From 01965c2bbc03be88e857324e7b6c002d55089aef Mon Sep 17 00:00:00 2001
From: Sasha Levin <sashal@kernel.org>
Date: Sat, 6 Jan 2024 20:58:52 -0500
Subject: [PATCH] Fixes for 5.10

Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 ...x-array-index-out-of-bounds-read-in-.patch |  64 ++
 ...x-add-check-for-usbnet_get_endpoints.patch |  38 ++
 ...n-g12a-toacodec-fix-event-generation.patch |  39 ++
 ...toacodec-validate-written-enum-value.patch |  40 ++
 ...tohdmitx-fix-event-generation-for-s-.patch |  39 ++
 ...tohdmitx-validate-written-enum-value.patch |  50 ++
 ...is-applied-code-from-bnxt_cfg_ntp_fi.patch |  47 ++
 ...passing-the-correct-dpcd_rev-for-drm.patch |  42 ++
 ...input-checks-to-prevent-config-with-.patch |  53 ++
 ...e-after-free-in-i40e_aqc_add_filters.patch | 120 ++++
 ...tore-vf-msi-x-state-during-pci-reset.patch | 104 ++++
 ...e-check-the-mapcount-of-the-precise-.patch |  56 ++
 ...-fcs-generation-for-fragmented-skbuf.patch |  46 ++
 ...ssing-getsockopt-so_timestamping_new.patch |  60 ++
 ...ssing-so_timestamping_new-cmsg-suppo.patch |  40 ++
 ...potential-memleak-in-ql_alloc_buffer.patch |  44 ++
 ...qla3xxx-switch-from-pci_-to-dma_-api.patch | 564 ++++++++++++++++++
 ...-restore-msg_namelen-in-sock_sendmsg.patch |  55 ++
 ...t-fix-possible-memory-leak-in-em_tex.patch |  40 ++
 ...mediate-drop-chain-reference-counter.patch |  36 ++
 ...ables-add-loop-check-helper-function.patch |  74 +++
 ...ld-a-ref-to-llcp_local-dev-when-hold.patch | 128 ++++
 ...-marking-couple-of-structure-as-__pa.patch |  46 ++
 queue-5.10/series                             |  24 +
 ...double-free-bug-in-efx_probe_filters.patch |  51 ++
 25 files changed, 1900 insertions(+)
 create mode 100644 queue-5.10/arm-sun9i-smp-fix-array-index-out-of-bounds-read-in-.patch
 create mode 100644 queue-5.10/asix-add-check-for-usbnet_get_endpoints.patch
 create mode 100644 queue-5.10/asoc-meson-g12a-toacodec-fix-event-generation.patch
 create mode 100644 queue-5.10/asoc-meson-g12a-toacodec-validate-written-enum-value.patch
 create mode 100644 queue-5.10/asoc-meson-g12a-tohdmitx-fix-event-generation-for-s-.patch
 create mode 100644 queue-5.10/asoc-meson-g12a-tohdmitx-validate-written-enum-value.patch
 create mode 100644 queue-5.10/bnxt_en-remove-mis-applied-code-from-bnxt_cfg_ntp_fi.patch
 create mode 100644 queue-5.10/drm-i915-dp-fix-passing-the-correct-dpcd_rev-for-drm.patch
 create mode 100644 queue-5.10/i40e-fix-filter-input-checks-to-prevent-config-with-.patch
 create mode 100644 queue-5.10/i40e-fix-use-after-free-in-i40e_aqc_add_filters.patch
 create mode 100644 queue-5.10/i40e-restore-vf-msi-x-state-during-pci-reset.patch
 create mode 100644 queue-5.10/mm-memory-failure-check-the-mapcount-of-the-precise-.patch
 create mode 100644 queue-5.10/net-bcmgenet-fix-fcs-generation-for-fragmented-skbuf.patch
 create mode 100644 queue-5.10/net-implement-missing-getsockopt-so_timestamping_new.patch
 create mode 100644 queue-5.10/net-implement-missing-so_timestamping_new-cmsg-suppo.patch
 create mode 100644 queue-5.10/net-qla3xxx-fix-potential-memleak-in-ql_alloc_buffer.patch
 create mode 100644 queue-5.10/net-qla3xxx-switch-from-pci_-to-dma_-api.patch
 create mode 100644 queue-5.10/net-save-and-restore-msg_namelen-in-sock_sendmsg.patch
 create mode 100644 queue-5.10/net-sched-em_text-fix-possible-memory-leak-in-em_tex.patch
 create mode 100644 queue-5.10/netfilter-nft_immediate-drop-chain-reference-counter.patch
 create mode 100644 queue-5.10/netfilter-nftables-add-loop-check-helper-function.patch
 create mode 100644 queue-5.10/nfc-llcp_core-hold-a-ref-to-llcp_local-dev-when-hold.patch
 create mode 100644 queue-5.10/octeontx2-af-fix-marking-couple-of-structure-as-__pa.patch
 create mode 100644 queue-5.10/sfc-fix-a-double-free-bug-in-efx_probe_filters.patch

diff --git a/queue-5.10/arm-sun9i-smp-fix-array-index-out-of-bounds-read-in-.patch b/queue-5.10/arm-sun9i-smp-fix-array-index-out-of-bounds-read-in-.patch
new file mode 100644
index 00000000000..0920f4deff8
--- /dev/null
+++ b/queue-5.10/arm-sun9i-smp-fix-array-index-out-of-bounds-read-in-.patch
@@ -0,0 +1,64 @@
+From 3ae1b877976a9bdf468827253f52e3f016778881 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Dec 2023 20:39:02 +0100
+Subject: ARM: sun9i: smp: Fix array-index-out-of-bounds read in
+ sunxi_mc_smp_init
+
+From: Stefan Wahren <wahrenst@gmx.net>
+
+[ Upstream commit 72ad3b772b6d393701df58ba1359b0bb346a19ed ]
+
+Running a multi-arch kernel (multi_v7_defconfig) on a Raspberry Pi 3B+
+with enabled CONFIG_UBSAN triggers the following warning:
+
+ UBSAN: array-index-out-of-bounds in arch/arm/mach-sunxi/mc_smp.c:810:29
+ index 2 is out of range for type 'sunxi_mc_smp_data [2]'
+ CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc6-00248-g5254c0cbc92d
+ Hardware name: BCM2835
+  unwind_backtrace from show_stack+0x10/0x14
+  show_stack from dump_stack_lvl+0x40/0x4c
+  dump_stack_lvl from ubsan_epilogue+0x8/0x34
+  ubsan_epilogue from __ubsan_handle_out_of_bounds+0x78/0x80
+  __ubsan_handle_out_of_bounds from sunxi_mc_smp_init+0xe4/0x4cc
+  sunxi_mc_smp_init from do_one_initcall+0xa0/0x2fc
+  do_one_initcall from kernel_init_freeable+0xf4/0x2f4
+  kernel_init_freeable from kernel_init+0x18/0x158
+  kernel_init from ret_from_fork+0x14/0x28
+
+Since the enabled method couldn't match with any entry from
+sunxi_mc_smp_data, the value of the index shouldn't be used right after
+the loop. So move it after the check of ret in order to have a valid
+index.
+
+Fixes: 1631090e34f5 ("ARM: sun9i: smp: Add is_a83t field")
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Link: https://lore.kernel.org/r/20231228193903.9078-1-wahrenst@gmx.net
+Reviewed-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-sunxi/mc_smp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/mach-sunxi/mc_smp.c b/arch/arm/mach-sunxi/mc_smp.c
+index 26cbce1353387..b2f5f4f28705f 100644
+--- a/arch/arm/mach-sunxi/mc_smp.c
++++ b/arch/arm/mach-sunxi/mc_smp.c
+@@ -808,12 +808,12 @@ static int __init sunxi_mc_smp_init(void)
+ 			break;
+ 	}
+ 
+-	is_a83t = sunxi_mc_smp_data[i].is_a83t;
+-
+ 	of_node_put(node);
+ 	if (ret)
+ 		return -ENODEV;
+ 
++	is_a83t = sunxi_mc_smp_data[i].is_a83t;
++
+ 	if (!sunxi_mc_smp_cpu_table_init())
+ 		return -EINVAL;
+ 
+-- 
+2.43.0
+
diff --git a/queue-5.10/asix-add-check-for-usbnet_get_endpoints.patch b/queue-5.10/asix-add-check-for-usbnet_get_endpoints.patch
new file mode 100644
index 00000000000..344fdfedf4b
--- /dev/null
+++ b/queue-5.10/asix-add-check-for-usbnet_get_endpoints.patch
@@ -0,0 +1,38 @@
+From 5ec081401a52cd91c41b6475e0ca197253df052d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jan 2024 03:35:34 +0000
+Subject: asix: Add check for usbnet_get_endpoints
+
+From: Chen Ni <nichen@iscas.ac.cn>
+
+[ Upstream commit eaac6a2d26b65511e164772bec6918fcbc61938e ]
+
+Add check for usbnet_get_endpoints() and return the error if it fails
+in order to transfer the error.
+
+Fixes: 16626b0cc3d5 ("asix: Add a new driver for the AX88172A")
+Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/ax88172a.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/ax88172a.c b/drivers/net/usb/ax88172a.c
+index fd3a04d98dc14..2bdb163e458ad 100644
+--- a/drivers/net/usb/ax88172a.c
++++ b/drivers/net/usb/ax88172a.c
+@@ -175,7 +175,9 @@ static int ax88172a_bind(struct usbnet *dev, struct usb_interface *intf)
+ 	u8 buf[ETH_ALEN];
+ 	struct ax88172a_private *priv;
+ 
+-	usbnet_get_endpoints(dev, intf);
++	ret = usbnet_get_endpoints(dev, intf);
++	if (ret)
++		return ret;
+ 
+ 	priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+ 	if (!priv)
+-- 
+2.43.0
+
diff --git a/queue-5.10/asoc-meson-g12a-toacodec-fix-event-generation.patch b/queue-5.10/asoc-meson-g12a-toacodec-fix-event-generation.patch
new file mode 100644
index 00000000000..54dc51f7829
--- /dev/null
+++ b/queue-5.10/asoc-meson-g12a-toacodec-fix-event-generation.patch
@@ -0,0 +1,39 @@
+From 23e32ed2315db2d693c2f3057f202e9f47ac6be7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jan 2024 18:34:03 +0000
+Subject: ASoC: meson: g12a-toacodec: Fix event generation
+
+From: Mark Brown <broonie@kernel.org>
+
+[ Upstream commit 172c88244b5f2d3375403ebb504d407be0fded59 ]
+
+When a control changes value the return value from _put() should be 1 so
+we get events generated to userspace notifying applications of the change.
+We are checking if there has been a change and exiting early if not but we
+are not providing the correct return value in the latter case, fix this.
+
+Fixes: af2618a2eee8 ("ASoC: meson: g12a: add internal DAC glue driver")
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20240103-meson-enum-val-v1-3-424af7a8fb91@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/meson/g12a-toacodec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/meson/g12a-toacodec.c b/sound/soc/meson/g12a-toacodec.c
+index 0938f590de226..5ddeb22ac685a 100644
+--- a/sound/soc/meson/g12a-toacodec.c
++++ b/sound/soc/meson/g12a-toacodec.c
+@@ -85,7 +85,7 @@ static int g12a_toacodec_mux_put_enum(struct snd_kcontrol *kcontrol,
+ 
+ 	snd_soc_dapm_mux_update_power(dapm, kcontrol, mux, e, NULL);
+ 
+-	return 0;
++	return 1;
+ }
+ 
+ static SOC_ENUM_SINGLE_DECL(g12a_toacodec_mux_enum, TOACODEC_CTRL0,
+-- 
+2.43.0
+
diff --git a/queue-5.10/asoc-meson-g12a-toacodec-validate-written-enum-value.patch b/queue-5.10/asoc-meson-g12a-toacodec-validate-written-enum-value.patch
new file mode 100644
index 00000000000..6c4ca5df97d
--- /dev/null
+++ b/queue-5.10/asoc-meson-g12a-toacodec-validate-written-enum-value.patch
@@ -0,0 +1,40 @@
+From 584651af6411cc11b0f9cc48a5d8f5a8f9c0fce9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jan 2024 18:34:01 +0000
+Subject: ASoC: meson: g12a-toacodec: Validate written enum values
+
+From: Mark Brown <broonie@kernel.org>
+
+[ Upstream commit 3150b70e944ead909260285dfb5707d0bedcf87b ]
+
+When writing to an enum we need to verify that the value written is valid
+for the enumeration, the helper function snd_soc_item_enum_to_val() doesn't
+do it since it needs to return an unsigned (and in any case we'd need to
+check the return value).
+
+Fixes: af2618a2eee8 ("ASoC: meson: g12a: add internal DAC glue driver")
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20240103-meson-enum-val-v1-1-424af7a8fb91@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/meson/g12a-toacodec.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/soc/meson/g12a-toacodec.c b/sound/soc/meson/g12a-toacodec.c
+index 9339fabccb796..0938f590de226 100644
+--- a/sound/soc/meson/g12a-toacodec.c
++++ b/sound/soc/meson/g12a-toacodec.c
+@@ -46,6 +46,9 @@ static int g12a_toacodec_mux_put_enum(struct snd_kcontrol *kcontrol,
+ 	struct soc_enum *e = (struct soc_enum *)kcontrol->private_value;
+ 	unsigned int mux, changed;
+ 
++	if (ucontrol->value.enumerated.item[0] >= e->items)
++		return -EINVAL;
++
+ 	mux = snd_soc_enum_item_to_val(e, ucontrol->value.enumerated.item[0]);
+ 	changed = snd_soc_component_test_bits(component, e->reg,
+ 					      CTRL0_DAT_SEL,
+-- 
+2.43.0
+
diff --git a/queue-5.10/asoc-meson-g12a-tohdmitx-fix-event-generation-for-s-.patch b/queue-5.10/asoc-meson-g12a-tohdmitx-fix-event-generation-for-s-.patch
new file mode 100644
index 00000000000..46217158d12
--- /dev/null
+++ b/queue-5.10/asoc-meson-g12a-tohdmitx-fix-event-generation-for-s-.patch
@@ -0,0 +1,39 @@
+From f8a9bde7d9892b2e9785957c3236bb17d99b0888 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jan 2024 18:34:04 +0000
+Subject: ASoC: meson: g12a-tohdmitx: Fix event generation for S/PDIF mux
+
+From: Mark Brown <broonie@kernel.org>
+
+[ Upstream commit b036d8ef3120b996751495ce25994eea58032a98 ]
+
+When a control changes value the return value from _put() should be 1 so
+we get events generated to userspace notifying applications of the change.
+While the I2S mux gets this right the S/PDIF mux does not, fix the return
+value.
+
+Fixes: c8609f3870f7 ("ASoC: meson: add g12a tohdmitx control")
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20240103-meson-enum-val-v1-4-424af7a8fb91@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/meson/g12a-tohdmitx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/meson/g12a-tohdmitx.c b/sound/soc/meson/g12a-tohdmitx.c
+index 6b16159733f72..4a9b67421c705 100644
+--- a/sound/soc/meson/g12a-tohdmitx.c
++++ b/sound/soc/meson/g12a-tohdmitx.c
+@@ -118,7 +118,7 @@ static int g12a_tohdmitx_spdif_mux_put_enum(struct snd_kcontrol *kcontrol,
+ 
+ 	snd_soc_dapm_mux_update_power(dapm, kcontrol, mux, e, NULL);
+ 
+-	return 0;
++	return 1;
+ }
+ 
+ static SOC_ENUM_SINGLE_DECL(g12a_tohdmitx_spdif_mux_enum, TOHDMITX_CTRL0,
+-- 
+2.43.0
+
diff --git a/queue-5.10/asoc-meson-g12a-tohdmitx-validate-written-enum-value.patch b/queue-5.10/asoc-meson-g12a-tohdmitx-validate-written-enum-value.patch
new file mode 100644
index 00000000000..2df521c52e3
--- /dev/null
+++ b/queue-5.10/asoc-meson-g12a-tohdmitx-validate-written-enum-value.patch
@@ -0,0 +1,50 @@
+From 7daf8cd65d8754220d67e5bf348882f17a69fea6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jan 2024 18:34:02 +0000
+Subject: ASoC: meson: g12a-tohdmitx: Validate written enum values
+
+From: Mark Brown <broonie@kernel.org>
+
+[ Upstream commit 1e001206804be3f3d21f4a1cf16e5d059d75643f ]
+
+When writing to an enum we need to verify that the value written is valid
+for the enumeration, the helper function snd_soc_item_enum_to_val() doesn't
+do it since it needs to return an unsigned (and in any case we'd need to
+check the return value).
+
+Fixes: c8609f3870f7 ("ASoC: meson: add g12a tohdmitx control")
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20240103-meson-enum-val-v1-2-424af7a8fb91@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/meson/g12a-tohdmitx.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sound/soc/meson/g12a-tohdmitx.c b/sound/soc/meson/g12a-tohdmitx.c
+index 6c99052feafd8..6b16159733f72 100644
+--- a/sound/soc/meson/g12a-tohdmitx.c
++++ b/sound/soc/meson/g12a-tohdmitx.c
+@@ -45,6 +45,9 @@ static int g12a_tohdmitx_i2s_mux_put_enum(struct snd_kcontrol *kcontrol,
+ 	struct soc_enum *e = (struct soc_enum *)kcontrol->private_value;
+ 	unsigned int mux, changed;
+ 
++	if (ucontrol->value.enumerated.item[0] >= e->items)
++		return -EINVAL;
++
+ 	mux = snd_soc_enum_item_to_val(e, ucontrol->value.enumerated.item[0]);
+ 	changed = snd_soc_component_test_bits(component, e->reg,
+ 					      CTRL0_I2S_DAT_SEL,
+@@ -93,6 +96,9 @@ static int g12a_tohdmitx_spdif_mux_put_enum(struct snd_kcontrol *kcontrol,
+ 	struct soc_enum *e = (struct soc_enum *)kcontrol->private_value;
+ 	unsigned int mux, changed;
+ 
++	if (ucontrol->value.enumerated.item[0] >= e->items)
++		return -EINVAL;
++
+ 	mux = snd_soc_enum_item_to_val(e, ucontrol->value.enumerated.item[0]);
+ 	changed = snd_soc_component_test_bits(component, TOHDMITX_CTRL0,
+ 					      CTRL0_SPDIF_SEL,
+-- 
+2.43.0
+
diff --git a/queue-5.10/bnxt_en-remove-mis-applied-code-from-bnxt_cfg_ntp_fi.patch b/queue-5.10/bnxt_en-remove-mis-applied-code-from-bnxt_cfg_ntp_fi.patch
new file mode 100644
index 00000000000..d89695b6c8a
--- /dev/null
+++ b/queue-5.10/bnxt_en-remove-mis-applied-code-from-bnxt_cfg_ntp_fi.patch
@@ -0,0 +1,47 @@
+From 07673286f6d4a67d8978053f6eb4ed3f40946f90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jan 2024 16:59:24 -0800
+Subject: bnxt_en: Remove mis-applied code from bnxt_cfg_ntp_filters()
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit e009b2efb7a8850498796b360043ac25c8d3d28f ]
+
+The 2 lines to check for the BNXT_HWRM_PF_UNLOAD_SP_EVENT bit was
+mis-applied to bnxt_cfg_ntp_filters() and should have been applied to
+bnxt_sp_task().
+
+Fixes: 19241368443f ("bnxt_en: Send PF driver unload notification to all VFs.")
+Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index c67a108c2c07f..584f365de563f 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -11143,6 +11143,8 @@ static void bnxt_sp_task(struct work_struct *work)
+ 		bnxt_cfg_ntp_filters(bp);
+ 	if (test_and_clear_bit(BNXT_HWRM_EXEC_FWD_REQ_SP_EVENT, &bp->sp_event))
+ 		bnxt_hwrm_exec_fwd_req(bp);
++	if (test_and_clear_bit(BNXT_HWRM_PF_UNLOAD_SP_EVENT, &bp->sp_event))
++		netdev_info(bp->dev, "Receive PF driver unload event!\n");
+ 	if (test_and_clear_bit(BNXT_PERIODIC_STATS_SP_EVENT, &bp->sp_event)) {
+ 		bnxt_hwrm_port_qstats(bp, 0);
+ 		bnxt_hwrm_port_qstats_ext(bp, 0);
+@@ -12097,8 +12099,6 @@ static void bnxt_cfg_ntp_filters(struct bnxt *bp)
+ 			}
+ 		}
+ 	}
+-	if (test_and_clear_bit(BNXT_HWRM_PF_UNLOAD_SP_EVENT, &bp->sp_event))
+-		netdev_info(bp->dev, "Receive PF driver unload event!\n");
+ }
+ 
+ #else
+-- 
+2.43.0
+
diff --git a/queue-5.10/drm-i915-dp-fix-passing-the-correct-dpcd_rev-for-drm.patch b/queue-5.10/drm-i915-dp-fix-passing-the-correct-dpcd_rev-for-drm.patch
new file mode 100644
index 00000000000..fb3bf263671
--- /dev/null
+++ b/queue-5.10/drm-i915-dp-fix-passing-the-correct-dpcd_rev-for-drm.patch
@@ -0,0 +1,42 @@
+From 8069d92ded5fd2de3796ae47d1c69569f2bdcda5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Dec 2023 13:15:42 -0800
+Subject: drm/i915/dp: Fix passing the correct DPCD_REV for
+ drm_dp_set_phy_test_pattern
+
+From: Khaled Almahallawy <khaled.almahallawy@intel.com>
+
+[ Upstream commit 2bd7a06a1208aaacb4e7a2a5436c23bce8d70801 ]
+
+Using link_status to get DPCD_REV fails when disabling/defaulting
+phy pattern. Use intel_dp->dpcd to access DPCD_REV correctly.
+
+Fixes: 8cdf72711928 ("drm/i915/dp: Program vswing, pre-emphasis, test-pattern")
+Cc: Jani Nikula <jani.nikula@intel.com>
+Cc: Imre Deak <imre.deak@intel.com>
+Cc: Lee Shawn C <shawn.c.lee@intel.com>
+Signed-off-by: Khaled Almahallawy <khaled.almahallawy@intel.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231213211542.3585105-3-khaled.almahallawy@intel.com
+(cherry picked from commit 3ee302ec22d6e1d7d1e6d381b0d507ee80f2135c)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/intel_dp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_dp.c b/drivers/gpu/drm/i915/display/intel_dp.c
+index 7f633f8b3239a..a79c62c43a6ff 100644
+--- a/drivers/gpu/drm/i915/display/intel_dp.c
++++ b/drivers/gpu/drm/i915/display/intel_dp.c
+@@ -5584,7 +5584,7 @@ void intel_dp_process_phy_request(struct intel_dp *intel_dp)
+ 	intel_dp_autotest_phy_ddi_enable(intel_dp, data->num_lanes);
+ 
+ 	drm_dp_set_phy_test_pattern(&intel_dp->aux, data,
+-				    link_status[DP_DPCD_REV]);
++				    intel_dp->dpcd[DP_DPCD_REV]);
+ }
+ 
+ static u8 intel_dp_autotest_phy_pattern(struct intel_dp *intel_dp)
+-- 
+2.43.0
+
diff --git a/queue-5.10/i40e-fix-filter-input-checks-to-prevent-config-with-.patch b/queue-5.10/i40e-fix-filter-input-checks-to-prevent-config-with-.patch
new file mode 100644
index 00000000000..ffd823e25e6
--- /dev/null
+++ b/queue-5.10/i40e-fix-filter-input-checks-to-prevent-config-with-.patch
@@ -0,0 +1,53 @@
+From 86c9e2505a20c24871fff49b029d7074cee24a0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Nov 2023 11:23:11 +0100
+Subject: i40e: Fix filter input checks to prevent config with invalid values
+
+From: Sudheer Mogilappagari <sudheer.mogilappagari@intel.com>
+
+[ Upstream commit 3e48041d9820c17e0a51599d12e66c6e12a8d08d ]
+
+Prevent VF from configuring filters with unsupported actions or use
+REDIRECT action with invalid tc number. Current checks could cause
+out of bounds access on PF side.
+
+Fixes: e284fc280473 ("i40e: Add and delete cloud filter")
+Reviewed-by: Andrii Staikov <andrii.staikov@intel.com>
+Signed-off-by: Sudheer Mogilappagari <sudheer.mogilappagari@intel.com>
+Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Bharathi Sreenivas <bharathi.sreenivas@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+index dfaa34f2473ab..115749e527205 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -3369,16 +3369,16 @@ static int i40e_validate_cloud_filter(struct i40e_vf *vf,
+ 	bool found = false;
+ 	int bkt;
+ 
+-	if (!tc_filter->action) {
++	if (tc_filter->action != VIRTCHNL_ACTION_TC_REDIRECT) {
+ 		dev_info(&pf->pdev->dev,
+-			 "VF %d: Currently ADq doesn't support Drop Action\n",
+-			 vf->vf_id);
++			 "VF %d: ADQ doesn't support this action (%d)\n",
++			 vf->vf_id, tc_filter->action);
+ 		goto err;
+ 	}
+ 
+ 	/* action_meta is TC number here to which the filter is applied */
+ 	if (!tc_filter->action_meta ||
+-	    tc_filter->action_meta > I40E_MAX_VF_VSI) {
++	    tc_filter->action_meta > vf->num_tc) {
+ 		dev_info(&pf->pdev->dev, "VF %d: Invalid TC number %u\n",
+ 			 vf->vf_id, tc_filter->action_meta);
+ 		goto err;
+-- 
+2.43.0
+
diff --git a/queue-5.10/i40e-fix-use-after-free-in-i40e_aqc_add_filters.patch b/queue-5.10/i40e-fix-use-after-free-in-i40e_aqc_add_filters.patch
new file mode 100644
index 00000000000..63cd4b4d141
--- /dev/null
+++ b/queue-5.10/i40e-fix-use-after-free-in-i40e_aqc_add_filters.patch
@@ -0,0 +1,120 @@
+From 5eb21b42a96fcaebded94ca2be995baf6c2514e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Dec 2023 15:08:50 +0800
+Subject: i40e: fix use-after-free in i40e_aqc_add_filters()
+
+From: Ke Xiao <xiaoke@sangfor.com.cn>
+
+[ Upstream commit 6a15584e99db8918b60e507539c7446375dcf366 ]
+
+Commit 3116f59c12bd ("i40e: fix use-after-free in
+i40e_sync_filters_subtask()") avoided use-after-free issues,
+by increasing refcount during update the VSI filter list to
+the HW. However, it missed the unicast situation.
+
+When deleting an unicast FDB entry, the i40e driver will release
+the mac_filter, and i40e_service_task will concurrently request
+firmware to add the mac_filter, which will lead to the following
+use-after-free issue.
+
+Fix again for both netdev->uc and netdev->mc.
+
+BUG: KASAN: use-after-free in i40e_aqc_add_filters+0x55c/0x5b0 [i40e]
+Read of size 2 at addr ffff888eb3452d60 by task kworker/8:7/6379
+
+CPU: 8 PID: 6379 Comm: kworker/8:7 Kdump: loaded Tainted: G
+Workqueue: i40e i40e_service_task [i40e]
+Call Trace:
+ dump_stack+0x71/0xab
+ print_address_description+0x6b/0x290
+ kasan_report+0x14a/0x2b0
+ i40e_aqc_add_filters+0x55c/0x5b0 [i40e]
+ i40e_sync_vsi_filters+0x1676/0x39c0 [i40e]
+ i40e_service_task+0x1397/0x2bb0 [i40e]
+ process_one_work+0x56a/0x11f0
+ worker_thread+0x8f/0xf40
+ kthread+0x2a0/0x390
+ ret_from_fork+0x1f/0x40
+
+Allocated by task 21948:
+ kasan_kmalloc+0xa6/0xd0
+ kmem_cache_alloc_trace+0xdb/0x1c0
+ i40e_add_filter+0x11e/0x520 [i40e]
+ i40e_addr_sync+0x37/0x60 [i40e]
+ __hw_addr_sync_dev+0x1f5/0x2f0
+ i40e_set_rx_mode+0x61/0x1e0 [i40e]
+ dev_uc_add_excl+0x137/0x190
+ i40e_ndo_fdb_add+0x161/0x260 [i40e]
+ rtnl_fdb_add+0x567/0x950
+ rtnetlink_rcv_msg+0x5db/0x880
+ netlink_rcv_skb+0x254/0x380
+ netlink_unicast+0x454/0x610
+ netlink_sendmsg+0x747/0xb00
+ sock_sendmsg+0xe2/0x120
+ __sys_sendto+0x1ae/0x290
+ __x64_sys_sendto+0xdd/0x1b0
+ do_syscall_64+0xa0/0x370
+ entry_SYSCALL_64_after_hwframe+0x65/0xca
+
+Freed by task 21948:
+ __kasan_slab_free+0x137/0x190
+ kfree+0x8b/0x1b0
+ __i40e_del_filter+0x116/0x1e0 [i40e]
+ i40e_del_mac_filter+0x16c/0x300 [i40e]
+ i40e_addr_unsync+0x134/0x1b0 [i40e]
+ __hw_addr_sync_dev+0xff/0x2f0
+ i40e_set_rx_mode+0x61/0x1e0 [i40e]
+ dev_uc_del+0x77/0x90
+ rtnl_fdb_del+0x6a5/0x860
+ rtnetlink_rcv_msg+0x5db/0x880
+ netlink_rcv_skb+0x254/0x380
+ netlink_unicast+0x454/0x610
+ netlink_sendmsg+0x747/0xb00
+ sock_sendmsg+0xe2/0x120
+ __sys_sendto+0x1ae/0x290
+ __x64_sys_sendto+0xdd/0x1b0
+ do_syscall_64+0xa0/0x370
+ entry_SYSCALL_64_after_hwframe+0x65/0xca
+
+Fixes: 3116f59c12bd ("i40e: fix use-after-free in i40e_sync_filters_subtask()")
+Fixes: 41c445ff0f48 ("i40e: main driver core")
+Signed-off-by: Ke Xiao <xiaoke@sangfor.com.cn>
+Signed-off-by: Ding Hui <dinghui@sangfor.com.cn>
+Cc: Di Zhu <zhudi2@huawei.com>
+Reviewed-by: Jan Sokolowski <jan.sokolowski@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 36e387ae967f7..f4752ba8fd952 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -101,12 +101,18 @@ static struct workqueue_struct *i40e_wq;
+ static void netdev_hw_addr_refcnt(struct i40e_mac_filter *f,
+ 				  struct net_device *netdev, int delta)
+ {
++	struct netdev_hw_addr_list *ha_list;
+ 	struct netdev_hw_addr *ha;
+ 
+ 	if (!f || !netdev)
+ 		return;
+ 
+-	netdev_for_each_mc_addr(ha, netdev) {
++	if (is_unicast_ether_addr(f->macaddr) || is_link_local_ether_addr(f->macaddr))
++		ha_list = &netdev->uc;
++	else
++		ha_list = &netdev->mc;
++
++	netdev_hw_addr_list_for_each(ha, ha_list) {
+ 		if (ether_addr_equal(ha->addr, f->macaddr)) {
+ 			ha->refcount += delta;
+ 			if (ha->refcount <= 0)
+-- 
+2.43.0
+
diff --git a/queue-5.10/i40e-restore-vf-msi-x-state-during-pci-reset.patch b/queue-5.10/i40e-restore-vf-msi-x-state-during-pci-reset.patch
new file mode 100644
index 00000000000..309915fd35b
--- /dev/null
+++ b/queue-5.10/i40e-restore-vf-msi-x-state-during-pci-reset.patch
@@ -0,0 +1,104 @@
+From ebfe160c43dbb9e1ed3a48fec68182a9de337fab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Dec 2023 14:27:35 +0100
+Subject: i40e: Restore VF MSI-X state during PCI reset
+
+From: Andrii Staikov <andrii.staikov@intel.com>
+
+[ Upstream commit 371e576ff3e8580d91d49026e5d5faebf5565558 ]
+
+During a PCI FLR the MSI-X Enable flag in the VF PCI MSI-X capability
+register will be cleared. This can lead to issues when a VF is
+assigned to a VM because in these cases the VF driver receives no
+indication of the PF PCI error/reset and additionally it is incapable
+of restoring the cleared flag in the hypervisor configuration space
+without fully reinitializing the driver interrupt functionality.
+
+Since the VF driver is unable to easily resolve this condition on its own,
+restore the VF MSI-X flag during the PF PCI reset handling.
+
+Fixes: 19b7960b2da1 ("i40e: implement split PCI error reset handler")
+Co-developed-by: Karen Ostrowska <karen.ostrowska@intel.com>
+Signed-off-by: Karen Ostrowska <karen.ostrowska@intel.com>
+Co-developed-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
+Signed-off-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
+Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Signed-off-by: Andrii Staikov <andrii.staikov@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c   |  3 +++
+ .../ethernet/intel/i40e/i40e_virtchnl_pf.c    | 26 +++++++++++++++++++
+ .../ethernet/intel/i40e/i40e_virtchnl_pf.h    |  3 +++
+ 3 files changed, 32 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index f4752ba8fd952..d83b96aa3e42a 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -15764,6 +15764,9 @@ static void i40e_pci_error_reset_done(struct pci_dev *pdev)
+ 	struct i40e_pf *pf = pci_get_drvdata(pdev);
+ 
+ 	i40e_reset_and_rebuild(pf, false, false);
++#ifdef CONFIG_PCI_IOV
++	i40e_restore_all_vfs_msi_state(pdev);
++#endif /* CONFIG_PCI_IOV */
+ }
+ 
+ /**
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+index 115749e527205..7b0ed15f4df32 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -99,6 +99,32 @@ void i40e_vc_notify_reset(struct i40e_pf *pf)
+ 			     (u8 *)&pfe, sizeof(struct virtchnl_pf_event));
+ }
+ 
++#ifdef CONFIG_PCI_IOV
++void i40e_restore_all_vfs_msi_state(struct pci_dev *pdev)
++{
++	u16 vf_id;
++	u16 pos;
++
++	/* Continue only if this is a PF */
++	if (!pdev->is_physfn)
++		return;
++
++	if (!pci_num_vf(pdev))
++		return;
++
++	pos = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_SRIOV);
++	if (pos) {
++		struct pci_dev *vf_dev = NULL;
++
++		pci_read_config_word(pdev, pos + PCI_SRIOV_VF_DID, &vf_id);
++		while ((vf_dev = pci_get_device(pdev->vendor, vf_id, vf_dev))) {
++			if (vf_dev->is_virtfn && vf_dev->physfn == pdev)
++				pci_restore_msi_state(vf_dev);
++		}
++	}
++}
++#endif /* CONFIG_PCI_IOV */
++
+ /**
+  * i40e_vc_notify_vf_reset
+  * @vf: pointer to the VF structure
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h
+index 358bbdb587951..bd497cc5303a1 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h
+@@ -135,6 +135,9 @@ int i40e_ndo_set_vf_spoofchk(struct net_device *netdev, int vf_id, bool enable);
+ 
+ void i40e_vc_notify_link_state(struct i40e_pf *pf);
+ void i40e_vc_notify_reset(struct i40e_pf *pf);
++#ifdef CONFIG_PCI_IOV
++void i40e_restore_all_vfs_msi_state(struct pci_dev *pdev);
++#endif /* CONFIG_PCI_IOV */
+ int i40e_get_vf_stats(struct net_device *netdev, int vf_id,
+ 		      struct ifla_vf_stats *vf_stats);
+ 
+-- 
+2.43.0
+
diff --git a/queue-5.10/mm-memory-failure-check-the-mapcount-of-the-precise-.patch b/queue-5.10/mm-memory-failure-check-the-mapcount-of-the-precise-.patch
new file mode 100644
index 00000000000..8f23070bdc6
--- /dev/null
+++ b/queue-5.10/mm-memory-failure-check-the-mapcount-of-the-precise-.patch
@@ -0,0 +1,56 @@
+From f614861e9c9b229d158c245dafe2e1b11e5b9768 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Dec 2023 13:58:36 +0000
+Subject: mm/memory-failure: check the mapcount of the precise page
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+[ Upstream commit c79c5a0a00a9457718056b588f312baadf44e471 ]
+
+A process may map only some of the pages in a folio, and might be missed
+if it maps the poisoned page but not the head page.  Or it might be
+unnecessarily hit if it maps the head page, but not the poisoned page.
+
+Link: https://lkml.kernel.org/r/20231218135837.3310403-3-willy@infradead.org
+Fixes: 7af446a841a2 ("HWPOISON, hugetlb: enable error handling path for hugepage")
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/memory-failure.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/mm/memory-failure.c b/mm/memory-failure.c
+index 652283a1353d7..f320ff02cc196 100644
+--- a/mm/memory-failure.c
++++ b/mm/memory-failure.c
+@@ -1010,7 +1010,7 @@ static bool hwpoison_user_mappings(struct page *p, unsigned long pfn,
+ 	 * This check implies we don't kill processes if their pages
+ 	 * are in the swap cache early. Those are always late kills.
+ 	 */
+-	if (!page_mapped(hpage))
++	if (!page_mapped(p))
+ 		return true;
+ 
+ 	if (PageKsm(p)) {
+@@ -1075,12 +1075,12 @@ static bool hwpoison_user_mappings(struct page *p, unsigned long pfn,
+ 				unmap_success = false;
+ 			}
+ 		} else {
+-			unmap_success = try_to_unmap(hpage, ttu);
++			unmap_success = try_to_unmap(p, ttu);
+ 		}
+ 	}
+ 	if (!unmap_success)
+ 		pr_err("Memory failure: %#lx: failed to unmap page (mapcount=%d)\n",
+-		       pfn, page_mapcount(hpage));
++		       pfn, page_mapcount(p));
+ 
+ 	/*
+ 	 * try_to_unmap() might put mlocked page in lru cache, so call
+-- 
+2.43.0
+
diff --git a/queue-5.10/net-bcmgenet-fix-fcs-generation-for-fragmented-skbuf.patch b/queue-5.10/net-bcmgenet-fix-fcs-generation-for-fragmented-skbuf.patch
new file mode 100644
index 00000000000..d6297450a3c
--- /dev/null
+++ b/queue-5.10/net-bcmgenet-fix-fcs-generation-for-fragmented-skbuf.patch
@@ -0,0 +1,46 @@
+From b8111b948c23c9e7f45e789a4a65c50816ea06cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Dec 2023 14:56:38 +0100
+Subject: net: bcmgenet: Fix FCS generation for fragmented skbuffs
+
+From: Adrian Cinal <adriancinal@gmail.com>
+
+[ Upstream commit e584f2ff1e6cc9b1d99e8a6b0f3415940d1b3eb3 ]
+
+The flag DMA_TX_APPEND_CRC was only written to the first DMA descriptor
+in the TX path, where each descriptor corresponds to a single skbuff
+fragment (or the skbuff head). This led to packets with no FCS appearing
+on the wire if the kernel allocated the packet in fragments, which would
+always happen when using PACKET_MMAP/TPACKET (cf. tpacket_fill_skb() in
+net/af_packet.c).
+
+Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
+Signed-off-by: Adrian Cinal <adriancinal1@gmail.com>
+Acked-by: Doug Berger <opendmb@gmail.com>
+Acked-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://lore.kernel.org/r/20231228135638.1339245-1-adriancinal1@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+index 145488449f133..8edf12077e663 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -2086,8 +2086,10 @@ static netdev_tx_t bcmgenet_xmit(struct sk_buff *skb, struct net_device *dev)
+ 		/* Note: if we ever change from DMA_TX_APPEND_CRC below we
+ 		 * will need to restore software padding of "runt" packets
+ 		 */
++		len_stat |= DMA_TX_APPEND_CRC;
++
+ 		if (!i) {
+-			len_stat |= DMA_TX_APPEND_CRC | DMA_SOP;
++			len_stat |= DMA_SOP;
+ 			if (skb->ip_summed == CHECKSUM_PARTIAL)
+ 				len_stat |= DMA_TX_DO_CSUM;
+ 		}
+-- 
+2.43.0
+
diff --git a/queue-5.10/net-implement-missing-getsockopt-so_timestamping_new.patch b/queue-5.10/net-implement-missing-getsockopt-so_timestamping_new.patch
new file mode 100644
index 00000000000..720212813ef
--- /dev/null
+++ b/queue-5.10/net-implement-missing-getsockopt-so_timestamping_new.patch
@@ -0,0 +1,60 @@
+From c3d9ee6603aadfdabf7f95dadf4e80e595626b22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Dec 2023 00:19:01 +0100
+Subject: net: Implement missing getsockopt(SO_TIMESTAMPING_NEW)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jörn-Thorben Hinz <jthinz@mailbox.tu-berlin.de>
+
+[ Upstream commit 7f6ca95d16b96567ce4cf458a2790ff17fa620c3 ]
+
+Commit 9718475e6908 ("socket: Add SO_TIMESTAMPING_NEW") added the new
+socket option SO_TIMESTAMPING_NEW. Setting the option is handled in
+sk_setsockopt(), querying it was not handled in sk_getsockopt(), though.
+
+Following remarks on an earlier submission of this patch, keep the old
+behavior of getsockopt(SO_TIMESTAMPING_OLD) which returns the active
+flags even if they actually have been set through SO_TIMESTAMPING_NEW.
+
+The new getsockopt(SO_TIMESTAMPING_NEW) is stricter, returning flags
+only if they have been set through the same option.
+
+Fixes: 9718475e6908 ("socket: Add SO_TIMESTAMPING_NEW")
+Link: https://lore.kernel.org/lkml/20230703175048.151683-1-jthinz@mailbox.tu-berlin.de/
+Link: https://lore.kernel.org/netdev/0d7cddc9-03fa-43db-a579-14f3e822615b@app.fastmail.com/
+Signed-off-by: Jörn-Thorben Hinz <jthinz@mailbox.tu-berlin.de>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index a069b5476df46..9c3bc24bfdd1f 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1383,9 +1383,16 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
+ 		break;
+ 
+ 	case SO_LINGER:
++	case SO_TIMESTAMPING_NEW:
+ 		lv		= sizeof(v.ling);
+-		v.ling.l_onoff	= sock_flag(sk, SOCK_LINGER);
+-		v.ling.l_linger	= sk->sk_lingertime / HZ;
++		/* For the later-added case SO_TIMESTAMPING_NEW: Be strict about only
++		 * returning the flags when they were set through the same option.
++		 * Don't change the beviour for the old case SO_TIMESTAMPING_OLD.
++		 */
++		if (optname == SO_TIMESTAMPING_OLD || sock_flag(sk, SOCK_TSTAMP_NEW)) {
++			v.ling.l_onoff	= sock_flag(sk, SOCK_LINGER);
++			v.ling.l_linger	= sk->sk_lingertime / HZ;
++		}
+ 		break;
+ 
+ 	case SO_BSDCOMPAT:
+-- 
+2.43.0
+
diff --git a/queue-5.10/net-implement-missing-so_timestamping_new-cmsg-suppo.patch b/queue-5.10/net-implement-missing-so_timestamping_new-cmsg-suppo.patch
new file mode 100644
index 00000000000..8dd5fa6770b
--- /dev/null
+++ b/queue-5.10/net-implement-missing-so_timestamping_new-cmsg-suppo.patch
@@ -0,0 +1,40 @@
+From 08b7b156a13eef1f17283e1a2fc42b5840379588 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jan 2024 09:57:44 +0100
+Subject: net: Implement missing SO_TIMESTAMPING_NEW cmsg support
+
+From: Thomas Lange <thomas@corelatus.se>
+
+[ Upstream commit 382a32018b74f407008615e0e831d05ed28e81cd ]
+
+Commit 9718475e6908 ("socket: Add SO_TIMESTAMPING_NEW") added the new
+socket option SO_TIMESTAMPING_NEW. However, it was never implemented in
+__sock_cmsg_send thus breaking SO_TIMESTAMPING cmsg for platforms using
+SO_TIMESTAMPING_NEW.
+
+Fixes: 9718475e6908 ("socket: Add SO_TIMESTAMPING_NEW")
+Link: https://lore.kernel.org/netdev/6a7281bf-bc4a-4f75-bb88-7011908ae471@app.fastmail.com/
+Signed-off-by: Thomas Lange <thomas@corelatus.se>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20240104085744.49164-1-thomas@corelatus.se
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 9c3bc24bfdd1f..aa5237a6116e1 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2402,6 +2402,7 @@ int __sock_cmsg_send(struct sock *sk, struct msghdr *msg, struct cmsghdr *cmsg,
+ 		sockc->mark = *(u32 *)CMSG_DATA(cmsg);
+ 		break;
+ 	case SO_TIMESTAMPING_OLD:
++	case SO_TIMESTAMPING_NEW:
+ 		if (cmsg->cmsg_len != CMSG_LEN(sizeof(u32)))
+ 			return -EINVAL;
+ 
+-- 
+2.43.0
+
diff --git a/queue-5.10/net-qla3xxx-fix-potential-memleak-in-ql_alloc_buffer.patch b/queue-5.10/net-qla3xxx-fix-potential-memleak-in-ql_alloc_buffer.patch
new file mode 100644
index 00000000000..e8a138aa69c
--- /dev/null
+++ b/queue-5.10/net-qla3xxx-fix-potential-memleak-in-ql_alloc_buffer.patch
@@ -0,0 +1,44 @@
+From 3dd13ed939d323922f5bab1ba26f5c3a1842ad1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Dec 2023 15:02:27 +0800
+Subject: net/qla3xxx: fix potential memleak in ql_alloc_buffer_queues
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit 89f45c30172c80e55c887f32f1af8e184124577b ]
+
+When dma_alloc_coherent() fails, we should free qdev->lrg_buf
+to prevent potential memleak.
+
+Fixes: 1357bfcf7106 ("qla3xxx: Dynamically size the rx buffer queue based on the MTU.")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Link: https://lore.kernel.org/r/20231227070227.10527-1-dinghao.liu@zju.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qla3xxx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c
+index 29837e533cee8..127daad4410b9 100644
+--- a/drivers/net/ethernet/qlogic/qla3xxx.c
++++ b/drivers/net/ethernet/qlogic/qla3xxx.c
+@@ -2589,6 +2589,7 @@ static int ql_alloc_buffer_queues(struct ql3_adapter *qdev)
+ 
+ 	if (qdev->lrg_buf_q_alloc_virt_addr == NULL) {
+ 		netdev_err(qdev->ndev, "lBufQ failed\n");
++		kfree(qdev->lrg_buf);
+ 		return -ENOMEM;
+ 	}
+ 	qdev->lrg_buf_q_virt_addr = qdev->lrg_buf_q_alloc_virt_addr;
+@@ -2613,6 +2614,7 @@ static int ql_alloc_buffer_queues(struct ql3_adapter *qdev)
+ 				  qdev->lrg_buf_q_alloc_size,
+ 				  qdev->lrg_buf_q_alloc_virt_addr,
+ 				  qdev->lrg_buf_q_alloc_phy_addr);
++		kfree(qdev->lrg_buf);
+ 		return -ENOMEM;
+ 	}
+ 
+-- 
+2.43.0
+
diff --git a/queue-5.10/net-qla3xxx-switch-from-pci_-to-dma_-api.patch b/queue-5.10/net-qla3xxx-switch-from-pci_-to-dma_-api.patch
new file mode 100644
index 00000000000..f350e10fcd7
--- /dev/null
+++ b/queue-5.10/net-qla3xxx-switch-from-pci_-to-dma_-api.patch
@@ -0,0 +1,564 @@
+From 63b96a86d4318d97de0e4301dfebd1a0dab7834e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 Jan 2021 09:15:42 +0100
+Subject: net/qla3xxx: switch from 'pci_' to 'dma_' API
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 41fb4c1ba7478fe34c7e094e124e4ee4513b9763 ]
+
+The wrappers in include/linux/pci-dma-compat.h should go away.
+
+The patch has been generated with the coccinelle script below and has been
+hand modified to replace GFP_ with a correct flag.
+It has been compile tested.
+
+When memory is allocated in 'ql_alloc_net_req_rsp_queues()' GFP_KERNEL can
+be used because it is only called from 'ql_alloc_mem_resources()' which
+already calls 'ql_alloc_buffer_queues()' which uses GFP_KERNEL. (see below)
+
+When memory is allocated in 'ql_alloc_buffer_queues()' GFP_KERNEL can be
+used because this flag is already used just a few line above.
+
+When memory is allocated in 'ql_alloc_small_buffers()' GFP_KERNEL can
+be used because it is only called from 'ql_alloc_mem_resources()' which
+already calls 'ql_alloc_buffer_queues()' which uses GFP_KERNEL. (see above)
+
+When memory is allocated in 'ql_alloc_mem_resources()' GFP_KERNEL can be
+used because this function already calls 'ql_alloc_buffer_queues()' which
+uses GFP_KERNEL. (see above)
+
+While at it, use 'dma_set_mask_and_coherent()' instead of 'dma_set_mask()/
+dma_set_coherent_mask()' in order to slightly simplify code.
+
+@@
+@@
+-    PCI_DMA_BIDIRECTIONAL
++    DMA_BIDIRECTIONAL
+
+@@
+@@
+-    PCI_DMA_TODEVICE
++    DMA_TO_DEVICE
+
+@@
+@@
+-    PCI_DMA_FROMDEVICE
++    DMA_FROM_DEVICE
+
+@@
+@@
+-    PCI_DMA_NONE
++    DMA_NONE
+
+@@
+expression e1, e2, e3;
+@@
+-    pci_alloc_consistent(e1, e2, e3)
++    dma_alloc_coherent(&e1->dev, e2, e3, GFP_)
+
+@@
+expression e1, e2, e3;
+@@
+-    pci_zalloc_consistent(e1, e2, e3)
++    dma_alloc_coherent(&e1->dev, e2, e3, GFP_)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_free_consistent(e1, e2, e3, e4)
++    dma_free_coherent(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_map_single(e1, e2, e3, e4)
++    dma_map_single(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_unmap_single(e1, e2, e3, e4)
++    dma_unmap_single(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4, e5;
+@@
+-    pci_map_page(e1, e2, e3, e4, e5)
++    dma_map_page(&e1->dev, e2, e3, e4, e5)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_unmap_page(e1, e2, e3, e4)
++    dma_unmap_page(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_map_sg(e1, e2, e3, e4)
++    dma_map_sg(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_unmap_sg(e1, e2, e3, e4)
++    dma_unmap_sg(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_dma_sync_single_for_cpu(e1, e2, e3, e4)
++    dma_sync_single_for_cpu(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_dma_sync_single_for_device(e1, e2, e3, e4)
++    dma_sync_single_for_device(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_dma_sync_sg_for_cpu(e1, e2, e3, e4)
++    dma_sync_sg_for_cpu(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_dma_sync_sg_for_device(e1, e2, e3, e4)
++    dma_sync_sg_for_device(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2;
+@@
+-    pci_dma_mapping_error(e1, e2)
++    dma_mapping_error(&e1->dev, e2)
+
+@@
+expression e1, e2;
+@@
+-    pci_set_dma_mask(e1, e2)
++    dma_set_mask(&e1->dev, e2)
+
+@@
+expression e1, e2;
+@@
+-    pci_set_consistent_dma_mask(e1, e2)
++    dma_set_coherent_mask(&e1->dev, e2)
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/20210117081542.560021-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 89f45c30172c ("net/qla3xxx: fix potential memleak in ql_alloc_buffer_queues")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qla3xxx.c | 196 ++++++++++++--------------
+ 1 file changed, 87 insertions(+), 109 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c
+index 99fd35a8ca750..29837e533cee8 100644
+--- a/drivers/net/ethernet/qlogic/qla3xxx.c
++++ b/drivers/net/ethernet/qlogic/qla3xxx.c
+@@ -315,12 +315,11 @@ static void ql_release_to_lrg_buf_free_list(struct ql3_adapter *qdev,
+ 			 * buffer
+ 			 */
+ 			skb_reserve(lrg_buf_cb->skb, QL_HEADER_SPACE);
+-			map = pci_map_single(qdev->pdev,
++			map = dma_map_single(&qdev->pdev->dev,
+ 					     lrg_buf_cb->skb->data,
+-					     qdev->lrg_buffer_len -
+-					     QL_HEADER_SPACE,
+-					     PCI_DMA_FROMDEVICE);
+-			err = pci_dma_mapping_error(qdev->pdev, map);
++					     qdev->lrg_buffer_len - QL_HEADER_SPACE,
++					     DMA_FROM_DEVICE);
++			err = dma_mapping_error(&qdev->pdev->dev, map);
+ 			if (err) {
+ 				netdev_err(qdev->ndev,
+ 					   "PCI mapping failed with error: %d\n",
+@@ -1802,13 +1801,12 @@ static int ql_populate_free_queue(struct ql3_adapter *qdev)
+ 				 * first buffer
+ 				 */
+ 				skb_reserve(lrg_buf_cb->skb, QL_HEADER_SPACE);
+-				map = pci_map_single(qdev->pdev,
++				map = dma_map_single(&qdev->pdev->dev,
+ 						     lrg_buf_cb->skb->data,
+-						     qdev->lrg_buffer_len -
+-						     QL_HEADER_SPACE,
+-						     PCI_DMA_FROMDEVICE);
++						     qdev->lrg_buffer_len - QL_HEADER_SPACE,
++						     DMA_FROM_DEVICE);
+ 
+-				err = pci_dma_mapping_error(qdev->pdev, map);
++				err = dma_mapping_error(&qdev->pdev->dev, map);
+ 				if (err) {
+ 					netdev_err(qdev->ndev,
+ 						   "PCI mapping failed with error: %d\n",
+@@ -1943,18 +1941,16 @@ static void ql_process_mac_tx_intr(struct ql3_adapter *qdev,
+ 		goto invalid_seg_count;
+ 	}
+ 
+-	pci_unmap_single(qdev->pdev,
++	dma_unmap_single(&qdev->pdev->dev,
+ 			 dma_unmap_addr(&tx_cb->map[0], mapaddr),
+-			 dma_unmap_len(&tx_cb->map[0], maplen),
+-			 PCI_DMA_TODEVICE);
++			 dma_unmap_len(&tx_cb->map[0], maplen), DMA_TO_DEVICE);
+ 	tx_cb->seg_count--;
+ 	if (tx_cb->seg_count) {
+ 		for (i = 1; i < tx_cb->seg_count; i++) {
+-			pci_unmap_page(qdev->pdev,
+-				       dma_unmap_addr(&tx_cb->map[i],
+-						      mapaddr),
++			dma_unmap_page(&qdev->pdev->dev,
++				       dma_unmap_addr(&tx_cb->map[i], mapaddr),
+ 				       dma_unmap_len(&tx_cb->map[i], maplen),
+-				       PCI_DMA_TODEVICE);
++				       DMA_TO_DEVICE);
+ 		}
+ 	}
+ 	qdev->ndev->stats.tx_packets++;
+@@ -2021,10 +2017,9 @@ static void ql_process_mac_rx_intr(struct ql3_adapter *qdev,
+ 	qdev->ndev->stats.rx_bytes += length;
+ 
+ 	skb_put(skb, length);
+-	pci_unmap_single(qdev->pdev,
++	dma_unmap_single(&qdev->pdev->dev,
+ 			 dma_unmap_addr(lrg_buf_cb2, mapaddr),
+-			 dma_unmap_len(lrg_buf_cb2, maplen),
+-			 PCI_DMA_FROMDEVICE);
++			 dma_unmap_len(lrg_buf_cb2, maplen), DMA_FROM_DEVICE);
+ 	prefetch(skb->data);
+ 	skb_checksum_none_assert(skb);
+ 	skb->protocol = eth_type_trans(skb, qdev->ndev);
+@@ -2067,10 +2062,9 @@ static void ql_process_macip_rx_intr(struct ql3_adapter *qdev,
+ 	skb2 = lrg_buf_cb2->skb;
+ 
+ 	skb_put(skb2, length);	/* Just the second buffer length here. */
+-	pci_unmap_single(qdev->pdev,
++	dma_unmap_single(&qdev->pdev->dev,
+ 			 dma_unmap_addr(lrg_buf_cb2, mapaddr),
+-			 dma_unmap_len(lrg_buf_cb2, maplen),
+-			 PCI_DMA_FROMDEVICE);
++			 dma_unmap_len(lrg_buf_cb2, maplen), DMA_FROM_DEVICE);
+ 	prefetch(skb2->data);
+ 
+ 	skb_checksum_none_assert(skb2);
+@@ -2319,9 +2313,9 @@ static int ql_send_map(struct ql3_adapter *qdev,
+ 	/*
+ 	 * Map the skb buffer first.
+ 	 */
+-	map = pci_map_single(qdev->pdev, skb->data, len, PCI_DMA_TODEVICE);
++	map = dma_map_single(&qdev->pdev->dev, skb->data, len, DMA_TO_DEVICE);
+ 
+-	err = pci_dma_mapping_error(qdev->pdev, map);
++	err = dma_mapping_error(&qdev->pdev->dev, map);
+ 	if (err) {
+ 		netdev_err(qdev->ndev, "PCI mapping failed with error: %d\n",
+ 			   err);
+@@ -2357,11 +2351,11 @@ static int ql_send_map(struct ql3_adapter *qdev,
+ 		    (seg == 7 && seg_cnt > 8) ||
+ 		    (seg == 12 && seg_cnt > 13) ||
+ 		    (seg == 17 && seg_cnt > 18)) {
+-			map = pci_map_single(qdev->pdev, oal,
++			map = dma_map_single(&qdev->pdev->dev, oal,
+ 					     sizeof(struct oal),
+-					     PCI_DMA_TODEVICE);
++					     DMA_TO_DEVICE);
+ 
+-			err = pci_dma_mapping_error(qdev->pdev, map);
++			err = dma_mapping_error(&qdev->pdev->dev, map);
+ 			if (err) {
+ 				netdev_err(qdev->ndev,
+ 					   "PCI mapping outbound address list with error: %d\n",
+@@ -2423,24 +2417,24 @@ static int ql_send_map(struct ql3_adapter *qdev,
+ 		    (seg == 7 && seg_cnt > 8) ||
+ 		    (seg == 12 && seg_cnt > 13) ||
+ 		    (seg == 17 && seg_cnt > 18)) {
+-			pci_unmap_single(qdev->pdev,
+-				dma_unmap_addr(&tx_cb->map[seg], mapaddr),
+-				dma_unmap_len(&tx_cb->map[seg], maplen),
+-				 PCI_DMA_TODEVICE);
++			dma_unmap_single(&qdev->pdev->dev,
++					 dma_unmap_addr(&tx_cb->map[seg], mapaddr),
++					 dma_unmap_len(&tx_cb->map[seg], maplen),
++					 DMA_TO_DEVICE);
+ 			oal++;
+ 			seg++;
+ 		}
+ 
+-		pci_unmap_page(qdev->pdev,
++		dma_unmap_page(&qdev->pdev->dev,
+ 			       dma_unmap_addr(&tx_cb->map[seg], mapaddr),
+ 			       dma_unmap_len(&tx_cb->map[seg], maplen),
+-			       PCI_DMA_TODEVICE);
++			       DMA_TO_DEVICE);
+ 	}
+ 
+-	pci_unmap_single(qdev->pdev,
++	dma_unmap_single(&qdev->pdev->dev,
+ 			 dma_unmap_addr(&tx_cb->map[0], mapaddr),
+ 			 dma_unmap_addr(&tx_cb->map[0], maplen),
+-			 PCI_DMA_TODEVICE);
++			 DMA_TO_DEVICE);
+ 
+ 	return NETDEV_TX_BUSY;
+ 
+@@ -2526,9 +2520,8 @@ static int ql_alloc_net_req_rsp_queues(struct ql3_adapter *qdev)
+ 	wmb();
+ 
+ 	qdev->req_q_virt_addr =
+-	    pci_alloc_consistent(qdev->pdev,
+-				 (size_t) qdev->req_q_size,
+-				 &qdev->req_q_phy_addr);
++	    dma_alloc_coherent(&qdev->pdev->dev, (size_t)qdev->req_q_size,
++			       &qdev->req_q_phy_addr, GFP_KERNEL);
+ 
+ 	if ((qdev->req_q_virt_addr == NULL) ||
+ 	    LS_64BITS(qdev->req_q_phy_addr) & (qdev->req_q_size - 1)) {
+@@ -2537,16 +2530,14 @@ static int ql_alloc_net_req_rsp_queues(struct ql3_adapter *qdev)
+ 	}
+ 
+ 	qdev->rsp_q_virt_addr =
+-	    pci_alloc_consistent(qdev->pdev,
+-				 (size_t) qdev->rsp_q_size,
+-				 &qdev->rsp_q_phy_addr);
++	    dma_alloc_coherent(&qdev->pdev->dev, (size_t)qdev->rsp_q_size,
++			       &qdev->rsp_q_phy_addr, GFP_KERNEL);
+ 
+ 	if ((qdev->rsp_q_virt_addr == NULL) ||
+ 	    LS_64BITS(qdev->rsp_q_phy_addr) & (qdev->rsp_q_size - 1)) {
+ 		netdev_err(qdev->ndev, "rspQ allocation failed\n");
+-		pci_free_consistent(qdev->pdev, (size_t) qdev->req_q_size,
+-				    qdev->req_q_virt_addr,
+-				    qdev->req_q_phy_addr);
++		dma_free_coherent(&qdev->pdev->dev, (size_t)qdev->req_q_size,
++				  qdev->req_q_virt_addr, qdev->req_q_phy_addr);
+ 		return -ENOMEM;
+ 	}
+ 
+@@ -2562,15 +2553,13 @@ static void ql_free_net_req_rsp_queues(struct ql3_adapter *qdev)
+ 		return;
+ 	}
+ 
+-	pci_free_consistent(qdev->pdev,
+-			    qdev->req_q_size,
+-			    qdev->req_q_virt_addr, qdev->req_q_phy_addr);
++	dma_free_coherent(&qdev->pdev->dev, qdev->req_q_size,
++			  qdev->req_q_virt_addr, qdev->req_q_phy_addr);
+ 
+ 	qdev->req_q_virt_addr = NULL;
+ 
+-	pci_free_consistent(qdev->pdev,
+-			    qdev->rsp_q_size,
+-			    qdev->rsp_q_virt_addr, qdev->rsp_q_phy_addr);
++	dma_free_coherent(&qdev->pdev->dev, qdev->rsp_q_size,
++			  qdev->rsp_q_virt_addr, qdev->rsp_q_phy_addr);
+ 
+ 	qdev->rsp_q_virt_addr = NULL;
+ 
+@@ -2594,9 +2583,9 @@ static int ql_alloc_buffer_queues(struct ql3_adapter *qdev)
+ 		return -ENOMEM;
+ 
+ 	qdev->lrg_buf_q_alloc_virt_addr =
+-		pci_alloc_consistent(qdev->pdev,
+-				     qdev->lrg_buf_q_alloc_size,
+-				     &qdev->lrg_buf_q_alloc_phy_addr);
++		dma_alloc_coherent(&qdev->pdev->dev,
++				   qdev->lrg_buf_q_alloc_size,
++				   &qdev->lrg_buf_q_alloc_phy_addr, GFP_KERNEL);
+ 
+ 	if (qdev->lrg_buf_q_alloc_virt_addr == NULL) {
+ 		netdev_err(qdev->ndev, "lBufQ failed\n");
+@@ -2614,15 +2603,16 @@ static int ql_alloc_buffer_queues(struct ql3_adapter *qdev)
+ 		qdev->small_buf_q_alloc_size = qdev->small_buf_q_size * 2;
+ 
+ 	qdev->small_buf_q_alloc_virt_addr =
+-		pci_alloc_consistent(qdev->pdev,
+-				     qdev->small_buf_q_alloc_size,
+-				     &qdev->small_buf_q_alloc_phy_addr);
++		dma_alloc_coherent(&qdev->pdev->dev,
++				   qdev->small_buf_q_alloc_size,
++				   &qdev->small_buf_q_alloc_phy_addr, GFP_KERNEL);
+ 
+ 	if (qdev->small_buf_q_alloc_virt_addr == NULL) {
+ 		netdev_err(qdev->ndev, "Small Buffer Queue allocation failed\n");
+-		pci_free_consistent(qdev->pdev, qdev->lrg_buf_q_alloc_size,
+-				    qdev->lrg_buf_q_alloc_virt_addr,
+-				    qdev->lrg_buf_q_alloc_phy_addr);
++		dma_free_coherent(&qdev->pdev->dev,
++				  qdev->lrg_buf_q_alloc_size,
++				  qdev->lrg_buf_q_alloc_virt_addr,
++				  qdev->lrg_buf_q_alloc_phy_addr);
+ 		return -ENOMEM;
+ 	}
+ 
+@@ -2639,17 +2629,15 @@ static void ql_free_buffer_queues(struct ql3_adapter *qdev)
+ 		return;
+ 	}
+ 	kfree(qdev->lrg_buf);
+-	pci_free_consistent(qdev->pdev,
+-			    qdev->lrg_buf_q_alloc_size,
+-			    qdev->lrg_buf_q_alloc_virt_addr,
+-			    qdev->lrg_buf_q_alloc_phy_addr);
++	dma_free_coherent(&qdev->pdev->dev, qdev->lrg_buf_q_alloc_size,
++			  qdev->lrg_buf_q_alloc_virt_addr,
++			  qdev->lrg_buf_q_alloc_phy_addr);
+ 
+ 	qdev->lrg_buf_q_virt_addr = NULL;
+ 
+-	pci_free_consistent(qdev->pdev,
+-			    qdev->small_buf_q_alloc_size,
+-			    qdev->small_buf_q_alloc_virt_addr,
+-			    qdev->small_buf_q_alloc_phy_addr);
++	dma_free_coherent(&qdev->pdev->dev, qdev->small_buf_q_alloc_size,
++			  qdev->small_buf_q_alloc_virt_addr,
++			  qdev->small_buf_q_alloc_phy_addr);
+ 
+ 	qdev->small_buf_q_virt_addr = NULL;
+ 
+@@ -2667,9 +2655,9 @@ static int ql_alloc_small_buffers(struct ql3_adapter *qdev)
+ 		 QL_SMALL_BUFFER_SIZE);
+ 
+ 	qdev->small_buf_virt_addr =
+-		pci_alloc_consistent(qdev->pdev,
+-				     qdev->small_buf_total_size,
+-				     &qdev->small_buf_phy_addr);
++		dma_alloc_coherent(&qdev->pdev->dev,
++				   qdev->small_buf_total_size,
++				   &qdev->small_buf_phy_addr, GFP_KERNEL);
+ 
+ 	if (qdev->small_buf_virt_addr == NULL) {
+ 		netdev_err(qdev->ndev, "Failed to get small buffer memory\n");
+@@ -2702,10 +2690,10 @@ static void ql_free_small_buffers(struct ql3_adapter *qdev)
+ 		return;
+ 	}
+ 	if (qdev->small_buf_virt_addr != NULL) {
+-		pci_free_consistent(qdev->pdev,
+-				    qdev->small_buf_total_size,
+-				    qdev->small_buf_virt_addr,
+-				    qdev->small_buf_phy_addr);
++		dma_free_coherent(&qdev->pdev->dev,
++				  qdev->small_buf_total_size,
++				  qdev->small_buf_virt_addr,
++				  qdev->small_buf_phy_addr);
+ 
+ 		qdev->small_buf_virt_addr = NULL;
+ 	}
+@@ -2720,10 +2708,10 @@ static void ql_free_large_buffers(struct ql3_adapter *qdev)
+ 		lrg_buf_cb = &qdev->lrg_buf[i];
+ 		if (lrg_buf_cb->skb) {
+ 			dev_kfree_skb(lrg_buf_cb->skb);
+-			pci_unmap_single(qdev->pdev,
++			dma_unmap_single(&qdev->pdev->dev,
+ 					 dma_unmap_addr(lrg_buf_cb, mapaddr),
+ 					 dma_unmap_len(lrg_buf_cb, maplen),
+-					 PCI_DMA_FROMDEVICE);
++					 DMA_FROM_DEVICE);
+ 			memset(lrg_buf_cb, 0, sizeof(struct ql_rcv_buf_cb));
+ 		} else {
+ 			break;
+@@ -2775,13 +2763,11 @@ static int ql_alloc_large_buffers(struct ql3_adapter *qdev)
+ 			 * buffer
+ 			 */
+ 			skb_reserve(skb, QL_HEADER_SPACE);
+-			map = pci_map_single(qdev->pdev,
+-					     skb->data,
+-					     qdev->lrg_buffer_len -
+-					     QL_HEADER_SPACE,
+-					     PCI_DMA_FROMDEVICE);
++			map = dma_map_single(&qdev->pdev->dev, skb->data,
++					     qdev->lrg_buffer_len - QL_HEADER_SPACE,
++					     DMA_FROM_DEVICE);
+ 
+-			err = pci_dma_mapping_error(qdev->pdev, map);
++			err = dma_mapping_error(&qdev->pdev->dev, map);
+ 			if (err) {
+ 				netdev_err(qdev->ndev,
+ 					   "PCI mapping failed with error: %d\n",
+@@ -2866,8 +2852,8 @@ static int ql_alloc_mem_resources(struct ql3_adapter *qdev)
+ 	 * Network Completion Queue Producer Index Register
+ 	 */
+ 	qdev->shadow_reg_virt_addr =
+-		pci_alloc_consistent(qdev->pdev,
+-				     PAGE_SIZE, &qdev->shadow_reg_phy_addr);
++		dma_alloc_coherent(&qdev->pdev->dev, PAGE_SIZE,
++				   &qdev->shadow_reg_phy_addr, GFP_KERNEL);
+ 
+ 	if (qdev->shadow_reg_virt_addr != NULL) {
+ 		qdev->preq_consumer_index = qdev->shadow_reg_virt_addr;
+@@ -2922,10 +2908,9 @@ static int ql_alloc_mem_resources(struct ql3_adapter *qdev)
+ err_buffer_queues:
+ 	ql_free_net_req_rsp_queues(qdev);
+ err_req_rsp:
+-	pci_free_consistent(qdev->pdev,
+-			    PAGE_SIZE,
+-			    qdev->shadow_reg_virt_addr,
+-			    qdev->shadow_reg_phy_addr);
++	dma_free_coherent(&qdev->pdev->dev, PAGE_SIZE,
++			  qdev->shadow_reg_virt_addr,
++			  qdev->shadow_reg_phy_addr);
+ 
+ 	return -ENOMEM;
+ }
+@@ -2938,10 +2923,9 @@ static void ql_free_mem_resources(struct ql3_adapter *qdev)
+ 	ql_free_buffer_queues(qdev);
+ 	ql_free_net_req_rsp_queues(qdev);
+ 	if (qdev->shadow_reg_virt_addr != NULL) {
+-		pci_free_consistent(qdev->pdev,
+-				    PAGE_SIZE,
+-				    qdev->shadow_reg_virt_addr,
+-				    qdev->shadow_reg_phy_addr);
++		dma_free_coherent(&qdev->pdev->dev, PAGE_SIZE,
++				  qdev->shadow_reg_virt_addr,
++				  qdev->shadow_reg_phy_addr);
+ 		qdev->shadow_reg_virt_addr = NULL;
+ 	}
+ }
+@@ -3642,18 +3626,15 @@ static void ql_reset_work(struct work_struct *work)
+ 			if (tx_cb->skb) {
+ 				netdev_printk(KERN_DEBUG, ndev,
+ 					      "Freeing lost SKB\n");
+-				pci_unmap_single(qdev->pdev,
+-					 dma_unmap_addr(&tx_cb->map[0],
+-							mapaddr),
+-					 dma_unmap_len(&tx_cb->map[0], maplen),
+-					 PCI_DMA_TODEVICE);
++				dma_unmap_single(&qdev->pdev->dev,
++						 dma_unmap_addr(&tx_cb->map[0], mapaddr),
++						 dma_unmap_len(&tx_cb->map[0], maplen),
++						 DMA_TO_DEVICE);
+ 				for (j = 1; j < tx_cb->seg_count; j++) {
+-					pci_unmap_page(qdev->pdev,
+-					       dma_unmap_addr(&tx_cb->map[j],
+-							      mapaddr),
+-					       dma_unmap_len(&tx_cb->map[j],
+-							     maplen),
+-					       PCI_DMA_TODEVICE);
++					dma_unmap_page(&qdev->pdev->dev,
++						       dma_unmap_addr(&tx_cb->map[j], mapaddr),
++						       dma_unmap_len(&tx_cb->map[j], maplen),
++						       DMA_TO_DEVICE);
+ 				}
+ 				dev_kfree_skb(tx_cb->skb);
+ 				tx_cb->skb = NULL;
+@@ -3785,13 +3766,10 @@ static int ql3xxx_probe(struct pci_dev *pdev,
+ 
+ 	pci_set_master(pdev);
+ 
+-	if (!pci_set_dma_mask(pdev, DMA_BIT_MASK(64))) {
++	if (!dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(64)))
+ 		pci_using_dac = 1;
+-		err = pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(64));
+-	} else if (!(err = pci_set_dma_mask(pdev, DMA_BIT_MASK(32)))) {
++	else if (!(err = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(32))))
+ 		pci_using_dac = 0;
+-		err = pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(32));
+-	}
+ 
+ 	if (err) {
+ 		pr_err("%s no usable DMA configuration\n", pci_name(pdev));
+-- 
+2.43.0
+
diff --git a/queue-5.10/net-save-and-restore-msg_namelen-in-sock_sendmsg.patch b/queue-5.10/net-save-and-restore-msg_namelen-in-sock_sendmsg.patch
new file mode 100644
index 00000000000..283fbc5f261
--- /dev/null
+++ b/queue-5.10/net-save-and-restore-msg_namelen-in-sock_sendmsg.patch
@@ -0,0 +1,55 @@
+From 9ec147524a19e42445d85bafa9430332b80d1e73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Dec 2023 09:12:30 -0400
+Subject: net: Save and restore msg_namelen in sock_sendmsg
+
+From: Marc Dionne <marc.dionne@auristor.com>
+
+[ Upstream commit 01b2885d9415152bcb12ff1f7788f500a74ea0ed ]
+
+Commit 86a7e0b69bd5 ("net: prevent rewrite of msg_name in
+sock_sendmsg()") made sock_sendmsg save the incoming msg_name pointer
+and restore it before returning, to insulate the caller against
+msg_name being changed by the called code.  If the address length
+was also changed however, we may return with an inconsistent structure
+where the length doesn't match the address, and attempts to reuse it may
+lead to lost packets.
+
+For example, a kernel that doesn't have commit 1c5950fc6fe9 ("udp6: fix
+potential access to stale information") will replace a v4 mapped address
+with its ipv4 equivalent, and shorten namelen accordingly from 28 to 16.
+If the caller attempts to reuse the resulting msg structure, it will have
+the original ipv6 (v4 mapped) address but an incorrect v4 length.
+
+Fixes: 86a7e0b69bd5 ("net: prevent rewrite of msg_name in sock_sendmsg()")
+Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/socket.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/socket.c b/net/socket.c
+index 36e38ee434ea1..2a48aa89c035b 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -675,6 +675,7 @@ int sock_sendmsg(struct socket *sock, struct msghdr *msg)
+ {
+ 	struct sockaddr_storage *save_addr = (struct sockaddr_storage *)msg->msg_name;
+ 	struct sockaddr_storage address;
++	int save_len = msg->msg_namelen;
+ 	int ret;
+ 
+ 	if (msg->msg_name) {
+@@ -684,6 +685,7 @@ int sock_sendmsg(struct socket *sock, struct msghdr *msg)
+ 
+ 	ret = __sock_sendmsg(sock, msg);
+ 	msg->msg_name = save_addr;
++	msg->msg_namelen = save_len;
+ 
+ 	return ret;
+ }
+-- 
+2.43.0
+
diff --git a/queue-5.10/net-sched-em_text-fix-possible-memory-leak-in-em_tex.patch b/queue-5.10/net-sched-em_text-fix-possible-memory-leak-in-em_tex.patch
new file mode 100644
index 00000000000..3fb7859d8cd
--- /dev/null
+++ b/queue-5.10/net-sched-em_text-fix-possible-memory-leak-in-em_tex.patch
@@ -0,0 +1,40 @@
+From 6f5c01facedbb9e1cd6fa70d7c05d503606372b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Dec 2023 10:25:31 +0800
+Subject: net: sched: em_text: fix possible memory leak in em_text_destroy()
+
+From: Hangyu Hua <hbh25y@gmail.com>
+
+[ Upstream commit 8fcb0382af6f1ef50936f1be05b8149eb2f88496 ]
+
+m->data needs to be freed when em_text_destroy is called.
+
+Fixes: d675c989ed2d ("[PKT_SCHED]: Packet classification based on textsearch (ematch)")
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/em_text.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/em_text.c b/net/sched/em_text.c
+index 6f3c1fb2fb44c..f176afb70559e 100644
+--- a/net/sched/em_text.c
++++ b/net/sched/em_text.c
+@@ -97,8 +97,10 @@ static int em_text_change(struct net *net, void *data, int len,
+ 
+ static void em_text_destroy(struct tcf_ematch *m)
+ {
+-	if (EM_TEXT_PRIV(m) && EM_TEXT_PRIV(m)->config)
++	if (EM_TEXT_PRIV(m) && EM_TEXT_PRIV(m)->config) {
+ 		textsearch_destroy(EM_TEXT_PRIV(m)->config);
++		kfree(EM_TEXT_PRIV(m));
++	}
+ }
+ 
+ static int em_text_dump(struct sk_buff *skb, struct tcf_ematch *m)
+-- 
+2.43.0
+
diff --git a/queue-5.10/netfilter-nft_immediate-drop-chain-reference-counter.patch b/queue-5.10/netfilter-nft_immediate-drop-chain-reference-counter.patch
new file mode 100644
index 00000000000..26ca831e774
--- /dev/null
+++ b/queue-5.10/netfilter-nft_immediate-drop-chain-reference-counter.patch
@@ -0,0 +1,36 @@
+From 1b0e8d16b1a4a279c81d86783eff9e962d905a44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jan 2024 20:15:33 +0100
+Subject: netfilter: nft_immediate: drop chain reference counter on error
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit b29be0ca8e816119ccdf95cc7d7c7be9bde005f1 ]
+
+In the init path, nft_data_init() bumps the chain reference counter,
+decrement it on error by following the error path which calls
+nft_data_release() to restore it.
+
+Fixes: 4bedf9eee016 ("netfilter: nf_tables: fix chain binding transaction logic")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_immediate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c
+index 7d5b63c5a30af..d154fe67ca8a6 100644
+--- a/net/netfilter/nft_immediate.c
++++ b/net/netfilter/nft_immediate.c
+@@ -78,7 +78,7 @@ static int nft_immediate_init(const struct nft_ctx *ctx,
+ 		case NFT_GOTO:
+ 			err = nf_tables_bind_chain(ctx, chain);
+ 			if (err < 0)
+-				return err;
++				goto err1;
+ 			break;
+ 		default:
+ 			break;
+-- 
+2.43.0
+
diff --git a/queue-5.10/netfilter-nftables-add-loop-check-helper-function.patch b/queue-5.10/netfilter-nftables-add-loop-check-helper-function.patch
new file mode 100644
index 00000000000..bef45b0f278
--- /dev/null
+++ b/queue-5.10/netfilter-nftables-add-loop-check-helper-function.patch
@@ -0,0 +1,74 @@
+From e6d71f0e7e6040606f698af0680ff75b6d9a8e81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Apr 2021 18:05:41 +0200
+Subject: netfilter: nftables: add loop check helper function
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 6387aa6e59be8d1158c5703f34553c93d7743d8c ]
+
+This patch adds nft_check_loops() to reuse it in the new catch-all
+element codebase.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Stable-dep-of: b29be0ca8e81 ("netfilter: nft_immediate: drop chain reference counter on error")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 30 +++++++++++++++++++++---------
+ 1 file changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index f244a4323a43b..03189738a73b9 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -8994,26 +8994,38 @@ EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
+ static int nf_tables_check_loops(const struct nft_ctx *ctx,
+ 				 const struct nft_chain *chain);
+ 
++static int nft_check_loops(const struct nft_ctx *ctx,
++			   const struct nft_set_ext *ext)
++{
++	const struct nft_data *data;
++	int ret;
++
++	data = nft_set_ext_data(ext);
++	switch (data->verdict.code) {
++	case NFT_JUMP:
++	case NFT_GOTO:
++		ret = nf_tables_check_loops(ctx, data->verdict.chain);
++		break;
++	default:
++		ret = 0;
++		break;
++	}
++
++	return ret;
++}
++
+ static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
+ 					struct nft_set *set,
+ 					const struct nft_set_iter *iter,
+ 					struct nft_set_elem *elem)
+ {
+ 	const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
+-	const struct nft_data *data;
+ 
+ 	if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
+ 	    *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
+ 		return 0;
+ 
+-	data = nft_set_ext_data(ext);
+-	switch (data->verdict.code) {
+-	case NFT_JUMP:
+-	case NFT_GOTO:
+-		return nf_tables_check_loops(ctx, data->verdict.chain);
+-	default:
+-		return 0;
+-	}
++	return nft_check_loops(ctx, ext);
+ }
+ 
+ static int nf_tables_check_loops(const struct nft_ctx *ctx,
+-- 
+2.43.0
+
diff --git a/queue-5.10/nfc-llcp_core-hold-a-ref-to-llcp_local-dev-when-hold.patch b/queue-5.10/nfc-llcp_core-hold-a-ref-to-llcp_local-dev-when-hold.patch
new file mode 100644
index 00000000000..2997a53a467
--- /dev/null
+++ b/queue-5.10/nfc-llcp_core-hold-a-ref-to-llcp_local-dev-when-hold.patch
@@ -0,0 +1,128 @@
+From 0bda1e04210960be60f6c608b03c3c34bf01f773 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Dec 2023 23:19:43 +0530
+Subject: nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to
+ llcp_local
+
+From: Siddh Raman Pant <code@siddh.me>
+
+[ Upstream commit c95f919567d6f1914f13350af61a1b044ac85014 ]
+
+llcp_sock_sendmsg() calls nfc_llcp_send_ui_frame() which in turn calls
+nfc_alloc_send_skb(), which accesses the nfc_dev from the llcp_sock for
+getting the headroom and tailroom needed for skb allocation.
+
+Parallelly the nfc_dev can be freed, as the refcount is decreased via
+nfc_free_device(), leading to a UAF reported by Syzkaller, which can
+be summarized as follows:
+
+(1) llcp_sock_sendmsg() -> nfc_llcp_send_ui_frame()
+	-> nfc_alloc_send_skb() -> Dereference *nfc_dev
+(2) virtual_ncidev_close() -> nci_free_device() -> nfc_free_device()
+	-> put_device() -> nfc_release() -> Free *nfc_dev
+
+When a reference to llcp_local is acquired, we do not acquire the same
+for the nfc_dev. This leads to freeing even when the llcp_local is in
+use, and this is the case with the UAF described above too.
+
+Thus, when we acquire a reference to llcp_local, we should acquire a
+reference to nfc_dev, and release the references appropriately later.
+
+References for llcp_local is initialized in nfc_llcp_register_device()
+(which is called by nfc_register_device()). Thus, we should acquire a
+reference to nfc_dev there.
+
+nfc_unregister_device() calls nfc_llcp_unregister_device() which in
+turn calls nfc_llcp_local_put(). Thus, the reference to nfc_dev is
+appropriately released later.
+
+Reported-and-tested-by: syzbot+bbe84a4010eeea00982d@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d
+Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket")
+Reviewed-by: Suman Ghosh <sumang@marvell.com>
+Signed-off-by: Siddh Raman Pant <code@siddh.me>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/llcp_core.c | 39 ++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 36 insertions(+), 3 deletions(-)
+
+diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
+index 92f70686bee0a..da3cb0d29b972 100644
+--- a/net/nfc/llcp_core.c
++++ b/net/nfc/llcp_core.c
+@@ -147,6 +147,13 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
+ 
+ static struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local)
+ {
++	/* Since using nfc_llcp_local may result in usage of nfc_dev, whenever
++	 * we hold a reference to local, we also need to hold a reference to
++	 * the device to avoid UAF.
++	 */
++	if (!nfc_get_device(local->dev->idx))
++		return NULL;
++
+ 	kref_get(&local->ref);
+ 
+ 	return local;
+@@ -179,10 +186,18 @@ static void local_release(struct kref *ref)
+ 
+ int nfc_llcp_local_put(struct nfc_llcp_local *local)
+ {
++	struct nfc_dev *dev;
++	int ret;
++
+ 	if (local == NULL)
+ 		return 0;
+ 
+-	return kref_put(&local->ref, local_release);
++	dev = local->dev;
++
++	ret = kref_put(&local->ref, local_release);
++	nfc_put_device(dev);
++
++	return ret;
+ }
+ 
+ static struct nfc_llcp_sock *nfc_llcp_sock_get(struct nfc_llcp_local *local,
+@@ -968,8 +983,17 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
+ 	}
+ 
+ 	new_sock = nfc_llcp_sock(new_sk);
+-	new_sock->dev = local->dev;
++
+ 	new_sock->local = nfc_llcp_local_get(local);
++	if (!new_sock->local) {
++		reason = LLCP_DM_REJ;
++		sock_put(&new_sock->sk);
++		release_sock(&sock->sk);
++		sock_put(&sock->sk);
++		goto fail;
++	}
++
++	new_sock->dev = local->dev;
+ 	new_sock->rw = sock->rw;
+ 	new_sock->miux = sock->miux;
+ 	new_sock->nfc_protocol = sock->nfc_protocol;
+@@ -1607,7 +1631,16 @@ int nfc_llcp_register_device(struct nfc_dev *ndev)
+ 	if (local == NULL)
+ 		return -ENOMEM;
+ 
+-	local->dev = ndev;
++	/* As we are going to initialize local's refcount, we need to get the
++	 * nfc_dev to avoid UAF, otherwise there is no point in continuing.
++	 * See nfc_llcp_local_get().
++	 */
++	local->dev = nfc_get_device(ndev->idx);
++	if (!local->dev) {
++		kfree(local);
++		return -ENODEV;
++	}
++
+ 	INIT_LIST_HEAD(&local->list);
+ 	kref_init(&local->ref);
+ 	mutex_init(&local->sdp_lock);
+-- 
+2.43.0
+
diff --git a/queue-5.10/octeontx2-af-fix-marking-couple-of-structure-as-__pa.patch b/queue-5.10/octeontx2-af-fix-marking-couple-of-structure-as-__pa.patch
new file mode 100644
index 00000000000..42702233c61
--- /dev/null
+++ b/queue-5.10/octeontx2-af-fix-marking-couple-of-structure-as-__pa.patch
@@ -0,0 +1,46 @@
+From 72c2291863fa067bf50a908e05d913178c818abe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Dec 2023 19:56:33 +0530
+Subject: octeontx2-af: Fix marking couple of structure as __packed
+
+From: Suman Ghosh <sumang@marvell.com>
+
+[ Upstream commit 0ee2384a5a0f3b4eeac8d10bb01a0609d245a4d1 ]
+
+Couple of structures was not marked as __packed. This patch
+fixes the same and mark them as __packed.
+
+Fixes: 42006910b5ea ("octeontx2-af: cleanup KPU config data")
+Signed-off-by: Suman Ghosh <sumang@marvell.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/af/npc.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/af/npc.h b/drivers/net/ethernet/marvell/octeontx2/af/npc.h
+index 407b9477da248..dc34e564c9192 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/af/npc.h
++++ b/drivers/net/ethernet/marvell/octeontx2/af/npc.h
+@@ -359,7 +359,7 @@ struct npc_lt_def {
+ 	u8	ltype_mask;
+ 	u8	ltype_match;
+ 	u8	lid;
+-};
++} __packed;
+ 
+ struct npc_lt_def_ipsec {
+ 	u8	ltype_mask;
+@@ -367,7 +367,7 @@ struct npc_lt_def_ipsec {
+ 	u8	lid;
+ 	u8	spi_offset;
+ 	u8	spi_nz;
+-};
++} __packed;
+ 
+ struct npc_lt_def_cfg {
+ 	struct npc_lt_def	rx_ol2;
+-- 
+2.43.0
+
diff --git a/queue-5.10/series b/queue-5.10/series
index c071d30dc1d..2f698eef0df 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -1,2 +1,26 @@
 keys-dns-fix-missing-size-check-of-v1-server-list-header.patch
 block-don-t-invalidate-pagecache-for-invalid-falloc-modes.patch
+nfc-llcp_core-hold-a-ref-to-llcp_local-dev-when-hold.patch
+octeontx2-af-fix-marking-couple-of-structure-as-__pa.patch
+drm-i915-dp-fix-passing-the-correct-dpcd_rev-for-drm.patch
+i40e-fix-filter-input-checks-to-prevent-config-with-.patch
+net-sched-em_text-fix-possible-memory-leak-in-em_tex.patch
+net-implement-missing-getsockopt-so_timestamping_new.patch
+arm-sun9i-smp-fix-array-index-out-of-bounds-read-in-.patch
+sfc-fix-a-double-free-bug-in-efx_probe_filters.patch
+net-bcmgenet-fix-fcs-generation-for-fragmented-skbuf.patch
+netfilter-nftables-add-loop-check-helper-function.patch
+netfilter-nft_immediate-drop-chain-reference-counter.patch
+net-save-and-restore-msg_namelen-in-sock_sendmsg.patch
+i40e-fix-use-after-free-in-i40e_aqc_add_filters.patch
+asoc-meson-g12a-toacodec-validate-written-enum-value.patch
+asoc-meson-g12a-tohdmitx-validate-written-enum-value.patch
+asoc-meson-g12a-toacodec-fix-event-generation.patch
+asoc-meson-g12a-tohdmitx-fix-event-generation-for-s-.patch
+i40e-restore-vf-msi-x-state-during-pci-reset.patch
+net-qla3xxx-switch-from-pci_-to-dma_-api.patch
+net-qla3xxx-fix-potential-memleak-in-ql_alloc_buffer.patch
+asix-add-check-for-usbnet_get_endpoints.patch
+bnxt_en-remove-mis-applied-code-from-bnxt_cfg_ntp_fi.patch
+net-implement-missing-so_timestamping_new-cmsg-suppo.patch
+mm-memory-failure-check-the-mapcount-of-the-precise-.patch
diff --git a/queue-5.10/sfc-fix-a-double-free-bug-in-efx_probe_filters.patch b/queue-5.10/sfc-fix-a-double-free-bug-in-efx_probe_filters.patch
new file mode 100644
index 00000000000..7e03c4c132e
--- /dev/null
+++ b/queue-5.10/sfc-fix-a-double-free-bug-in-efx_probe_filters.patch
@@ -0,0 +1,51 @@
+From 80ef06479d3e963d4e9aa2fd71e605cf4f7b5346 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Dec 2023 19:29:14 +0800
+Subject: sfc: fix a double-free bug in efx_probe_filters
+
+From: Zhipeng Lu <alexious@zju.edu.cn>
+
+[ Upstream commit d5a306aedba34e640b11d7026dbbafb78ee3a5f6 ]
+
+In efx_probe_filters, the channel->rps_flow_id is freed in a
+efx_for_each_channel marco  when success equals to 0.
+However, after the following call chain:
+
+ef100_net_open
+  |-> efx_probe_filters
+  |-> ef100_net_stop
+        |-> efx_remove_filters
+
+The channel->rps_flow_id is freed again in the efx_for_each_channel of
+efx_remove_filters, triggering a double-free bug.
+
+Fixes: a9dc3d5612ce ("sfc_ef100: RX filter table management and related gubbins")
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Edward Cree <ecree.xilinx@gmail.com>
+Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
+Link: https://lore.kernel.org/r/20231225112915.3544581-1-alexious@zju.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sfc/rx_common.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/sfc/rx_common.c b/drivers/net/ethernet/sfc/rx_common.c
+index 36b46ddb67107..0ea3168e08960 100644
+--- a/drivers/net/ethernet/sfc/rx_common.c
++++ b/drivers/net/ethernet/sfc/rx_common.c
+@@ -837,8 +837,10 @@ int efx_probe_filters(struct efx_nic *efx)
+ 		}
+ 
+ 		if (!success) {
+-			efx_for_each_channel(channel, efx)
++			efx_for_each_channel(channel, efx) {
+ 				kfree(channel->rps_flow_id);
++				channel->rps_flow_id = NULL;
++			}
+ 			efx->type->filter_table_remove(efx);
+ 			rc = -ENOMEM;
+ 			goto out_unlock;
+-- 
+2.43.0
+
-- 
2.47.3