 compiling warning during development]
+Reported-by: kernel test robot <lkp@intel.com>
+
+Co-developed-by: lei he <helei.sig11@bytedance.com>
+Signed-off-by: lei he <helei.sig11@bytedance.com>
+Signed-off-by: zhenwei pi <pizhenwei@bytedance.com>
+Link: https://lore.kernel.org/r/20220302033917.1295334-4-pizhenwei@bytedance.com
+Reviewed-by: Gonglei <arei.gonglei@huawei.com>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org> #Kconfig tweaks
+Link: https://lore.kernel.org/r/20220308205309.2192502-1-nathan@kernel.org
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Stable-dep-of: fed93fb62e05 ("crypto: virtio - Handle dataq logic with tasklet")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/virtio/Kconfig | 3 +
+ drivers/crypto/virtio/Makefile | 1 +
+ .../virtio/virtio_crypto_akcipher_algs.c | 585 ++++++++++++++++++
+ drivers/crypto/virtio/virtio_crypto_common.h | 3 +
+ drivers/crypto/virtio/virtio_crypto_core.c | 6 +-
+ drivers/crypto/virtio/virtio_crypto_mgr.c | 11 +
+ 6 files changed, 608 insertions(+), 1 deletion(-)
+ create mode 100644 drivers/crypto/virtio/virtio_crypto_akcipher_algs.c
+
+diff --git a/drivers/crypto/virtio/Kconfig b/drivers/crypto/virtio/Kconfig
+index b894e3a8be4f..5f8915f4a9ff 100644
+--- a/drivers/crypto/virtio/Kconfig
++++ b/drivers/crypto/virtio/Kconfig
+@@ -3,8 +3,11 @@ config CRYPTO_DEV_VIRTIO
+ tristate "VirtIO crypto driver"
+ depends on VIRTIO
+ select CRYPTO_AEAD
++ select CRYPTO_AKCIPHER2
+ select CRYPTO_SKCIPHER
+ select CRYPTO_ENGINE
++ select CRYPTO_RSA
++ select MPILIB
+ help
+ This driver provides support for virtio crypto device. If you
+ choose 'M' here, this module will be called virtio_crypto.
+diff --git a/drivers/crypto/virtio/Makefile b/drivers/crypto/virtio/Makefile
+index cbfccccfa135..f2b839473d61 100644
+--- a/drivers/crypto/virtio/Makefile
++++ b/drivers/crypto/virtio/Makefile
+@@ -2,5 +2,6 @@
+ obj-$(CONFIG_CRYPTO_DEV_VIRTIO) += virtio_crypto.o
+ virtio_crypto-objs := \
+ virtio_crypto_algs.o \
++ virtio_crypto_akcipher_algs.o \
+ virtio_crypto_mgr.o \
+ virtio_crypto_core.o
+diff --git a/drivers/crypto/virtio/virtio_crypto_akcipher_algs.c b/drivers/crypto/virtio/virtio_crypto_akcipher_algs.c
+new file mode 100644
+index 000000000000..f3ec9420215e
+--- /dev/null
++++ b/drivers/crypto/virtio/virtio_crypto_akcipher_algs.c
+@@ -0,0 +1,585 @@
++// SPDX-License-Identifier: GPL-2.0-or-later
++ /* Asymmetric algorithms supported by virtio crypto device
++ *
++ * Authors: zhenwei pi <pizhenwei@bytedance.com>
++ * lei he <helei.sig11@bytedance.com>
++ *
++ * Copyright 2022 Bytedance CO., LTD.
++ */
++
++#include <linux/mpi.h>
++#include <linux/scatterlist.h>
++#include <crypto/algapi.h>
++#include <crypto/internal/akcipher.h>
++#include <crypto/internal/rsa.h>
++#include <linux/err.h>
++#include <crypto/scatterwalk.h>
++#include <linux/atomic.h>
++
++#include <uapi/linux/virtio_crypto.h>
++#include "virtio_crypto_common.h"
++
++struct virtio_crypto_rsa_ctx {
++ MPI n;
++};
++
++struct virtio_crypto_akcipher_ctx {
++ struct crypto_engine_ctx enginectx;
++ struct virtio_crypto *vcrypto;
++ struct crypto_akcipher *tfm;
++ bool session_valid;
++ __u64 session_id;
++ union {
++ struct virtio_crypto_rsa_ctx rsa_ctx;
++ };
++};
++
++struct virtio_crypto_akcipher_request {
++ struct virtio_crypto_request base;
++ struct virtio_crypto_akcipher_ctx *akcipher_ctx;
++ struct akcipher_request *akcipher_req;
++ void *src_buf;
++ void *dst_buf;
++ uint32_t opcode;
++};
++
++struct virtio_crypto_akcipher_algo {
++ uint32_t algonum;
++ uint32_t service;
++ unsigned int active_devs;
++ struct akcipher_alg algo;
++};
++
++static DEFINE_MUTEX(algs_lock);
++
++static void virtio_crypto_akcipher_finalize_req(
++ struct virtio_crypto_akcipher_request *vc_akcipher_req,
++ struct akcipher_request *req, int err)
++{
++ virtcrypto_clear_request(&vc_akcipher_req->base);
++
++ crypto_finalize_akcipher_request(vc_akcipher_req->base.dataq->engine, req, err);
++}
++
++static void virtio_crypto_dataq_akcipher_callback(struct virtio_crypto_request *vc_req, int len)
++{
++ struct virtio_crypto_akcipher_request *vc_akcipher_req =
++ container_of(vc_req, struct virtio_crypto_akcipher_request, base);
++ struct akcipher_request *akcipher_req;
++ int error;
++
++ switch (vc_req->status) {
++ case VIRTIO_CRYPTO_OK:
++ error = 0;
++ break;
++ case VIRTIO_CRYPTO_INVSESS:
++ case VIRTIO_CRYPTO_ERR:
++ error = -EINVAL;
++ break;
++ case VIRTIO_CRYPTO_BADMSG:
++ error = -EBADMSG;
++ break;
++
++ case VIRTIO_CRYPTO_KEY_REJECTED:
++ error = -EKEYREJECTED;
++ break;
++
++ default:
++ error = -EIO;
++ break;
++ }
++
++ akcipher_req = vc_akcipher_req->akcipher_req;
++ if (vc_akcipher_req->opcode != VIRTIO_CRYPTO_AKCIPHER_VERIFY)
++ sg_copy_from_buffer(akcipher_req->dst, sg_nents(akcipher_req->dst),
++ vc_akcipher_req->dst_buf, akcipher_req->dst_len);
++ virtio_crypto_akcipher_finalize_req(vc_akcipher_req, akcipher_req, error);
++}
++
++static int virtio_crypto_alg_akcipher_init_session(struct virtio_crypto_akcipher_ctx *ctx,
++ struct virtio_crypto_ctrl_header *header, void *para,
++ const uint8_t *key, unsigned int keylen)
++{
++ struct scatterlist outhdr_sg, key_sg, inhdr_sg, *sgs[3];
++ struct virtio_crypto *vcrypto = ctx->vcrypto;
++ uint8_t *pkey;
++ unsigned int inlen;
++ int err;
++ unsigned int num_out = 0, num_in = 0;
++
++ pkey = kmemdup(key, keylen, GFP_ATOMIC);
++ if (!pkey)
++ return -ENOMEM;
++
++ spin_lock(&vcrypto->ctrl_lock);
++ memcpy(&vcrypto->ctrl.header, header, sizeof(vcrypto->ctrl.header));
++ memcpy(&vcrypto->ctrl.u, para, sizeof(vcrypto->ctrl.u));
++ vcrypto->input.status = cpu_to_le32(VIRTIO_CRYPTO_ERR);
++
++ sg_init_one(&outhdr_sg, &vcrypto->ctrl, sizeof(vcrypto->ctrl));
++ sgs[num_out++] = &outhdr_sg;
++
++ sg_init_one(&key_sg, pkey, keylen);
++ sgs[num_out++] = &key_sg;
++
++ sg_init_one(&inhdr_sg, &vcrypto->input, sizeof(vcrypto->input));
++ sgs[num_out + num_in++] = &inhdr_sg;
++
++ err = virtqueue_add_sgs(vcrypto->ctrl_vq, sgs, num_out, num_in, vcrypto, GFP_ATOMIC);
++ if (err < 0)
++ goto out;
++
++ virtqueue_kick(vcrypto->ctrl_vq);
++ while (!virtqueue_get_buf(vcrypto->ctrl_vq, &inlen) &&
++ !virtqueue_is_broken(vcrypto->ctrl_vq))
++ cpu_relax();
++
++ if (le32_to_cpu(vcrypto->input.status) != VIRTIO_CRYPTO_OK) {
++ err = -EINVAL;
++ goto out;
++ }
++
++ ctx->session_id = le64_to_cpu(vcrypto->input.session_id);
++ ctx->session_valid = true;
++ err = 0;
++
++out:
++ spin_unlock(&vcrypto->ctrl_lock);
++ kfree_sensitive(pkey);
++
++ if (err < 0)
++ pr_err("virtio_crypto: Create session failed status: %u\n",
++ le32_to_cpu(vcrypto->input.status));
++
++ return err;
++}
++
++static int virtio_crypto_alg_akcipher_close_session(struct virtio_crypto_akcipher_ctx *ctx)
++{
++ struct scatterlist outhdr_sg, inhdr_sg, *sgs[2];
++ struct virtio_crypto_destroy_session_req *destroy_session;
++ struct virtio_crypto *vcrypto = ctx->vcrypto;
++ unsigned int num_out = 0, num_in = 0, inlen;
++ int err;
++
++ spin_lock(&vcrypto->ctrl_lock);
++ if (!ctx->session_valid) {
++ err = 0;
++ goto out;
++ }
++ vcrypto->ctrl_status.status = VIRTIO_CRYPTO_ERR;
++ vcrypto->ctrl.header.opcode = cpu_to_le32(VIRTIO_CRYPTO_AKCIPHER_DESTROY_SESSION);
++ vcrypto->ctrl.header.queue_id = 0;
++
++ destroy_session = &vcrypto->ctrl.u.destroy_session;
++ destroy_session->session_id = cpu_to_le64(ctx->session_id);
++
++ sg_init_one(&outhdr_sg, &vcrypto->ctrl, sizeof(vcrypto->ctrl));
++ sgs[num_out++] = &outhdr_sg;
++
++ sg_init_one(&inhdr_sg, &vcrypto->ctrl_status.status, sizeof(vcrypto->ctrl_status.status));
++ sgs[num_out + num_in++] = &inhdr_sg;
++
++ err = virtqueue_add_sgs(vcrypto->ctrl_vq, sgs, num_out, num_in, vcrypto, GFP_ATOMIC);
++ if (err < 0)
++ goto out;
++
++ virtqueue_kick(vcrypto->ctrl_vq);
++ while (!virtqueue_get_buf(vcrypto->ctrl_vq, &inlen) &&
++ !virtqueue_is_broken(vcrypto->ctrl_vq))
++ cpu_relax();
++
++ if (vcrypto->ctrl_status.status != VIRTIO_CRYPTO_OK) {
++ err = -EINVAL;
++ goto out;
++ }
++
++ err = 0;
++ ctx->session_valid = false;
++
++out:
++ spin_unlock(&vcrypto->ctrl_lock);
++ if (err < 0) {
++ pr_err("virtio_crypto: Close session failed status: %u, session_id: 0x%llx\n",
++ vcrypto->ctrl_status.status, destroy_session->session_id);
++ }
++
++ return err;
++}
++
++static int __virtio_crypto_akcipher_do_req(struct virtio_crypto_akcipher_request *vc_akcipher_req,
++ struct akcipher_request *req, struct data_queue *data_vq)
++{
++ struct virtio_crypto_akcipher_ctx *ctx = vc_akcipher_req->akcipher_ctx;
++ struct virtio_crypto_request *vc_req = &vc_akcipher_req->base;
++ struct virtio_crypto *vcrypto = ctx->vcrypto;
++ struct virtio_crypto_op_data_req *req_data = vc_req->req_data;
++ struct scatterlist *sgs[4], outhdr_sg, inhdr_sg, srcdata_sg, dstdata_sg;
++ void *src_buf = NULL, *dst_buf = NULL;
++ unsigned int num_out = 0, num_in = 0;
++ int node = dev_to_node(&vcrypto->vdev->dev);
++ unsigned long flags;
++ int ret = -ENOMEM;
++ bool verify = vc_akcipher_req->opcode == VIRTIO_CRYPTO_AKCIPHER_VERIFY;
++ unsigned int src_len = verify ? req->src_len + req->dst_len : req->src_len;
++
++ /* out header */
++ sg_init_one(&outhdr_sg, req_data, sizeof(*req_data));
++ sgs[num_out++] = &outhdr_sg;
++
++ /* src data */
++ src_buf = kcalloc_node(src_len, 1, GFP_KERNEL, node);
++ if (!src_buf)
++ goto err;
++
++ if (verify) {
++ /* for verify operation, both src and dst data work as OUT direction */
++ sg_copy_to_buffer(req->src, sg_nents(req->src), src_buf, src_len);
++ sg_init_one(&srcdata_sg, src_buf, src_len);
++ sgs[num_out++] = &srcdata_sg;
++ } else {
++ sg_copy_to_buffer(req->src, sg_nents(req->src), src_buf, src_len);
++ sg_init_one(&srcdata_sg, src_buf, src_len);
++ sgs[num_out++] = &srcdata_sg;
++
++ /* dst data */
++ dst_buf = kcalloc_node(req->dst_len, 1, GFP_KERNEL, node);
++ if (!dst_buf)
++ goto err;
++
++ sg_init_one(&dstdata_sg, dst_buf, req->dst_len);
++ sgs[num_out + num_in++] = &dstdata_sg;
++ }
++
++ vc_akcipher_req->src_buf = src_buf;
++ vc_akcipher_req->dst_buf = dst_buf;
++
++ /* in header */
++ sg_init_one(&inhdr_sg, &vc_req->status, sizeof(vc_req->status));
++ sgs[num_out + num_in++] = &inhdr_sg;
++
++ spin_lock_irqsave(&data_vq->lock, flags);
++ ret = virtqueue_add_sgs(data_vq->vq, sgs, num_out, num_in, vc_req, GFP_ATOMIC);
++ virtqueue_kick(data_vq->vq);
++ spin_unlock_irqrestore(&data_vq->lock, flags);
++ if (ret)
++ goto err;
++
++ return 0;
++
++err:
++ kfree(src_buf);
++ kfree(dst_buf);
++
++ return -ENOMEM;
++}
++
++static int virtio_crypto_rsa_do_req(struct crypto_engine *engine, void *vreq)
++{
++ struct akcipher_request *req = container_of(vreq, struct akcipher_request, base);
++ struct virtio_crypto_akcipher_request *vc_akcipher_req = akcipher_request_ctx(req);
++ struct virtio_crypto_request *vc_req = &vc_akcipher_req->base;
++ struct virtio_crypto_akcipher_ctx *ctx = vc_akcipher_req->akcipher_ctx;
++ struct virtio_crypto *vcrypto = ctx->vcrypto;
++ struct data_queue *data_vq = vc_req->dataq;
++ struct virtio_crypto_op_header *header;
++ struct virtio_crypto_akcipher_data_req *akcipher_req;
++ int ret;
++
++ vc_req->sgs = NULL;
++ vc_req->req_data = kzalloc_node(sizeof(*vc_req->req_data),
++ GFP_KERNEL, dev_to_node(&vcrypto->vdev->dev));
++ if (!vc_req->req_data)
++ return -ENOMEM;
++
++ /* build request header */
++ header = &vc_req->req_data->header;
++ header->opcode = cpu_to_le32(vc_akcipher_req->opcode);
++ header->algo = cpu_to_le32(VIRTIO_CRYPTO_AKCIPHER_RSA);
++ header->session_id = cpu_to_le64(ctx->session_id);
++
++ /* build request akcipher data */
++ akcipher_req = &vc_req->req_data->u.akcipher_req;
++ akcipher_req->para.src_data_len = cpu_to_le32(req->src_len);
++ akcipher_req->para.dst_data_len = cpu_to_le32(req->dst_len);
++
++ ret = __virtio_crypto_akcipher_do_req(vc_akcipher_req, req, data_vq);
++ if (ret < 0) {
++ kfree_sensitive(vc_req->req_data);
++ vc_req->req_data = NULL;
++ return ret;
++ }
++
++ return 0;
++}
++
++static int virtio_crypto_rsa_req(struct akcipher_request *req, uint32_t opcode)
++{
++ struct crypto_akcipher *atfm = crypto_akcipher_reqtfm(req);
++ struct virtio_crypto_akcipher_ctx *ctx = akcipher_tfm_ctx(atfm);
++ struct virtio_crypto_akcipher_request *vc_akcipher_req = akcipher_request_ctx(req);
++ struct virtio_crypto_request *vc_req = &vc_akcipher_req->base;
++ struct virtio_crypto *vcrypto = ctx->vcrypto;
++ /* Use the first data virtqueue as default */
++ struct data_queue *data_vq = &vcrypto->data_vq[0];
++
++ vc_req->dataq = data_vq;
++ vc_req->alg_cb = virtio_crypto_dataq_akcipher_callback;
++ vc_akcipher_req->akcipher_ctx = ctx;
++ vc_akcipher_req->akcipher_req = req;
++ vc_akcipher_req->opcode = opcode;
++
++ return crypto_transfer_akcipher_request_to_engine(data_vq->engine, req);
++}
++
++static int virtio_crypto_rsa_encrypt(struct akcipher_request *req)
++{
++ return virtio_crypto_rsa_req(req, VIRTIO_CRYPTO_AKCIPHER_ENCRYPT);
++}
++
++static int virtio_crypto_rsa_decrypt(struct akcipher_request *req)
++{
++ return virtio_crypto_rsa_req(req, VIRTIO_CRYPTO_AKCIPHER_DECRYPT);
++}
++
++static int virtio_crypto_rsa_sign(struct akcipher_request *req)
++{
++ return virtio_crypto_rsa_req(req, VIRTIO_CRYPTO_AKCIPHER_SIGN);
++}
++
++static int virtio_crypto_rsa_verify(struct akcipher_request *req)
++{
++ return virtio_crypto_rsa_req(req, VIRTIO_CRYPTO_AKCIPHER_VERIFY);
++}
++
++static int virtio_crypto_rsa_set_key(struct crypto_akcipher *tfm,
++ const void *key,
++ unsigned int keylen,
++ bool private,
++ int padding_algo,
++ int hash_algo)
++{
++ struct virtio_crypto_akcipher_ctx *ctx = akcipher_tfm_ctx(tfm);
++ struct virtio_crypto_rsa_ctx *rsa_ctx = &ctx->rsa_ctx;
++ struct virtio_crypto *vcrypto;
++ struct virtio_crypto_ctrl_header header;
++ struct virtio_crypto_akcipher_session_para para;
++ struct rsa_key rsa_key = {0};
++ int node = virtio_crypto_get_current_node();
++ uint32_t keytype;
++ int ret;
++
++ /* mpi_free will test n, just free it. */
++ mpi_free(rsa_ctx->n);
++ rsa_ctx->n = NULL;
++
++ if (private) {
++ keytype = VIRTIO_CRYPTO_AKCIPHER_KEY_TYPE_PRIVATE;
++ ret = rsa_parse_priv_key(&rsa_key, key, keylen);
++ } else {
++ keytype = VIRTIO_CRYPTO_AKCIPHER_KEY_TYPE_PUBLIC;
++ ret = rsa_parse_pub_key(&rsa_key, key, keylen);
++ }
++
++ if (ret)
++ return ret;
++
++ rsa_ctx->n = mpi_read_raw_data(rsa_key.n, rsa_key.n_sz);
++ if (!rsa_ctx->n)
++ return -ENOMEM;
++
++ if (!ctx->vcrypto) {
++ vcrypto = virtcrypto_get_dev_node(node, VIRTIO_CRYPTO_SERVICE_AKCIPHER,
++ VIRTIO_CRYPTO_AKCIPHER_RSA);
++ if (!vcrypto) {
++ pr_err("virtio_crypto: Could not find a virtio device in the system or unsupported algo\n");
++ return -ENODEV;
++ }
++
++ ctx->vcrypto = vcrypto;
++ } else {
++ virtio_crypto_alg_akcipher_close_session(ctx);
++ }
++
++ /* set ctrl header */
++ header.opcode = cpu_to_le32(VIRTIO_CRYPTO_AKCIPHER_CREATE_SESSION);
++ header.algo = cpu_to_le32(VIRTIO_CRYPTO_AKCIPHER_RSA);
++ header.queue_id = 0;
++
++ /* set RSA para */
++ para.algo = cpu_to_le32(VIRTIO_CRYPTO_AKCIPHER_RSA);
++ para.keytype = cpu_to_le32(keytype);
++ para.keylen = cpu_to_le32(keylen);
++ para.u.rsa.padding_algo = cpu_to_le32(padding_algo);
++ para.u.rsa.hash_algo = cpu_to_le32(hash_algo);
++
++ return virtio_crypto_alg_akcipher_init_session(ctx, &header, ¶, key, keylen);
++}
++
++static int virtio_crypto_rsa_raw_set_priv_key(struct crypto_akcipher *tfm,
++ const void *key,
++ unsigned int keylen)
++{
++ return virtio_crypto_rsa_set_key(tfm, key, keylen, 1,
++ VIRTIO_CRYPTO_RSA_RAW_PADDING,
++ VIRTIO_CRYPTO_RSA_NO_HASH);
++}
++
++
++static int virtio_crypto_p1pad_rsa_sha1_set_priv_key(struct crypto_akcipher *tfm,
++ const void *key,
++ unsigned int keylen)
++{
++ return virtio_crypto_rsa_set_key(tfm, key, keylen, 1,
++ VIRTIO_CRYPTO_RSA_PKCS1_PADDING,
++ VIRTIO_CRYPTO_RSA_SHA1);
++}
++
++static int virtio_crypto_rsa_raw_set_pub_key(struct crypto_akcipher *tfm,
++ const void *key,
++ unsigned int keylen)
++{
++ return virtio_crypto_rsa_set_key(tfm, key, keylen, 0,
++ VIRTIO_CRYPTO_RSA_RAW_PADDING,
++ VIRTIO_CRYPTO_RSA_NO_HASH);
++}
++
++static int virtio_crypto_p1pad_rsa_sha1_set_pub_key(struct crypto_akcipher *tfm,
++ const void *key,
++ unsigned int keylen)
++{
++ return virtio_crypto_rsa_set_key(tfm, key, keylen, 0,
++ VIRTIO_CRYPTO_RSA_PKCS1_PADDING,
++ VIRTIO_CRYPTO_RSA_SHA1);
++}
++
++static unsigned int virtio_crypto_rsa_max_size(struct crypto_akcipher *tfm)
++{
++ struct virtio_crypto_akcipher_ctx *ctx = akcipher_tfm_ctx(tfm);
++ struct virtio_crypto_rsa_ctx *rsa_ctx = &ctx->rsa_ctx;
++
++ return mpi_get_size(rsa_ctx->n);
++}
++
++static int virtio_crypto_rsa_init_tfm(struct crypto_akcipher *tfm)
++{
++ struct virtio_crypto_akcipher_ctx *ctx = akcipher_tfm_ctx(tfm);
++
++ ctx->tfm = tfm;
++ ctx->enginectx.op.do_one_request = virtio_crypto_rsa_do_req;
++ ctx->enginectx.op.prepare_request = NULL;
++ ctx->enginectx.op.unprepare_request = NULL;
++
++ return 0;
++}
++
++static void virtio_crypto_rsa_exit_tfm(struct crypto_akcipher *tfm)
++{
++ struct virtio_crypto_akcipher_ctx *ctx = akcipher_tfm_ctx(tfm);
++ struct virtio_crypto_rsa_ctx *rsa_ctx = &ctx->rsa_ctx;
++
++ virtio_crypto_alg_akcipher_close_session(ctx);
++ virtcrypto_dev_put(ctx->vcrypto);
++ mpi_free(rsa_ctx->n);
++ rsa_ctx->n = NULL;
++}
++
++static struct virtio_crypto_akcipher_algo virtio_crypto_akcipher_algs[] = {
++ {
++ .algonum = VIRTIO_CRYPTO_AKCIPHER_RSA,
++ .service = VIRTIO_CRYPTO_SERVICE_AKCIPHER,
++ .algo = {
++ .encrypt = virtio_crypto_rsa_encrypt,
++ .decrypt = virtio_crypto_rsa_decrypt,
++ .set_pub_key = virtio_crypto_rsa_raw_set_pub_key,
++ .set_priv_key = virtio_crypto_rsa_raw_set_priv_key,
++ .max_size = virtio_crypto_rsa_max_size,
++ .init = virtio_crypto_rsa_init_tfm,
++ .exit = virtio_crypto_rsa_exit_tfm,
++ .reqsize = sizeof(struct virtio_crypto_akcipher_request),
++ .base = {
++ .cra_name = "rsa",
++ .cra_driver_name = "virtio-crypto-rsa",
++ .cra_priority = 150,
++ .cra_module = THIS_MODULE,
++ .cra_ctxsize = sizeof(struct virtio_crypto_akcipher_ctx),
++ },
++ },
++ },
++ {
++ .algonum = VIRTIO_CRYPTO_AKCIPHER_RSA,
++ .service = VIRTIO_CRYPTO_SERVICE_AKCIPHER,
++ .algo = {
++ .encrypt = virtio_crypto_rsa_encrypt,
++ .decrypt = virtio_crypto_rsa_decrypt,
++ .sign = virtio_crypto_rsa_sign,
++ .verify = virtio_crypto_rsa_verify,
++ .set_pub_key = virtio_crypto_p1pad_rsa_sha1_set_pub_key,
++ .set_priv_key = virtio_crypto_p1pad_rsa_sha1_set_priv_key,
++ .max_size = virtio_crypto_rsa_max_size,
++ .init = virtio_crypto_rsa_init_tfm,
++ .exit = virtio_crypto_rsa_exit_tfm,
++ .reqsize = sizeof(struct virtio_crypto_akcipher_request),
++ .base = {
++ .cra_name = "pkcs1pad(rsa,sha1)",
++ .cra_driver_name = "virtio-pkcs1-rsa-with-sha1",
++ .cra_priority = 150,
++ .cra_module = THIS_MODULE,
++ .cra_ctxsize = sizeof(struct virtio_crypto_akcipher_ctx),
++ },
++ },
++ },
++};
++
++int virtio_crypto_akcipher_algs_register(struct virtio_crypto *vcrypto)
++{
++ int ret = 0;
++ int i = 0;
++
++ mutex_lock(&algs_lock);
++
++ for (i = 0; i < ARRAY_SIZE(virtio_crypto_akcipher_algs); i++) {
++ uint32_t service = virtio_crypto_akcipher_algs[i].service;
++ uint32_t algonum = virtio_crypto_akcipher_algs[i].algonum;
++
++ if (!virtcrypto_algo_is_supported(vcrypto, service, algonum))
++ continue;
++
++ if (virtio_crypto_akcipher_algs[i].active_devs == 0) {
++ ret = crypto_register_akcipher(&virtio_crypto_akcipher_algs[i].algo);
++ if (ret)
++ goto unlock;
++ }
++
++ virtio_crypto_akcipher_algs[i].active_devs++;
++ dev_info(&vcrypto->vdev->dev, "Registered akcipher algo %s\n",
++ virtio_crypto_akcipher_algs[i].algo.base.cra_name);
++ }
++
++unlock:
++ mutex_unlock(&algs_lock);
++ return ret;
++}
++
++void virtio_crypto_akcipher_algs_unregister(struct virtio_crypto *vcrypto)
++{
++ int i = 0;
++
++ mutex_lock(&algs_lock);
++
++ for (i = 0; i < ARRAY_SIZE(virtio_crypto_akcipher_algs); i++) {
++ uint32_t service = virtio_crypto_akcipher_algs[i].service;
++ uint32_t algonum = virtio_crypto_akcipher_algs[i].algonum;
++
++ if (virtio_crypto_akcipher_algs[i].active_devs == 0 ||
++ !virtcrypto_algo_is_supported(vcrypto, service, algonum))
++ continue;
++
++ if (virtio_crypto_akcipher_algs[i].active_devs == 1)
++ crypto_unregister_akcipher(&virtio_crypto_akcipher_algs[i].algo);
++
++ virtio_crypto_akcipher_algs[i].active_devs--;
++ }
++
++ mutex_unlock(&algs_lock);
++}
+diff --git a/drivers/crypto/virtio/virtio_crypto_common.h b/drivers/crypto/virtio/virtio_crypto_common.h
+index a24f85c589e7..214f9a6fcf84 100644
+--- a/drivers/crypto/virtio/virtio_crypto_common.h
++++ b/drivers/crypto/virtio/virtio_crypto_common.h
+@@ -56,6 +56,7 @@ struct virtio_crypto {
+ u32 mac_algo_l;
+ u32 mac_algo_h;
+ u32 aead_algo;
++ u32 akcipher_algo;
+
+ /* Maximum length of cipher key */
+ u32 max_cipher_key_len;
+@@ -131,5 +132,7 @@ static inline int virtio_crypto_get_current_node(void)
+
+ int virtio_crypto_algs_register(struct virtio_crypto *vcrypto);
+ void virtio_crypto_algs_unregister(struct virtio_crypto *vcrypto);
++int virtio_crypto_akcipher_algs_register(struct virtio_crypto *vcrypto);
++void virtio_crypto_akcipher_algs_unregister(struct virtio_crypto *vcrypto);
+
+ #endif /* _VIRTIO_CRYPTO_COMMON_H */
+diff --git a/drivers/crypto/virtio/virtio_crypto_core.c b/drivers/crypto/virtio/virtio_crypto_core.c
+index 080955a1dd9c..f6eb6d064fbd 100644
+--- a/drivers/crypto/virtio/virtio_crypto_core.c
++++ b/drivers/crypto/virtio/virtio_crypto_core.c
+@@ -297,6 +297,7 @@ static int virtcrypto_probe(struct virtio_device *vdev)
+ u32 mac_algo_l = 0;
+ u32 mac_algo_h = 0;
+ u32 aead_algo = 0;
++ u32 akcipher_algo = 0;
+ u32 crypto_services = 0;
+
+ if (!virtio_has_feature(vdev, VIRTIO_F_VERSION_1))
+@@ -348,6 +349,9 @@ static int virtcrypto_probe(struct virtio_device *vdev)
+ mac_algo_h, &mac_algo_h);
+ virtio_cread_le(vdev, struct virtio_crypto_config,
+ aead_algo, &aead_algo);
++ if (crypto_services & (1 << VIRTIO_CRYPTO_SERVICE_AKCIPHER))
++ virtio_cread_le(vdev, struct virtio_crypto_config,
++ akcipher_algo, &akcipher_algo);
+
+ /* Add virtio crypto device to global table */
+ err = virtcrypto_devmgr_add_dev(vcrypto);
+@@ -374,7 +378,7 @@ static int virtcrypto_probe(struct virtio_device *vdev)
+ vcrypto->mac_algo_h = mac_algo_h;
+ vcrypto->hash_algo = hash_algo;
+ vcrypto->aead_algo = aead_algo;
+-
++ vcrypto->akcipher_algo = akcipher_algo;
+
+ dev_info(&vdev->dev,
+ "max_queues: %u, max_cipher_key_len: %u, max_auth_key_len: %u, max_size 0x%llx\n",
+diff --git a/drivers/crypto/virtio/virtio_crypto_mgr.c b/drivers/crypto/virtio/virtio_crypto_mgr.c
+index 6860f8180c7c..1cb92418b321 100644
+--- a/drivers/crypto/virtio/virtio_crypto_mgr.c
++++ b/drivers/crypto/virtio/virtio_crypto_mgr.c
+@@ -242,6 +242,12 @@ int virtcrypto_dev_start(struct virtio_crypto *vcrypto)
+ return -EFAULT;
+ }
+
++ if (virtio_crypto_akcipher_algs_register(vcrypto)) {
++ pr_err("virtio_crypto: Failed to register crypto akcipher algs\n");
++ virtio_crypto_algs_unregister(vcrypto);
++ return -EFAULT;
++ }
++
+ return 0;
+ }
+
+@@ -258,6 +264,7 @@ int virtcrypto_dev_start(struct virtio_crypto *vcrypto)
+ void virtcrypto_dev_stop(struct virtio_crypto *vcrypto)
+ {
+ virtio_crypto_algs_unregister(vcrypto);
++ virtio_crypto_akcipher_algs_unregister(vcrypto);
+ }
+
+ /*
+@@ -312,6 +319,10 @@ bool virtcrypto_algo_is_supported(struct virtio_crypto *vcrypto,
+ case VIRTIO_CRYPTO_SERVICE_AEAD:
+ algo_mask = vcrypto->aead_algo;
+ break;
++
++ case VIRTIO_CRYPTO_SERVICE_AKCIPHER:
++ algo_mask = vcrypto->akcipher_algo;
++ break;
+ }
+
+ if (!(algo_mask & (1u << algo)))
+--
+2.43.0
+
--- /dev/null
+From 312e53f3ae3c61219cc5a665eca7303bcc59acd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Mar 2022 11:39:15 +0800
+Subject: virtio-crypto: introduce akcipher service
+
+From: zhenwei pi <pizhenwei@bytedance.com>
+
+[ Upstream commit 24e19590628b58578748eeaec8140bf9c9dc00d9 ]
+
+Introduce asymmetric service definition, asymmetric operations and
+several well known algorithms.
+
+Co-developed-by: lei he <helei.sig11@bytedance.com>
+Signed-off-by: lei he <helei.sig11@bytedance.com>
+Signed-off-by: zhenwei pi <pizhenwei@bytedance.com>
+Link: https://lore.kernel.org/r/20220302033917.1295334-3-pizhenwei@bytedance.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Gonglei <arei.gonglei@huawei.com>
+Stable-dep-of: fed93fb62e05 ("crypto: virtio - Handle dataq logic with tasklet")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/virtio_crypto.h | 81 +++++++++++++++++++++++++++++-
+ 1 file changed, 80 insertions(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/virtio_crypto.h b/include/uapi/linux/virtio_crypto.h
+index 1166a49084b0..71a54a6849ca 100644
+--- a/include/uapi/linux/virtio_crypto.h
++++ b/include/uapi/linux/virtio_crypto.h
+@@ -37,6 +37,7 @@
+ #define VIRTIO_CRYPTO_SERVICE_HASH 1
+ #define VIRTIO_CRYPTO_SERVICE_MAC 2
+ #define VIRTIO_CRYPTO_SERVICE_AEAD 3
++#define VIRTIO_CRYPTO_SERVICE_AKCIPHER 4
+
+ #define VIRTIO_CRYPTO_OPCODE(service, op) (((service) << 8) | (op))
+
+@@ -57,6 +58,10 @@ struct virtio_crypto_ctrl_header {
+ VIRTIO_CRYPTO_OPCODE(VIRTIO_CRYPTO_SERVICE_AEAD, 0x02)
+ #define VIRTIO_CRYPTO_AEAD_DESTROY_SESSION \
+ VIRTIO_CRYPTO_OPCODE(VIRTIO_CRYPTO_SERVICE_AEAD, 0x03)
++#define VIRTIO_CRYPTO_AKCIPHER_CREATE_SESSION \
++ VIRTIO_CRYPTO_OPCODE(VIRTIO_CRYPTO_SERVICE_AKCIPHER, 0x04)
++#define VIRTIO_CRYPTO_AKCIPHER_DESTROY_SESSION \
++ VIRTIO_CRYPTO_OPCODE(VIRTIO_CRYPTO_SERVICE_AKCIPHER, 0x05)
+ __le32 opcode;
+ __le32 algo;
+ __le32 flag;
+@@ -180,6 +185,58 @@ struct virtio_crypto_aead_create_session_req {
+ __u8 padding[32];
+ };
+
++struct virtio_crypto_rsa_session_para {
++#define VIRTIO_CRYPTO_RSA_RAW_PADDING 0
++#define VIRTIO_CRYPTO_RSA_PKCS1_PADDING 1
++ __le32 padding_algo;
++
++#define VIRTIO_CRYPTO_RSA_NO_HASH 0
++#define VIRTIO_CRYPTO_RSA_MD2 1
++#define VIRTIO_CRYPTO_RSA_MD3 2
++#define VIRTIO_CRYPTO_RSA_MD4 3
++#define VIRTIO_CRYPTO_RSA_MD5 4
++#define VIRTIO_CRYPTO_RSA_SHA1 5
++#define VIRTIO_CRYPTO_RSA_SHA256 6
++#define VIRTIO_CRYPTO_RSA_SHA384 7
++#define VIRTIO_CRYPTO_RSA_SHA512 8
++#define VIRTIO_CRYPTO_RSA_SHA224 9
++ __le32 hash_algo;
++};
++
++struct virtio_crypto_ecdsa_session_para {
++#define VIRTIO_CRYPTO_CURVE_UNKNOWN 0
++#define VIRTIO_CRYPTO_CURVE_NIST_P192 1
++#define VIRTIO_CRYPTO_CURVE_NIST_P224 2
++#define VIRTIO_CRYPTO_CURVE_NIST_P256 3
++#define VIRTIO_CRYPTO_CURVE_NIST_P384 4
++#define VIRTIO_CRYPTO_CURVE_NIST_P521 5
++ __le32 curve_id;
++ __le32 padding;
++};
++
++struct virtio_crypto_akcipher_session_para {
++#define VIRTIO_CRYPTO_NO_AKCIPHER 0
++#define VIRTIO_CRYPTO_AKCIPHER_RSA 1
++#define VIRTIO_CRYPTO_AKCIPHER_DSA 2
++#define VIRTIO_CRYPTO_AKCIPHER_ECDSA 3
++ __le32 algo;
++
++#define VIRTIO_CRYPTO_AKCIPHER_KEY_TYPE_PUBLIC 1
++#define VIRTIO_CRYPTO_AKCIPHER_KEY_TYPE_PRIVATE 2
++ __le32 keytype;
++ __le32 keylen;
++
++ union {
++ struct virtio_crypto_rsa_session_para rsa;
++ struct virtio_crypto_ecdsa_session_para ecdsa;
++ } u;
++};
++
++struct virtio_crypto_akcipher_create_session_req {
++ struct virtio_crypto_akcipher_session_para para;
++ __u8 padding[36];
++};
++
+ struct virtio_crypto_alg_chain_session_para {
+ #define VIRTIO_CRYPTO_SYM_ALG_CHAIN_ORDER_HASH_THEN_CIPHER 1
+ #define VIRTIO_CRYPTO_SYM_ALG_CHAIN_ORDER_CIPHER_THEN_HASH 2
+@@ -247,6 +304,8 @@ struct virtio_crypto_op_ctrl_req {
+ mac_create_session;
+ struct virtio_crypto_aead_create_session_req
+ aead_create_session;
++ struct virtio_crypto_akcipher_create_session_req
++ akcipher_create_session;
+ struct virtio_crypto_destroy_session_req
+ destroy_session;
+ __u8 padding[56];
+@@ -266,6 +325,14 @@ struct virtio_crypto_op_header {
+ VIRTIO_CRYPTO_OPCODE(VIRTIO_CRYPTO_SERVICE_AEAD, 0x00)
+ #define VIRTIO_CRYPTO_AEAD_DECRYPT \
+ VIRTIO_CRYPTO_OPCODE(VIRTIO_CRYPTO_SERVICE_AEAD, 0x01)
++#define VIRTIO_CRYPTO_AKCIPHER_ENCRYPT \
++ VIRTIO_CRYPTO_OPCODE(VIRTIO_CRYPTO_SERVICE_AKCIPHER, 0x00)
++#define VIRTIO_CRYPTO_AKCIPHER_DECRYPT \
++ VIRTIO_CRYPTO_OPCODE(VIRTIO_CRYPTO_SERVICE_AKCIPHER, 0x01)
++#define VIRTIO_CRYPTO_AKCIPHER_SIGN \
++ VIRTIO_CRYPTO_OPCODE(VIRTIO_CRYPTO_SERVICE_AKCIPHER, 0x02)
++#define VIRTIO_CRYPTO_AKCIPHER_VERIFY \
++ VIRTIO_CRYPTO_OPCODE(VIRTIO_CRYPTO_SERVICE_AKCIPHER, 0x03)
+ __le32 opcode;
+ /* algo should be service-specific algorithms */
+ __le32 algo;
+@@ -390,6 +457,16 @@ struct virtio_crypto_aead_data_req {
+ __u8 padding[32];
+ };
+
++struct virtio_crypto_akcipher_para {
++ __le32 src_data_len;
++ __le32 dst_data_len;
++};
++
++struct virtio_crypto_akcipher_data_req {
++ struct virtio_crypto_akcipher_para para;
++ __u8 padding[40];
++};
++
+ /* The request of the data virtqueue's packet */
+ struct virtio_crypto_op_data_req {
+ struct virtio_crypto_op_header header;
+@@ -399,6 +476,7 @@ struct virtio_crypto_op_data_req {
+ struct virtio_crypto_hash_data_req hash_req;
+ struct virtio_crypto_mac_data_req mac_req;
+ struct virtio_crypto_aead_data_req aead_req;
++ struct virtio_crypto_akcipher_data_req akcipher_req;
+ __u8 padding[48];
+ } u;
+ };
+@@ -409,6 +487,7 @@ struct virtio_crypto_op_data_req {
+ #define VIRTIO_CRYPTO_NOTSUPP 3
+ #define VIRTIO_CRYPTO_INVSESS 4 /* Invalid session id */
+ #define VIRTIO_CRYPTO_NOSPC 5 /* no free session ID */
++#define VIRTIO_CRYPTO_KEY_REJECTED 6 /* Signature verification failed */
+
+ /* The accelerator hardware is ready */
+ #define VIRTIO_CRYPTO_S_HW_READY (1 << 0)
+@@ -439,7 +518,7 @@ struct virtio_crypto_config {
+ __le32 max_cipher_key_len;
+ /* Maximum length of authenticated key */
+ __le32 max_auth_key_len;
+- __le32 reserve;
++ __le32 akcipher_algo;
+ /* Maximum size of each crypto request's content */
+ __le64 max_size;
+ };
+--
+2.43.0
+
--- /dev/null
+From 88130f162ffefd18cbc873394b9978c355e8b558 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 May 2022 21:16:24 +0800
+Subject: virtio-crypto: use private buffer for control request
+
+From: zhenwei pi <pizhenwei@bytedance.com>
+
+[ Upstream commit 0756ad15b1fef287d4d8fa11bc36ea77a5c42e4a ]
+
+Originally, all of the control requests share a single buffer(
+ctrl & input & ctrl_status fields in struct virtio_crypto), this
+allows queue depth 1 only, the performance of control queue gets
+limited by this design.
+
+In this patch, each request allocates request buffer dynamically, and
+free buffer after request, so the scope protected by ctrl_lock also
+get optimized here.
+It's possible to optimize control queue depth in the next step.
+
+A necessary comment is already in code, still describe it again:
+/*
+ * Note: there are padding fields in request, clear them to zero before
+ * sending to host to avoid to divulge any information.
+ * Ex, virtio_crypto_ctrl_request::ctrl::u::destroy_session::padding[48]
+ */
+So use kzalloc to allocate buffer of struct virtio_crypto_ctrl_request.
+
+Potentially dereferencing uninitialized variables:
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Cc: Gonglei <arei.gonglei@huawei.com>
+Reviewed-by: Gonglei <arei.gonglei@huawei.com>
+Signed-off-by: zhenwei pi <pizhenwei@bytedance.com>
+Message-Id: <20220506131627.180784-3-pizhenwei@bytedance.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Stable-dep-of: fed93fb62e05 ("crypto: virtio - Handle dataq logic with tasklet")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../virtio/virtio_crypto_akcipher_algs.c | 57 ++++++++++++-------
+ drivers/crypto/virtio/virtio_crypto_algs.c | 50 ++++++++++------
+ drivers/crypto/virtio/virtio_crypto_common.h | 17 ++++--
+ 3 files changed, 79 insertions(+), 45 deletions(-)
+
+diff --git a/drivers/crypto/virtio/virtio_crypto_akcipher_algs.c b/drivers/crypto/virtio/virtio_crypto_akcipher_algs.c
+index 20901a263fc8..698ea57e2649 100644
+--- a/drivers/crypto/virtio/virtio_crypto_akcipher_algs.c
++++ b/drivers/crypto/virtio/virtio_crypto_akcipher_algs.c
+@@ -108,16 +108,22 @@ static int virtio_crypto_alg_akcipher_init_session(struct virtio_crypto_akcipher
+ unsigned int num_out = 0, num_in = 0;
+ struct virtio_crypto_op_ctrl_req *ctrl;
+ struct virtio_crypto_session_input *input;
++ struct virtio_crypto_ctrl_request *vc_ctrl_req;
+
+ pkey = kmemdup(key, keylen, GFP_ATOMIC);
+ if (!pkey)
+ return -ENOMEM;
+
+- spin_lock(&vcrypto->ctrl_lock);
+- ctrl = &vcrypto->ctrl;
++ vc_ctrl_req = kzalloc(sizeof(*vc_ctrl_req), GFP_KERNEL);
++ if (!vc_ctrl_req) {
++ err = -ENOMEM;
++ goto out;
++ }
++
++ ctrl = &vc_ctrl_req->ctrl;
+ memcpy(&ctrl->header, header, sizeof(ctrl->header));
+ memcpy(&ctrl->u, para, sizeof(ctrl->u));
+- input = &vcrypto->input;
++ input = &vc_ctrl_req->input;
+ input->status = cpu_to_le32(VIRTIO_CRYPTO_ERR);
+
+ sg_init_one(&outhdr_sg, ctrl, sizeof(*ctrl));
+@@ -129,16 +135,22 @@ static int virtio_crypto_alg_akcipher_init_session(struct virtio_crypto_akcipher
+ sg_init_one(&inhdr_sg, input, sizeof(*input));
+ sgs[num_out + num_in++] = &inhdr_sg;
+
++ spin_lock(&vcrypto->ctrl_lock);
+ err = virtqueue_add_sgs(vcrypto->ctrl_vq, sgs, num_out, num_in, vcrypto, GFP_ATOMIC);
+- if (err < 0)
++ if (err < 0) {
++ spin_unlock(&vcrypto->ctrl_lock);
+ goto out;
++ }
+
+ virtqueue_kick(vcrypto->ctrl_vq);
+ while (!virtqueue_get_buf(vcrypto->ctrl_vq, &inlen) &&
+ !virtqueue_is_broken(vcrypto->ctrl_vq))
+ cpu_relax();
++ spin_unlock(&vcrypto->ctrl_lock);
+
+ if (le32_to_cpu(input->status) != VIRTIO_CRYPTO_OK) {
++ pr_err("virtio_crypto: Create session failed status: %u\n",
++ le32_to_cpu(input->status));
+ err = -EINVAL;
+ goto out;
+ }
+@@ -148,13 +160,9 @@ static int virtio_crypto_alg_akcipher_init_session(struct virtio_crypto_akcipher
+ err = 0;
+
+ out:
+- spin_unlock(&vcrypto->ctrl_lock);
++ kfree(vc_ctrl_req);
+ kfree_sensitive(pkey);
+
+- if (err < 0)
+- pr_err("virtio_crypto: Create session failed status: %u\n",
+- le32_to_cpu(input->status));
+-
+ return err;
+ }
+
+@@ -167,15 +175,18 @@ static int virtio_crypto_alg_akcipher_close_session(struct virtio_crypto_akciphe
+ int err;
+ struct virtio_crypto_op_ctrl_req *ctrl;
+ struct virtio_crypto_inhdr *ctrl_status;
++ struct virtio_crypto_ctrl_request *vc_ctrl_req;
+
+- spin_lock(&vcrypto->ctrl_lock);
+- if (!ctx->session_valid) {
+- err = 0;
+- goto out;
+- }
+- ctrl_status = &vcrypto->ctrl_status;
++ if (!ctx->session_valid)
++ return 0;
++
++ vc_ctrl_req = kzalloc(sizeof(*vc_ctrl_req), GFP_KERNEL);
++ if (!vc_ctrl_req)
++ return -ENOMEM;
++
++ ctrl_status = &vc_ctrl_req->ctrl_status;
+ ctrl_status->status = VIRTIO_CRYPTO_ERR;
+- ctrl = &vcrypto->ctrl;
++ ctrl = &vc_ctrl_req->ctrl;
+ ctrl->header.opcode = cpu_to_le32(VIRTIO_CRYPTO_AKCIPHER_DESTROY_SESSION);
+ ctrl->header.queue_id = 0;
+
+@@ -188,16 +199,22 @@ static int virtio_crypto_alg_akcipher_close_session(struct virtio_crypto_akciphe
+ sg_init_one(&inhdr_sg, &ctrl_status->status, sizeof(ctrl_status->status));
+ sgs[num_out + num_in++] = &inhdr_sg;
+
++ spin_lock(&vcrypto->ctrl_lock);
+ err = virtqueue_add_sgs(vcrypto->ctrl_vq, sgs, num_out, num_in, vcrypto, GFP_ATOMIC);
+- if (err < 0)
++ if (err < 0) {
++ spin_unlock(&vcrypto->ctrl_lock);
+ goto out;
++ }
+
+ virtqueue_kick(vcrypto->ctrl_vq);
+ while (!virtqueue_get_buf(vcrypto->ctrl_vq, &inlen) &&
+ !virtqueue_is_broken(vcrypto->ctrl_vq))
+ cpu_relax();
++ spin_unlock(&vcrypto->ctrl_lock);
+
+ if (ctrl_status->status != VIRTIO_CRYPTO_OK) {
++ pr_err("virtio_crypto: Close session failed status: %u, session_id: 0x%llx\n",
++ ctrl_status->status, destroy_session->session_id);
+ err = -EINVAL;
+ goto out;
+ }
+@@ -206,11 +223,7 @@ static int virtio_crypto_alg_akcipher_close_session(struct virtio_crypto_akciphe
+ ctx->session_valid = false;
+
+ out:
+- spin_unlock(&vcrypto->ctrl_lock);
+- if (err < 0) {
+- pr_err("virtio_crypto: Close session failed status: %u, session_id: 0x%llx\n",
+- ctrl_status->status, destroy_session->session_id);
+- }
++ kfree(vc_ctrl_req);
+
+ return err;
+ }
+diff --git a/drivers/crypto/virtio/virtio_crypto_algs.c b/drivers/crypto/virtio/virtio_crypto_algs.c
+index 12e2001235a6..50601398f35c 100644
+--- a/drivers/crypto/virtio/virtio_crypto_algs.c
++++ b/drivers/crypto/virtio/virtio_crypto_algs.c
+@@ -126,6 +126,7 @@ static int virtio_crypto_alg_skcipher_init_session(
+ struct virtio_crypto_op_ctrl_req *ctrl;
+ struct virtio_crypto_session_input *input;
+ struct virtio_crypto_sym_create_session_req *sym_create_session;
++ struct virtio_crypto_ctrl_request *vc_ctrl_req;
+
+ /*
+ * Avoid to do DMA from the stack, switch to using
+@@ -136,15 +137,20 @@ static int virtio_crypto_alg_skcipher_init_session(
+ if (!cipher_key)
+ return -ENOMEM;
+
+- spin_lock(&vcrypto->ctrl_lock);
++ vc_ctrl_req = kzalloc(sizeof(*vc_ctrl_req), GFP_KERNEL);
++ if (!vc_ctrl_req) {
++ err = -ENOMEM;
++ goto out;
++ }
++
+ /* Pad ctrl header */
+- ctrl = &vcrypto->ctrl;
++ ctrl = &vc_ctrl_req->ctrl;
+ ctrl->header.opcode = cpu_to_le32(VIRTIO_CRYPTO_CIPHER_CREATE_SESSION);
+ ctrl->header.algo = cpu_to_le32(alg);
+ /* Set the default dataqueue id to 0 */
+ ctrl->header.queue_id = 0;
+
+- input = &vcrypto->input;
++ input = &vc_ctrl_req->input;
+ input->status = cpu_to_le32(VIRTIO_CRYPTO_ERR);
+ /* Pad cipher's parameters */
+ sym_create_session = &ctrl->u.sym_create_session;
+@@ -164,12 +170,12 @@ static int virtio_crypto_alg_skcipher_init_session(
+ sg_init_one(&inhdr, input, sizeof(*input));
+ sgs[num_out + num_in++] = &inhdr;
+
++ spin_lock(&vcrypto->ctrl_lock);
+ err = virtqueue_add_sgs(vcrypto->ctrl_vq, sgs, num_out,
+ num_in, vcrypto, GFP_ATOMIC);
+ if (err < 0) {
+ spin_unlock(&vcrypto->ctrl_lock);
+- kfree_sensitive(cipher_key);
+- return err;
++ goto out;
+ }
+ virtqueue_kick(vcrypto->ctrl_vq);
+
+@@ -180,13 +186,13 @@ static int virtio_crypto_alg_skcipher_init_session(
+ while (!virtqueue_get_buf(vcrypto->ctrl_vq, &tmp) &&
+ !virtqueue_is_broken(vcrypto->ctrl_vq))
+ cpu_relax();
++ spin_unlock(&vcrypto->ctrl_lock);
+
+ if (le32_to_cpu(input->status) != VIRTIO_CRYPTO_OK) {
+- spin_unlock(&vcrypto->ctrl_lock);
+ pr_err("virtio_crypto: Create session failed status: %u\n",
+ le32_to_cpu(input->status));
+- kfree_sensitive(cipher_key);
+- return -EINVAL;
++ err = -EINVAL;
++ goto out;
+ }
+
+ if (encrypt)
+@@ -194,10 +200,11 @@ static int virtio_crypto_alg_skcipher_init_session(
+ else
+ ctx->dec_sess_info.session_id = le64_to_cpu(input->session_id);
+
+- spin_unlock(&vcrypto->ctrl_lock);
+-
++ err = 0;
++out:
++ kfree(vc_ctrl_req);
+ kfree_sensitive(cipher_key);
+- return 0;
++ return err;
+ }
+
+ static int virtio_crypto_alg_skcipher_close_session(
+@@ -212,12 +219,16 @@ static int virtio_crypto_alg_skcipher_close_session(
+ unsigned int num_out = 0, num_in = 0;
+ struct virtio_crypto_op_ctrl_req *ctrl;
+ struct virtio_crypto_inhdr *ctrl_status;
++ struct virtio_crypto_ctrl_request *vc_ctrl_req;
+
+- spin_lock(&vcrypto->ctrl_lock);
+- ctrl_status = &vcrypto->ctrl_status;
++ vc_ctrl_req = kzalloc(sizeof(*vc_ctrl_req), GFP_KERNEL);
++ if (!vc_ctrl_req)
++ return -ENOMEM;
++
++ ctrl_status = &vc_ctrl_req->ctrl_status;
+ ctrl_status->status = VIRTIO_CRYPTO_ERR;
+ /* Pad ctrl header */
+- ctrl = &vcrypto->ctrl;
++ ctrl = &vc_ctrl_req->ctrl;
+ ctrl->header.opcode = cpu_to_le32(VIRTIO_CRYPTO_CIPHER_DESTROY_SESSION);
+ /* Set the default virtqueue id to 0 */
+ ctrl->header.queue_id = 0;
+@@ -236,28 +247,31 @@ static int virtio_crypto_alg_skcipher_close_session(
+ sg_init_one(&status_sg, &ctrl_status->status, sizeof(ctrl_status->status));
+ sgs[num_out + num_in++] = &status_sg;
+
++ spin_lock(&vcrypto->ctrl_lock);
+ err = virtqueue_add_sgs(vcrypto->ctrl_vq, sgs, num_out,
+ num_in, vcrypto, GFP_ATOMIC);
+ if (err < 0) {
+ spin_unlock(&vcrypto->ctrl_lock);
+- return err;
++ goto out;
+ }
+ virtqueue_kick(vcrypto->ctrl_vq);
+
+ while (!virtqueue_get_buf(vcrypto->ctrl_vq, &tmp) &&
+ !virtqueue_is_broken(vcrypto->ctrl_vq))
+ cpu_relax();
++ spin_unlock(&vcrypto->ctrl_lock);
+
+ if (ctrl_status->status != VIRTIO_CRYPTO_OK) {
+- spin_unlock(&vcrypto->ctrl_lock);
+ pr_err("virtio_crypto: Close session failed status: %u, session_id: 0x%llx\n",
+ ctrl_status->status, destroy_session->session_id);
+
+ return -EINVAL;
+ }
+- spin_unlock(&vcrypto->ctrl_lock);
+
+- return 0;
++ err = 0;
++out:
++ kfree(vc_ctrl_req);
++ return err;
+ }
+
+ static int virtio_crypto_alg_skcipher_init_sessions(
+diff --git a/drivers/crypto/virtio/virtio_crypto_common.h b/drivers/crypto/virtio/virtio_crypto_common.h
+index 214f9a6fcf84..e9ecbda6affe 100644
+--- a/drivers/crypto/virtio/virtio_crypto_common.h
++++ b/drivers/crypto/virtio/virtio_crypto_common.h
+@@ -13,6 +13,7 @@
+ #include <crypto/aead.h>
+ #include <crypto/aes.h>
+ #include <crypto/engine.h>
++#include <uapi/linux/virtio_crypto.h>
+
+
+ /* Internal representation of a data virtqueue */
+@@ -65,11 +66,6 @@ struct virtio_crypto {
+ /* Maximum size of per request */
+ u64 max_size;
+
+- /* Control VQ buffers: protected by the ctrl_lock */
+- struct virtio_crypto_op_ctrl_req ctrl;
+- struct virtio_crypto_session_input input;
+- struct virtio_crypto_inhdr ctrl_status;
+-
+ unsigned long status;
+ atomic_t ref_count;
+ struct list_head list;
+@@ -85,6 +81,17 @@ struct virtio_crypto_sym_session_info {
+ __u64 session_id;
+ };
+
++/*
++ * Note: there are padding fields in request, clear them to zero before
++ * sending to host to avoid to divulge any information.
++ * Ex, virtio_crypto_ctrl_request::ctrl::u::destroy_session::padding[48]
++ */
++struct virtio_crypto_ctrl_request {
++ struct virtio_crypto_op_ctrl_req ctrl;
++ struct virtio_crypto_session_input input;
++ struct virtio_crypto_inhdr ctrl_status;
++};
++
+ struct virtio_crypto_request;
+ typedef void (*virtio_crypto_data_callback)
+ (struct virtio_crypto_request *vc_req, int len);
+--
+2.43.0
+
--- /dev/null
+From 7523651d4f51181d4ce3beae00c3af770779bc58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 May 2022 21:16:25 +0800
+Subject: virtio-crypto: wait ctrl queue instead of busy polling
+
+From: zhenwei pi <pizhenwei@bytedance.com>
+
+[ Upstream commit 977231e8d45657871a86fe3c7bed94921d04e447 ]
+
+Originally, after submitting request into virtio crypto control
+queue, the guest side polls the result from the virt queue. This
+works like following:
+ CPU0 CPU1 ... CPUx CPUy
+ | | | |
+ \ \ / /
+ \--------spin_lock(&vcrypto->ctrl_lock)-------/
+ |
+ virtqueue add & kick
+ |
+ busy poll virtqueue
+ |
+ spin_unlock(&vcrypto->ctrl_lock)
+ ...
+
+There are two problems:
+1, The queue depth is always 1, the performance of a virtio crypto
+ device gets limited. Multi user processes share a single control
+ queue, and hit spin lock race from control queue. Test on Intel
+ Platinum 8260, a single worker gets ~35K/s create/close session
+ operations, and 8 workers get ~40K/s operations with 800% CPU
+ utilization.
+2, The control request is supposed to get handled immediately, but
+ in the current implementation of QEMU(v6.2), the vCPU thread kicks
+ another thread to do this work, the latency also gets unstable.
+ Tracking latency of virtio_crypto_alg_akcipher_close_session in 5s:
+ usecs : count distribution
+ 0 -> 1 : 0 | |
+ 2 -> 3 : 7 | |
+ 4 -> 7 : 72 | |
+ 8 -> 15 : 186485 |************************|
+ 16 -> 31 : 687 | |
+ 32 -> 63 : 5 | |
+ 64 -> 127 : 3 | |
+ 128 -> 255 : 1 | |
+ 256 -> 511 : 0 | |
+ 512 -> 1023 : 0 | |
+ 1024 -> 2047 : 0 | |
+ 2048 -> 4095 : 0 | |
+ 4096 -> 8191 : 0 | |
+ 8192 -> 16383 : 2 | |
+This means that a CPU may hold vcrypto->ctrl_lock as long as 8192~16383us.
+
+To improve the performance of control queue, a request on control queue
+waits completion instead of busy polling to reduce lock racing, and gets
+completed by control queue callback.
+ CPU0 CPU1 ... CPUx CPUy
+ | | | |
+ \ \ / /
+ \--------spin_lock(&vcrypto->ctrl_lock)-------/
+ |
+ virtqueue add & kick
+ |
+ ---------spin_unlock(&vcrypto->ctrl_lock)------
+ / / \ \
+ | | | |
+ wait wait wait wait
+
+Test this patch, the guest side get ~200K/s operations with 300% CPU
+utilization.
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Cc: Gonglei <arei.gonglei@huawei.com>
+Reviewed-by: Gonglei <arei.gonglei@huawei.com>
+Signed-off-by: zhenwei pi <pizhenwei@bytedance.com>
+Message-Id: <20220506131627.180784-4-pizhenwei@bytedance.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Stable-dep-of: fed93fb62e05 ("crypto: virtio - Handle dataq logic with tasklet")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../virtio/virtio_crypto_akcipher_algs.c | 29 ++---------
+ drivers/crypto/virtio/virtio_crypto_algs.c | 34 ++----------
+ drivers/crypto/virtio/virtio_crypto_common.h | 4 ++
+ drivers/crypto/virtio/virtio_crypto_core.c | 52 ++++++++++++++++++-
+ 4 files changed, 64 insertions(+), 55 deletions(-)
+
+diff --git a/drivers/crypto/virtio/virtio_crypto_akcipher_algs.c b/drivers/crypto/virtio/virtio_crypto_akcipher_algs.c
+index 698ea57e2649..382ccec9ab12 100644
+--- a/drivers/crypto/virtio/virtio_crypto_akcipher_algs.c
++++ b/drivers/crypto/virtio/virtio_crypto_akcipher_algs.c
+@@ -103,7 +103,6 @@ static int virtio_crypto_alg_akcipher_init_session(struct virtio_crypto_akcipher
+ struct scatterlist outhdr_sg, key_sg, inhdr_sg, *sgs[3];
+ struct virtio_crypto *vcrypto = ctx->vcrypto;
+ uint8_t *pkey;
+- unsigned int inlen;
+ int err;
+ unsigned int num_out = 0, num_in = 0;
+ struct virtio_crypto_op_ctrl_req *ctrl;
+@@ -135,18 +134,9 @@ static int virtio_crypto_alg_akcipher_init_session(struct virtio_crypto_akcipher
+ sg_init_one(&inhdr_sg, input, sizeof(*input));
+ sgs[num_out + num_in++] = &inhdr_sg;
+
+- spin_lock(&vcrypto->ctrl_lock);
+- err = virtqueue_add_sgs(vcrypto->ctrl_vq, sgs, num_out, num_in, vcrypto, GFP_ATOMIC);
+- if (err < 0) {
+- spin_unlock(&vcrypto->ctrl_lock);
++ err = virtio_crypto_ctrl_vq_request(vcrypto, sgs, num_out, num_in, vc_ctrl_req);
++ if (err < 0)
+ goto out;
+- }
+-
+- virtqueue_kick(vcrypto->ctrl_vq);
+- while (!virtqueue_get_buf(vcrypto->ctrl_vq, &inlen) &&
+- !virtqueue_is_broken(vcrypto->ctrl_vq))
+- cpu_relax();
+- spin_unlock(&vcrypto->ctrl_lock);
+
+ if (le32_to_cpu(input->status) != VIRTIO_CRYPTO_OK) {
+ pr_err("virtio_crypto: Create session failed status: %u\n",
+@@ -171,7 +161,7 @@ static int virtio_crypto_alg_akcipher_close_session(struct virtio_crypto_akciphe
+ struct scatterlist outhdr_sg, inhdr_sg, *sgs[2];
+ struct virtio_crypto_destroy_session_req *destroy_session;
+ struct virtio_crypto *vcrypto = ctx->vcrypto;
+- unsigned int num_out = 0, num_in = 0, inlen;
++ unsigned int num_out = 0, num_in = 0;
+ int err;
+ struct virtio_crypto_op_ctrl_req *ctrl;
+ struct virtio_crypto_inhdr *ctrl_status;
+@@ -199,18 +189,9 @@ static int virtio_crypto_alg_akcipher_close_session(struct virtio_crypto_akciphe
+ sg_init_one(&inhdr_sg, &ctrl_status->status, sizeof(ctrl_status->status));
+ sgs[num_out + num_in++] = &inhdr_sg;
+
+- spin_lock(&vcrypto->ctrl_lock);
+- err = virtqueue_add_sgs(vcrypto->ctrl_vq, sgs, num_out, num_in, vcrypto, GFP_ATOMIC);
+- if (err < 0) {
+- spin_unlock(&vcrypto->ctrl_lock);
++ err = virtio_crypto_ctrl_vq_request(vcrypto, sgs, num_out, num_in, vc_ctrl_req);
++ if (err < 0)
+ goto out;
+- }
+-
+- virtqueue_kick(vcrypto->ctrl_vq);
+- while (!virtqueue_get_buf(vcrypto->ctrl_vq, &inlen) &&
+- !virtqueue_is_broken(vcrypto->ctrl_vq))
+- cpu_relax();
+- spin_unlock(&vcrypto->ctrl_lock);
+
+ if (ctrl_status->status != VIRTIO_CRYPTO_OK) {
+ pr_err("virtio_crypto: Close session failed status: %u, session_id: 0x%llx\n",
+diff --git a/drivers/crypto/virtio/virtio_crypto_algs.c b/drivers/crypto/virtio/virtio_crypto_algs.c
+index 50601398f35c..32c73e7d8243 100644
+--- a/drivers/crypto/virtio/virtio_crypto_algs.c
++++ b/drivers/crypto/virtio/virtio_crypto_algs.c
+@@ -118,7 +118,6 @@ static int virtio_crypto_alg_skcipher_init_session(
+ int encrypt)
+ {
+ struct scatterlist outhdr, key_sg, inhdr, *sgs[3];
+- unsigned int tmp;
+ struct virtio_crypto *vcrypto = ctx->vcrypto;
+ int op = encrypt ? VIRTIO_CRYPTO_OP_ENCRYPT : VIRTIO_CRYPTO_OP_DECRYPT;
+ int err;
+@@ -170,23 +169,9 @@ static int virtio_crypto_alg_skcipher_init_session(
+ sg_init_one(&inhdr, input, sizeof(*input));
+ sgs[num_out + num_in++] = &inhdr;
+
+- spin_lock(&vcrypto->ctrl_lock);
+- err = virtqueue_add_sgs(vcrypto->ctrl_vq, sgs, num_out,
+- num_in, vcrypto, GFP_ATOMIC);
+- if (err < 0) {
+- spin_unlock(&vcrypto->ctrl_lock);
++ err = virtio_crypto_ctrl_vq_request(vcrypto, sgs, num_out, num_in, vc_ctrl_req);
++ if (err < 0)
+ goto out;
+- }
+- virtqueue_kick(vcrypto->ctrl_vq);
+-
+- /*
+- * Trapping into the hypervisor, so the request should be
+- * handled immediately.
+- */
+- while (!virtqueue_get_buf(vcrypto->ctrl_vq, &tmp) &&
+- !virtqueue_is_broken(vcrypto->ctrl_vq))
+- cpu_relax();
+- spin_unlock(&vcrypto->ctrl_lock);
+
+ if (le32_to_cpu(input->status) != VIRTIO_CRYPTO_OK) {
+ pr_err("virtio_crypto: Create session failed status: %u\n",
+@@ -212,7 +197,6 @@ static int virtio_crypto_alg_skcipher_close_session(
+ int encrypt)
+ {
+ struct scatterlist outhdr, status_sg, *sgs[2];
+- unsigned int tmp;
+ struct virtio_crypto_destroy_session_req *destroy_session;
+ struct virtio_crypto *vcrypto = ctx->vcrypto;
+ int err;
+@@ -247,19 +231,9 @@ static int virtio_crypto_alg_skcipher_close_session(
+ sg_init_one(&status_sg, &ctrl_status->status, sizeof(ctrl_status->status));
+ sgs[num_out + num_in++] = &status_sg;
+
+- spin_lock(&vcrypto->ctrl_lock);
+- err = virtqueue_add_sgs(vcrypto->ctrl_vq, sgs, num_out,
+- num_in, vcrypto, GFP_ATOMIC);
+- if (err < 0) {
+- spin_unlock(&vcrypto->ctrl_lock);
++ err = virtio_crypto_ctrl_vq_request(vcrypto, sgs, num_out, num_in, vc_ctrl_req);
++ if (err < 0)
+ goto out;
+- }
+- virtqueue_kick(vcrypto->ctrl_vq);
+-
+- while (!virtqueue_get_buf(vcrypto->ctrl_vq, &tmp) &&
+- !virtqueue_is_broken(vcrypto->ctrl_vq))
+- cpu_relax();
+- spin_unlock(&vcrypto->ctrl_lock);
+
+ if (ctrl_status->status != VIRTIO_CRYPTO_OK) {
+ pr_err("virtio_crypto: Close session failed status: %u, session_id: 0x%llx\n",
+diff --git a/drivers/crypto/virtio/virtio_crypto_common.h b/drivers/crypto/virtio/virtio_crypto_common.h
+index e9ecbda6affe..e0dcb247840a 100644
+--- a/drivers/crypto/virtio/virtio_crypto_common.h
++++ b/drivers/crypto/virtio/virtio_crypto_common.h
+@@ -90,6 +90,7 @@ struct virtio_crypto_ctrl_request {
+ struct virtio_crypto_op_ctrl_req ctrl;
+ struct virtio_crypto_session_input input;
+ struct virtio_crypto_inhdr ctrl_status;
++ struct completion compl;
+ };
+
+ struct virtio_crypto_request;
+@@ -141,5 +142,8 @@ int virtio_crypto_algs_register(struct virtio_crypto *vcrypto);
+ void virtio_crypto_algs_unregister(struct virtio_crypto *vcrypto);
+ int virtio_crypto_akcipher_algs_register(struct virtio_crypto *vcrypto);
+ void virtio_crypto_akcipher_algs_unregister(struct virtio_crypto *vcrypto);
++int virtio_crypto_ctrl_vq_request(struct virtio_crypto *vcrypto, struct scatterlist *sgs[],
++ unsigned int out_sgs, unsigned int in_sgs,
++ struct virtio_crypto_ctrl_request *vc_ctrl_req);
+
+ #endif /* _VIRTIO_CRYPTO_COMMON_H */
+diff --git a/drivers/crypto/virtio/virtio_crypto_core.c b/drivers/crypto/virtio/virtio_crypto_core.c
+index f6eb6d064fbd..94624f469985 100644
+--- a/drivers/crypto/virtio/virtio_crypto_core.c
++++ b/drivers/crypto/virtio/virtio_crypto_core.c
+@@ -22,6 +22,56 @@ virtcrypto_clear_request(struct virtio_crypto_request *vc_req)
+ }
+ }
+
++static void virtio_crypto_ctrlq_callback(struct virtio_crypto_ctrl_request *vc_ctrl_req)
++{
++ complete(&vc_ctrl_req->compl);
++}
++
++static void virtcrypto_ctrlq_callback(struct virtqueue *vq)
++{
++ struct virtio_crypto *vcrypto = vq->vdev->priv;
++ struct virtio_crypto_ctrl_request *vc_ctrl_req;
++ unsigned long flags;
++ unsigned int len;
++
++ spin_lock_irqsave(&vcrypto->ctrl_lock, flags);
++ do {
++ virtqueue_disable_cb(vq);
++ while ((vc_ctrl_req = virtqueue_get_buf(vq, &len)) != NULL) {
++ spin_unlock_irqrestore(&vcrypto->ctrl_lock, flags);
++ virtio_crypto_ctrlq_callback(vc_ctrl_req);
++ spin_lock_irqsave(&vcrypto->ctrl_lock, flags);
++ }
++ if (unlikely(virtqueue_is_broken(vq)))
++ break;
++ } while (!virtqueue_enable_cb(vq));
++ spin_unlock_irqrestore(&vcrypto->ctrl_lock, flags);
++}
++
++int virtio_crypto_ctrl_vq_request(struct virtio_crypto *vcrypto, struct scatterlist *sgs[],
++ unsigned int out_sgs, unsigned int in_sgs,
++ struct virtio_crypto_ctrl_request *vc_ctrl_req)
++{
++ int err;
++ unsigned long flags;
++
++ init_completion(&vc_ctrl_req->compl);
++
++ spin_lock_irqsave(&vcrypto->ctrl_lock, flags);
++ err = virtqueue_add_sgs(vcrypto->ctrl_vq, sgs, out_sgs, in_sgs, vc_ctrl_req, GFP_ATOMIC);
++ if (err < 0) {
++ spin_unlock_irqrestore(&vcrypto->ctrl_lock, flags);
++ return err;
++ }
++
++ virtqueue_kick(vcrypto->ctrl_vq);
++ spin_unlock_irqrestore(&vcrypto->ctrl_lock, flags);
++
++ wait_for_completion(&vc_ctrl_req->compl);
++
++ return 0;
++}
++
+ static void virtcrypto_dataq_callback(struct virtqueue *vq)
+ {
+ struct virtio_crypto *vcrypto = vq->vdev->priv;
+@@ -73,7 +123,7 @@ static int virtcrypto_find_vqs(struct virtio_crypto *vi)
+ goto err_names;
+
+ /* Parameters for control virtqueue */
+- callbacks[total_vqs - 1] = NULL;
++ callbacks[total_vqs - 1] = virtcrypto_ctrlq_callback;
+ names[total_vqs - 1] = "controlq";
+
+ /* Allocate/initialize parameters for data virtqueues */
+--
+2.43.0
+
--- /dev/null
+From b44ee569427a8d13d0c125ba08839286e9195bc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Dec 2023 15:52:28 +0300
+Subject: virtio/vsock: fix logic which reduces credit update messages
+
+From: Arseniy Krasnov <avkrasnov@salutedevices.com>
+
+[ Upstream commit 93b80887668226180ea5f5349cc728ca6dc700ab ]
+
+Add one more condition for sending credit update during dequeue from
+stream socket: when number of bytes in the rx queue is smaller than
+SO_RCVLOWAT value of the socket. This is actual for non-default value
+of SO_RCVLOWAT (e.g. not 1) - idea is to "kick" peer to continue data
+transmission, because we need at least SO_RCVLOWAT bytes in our rx
+queue to wake up user for reading data (in corner case it is also
+possible to stuck both tx and rx sides, this is why 'Fixes' is used).
+
+Fixes: b89d882dc9fc ("vsock/virtio: reduce credit update messages")
+Signed-off-by: Arseniy Krasnov <avkrasnov@salutedevices.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/virtio_transport_common.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
+index 080e8f2bf985..4102689b3348 100644
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -340,6 +340,8 @@ virtio_transport_stream_do_dequeue(struct vsock_sock *vsk,
+ struct virtio_vsock_pkt *pkt;
+ size_t bytes, total = 0;
+ u32 free_space;
++ u32 fwd_cnt_delta;
++ bool low_rx_bytes;
+ int err = -EFAULT;
+
+ spin_lock_bh(&vvs->rx_lock);
+@@ -371,7 +373,10 @@ virtio_transport_stream_do_dequeue(struct vsock_sock *vsk,
+ }
+ }
+
+- free_space = vvs->buf_alloc - (vvs->fwd_cnt - vvs->last_fwd_cnt);
++ fwd_cnt_delta = vvs->fwd_cnt - vvs->last_fwd_cnt;
++ free_space = vvs->buf_alloc - fwd_cnt_delta;
++ low_rx_bytes = (vvs->rx_bytes <
++ sock_rcvlowat(sk_vsock(vsk), 0, INT_MAX));
+
+ spin_unlock_bh(&vvs->rx_lock);
+
+@@ -381,9 +386,11 @@ virtio_transport_stream_do_dequeue(struct vsock_sock *vsk,
+ * too high causes extra messages. Too low causes transmitter
+ * stalls. As stalls are in theory more expensive than extra
+ * messages, we set the limit to a high value. TODO: experiment
+- * with different values.
++ * with different values. Also send credit update message when
++ * number of bytes in rx queue is not enough to wake up reader.
+ */
+- if (free_space < VIRTIO_VSOCK_MAX_PKT_BUF_SIZE) {
++ if (fwd_cnt_delta &&
++ (free_space < VIRTIO_VSOCK_MAX_PKT_BUF_SIZE || low_rx_bytes)) {
+ virtio_transport_send_credit_update(vsk,
+ VIRTIO_VSOCK_TYPE_STREAM,
+ NULL);
+--
+2.43.0
+
--- /dev/null
+From 8d32d45349ac528ce1e25ab8b2b5037f22f76412 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Mar 2022 11:39:14 +0800
+Subject: virtio_crypto: Introduce VIRTIO_CRYPTO_NOSPC
+
+From: zhenwei pi <pizhenwei@bytedance.com>
+
+[ Upstream commit 13d640a3e9a3ac7ec694843d3d3b785e85fb8cb8 ]
+
+Base on the lastest virtio crypto spec, define VIRTIO_CRYPTO_NOSPC.
+
+Reviewed-by: Gonglei <arei.gonglei@huawei.com>
+Signed-off-by: zhenwei pi <pizhenwei@bytedance.com>
+Link: https://lore.kernel.org/r/20220302033917.1295334-2-pizhenwei@bytedance.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Stable-dep-of: fed93fb62e05 ("crypto: virtio - Handle dataq logic with tasklet")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/virtio_crypto.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/uapi/linux/virtio_crypto.h b/include/uapi/linux/virtio_crypto.h
+index a03932f10565..1166a49084b0 100644
+--- a/include/uapi/linux/virtio_crypto.h
++++ b/include/uapi/linux/virtio_crypto.h
+@@ -408,6 +408,7 @@ struct virtio_crypto_op_data_req {
+ #define VIRTIO_CRYPTO_BADMSG 2
+ #define VIRTIO_CRYPTO_NOTSUPP 3
+ #define VIRTIO_CRYPTO_INVSESS 4 /* Invalid session id */
++#define VIRTIO_CRYPTO_NOSPC 5 /* no free session ID */
+
+ /* The accelerator hardware is ready */
+ #define VIRTIO_CRYPTO_S_HW_READY (1 << 0)
+--
+2.43.0
+
--- /dev/null
+From 8f9ed4aa9ba164f030e4c822a993f9099536f02b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Nov 2023 18:32:51 +0100
+Subject: watchdog: bcm2835_wdt: Fix WDIOC_SETTIMEOUT handling
+
+From: Stefan Wahren <wahrenst@gmx.net>
+
+[ Upstream commit f33f5b1fd1be5f5106d16f831309648cb0f1c31d ]
+
+Users report about the unexpected behavior for setting timeouts above
+15 sec on Raspberry Pi. According to watchdog-api.rst the ioctl
+WDIOC_SETTIMEOUT shouldn't fail because of hardware limitations.
+But looking at the code shows that max_timeout based on the
+register value PM_WDOG_TIME_SET, which is the maximum.
+
+Since 664a39236e71 ("watchdog: Introduce hardware maximum heartbeat
+in watchdog core") the watchdog core is able to handle this problem.
+
+This fix has been tested with watchdog-test from selftests.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217374
+Fixes: 664a39236e71 ("watchdog: Introduce hardware maximum heartbeat in watchdog core")
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20231112173251.4827-1-wahrenst@gmx.net
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/bcm2835_wdt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/watchdog/bcm2835_wdt.c b/drivers/watchdog/bcm2835_wdt.c
+index dec6ca019bea..3a8dec05b591 100644
+--- a/drivers/watchdog/bcm2835_wdt.c
++++ b/drivers/watchdog/bcm2835_wdt.c
+@@ -42,6 +42,7 @@
+
+ #define SECS_TO_WDOG_TICKS(x) ((x) << 16)
+ #define WDOG_TICKS_TO_SECS(x) ((x) >> 16)
++#define WDOG_TICKS_TO_MSECS(x) ((x) * 1000 >> 16)
+
+ struct bcm2835_wdt {
+ void __iomem *base;
+@@ -140,7 +141,7 @@ static struct watchdog_device bcm2835_wdt_wdd = {
+ .info = &bcm2835_wdt_info,
+ .ops = &bcm2835_wdt_ops,
+ .min_timeout = 1,
+- .max_timeout = WDOG_TICKS_TO_SECS(PM_WDOG_TIME_SET),
++ .max_hw_heartbeat_ms = WDOG_TICKS_TO_MSECS(PM_WDOG_TIME_SET),
+ .timeout = WDOG_TICKS_TO_SECS(PM_WDOG_TIME_SET),
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 3b13fffec7931890b7768f83da1ab0d4e6ac30fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Dec 2023 14:53:38 -0700
+Subject: watchdog/hpwdt: Only claim UNKNOWN NMI if from iLO
+
+From: Jerry Hoemann <jerry.hoemann@hpe.com>
+
+[ Upstream commit dced0b3e51dd2af3730efe14dd86b5e3173f0a65 ]
+
+Avoid unnecessary crashes by claiming only NMIs that are due to
+ERROR signalling or generated by the hpwdt hardware device.
+
+The code does this, but only for iLO5.
+
+The intent was to preserve legacy, Gen9 and earlier, semantics of
+using hpwdt for error containtment as hardware/firmware would signal
+fatal IO errors as an NMI with the expectation of hpwdt crashing
+the system. Howerver, these IO errors should be received by hpwdt
+as an NMI_IO_CHECK. So the test is overly permissive and should
+not be limited to only ilo5.
+
+We need to enable this protection for future iLOs not matching the
+current PCI IDs.
+
+Fixes: 62290a5c194b ("watchdog: hpwdt: Claim NMIs generated by iLO5")
+Signed-off-by: Jerry Hoemann <jerry.hoemann@hpe.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20231213215340.495734-2-jerry.hoemann@hpe.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/hpwdt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/watchdog/hpwdt.c b/drivers/watchdog/hpwdt.c
+index 7d34bcf1c45b..53573c3ddd1a 100644
+--- a/drivers/watchdog/hpwdt.c
++++ b/drivers/watchdog/hpwdt.c
+@@ -174,7 +174,7 @@ static int hpwdt_pretimeout(unsigned int ulReason, struct pt_regs *regs)
+ "3. OA Forward Progress Log\n"
+ "4. iLO Event Log";
+
+- if (ilo5 && ulReason == NMI_UNKNOWN && !mynmi)
++ if (ulReason == NMI_UNKNOWN && !mynmi)
+ return NMI_DONE;
+
+ if (ilo5 && !pretimeout && !mynmi)
+--
+2.43.0
+
--- /dev/null
+From 6926c4e37cd17b0efe4d9efeb1c67a6051baa468 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Dec 2023 19:31:10 +0530
+Subject: watchdog: rti_wdt: Drop runtime pm reference count when watchdog is
+ unused
+
+From: Vignesh Raghavendra <vigneshr@ti.com>
+
+[ Upstream commit c1a6edf3b541e44e78f10bc6024df779715723f1 ]
+
+Call runtime_pm_put*() if watchdog is not already started during probe and re
+enable it in watchdog start as required.
+
+On K3 SoCs, watchdogs and their corresponding CPUs are under same
+power-domain, so if the reference count of unused watchdogs aren't
+dropped, it will lead to CPU hotplug failures as Device Management
+firmware won't allow to turn off the power-domain due to dangling
+reference count.
+
+Fixes: 2d63908bdbfb ("watchdog: Add K3 RTI watchdog support")
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Tested-by: Manorit Chawdhry <m-chawdhry@ti.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20231213140110.938129-1-vigneshr@ti.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/rti_wdt.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/watchdog/rti_wdt.c b/drivers/watchdog/rti_wdt.c
+index 46c2a4bd9ebe..daa00f3c5a6a 100644
+--- a/drivers/watchdog/rti_wdt.c
++++ b/drivers/watchdog/rti_wdt.c
+@@ -70,6 +70,11 @@ static int rti_wdt_start(struct watchdog_device *wdd)
+ {
+ u32 timer_margin;
+ struct rti_wdt_device *wdt = watchdog_get_drvdata(wdd);
++ int ret;
++
++ ret = pm_runtime_resume_and_get(wdd->parent);
++ if (ret)
++ return ret;
+
+ /* set timeout period */
+ timer_margin = (u64)wdd->timeout * wdt->freq;
+@@ -296,6 +301,9 @@ static int rti_wdt_probe(struct platform_device *pdev)
+ if (last_ping)
+ watchdog_set_last_hw_keepalive(wdd, last_ping);
+
++ if (!watchdog_hw_running(wdd))
++ pm_runtime_put_sync(&pdev->dev);
++
+ return 0;
+
+ err_iomap:
+@@ -310,7 +318,10 @@ static int rti_wdt_remove(struct platform_device *pdev)
+ struct rti_wdt_device *wdt = platform_get_drvdata(pdev);
+
+ watchdog_unregister_device(&wdt->wdd);
+- pm_runtime_put(&pdev->dev);
++
++ if (!pm_runtime_suspended(&pdev->dev))
++ pm_runtime_put(&pdev->dev);
++
+ pm_runtime_disable(&pdev->dev);
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 4461a80c254371c64f5c5737ee372c466f2e59d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Dec 2023 11:05:22 -0800
+Subject: watchdog: set cdev owner before adding
+
+From: Curtis Klein <curtis.klein@hpe.com>
+
+[ Upstream commit 38d75297745f04206db9c29bdd75557f0344c7cc ]
+
+When the new watchdog character device is registered, it becomes
+available for opening. This creates a race where userspace may open the
+device before the character device's owner is set. This results in an
+imbalance in module_get calls as the cdev_get in cdev_open will not
+increment the reference count on the watchdog driver module.
+
+This causes problems when the watchdog character device is released as
+the module loader's reference will also be released. This makes it
+impossible to open the watchdog device later on as it now appears that
+the module is being unloaded. The open will fail with -ENXIO from
+chrdev_open.
+
+The legacy watchdog device will fail with -EBUSY from the try_module_get
+in watchdog_open because it's module owner is the watchdog core module
+so it can still be opened but it will fail to get a refcount on the
+underlying watchdog device driver.
+
+Fixes: 72139dfa2464 ("watchdog: Fix the race between the release of watchdog_core_data and cdev")
+Signed-off-by: Curtis Klein <curtis.klein@hpe.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20231205190522.55153-1-curtis.klein@hpe.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/watchdog_dev.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c
+index f37255cd75fd..24d0470af81c 100644
+--- a/drivers/watchdog/watchdog_dev.c
++++ b/drivers/watchdog/watchdog_dev.c
+@@ -1028,6 +1028,7 @@ static int watchdog_cdev_register(struct watchdog_device *wdd)
+
+ /* Fill in the data structures */
+ cdev_init(&wd_data->cdev, &watchdog_fops);
++ wd_data->cdev.owner = wdd->ops->owner;
+
+ /* Add the device */
+ err = cdev_device_add(&wd_data->cdev, &wd_data->dev);
+@@ -1042,8 +1043,6 @@ static int watchdog_cdev_register(struct watchdog_device *wdd)
+ return err;
+ }
+
+- wd_data->cdev.owner = wdd->ops->owner;
+-
+ /* Record time of most recent heartbeat as 'just before now'. */
+ wd_data->last_hw_keepalive = ktime_sub(ktime_get(), 1);
+ watchdog_set_open_deadline(wd_data);
+--
+2.43.0
+
--- /dev/null
+From 8c0e8fae48e27b35b857221d982c1c127c02e470 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Oct 2023 08:57:18 +0200
+Subject: wifi: ath11k: Defer on rproc_get failure
+
+From: Luca Weiss <luca.weiss@fairphone.com>
+
+[ Upstream commit 2a3ec40b98b46c339adb57313d3b933ee5e7a8e8 ]
+
+If we already have gotten the rproc_handle (meaning the "qcom,rproc"
+property is defined in the devicetree), it's a valid state that the
+remoteproc module hasn't probed yet so we should defer probing instead
+of just failing to probe.
+
+This resolves a race condition when the ath11k driver probes and fails
+before the wpss remoteproc driver has probed, like the following:
+
+ [ 6.232360] ath11k 17a10040.wifi: failed to get rproc
+ [ 6.232366] ath11k 17a10040.wifi: failed to get rproc: -22
+ [ 6.232478] ath11k: probe of 17a10040.wifi failed with error -22
+ ...
+ [ 6.252415] remoteproc remoteproc2: 8a00000.remoteproc is available
+ [ 6.252776] remoteproc remoteproc2: powering up 8a00000.remoteproc
+ [ 6.252781] remoteproc remoteproc2: Booting fw image qcom/qcm6490/fairphone5/wpss.mdt, size 7188
+
+So, defer the probe if we hit that so we can retry later once the wpss
+remoteproc is available.
+
+Tested-on: WCN6750 hw1.0 AHB WLAN.MSL.1.0.1-01264-QCAMSLSWPLZ-1.37886.3
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20231027-ath11k-rproc-defer-v1-1-f6b6a812cd18@fairphone.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/ahb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/ahb.c b/drivers/net/wireless/ath/ath11k/ahb.c
+index 190bc5712e96..24006ddfba89 100644
+--- a/drivers/net/wireless/ath/ath11k/ahb.c
++++ b/drivers/net/wireless/ath/ath11k/ahb.c
+@@ -625,8 +625,8 @@ static int ath11k_core_get_rproc(struct ath11k_base *ab)
+
+ prproc = rproc_get_by_phandle(rproc_phandle);
+ if (!prproc) {
+- ath11k_err(ab, "failed to get rproc\n");
+- return -EINVAL;
++ ath11k_dbg(ab, ATH11K_DBG_AHB, "failed to get rproc, deferring\n");
++ return -EPROBE_DEFER;
+ }
+ ab_ahb->tgt_rproc = prproc;
+
+--
+2.43.0
+
--- /dev/null
+From 6dd690d3b8020a4645dede6873ad73ec99b70914 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Nov 2023 16:34:03 +0100
+Subject: wifi: libertas: stop selecting wext
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 8170b04c2c92eee52ea50b96db4c54662197e512 ]
+
+Libertas no longer references the iw_handler infrastructure or wext_spy,
+so neither of the 'select' statements are used any more.
+
+Fixes: e86dc1ca4676 ("Libertas: cfg80211 support")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20231108153409.1065286-1-arnd@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/libertas/Kconfig | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/libertas/Kconfig b/drivers/net/wireless/marvell/libertas/Kconfig
+index 6d62ab49aa8d..c7d02adb3eea 100644
+--- a/drivers/net/wireless/marvell/libertas/Kconfig
++++ b/drivers/net/wireless/marvell/libertas/Kconfig
+@@ -2,8 +2,6 @@
+ config LIBERTAS
+ tristate "Marvell 8xxx Libertas WLAN driver support"
+ depends on CFG80211
+- select WIRELESS_EXT
+- select WEXT_SPY
+ select LIB80211
+ select FW_LOADER
+ help
+--
+2.43.0
+
--- /dev/null
+From fe77939f82f119749a4de8bb03f4c8cc255a60e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Dec 2023 14:57:29 +0800
+Subject: wifi: rtlwifi: add calculate_bit_shift()
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit 52221dfddbbfb5b4e029bb2efe9bb7da33ec1e46 ]
+
+There are many same functions like _rtl88e_phy_calculate_bit_shift(),
+_rtl92c_phy_calculate_bit_shift() and so on. And these functions can
+cause undefined bitwise shift behavior. Add calculate_bit_shift() to
+replace them and fix undefined behavior in subsequent patches.
+
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://msgid.link/20231219065739.1895666-2-suhui@nfschina.com
+Stable-dep-of: 969bc926f04b ("wifi: rtlwifi: rtl8188ee: phy: using calculate_bit_shift()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/wifi.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/wifi.h b/drivers/net/wireless/realtek/rtlwifi/wifi.h
+index fdccfd29fd61..a89e232d6963 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h
++++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h
+@@ -3111,4 +3111,11 @@ static inline struct ieee80211_sta *rtl_find_sta(struct ieee80211_hw *hw,
+ return ieee80211_find_sta(mac->vif, mac_addr);
+ }
+
++static inline u32 calculate_bit_shift(u32 bitmask)
++{
++ if (WARN_ON_ONCE(!bitmask))
++ return 0;
++
++ return __ffs(bitmask);
++}
+ #endif
+--
+2.43.0
+
--- /dev/null
+From 4be4b555b8df5e08ac9bca7c39411b171e28a48e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Dec 2023 14:57:31 +0800
+Subject: wifi: rtlwifi: rtl8188ee: phy: using calculate_bit_shift()
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit 969bc926f04b438676768aeffffffb050e480b62 ]
+
+Using calculate_bit_shift() to replace _rtl88e_phy_calculate_bit_shift().
+And fix the undefined bitwise shift behavior problem.
+
+Fixes: f0eb856e0b6c ("rtlwifi: rtl8188ee: Add new driver")
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://msgid.link/20231219065739.1895666-4-suhui@nfschina.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/realtek/rtlwifi/rtl8188ee/phy.c | 14 ++++----------
+ 1 file changed, 4 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/phy.c
+index 9be032e8ec95..3395601eaa59 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/phy.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/phy.c
+@@ -16,12 +16,6 @@ static u32 _rtl88e_phy_rf_serial_read(struct ieee80211_hw *hw,
+ static void _rtl88e_phy_rf_serial_write(struct ieee80211_hw *hw,
+ enum radio_path rfpath, u32 offset,
+ u32 data);
+-static u32 _rtl88e_phy_calculate_bit_shift(u32 bitmask)
+-{
+- u32 i = ffs(bitmask);
+-
+- return i ? i - 1 : 32;
+-}
+ static bool _rtl88e_phy_bb8188e_config_parafile(struct ieee80211_hw *hw);
+ static bool _rtl88e_phy_config_mac_with_headerfile(struct ieee80211_hw *hw);
+ static bool phy_config_bb_with_headerfile(struct ieee80211_hw *hw,
+@@ -51,7 +45,7 @@ u32 rtl88e_phy_query_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask)
+ rtl_dbg(rtlpriv, COMP_RF, DBG_TRACE,
+ "regaddr(%#x), bitmask(%#x)\n", regaddr, bitmask);
+ originalvalue = rtl_read_dword(rtlpriv, regaddr);
+- bitshift = _rtl88e_phy_calculate_bit_shift(bitmask);
++ bitshift = calculate_bit_shift(bitmask);
+ returnvalue = (originalvalue & bitmask) >> bitshift;
+
+ rtl_dbg(rtlpriv, COMP_RF, DBG_TRACE,
+@@ -74,7 +68,7 @@ void rtl88e_phy_set_bb_reg(struct ieee80211_hw *hw,
+
+ if (bitmask != MASKDWORD) {
+ originalvalue = rtl_read_dword(rtlpriv, regaddr);
+- bitshift = _rtl88e_phy_calculate_bit_shift(bitmask);
++ bitshift = calculate_bit_shift(bitmask);
+ data = ((originalvalue & (~bitmask)) | (data << bitshift));
+ }
+
+@@ -99,7 +93,7 @@ u32 rtl88e_phy_query_rf_reg(struct ieee80211_hw *hw,
+
+
+ original_value = _rtl88e_phy_rf_serial_read(hw, rfpath, regaddr);
+- bitshift = _rtl88e_phy_calculate_bit_shift(bitmask);
++ bitshift = calculate_bit_shift(bitmask);
+ readback_value = (original_value & bitmask) >> bitshift;
+
+ spin_unlock(&rtlpriv->locks.rf_lock);
+@@ -127,7 +121,7 @@ void rtl88e_phy_set_rf_reg(struct ieee80211_hw *hw,
+ original_value = _rtl88e_phy_rf_serial_read(hw,
+ rfpath,
+ regaddr);
+- bitshift = _rtl88e_phy_calculate_bit_shift(bitmask);
++ bitshift = calculate_bit_shift(bitmask);
+ data =
+ ((original_value & (~bitmask)) |
+ (data << bitshift));
+--
+2.43.0
+
--- /dev/null
+From b51ee3fb4415b3f330d076a11c3f1728e3a5f601 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Dec 2023 14:57:32 +0800
+Subject: wifi: rtlwifi: rtl8192c: using calculate_bit_shift()
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit 1dedc3a6699d827d345019e921b8d8f37f694333 ]
+
+Using calculate_bit_shift() to replace _rtl92c_phy_calculate_bit_shift().
+And fix the undefined bitwise shift behavior problem.
+
+Fixes: 4295cd254af3 ("rtlwifi: Move common parts of rtl8192ce/phy.c")
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://msgid.link/20231219065739.1895666-5-suhui@nfschina.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../wireless/realtek/rtlwifi/rtl8192c/phy_common.c | 12 ++----------
+ .../wireless/realtek/rtlwifi/rtl8192c/phy_common.h | 1 -
+ 2 files changed, 2 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.c
+index 3d29c8dbb255..144ee780e1b6 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.c
+@@ -17,7 +17,7 @@ u32 rtl92c_phy_query_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask)
+ rtl_dbg(rtlpriv, COMP_RF, DBG_TRACE, "regaddr(%#x), bitmask(%#x)\n",
+ regaddr, bitmask);
+ originalvalue = rtl_read_dword(rtlpriv, regaddr);
+- bitshift = _rtl92c_phy_calculate_bit_shift(bitmask);
++ bitshift = calculate_bit_shift(bitmask);
+ returnvalue = (originalvalue & bitmask) >> bitshift;
+
+ rtl_dbg(rtlpriv, COMP_RF, DBG_TRACE,
+@@ -40,7 +40,7 @@ void rtl92c_phy_set_bb_reg(struct ieee80211_hw *hw,
+
+ if (bitmask != MASKDWORD) {
+ originalvalue = rtl_read_dword(rtlpriv, regaddr);
+- bitshift = _rtl92c_phy_calculate_bit_shift(bitmask);
++ bitshift = calculate_bit_shift(bitmask);
+ data = ((originalvalue & (~bitmask)) | (data << bitshift));
+ }
+
+@@ -143,14 +143,6 @@ void _rtl92c_phy_rf_serial_write(struct ieee80211_hw *hw,
+ }
+ EXPORT_SYMBOL(_rtl92c_phy_rf_serial_write);
+
+-u32 _rtl92c_phy_calculate_bit_shift(u32 bitmask)
+-{
+- u32 i = ffs(bitmask);
+-
+- return i ? i - 1 : 32;
+-}
+-EXPORT_SYMBOL(_rtl92c_phy_calculate_bit_shift);
+-
+ static void _rtl92c_phy_bb_config_1t(struct ieee80211_hw *hw)
+ {
+ rtl_set_bbreg(hw, RFPGA0_TXINFO, 0x3, 0x2);
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.h b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.h
+index 75afa6253ad0..e64d377dfe9e 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.h
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/phy_common.h
+@@ -196,7 +196,6 @@ bool rtl92c_phy_set_rf_power_state(struct ieee80211_hw *hw,
+ void rtl92ce_phy_set_rf_on(struct ieee80211_hw *hw);
+ void rtl92c_phy_set_io(struct ieee80211_hw *hw);
+ void rtl92c_bb_block_on(struct ieee80211_hw *hw);
+-u32 _rtl92c_phy_calculate_bit_shift(u32 bitmask);
+ long _rtl92c_phy_txpwr_idx_to_dbm(struct ieee80211_hw *hw,
+ enum wireless_mode wirelessmode,
+ u8 txpwridx);
+--
+2.43.0
+
--- /dev/null
+From 45db9c2e481b7dd3ec50f60e00eb7386ead17c0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Dec 2023 14:57:34 +0800
+Subject: wifi: rtlwifi: rtl8192ce: using calculate_bit_shift()
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit 3d03e8231031bcc65a48cd88ef9c71b6524ce70b ]
+
+Using calculate_bit_shift() to replace _rtl92c_phy_calculate_bit_shift().
+And fix the undefined bitwise shift behavior problem.
+
+Fixes: 0c8173385e54 ("rtl8192ce: Add new driver")
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://msgid.link/20231219065739.1895666-7-suhui@nfschina.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.c | 6 +++---
+ drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.h | 1 -
+ 2 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.c
+index 04735da11168..6b98e77768e9 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.c
+@@ -39,7 +39,7 @@ u32 rtl92c_phy_query_rf_reg(struct ieee80211_hw *hw,
+ rfpath, regaddr);
+ }
+
+- bitshift = _rtl92c_phy_calculate_bit_shift(bitmask);
++ bitshift = calculate_bit_shift(bitmask);
+ readback_value = (original_value & bitmask) >> bitshift;
+
+ spin_unlock(&rtlpriv->locks.rf_lock);
+@@ -110,7 +110,7 @@ void rtl92ce_phy_set_rf_reg(struct ieee80211_hw *hw,
+ original_value = _rtl92c_phy_rf_serial_read(hw,
+ rfpath,
+ regaddr);
+- bitshift = _rtl92c_phy_calculate_bit_shift(bitmask);
++ bitshift = calculate_bit_shift(bitmask);
+ data =
+ ((original_value & (~bitmask)) |
+ (data << bitshift));
+@@ -122,7 +122,7 @@ void rtl92ce_phy_set_rf_reg(struct ieee80211_hw *hw,
+ original_value = _rtl92c_phy_fw_rf_serial_read(hw,
+ rfpath,
+ regaddr);
+- bitshift = _rtl92c_phy_calculate_bit_shift(bitmask);
++ bitshift = calculate_bit_shift(bitmask);
+ data =
+ ((original_value & (~bitmask)) |
+ (data << bitshift));
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.h b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.h
+index 7582a162bd11..c7a0d4c776f0 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.h
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/phy.h
+@@ -94,7 +94,6 @@ u32 _rtl92c_phy_rf_serial_read(struct ieee80211_hw *hw, enum radio_path rfpath,
+ u32 offset);
+ u32 _rtl92c_phy_fw_rf_serial_read(struct ieee80211_hw *hw,
+ enum radio_path rfpath, u32 offset);
+-u32 _rtl92c_phy_calculate_bit_shift(u32 bitmask);
+ void _rtl92c_phy_rf_serial_write(struct ieee80211_hw *hw,
+ enum radio_path rfpath, u32 offset, u32 data);
+ void _rtl92c_phy_fw_rf_serial_write(struct ieee80211_hw *hw,
+--
+2.43.0
+
--- /dev/null
+From c0fd509b4f9cdc1e1b9930579319d89e514a46e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Dec 2023 14:57:33 +0800
+Subject: wifi: rtlwifi: rtl8192cu: using calculate_bit_shift()
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit f4088c8fcbabadad9dd17d17ae9ba24e9e3221ec ]
+
+Using calculate_bit_shift() to replace _rtl92c_phy_calculate_bit_shift().
+And fix an undefined bitwise shift behavior problem.
+
+Fixes: f0a39ae738d6 ("rtlwifi: rtl8192cu: Add routine phy")
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://msgid.link/20231219065739.1895666-6-suhui@nfschina.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8192cu/phy.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/phy.c
+index a8d9fe269f31..0b8cb7e61fd8 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/phy.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/phy.c
+@@ -32,7 +32,7 @@ u32 rtl92cu_phy_query_rf_reg(struct ieee80211_hw *hw,
+ original_value = _rtl92c_phy_fw_rf_serial_read(hw,
+ rfpath, regaddr);
+ }
+- bitshift = _rtl92c_phy_calculate_bit_shift(bitmask);
++ bitshift = calculate_bit_shift(bitmask);
+ readback_value = (original_value & bitmask) >> bitshift;
+ rtl_dbg(rtlpriv, COMP_RF, DBG_TRACE,
+ "regaddr(%#x), rfpath(%#x), bitmask(%#x), original_value(%#x)\n",
+@@ -56,7 +56,7 @@ void rtl92cu_phy_set_rf_reg(struct ieee80211_hw *hw,
+ original_value = _rtl92c_phy_rf_serial_read(hw,
+ rfpath,
+ regaddr);
+- bitshift = _rtl92c_phy_calculate_bit_shift(bitmask);
++ bitshift = calculate_bit_shift(bitmask);
+ data =
+ ((original_value & (~bitmask)) |
+ (data << bitshift));
+@@ -67,7 +67,7 @@ void rtl92cu_phy_set_rf_reg(struct ieee80211_hw *hw,
+ original_value = _rtl92c_phy_fw_rf_serial_read(hw,
+ rfpath,
+ regaddr);
+- bitshift = _rtl92c_phy_calculate_bit_shift(bitmask);
++ bitshift = calculate_bit_shift(bitmask);
+ data =
+ ((original_value & (~bitmask)) |
+ (data << bitshift));
+--
+2.43.0
+
--- /dev/null
+From 3898bbea183b50f454c4bfd1204e5e5a41a3f9e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Dec 2023 14:57:35 +0800
+Subject: wifi: rtlwifi: rtl8192de: using calculate_bit_shift()
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit b8b2baad2e652042cf8b6339939ac2f4e6f53de4 ]
+
+Using calculate_bit_shift() to replace _rtl92d_phy_calculate_bit_shift().
+And fix the undefined bitwise shift behavior problem.
+
+Fixes: 7274a8c22980 ("rtlwifi: rtl8192de: Merge phy routines")
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://msgid.link/20231219065739.1895666-8-suhui@nfschina.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/realtek/rtlwifi/rtl8192de/phy.c | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c
+index f0692d67b300..af0c7d74b3f5 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c
+@@ -169,13 +169,6 @@ static const u8 channel_all[59] = {
+ 157, 159, 161, 163, 165
+ };
+
+-static u32 _rtl92d_phy_calculate_bit_shift(u32 bitmask)
+-{
+- u32 i = ffs(bitmask);
+-
+- return i ? i - 1 : 32;
+-}
+-
+ u32 rtl92d_phy_query_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask)
+ {
+ struct rtl_priv *rtlpriv = rtl_priv(hw);
+@@ -198,7 +191,7 @@ u32 rtl92d_phy_query_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask)
+ } else {
+ originalvalue = rtl_read_dword(rtlpriv, regaddr);
+ }
+- bitshift = _rtl92d_phy_calculate_bit_shift(bitmask);
++ bitshift = calculate_bit_shift(bitmask);
+ returnvalue = (originalvalue & bitmask) >> bitshift;
+ rtl_dbg(rtlpriv, COMP_RF, DBG_TRACE,
+ "BBR MASK=0x%x Addr[0x%x]=0x%x\n",
+@@ -230,7 +223,7 @@ void rtl92d_phy_set_bb_reg(struct ieee80211_hw *hw,
+ dbi_direct);
+ else
+ originalvalue = rtl_read_dword(rtlpriv, regaddr);
+- bitshift = _rtl92d_phy_calculate_bit_shift(bitmask);
++ bitshift = calculate_bit_shift(bitmask);
+ data = ((originalvalue & (~bitmask)) | (data << bitshift));
+ }
+ if (rtlhal->during_mac1init_radioa || rtlhal->during_mac0init_radiob)
+@@ -317,7 +310,7 @@ u32 rtl92d_phy_query_rf_reg(struct ieee80211_hw *hw,
+ regaddr, rfpath, bitmask);
+ spin_lock(&rtlpriv->locks.rf_lock);
+ original_value = _rtl92d_phy_rf_serial_read(hw, rfpath, regaddr);
+- bitshift = _rtl92d_phy_calculate_bit_shift(bitmask);
++ bitshift = calculate_bit_shift(bitmask);
+ readback_value = (original_value & bitmask) >> bitshift;
+ spin_unlock(&rtlpriv->locks.rf_lock);
+ rtl_dbg(rtlpriv, COMP_RF, DBG_TRACE,
+@@ -343,7 +336,7 @@ void rtl92d_phy_set_rf_reg(struct ieee80211_hw *hw, enum radio_path rfpath,
+ if (bitmask != RFREG_OFFSET_MASK) {
+ original_value = _rtl92d_phy_rf_serial_read(hw,
+ rfpath, regaddr);
+- bitshift = _rtl92d_phy_calculate_bit_shift(bitmask);
++ bitshift = calculate_bit_shift(bitmask);
+ data = ((original_value & (~bitmask)) |
+ (data << bitshift));
+ }
+--
+2.43.0
+
--- /dev/null
+From c45a892fdcd32cc0ff140f5949264e4470e85103 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Dec 2023 14:57:36 +0800
+Subject: wifi: rtlwifi: rtl8192ee: using calculate_bit_shift()
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit 63526897fc0d086069bcab67c3a112caaec751cb ]
+
+Using calculate_bit_shift() to replace _rtl92ee_phy_calculate_bit_shift().
+And fix the undefined bitwise shift behavior problem.
+
+Fixes: b1a3bfc97cd9 ("rtlwifi: rtl8192ee: Move driver from staging to the regular tree")
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://msgid.link/20231219065739.1895666-9-suhui@nfschina.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/realtek/rtlwifi/rtl8192ee/phy.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/phy.c
+index cc0bcaf13e96..73ef602bfb01 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/phy.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/phy.c
+@@ -16,7 +16,6 @@ static u32 _rtl92ee_phy_rf_serial_read(struct ieee80211_hw *hw,
+ static void _rtl92ee_phy_rf_serial_write(struct ieee80211_hw *hw,
+ enum radio_path rfpath, u32 offset,
+ u32 data);
+-static u32 _rtl92ee_phy_calculate_bit_shift(u32 bitmask);
+ static bool _rtl92ee_phy_bb8192ee_config_parafile(struct ieee80211_hw *hw);
+ static bool _rtl92ee_phy_config_mac_with_headerfile(struct ieee80211_hw *hw);
+ static bool phy_config_bb_with_hdr_file(struct ieee80211_hw *hw,
+@@ -46,7 +45,7 @@ u32 rtl92ee_phy_query_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask)
+ rtl_dbg(rtlpriv, COMP_RF, DBG_TRACE,
+ "regaddr(%#x), bitmask(%#x)\n", regaddr, bitmask);
+ originalvalue = rtl_read_dword(rtlpriv, regaddr);
+- bitshift = _rtl92ee_phy_calculate_bit_shift(bitmask);
++ bitshift = calculate_bit_shift(bitmask);
+ returnvalue = (originalvalue & bitmask) >> bitshift;
+
+ rtl_dbg(rtlpriv, COMP_RF, DBG_TRACE,
+@@ -68,7 +67,7 @@ void rtl92ee_phy_set_bb_reg(struct ieee80211_hw *hw, u32 regaddr,
+
+ if (bitmask != MASKDWORD) {
+ originalvalue = rtl_read_dword(rtlpriv, regaddr);
+- bitshift = _rtl92ee_phy_calculate_bit_shift(bitmask);
++ bitshift = calculate_bit_shift(bitmask);
+ data = ((originalvalue & (~bitmask)) | (data << bitshift));
+ }
+
+@@ -92,7 +91,7 @@ u32 rtl92ee_phy_query_rf_reg(struct ieee80211_hw *hw,
+ spin_lock(&rtlpriv->locks.rf_lock);
+
+ original_value = _rtl92ee_phy_rf_serial_read(hw , rfpath, regaddr);
+- bitshift = _rtl92ee_phy_calculate_bit_shift(bitmask);
++ bitshift = calculate_bit_shift(bitmask);
+ readback_value = (original_value & bitmask) >> bitshift;
+
+ spin_unlock(&rtlpriv->locks.rf_lock);
+@@ -119,7 +118,7 @@ void rtl92ee_phy_set_rf_reg(struct ieee80211_hw *hw,
+
+ if (bitmask != RFREG_OFFSET_MASK) {
+ original_value = _rtl92ee_phy_rf_serial_read(hw, rfpath, addr);
+- bitshift = _rtl92ee_phy_calculate_bit_shift(bitmask);
++ bitshift = calculate_bit_shift(bitmask);
+ data = (original_value & (~bitmask)) | (data << bitshift);
+ }
+
+@@ -201,13 +200,6 @@ static void _rtl92ee_phy_rf_serial_write(struct ieee80211_hw *hw,
+ pphyreg->rf3wire_offset, data_and_addr);
+ }
+
+-static u32 _rtl92ee_phy_calculate_bit_shift(u32 bitmask)
+-{
+- u32 i = ffs(bitmask);
+-
+- return i ? i - 1 : 32;
+-}
+-
+ bool rtl92ee_phy_mac_config(struct ieee80211_hw *hw)
+ {
+ return _rtl92ee_phy_config_mac_with_headerfile(hw);
+--
+2.43.0
+
--- /dev/null
+From 41a566a611a22446c74c5e8617aa48d68821ef0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Dec 2023 14:57:37 +0800
+Subject: wifi: rtlwifi: rtl8192se: using calculate_bit_shift()
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit ac32b9317063b101a8ff3d3e885f76f87a280419 ]
+
+Using calculate_bit_shift() to replace _rtl92s_phy_calculate_bit_shift().
+And fix the undefined bitwise shift behavior problem.
+
+Fixes: d15853163bea ("rtlwifi: rtl8192se: Merge phy routines")
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://msgid.link/20231219065739.1895666-10-suhui@nfschina.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/realtek/rtlwifi/rtl8192se/phy.c | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192se/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192se/phy.c
+index 63283d9e7485..cd735d61f630 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192se/phy.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192se/phy.c
+@@ -14,13 +14,6 @@
+ #include "hw.h"
+ #include "table.h"
+
+-static u32 _rtl92s_phy_calculate_bit_shift(u32 bitmask)
+-{
+- u32 i = ffs(bitmask);
+-
+- return i ? i - 1 : 32;
+-}
+-
+ u32 rtl92s_phy_query_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask)
+ {
+ struct rtl_priv *rtlpriv = rtl_priv(hw);
+@@ -30,7 +23,7 @@ u32 rtl92s_phy_query_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask)
+ regaddr, bitmask);
+
+ originalvalue = rtl_read_dword(rtlpriv, regaddr);
+- bitshift = _rtl92s_phy_calculate_bit_shift(bitmask);
++ bitshift = calculate_bit_shift(bitmask);
+ returnvalue = (originalvalue & bitmask) >> bitshift;
+
+ rtl_dbg(rtlpriv, COMP_RF, DBG_TRACE, "BBR MASK=0x%x Addr[0x%x]=0x%x\n",
+@@ -52,7 +45,7 @@ void rtl92s_phy_set_bb_reg(struct ieee80211_hw *hw, u32 regaddr, u32 bitmask,
+
+ if (bitmask != MASKDWORD) {
+ originalvalue = rtl_read_dword(rtlpriv, regaddr);
+- bitshift = _rtl92s_phy_calculate_bit_shift(bitmask);
++ bitshift = calculate_bit_shift(bitmask);
+ data = ((originalvalue & (~bitmask)) | (data << bitshift));
+ }
+
+@@ -160,7 +153,7 @@ u32 rtl92s_phy_query_rf_reg(struct ieee80211_hw *hw, enum radio_path rfpath,
+
+ original_value = _rtl92s_phy_rf_serial_read(hw, rfpath, regaddr);
+
+- bitshift = _rtl92s_phy_calculate_bit_shift(bitmask);
++ bitshift = calculate_bit_shift(bitmask);
+ readback_value = (original_value & bitmask) >> bitshift;
+
+ spin_unlock(&rtlpriv->locks.rf_lock);
+@@ -191,7 +184,7 @@ void rtl92s_phy_set_rf_reg(struct ieee80211_hw *hw, enum radio_path rfpath,
+ if (bitmask != RFREG_OFFSET_MASK) {
+ original_value = _rtl92s_phy_rf_serial_read(hw, rfpath,
+ regaddr);
+- bitshift = _rtl92s_phy_calculate_bit_shift(bitmask);
++ bitshift = calculate_bit_shift(bitmask);
+ data = ((original_value & (~bitmask)) | (data << bitshift));
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 5764449cdd0c2b94b74dafe84bda8a37265e6127 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Nov 2023 09:35:13 +0800
+Subject: wifi: rtlwifi: rtl8821ae: phy: fix an undefined bitwise shift
+ behavior
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit bc8263083af60e7e57c6120edbc1f75d6c909a35 ]
+
+Clang static checker warns:
+
+drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c:184:49:
+ The result of the left shift is undefined due to shifting by '32',
+ which is greater or equal to the width of type 'u32'.
+ [core.UndefinedBinaryOperatorResult]
+
+If the value of the right operand is negative or is greater than or
+equal to the width of the promoted left operand, the behavior is
+undefined.[1][2]
+
+For example, when using different gcc's compilation optimization options
+(-O0 or -O2), the result of '(u32)data << 32' is different. One is 0, the
+other is old value of data. Let _rtl8821ae_phy_calculate_bit_shift()'s
+return value less than 32 to fix this problem. Warn if bitmask is zero.
+
+[1] https://stackoverflow.com/questions/11270492/what-does-the-c-standard-say-about-bitshifting-more-bits-than-the-width-of-type
+[2] https://www.open-std.org/jtc1/sc22/wg14/www/docs/n1256.pdf
+
+Fixes: 21e4b0726dc6 ("rtlwifi: rtl8821ae: Move driver from staging to regular tree")
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20231127013511.26694-2-suhui@nfschina.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c
+index c0c06ab6d3e7..fb143a5f9cc3 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c
+@@ -29,9 +29,10 @@ static void _rtl8821ae_phy_rf_serial_write(struct ieee80211_hw *hw,
+ u32 data);
+ static u32 _rtl8821ae_phy_calculate_bit_shift(u32 bitmask)
+ {
+- u32 i = ffs(bitmask);
++ if (WARN_ON_ONCE(!bitmask))
++ return 0;
+
+- return i ? i - 1 : 32;
++ return __ffs(bitmask);
+ }
+ static bool _rtl8821ae_phy_bb8821a_config_parafile(struct ieee80211_hw *hw);
+ /*static bool _rtl8812ae_phy_config_mac_with_headerfile(struct ieee80211_hw *hw);*/
+--
+2.43.0
+
--- /dev/null
+From f6c86475929aa0d2ec0e34b783372f27d0776f1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Nov 2023 10:08:51 +0800
+Subject: wifi: rtw88: fix RX filter in FIF_ALLMULTI flag
+
+From: Chih-Kang Chang <gary.chang@realtek.com>
+
+[ Upstream commit 53ee0b3b99edc6a47096bffef15695f5a895386f ]
+
+The broadcast packets will be filtered in the FIF_ALLMULTI flag in
+the original code, which causes beacon packets to be filtered out
+and disconnection. Therefore, we fix it.
+
+Fixes: e3037485c68e ("rtw88: new Realtek 802.11ac driver")
+Signed-off-by: Chih-Kang Chang <gary.chang@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20231103020851.102238-1-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/mac80211.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/mac80211.c b/drivers/net/wireless/realtek/rtw88/mac80211.c
+index c92fba2fa480..0a3766781347 100644
+--- a/drivers/net/wireless/realtek/rtw88/mac80211.c
++++ b/drivers/net/wireless/realtek/rtw88/mac80211.c
+@@ -264,9 +264,9 @@ static void rtw_ops_configure_filter(struct ieee80211_hw *hw,
+
+ if (changed_flags & FIF_ALLMULTI) {
+ if (*new_flags & FIF_ALLMULTI)
+- rtwdev->hal.rcr |= BIT_AM | BIT_AB;
++ rtwdev->hal.rcr |= BIT_AM;
+ else
+- rtwdev->hal.rcr &= ~(BIT_AM | BIT_AB);
++ rtwdev->hal.rcr &= ~(BIT_AM);
+ }
+ if (changed_flags & FIF_FCSFAIL) {
+ if (*new_flags & FIF_FCSFAIL)
+--
+2.43.0
+
--- /dev/null
+From d00d8ae99bbc77b371a088b61e10a822b7e0fbec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Nov 2023 17:49:01 +0000
+Subject: x86/lib: Fix overflow when counting digits
+
+From: Colin Ian King <colin.i.king@gmail.com>
+
+[ Upstream commit a24d61c609813963aacc9f6ec8343f4fcaac7243 ]
+
+tl;dr: The num_digits() function has a theoretical overflow issue.
+But it doesn't affect any actual in-tree users. Fix it by using
+a larger type for one of the local variables.
+
+Long version:
+
+There is an overflow in variable m in function num_digits when val
+is >= 1410065408 which leads to the digit calculation loop to
+iterate more times than required. This results in either more
+digits being counted or in some cases (for example where val is
+1932683193) the value of m eventually overflows to zero and the
+while loop spins forever).
+
+Currently the function num_digits is currently only being used for
+small values of val in the SMP boot stage for digit counting on the
+number of cpus and NUMA nodes, so the overflow is never encountered.
+However it is useful to fix the overflow issue in case the function
+is used for other purposes in the future. (The issue was discovered
+while investigating the digit counting performance in various
+kernel helper functions rather than any real-world use-case).
+
+The simplest fix is to make m a long long, the overhead in
+multiplication speed for a long long is very minor for small values
+of val less than 10000 on modern processors. The alternative
+fix is to replace the multiplication with a constant division
+by 10 loop (this compiles down to an multiplication and shift)
+without needing to make m a long long, but this is slightly slower
+than the fix in this commit when measured on a range of x86
+processors).
+
+[ dhansen: subject and changelog tweaks ]
+
+Fixes: 646e29a1789a ("x86: Improve the printout of the SMP bootup CPU table")
+Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Link: https://lore.kernel.org/all/20231102174901.2590325-1-colin.i.king%40gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/lib/misc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/lib/misc.c b/arch/x86/lib/misc.c
+index a018ec4fba53..c97be9a1430a 100644
+--- a/arch/x86/lib/misc.c
++++ b/arch/x86/lib/misc.c
+@@ -6,7 +6,7 @@
+ */
+ int num_digits(int val)
+ {
+- int m = 10;
++ long long m = 10;
+ int d = 1;
+
+ if (val < 0) {
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
