6.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 22 Nov 2023 19:46:46 +0000 (19:46 +0000)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 22 Nov 2023 19:46:46 +0000 (19:46 +0000)
added patches:
arm64-module-fix-plt-counting-when-config_randomize_base-n.patch
arm64-restrict-cpu_big_endian-to-gnu-as-or-llvm-ias-15.x-or-newer.patch
clk-qcom-ipq6018-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch
clk-qcom-ipq8074-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch
clk-socfpga-fix-undefined-behavior-bug-in-struct-stratix10_clock_data.patch
clk-visconti-fix-undefined-behavior-bug-in-struct-visconti_pll_provider.patch
cpufreq-stats-fix-buffer-overflow-detection-in-trans_stats.patch
integrity-powerpc-do-not-select-ca_machine_keyring.patch
ksmbd-fix-recursive-locking-in-vfs-helpers.patch
ksmbd-fix-slab-out-of-bounds-write-in-smb_inherit_dacl.patch
ksmbd-handle-malformed-smb1-message.patch
mmc-add-quirk-mmc_quirk_broken_cache_flush-for-micron-emmc-q2j54a.patch
mmc-sdhci_am654-fix-start-loop-index-for-tap-value-parsing.patch
mmc-vub300-fix-an-error-code.patch
parisc-agp-use-64-bit-le-values-in-sba-iommu-pdir-table.patch
parisc-pdc-add-width-field-to-struct-pdc_model.patch
parisc-power-add-power-soft-off-when-running-on-qemu.patch
pmdomain-imx-make-imx-pgc-power-domain-also-set-the-fwnode.patch
powercap-intel_rapl-downgrade-bios-locked-limits-pr_warn-to-pr_debug.patch

20 files changed:
queue-6.6/arm64-module-fix-plt-counting-when-config_randomize_base-n.patch [new file with mode: 0644]
queue-6.6/arm64-restrict-cpu_big_endian-to-gnu-as-or-llvm-ias-15.x-or-newer.patch [new file with mode: 0644]
queue-6.6/clk-qcom-ipq6018-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch [new file with mode: 0644]
queue-6.6/clk-qcom-ipq8074-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch [new file with mode: 0644]
queue-6.6/clk-socfpga-fix-undefined-behavior-bug-in-struct-stratix10_clock_data.patch [new file with mode: 0644]
queue-6.6/clk-visconti-fix-undefined-behavior-bug-in-struct-visconti_pll_provider.patch [new file with mode: 0644]
queue-6.6/cpufreq-stats-fix-buffer-overflow-detection-in-trans_stats.patch [new file with mode: 0644]
queue-6.6/integrity-powerpc-do-not-select-ca_machine_keyring.patch [new file with mode: 0644]
queue-6.6/ksmbd-fix-recursive-locking-in-vfs-helpers.patch [new file with mode: 0644]
queue-6.6/ksmbd-fix-slab-out-of-bounds-write-in-smb_inherit_dacl.patch [new file with mode: 0644]
queue-6.6/ksmbd-handle-malformed-smb1-message.patch [new file with mode: 0644]
queue-6.6/mmc-add-quirk-mmc_quirk_broken_cache_flush-for-micron-emmc-q2j54a.patch [new file with mode: 0644]
queue-6.6/mmc-sdhci_am654-fix-start-loop-index-for-tap-value-parsing.patch [new file with mode: 0644]
queue-6.6/mmc-vub300-fix-an-error-code.patch [new file with mode: 0644]
queue-6.6/parisc-agp-use-64-bit-le-values-in-sba-iommu-pdir-table.patch [new file with mode: 0644]
queue-6.6/parisc-pdc-add-width-field-to-struct-pdc_model.patch [new file with mode: 0644]
queue-6.6/parisc-power-add-power-soft-off-when-running-on-qemu.patch [new file with mode: 0644]
queue-6.6/pmdomain-imx-make-imx-pgc-power-domain-also-set-the-fwnode.patch [new file with mode: 0644]
queue-6.6/powercap-intel_rapl-downgrade-bios-locked-limits-pr_warn-to-pr_debug.patch [new file with mode: 0644]
queue-6.6/series

diff --git a/queue-6.6/arm64-module-fix-plt-counting-when-config_randomize_base-n.patch b/queue-6.6/arm64-module-fix-plt-counting-when-config_randomize_base-n.patch
new file mode 100644 (file)
index 0000000..7d927b7
--- /dev/null
@@ -0,0 +1,67 @@
+From d35686444fc80950c731e33a2f6ad4a55822be9b Mon Sep 17 00:00:00 2001
+From: Maria Yu <quic_aiquny@quicinc.com>
+Date: Tue, 24 Oct 2023 09:09:54 +0800
+Subject: arm64: module: Fix PLT counting when CONFIG_RANDOMIZE_BASE=n
+
+From: Maria Yu <quic_aiquny@quicinc.com>
+
+commit d35686444fc80950c731e33a2f6ad4a55822be9b upstream.
+
+The counting of module PLTs has been broken when CONFIG_RANDOMIZE_BASE=n
+since commit:
+
+  3e35d303ab7d22c4 ("arm64: module: rework module VA range selection")
+
+Prior to that commit, when CONFIG_RANDOMIZE_BASE=n, the kernel image and
+all modules were placed within a 128M region, and no PLTs were necessary
+for B or BL. Hence count_plts() and partition_branch_plt_relas() skipped
+handling B and BL when CONFIG_RANDOMIZE_BASE=n.
+
+After that commit, modules can be placed anywhere within a 2G window
+regardless of CONFIG_RANDOMIZE_BASE, and hence PLTs may be necessary for
+B and BL even when CONFIG_RANDOMIZE_BASE=n. Unfortunately that commit
+failed to update count_plts() and partition_branch_plt_relas()
+accordingly.
+
+Due to this, module_emit_plt_entry() may fail if an insufficient number
+of PLT entries have been reserved, resulting in modules failing to load
+with -ENOEXEC.
+
+Fix this by counting PLTs regardless of CONFIG_RANDOMIZE_BASE in
+count_plts() and partition_branch_plt_relas().
+
+Fixes: 3e35d303ab7d ("arm64: module: rework module VA range selection")
+Signed-off-by: Maria Yu <quic_aiquny@quicinc.com>
+Cc: <stable@vger.kernel.org> # 6.5.x
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Fixes: 3e35d303ab7d ("arm64: module: rework module VA range selection")
+Reviewed-by: Mark Rutland <mark.rutland@arm.com>
+Link: https://lore.kernel.org/r/20231024010954.6768-1-quic_aiquny@quicinc.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/module-plts.c |    6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/arch/arm64/kernel/module-plts.c
++++ b/arch/arm64/kernel/module-plts.c
+@@ -167,9 +167,6 @@ static unsigned int count_plts(Elf64_Sym
+               switch (ELF64_R_TYPE(rela[i].r_info)) {
+               case R_AARCH64_JUMP26:
+               case R_AARCH64_CALL26:
+-                      if (!IS_ENABLED(CONFIG_RANDOMIZE_BASE))
+-                              break;
+-
+                       /*
+                        * We only have to consider branch targets that resolve
+                        * to symbols that are defined in a different section.
+@@ -269,9 +266,6 @@ static int partition_branch_plt_relas(El
+ {
+       int i = 0, j = numrels - 1;
+-      if (!IS_ENABLED(CONFIG_RANDOMIZE_BASE))
+-              return 0;
+-
+       while (i < j) {
+               if (branch_rela_needs_plt(syms, &rela[i], dstidx))
+                       i++;
diff --git a/queue-6.6/arm64-restrict-cpu_big_endian-to-gnu-as-or-llvm-ias-15.x-or-newer.patch b/queue-6.6/arm64-restrict-cpu_big_endian-to-gnu-as-or-llvm-ias-15.x-or-newer.patch
new file mode 100644 (file)
index 0000000..e2c56d6
--- /dev/null
@@ -0,0 +1,89 @@
+From 146a15b873353f8ac28dc281c139ff611a3c4848 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Wed, 25 Oct 2023 10:21:28 -0700
+Subject: arm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 146a15b873353f8ac28dc281c139ff611a3c4848 upstream.
+
+Prior to LLVM 15.0.0, LLVM's integrated assembler would incorrectly
+byte-swap NOP when compiling for big-endian, and the resulting series of
+bytes happened to match the encoding of FNMADD S21, S30, S0, S0.
+
+This went unnoticed until commit:
+
+  34f66c4c4d5518c1 ("arm64: Use a positive cpucap for FP/SIMD")
+
+Prior to that commit, the kernel would always enable the use of FPSIMD
+early in boot when __cpu_setup() initialized CPACR_EL1, and so usage of
+FNMADD within the kernel was not detected, but could result in the
+corruption of user or kernel FPSIMD state.
+
+After that commit, the instructions happen to trap during boot prior to
+FPSIMD being detected and enabled, e.g.
+
+| Unhandled 64-bit el1h sync exception on CPU0, ESR 0x000000001fe00000 -- ASIMD
+| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1
+| Hardware name: linux,dummy-virt (DT)
+| pstate: 400000c9 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+| pc : __pi_strcmp+0x1c/0x150
+| lr : populate_properties+0xe4/0x254
+| sp : ffffd014173d3ad0
+| x29: ffffd014173d3af0 x28: fffffbfffddffcb8 x27: 0000000000000000
+| x26: 0000000000000058 x25: fffffbfffddfe054 x24: 0000000000000008
+| x23: fffffbfffddfe000 x22: fffffbfffddfe000 x21: fffffbfffddfe044
+| x20: ffffd014173d3b70 x19: 0000000000000001 x18: 0000000000000005
+| x17: 0000000000000010 x16: 0000000000000000 x15: 00000000413e7000
+| x14: 0000000000000000 x13: 0000000000001bcc x12: 0000000000000000
+| x11: 00000000d00dfeed x10: ffffd414193f2cd0 x9 : 0000000000000000
+| x8 : 0101010101010101 x7 : ffffffffffffffc0 x6 : 0000000000000000
+| x5 : 0000000000000000 x4 : 0101010101010101 x3 : 000000000000002a
+| x2 : 0000000000000001 x1 : ffffd014171f2988 x0 : fffffbfffddffcb8
+| Kernel panic - not syncing: Unhandled exception
+| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1
+| Hardware name: linux,dummy-virt (DT)
+| Call trace:
+|  dump_backtrace+0xec/0x108
+|  show_stack+0x18/0x2c
+|  dump_stack_lvl+0x50/0x68
+|  dump_stack+0x18/0x24
+|  panic+0x13c/0x340
+|  el1t_64_irq_handler+0x0/0x1c
+|  el1_abort+0x0/0x5c
+|  el1h_64_sync+0x64/0x68
+|  __pi_strcmp+0x1c/0x150
+|  unflatten_dt_nodes+0x1e8/0x2d8
+|  __unflatten_device_tree+0x5c/0x15c
+|  unflatten_device_tree+0x38/0x50
+|  setup_arch+0x164/0x1e0
+|  start_kernel+0x64/0x38c
+|  __primary_switched+0xbc/0xc4
+
+Restrict CONFIG_CPU_BIG_ENDIAN to a known good assembler, which is
+either GNU as or LLVM's IAS 15.0.0 and newer, which contains the linked
+commit.
+
+Closes: https://github.com/ClangBuiltLinux/linux/issues/1948
+Link: https://github.com/llvm/llvm-project/commit/1379b150991f70a5782e9a143c2ba5308da1161c
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Cc: stable@vger.kernel.org
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Link: https://lore.kernel.org/r/20231025-disable-arm64-be-ias-b4-llvm-15-v1-1-b25263ed8b23@kernel.org
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/Kconfig |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -1368,6 +1368,8 @@ choice
+ config CPU_BIG_ENDIAN
+       bool "Build big-endian kernel"
+       depends on !LD_IS_LLD || LLD_VERSION >= 130000
++      # https://github.com/llvm/llvm-project/commit/1379b150991f70a5782e9a143c2ba5308da1161c
++      depends on AS_IS_GNU || AS_VERSION >= 150000
+       help
+         Say Y if you plan on running a kernel with a big-endian userspace.
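Review bot: The comment above the new `depends on AS_IS_GNU || AS_VERSION >= 150000` line is a bare URL, so a reader of Kconfig has to follow the link to learn why the assembler is constrained. The commit message already gives the reason (LLVM's integrated assembler before 15.0.0 byte-swaps NOP incorrectly for big-endian and the bytes decode as FNMADD), and a one-line summary would keep it next to the dependency: `# LLVM IAS < 15.0.0 mis-encodes NOP on big-endian (bytes decode as FNMADD); fixed by:` followed by the existing link. The `config CPU_BIG_ENDIAN` entry continues past the end of the hunk.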
diff --git a/queue-6.6/clk-qcom-ipq6018-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch b/queue-6.6/clk-qcom-ipq6018-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch
new file mode 100644 (file)
index 0000000..29585bb
--- /dev/null
@@ -0,0 +1,75 @@
+From 99cd4935cb972d0aafb16838bb2aeadbcaf196ce Mon Sep 17 00:00:00 2001
+From: Kathiravan Thirumoorthy <quic_kathirav@quicinc.com>
+Date: Thu, 14 Sep 2023 12:29:52 +0530
+Subject: clk: qcom: ipq6018: drop the CLK_SET_RATE_PARENT flag from PLL clocks
+
+From: Kathiravan Thirumoorthy <quic_kathirav@quicinc.com>
+
+commit 99cd4935cb972d0aafb16838bb2aeadbcaf196ce upstream.
+
+GPLL, NSS crypto PLL clock rates are fixed and shouldn't be scaled based
+on the request from dependent clocks. Doing so will result in the
+unexpected behaviour. So drop the CLK_SET_RATE_PARENT flag from the PLL
+clocks.
+
+Cc: stable@vger.kernel.org
+Fixes: d9db07f088af ("clk: qcom: Add ipq6018 Global Clock Controller support")
+Signed-off-by: Kathiravan Thirumoorthy <quic_kathirav@quicinc.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Link: https://lore.kernel.org/r/20230913-gpll_cleanup-v2-2-c8ceb1a37680@quicinc.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/qcom/gcc-ipq6018.c |    6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/clk/qcom/gcc-ipq6018.c
++++ b/drivers/clk/qcom/gcc-ipq6018.c
+@@ -72,7 +72,6 @@ static struct clk_fixed_factor gpll0_out
+                               &gpll0_main.clkr.hw },
+               .num_parents = 1,
+               .ops = &clk_fixed_factor_ops,
+-              .flags = CLK_SET_RATE_PARENT,
+       },
+ };
+@@ -86,7 +85,6 @@ static struct clk_alpha_pll_postdiv gpll
+                               &gpll0_main.clkr.hw },
+               .num_parents = 1,
+               .ops = &clk_alpha_pll_postdiv_ro_ops,
+-              .flags = CLK_SET_RATE_PARENT,
+       },
+ };
+@@ -161,7 +159,6 @@ static struct clk_alpha_pll_postdiv gpll
+                               &gpll6_main.clkr.hw },
+               .num_parents = 1,
+               .ops = &clk_alpha_pll_postdiv_ro_ops,
+-              .flags = CLK_SET_RATE_PARENT,
+       },
+ };
+@@ -192,7 +189,6 @@ static struct clk_alpha_pll_postdiv gpll
+                               &gpll4_main.clkr.hw },
+               .num_parents = 1,
+               .ops = &clk_alpha_pll_postdiv_ro_ops,
+-              .flags = CLK_SET_RATE_PARENT,
+       },
+ };
+@@ -243,7 +239,6 @@ static struct clk_alpha_pll_postdiv gpll
+                               &gpll2_main.clkr.hw },
+               .num_parents = 1,
+               .ops = &clk_alpha_pll_postdiv_ro_ops,
+-              .flags = CLK_SET_RATE_PARENT,
+       },
+ };
+@@ -274,7 +269,6 @@ static struct clk_alpha_pll_postdiv nss_
+                               &nss_crypto_pll_main.clkr.hw },
+               .num_parents = 1,
+               .ops = &clk_alpha_pll_postdiv_ro_ops,
+-              .flags = CLK_SET_RATE_PARENT,
+       },
+ };
diff --git a/queue-6.6/clk-qcom-ipq8074-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch b/queue-6.6/clk-qcom-ipq8074-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch
new file mode 100644 (file)
index 0000000..1f4287a
--- /dev/null
@@ -0,0 +1,77 @@
+From e641a070137dd959932c7c222e000d9d941167a2 Mon Sep 17 00:00:00 2001
+From: Kathiravan Thirumoorthy <quic_kathirav@quicinc.com>
+Date: Thu, 14 Sep 2023 12:29:51 +0530
+Subject: clk: qcom: ipq8074: drop the CLK_SET_RATE_PARENT flag from PLL clocks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kathiravan Thirumoorthy <quic_kathirav@quicinc.com>
+
+commit e641a070137dd959932c7c222e000d9d941167a2 upstream.
+
+GPLL, NSS crypto PLL clock rates are fixed and shouldn't be scaled based
+on the request from dependent clocks. Doing so will result in the
+unexpected behaviour. So drop the CLK_SET_RATE_PARENT flag from the PLL
+clocks.
+
+Cc: stable@vger.kernel.org
+Fixes: b8e7e519625f ("clk: qcom: ipq8074: add remaining PLL’s")
+Signed-off-by: Kathiravan Thirumoorthy <quic_kathirav@quicinc.com>
+Link: https://lore.kernel.org/r/20230913-gpll_cleanup-v2-1-c8ceb1a37680@quicinc.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/qcom/gcc-ipq8074.c |    6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/clk/qcom/gcc-ipq8074.c
++++ b/drivers/clk/qcom/gcc-ipq8074.c
+@@ -75,7 +75,6 @@ static struct clk_fixed_factor gpll0_out
+                               &gpll0_main.clkr.hw },
+               .num_parents = 1,
+               .ops = &clk_fixed_factor_ops,
+-              .flags = CLK_SET_RATE_PARENT,
+       },
+ };
+@@ -121,7 +120,6 @@ static struct clk_alpha_pll_postdiv gpll
+                               &gpll2_main.clkr.hw },
+               .num_parents = 1,
+               .ops = &clk_alpha_pll_postdiv_ro_ops,
+-              .flags = CLK_SET_RATE_PARENT,
+       },
+ };
+@@ -154,7 +152,6 @@ static struct clk_alpha_pll_postdiv gpll
+                               &gpll4_main.clkr.hw },
+               .num_parents = 1,
+               .ops = &clk_alpha_pll_postdiv_ro_ops,
+-              .flags = CLK_SET_RATE_PARENT,
+       },
+ };
+@@ -188,7 +185,6 @@ static struct clk_alpha_pll_postdiv gpll
+                               &gpll6_main.clkr.hw },
+               .num_parents = 1,
+               .ops = &clk_alpha_pll_postdiv_ro_ops,
+-              .flags = CLK_SET_RATE_PARENT,
+       },
+ };
+@@ -201,7 +197,6 @@ static struct clk_fixed_factor gpll6_out
+                               &gpll6_main.clkr.hw },
+               .num_parents = 1,
+               .ops = &clk_fixed_factor_ops,
+-              .flags = CLK_SET_RATE_PARENT,
+       },
+ };
+@@ -266,7 +261,6 @@ static struct clk_alpha_pll_postdiv nss_
+                               &nss_crypto_pll_main.clkr.hw },
+               .num_parents = 1,
+               .ops = &clk_alpha_pll_postdiv_ro_ops,
+-              .flags = CLK_SET_RATE_PARENT,
+       },
+ };
diff --git a/queue-6.6/clk-socfpga-fix-undefined-behavior-bug-in-struct-stratix10_clock_data.patch b/queue-6.6/clk-socfpga-fix-undefined-behavior-bug-in-struct-stratix10_clock_data.patch
new file mode 100644 (file)
index 0000000..b8cb72b
--- /dev/null
@@ -0,0 +1,109 @@
+From d761bb01c85b22d5b44abe283eb89019693f6595 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
+Date: Mon, 23 Oct 2023 21:30:52 -0600
+Subject: clk: socfpga: Fix undefined behavior bug in struct stratix10_clock_data
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+commit d761bb01c85b22d5b44abe283eb89019693f6595 upstream.
+
+`struct clk_hw_onecell_data` is a flexible structure, which means that
+it contains flexible-array member at the bottom, in this case array
+`hws`:
+
+include/linux/clk-provider.h:
+1380 struct clk_hw_onecell_data {
+1381         unsigned int num;
+1382         struct clk_hw *hws[] __counted_by(num);
+1383 };
+
+This could potentially lead to an overwrite of the objects following
+`clk_data` in `struct stratix10_clock_data`, in this case
+`void __iomem *base;` at run-time:
+
+drivers/clk/socfpga/stratix10-clk.h:
+  9 struct stratix10_clock_data {
+ 10         struct clk_hw_onecell_data      clk_data;
+ 11         void __iomem            *base;
+ 12 };
+
+There are currently three different places where memory is allocated for
+`struct stratix10_clock_data`, including the flex-array `hws` in
+`struct clk_hw_onecell_data`:
+
+drivers/clk/socfpga/clk-agilex.c:
+469         clk_data = devm_kzalloc(dev, struct_size(clk_data, clk_data.hws,
+470                                 num_clks), GFP_KERNEL);
+
+drivers/clk/socfpga/clk-agilex.c:
+509         clk_data = devm_kzalloc(dev, struct_size(clk_data, clk_data.hws,
+510                                 num_clks), GFP_KERNEL);
+
+drivers/clk/socfpga/clk-s10.c:
+400         clk_data = devm_kzalloc(dev, struct_size(clk_data, clk_data.hws,
+401                                                  num_clks), GFP_KERNEL);
+
+I'll use just one of them to describe the issue. See below.
+
+Notice that a total of 440 bytes are allocated for flexible-array member
+`hws` at line 469:
+
+include/dt-bindings/clock/agilex-clock.h:
+ 70 #define AGILEX_NUM_CLKS    55
+
+drivers/clk/socfpga/clk-agilex.c:
+459         struct stratix10_clock_data *clk_data;
+460         void __iomem *base;
+...
+466
+467         num_clks = AGILEX_NUM_CLKS;
+468
+469         clk_data = devm_kzalloc(dev, struct_size(clk_data, clk_data.hws,
+470                                 num_clks), GFP_KERNEL);
+
+`struct_size(clk_data, clk_data.hws, num_clks)`        above translates to
+sizeof(struct stratix10_clock_data) + sizeof(struct clk_hw *) * 55 ==
+16 + 8 * 55 == 16 + 440
+                   ^^^
+                    |
+       allocated bytes for flex-array `hws`
+
+474         for (i = 0; i < num_clks; i++)
+475                 clk_data->clk_data.hws[i] = ERR_PTR(-ENOENT);
+476
+477         clk_data->base = base;
+
+and then some data is written into both `hws` and `base` objects.
+
+Fix this by placing the declaration of object `clk_data` at the end of
+`struct stratix10_clock_data`. Also, add a comment to make it clear
+that this object must always be last in the structure.
+
+-Wflex-array-member-not-at-end is coming in GCC-14, and we are getting
+ready to enable it globally.
+
+Fixes: ba7e258425ac ("clk: socfpga: Convert to s10/agilex/n5x to use clk_hw")
+Cc: stable@vger.kernel.org
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Link: https://lore.kernel.org/r/1da736106d8e0806aeafa6e471a13ced490eae22.1698117815.git.gustavoars@kernel.org
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/socfpga/stratix10-clk.h |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/clk/socfpga/stratix10-clk.h
++++ b/drivers/clk/socfpga/stratix10-clk.h
+@@ -7,8 +7,10 @@
+ #define       __STRATIX10_CLK_H
+ struct stratix10_clock_data {
+-      struct clk_hw_onecell_data      clk_data;
+       void __iomem            *base;
++
++      /* Must be last */
++      struct clk_hw_onecell_data      clk_data;
+ };
+ struct stratix10_pll_clock {
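Review bot: The new `/* Must be last */` comment in `struct stratix10_clock_data` does not say why the member has to be last, and the same bare comment is added to `struct visconti_pll_provider` in the clk-visconti patch further down. Naming the reason makes the constraint harder to undo by accident during a later reshuffle: `/* Must be last: clk_data ends in the flexible array hws[] */`. Nothing in either hunk enforces the ordering at build time; the commit message indicates that -Wflex-array-member-not-at-end is expected to catch it once it is enabled.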
diff --git a/queue-6.6/clk-visconti-fix-undefined-behavior-bug-in-struct-visconti_pll_provider.patch b/queue-6.6/clk-visconti-fix-undefined-behavior-bug-in-struct-visconti_pll_provider.patch
new file mode 100644 (file)
index 0000000..1c6065a
--- /dev/null
@@ -0,0 +1,109 @@
+From 5ad1e217a2b23aa046b241183bd9452d259d70d0 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
+Date: Mon, 16 Oct 2023 16:05:27 -0600
+Subject: clk: visconti: Fix undefined behavior bug in struct visconti_pll_provider
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+commit 5ad1e217a2b23aa046b241183bd9452d259d70d0 upstream.
+
+`struct clk_hw_onecell_data` is a flexible structure, which means that
+it contains flexible-array member at the bottom, in this case array
+`hws`:
+
+include/linux/clk-provider.h:
+1380 struct clk_hw_onecell_data {
+1381         unsigned int num;
+1382         struct clk_hw *hws[] __counted_by(num);
+1383 };
+
+This could potentially lead to an overwrite of the objects following
+`clk_data` in `struct visconti_pll_provider`, in this case
+`struct device_node *node;`, at run-time:
+
+drivers/clk/visconti/pll.h:
+ 16 struct visconti_pll_provider {
+ 17         void __iomem *reg_base;
+ 18         struct clk_hw_onecell_data clk_data;
+ 19         struct device_node *node;
+ 20 };
+
+Notice that a total of 56 bytes are allocated for flexible-array `hws`
+at line 328. See below:
+
+include/dt-bindings/clock/toshiba,tmpv770x.h:
+ 14 #define TMPV770X_NR_PLL            7
+
+drivers/clk/visconti/pll-tmpv770x.c:
+ 69 ctx = visconti_init_pll(np, reg_base, TMPV770X_NR_PLL);
+
+drivers/clk/visconti/pll.c:
+321 struct visconti_pll_provider * __init visconti_init_pll(struct device_node *np,
+322                                                         void __iomem *base,
+323                                                         unsigned long nr_plls)
+324 {
+325         struct visconti_pll_provider *ctx;
+...
+328         ctx = kzalloc(struct_size(ctx, clk_data.hws, nr_plls), GFP_KERNEL);
+
+`struct_size(ctx, clk_data.hws, nr_plls)` above translates to
+sizeof(struct visconti_pll_provider) + sizeof(struct clk_hw *) * 7 ==
+24 + 8 * 7 == 24 + 56
+                 ^^^^
+                  |
+       allocated bytes for flex array `hws`
+
+$ pahole -C visconti_pll_provider drivers/clk/visconti/pll.o
+struct visconti_pll_provider {
+       void *                     reg_base;             /*     0     8 */
+       struct clk_hw_onecell_data clk_data;             /*     8     8 */
+       struct device_node *       node;                 /*    16     8 */
+
+       /* size: 24, cachelines: 1, members: 3 */
+       /* last cacheline: 24 bytes */
+};
+
+And then, after the allocation, some data is written into all members
+of `struct visconti_pll_provider`:
+
+332         for (i = 0; i < nr_plls; ++i)
+333                 ctx->clk_data.hws[i] = ERR_PTR(-ENOENT);
+334
+335         ctx->node = np;
+336         ctx->reg_base = base;
+337         ctx->clk_data.num = nr_plls;
+
+Fix all these by placing the declaration of object `clk_data` at the
+end of `struct visconti_pll_provider`. Also, add a comment to make it
+clear that this object must always be last in the structure, and
+prevent this bug from being introduced again in the future.
+
+-Wflex-array-member-not-at-end is coming in GCC-14, and we are getting
+ready to enable it globally.
+
+Fixes: b4cbe606dc36 ("clk: visconti: Add support common clock driver and reset driver")
+Cc: stable@vger.kernel.org
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Acked-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Link: https://lore.kernel.org/r/57a831d94ee2b3889b11525d4ad500356f89576f.1697492890.git.gustavoars@kernel.org
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/visconti/pll.h |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/clk/visconti/pll.h
++++ b/drivers/clk/visconti/pll.h
+@@ -15,8 +15,10 @@
+ struct visconti_pll_provider {
+       void __iomem *reg_base;
+-      struct clk_hw_onecell_data clk_data;
+       struct device_node *node;
++
++      /* Must be last */
++      struct clk_hw_onecell_data clk_data;
+ };
+ #define VISCONTI_PLL_RATE(_rate, _dacen, _dsmen, \
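Review bot: The pll.c excerpt quoted in the message (lines 332-337) fills `hws[i]` before it sets `ctx->clk_data.num`, and this patch leaves that order in place because it only touches pll.h. Since `hws` is declared `__counted_by(num)` and the object comes from kzalloc(), `num` is presumably still 0 while that loop runs, which a bounds-checking build may report as out of range once the compiler honours the annotation. A follow-up could set the count first, i.e. move `ctx->clk_data.num = nr_plls;` ahead of the `for` loop. This is inferred from the quoted excerpt only; the full function is not on the page.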
diff --git a/queue-6.6/cpufreq-stats-fix-buffer-overflow-detection-in-trans_stats.patch b/queue-6.6/cpufreq-stats-fix-buffer-overflow-detection-in-trans_stats.patch
new file mode 100644 (file)
index 0000000..727c9cd
--- /dev/null
@@ -0,0 +1,80 @@
+From ea167a7fc2426f7685c3735e104921c1a20a6d3f Mon Sep 17 00:00:00 2001
+From: Christian Marangi <ansuelsmth@gmail.com>
+Date: Tue, 24 Oct 2023 20:30:14 +0200
+Subject: cpufreq: stats: Fix buffer overflow detection in trans_stats()
+
+From: Christian Marangi <ansuelsmth@gmail.com>
+
+commit ea167a7fc2426f7685c3735e104921c1a20a6d3f upstream.
+
+Commit 3c0897c180c6 ("cpufreq: Use scnprintf() for avoiding potential
+buffer overflow") switched from snprintf to the more secure scnprintf
+but never updated the exit condition for PAGE_SIZE.
+
+As the commit say and as scnprintf document, what scnprintf returns what
+is actually written not counting the '\0' end char. This results in the
+case of len exceeding the size, len set to PAGE_SIZE - 1, as it can be
+written at max PAGE_SIZE - 1 (as '\0' is not counted)
+
+Because of len is never set to PAGE_SIZE, the function never break early,
+never prints the warning and never return -EFBIG.
+
+Fix this by changing the condition to PAGE_SIZE - 1 to correctly trigger
+the error.
+
+Cc: 5.10+ <stable@vger.kernel.org> # 5.10+
+Fixes: 3c0897c180c6 ("cpufreq: Use scnprintf() for avoiding potential buffer overflow")
+Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
+[ rjw: Subject and changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/cpufreq_stats.c |   14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/cpufreq/cpufreq_stats.c
++++ b/drivers/cpufreq/cpufreq_stats.c
+@@ -131,23 +131,23 @@ static ssize_t show_trans_table(struct c
+       len += sysfs_emit_at(buf, len, "   From  :    To\n");
+       len += sysfs_emit_at(buf, len, "         : ");
+       for (i = 0; i < stats->state_num; i++) {
+-              if (len >= PAGE_SIZE)
++              if (len >= PAGE_SIZE - 1)
+                       break;
+               len += sysfs_emit_at(buf, len, "%9u ", stats->freq_table[i]);
+       }
+-      if (len >= PAGE_SIZE)
+-              return PAGE_SIZE;
++      if (len >= PAGE_SIZE - 1)
++              return PAGE_SIZE - 1;
+       len += sysfs_emit_at(buf, len, "\n");
+       for (i = 0; i < stats->state_num; i++) {
+-              if (len >= PAGE_SIZE)
++              if (len >= PAGE_SIZE - 1)
+                       break;
+               len += sysfs_emit_at(buf, len, "%9u: ", stats->freq_table[i]);
+               for (j = 0; j < stats->state_num; j++) {
+-                      if (len >= PAGE_SIZE)
++                      if (len >= PAGE_SIZE - 1)
+                               break;
+                       if (pending)
+@@ -157,12 +157,12 @@ static ssize_t show_trans_table(struct c
+                       len += sysfs_emit_at(buf, len, "%9u ", count);
+               }
+-              if (len >= PAGE_SIZE)
++              if (len >= PAGE_SIZE - 1)
+                       break;
+               len += sysfs_emit_at(buf, len, "\n");
+       }
+-      if (len >= PAGE_SIZE) {
++      if (len >= PAGE_SIZE - 1) {
+               pr_warn_once("cpufreq transition table exceeds PAGE_SIZE. Disabling\n");
+               return -EFBIG;
+       }
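Review bot: The check after the header loop, `if (len >= PAGE_SIZE - 1) return PAGE_SIZE - 1;`, reports a truncated table as a successful read, while the same condition at the end of the function warns and returns -EFBIG; the patch keeps that asymmetry. If the early case is meant to be an error as well it could `return -EFBIG;` too, otherwise a comment should say the truncation is deliberate. The six `PAGE_SIZE - 1` comparisons also rely on the emit helper never returning a length that reaches PAGE_SIZE, which the code does not state; a comment on the first check such as `/* sysfs_emit_at() stops at PAGE_SIZE - 1, so that value means the buffer is full */` would record it. show_trans_table() starts and ends outside the hunks.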
diff --git a/queue-6.6/integrity-powerpc-do-not-select-ca_machine_keyring.patch b/queue-6.6/integrity-powerpc-do-not-select-ca_machine_keyring.patch
new file mode 100644 (file)
index 0000000..be6c70a
--- /dev/null
@@ -0,0 +1,39 @@
+From 3edc22655647378dea01900f7b04e017ff96bda9 Mon Sep 17 00:00:00 2001
+From: Michal Suchanek <msuchanek@suse.de>
+Date: Thu, 7 Sep 2023 18:52:19 +0200
+Subject: integrity: powerpc: Do not select CA_MACHINE_KEYRING
+
+From: Michal Suchanek <msuchanek@suse.de>
+
+commit 3edc22655647378dea01900f7b04e017ff96bda9 upstream.
+
+No other platform needs CA_MACHINE_KEYRING, either.
+
+This is policy that should be decided by the administrator, not Kconfig
+dependencies.
+
+Cc: stable@vger.kernel.org # v6.6+
+Fixes: d7d91c4743c4 ("integrity: PowerVM machine keyring enablement")
+Signed-off-by: Michal Suchanek <msuchanek@suse.de>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/integrity/Kconfig | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
+index 232191ee09e3..b6e074ac0227 100644
+--- a/security/integrity/Kconfig
++++ b/security/integrity/Kconfig
+@@ -68,8 +68,6 @@ config INTEGRITY_MACHINE_KEYRING
+       depends on INTEGRITY_ASYMMETRIC_KEYS
+       depends on SYSTEM_BLACKLIST_KEYRING
+       depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS
+-      select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS
+-      select INTEGRITY_CA_MACHINE_KEYRING_MAX if LOAD_PPC_KEYS
+       help
+        If set, provide a keyring to which Machine Owner Keys (MOK) may
+        be added. This keyring shall contain just MOK keys.  Unlike keys
+-- 
+2.43.0
+
diff --git a/queue-6.6/ksmbd-fix-recursive-locking-in-vfs-helpers.patch b/queue-6.6/ksmbd-fix-recursive-locking-in-vfs-helpers.patch
new file mode 100644 (file)
index 0000000..f511d81
--- /dev/null
@@ -0,0 +1,140 @@
+From 807252f028c59b9a3bac4d62ad84761548c10f11 Mon Sep 17 00:00:00 2001
+From: Marios Makassikis <mmakassikis@freebox.fr>
+Date: Sat, 14 Oct 2023 12:48:25 +0900
+Subject: ksmbd: fix recursive locking in vfs helpers
+
+From: Marios Makassikis <mmakassikis@freebox.fr>
+
+commit 807252f028c59b9a3bac4d62ad84761548c10f11 upstream.
+
+Running smb2.rename test from Samba smbtorture suite against a kernel built
+with lockdep triggers a "possible recursive locking detected" warning.
+
+This is because mnt_want_write() is called twice with no mnt_drop_write()
+in between:
+  -> ksmbd_vfs_mkdir()
+    -> ksmbd_vfs_kern_path_create()
+       -> kern_path_create()
+          -> filename_create()
+            -> mnt_want_write()
+       -> mnt_want_write()
+
+Fix this by removing the mnt_want_write/mnt_drop_write calls from vfs
+helpers that call kern_path_create().
+
+Full lockdep trace below:
+
+============================================
+WARNING: possible recursive locking detected
+6.6.0-rc5 #775 Not tainted
+--------------------------------------------
+kworker/1:1/32 is trying to acquire lock:
+ffff888005ac83f8 (sb_writers#5){.+.+}-{0:0}, at: ksmbd_vfs_mkdir+0xe1/0x410
+
+but task is already holding lock:
+ffff888005ac83f8 (sb_writers#5){.+.+}-{0:0}, at: filename_create+0xb6/0x260
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+       CPU0
+       ----
+  lock(sb_writers#5);
+  lock(sb_writers#5);
+
+ *** DEADLOCK ***
+
+ May be due to missing lock nesting notation
+
+4 locks held by kworker/1:1/32:
+ #0: ffff8880064e4138 ((wq_completion)ksmbd-io){+.+.}-{0:0}, at: process_one_work+0x40e/0x980
+ #1: ffff888005b0fdd0 ((work_completion)(&work->work)){+.+.}-{0:0}, at: process_one_work+0x40e/0x980
+ #2: ffff888005ac83f8 (sb_writers#5){.+.+}-{0:0}, at: filename_create+0xb6/0x260
+ #3: ffff8880057ce760 (&type->i_mutex_dir_key#3/1){+.+.}-{3:3}, at: filename_create+0x123/0x260
+
+Cc: stable@vger.kernel.org
+Fixes: 40b268d384a2 ("ksmbd: add mnt_want_write to ksmbd vfs functions")
+Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/vfs.c |   23 +++--------------------
+ 1 file changed, 3 insertions(+), 20 deletions(-)
+
+--- a/fs/smb/server/vfs.c
++++ b/fs/smb/server/vfs.c
+@@ -173,10 +173,6 @@ int ksmbd_vfs_create(struct ksmbd_work *
+               return err;
+       }
+-      err = mnt_want_write(path.mnt);
+-      if (err)
+-              goto out_err;
+-
+       mode |= S_IFREG;
+       err = vfs_create(mnt_idmap(path.mnt), d_inode(path.dentry),
+                        dentry, mode, true);
+@@ -186,9 +182,7 @@ int ksmbd_vfs_create(struct ksmbd_work *
+       } else {
+               pr_err("File(%s): creation failed (err:%d)\n", name, err);
+       }
+-      mnt_drop_write(path.mnt);
+-out_err:
+       done_path_create(&path, dentry);
+       return err;
+ }
+@@ -219,10 +213,6 @@ int ksmbd_vfs_mkdir(struct ksmbd_work *w
+               return err;
+       }
+-      err = mnt_want_write(path.mnt);
+-      if (err)
+-              goto out_err2;
+-
+       idmap = mnt_idmap(path.mnt);
+       mode |= S_IFDIR;
+       err = vfs_mkdir(idmap, d_inode(path.dentry), dentry, mode);
+@@ -233,21 +223,19 @@ int ksmbd_vfs_mkdir(struct ksmbd_work *w
+                              dentry->d_name.len);
+               if (IS_ERR(d)) {
+                       err = PTR_ERR(d);
+-                      goto out_err1;
++                      goto out_err;
+               }
+               if (unlikely(d_is_negative(d))) {
+                       dput(d);
+                       err = -ENOENT;
+-                      goto out_err1;
++                      goto out_err;
+               }
+               ksmbd_vfs_inherit_owner(work, d_inode(path.dentry), d_inode(d));
+               dput(d);
+       }
+-out_err1:
+-      mnt_drop_write(path.mnt);
+-out_err2:
++out_err:
+       done_path_create(&path, dentry);
+       if (err)
+               pr_err("mkdir(%s): creation failed (err:%d)\n", name, err);
+@@ -665,16 +653,11 @@ int ksmbd_vfs_link(struct ksmbd_work *wo
+               goto out3;
+       }
+-      err = mnt_want_write(newpath.mnt);
+-      if (err)
+-              goto out3;
+-
+       err = vfs_link(oldpath.dentry, mnt_idmap(newpath.mnt),
+                      d_inode(newpath.dentry),
+                      dentry, NULL);
+       if (err)
+               ksmbd_debug(VFS, "vfs_link failed err %d\n", err);
+-      mnt_drop_write(newpath.mnt);
+ out3:
+       done_path_create(&newpath, dentry);
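Review bot: After this change ksmbd_vfs_create(), ksmbd_vfs_mkdir() and ksmbd_vfs_link() no longer take mount write access themselves and depend on the path-creation helper having done so, which nothing in the code states. Per the call chain in the commit message, filename_create() already calls mnt_want_write(), and the matching release presumably happens in done_path_create(). A short comment above each `done_path_create()` call, such as `/* write access was taken by kern_path_create(); done_path_create() drops it */`, would keep a later change from re-adding the nested call. All three function bodies start and end outside their hunks.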
diff --git a/queue-6.6/ksmbd-fix-slab-out-of-bounds-write-in-smb_inherit_dacl.patch b/queue-6.6/ksmbd-fix-slab-out-of-bounds-write-in-smb_inherit_dacl.patch
new file mode 100644 (file)
index 0000000..380dd54
--- /dev/null
@@ -0,0 +1,74 @@
+From eebff19acaa35820cb09ce2ccb3d21bee2156ffb Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Sun, 5 Nov 2023 12:46:24 +0900
+Subject: ksmbd: fix slab out of bounds write in smb_inherit_dacl()
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit eebff19acaa35820cb09ce2ccb3d21bee2156ffb upstream.
+
+slab out-of-bounds write is caused by that offsets is bigger than pntsd
+allocation size. This patch add the check to validate 3 offsets using
+allocation size.
+
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-22271
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smbacl.c |   29 ++++++++++++++++++++++++++---
+ 1 file changed, 26 insertions(+), 3 deletions(-)
+
+--- a/fs/smb/server/smbacl.c
++++ b/fs/smb/server/smbacl.c
+@@ -1107,6 +1107,7 @@ pass:
+               struct smb_acl *pdacl;
+               struct smb_sid *powner_sid = NULL, *pgroup_sid = NULL;
+               int powner_sid_size = 0, pgroup_sid_size = 0, pntsd_size;
++              int pntsd_alloc_size;
+               if (parent_pntsd->osidoffset) {
+                       powner_sid = (struct smb_sid *)((char *)parent_pntsd +
+@@ -1119,9 +1120,10 @@ pass:
+                       pgroup_sid_size = 1 + 1 + 6 + (pgroup_sid->num_subauth * 4);
+               }
+-              pntsd = kzalloc(sizeof(struct smb_ntsd) + powner_sid_size +
+-                              pgroup_sid_size + sizeof(struct smb_acl) +
+-                              nt_size, GFP_KERNEL);
++              pntsd_alloc_size = sizeof(struct smb_ntsd) + powner_sid_size +
++                      pgroup_sid_size + sizeof(struct smb_acl) + nt_size;
++
++              pntsd = kzalloc(pntsd_alloc_size, GFP_KERNEL);
+               if (!pntsd) {
+                       rc = -ENOMEM;
+                       goto free_aces_base;
+@@ -1136,6 +1138,27 @@ pass:
+               pntsd->gsidoffset = parent_pntsd->gsidoffset;
+               pntsd->dacloffset = parent_pntsd->dacloffset;
++              if ((u64)le32_to_cpu(pntsd->osidoffset) + powner_sid_size >
++                  pntsd_alloc_size) {
++                      rc = -EINVAL;
++                      kfree(pntsd);
++                      goto free_aces_base;
++              }
++
++              if ((u64)le32_to_cpu(pntsd->gsidoffset) + pgroup_sid_size >
++                  pntsd_alloc_size) {
++                      rc = -EINVAL;
++                      kfree(pntsd);
++                      goto free_aces_base;
++              }
++
++              if ((u64)le32_to_cpu(pntsd->dacloffset) + sizeof(struct smb_acl) + nt_size >
++                  pntsd_alloc_size) {
++                      rc = -EINVAL;
++                      kfree(pntsd);
++                      goto free_aces_base;
++              }
++
+               if (pntsd->osidoffset) {
+                       struct smb_sid *owner_sid = (struct smb_sid *)((char *)pntsd +
+                                       le32_to_cpu(pntsd->osidoffset));
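Review bot: The three new checks bound the copied offsets against the new allocation only, and they run after the SID pointers have been formed from `parent_pntsd` plus those same offsets and `num_subauth` has been read through them, as in `pgroup_sid_size = 1 + 1 + 6 + (pgroup_sid->num_subauth * 4)`. If nothing earlier in smb_inherit_dacl() (outside this hunk) limits `osidoffset` and `gsidoffset` to the length of the parent descriptor, that read is still out of range, so the offsets should be validated against the parent buffer's length before the SIDs are dereferenced. Whether `num_subauth` is capped before it feeds the size calculation is also not visible here. Separately, `pntsd_alloc_size` is an `int` built from `sizeof` terms and compared with a `u64` sum; declaring it `size_t` avoids the signed conversion. The three checks could also be done on `parent_pntsd`'s offsets before `kzalloc()`, which removes the repeated `kfree(pntsd)`.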
diff --git a/queue-6.6/ksmbd-handle-malformed-smb1-message.patch b/queue-6.6/ksmbd-handle-malformed-smb1-message.patch
new file mode 100644 (file)
index 0000000..c675834
--- /dev/null
@@ -0,0 +1,47 @@
+From 5a5409d90bd05f87fe5623a749ccfbf3f7c7d400 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Tue, 7 Nov 2023 21:04:31 +0900
+Subject: ksmbd: handle malformed smb1 message
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 5a5409d90bd05f87fe5623a749ccfbf3f7c7d400 upstream.
+
+If set_smb1_rsp_status() is not implemented, It will cause NULL pointer
+dereferece error when client send malformed smb1 message.
+This patch add set_smb1_rsp_status() to ignore malformed smb1 message.
+
+Cc: stable@vger.kernel.org
+Reported-by: Robert Morris <rtm@csail.mit.edu>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb_common.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/fs/smb/server/smb_common.c
++++ b/fs/smb/server/smb_common.c
+@@ -366,11 +366,22 @@ static int smb1_allocate_rsp_buf(struct
+       return 0;
+ }
++/**
++ * set_smb1_rsp_status() - set error type in smb response header
++ * @work:     smb work containing smb response header
++ * @err:      error code to set in response
++ */
++static void set_smb1_rsp_status(struct ksmbd_work *work, __le32 err)
++{
++      work->send_no_response = 1;
++}
++
+ static struct smb_version_ops smb1_server_ops = {
+       .get_cmd_val = get_smb1_cmd_val,
+       .init_rsp_hdr = init_smb1_rsp_hdr,
+       .allocate_rsp_buf = smb1_allocate_rsp_buf,
+       .check_user_session = smb1_check_user_session,
++      .set_rsp_status = set_smb1_rsp_status,
+ };
+ static int smb1_negotiate(struct ksmbd_work *work)
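Review bot: The kernel-doc added for set_smb1_rsp_status() says it sets the error type in the response header, but the body only sets `work->send_no_response = 1` and never uses `err`. The comment should describe what the function does, for example `* set_smb1_rsp_status() - suppress the response to an smb1 request` with `@err: unused; no status is written because no reply is sent`. Saying that the request is dropped silently also helps anyone reading logs, since the hunk adds no message for a malformed smb1 request.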
diff --git a/queue-6.6/mmc-add-quirk-mmc_quirk_broken_cache_flush-for-micron-emmc-q2j54a.patch b/queue-6.6/mmc-add-quirk-mmc_quirk_broken_cache_flush-for-micron-emmc-q2j54a.patch
new file mode 100644 (file)
index 0000000..46403af
--- /dev/null
@@ -0,0 +1,104 @@
+From ed9009ad300c0f15a3ecfe9613547b1962bde02c Mon Sep 17 00:00:00 2001
+From: Bean Huo <beanhuo@micron.com>
+Date: Mon, 30 Oct 2023 23:48:09 +0100
+Subject: mmc: Add quirk MMC_QUIRK_BROKEN_CACHE_FLUSH for Micron eMMC Q2J54A
+
+From: Bean Huo <beanhuo@micron.com>
+
+commit ed9009ad300c0f15a3ecfe9613547b1962bde02c upstream.
+
+Micron MTFC4GACAJCN eMMC supports cache but requires that flush cache
+operation be allowed only after a write has occurred. Otherwise, the
+cache flush command or subsequent commands will time out.
+
+Signed-off-by: Bean Huo <beanhuo@micron.com>
+Signed-off-by: Rafael Beims <rafael.beims@toradex.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20231030224809.59245-1-beanhuo@iokpp.de
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/block.c  |    4 +++-
+ drivers/mmc/core/card.h   |    4 ++++
+ drivers/mmc/core/mmc.c    |    8 ++++++--
+ drivers/mmc/core/quirks.h |    7 ++++---
+ include/linux/mmc/card.h  |    2 ++
+ 5 files changed, 19 insertions(+), 6 deletions(-)
+
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -2381,8 +2381,10 @@ enum mmc_issued mmc_blk_mq_issue_rq(stru
+                       }
+                       ret = mmc_blk_cqe_issue_flush(mq, req);
+                       break;
+-              case REQ_OP_READ:
+               case REQ_OP_WRITE:
++                      card->written_flag = true;
++                      fallthrough;
++              case REQ_OP_READ:
+                       if (host->cqe_enabled)
+                               ret = mmc_blk_cqe_issue_rw_rq(mq, req);
+                       else
+--- a/drivers/mmc/core/card.h
++++ b/drivers/mmc/core/card.h
+@@ -280,4 +280,8 @@ static inline int mmc_card_broken_sd_cac
+       return c->quirks & MMC_QUIRK_BROKEN_SD_CACHE;
+ }
++static inline int mmc_card_broken_cache_flush(const struct mmc_card *c)
++{
++      return c->quirks & MMC_QUIRK_BROKEN_CACHE_FLUSH;
++}
+ #endif
+--- a/drivers/mmc/core/mmc.c
++++ b/drivers/mmc/core/mmc.c
+@@ -2081,13 +2081,17 @@ static int _mmc_flush_cache(struct mmc_h
+ {
+       int err = 0;
++      if (mmc_card_broken_cache_flush(host->card) && !host->card->written_flag)
++              return 0;
++
+       if (_mmc_cache_enabled(host)) {
+               err = mmc_switch(host->card, EXT_CSD_CMD_SET_NORMAL,
+                                EXT_CSD_FLUSH_CACHE, 1,
+                                CACHE_FLUSH_TIMEOUT_MS);
+               if (err)
+-                      pr_err("%s: cache flush error %d\n",
+-                             mmc_hostname(host), err);
++                      pr_err("%s: cache flush error %d\n", mmc_hostname(host), err);
++              else
++                      host->card->written_flag = false;
+       }
+       return err;
+--- a/drivers/mmc/core/quirks.h
++++ b/drivers/mmc/core/quirks.h
+@@ -110,11 +110,12 @@ static const struct mmc_fixup __maybe_un
+                 MMC_QUIRK_TRIM_BROKEN),
+       /*
+-       * Micron MTFC4GACAJCN-1M advertises TRIM but it does not seems to
+-       * support being used to offload WRITE_ZEROES.
++       * Micron MTFC4GACAJCN-1M supports TRIM but does not appear to support
++       * WRITE_ZEROES offloading. It also supports caching, but the cache can
++       * only be flushed after a write has occurred.
+        */
+       MMC_FIXUP("Q2J54A", CID_MANFID_MICRON, 0x014e, add_quirk_mmc,
+-                MMC_QUIRK_TRIM_BROKEN),
++                MMC_QUIRK_TRIM_BROKEN | MMC_QUIRK_BROKEN_CACHE_FLUSH),
+       /*
+        * Kingston EMMC04G-M627 advertises TRIM but it does not seems to
+--- a/include/linux/mmc/card.h
++++ b/include/linux/mmc/card.h
+@@ -295,7 +295,9 @@ struct mmc_card {
+ #define MMC_QUIRK_BROKEN_HPI  (1<<13)         /* Disable broken HPI support */
+ #define MMC_QUIRK_BROKEN_SD_DISCARD   (1<<14) /* Disable broken SD discard support */
+ #define MMC_QUIRK_BROKEN_SD_CACHE     (1<<15) /* Disable broken SD cache support */
++#define MMC_QUIRK_BROKEN_CACHE_FLUSH  (1<<16) /* Don't flush cache until the write has occurred */
++      bool                    written_flag;   /* Indicates eMMC has been written since power on */
+       bool                    reenable_cmdq;  /* Re-enable Command Queue */
+       unsigned int            erase_size;     /* erase size in sectors */
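Review bot: The comment on the new `written_flag` field in struct mmc_card says it records a write "since power on", but _mmc_flush_cache() clears it after every successful flush, so it tracks a write since the last flush. Suggested wording: `/* eMMC has been written since the last successful cache flush */`. The hunks shown set the flag only for `REQ_OP_WRITE` in mmc_blk_mq_issue_rq() and show no reset when the card is powered down or re-initialised. Whether other paths that modify the card, or a power cycle that reuses the same struct mmc_card, need handling cannot be told from here. The functions touched all extend beyond their hunks.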
diff --git a/queue-6.6/mmc-sdhci_am654-fix-start-loop-index-for-tap-value-parsing.patch b/queue-6.6/mmc-sdhci_am654-fix-start-loop-index-for-tap-value-parsing.patch
new file mode 100644 (file)
index 0000000..116919e
--- /dev/null
@@ -0,0 +1,35 @@
+From 71956d0cb56c1e5f9feeb4819db87a076418e930 Mon Sep 17 00:00:00 2001
+From: Nitin Yadav <n-yadav@ti.com>
+Date: Thu, 26 Oct 2023 11:44:58 +0530
+Subject: mmc: sdhci_am654: fix start loop index for TAP value parsing
+
+From: Nitin Yadav <n-yadav@ti.com>
+
+commit 71956d0cb56c1e5f9feeb4819db87a076418e930 upstream.
+
+ti,otap-del-sel-legacy/ti,itap-del-sel-legacy passed from DT
+are currently ignored for all SD/MMC and eMMC modes. Fix this
+by making start loop index to MMC_TIMING_LEGACY.
+
+Fixes: 8ee5fc0e0b3b ("mmc: sdhci_am654: Update OTAPDLY writes")
+Signed-off-by: Nitin Yadav <n-yadav@ti.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20231026061458.1116276-1-n-yadav@ti.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci_am654.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci_am654.c
++++ b/drivers/mmc/host/sdhci_am654.c
+@@ -598,7 +598,7 @@ static int sdhci_am654_get_otap_delay(st
+               return 0;
+       }
+-      for (i = MMC_TIMING_MMC_HS; i <= MMC_TIMING_MMC_HS400; i++) {
++      for (i = MMC_TIMING_LEGACY; i <= MMC_TIMING_MMC_HS400; i++) {
+               ret = device_property_read_u32(dev, td[i].otap_binding,
+                                              &sdhci_am654->otap_del_sel[i]);
diff --git a/queue-6.6/mmc-vub300-fix-an-error-code.patch b/queue-6.6/mmc-vub300-fix-an-error-code.patch
new file mode 100644 (file)
index 0000000..6ab3c50
--- /dev/null
@@ -0,0 +1,31 @@
+From b44f9da81783fda72632ef9b0d05ea3f3ca447a5 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Thu, 2 Nov 2023 10:51:06 +0300
+Subject: mmc: vub300: fix an error code
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit b44f9da81783fda72632ef9b0d05ea3f3ca447a5 upstream.
+
+This error path should return -EINVAL instead of success.
+
+Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/0769d30c-ad80-421b-bf5d-7d6f5d85604e@moroto.mountain
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/vub300.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/vub300.c
++++ b/drivers/mmc/host/vub300.c
+@@ -2309,6 +2309,7 @@ static int vub300_probe(struct usb_inter
+               vub300->read_only =
+                       (0x0010 & vub300->system_port_status.port_flags) ? 1 : 0;
+       } else {
++              retval = -EINVAL;
+               goto error5;
+       }
+       usb_set_intfdata(interface, vub300);
diff --git a/queue-6.6/parisc-agp-use-64-bit-le-values-in-sba-iommu-pdir-table.patch b/queue-6.6/parisc-agp-use-64-bit-le-values-in-sba-iommu-pdir-table.patch
new file mode 100644 (file)
index 0000000..d7b2062
--- /dev/null
@@ -0,0 +1,80 @@
+From 86bb854d134f4429feb35d2e05f55c6e036770d2 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Wed, 18 Oct 2023 19:24:14 +0200
+Subject: parisc/agp: Use 64-bit LE values in SBA IOMMU PDIR table
+
+From: Helge Deller <deller@gmx.de>
+
+commit 86bb854d134f4429feb35d2e05f55c6e036770d2 upstream.
+
+The PDIR table of the System Bus Adapter (SBA) I/O MMU uses 64-bit
+little-endian pointers.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org # v6.4+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/agp/parisc-agp.c |   16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/drivers/char/agp/parisc-agp.c
++++ b/drivers/char/agp/parisc-agp.c
+@@ -38,7 +38,7 @@ static struct _parisc_agp_info {
+       int lba_cap_offset;
+-      u64 *gatt;
++      __le64 *gatt;
+       u64 gatt_entries;
+       u64 gart_base;
+@@ -104,7 +104,7 @@ parisc_agp_create_gatt_table(struct agp_
+       int i;
+       for (i = 0; i < info->gatt_entries; i++) {
+-              info->gatt[i] = (unsigned long)agp_bridge->scratch_page;
++              info->gatt[i] = cpu_to_le64(agp_bridge->scratch_page);
+       }
+       return 0;
+@@ -158,9 +158,9 @@ parisc_agp_insert_memory(struct agp_memo
+               for (k = 0;
+                    k < info->io_pages_per_kpage;
+                    k++, j++, paddr += info->io_page_size) {
+-                      info->gatt[j] =
++                      info->gatt[j] = cpu_to_le64(
+                               parisc_agp_mask_memory(agp_bridge,
+-                                      paddr, type);
++                                      paddr, type));
+                       asm_io_fdc(&info->gatt[j]);
+               }
+       }
+@@ -184,7 +184,7 @@ parisc_agp_remove_memory(struct agp_memo
+       io_pg_start = info->io_pages_per_kpage * pg_start;
+       io_pg_count = info->io_pages_per_kpage * mem->page_count;
+       for (i = io_pg_start; i < io_pg_count + io_pg_start; i++) {
+-              info->gatt[i] = agp_bridge->scratch_page;
++              info->gatt[i] = cpu_to_le64(agp_bridge->scratch_page);
+       }
+       agp_bridge->driver->tlb_flush(mem);
+@@ -204,7 +204,8 @@ parisc_agp_mask_memory(struct agp_bridge
+       pa |= (ci >> PAGE_SHIFT) & 0xff;/* move CI (8 bits) into lowest byte */
+       pa |= SBA_PDIR_VALID_BIT;       /* set "valid" bit */
+-      return cpu_to_le64(pa);
++      /* return native (big-endian) PDIR entry */
++      return pa;
+ }
+ static void
+@@ -251,7 +252,8 @@ static int __init
+ agp_ioc_init(void __iomem *ioc_regs)
+ {
+       struct _parisc_agp_info *info = &parisc_agp_info;
+-        u64 iova_base, *io_pdir, io_tlb_ps;
++        u64 iova_base, io_tlb_ps;
++      __le64 *io_pdir;
+         int io_tlb_shift;
+         printk(KERN_INFO DRVPFX "IO PDIR shared with sba_iommu\n");
diff --git a/queue-6.6/parisc-pdc-add-width-field-to-struct-pdc_model.patch b/queue-6.6/parisc-pdc-add-width-field-to-struct-pdc_model.patch
new file mode 100644 (file)
index 0000000..0d398ff
--- /dev/null
@@ -0,0 +1,28 @@
+From 6240553b52c475d9fc9674de0521b77e692f3764 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sun, 22 Oct 2023 11:48:11 +0200
+Subject: parisc/pdc: Add width field to struct pdc_model
+
+From: Helge Deller <deller@gmx.de>
+
+commit 6240553b52c475d9fc9674de0521b77e692f3764 upstream.
+
+PDC2.0 specifies the additional PSW-bit field.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/include/uapi/asm/pdc.h |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/parisc/include/uapi/asm/pdc.h
++++ b/arch/parisc/include/uapi/asm/pdc.h
+@@ -472,6 +472,7 @@ struct pdc_model {         /* for PDC_MODEL */
+       unsigned long arch_rev;
+       unsigned long pot_key;
+       unsigned long curr_key;
++      unsigned long width;    /* default of PSW_W bit (1=enabled) */
+ };
+ struct pdc_cache_cf {         /* for PDC_CACHE  (I/D-caches) */
diff --git a/queue-6.6/parisc-power-add-power-soft-off-when-running-on-qemu.patch b/queue-6.6/parisc-power-add-power-soft-off-when-running-on-qemu.patch
new file mode 100644 (file)
index 0000000..827238a
--- /dev/null
@@ -0,0 +1,48 @@
+From d0c219472980d15f5cbc5c8aec736848bda3f235 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Tue, 17 Oct 2023 22:19:53 +0200
+Subject: parisc/power: Add power soft-off when running on qemu
+
+From: Helge Deller <deller@gmx.de>
+
+commit d0c219472980d15f5cbc5c8aec736848bda3f235 upstream.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org # v6.0+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/parisc/power.c |   16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/parisc/power.c
++++ b/drivers/parisc/power.c
+@@ -197,6 +197,14 @@ static struct notifier_block parisc_pani
+       .priority       = INT_MAX,
+ };
++/* qemu soft power-off function */
++static int qemu_power_off(struct sys_off_data *data)
++{
++      /* this turns the system off via SeaBIOS */
++      *(int *)data->cb_data = 0;
++      pdc_soft_power_button(1);
++      return NOTIFY_DONE;
++}
+ static int __init power_init(void)
+ {
+@@ -226,7 +234,13 @@ static int __init power_init(void)
+                               soft_power_reg);
+       }
+-      power_task = kthread_run(kpowerswd, (void*)soft_power_reg, KTHREAD_NAME);
++      power_task = NULL;
++      if (running_on_qemu && soft_power_reg)
++              register_sys_off_handler(SYS_OFF_MODE_POWER_OFF, SYS_OFF_PRIO_DEFAULT,
++                                      qemu_power_off, (void *)soft_power_reg);
++      else
++              power_task = kthread_run(kpowerswd, (void*)soft_power_reg,
++                                      KTHREAD_NAME);
+       if (IS_ERR(power_task)) {
+               printk(KERN_ERR DRIVER_NAME ": thread creation failed.  Driver not loaded.\n");
+               pdc_soft_power_button(0);
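Review bot: The result of `register_sys_off_handler()` in power_init() is discarded, so if registration fails on qemu the driver loads with neither the power-off handler nor the kpowerswd thread and reports nothing. The returned pointer should be kept and tested with `IS_ERR()`, logging the failure or falling back to `kthread_run()`. In the qemu branch `power_task` stays NULL, so any code outside this hunk that passes it to `kthread_stop()` would need a NULL check. power_init() starts before and continues past the hunk.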
diff --git a/queue-6.6/pmdomain-imx-make-imx-pgc-power-domain-also-set-the-fwnode.patch b/queue-6.6/pmdomain-imx-make-imx-pgc-power-domain-also-set-the-fwnode.patch
new file mode 100644 (file)
index 0000000..1669565
--- /dev/null
@@ -0,0 +1,42 @@
+From 374de39d38f97b0e58cfee88da590b2d056ccf7f Mon Sep 17 00:00:00 2001
+From: Pengfei Li <pengfei.li_1@nxp.com>
+Date: Sat, 21 Oct 2023 02:59:49 +0800
+Subject: pmdomain: imx: Make imx pgc power domain also set the fwnode
+
+From: Pengfei Li <pengfei.li_1@nxp.com>
+
+commit 374de39d38f97b0e58cfee88da590b2d056ccf7f upstream.
+
+Currently, The imx pgc power domain doesn't set the fwnode
+pointer, which results in supply regulator device can't get
+consumer imx pgc power domain device from fwnode when creating
+a link.
+
+This causes the driver core to instead try to create a link
+between the parent gpc device of imx pgc power domain device and
+supply regulator device. However, at this point, the gpc device
+has already been bound, and the link creation will fail. So adding
+the fwnode pointer to the imx pgc power domain device will fix
+this issue.
+
+Signed-off-by: Pengfei Li <pengfei.li_1@nxp.com>
+Tested-by: Emil Kronborg <emil.kronborg@protonmail.com>
+Fixes: 3fb16866b51d ("driver core: fw_devlink: Make cycle detection more robust")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20231020185949.537083-1-pengfei.li_1@nxp.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pmdomain/imx/gpc.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pmdomain/imx/gpc.c
++++ b/drivers/pmdomain/imx/gpc.c
+@@ -498,6 +498,7 @@ static int imx_gpc_probe(struct platform
+                       pd_pdev->dev.parent = &pdev->dev;
+                       pd_pdev->dev.of_node = np;
++                      pd_pdev->dev.fwnode = of_fwnode_handle(np);
+                       ret = platform_device_add(pd_pdev);
+                       if (ret) {
diff --git a/queue-6.6/powercap-intel_rapl-downgrade-bios-locked-limits-pr_warn-to-pr_debug.patch b/queue-6.6/powercap-intel_rapl-downgrade-bios-locked-limits-pr_warn-to-pr_debug.patch
new file mode 100644 (file)
index 0000000..aff09b1
--- /dev/null
@@ -0,0 +1,41 @@
+From a60ec4485f1c72dfece365cf95e6de82bdd74300 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Tue, 24 Oct 2023 22:17:19 +0300
+Subject: powercap: intel_rapl: Downgrade BIOS locked limits pr_warn() to pr_debug()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit a60ec4485f1c72dfece365cf95e6de82bdd74300 upstream.
+
+Before the refactoring the pr_warn() only triggered when
+someone explicitly tried to write to a BIOS locked limit.
+After the refactoring the warning is also triggering during
+system resume. The user can't do anything about this so
+printing scary warnings doesn't make sense
+
+Keep the printk but make it pr_debug() instead of pr_warn()
+to make it clear it's not a serious issue.
+
+Fixes: 9050a9cd5e4c ("powercap: intel_rapl: Cleanup Power Limits support")
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: 6.5+ <stable@vger.kernel.org> # 6.5+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/powercap/intel_rapl_common.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/powercap/intel_rapl_common.c
++++ b/drivers/powercap/intel_rapl_common.c
+@@ -892,7 +892,7 @@ static int rapl_write_pl_data(struct rap
+               return -EINVAL;
+       if (rd->rpl[pl].locked) {
+-              pr_warn("%s:%s:%s locked by BIOS\n", rd->rp->name, rd->name, pl_names[pl]);
++              pr_debug("%s:%s:%s locked by BIOS\n", rd->rp->name, rd->name, pl_names[pl]);
+               return -EACCES;
+       }
index 8eebc5138ea5fca5a52122b381f4d53abe1bbac4..4885ff8e3a95a6da74b049158bc53ad4dfaf5597 100644 (file)
@@ -302,3 +302,22 @@ keys-trusted-rollback-init_trusted-consistently.patch
 pci-keystone-don-t-discard-.remove-callback.patch
 pci-keystone-don-t-discard-.probe-callback.patch
 pmdomain-amlogic-fix-mask-for-the-second-nna-mem-pd-domain.patch
+arm64-restrict-cpu_big_endian-to-gnu-as-or-llvm-ias-15.x-or-newer.patch
+arm64-module-fix-plt-counting-when-config_randomize_base-n.patch
+pmdomain-imx-make-imx-pgc-power-domain-also-set-the-fwnode.patch
+parisc-agp-use-64-bit-le-values-in-sba-iommu-pdir-table.patch
+parisc-pdc-add-width-field-to-struct-pdc_model.patch
+parisc-power-add-power-soft-off-when-running-on-qemu.patch
+cpufreq-stats-fix-buffer-overflow-detection-in-trans_stats.patch
+powercap-intel_rapl-downgrade-bios-locked-limits-pr_warn-to-pr_debug.patch
+clk-socfpga-fix-undefined-behavior-bug-in-struct-stratix10_clock_data.patch
+clk-visconti-fix-undefined-behavior-bug-in-struct-visconti_pll_provider.patch
+integrity-powerpc-do-not-select-ca_machine_keyring.patch
+clk-qcom-ipq8074-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch
+clk-qcom-ipq6018-drop-the-clk_set_rate_parent-flag-from-pll-clocks.patch
+ksmbd-fix-recursive-locking-in-vfs-helpers.patch
+ksmbd-handle-malformed-smb1-message.patch
+ksmbd-fix-slab-out-of-bounds-write-in-smb_inherit_dacl.patch
+mmc-vub300-fix-an-error-code.patch
+mmc-sdhci_am654-fix-start-loop-index-for-tap-value-parsing.patch
+mmc-add-quirk-mmc_quirk_broken_cache_flush-for-micron-emmc-q2j54a.patch