--- /dev/null
+From ad22051afdad962b6012f3823d0ed1a735935386 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pablo=20Ca=C3=B1o?= <pablocpascual@gmail.com>
+Date: Thu, 20 Jun 2024 17:25:33 +0200
+Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14AHP9
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pablo Caño <pablocpascual@gmail.com>
+
+commit ad22051afdad962b6012f3823d0ed1a735935386 upstream.
+
+Lenovo Yoga Pro 7 14AHP9 (PCI SSID 17aa:3891) seems requiring a similar workaround like Yoga 9 model and Yoga 7 Pro 14APH8 for the bass speaker.
+
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/all/20231207182035.30248-1-tiwai@suse.de/
+Signed-off-by: Pablo Caño <pablocpascual@gmail.com>
+Link: https://patch.msgid.link/20240620152533.76712-1-pablocpascual@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10518,6 +10518,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x17aa, 0x3882, "Lenovo Yoga Pro 7 14APH8", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x3884, "Y780 YG DUAL", ALC287_FIXUP_TAS2781_I2C),
+ SND_PCI_QUIRK(0x17aa, 0x3886, "Y780 VECO DUAL", ALC287_FIXUP_TAS2781_I2C),
++ SND_PCI_QUIRK(0x17aa, 0x3891, "Lenovo Yoga Pro 7 14AHP9", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x38a7, "Y780P AMD YG dual", ALC287_FIXUP_TAS2781_I2C),
+ SND_PCI_QUIRK(0x17aa, 0x38a8, "Y780P AMD VECO dual", ALC287_FIXUP_TAS2781_I2C),
+ SND_PCI_QUIRK(0x17aa, 0x38a9, "Thinkbook 16P", ALC287_FIXUP_MG_RTKC_CSAMP_CS35L41_I2C_THINKPAD),
--- /dev/null
+From ea5f8c4cffcd8a6b62b3a3bd5008275218c9d02a Mon Sep 17 00:00:00 2001
+From: Andy Chi <andy.chi@canonical.com>
+Date: Wed, 5 Jun 2024 17:22:41 +0800
+Subject: ALSA: hda/realtek: fix mute/micmute LEDs don't work for ProBook 445/465 G11.
+
+From: Andy Chi <andy.chi@canonical.com>
+
+commit ea5f8c4cffcd8a6b62b3a3bd5008275218c9d02a upstream.
+
+HP ProBook 445/465 G11 needs ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF quirk to
+make mic-mute/audio-mute working.
+
+Signed-off-by: Andy Chi <andy.chi@canonical.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20240605092243.41963-1-andy.chi@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10183,6 +10183,10 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8c70, "HP EliteBook 835 G11", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8c71, "HP EliteBook 845 G11", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8c72, "HP EliteBook 865 G11", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8c7b, "HP ProBook 445 G11", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
++ SND_PCI_QUIRK(0x103c, 0x8c7c, "HP ProBook 445 G11", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
++ SND_PCI_QUIRK(0x103c, 0x8c7d, "HP ProBook 465 G11", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
++ SND_PCI_QUIRK(0x103c, 0x8c7e, "HP ProBook 465 G11", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8c89, "HP ProBook 460 G11", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8c8a, "HP EliteBook 630", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8c8c, "HP EliteBook 660", ALC236_FIXUP_HP_GPIO_LED),
--- /dev/null
+From 86a433862912f52597263aa224a9ed82bcd533bf Mon Sep 17 00:00:00 2001
+From: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
+Date: Wed, 5 Jun 2024 12:39:23 -0300
+Subject: ALSA: hda/realtek: Limit mic boost on N14AP7
+
+From: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
+
+commit 86a433862912f52597263aa224a9ed82bcd533bf upstream.
+
+The internal mic boost on the N14AP7 is too high. Fix this by applying the
+ALC269_FIXUP_LIMIT_INT_MIC_BOOST fixup to the machine to limit the gain.
+
+Signed-off-by: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20240605153923.2837-1-edson.drosdeck@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10572,6 +10572,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1b7d, 0xa831, "Ordissimo EVE2 ", ALC269VB_FIXUP_ORDISSIMO_EVE2), /* Also known as Malata PC-B1303 */
+ SND_PCI_QUIRK(0x1c06, 0x2013, "Lemote A1802", ALC269_FIXUP_LEMOTE_A1802),
+ SND_PCI_QUIRK(0x1c06, 0x2015, "Lemote A190X", ALC269_FIXUP_LEMOTE_A190X),
++ SND_PCI_QUIRK(0x1c6c, 0x122a, "Positivo N14AP7", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
+ SND_PCI_QUIRK(0x1c6c, 0x1251, "Positivo N14KP6-TG", ALC288_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1d05, 0x1132, "TongFang PHxTxX1", ALC256_FIXUP_SET_COEF_DEFAULTS),
+ SND_PCI_QUIRK(0x1d05, 0x1096, "TongFang GMxMRxx", ALC269_FIXUP_NO_SHUTUP),
--- /dev/null
+From fa997b0576c9df635ee363406f5e014dba0f9264 Mon Sep 17 00:00:00 2001
+From: Niklas Cassel <cassel@kernel.org>
+Date: Tue, 18 Jun 2024 17:28:29 +0200
+Subject: ata: ahci: Do not enable LPM if no LPM states are supported by the HBA
+
+From: Niklas Cassel <cassel@kernel.org>
+
+commit fa997b0576c9df635ee363406f5e014dba0f9264 upstream.
+
+LPM consists of HIPM (host initiated power management) and DIPM
+(device initiated power management).
+
+ata_eh_set_lpm() will only enable HIPM if both the HBA and the device
+supports it.
+
+However, DIPM will be enabled as long as the device supports it.
+The HBA will later reject the device's request to enter a power state
+that it does not support (Slumber/Partial/DevSleep) (DevSleep is never
+initiated by the device).
+
+For a HBA that doesn't support any LPM states, simply don't set a LPM
+policy such that all the HIPM/DIPM probing/enabling will be skipped.
+
+Not enabling HIPM or DIPM in the first place is safer than relying on
+the device following the AHCI specification and respecting the NAK.
+(There are comments in the code that some devices misbehave when
+receiving a NAK.)
+
+Performing this check in ahci_update_initial_lpm_policy() also has the
+advantage that a HBA that doesn't support any LPM states will take the
+exact same code paths as a port that is external/hot plug capable.
+
+Side note: the port in ata_port_dbg() has not been given a unique id yet,
+but this is not overly important as the debug print is disabled unless
+explicitly enabled using dynamic debug. A follow-up series will make sure
+that the unique id assignment will be done earlier. For now, the important
+thing is that the function returns before setting the LPM policy.
+
+Fixes: 7627a0edef54 ("ata: ahci: Drop low power policy board type")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Link: https://lore.kernel.org/r/20240618152828.2686771-2-cassel@kernel.org
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/ahci.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
+index 07d66d2c5f0d..5eb38fbbbecd 100644
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -1735,6 +1735,14 @@ static void ahci_update_initial_lpm_policy(struct ata_port *ap)
+ if (ap->pflags & ATA_PFLAG_EXTERNAL)
+ return;
+
++ /* If no LPM states are supported by the HBA, do not bother with LPM */
++ if ((ap->host->flags & ATA_HOST_NO_PART) &&
++ (ap->host->flags & ATA_HOST_NO_SSC) &&
++ (ap->host->flags & ATA_HOST_NO_DEVSLP)) {
++ ata_port_dbg(ap, "no LPM states supported, not enabling LPM\n");
++ return;
++ }
++
+ /* user modified policy via module param */
+ if (mobile_lpm_policy != -1) {
+ policy = mobile_lpm_policy;
+--
+2.45.2
+
--- /dev/null
+From 4eb4e85c4f818491efc67e9373aa16b123c3f522 Mon Sep 17 00:00:00 2001
+From: Boris Burkov <boris@bur.io>
+Date: Fri, 7 Jun 2024 12:50:14 -0700
+Subject: btrfs: retry block group reclaim without infinite loop
+
+From: Boris Burkov <boris@bur.io>
+
+commit 4eb4e85c4f818491efc67e9373aa16b123c3f522 upstream.
+
+If inc_block_group_ro systematically fails (e.g. due to ETXTBUSY from
+swap) or btrfs_relocate_chunk systematically fails (from lack of
+space), then this worker becomes an infinite loop.
+
+At the very least, this strands the cleaner thread, but can also result
+in hung tasks/RCU stalls on PREEMPT_NONE kernels and if the
+reclaim_bgs_lock mutex is not contended.
+
+I believe the best long term fix is to manage reclaim via work queue,
+where we queue up a relocation on the triggering condition and re-queue
+on failure. In the meantime, this is an easy fix to apply to avoid the
+immediate pain.
+
+Fixes: 7e2718099438 ("btrfs: reinsert BGs failed to reclaim")
+CC: stable@vger.kernel.org # 6.6+
+Signed-off-by: Boris Burkov <boris@bur.io>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/block-group.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/block-group.c
++++ b/fs/btrfs/block-group.c
+@@ -1785,6 +1785,7 @@ void btrfs_reclaim_bgs_work(struct work_
+ container_of(work, struct btrfs_fs_info, reclaim_bgs_work);
+ struct btrfs_block_group *bg;
+ struct btrfs_space_info *space_info;
++ LIST_HEAD(retry_list);
+
+ if (!test_bit(BTRFS_FS_OPEN, &fs_info->flags))
+ return;
+@@ -1921,8 +1922,11 @@ void btrfs_reclaim_bgs_work(struct work_
+ }
+
+ next:
+- if (ret)
+- btrfs_mark_bg_to_reclaim(bg);
++ if (ret) {
++ /* Refcount held by the reclaim_bgs list after splice. */
++ btrfs_get_block_group(bg);
++ list_add_tail(&bg->bg_list, &retry_list);
++ }
+ btrfs_put_block_group(bg);
+
+ mutex_unlock(&fs_info->reclaim_bgs_lock);
+@@ -1942,6 +1946,9 @@ next:
+ spin_unlock(&fs_info->unused_bgs_lock);
+ mutex_unlock(&fs_info->reclaim_bgs_lock);
+ end:
++ spin_lock(&fs_info->unused_bgs_lock);
++ list_splice_tail(&retry_list, &fs_info->reclaim_bgs);
++ spin_unlock(&fs_info->unused_bgs_lock);
+ btrfs_exclop_finish(fs_info);
+ sb_end_write(fs_info->sb);
+ }
--- /dev/null
+From 8bf0287528da1992c5e49d757b99ad6bbc34b522 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Wed, 19 Jun 2024 14:46:48 -0500
+Subject: cifs: fix typo in module parameter enable_gcm_256
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 8bf0287528da1992c5e49d757b99ad6bbc34b522 upstream.
+
+enable_gcm_256 (which allows the server to require the strongest
+encryption) is enabled by default, but the modinfo description
+incorrectly showed it disabled by default. Fix the typo.
+
+Cc: stable@vger.kernel.org
+Fixes: fee742b50289 ("smb3.1.1: enable negotiating stronger encryption by default")
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cifsfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/smb/client/cifsfs.c
++++ b/fs/smb/client/cifsfs.c
+@@ -134,7 +134,7 @@ module_param(enable_oplocks, bool, 0644)
+ MODULE_PARM_DESC(enable_oplocks, "Enable or disable oplocks. Default: y/Y/1");
+
+ module_param(enable_gcm_256, bool, 0644);
+-MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: n/N/0");
++MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: y/Y/0");
+
+ module_param(require_gcm_256, bool, 0644);
+ MODULE_PARM_DESC(require_gcm_256, "Require strongest (256 bit) GCM encryption. Default: n/N/0");
--- /dev/null
+From 462237d2d93fc9e9221d1cf9f773954d27da83c0 Mon Sep 17 00:00:00 2001
+From: Louis Chauvet <louis.chauvet@bootlin.com>
+Date: Fri, 7 Jun 2024 10:34:38 +0200
+Subject: dmaengine: xilinx: xdma: Fix data synchronisation in xdma_channel_isr()
+
+From: Louis Chauvet <louis.chauvet@bootlin.com>
+
+commit 462237d2d93fc9e9221d1cf9f773954d27da83c0 upstream.
+
+Requests the vchan lock before using xdma->stop_request.
+
+Fixes: 6a40fb824596 ("dmaengine: xilinx: xdma: Fix synchronization issue")
+Cc: stable@vger.kernel.org
+Signed-off-by: Louis Chauvet <louis.chauvet@bootlin.com>
+Link: https://lore.kernel.org/r/20240607-xdma-fixes-v2-1-0282319ce345@bootlin.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/xilinx/xdma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/xilinx/xdma.c b/drivers/dma/xilinx/xdma.c
+index e143a7330816..718842fdaf98 100644
+--- a/drivers/dma/xilinx/xdma.c
++++ b/drivers/dma/xilinx/xdma.c
+@@ -885,11 +885,11 @@ static irqreturn_t xdma_channel_isr(int irq, void *dev_id)
+ u32 st;
+ bool repeat_tx;
+
++ spin_lock(&xchan->vchan.lock);
++
+ if (xchan->stop_requested)
+ complete(&xchan->last_interrupt);
+
+- spin_lock(&xchan->vchan.lock);
+-
+ /* get submitted request */
+ vd = vchan_next_desc(&xchan->vchan);
+ if (!vd)
+--
+2.45.2
+
--- /dev/null
+From c03d770c0b014a3007a5874bf6b3c3e64d32aaac Mon Sep 17 00:00:00 2001
+From: Michael Strauss <michael.strauss@amd.com>
+Date: Tue, 7 May 2024 12:03:15 -0400
+Subject: drm/amd/display: Attempt to avoid empty TUs when endpoint is DPIA
+
+From: Michael Strauss <michael.strauss@amd.com>
+
+commit c03d770c0b014a3007a5874bf6b3c3e64d32aaac upstream.
+
+[WHY]
+Empty SST TUs are illegal to transmit over a USB4 DP tunnel.
+Current policy is to configure stream encoder to pack 2 pixels per pclk
+even when ODM combine is not in use, allowing seamless dynamic ODM
+reconfiguration. However, in extreme edge cases where average pixel
+count per TU is less than 2, this can lead to unexpected empty TU
+generation during compliance testing. For example, VIC 1 with a 1xHBR3
+link configuration will average 1.98 pix/TU.
+
+[HOW]
+Calculate average pixel count per TU, and block 2 pixels per clock if
+endpoint is a DPIA tunnel and pixel clock is low enough that we will
+never require 2:1 ODM combine.
+
+Cc: stable@vger.kernel.org # 6.6+
+Reviewed-by: Wenjing Liu <wenjing.liu@amd.com>
+Acked-by: Hamza Mahfooz <hamza.mahfooz@amd.com>
+Signed-off-by: Michael Strauss <michael.strauss@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 72 ++++++++++++++++
+ drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.h | 2
+ drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c | 2
+ 3 files changed, 75 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c
+@@ -1373,3 +1373,75 @@ void dcn35_set_static_screen_control(str
+ set_static_screen_control(pipe_ctx[i]->stream_res.tg,
+ triggers, params->num_frames);
+ }
++
++static bool should_avoid_empty_tu(struct pipe_ctx *pipe_ctx)
++{
++ /* Calculate average pixel count per TU, return false if under ~2.00 to
++ * avoid empty TUs. This is only required for DPIA tunneling as empty TUs
++ * are legal to generate for native DP links. Assume TU size 64 as there
++ * is currently no scenario where it's reprogrammed from HW default.
++ * MTPs have no such limitation, so this does not affect MST use cases.
++ */
++ unsigned int pix_clk_mhz;
++ unsigned int symclk_mhz;
++ unsigned int avg_pix_per_tu_x1000;
++ unsigned int tu_size_bytes = 64;
++ struct dc_crtc_timing *timing = &pipe_ctx->stream->timing;
++ struct dc_link_settings *link_settings = &pipe_ctx->link_config.dp_link_settings;
++ const struct dc *dc = pipe_ctx->stream->link->dc;
++
++ if (pipe_ctx->stream->link->ep_type != DISPLAY_ENDPOINT_USB4_DPIA)
++ return false;
++
++ // Not necessary for MST configurations
++ if (pipe_ctx->stream->signal == SIGNAL_TYPE_DISPLAY_PORT_MST)
++ return false;
++
++ pix_clk_mhz = timing->pix_clk_100hz / 10000;
++
++ // If this is true, can't block due to dynamic ODM
++ if (pix_clk_mhz > dc->clk_mgr->bw_params->clk_table.entries[0].dispclk_mhz)
++ return false;
++
++ switch (link_settings->link_rate) {
++ case LINK_RATE_LOW:
++ symclk_mhz = 162;
++ break;
++ case LINK_RATE_HIGH:
++ symclk_mhz = 270;
++ break;
++ case LINK_RATE_HIGH2:
++ symclk_mhz = 540;
++ break;
++ case LINK_RATE_HIGH3:
++ symclk_mhz = 810;
++ break;
++ default:
++ // We shouldn't be tunneling any other rates, something is wrong
++ ASSERT(0);
++ return false;
++ }
++
++ avg_pix_per_tu_x1000 = (1000 * pix_clk_mhz * tu_size_bytes)
++ / (symclk_mhz * link_settings->lane_count);
++
++ // Add small empirically-decided margin to account for potential jitter
++ return (avg_pix_per_tu_x1000 < 2020);
++}
++
++bool dcn35_is_dp_dig_pixel_rate_div_policy(struct pipe_ctx *pipe_ctx)
++{
++ struct dc *dc = pipe_ctx->stream->ctx->dc;
++
++ if (!is_h_timing_divisible_by_2(pipe_ctx->stream))
++ return false;
++
++ if (should_avoid_empty_tu(pipe_ctx))
++ return false;
++
++ if (dc_is_dp_signal(pipe_ctx->stream->signal) && !dc->link_srv->dp_is_128b_132b_signal(pipe_ctx) &&
++ dc->debug.enable_dp_dig_pixel_rate_div_policy)
++ return true;
++
++ return false;
++}
+--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.h
++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.h
+@@ -93,4 +93,6 @@ void dcn35_set_drr(struct pipe_ctx **pip
+ void dcn35_set_static_screen_control(struct pipe_ctx **pipe_ctx,
+ int num_pipes, const struct dc_static_screen_params *params);
+
++bool dcn35_is_dp_dig_pixel_rate_div_policy(struct pipe_ctx *pipe_ctx);
++
+ #endif /* __DC_HWSS_DCN35_H__ */
+--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c
++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c
+@@ -158,7 +158,7 @@ static const struct hwseq_private_funcs
+ .setup_hpo_hw_control = dcn35_setup_hpo_hw_control,
+ .calculate_dccg_k1_k2_values = dcn32_calculate_dccg_k1_k2_values,
+ .set_pixels_per_cycle = dcn32_set_pixels_per_cycle,
+- .is_dp_dig_pixel_rate_div_policy = dcn32_is_dp_dig_pixel_rate_div_policy,
++ .is_dp_dig_pixel_rate_div_policy = dcn35_is_dp_dig_pixel_rate_div_policy,
+ .dsc_pg_control = dcn35_dsc_pg_control,
+ .dsc_pg_status = dcn32_dsc_pg_status,
+ .enable_plane = dcn35_enable_plane,
--- /dev/null
+From e2654a4453ba3dac9baacf9980d841d84e15b869 Mon Sep 17 00:00:00 2001
+From: Roman Li <roman.li@amd.com>
+Date: Tue, 7 May 2024 16:26:08 -0400
+Subject: drm/amd/display: Remove redundant idle optimization check
+
+From: Roman Li <roman.li@amd.com>
+
+commit e2654a4453ba3dac9baacf9980d841d84e15b869 upstream.
+
+[Why]
+Disable idle optimization for each atomic commit is unnecessary,
+and can lead to a potential race condition.
+
+[How]
+Remove idle optimization check from amdgpu_dm_atomic_commit_tail()
+
+Fixes: 196107eb1e15 ("drm/amd/display: Add IPS checks before dcn register access")
+Cc: stable@vger.kernel.org
+Reviewed-by: Hamza Mahfooz <hamza.mahfooz@amd.com>
+Acked-by: Roman Li <roman.li@amd.com>
+Signed-off-by: Roman Li <roman.li@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -9149,9 +9149,6 @@ static void amdgpu_dm_atomic_commit_tail
+
+ trace_amdgpu_dm_atomic_commit_tail_begin(state);
+
+- if (dm->dc->caps.ips_support && dm->dc->idle_optimizations_allowed)
+- dc_allow_idle_optimizations(dm->dc, false);
+-
+ drm_atomic_helper_update_legacy_modeset_state(dev, state);
+ drm_dp_mst_atomic_wait_for_dependencies(state);
+
--- /dev/null
+From 84801d4f1e4fbd2c44dddecaec9099bdff100a42 Mon Sep 17 00:00:00 2001
+From: Yunxiang Li <Yunxiang.Li@amd.com>
+Date: Thu, 23 May 2024 07:48:19 -0400
+Subject: drm/amdgpu: fix locking scope when flushing tlb
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yunxiang Li <Yunxiang.Li@amd.com>
+
+commit 84801d4f1e4fbd2c44dddecaec9099bdff100a42 upstream.
+
+Which method is used to flush tlb does not depend on whether a reset is
+in progress or not. We should skip flush altogether if the GPU will get
+reset. So put both path under reset_domain read lock.
+
+Signed-off-by: Yunxiang Li <Yunxiang.Li@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+CC: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 70 ++++++++++++++++----------------
+ 1 file changed, 36 insertions(+), 34 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
+@@ -684,12 +684,17 @@ int amdgpu_gmc_flush_gpu_tlb_pasid(struc
+ struct amdgpu_ring *ring = &adev->gfx.kiq[inst].ring;
+ struct amdgpu_kiq *kiq = &adev->gfx.kiq[inst];
+ unsigned int ndw;
+- signed long r;
++ int r;
+ uint32_t seq;
+
+- if (!adev->gmc.flush_pasid_uses_kiq || !ring->sched.ready ||
+- !down_read_trylock(&adev->reset_domain->sem)) {
++ /*
++ * A GPU reset should flush all TLBs anyway, so no need to do
++ * this while one is ongoing.
++ */
++ if (!down_read_trylock(&adev->reset_domain->sem))
++ return 0;
+
++ if (!adev->gmc.flush_pasid_uses_kiq || !ring->sched.ready) {
+ if (adev->gmc.flush_tlb_needs_extra_type_2)
+ adev->gmc.gmc_funcs->flush_gpu_tlb_pasid(adev, pasid,
+ 2, all_hub,
+@@ -703,43 +708,40 @@ int amdgpu_gmc_flush_gpu_tlb_pasid(struc
+ adev->gmc.gmc_funcs->flush_gpu_tlb_pasid(adev, pasid,
+ flush_type, all_hub,
+ inst);
+- return 0;
+- }
++ r = 0;
++ } else {
++ /* 2 dwords flush + 8 dwords fence */
++ ndw = kiq->pmf->invalidate_tlbs_size + 8;
+
+- /* 2 dwords flush + 8 dwords fence */
+- ndw = kiq->pmf->invalidate_tlbs_size + 8;
++ if (adev->gmc.flush_tlb_needs_extra_type_2)
++ ndw += kiq->pmf->invalidate_tlbs_size;
+
+- if (adev->gmc.flush_tlb_needs_extra_type_2)
+- ndw += kiq->pmf->invalidate_tlbs_size;
++ if (adev->gmc.flush_tlb_needs_extra_type_0)
++ ndw += kiq->pmf->invalidate_tlbs_size;
+
+- if (adev->gmc.flush_tlb_needs_extra_type_0)
+- ndw += kiq->pmf->invalidate_tlbs_size;
++ spin_lock(&adev->gfx.kiq[inst].ring_lock);
++ amdgpu_ring_alloc(ring, ndw);
++ if (adev->gmc.flush_tlb_needs_extra_type_2)
++ kiq->pmf->kiq_invalidate_tlbs(ring, pasid, 2, all_hub);
+
+- spin_lock(&adev->gfx.kiq[inst].ring_lock);
+- amdgpu_ring_alloc(ring, ndw);
+- if (adev->gmc.flush_tlb_needs_extra_type_2)
+- kiq->pmf->kiq_invalidate_tlbs(ring, pasid, 2, all_hub);
+-
+- if (flush_type == 2 && adev->gmc.flush_tlb_needs_extra_type_0)
+- kiq->pmf->kiq_invalidate_tlbs(ring, pasid, 0, all_hub);
+-
+- kiq->pmf->kiq_invalidate_tlbs(ring, pasid, flush_type, all_hub);
+- r = amdgpu_fence_emit_polling(ring, &seq, MAX_KIQ_REG_WAIT);
+- if (r) {
+- amdgpu_ring_undo(ring);
+- spin_unlock(&adev->gfx.kiq[inst].ring_lock);
+- goto error_unlock_reset;
+- }
++ if (flush_type == 2 && adev->gmc.flush_tlb_needs_extra_type_0)
++ kiq->pmf->kiq_invalidate_tlbs(ring, pasid, 0, all_hub);
+
+- amdgpu_ring_commit(ring);
+- spin_unlock(&adev->gfx.kiq[inst].ring_lock);
+- r = amdgpu_fence_wait_polling(ring, seq, usec_timeout);
+- if (r < 1) {
+- dev_err(adev->dev, "wait for kiq fence error: %ld.\n", r);
+- r = -ETIME;
+- goto error_unlock_reset;
++ kiq->pmf->kiq_invalidate_tlbs(ring, pasid, flush_type, all_hub);
++ r = amdgpu_fence_emit_polling(ring, &seq, MAX_KIQ_REG_WAIT);
++ if (r) {
++ amdgpu_ring_undo(ring);
++ spin_unlock(&adev->gfx.kiq[inst].ring_lock);
++ goto error_unlock_reset;
++ }
++
++ amdgpu_ring_commit(ring);
++ spin_unlock(&adev->gfx.kiq[inst].ring_lock);
++ if (amdgpu_fence_wait_polling(ring, seq, usec_timeout) < 1) {
++ dev_err(adev->dev, "timeout waiting for kiq fence\n");
++ r = -ETIME;
++ }
+ }
+- r = 0;
+
+ error_unlock_reset:
+ up_read(&adev->reset_domain->sem);
--- /dev/null
+From f0d576f840153392d04b2d52cf3adab8f62e8cb6 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Mon, 20 May 2024 09:05:21 -0400
+Subject: drm/amdgpu: fix UBSAN warning in kv_dpm.c
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit f0d576f840153392d04b2d52cf3adab8f62e8cb6 upstream.
+
+Adds bounds check for sumo_vid_mapping_entry.
+
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3392
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c
++++ b/drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c
+@@ -164,6 +164,8 @@ static void sumo_construct_vid_mapping_t
+
+ for (i = 0; i < SUMO_MAX_HARDWARE_POWERLEVELS; i++) {
+ if (table[i].ulSupportedSCLK != 0) {
++ if (table[i].usVoltageIndex >= SUMO_MAX_NUMBER_VOLTAGES)
++ continue;
+ vid_mapping_table->entries[table[i].usVoltageIndex].vid_7bit =
+ table[i].usVoltageID;
+ vid_mapping_table->entries[table[i].usVoltageIndex].vid_2bit =
--- /dev/null
+From 49cc17967be95d64606d5684416ee51eec35e84a Mon Sep 17 00:00:00 2001
+From: Jani Nikula <jani.nikula@intel.com>
+Date: Fri, 14 Jun 2024 17:23:11 +0300
+Subject: drm/i915/mso: using joiner is not possible with eDP MSO
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jani Nikula <jani.nikula@intel.com>
+
+commit 49cc17967be95d64606d5684416ee51eec35e84a upstream.
+
+It's not possible to use the joiner at the same time with eDP MSO. When
+a panel needs MSO, it's not optional, so MSO trumps joiner.
+
+v3: Only change intel_dp_has_joiner(), leave debugfs alone (Ville)
+
+Fixes: bc71194e8897 ("drm/i915/edp: enable eDP MSO during link training")
+Cc: <stable@vger.kernel.org> # v5.13+
+Cc: Ville Syrjala <ville.syrjala@linux.intel.com>
+Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1668
+Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240614142311.589089-1-jani.nikula@intel.com
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+(cherry picked from commit 8b5a92ca24eb96bb71e2a55e352687487d87687f)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/intel_dp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/i915/display/intel_dp.c
++++ b/drivers/gpu/drm/i915/display/intel_dp.c
+@@ -431,6 +431,10 @@ bool intel_dp_can_bigjoiner(struct intel
+ struct intel_encoder *encoder = &intel_dig_port->base;
+ struct drm_i915_private *dev_priv = to_i915(encoder->base.dev);
+
++ /* eDP MSO is not compatible with joiner */
++ if (intel_dp->mso_link_count)
++ return false;
++
+ return DISPLAY_VER(dev_priv) >= 12 ||
+ (DISPLAY_VER(dev_priv) == 11 &&
+ encoder->port != PORT_A);
--- /dev/null
+From a498df5421fd737d11bfd152428ba6b1c8538321 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Mon, 20 May 2024 09:11:45 -0400
+Subject: drm/radeon: fix UBSAN warning in kv_dpm.c
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit a498df5421fd737d11bfd152428ba6b1c8538321 upstream.
+
+Adds bounds check for sumo_vid_mapping_entry.
+
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/radeon/sumo_dpm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/sumo_dpm.c
++++ b/drivers/gpu/drm/radeon/sumo_dpm.c
+@@ -1619,6 +1619,8 @@ void sumo_construct_vid_mapping_table(st
+
+ for (i = 0; i < SUMO_MAX_HARDWARE_POWERLEVELS; i++) {
+ if (table[i].ulSupportedSCLK != 0) {
++ if (table[i].usVoltageIndex >= SUMO_MAX_NUMBER_VOLTAGES)
++ continue;
+ vid_mapping_table->entries[table[i].usVoltageIndex].vid_7bit =
+ table[i].usVoltageID;
+ vid_mapping_table->entries[table[i].usVoltageIndex].vid_2bit =
--- /dev/null
+From 1345a13f18370ad9e5bc98995959a27f9bd71464 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Tue, 21 May 2024 10:30:02 +0200
+Subject: dt-bindings: dma: fsl-edma: fix dma-channels constraints
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 1345a13f18370ad9e5bc98995959a27f9bd71464 upstream.
+
+dma-channels is a number, not a list. Apply proper constraints on the
+actual number.
+
+Fixes: 6eb439dff645 ("dt-bindings: fsl-dma: fsl-edma: add edma3 compatible string")
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Acked-by: Rob Herring (Arm) <robh@kernel.org>
+Link: https://lore.kernel.org/r/20240521083002.23262-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/dma/fsl,edma.yaml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/Documentation/devicetree/bindings/dma/fsl,edma.yaml
++++ b/Documentation/devicetree/bindings/dma/fsl,edma.yaml
+@@ -48,8 +48,8 @@ properties:
+ - 3
+
+ dma-channels:
+- minItems: 1
+- maxItems: 64
++ minimum: 1
++ maximum: 64
+
+ clocks:
+ minItems: 1
--- /dev/null
+From c1558bc57b8e5b4da5d821537cd30e2e660861d8 Mon Sep 17 00:00:00 2001
+From: Peter Oberparleiter <oberpar@linux.ibm.com>
+Date: Mon, 10 Jun 2024 11:27:43 +0200
+Subject: gcov: add support for GCC 14
+
+From: Peter Oberparleiter <oberpar@linux.ibm.com>
+
+commit c1558bc57b8e5b4da5d821537cd30e2e660861d8 upstream.
+
+Using gcov on kernels compiled with GCC 14 results in truncated 16-byte
+long .gcda files with no usable data. To fix this, update GCOV_COUNTERS
+to match the value defined by GCC 14.
+
+Tested with GCC versions 14.1.0 and 13.2.0.
+
+Link: https://lkml.kernel.org/r/20240610092743.1609845-1-oberpar@linux.ibm.com
+Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
+Reported-by: Allison Henderson <allison.henderson@oracle.com>
+Reported-by: Chuck Lever III <chuck.lever@oracle.com>
+Tested-by: Chuck Lever <chuck.lever@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/gcov/gcc_4_7.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/gcov/gcc_4_7.c
++++ b/kernel/gcov/gcc_4_7.c
+@@ -18,7 +18,9 @@
+ #include <linux/mm.h>
+ #include "gcov.h"
+
+-#if (__GNUC__ >= 10)
++#if (__GNUC__ >= 14)
++#define GCOV_COUNTERS 9
++#elif (__GNUC__ >= 10)
+ #define GCOV_COUNTERS 8
+ #elif (__GNUC__ >= 7)
+ #define GCOV_COUNTERS 9
--- /dev/null
+From 01c8f9806bde438ca1c8cbbc439f0a14a6694f6c Mon Sep 17 00:00:00 2001
+From: Aleksandr Nogikh <nogikh@google.com>
+Date: Tue, 11 Jun 2024 15:32:29 +0200
+Subject: kcov: don't lose track of remote references during softirqs
+
+From: Aleksandr Nogikh <nogikh@google.com>
+
+commit 01c8f9806bde438ca1c8cbbc439f0a14a6694f6c upstream.
+
+In kcov_remote_start()/kcov_remote_stop(), we swap the previous KCOV
+metadata of the current task into a per-CPU variable. However, the
+kcov_mode_enabled(mode) check is not sufficient in the case of remote KCOV
+coverage: current->kcov_mode always remains KCOV_MODE_DISABLED for remote
+KCOV objects.
+
+If the original task that has invoked the KCOV_REMOTE_ENABLE ioctl happens
+to get interrupted and kcov_remote_start() is called, it ultimately leads
+to kcov_remote_stop() NOT restoring the original KCOV reference. So when
+the task exits, all registered remote KCOV handles remain active forever.
+
+The most uncomfortable effect (at least for syzkaller) is that the bug
+prevents the reuse of the same /sys/kernel/debug/kcov descriptor. If
+we obtain it in the parent process and then e.g. drop some
+capabilities and continuously fork to execute individual programs, at
+some point current->kcov of the forked process is lost,
+kcov_task_exit() takes no action, and all KCOV_REMOTE_ENABLE ioctls
+calls from subsequent forks fail.
+
+And, yes, the efficiency is also affected if we keep on losing remote
+kcov objects.
+a) kcov_remote_map keeps on growing forever.
+b) (If I'm not mistaken), we're also not freeing the memory referenced
+by kcov->area.
+
+Fix it by introducing a special kcov_mode that is assigned to the task
+that owns a KCOV remote object. It makes kcov_mode_enabled() return true
+and yet does not trigger coverage collection in __sanitizer_cov_trace_pc()
+and write_comp_data().
+
+[nogikh@google.com: replace WRITE_ONCE() with an ordinary assignment]
+ Link: https://lkml.kernel.org/r/20240614171221.2837584-1-nogikh@google.com
+Link: https://lkml.kernel.org/r/20240611133229.527822-1-nogikh@google.com
+Fixes: 5ff3b30ab57d ("kcov: collect coverage from interrupts")
+Signed-off-by: Aleksandr Nogikh <nogikh@google.com>
+Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
+Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
+Tested-by: Andrey Konovalov <andreyknvl@gmail.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Marco Elver <elver@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/kcov.h | 2 ++
+ kernel/kcov.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/include/linux/kcov.h
++++ b/include/linux/kcov.h
+@@ -21,6 +21,8 @@ enum kcov_mode {
+ KCOV_MODE_TRACE_PC = 2,
+ /* Collecting comparison operands mode. */
+ KCOV_MODE_TRACE_CMP = 3,
++ /* The process owns a KCOV remote reference. */
++ KCOV_MODE_REMOTE = 4,
+ };
+
+ #define KCOV_IN_CTXSW (1 << 30)
+--- a/kernel/kcov.c
++++ b/kernel/kcov.c
+@@ -631,6 +631,7 @@ static int kcov_ioctl_locked(struct kcov
+ return -EINVAL;
+ kcov->mode = mode;
+ t->kcov = kcov;
++ t->kcov_mode = KCOV_MODE_REMOTE;
+ kcov->t = t;
+ kcov->remote = true;
+ kcov->remote_size = remote_arg->area_size;
--- /dev/null
+From 0d92e4a7ffd5c42b9fa864692f82476c0bf8bcc8 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Wed, 5 Jun 2024 18:56:37 +0100
+Subject: KVM: arm64: Disassociate vcpus from redistributor region on teardown
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit 0d92e4a7ffd5c42b9fa864692f82476c0bf8bcc8 upstream.
+
+When tearing down a redistributor region, make sure we don't have
+any dangling pointer to that region stored in a vcpu.
+
+Fixes: e5a35635464b ("kvm: arm64: vgic-v3: Introduce vgic_v3_free_redist_region()")
+Reported-by: Alexander Potapenko <glider@google.com>
+Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20240605175637.1635653-1-maz@kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kvm/vgic/vgic-init.c | 2 +-
+ arch/arm64/kvm/vgic/vgic-mmio-v3.c | 15 +++++++++++++--
+ arch/arm64/kvm/vgic/vgic.h | 2 +-
+ 3 files changed, 15 insertions(+), 4 deletions(-)
+
+--- a/arch/arm64/kvm/vgic/vgic-init.c
++++ b/arch/arm64/kvm/vgic/vgic-init.c
+@@ -355,7 +355,7 @@ static void kvm_vgic_dist_destroy(struct
+
+ if (dist->vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3) {
+ list_for_each_entry_safe(rdreg, next, &dist->rd_regions, list)
+- vgic_v3_free_redist_region(rdreg);
++ vgic_v3_free_redist_region(kvm, rdreg);
+ INIT_LIST_HEAD(&dist->rd_regions);
+ } else {
+ dist->vgic_cpu_base = VGIC_ADDR_UNDEF;
+--- a/arch/arm64/kvm/vgic/vgic-mmio-v3.c
++++ b/arch/arm64/kvm/vgic/vgic-mmio-v3.c
+@@ -919,8 +919,19 @@ free:
+ return ret;
+ }
+
+-void vgic_v3_free_redist_region(struct vgic_redist_region *rdreg)
++void vgic_v3_free_redist_region(struct kvm *kvm, struct vgic_redist_region *rdreg)
+ {
++ struct kvm_vcpu *vcpu;
++ unsigned long c;
++
++ lockdep_assert_held(&kvm->arch.config_lock);
++
++ /* Garbage collect the region */
++ kvm_for_each_vcpu(c, vcpu, kvm) {
++ if (vcpu->arch.vgic_cpu.rdreg == rdreg)
++ vcpu->arch.vgic_cpu.rdreg = NULL;
++ }
++
+ list_del(&rdreg->list);
+ kfree(rdreg);
+ }
+@@ -945,7 +956,7 @@ int vgic_v3_set_redist_base(struct kvm *
+
+ mutex_lock(&kvm->arch.config_lock);
+ rdreg = vgic_v3_rdist_region_from_index(kvm, index);
+- vgic_v3_free_redist_region(rdreg);
++ vgic_v3_free_redist_region(kvm, rdreg);
+ mutex_unlock(&kvm->arch.config_lock);
+ return ret;
+ }
+--- a/arch/arm64/kvm/vgic/vgic.h
++++ b/arch/arm64/kvm/vgic/vgic.h
+@@ -317,7 +317,7 @@ vgic_v3_rd_region_size(struct kvm *kvm,
+
+ struct vgic_redist_region *vgic_v3_rdist_region_from_index(struct kvm *kvm,
+ u32 index);
+-void vgic_v3_free_redist_region(struct vgic_redist_region *rdreg);
++void vgic_v3_free_redist_region(struct kvm *kvm, struct vgic_redist_region *rdreg);
+
+ bool vgic_v3_rdist_overlap(struct kvm *kvm, gpa_t base, size_t size);
+
--- /dev/null
+From 49f683b41f28918df3e51ddc0d928cb2e934ccdb Mon Sep 17 00:00:00 2001
+From: Breno Leitao <leitao@debian.org>
+Date: Fri, 10 May 2024 02:23:52 -0700
+Subject: KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()
+
+From: Breno Leitao <leitao@debian.org>
+
+commit 49f683b41f28918df3e51ddc0d928cb2e934ccdb upstream.
+
+Use {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the
+loads and stores are atomic. In the extremely unlikely scenario the
+compiler tears the stores, it's theoretically possible for KVM to attempt
+to get a vCPU using an out-of-bounds index, e.g. if the write is split
+into multiple 8-bit stores, and is paired with a 32-bit load on a VM with
+257 vCPUs:
+
+ CPU0 CPU1
+ last_boosted_vcpu = 0xff;
+
+ (last_boosted_vcpu = 0x100)
+ last_boosted_vcpu[15:8] = 0x01;
+ i = (last_boosted_vcpu = 0x1ff)
+ last_boosted_vcpu[7:0] = 0x00;
+
+ vcpu = kvm->vcpu_array[0x1ff];
+
+As detected by KCSAN:
+
+ BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm]
+
+ write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16:
+ kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm
+ handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel
+ vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?
+ arch/x86/kvm/vmx/vmx.c:6606) kvm_intel
+ vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm
+ kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm
+ kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm
+ __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)
+ __x64_sys_ioctl (fs/ioctl.c:890)
+ x64_sys_call (arch/x86/entry/syscall_64.c:33)
+ do_syscall_64 (arch/x86/entry/common.c:?)
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+
+ read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4:
+ kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm
+ handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel
+ vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?
+ arch/x86/kvm/vmx/vmx.c:6606) kvm_intel
+ vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm
+ kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm
+ kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm
+ __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)
+ __x64_sys_ioctl (fs/ioctl.c:890)
+ x64_sys_call (arch/x86/entry/syscall_64.c:33)
+ do_syscall_64 (arch/x86/entry/common.c:?)
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+
+ value changed: 0x00000012 -> 0x00000000
+
+Fixes: 217ece6129f2 ("KVM: use yield_to instead of sleep in kvm_vcpu_on_spin")
+Cc: stable@vger.kernel.org
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Link: https://lore.kernel.org/r/20240510092353.2261824-1-leitao@debian.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/kvm_main.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -4067,12 +4067,13 @@ void kvm_vcpu_on_spin(struct kvm_vcpu *m
+ {
+ struct kvm *kvm = me->kvm;
+ struct kvm_vcpu *vcpu;
+- int last_boosted_vcpu = me->kvm->last_boosted_vcpu;
++ int last_boosted_vcpu;
+ unsigned long i;
+ int yielded = 0;
+ int try = 3;
+ int pass;
+
++ last_boosted_vcpu = READ_ONCE(kvm->last_boosted_vcpu);
+ kvm_vcpu_set_in_spin_loop(me, true);
+ /*
+ * We boost the priority of a VCPU that is runnable but not
+@@ -4110,7 +4111,7 @@ void kvm_vcpu_on_spin(struct kvm_vcpu *m
+
+ yielded = kvm_vcpu_yield_to(vcpu);
+ if (yielded > 0) {
+- kvm->last_boosted_vcpu = i;
++ WRITE_ONCE(kvm->last_boosted_vcpu, i);
+ break;
+ } else if (yielded < 0) {
+ try--;
--- /dev/null
+From f3ced000a2df53f4b12849e121769045a81a3b22 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Mon, 10 Jun 2024 18:48:45 -0700
+Subject: KVM: x86: Always sync PIR to IRR prior to scanning I/O APIC routes
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit f3ced000a2df53f4b12849e121769045a81a3b22 upstream.
+
+Sync pending posted interrupts to the IRR prior to re-scanning I/O APIC
+routes, irrespective of whether the I/O APIC is emulated by userspace or
+by KVM. If a level-triggered interrupt routed through the I/O APIC is
+pending or in-service for a vCPU, KVM needs to intercept EOIs on said
+vCPU even if the vCPU isn't the destination for the new routing, e.g. if
+servicing an interrupt using the old routing races with I/O APIC
+reconfiguration.
+
+Commit fceb3a36c29a ("KVM: x86: ioapic: Fix level-triggered EOI and
+userspace I/OAPIC reconfigure race") fixed the common cases, but
+kvm_apic_pending_eoi() only checks if an interrupt is in the local
+APIC's IRR or ISR, i.e. misses the uncommon case where an interrupt is
+pending in the PIR.
+
+Failure to intercept EOI can manifest as guest hangs with Windows 11 if
+the guest uses the RTC as its timekeeping source, e.g. if the VMM doesn't
+expose a more modern form of time to the guest.
+
+Cc: stable@vger.kernel.org
+Cc: Adamos Ttofari <attofari@amazon.de>
+Cc: Raghavendra Rao Ananta <rananta@google.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-ID: <20240611014845.82795-1-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/x86.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -10677,13 +10677,12 @@ static void vcpu_scan_ioapic(struct kvm_
+
+ bitmap_zero(vcpu->arch.ioapic_handled_vectors, 256);
+
++ static_call_cond(kvm_x86_sync_pir_to_irr)(vcpu);
++
+ if (irqchip_split(vcpu->kvm))
+ kvm_scan_ioapic_routes(vcpu, vcpu->arch.ioapic_handled_vectors);
+- else {
+- static_call_cond(kvm_x86_sync_pir_to_irr)(vcpu);
+- if (ioapic_in_kernel(vcpu->kvm))
+- kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors);
+- }
++ else if (ioapic_in_kernel(vcpu->kvm))
++ kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors);
+
+ if (is_guest_mode(vcpu))
+ vcpu->arch.load_eoi_exitmap_pending = true;
--- /dev/null
+From 3eb2a8b23598e90fda43abb0f23cb267bd5018ba Mon Sep 17 00:00:00 2001
+From: Hui Li <lihui@loongson.cn>
+Date: Fri, 21 Jun 2024 10:18:40 +0800
+Subject: LoongArch: Fix multiple hardware watchpoint issues
+
+From: Hui Li <lihui@loongson.cn>
+
+commit 3eb2a8b23598e90fda43abb0f23cb267bd5018ba upstream.
+
+In the current code, if multiple hardware breakpoints/watchpoints in
+a user-space thread, some of them will not be triggered.
+
+When debugging the following code using gdb.
+
+lihui@bogon:~$ cat test.c
+ #include <stdio.h>
+ int a = 0;
+ int main()
+ {
+ printf("start test\n");
+ a = 1;
+ printf("a = %d\n", a);
+ printf("end test\n");
+ return 0;
+ }
+lihui@bogon:~$ gcc -g test.c -o test
+lihui@bogon:~$ gdb test
+...
+(gdb) start
+...
+Temporary breakpoint 1, main () at test.c:5
+5 printf("start test\n");
+(gdb) watch a
+Hardware watchpoint 2: a
+(gdb) hbreak 8
+Hardware assisted breakpoint 3 at 0x1200006ec: file test.c, line 8.
+(gdb) c
+Continuing.
+start test
+a = 1
+
+Breakpoint 3, main () at test.c:8
+8 printf("end test\n");
+...
+
+The first hardware watchpoint is not triggered, the root causes are:
+
+1. In hw_breakpoint_control(), The FWPnCFG1.2.4/MWPnCFG1.2.4 register
+ settings are not distinguished. They should be set based on hardware
+ watchpoint functions (fetch or load/store operations).
+
+2. In breakpoint_handler() and watchpoint_handler(), it doesn't identify
+ which watchpoint is triggered. So, all watchpoint-related perf_event
+ callbacks are called and siginfo is sent to the user space. This will
+ cause user-space unable to determine which watchpoint is triggered.
+ The kernel need to identity which watchpoint is triggered via MWPS/
+ FWPS registers, and then call the corresponding perf event callbacks
+ to report siginfo to the user-space.
+
+Modify the relevant code to solve above issues.
+
+All changes according to the LoongArch Reference Manual:
+https://loongson.github.io/LoongArch-Documentation/LoongArch-Vol1-EN.html#control-and-status-registers-related-to-watchpoints
+
+With this patch:
+
+lihui@bogon:~$ gdb test
+...
+(gdb) start
+...
+Temporary breakpoint 1, main () at test.c:5
+5 printf("start test\n");
+(gdb) watch a
+Hardware watchpoint 2: a
+(gdb) hbreak 8
+Hardware assisted breakpoint 3 at 0x1200006ec: file test.c, line 8.
+(gdb) c
+Continuing.
+start test
+
+Hardware watchpoint 2: a
+
+Old value = 0
+New value = 1
+main () at test.c:7
+7 printf("a = %d\n", a);
+(gdb) c
+Continuing.
+a = 1
+
+Breakpoint 3, main () at test.c:8
+8 printf("end test\n");
+(gdb) c
+Continuing.
+end test
+[Inferior 1 (process 778) exited normally]
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hui Li <lihui@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/kernel/hw_breakpoint.c | 57 +++++++++++++++++++---------------
+ 1 file changed, 33 insertions(+), 24 deletions(-)
+
+--- a/arch/loongarch/kernel/hw_breakpoint.c
++++ b/arch/loongarch/kernel/hw_breakpoint.c
+@@ -207,15 +207,15 @@ static int hw_breakpoint_control(struct
+ switch (ops) {
+ case HW_BREAKPOINT_INSTALL:
+ /* Set the FWPnCFG/MWPnCFG 1~4 register. */
+- write_wb_reg(CSR_CFG_ADDR, i, 0, info->address);
+- write_wb_reg(CSR_CFG_ADDR, i, 1, info->address);
+- write_wb_reg(CSR_CFG_MASK, i, 0, info->mask);
+- write_wb_reg(CSR_CFG_MASK, i, 1, info->mask);
+- write_wb_reg(CSR_CFG_ASID, i, 0, 0);
+- write_wb_reg(CSR_CFG_ASID, i, 1, 0);
+ if (info->ctrl.type == LOONGARCH_BREAKPOINT_EXECUTE) {
++ write_wb_reg(CSR_CFG_ADDR, i, 0, info->address);
++ write_wb_reg(CSR_CFG_MASK, i, 0, info->mask);
++ write_wb_reg(CSR_CFG_ASID, i, 0, 0);
+ write_wb_reg(CSR_CFG_CTRL, i, 0, privilege);
+ } else {
++ write_wb_reg(CSR_CFG_ADDR, i, 1, info->address);
++ write_wb_reg(CSR_CFG_MASK, i, 1, info->mask);
++ write_wb_reg(CSR_CFG_ASID, i, 1, 0);
+ ctrl = encode_ctrl_reg(info->ctrl);
+ write_wb_reg(CSR_CFG_CTRL, i, 1, ctrl | privilege);
+ }
+@@ -226,14 +226,17 @@ static int hw_breakpoint_control(struct
+ break;
+ case HW_BREAKPOINT_UNINSTALL:
+ /* Reset the FWPnCFG/MWPnCFG 1~4 register. */
+- write_wb_reg(CSR_CFG_ADDR, i, 0, 0);
+- write_wb_reg(CSR_CFG_ADDR, i, 1, 0);
+- write_wb_reg(CSR_CFG_MASK, i, 0, 0);
+- write_wb_reg(CSR_CFG_MASK, i, 1, 0);
+- write_wb_reg(CSR_CFG_CTRL, i, 0, 0);
+- write_wb_reg(CSR_CFG_CTRL, i, 1, 0);
+- write_wb_reg(CSR_CFG_ASID, i, 0, 0);
+- write_wb_reg(CSR_CFG_ASID, i, 1, 0);
++ if (info->ctrl.type == LOONGARCH_BREAKPOINT_EXECUTE) {
++ write_wb_reg(CSR_CFG_ADDR, i, 0, 0);
++ write_wb_reg(CSR_CFG_MASK, i, 0, 0);
++ write_wb_reg(CSR_CFG_CTRL, i, 0, 0);
++ write_wb_reg(CSR_CFG_ASID, i, 0, 0);
++ } else {
++ write_wb_reg(CSR_CFG_ADDR, i, 1, 0);
++ write_wb_reg(CSR_CFG_MASK, i, 1, 0);
++ write_wb_reg(CSR_CFG_CTRL, i, 1, 0);
++ write_wb_reg(CSR_CFG_ASID, i, 1, 0);
++ }
+ if (bp->hw.target)
+ regs->csr_prmd &= ~CSR_PRMD_PWE;
+ break;
+@@ -476,12 +479,15 @@ void breakpoint_handler(struct pt_regs *
+ slots = this_cpu_ptr(bp_on_reg);
+
+ for (i = 0; i < boot_cpu_data.watch_ireg_count; ++i) {
+- bp = slots[i];
+- if (bp == NULL)
+- continue;
+- perf_bp_event(bp, regs);
++ if ((csr_read32(LOONGARCH_CSR_FWPS) & (0x1 << i))) {
++ bp = slots[i];
++ if (bp == NULL)
++ continue;
++ perf_bp_event(bp, regs);
++ csr_write32(0x1 << i, LOONGARCH_CSR_FWPS);
++ update_bp_registers(regs, 0, 0);
++ }
+ }
+- update_bp_registers(regs, 0, 0);
+ }
+ NOKPROBE_SYMBOL(breakpoint_handler);
+
+@@ -493,12 +499,15 @@ void watchpoint_handler(struct pt_regs *
+ slots = this_cpu_ptr(wp_on_reg);
+
+ for (i = 0; i < boot_cpu_data.watch_dreg_count; ++i) {
+- wp = slots[i];
+- if (wp == NULL)
+- continue;
+- perf_bp_event(wp, regs);
++ if ((csr_read32(LOONGARCH_CSR_MWPS) & (0x1 << i))) {
++ wp = slots[i];
++ if (wp == NULL)
++ continue;
++ perf_bp_event(wp, regs);
++ csr_write32(0x1 << i, LOONGARCH_CSR_MWPS);
++ update_bp_registers(regs, 0, 1);
++ }
+ }
+- update_bp_registers(regs, 0, 1);
+ }
+ NOKPROBE_SYMBOL(watchpoint_handler);
+
--- /dev/null
+From f63a47b34b140ed1ca39d7e4bd4f1cdc617fc316 Mon Sep 17 00:00:00 2001
+From: Hui Li <lihui@loongson.cn>
+Date: Fri, 21 Jun 2024 10:18:40 +0800
+Subject: LoongArch: Fix watchpoint setting error
+
+From: Hui Li <lihui@loongson.cn>
+
+commit f63a47b34b140ed1ca39d7e4bd4f1cdc617fc316 upstream.
+
+In the current code, when debugging the following code using gdb,
+"invalid argument ..." message will be displayed.
+
+lihui@bogon:~$ cat test.c
+ #include <stdio.h>
+ int a = 0;
+ int main()
+ {
+ a = 1;
+ return 0;
+ }
+lihui@bogon:~$ gcc -g test.c -o test
+lihui@bogon:~$ gdb test
+...
+(gdb) watch a
+Hardware watchpoint 1: a
+(gdb) r
+...
+Invalid argument setting hardware debug registers
+
+There are mainly two types of issues.
+
+1. Some incorrect judgment condition existed in user_watch_state
+ argument parsing, causing -EINVAL to be returned.
+
+When setting up a watchpoint, gdb uses the ptrace interface,
+ptrace(PTRACE_SETREGSET, tid, NT_LOONGARCH_HW_WATCH, (void *) &iov)).
+Register values in user_watch_state as follows:
+
+ addr[0] = 0x0, mask[0] = 0x0, ctrl[0] = 0x0
+ addr[1] = 0x0, mask[1] = 0x0, ctrl[1] = 0x0
+ addr[2] = 0x0, mask[2] = 0x0, ctrl[2] = 0x0
+ addr[3] = 0x0, mask[3] = 0x0, ctrl[3] = 0x0
+ addr[4] = 0x0, mask[4] = 0x0, ctrl[4] = 0x0
+ addr[5] = 0x0, mask[5] = 0x0, ctrl[5] = 0x0
+ addr[6] = 0x0, mask[6] = 0x0, ctrl[6] = 0x0
+ addr[7] = 0x12000803c, mask[7] = 0x0, ctrl[7] = 0x610
+
+In arch_bp_generic_fields(), return -EINVAL when ctrl.len is
+LOONGARCH_BREAKPOINT_LEN_8(0b00). So delete the incorrect judgment here.
+
+In ptrace_hbp_fill_attr_ctrl(), when note_type is NT_LOONGARCH_HW_WATCH
+and ctrl[0] == 0x0, if ((type & HW_BREAKPOINT_RW) != type) will return
+-EINVAL. Here ctrl.type should be set based on note_type, and unnecessary
+judgments can be removed.
+
+2. The watchpoint argument was not set correctly due to unnecessary
+ offset and alignment_mask.
+
+Modify ptrace_hbp_fill_attr_ctrl() and hw_breakpoint_arch_parse(), which
+ensure the watchpont argument is set correctly.
+
+All changes according to the LoongArch Reference Manual:
+https://loongson.github.io/LoongArch-Documentation/LoongArch-Vol1-EN.html#control-and-status-registers-related-to-watchpoints
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hui Li <lihui@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/include/asm/hw_breakpoint.h | 2 -
+ arch/loongarch/kernel/hw_breakpoint.c | 19 ++++-------------
+ arch/loongarch/kernel/ptrace.c | 32 +++++++++++++----------------
+ 3 files changed, 21 insertions(+), 32 deletions(-)
+
+--- a/arch/loongarch/include/asm/hw_breakpoint.h
++++ b/arch/loongarch/include/asm/hw_breakpoint.h
+@@ -101,7 +101,7 @@ struct perf_event;
+ struct perf_event_attr;
+
+ extern int arch_bp_generic_fields(struct arch_hw_breakpoint_ctrl ctrl,
+- int *gen_len, int *gen_type, int *offset);
++ int *gen_len, int *gen_type);
+ extern int arch_check_bp_in_kernelspace(struct arch_hw_breakpoint *hw);
+ extern int hw_breakpoint_arch_parse(struct perf_event *bp,
+ const struct perf_event_attr *attr,
+--- a/arch/loongarch/kernel/hw_breakpoint.c
++++ b/arch/loongarch/kernel/hw_breakpoint.c
+@@ -283,7 +283,7 @@ int arch_check_bp_in_kernelspace(struct
+ * to generic breakpoint descriptions.
+ */
+ int arch_bp_generic_fields(struct arch_hw_breakpoint_ctrl ctrl,
+- int *gen_len, int *gen_type, int *offset)
++ int *gen_len, int *gen_type)
+ {
+ /* Type */
+ switch (ctrl.type) {
+@@ -303,11 +303,6 @@ int arch_bp_generic_fields(struct arch_h
+ return -EINVAL;
+ }
+
+- if (!ctrl.len)
+- return -EINVAL;
+-
+- *offset = __ffs(ctrl.len);
+-
+ /* Len */
+ switch (ctrl.len) {
+ case LOONGARCH_BREAKPOINT_LEN_1:
+@@ -386,21 +381,17 @@ int hw_breakpoint_arch_parse(struct perf
+ struct arch_hw_breakpoint *hw)
+ {
+ int ret;
+- u64 alignment_mask, offset;
++ u64 alignment_mask;
+
+ /* Build the arch_hw_breakpoint. */
+ ret = arch_build_bp_info(bp, attr, hw);
+ if (ret)
+ return ret;
+
+- if (hw->ctrl.type != LOONGARCH_BREAKPOINT_EXECUTE)
+- alignment_mask = 0x7;
+- else
++ if (hw->ctrl.type == LOONGARCH_BREAKPOINT_EXECUTE) {
+ alignment_mask = 0x3;
+- offset = hw->address & alignment_mask;
+-
+- hw->address &= ~alignment_mask;
+- hw->ctrl.len <<= offset;
++ hw->address &= ~alignment_mask;
++ }
+
+ return 0;
+ }
+--- a/arch/loongarch/kernel/ptrace.c
++++ b/arch/loongarch/kernel/ptrace.c
+@@ -494,28 +494,14 @@ static int ptrace_hbp_fill_attr_ctrl(uns
+ struct arch_hw_breakpoint_ctrl ctrl,
+ struct perf_event_attr *attr)
+ {
+- int err, len, type, offset;
++ int err, len, type;
+
+- err = arch_bp_generic_fields(ctrl, &len, &type, &offset);
++ err = arch_bp_generic_fields(ctrl, &len, &type);
+ if (err)
+ return err;
+
+- switch (note_type) {
+- case NT_LOONGARCH_HW_BREAK:
+- if ((type & HW_BREAKPOINT_X) != type)
+- return -EINVAL;
+- break;
+- case NT_LOONGARCH_HW_WATCH:
+- if ((type & HW_BREAKPOINT_RW) != type)
+- return -EINVAL;
+- break;
+- default:
+- return -EINVAL;
+- }
+-
+ attr->bp_len = len;
+ attr->bp_type = type;
+- attr->bp_addr += offset;
+
+ return 0;
+ }
+@@ -609,7 +595,19 @@ static int ptrace_hbp_set_ctrl(unsigned
+ return PTR_ERR(bp);
+
+ attr = bp->attr;
+- decode_ctrl_reg(uctrl, &ctrl);
++
++ switch (note_type) {
++ case NT_LOONGARCH_HW_BREAK:
++ ctrl.type = LOONGARCH_BREAKPOINT_EXECUTE;
++ ctrl.len = LOONGARCH_BREAKPOINT_LEN_4;
++ break;
++ case NT_LOONGARCH_HW_WATCH:
++ decode_ctrl_reg(uctrl, &ctrl);
++ break;
++ default:
++ return -EINVAL;
++ }
++
+ err = ptrace_hbp_fill_attr_ctrl(note_type, ctrl, &attr);
+ if (err)
+ return err;
--- /dev/null
+From c8e57ab0995c5b443d3c81c8a36b588776dcd0c3 Mon Sep 17 00:00:00 2001
+From: Hui Li <lihui@loongson.cn>
+Date: Fri, 21 Jun 2024 10:18:40 +0800
+Subject: LoongArch: Trigger user-space watchpoints correctly
+
+From: Hui Li <lihui@loongson.cn>
+
+commit c8e57ab0995c5b443d3c81c8a36b588776dcd0c3 upstream.
+
+In the current code, gdb can set the watchpoint successfully through
+ptrace interface, but watchpoint will not be triggered.
+
+When debugging the following code using gdb.
+
+lihui@bogon:~$ cat test.c
+ #include <stdio.h>
+ int a = 0;
+ int main()
+ {
+ a = 1;
+ printf("a = %d\n", a);
+ return 0;
+ }
+lihui@bogon:~$ gcc -g test.c -o test
+lihui@bogon:~$ gdb test
+...
+(gdb) watch a
+...
+(gdb) r
+...
+a = 1
+[Inferior 1 (process 4650) exited normally]
+
+No watchpoints were triggered, the root causes are:
+
+1. Kernel uses perf_event and hw_breakpoint framework to control
+ watchpoint, but the perf_event corresponding to watchpoint is
+ not enabled. So it needs to be enabled according to MWPnCFG3
+ or FWPnCFG3 PLV bit field in ptrace_hbp_set_ctrl(), and privilege
+ is set according to the monitored addr in hw_breakpoint_control().
+ Furthermore, add a judgment in ptrace_hbp_set_addr() to ensure
+ kernel-space addr cannot be monitored in user mode.
+
+2. The global enable control for all watchpoints is the WE bit of
+ CSR.CRMD, and hardware sets the value to 0 when an exception is
+ triggered. When the ERTN instruction is executed to return, the
+ hardware restores the value of the PWE field of CSR.PRMD here.
+ So, before a thread containing watchpoints be scheduled, the PWE
+ field of CSR.PRMD needs to be set to 1. Add this modification in
+ hw_breakpoint_control().
+
+All changes according to the LoongArch Reference Manual:
+https://loongson.github.io/LoongArch-Documentation/LoongArch-Vol1-EN.html#control-and-status-registers-related-to-watchpoints
+https://loongson.github.io/LoongArch-Documentation/LoongArch-Vol1-EN.html#basic-control-and-status-registers
+
+With this patch:
+
+lihui@bogon:~$ gdb test
+...
+(gdb) watch a
+Hardware watchpoint 1: a
+(gdb) r
+...
+Hardware watchpoint 1: a
+
+Old value = 0
+New value = 1
+main () at test.c:6
+6 printf("a = %d\n", a);
+(gdb) c
+Continuing.
+a = 1
+[Inferior 1 (process 775) exited normally]
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hui Li <lihui@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/include/asm/hw_breakpoint.h | 2 ++
+ arch/loongarch/kernel/hw_breakpoint.c | 20 +++++++++++++++++---
+ arch/loongarch/kernel/ptrace.c | 15 ++++++++++++---
+ 3 files changed, 31 insertions(+), 6 deletions(-)
+
+--- a/arch/loongarch/include/asm/hw_breakpoint.h
++++ b/arch/loongarch/include/asm/hw_breakpoint.h
+@@ -75,6 +75,8 @@ do { \
+ #define CSR_MWPC_NUM 0x3f
+
+ #define CTRL_PLV_ENABLE 0x1e
++#define CTRL_PLV0_ENABLE 0x02
++#define CTRL_PLV3_ENABLE 0x10
+
+ #define MWPnCFG3_LoadEn 8
+ #define MWPnCFG3_StoreEn 9
+--- a/arch/loongarch/kernel/hw_breakpoint.c
++++ b/arch/loongarch/kernel/hw_breakpoint.c
+@@ -174,11 +174,21 @@ void flush_ptrace_hw_breakpoint(struct t
+ static int hw_breakpoint_control(struct perf_event *bp,
+ enum hw_breakpoint_ops ops)
+ {
+- u32 ctrl;
++ u32 ctrl, privilege;
+ int i, max_slots, enable;
++ struct pt_regs *regs;
+ struct perf_event **slots;
+ struct arch_hw_breakpoint *info = counter_arch_bp(bp);
+
++ if (arch_check_bp_in_kernelspace(info))
++ privilege = CTRL_PLV0_ENABLE;
++ else
++ privilege = CTRL_PLV3_ENABLE;
++
++ /* Whether bp belongs to a task. */
++ if (bp->hw.target)
++ regs = task_pt_regs(bp->hw.target);
++
+ if (info->ctrl.type == LOONGARCH_BREAKPOINT_EXECUTE) {
+ /* Breakpoint */
+ slots = this_cpu_ptr(bp_on_reg);
+@@ -204,13 +214,15 @@ static int hw_breakpoint_control(struct
+ write_wb_reg(CSR_CFG_ASID, i, 0, 0);
+ write_wb_reg(CSR_CFG_ASID, i, 1, 0);
+ if (info->ctrl.type == LOONGARCH_BREAKPOINT_EXECUTE) {
+- write_wb_reg(CSR_CFG_CTRL, i, 0, CTRL_PLV_ENABLE);
++ write_wb_reg(CSR_CFG_CTRL, i, 0, privilege);
+ } else {
+ ctrl = encode_ctrl_reg(info->ctrl);
+- write_wb_reg(CSR_CFG_CTRL, i, 1, ctrl | CTRL_PLV_ENABLE);
++ write_wb_reg(CSR_CFG_CTRL, i, 1, ctrl | privilege);
+ }
+ enable = csr_read64(LOONGARCH_CSR_CRMD);
+ csr_write64(CSR_CRMD_WE | enable, LOONGARCH_CSR_CRMD);
++ if (bp->hw.target)
++ regs->csr_prmd |= CSR_PRMD_PWE;
+ break;
+ case HW_BREAKPOINT_UNINSTALL:
+ /* Reset the FWPnCFG/MWPnCFG 1~4 register. */
+@@ -222,6 +234,8 @@ static int hw_breakpoint_control(struct
+ write_wb_reg(CSR_CFG_CTRL, i, 1, 0);
+ write_wb_reg(CSR_CFG_ASID, i, 0, 0);
+ write_wb_reg(CSR_CFG_ASID, i, 1, 0);
++ if (bp->hw.target)
++ regs->csr_prmd &= ~CSR_PRMD_PWE;
+ break;
+ }
+
+--- a/arch/loongarch/kernel/ptrace.c
++++ b/arch/loongarch/kernel/ptrace.c
+@@ -608,9 +608,14 @@ static int ptrace_hbp_set_ctrl(unsigned
+ return -EINVAL;
+ }
+
+- err = ptrace_hbp_fill_attr_ctrl(note_type, ctrl, &attr);
+- if (err)
+- return err;
++ if (uctrl & CTRL_PLV_ENABLE) {
++ err = ptrace_hbp_fill_attr_ctrl(note_type, ctrl, &attr);
++ if (err)
++ return err;
++ attr.disabled = 0;
++ } else {
++ attr.disabled = 1;
++ }
+
+ return modify_user_hw_breakpoint(bp, &attr);
+ }
+@@ -641,6 +646,10 @@ static int ptrace_hbp_set_addr(unsigned
+ struct perf_event *bp;
+ struct perf_event_attr attr;
+
++ /* Kernel-space address cannot be monitored by user-space */
++ if ((unsigned long)addr >= XKPRANGE)
++ return -EINVAL;
++
+ bp = ptrace_hbp_get_initialised_bp(note_type, tsk, idx);
+ if (IS_ERR(bp))
+ return PTR_ERR(bp);
--- /dev/null
+From 6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2 Mon Sep 17 00:00:00 2001
+From: Ignat Korchagin <ignat@cloudflare.com>
+Date: Mon, 17 Jun 2024 22:02:05 +0100
+Subject: net: do not leave a dangling sk pointer, when socket creation fails
+
+From: Ignat Korchagin <ignat@cloudflare.com>
+
+commit 6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2 upstream.
+
+It is possible to trigger a use-after-free by:
+ * attaching an fentry probe to __sock_release() and the probe calling the
+ bpf_get_socket_cookie() helper
+ * running traceroute -I 1.1.1.1 on a freshly booted VM
+
+A KASAN enabled kernel will log something like below (decoded and stripped):
+==================================================================
+BUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
+Read of size 8 at addr ffff888007110dd8 by task traceroute/299
+
+CPU: 2 PID: 299 Comm: traceroute Tainted: G E 6.10.0-rc2+ #2
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
+Call Trace:
+ <TASK>
+dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))
+print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)
+? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
+kasan_report (mm/kasan/report.c:603)
+? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
+kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)
+__sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)
+bpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092)
+bpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e
+bpf_trampoline_6442506592+0x47/0xaf
+__sock_release (net/socket.c:652)
+__sock_create (net/socket.c:1601)
+...
+Allocated by task 299 on cpu 2 at 78.328492s:
+kasan_save_stack (mm/kasan/common.c:48)
+kasan_save_track (mm/kasan/common.c:68)
+__kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338)
+kmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007)
+sk_prot_alloc (net/core/sock.c:2075)
+sk_alloc (net/core/sock.c:2134)
+inet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252)
+__sock_create (net/socket.c:1572)
+__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)
+__x64_sys_socket (net/socket.c:1718)
+do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
+entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+
+Freed by task 299 on cpu 2 at 78.328502s:
+kasan_save_stack (mm/kasan/common.c:48)
+kasan_save_track (mm/kasan/common.c:68)
+kasan_save_free_info (mm/kasan/generic.c:582)
+poison_slab_object (mm/kasan/common.c:242)
+__kasan_slab_free (mm/kasan/common.c:256)
+kmem_cache_free (mm/slub.c:4437 mm/slub.c:4511)
+__sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208)
+inet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252)
+__sock_create (net/socket.c:1572)
+__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)
+__x64_sys_socket (net/socket.c:1718)
+do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
+entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+
+Fix this by clearing the struct socket reference in sk_common_release() to cover
+all protocol families create functions, which may already attached the
+reference to the sk object with sock_init_data().
+
+Fixes: c5dbb89fc2ac ("bpf: Expose bpf_get_socket_cookie to tracing programs")
+Suggested-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/netdev/20240613194047.36478-1-kuniyu@amazon.com/T/
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: D. Wythe <alibuda@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20240617210205.67311-1-ignat@cloudflare.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -3743,6 +3743,9 @@ void sk_common_release(struct sock *sk)
+
+ sk->sk_prot->unhash(sk);
+
++ if (sk->sk_socket)
++ sk->sk_socket->sk = NULL;
++
+ /*
+ * In this point socket cannot receive new packets, but it is possible
+ * that some packets are in flight because some CPU runs receiver and
--- /dev/null
+From 40a64cc9679540ff7c46ecc51178b07d42abbb1c Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+Date: Fri, 14 Jun 2024 11:45:16 +0200
+Subject: net: phy: dp83tg720: get master/slave configuration in link down state
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+commit 40a64cc9679540ff7c46ecc51178b07d42abbb1c upstream.
+
+Get master/slave configuration for initial system start with the link in
+down state. This ensures ethtool shows current configuration. Also
+fixes link reconfiguration with ethtool while in down state, preventing
+ethtool from displaying outdated configuration.
+
+Even though dp83tg720_config_init() is executed periodically as long as
+the link is in admin up state but no carrier is detected, this is not
+sufficient for the link in admin down state where
+dp83tg720_read_status() is not periodically executed. To cover this
+case, we need an extra read role configuration in
+dp83tg720_config_aneg().
+
+Fixes: cb80ee2f9bee1 ("net: phy: Add support for the DP83TG720S Ethernet PHY")
+Cc: stable@vger.kernel.org
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://lore.kernel.org/r/20240614094516.1481231-2-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/dp83tg720.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/phy/dp83tg720.c b/drivers/net/phy/dp83tg720.c
+index 1186dfc70fb3..c706429b225a 100644
+--- a/drivers/net/phy/dp83tg720.c
++++ b/drivers/net/phy/dp83tg720.c
+@@ -36,11 +36,20 @@
+
+ static int dp83tg720_config_aneg(struct phy_device *phydev)
+ {
++ int ret;
++
+ /* Autoneg is not supported and this PHY supports only one speed.
+ * We need to care only about master/slave configuration if it was
+ * changed by user.
+ */
+- return genphy_c45_pma_baset1_setup_master_slave(phydev);
++ ret = genphy_c45_pma_baset1_setup_master_slave(phydev);
++ if (ret)
++ return ret;
++
++ /* Re-read role configuration to make changes visible even if
++ * the link is in administrative down state.
++ */
++ return genphy_c45_pma_baset1_read_master_slave(phydev);
+ }
+
+ static int dp83tg720_read_status(struct phy_device *phydev)
+@@ -69,6 +78,8 @@ static int dp83tg720_read_status(struct phy_device *phydev)
+ return ret;
+
+ /* After HW reset we need to restore master/slave configuration.
++ * genphy_c45_pma_baset1_read_master_slave() call will be done
++ * by the dp83tg720_config_aneg() function.
+ */
+ ret = dp83tg720_config_aneg(phydev);
+ if (ret)
+@@ -168,8 +179,15 @@ static int dp83tg720_config_init(struct phy_device *phydev)
+ /* In case the PHY is bootstrapped in managed mode, we need to
+ * wake it.
+ */
+- return phy_write_mmd(phydev, MDIO_MMD_VEND2, DP83TG720S_LPS_CFG3,
+- DP83TG720S_LPS_CFG3_PWR_MODE_0);
++ ret = phy_write_mmd(phydev, MDIO_MMD_VEND2, DP83TG720S_LPS_CFG3,
++ DP83TG720S_LPS_CFG3_PWR_MODE_0);
++ if (ret)
++ return ret;
++
++ /* Make role configuration visible for ethtool on init and after
++ * rest.
++ */
++ return genphy_c45_pma_baset1_read_master_slave(phydev);
+ }
+
+ static struct phy_driver dp83tg720_driver[] = {
+--
+2.45.2
+
--- /dev/null
+From cd6f12e173df44a20c2ac2ac110007dc14968088 Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+Date: Fri, 14 Jun 2024 11:45:15 +0200
+Subject: net: phy: dp83tg720: wake up PHYs in managed mode
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+commit cd6f12e173df44a20c2ac2ac110007dc14968088 upstream.
+
+In case this PHY is bootstrapped for managed mode, we need to manually
+wake it. Otherwise no link will be detected.
+
+Cc: stable@vger.kernel.org
+Fixes: cb80ee2f9bee1 ("net: phy: Add support for the DP83TG720S Ethernet PHY")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://lore.kernel.org/r/20240614094516.1481231-1-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/dp83tg720.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/phy/dp83tg720.c b/drivers/net/phy/dp83tg720.c
+index 326c9770a6dc..1186dfc70fb3 100644
+--- a/drivers/net/phy/dp83tg720.c
++++ b/drivers/net/phy/dp83tg720.c
+@@ -17,6 +17,11 @@
+ #define DP83TG720S_PHY_RESET 0x1f
+ #define DP83TG720S_HW_RESET BIT(15)
+
++#define DP83TG720S_LPS_CFG3 0x18c
++/* Power modes are documented as bit fields but used as values */
++/* Power Mode 0 is Normal mode */
++#define DP83TG720S_LPS_CFG3_PWR_MODE_0 BIT(0)
++
+ #define DP83TG720S_RGMII_DELAY_CTRL 0x602
+ /* In RGMII mode, Enable or disable the internal delay for RXD */
+ #define DP83TG720S_RGMII_RX_CLK_SEL BIT(1)
+@@ -154,10 +159,17 @@ static int dp83tg720_config_init(struct phy_device *phydev)
+ */
+ usleep_range(1000, 2000);
+
+- if (phy_interface_is_rgmii(phydev))
+- return dp83tg720_config_rgmii_delay(phydev);
++ if (phy_interface_is_rgmii(phydev)) {
++ ret = dp83tg720_config_rgmii_delay(phydev);
++ if (ret)
++ return ret;
++ }
+
+- return 0;
++ /* In case the PHY is bootstrapped in managed mode, we need to
++ * wake it.
++ */
++ return phy_write_mmd(phydev, MDIO_MMD_VEND2, DP83TG720S_LPS_CFG3,
++ DP83TG720S_LPS_CFG3_PWR_MODE_0);
+ }
+
+ static struct phy_driver dp83tg720_driver[] = {
+--
+2.45.2
+
--- /dev/null
+From 8851346912a1fa33e7a5966fe51f07313b274627 Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+Date: Tue, 18 Jun 2024 09:38:21 +0200
+Subject: net: stmmac: Assign configured channel value to EXTTS event
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+commit 8851346912a1fa33e7a5966fe51f07313b274627 upstream.
+
+Assign the configured channel value to the EXTTS event in the timestamp
+interrupt handler. Without assigning the correct channel, applications
+like ts2phc will refuse to accept the event, resulting in errors such
+as:
+...
+ts2phc[656.834]: config item end1.ts2phc.pin_index is 0
+ts2phc[656.834]: config item end1.ts2phc.channel is 3
+ts2phc[656.834]: config item end1.ts2phc.extts_polarity is 2
+ts2phc[656.834]: config item end1.ts2phc.extts_correction is 0
+...
+ts2phc[656.862]: extts on unexpected channel
+ts2phc[658.141]: extts on unexpected channel
+ts2phc[659.140]: extts on unexpected channel
+
+Fixes: f4da56529da60 ("net: stmmac: Add support for external trigger timestamping")
+Cc: stable@vger.kernel.org
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
+Link: https://lore.kernel.org/r/20240618073821.619751-1-o.rempel@pengutronix.de
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c
+@@ -218,6 +218,7 @@ static void timestamp_interrupt(struct s
+ {
+ u32 num_snapshot, ts_status, tsync_int;
+ struct ptp_clock_event event;
++ u32 acr_value, channel;
+ unsigned long flags;
+ u64 ptp_time;
+ int i;
+@@ -243,12 +244,15 @@ static void timestamp_interrupt(struct s
+ num_snapshot = (ts_status & GMAC_TIMESTAMP_ATSNS_MASK) >>
+ GMAC_TIMESTAMP_ATSNS_SHIFT;
+
++ acr_value = readl(priv->ptpaddr + PTP_ACR);
++ channel = ilog2(FIELD_GET(PTP_ACR_MASK, acr_value));
++
+ for (i = 0; i < num_snapshot; i++) {
+ read_lock_irqsave(&priv->ptp_lock, flags);
+ get_ptptime(priv->ptpaddr, &ptp_time);
+ read_unlock_irqrestore(&priv->ptp_lock, flags);
+ event.type = PTP_CLOCK_EXTTS;
+- event.index = 0;
++ event.index = channel;
+ event.timestamp = ptp_time;
+ ptp_clock_event(priv->ptp_clock, &event);
+ }
--- /dev/null
+From f9ae848904289ddb16c7c9e4553ed4c64300de49 Mon Sep 17 00:00:00 2001
+From: Dmitry Safonov <0x7f454c46@gmail.com>
+Date: Wed, 19 Jun 2024 01:29:04 +0100
+Subject: net/tcp_ao: Don't leak ao_info on error-path
+
+From: Dmitry Safonov <0x7f454c46@gmail.com>
+
+commit f9ae848904289ddb16c7c9e4553ed4c64300de49 upstream.
+
+It seems I introduced it together with TCP_AO_CMDF_AO_REQUIRED, on
+version 5 [1] of TCP-AO patches. Quite frustrative that having all these
+selftests that I've written, running kmemtest & kcov was always in todo.
+
+[1]: https://lore.kernel.org/netdev/20230215183335.800122-5-dima@arista.com/
+
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Closes: https://lore.kernel.org/netdev/20240617072451.1403e1d2@kernel.org/
+Fixes: 0aadc73995d0 ("net/tcp: Prevent TCP-MD5 with TCP-AO being set")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Safonov <0x7f454c46@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20240619-tcp-ao-required-leak-v1-1-6408f3c94247@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_ao.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c
+index 37c42b63ff99..09c0fa6756b7 100644
+--- a/net/ipv4/tcp_ao.c
++++ b/net/ipv4/tcp_ao.c
+@@ -1968,8 +1968,10 @@ static int tcp_ao_info_cmd(struct sock *sk, unsigned short int family,
+ first = true;
+ }
+
+- if (cmd.ao_required && tcp_ao_required_verify(sk))
+- return -EKEYREJECTED;
++ if (cmd.ao_required && tcp_ao_required_verify(sk)) {
++ err = -EKEYREJECTED;
++ goto out;
++ }
+
+ /* For sockets in TCP_CLOSED it's possible set keys that aren't
+ * matching the future peer (address/port/VRF/etc),
+--
+2.45.2
+
--- /dev/null
+From 7be4cb7189f747b4e5b6977d0e4387bde3204e62 Mon Sep 17 00:00:00 2001
+From: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
+Date: Mon, 17 Jun 2024 12:28:21 +0200
+Subject: net: usb: ax88179_178a: improve reset check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
+
+commit 7be4cb7189f747b4e5b6977d0e4387bde3204e62 upstream.
+
+After ecf848eb934b ("net: usb: ax88179_178a: fix link status when link is
+set to down/up") to not reset from usbnet_open after the reset from
+usbnet_probe at initialization stage to speed up this, some issues have
+been reported.
+
+It seems to happen that if the initialization is slower, and some time
+passes between the probe operation and the open operation, the second reset
+from open is necessary too to have the device working. The reason is that
+if there is no activity with the phy, this is "disconnected".
+
+In order to improve this, the solution is to detect when the phy is
+"disconnected", and we can use the phy status register for this. So we will
+only reset the device from reset operation in this situation, that is, only
+if necessary.
+
+The same bahavior is happening when the device is stopped (link set to
+down) and later is restarted (link set to up), so if the phy keeps working
+we only need to enable the mac again, but if enough time passes between the
+device stop and restart, reset is necessary, and we can detect the
+situation checking the phy status register too.
+
+cc: stable@vger.kernel.org # 6.6+
+Fixes: ecf848eb934b ("net: usb: ax88179_178a: fix link status when link is set to down/up")
+Reported-by: Yongqin Liu <yongqin.liu@linaro.org>
+Reported-by: Antje Miederhöfer <a.miederhoefer@gmx.de>
+Reported-by: Arne Fitzenreiter <arne_f@ipfire.org>
+Tested-by: Yongqin Liu <yongqin.liu@linaro.org>
+Tested-by: Antje Miederhöfer <a.miederhoefer@gmx.de>
+Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/ax88179_178a.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/usb/ax88179_178a.c
++++ b/drivers/net/usb/ax88179_178a.c
+@@ -174,7 +174,6 @@ struct ax88179_data {
+ u32 wol_supported;
+ u32 wolopts;
+ u8 disconnecting;
+- u8 initialized;
+ };
+
+ struct ax88179_int_data {
+@@ -1676,12 +1675,21 @@ static int ax88179_reset(struct usbnet *
+
+ static int ax88179_net_reset(struct usbnet *dev)
+ {
+- struct ax88179_data *ax179_data = dev->driver_priv;
++ u16 tmp16;
+
+- if (ax179_data->initialized)
++ ax88179_read_cmd(dev, AX_ACCESS_PHY, AX88179_PHY_ID, GMII_PHY_PHYSR,
++ 2, &tmp16);
++ if (tmp16) {
++ ax88179_read_cmd(dev, AX_ACCESS_MAC, AX_MEDIUM_STATUS_MODE,
++ 2, 2, &tmp16);
++ if (!(tmp16 & AX_MEDIUM_RECEIVE_EN)) {
++ tmp16 |= AX_MEDIUM_RECEIVE_EN;
++ ax88179_write_cmd(dev, AX_ACCESS_MAC, AX_MEDIUM_STATUS_MODE,
++ 2, 2, &tmp16);
++ }
++ } else {
+ ax88179_reset(dev);
+- else
+- ax179_data->initialized = 1;
++ }
+
+ return 0;
+ }
--- /dev/null
+From 685d03c3795378fca6a1b3d43581f7f1a3fc095f Mon Sep 17 00:00:00 2001
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+Date: Thu, 30 May 2024 19:06:30 +0800
+Subject: ocfs2: fix NULL pointer dereference in ocfs2_abort_trigger()
+
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+
+commit 685d03c3795378fca6a1b3d43581f7f1a3fc095f upstream.
+
+bdev->bd_super has been removed and commit 8887b94d9322 change the usage
+from bdev->bd_super to b_assoc_map->host->i_sb. Since ocfs2 hasn't set
+bh->b_assoc_map, it will trigger NULL pointer dereference when calling
+into ocfs2_abort_trigger().
+
+Actually this was pointed out in history, see commit 74e364ad1b13. But
+I've made a mistake when reviewing commit 8887b94d9322 and then
+re-introduce this regression.
+
+Since we cannot revive bdev in buffer head, so fix this issue by
+initializing all types of ocfs2 triggers when fill super, and then get the
+specific ocfs2 trigger from ocfs2_caching_info when access journal.
+
+[joseph.qi@linux.alibaba.com: v2]
+ Link: https://lkml.kernel.org/r/20240602112045.1112708-1-joseph.qi@linux.alibaba.com
+Link: https://lkml.kernel.org/r/20240530110630.3933832-2-joseph.qi@linux.alibaba.com
+Fixes: 8887b94d9322 ("ocfs2: stop using bdev->bd_super for journal error logging")
+Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Reviewed-by: Heming Zhao <heming.zhao@suse.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org> [6.6+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/journal.c | 190 +++++++++++++++++++++++++++++------------------------
+ fs/ocfs2/ocfs2.h | 27 +++++++
+ fs/ocfs2/super.c | 4 -
+ 3 files changed, 135 insertions(+), 86 deletions(-)
+
+--- a/fs/ocfs2/journal.c
++++ b/fs/ocfs2/journal.c
+@@ -479,12 +479,6 @@ bail:
+ return status;
+ }
+
+-
+-struct ocfs2_triggers {
+- struct jbd2_buffer_trigger_type ot_triggers;
+- int ot_offset;
+-};
+-
+ static inline struct ocfs2_triggers *to_ocfs2_trigger(struct jbd2_buffer_trigger_type *triggers)
+ {
+ return container_of(triggers, struct ocfs2_triggers, ot_triggers);
+@@ -548,85 +542,76 @@ static void ocfs2_db_frozen_trigger(stru
+ static void ocfs2_abort_trigger(struct jbd2_buffer_trigger_type *triggers,
+ struct buffer_head *bh)
+ {
++ struct ocfs2_triggers *ot = to_ocfs2_trigger(triggers);
++
+ mlog(ML_ERROR,
+ "ocfs2_abort_trigger called by JBD2. bh = 0x%lx, "
+ "bh->b_blocknr = %llu\n",
+ (unsigned long)bh,
+ (unsigned long long)bh->b_blocknr);
+
+- ocfs2_error(bh->b_assoc_map->host->i_sb,
++ ocfs2_error(ot->sb,
+ "JBD2 has aborted our journal, ocfs2 cannot continue\n");
+ }
+
+-static struct ocfs2_triggers di_triggers = {
+- .ot_triggers = {
+- .t_frozen = ocfs2_frozen_trigger,
+- .t_abort = ocfs2_abort_trigger,
+- },
+- .ot_offset = offsetof(struct ocfs2_dinode, i_check),
+-};
+-
+-static struct ocfs2_triggers eb_triggers = {
+- .ot_triggers = {
+- .t_frozen = ocfs2_frozen_trigger,
+- .t_abort = ocfs2_abort_trigger,
+- },
+- .ot_offset = offsetof(struct ocfs2_extent_block, h_check),
+-};
+-
+-static struct ocfs2_triggers rb_triggers = {
+- .ot_triggers = {
+- .t_frozen = ocfs2_frozen_trigger,
+- .t_abort = ocfs2_abort_trigger,
+- },
+- .ot_offset = offsetof(struct ocfs2_refcount_block, rf_check),
+-};
+-
+-static struct ocfs2_triggers gd_triggers = {
+- .ot_triggers = {
+- .t_frozen = ocfs2_frozen_trigger,
+- .t_abort = ocfs2_abort_trigger,
+- },
+- .ot_offset = offsetof(struct ocfs2_group_desc, bg_check),
+-};
+-
+-static struct ocfs2_triggers db_triggers = {
+- .ot_triggers = {
+- .t_frozen = ocfs2_db_frozen_trigger,
+- .t_abort = ocfs2_abort_trigger,
+- },
+-};
+-
+-static struct ocfs2_triggers xb_triggers = {
+- .ot_triggers = {
+- .t_frozen = ocfs2_frozen_trigger,
+- .t_abort = ocfs2_abort_trigger,
+- },
+- .ot_offset = offsetof(struct ocfs2_xattr_block, xb_check),
+-};
+-
+-static struct ocfs2_triggers dq_triggers = {
+- .ot_triggers = {
+- .t_frozen = ocfs2_dq_frozen_trigger,
+- .t_abort = ocfs2_abort_trigger,
+- },
+-};
+-
+-static struct ocfs2_triggers dr_triggers = {
+- .ot_triggers = {
+- .t_frozen = ocfs2_frozen_trigger,
+- .t_abort = ocfs2_abort_trigger,
+- },
+- .ot_offset = offsetof(struct ocfs2_dx_root_block, dr_check),
+-};
+-
+-static struct ocfs2_triggers dl_triggers = {
+- .ot_triggers = {
+- .t_frozen = ocfs2_frozen_trigger,
+- .t_abort = ocfs2_abort_trigger,
+- },
+- .ot_offset = offsetof(struct ocfs2_dx_leaf, dl_check),
+-};
++static void ocfs2_setup_csum_triggers(struct super_block *sb,
++ enum ocfs2_journal_trigger_type type,
++ struct ocfs2_triggers *ot)
++{
++ BUG_ON(type >= OCFS2_JOURNAL_TRIGGER_COUNT);
++
++ switch (type) {
++ case OCFS2_JTR_DI:
++ ot->ot_triggers.t_frozen = ocfs2_frozen_trigger;
++ ot->ot_offset = offsetof(struct ocfs2_dinode, i_check);
++ break;
++ case OCFS2_JTR_EB:
++ ot->ot_triggers.t_frozen = ocfs2_frozen_trigger;
++ ot->ot_offset = offsetof(struct ocfs2_extent_block, h_check);
++ break;
++ case OCFS2_JTR_RB:
++ ot->ot_triggers.t_frozen = ocfs2_frozen_trigger;
++ ot->ot_offset = offsetof(struct ocfs2_refcount_block, rf_check);
++ break;
++ case OCFS2_JTR_GD:
++ ot->ot_triggers.t_frozen = ocfs2_frozen_trigger;
++ ot->ot_offset = offsetof(struct ocfs2_group_desc, bg_check);
++ break;
++ case OCFS2_JTR_DB:
++ ot->ot_triggers.t_frozen = ocfs2_db_frozen_trigger;
++ break;
++ case OCFS2_JTR_XB:
++ ot->ot_triggers.t_frozen = ocfs2_frozen_trigger;
++ ot->ot_offset = offsetof(struct ocfs2_xattr_block, xb_check);
++ break;
++ case OCFS2_JTR_DQ:
++ ot->ot_triggers.t_frozen = ocfs2_dq_frozen_trigger;
++ break;
++ case OCFS2_JTR_DR:
++ ot->ot_triggers.t_frozen = ocfs2_frozen_trigger;
++ ot->ot_offset = offsetof(struct ocfs2_dx_root_block, dr_check);
++ break;
++ case OCFS2_JTR_DL:
++ ot->ot_triggers.t_frozen = ocfs2_frozen_trigger;
++ ot->ot_offset = offsetof(struct ocfs2_dx_leaf, dl_check);
++ break;
++ case OCFS2_JTR_NONE:
++ /* To make compiler happy... */
++ return;
++ }
++
++ ot->ot_triggers.t_abort = ocfs2_abort_trigger;
++ ot->sb = sb;
++}
++
++void ocfs2_initialize_journal_triggers(struct super_block *sb,
++ struct ocfs2_triggers triggers[])
++{
++ enum ocfs2_journal_trigger_type type;
++
++ for (type = OCFS2_JTR_DI; type < OCFS2_JOURNAL_TRIGGER_COUNT; type++)
++ ocfs2_setup_csum_triggers(sb, type, &triggers[type]);
++}
+
+ static int __ocfs2_journal_access(handle_t *handle,
+ struct ocfs2_caching_info *ci,
+@@ -708,56 +693,91 @@ static int __ocfs2_journal_access(handle
+ int ocfs2_journal_access_di(handle_t *handle, struct ocfs2_caching_info *ci,
+ struct buffer_head *bh, int type)
+ {
+- return __ocfs2_journal_access(handle, ci, bh, &di_triggers, type);
++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci));
++
++ return __ocfs2_journal_access(handle, ci, bh,
++ &osb->s_journal_triggers[OCFS2_JTR_DI],
++ type);
+ }
+
+ int ocfs2_journal_access_eb(handle_t *handle, struct ocfs2_caching_info *ci,
+ struct buffer_head *bh, int type)
+ {
+- return __ocfs2_journal_access(handle, ci, bh, &eb_triggers, type);
++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci));
++
++ return __ocfs2_journal_access(handle, ci, bh,
++ &osb->s_journal_triggers[OCFS2_JTR_EB],
++ type);
+ }
+
+ int ocfs2_journal_access_rb(handle_t *handle, struct ocfs2_caching_info *ci,
+ struct buffer_head *bh, int type)
+ {
+- return __ocfs2_journal_access(handle, ci, bh, &rb_triggers,
++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci));
++
++ return __ocfs2_journal_access(handle, ci, bh,
++ &osb->s_journal_triggers[OCFS2_JTR_RB],
+ type);
+ }
+
+ int ocfs2_journal_access_gd(handle_t *handle, struct ocfs2_caching_info *ci,
+ struct buffer_head *bh, int type)
+ {
+- return __ocfs2_journal_access(handle, ci, bh, &gd_triggers, type);
++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci));
++
++ return __ocfs2_journal_access(handle, ci, bh,
++ &osb->s_journal_triggers[OCFS2_JTR_GD],
++ type);
+ }
+
+ int ocfs2_journal_access_db(handle_t *handle, struct ocfs2_caching_info *ci,
+ struct buffer_head *bh, int type)
+ {
+- return __ocfs2_journal_access(handle, ci, bh, &db_triggers, type);
++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci));
++
++ return __ocfs2_journal_access(handle, ci, bh,
++ &osb->s_journal_triggers[OCFS2_JTR_DB],
++ type);
+ }
+
+ int ocfs2_journal_access_xb(handle_t *handle, struct ocfs2_caching_info *ci,
+ struct buffer_head *bh, int type)
+ {
+- return __ocfs2_journal_access(handle, ci, bh, &xb_triggers, type);
++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci));
++
++ return __ocfs2_journal_access(handle, ci, bh,
++ &osb->s_journal_triggers[OCFS2_JTR_XB],
++ type);
+ }
+
+ int ocfs2_journal_access_dq(handle_t *handle, struct ocfs2_caching_info *ci,
+ struct buffer_head *bh, int type)
+ {
+- return __ocfs2_journal_access(handle, ci, bh, &dq_triggers, type);
++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci));
++
++ return __ocfs2_journal_access(handle, ci, bh,
++ &osb->s_journal_triggers[OCFS2_JTR_DQ],
++ type);
+ }
+
+ int ocfs2_journal_access_dr(handle_t *handle, struct ocfs2_caching_info *ci,
+ struct buffer_head *bh, int type)
+ {
+- return __ocfs2_journal_access(handle, ci, bh, &dr_triggers, type);
++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci));
++
++ return __ocfs2_journal_access(handle, ci, bh,
++ &osb->s_journal_triggers[OCFS2_JTR_DR],
++ type);
+ }
+
+ int ocfs2_journal_access_dl(handle_t *handle, struct ocfs2_caching_info *ci,
+ struct buffer_head *bh, int type)
+ {
+- return __ocfs2_journal_access(handle, ci, bh, &dl_triggers, type);
++ struct ocfs2_super *osb = OCFS2_SB(ocfs2_metadata_cache_get_super(ci));
++
++ return __ocfs2_journal_access(handle, ci, bh,
++ &osb->s_journal_triggers[OCFS2_JTR_DL],
++ type);
+ }
+
+ int ocfs2_journal_access(handle_t *handle, struct ocfs2_caching_info *ci,
+--- a/fs/ocfs2/ocfs2.h
++++ b/fs/ocfs2/ocfs2.h
+@@ -284,6 +284,30 @@ enum ocfs2_mount_options
+ #define OCFS2_OSB_ERROR_FS 0x0004
+ #define OCFS2_DEFAULT_ATIME_QUANTUM 60
+
++struct ocfs2_triggers {
++ struct jbd2_buffer_trigger_type ot_triggers;
++ int ot_offset;
++ struct super_block *sb;
++};
++
++enum ocfs2_journal_trigger_type {
++ OCFS2_JTR_DI,
++ OCFS2_JTR_EB,
++ OCFS2_JTR_RB,
++ OCFS2_JTR_GD,
++ OCFS2_JTR_DB,
++ OCFS2_JTR_XB,
++ OCFS2_JTR_DQ,
++ OCFS2_JTR_DR,
++ OCFS2_JTR_DL,
++ OCFS2_JTR_NONE /* This must be the last entry */
++};
++
++#define OCFS2_JOURNAL_TRIGGER_COUNT OCFS2_JTR_NONE
++
++void ocfs2_initialize_journal_triggers(struct super_block *sb,
++ struct ocfs2_triggers triggers[]);
++
+ struct ocfs2_journal;
+ struct ocfs2_slot_info;
+ struct ocfs2_recovery_map;
+@@ -351,6 +375,9 @@ struct ocfs2_super
+ struct ocfs2_journal *journal;
+ unsigned long osb_commit_interval;
+
++ /* Journal triggers for checksum */
++ struct ocfs2_triggers s_journal_triggers[OCFS2_JOURNAL_TRIGGER_COUNT];
++
+ struct delayed_work la_enable_wq;
+
+ /*
+--- a/fs/ocfs2/super.c
++++ b/fs/ocfs2/super.c
+@@ -1075,9 +1075,11 @@ static int ocfs2_fill_super(struct super
+ debugfs_create_file("fs_state", S_IFREG|S_IRUSR, osb->osb_debug_root,
+ osb, &ocfs2_osb_debug_fops);
+
+- if (ocfs2_meta_ecc(osb))
++ if (ocfs2_meta_ecc(osb)) {
++ ocfs2_initialize_journal_triggers(sb, osb->s_journal_triggers);
+ ocfs2_blockcheck_stats_debugfs_install( &osb->osb_ecc_stats,
+ osb->osb_debug_root);
++ }
+
+ status = ocfs2_mount_volume(sb);
+ if (status < 0)
--- /dev/null
+From 58f7e1e2c9e72c7974054c64c3abeac81c11f822 Mon Sep 17 00:00:00 2001
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+Date: Thu, 30 May 2024 19:06:29 +0800
+Subject: ocfs2: fix NULL pointer dereference in ocfs2_journal_dirty()
+
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+
+commit 58f7e1e2c9e72c7974054c64c3abeac81c11f822 upstream.
+
+bdev->bd_super has been removed and commit 8887b94d9322 change the usage
+from bdev->bd_super to b_assoc_map->host->i_sb. This introduces the
+following NULL pointer dereference in ocfs2_journal_dirty() since
+b_assoc_map is still not initialized. This can be easily reproduced by
+running xfstests generic/186, which simulate no more credits.
+
+[ 134.351592] BUG: kernel NULL pointer dereference, address: 0000000000000000
+...
+[ 134.355341] RIP: 0010:ocfs2_journal_dirty+0x14f/0x160 [ocfs2]
+...
+[ 134.365071] Call Trace:
+[ 134.365312] <TASK>
+[ 134.365524] ? __die_body+0x1e/0x60
+[ 134.365868] ? page_fault_oops+0x13d/0x4f0
+[ 134.366265] ? __pfx_bit_wait_io+0x10/0x10
+[ 134.366659] ? schedule+0x27/0xb0
+[ 134.366981] ? exc_page_fault+0x6a/0x140
+[ 134.367356] ? asm_exc_page_fault+0x26/0x30
+[ 134.367762] ? ocfs2_journal_dirty+0x14f/0x160 [ocfs2]
+[ 134.368305] ? ocfs2_journal_dirty+0x13d/0x160 [ocfs2]
+[ 134.368837] ocfs2_create_new_meta_bhs.isra.51+0x139/0x2e0 [ocfs2]
+[ 134.369454] ocfs2_grow_tree+0x688/0x8a0 [ocfs2]
+[ 134.369927] ocfs2_split_and_insert.isra.67+0x35c/0x4a0 [ocfs2]
+[ 134.370521] ocfs2_split_extent+0x314/0x4d0 [ocfs2]
+[ 134.371019] ocfs2_change_extent_flag+0x174/0x410 [ocfs2]
+[ 134.371566] ocfs2_add_refcount_flag+0x3fa/0x630 [ocfs2]
+[ 134.372117] ocfs2_reflink_remap_extent+0x21b/0x4c0 [ocfs2]
+[ 134.372994] ? inode_update_timestamps+0x4a/0x120
+[ 134.373692] ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2]
+[ 134.374545] ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2]
+[ 134.375393] ocfs2_reflink_remap_blocks+0xe4/0x4e0 [ocfs2]
+[ 134.376197] ocfs2_remap_file_range+0x1de/0x390 [ocfs2]
+[ 134.376971] ? security_file_permission+0x29/0x50
+[ 134.377644] vfs_clone_file_range+0xfe/0x320
+[ 134.378268] ioctl_file_clone+0x45/0xa0
+[ 134.378853] do_vfs_ioctl+0x457/0x990
+[ 134.379422] __x64_sys_ioctl+0x6e/0xd0
+[ 134.379987] do_syscall_64+0x5d/0x170
+[ 134.380550] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[ 134.381231] RIP: 0033:0x7fa4926397cb
+[ 134.381786] Code: 73 01 c3 48 8b 0d bd 56 38 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8d 56 38 00 f7 d8 64 89 01 48
+[ 134.383930] RSP: 002b:00007ffc2b39f7b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+[ 134.384854] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fa4926397cb
+[ 134.385734] RDX: 00007ffc2b39f7f0 RSI: 000000004020940d RDI: 0000000000000003
+[ 134.386606] RBP: 0000000000000000 R08: 00111a82a4f015bb R09: 00007fa494221000
+[ 134.387476] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+[ 134.388342] R13: 0000000000f10000 R14: 0000558e844e2ac8 R15: 0000000000f10000
+[ 134.389207] </TASK>
+
+Fix it by only aborting transaction and journal in ocfs2_journal_dirty()
+now, and leave ocfs2_abort() later when detecting an aborted handle,
+e.g. start next transaction. Also log the handle details in this case.
+
+Link: https://lkml.kernel.org/r/20240530110630.3933832-1-joseph.qi@linux.alibaba.com
+Fixes: 8887b94d9322 ("ocfs2: stop using bdev->bd_super for journal error logging")
+Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Reviewed-by: Heming Zhao <heming.zhao@suse.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org> [6.6+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/journal.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/fs/ocfs2/journal.c
++++ b/fs/ocfs2/journal.c
+@@ -778,13 +778,15 @@ void ocfs2_journal_dirty(handle_t *handl
+ if (!is_handle_aborted(handle)) {
+ journal_t *journal = handle->h_transaction->t_journal;
+
+- mlog(ML_ERROR, "jbd2_journal_dirty_metadata failed. "
+- "Aborting transaction and journal.\n");
++ mlog(ML_ERROR, "jbd2_journal_dirty_metadata failed: "
++ "handle type %u started at line %u, credits %u/%u "
++ "errcode %d. Aborting transaction and journal.\n",
++ handle->h_type, handle->h_line_no,
++ handle->h_requested_credits,
++ jbd2_handle_buffer_credits(handle), status);
+ handle->h_err = status;
+ jbd2_journal_abort_handle(handle);
+ jbd2_journal_abort(journal, status);
+- ocfs2_abort(bh->b_assoc_map->host->i_sb,
+- "Journal already aborted.\n");
+ }
+ }
+ }
--- /dev/null
+From 004b8d1491b4bcbb7da1a3206d1e7e66822d47c6 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Fri, 14 Jun 2024 09:55:58 +0200
+Subject: ovl: fix encoding fid for lower only root
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 004b8d1491b4bcbb7da1a3206d1e7e66822d47c6 upstream.
+
+ovl_check_encode_origin() should return a positive number if the lower
+dentry is to be encoded, zero otherwise. If there's no upper layer at all
+(read-only overlay), then it obviously needs to return positive.
+
+This was broken by commit 16aac5ad1fa9 ("ovl: support encoding
+non-decodable file handles"), which didn't take the lower-only
+configuration into account.
+
+Fix by checking the no-upper-layer case up-front.
+
+Reported-and-tested-by: Youzhong Yang <youzhong@gmail.com>
+Closes: https://lore.kernel.org/all/CADpNCvaBimi+zCYfRJHvCOhMih8OU0rmZkwLuh24MKKroRuT8Q@mail.gmail.com/
+Fixes: 16aac5ad1fa9 ("ovl: support encoding non-decodable file handles")
+Cc: <stable@vger.kernel.org> # v6.6
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/overlayfs/export.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/overlayfs/export.c
++++ b/fs/overlayfs/export.c
+@@ -181,6 +181,10 @@ static int ovl_check_encode_origin(struc
+ struct ovl_fs *ofs = OVL_FS(dentry->d_sb);
+ bool decodable = ofs->config.nfs_export;
+
++ /* No upper layer? */
++ if (!ovl_upper_mnt(ofs))
++ return 1;
++
+ /* Lower file handle for non-upper non-decodable */
+ if (!ovl_dentry_upper(dentry) && !decodable)
+ return 1;
+@@ -209,7 +213,7 @@ static int ovl_check_encode_origin(struc
+ * ovl_connect_layer() will try to make origin's layer "connected" by
+ * copying up a "connectable" ancestor.
+ */
+- if (d_is_dir(dentry) && ovl_upper_mnt(ofs) && decodable)
++ if (d_is_dir(dentry) && decodable)
+ return ovl_connect_layer(dentry);
+
+ /* Lower file handle for indexed and non-upper dir/non-dir */
--- /dev/null
+From 2e4c02fdecf2f6f55cefe48cb82d93fa4f8e2204 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@nvidia.com>
+Date: Tue, 28 May 2024 15:52:54 +0300
+Subject: RDMA/mlx5: Ensure created mkeys always have a populated rb_key
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+commit 2e4c02fdecf2f6f55cefe48cb82d93fa4f8e2204 upstream.
+
+cachable and mmkey.rb_key together are used by mlx5_revoke_mr() to put the
+MR/mkey back into the cache. In all cases they should be set correctly.
+
+alloc_cacheable_mr() was setting cachable but not filling rb_key,
+resulting in cache_ent_find_and_store() bucketing them all into a 0 length
+entry.
+
+implicit_get_child_mr()/mlx5_ib_alloc_implicit_mr() failed to set cachable
+or rb_key at all, so the cache was not working at all for implicit ODP.
+
+Cc: stable@vger.kernel.org
+Fixes: 8c1185fef68c ("RDMA/mlx5: Change check for cacheable mkeys")
+Fixes: dd1b913fb0d0 ("RDMA/mlx5: Cache all user cacheable mkeys on dereg MR flow")
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://lore.kernel.org/r/7778c02dfa0999a30d6746c79a23dd7140a9c729.1716900410.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx5/mr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -718,6 +718,8 @@ static struct mlx5_ib_mr *_mlx5_mr_cache
+ }
+ mr->mmkey.cache_ent = ent;
+ mr->mmkey.type = MLX5_MKEY_MR;
++ mr->mmkey.rb_key = ent->rb_key;
++ mr->mmkey.cacheable = true;
+ init_waitqueue_head(&mr->mmkey.wait);
+ return mr;
+ }
+@@ -1168,7 +1170,6 @@ static struct mlx5_ib_mr *alloc_cacheabl
+ mr->ibmr.pd = pd;
+ mr->umem = umem;
+ mr->page_shift = order_base_2(page_size);
+- mr->mmkey.cacheable = true;
+ set_mr_fields(dev, mr, umem->length, access_flags, iova);
+
+ return mr;
--- /dev/null
+From f637040c3339a2ed8c12d65ad03f9552386e2fe7 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@nvidia.com>
+Date: Tue, 28 May 2024 15:52:53 +0300
+Subject: RDMA/mlx5: Follow rb_key.ats when creating new mkeys
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+commit f637040c3339a2ed8c12d65ad03f9552386e2fe7 upstream.
+
+When a cache ent already exists but doesn't have any mkeys in it the cache
+will automatically create a new one based on the specification in the
+ent->rb_key.
+
+ent->ats was missed when creating the new key and so ma_translation_mode
+was not being set even though the ent requires it.
+
+Cc: stable@vger.kernel.org
+Fixes: 73d09b2fe833 ("RDMA/mlx5: Introduce mlx5r_cache_rb_key")
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Michael Guralnik <michaelgur@nvidia.com>
+Link: https://lore.kernel.org/r/7c5613458ecb89fbe5606b7aa4c8d990bdea5b9a.1716900410.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx5/mr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -246,6 +246,7 @@ static void set_cache_mkc(struct mlx5_ca
+ MLX5_SET(mkc, mkc, access_mode_1_0, ent->rb_key.access_mode & 0x3);
+ MLX5_SET(mkc, mkc, access_mode_4_2,
+ (ent->rb_key.access_mode >> 2) & 0x7);
++ MLX5_SET(mkc, mkc, ma_translation_mode, !!ent->rb_key.ats);
+
+ MLX5_SET(mkc, mkc, translations_octword_size,
+ get_mkc_octo_size(ent->rb_key.access_mode,
--- /dev/null
+From c1eb2512596fb3542357bb6c34c286f5e0374538 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@nvidia.com>
+Date: Tue, 28 May 2024 15:52:52 +0300
+Subject: RDMA/mlx5: Remove extra unlock on error path
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+commit c1eb2512596fb3542357bb6c34c286f5e0374538 upstream.
+
+The below commit lifted the locking out of this function but left this
+error path unlock behind resulting in unbalanced locking. Remove the
+missed unlock too.
+
+Cc: stable@vger.kernel.org
+Fixes: 627122280c87 ("RDMA/mlx5: Add work to remove temporary entries from the cache")
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Michael Guralnik <michaelgur@nvidia.com>
+Link: https://lore.kernel.org/r/78090c210c750f47219b95248f9f782f34548bb1.1716900410.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx5/mr.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -641,10 +641,8 @@ static int mlx5_cache_ent_insert(struct
+ new = &((*new)->rb_left);
+ if (cmp < 0)
+ new = &((*new)->rb_right);
+- if (cmp == 0) {
+- mutex_unlock(&cache->rb_lock);
++ if (cmp == 0)
+ return -EEXIST;
+- }
+ }
+
+ /* Add new node and rebalance tree. */
--- /dev/null
+From 03fa18a992d5626fd7bf3557a52e826bf8b326b3 Mon Sep 17 00:00:00 2001
+From: Honggang LI <honggangli@163.com>
+Date: Thu, 16 May 2024 17:50:52 +0800
+Subject: RDMA/rxe: Fix data copy for IB_SEND_INLINE
+
+From: Honggang LI <honggangli@163.com>
+
+commit 03fa18a992d5626fd7bf3557a52e826bf8b326b3 upstream.
+
+For RDMA Send and Write with IB_SEND_INLINE, the memory buffers
+specified in sge list will be placed inline in the Send Request.
+
+The data should be copied by CPU from the virtual addresses of
+corresponding sge list DMA addresses.
+
+Cc: stable@kernel.org
+Fixes: 8d7c7c0eeb74 ("RDMA: Add ib_virt_dma_to_page()")
+Signed-off-by: Honggang LI <honggangli@163.com>
+Link: https://lore.kernel.org/r/20240516095052.542767-1-honggangli@163.com
+Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Reviewed-by: Li Zhijian <lizhijian@fujitsu.com>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/sw/rxe/rxe_verbs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/sw/rxe/rxe_verbs.c
++++ b/drivers/infiniband/sw/rxe/rxe_verbs.c
+@@ -812,7 +812,7 @@ static void copy_inline_data_to_wqe(stru
+ int i;
+
+ for (i = 0; i < ibwr->num_sge; i++, sge++) {
+- memcpy(p, ib_virt_dma_to_page(sge->addr), sge->length);
++ memcpy(p, ib_virt_dma_to_ptr(sge->addr), sge->length);
+ p += sge->length;
+ }
+ }
--- /dev/null
+From 633aeefafc9c2a07a76a62be6aac1d73c3e3defa Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Thu, 13 Jun 2024 14:18:26 -0700
+Subject: scsi: core: Introduce the BLIST_SKIP_IO_HINTS flag
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit 633aeefafc9c2a07a76a62be6aac1d73c3e3defa upstream.
+
+Prepare for skipping the IO Advice Hints Grouping mode page for USB storage
+devices.
+
+Cc: Alan Stern <stern@rowland.harvard.edu>
+Cc: Joao Machado <jocrismachado@gmail.com>
+Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
+Cc: Christian Heusel <christian@heusel.eu>
+Cc: stable@vger.kernel.org
+Fixes: 4f53138fffc2 ("scsi: sd: Translate data lifetime information")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://lore.kernel.org/r/20240613211828.2077477-2-bvanassche@acm.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/sd.c | 4 ++++
+ include/scsi/scsi_devinfo.h | 4 +++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -63,6 +63,7 @@
+ #include <scsi/scsi_cmnd.h>
+ #include <scsi/scsi_dbg.h>
+ #include <scsi/scsi_device.h>
++#include <scsi/scsi_devinfo.h>
+ #include <scsi/scsi_driver.h>
+ #include <scsi/scsi_eh.h>
+ #include <scsi/scsi_host.h>
+@@ -3125,6 +3126,9 @@ static void sd_read_io_hints(struct scsi
+ struct scsi_mode_data data;
+ int res;
+
++ if (sdp->sdev_bflags & BLIST_SKIP_IO_HINTS)
++ return;
++
+ res = scsi_mode_sense(sdp, /*dbd=*/0x8, /*modepage=*/0x0a,
+ /*subpage=*/0x05, buffer, SD_BUF_SIZE, SD_TIMEOUT,
+ sdkp->max_retries, &data, &sshdr);
+--- a/include/scsi/scsi_devinfo.h
++++ b/include/scsi/scsi_devinfo.h
+@@ -69,8 +69,10 @@
+ #define BLIST_RETRY_ITF ((__force blist_flags_t)(1ULL << 32))
+ /* Always retry ABORTED_COMMAND with ASC 0xc1 */
+ #define BLIST_RETRY_ASC_C1 ((__force blist_flags_t)(1ULL << 33))
++/* Do not query the IO Advice Hints Grouping mode page */
++#define BLIST_SKIP_IO_HINTS ((__force blist_flags_t)(1ULL << 34))
+
+-#define __BLIST_LAST_USED BLIST_RETRY_ASC_C1
++#define __BLIST_LAST_USED BLIST_SKIP_IO_HINTS
+
+ #define __BLIST_HIGH_UNUSED (~(__BLIST_LAST_USED | \
+ (__force blist_flags_t) \
--- /dev/null
+From 135c6eb27a85c8b261a2cc1f5093abcda6ee9010 Mon Sep 17 00:00:00 2001
+From: Joel Slebodnick <jslebodn@redhat.com>
+Date: Thu, 13 Jun 2024 14:27:28 -0400
+Subject: scsi: ufs: core: Free memory allocated for model before reinit
+
+From: Joel Slebodnick <jslebodn@redhat.com>
+
+commit 135c6eb27a85c8b261a2cc1f5093abcda6ee9010 upstream.
+
+Under the conditions that a device is to be reinitialized within
+ufshcd_probe_hba(), the device must first be fully reset.
+
+Resetting the device should include freeing U8 model (member of dev_info)
+but does not, and this causes a memory leak. ufs_put_device_desc() is
+responsible for freeing model.
+
+unreferenced object 0xffff3f63008bee60 (size 32):
+ comm "kworker/u33:1", pid 60, jiffies 4294892642
+ hex dump (first 32 bytes):
+ 54 48 47 4a 46 47 54 30 54 32 35 42 41 5a 5a 41 THGJFGT0T25BAZZA
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace (crc ed7ff1a9):
+ [<ffffb86705f1243c>] kmemleak_alloc+0x34/0x40
+ [<ffffb8670511cee4>] __kmalloc_noprof+0x1e4/0x2fc
+ [<ffffb86705c247fc>] ufshcd_read_string_desc+0x94/0x190
+ [<ffffb86705c26854>] ufshcd_device_init+0x480/0xdf8
+ [<ffffb86705c27b68>] ufshcd_probe_hba+0x3c/0x404
+ [<ffffb86705c29264>] ufshcd_async_scan+0x40/0x370
+ [<ffffb86704f43e9c>] async_run_entry_fn+0x34/0xe0
+ [<ffffb86704f34638>] process_one_work+0x154/0x298
+ [<ffffb86704f34a74>] worker_thread+0x2f8/0x408
+ [<ffffb86704f3cfa4>] kthread+0x114/0x118
+ [<ffffb86704e955a0>] ret_from_fork+0x10/0x20
+
+Fixes: 96a7141da332 ("scsi: ufs: core: Add support for reinitializing the UFS device")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Andrew Halaney <ahalaney@redhat.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Joel Slebodnick <jslebodn@redhat.com>
+Link: https://lore.kernel.org/r/20240613200202.2524194-1-jslebodn@redhat.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/core/ufshcd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -8972,6 +8972,7 @@ static int ufshcd_probe_hba(struct ufs_h
+ (hba->quirks & UFSHCD_QUIRK_REINIT_AFTER_MAX_GEAR_SWITCH)) {
+ /* Reset the device and controller before doing reinit */
+ ufshcd_device_reset(hba);
++ ufs_put_device_desc(hba);
+ ufshcd_hba_stop(hba);
+ ufshcd_vops_reinit_notify(hba);
+ ret = ufshcd_hba_enable(hba);
--- /dev/null
+From 57619f3cdeb5ae9f4252833b0ed600e9f81da722 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Thu, 13 Jun 2024 14:18:27 -0700
+Subject: scsi: usb: uas: Do not query the IO Advice Hints Grouping mode page for USB/UAS devices
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit 57619f3cdeb5ae9f4252833b0ed600e9f81da722 upstream.
+
+Recently it was reported that the following USB storage devices are
+unusable with Linux kernel 6.9:
+
+ * Kingston DataTraveler G2
+ * Garmin FR35
+
+This is because attempting to read the IO Advice Hints Grouping mode page
+causes these devices to reset. Hence do not read the IO Advice Hints
+Grouping mode page from USB/UAS storage devices.
+
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Cc: stable@vger.kernel.org
+Fixes: 4f53138fffc2 ("scsi: sd: Translate data lifetime information")
+Reported-by: Joao Machado <jocrismachado@gmail.com>
+Closes: https://lore.kernel.org/linux-scsi/20240130214911.1863909-1-bvanassche@acm.org/T/#mf4e3410d8f210454d7e4c3d1fb5c0f41e651b85f
+Tested-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Bisected-by: Christian Heusel <christian@heusel.eu>
+Reported-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Closes: https://lore.kernel.org/linux-scsi/CACLx9VdpUanftfPo2jVAqXdcWe8Y43MsDeZmMPooTzVaVJAh2w@mail.gmail.com/
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://lore.kernel.org/r/20240613211828.2077477-3-bvanassche@acm.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/storage/scsiglue.c | 6 ++++++
+ drivers/usb/storage/uas.c | 7 +++++++
+ 2 files changed, 13 insertions(+)
+
+--- a/drivers/usb/storage/scsiglue.c
++++ b/drivers/usb/storage/scsiglue.c
+@@ -86,6 +86,12 @@ static int slave_alloc (struct scsi_devi
+ if (us->protocol == USB_PR_BULK && us->max_lun > 0)
+ sdev->sdev_bflags |= BLIST_FORCELUN;
+
++ /*
++ * Some USB storage devices reset if the IO advice hints grouping mode
++ * page is queried. Hence skip that mode page.
++ */
++ sdev->sdev_bflags |= BLIST_SKIP_IO_HINTS;
++
+ return 0;
+ }
+
+--- a/drivers/usb/storage/uas.c
++++ b/drivers/usb/storage/uas.c
+@@ -21,6 +21,7 @@
+ #include <scsi/scsi.h>
+ #include <scsi/scsi_eh.h>
+ #include <scsi/scsi_dbg.h>
++#include <scsi/scsi_devinfo.h>
+ #include <scsi/scsi_cmnd.h>
+ #include <scsi/scsi_device.h>
+ #include <scsi/scsi_host.h>
+@@ -820,6 +821,12 @@ static int uas_slave_alloc(struct scsi_d
+ struct uas_dev_info *devinfo =
+ (struct uas_dev_info *)sdev->host->hostdata;
+
++ /*
++ * Some USB storage devices reset if the IO advice hints grouping mode
++ * page is queried. Hence skip that mode page.
++ */
++ sdev->sdev_bflags |= BLIST_SKIP_IO_HINTS;
++
+ sdev->hostdata = devinfo;
+
+ /*
acpi-ec-evaluate-orphan-_reg-under-ec-device.patch
ext4-avoid-overflow-when-setting-values-via-sysfs.patch
ext4-fix-slab-out-of-bounds-in-ext4_mb_find_good_group_avg_frag_lists.patch
+net-phy-dp83tg720-wake-up-phys-in-managed-mode.patch
+net-stmmac-assign-configured-channel-value-to-extts-event.patch
+net-usb-ax88179_178a-improve-reset-check.patch
+net-phy-dp83tg720-get-master-slave-configuration-in-link-down-state.patch
+net-do-not-leave-a-dangling-sk-pointer-when-socket-creation-fails.patch
+btrfs-retry-block-group-reclaim-without-infinite-loop.patch
+scsi-ufs-core-free-memory-allocated-for-model-before-reinit.patch
+cifs-fix-typo-in-module-parameter-enable_gcm_256.patch
+loongarch-fix-watchpoint-setting-error.patch
+loongarch-trigger-user-space-watchpoints-correctly.patch
+loongarch-fix-multiple-hardware-watchpoint-issues.patch
+kvm-fix-a-data-race-on-last_boosted_vcpu-in-kvm_vcpu_on_spin.patch
+kvm-arm64-disassociate-vcpus-from-redistributor-region-on-teardown.patch
+kvm-x86-always-sync-pir-to-irr-prior-to-scanning-i-o-apic-routes.patch
+rdma-rxe-fix-data-copy-for-ib_send_inline.patch
+rdma-mlx5-remove-extra-unlock-on-error-path.patch
+rdma-mlx5-follow-rb_key.ats-when-creating-new-mkeys.patch
+rdma-mlx5-ensure-created-mkeys-always-have-a-populated-rb_key.patch
+ovl-fix-encoding-fid-for-lower-only-root.patch
+wifi-mac80211-fix-monitor-channel-with-chanctx-emulation.patch
+alsa-hda-realtek-fix-mute-micmute-leds-don-t-work-for-probook-445-465-g11.patch
+alsa-hda-realtek-limit-mic-boost-on-n14ap7.patch
+alsa-hda-realtek-add-quirk-for-lenovo-yoga-pro-7-14ahp9.patch
+drm-i915-mso-using-joiner-is-not-possible-with-edp-mso.patch
+drm-radeon-fix-ubsan-warning-in-kv_dpm.c.patch
+drm-amdgpu-fix-ubsan-warning-in-kv_dpm.c.patch
+drm-amdgpu-fix-locking-scope-when-flushing-tlb.patch
+drm-amd-display-remove-redundant-idle-optimization-check.patch
+drm-amd-display-attempt-to-avoid-empty-tus-when-endpoint-is-dpia.patch
+dt-bindings-dma-fsl-edma-fix-dma-channels-constraints.patch
+ocfs2-fix-null-pointer-dereference-in-ocfs2_journal_dirty.patch
+ocfs2-fix-null-pointer-dereference-in-ocfs2_abort_trigger.patch
+scsi-core-introduce-the-blist_skip_io_hints-flag.patch
+scsi-usb-uas-do-not-query-the-io-advice-hints-grouping-mode-page-for-usb-uas-devices.patch
+ata-ahci-do-not-enable-lpm-if-no-lpm-states-are-supported-by-the-hba.patch
+dmaengine-xilinx-xdma-fix-data-synchronisation-in-xdma_channel_isr.patch
+net-tcp_ao-don-t-leak-ao_info-on-error-path.patch
+gcov-add-support-for-gcc-14.patch
+kcov-don-t-lose-track-of-remote-references-during-softirqs.patch
--- /dev/null
+From 0d9c2beed116e623ac30810d382bd67163650f98 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 12 Jun 2024 12:23:51 +0200
+Subject: wifi: mac80211: fix monitor channel with chanctx emulation
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 0d9c2beed116e623ac30810d382bd67163650f98 upstream.
+
+After the channel context emulation, there were reports that
+changing the monitor channel no longer works. This is because
+those drivers don't have WANT_MONITOR_VIF, so the setting the
+channel always exits out quickly.
+
+Fix this by always allocating the virtual monitor sdata, and
+simply not telling the driver about it unless it wanted to.
+This way, we have an interface/sdata to bind the chanctx to,
+and the emulation can work correctly.
+
+Cc: stable@vger.kernel.org
+Fixes: 0a44dfc07074 ("wifi: mac80211: simplify non-chanctx drivers")
+Reported-and-tested-by: Savyasaachi Vanga <savyasaachiv@gmail.com>
+Closes: https://lore.kernel.org/r/chwoymvpzwtbmzryrlitpwmta5j6mtndocxsyqvdyikqu63lon@gfds653hkknl
+Link: https://msgid.link/20240612122351.b12d4a109dde.I1831a44417faaab92bea1071209abbe4efbe3fba@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/driver-ops.c | 17 +++++++++++++++++
+ net/mac80211/iface.c | 21 +++++++++------------
+ net/mac80211/util.c | 2 +-
+ 3 files changed, 27 insertions(+), 13 deletions(-)
+
+--- a/net/mac80211/driver-ops.c
++++ b/net/mac80211/driver-ops.c
+@@ -311,6 +311,18 @@ int drv_assign_vif_chanctx(struct ieee80
+ might_sleep();
+ lockdep_assert_wiphy(local->hw.wiphy);
+
++ /*
++ * We should perhaps push emulate chanctx down and only
++ * make it call ->config() when the chanctx is actually
++ * assigned here (and unassigned below), but that's yet
++ * another change to all drivers to add assign/unassign
++ * emulation callbacks. Maybe later.
++ */
++ if (sdata->vif.type == NL80211_IFTYPE_MONITOR &&
++ local->emulate_chanctx &&
++ !ieee80211_hw_check(&local->hw, WANT_MONITOR_VIF))
++ return 0;
++
+ if (!check_sdata_in_driver(sdata))
+ return -EIO;
+
+@@ -338,6 +350,11 @@ void drv_unassign_vif_chanctx(struct iee
+ might_sleep();
+ lockdep_assert_wiphy(local->hw.wiphy);
+
++ if (sdata->vif.type == NL80211_IFTYPE_MONITOR &&
++ local->emulate_chanctx &&
++ !ieee80211_hw_check(&local->hw, WANT_MONITOR_VIF))
++ return;
++
+ if (!check_sdata_in_driver(sdata))
+ return;
+
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -1122,9 +1122,6 @@ int ieee80211_add_virtual_monitor(struct
+ struct ieee80211_sub_if_data *sdata;
+ int ret;
+
+- if (!ieee80211_hw_check(&local->hw, WANT_MONITOR_VIF))
+- return 0;
+-
+ ASSERT_RTNL();
+ lockdep_assert_wiphy(local->hw.wiphy);
+
+@@ -1146,11 +1143,13 @@ int ieee80211_add_virtual_monitor(struct
+
+ ieee80211_set_default_queues(sdata);
+
+- ret = drv_add_interface(local, sdata);
+- if (WARN_ON(ret)) {
+- /* ok .. stupid driver, it asked for this! */
+- kfree(sdata);
+- return ret;
++ if (ieee80211_hw_check(&local->hw, WANT_MONITOR_VIF)) {
++ ret = drv_add_interface(local, sdata);
++ if (WARN_ON(ret)) {
++ /* ok .. stupid driver, it asked for this! */
++ kfree(sdata);
++ return ret;
++ }
+ }
+
+ set_bit(SDATA_STATE_RUNNING, &sdata->state);
+@@ -1188,9 +1187,6 @@ void ieee80211_del_virtual_monitor(struc
+ {
+ struct ieee80211_sub_if_data *sdata;
+
+- if (!ieee80211_hw_check(&local->hw, WANT_MONITOR_VIF))
+- return;
+-
+ ASSERT_RTNL();
+ lockdep_assert_wiphy(local->hw.wiphy);
+
+@@ -1210,7 +1206,8 @@ void ieee80211_del_virtual_monitor(struc
+
+ ieee80211_link_release_channel(&sdata->deflink);
+
+- drv_remove_interface(local, sdata);
++ if (ieee80211_hw_check(&local->hw, WANT_MONITOR_VIF))
++ drv_remove_interface(local, sdata);
+
+ kfree(sdata);
+ }
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -1841,7 +1841,7 @@ int ieee80211_reconfig(struct ieee80211_
+
+ /* add interfaces */
+ sdata = wiphy_dereference(local->hw.wiphy, local->monitor_sdata);
+- if (sdata) {
++ if (sdata && ieee80211_hw_check(&local->hw, WANT_MONITOR_VIF)) {
+ /* in HW restart it exists already */
+ WARN_ON(local->resuming);
+ res = drv_add_interface(local, sdata);
projects / thirdparty / kernel / stable-queue.git / commitdiff
