--- /dev/null
+From 1a2bef55ad3977f93114373cfe0b5e989391cb33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 11:18:50 +0300
+Subject: ABI: testing: fix admv8818 attr description
+
+From: Antoniu Miclaus <antoniu.miclaus@analog.com>
+
+[ Upstream commit 7d34b4ad8cd2867b130b5b8d7d76d0d6092bd019 ]
+
+Fix description of the filter_mode_available attribute by pointing to
+the correct name of the attribute that can be written with valid values.
+
+Fixes: bf92d87d7c67 ("iio:filter:admv8818: Add sysfs ABI documentation")
+Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
+Link: https://patch.msgid.link/20240702081851.4663-1-antoniu.miclaus@analog.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/ABI/testing/sysfs-bus-iio-filter-admv8818 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Documentation/ABI/testing/sysfs-bus-iio-filter-admv8818 b/Documentation/ABI/testing/sysfs-bus-iio-filter-admv8818
+index 31dbb390573ff..c431f0a13cf50 100644
+--- a/Documentation/ABI/testing/sysfs-bus-iio-filter-admv8818
++++ b/Documentation/ABI/testing/sysfs-bus-iio-filter-admv8818
+@@ -3,7 +3,7 @@ KernelVersion:
+ Contact: linux-iio@vger.kernel.org
+ Description:
+ Reading this returns the valid values that can be written to the
+- on_altvoltage0_mode attribute:
++ filter_mode attribute:
+
+ - auto -> Adjust bandpass filter to track changes in input clock rate.
+ - manual -> disable/unregister the clock rate notifier / input clock tracking.
+--
+2.43.0
+
--- /dev/null
+From 6edeec83fdd57d1375f6304efee01e6877f9004e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 12:16:44 +0200
+Subject: ACPI: CPPC: Fix MASK_VAL() usage
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Clément Léger <cleger@rivosinc.com>
+
+[ Upstream commit 60949b7b805424f21326b450ca4f1806c06d982e ]
+
+MASK_VAL() was added as a way to handle bit_offset and bit_width for
+registers located in system memory address space. However, while suited
+for reading, it does not work for writing and result in corrupted
+registers when writing values with bit_offset > 0. Moreover, when a
+register is collocated with another one at the same address but with a
+different mask, the current code results in the other registers being
+overwritten with 0s. The write procedure for SYSTEM_MEMORY registers
+should actually read the value, mask it, update it and write it with the
+updated value. Moreover, since registers can be located in the same
+word, we must take care of locking the access before doing it. We should
+potentially use a global lock since we don't know in if register
+addresses aren't shared with another _CPC package but better not
+encourage vendors to do so. Assume that registers can use the same word
+inside a _CPC package and thus, use a per _CPC package lock.
+
+Fixes: 2f4a4d63a193 ("ACPI: CPPC: Use access_width over bit_width for system memory accesses")
+Signed-off-by: Clément Léger <cleger@rivosinc.com>
+Link: https://patch.msgid.link/20240826101648.95654-1-cleger@rivosinc.com
+[ rjw: Dropped redundant semicolon ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/cppc_acpi.c | 43 ++++++++++++++++++++++++++++++++++++----
+ include/acpi/cppc_acpi.h | 2 ++
+ 2 files changed, 41 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/acpi/cppc_acpi.c b/drivers/acpi/cppc_acpi.c
+index dd3d3082c8c76..28adea68e1cd6 100644
+--- a/drivers/acpi/cppc_acpi.c
++++ b/drivers/acpi/cppc_acpi.c
+@@ -171,8 +171,11 @@ show_cppc_data(cppc_get_perf_ctrs, cppc_perf_fb_ctrs, wraparound_time);
+ #define GET_BIT_WIDTH(reg) ((reg)->access_width ? (8 << ((reg)->access_width - 1)) : (reg)->bit_width)
+
+ /* Shift and apply the mask for CPC reads/writes */
+-#define MASK_VAL(reg, val) (((val) >> (reg)->bit_offset) & \
++#define MASK_VAL_READ(reg, val) (((val) >> (reg)->bit_offset) & \
+ GENMASK(((reg)->bit_width) - 1, 0))
++#define MASK_VAL_WRITE(reg, prev_val, val) \
++ ((((val) & GENMASK(((reg)->bit_width) - 1, 0)) << (reg)->bit_offset) | \
++ ((prev_val) & ~(GENMASK(((reg)->bit_width) - 1, 0) << (reg)->bit_offset))) \
+
+ static ssize_t show_feedback_ctrs(struct kobject *kobj,
+ struct kobj_attribute *attr, char *buf)
+@@ -859,6 +862,7 @@ int acpi_cppc_processor_probe(struct acpi_processor *pr)
+
+ /* Store CPU Logical ID */
+ cpc_ptr->cpu_id = pr->id;
++ spin_lock_init(&cpc_ptr->rmw_lock);
+
+ /* Parse PSD data for this CPU */
+ ret = acpi_get_psd(cpc_ptr, handle);
+@@ -1064,7 +1068,7 @@ static int cpc_read(int cpu, struct cpc_register_resource *reg_res, u64 *val)
+ }
+
+ if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY)
+- *val = MASK_VAL(reg, *val);
++ *val = MASK_VAL_READ(reg, *val);
+
+ return 0;
+ }
+@@ -1073,9 +1077,11 @@ static int cpc_write(int cpu, struct cpc_register_resource *reg_res, u64 val)
+ {
+ int ret_val = 0;
+ int size;
++ u64 prev_val;
+ void __iomem *vaddr = NULL;
+ int pcc_ss_id = per_cpu(cpu_pcc_subspace_idx, cpu);
+ struct cpc_reg *reg = ®_res->cpc_entry.reg;
++ struct cpc_desc *cpc_desc;
+
+ size = GET_BIT_WIDTH(reg);
+
+@@ -1108,8 +1114,34 @@ static int cpc_write(int cpu, struct cpc_register_resource *reg_res, u64 val)
+ return acpi_os_write_memory((acpi_physical_address)reg->address,
+ val, size);
+
+- if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY)
+- val = MASK_VAL(reg, val);
++ if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) {
++ cpc_desc = per_cpu(cpc_desc_ptr, cpu);
++ if (!cpc_desc) {
++ pr_debug("No CPC descriptor for CPU:%d\n", cpu);
++ return -ENODEV;
++ }
++
++ spin_lock(&cpc_desc->rmw_lock);
++ switch (size) {
++ case 8:
++ prev_val = readb_relaxed(vaddr);
++ break;
++ case 16:
++ prev_val = readw_relaxed(vaddr);
++ break;
++ case 32:
++ prev_val = readl_relaxed(vaddr);
++ break;
++ case 64:
++ prev_val = readq_relaxed(vaddr);
++ break;
++ default:
++ spin_unlock(&cpc_desc->rmw_lock);
++ return -EFAULT;
++ }
++ val = MASK_VAL_WRITE(reg, prev_val, val);
++ val |= prev_val;
++ }
+
+ switch (size) {
+ case 8:
+@@ -1136,6 +1168,9 @@ static int cpc_write(int cpu, struct cpc_register_resource *reg_res, u64 val)
+ break;
+ }
+
++ if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY)
++ spin_unlock(&cpc_desc->rmw_lock);
++
+ return ret_val;
+ }
+
+diff --git a/include/acpi/cppc_acpi.h b/include/acpi/cppc_acpi.h
+index 930b6afba6f4d..e1720d9306669 100644
+--- a/include/acpi/cppc_acpi.h
++++ b/include/acpi/cppc_acpi.h
+@@ -64,6 +64,8 @@ struct cpc_desc {
+ int cpu_id;
+ int write_cmd_status;
+ int write_cmd_id;
++ /* Lock used for RMW operations in cpc_write() */
++ spinlock_t rmw_lock;
+ struct cpc_register_resource cpc_regs[MAX_CPC_REG_ENT];
+ struct acpi_psd_package domain_info;
+ struct kobject kobj;
+--
+2.43.0
+
--- /dev/null
+From 8027764e168562f33430d9381a77f0886d02797f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jul 2024 01:53:39 +0300
+Subject: ACPI: PMIC: Remove unneeded check in tps68470_pmic_opregion_probe()
+
+From: Aleksandr Mishin <amishin@t-argos.ru>
+
+[ Upstream commit 07442c46abad1d50ac82af5e0f9c5de2732c4592 ]
+
+In tps68470_pmic_opregion_probe() pointer 'dev' is compared to NULL which
+is useless.
+
+Fix this issue by removing unneeded check.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: e13452ac3790 ("ACPI / PMIC: Add TI PMIC TPS68470 operation region driver")
+Suggested-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://patch.msgid.link/20240730225339.13165-1-amishin@t-argos.ru
+[ rjw: Subject edit ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/pmic/tps68470_pmic.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/acpi/pmic/tps68470_pmic.c b/drivers/acpi/pmic/tps68470_pmic.c
+index ebd03e4729555..0d1a82eeb4b0b 100644
+--- a/drivers/acpi/pmic/tps68470_pmic.c
++++ b/drivers/acpi/pmic/tps68470_pmic.c
+@@ -376,10 +376,8 @@ static int tps68470_pmic_opregion_probe(struct platform_device *pdev)
+ struct tps68470_pmic_opregion *opregion;
+ acpi_status status;
+
+- if (!dev || !tps68470_regmap) {
+- dev_warn(dev, "dev or regmap is NULL\n");
+- return -EINVAL;
+- }
++ if (!tps68470_regmap)
++ return dev_err_probe(dev, -EINVAL, "regmap is missing\n");
+
+ if (!handle) {
+ dev_warn(dev, "acpi handle is NULL\n");
+--
+2.43.0
+
--- /dev/null
+From 8d9de3b0a7607c9bef99883dcf231c86378a4f67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2024 20:08:47 +0000
+Subject: ACPI: video: force native for Apple MacbookPro9,2
+
+From: Esther Shimanovich <eshimanovich@chromium.org>
+
+[ Upstream commit 7dc918daaf2994963690171584ba423f28724df5 ]
+
+It used to be that the MacbookPro9,2 used its native intel backlight
+device until the following commit was introduced:
+
+commit b1d36e73cc1c ("drm/i915: Don't register backlight when another
+backlight should be used (v2)")
+
+This commit forced this model to use its firmware acpi_video backlight
+device instead.
+
+That worked fine until an additional commit was added:
+
+commit 92714006eb4d ("drm/i915/backlight: Do not bump min brightness
+to max on enable")
+
+That commit uncovered a bug in the MacbookPro 9,2's acpi_video
+backlight firmware; the backlight does not come back up after resume.
+
+Add DMI quirk to select the working native intel interface instead
+so that the backlight successfully comes back up after resume.
+
+Fixes: 92714006eb4d ("drm/i915/backlight: Do not bump min brightness to max on enable")
+Signed-off-by: Esther Shimanovich <eshimanovich@chromium.org>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://patch.msgid.link/20240806-acpi-video-quirk-v1-1-369d8f7abc59@chromium.org
+[ rjw: Subject and changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/video_detect.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c
+index 674b9db7a1ef8..75a5f559402f8 100644
+--- a/drivers/acpi/video_detect.c
++++ b/drivers/acpi/video_detect.c
+@@ -549,6 +549,14 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "MacBookAir9,1"),
+ },
+ },
++ {
++ .callback = video_detect_force_native,
++ /* Apple MacBook Pro 9,2 */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Apple Inc."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "MacBookPro9,2"),
++ },
++ },
+ {
+ /* https://bugzilla.redhat.com/show_bug.cgi?id=1217249 */
+ .callback = video_detect_force_native,
+--
+2.43.0
+
--- /dev/null
+From fabe12bb6765c2bb751c2af0b7e7b66899de67d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Apr 2024 21:12:40 -0700
+Subject: ACPICA: executer/exsystem: Don't nag user about every Stall()
+ violating the spec
+
+From: Vasily Khoruzhick <anarsoul@gmail.com>
+
+[ Upstream commit c82c507126c9c9db350be28f14c83fad1c7969ae ]
+
+ACPICA commit 129b75516fc49fe1fd6b8c5798f86c13854630b3
+
+Stop nagging user about every Stall() that violates the spec
+
+On my Dell XPS 15 7590 I get hundreds of these warnings after few hours of
+uptime:
+
+$ dmesg | grep "fix the firmware" | wc -l
+261
+
+I cannot fix the firmware and I doubt that Dell cares about 4 year old
+laptop either
+
+Fixes: ace8f1c54a02 ("ACPICA: executer/exsystem: Inform users about ACPI spec violation")
+Link: https://github.com/acpica/acpica/commit/129b7551
+Signed-off-by: Vasily Khoruzhick <anarsoul@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/exsystem.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/acpi/acpica/exsystem.c b/drivers/acpi/acpica/exsystem.c
+index f665ffd9a396c..2c384bd52b9c4 100644
+--- a/drivers/acpi/acpica/exsystem.c
++++ b/drivers/acpi/acpica/exsystem.c
+@@ -133,14 +133,15 @@ acpi_status acpi_ex_system_do_stall(u32 how_long_us)
+ * (ACPI specifies 100 usec as max, but this gives some slack in
+ * order to support existing BIOSs)
+ */
+- ACPI_ERROR((AE_INFO,
+- "Time parameter is too large (%u)", how_long_us));
++ ACPI_ERROR_ONCE((AE_INFO,
++ "Time parameter is too large (%u)",
++ how_long_us));
+ status = AE_AML_OPERAND_VALUE;
+ } else {
+ if (how_long_us > 100) {
+- ACPI_WARNING((AE_INFO,
+- "Time parameter %u us > 100 us violating ACPI spec, please fix the firmware.",
+- how_long_us));
++ ACPI_WARNING_ONCE((AE_INFO,
++ "Time parameter %u us > 100 us violating ACPI spec, please fix the firmware.",
++ how_long_us));
+ }
+ acpi_os_stall(how_long_us);
+ }
+--
+2.43.0
+
--- /dev/null
+From 0dd1a21813fb691d3f7cb90fcc16e7cb6c8064cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Apr 2024 21:09:45 -0700
+Subject: ACPICA: Implement ACPI_WARNING_ONCE and ACPI_ERROR_ONCE
+
+From: Vasily Khoruzhick <anarsoul@gmail.com>
+
+[ Upstream commit 632b746b108e3c62e0795072d00ed597371c738a ]
+
+ACPICA commit 2ad4e6e7c4118f4cdfcad321c930b836cec77406
+
+In some cases it is not practical nor useful to nag user about some
+firmware errors that they cannot fix. Add a macro that will print a
+warning or error only once to be used in these cases.
+
+Link: https://github.com/acpica/acpica/commit/2ad4e6e7
+Signed-off-by: Vasily Khoruzhick <anarsoul@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Stable-dep-of: c82c507126c9 ("ACPICA: executer/exsystem: Don't nag user about every Stall() violating the spec")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/acpi/acoutput.h | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/include/acpi/acoutput.h b/include/acpi/acoutput.h
+index b1571dd96310a..5e0346142f983 100644
+--- a/include/acpi/acoutput.h
++++ b/include/acpi/acoutput.h
+@@ -193,6 +193,7 @@
+ */
+ #ifndef ACPI_NO_ERROR_MESSAGES
+ #define AE_INFO _acpi_module_name, __LINE__
++#define ACPI_ONCE(_fn, _plist) { static char _done; if (!_done) { _done = 1; _fn _plist; } }
+
+ /*
+ * Error reporting. Callers module and line number are inserted by AE_INFO,
+@@ -201,8 +202,10 @@
+ */
+ #define ACPI_INFO(plist) acpi_info plist
+ #define ACPI_WARNING(plist) acpi_warning plist
++#define ACPI_WARNING_ONCE(plist) ACPI_ONCE(acpi_warning, plist)
+ #define ACPI_EXCEPTION(plist) acpi_exception plist
+ #define ACPI_ERROR(plist) acpi_error plist
++#define ACPI_ERROR_ONCE(plist) ACPI_ONCE(acpi_error, plist)
+ #define ACPI_BIOS_WARNING(plist) acpi_bios_warning plist
+ #define ACPI_BIOS_EXCEPTION(plist) acpi_bios_exception plist
+ #define ACPI_BIOS_ERROR(plist) acpi_bios_error plist
+@@ -214,8 +217,10 @@
+
+ #define ACPI_INFO(plist)
+ #define ACPI_WARNING(plist)
++#define ACPI_WARNING_ONCE(plist)
+ #define ACPI_EXCEPTION(plist)
+ #define ACPI_ERROR(plist)
++#define ACPI_ERROR_ONCE(plist)
+ #define ACPI_BIOS_WARNING(plist)
+ #define ACPI_BIOS_EXCEPTION(plist)
+ #define ACPI_BIOS_ERROR(plist)
+--
+2.43.0
+
--- /dev/null
+From e64b28fd7be3f89f2c12e8ea9d1ccbb69b8802e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 16:39:21 -0700
+Subject: af_unix: Don't call skb_get() for OOB skb.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 8594d9b85c07f05e431bd07e895c2a3ad9b85d6f ]
+
+Since introduced, OOB skb holds an additional reference count with no
+special reason and caused many issues.
+
+Also, kfree_skb() and consume_skb() are used to decrement the count,
+which is confusing.
+
+Let's drop the unnecessary skb_get() in queue_oob() and corresponding
+kfree_skb(), consume_skb(), and skb_unref().
+
+Now unix_sk(sk)->oob_skb is just a pointer to skb in the receive queue,
+so special handing is no longer needed in GC.
+
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://patch.msgid.link/20240816233921.57800-1-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 5aa57d9f2d53 ("af_unix: Don't return OOB skb in manage_oob().")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 27 +++++----------------------
+ net/unix/garbage.c | 16 ++--------------
+ 2 files changed, 7 insertions(+), 36 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 0be0dcb07f7b6..a1894019ebd56 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -693,10 +693,7 @@ static void unix_release_sock(struct sock *sk, int embrion)
+ unix_state_unlock(sk);
+
+ #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
+- if (u->oob_skb) {
+- kfree_skb(u->oob_skb);
+- u->oob_skb = NULL;
+- }
++ u->oob_skb = NULL;
+ #endif
+
+ wake_up_interruptible_all(&u->peer_wait);
+@@ -2226,13 +2223,9 @@ static int queue_oob(struct socket *sock, struct msghdr *msg, struct sock *other
+ }
+
+ maybe_add_creds(skb, sock, other);
+- skb_get(skb);
+-
+ scm_stat_add(other, skb);
+
+ spin_lock(&other->sk_receive_queue.lock);
+- if (ousk->oob_skb)
+- consume_skb(ousk->oob_skb);
+ WRITE_ONCE(ousk->oob_skb, skb);
+ __skb_queue_tail(&other->sk_receive_queue, skb);
+ spin_unlock(&other->sk_receive_queue.lock);
+@@ -2640,8 +2633,6 @@ static int unix_stream_recv_urg(struct unix_stream_read_state *state)
+
+ if (!(state->flags & MSG_PEEK))
+ WRITE_ONCE(u->oob_skb, NULL);
+- else
+- skb_get(oob_skb);
+
+ spin_unlock(&sk->sk_receive_queue.lock);
+ unix_state_unlock(sk);
+@@ -2651,8 +2642,6 @@ static int unix_stream_recv_urg(struct unix_stream_read_state *state)
+ if (!(state->flags & MSG_PEEK))
+ UNIXCB(oob_skb).consumed += 1;
+
+- consume_skb(oob_skb);
+-
+ mutex_unlock(&u->iolock);
+
+ if (chunk < 0)
+@@ -2694,12 +2683,10 @@ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
+ if (copied) {
+ skb = NULL;
+ } else if (!(flags & MSG_PEEK)) {
+- if (sock_flag(sk, SOCK_URGINLINE)) {
+- WRITE_ONCE(u->oob_skb, NULL);
+- consume_skb(skb);
+- } else {
++ WRITE_ONCE(u->oob_skb, NULL);
++
++ if (!sock_flag(sk, SOCK_URGINLINE)) {
+ __skb_unlink(skb, &sk->sk_receive_queue);
+- WRITE_ONCE(u->oob_skb, NULL);
+ unlinked_skb = skb;
+ skb = skb_peek(&sk->sk_receive_queue);
+ }
+@@ -2710,10 +2697,7 @@ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
+
+ spin_unlock(&sk->sk_receive_queue.lock);
+
+- if (unlinked_skb) {
+- WARN_ON_ONCE(skb_unref(unlinked_skb));
+- kfree_skb(unlinked_skb);
+- }
++ kfree_skb(unlinked_skb);
+ }
+ return skb;
+ }
+@@ -2756,7 +2740,6 @@ static int unix_stream_read_skb(struct sock *sk, skb_read_actor_t recv_actor)
+ unix_state_unlock(sk);
+
+ if (drop) {
+- WARN_ON_ONCE(skb_unref(skb));
+ kfree_skb(skb);
+ return -EAGAIN;
+ }
+diff --git a/net/unix/garbage.c b/net/unix/garbage.c
+index 06d94ad999e99..0068e758be4dd 100644
+--- a/net/unix/garbage.c
++++ b/net/unix/garbage.c
+@@ -337,18 +337,6 @@ static bool unix_vertex_dead(struct unix_vertex *vertex)
+ return true;
+ }
+
+-static void unix_collect_queue(struct unix_sock *u, struct sk_buff_head *hitlist)
+-{
+- skb_queue_splice_init(&u->sk.sk_receive_queue, hitlist);
+-
+-#if IS_ENABLED(CONFIG_AF_UNIX_OOB)
+- if (u->oob_skb) {
+- WARN_ON_ONCE(skb_unref(u->oob_skb));
+- u->oob_skb = NULL;
+- }
+-#endif
+-}
+-
+ static void unix_collect_skb(struct list_head *scc, struct sk_buff_head *hitlist)
+ {
+ struct unix_vertex *vertex;
+@@ -371,11 +359,11 @@ static void unix_collect_skb(struct list_head *scc, struct sk_buff_head *hitlist
+ struct sk_buff_head *embryo_queue = &skb->sk->sk_receive_queue;
+
+ spin_lock(&embryo_queue->lock);
+- unix_collect_queue(unix_sk(skb->sk), hitlist);
++ skb_queue_splice_init(embryo_queue, hitlist);
+ spin_unlock(&embryo_queue->lock);
+ }
+ } else {
+- unix_collect_queue(u, hitlist);
++ skb_queue_splice_init(queue, hitlist);
+ }
+
+ spin_unlock(&queue->lock);
+--
+2.43.0
+
--- /dev/null
+From 9b30d1eab037b7ce05487a4230c36547096c3109 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2024 12:32:40 -0700
+Subject: af_unix: Don't return OOB skb in manage_oob().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 5aa57d9f2d5311f19434d95b2a81610aa263e23b ]
+
+syzbot reported use-after-free in unix_stream_recv_urg(). [0]
+
+The scenario is
+
+ 1. send(MSG_OOB)
+ 2. recv(MSG_OOB)
+ -> The consumed OOB remains in recv queue
+ 3. send(MSG_OOB)
+ 4. recv()
+ -> manage_oob() returns the next skb of the consumed OOB
+ -> This is also OOB, but unix_sk(sk)->oob_skb is not cleared
+ 5. recv(MSG_OOB)
+ -> unix_sk(sk)->oob_skb is used but already freed
+
+The recent commit 8594d9b85c07 ("af_unix: Don't call skb_get() for OOB
+skb.") uncovered the issue.
+
+If the OOB skb is consumed and the next skb is peeked in manage_oob(),
+we still need to check if the skb is OOB.
+
+Let's do so by falling back to the following checks in manage_oob()
+and add the test case in selftest.
+
+Note that we need to add a similar check for SIOCATMARK.
+
+[0]:
+BUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959
+Read of size 4 at addr ffff8880326abcc4 by task syz-executor178/5235
+
+CPU: 0 UID: 0 PID: 5235 Comm: syz-executor178 Not tainted 6.11.0-rc5-syzkaller-00742-gfbdaffe41adc #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:93 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
+ print_address_description mm/kasan/report.c:377 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:488
+ kasan_report+0x143/0x180 mm/kasan/report.c:601
+ unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959
+ unix_stream_recv_urg+0x1df/0x320 net/unix/af_unix.c:2640
+ unix_stream_read_generic+0x2456/0x2520 net/unix/af_unix.c:2778
+ unix_stream_recvmsg+0x22b/0x2c0 net/unix/af_unix.c:2996
+ sock_recvmsg_nosec net/socket.c:1046 [inline]
+ sock_recvmsg+0x22f/0x280 net/socket.c:1068
+ ____sys_recvmsg+0x1db/0x470 net/socket.c:2816
+ ___sys_recvmsg net/socket.c:2858 [inline]
+ __sys_recvmsg+0x2f0/0x3e0 net/socket.c:2888
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f5360d6b4e9
+Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fff29b3a458 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
+RAX: ffffffffffffffda RBX: 00007fff29b3a638 RCX: 00007f5360d6b4e9
+RDX: 0000000000002001 RSI: 0000000020000640 RDI: 0000000000000003
+RBP: 00007f5360dde610 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
+R13: 00007fff29b3a628 R14: 0000000000000001 R15: 0000000000000001
+ </TASK>
+
+Allocated by task 5235:
+ kasan_save_stack mm/kasan/common.c:47 [inline]
+ kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
+ unpoison_slab_object mm/kasan/common.c:312 [inline]
+ __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338
+ kasan_slab_alloc include/linux/kasan.h:201 [inline]
+ slab_post_alloc_hook mm/slub.c:3988 [inline]
+ slab_alloc_node mm/slub.c:4037 [inline]
+ kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4080
+ __alloc_skb+0x1c3/0x440 net/core/skbuff.c:667
+ alloc_skb include/linux/skbuff.h:1320 [inline]
+ alloc_skb_with_frags+0xc3/0x770 net/core/skbuff.c:6528
+ sock_alloc_send_pskb+0x91a/0xa60 net/core/sock.c:2815
+ sock_alloc_send_skb include/net/sock.h:1778 [inline]
+ queue_oob+0x108/0x680 net/unix/af_unix.c:2198
+ unix_stream_sendmsg+0xd24/0xf80 net/unix/af_unix.c:2351
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg+0x221/0x270 net/socket.c:745
+ ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597
+ ___sys_sendmsg net/socket.c:2651 [inline]
+ __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Freed by task 5235:
+ kasan_save_stack mm/kasan/common.c:47 [inline]
+ kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
+ kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
+ poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
+ __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
+ kasan_slab_free include/linux/kasan.h:184 [inline]
+ slab_free_hook mm/slub.c:2252 [inline]
+ slab_free mm/slub.c:4473 [inline]
+ kmem_cache_free+0x145/0x350 mm/slub.c:4548
+ unix_stream_read_generic+0x1ef6/0x2520 net/unix/af_unix.c:2917
+ unix_stream_recvmsg+0x22b/0x2c0 net/unix/af_unix.c:2996
+ sock_recvmsg_nosec net/socket.c:1046 [inline]
+ sock_recvmsg+0x22f/0x280 net/socket.c:1068
+ __sys_recvfrom+0x256/0x3e0 net/socket.c:2255
+ __do_sys_recvfrom net/socket.c:2273 [inline]
+ __se_sys_recvfrom net/socket.c:2269 [inline]
+ __x64_sys_recvfrom+0xde/0x100 net/socket.c:2269
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+The buggy address belongs to the object at ffff8880326abc80
+ which belongs to the cache skbuff_head_cache of size 240
+The buggy address is located 68 bytes inside of
+ freed 240-byte region [ffff8880326abc80, ffff8880326abd70)
+
+The buggy address belongs to the physical page:
+page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x326ab
+ksm flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
+page_type: 0xfdffffff(slab)
+raw: 00fff00000000000 ffff88801eaee780 ffffea0000b7dc80 dead000000000003
+raw: 0000000000000000 00000000800c000c 00000001fdffffff 0000000000000000
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4686, tgid 4686 (udevadm), ts 32357469485, free_ts 28829011109
+ set_page_owner include/linux/page_owner.h:32 [inline]
+ post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493
+ prep_new_page mm/page_alloc.c:1501 [inline]
+ get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439
+ __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695
+ __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
+ alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
+ alloc_slab_page+0x5f/0x120 mm/slub.c:2321
+ allocate_slab+0x5a/0x2f0 mm/slub.c:2484
+ new_slab mm/slub.c:2537 [inline]
+ ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3723
+ __slab_alloc+0x58/0xa0 mm/slub.c:3813
+ __slab_alloc_node mm/slub.c:3866 [inline]
+ slab_alloc_node mm/slub.c:4025 [inline]
+ kmem_cache_alloc_node_noprof+0x1fe/0x320 mm/slub.c:4080
+ __alloc_skb+0x1c3/0x440 net/core/skbuff.c:667
+ alloc_skb include/linux/skbuff.h:1320 [inline]
+ alloc_uevent_skb+0x74/0x230 lib/kobject_uevent.c:289
+ uevent_net_broadcast_untagged lib/kobject_uevent.c:326 [inline]
+ kobject_uevent_net_broadcast+0x2fd/0x580 lib/kobject_uevent.c:410
+ kobject_uevent_env+0x57d/0x8e0 lib/kobject_uevent.c:608
+ kobject_synth_uevent+0x4ef/0xae0 lib/kobject_uevent.c:207
+ uevent_store+0x4b/0x70 drivers/base/bus.c:633
+ kernfs_fop_write_iter+0x3a1/0x500 fs/kernfs/file.c:334
+ new_sync_write fs/read_write.c:497 [inline]
+ vfs_write+0xa72/0xc90 fs/read_write.c:590
+page last free pid 1 tgid 1 stack trace:
+ reset_page_owner include/linux/page_owner.h:25 [inline]
+ free_pages_prepare mm/page_alloc.c:1094 [inline]
+ free_unref_page+0xd22/0xea0 mm/page_alloc.c:2612
+ kasan_depopulate_vmalloc_pte+0x74/0x90 mm/kasan/shadow.c:408
+ apply_to_pte_range mm/memory.c:2797 [inline]
+ apply_to_pmd_range mm/memory.c:2841 [inline]
+ apply_to_pud_range mm/memory.c:2877 [inline]
+ apply_to_p4d_range mm/memory.c:2913 [inline]
+ __apply_to_page_range+0x8a8/0xe50 mm/memory.c:2947
+ kasan_release_vmalloc+0x9a/0xb0 mm/kasan/shadow.c:525
+ purge_vmap_node+0x3e3/0x770 mm/vmalloc.c:2208
+ __purge_vmap_area_lazy+0x708/0xae0 mm/vmalloc.c:2290
+ _vm_unmap_aliases+0x79d/0x840 mm/vmalloc.c:2885
+ change_page_attr_set_clr+0x2fe/0xdb0 arch/x86/mm/pat/set_memory.c:1881
+ change_page_attr_set arch/x86/mm/pat/set_memory.c:1922 [inline]
+ set_memory_nx+0xf2/0x130 arch/x86/mm/pat/set_memory.c:2110
+ free_init_pages arch/x86/mm/init.c:924 [inline]
+ free_kernel_image_pages arch/x86/mm/init.c:943 [inline]
+ free_initmem+0x79/0x110 arch/x86/mm/init.c:970
+ kernel_init+0x31/0x2b0 init/main.c:1476
+ ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+
+Memory state around the buggy address:
+ ffff8880326abb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8880326abc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
+>ffff8880326abc80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff8880326abd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
+ ffff8880326abd80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
+
+Fixes: 93c99f21db36 ("af_unix: Don't stop recv(MSG_DONTWAIT) if consumed OOB skb is at the head.")
+Reported-by: syzbot+8811381d455e3e9ec788@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=8811381d455e3e9ec788
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://patch.msgid.link/20240905193240.17565-5-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 9 ++++++--
+ tools/testing/selftests/net/af_unix/msg_oob.c | 23 +++++++++++++++++++
+ 2 files changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 159d78fc3d14d..001ccc55ef0f9 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2673,7 +2673,8 @@ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
+ __skb_unlink(read_skb, &sk->sk_receive_queue);
+ }
+
+- goto unlock;
++ if (!skb)
++ goto unlock;
+ }
+
+ if (skb != u->oob_skb)
+@@ -3175,9 +3176,13 @@ static int unix_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
+ skb = skb_peek(&sk->sk_receive_queue);
+ if (skb) {
+ struct sk_buff *oob_skb = READ_ONCE(u->oob_skb);
++ struct sk_buff *next_skb;
++
++ next_skb = skb_peek_next(skb, &sk->sk_receive_queue);
+
+ if (skb == oob_skb ||
+- (!oob_skb && !unix_skb_len(skb)))
++ (!unix_skb_len(skb) &&
++ (!oob_skb || next_skb == oob_skb)))
+ answ = 1;
+ }
+
+diff --git a/tools/testing/selftests/net/af_unix/msg_oob.c b/tools/testing/selftests/net/af_unix/msg_oob.c
+index 535eb2c3d7d1c..3ed3882a93b8b 100644
+--- a/tools/testing/selftests/net/af_unix/msg_oob.c
++++ b/tools/testing/selftests/net/af_unix/msg_oob.c
+@@ -525,6 +525,29 @@ TEST_F(msg_oob, ex_oob_drop_2)
+ }
+ }
+
++TEST_F(msg_oob, ex_oob_oob)
++{
++ sendpair("x", 1, MSG_OOB);
++ epollpair(true);
++ siocatmarkpair(true);
++
++ recvpair("x", 1, 1, MSG_OOB);
++ epollpair(false);
++ siocatmarkpair(true);
++
++ sendpair("y", 1, MSG_OOB);
++ epollpair(true);
++ siocatmarkpair(true);
++
++ recvpair("", -EAGAIN, 1, 0);
++ epollpair(false);
++ siocatmarkpair(false);
++
++ recvpair("", -EINVAL, 1, MSG_OOB);
++ epollpair(false);
++ siocatmarkpair(false);
++}
++
+ TEST_F(msg_oob, ex_oob_ahead_break)
+ {
+ sendpair("hello", 5, MSG_OOB);
+--
+2.43.0
+
--- /dev/null
+From 95a54cd681822bc2d172d06e41f42f93985cff96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2024 12:32:39 -0700
+Subject: af_unix: Move spin_lock() in manage_oob().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit a0264a9f51fe0d196f22efd7538eb749e3448c2d ]
+
+When OOB skb has been already consumed, manage_oob() returns the next
+skb if exists. In such a case, we need to fall back to the else branch
+below.
+
+Then, we want to keep holding spin_lock(&sk->sk_receive_queue.lock).
+
+Let's move it out of if-else branch and add lightweight check before
+spin_lock() for major use cases without OOB skb.
+
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://patch.msgid.link/20240905193240.17565-4-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 5aa57d9f2d53 ("af_unix: Don't return OOB skb in manage_oob().")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 91d7877a10794..159d78fc3d14d 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2657,9 +2657,12 @@ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
+ struct sk_buff *read_skb = NULL, *unread_skb = NULL;
+ struct unix_sock *u = unix_sk(sk);
+
+- if (!unix_skb_len(skb)) {
+- spin_lock(&sk->sk_receive_queue.lock);
++ if (likely(unix_skb_len(skb) && skb != READ_ONCE(u->oob_skb)))
++ return skb;
+
++ spin_lock(&sk->sk_receive_queue.lock);
++
++ if (!unix_skb_len(skb)) {
+ if (copied && (!u->oob_skb || skb == u->oob_skb)) {
+ skb = NULL;
+ } else if (flags & MSG_PEEK) {
+@@ -2670,14 +2673,9 @@ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
+ __skb_unlink(read_skb, &sk->sk_receive_queue);
+ }
+
+- spin_unlock(&sk->sk_receive_queue.lock);
+-
+- consume_skb(read_skb);
+- return skb;
++ goto unlock;
+ }
+
+- spin_lock(&sk->sk_receive_queue.lock);
+-
+ if (skb != u->oob_skb)
+ goto unlock;
+
+@@ -2698,6 +2696,7 @@ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
+ unlock:
+ spin_unlock(&sk->sk_receive_queue.lock);
+
++ consume_skb(read_skb);
+ kfree_skb(unread_skb);
+
+ return skb;
+--
+2.43.0
+
--- /dev/null
+From 4e75fa6e3f64bd6c71189617d256dd3c83d840e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2024 12:32:37 -0700
+Subject: af_unix: Remove single nest in manage_oob().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 579770dd89855915096db8364261543c37ed34ef ]
+
+This is a prep for the later fix.
+
+No functional change intended.
+
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://patch.msgid.link/20240905193240.17565-2-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 5aa57d9f2d53 ("af_unix: Don't return OOB skb in manage_oob().")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 45 +++++++++++++++++++++++----------------------
+ 1 file changed, 23 insertions(+), 22 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index a1894019ebd56..03820454bc723 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2654,11 +2654,10 @@ static int unix_stream_recv_urg(struct unix_stream_read_state *state)
+ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
+ int flags, int copied)
+ {
++ struct sk_buff *unlinked_skb = NULL;
+ struct unix_sock *u = unix_sk(sk);
+
+ if (!unix_skb_len(skb)) {
+- struct sk_buff *unlinked_skb = NULL;
+-
+ spin_lock(&sk->sk_receive_queue.lock);
+
+ if (copied && (!u->oob_skb || skb == u->oob_skb)) {
+@@ -2674,31 +2673,33 @@ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
+ spin_unlock(&sk->sk_receive_queue.lock);
+
+ consume_skb(unlinked_skb);
+- } else {
+- struct sk_buff *unlinked_skb = NULL;
++ return skb;
++ }
+
+- spin_lock(&sk->sk_receive_queue.lock);
++ spin_lock(&sk->sk_receive_queue.lock);
+
+- if (skb == u->oob_skb) {
+- if (copied) {
+- skb = NULL;
+- } else if (!(flags & MSG_PEEK)) {
+- WRITE_ONCE(u->oob_skb, NULL);
+-
+- if (!sock_flag(sk, SOCK_URGINLINE)) {
+- __skb_unlink(skb, &sk->sk_receive_queue);
+- unlinked_skb = skb;
+- skb = skb_peek(&sk->sk_receive_queue);
+- }
+- } else if (!sock_flag(sk, SOCK_URGINLINE)) {
+- skb = skb_peek_next(skb, &sk->sk_receive_queue);
+- }
+- }
++ if (skb != u->oob_skb)
++ goto unlock;
+
+- spin_unlock(&sk->sk_receive_queue.lock);
++ if (copied) {
++ skb = NULL;
++ } else if (!(flags & MSG_PEEK)) {
++ WRITE_ONCE(u->oob_skb, NULL);
+
+- kfree_skb(unlinked_skb);
++ if (!sock_flag(sk, SOCK_URGINLINE)) {
++ __skb_unlink(skb, &sk->sk_receive_queue);
++ unlinked_skb = skb;
++ skb = skb_peek(&sk->sk_receive_queue);
++ }
++ } else if (!sock_flag(sk, SOCK_URGINLINE)) {
++ skb = skb_peek_next(skb, &sk->sk_receive_queue);
+ }
++
++unlock:
++ spin_unlock(&sk->sk_receive_queue.lock);
++
++ kfree_skb(unlinked_skb);
++
+ return skb;
+ }
+ #endif
+--
+2.43.0
+
--- /dev/null
+From fe3a7d76cd8027ce256356e02b2078e25db0301b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2024 12:32:38 -0700
+Subject: af_unix: Rename unlinked_skb in manage_oob().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit beb2c5f19b6ab033b187e770a659c730c3bd05ca ]
+
+When OOB skb has been already consumed, manage_oob() returns the next
+skb if exists. In such a case, we need to fall back to the else branch
+below.
+
+Then, we need to keep two skbs and free them later with consume_skb()
+and kfree_skb().
+
+Let's rename unlinked_skb accordingly.
+
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://patch.msgid.link/20240905193240.17565-3-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 5aa57d9f2d53 ("af_unix: Don't return OOB skb in manage_oob().")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 03820454bc723..91d7877a10794 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2654,7 +2654,7 @@ static int unix_stream_recv_urg(struct unix_stream_read_state *state)
+ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
+ int flags, int copied)
+ {
+- struct sk_buff *unlinked_skb = NULL;
++ struct sk_buff *read_skb = NULL, *unread_skb = NULL;
+ struct unix_sock *u = unix_sk(sk);
+
+ if (!unix_skb_len(skb)) {
+@@ -2665,14 +2665,14 @@ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
+ } else if (flags & MSG_PEEK) {
+ skb = skb_peek_next(skb, &sk->sk_receive_queue);
+ } else {
+- unlinked_skb = skb;
++ read_skb = skb;
+ skb = skb_peek_next(skb, &sk->sk_receive_queue);
+- __skb_unlink(unlinked_skb, &sk->sk_receive_queue);
++ __skb_unlink(read_skb, &sk->sk_receive_queue);
+ }
+
+ spin_unlock(&sk->sk_receive_queue.lock);
+
+- consume_skb(unlinked_skb);
++ consume_skb(read_skb);
+ return skb;
+ }
+
+@@ -2688,7 +2688,7 @@ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
+
+ if (!sock_flag(sk, SOCK_URGINLINE)) {
+ __skb_unlink(skb, &sk->sk_receive_queue);
+- unlinked_skb = skb;
++ unread_skb = skb;
+ skb = skb_peek(&sk->sk_receive_queue);
+ }
+ } else if (!sock_flag(sk, SOCK_URGINLINE)) {
+@@ -2698,7 +2698,7 @@ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
+ unlock:
+ spin_unlock(&sk->sk_receive_queue.lock);
+
+- kfree_skb(unlinked_skb);
++ kfree_skb(unread_skb);
+
+ return skb;
+ }
+--
+2.43.0
+
--- /dev/null
+From e6e6070cc5f644913c6469225a3c6192b0b1a7e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Aug 2024 09:13:12 +0000
+Subject: ALSA: hda: cs35l41: fix module autoloading
+
+From: Yuntao Liu <liuyuntao12@huawei.com>
+
+[ Upstream commit 48f1434a4632c7da1a6a94e159512ebddbe13392 ]
+
+Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded
+based on the alias from spi_device_id table.
+
+Fixes: 7b2f3eb492da ("ALSA: hda: cs35l41: Add support for CS35L41 in HDA systems")
+Signed-off-by: Yuntao Liu <liuyuntao12@huawei.com>
+Link: https://patch.msgid.link/20240815091312.757139-1-liuyuntao12@huawei.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/cs35l41_hda_spi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/cs35l41_hda_spi.c b/sound/pci/hda/cs35l41_hda_spi.c
+index b76c0dfd5fefc..f8c356ad0d340 100644
+--- a/sound/pci/hda/cs35l41_hda_spi.c
++++ b/sound/pci/hda/cs35l41_hda_spi.c
+@@ -38,6 +38,7 @@ static const struct spi_device_id cs35l41_hda_spi_id[] = {
+ { "cs35l41-hda", 0 },
+ {}
+ };
++MODULE_DEVICE_TABLE(spi, cs35l41_hda_spi_id);
+
+ static const struct acpi_device_id cs35l41_acpi_hda_match[] = {
+ { "CSC3551", 0 },
+--
+2.43.0
+
--- /dev/null
+From 25fdc3f645724c8843952722e013205a20c3fbb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 17:05:51 +0100
+Subject: ARM: 9410/1: vfp: Use asm volatile in fmrx/fmxr macros
+
+From: Calvin Owens <calvin@wbinvd.org>
+
+[ Upstream commit 89a906dfa8c3b21b3e5360f73c49234ac1eb885b ]
+
+Floating point instructions in userspace can crash some arm kernels
+built with clang/LLD 17.0.6:
+
+ BUG: unsupported FP instruction in kernel mode
+ FPEXC == 0xc0000780
+ Internal error: Oops - undefined instruction: 0 [#1] ARM
+ CPU: 0 PID: 196 Comm: vfp-reproducer Not tainted 6.10.0 #1
+ Hardware name: BCM2835
+ PC is at vfp_support_entry+0xc8/0x2cc
+ LR is at do_undefinstr+0xa8/0x250
+ pc : [<c0101d50>] lr : [<c010a80c>] psr: a0000013
+ sp : dc8d1f68 ip : 60000013 fp : bedea19c
+ r10: ec532b17 r9 : 00000010 r8 : 0044766c
+ r7 : c0000780 r6 : ec532b17 r5 : c1c13800 r4 : dc8d1fb0
+ r3 : c10072c4 r2 : c0101c88 r1 : ec532b17 r0 : 0044766c
+ Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+ Control: 00c5387d Table: 0251c008 DAC: 00000051
+ Register r0 information: non-paged memory
+ Register r1 information: vmalloc memory
+ Register r2 information: non-slab/vmalloc memory
+ Register r3 information: non-slab/vmalloc memory
+ Register r4 information: 2-page vmalloc region
+ Register r5 information: slab kmalloc-cg-2k
+ Register r6 information: vmalloc memory
+ Register r7 information: non-slab/vmalloc memory
+ Register r8 information: non-paged memory
+ Register r9 information: zero-size pointer
+ Register r10 information: vmalloc memory
+ Register r11 information: non-paged memory
+ Register r12 information: non-paged memory
+ Process vfp-reproducer (pid: 196, stack limit = 0x61aaaf8b)
+ Stack: (0xdc8d1f68 to 0xdc8d2000)
+ 1f60: 0000081f b6f69300 0000000f c10073f4 c10072c4 dc8d1fb0
+ 1f80: ec532b17 0c532b17 0044766c b6f9ccd8 00000000 c010a80c 00447670 60000010
+ 1fa0: ffffffff c1c13800 00c5387d c0100f10 b6f68af8 00448fc0 00000000 bedea188
+ 1fc0: bedea314 00000001 00448ebc b6f9d000 00447608 b6f9ccd8 00000000 bedea19c
+ 1fe0: bede9198 bedea188 b6e1061c 0044766c 60000010 ffffffff 00000000 00000000
+ Call trace:
+ [<c0101d50>] (vfp_support_entry) from [<c010a80c>] (do_undefinstr+0xa8/0x250)
+ [<c010a80c>] (do_undefinstr) from [<c0100f10>] (__und_usr+0x70/0x80)
+ Exception stack(0xdc8d1fb0 to 0xdc8d1ff8)
+ 1fa0: b6f68af8 00448fc0 00000000 bedea188
+ 1fc0: bedea314 00000001 00448ebc b6f9d000 00447608 b6f9ccd8 00000000 bedea19c
+ 1fe0: bede9198 bedea188 b6e1061c 0044766c 60000010 ffffffff
+ Code: 0a000061 e3877202 e594003c e3a09010 (eef16a10)
+ ---[ end trace 0000000000000000 ]---
+ Kernel panic - not syncing: Fatal exception in interrupt
+ ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
+
+This is a minimal userspace reproducer on a Raspberry Pi Zero W:
+
+ #include <stdio.h>
+ #include <math.h>
+
+ int main(void)
+ {
+ double v = 1.0;
+ printf("%fn", NAN + *(volatile double *)&v);
+ return 0;
+ }
+
+Another way to consistently trigger the oops is:
+
+ calvin@raspberry-pi-zero-w ~$ python -c "import json"
+
+The bug reproduces only when the kernel is built with DYNAMIC_DEBUG=n,
+because the pr_debug() calls act as barriers even when not activated.
+
+This is the output from the same kernel source built with the same
+compiler and DYNAMIC_DEBUG=y, where the userspace reproducer works as
+expected:
+
+ VFP: bounce: trigger ec532b17 fpexc c0000780
+ VFP: emulate: INST=0xee377b06 SCR=0x00000000
+ VFP: bounce: trigger eef1fa10 fpexc c0000780
+ VFP: emulate: INST=0xeeb40b40 SCR=0x00000000
+ VFP: raising exceptions 30000000
+
+ calvin@raspberry-pi-zero-w ~$ ./vfp-reproducer
+ nan
+
+Crudely grepping for vmsr/vmrs instructions in the otherwise nearly
+idential text for vfp_support_entry() makes the problem obvious:
+
+ vmlinux.llvm.good [0xc0101cb8] <+48>: vmrs r7, fpexc
+ vmlinux.llvm.good [0xc0101cd8] <+80>: vmsr fpexc, r0
+ vmlinux.llvm.good [0xc0101d20] <+152>: vmsr fpexc, r7
+ vmlinux.llvm.good [0xc0101d38] <+176>: vmrs r4, fpexc
+ vmlinux.llvm.good [0xc0101d6c] <+228>: vmrs r0, fpscr
+ vmlinux.llvm.good [0xc0101dc4] <+316>: vmsr fpexc, r0
+ vmlinux.llvm.good [0xc0101dc8] <+320>: vmrs r0, fpsid
+ vmlinux.llvm.good [0xc0101dcc] <+324>: vmrs r6, fpscr
+ vmlinux.llvm.good [0xc0101e10] <+392>: vmrs r10, fpinst
+ vmlinux.llvm.good [0xc0101eb8] <+560>: vmrs r10, fpinst2
+
+ vmlinux.llvm.bad [0xc0101cb8] <+48>: vmrs r7, fpexc
+ vmlinux.llvm.bad [0xc0101cd8] <+80>: vmsr fpexc, r0
+ vmlinux.llvm.bad [0xc0101d20] <+152>: vmsr fpexc, r7
+ vmlinux.llvm.bad [0xc0101d30] <+168>: vmrs r0, fpscr
+ vmlinux.llvm.bad [0xc0101d50] <+200>: vmrs r6, fpscr <== BOOM!
+ vmlinux.llvm.bad [0xc0101d6c] <+228>: vmsr fpexc, r0
+ vmlinux.llvm.bad [0xc0101d70] <+232>: vmrs r0, fpsid
+ vmlinux.llvm.bad [0xc0101da4] <+284>: vmrs r10, fpinst
+ vmlinux.llvm.bad [0xc0101df8] <+368>: vmrs r4, fpexc
+ vmlinux.llvm.bad [0xc0101e5c] <+468>: vmrs r10, fpinst2
+
+I think LLVM's reordering is valid as the code is currently written: the
+compiler doesn't know the instructions have side effects in hardware.
+
+Fix by using "asm volatile" in fmxr() and fmrx(), so they cannot be
+reordered with respect to each other. The original compiler now produces
+working kernels on my hardware with DYNAMIC_DEBUG=n.
+
+This is the relevant piece of the diff of the vfp_support_entry() text,
+from the original oopsing kernel to a working kernel with this patch:
+
+ vmrs r0, fpscr
+ tst r0, #4096
+ bne 0xc0101d48
+ tst r0, #458752
+ beq 0xc0101ecc
+ orr r7, r7, #536870912
+ ldr r0, [r4, #0x3c]
+ mov r9, #16
+ -vmrs r6, fpscr
+ orr r9, r9, #251658240
+ add r0, r0, #4
+ str r0, [r4, #0x3c]
+ mvn r0, #159
+ sub r0, r0, #-1207959552
+ and r0, r7, r0
+ vmsr fpexc, r0
+ vmrs r0, fpsid
+ +vmrs r6, fpscr
+ and r0, r0, #983040
+ cmp r0, #65536
+ bne 0xc0101d88
+
+Fixes: 4708fb041346 ("ARM: vfp: Reimplement VFP exception entry in C code")
+Signed-off-by: Calvin Owens <calvin@wbinvd.org>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/vfp/vfpinstr.h | 48 ++++++++++++++++++++++-------------------
+ 1 file changed, 26 insertions(+), 22 deletions(-)
+
+diff --git a/arch/arm/vfp/vfpinstr.h b/arch/arm/vfp/vfpinstr.h
+index 3c7938fd40aad..32090b0fb250b 100644
+--- a/arch/arm/vfp/vfpinstr.h
++++ b/arch/arm/vfp/vfpinstr.h
+@@ -64,33 +64,37 @@
+
+ #ifdef CONFIG_AS_VFP_VMRS_FPINST
+
+-#define fmrx(_vfp_) ({ \
+- u32 __v; \
+- asm(".fpu vfpv2\n" \
+- "vmrs %0, " #_vfp_ \
+- : "=r" (__v) : : "cc"); \
+- __v; \
+- })
+-
+-#define fmxr(_vfp_,_var_) \
+- asm(".fpu vfpv2\n" \
+- "vmsr " #_vfp_ ", %0" \
+- : : "r" (_var_) : "cc")
++#define fmrx(_vfp_) ({ \
++ u32 __v; \
++ asm volatile (".fpu vfpv2\n" \
++ "vmrs %0, " #_vfp_ \
++ : "=r" (__v) : : "cc"); \
++ __v; \
++})
++
++#define fmxr(_vfp_, _var_) ({ \
++ asm volatile (".fpu vfpv2\n" \
++ "vmsr " #_vfp_ ", %0" \
++ : : "r" (_var_) : "cc"); \
++})
+
+ #else
+
+ #define vfpreg(_vfp_) #_vfp_
+
+-#define fmrx(_vfp_) ({ \
+- u32 __v; \
+- asm("mrc p10, 7, %0, " vfpreg(_vfp_) ", cr0, 0 @ fmrx %0, " #_vfp_ \
+- : "=r" (__v) : : "cc"); \
+- __v; \
+- })
+-
+-#define fmxr(_vfp_,_var_) \
+- asm("mcr p10, 7, %0, " vfpreg(_vfp_) ", cr0, 0 @ fmxr " #_vfp_ ", %0" \
+- : : "r" (_var_) : "cc")
++#define fmrx(_vfp_) ({ \
++ u32 __v; \
++ asm volatile ("mrc p10, 7, %0, " vfpreg(_vfp_) "," \
++ "cr0, 0 @ fmrx %0, " #_vfp_ \
++ : "=r" (__v) : : "cc"); \
++ __v; \
++})
++
++#define fmxr(_vfp_, _var_) ({ \
++ asm volatile ("mcr p10, 7, %0, " vfpreg(_vfp_) "," \
++ "cr0, 0 @ fmxr " #_vfp_ ", %0" \
++ : : "r" (_var_) : "cc"); \
++})
+
+ #endif
+
+--
+2.43.0
+
--- /dev/null
+From 8a8d737fc7a98290655e28e7ce8b75f95b5a34c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Aug 2024 11:56:36 +0200
+Subject: ARM: dts: imx7d-zii-rmu2: fix Ethernet PHY pinctrl property
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 0e49cfe364dea4345551516eb2fe53135a10432b ]
+
+There is no "fsl,phy" property in pin controller pincfg nodes:
+
+ imx7d-zii-rmu2.dtb: pinctrl@302c0000: enet1phyinterruptgrp: 'fsl,pins' is a required property
+ imx7d-zii-rmu2.dtb: pinctrl@302c0000: enet1phyinterruptgrp: 'fsl,phy' does not match any of the regexes: 'pinctrl-[0-9]+'
+
+Fixes: f496e6750083 ("ARM: dts: Add ZII support for ZII i.MX7 RMU2 board")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/nxp/imx/imx7d-zii-rmu2.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/nxp/imx/imx7d-zii-rmu2.dts b/arch/arm/boot/dts/nxp/imx/imx7d-zii-rmu2.dts
+index 521493342fe97..8f5566027c25a 100644
+--- a/arch/arm/boot/dts/nxp/imx/imx7d-zii-rmu2.dts
++++ b/arch/arm/boot/dts/nxp/imx/imx7d-zii-rmu2.dts
+@@ -350,7 +350,7 @@
+
+ &iomuxc_lpsr {
+ pinctrl_enet1_phy_interrupt: enet1phyinterruptgrp {
+- fsl,phy = <
++ fsl,pins = <
+ MX7D_PAD_LPSR_GPIO1_IO02__GPIO1_IO2 0x08
+ >;
+ };
+--
+2.43.0
+
--- /dev/null
+From a85c03f053b71fe62f407b16aec280837f5a294d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 07:51:36 +0200
+Subject: ARM: dts: microchip: sam9x60: Fix rtc/rtt clocks
+
+From: Alexander Dahl <ada@thorsis.com>
+
+[ Upstream commit d355c895fa4ddd8bec15569eee540baeed7df8c5 ]
+
+The RTC and RTT peripherals use the timing domain slow clock (TD_SLCK),
+sourced from the 32.768 kHz crystal oscillator or slow rc oscillator.
+
+The previously used Monitoring domain slow clock (MD_SLCK) is sourced
+from an internal RC oscillator which is most probably not precise enough
+for real time clock purposes.
+
+Fixes: 1e5f532c2737 ("ARM: dts: at91: sam9x60: add device tree for soc and board")
+Fixes: 5f6b33f46346 ("ARM: dts: sam9x60: add rtt")
+Signed-off-by: Alexander Dahl <ada@thorsis.com>
+Link: https://lore.kernel.org/r/20240821055136.6858-1-ada@thorsis.com
+[claudiu.beznea: removed () around the last commit description paragraph,
+ removed " in front of "timing domain slow clock", described that
+ TD_SLCK can also be sourced from slow rc oscillator]
+Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/microchip/sam9x60.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/microchip/sam9x60.dtsi b/arch/arm/boot/dts/microchip/sam9x60.dtsi
+index 291540e5d81e7..d077afd5024db 100644
+--- a/arch/arm/boot/dts/microchip/sam9x60.dtsi
++++ b/arch/arm/boot/dts/microchip/sam9x60.dtsi
+@@ -1312,7 +1312,7 @@
+ compatible = "microchip,sam9x60-rtt", "atmel,at91sam9260-rtt";
+ reg = <0xfffffe20 0x20>;
+ interrupts = <1 IRQ_TYPE_LEVEL_HIGH 7>;
+- clocks = <&clk32k 0>;
++ clocks = <&clk32k 1>;
+ };
+
+ pit: timer@fffffe40 {
+@@ -1338,7 +1338,7 @@
+ compatible = "microchip,sam9x60-rtc", "atmel,at91sam9x5-rtc";
+ reg = <0xfffffea8 0x100>;
+ interrupts = <1 IRQ_TYPE_LEVEL_HIGH 7>;
+- clocks = <&clk32k 0>;
++ clocks = <&clk32k 1>;
+ };
+
+ watchdog: watchdog@ffffff80 {
+--
+2.43.0
+
--- /dev/null
+From fc26259136880c80d1d6729d31db866f6ebeefca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 19:53:20 +0300
+Subject: ARM: dts: microchip: sama7g5: Fix RTT clock
+
+From: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+
+[ Upstream commit 867bf1923200e6ad82bad0289f43bf20b4ac7ff9 ]
+
+According to datasheet, Chapter 34. Clock Generator, section 34.2,
+Embedded characteristics, source clock for RTT is the TD_SLCK, registered
+with ID 1 by the slow clock controller driver. Fix RTT clock.
+
+Fixes: 7540629e2fc7 ("ARM: dts: at91: add sama7g5 SoC DT and sama7g5-ek")
+Link: https://lore.kernel.org/r/20240826165320.3068359-1-claudiu.beznea@tuxon.dev
+Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/microchip/sama7g5.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/microchip/sama7g5.dtsi b/arch/arm/boot/dts/microchip/sama7g5.dtsi
+index 75778be126a3d..17bcdcf0cf4a0 100644
+--- a/arch/arm/boot/dts/microchip/sama7g5.dtsi
++++ b/arch/arm/boot/dts/microchip/sama7g5.dtsi
+@@ -272,7 +272,7 @@
+ compatible = "microchip,sama7g5-rtt", "microchip,sam9x60-rtt", "atmel,at91sam9260-rtt";
+ reg = <0xe001d020 0x30>;
+ interrupts = <GIC_SPI 8 IRQ_TYPE_LEVEL_HIGH>;
+- clocks = <&clk32k 0>;
++ clocks = <&clk32k 1>;
+ };
+
+ clk32k: clock-controller@e001d050 {
+--
+2.43.0
+
--- /dev/null
+From 71d2edc8b73260d33c4d4e2b2c9fca7ca07e682f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 07:49:33 +0200
+Subject: ARM: versatile: fix OF node leak in CPUs prepare
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit f2642d97f2105ed17b2ece0c597450f2ff95d704 ]
+
+Machine code is leaking OF node reference from of_find_matching_node()
+in realview_smp_prepare_cpus().
+
+Fixes: 5420b4b15617 ("ARM: realview: add an DT SMP boot method")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Acked-by: Liviu Dudau <liviu.dudau@arm.com>
+Link: https://lore.kernel.org/20240826054934.10724-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-versatile/platsmp-realview.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/mach-versatile/platsmp-realview.c b/arch/arm/mach-versatile/platsmp-realview.c
+index 6965a1de727b0..d38b2e174257e 100644
+--- a/arch/arm/mach-versatile/platsmp-realview.c
++++ b/arch/arm/mach-versatile/platsmp-realview.c
+@@ -70,6 +70,7 @@ static void __init realview_smp_prepare_cpus(unsigned int max_cpus)
+ return;
+ }
+ map = syscon_node_to_regmap(np);
++ of_node_put(np);
+ if (IS_ERR(map)) {
+ pr_err("PLATSMP: No syscon regmap\n");
+ return;
+--
+2.43.0
+
--- /dev/null
+From b06f22430d170cab3307042d539cf07c77ecc52c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Jul 2024 19:58:32 +0200
+Subject: arm64: dts: exynos: exynos7885-jackpotlte: Correct RAM amount to 4GB
+
+From: David Virag <virag.david003@gmail.com>
+
+[ Upstream commit d281814b8f7a710a75258da883fb0dfe1329c031 ]
+
+All known jackpotlte variants have 4GB of RAM, let's use it all.
+RAM was set to 3GB from a mistake in the vendor provided DTS file.
+
+Fixes: 06874015327b ("arm64: dts: exynos: Add initial device tree support for Exynos7885 SoC")
+Signed-off-by: David Virag <virag.david003@gmail.com>
+Reviewed-by: Sam Protsenko <semen.protsenko@linaro.org>
+Link: https://lore.kernel.org/r/20240713180607.147942-3-virag.david003@gmail.com
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/exynos/exynos7885-jackpotlte.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/exynos/exynos7885-jackpotlte.dts b/arch/arm64/boot/dts/exynos/exynos7885-jackpotlte.dts
+index 47a389d9ff7d7..9d74fa6bfed9f 100644
+--- a/arch/arm64/boot/dts/exynos/exynos7885-jackpotlte.dts
++++ b/arch/arm64/boot/dts/exynos/exynos7885-jackpotlte.dts
+@@ -32,7 +32,7 @@
+ device_type = "memory";
+ reg = <0x0 0x80000000 0x3da00000>,
+ <0x0 0xc0000000 0x40000000>,
+- <0x8 0x80000000 0x40000000>;
++ <0x8 0x80000000 0x80000000>;
+ };
+
+ gpio-keys {
+--
+2.43.0
+
--- /dev/null
+From 0c24a799268d23692ca2f96f66102522b863cd95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Jul 2024 09:22:43 +0200
+Subject: arm64: dts: mediatek: mt8186: Fix supported-hw mask for GPU OPPs
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit 2317d018b835842df0501d8f9e9efa843068a101 ]
+
+The speedbin eFuse reads a value 'x' from 0 to 7 and, in order to
+make that compatible with opp-supported-hw, it gets post processed
+as BIT(x).
+
+Change all of the 0x30 supported-hw to 0x20 to avoid getting
+duplicate OPPs for speedbin 4, and also change all of the 0x8 to
+0xcf because speedbins different from 4 and 5 do support 900MHz,
+950MHz, 1000MHz with the higher voltage of 850mV, 900mV, 950mV
+respectively.
+
+Fixes: f38ea593ad0d ("arm64: dts: mediatek: mt8186: Wire up GPU voltage/frequency scaling")
+Link: https://lore.kernel.org/r/20240725072243.173104-1-angelogioacchino.delregno@collabora.com
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8186.dtsi | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8186.dtsi b/arch/arm64/boot/dts/mediatek/mt8186.dtsi
+index 4763ed5dc86cf..d63a9defe73e1 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8186.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8186.dtsi
+@@ -731,7 +731,7 @@
+ opp-900000000-3 {
+ opp-hz = /bits/ 64 <900000000>;
+ opp-microvolt = <850000>;
+- opp-supported-hw = <0x8>;
++ opp-supported-hw = <0xcf>;
+ };
+
+ opp-900000000-4 {
+@@ -743,13 +743,13 @@
+ opp-900000000-5 {
+ opp-hz = /bits/ 64 <900000000>;
+ opp-microvolt = <825000>;
+- opp-supported-hw = <0x30>;
++ opp-supported-hw = <0x20>;
+ };
+
+ opp-950000000-3 {
+ opp-hz = /bits/ 64 <950000000>;
+ opp-microvolt = <900000>;
+- opp-supported-hw = <0x8>;
++ opp-supported-hw = <0xcf>;
+ };
+
+ opp-950000000-4 {
+@@ -761,13 +761,13 @@
+ opp-950000000-5 {
+ opp-hz = /bits/ 64 <950000000>;
+ opp-microvolt = <850000>;
+- opp-supported-hw = <0x30>;
++ opp-supported-hw = <0x20>;
+ };
+
+ opp-1000000000-3 {
+ opp-hz = /bits/ 64 <1000000000>;
+ opp-microvolt = <950000>;
+- opp-supported-hw = <0x8>;
++ opp-supported-hw = <0xcf>;
+ };
+
+ opp-1000000000-4 {
+@@ -779,7 +779,7 @@
+ opp-1000000000-5 {
+ opp-hz = /bits/ 64 <1000000000>;
+ opp-microvolt = <875000>;
+- opp-supported-hw = <0x30>;
++ opp-supported-hw = <0x20>;
+ };
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 2c53fdbc49052d8e8e75819263050911180a3ebe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Aug 2024 15:09:50 +0800
+Subject: arm64: dts: mediatek: mt8195: Correct clock order for dp_intf*
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit 51bc68debab9e30b50c6352315950f3cfc309b32 ]
+
+The clocks for dp_intf* device nodes are given in the wrong order,
+causing the binding validation to fail.
+
+Fixes: 6c2503b5856a ("arm64: dts: mt8195: Add dp-intf nodes")
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Link: https://lore.kernel.org/r/20240802070951.1086616-1-wenst@chromium.org
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8195.dtsi | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8195.dtsi b/arch/arm64/boot/dts/mediatek/mt8195.dtsi
+index 2ee45752583c0..98c15eb68589a 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8195.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8195.dtsi
+@@ -3251,10 +3251,10 @@
+ compatible = "mediatek,mt8195-dp-intf";
+ reg = <0 0x1c015000 0 0x1000>;
+ interrupts = <GIC_SPI 657 IRQ_TYPE_LEVEL_HIGH 0>;
+- clocks = <&vdosys0 CLK_VDO0_DP_INTF0>,
+- <&vdosys0 CLK_VDO0_DP_INTF0_DP_INTF>,
++ clocks = <&vdosys0 CLK_VDO0_DP_INTF0_DP_INTF>,
++ <&vdosys0 CLK_VDO0_DP_INTF0>,
+ <&apmixedsys CLK_APMIXED_TVDPLL1>;
+- clock-names = "engine", "pixel", "pll";
++ clock-names = "pixel", "engine", "pll";
+ status = "disabled";
+ };
+
+@@ -3521,10 +3521,10 @@
+ reg = <0 0x1c113000 0 0x1000>;
+ interrupts = <GIC_SPI 513 IRQ_TYPE_LEVEL_HIGH 0>;
+ power-domains = <&spm MT8195_POWER_DOMAIN_VDOSYS1>;
+- clocks = <&vdosys1 CLK_VDO1_DP_INTF0_MM>,
+- <&vdosys1 CLK_VDO1_DPINTF>,
++ clocks = <&vdosys1 CLK_VDO1_DPINTF>,
++ <&vdosys1 CLK_VDO1_DP_INTF0_MM>,
+ <&apmixedsys CLK_APMIXED_TVDPLL2>;
+- clock-names = "engine", "pixel", "pll";
++ clock-names = "pixel", "engine", "pll";
+ status = "disabled";
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 5be8bcf2bfca203938135aa1d9b3c3385278c340 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 15:03:28 +0300
+Subject: arm64: dts: qcom: x1e80100: Fix PHY for DP2
+
+From: Abel Vesa <abel.vesa@linaro.org>
+
+[ Upstream commit ba728bda663b0e812cb20450d18af5d0edd803a2 ]
+
+The actual PHY used by MDSS DP2 is the USB SS2 QMP one. So switch to it
+instead. This is needed to get external DP support on boards like CRD
+where the 3rd Type-C USB port (right-hand side) is connected to DP2.
+
+Fixes: 1940c25eaa63 ("arm64: dts: qcom: x1e80100: Add display nodes")
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Reviewed-by: Konrad Dybcio <konradybcio@kernel.org>
+Link: https://lore.kernel.org/r/20240829-x1e80100-dts-dp2-use-qmpphy-ss2-v1-1-9ba3dca61ccc@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/x1e80100.dtsi | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/x1e80100.dtsi b/arch/arm64/boot/dts/qcom/x1e80100.dtsi
+index cd732ef88cd8e..6174160b56c49 100644
+--- a/arch/arm64/boot/dts/qcom/x1e80100.dtsi
++++ b/arch/arm64/boot/dts/qcom/x1e80100.dtsi
+@@ -4402,14 +4402,14 @@
+
+ assigned-clocks = <&dispcc DISP_CC_MDSS_DPTX2_LINK_CLK_SRC>,
+ <&dispcc DISP_CC_MDSS_DPTX2_PIXEL0_CLK_SRC>;
+- assigned-clock-parents = <&mdss_dp2_phy 0>,
+- <&mdss_dp2_phy 1>;
++ assigned-clock-parents = <&usb_1_ss2_qmpphy QMP_USB43DP_DP_LINK_CLK>,
++ <&usb_1_ss2_qmpphy QMP_USB43DP_DP_VCO_DIV_CLK>;
+
+ operating-points-v2 = <&mdss_dp2_opp_table>;
+
+ power-domains = <&rpmhpd RPMHPD_MMCX>;
+
+- phys = <&mdss_dp2_phy>;
++ phys = <&usb_1_ss2_qmpphy QMP_USB43DP_DP_PHY>;
+ phy-names = "dp";
+
+ #sound-dai-cells = <0>;
+@@ -4597,8 +4597,8 @@
+ <&usb_1_ss0_qmpphy QMP_USB43DP_DP_VCO_DIV_CLK>,
+ <&usb_1_ss1_qmpphy QMP_USB43DP_DP_LINK_CLK>, /* dp1 */
+ <&usb_1_ss1_qmpphy QMP_USB43DP_DP_VCO_DIV_CLK>,
+- <&mdss_dp2_phy 0>, /* dp2 */
+- <&mdss_dp2_phy 1>,
++ <&usb_1_ss2_qmpphy QMP_USB43DP_DP_LINK_CLK>, /* dp2 */
++ <&usb_1_ss2_qmpphy QMP_USB43DP_DP_VCO_DIV_CLK>,
+ <&mdss_dp3_phy 0>, /* dp3 */
+ <&mdss_dp3_phy 1>;
+ power-domains = <&rpmhpd RPMHPD_MMCX>;
+--
+2.43.0
+
--- /dev/null
+From 3cc82e04dd7a09518b14dd13e494596fc3ddae12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jul 2024 13:24:34 +0100
+Subject: arm64: dts: renesas: r9a07g043u: Correct GICD and GICR sizes
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit ab39547f739236e7f16b8b0a51fdca95cc9cadd3 ]
+
+The RZ/G2UL SoC is equipped with the GIC-600. The GICD is 64KiB + 64KiB
+for the MBI alias (in total 128KiB), and the GICR is 128KiB per CPU.
+
+Despite the RZ/G2UL SoC being single-core, it has two instances of GICR.
+
+Fixes: cf40c9689e510 ("arm64: dts: renesas: Add initial DTSI for RZ/G2UL SoC")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Link: https://lore.kernel.org/20240730122436.350013-3-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r9a07g043u.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r9a07g043u.dtsi b/arch/arm64/boot/dts/renesas/r9a07g043u.dtsi
+index 18ef297db9336..20fb5e41c5988 100644
+--- a/arch/arm64/boot/dts/renesas/r9a07g043u.dtsi
++++ b/arch/arm64/boot/dts/renesas/r9a07g043u.dtsi
+@@ -210,8 +210,8 @@
+ #interrupt-cells = <3>;
+ #address-cells = <0>;
+ interrupt-controller;
+- reg = <0x0 0x11900000 0 0x40000>,
+- <0x0 0x11940000 0 0x60000>;
++ reg = <0x0 0x11900000 0 0x20000>,
++ <0x0 0x11940000 0 0x40000>;
+ interrupts = <GIC_PPI 9 IRQ_TYPE_LEVEL_LOW>;
+ };
+ };
+--
+2.43.0
+
--- /dev/null
+From 93da28d825f8b693a123fe3981680504a00d2373 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jul 2024 13:24:36 +0100
+Subject: arm64: dts: renesas: r9a07g044: Correct GICD and GICR sizes
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit 833948fb2b63155847ab691a54800f801555429b ]
+
+The RZ/G2L(C) SoC is equipped with the GIC-600. The GICD is 64KiB +
+64KiB for the MBI alias (in total 128KiB), and the GICR is 128KiB per
+CPU.
+
+Fixes: 68a45525297b2 ("arm64: dts: renesas: Add initial DTSI for RZ/G2{L,LC} SoC's")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Link: https://lore.kernel.org/20240730122436.350013-5-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r9a07g044.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r9a07g044.dtsi b/arch/arm64/boot/dts/renesas/r9a07g044.dtsi
+index d3838e5820fca..c9b9b60a3a36e 100644
+--- a/arch/arm64/boot/dts/renesas/r9a07g044.dtsi
++++ b/arch/arm64/boot/dts/renesas/r9a07g044.dtsi
+@@ -1043,8 +1043,8 @@
+ #interrupt-cells = <3>;
+ #address-cells = <0>;
+ interrupt-controller;
+- reg = <0x0 0x11900000 0 0x40000>,
+- <0x0 0x11940000 0 0x60000>;
++ reg = <0x0 0x11900000 0 0x20000>,
++ <0x0 0x11940000 0 0x40000>;
+ interrupts = <GIC_PPI 9 IRQ_TYPE_LEVEL_LOW>;
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 1718f3b1d175d33fc6013d9c9c68d5dfc507054e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jul 2024 13:24:35 +0100
+Subject: arm64: dts: renesas: r9a07g054: Correct GICD and GICR sizes
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit 45afa9eacb59b258d2e53c7f63430ea1e8344803 ]
+
+The RZ/V2L SoC is equipped with the GIC-600. The GICD is 64KiB + 64KiB
+for the MBI alias (in total 128KiB), and the GICR is 128KiB per CPU.
+
+Fixes: 7c2b8198f4f32 ("arm64: dts: renesas: Add initial DTSI for RZ/V2L SoC")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Link: https://lore.kernel.org/20240730122436.350013-4-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r9a07g054.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r9a07g054.dtsi b/arch/arm64/boot/dts/renesas/r9a07g054.dtsi
+index 1de2e5f0917d9..8a9b61bd759a7 100644
+--- a/arch/arm64/boot/dts/renesas/r9a07g054.dtsi
++++ b/arch/arm64/boot/dts/renesas/r9a07g054.dtsi
+@@ -1051,8 +1051,8 @@
+ #interrupt-cells = <3>;
+ #address-cells = <0>;
+ interrupt-controller;
+- reg = <0x0 0x11900000 0 0x40000>,
+- <0x0 0x11940000 0 0x60000>;
++ reg = <0x0 0x11900000 0 0x20000>,
++ <0x0 0x11940000 0 0x40000>;
+ interrupts = <GIC_PPI 9 IRQ_TYPE_LEVEL_LOW>;
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 2ac5591893cd46593de59fe403194892dda43828 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jul 2024 13:24:33 +0100
+Subject: arm64: dts: renesas: r9a08g045: Correct GICD and GICR sizes
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit ec9532628eb9d82282b8e52fd9c4a3800d87feec ]
+
+The RZ/G3S SoC is equipped with the GIC-600. The GICD is 64KiB + 64KiB
+for the MBI alias (in total 128KiB), and the GICR is 128KiB per CPU.
+
+Despite the RZ/G3S SoC being single-core, it has two instances of GICR.
+
+Fixes: e20396d65b959 ("arm64: dts: renesas: Add initial DTSI for RZ/G3S SoC")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Link: https://lore.kernel.org/20240730122436.350013-2-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r9a08g045.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r9a08g045.dtsi b/arch/arm64/boot/dts/renesas/r9a08g045.dtsi
+index 0d5c47a65e46c..34e29463a672d 100644
+--- a/arch/arm64/boot/dts/renesas/r9a08g045.dtsi
++++ b/arch/arm64/boot/dts/renesas/r9a08g045.dtsi
+@@ -269,8 +269,8 @@
+ #interrupt-cells = <3>;
+ #address-cells = <0>;
+ interrupt-controller;
+- reg = <0x0 0x12400000 0 0x40000>,
+- <0x0 0x12440000 0 0x60000>;
++ reg = <0x0 0x12400000 0 0x20000>,
++ <0x0 0x12440000 0 0x40000>;
+ interrupts = <GIC_PPI 9 IRQ_TYPE_LEVEL_LOW>;
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 5c50350e8155c93966ec24e5799fe12fa2e026a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 21:18:16 +0000
+Subject: arm64: dts: rockchip: Correct vendor prefix for Hardkernel ODROID-M1
+
+From: Jonas Karlman <jonas@kwiboo.se>
+
+[ Upstream commit 735065e774dcfc62e38df01a535862138b6c92ed ]
+
+The vendor prefix for Hardkernel ODROID-M1 is incorrectly listed as
+rockchip. Use the proper hardkernel vendor prefix for this board, while
+at it also drop the redundant soc prefix.
+
+Fixes: fd3583267703 ("arm64: dts: rockchip: Add Hardkernel ODROID-M1 board")
+Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>
+Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
+Link: https://lore.kernel.org/r/20240827211825.1419820-3-jonas@kwiboo.se
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3568-odroid-m1.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3568-odroid-m1.dts b/arch/arm64/boot/dts/rockchip/rk3568-odroid-m1.dts
+index a337f547caf53..6a02db4f073f2 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3568-odroid-m1.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3568-odroid-m1.dts
+@@ -13,7 +13,7 @@
+
+ / {
+ model = "Hardkernel ODROID-M1";
+- compatible = "rockchip,rk3568-odroid-m1", "rockchip,rk3568";
++ compatible = "hardkernel,odroid-m1", "rockchip,rk3568";
+
+ aliases {
+ ethernet0 = &gmac0;
+--
+2.43.0
+
--- /dev/null
+From e7ba19043cb6d7662cc822ae0cec89f14cbf93e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Aug 2024 16:40:00 +0530
+Subject: arm64: dts: ti: k3-am654-idk: Fix dtbs_check warning in ICSSG dmas
+
+From: MD Danish Anwar <danishanwar@ti.com>
+
+[ Upstream commit 2bea7920da8001172f54359395700616269ccb70 ]
+
+ICSSG doesn't use mgmnt rsp dmas. But these are added in the dmas for
+icssg1-eth and icssg0-eth node.
+
+These mgmnt rsp dmas result in below dtbs_check warnings.
+
+/workdir/arch/arm64/boot/dts/ti/k3-am654-idk.dtb: icssg1-eth: dmas: [[39, 49664], [39, 49665], [39, 49666], [39, 49667], [39, 49668], [39, 49669], [39, 49670], [39, 49671], [39, 16896], [39, 16897], [39, 16898], [39, 16899]] is too long
+ from schema $id: http://devicetree.org/schemas/net/ti,icssg-prueth.yaml#
+/workdir/arch/arm64/boot/dts/ti/k3-am654-idk.dtb: icssg0-eth: dmas: [[39, 49408], [39, 49409], [39, 49410], [39, 49411], [39, 49412], [39, 49413], [39, 49414], [39, 49415], [39, 16640], [39, 16641], [39, 16642], [39, 16643]] is too long
+ from schema $id: http://devicetree.org/schemas/net/ti,icssg-prueth.yaml#
+
+Fix these warnings by removing mgmnt rsp dmas from icssg1-eth and
+icssg0-eth nodes.
+
+Fixes: a4d5bc3214eb ("arm64: dts: ti: k3-am654-idk: Add ICSSG Ethernet ports")
+Signed-off-by: MD Danish Anwar <danishanwar@ti.com>
+Reviewed-by: Roger Quadros <rogerq@kernel.org>
+Link: https://lore.kernel.org/r/20240830111000.232028-1-danishanwar@ti.com
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-am654-idk.dtso | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-am654-idk.dtso b/arch/arm64/boot/dts/ti/k3-am654-idk.dtso
+index 8bdb87fcbde00..1674ad564be1f 100644
+--- a/arch/arm64/boot/dts/ti/k3-am654-idk.dtso
++++ b/arch/arm64/boot/dts/ti/k3-am654-idk.dtso
+@@ -58,9 +58,7 @@
+ <&main_udmap 0xc107>, /* egress slice 1 */
+
+ <&main_udmap 0x4100>, /* ingress slice 0 */
+- <&main_udmap 0x4101>, /* ingress slice 1 */
+- <&main_udmap 0x4102>, /* mgmnt rsp slice 0 */
+- <&main_udmap 0x4103>; /* mgmnt rsp slice 1 */
++ <&main_udmap 0x4101>; /* ingress slice 1 */
+ dma-names = "tx0-0", "tx0-1", "tx0-2", "tx0-3",
+ "tx1-0", "tx1-1", "tx1-2", "tx1-3",
+ "rx0", "rx1";
+@@ -126,9 +124,7 @@
+ <&main_udmap 0xc207>, /* egress slice 1 */
+
+ <&main_udmap 0x4200>, /* ingress slice 0 */
+- <&main_udmap 0x4201>, /* ingress slice 1 */
+- <&main_udmap 0x4202>, /* mgmnt rsp slice 0 */
+- <&main_udmap 0x4203>; /* mgmnt rsp slice 1 */
++ <&main_udmap 0x4201>; /* ingress slice 1 */
+ dma-names = "tx0-0", "tx0-1", "tx0-2", "tx0-3",
+ "tx1-0", "tx1-1", "tx1-2", "tx1-3",
+ "rx0", "rx1";
+--
+2.43.0
+
--- /dev/null
+From 3bc019550e13d28db582e060e52fbd511df49bcf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Aug 2024 13:12:32 -0500
+Subject: arm64: dts: ti: k3-j721e-beagleboneai64: Fix reversed C6x carveout
+ locations
+
+From: Andrew Davis <afd@ti.com>
+
+[ Upstream commit 1a314099b7559690fe23cdf3300dfff6e830ecb1 ]
+
+The DMA carveout for the C6x core 0 is at 0xa6000000 and core 1 is at
+0xa7000000. These are reversed in DT. While both C6x can access either
+region, so this is not normally a problem, but if we start restricting
+the memory each core can access (such as with firewalls) the cores
+accessing the regions for the wrong core will not work. Fix this here.
+
+Fixes: fae14a1cb8dd ("arm64: dts: ti: Add k3-j721e-beagleboneai64")
+Signed-off-by: Andrew Davis <afd@ti.com>
+Link: https://lore.kernel.org/r/20240801181232.55027-2-afd@ti.com
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-j721e-beagleboneai64.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-j721e-beagleboneai64.dts b/arch/arm64/boot/dts/ti/k3-j721e-beagleboneai64.dts
+index a2925555fe818..fb899c99753ec 100644
+--- a/arch/arm64/boot/dts/ti/k3-j721e-beagleboneai64.dts
++++ b/arch/arm64/boot/dts/ti/k3-j721e-beagleboneai64.dts
+@@ -123,7 +123,7 @@
+ no-map;
+ };
+
+- c66_1_dma_memory_region: c66-dma-memory@a6000000 {
++ c66_0_dma_memory_region: c66-dma-memory@a6000000 {
+ compatible = "shared-dma-pool";
+ reg = <0x00 0xa6000000 0x00 0x100000>;
+ no-map;
+@@ -135,7 +135,7 @@
+ no-map;
+ };
+
+- c66_0_dma_memory_region: c66-dma-memory@a7000000 {
++ c66_1_dma_memory_region: c66-dma-memory@a7000000 {
+ compatible = "shared-dma-pool";
+ reg = <0x00 0xa7000000 0x00 0x100000>;
+ no-map;
+--
+2.43.0
+
--- /dev/null
+From 2070becc9775d27dc982c01eb5d20a039a461b10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Aug 2024 13:12:31 -0500
+Subject: arm64: dts: ti: k3-j721e-sk: Fix reversed C6x carveout locations
+
+From: Andrew Davis <afd@ti.com>
+
+[ Upstream commit 9f3814a7c06b7c7296cf8c1622078ad71820454b ]
+
+The DMA carveout for the C6x core 0 is at 0xa6000000 and core 1 is at
+0xa7000000. These are reversed in DT. While both C6x can access either
+region, so this is not normally a problem, but if we start restricting
+the memory each core can access (such as with firewalls) the cores
+accessing the regions for the wrong core will not work. Fix this here.
+
+Fixes: f46d16cf5b43 ("arm64: dts: ti: k3-j721e-sk: Add DDR carveout memory nodes")
+Signed-off-by: Andrew Davis <afd@ti.com>
+Link: https://lore.kernel.org/r/20240801181232.55027-1-afd@ti.com
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-j721e-sk.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-j721e-sk.dts b/arch/arm64/boot/dts/ti/k3-j721e-sk.dts
+index 89fbfb21e5d3b..e709edeb95cf7 100644
+--- a/arch/arm64/boot/dts/ti/k3-j721e-sk.dts
++++ b/arch/arm64/boot/dts/ti/k3-j721e-sk.dts
+@@ -120,7 +120,7 @@
+ no-map;
+ };
+
+- c66_1_dma_memory_region: c66-dma-memory@a6000000 {
++ c66_0_dma_memory_region: c66-dma-memory@a6000000 {
+ compatible = "shared-dma-pool";
+ reg = <0x00 0xa6000000 0x00 0x100000>;
+ no-map;
+@@ -132,7 +132,7 @@
+ no-map;
+ };
+
+- c66_0_dma_memory_region: c66-dma-memory@a7000000 {
++ c66_1_dma_memory_region: c66-dma-memory@a7000000 {
+ compatible = "shared-dma-pool";
+ reg = <0x00 0xa7000000 0x00 0x100000>;
+ no-map;
+--
+2.43.0
+
--- /dev/null
+From c1f11cea5f6cf0d31fcd0d60e3ad3e112e0b4c9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 16:20:05 +0100
+Subject: arm64: signal: Fix some under-bracketed UAPI macros
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+[ Upstream commit fc2220c9b15828319b09384e68399b4afc6276d9 ]
+
+A few SME-related sigcontext UAPI macros leave an argument
+unprotected from misparsing during macro expansion.
+
+Add parentheses around references to macro arguments where
+appropriate.
+
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Fixes: ee072cf70804 ("arm64/sme: Implement signal handling for ZT")
+Fixes: 39782210eb7e ("arm64/sme: Implement ZA signal handling")
+Reviewed-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20240729152005.289844-1-Dave.Martin@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/uapi/asm/sigcontext.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/include/uapi/asm/sigcontext.h b/arch/arm64/include/uapi/asm/sigcontext.h
+index 8a45b7a411e04..57f76d82077ea 100644
+--- a/arch/arm64/include/uapi/asm/sigcontext.h
++++ b/arch/arm64/include/uapi/asm/sigcontext.h
+@@ -320,10 +320,10 @@ struct zt_context {
+ ((sizeof(struct za_context) + (__SVE_VQ_BYTES - 1)) \
+ / __SVE_VQ_BYTES * __SVE_VQ_BYTES)
+
+-#define ZA_SIG_REGS_SIZE(vq) ((vq * __SVE_VQ_BYTES) * (vq * __SVE_VQ_BYTES))
++#define ZA_SIG_REGS_SIZE(vq) (((vq) * __SVE_VQ_BYTES) * ((vq) * __SVE_VQ_BYTES))
+
+ #define ZA_SIG_ZAV_OFFSET(vq, n) (ZA_SIG_REGS_OFFSET + \
+- (SVE_SIG_ZREG_SIZE(vq) * n))
++ (SVE_SIG_ZREG_SIZE(vq) * (n)))
+
+ #define ZA_SIG_CONTEXT_SIZE(vq) \
+ (ZA_SIG_REGS_OFFSET + ZA_SIG_REGS_SIZE(vq))
+@@ -334,7 +334,7 @@ struct zt_context {
+
+ #define ZT_SIG_REGS_OFFSET sizeof(struct zt_context)
+
+-#define ZT_SIG_REGS_SIZE(n) (ZT_SIG_REG_BYTES * n)
++#define ZT_SIG_REGS_SIZE(n) (ZT_SIG_REG_BYTES * (n))
+
+ #define ZT_SIG_CONTEXT_SIZE(n) \
+ (sizeof(struct zt_context) + ZT_SIG_REGS_SIZE(n))
+--
+2.43.0
+
--- /dev/null
+From e26df2a9fe8aa7be53999a6b8cc282de5e05ee48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 14:53:57 -0700
+Subject: arm64: smp: smp_send_stop() and crash_smp_send_stop() should try
+ non-NMI first
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit fdfa588124b6356cd08e5d3f0c3643c4ec3d6887 ]
+
+When testing hard lockup handling on my sc7180-trogdor-lazor device
+with pseudo-NMI enabled, with serial console enabled and with kgdb
+disabled, I found that the stack crawls printed to the serial console
+ended up as a jumbled mess. After rebooting, the pstore-based console
+looked fine though. Also, enabling kgdb to trap the panic made the
+console look fine and avoided the mess.
+
+After a bit of tracking down, I came to the conclusion that this was
+what was happening:
+1. The panic path was stopping all other CPUs with
+ panic_other_cpus_shutdown().
+2. At least one of those other CPUs was in the middle of printing to
+ the serial console and holding the console port's lock, which is
+ grabbed with "irqsave". ...but since we were stopping with an NMI
+ we didn't care about the "irqsave" and interrupted anyway.
+3. Since we stopped the CPU while it was holding the lock it would
+ never release it.
+4. All future calls to output to the console would end up failing to
+ get the lock in qcom_geni_serial_console_write(). This isn't
+ _totally_ unexpected at panic time but it's a code path that's not
+ well tested, hard to get right, and apparently doesn't work
+ terribly well on the Qualcomm geni serial driver.
+
+The Qualcomm geni serial driver was fixed to be a bit better in commit
+9e957a155005 ("serial: qcom-geni: Don't cancel/abort if we can't get
+the port lock") but it's nice not to get into this situation in the
+first place.
+
+Taking a page from what x86 appears to do in native_stop_other_cpus(),
+do this:
+1. First, try to stop other CPUs with a normal IPI and wait a second.
+ This gives them a chance to leave critical sections.
+2. If CPUs fail to stop then retry with an NMI, but give a much lower
+ timeout since there's no good reason for a CPU not to react quickly
+ to a NMI.
+
+This works well and avoids the corrupted console and (presumably)
+could help avoid other similar issues.
+
+In order to do this, we need to do a little re-organization of our
+IPIs since we don't have any more free IDs. Do what was suggested in
+previous conversations and combine "stop" and "crash stop". That frees
+up an IPI so now we can have a "stop" and "stop NMI".
+
+In order to do this we also need a slight change in the way we keep
+track of which CPUs still need to be stopped. We need to know
+specifically which CPUs haven't stopped yet when we fall back to NMI
+but in the "crash stop" case the "cpu_online_mask" isn't updated as
+CPUs go down. This is why that code path had an atomic of the number
+of CPUs left. Solve this by also updating the "cpu_online_mask" for
+crash stops.
+
+All of the above lets us combine the logic for "stop" and "crash stop"
+code, which appeared to have a bunch of arbitrary implementation
+differences.
+
+Aside from the above change where we try a normal IPI and then an NMI,
+the combined function has a few subtle differences:
+* In the normal smp_send_stop(), if we fail to stop one or more CPUs
+ then we won't include the current CPU (the one running
+ smp_send_stop()) in the error message.
+* In crash_smp_send_stop(), if we fail to stop some CPUs we'll print
+ the CPUs that we failed to stop instead of printing all _but_ the
+ current running CPU.
+* In crash_smp_send_stop(), we will now only print "SMP: stopping
+ secondary CPUs" if (system_state <= SYSTEM_RUNNING).
+
+Fixes: d7402513c935 ("arm64: smp: IPI_CPU_STOP and IPI_CPU_CRASH_STOP should try for NMI")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Link: https://lore.kernel.org/r/20240821145353.v3.1.Id4817adef610302554b8aa42b090d57270dc119c@changeid
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/smp.c | 160 ++++++++++++++++++++++++----------------
+ 1 file changed, 97 insertions(+), 63 deletions(-)
+
+diff --git a/arch/arm64/kernel/smp.c b/arch/arm64/kernel/smp.c
+index f01f0fd7b7feb..3b3f6b56e7330 100644
+--- a/arch/arm64/kernel/smp.c
++++ b/arch/arm64/kernel/smp.c
+@@ -68,7 +68,7 @@ enum ipi_msg_type {
+ IPI_RESCHEDULE,
+ IPI_CALL_FUNC,
+ IPI_CPU_STOP,
+- IPI_CPU_CRASH_STOP,
++ IPI_CPU_STOP_NMI,
+ IPI_TIMER,
+ IPI_IRQ_WORK,
+ NR_IPI,
+@@ -85,6 +85,8 @@ static int ipi_irq_base __ro_after_init;
+ static int nr_ipi __ro_after_init = NR_IPI;
+ static struct irq_desc *ipi_desc[MAX_IPI] __ro_after_init;
+
++static bool crash_stop;
++
+ static void ipi_setup(int cpu);
+
+ #ifdef CONFIG_HOTPLUG_CPU
+@@ -823,7 +825,7 @@ static const char *ipi_types[MAX_IPI] __tracepoint_string = {
+ [IPI_RESCHEDULE] = "Rescheduling interrupts",
+ [IPI_CALL_FUNC] = "Function call interrupts",
+ [IPI_CPU_STOP] = "CPU stop interrupts",
+- [IPI_CPU_CRASH_STOP] = "CPU stop (for crash dump) interrupts",
++ [IPI_CPU_STOP_NMI] = "CPU stop NMIs",
+ [IPI_TIMER] = "Timer broadcast interrupts",
+ [IPI_IRQ_WORK] = "IRQ work interrupts",
+ [IPI_CPU_BACKTRACE] = "CPU backtrace interrupts",
+@@ -867,9 +869,9 @@ void arch_irq_work_raise(void)
+ }
+ #endif
+
+-static void __noreturn local_cpu_stop(void)
++static void __noreturn local_cpu_stop(unsigned int cpu)
+ {
+- set_cpu_online(smp_processor_id(), false);
++ set_cpu_online(cpu, false);
+
+ local_daif_mask();
+ sdei_mask_local_cpu();
+@@ -883,21 +885,26 @@ static void __noreturn local_cpu_stop(void)
+ */
+ void __noreturn panic_smp_self_stop(void)
+ {
+- local_cpu_stop();
++ local_cpu_stop(smp_processor_id());
+ }
+
+-#ifdef CONFIG_KEXEC_CORE
+-static atomic_t waiting_for_crash_ipi = ATOMIC_INIT(0);
+-#endif
+-
+ static void __noreturn ipi_cpu_crash_stop(unsigned int cpu, struct pt_regs *regs)
+ {
+ #ifdef CONFIG_KEXEC_CORE
++ /*
++ * Use local_daif_mask() instead of local_irq_disable() to make sure
++ * that pseudo-NMIs are disabled. The "crash stop" code starts with
++ * an IRQ and falls back to NMI (which might be pseudo). If the IRQ
++ * finally goes through right as we're timing out then the NMI could
++ * interrupt us. It's better to prevent the NMI and let the IRQ
++ * finish since the pt_regs will be better.
++ */
++ local_daif_mask();
++
+ crash_save_cpu(regs, cpu);
+
+- atomic_dec(&waiting_for_crash_ipi);
++ set_cpu_online(cpu, false);
+
+- local_irq_disable();
+ sdei_mask_local_cpu();
+
+ if (IS_ENABLED(CONFIG_HOTPLUG_CPU))
+@@ -962,14 +969,12 @@ static void do_handle_IPI(int ipinr)
+ break;
+
+ case IPI_CPU_STOP:
+- local_cpu_stop();
+- break;
+-
+- case IPI_CPU_CRASH_STOP:
+- if (IS_ENABLED(CONFIG_KEXEC_CORE)) {
++ case IPI_CPU_STOP_NMI:
++ if (IS_ENABLED(CONFIG_KEXEC_CORE) && crash_stop) {
+ ipi_cpu_crash_stop(cpu, get_irq_regs());
+-
+ unreachable();
++ } else {
++ local_cpu_stop(cpu);
+ }
+ break;
+
+@@ -1024,8 +1029,7 @@ static bool ipi_should_be_nmi(enum ipi_msg_type ipi)
+ return false;
+
+ switch (ipi) {
+- case IPI_CPU_STOP:
+- case IPI_CPU_CRASH_STOP:
++ case IPI_CPU_STOP_NMI:
+ case IPI_CPU_BACKTRACE:
+ case IPI_KGDB_ROUNDUP:
+ return true;
+@@ -1138,79 +1142,109 @@ static inline unsigned int num_other_online_cpus(void)
+
+ void smp_send_stop(void)
+ {
++ static unsigned long stop_in_progress;
++ cpumask_t mask;
+ unsigned long timeout;
+
+- if (num_other_online_cpus()) {
+- cpumask_t mask;
++ /*
++ * If this cpu is the only one alive at this point in time, online or
++ * not, there are no stop messages to be sent around, so just back out.
++ */
++ if (num_other_online_cpus() == 0)
++ goto skip_ipi;
+
+- cpumask_copy(&mask, cpu_online_mask);
+- cpumask_clear_cpu(smp_processor_id(), &mask);
++ /* Only proceed if this is the first CPU to reach this code */
++ if (test_and_set_bit(0, &stop_in_progress))
++ return;
+
+- if (system_state <= SYSTEM_RUNNING)
+- pr_crit("SMP: stopping secondary CPUs\n");
+- smp_cross_call(&mask, IPI_CPU_STOP);
+- }
++ /*
++ * Send an IPI to all currently online CPUs except the CPU running
++ * this code.
++ *
++ * NOTE: we don't do anything here to prevent other CPUs from coming
++ * online after we snapshot `cpu_online_mask`. Ideally, the calling code
++ * should do something to prevent other CPUs from coming up. This code
++ * can be called in the panic path and thus it doesn't seem wise to
++ * grab the CPU hotplug mutex ourselves. Worst case:
++ * - If a CPU comes online as we're running, we'll likely notice it
++ * during the 1 second wait below and then we'll catch it when we try
++ * with an NMI (assuming NMIs are enabled) since we re-snapshot the
++ * mask before sending an NMI.
++ * - If we leave the function and see that CPUs are still online we'll
++ * at least print a warning. Especially without NMIs this function
++ * isn't foolproof anyway so calling code will just have to accept
++ * the fact that there could be cases where a CPU can't be stopped.
++ */
++ cpumask_copy(&mask, cpu_online_mask);
++ cpumask_clear_cpu(smp_processor_id(), &mask);
+
+- /* Wait up to one second for other CPUs to stop */
++ if (system_state <= SYSTEM_RUNNING)
++ pr_crit("SMP: stopping secondary CPUs\n");
++
++ /*
++ * Start with a normal IPI and wait up to one second for other CPUs to
++ * stop. We do this first because it gives other processors a chance
++ * to exit critical sections / drop locks and makes the rest of the
++ * stop process (especially console flush) more robust.
++ */
++ smp_cross_call(&mask, IPI_CPU_STOP);
+ timeout = USEC_PER_SEC;
+ while (num_other_online_cpus() && timeout--)
+ udelay(1);
+
+- if (num_other_online_cpus())
++ /*
++ * If CPUs are still online, try an NMI. There's no excuse for this to
++ * be slow, so we only give them an extra 10 ms to respond.
++ */
++ if (num_other_online_cpus() && ipi_should_be_nmi(IPI_CPU_STOP_NMI)) {
++ smp_rmb();
++ cpumask_copy(&mask, cpu_online_mask);
++ cpumask_clear_cpu(smp_processor_id(), &mask);
++
++ pr_info("SMP: retry stop with NMI for CPUs %*pbl\n",
++ cpumask_pr_args(&mask));
++
++ smp_cross_call(&mask, IPI_CPU_STOP_NMI);
++ timeout = USEC_PER_MSEC * 10;
++ while (num_other_online_cpus() && timeout--)
++ udelay(1);
++ }
++
++ if (num_other_online_cpus()) {
++ smp_rmb();
++ cpumask_copy(&mask, cpu_online_mask);
++ cpumask_clear_cpu(smp_processor_id(), &mask);
++
+ pr_warn("SMP: failed to stop secondary CPUs %*pbl\n",
+- cpumask_pr_args(cpu_online_mask));
++ cpumask_pr_args(&mask));
++ }
+
++skip_ipi:
+ sdei_mask_local_cpu();
+ }
+
+ #ifdef CONFIG_KEXEC_CORE
+ void crash_smp_send_stop(void)
+ {
+- static int cpus_stopped;
+- cpumask_t mask;
+- unsigned long timeout;
+-
+ /*
+ * This function can be called twice in panic path, but obviously
+ * we execute this only once.
++ *
++ * We use this same boolean to tell whether the IPI we send was a
++ * stop or a "crash stop".
+ */
+- if (cpus_stopped)
++ if (crash_stop)
+ return;
++ crash_stop = 1;
+
+- cpus_stopped = 1;
++ smp_send_stop();
+
+- /*
+- * If this cpu is the only one alive at this point in time, online or
+- * not, there are no stop messages to be sent around, so just back out.
+- */
+- if (num_other_online_cpus() == 0)
+- goto skip_ipi;
+-
+- cpumask_copy(&mask, cpu_online_mask);
+- cpumask_clear_cpu(smp_processor_id(), &mask);
+-
+- atomic_set(&waiting_for_crash_ipi, num_other_online_cpus());
+-
+- pr_crit("SMP: stopping secondary CPUs\n");
+- smp_cross_call(&mask, IPI_CPU_CRASH_STOP);
+-
+- /* Wait up to one second for other CPUs to stop */
+- timeout = USEC_PER_SEC;
+- while ((atomic_read(&waiting_for_crash_ipi) > 0) && timeout--)
+- udelay(1);
+-
+- if (atomic_read(&waiting_for_crash_ipi) > 0)
+- pr_warn("SMP: failed to stop secondary CPUs %*pbl\n",
+- cpumask_pr_args(&mask));
+-
+-skip_ipi:
+- sdei_mask_local_cpu();
+ sdei_handler_abort();
+ }
+
+ bool smp_crash_stop_failed(void)
+ {
+- return (atomic_read(&waiting_for_crash_ipi) > 0);
++ return num_other_online_cpus() != 0;
+ }
+ #endif
+
+--
+2.43.0
+
--- /dev/null
+From 30da2d2fda754f7147f4a6558b81571e13d28717 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Jul 2024 14:20:20 +0100
+Subject: arm64: tegra: Correct location of power-sensors for IGX Orin
+
+From: Jon Hunter <jonathanh@nvidia.com>
+
+[ Upstream commit b93679b8f165467e1584f9b23055db83f45c32ce ]
+
+The power-sensors are located on the carrier board and not the
+module board and so update the IGX Orin device-tree files to fix this.
+
+Fixes: 9152ed09309d ("arm64: tegra: Add power-sensors for Tegra234 boards")
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../boot/dts/nvidia/tegra234-p3701-0008.dtsi | 33 -------------------
+ .../boot/dts/nvidia/tegra234-p3740-0002.dtsi | 33 +++++++++++++++++++
+ 2 files changed, 33 insertions(+), 33 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/nvidia/tegra234-p3701-0008.dtsi b/arch/arm64/boot/dts/nvidia/tegra234-p3701-0008.dtsi
+index 553fa4ba1cd48..62c4fdad0b600 100644
+--- a/arch/arm64/boot/dts/nvidia/tegra234-p3701-0008.dtsi
++++ b/arch/arm64/boot/dts/nvidia/tegra234-p3701-0008.dtsi
+@@ -44,39 +44,6 @@
+ status = "okay";
+ };
+
+- i2c@c250000 {
+- power-sensor@41 {
+- compatible = "ti,ina3221";
+- reg = <0x41>;
+- #address-cells = <1>;
+- #size-cells = <0>;
+-
+- input@0 {
+- reg = <0x0>;
+- label = "CVB_ATX_12V";
+- shunt-resistor-micro-ohms = <2000>;
+- };
+-
+- input@1 {
+- reg = <0x1>;
+- label = "CVB_ATX_3V3";
+- shunt-resistor-micro-ohms = <2000>;
+- };
+-
+- input@2 {
+- reg = <0x2>;
+- label = "CVB_ATX_5V";
+- shunt-resistor-micro-ohms = <2000>;
+- };
+- };
+-
+- power-sensor@44 {
+- compatible = "ti,ina219";
+- reg = <0x44>;
+- shunt-resistor = <2000>;
+- };
+- };
+-
+ rtc@c2a0000 {
+ status = "okay";
+ };
+diff --git a/arch/arm64/boot/dts/nvidia/tegra234-p3740-0002.dtsi b/arch/arm64/boot/dts/nvidia/tegra234-p3740-0002.dtsi
+index 527f2f3aee3ad..377f518bd3e57 100644
+--- a/arch/arm64/boot/dts/nvidia/tegra234-p3740-0002.dtsi
++++ b/arch/arm64/boot/dts/nvidia/tegra234-p3740-0002.dtsi
+@@ -183,6 +183,39 @@
+ phy-names = "usb2-0", "usb2-1", "usb2-2", "usb2-3",
+ "usb3-0", "usb3-1", "usb3-2";
+ };
++
++ i2c@c250000 {
++ power-sensor@41 {
++ compatible = "ti,ina3221";
++ reg = <0x41>;
++ #address-cells = <1>;
++ #size-cells = <0>;
++
++ input@0 {
++ reg = <0x0>;
++ label = "CVB_ATX_12V";
++ shunt-resistor-micro-ohms = <2000>;
++ };
++
++ input@1 {
++ reg = <0x1>;
++ label = "CVB_ATX_3V3";
++ shunt-resistor-micro-ohms = <2000>;
++ };
++
++ input@2 {
++ reg = <0x2>;
++ label = "CVB_ATX_5V";
++ shunt-resistor-micro-ohms = <2000>;
++ };
++ };
++
++ power-sensor@44 {
++ compatible = "ti,ina219";
++ reg = <0x44>;
++ shunt-resistor = <2000>;
++ };
++ };
+ };
+
+ vdd_3v3_dp: regulator-vdd-3v3-dp {
+--
+2.43.0
+
--- /dev/null
+From ccf27def17f6a0003ccb7a4a4806830618f750b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 17:06:20 +0800
+Subject: ASoC: loongson: fix error release
+
+From: tangbin <tangbin@cmss.chinamobile.com>
+
+[ Upstream commit 97688a9c5b1fd2b826c682cdfa36d411a5c99828 ]
+
+In function loongson_card_parse_of(), when get device_node
+'codec' failed, the function of_node_put(codec) should not
+be invoked, thus fix error release.
+
+Fixes: d24028606e76 ("ASoC: loongson: Add Loongson ASoC Sound Card Support")
+Signed-off-by: tangbin <tangbin@cmss.chinamobile.com>
+Link: https://patch.msgid.link/20240903090620.6276-1-tangbin@cmss.chinamobile.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/loongson/loongson_card.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/loongson/loongson_card.c b/sound/soc/loongson/loongson_card.c
+index fae5e9312bf08..2c8dbdba27c5f 100644
+--- a/sound/soc/loongson/loongson_card.c
++++ b/sound/soc/loongson/loongson_card.c
+@@ -127,8 +127,8 @@ static int loongson_card_parse_of(struct loongson_card_data *data)
+ codec = of_get_child_by_name(dev->of_node, "codec");
+ if (!codec) {
+ dev_err(dev, "audio-codec property missing or invalid\n");
+- ret = -EINVAL;
+- goto err;
++ of_node_put(cpu);
++ return -EINVAL;
+ }
+
+ for (i = 0; i < card->num_links; i++) {
+--
+2.43.0
+
--- /dev/null
+From 78584e7a93a69cebddb10ebc99534ef774840d15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jul 2024 19:54:36 +0800
+Subject: ASoC: rt5682s: Return devm_of_clk_add_hw_provider to transfer the
+ error
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+[ Upstream commit 3ff810b9bebe5578a245cfa97c252ab602e703f1 ]
+
+Return devm_of_clk_add_hw_provider() in order to transfer the error, if it
+fails due to resource allocation failure or device tree clock provider
+registration failure.
+
+Fixes: bdd229ab26be ("ASoC: rt5682s: Add driver for ALC5682I-VS codec")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Link: https://patch.msgid.link/20240717115436.3449492-1-make24@iscas.ac.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt5682s.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/rt5682s.c b/sound/soc/codecs/rt5682s.c
+index f50f196d700d7..ce2e88e066f3e 100644
+--- a/sound/soc/codecs/rt5682s.c
++++ b/sound/soc/codecs/rt5682s.c
+@@ -2828,7 +2828,9 @@ static int rt5682s_register_dai_clks(struct snd_soc_component *component)
+ }
+
+ if (dev->of_node) {
+- devm_of_clk_add_hw_provider(dev, of_clk_hw_simple_get, dai_clk_hw);
++ ret = devm_of_clk_add_hw_provider(dev, of_clk_hw_simple_get, dai_clk_hw);
++ if (ret)
++ return ret;
+ } else {
+ ret = devm_clk_hw_register_clkdev(dev, dai_clk_hw,
+ init.name, dev_name(dev));
+--
+2.43.0
+
--- /dev/null
+From 722fe6c9d462982bf144ccebfd6b2995710dfe86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Aug 2024 15:20:52 +0800
+Subject: ASoC: tas2781: Fix a compiling warning reported by robot kernel test
+ due to adding tas2563_dvc_table
+
+From: Shenghao Ding <shenghao-ding@ti.com>
+
+[ Upstream commit 92b796845a4a8789c2d9434c6a77baa88a99121e ]
+
+Move tas2563_dvc_table into a separate Header file, as only tas2781
+codec driver use this table, and hda side codec driver won't use it.
+
+Fixes: 75ed63a5ab5d ("ASoC: tas2781: Add new Kontrol to set tas2563 digital Volume")
+Signed-off-by: Shenghao Ding <shenghao-ding@ti.com>
+Link: https://patch.msgid.link/20240802072055.1462-1-shenghao-ding@ti.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/sound/tas2563-tlv.h | 279 +++++++++++++++++++++++++++++++++
+ include/sound/tas2781-tlv.h | 260 ------------------------------
+ sound/soc/codecs/tas2781-i2c.c | 1 +
+ 3 files changed, 280 insertions(+), 260 deletions(-)
+ create mode 100644 include/sound/tas2563-tlv.h
+
+diff --git a/include/sound/tas2563-tlv.h b/include/sound/tas2563-tlv.h
+new file mode 100644
+index 0000000000000..faa3e194f73b1
+--- /dev/null
++++ b/include/sound/tas2563-tlv.h
+@@ -0,0 +1,279 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++//
++// ALSA SoC Texas Instruments TAS2563 Audio Smart Amplifier
++//
++// Copyright (C) 2022 - 2024 Texas Instruments Incorporated
++// https://www.ti.com
++//
++// The TAS2563 driver implements a flexible and configurable
++// algo coefficient setting for one, two, or even multiple
++// TAS2563 chips.
++//
++// Author: Shenghao Ding <shenghao-ding@ti.com>
++//
++
++#ifndef __TAS2563_TLV_H__
++#define __TAS2563_TLV_H__
++
++static const __maybe_unused DECLARE_TLV_DB_SCALE(tas2563_dvc_tlv, -12150, 50, 1);
++
++/* pow(10, db/20) * pow(2,30) */
++static const unsigned char tas2563_dvc_table[][4] = {
++ { 0X00, 0X00, 0X00, 0X00 }, /* -121.5db */
++ { 0X00, 0X00, 0X03, 0XBC }, /* -121.0db */
++ { 0X00, 0X00, 0X03, 0XF5 }, /* -120.5db */
++ { 0X00, 0X00, 0X04, 0X31 }, /* -120.0db */
++ { 0X00, 0X00, 0X04, 0X71 }, /* -119.5db */
++ { 0X00, 0X00, 0X04, 0XB4 }, /* -119.0db */
++ { 0X00, 0X00, 0X04, 0XFC }, /* -118.5db */
++ { 0X00, 0X00, 0X05, 0X47 }, /* -118.0db */
++ { 0X00, 0X00, 0X05, 0X97 }, /* -117.5db */
++ { 0X00, 0X00, 0X05, 0XEC }, /* -117.0db */
++ { 0X00, 0X00, 0X06, 0X46 }, /* -116.5db */
++ { 0X00, 0X00, 0X06, 0XA5 }, /* -116.0db */
++ { 0X00, 0X00, 0X07, 0X0A }, /* -115.5db */
++ { 0X00, 0X00, 0X07, 0X75 }, /* -115.0db */
++ { 0X00, 0X00, 0X07, 0XE6 }, /* -114.5db */
++ { 0X00, 0X00, 0X08, 0X5E }, /* -114.0db */
++ { 0X00, 0X00, 0X08, 0XDD }, /* -113.5db */
++ { 0X00, 0X00, 0X09, 0X63 }, /* -113.0db */
++ { 0X00, 0X00, 0X09, 0XF2 }, /* -112.5db */
++ { 0X00, 0X00, 0X0A, 0X89 }, /* -112.0db */
++ { 0X00, 0X00, 0X0B, 0X28 }, /* -111.5db */
++ { 0X00, 0X00, 0X0B, 0XD2 }, /* -111.0db */
++ { 0X00, 0X00, 0X0C, 0X85 }, /* -110.5db */
++ { 0X00, 0X00, 0X0D, 0X43 }, /* -110.0db */
++ { 0X00, 0X00, 0X0E, 0X0C }, /* -109.5db */
++ { 0X00, 0X00, 0X0E, 0XE1 }, /* -109.0db */
++ { 0X00, 0X00, 0X0F, 0XC3 }, /* -108.5db */
++ { 0X00, 0X00, 0X10, 0XB2 }, /* -108.0db */
++ { 0X00, 0X00, 0X11, 0XAF }, /* -107.5db */
++ { 0X00, 0X00, 0X12, 0XBC }, /* -107.0db */
++ { 0X00, 0X00, 0X13, 0XD8 }, /* -106.5db */
++ { 0X00, 0X00, 0X15, 0X05 }, /* -106.0db */
++ { 0X00, 0X00, 0X16, 0X44 }, /* -105.5db */
++ { 0X00, 0X00, 0X17, 0X96 }, /* -105.0db */
++ { 0X00, 0X00, 0X18, 0XFB }, /* -104.5db */
++ { 0X00, 0X00, 0X1A, 0X76 }, /* -104.0db */
++ { 0X00, 0X00, 0X1C, 0X08 }, /* -103.5db */
++ { 0X00, 0X00, 0X1D, 0XB1 }, /* -103.0db */
++ { 0X00, 0X00, 0X1F, 0X73 }, /* -102.5db */
++ { 0X00, 0X00, 0X21, 0X51 }, /* -102.0db */
++ { 0X00, 0X00, 0X23, 0X4A }, /* -101.5db */
++ { 0X00, 0X00, 0X25, 0X61 }, /* -101.0db */
++ { 0X00, 0X00, 0X27, 0X98 }, /* -100.5db */
++ { 0X00, 0X00, 0X29, 0XF1 }, /* -100.0db */
++ { 0X00, 0X00, 0X2C, 0X6D }, /* -99.5db */
++ { 0X00, 0X00, 0X2F, 0X0F }, /* -99.0db */
++ { 0X00, 0X00, 0X31, 0XD9 }, /* -98.5db */
++ { 0X00, 0X00, 0X34, 0XCD }, /* -98.0db */
++ { 0X00, 0X00, 0X37, 0XEE }, /* -97.5db */
++ { 0X00, 0X00, 0X3B, 0X3F }, /* -97.0db */
++ { 0X00, 0X00, 0X3E, 0XC1 }, /* -96.5db */
++ { 0X00, 0X00, 0X42, 0X79 }, /* -96.0db */
++ { 0X00, 0X00, 0X46, 0X6A }, /* -95.5db */
++ { 0X00, 0X00, 0X4A, 0X96 }, /* -95.0db */
++ { 0X00, 0X00, 0X4F, 0X01 }, /* -94.5db */
++ { 0X00, 0X00, 0X53, 0XAF }, /* -94.0db */
++ { 0X00, 0X00, 0X58, 0XA5 }, /* -93.5db */
++ { 0X00, 0X00, 0X5D, 0XE6 }, /* -93.0db */
++ { 0X00, 0X00, 0X63, 0X76 }, /* -92.5db */
++ { 0X00, 0X00, 0X69, 0X5B }, /* -92.0db */
++ { 0X00, 0X00, 0X6F, 0X99 }, /* -91.5db */
++ { 0X00, 0X00, 0X76, 0X36 }, /* -91.0db */
++ { 0X00, 0X00, 0X7D, 0X37 }, /* -90.5db */
++ { 0X00, 0X00, 0X84, 0XA2 }, /* -90.0db */
++ { 0X00, 0X00, 0X8C, 0X7E }, /* -89.5db */
++ { 0X00, 0X00, 0X94, 0XD1 }, /* -89.0db */
++ { 0X00, 0X00, 0X9D, 0XA3 }, /* -88.5db */
++ { 0X00, 0X00, 0XA6, 0XFA }, /* -88.0db */
++ { 0X00, 0X00, 0XB0, 0XDF }, /* -87.5db */
++ { 0X00, 0X00, 0XBB, 0X5A }, /* -87.0db */
++ { 0X00, 0X00, 0XC6, 0X74 }, /* -86.5db */
++ { 0X00, 0X00, 0XD2, 0X36 }, /* -86.0db */
++ { 0X00, 0X00, 0XDE, 0XAB }, /* -85.5db */
++ { 0X00, 0X00, 0XEB, 0XDC }, /* -85.0db */
++ { 0X00, 0X00, 0XF9, 0XD6 }, /* -84.5db */
++ { 0X00, 0X01, 0X08, 0XA4 }, /* -84.0db */
++ { 0X00, 0X01, 0X18, 0X52 }, /* -83.5db */
++ { 0X00, 0X01, 0X28, 0XEF }, /* -83.0db */
++ { 0X00, 0X01, 0X3A, 0X87 }, /* -82.5db */
++ { 0X00, 0X01, 0X4D, 0X2A }, /* -82.0db */
++ { 0X00, 0X01, 0X60, 0XE8 }, /* -81.5db */
++ { 0X00, 0X01, 0X75, 0XD1 }, /* -81.0db */
++ { 0X00, 0X01, 0X8B, 0XF7 }, /* -80.5db */
++ { 0X00, 0X01, 0XA3, 0X6E }, /* -80.0db */
++ { 0X00, 0X01, 0XBC, 0X48 }, /* -79.5db */
++ { 0X00, 0X01, 0XD6, 0X9B }, /* -79.0db */
++ { 0X00, 0X01, 0XF2, 0X7E }, /* -78.5db */
++ { 0X00, 0X02, 0X10, 0X08 }, /* -78.0db */
++ { 0X00, 0X02, 0X2F, 0X51 }, /* -77.5db */
++ { 0X00, 0X02, 0X50, 0X76 }, /* -77.0db */
++ { 0X00, 0X02, 0X73, 0X91 }, /* -76.5db */
++ { 0X00, 0X02, 0X98, 0XC0 }, /* -76.0db */
++ { 0X00, 0X02, 0XC0, 0X24 }, /* -75.5db */
++ { 0X00, 0X02, 0XE9, 0XDD }, /* -75.0db */
++ { 0X00, 0X03, 0X16, 0X0F }, /* -74.5db */
++ { 0X00, 0X03, 0X44, 0XDF }, /* -74.0db */
++ { 0X00, 0X03, 0X76, 0X76 }, /* -73.5db */
++ { 0X00, 0X03, 0XAA, 0XFC }, /* -73.0db */
++ { 0X00, 0X03, 0XE2, 0XA0 }, /* -72.5db */
++ { 0X00, 0X04, 0X1D, 0X8F }, /* -72.0db */
++ { 0X00, 0X04, 0X5B, 0XFD }, /* -71.5db */
++ { 0X00, 0X04, 0X9E, 0X1D }, /* -71.0db */
++ { 0X00, 0X04, 0XE4, 0X29 }, /* -70.5db */
++ { 0X00, 0X05, 0X2E, 0X5A }, /* -70.0db */
++ { 0X00, 0X05, 0X7C, 0XF2 }, /* -69.5db */
++ { 0X00, 0X05, 0XD0, 0X31 }, /* -69.0db */
++ { 0X00, 0X06, 0X28, 0X60 }, /* -68.5db */
++ { 0X00, 0X06, 0X85, 0XC8 }, /* -68.0db */
++ { 0X00, 0X06, 0XE8, 0XB9 }, /* -67.5db */
++ { 0X00, 0X07, 0X51, 0X86 }, /* -67.0db */
++ { 0X00, 0X07, 0XC0, 0X8A }, /* -66.5db */
++ { 0X00, 0X08, 0X36, 0X21 }, /* -66.0db */
++ { 0X00, 0X08, 0XB2, 0XB0 }, /* -65.5db */
++ { 0X00, 0X09, 0X36, 0XA1 }, /* -65.0db */
++ { 0X00, 0X09, 0XC2, 0X63 }, /* -64.5db */
++ { 0X00, 0X0A, 0X56, 0X6D }, /* -64.0db */
++ { 0X00, 0X0A, 0XF3, 0X3C }, /* -63.5db */
++ { 0X00, 0X0B, 0X99, 0X56 }, /* -63.0db */
++ { 0X00, 0X0C, 0X49, 0X48 }, /* -62.5db */
++ { 0X00, 0X0D, 0X03, 0XA7 }, /* -62.0db */
++ { 0X00, 0X0D, 0XC9, 0X11 }, /* -61.5db */
++ { 0X00, 0X0E, 0X9A, 0X2D }, /* -61.0db */
++ { 0X00, 0X0F, 0X77, 0XAD }, /* -60.5db */
++ { 0X00, 0X10, 0X62, 0X4D }, /* -60.0db */
++ { 0X00, 0X11, 0X5A, 0XD5 }, /* -59.5db */
++ { 0X00, 0X12, 0X62, 0X16 }, /* -59.0db */
++ { 0X00, 0X13, 0X78, 0XF0 }, /* -58.5db */
++ { 0X00, 0X14, 0XA0, 0X50 }, /* -58.0db */
++ { 0X00, 0X15, 0XD9, 0X31 }, /* -57.5db */
++ { 0X00, 0X17, 0X24, 0X9C }, /* -57.0db */
++ { 0X00, 0X18, 0X83, 0XAA }, /* -56.5db */
++ { 0X00, 0X19, 0XF7, 0X86 }, /* -56.0db */
++ { 0X00, 0X1B, 0X81, 0X6A }, /* -55.5db */
++ { 0X00, 0X1D, 0X22, 0XA4 }, /* -55.0db */
++ { 0X00, 0X1E, 0XDC, 0X98 }, /* -54.5db */
++ { 0X00, 0X20, 0XB0, 0XBC }, /* -54.0db */
++ { 0X00, 0X22, 0XA0, 0X9D }, /* -53.5db */
++ { 0X00, 0X24, 0XAD, 0XE0 }, /* -53.0db */
++ { 0X00, 0X26, 0XDA, 0X43 }, /* -52.5db */
++ { 0X00, 0X29, 0X27, 0X9D }, /* -52.0db */
++ { 0X00, 0X2B, 0X97, 0XE3 }, /* -51.5db */
++ { 0X00, 0X2E, 0X2D, 0X27 }, /* -51.0db */
++ { 0X00, 0X30, 0XE9, 0X9A }, /* -50.5db */
++ { 0X00, 0X33, 0XCF, 0X8D }, /* -50.0db */
++ { 0X00, 0X36, 0XE1, 0X78 }, /* -49.5db */
++ { 0X00, 0X3A, 0X21, 0XF3 }, /* -49.0db */
++ { 0X00, 0X3D, 0X93, 0XC3 }, /* -48.5db */
++ { 0X00, 0X41, 0X39, 0XD3 }, /* -48.0db */
++ { 0X00, 0X45, 0X17, 0X3B }, /* -47.5db */
++ { 0X00, 0X49, 0X2F, 0X44 }, /* -47.0db */
++ { 0X00, 0X4D, 0X85, 0X66 }, /* -46.5db */
++ { 0X00, 0X52, 0X1D, 0X50 }, /* -46.0db */
++ { 0X00, 0X56, 0XFA, 0XE8 }, /* -45.5db */
++ { 0X00, 0X5C, 0X22, 0X4E }, /* -45.0db */
++ { 0X00, 0X61, 0X97, 0XE1 }, /* -44.5db */
++ { 0X00, 0X67, 0X60, 0X44 }, /* -44.0db */
++ { 0X00, 0X6D, 0X80, 0X60 }, /* -43.5db */
++ { 0X00, 0X73, 0XFD, 0X65 }, /* -43.0db */
++ { 0X00, 0X7A, 0XDC, 0XD7 }, /* -42.5db */
++ { 0X00, 0X82, 0X24, 0X8A }, /* -42.0db */
++ { 0X00, 0X89, 0XDA, 0XAB }, /* -41.5db */
++ { 0X00, 0X92, 0X05, 0XC6 }, /* -41.0db */
++ { 0X00, 0X9A, 0XAC, 0XC8 }, /* -40.5db */
++ { 0X00, 0XA3, 0XD7, 0X0A }, /* -40.0db */
++ { 0X00, 0XAD, 0X8C, 0X52 }, /* -39.5db */
++ { 0X00, 0XB7, 0XD4, 0XDD }, /* -39.0db */
++ { 0X00, 0XC2, 0XB9, 0X65 }, /* -38.5db */
++ { 0X00, 0XCE, 0X43, 0X28 }, /* -38.0db */
++ { 0X00, 0XDA, 0X7B, 0XF1 }, /* -37.5db */
++ { 0X00, 0XE7, 0X6E, 0X1E }, /* -37.0db */
++ { 0X00, 0XF5, 0X24, 0XAC }, /* -36.5db */
++ { 0X01, 0X03, 0XAB, 0X3D }, /* -36.0db */
++ { 0X01, 0X13, 0X0E, 0X24 }, /* -35.5db */
++ { 0X01, 0X23, 0X5A, 0X71 }, /* -35.0db */
++ { 0X01, 0X34, 0X9D, 0XF8 }, /* -34.5db */
++ { 0X01, 0X46, 0XE7, 0X5D }, /* -34.0db */
++ { 0X01, 0X5A, 0X46, 0X27 }, /* -33.5db */
++ { 0X01, 0X6E, 0XCA, 0XC5 }, /* -33.0db */
++ { 0X01, 0X84, 0X86, 0X9F }, /* -32.5db */
++ { 0X01, 0X9B, 0X8C, 0X27 }, /* -32.0db */
++ { 0X01, 0XB3, 0XEE, 0XE5 }, /* -31.5db */
++ { 0X01, 0XCD, 0XC3, 0X8C }, /* -31.0db */
++ { 0X01, 0XE9, 0X20, 0X05 }, /* -30.5db */
++ { 0X02, 0X06, 0X1B, 0X89 }, /* -30.0db */
++ { 0X02, 0X24, 0XCE, 0XB0 }, /* -29.5db */
++ { 0X02, 0X45, 0X53, 0X85 }, /* -29.0db */
++ { 0X02, 0X67, 0XC5, 0XA2 }, /* -28.5db */
++ { 0X02, 0X8C, 0X42, 0X3F }, /* -28.0db */
++ { 0X02, 0XB2, 0XE8, 0X55 }, /* -27.5db */
++ { 0X02, 0XDB, 0XD8, 0XAD }, /* -27.0db */
++ { 0X03, 0X07, 0X36, 0X05 }, /* -26.5db */
++ { 0X03, 0X35, 0X25, 0X29 }, /* -26.0db */
++ { 0X03, 0X65, 0XCD, 0X13 }, /* -25.5db */
++ { 0X03, 0X99, 0X57, 0X0C }, /* -25.0db */
++ { 0X03, 0XCF, 0XEE, 0XCF }, /* -24.5db */
++ { 0X04, 0X09, 0XC2, 0XB0 }, /* -24.0db */
++ { 0X04, 0X47, 0X03, 0XC1 }, /* -23.5db */
++ { 0X04, 0X87, 0XE5, 0XFB }, /* -23.0db */
++ { 0X04, 0XCC, 0XA0, 0X6D }, /* -22.5db */
++ { 0X05, 0X15, 0X6D, 0X68 }, /* -22.0db */
++ { 0X05, 0X62, 0X8A, 0XB3 }, /* -21.5db */
++ { 0X05, 0XB4, 0X39, 0XBC }, /* -21.0db */
++ { 0X06, 0X0A, 0XBF, 0XD4 }, /* -20.5db */
++ { 0X06, 0X66, 0X66, 0X66 }, /* -20.0db */
++ { 0X06, 0XC7, 0X7B, 0X36 }, /* -19.5db */
++ { 0X07, 0X2E, 0X50, 0XA6 }, /* -19.0db */
++ { 0X07, 0X9B, 0X3D, 0XF6 }, /* -18.5db */
++ { 0X08, 0X0E, 0X9F, 0X96 }, /* -18.0db */
++ { 0X08, 0X88, 0XD7, 0X6D }, /* -17.5db */
++ { 0X09, 0X0A, 0X4D, 0X2F }, /* -17.0db */
++ { 0X09, 0X93, 0X6E, 0XB8 }, /* -16.5db */
++ { 0X0A, 0X24, 0XB0, 0X62 }, /* -16.0db */
++ { 0X0A, 0XBE, 0X8D, 0X70 }, /* -15.5db */
++ { 0X0B, 0X61, 0X88, 0X71 }, /* -15.0db */
++ { 0X0C, 0X0E, 0X2B, 0XB0 }, /* -14.5db */
++ { 0X0C, 0XC5, 0X09, 0XAB }, /* -14.0db */
++ { 0X0D, 0X86, 0XBD, 0X8D }, /* -13.5db */
++ { 0X0E, 0X53, 0XEB, 0XB3 }, /* -13.0db */
++ { 0X0F, 0X2D, 0X42, 0X38 }, /* -12.5db */
++ { 0X10, 0X13, 0X79, 0X87 }, /* -12.0db */
++ { 0X11, 0X07, 0X54, 0XF9 }, /* -11.5db */
++ { 0X12, 0X09, 0XA3, 0X7A }, /* -11.0db */
++ { 0X13, 0X1B, 0X40, 0X39 }, /* -10.5db */
++ { 0X14, 0X3D, 0X13, 0X62 }, /* -10.0db */
++ { 0X15, 0X70, 0X12, 0XE1 }, /* -9.5db */
++ { 0X16, 0XB5, 0X43, 0X37 }, /* -9.0db */
++ { 0X18, 0X0D, 0XB8, 0X54 }, /* -8.5db */
++ { 0X19, 0X7A, 0X96, 0X7F }, /* -8.0db */
++ { 0X1A, 0XFD, 0X13, 0X54 }, /* -7.5db */
++ { 0X1C, 0X96, 0X76, 0XC6 }, /* -7.0db */
++ { 0X1E, 0X48, 0X1C, 0X37 }, /* -6.5db */
++ { 0X20, 0X13, 0X73, 0X9E }, /* -6.0db */
++ { 0X21, 0XFA, 0X02, 0XBF }, /* -5.5db */
++ { 0X23, 0XFD, 0X66, 0X78 }, /* -5.0db */
++ { 0X26, 0X1F, 0X54, 0X1C }, /* -4.5db */
++ { 0X28, 0X61, 0X9A, 0XE9 }, /* -4.0db */
++ { 0X2A, 0XC6, 0X25, 0X91 }, /* -3.5db */
++ { 0X2D, 0X4E, 0XFB, 0XD5 }, /* -3.0db */
++ { 0X2F, 0XFE, 0X44, 0X48 }, /* -2.5db */
++ { 0X32, 0XD6, 0X46, 0X17 }, /* -2.0db */
++ { 0X35, 0XD9, 0X6B, 0X02 }, /* -1.5db */
++ { 0X39, 0X0A, 0X41, 0X5F }, /* -1.0db */
++ { 0X3C, 0X6B, 0X7E, 0X4F }, /* -0.5db */
++ { 0X40, 0X00, 0X00, 0X00 }, /* 0.0db */
++ { 0X43, 0XCA, 0XD0, 0X22 }, /* 0.5db */
++ { 0X47, 0XCF, 0X26, 0X7D }, /* 1.0db */
++ { 0X4C, 0X10, 0X6B, 0XA5 }, /* 1.5db */
++ { 0X50, 0X92, 0X3B, 0XE3 }, /* 2.0db */
++ { 0X55, 0X58, 0X6A, 0X46 }, /* 2.5db */
++ { 0X5A, 0X67, 0X03, 0XDF }, /* 3.0db */
++ { 0X5F, 0XC2, 0X53, 0X32 }, /* 3.5db */
++ { 0X65, 0X6E, 0XE3, 0XDB }, /* 4.0db */
++ { 0X6B, 0X71, 0X86, 0X68 }, /* 4.5db */
++ { 0X71, 0XCF, 0X54, 0X71 }, /* 5.0db */
++ { 0X78, 0X8D, 0XB4, 0XE9 }, /* 5.5db */
++ { 0X7F, 0XFF, 0XFF, 0XFF }, /* 6.0db */
++};
++#endif
+diff --git a/include/sound/tas2781-tlv.h b/include/sound/tas2781-tlv.h
+index 00fd4d449ff35..d87263e43fdb6 100644
+--- a/include/sound/tas2781-tlv.h
++++ b/include/sound/tas2781-tlv.h
+@@ -17,265 +17,5 @@
+
+ static const __maybe_unused DECLARE_TLV_DB_SCALE(dvc_tlv, -10000, 100, 0);
+ static const __maybe_unused DECLARE_TLV_DB_SCALE(amp_vol_tlv, 1100, 50, 0);
+-static const __maybe_unused DECLARE_TLV_DB_SCALE(tas2563_dvc_tlv, -12150, 50, 1);
+
+-/* pow(10, db/20) * pow(2,30) */
+-static const __maybe_unused unsigned char tas2563_dvc_table[][4] = {
+- { 0X00, 0X00, 0X00, 0X00 }, /* -121.5db */
+- { 0X00, 0X00, 0X03, 0XBC }, /* -121.0db */
+- { 0X00, 0X00, 0X03, 0XF5 }, /* -120.5db */
+- { 0X00, 0X00, 0X04, 0X31 }, /* -120.0db */
+- { 0X00, 0X00, 0X04, 0X71 }, /* -119.5db */
+- { 0X00, 0X00, 0X04, 0XB4 }, /* -119.0db */
+- { 0X00, 0X00, 0X04, 0XFC }, /* -118.5db */
+- { 0X00, 0X00, 0X05, 0X47 }, /* -118.0db */
+- { 0X00, 0X00, 0X05, 0X97 }, /* -117.5db */
+- { 0X00, 0X00, 0X05, 0XEC }, /* -117.0db */
+- { 0X00, 0X00, 0X06, 0X46 }, /* -116.5db */
+- { 0X00, 0X00, 0X06, 0XA5 }, /* -116.0db */
+- { 0X00, 0X00, 0X07, 0X0A }, /* -115.5db */
+- { 0X00, 0X00, 0X07, 0X75 }, /* -115.0db */
+- { 0X00, 0X00, 0X07, 0XE6 }, /* -114.5db */
+- { 0X00, 0X00, 0X08, 0X5E }, /* -114.0db */
+- { 0X00, 0X00, 0X08, 0XDD }, /* -113.5db */
+- { 0X00, 0X00, 0X09, 0X63 }, /* -113.0db */
+- { 0X00, 0X00, 0X09, 0XF2 }, /* -112.5db */
+- { 0X00, 0X00, 0X0A, 0X89 }, /* -112.0db */
+- { 0X00, 0X00, 0X0B, 0X28 }, /* -111.5db */
+- { 0X00, 0X00, 0X0B, 0XD2 }, /* -111.0db */
+- { 0X00, 0X00, 0X0C, 0X85 }, /* -110.5db */
+- { 0X00, 0X00, 0X0D, 0X43 }, /* -110.0db */
+- { 0X00, 0X00, 0X0E, 0X0C }, /* -109.5db */
+- { 0X00, 0X00, 0X0E, 0XE1 }, /* -109.0db */
+- { 0X00, 0X00, 0X0F, 0XC3 }, /* -108.5db */
+- { 0X00, 0X00, 0X10, 0XB2 }, /* -108.0db */
+- { 0X00, 0X00, 0X11, 0XAF }, /* -107.5db */
+- { 0X00, 0X00, 0X12, 0XBC }, /* -107.0db */
+- { 0X00, 0X00, 0X13, 0XD8 }, /* -106.5db */
+- { 0X00, 0X00, 0X15, 0X05 }, /* -106.0db */
+- { 0X00, 0X00, 0X16, 0X44 }, /* -105.5db */
+- { 0X00, 0X00, 0X17, 0X96 }, /* -105.0db */
+- { 0X00, 0X00, 0X18, 0XFB }, /* -104.5db */
+- { 0X00, 0X00, 0X1A, 0X76 }, /* -104.0db */
+- { 0X00, 0X00, 0X1C, 0X08 }, /* -103.5db */
+- { 0X00, 0X00, 0X1D, 0XB1 }, /* -103.0db */
+- { 0X00, 0X00, 0X1F, 0X73 }, /* -102.5db */
+- { 0X00, 0X00, 0X21, 0X51 }, /* -102.0db */
+- { 0X00, 0X00, 0X23, 0X4A }, /* -101.5db */
+- { 0X00, 0X00, 0X25, 0X61 }, /* -101.0db */
+- { 0X00, 0X00, 0X27, 0X98 }, /* -100.5db */
+- { 0X00, 0X00, 0X29, 0XF1 }, /* -100.0db */
+- { 0X00, 0X00, 0X2C, 0X6D }, /* -99.5db */
+- { 0X00, 0X00, 0X2F, 0X0F }, /* -99.0db */
+- { 0X00, 0X00, 0X31, 0XD9 }, /* -98.5db */
+- { 0X00, 0X00, 0X34, 0XCD }, /* -98.0db */
+- { 0X00, 0X00, 0X37, 0XEE }, /* -97.5db */
+- { 0X00, 0X00, 0X3B, 0X3F }, /* -97.0db */
+- { 0X00, 0X00, 0X3E, 0XC1 }, /* -96.5db */
+- { 0X00, 0X00, 0X42, 0X79 }, /* -96.0db */
+- { 0X00, 0X00, 0X46, 0X6A }, /* -95.5db */
+- { 0X00, 0X00, 0X4A, 0X96 }, /* -95.0db */
+- { 0X00, 0X00, 0X4F, 0X01 }, /* -94.5db */
+- { 0X00, 0X00, 0X53, 0XAF }, /* -94.0db */
+- { 0X00, 0X00, 0X58, 0XA5 }, /* -93.5db */
+- { 0X00, 0X00, 0X5D, 0XE6 }, /* -93.0db */
+- { 0X00, 0X00, 0X63, 0X76 }, /* -92.5db */
+- { 0X00, 0X00, 0X69, 0X5B }, /* -92.0db */
+- { 0X00, 0X00, 0X6F, 0X99 }, /* -91.5db */
+- { 0X00, 0X00, 0X76, 0X36 }, /* -91.0db */
+- { 0X00, 0X00, 0X7D, 0X37 }, /* -90.5db */
+- { 0X00, 0X00, 0X84, 0XA2 }, /* -90.0db */
+- { 0X00, 0X00, 0X8C, 0X7E }, /* -89.5db */
+- { 0X00, 0X00, 0X94, 0XD1 }, /* -89.0db */
+- { 0X00, 0X00, 0X9D, 0XA3 }, /* -88.5db */
+- { 0X00, 0X00, 0XA6, 0XFA }, /* -88.0db */
+- { 0X00, 0X00, 0XB0, 0XDF }, /* -87.5db */
+- { 0X00, 0X00, 0XBB, 0X5A }, /* -87.0db */
+- { 0X00, 0X00, 0XC6, 0X74 }, /* -86.5db */
+- { 0X00, 0X00, 0XD2, 0X36 }, /* -86.0db */
+- { 0X00, 0X00, 0XDE, 0XAB }, /* -85.5db */
+- { 0X00, 0X00, 0XEB, 0XDC }, /* -85.0db */
+- { 0X00, 0X00, 0XF9, 0XD6 }, /* -84.5db */
+- { 0X00, 0X01, 0X08, 0XA4 }, /* -84.0db */
+- { 0X00, 0X01, 0X18, 0X52 }, /* -83.5db */
+- { 0X00, 0X01, 0X28, 0XEF }, /* -83.0db */
+- { 0X00, 0X01, 0X3A, 0X87 }, /* -82.5db */
+- { 0X00, 0X01, 0X4D, 0X2A }, /* -82.0db */
+- { 0X00, 0X01, 0X60, 0XE8 }, /* -81.5db */
+- { 0X00, 0X01, 0X75, 0XD1 }, /* -81.0db */
+- { 0X00, 0X01, 0X8B, 0XF7 }, /* -80.5db */
+- { 0X00, 0X01, 0XA3, 0X6E }, /* -80.0db */
+- { 0X00, 0X01, 0XBC, 0X48 }, /* -79.5db */
+- { 0X00, 0X01, 0XD6, 0X9B }, /* -79.0db */
+- { 0X00, 0X01, 0XF2, 0X7E }, /* -78.5db */
+- { 0X00, 0X02, 0X10, 0X08 }, /* -78.0db */
+- { 0X00, 0X02, 0X2F, 0X51 }, /* -77.5db */
+- { 0X00, 0X02, 0X50, 0X76 }, /* -77.0db */
+- { 0X00, 0X02, 0X73, 0X91 }, /* -76.5db */
+- { 0X00, 0X02, 0X98, 0XC0 }, /* -76.0db */
+- { 0X00, 0X02, 0XC0, 0X24 }, /* -75.5db */
+- { 0X00, 0X02, 0XE9, 0XDD }, /* -75.0db */
+- { 0X00, 0X03, 0X16, 0X0F }, /* -74.5db */
+- { 0X00, 0X03, 0X44, 0XDF }, /* -74.0db */
+- { 0X00, 0X03, 0X76, 0X76 }, /* -73.5db */
+- { 0X00, 0X03, 0XAA, 0XFC }, /* -73.0db */
+- { 0X00, 0X03, 0XE2, 0XA0 }, /* -72.5db */
+- { 0X00, 0X04, 0X1D, 0X8F }, /* -72.0db */
+- { 0X00, 0X04, 0X5B, 0XFD }, /* -71.5db */
+- { 0X00, 0X04, 0X9E, 0X1D }, /* -71.0db */
+- { 0X00, 0X04, 0XE4, 0X29 }, /* -70.5db */
+- { 0X00, 0X05, 0X2E, 0X5A }, /* -70.0db */
+- { 0X00, 0X05, 0X7C, 0XF2 }, /* -69.5db */
+- { 0X00, 0X05, 0XD0, 0X31 }, /* -69.0db */
+- { 0X00, 0X06, 0X28, 0X60 }, /* -68.5db */
+- { 0X00, 0X06, 0X85, 0XC8 }, /* -68.0db */
+- { 0X00, 0X06, 0XE8, 0XB9 }, /* -67.5db */
+- { 0X00, 0X07, 0X51, 0X86 }, /* -67.0db */
+- { 0X00, 0X07, 0XC0, 0X8A }, /* -66.5db */
+- { 0X00, 0X08, 0X36, 0X21 }, /* -66.0db */
+- { 0X00, 0X08, 0XB2, 0XB0 }, /* -65.5db */
+- { 0X00, 0X09, 0X36, 0XA1 }, /* -65.0db */
+- { 0X00, 0X09, 0XC2, 0X63 }, /* -64.5db */
+- { 0X00, 0X0A, 0X56, 0X6D }, /* -64.0db */
+- { 0X00, 0X0A, 0XF3, 0X3C }, /* -63.5db */
+- { 0X00, 0X0B, 0X99, 0X56 }, /* -63.0db */
+- { 0X00, 0X0C, 0X49, 0X48 }, /* -62.5db */
+- { 0X00, 0X0D, 0X03, 0XA7 }, /* -62.0db */
+- { 0X00, 0X0D, 0XC9, 0X11 }, /* -61.5db */
+- { 0X00, 0X0E, 0X9A, 0X2D }, /* -61.0db */
+- { 0X00, 0X0F, 0X77, 0XAD }, /* -60.5db */
+- { 0X00, 0X10, 0X62, 0X4D }, /* -60.0db */
+- { 0X00, 0X11, 0X5A, 0XD5 }, /* -59.5db */
+- { 0X00, 0X12, 0X62, 0X16 }, /* -59.0db */
+- { 0X00, 0X13, 0X78, 0XF0 }, /* -58.5db */
+- { 0X00, 0X14, 0XA0, 0X50 }, /* -58.0db */
+- { 0X00, 0X15, 0XD9, 0X31 }, /* -57.5db */
+- { 0X00, 0X17, 0X24, 0X9C }, /* -57.0db */
+- { 0X00, 0X18, 0X83, 0XAA }, /* -56.5db */
+- { 0X00, 0X19, 0XF7, 0X86 }, /* -56.0db */
+- { 0X00, 0X1B, 0X81, 0X6A }, /* -55.5db */
+- { 0X00, 0X1D, 0X22, 0XA4 }, /* -55.0db */
+- { 0X00, 0X1E, 0XDC, 0X98 }, /* -54.5db */
+- { 0X00, 0X20, 0XB0, 0XBC }, /* -54.0db */
+- { 0X00, 0X22, 0XA0, 0X9D }, /* -53.5db */
+- { 0X00, 0X24, 0XAD, 0XE0 }, /* -53.0db */
+- { 0X00, 0X26, 0XDA, 0X43 }, /* -52.5db */
+- { 0X00, 0X29, 0X27, 0X9D }, /* -52.0db */
+- { 0X00, 0X2B, 0X97, 0XE3 }, /* -51.5db */
+- { 0X00, 0X2E, 0X2D, 0X27 }, /* -51.0db */
+- { 0X00, 0X30, 0XE9, 0X9A }, /* -50.5db */
+- { 0X00, 0X33, 0XCF, 0X8D }, /* -50.0db */
+- { 0X00, 0X36, 0XE1, 0X78 }, /* -49.5db */
+- { 0X00, 0X3A, 0X21, 0XF3 }, /* -49.0db */
+- { 0X00, 0X3D, 0X93, 0XC3 }, /* -48.5db */
+- { 0X00, 0X41, 0X39, 0XD3 }, /* -48.0db */
+- { 0X00, 0X45, 0X17, 0X3B }, /* -47.5db */
+- { 0X00, 0X49, 0X2F, 0X44 }, /* -47.0db */
+- { 0X00, 0X4D, 0X85, 0X66 }, /* -46.5db */
+- { 0X00, 0X52, 0X1D, 0X50 }, /* -46.0db */
+- { 0X00, 0X56, 0XFA, 0XE8 }, /* -45.5db */
+- { 0X00, 0X5C, 0X22, 0X4E }, /* -45.0db */
+- { 0X00, 0X61, 0X97, 0XE1 }, /* -44.5db */
+- { 0X00, 0X67, 0X60, 0X44 }, /* -44.0db */
+- { 0X00, 0X6D, 0X80, 0X60 }, /* -43.5db */
+- { 0X00, 0X73, 0XFD, 0X65 }, /* -43.0db */
+- { 0X00, 0X7A, 0XDC, 0XD7 }, /* -42.5db */
+- { 0X00, 0X82, 0X24, 0X8A }, /* -42.0db */
+- { 0X00, 0X89, 0XDA, 0XAB }, /* -41.5db */
+- { 0X00, 0X92, 0X05, 0XC6 }, /* -41.0db */
+- { 0X00, 0X9A, 0XAC, 0XC8 }, /* -40.5db */
+- { 0X00, 0XA3, 0XD7, 0X0A }, /* -40.0db */
+- { 0X00, 0XAD, 0X8C, 0X52 }, /* -39.5db */
+- { 0X00, 0XB7, 0XD4, 0XDD }, /* -39.0db */
+- { 0X00, 0XC2, 0XB9, 0X65 }, /* -38.5db */
+- { 0X00, 0XCE, 0X43, 0X28 }, /* -38.0db */
+- { 0X00, 0XDA, 0X7B, 0XF1 }, /* -37.5db */
+- { 0X00, 0XE7, 0X6E, 0X1E }, /* -37.0db */
+- { 0X00, 0XF5, 0X24, 0XAC }, /* -36.5db */
+- { 0X01, 0X03, 0XAB, 0X3D }, /* -36.0db */
+- { 0X01, 0X13, 0X0E, 0X24 }, /* -35.5db */
+- { 0X01, 0X23, 0X5A, 0X71 }, /* -35.0db */
+- { 0X01, 0X34, 0X9D, 0XF8 }, /* -34.5db */
+- { 0X01, 0X46, 0XE7, 0X5D }, /* -34.0db */
+- { 0X01, 0X5A, 0X46, 0X27 }, /* -33.5db */
+- { 0X01, 0X6E, 0XCA, 0XC5 }, /* -33.0db */
+- { 0X01, 0X84, 0X86, 0X9F }, /* -32.5db */
+- { 0X01, 0X9B, 0X8C, 0X27 }, /* -32.0db */
+- { 0X01, 0XB3, 0XEE, 0XE5 }, /* -31.5db */
+- { 0X01, 0XCD, 0XC3, 0X8C }, /* -31.0db */
+- { 0X01, 0XE9, 0X20, 0X05 }, /* -30.5db */
+- { 0X02, 0X06, 0X1B, 0X89 }, /* -30.0db */
+- { 0X02, 0X24, 0XCE, 0XB0 }, /* -29.5db */
+- { 0X02, 0X45, 0X53, 0X85 }, /* -29.0db */
+- { 0X02, 0X67, 0XC5, 0XA2 }, /* -28.5db */
+- { 0X02, 0X8C, 0X42, 0X3F }, /* -28.0db */
+- { 0X02, 0XB2, 0XE8, 0X55 }, /* -27.5db */
+- { 0X02, 0XDB, 0XD8, 0XAD }, /* -27.0db */
+- { 0X03, 0X07, 0X36, 0X05 }, /* -26.5db */
+- { 0X03, 0X35, 0X25, 0X29 }, /* -26.0db */
+- { 0X03, 0X65, 0XCD, 0X13 }, /* -25.5db */
+- { 0X03, 0X99, 0X57, 0X0C }, /* -25.0db */
+- { 0X03, 0XCF, 0XEE, 0XCF }, /* -24.5db */
+- { 0X04, 0X09, 0XC2, 0XB0 }, /* -24.0db */
+- { 0X04, 0X47, 0X03, 0XC1 }, /* -23.5db */
+- { 0X04, 0X87, 0XE5, 0XFB }, /* -23.0db */
+- { 0X04, 0XCC, 0XA0, 0X6D }, /* -22.5db */
+- { 0X05, 0X15, 0X6D, 0X68 }, /* -22.0db */
+- { 0X05, 0X62, 0X8A, 0XB3 }, /* -21.5db */
+- { 0X05, 0XB4, 0X39, 0XBC }, /* -21.0db */
+- { 0X06, 0X0A, 0XBF, 0XD4 }, /* -20.5db */
+- { 0X06, 0X66, 0X66, 0X66 }, /* -20.0db */
+- { 0X06, 0XC7, 0X7B, 0X36 }, /* -19.5db */
+- { 0X07, 0X2E, 0X50, 0XA6 }, /* -19.0db */
+- { 0X07, 0X9B, 0X3D, 0XF6 }, /* -18.5db */
+- { 0X08, 0X0E, 0X9F, 0X96 }, /* -18.0db */
+- { 0X08, 0X88, 0XD7, 0X6D }, /* -17.5db */
+- { 0X09, 0X0A, 0X4D, 0X2F }, /* -17.0db */
+- { 0X09, 0X93, 0X6E, 0XB8 }, /* -16.5db */
+- { 0X0A, 0X24, 0XB0, 0X62 }, /* -16.0db */
+- { 0X0A, 0XBE, 0X8D, 0X70 }, /* -15.5db */
+- { 0X0B, 0X61, 0X88, 0X71 }, /* -15.0db */
+- { 0X0C, 0X0E, 0X2B, 0XB0 }, /* -14.5db */
+- { 0X0C, 0XC5, 0X09, 0XAB }, /* -14.0db */
+- { 0X0D, 0X86, 0XBD, 0X8D }, /* -13.5db */
+- { 0X0E, 0X53, 0XEB, 0XB3 }, /* -13.0db */
+- { 0X0F, 0X2D, 0X42, 0X38 }, /* -12.5db */
+- { 0X10, 0X13, 0X79, 0X87 }, /* -12.0db */
+- { 0X11, 0X07, 0X54, 0XF9 }, /* -11.5db */
+- { 0X12, 0X09, 0XA3, 0X7A }, /* -11.0db */
+- { 0X13, 0X1B, 0X40, 0X39 }, /* -10.5db */
+- { 0X14, 0X3D, 0X13, 0X62 }, /* -10.0db */
+- { 0X15, 0X70, 0X12, 0XE1 }, /* -9.5db */
+- { 0X16, 0XB5, 0X43, 0X37 }, /* -9.0db */
+- { 0X18, 0X0D, 0XB8, 0X54 }, /* -8.5db */
+- { 0X19, 0X7A, 0X96, 0X7F }, /* -8.0db */
+- { 0X1A, 0XFD, 0X13, 0X54 }, /* -7.5db */
+- { 0X1C, 0X96, 0X76, 0XC6 }, /* -7.0db */
+- { 0X1E, 0X48, 0X1C, 0X37 }, /* -6.5db */
+- { 0X20, 0X13, 0X73, 0X9E }, /* -6.0db */
+- { 0X21, 0XFA, 0X02, 0XBF }, /* -5.5db */
+- { 0X23, 0XFD, 0X66, 0X78 }, /* -5.0db */
+- { 0X26, 0X1F, 0X54, 0X1C }, /* -4.5db */
+- { 0X28, 0X61, 0X9A, 0XE9 }, /* -4.0db */
+- { 0X2A, 0XC6, 0X25, 0X91 }, /* -3.5db */
+- { 0X2D, 0X4E, 0XFB, 0XD5 }, /* -3.0db */
+- { 0X2F, 0XFE, 0X44, 0X48 }, /* -2.5db */
+- { 0X32, 0XD6, 0X46, 0X17 }, /* -2.0db */
+- { 0X35, 0XD9, 0X6B, 0X02 }, /* -1.5db */
+- { 0X39, 0X0A, 0X41, 0X5F }, /* -1.0db */
+- { 0X3C, 0X6B, 0X7E, 0X4F }, /* -0.5db */
+- { 0X40, 0X00, 0X00, 0X00 }, /* 0.0db */
+- { 0X43, 0XCA, 0XD0, 0X22 }, /* 0.5db */
+- { 0X47, 0XCF, 0X26, 0X7D }, /* 1.0db */
+- { 0X4C, 0X10, 0X6B, 0XA5 }, /* 1.5db */
+- { 0X50, 0X92, 0X3B, 0XE3 }, /* 2.0db */
+- { 0X55, 0X58, 0X6A, 0X46 }, /* 2.5db */
+- { 0X5A, 0X67, 0X03, 0XDF }, /* 3.0db */
+- { 0X5F, 0XC2, 0X53, 0X32 }, /* 3.5db */
+- { 0X65, 0X6E, 0XE3, 0XDB }, /* 4.0db */
+- { 0X6B, 0X71, 0X86, 0X68 }, /* 4.5db */
+- { 0X71, 0XCF, 0X54, 0X71 }, /* 5.0db */
+- { 0X78, 0X8D, 0XB4, 0XE9 }, /* 5.5db */
+- { 0XFF, 0XFF, 0XFF, 0XFF }, /* 6.0db */
+-};
+ #endif
+diff --git a/sound/soc/codecs/tas2781-i2c.c b/sound/soc/codecs/tas2781-i2c.c
+index cf8bc7ede6c7c..01b0e1820b38f 100644
+--- a/sound/soc/codecs/tas2781-i2c.c
++++ b/sound/soc/codecs/tas2781-i2c.c
+@@ -30,6 +30,7 @@
+ #include <sound/soc.h>
+ #include <sound/tas2781.h>
+ #include <sound/tlv.h>
++#include <sound/tas2563-tlv.h>
+ #include <sound/tas2781-tlv.h>
+ #include <asm/unaligned.h>
+
+--
+2.43.0
+
--- /dev/null
+From 362e9de98a65607eca8394177f4586dcfddf0af0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 17:02:32 +0200
+Subject: ASoC: tas2781-i2c: Drop weird GPIO code
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit c2c0b67dca3cb3b3cea0dd60075a1c5ba77e2fcd ]
+
+The tas2781-i2c driver gets an IRQ from either ACPI or device tree,
+then proceeds to check if the IRQ has a corresponding GPIO and in
+case it does enforce the GPIO as input and set a label on it.
+
+This is abuse of the API:
+
+- First we cannot guarantee that the numberspaces of the GPIOs and
+ the IRQs are the same, i.e that an IRQ number corresponds to
+ a GPIO number like that.
+
+- Second, GPIO chips and IRQ chips should be treated as orthogonal
+ APIs, the irqchip needs to ascertain that the backing GPIO line
+ is set to input etc just using the irqchip.
+
+- Third it is using the legacy <linux/gpio.h> API which should not
+ be used in new code yet this was added just a year ago.
+
+Delete the offending code.
+
+If this creates problems the GPIO and irqchip maintainers can help
+to fix the issues.
+
+It *should* not create any problems, because the irq isn't
+used anywhere in the driver, it's just obtained and then
+left unused.
+
+Fixes: ef3bcde75d06 ("ASoC: tas2781: Add tas2781 driver")
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://patch.msgid.link/20240807-asoc-tas-gpios-v2-1-bd0f2705d58b@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/sound/tas2781.h | 7 +------
+ sound/pci/hda/tas2781_hda_i2c.c | 2 +-
+ sound/soc/codecs/tas2781-comlib.c | 3 ---
+ sound/soc/codecs/tas2781-fmwlib.c | 1 -
+ sound/soc/codecs/tas2781-i2c.c | 24 +++---------------------
+ 5 files changed, 5 insertions(+), 32 deletions(-)
+
+diff --git a/include/sound/tas2781.h b/include/sound/tas2781.h
+index 18161d02a96f7..dbda552398b5b 100644
+--- a/include/sound/tas2781.h
++++ b/include/sound/tas2781.h
+@@ -81,11 +81,6 @@ struct tasdevice {
+ bool is_loaderr;
+ };
+
+-struct tasdevice_irqinfo {
+- int irq_gpio;
+- int irq;
+-};
+-
+ struct calidata {
+ unsigned char *data;
+ unsigned long total_sz;
+@@ -93,7 +88,6 @@ struct calidata {
+
+ struct tasdevice_priv {
+ struct tasdevice tasdevice[TASDEVICE_MAX_CHANNELS];
+- struct tasdevice_irqinfo irq_info;
+ struct tasdevice_rca rcabin;
+ struct calidata cali_data;
+ struct tasdevice_fw *fmw;
+@@ -115,6 +109,7 @@ struct tasdevice_priv {
+ unsigned int chip_id;
+ unsigned int sysclk;
+
++ int irq;
+ int cur_prog;
+ int cur_conf;
+ int fw_state;
+diff --git a/sound/pci/hda/tas2781_hda_i2c.c b/sound/pci/hda/tas2781_hda_i2c.c
+index 89d8235537cd3..f58f434e7110e 100644
+--- a/sound/pci/hda/tas2781_hda_i2c.c
++++ b/sound/pci/hda/tas2781_hda_i2c.c
+@@ -818,7 +818,7 @@ static int tas2781_hda_i2c_probe(struct i2c_client *clt)
+ } else
+ return -ENODEV;
+
+- tas_hda->priv->irq_info.irq = clt->irq;
++ tas_hda->priv->irq = clt->irq;
+ ret = tas2781_read_acpi(tas_hda->priv, device_name);
+ if (ret)
+ return dev_err_probe(tas_hda->dev, ret,
+diff --git a/sound/soc/codecs/tas2781-comlib.c b/sound/soc/codecs/tas2781-comlib.c
+index 1fbf4560f5cc2..28d8b4d7b9855 100644
+--- a/sound/soc/codecs/tas2781-comlib.c
++++ b/sound/soc/codecs/tas2781-comlib.c
+@@ -14,7 +14,6 @@
+ #include <linux/interrupt.h>
+ #include <linux/module.h>
+ #include <linux/of.h>
+-#include <linux/of_gpio.h>
+ #include <linux/of_irq.h>
+ #include <linux/regmap.h>
+ #include <linux/slab.h>
+@@ -411,8 +410,6 @@ EXPORT_SYMBOL_GPL(tasdevice_dsp_remove);
+
+ void tasdevice_remove(struct tasdevice_priv *tas_priv)
+ {
+- if (gpio_is_valid(tas_priv->irq_info.irq_gpio))
+- gpio_free(tas_priv->irq_info.irq_gpio);
+ mutex_destroy(&tas_priv->codec_lock);
+ }
+ EXPORT_SYMBOL_GPL(tasdevice_remove);
+diff --git a/sound/soc/codecs/tas2781-fmwlib.c b/sound/soc/codecs/tas2781-fmwlib.c
+index 8f9a3ae7153e9..f3a7605f07104 100644
+--- a/sound/soc/codecs/tas2781-fmwlib.c
++++ b/sound/soc/codecs/tas2781-fmwlib.c
+@@ -13,7 +13,6 @@
+ #include <linux/interrupt.h>
+ #include <linux/module.h>
+ #include <linux/of.h>
+-#include <linux/of_gpio.h>
+ #include <linux/of_irq.h>
+ #include <linux/regmap.h>
+ #include <linux/slab.h>
+diff --git a/sound/soc/codecs/tas2781-i2c.c b/sound/soc/codecs/tas2781-i2c.c
+index 01b0e1820b38f..5856a68d60d39 100644
+--- a/sound/soc/codecs/tas2781-i2c.c
++++ b/sound/soc/codecs/tas2781-i2c.c
+@@ -22,7 +22,6 @@
+ #include <linux/module.h>
+ #include <linux/of.h>
+ #include <linux/of_address.h>
+-#include <linux/of_gpio.h>
+ #include <linux/of_irq.h>
+ #include <linux/regmap.h>
+ #include <linux/slab.h>
+@@ -758,7 +757,7 @@ static void tasdevice_parse_dt(struct tasdevice_priv *tas_priv)
+ {
+ struct i2c_client *client = (struct i2c_client *)tas_priv->client;
+ unsigned int dev_addrs[TASDEVICE_MAX_CHANNELS];
+- int rc, i, ndev = 0;
++ int i, ndev = 0;
+
+ if (tas_priv->isacpi) {
+ ndev = device_property_read_u32_array(&client->dev,
+@@ -773,7 +772,7 @@ static void tasdevice_parse_dt(struct tasdevice_priv *tas_priv)
+ "ti,audio-slots", dev_addrs, ndev);
+ }
+
+- tas_priv->irq_info.irq_gpio =
++ tas_priv->irq =
+ acpi_dev_gpio_irq_get(ACPI_COMPANION(&client->dev), 0);
+ } else if (IS_ENABLED(CONFIG_OF)) {
+ struct device_node *np = tas_priv->dev->of_node;
+@@ -785,7 +784,7 @@ static void tasdevice_parse_dt(struct tasdevice_priv *tas_priv)
+ dev_addrs[ndev++] = addr;
+ }
+
+- tas_priv->irq_info.irq_gpio = of_irq_get(np, 0);
++ tas_priv->irq = of_irq_get(np, 0);
+ } else {
+ ndev = 1;
+ dev_addrs[0] = client->addr;
+@@ -801,23 +800,6 @@ static void tasdevice_parse_dt(struct tasdevice_priv *tas_priv)
+ __func__);
+
+ strcpy(tas_priv->dev_name, tasdevice_id[tas_priv->chip_id].name);
+-
+- if (gpio_is_valid(tas_priv->irq_info.irq_gpio)) {
+- rc = gpio_request(tas_priv->irq_info.irq_gpio,
+- "AUDEV-IRQ");
+- if (!rc) {
+- gpio_direction_input(
+- tas_priv->irq_info.irq_gpio);
+-
+- tas_priv->irq_info.irq =
+- gpio_to_irq(tas_priv->irq_info.irq_gpio);
+- } else
+- dev_err(tas_priv->dev, "%s: GPIO %d request error\n",
+- __func__, tas_priv->irq_info.irq_gpio);
+- } else
+- dev_err(tas_priv->dev,
+- "Looking up irq-gpio property failed %d\n",
+- tas_priv->irq_info.irq_gpio);
+ }
+
+ static int tasdevice_i2c_probe(struct i2c_client *i2c)
+--
+2.43.0
+
--- /dev/null
+From 0ff8cafb2200159ca713bb5a89a03148c1d8e2ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 17:02:33 +0200
+Subject: ASoC: tas2781-i2c: Get the right GPIO line
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit 1c4b509edad15192bfb64c81d3c305bbae8070db ]
+
+The code is obtaining a GPIO reset using the reset GPIO
+name "reset-gpios", but the gpiolib is already adding the
+suffix "-gpios" to anything passed to this function and
+will be looking for "reset-gpios-gpios" which is most
+certainly not what the author desired.
+
+Fix it up.
+
+Fixes: ef3bcde75d06 ("ASoC: tas2781: Add tas2781 driver")
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://patch.msgid.link/20240807-asoc-tas-gpios-v2-2-bd0f2705d58b@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/tas2781-i2c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/tas2781-i2c.c b/sound/soc/codecs/tas2781-i2c.c
+index 5856a68d60d39..ea9c6bafa1c3a 100644
+--- a/sound/soc/codecs/tas2781-i2c.c
++++ b/sound/soc/codecs/tas2781-i2c.c
+@@ -794,7 +794,7 @@ static void tasdevice_parse_dt(struct tasdevice_priv *tas_priv)
+ tas_priv->tasdevice[i].dev_addr = dev_addrs[i];
+
+ tas_priv->reset = devm_gpiod_get_optional(&client->dev,
+- "reset-gpios", GPIOD_OUT_HIGH);
++ "reset", GPIOD_OUT_HIGH);
+ if (IS_ERR(tas_priv->reset))
+ dev_err(tas_priv->dev, "%s Can't get reset GPIO\n",
+ __func__);
+--
+2.43.0
+
--- /dev/null
+From 43950fe5a2694c5664ccb02341ceaa76dd901bc0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 17:42:38 +0200
+Subject: ata: libata: Clear DID_TIME_OUT for ATA PT commands with sense data
+
+From: Niklas Cassel <cassel@kernel.org>
+
+[ Upstream commit e5dd410acb34c7341a0a93b429dcf3dabf9e3323 ]
+
+When ata_qc_complete() schedules a command for EH using
+ata_qc_schedule_eh(), blk_abort_request() will be called, which leads to
+req->q->mq_ops->timeout() / scsi_timeout() being called.
+
+scsi_timeout(), if the LLDD has no abort handler (libata has no abort
+handler), will set host byte to DID_TIME_OUT, and then call
+scsi_eh_scmd_add() to add the command to EH.
+
+Thus, when commands first enter libata's EH strategy_handler, all the
+commands that have been added to EH will have DID_TIME_OUT set.
+
+libata has its own flag (AC_ERR_TIMEOUT), that it sets for commands that
+have not received a completion at the time of entering EH.
+
+Thus, libata doesn't really care about DID_TIME_OUT at all, and currently
+clears the host byte at the end of EH, in ata_scsi_qc_complete(), before
+scsi_eh_finish_cmd() is called.
+
+However, this clearing in ata_scsi_qc_complete() is currently only done
+for commands that are not ATA passthrough commands.
+
+Since the host byte is visible in the completion that we return to user
+space for ATA passthrough commands, for ATA passthrough commands that got
+completed via EH (commands with sense data), the user will incorrectly see:
+ATA pass-through(16): transport error: Host_status=0x03 [DID_TIME_OUT]
+
+Fix this by moving the clearing of the host byte (which is currently only
+done for commands that are not ATA passthrough commands) from
+ata_scsi_qc_complete() to the start of EH (regardless if the command is
+ATA passthrough or not).
+
+While at it, use the proper helper function to clear the host byte, rather
+than open coding the clearing.
+
+This will make sure that we:
+-Correctly clear DID_TIME_OUT for both ATA passthrough commands and
+ commands that are not ATA passthrough commands.
+-Do not needlessly clear the host byte for commands that did not go via EH.
+ ata_scsi_qc_complete() is called both for commands that are completed
+ normally (without going via EH), and for commands that went via EH,
+ however, only commands that went via EH will have DID_TIME_OUT set.
+
+Fixes: 24aeebbf8ea9 ("scsi: ata: libata: Change ata_eh_request_sense() to not set CHECK_CONDITION")
+Reported-by: Igor Pylypiv <ipylypiv@google.com>
+Closes: https://lore.kernel.org/linux-ide/ZttIN8He8TOZ7Lct@google.com/
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Tested-by: Igor Pylypiv <ipylypiv@google.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-eh.c | 8 ++++++++
+ drivers/ata/libata-scsi.c | 3 ---
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c
+index 214b935c2ced7..7df9ec9f924c4 100644
+--- a/drivers/ata/libata-eh.c
++++ b/drivers/ata/libata-eh.c
+@@ -630,6 +630,14 @@ void ata_scsi_cmd_error_handler(struct Scsi_Host *host, struct ata_port *ap,
+ list_for_each_entry_safe(scmd, tmp, eh_work_q, eh_entry) {
+ struct ata_queued_cmd *qc;
+
++ /*
++ * If the scmd was added to EH, via ata_qc_schedule_eh() ->
++ * scsi_timeout() -> scsi_eh_scmd_add(), scsi_timeout() will
++ * have set DID_TIME_OUT (since libata does not have an abort
++ * handler). Thus, to clear DID_TIME_OUT, clear the host byte.
++ */
++ set_host_byte(scmd, DID_OK);
++
+ ata_qc_for_each_raw(ap, qc, i) {
+ if (qc->flags & ATA_QCFLAG_ACTIVE &&
+ qc->scsicmd == scmd)
+diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
+index 473e00a58a8b0..fc8d99ea2e581 100644
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -1691,9 +1691,6 @@ static void ata_scsi_qc_complete(struct ata_queued_cmd *qc)
+ set_status_byte(qc->scsicmd, SAM_STAT_CHECK_CONDITION);
+ } else if (is_error && !have_sense) {
+ ata_gen_ata_sense(qc);
+- } else {
+- /* Keep the SCSI ML and status byte, clear host byte. */
+- cmd->result &= 0x0000ffff;
+ }
+
+ ata_qc_done(qc);
+--
+2.43.0
+
--- /dev/null
+From 84748b027762ef3e3c4202b48904411b9641838a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jul 2024 23:10:27 +1000
+Subject: autofs: fix missing fput for FSCONFIG_SET_FD
+
+From: Aleksa Sarai <cyphar@cyphar.com>
+
+[ Upstream commit 6a64c5220c5df235448b846aeff3c0660d4cc83e ]
+
+If you pass an fd using FSCONFIG_SET_FD, autofs_parse_fd() "steals" the
+param->file and so the fs_context infrastructure will not do fput() for
+us.
+
+Fixes: e6ec453bd0f0 ("autofs: convert autofs to use the new mount api")
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+Link: https://lore.kernel.org/r/20240731-fsconfig-fsparam_fd-fixes-v2-1-e7c472224417@cyphar.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/autofs/inode.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/autofs/inode.c b/fs/autofs/inode.c
+index cf792d4de4f1b..64faa6c51f60a 100644
+--- a/fs/autofs/inode.c
++++ b/fs/autofs/inode.c
+@@ -172,8 +172,7 @@ static int autofs_parse_fd(struct fs_context *fc, struct autofs_sb_info *sbi,
+ ret = autofs_check_pipe(pipe);
+ if (ret < 0) {
+ errorf(fc, "Invalid/unusable pipe");
+- if (param->type != fs_value_is_file)
+- fput(pipe);
++ fput(pipe);
+ return -EBADF;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 3960e76fa6333c6c64e1b65a9be3dbdd9b7a41d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2024 11:20:58 +0200
+Subject: bareudp: Pull inner IP header in bareudp_udp_encap_recv().
+
+From: Guillaume Nault <gnault@redhat.com>
+
+[ Upstream commit 45fa29c85117170b0508790f878b13ec6593c888 ]
+
+Bareudp reads the inner IP header to get the ECN value. Therefore, it
+needs to ensure that it's part of the skb's linear data.
+
+This is similar to the vxlan and geneve fixes for that same problem:
+ * commit f7789419137b ("vxlan: Pull inner IP header in vxlan_rcv().")
+ * commit 1ca1ba465e55 ("geneve: make sure to pull inner header in
+ geneve_rx()")
+
+Fixes: 571912c69f0e ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/5205940067c40218a70fbb888080466b2fc288db.1726046181.git.gnault@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bareudp.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c
+index 7aca0544fb29c..b4e820a123caf 100644
+--- a/drivers/net/bareudp.c
++++ b/drivers/net/bareudp.c
+@@ -68,6 +68,7 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
+ __be16 proto;
+ void *oiph;
+ int err;
++ int nh;
+
+ bareudp = rcu_dereference_sk_user_data(sk);
+ if (!bareudp)
+@@ -148,10 +149,25 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
+ }
+ skb_dst_set(skb, &tun_dst->dst);
+ skb->dev = bareudp->dev;
+- oiph = skb_network_header(skb);
+- skb_reset_network_header(skb);
+ skb_reset_mac_header(skb);
+
++ /* Save offset of outer header relative to skb->head,
++ * because we are going to reset the network header to the inner header
++ * and might change skb->head.
++ */
++ nh = skb_network_header(skb) - skb->head;
++
++ skb_reset_network_header(skb);
++
++ if (!pskb_inet_may_pull(skb)) {
++ DEV_STATS_INC(bareudp->dev, rx_length_errors);
++ DEV_STATS_INC(bareudp->dev, rx_errors);
++ goto drop;
++ }
++
++ /* Get the outer header. */
++ oiph = skb->head + nh;
++
+ if (!ipv6_mod_enabled() || family == AF_INET)
+ err = IP_ECN_decapsulate(oiph, skb);
+ else
+--
+2.43.0
+
--- /dev/null
+From 14123a9da590870322f698e12d84122e76bdd7fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2024 11:21:05 +0200
+Subject: bareudp: Pull inner IP header on xmit.
+
+From: Guillaume Nault <gnault@redhat.com>
+
+[ Upstream commit c471236b2359e6b27388475dd04fff0a5e2bf922 ]
+
+Both bareudp_xmit_skb() and bareudp6_xmit_skb() read their skb's inner
+IP header to get its ECN value (with ip_tunnel_ecn_encap()). Therefore
+we need to ensure that the inner IP header is part of the skb's linear
+data.
+
+Fixes: 571912c69f0e ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/267328222f0a11519c6de04c640a4f87a38ea9ed.1726046181.git.gnault@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bareudp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c
+index b4e820a123caf..e80992b4f9de9 100644
+--- a/drivers/net/bareudp.c
++++ b/drivers/net/bareudp.c
+@@ -317,6 +317,9 @@ static int bareudp_xmit_skb(struct sk_buff *skb, struct net_device *dev,
+ __be32 saddr;
+ int err;
+
++ if (!skb_vlan_inet_prepare(skb, skb->protocol != htons(ETH_P_TEB)))
++ return -EINVAL;
++
+ if (!sock)
+ return -ESHUTDOWN;
+
+@@ -384,6 +387,9 @@ static int bareudp6_xmit_skb(struct sk_buff *skb, struct net_device *dev,
+ __be16 sport;
+ int err;
+
++ if (!skb_vlan_inet_prepare(skb, skb->protocol != htons(ETH_P_TEB)))
++ return -EINVAL;
++
+ if (!sock)
+ return -ESHUTDOWN;
+
+--
+2.43.0
+
--- /dev/null
+From 7a2e952cba6cf82f1373f4a0e97941308d670de9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 21:03:27 +0800
+Subject: block, bfq: choose the last bfqq from merge chain in
+ bfq_setup_cooperator()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 0e456dba86c7f9a19792204a044835f1ca2c8dbb ]
+
+Consider the following merge chain:
+
+Process 1 Process 2 Process 3 Process 4
+ (BIC1) (BIC2) (BIC3) (BIC4)
+ Λ | | |
+ \--------------\ \-------------\ \-------------\|
+ V V V
+ bfqq1--------->bfqq2---------->bfqq3----------->bfqq4
+
+IO from Process 1 will get bfqf2 from BIC1 first, then
+bfq_setup_cooperator() will found bfqq2 already merged to bfqq3 and then
+handle this IO from bfqq3. However, the merge chain can be much deeper
+and bfqq3 can be merged to other bfqq as well.
+
+Fix this problem by iterating to the last bfqq in
+bfq_setup_cooperator().
+
+Fixes: 36eca8948323 ("block, bfq: add Early Queue Merge (EQM)")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20240902130329.3787024-3-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 83adac3e71dbe..ffaa0d56328a5 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -2911,8 +2911,12 @@ bfq_setup_cooperator(struct bfq_data *bfqd, struct bfq_queue *bfqq,
+ struct bfq_iocq_bfqq_data *bfqq_data = &bic->bfqq_data[a_idx];
+
+ /* if a merge has already been setup, then proceed with that first */
+- if (bfqq->new_bfqq)
+- return bfqq->new_bfqq;
++ new_bfqq = bfqq->new_bfqq;
++ if (new_bfqq) {
++ while (new_bfqq->new_bfqq)
++ new_bfqq = new_bfqq->new_bfqq;
++ return new_bfqq;
++ }
+
+ /*
+ * Check delayed stable merge for rotational or non-queueing
+--
+2.43.0
+
--- /dev/null
+From e6883c87cd93a297e226e08aea870abc4e751e74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 21:03:28 +0800
+Subject: block, bfq: don't break merge chain in bfq_split_bfqq()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 42c306ed723321af4003b2a41bb73728cab54f85 ]
+
+Consider the following scenario:
+
+ Process 1 Process 2 Process 3 Process 4
+ (BIC1) (BIC2) (BIC3) (BIC4)
+ Λ | | |
+ \-------------\ \-------------\ \--------------\|
+ V V V
+ bfqq1--------->bfqq2---------->bfqq3----------->bfqq4
+ref 0 1 2 4
+
+If Process 1 issue a new IO and bfqq2 is found, and then bfq_init_rq()
+decide to spilt bfqq2 by bfq_split_bfqq(). Howerver, procress reference
+of bfqq2 is 1 and bfq_split_bfqq() just clear the coop flag, which will
+break the merge chain.
+
+Expected result: caller will allocate a new bfqq for BIC1
+
+ Process 1 Process 2 Process 3 Process 4
+ (BIC1) (BIC2) (BIC3) (BIC4)
+ | | |
+ \-------------\ \--------------\|
+ V V
+ bfqq1--------->bfqq2---------->bfqq3----------->bfqq4
+ref 0 0 1 3
+
+Since the condition is only used for the last bfqq4 when the previous
+bfqq2 and bfqq3 are already splited. Fix the problem by checking if
+bfqq is the last one in the merge chain as well.
+
+Fixes: 36eca8948323 ("block, bfq: add Early Queue Merge (EQM)")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20240902130329.3787024-4-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index ffaa0d56328a5..ca766b7d5560e 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -6727,7 +6727,7 @@ bfq_split_bfqq(struct bfq_io_cq *bic, struct bfq_queue *bfqq)
+ {
+ bfq_log_bfqq(bfqq->bfqd, bfqq, "splitting queue");
+
+- if (bfqq_process_refs(bfqq) == 1) {
++ if (bfqq_process_refs(bfqq) == 1 && !bfqq->new_bfqq) {
+ bfqq->pid = current->pid;
+ bfq_clear_bfqq_coop(bfqq);
+ bfq_clear_bfqq_split_coop(bfqq);
+--
+2.43.0
+
--- /dev/null
+From a8df9794f5a5ca525eb50e52975b66910d553b33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 21:03:26 +0800
+Subject: block, bfq: fix possible UAF for bfqq->bic with merge chain
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 18ad4df091dd5d067d2faa8fce1180b79f7041a7 ]
+
+1) initial state, three tasks:
+
+ Process 1 Process 2 Process 3
+ (BIC1) (BIC2) (BIC3)
+ | Λ | Λ | Λ
+ | | | | | |
+ V | V | V |
+ bfqq1 bfqq2 bfqq3
+process ref: 1 1 1
+
+2) bfqq1 merged to bfqq2:
+
+ Process 1 Process 2 Process 3
+ (BIC1) (BIC2) (BIC3)
+ | | | Λ
+ \--------------\| | |
+ V V |
+ bfqq1--------->bfqq2 bfqq3
+process ref: 0 2 1
+
+3) bfqq2 merged to bfqq3:
+
+ Process 1 Process 2 Process 3
+ (BIC1) (BIC2) (BIC3)
+ here -> Λ | |
+ \--------------\ \-------------\|
+ V V
+ bfqq1--------->bfqq2---------->bfqq3
+process ref: 0 1 3
+
+In this case, IO from Process 1 will get bfqq2 from BIC1 first, and then
+get bfqq3 through merge chain, and finially handle IO by bfqq3.
+Howerver, current code will think bfqq2 is owned by BIC1, like initial
+state, and set bfqq2->bic to BIC1.
+
+bfq_insert_request
+-> by Process 1
+ bfqq = bfq_init_rq(rq)
+ bfqq = bfq_get_bfqq_handle_split
+ bfqq = bic_to_bfqq
+ -> get bfqq2 from BIC1
+ bfqq->ref++
+ rq->elv.priv[0] = bic
+ rq->elv.priv[1] = bfqq
+ if (bfqq_process_refs(bfqq) == 1)
+ bfqq->bic = bic
+ -> record BIC1 to bfqq2
+
+ __bfq_insert_request
+ new_bfqq = bfq_setup_cooperator
+ -> get bfqq3 from bfqq2->new_bfqq
+ bfqq_request_freed(bfqq)
+ new_bfqq->ref++
+ rq->elv.priv[1] = new_bfqq
+ -> handle IO by bfqq3
+
+Fix the problem by checking bfqq is from merge chain fist. And this
+might fix a following problem reported by our syzkaller(unreproducible):
+
+==================================================================
+BUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
+BUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
+BUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
+Write of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595
+
+CPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G L 6.6.0-07439-gba2303cacfda #6
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
+Workqueue: kblockd blk_mq_requeue_work
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:364 [inline]
+ print_report+0x10d/0x610 mm/kasan/report.c:475
+ kasan_report+0x8e/0xc0 mm/kasan/report.c:588
+ bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
+ bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
+ bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
+ bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757
+ bfq_init_rq block/bfq-iosched.c:6876 [inline]
+ bfq_insert_request block/bfq-iosched.c:6254 [inline]
+ bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304
+ blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593
+ blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502
+ process_one_work kernel/workqueue.c:2627 [inline]
+ process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
+ worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
+ kthread+0x33c/0x440 kernel/kthread.c:388
+ ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
+ </TASK>
+
+Allocated by task 20776:
+ kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+ __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328
+ kasan_slab_alloc include/linux/kasan.h:188 [inline]
+ slab_post_alloc_hook mm/slab.h:763 [inline]
+ slab_alloc_node mm/slub.c:3458 [inline]
+ kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503
+ ioc_create_icq block/blk-ioc.c:370 [inline]
+ ioc_find_get_icq+0x180/0xaa0 block/blk-ioc.c:436
+ bfq_prepare_request+0x39/0xf0 block/bfq-iosched.c:6812
+ blk_mq_rq_ctx_init.isra.7+0x6ac/0xa00 block/blk-mq.c:403
+ __blk_mq_alloc_requests+0xcc0/0x1070 block/blk-mq.c:517
+ blk_mq_get_new_requests block/blk-mq.c:2940 [inline]
+ blk_mq_submit_bio+0x624/0x27c0 block/blk-mq.c:3042
+ __submit_bio+0x331/0x6f0 block/blk-core.c:624
+ __submit_bio_noacct_mq block/blk-core.c:703 [inline]
+ submit_bio_noacct_nocheck+0x816/0xb40 block/blk-core.c:732
+ submit_bio_noacct+0x7a6/0x1b50 block/blk-core.c:826
+ xlog_write_iclog+0x7d5/0xa00 fs/xfs/xfs_log.c:1958
+ xlog_state_release_iclog+0x3b8/0x720 fs/xfs/xfs_log.c:619
+ xlog_cil_push_work+0x19c5/0x2270 fs/xfs/xfs_log_cil.c:1330
+ process_one_work kernel/workqueue.c:2627 [inline]
+ process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
+ worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
+ kthread+0x33c/0x440 kernel/kthread.c:388
+ ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
+
+Freed by task 946:
+ kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+ kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522
+ ____kasan_slab_free mm/kasan/common.c:236 [inline]
+ __kasan_slab_free+0x12c/0x1c0 mm/kasan/common.c:244
+ kasan_slab_free include/linux/kasan.h:164 [inline]
+ slab_free_hook mm/slub.c:1815 [inline]
+ slab_free_freelist_hook mm/slub.c:1841 [inline]
+ slab_free mm/slub.c:3786 [inline]
+ kmem_cache_free+0x118/0x6f0 mm/slub.c:3808
+ rcu_do_batch+0x35c/0xe30 kernel/rcu/tree.c:2189
+ rcu_core+0x819/0xd90 kernel/rcu/tree.c:2462
+ __do_softirq+0x1b0/0x7a2 kernel/softirq.c:553
+
+Last potentially related work creation:
+ kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
+ __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:492
+ __call_rcu_common kernel/rcu/tree.c:2712 [inline]
+ call_rcu+0xce/0x1020 kernel/rcu/tree.c:2826
+ ioc_destroy_icq+0x54c/0x830 block/blk-ioc.c:105
+ ioc_release_fn+0xf0/0x360 block/blk-ioc.c:124
+ process_one_work kernel/workqueue.c:2627 [inline]
+ process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
+ worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
+ kthread+0x33c/0x440 kernel/kthread.c:388
+ ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
+
+Second to last potentially related work creation:
+ kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
+ __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:492
+ __call_rcu_common kernel/rcu/tree.c:2712 [inline]
+ call_rcu+0xce/0x1020 kernel/rcu/tree.c:2826
+ ioc_destroy_icq+0x54c/0x830 block/blk-ioc.c:105
+ ioc_release_fn+0xf0/0x360 block/blk-ioc.c:124
+ process_one_work kernel/workqueue.c:2627 [inline]
+ process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
+ worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
+ kthread+0x33c/0x440 kernel/kthread.c:388
+ ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
+
+The buggy address belongs to the object at ffff888123839d68
+ which belongs to the cache bfq_io_cq of size 1360
+The buggy address is located 336 bytes inside of
+ freed 1360-byte region [ffff888123839d68, ffff88812383a2b8)
+
+The buggy address belongs to the physical page:
+page:ffffea00048e0e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88812383f588 pfn:0x123838
+head:ffffea00048e0e00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+flags: 0x17ffffc0000a40(workingset|slab|head|node=0|zone=2|lastcpupid=0x1fffff)
+page_type: 0xffffffff()
+raw: 0017ffffc0000a40 ffff88810588c200 ffffea00048ffa10 ffff888105889488
+raw: ffff88812383f588 0000000000150006 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff888123839d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888123839e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff888123839e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff888123839f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888123839f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+Fixes: 36eca8948323 ("block, bfq: add Early Queue Merge (EQM)")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20240902130329.3787024-2-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 36a4998c4b378..83adac3e71dbe 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -6934,7 +6934,8 @@ static struct bfq_queue *bfq_init_rq(struct request *rq)
+ * addition, if the queue has also just been split, we have to
+ * resume its state.
+ */
+- if (likely(bfqq != &bfqd->oom_bfqq) && bfqq_process_refs(bfqq) == 1) {
++ if (likely(bfqq != &bfqd->oom_bfqq) && !bfqq->new_bfqq &&
++ bfqq_process_refs(bfqq) == 1) {
+ bfqq->bic = bic;
+ if (split) {
+ /*
+--
+2.43.0
+
--- /dev/null
+From bd251e1f930c271204f7f9c443436c49d5eaba59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 21:41:49 +0800
+Subject: block, bfq: fix procress reference leakage for bfqq in merge chain
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 73aeab373557fa6ee4ae0b742c6211ccd9859280 ]
+
+Original state:
+
+ Process 1 Process 2 Process 3 Process 4
+ (BIC1) (BIC2) (BIC3) (BIC4)
+ Λ | | |
+ \--------------\ \-------------\ \-------------\|
+ V V V
+ bfqq1--------->bfqq2---------->bfqq3----------->bfqq4
+ ref 0 1 2 4
+
+After commit 0e456dba86c7 ("block, bfq: choose the last bfqq from merge
+chain in bfq_setup_cooperator()"), if P1 issues a new IO:
+
+Without the patch:
+
+ Process 1 Process 2 Process 3 Process 4
+ (BIC1) (BIC2) (BIC3) (BIC4)
+ Λ | | |
+ \------------------------------\ \-------------\|
+ V V
+ bfqq1--------->bfqq2---------->bfqq3----------->bfqq4
+ ref 0 0 2 4
+
+bfqq3 will be used to handle IO from P1, this is not expected, IO
+should be redirected to bfqq4;
+
+With the patch:
+
+ -------------------------------------------
+ | |
+ Process 1 Process 2 Process 3 | Process 4
+ (BIC1) (BIC2) (BIC3) | (BIC4)
+ | | | |
+ \-------------\ \-------------\|
+ V V
+ bfqq1--------->bfqq2---------->bfqq3----------->bfqq4
+ ref 0 0 2 4
+
+IO is redirected to bfqq4, however, procress reference of bfqq3 is still
+2, while there is only P2 using it.
+
+Fix the problem by calling bfq_merge_bfqqs() for each bfqq in the merge
+chain. Also change bfqq_merge_bfqqs() to return new_bfqq to simplify
+code.
+
+Fixes: 0e456dba86c7 ("block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator()")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20240909134154.954924-3-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 37 +++++++++++++++++--------------------
+ 1 file changed, 17 insertions(+), 20 deletions(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 8533e92c5d9ef..1cc40a857fb85 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -3129,10 +3129,12 @@ void bfq_release_process_ref(struct bfq_data *bfqd, struct bfq_queue *bfqq)
+ bfq_put_queue(bfqq);
+ }
+
+-static void
+-bfq_merge_bfqqs(struct bfq_data *bfqd, struct bfq_io_cq *bic,
+- struct bfq_queue *bfqq, struct bfq_queue *new_bfqq)
++static struct bfq_queue *bfq_merge_bfqqs(struct bfq_data *bfqd,
++ struct bfq_io_cq *bic,
++ struct bfq_queue *bfqq)
+ {
++ struct bfq_queue *new_bfqq = bfqq->new_bfqq;
++
+ bfq_log_bfqq(bfqd, bfqq, "merging with queue %lu",
+ (unsigned long)new_bfqq->pid);
+ /* Save weight raising and idle window of the merged queues */
+@@ -3226,6 +3228,8 @@ bfq_merge_bfqqs(struct bfq_data *bfqd, struct bfq_io_cq *bic,
+ bfq_reassign_last_bfqq(bfqq, new_bfqq);
+
+ bfq_release_process_ref(bfqd, bfqq);
++
++ return new_bfqq;
+ }
+
+ static bool bfq_allow_bio_merge(struct request_queue *q, struct request *rq,
+@@ -3261,14 +3265,8 @@ static bool bfq_allow_bio_merge(struct request_queue *q, struct request *rq,
+ * fulfilled, i.e., bic can be redirected to new_bfqq
+ * and bfqq can be put.
+ */
+- bfq_merge_bfqqs(bfqd, bfqd->bio_bic, bfqq,
+- new_bfqq);
+- /*
+- * If we get here, bio will be queued into new_queue,
+- * so use new_bfqq to decide whether bio and rq can be
+- * merged.
+- */
+- bfqq = new_bfqq;
++ while (bfqq != new_bfqq)
++ bfqq = bfq_merge_bfqqs(bfqd, bfqd->bio_bic, bfqq);
+
+ /*
+ * Change also bqfd->bio_bfqq, as
+@@ -5705,9 +5703,7 @@ bfq_do_early_stable_merge(struct bfq_data *bfqd, struct bfq_queue *bfqq,
+ * state before killing it.
+ */
+ bfqq->bic = bic;
+- bfq_merge_bfqqs(bfqd, bic, bfqq, new_bfqq);
+-
+- return new_bfqq;
++ return bfq_merge_bfqqs(bfqd, bic, bfqq);
+ }
+
+ /*
+@@ -6162,6 +6158,7 @@ static bool __bfq_insert_request(struct bfq_data *bfqd, struct request *rq)
+ bool waiting, idle_timer_disabled = false;
+
+ if (new_bfqq) {
++ struct bfq_queue *old_bfqq = bfqq;
+ /*
+ * Release the request's reference to the old bfqq
+ * and make sure one is taken to the shared queue.
+@@ -6178,18 +6175,18 @@ static bool __bfq_insert_request(struct bfq_data *bfqd, struct request *rq)
+ * new_bfqq.
+ */
+ if (bic_to_bfqq(RQ_BIC(rq), true,
+- bfq_actuator_index(bfqd, rq->bio)) == bfqq)
+- bfq_merge_bfqqs(bfqd, RQ_BIC(rq),
+- bfqq, new_bfqq);
++ bfq_actuator_index(bfqd, rq->bio)) == bfqq) {
++ while (bfqq != new_bfqq)
++ bfqq = bfq_merge_bfqqs(bfqd, RQ_BIC(rq), bfqq);
++ }
+
+- bfq_clear_bfqq_just_created(bfqq);
++ bfq_clear_bfqq_just_created(old_bfqq);
+ /*
+ * rq is about to be enqueued into new_bfqq,
+ * release rq reference on bfqq
+ */
+- bfq_put_queue(bfqq);
++ bfq_put_queue(old_bfqq);
+ rq->elv.priv[1] = new_bfqq;
+- bfqq = new_bfqq;
+ }
+
+ bfq_update_io_thinktime(bfqd, bfqq);
+--
+2.43.0
+
--- /dev/null
+From c87f60cf3c0b1beb8aa1e2e1640abde4a7c75179 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 21:41:48 +0800
+Subject: block, bfq: fix uaf for accessing waker_bfqq after splitting
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 1ba0403ac6447f2d63914fb760c44a3b19c44eaf ]
+
+After commit 42c306ed7233 ("block, bfq: don't break merge chain in
+bfq_split_bfqq()"), if the current procress is the last holder of bfqq,
+the bfqq can be freed after bfq_split_bfqq(). Hence recored the bfqq and
+then access bfqq->waker_bfqq may trigger UAF. What's more, the waker_bfqq
+may in the merge chain of bfqq, hence just recored waker_bfqq is still
+not safe.
+
+Fix the problem by adding a helper bfq_waker_bfqq() to check if
+bfqq->waker_bfqq is in the merge chain, and current procress is the only
+holder.
+
+Fixes: 42c306ed7233 ("block, bfq: don't break merge chain in bfq_split_bfqq()")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20240909134154.954924-2-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 31 ++++++++++++++++++++++++++++---
+ 1 file changed, 28 insertions(+), 3 deletions(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index ca766b7d5560e..8533e92c5d9ef 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -6825,6 +6825,31 @@ static void bfq_prepare_request(struct request *rq)
+ rq->elv.priv[0] = rq->elv.priv[1] = NULL;
+ }
+
++static struct bfq_queue *bfq_waker_bfqq(struct bfq_queue *bfqq)
++{
++ struct bfq_queue *new_bfqq = bfqq->new_bfqq;
++ struct bfq_queue *waker_bfqq = bfqq->waker_bfqq;
++
++ if (!waker_bfqq)
++ return NULL;
++
++ while (new_bfqq) {
++ if (new_bfqq == waker_bfqq) {
++ /*
++ * If waker_bfqq is in the merge chain, and current
++ * is the only procress.
++ */
++ if (bfqq_process_refs(waker_bfqq) == 1)
++ return NULL;
++ break;
++ }
++
++ new_bfqq = new_bfqq->new_bfqq;
++ }
++
++ return waker_bfqq;
++}
++
+ /*
+ * If needed, init rq, allocate bfq data structures associated with
+ * rq, and increment reference counters in the destination bfq_queue
+@@ -6886,7 +6911,7 @@ static struct bfq_queue *bfq_init_rq(struct request *rq)
+ /* If the queue was seeky for too long, break it apart. */
+ if (bfq_bfqq_coop(bfqq) && bfq_bfqq_split_coop(bfqq) &&
+ !bic->bfqq_data[a_idx].stably_merged) {
+- struct bfq_queue *old_bfqq = bfqq;
++ struct bfq_queue *waker_bfqq = bfq_waker_bfqq(bfqq);
+
+ /* Update bic before losing reference to bfqq */
+ if (bfq_bfqq_in_large_burst(bfqq))
+@@ -6906,7 +6931,7 @@ static struct bfq_queue *bfq_init_rq(struct request *rq)
+ bfqq_already_existing = true;
+
+ if (!bfqq_already_existing) {
+- bfqq->waker_bfqq = old_bfqq->waker_bfqq;
++ bfqq->waker_bfqq = waker_bfqq;
+ bfqq->tentative_waker_bfqq = NULL;
+
+ /*
+@@ -6916,7 +6941,7 @@ static struct bfq_queue *bfq_init_rq(struct request *rq)
+ * woken_list of the waker. See
+ * bfq_check_waker for details.
+ */
+- if (bfqq->waker_bfqq)
++ if (waker_bfqq)
+ hlist_add_head(&bfqq->woken_list_node,
+ &bfqq->waker_bfqq->woken_list);
+ }
+--
+2.43.0
+
--- /dev/null
+From ed3a2dcabcae91577f92bd4f735aa0b56e20df85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2024 18:59:54 +0530
+Subject: block: fix potential invalid pointer dereference in blk_add_partition
+
+From: Riyan Dhiman <riyandhiman14@gmail.com>
+
+[ Upstream commit 26e197b7f9240a4ac301dd0ad520c0c697c2ea7d ]
+
+The blk_add_partition() function initially used a single if-condition
+(IS_ERR(part)) to check for errors when adding a partition. This was
+modified to handle the specific case of -ENXIO separately, allowing the
+function to proceed without logging the error in this case. However,
+this change unintentionally left a path where md_autodetect_dev()
+could be called without confirming that part is a valid pointer.
+
+This commit separates the error handling logic by splitting the
+initial if-condition, improving code readability and handling specific
+error scenarios explicitly. The function now distinguishes the general
+error case from -ENXIO without altering the existing behavior of
+md_autodetect_dev() calls.
+
+Fixes: b72053072c0b (block: allow partitions on host aware zone devices)
+Signed-off-by: Riyan Dhiman <riyandhiman14@gmail.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20240911132954.5874-1-riyandhiman14@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/partitions/core.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/block/partitions/core.c b/block/partitions/core.c
+index ab76e64f0f6c3..5bd7a603092ea 100644
+--- a/block/partitions/core.c
++++ b/block/partitions/core.c
+@@ -555,9 +555,11 @@ static bool blk_add_partition(struct gendisk *disk,
+
+ part = add_partition(disk, p, from, size, state->parts[p].flags,
+ &state->parts[p].info);
+- if (IS_ERR(part) && PTR_ERR(part) != -ENXIO) {
+- printk(KERN_ERR " %s: p%d could not be added: %pe\n",
+- disk->disk_name, p, part);
++ if (IS_ERR(part)) {
++ if (PTR_ERR(part) != -ENXIO) {
++ printk(KERN_ERR " %s: p%d could not be added: %pe\n",
++ disk->disk_name, p, part);
++ }
+ return true;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 1952304591d6cfc251003ffecda64ee22d92092a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 16:51:52 -0400
+Subject: Bluetooth: btusb: Fix not handling ZPL/short-transfer
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 7b05933340f4490ef5b09e84d644d12484b05fdf ]
+
+Requesting transfers of the exact same size of wMaxPacketSize may result
+in ZPL/short-transfer since the USB stack cannot handle it as we are
+limiting the buffer size to be the same as wMaxPacketSize.
+
+Also, in terms of throughput this change has the same effect to
+interrupt endpoint as 290ba200815f "Bluetooth: Improve USB driver throughput
+by increasing the frame size" had for the bulk endpoint, so users of the
+advertisement bearer (e.g. BT Mesh) may benefit from this change.
+
+Fixes: 5e23b923da03 ("[Bluetooth] Add generic driver for Bluetooth USB devices")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Tested-by: Kiran K <kiran.k@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 51d9d4532dda4..1ec71a2fb63ea 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -1397,7 +1397,10 @@ static int btusb_submit_intr_urb(struct hci_dev *hdev, gfp_t mem_flags)
+ if (!urb)
+ return -ENOMEM;
+
+- size = le16_to_cpu(data->intr_ep->wMaxPacketSize);
++ /* Use maximum HCI Event size so the USB stack handles
++ * ZPL/short-transfer automatically.
++ */
++ size = HCI_MAX_EVENT_SIZE;
+
+ buf = kmalloc(size, mem_flags);
+ if (!buf) {
+--
+2.43.0
+
--- /dev/null
+From dfcad965c6a1716743752cc7f5769969c55a67b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Aug 2024 17:29:27 -0400
+Subject: Bluetooth: hci_core: Fix sending MGMT_EV_CONNECT_FAILED
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit d47da6bd4cfa982fe903f33423b9e2ec541e9496 ]
+
+If HCI_CONN_MGMT_CONNECTED has been set then the event shall be
+HCI_CONN_MGMT_DISCONNECTED.
+
+Fixes: b644ba336997 ("Bluetooth: Update device_connected and device_found events to latest API")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci_core.h | 4 ++--
+ net/bluetooth/hci_conn.c | 6 ++----
+ net/bluetooth/mgmt.c | 13 +++++++++----
+ 3 files changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index 1a32e602630e3..88265d37aa72e 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -2257,8 +2257,8 @@ void mgmt_device_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr,
+ bool mgmt_connected);
+ void mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr,
+ u8 link_type, u8 addr_type, u8 status);
+-void mgmt_connect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
+- u8 addr_type, u8 status);
++void mgmt_connect_failed(struct hci_dev *hdev, struct hci_conn *conn,
++ u8 status);
+ void mgmt_pin_code_request(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 secure);
+ void mgmt_pin_code_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
+ u8 status);
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index c82502e213a88..58b528df1a86e 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -106,8 +106,7 @@ void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
+ * where a timeout + cancel does indicate an actual failure.
+ */
+ if (status && status != HCI_ERROR_UNKNOWN_CONN_ID)
+- mgmt_connect_failed(hdev, &conn->dst, conn->type,
+- conn->dst_type, status);
++ mgmt_connect_failed(hdev, conn, status);
+
+ /* The connection attempt was doing scan for new RPA, and is
+ * in scan phase. If params are not associated with any other
+@@ -1250,8 +1249,7 @@ void hci_conn_failed(struct hci_conn *conn, u8 status)
+ hci_le_conn_failed(conn, status);
+ break;
+ case ACL_LINK:
+- mgmt_connect_failed(hdev, &conn->dst, conn->type,
+- conn->dst_type, status);
++ mgmt_connect_failed(hdev, conn, status);
+ break;
+ }
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index 279902e8bd8a7..e4f564d6f6fbf 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -9779,13 +9779,18 @@ void mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr,
+ mgmt_pending_remove(cmd);
+ }
+
+-void mgmt_connect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
+- u8 addr_type, u8 status)
++void mgmt_connect_failed(struct hci_dev *hdev, struct hci_conn *conn, u8 status)
+ {
+ struct mgmt_ev_connect_failed ev;
+
+- bacpy(&ev.addr.bdaddr, bdaddr);
+- ev.addr.type = link_to_bdaddr(link_type, addr_type);
++ if (test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
++ mgmt_device_disconnected(hdev, &conn->dst, conn->type,
++ conn->dst_type, status, true);
++ return;
++ }
++
++ bacpy(&ev.addr.bdaddr, &conn->dst);
++ ev.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
+ ev.status = mgmt_status(status);
+
+ mgmt_event(MGMT_EV_CONNECT_FAILED, hdev, &ev, sizeof(ev), NULL);
+--
+2.43.0
+
--- /dev/null
+From 6a3db01737c329baaf05d68234a1dd85cfb9f4ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Aug 2023 12:05:00 -0700
+Subject: Bluetooth: hci_sync: Ignore errors from HCI_OP_REMOTE_NAME_REQ_CANCEL
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit cfbfeee61582e638770a1a10deef866c9adb38f5 ]
+
+This ignores errors from HCI_OP_REMOTE_NAME_REQ_CANCEL since it
+shouldn't interfere with the stopping of discovery and in certain
+conditions it seems to be failing.
+
+Link: https://github.com/bluez/bluez/issues/575
+Fixes: d0b137062b2d ("Bluetooth: hci_sync: Rework init stages")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sync.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 5533e6f561b3a..40ccdef168d7d 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -5380,7 +5380,10 @@ int hci_stop_discovery_sync(struct hci_dev *hdev)
+ if (!e)
+ return 0;
+
+- return hci_remote_name_cancel_sync(hdev, &e->data.bdaddr);
++ /* Ignore cancel errors since it should interfere with stopping
++ * of the discovery.
++ */
++ hci_remote_name_cancel_sync(hdev, &e->data.bdaddr);
+ }
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 66bcb2c97978ba52bd7431f02f4411abb0a870c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Sep 2024 14:06:02 +0000
+Subject: bonding: Fix unnecessary warnings and logs from
+ bond_xdp_get_xmit_slave()
+
+From: Jiwon Kim <jiwonaid0@gmail.com>
+
+[ Upstream commit 0cbfd45fbcf0cb26d85c981b91c62fe73cdee01c ]
+
+syzbot reported a WARNING in bond_xdp_get_xmit_slave. To reproduce
+this[1], one bond device (bond1) has xdpdrv, which increases
+bpf_master_redirect_enabled_key. Another bond device (bond0) which is
+unsupported by XDP but its slave (veth3) has xdpgeneric that returns
+XDP_TX. This triggers WARN_ON_ONCE() from the xdp_master_redirect().
+To reduce unnecessary warnings and improve log management, we need to
+delete the WARN_ON_ONCE() and add ratelimit to the netdev_err().
+
+[1] Steps to reproduce:
+ # Needs tx_xdp with return XDP_TX;
+ ip l add veth0 type veth peer veth1
+ ip l add veth3 type veth peer veth4
+ ip l add bond0 type bond mode 6 # BOND_MODE_ALB, unsupported by XDP
+ ip l add bond1 type bond # BOND_MODE_ROUNDROBIN by default
+ ip l set veth0 master bond1
+ ip l set bond1 up
+ # Increases bpf_master_redirect_enabled_key
+ ip l set dev bond1 xdpdrv object tx_xdp.o section xdp_tx
+ ip l set veth3 master bond0
+ ip l set bond0 up
+ ip l set veth4 up
+ # Triggers WARN_ON_ONCE() from the xdp_master_redirect()
+ ip l set veth3 xdpgeneric object tx_xdp.o section xdp_tx
+
+Reported-by: syzbot+c187823a52ed505b2257@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c187823a52ed505b2257
+Fixes: 9e2ee5c7e7c3 ("net, bonding: Add XDP support to the bonding driver")
+Signed-off-by: Jiwon Kim <jiwonaid0@gmail.com>
+Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://patch.msgid.link/20240918140602.18644-1-jiwonaid0@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index bb9c3d6ef4359..e20bee1bdffd7 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -5536,9 +5536,9 @@ bond_xdp_get_xmit_slave(struct net_device *bond_dev, struct xdp_buff *xdp)
+ break;
+
+ default:
+- /* Should never happen. Mode guarded by bond_xdp_check() */
+- netdev_err(bond_dev, "Unknown bonding mode %d for xdp xmit\n", BOND_MODE(bond));
+- WARN_ON_ONCE(1);
++ if (net_ratelimit())
++ netdev_err(bond_dev, "Unknown bonding mode %d for xdp xmit\n",
++ BOND_MODE(bond));
+ return NULL;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 9070b4dd5db13732a60cf8046334118ae2e947c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jul 2024 20:39:01 +0800
+Subject: bpf, arm64: Fix tailcall hierarchy
+
+From: Leon Hwang <hffilwlqm@gmail.com>
+
+[ Upstream commit 66ff4d61dc124eafe9efaeaef696a09b7f236da2 ]
+
+This patch fixes a tailcall issue caused by abusing the tailcall in
+bpf2bpf feature on arm64 like the way of "bpf, x64: Fix tailcall
+hierarchy".
+
+On arm64, when a tail call happens, it uses tail_call_cnt_ptr to
+increment tail_call_cnt, too.
+
+At the prologue of main prog, it has to initialize tail_call_cnt and
+prepare tail_call_cnt_ptr.
+
+At the prologue of subprog, it pushes x26 register twice, and does not
+initialize tail_call_cnt.
+
+At the epilogue, it pops x26 twice, no matter whether it is main prog or
+subprog.
+
+Fixes: d4609a5d8c70 ("bpf, arm64: Keep tail call count across bpf2bpf calls")
+Acked-by: Puranjay Mohan <puranjay@kernel.org>
+Signed-off-by: Leon Hwang <hffilwlqm@gmail.com>
+Link: https://lore.kernel.org/r/20240714123902.32305-3-hffilwlqm@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/net/bpf_jit_comp.c | 57 +++++++++++++++++++++++++----------
+ 1 file changed, 41 insertions(+), 16 deletions(-)
+
+diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
+index dd0bb069df4bb..59e05a7aea56a 100644
+--- a/arch/arm64/net/bpf_jit_comp.c
++++ b/arch/arm64/net/bpf_jit_comp.c
+@@ -26,7 +26,7 @@
+
+ #define TMP_REG_1 (MAX_BPF_JIT_REG + 0)
+ #define TMP_REG_2 (MAX_BPF_JIT_REG + 1)
+-#define TCALL_CNT (MAX_BPF_JIT_REG + 2)
++#define TCCNT_PTR (MAX_BPF_JIT_REG + 2)
+ #define TMP_REG_3 (MAX_BPF_JIT_REG + 3)
+ #define FP_BOTTOM (MAX_BPF_JIT_REG + 4)
+ #define ARENA_VM_START (MAX_BPF_JIT_REG + 5)
+@@ -63,8 +63,8 @@ static const int bpf2a64[] = {
+ [TMP_REG_1] = A64_R(10),
+ [TMP_REG_2] = A64_R(11),
+ [TMP_REG_3] = A64_R(12),
+- /* tail_call_cnt */
+- [TCALL_CNT] = A64_R(26),
++ /* tail_call_cnt_ptr */
++ [TCCNT_PTR] = A64_R(26),
+ /* temporary register for blinding constants */
+ [BPF_REG_AX] = A64_R(9),
+ [FP_BOTTOM] = A64_R(27),
+@@ -282,13 +282,35 @@ static bool is_lsi_offset(int offset, int scale)
+ * mov x29, sp
+ * stp x19, x20, [sp, #-16]!
+ * stp x21, x22, [sp, #-16]!
+- * stp x25, x26, [sp, #-16]!
++ * stp x26, x25, [sp, #-16]!
++ * stp x26, x25, [sp, #-16]!
+ * stp x27, x28, [sp, #-16]!
+ * mov x25, sp
+ * mov tcc, #0
+ * // PROLOGUE_OFFSET
+ */
+
++static void prepare_bpf_tail_call_cnt(struct jit_ctx *ctx)
++{
++ const struct bpf_prog *prog = ctx->prog;
++ const bool is_main_prog = !bpf_is_subprog(prog);
++ const u8 ptr = bpf2a64[TCCNT_PTR];
++ const u8 fp = bpf2a64[BPF_REG_FP];
++ const u8 tcc = ptr;
++
++ emit(A64_PUSH(ptr, fp, A64_SP), ctx);
++ if (is_main_prog) {
++ /* Initialize tail_call_cnt. */
++ emit(A64_MOVZ(1, tcc, 0, 0), ctx);
++ emit(A64_PUSH(tcc, fp, A64_SP), ctx);
++ emit(A64_MOV(1, ptr, A64_SP), ctx);
++ } else {
++ emit(A64_PUSH(ptr, fp, A64_SP), ctx);
++ emit(A64_NOP, ctx);
++ emit(A64_NOP, ctx);
++ }
++}
++
+ #define BTI_INSNS (IS_ENABLED(CONFIG_ARM64_BTI_KERNEL) ? 1 : 0)
+ #define PAC_INSNS (IS_ENABLED(CONFIG_ARM64_PTR_AUTH_KERNEL) ? 1 : 0)
+
+@@ -296,7 +318,7 @@ static bool is_lsi_offset(int offset, int scale)
+ #define POKE_OFFSET (BTI_INSNS + 1)
+
+ /* Tail call offset to jump into */
+-#define PROLOGUE_OFFSET (BTI_INSNS + 2 + PAC_INSNS + 8)
++#define PROLOGUE_OFFSET (BTI_INSNS + 2 + PAC_INSNS + 10)
+
+ static int build_prologue(struct jit_ctx *ctx, bool ebpf_from_cbpf,
+ bool is_exception_cb, u64 arena_vm_start)
+@@ -308,7 +330,6 @@ static int build_prologue(struct jit_ctx *ctx, bool ebpf_from_cbpf,
+ const u8 r8 = bpf2a64[BPF_REG_8];
+ const u8 r9 = bpf2a64[BPF_REG_9];
+ const u8 fp = bpf2a64[BPF_REG_FP];
+- const u8 tcc = bpf2a64[TCALL_CNT];
+ const u8 fpb = bpf2a64[FP_BOTTOM];
+ const u8 arena_vm_base = bpf2a64[ARENA_VM_START];
+ const int idx0 = ctx->idx;
+@@ -359,7 +380,7 @@ static int build_prologue(struct jit_ctx *ctx, bool ebpf_from_cbpf,
+ /* Save callee-saved registers */
+ emit(A64_PUSH(r6, r7, A64_SP), ctx);
+ emit(A64_PUSH(r8, r9, A64_SP), ctx);
+- emit(A64_PUSH(fp, tcc, A64_SP), ctx);
++ prepare_bpf_tail_call_cnt(ctx);
+ emit(A64_PUSH(fpb, A64_R(28), A64_SP), ctx);
+ } else {
+ /*
+@@ -372,18 +393,15 @@ static int build_prologue(struct jit_ctx *ctx, bool ebpf_from_cbpf,
+ * callee-saved registers. The exception callback will not push
+ * anything and re-use the main program's stack.
+ *
+- * 10 registers are on the stack
++ * 12 registers are on the stack
+ */
+- emit(A64_SUB_I(1, A64_SP, A64_FP, 80), ctx);
++ emit(A64_SUB_I(1, A64_SP, A64_FP, 96), ctx);
+ }
+
+ /* Set up BPF prog stack base register */
+ emit(A64_MOV(1, fp, A64_SP), ctx);
+
+ if (!ebpf_from_cbpf && is_main_prog) {
+- /* Initialize tail_call_cnt */
+- emit(A64_MOVZ(1, tcc, 0, 0), ctx);
+-
+ cur_offset = ctx->idx - idx0;
+ if (cur_offset != PROLOGUE_OFFSET) {
+ pr_err_once("PROLOGUE_OFFSET = %d, expected %d!\n",
+@@ -432,7 +450,8 @@ static int emit_bpf_tail_call(struct jit_ctx *ctx)
+
+ const u8 tmp = bpf2a64[TMP_REG_1];
+ const u8 prg = bpf2a64[TMP_REG_2];
+- const u8 tcc = bpf2a64[TCALL_CNT];
++ const u8 tcc = bpf2a64[TMP_REG_3];
++ const u8 ptr = bpf2a64[TCCNT_PTR];
+ const int idx0 = ctx->idx;
+ #define cur_offset (ctx->idx - idx0)
+ #define jmp_offset (out_offset - (cur_offset))
+@@ -449,11 +468,12 @@ static int emit_bpf_tail_call(struct jit_ctx *ctx)
+ emit(A64_B_(A64_COND_CS, jmp_offset), ctx);
+
+ /*
+- * if (tail_call_cnt >= MAX_TAIL_CALL_CNT)
++ * if ((*tail_call_cnt_ptr) >= MAX_TAIL_CALL_CNT)
+ * goto out;
+- * tail_call_cnt++;
++ * (*tail_call_cnt_ptr)++;
+ */
+ emit_a64_mov_i64(tmp, MAX_TAIL_CALL_CNT, ctx);
++ emit(A64_LDR64I(tcc, ptr, 0), ctx);
+ emit(A64_CMP(1, tcc, tmp), ctx);
+ emit(A64_B_(A64_COND_CS, jmp_offset), ctx);
+ emit(A64_ADD_I(1, tcc, tcc, 1), ctx);
+@@ -469,6 +489,9 @@ static int emit_bpf_tail_call(struct jit_ctx *ctx)
+ emit(A64_LDR64(prg, tmp, prg), ctx);
+ emit(A64_CBZ(1, prg, jmp_offset), ctx);
+
++ /* Update tail_call_cnt if the slot is populated. */
++ emit(A64_STR64I(tcc, ptr, 0), ctx);
++
+ /* goto *(prog->bpf_func + prologue_offset); */
+ off = offsetof(struct bpf_prog, bpf_func);
+ emit_a64_mov_i64(tmp, off, ctx);
+@@ -721,6 +744,7 @@ static void build_epilogue(struct jit_ctx *ctx, bool is_exception_cb)
+ const u8 r8 = bpf2a64[BPF_REG_8];
+ const u8 r9 = bpf2a64[BPF_REG_9];
+ const u8 fp = bpf2a64[BPF_REG_FP];
++ const u8 ptr = bpf2a64[TCCNT_PTR];
+ const u8 fpb = bpf2a64[FP_BOTTOM];
+
+ /* We're done with BPF stack */
+@@ -738,7 +762,8 @@ static void build_epilogue(struct jit_ctx *ctx, bool is_exception_cb)
+ /* Restore x27 and x28 */
+ emit(A64_POP(fpb, A64_R(28), A64_SP), ctx);
+ /* Restore fs (x25) and x26 */
+- emit(A64_POP(fp, A64_R(26), A64_SP), ctx);
++ emit(A64_POP(ptr, fp, A64_SP), ctx);
++ emit(A64_POP(ptr, fp, A64_SP), ctx);
+
+ /* Restore callee-saved register */
+ emit(A64_POP(r8, r9, A64_SP), ctx);
+--
+2.43.0
+
--- /dev/null
+From c64ab38d0da865428660861d40bc7f4a00b3f1bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2024 01:01:23 -0700
+Subject: bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit 3d2786d65aaa954ebd3fcc033ada433e10da21c4 ]
+
+In case of malformed relocation record of kind BPF_CORE_TYPE_ID_LOCAL
+referencing a non-existing BTF type, function bpf_core_calc_relo_insn
+would cause a null pointer deference.
+
+Fix this by adding a proper check upper in call stack, as malformed
+relocation records could be passed from user space.
+
+Simplest reproducer is a program:
+
+ r0 = 0
+ exit
+
+With a single relocation record:
+
+ .insn_off = 0, /* patch first instruction */
+ .type_id = 100500, /* this type id does not exist */
+ .access_str_off = 6, /* offset of string "0" */
+ .kind = BPF_CORE_TYPE_ID_LOCAL,
+
+See the link for original reproducer or next commit for a test case.
+
+Fixes: 74753e1462e7 ("libbpf: Replace btf__type_by_id() with btf_type_by_id().")
+Reported-by: Liu RuiTong <cnitlrt@gmail.com>
+Closes: https://lore.kernel.org/bpf/CAK55_s6do7C+DVwbwY_7nKfUz0YLDoiA1v6X3Y9+p0sWzipFSA@mail.gmail.com/
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20240822080124.2995724-2-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/btf.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
+index 249c94c996150..7783b16b87cfe 100644
+--- a/kernel/bpf/btf.c
++++ b/kernel/bpf/btf.c
+@@ -8891,6 +8891,7 @@ int bpf_core_apply(struct bpf_core_ctx *ctx, const struct bpf_core_relo *relo,
+ struct bpf_core_cand_list cands = {};
+ struct bpf_core_relo_res targ_res;
+ struct bpf_core_spec *specs;
++ const struct btf_type *type;
+ int err;
+
+ /* ~4k of temp memory necessary to convert LLVM spec like "0:1:0:5"
+@@ -8900,6 +8901,13 @@ int bpf_core_apply(struct bpf_core_ctx *ctx, const struct bpf_core_relo *relo,
+ if (!specs)
+ return -ENOMEM;
+
++ type = btf_type_by_id(ctx->btf, relo->type_id);
++ if (!type) {
++ bpf_log(ctx->log, "relo #%u: bad type id %u\n",
++ relo_idx, relo->type_id);
++ return -EINVAL;
++ }
++
+ if (need_cands) {
+ struct bpf_cand_cache *cc;
+ int i;
+--
+2.43.0
+
--- /dev/null
+From a913816b78620f099a05f90faa93bea2598a5d9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jul 2024 08:34:39 -0700
+Subject: bpf: Fail verification for sign-extension of packet
+ data/data_end/data_meta
+
+From: Yonghong Song <yonghong.song@linux.dev>
+
+[ Upstream commit 92de36080c93296ef9005690705cba260b9bd68a ]
+
+syzbot reported a kernel crash due to
+ commit 1f1e864b6555 ("bpf: Handle sign-extenstin ctx member accesses").
+The reason is due to sign-extension of 32-bit load for
+packet data/data_end/data_meta uapi field.
+
+The original code looks like:
+ r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */
+ r3 = *(u32 *)(r1 + 80) /* load __sk_buff->data_end */
+ r0 = r2
+ r0 += 8
+ if r3 > r0 goto +1
+ ...
+Note that __sk_buff->data load has 32-bit sign extension.
+
+After verification and convert_ctx_accesses(), the final asm code looks like:
+ r2 = *(u64 *)(r1 +208)
+ r2 = (s32)r2
+ r3 = *(u64 *)(r1 +80)
+ r0 = r2
+ r0 += 8
+ if r3 > r0 goto pc+1
+ ...
+Note that 'r2 = (s32)r2' may make the kernel __sk_buff->data address invalid
+which may cause runtime failure.
+
+Currently, in C code, typically we have
+ void *data = (void *)(long)skb->data;
+ void *data_end = (void *)(long)skb->data_end;
+ ...
+and it will generate
+ r2 = *(u64 *)(r1 +208)
+ r3 = *(u64 *)(r1 +80)
+ r0 = r2
+ r0 += 8
+ if r3 > r0 goto pc+1
+
+If we allow sign-extension,
+ void *data = (void *)(long)(int)skb->data;
+ void *data_end = (void *)(long)skb->data_end;
+ ...
+the generated code looks like
+ r2 = *(u64 *)(r1 +208)
+ r2 <<= 32
+ r2 s>>= 32
+ r3 = *(u64 *)(r1 +80)
+ r0 = r2
+ r0 += 8
+ if r3 > r0 goto pc+1
+and this will cause verification failure since "r2 <<= 32" is not allowed
+as "r2" is a packet pointer.
+
+To fix this issue for case
+ r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */
+this patch added additional checking in is_valid_access() callback
+function for packet data/data_end/data_meta access. If those accesses
+are with sign-extenstion, the verification will fail.
+
+ [1] https://lore.kernel.org/bpf/000000000000c90eee061d236d37@google.com/
+
+Reported-by: syzbot+ad9ec60c8eaf69e6f99c@syzkaller.appspotmail.com
+Fixes: 1f1e864b6555 ("bpf: Handle sign-extenstin ctx member accesses")
+Acked-by: Eduard Zingerman <eddyz87@gmail.com>
+Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
+Link: https://lore.kernel.org/r/20240723153439.2429035-1-yonghong.song@linux.dev
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bpf.h | 1 +
+ kernel/bpf/verifier.c | 5 +++--
+ net/core/filter.c | 21 ++++++++++++++++-----
+ 3 files changed, 20 insertions(+), 7 deletions(-)
+
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index 71ccd39011ed0..b051122f62a4f 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -919,6 +919,7 @@ static_assert(__BPF_REG_TYPE_MAX <= BPF_BASE_TYPE_LIMIT);
+ */
+ struct bpf_insn_access_aux {
+ enum bpf_reg_type reg_type;
++ bool is_ldsx;
+ union {
+ int ctx_field_size;
+ struct {
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 4a528afb20620..62cd315984042 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -5606,12 +5606,13 @@ static int check_packet_access(struct bpf_verifier_env *env, u32 regno, int off,
+ /* check access to 'struct bpf_context' fields. Supports fixed offsets only */
+ static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off, int size,
+ enum bpf_access_type t, enum bpf_reg_type *reg_type,
+- struct btf **btf, u32 *btf_id, bool *is_retval)
++ struct btf **btf, u32 *btf_id, bool *is_retval, bool is_ldsx)
+ {
+ struct bpf_insn_access_aux info = {
+ .reg_type = *reg_type,
+ .log = &env->log,
+ .is_retval = false,
++ .is_ldsx = is_ldsx,
+ };
+
+ if (env->ops->is_valid_access &&
+@@ -6925,7 +6926,7 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
+ return err;
+
+ err = check_ctx_access(env, insn_idx, off, size, t, ®_type, &btf,
+- &btf_id, &is_retval);
++ &btf_id, &is_retval, is_ldsx);
+ if (err)
+ verbose_linfo(env, insn_idx, "; ");
+ if (!err && t == BPF_READ && value_regno >= 0) {
+diff --git a/net/core/filter.c b/net/core/filter.c
+index f3c72cf860997..78a6f746ea0ba 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -8579,13 +8579,16 @@ static bool bpf_skb_is_valid_access(int off, int size, enum bpf_access_type type
+ if (off + size > offsetofend(struct __sk_buff, cb[4]))
+ return false;
+ break;
++ case bpf_ctx_range(struct __sk_buff, data):
++ case bpf_ctx_range(struct __sk_buff, data_meta):
++ case bpf_ctx_range(struct __sk_buff, data_end):
++ if (info->is_ldsx || size != size_default)
++ return false;
++ break;
+ case bpf_ctx_range_till(struct __sk_buff, remote_ip6[0], remote_ip6[3]):
+ case bpf_ctx_range_till(struct __sk_buff, local_ip6[0], local_ip6[3]):
+ case bpf_ctx_range_till(struct __sk_buff, remote_ip4, remote_ip4):
+ case bpf_ctx_range_till(struct __sk_buff, local_ip4, local_ip4):
+- case bpf_ctx_range(struct __sk_buff, data):
+- case bpf_ctx_range(struct __sk_buff, data_meta):
+- case bpf_ctx_range(struct __sk_buff, data_end):
+ if (size != size_default)
+ return false;
+ break;
+@@ -9029,6 +9032,14 @@ static bool xdp_is_valid_access(int off, int size,
+ }
+ }
+ return false;
++ } else {
++ switch (off) {
++ case offsetof(struct xdp_md, data_meta):
++ case offsetof(struct xdp_md, data):
++ case offsetof(struct xdp_md, data_end):
++ if (info->is_ldsx)
++ return false;
++ }
+ }
+
+ switch (off) {
+@@ -9354,12 +9365,12 @@ static bool flow_dissector_is_valid_access(int off, int size,
+
+ switch (off) {
+ case bpf_ctx_range(struct __sk_buff, data):
+- if (size != size_default)
++ if (info->is_ldsx || size != size_default)
+ return false;
+ info->reg_type = PTR_TO_PACKET;
+ return true;
+ case bpf_ctx_range(struct __sk_buff, data_end):
+- if (size != size_default)
++ if (info->is_ldsx || size != size_default)
+ return false;
+ info->reg_type = PTR_TO_PACKET_END;
+ return true;
+--
+2.43.0
+
--- /dev/null
+From a838f54c464b60d4cc70fd2abfa34f8d3c8fce7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 21:17:46 +0200
+Subject: bpf: Fix bpf_strtol and bpf_strtoul helpers for 32bit
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit cfe69c50b05510b24e26ccb427c7cc70beafd6c1 ]
+
+The bpf_strtol() and bpf_strtoul() helpers are currently broken on 32bit:
+
+The argument type ARG_PTR_TO_LONG is BPF-side "long", not kernel-side "long"
+and therefore always considered fixed 64bit no matter if 64 or 32bit underlying
+architecture.
+
+This contract breaks in case of the two mentioned helpers since their BPF_CALL
+definition for the helpers was added with {unsigned,}long *res. Meaning, the
+transition from BPF-side "long" (BPF program) to kernel-side "long" (BPF helper)
+breaks here.
+
+Both helpers call __bpf_strtoll() with "long long" correctly, but later assigning
+the result into 32-bit "*(long *)" on 32bit architectures. From a BPF program
+point of view, this means upper bits will be seen as uninitialised.
+
+Therefore, fix both BPF_CALL signatures to {s,u}64 types to fix this situation.
+
+Now, changing also uapi/bpf.h helper documentation which generates bpf_helper_defs.h
+for BPF programs is tricky: Changing signatures there to __{s,u}64 would trigger
+compiler warnings (incompatible pointer types passing 'long *' to parameter of type
+'__s64 *' (aka 'long long *')) for existing BPF programs.
+
+Leaving the signatures as-is would be fine as from BPF program point of view it is
+still BPF-side "long" and thus equivalent to __{s,u}64 on 64 or 32bit underlying
+architectures.
+
+Note that bpf_strtol() and bpf_strtoul() are the only helpers with this issue.
+
+Fixes: d7a4cb9b6705 ("bpf: Introduce bpf_strtol and bpf_strtoul helpers")
+Reported-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/481fcec8-c12c-9abb-8ecb-76c71c009959@iogearbox.net
+Link: https://lore.kernel.org/r/20240913191754.13290-1-daniel@iogearbox.net
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/helpers.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
+index b5f0adae82933..17a757c78b488 100644
+--- a/kernel/bpf/helpers.c
++++ b/kernel/bpf/helpers.c
+@@ -517,7 +517,7 @@ static int __bpf_strtoll(const char *buf, size_t buf_len, u64 flags,
+ }
+
+ BPF_CALL_4(bpf_strtol, const char *, buf, size_t, buf_len, u64, flags,
+- long *, res)
++ s64 *, res)
+ {
+ long long _res;
+ int err;
+@@ -542,7 +542,7 @@ const struct bpf_func_proto bpf_strtol_proto = {
+ };
+
+ BPF_CALL_4(bpf_strtoul, const char *, buf, size_t, buf_len, u64, flags,
+- unsigned long *, res)
++ u64 *, res)
+ {
+ unsigned long long _res;
+ bool is_negative;
+--
+2.43.0
+
--- /dev/null
+From d6dd96c8073a5dc3d012068397b705760d716a54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jul 2024 19:00:54 +0800
+Subject: bpf: Fix compare error in function retval_range_within
+
+From: Xu Kuohai <xukuohai@huawei.com>
+
+[ Upstream commit 763aa759d3b2c4f95b11855e3d37b860860107e2 ]
+
+After checking lsm hook return range in verifier, the test case
+"test_progs -t test_lsm" failed, and the failure log says:
+
+libbpf: prog 'test_int_hook': BPF program load failed: Invalid argument
+libbpf: prog 'test_int_hook': -- BEGIN PROG LOAD LOG --
+0: R1=ctx() R10=fp0
+; int BPF_PROG(test_int_hook, struct vm_area_struct *vma, @ lsm.c:89
+0: (79) r0 = *(u64 *)(r1 +24) ; R0_w=scalar(smin=smin32=-4095,smax=smax32=0) R1=ctx()
+
+[...]
+
+24: (b4) w0 = -1 ; R0_w=0xffffffff
+; int BPF_PROG(test_int_hook, struct vm_area_struct *vma, @ lsm.c:89
+25: (95) exit
+At program exit the register R0 has smin=4294967295 smax=4294967295 should have been in [-4095, 0]
+
+It can be seen that instruction "w0 = -1" zero extended -1 to 64-bit
+register r0, setting both smin and smax values of r0 to 4294967295.
+This resulted in a false reject when r0 was checked with range [-4095, 0].
+
+Given bpf lsm does not return 64-bit values, this patch fixes it by changing
+the compare between r0 and return range from 64-bit operation to 32-bit
+operation for bpf lsm.
+
+Fixes: 8fa4ecd49b81 ("bpf: enforce exact retval range on subprog/callback exit")
+Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
+Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Link: https://lore.kernel.org/r/20240719110059.797546-5-xukuohai@huaweicloud.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 665bd75193b03..4a528afb20620 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -9964,9 +9964,13 @@ static bool in_rbtree_lock_required_cb(struct bpf_verifier_env *env)
+ return is_rbtree_lock_required_kfunc(kfunc_btf_id);
+ }
+
+-static bool retval_range_within(struct bpf_retval_range range, const struct bpf_reg_state *reg)
++static bool retval_range_within(struct bpf_retval_range range, const struct bpf_reg_state *reg,
++ bool return_32bit)
+ {
+- return range.minval <= reg->smin_value && reg->smax_value <= range.maxval;
++ if (return_32bit)
++ return range.minval <= reg->s32_min_value && reg->s32_max_value <= range.maxval;
++ else
++ return range.minval <= reg->smin_value && reg->smax_value <= range.maxval;
+ }
+
+ static int prepare_func_exit(struct bpf_verifier_env *env, int *insn_idx)
+@@ -10003,8 +10007,8 @@ static int prepare_func_exit(struct bpf_verifier_env *env, int *insn_idx)
+ if (err)
+ return err;
+
+- /* enforce R0 return value range */
+- if (!retval_range_within(callee->callback_ret_range, r0)) {
++ /* enforce R0 return value range, and bpf_callback_t returns 64bit */
++ if (!retval_range_within(callee->callback_ret_range, r0, false)) {
+ verbose_invalid_scalar(env, r0, callee->callback_ret_range,
+ "At callback return", "R0");
+ return -EINVAL;
+@@ -15610,6 +15614,7 @@ static int check_return_code(struct bpf_verifier_env *env, int regno, const char
+ int err;
+ struct bpf_func_state *frame = env->cur_state->frame[0];
+ const bool is_subprog = frame->subprogno;
++ bool return_32bit = false;
+
+ /* LSM and struct_ops func-ptr's return type could be "void" */
+ if (!is_subprog || frame->in_exception_callback_fn) {
+@@ -15721,6 +15726,7 @@ static int check_return_code(struct bpf_verifier_env *env, int regno, const char
+ /* no restricted range, any return value is allowed */
+ if (range.minval == S32_MIN && range.maxval == S32_MAX)
+ return 0;
++ return_32bit = true;
+ } else if (!env->prog->aux->attach_func_proto->type) {
+ /* Make sure programs that attach to void
+ * hooks don't try to modify return value.
+@@ -15751,7 +15757,7 @@ static int check_return_code(struct bpf_verifier_env *env, int regno, const char
+ if (err)
+ return err;
+
+- if (!retval_range_within(range, reg)) {
++ if (!retval_range_within(range, reg, return_32bit)) {
+ verbose_invalid_scalar(env, reg, range, exit_ctx, reg_name);
+ if (!is_subprog &&
+ prog->expected_attach_type == BPF_LSM_CGROUP &&
+--
+2.43.0
+
--- /dev/null
+From 153613c7bbb6c63f8116b953abc62f1810431d30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 21:17:48 +0200
+Subject: bpf: Fix helper writes to read-only maps
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 32556ce93bc45c730829083cb60f95a2728ea48b ]
+
+Lonial found an issue that despite user- and BPF-side frozen BPF map
+(like in case of .rodata), it was still possible to write into it from
+a BPF program side through specific helpers having ARG_PTR_TO_{LONG,INT}
+as arguments.
+
+In check_func_arg() when the argument is as mentioned, the meta->raw_mode
+is never set. Later, check_helper_mem_access(), under the case of
+PTR_TO_MAP_VALUE as register base type, it assumes BPF_READ for the
+subsequent call to check_map_access_type() and given the BPF map is
+read-only it succeeds.
+
+The helpers really need to be annotated as ARG_PTR_TO_{LONG,INT} | MEM_UNINIT
+when results are written into them as opposed to read out of them. The
+latter indicates that it's okay to pass a pointer to uninitialized memory
+as the memory is written to anyway.
+
+However, ARG_PTR_TO_{LONG,INT} is a special case of ARG_PTR_TO_FIXED_SIZE_MEM
+just with additional alignment requirement. So it is better to just get
+rid of the ARG_PTR_TO_{LONG,INT} special cases altogether and reuse the
+fixed size memory types. For this, add MEM_ALIGNED to additionally ensure
+alignment given these helpers write directly into the args via *<ptr> = val.
+The .arg*_size has been initialized reflecting the actual sizeof(*<ptr>).
+
+MEM_ALIGNED can only be used in combination with MEM_FIXED_SIZE annotated
+argument types, since in !MEM_FIXED_SIZE cases the verifier does not know
+the buffer size a priori and therefore cannot blindly write *<ptr> = val.
+
+Fixes: 57c3bb725a3d ("bpf: Introduce ARG_PTR_TO_{INT,LONG} arg types")
+Reported-by: Lonial Con <kongln9170@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Link: https://lore.kernel.org/r/20240913191754.13290-3-daniel@iogearbox.net
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bpf.h | 7 +++++--
+ kernel/bpf/helpers.c | 6 ++++--
+ kernel/bpf/syscall.c | 3 ++-
+ kernel/bpf/verifier.c | 41 +++++-----------------------------------
+ kernel/trace/bpf_trace.c | 6 ++++--
+ net/core/filter.c | 6 ++++--
+ 6 files changed, 24 insertions(+), 45 deletions(-)
+
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index b051122f62a4f..70fa4ffc3879f 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -694,6 +694,11 @@ enum bpf_type_flag {
+ /* DYNPTR points to xdp_buff */
+ DYNPTR_TYPE_XDP = BIT(16 + BPF_BASE_TYPE_BITS),
+
++ /* Memory must be aligned on some architectures, used in combination with
++ * MEM_FIXED_SIZE.
++ */
++ MEM_ALIGNED = BIT(17 + BPF_BASE_TYPE_BITS),
++
+ __BPF_TYPE_FLAG_MAX,
+ __BPF_TYPE_LAST_FLAG = __BPF_TYPE_FLAG_MAX - 1,
+ };
+@@ -731,8 +736,6 @@ enum bpf_arg_type {
+ ARG_ANYTHING, /* any (initialized) argument is ok */
+ ARG_PTR_TO_SPIN_LOCK, /* pointer to bpf_spin_lock */
+ ARG_PTR_TO_SOCK_COMMON, /* pointer to sock_common */
+- ARG_PTR_TO_INT, /* pointer to int */
+- ARG_PTR_TO_LONG, /* pointer to long */
+ ARG_PTR_TO_SOCKET, /* pointer to bpf_sock (fullsock) */
+ ARG_PTR_TO_BTF_ID, /* pointer to in-kernel struct */
+ ARG_PTR_TO_RINGBUF_MEM, /* pointer to dynamically reserved ringbuf memory */
+diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
+index 17a757c78b488..b305b116ce125 100644
+--- a/kernel/bpf/helpers.c
++++ b/kernel/bpf/helpers.c
+@@ -538,7 +538,8 @@ const struct bpf_func_proto bpf_strtol_proto = {
+ .arg1_type = ARG_PTR_TO_MEM | MEM_RDONLY,
+ .arg2_type = ARG_CONST_SIZE,
+ .arg3_type = ARG_ANYTHING,
+- .arg4_type = ARG_PTR_TO_LONG,
++ .arg4_type = ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED,
++ .arg4_size = sizeof(s64),
+ };
+
+ BPF_CALL_4(bpf_strtoul, const char *, buf, size_t, buf_len, u64, flags,
+@@ -566,7 +567,8 @@ const struct bpf_func_proto bpf_strtoul_proto = {
+ .arg1_type = ARG_PTR_TO_MEM | MEM_RDONLY,
+ .arg2_type = ARG_CONST_SIZE,
+ .arg3_type = ARG_ANYTHING,
+- .arg4_type = ARG_PTR_TO_LONG,
++ .arg4_type = ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED,
++ .arg4_size = sizeof(u64),
+ };
+
+ BPF_CALL_3(bpf_strncmp, const char *, s1, u32, s1_sz, const char *, s2)
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index bf6c5f685ea22..efb7ff89fe2e2 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -5952,7 +5952,8 @@ static const struct bpf_func_proto bpf_kallsyms_lookup_name_proto = {
+ .arg1_type = ARG_PTR_TO_MEM,
+ .arg2_type = ARG_CONST_SIZE_OR_ZERO,
+ .arg3_type = ARG_ANYTHING,
+- .arg4_type = ARG_PTR_TO_LONG,
++ .arg4_type = ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED,
++ .arg4_size = sizeof(u64),
+ };
+
+ static const struct bpf_func_proto *
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 62cd315984042..e3abf560e405f 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -8180,16 +8180,6 @@ static bool arg_type_is_dynptr(enum bpf_arg_type type)
+ return base_type(type) == ARG_PTR_TO_DYNPTR;
+ }
+
+-static int int_ptr_type_to_size(enum bpf_arg_type type)
+-{
+- if (type == ARG_PTR_TO_INT)
+- return sizeof(u32);
+- else if (type == ARG_PTR_TO_LONG)
+- return sizeof(u64);
+-
+- return -EINVAL;
+-}
+-
+ static int resolve_map_arg_type(struct bpf_verifier_env *env,
+ const struct bpf_call_arg_meta *meta,
+ enum bpf_arg_type *arg_type)
+@@ -8262,16 +8252,6 @@ static const struct bpf_reg_types mem_types = {
+ },
+ };
+
+-static const struct bpf_reg_types int_ptr_types = {
+- .types = {
+- PTR_TO_STACK,
+- PTR_TO_PACKET,
+- PTR_TO_PACKET_META,
+- PTR_TO_MAP_KEY,
+- PTR_TO_MAP_VALUE,
+- },
+-};
+-
+ static const struct bpf_reg_types spin_lock_types = {
+ .types = {
+ PTR_TO_MAP_VALUE,
+@@ -8327,8 +8307,6 @@ static const struct bpf_reg_types *compatible_reg_types[__BPF_ARG_TYPE_MAX] = {
+ [ARG_PTR_TO_SPIN_LOCK] = &spin_lock_types,
+ [ARG_PTR_TO_MEM] = &mem_types,
+ [ARG_PTR_TO_RINGBUF_MEM] = &ringbuf_mem_types,
+- [ARG_PTR_TO_INT] = &int_ptr_types,
+- [ARG_PTR_TO_LONG] = &int_ptr_types,
+ [ARG_PTR_TO_PERCPU_BTF_ID] = &percpu_btf_ptr_types,
+ [ARG_PTR_TO_FUNC] = &func_ptr_types,
+ [ARG_PTR_TO_STACK] = &stack_ptr_types,
+@@ -8889,9 +8867,11 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
+ */
+ meta->raw_mode = arg_type & MEM_UNINIT;
+ if (arg_type & MEM_FIXED_SIZE) {
+- err = check_helper_mem_access(env, regno,
+- fn->arg_size[arg], false,
+- meta);
++ err = check_helper_mem_access(env, regno, fn->arg_size[arg], false, meta);
++ if (err)
++ return err;
++ if (arg_type & MEM_ALIGNED)
++ err = check_ptr_alignment(env, reg, 0, fn->arg_size[arg], true);
+ }
+ break;
+ case ARG_CONST_SIZE:
+@@ -8916,17 +8896,6 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
+ if (err)
+ return err;
+ break;
+- case ARG_PTR_TO_INT:
+- case ARG_PTR_TO_LONG:
+- {
+- int size = int_ptr_type_to_size(arg_type);
+-
+- err = check_helper_mem_access(env, regno, size, false, meta);
+- if (err)
+- return err;
+- err = check_ptr_alignment(env, reg, 0, size, true);
+- break;
+- }
+ case ARG_PTR_TO_CONST_STR:
+ {
+ err = check_reg_const_str(env, reg, regno);
+diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
+index cd098846e251c..0b6df2c6ebe08 100644
+--- a/kernel/trace/bpf_trace.c
++++ b/kernel/trace/bpf_trace.c
+@@ -1226,7 +1226,8 @@ static const struct bpf_func_proto bpf_get_func_arg_proto = {
+ .ret_type = RET_INTEGER,
+ .arg1_type = ARG_PTR_TO_CTX,
+ .arg2_type = ARG_ANYTHING,
+- .arg3_type = ARG_PTR_TO_LONG,
++ .arg3_type = ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED,
++ .arg3_size = sizeof(u64),
+ };
+
+ BPF_CALL_2(get_func_ret, void *, ctx, u64 *, value)
+@@ -1242,7 +1243,8 @@ static const struct bpf_func_proto bpf_get_func_ret_proto = {
+ .func = get_func_ret,
+ .ret_type = RET_INTEGER,
+ .arg1_type = ARG_PTR_TO_CTX,
+- .arg2_type = ARG_PTR_TO_LONG,
++ .arg2_type = ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED,
++ .arg2_size = sizeof(u64),
+ };
+
+ BPF_CALL_1(get_func_arg_cnt, void *, ctx)
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 78a6f746ea0ba..88588dae20267 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -6346,7 +6346,8 @@ static const struct bpf_func_proto bpf_skb_check_mtu_proto = {
+ .ret_type = RET_INTEGER,
+ .arg1_type = ARG_PTR_TO_CTX,
+ .arg2_type = ARG_ANYTHING,
+- .arg3_type = ARG_PTR_TO_INT,
++ .arg3_type = ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED,
++ .arg3_size = sizeof(u32),
+ .arg4_type = ARG_ANYTHING,
+ .arg5_type = ARG_ANYTHING,
+ };
+@@ -6357,7 +6358,8 @@ static const struct bpf_func_proto bpf_xdp_check_mtu_proto = {
+ .ret_type = RET_INTEGER,
+ .arg1_type = ARG_PTR_TO_CTX,
+ .arg2_type = ARG_ANYTHING,
+- .arg3_type = ARG_PTR_TO_INT,
++ .arg3_type = ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED,
++ .arg3_size = sizeof(u32),
+ .arg4_type = ARG_ANYTHING,
+ .arg5_type = ARG_ANYTHING,
+ };
+--
+2.43.0
+
--- /dev/null
+From d6df9f749ad47c529e03cc63a5bf5fe2b07def9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 21:17:49 +0200
+Subject: bpf: Improve check_raw_mode_ok test for MEM_UNINIT-tagged types
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 18752d73c1898fd001569195ba4b0b8c43255f4a ]
+
+When checking malformed helper function signatures, also take other argument
+types into account aside from just ARG_PTR_TO_UNINIT_MEM.
+
+This concerns (formerly) ARG_PTR_TO_{INT,LONG} given uninitialized memory can
+be passed there, too.
+
+The func proto sanity check goes back to commit 435faee1aae9 ("bpf, verifier:
+add ARG_PTR_TO_RAW_STACK type"), and its purpose was to detect wrong func protos
+which had more than just one MEM_UNINIT-tagged type as arguments.
+
+The reason more than one is currently not supported is as we mark stack slots with
+STACK_MISC in check_helper_call() in case of raw mode based on meta.access_size to
+allow uninitialized stack memory to be passed to helpers when they just write into
+the buffer.
+
+Probing for base type as well as MEM_UNINIT tagging ensures that other types do not
+get missed (as it used to be the case for ARG_PTR_TO_{INT,LONG}).
+
+Fixes: 57c3bb725a3d ("bpf: Introduce ARG_PTR_TO_{INT,LONG} arg types")
+Reported-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Link: https://lore.kernel.org/r/20240913191754.13290-4-daniel@iogearbox.net
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index e3abf560e405f..8c07efa3905b9 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -8170,6 +8170,12 @@ static bool arg_type_is_mem_size(enum bpf_arg_type type)
+ type == ARG_CONST_SIZE_OR_ZERO;
+ }
+
++static bool arg_type_is_raw_mem(enum bpf_arg_type type)
++{
++ return base_type(type) == ARG_PTR_TO_MEM &&
++ type & MEM_UNINIT;
++}
++
+ static bool arg_type_is_release(enum bpf_arg_type type)
+ {
+ return type & OBJ_RELEASE;
+@@ -9212,15 +9218,15 @@ static bool check_raw_mode_ok(const struct bpf_func_proto *fn)
+ {
+ int count = 0;
+
+- if (fn->arg1_type == ARG_PTR_TO_UNINIT_MEM)
++ if (arg_type_is_raw_mem(fn->arg1_type))
+ count++;
+- if (fn->arg2_type == ARG_PTR_TO_UNINIT_MEM)
++ if (arg_type_is_raw_mem(fn->arg2_type))
+ count++;
+- if (fn->arg3_type == ARG_PTR_TO_UNINIT_MEM)
++ if (arg_type_is_raw_mem(fn->arg3_type))
+ count++;
+- if (fn->arg4_type == ARG_PTR_TO_UNINIT_MEM)
++ if (arg_type_is_raw_mem(fn->arg4_type))
+ count++;
+- if (fn->arg5_type == ARG_PTR_TO_UNINIT_MEM)
++ if (arg_type_is_raw_mem(fn->arg5_type))
+ count++;
+
+ /* We only support one arg being in raw mode at the moment,
+--
+2.43.0
+
--- /dev/null
+From 9a1878f64591ab156a029f5713d6525afc566c31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jul 2024 19:00:52 +0800
+Subject: bpf, lsm: Add check for BPF LSM return value
+
+From: Xu Kuohai <xukuohai@huawei.com>
+
+[ Upstream commit 5d99e198be279045e6ecefe220f5c52f8ce9bfd5 ]
+
+A bpf prog returning a positive number attached to file_alloc_security
+hook makes kernel panic.
+
+This happens because file system can not filter out the positive number
+returned by the LSM prog using IS_ERR, and misinterprets this positive
+number as a file pointer.
+
+Given that hook file_alloc_security never returned positive number
+before the introduction of BPF LSM, and other BPF LSM hooks may
+encounter similar issues, this patch adds LSM return value check
+in verifier, to ensure no unexpected value is returned.
+
+Fixes: 520b7aa00d8c ("bpf: lsm: Initialize the BPF LSM hooks")
+Reported-by: Xin Liu <liuxin350@huawei.com>
+Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
+Acked-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20240719110059.797546-3-xukuohai@huaweicloud.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bpf.h | 1 +
+ include/linux/bpf_lsm.h | 8 ++++++
+ kernel/bpf/bpf_lsm.c | 34 ++++++++++++++++++++++-
+ kernel/bpf/btf.c | 5 +++-
+ kernel/bpf/verifier.c | 60 ++++++++++++++++++++++++++++++++++-------
+ 5 files changed, 97 insertions(+), 11 deletions(-)
+
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index 3b94ec161e8cc..71ccd39011ed0 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -927,6 +927,7 @@ struct bpf_insn_access_aux {
+ };
+ };
+ struct bpf_verifier_log *log; /* for verbose logs */
++ bool is_retval; /* is accessing function return value ? */
+ };
+
+ static inline void
+diff --git a/include/linux/bpf_lsm.h b/include/linux/bpf_lsm.h
+index 1de7ece5d36d4..aefcd65642512 100644
+--- a/include/linux/bpf_lsm.h
++++ b/include/linux/bpf_lsm.h
+@@ -9,6 +9,7 @@
+
+ #include <linux/sched.h>
+ #include <linux/bpf.h>
++#include <linux/bpf_verifier.h>
+ #include <linux/lsm_hooks.h>
+
+ #ifdef CONFIG_BPF_LSM
+@@ -45,6 +46,8 @@ void bpf_inode_storage_free(struct inode *inode);
+
+ void bpf_lsm_find_cgroup_shim(const struct bpf_prog *prog, bpf_func_t *bpf_func);
+
++int bpf_lsm_get_retval_range(const struct bpf_prog *prog,
++ struct bpf_retval_range *range);
+ #else /* !CONFIG_BPF_LSM */
+
+ static inline bool bpf_lsm_is_sleepable_hook(u32 btf_id)
+@@ -78,6 +81,11 @@ static inline void bpf_lsm_find_cgroup_shim(const struct bpf_prog *prog,
+ {
+ }
+
++static inline int bpf_lsm_get_retval_range(const struct bpf_prog *prog,
++ struct bpf_retval_range *range)
++{
++ return -EOPNOTSUPP;
++}
+ #endif /* CONFIG_BPF_LSM */
+
+ #endif /* _LINUX_BPF_LSM_H */
+diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
+index 08a338e1f2311..701092736826a 100644
+--- a/kernel/bpf/bpf_lsm.c
++++ b/kernel/bpf/bpf_lsm.c
+@@ -11,7 +11,6 @@
+ #include <linux/lsm_hooks.h>
+ #include <linux/bpf_lsm.h>
+ #include <linux/kallsyms.h>
+-#include <linux/bpf_verifier.h>
+ #include <net/bpf_sk_storage.h>
+ #include <linux/bpf_local_storage.h>
+ #include <linux/btf_ids.h>
+@@ -390,3 +389,36 @@ const struct bpf_verifier_ops lsm_verifier_ops = {
+ .get_func_proto = bpf_lsm_func_proto,
+ .is_valid_access = btf_ctx_access,
+ };
++
++/* hooks return 0 or 1 */
++BTF_SET_START(bool_lsm_hooks)
++#ifdef CONFIG_SECURITY_NETWORK_XFRM
++BTF_ID(func, bpf_lsm_xfrm_state_pol_flow_match)
++#endif
++#ifdef CONFIG_AUDIT
++BTF_ID(func, bpf_lsm_audit_rule_known)
++#endif
++BTF_ID(func, bpf_lsm_inode_xattr_skipcap)
++BTF_SET_END(bool_lsm_hooks)
++
++int bpf_lsm_get_retval_range(const struct bpf_prog *prog,
++ struct bpf_retval_range *retval_range)
++{
++ /* no return value range for void hooks */
++ if (!prog->aux->attach_func_proto->type)
++ return -EINVAL;
++
++ if (btf_id_set_contains(&bool_lsm_hooks, prog->aux->attach_btf_id)) {
++ retval_range->minval = 0;
++ retval_range->maxval = 1;
++ } else {
++ /* All other available LSM hooks, except task_prctl, return 0
++ * on success and negative error code on failure.
++ * To keep things simple, we only allow bpf progs to return 0
++ * or negative errno for task_prctl too.
++ */
++ retval_range->minval = -MAX_ERRNO;
++ retval_range->maxval = 0;
++ }
++ return 0;
++}
+diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
+index a4e4f8d43ecf0..249c94c996150 100644
+--- a/kernel/bpf/btf.c
++++ b/kernel/bpf/btf.c
+@@ -6418,8 +6418,11 @@ bool btf_ctx_access(int off, int size, enum bpf_access_type type,
+
+ if (arg == nr_args) {
+ switch (prog->expected_attach_type) {
+- case BPF_LSM_CGROUP:
+ case BPF_LSM_MAC:
++ /* mark we are accessing the return value */
++ info->is_retval = true;
++ fallthrough;
++ case BPF_LSM_CGROUP:
+ case BPF_TRACE_FEXIT:
+ /* When LSM programs are attached to void LSM hooks
+ * they use FEXIT trampolines and when attached to
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index d8520095ca030..665bd75193b03 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2334,6 +2334,25 @@ static void mark_reg_unknown(struct bpf_verifier_env *env,
+ __mark_reg_unknown(env, regs + regno);
+ }
+
++static int __mark_reg_s32_range(struct bpf_verifier_env *env,
++ struct bpf_reg_state *regs,
++ u32 regno,
++ s32 s32_min,
++ s32 s32_max)
++{
++ struct bpf_reg_state *reg = regs + regno;
++
++ reg->s32_min_value = max_t(s32, reg->s32_min_value, s32_min);
++ reg->s32_max_value = min_t(s32, reg->s32_max_value, s32_max);
++
++ reg->smin_value = max_t(s64, reg->smin_value, s32_min);
++ reg->smax_value = min_t(s64, reg->smax_value, s32_max);
++
++ reg_bounds_sync(reg);
++
++ return reg_bounds_sanity_check(env, reg, "s32_range");
++}
++
+ static void __mark_reg_not_init(const struct bpf_verifier_env *env,
+ struct bpf_reg_state *reg)
+ {
+@@ -5587,11 +5606,12 @@ static int check_packet_access(struct bpf_verifier_env *env, u32 regno, int off,
+ /* check access to 'struct bpf_context' fields. Supports fixed offsets only */
+ static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off, int size,
+ enum bpf_access_type t, enum bpf_reg_type *reg_type,
+- struct btf **btf, u32 *btf_id)
++ struct btf **btf, u32 *btf_id, bool *is_retval)
+ {
+ struct bpf_insn_access_aux info = {
+ .reg_type = *reg_type,
+ .log = &env->log,
++ .is_retval = false,
+ };
+
+ if (env->ops->is_valid_access &&
+@@ -5604,6 +5624,7 @@ static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off,
+ * type of narrower access.
+ */
+ *reg_type = info.reg_type;
++ *is_retval = info.is_retval;
+
+ if (base_type(*reg_type) == PTR_TO_BTF_ID) {
+ *btf = info.btf;
+@@ -6772,6 +6793,17 @@ static int check_stack_access_within_bounds(
+ return grow_stack_state(env, state, -min_off /* size */);
+ }
+
++static bool get_func_retval_range(struct bpf_prog *prog,
++ struct bpf_retval_range *range)
++{
++ if (prog->type == BPF_PROG_TYPE_LSM &&
++ prog->expected_attach_type == BPF_LSM_MAC &&
++ !bpf_lsm_get_retval_range(prog, range)) {
++ return true;
++ }
++ return false;
++}
++
+ /* check whether memory at (regno + off) is accessible for t = (read | write)
+ * if t==write, value_regno is a register which value is stored into memory
+ * if t==read, value_regno is a register which will receive the value from memory
+@@ -6876,6 +6908,8 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
+ if (!err && value_regno >= 0 && (t == BPF_READ || rdonly_mem))
+ mark_reg_unknown(env, regs, value_regno);
+ } else if (reg->type == PTR_TO_CTX) {
++ bool is_retval = false;
++ struct bpf_retval_range range;
+ enum bpf_reg_type reg_type = SCALAR_VALUE;
+ struct btf *btf = NULL;
+ u32 btf_id = 0;
+@@ -6891,7 +6925,7 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
+ return err;
+
+ err = check_ctx_access(env, insn_idx, off, size, t, ®_type, &btf,
+- &btf_id);
++ &btf_id, &is_retval);
+ if (err)
+ verbose_linfo(env, insn_idx, "; ");
+ if (!err && t == BPF_READ && value_regno >= 0) {
+@@ -6900,7 +6934,14 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
+ * case, we know the offset is zero.
+ */
+ if (reg_type == SCALAR_VALUE) {
+- mark_reg_unknown(env, regs, value_regno);
++ if (is_retval && get_func_retval_range(env->prog, &range)) {
++ err = __mark_reg_s32_range(env, regs, value_regno,
++ range.minval, range.maxval);
++ if (err)
++ return err;
++ } else {
++ mark_reg_unknown(env, regs, value_regno);
++ }
+ } else {
+ mark_reg_known_zero(env, regs,
+ value_regno);
+@@ -15674,12 +15715,13 @@ static int check_return_code(struct bpf_verifier_env *env, int regno, const char
+
+ case BPF_PROG_TYPE_LSM:
+ if (env->prog->expected_attach_type != BPF_LSM_CGROUP) {
+- /* Regular BPF_PROG_TYPE_LSM programs can return
+- * any value.
+- */
+- return 0;
+- }
+- if (!env->prog->aux->attach_func_proto->type) {
++ /* no range found, any return value is allowed */
++ if (!get_func_retval_range(env->prog, &range))
++ return 0;
++ /* no restricted range, any return value is allowed */
++ if (range.minval == S32_MIN && range.maxval == S32_MAX)
++ return 0;
++ } else if (!env->prog->aux->attach_func_proto->type) {
+ /* Make sure programs that attach to void
+ * hooks don't try to modify return value.
+ */
+--
+2.43.0
+
--- /dev/null
+From 5238b50bcfce31cac82742e2324ae0e72b7fc085 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jul 2024 20:39:00 +0800
+Subject: bpf, x64: Fix tailcall hierarchy
+
+From: Leon Hwang <hffilwlqm@gmail.com>
+
+[ Upstream commit 116e04ba1459fc08f80cf27b8c9f9f188be0fcb2 ]
+
+This patch fixes a tailcall issue caused by abusing the tailcall in
+bpf2bpf feature.
+
+As we know, tail_call_cnt propagates by rax from caller to callee when
+to call subprog in tailcall context. But, like the following example,
+MAX_TAIL_CALL_CNT won't work because of missing tail_call_cnt
+back-propagation from callee to caller.
+
+\#include <linux/bpf.h>
+\#include <bpf/bpf_helpers.h>
+\#include "bpf_legacy.h"
+
+struct {
+ __uint(type, BPF_MAP_TYPE_PROG_ARRAY);
+ __uint(max_entries, 1);
+ __uint(key_size, sizeof(__u32));
+ __uint(value_size, sizeof(__u32));
+} jmp_table SEC(".maps");
+
+int count = 0;
+
+static __noinline
+int subprog_tail1(struct __sk_buff *skb)
+{
+ bpf_tail_call_static(skb, &jmp_table, 0);
+ return 0;
+}
+
+static __noinline
+int subprog_tail2(struct __sk_buff *skb)
+{
+ bpf_tail_call_static(skb, &jmp_table, 0);
+ return 0;
+}
+
+SEC("tc")
+int entry(struct __sk_buff *skb)
+{
+ volatile int ret = 1;
+
+ count++;
+ subprog_tail1(skb);
+ subprog_tail2(skb);
+
+ return ret;
+}
+
+char __license[] SEC("license") = "GPL";
+
+At run time, the tail_call_cnt in entry() will be propagated to
+subprog_tail1() and subprog_tail2(). But, when the tail_call_cnt in
+subprog_tail1() updates when bpf_tail_call_static(), the tail_call_cnt
+in entry() won't be updated at the same time. As a result, in entry(),
+when tail_call_cnt in entry() is less than MAX_TAIL_CALL_CNT and
+subprog_tail1() returns because of MAX_TAIL_CALL_CNT limit,
+bpf_tail_call_static() in suprog_tail2() is able to run because the
+tail_call_cnt in subprog_tail2() propagated from entry() is less than
+MAX_TAIL_CALL_CNT.
+
+So, how many tailcalls are there for this case if no error happens?
+
+From top-down view, does it look like hierarchy layer and layer?
+
+With this view, there will be 2+4+8+...+2^33 = 2^34 - 2 = 17,179,869,182
+tailcalls for this case.
+
+How about there are N subprog_tail() in entry()? There will be almost
+N^34 tailcalls.
+
+Then, in this patch, it resolves this case on x86_64.
+
+In stead of propagating tail_call_cnt from caller to callee, it
+propagates its pointer, tail_call_cnt_ptr, tcc_ptr for short.
+
+However, where does it store tail_call_cnt?
+
+It stores tail_call_cnt on the stack of main prog. When tail call
+happens in subprog, it increments tail_call_cnt by tcc_ptr.
+
+Meanwhile, it stores tail_call_cnt_ptr on the stack of main prog, too.
+
+And, before jump to tail callee, it has to pop tail_call_cnt and
+tail_call_cnt_ptr.
+
+Then, at the prologue of subprog, it must not make rax as
+tail_call_cnt_ptr again. It has to reuse tail_call_cnt_ptr from caller.
+
+As a result, at run time, it has to recognize rax is tail_call_cnt or
+tail_call_cnt_ptr at prologue by:
+
+1. rax is tail_call_cnt if rax is <= MAX_TAIL_CALL_CNT.
+2. rax is tail_call_cnt_ptr if rax is > MAX_TAIL_CALL_CNT, because a
+ pointer won't be <= MAX_TAIL_CALL_CNT.
+
+Here's an example to dump JITed.
+
+struct {
+ __uint(type, BPF_MAP_TYPE_PROG_ARRAY);
+ __uint(max_entries, 1);
+ __uint(key_size, sizeof(__u32));
+ __uint(value_size, sizeof(__u32));
+} jmp_table SEC(".maps");
+
+int count = 0;
+
+static __noinline
+int subprog_tail(struct __sk_buff *skb)
+{
+ bpf_tail_call_static(skb, &jmp_table, 0);
+ return 0;
+}
+
+SEC("tc")
+int entry(struct __sk_buff *skb)
+{
+ int ret = 1;
+
+ count++;
+ subprog_tail(skb);
+ subprog_tail(skb);
+
+ return ret;
+}
+
+When bpftool p d j id 42:
+
+int entry(struct __sk_buff * skb):
+bpf_prog_0c0f4c2413ef19b1_entry:
+; int entry(struct __sk_buff *skb)
+ 0: endbr64
+ 4: nopl (%rax,%rax)
+ 9: xorq %rax, %rax ;; rax = 0 (tail_call_cnt)
+ c: pushq %rbp
+ d: movq %rsp, %rbp
+ 10: endbr64
+ 14: cmpq $33, %rax ;; if rax > 33, rax = tcc_ptr
+ 18: ja 0x20 ;; if rax > 33 goto 0x20 ---+
+ 1a: pushq %rax ;; [rbp - 8] = rax = 0 |
+ 1b: movq %rsp, %rax ;; rax = rbp - 8 |
+ 1e: jmp 0x21 ;; ---------+ |
+ 20: pushq %rax ;; <--------|---------------+
+ 21: pushq %rax ;; <--------+ [rbp - 16] = rax
+ 22: pushq %rbx ;; callee saved
+ 23: movq %rdi, %rbx ;; rbx = skb (callee saved)
+; count++;
+ 26: movabsq $-82417199407104, %rdi
+ 30: movl (%rdi), %esi
+ 33: addl $1, %esi
+ 36: movl %esi, (%rdi)
+; subprog_tail(skb);
+ 39: movq %rbx, %rdi ;; rdi = skb
+ 3c: movq -16(%rbp), %rax ;; rax = tcc_ptr
+ 43: callq 0x80 ;; call subprog_tail()
+; subprog_tail(skb);
+ 48: movq %rbx, %rdi ;; rdi = skb
+ 4b: movq -16(%rbp), %rax ;; rax = tcc_ptr
+ 52: callq 0x80 ;; call subprog_tail()
+; return ret;
+ 57: movl $1, %eax
+ 5c: popq %rbx
+ 5d: leave
+ 5e: retq
+
+int subprog_tail(struct __sk_buff * skb):
+bpf_prog_3a140cef239a4b4f_subprog_tail:
+; int subprog_tail(struct __sk_buff *skb)
+ 0: endbr64
+ 4: nopl (%rax,%rax)
+ 9: nopl (%rax) ;; do not touch tail_call_cnt
+ c: pushq %rbp
+ d: movq %rsp, %rbp
+ 10: endbr64
+ 14: pushq %rax ;; [rbp - 8] = rax (tcc_ptr)
+ 15: pushq %rax ;; [rbp - 16] = rax (tcc_ptr)
+ 16: pushq %rbx ;; callee saved
+ 17: pushq %r13 ;; callee saved
+ 19: movq %rdi, %rbx ;; rbx = skb
+; asm volatile("r1 = %[ctx]\n\t"
+ 1c: movabsq $-105487587488768, %r13 ;; r13 = jmp_table
+ 26: movq %rbx, %rdi ;; 1st arg, skb
+ 29: movq %r13, %rsi ;; 2nd arg, jmp_table
+ 2c: xorl %edx, %edx ;; 3rd arg, index = 0
+ 2e: movq -16(%rbp), %rax ;; rax = [rbp - 16] (tcc_ptr)
+ 35: cmpq $33, (%rax)
+ 39: jae 0x4e ;; if *tcc_ptr >= 33 goto 0x4e --------+
+ 3b: jmp 0x4e ;; jmp bypass, toggled by poking |
+ 40: addq $1, (%rax) ;; (*tcc_ptr)++ |
+ 44: popq %r13 ;; callee saved |
+ 46: popq %rbx ;; callee saved |
+ 47: popq %rax ;; undo rbp-16 push |
+ 48: popq %rax ;; undo rbp-8 push |
+ 49: nopl (%rax,%rax) ;; tail call target, toggled by poking |
+; return 0; ;; |
+ 4e: popq %r13 ;; restore callee saved <--------------+
+ 50: popq %rbx ;; restore callee saved
+ 51: leave
+ 52: retq
+
+Furthermore, when trampoline is the caller of bpf prog, which is
+tail_call_reachable, it is required to propagate rax through trampoline.
+
+Fixes: ebf7d1f508a7 ("bpf, x64: rework pro/epilogue and tailcall handling in JIT")
+Fixes: e411901c0b77 ("bpf: allow for tailcalls in BPF subprograms for x64 JIT")
+Reviewed-by: Eduard Zingerman <eddyz87@gmail.com>
+Signed-off-by: Leon Hwang <hffilwlqm@gmail.com>
+Link: https://lore.kernel.org/r/20240714123902.32305-2-hffilwlqm@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/net/bpf_jit_comp.c | 107 ++++++++++++++++++++++++++----------
+ 1 file changed, 79 insertions(+), 28 deletions(-)
+
+diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
+index d25d81c8ecc00..074b41fafbe3f 100644
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -273,7 +273,7 @@ struct jit_context {
+ /* Number of bytes emit_patch() needs to generate instructions */
+ #define X86_PATCH_SIZE 5
+ /* Number of bytes that will be skipped on tailcall */
+-#define X86_TAIL_CALL_OFFSET (11 + ENDBR_INSN_SIZE)
++#define X86_TAIL_CALL_OFFSET (12 + ENDBR_INSN_SIZE)
+
+ static void push_r12(u8 **pprog)
+ {
+@@ -403,6 +403,37 @@ static void emit_cfi(u8 **pprog, u32 hash)
+ *pprog = prog;
+ }
+
++static void emit_prologue_tail_call(u8 **pprog, bool is_subprog)
++{
++ u8 *prog = *pprog;
++
++ if (!is_subprog) {
++ /* cmp rax, MAX_TAIL_CALL_CNT */
++ EMIT4(0x48, 0x83, 0xF8, MAX_TAIL_CALL_CNT);
++ EMIT2(X86_JA, 6); /* ja 6 */
++ /* rax is tail_call_cnt if <= MAX_TAIL_CALL_CNT.
++ * case1: entry of main prog.
++ * case2: tail callee of main prog.
++ */
++ EMIT1(0x50); /* push rax */
++ /* Make rax as tail_call_cnt_ptr. */
++ EMIT3(0x48, 0x89, 0xE0); /* mov rax, rsp */
++ EMIT2(0xEB, 1); /* jmp 1 */
++ /* rax is tail_call_cnt_ptr if > MAX_TAIL_CALL_CNT.
++ * case: tail callee of subprog.
++ */
++ EMIT1(0x50); /* push rax */
++ /* push tail_call_cnt_ptr */
++ EMIT1(0x50); /* push rax */
++ } else { /* is_subprog */
++ /* rax is tail_call_cnt_ptr. */
++ EMIT1(0x50); /* push rax */
++ EMIT1(0x50); /* push rax */
++ }
++
++ *pprog = prog;
++}
++
+ /*
+ * Emit x86-64 prologue code for BPF program.
+ * bpf_tail_call helper will skip the first X86_TAIL_CALL_OFFSET bytes
+@@ -424,10 +455,10 @@ static void emit_prologue(u8 **pprog, u32 stack_depth, bool ebpf_from_cbpf,
+ /* When it's the entry of the whole tailcall context,
+ * zeroing rax means initialising tail_call_cnt.
+ */
+- EMIT2(0x31, 0xC0); /* xor eax, eax */
++ EMIT3(0x48, 0x31, 0xC0); /* xor rax, rax */
+ else
+ /* Keep the same instruction layout. */
+- EMIT2(0x66, 0x90); /* nop2 */
++ emit_nops(&prog, 3); /* nop3 */
+ }
+ /* Exception callback receives FP as third parameter */
+ if (is_exception_cb) {
+@@ -453,7 +484,7 @@ static void emit_prologue(u8 **pprog, u32 stack_depth, bool ebpf_from_cbpf,
+ if (stack_depth)
+ EMIT3_off32(0x48, 0x81, 0xEC, round_up(stack_depth, 8));
+ if (tail_call_reachable)
+- EMIT1(0x50); /* push rax */
++ emit_prologue_tail_call(&prog, is_subprog);
+ *pprog = prog;
+ }
+
+@@ -589,13 +620,15 @@ static void emit_return(u8 **pprog, u8 *ip)
+ *pprog = prog;
+ }
+
++#define BPF_TAIL_CALL_CNT_PTR_STACK_OFF(stack) (-16 - round_up(stack, 8))
++
+ /*
+ * Generate the following code:
+ *
+ * ... bpf_tail_call(void *ctx, struct bpf_array *array, u64 index) ...
+ * if (index >= array->map.max_entries)
+ * goto out;
+- * if (tail_call_cnt++ >= MAX_TAIL_CALL_CNT)
++ * if ((*tcc_ptr)++ >= MAX_TAIL_CALL_CNT)
+ * goto out;
+ * prog = array->ptrs[index];
+ * if (prog == NULL)
+@@ -608,7 +641,7 @@ static void emit_bpf_tail_call_indirect(struct bpf_prog *bpf_prog,
+ u32 stack_depth, u8 *ip,
+ struct jit_context *ctx)
+ {
+- int tcc_off = -4 - round_up(stack_depth, 8);
++ int tcc_ptr_off = BPF_TAIL_CALL_CNT_PTR_STACK_OFF(stack_depth);
+ u8 *prog = *pprog, *start = *pprog;
+ int offset;
+
+@@ -630,16 +663,14 @@ static void emit_bpf_tail_call_indirect(struct bpf_prog *bpf_prog,
+ EMIT2(X86_JBE, offset); /* jbe out */
+
+ /*
+- * if (tail_call_cnt++ >= MAX_TAIL_CALL_CNT)
++ * if ((*tcc_ptr)++ >= MAX_TAIL_CALL_CNT)
+ * goto out;
+ */
+- EMIT2_off32(0x8B, 0x85, tcc_off); /* mov eax, dword ptr [rbp - tcc_off] */
+- EMIT3(0x83, 0xF8, MAX_TAIL_CALL_CNT); /* cmp eax, MAX_TAIL_CALL_CNT */
++ EMIT3_off32(0x48, 0x8B, 0x85, tcc_ptr_off); /* mov rax, qword ptr [rbp - tcc_ptr_off] */
++ EMIT4(0x48, 0x83, 0x38, MAX_TAIL_CALL_CNT); /* cmp qword ptr [rax], MAX_TAIL_CALL_CNT */
+
+ offset = ctx->tail_call_indirect_label - (prog + 2 - start);
+ EMIT2(X86_JAE, offset); /* jae out */
+- EMIT3(0x83, 0xC0, 0x01); /* add eax, 1 */
+- EMIT2_off32(0x89, 0x85, tcc_off); /* mov dword ptr [rbp - tcc_off], eax */
+
+ /* prog = array->ptrs[index]; */
+ EMIT4_off32(0x48, 0x8B, 0x8C, 0xD6, /* mov rcx, [rsi + rdx * 8 + offsetof(...)] */
+@@ -654,6 +685,9 @@ static void emit_bpf_tail_call_indirect(struct bpf_prog *bpf_prog,
+ offset = ctx->tail_call_indirect_label - (prog + 2 - start);
+ EMIT2(X86_JE, offset); /* je out */
+
++ /* Inc tail_call_cnt if the slot is populated. */
++ EMIT4(0x48, 0x83, 0x00, 0x01); /* add qword ptr [rax], 1 */
++
+ if (bpf_prog->aux->exception_boundary) {
+ pop_callee_regs(&prog, all_callee_regs_used);
+ pop_r12(&prog);
+@@ -663,6 +697,11 @@ static void emit_bpf_tail_call_indirect(struct bpf_prog *bpf_prog,
+ pop_r12(&prog);
+ }
+
++ /* Pop tail_call_cnt_ptr. */
++ EMIT1(0x58); /* pop rax */
++ /* Pop tail_call_cnt, if it's main prog.
++ * Pop tail_call_cnt_ptr, if it's subprog.
++ */
+ EMIT1(0x58); /* pop rax */
+ if (stack_depth)
+ EMIT3_off32(0x48, 0x81, 0xC4, /* add rsp, sd */
+@@ -691,21 +730,19 @@ static void emit_bpf_tail_call_direct(struct bpf_prog *bpf_prog,
+ bool *callee_regs_used, u32 stack_depth,
+ struct jit_context *ctx)
+ {
+- int tcc_off = -4 - round_up(stack_depth, 8);
++ int tcc_ptr_off = BPF_TAIL_CALL_CNT_PTR_STACK_OFF(stack_depth);
+ u8 *prog = *pprog, *start = *pprog;
+ int offset;
+
+ /*
+- * if (tail_call_cnt++ >= MAX_TAIL_CALL_CNT)
++ * if ((*tcc_ptr)++ >= MAX_TAIL_CALL_CNT)
+ * goto out;
+ */
+- EMIT2_off32(0x8B, 0x85, tcc_off); /* mov eax, dword ptr [rbp - tcc_off] */
+- EMIT3(0x83, 0xF8, MAX_TAIL_CALL_CNT); /* cmp eax, MAX_TAIL_CALL_CNT */
++ EMIT3_off32(0x48, 0x8B, 0x85, tcc_ptr_off); /* mov rax, qword ptr [rbp - tcc_ptr_off] */
++ EMIT4(0x48, 0x83, 0x38, MAX_TAIL_CALL_CNT); /* cmp qword ptr [rax], MAX_TAIL_CALL_CNT */
+
+ offset = ctx->tail_call_direct_label - (prog + 2 - start);
+ EMIT2(X86_JAE, offset); /* jae out */
+- EMIT3(0x83, 0xC0, 0x01); /* add eax, 1 */
+- EMIT2_off32(0x89, 0x85, tcc_off); /* mov dword ptr [rbp - tcc_off], eax */
+
+ poke->tailcall_bypass = ip + (prog - start);
+ poke->adj_off = X86_TAIL_CALL_OFFSET;
+@@ -715,6 +752,9 @@ static void emit_bpf_tail_call_direct(struct bpf_prog *bpf_prog,
+ emit_jump(&prog, (u8 *)poke->tailcall_target + X86_PATCH_SIZE,
+ poke->tailcall_bypass);
+
++ /* Inc tail_call_cnt if the slot is populated. */
++ EMIT4(0x48, 0x83, 0x00, 0x01); /* add qword ptr [rax], 1 */
++
+ if (bpf_prog->aux->exception_boundary) {
+ pop_callee_regs(&prog, all_callee_regs_used);
+ pop_r12(&prog);
+@@ -724,6 +764,11 @@ static void emit_bpf_tail_call_direct(struct bpf_prog *bpf_prog,
+ pop_r12(&prog);
+ }
+
++ /* Pop tail_call_cnt_ptr. */
++ EMIT1(0x58); /* pop rax */
++ /* Pop tail_call_cnt, if it's main prog.
++ * Pop tail_call_cnt_ptr, if it's subprog.
++ */
+ EMIT1(0x58); /* pop rax */
+ if (stack_depth)
+ EMIT3_off32(0x48, 0x81, 0xC4, round_up(stack_depth, 8));
+@@ -1311,9 +1356,11 @@ static void emit_shiftx(u8 **pprog, u32 dst_reg, u8 src_reg, bool is64, u8 op)
+
+ #define INSN_SZ_DIFF (((addrs[i] - addrs[i - 1]) - (prog - temp)))
+
+-/* mov rax, qword ptr [rbp - rounded_stack_depth - 8] */
+-#define RESTORE_TAIL_CALL_CNT(stack) \
+- EMIT3_off32(0x48, 0x8B, 0x85, -round_up(stack, 8) - 8)
++#define __LOAD_TCC_PTR(off) \
++ EMIT3_off32(0x48, 0x8B, 0x85, off)
++/* mov rax, qword ptr [rbp - rounded_stack_depth - 16] */
++#define LOAD_TAIL_CALL_CNT_PTR(stack) \
++ __LOAD_TCC_PTR(BPF_TAIL_CALL_CNT_PTR_STACK_OFF(stack))
+
+ static int do_jit(struct bpf_prog *bpf_prog, int *addrs, u8 *image, u8 *rw_image,
+ int oldproglen, struct jit_context *ctx, bool jmp_padding)
+@@ -2031,7 +2078,7 @@ st: if (is_imm8(insn->off))
+
+ func = (u8 *) __bpf_call_base + imm32;
+ if (tail_call_reachable) {
+- RESTORE_TAIL_CALL_CNT(bpf_prog->aux->stack_depth);
++ LOAD_TAIL_CALL_CNT_PTR(bpf_prog->aux->stack_depth);
+ ip += 7;
+ }
+ if (!imm32)
+@@ -2706,6 +2753,10 @@ static int invoke_bpf_mod_ret(const struct btf_func_model *m, u8 **pprog,
+ return 0;
+ }
+
++/* mov rax, qword ptr [rbp - rounded_stack_depth - 8] */
++#define LOAD_TRAMP_TAIL_CALL_CNT_PTR(stack) \
++ __LOAD_TCC_PTR(-round_up(stack, 8) - 8)
++
+ /* Example:
+ * __be16 eth_type_trans(struct sk_buff *skb, struct net_device *dev);
+ * its 'struct btf_func_model' will be nr_args=2
+@@ -2826,7 +2877,7 @@ static int __arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, void *rw_im
+ * [ ... ]
+ * [ stack_arg2 ]
+ * RBP - arg_stack_off [ stack_arg1 ]
+- * RSP [ tail_call_cnt ] BPF_TRAMP_F_TAIL_CALL_CTX
++ * RSP [ tail_call_cnt_ptr ] BPF_TRAMP_F_TAIL_CALL_CTX
+ */
+
+ /* room for return value of orig_call or fentry prog */
+@@ -2955,10 +3006,10 @@ static int __arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, void *rw_im
+ save_args(m, &prog, arg_stack_off, true);
+
+ if (flags & BPF_TRAMP_F_TAIL_CALL_CTX) {
+- /* Before calling the original function, restore the
+- * tail_call_cnt from stack to rax.
++ /* Before calling the original function, load the
++ * tail_call_cnt_ptr from stack to rax.
+ */
+- RESTORE_TAIL_CALL_CNT(stack_size);
++ LOAD_TRAMP_TAIL_CALL_CNT_PTR(stack_size);
+ }
+
+ if (flags & BPF_TRAMP_F_ORIG_STACK) {
+@@ -3017,10 +3068,10 @@ static int __arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, void *rw_im
+ goto cleanup;
+ }
+ } else if (flags & BPF_TRAMP_F_TAIL_CALL_CTX) {
+- /* Before running the original function, restore the
+- * tail_call_cnt from stack to rax.
++ /* Before running the original function, load the
++ * tail_call_cnt_ptr from stack to rax.
+ */
+- RESTORE_TAIL_CALL_CNT(stack_size);
++ LOAD_TRAMP_TAIL_CALL_CNT_PTR(stack_size);
+ }
+
+ /* restore return value of orig_call or fentry prog back into RAX */
+--
+2.43.0
+
--- /dev/null
+From fc2c970891d1ee5bfeee12d76b5e9bacee355e00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 21:17:50 +0200
+Subject: bpf: Zero former ARG_PTR_TO_{LONG,INT} args in case of error
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 4b3786a6c5397dc220b1483d8e2f4867743e966f ]
+
+For all non-tracing helpers which formerly had ARG_PTR_TO_{LONG,INT} as input
+arguments, zero the value for the case of an error as otherwise it could leak
+memory. For tracing, it is not needed given CAP_PERFMON can already read all
+kernel memory anyway hence bpf_get_func_arg() and bpf_get_func_ret() is skipped
+in here.
+
+Also, the MTU helpers mtu_len pointer value is being written but also read.
+Technically, the MEM_UNINIT should not be there in order to always force init.
+Removing MEM_UNINIT needs more verifier rework though: MEM_UNINIT right now
+implies two things actually: i) write into memory, ii) memory does not have
+to be initialized. If we lift MEM_UNINIT, it then becomes: i) read into memory,
+ii) memory must be initialized. This means that for bpf_*_check_mtu() we're
+readding the issue we're trying to fix, that is, it would then be able to
+write back into things like .rodata BPF maps. Follow-up work will rework the
+MEM_UNINIT semantics such that the intent can be better expressed. For now
+just clear the *mtu_len on error path which can be lifted later again.
+
+Fixes: 8a67f2de9b1d ("bpf: expose bpf_strtol and bpf_strtoul to all program types")
+Fixes: d7a4cb9b6705 ("bpf: Introduce bpf_strtol and bpf_strtoul helpers")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/e5edd241-59e7-5e39-0ee5-a51e31b6840a@iogearbox.net
+Link: https://lore.kernel.org/r/20240913191754.13290-5-daniel@iogearbox.net
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/helpers.c | 2 ++
+ kernel/bpf/syscall.c | 1 +
+ net/core/filter.c | 44 +++++++++++++++++++++++---------------------
+ 3 files changed, 26 insertions(+), 21 deletions(-)
+
+diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
+index b305b116ce125..c9e235807caca 100644
+--- a/kernel/bpf/helpers.c
++++ b/kernel/bpf/helpers.c
+@@ -522,6 +522,7 @@ BPF_CALL_4(bpf_strtol, const char *, buf, size_t, buf_len, u64, flags,
+ long long _res;
+ int err;
+
++ *res = 0;
+ err = __bpf_strtoll(buf, buf_len, flags, &_res);
+ if (err < 0)
+ return err;
+@@ -549,6 +550,7 @@ BPF_CALL_4(bpf_strtoul, const char *, buf, size_t, buf_len, u64, flags,
+ bool is_negative;
+ int err;
+
++ *res = 0;
+ err = __bpf_strtoull(buf, buf_len, flags, &_res, &is_negative);
+ if (err < 0)
+ return err;
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index efb7ff89fe2e2..d9cae8e259699 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -5932,6 +5932,7 @@ static const struct bpf_func_proto bpf_sys_close_proto = {
+
+ BPF_CALL_4(bpf_kallsyms_lookup_name, const char *, name, int, name_sz, int, flags, u64 *, res)
+ {
++ *res = 0;
+ if (flags)
+ return -EINVAL;
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 88588dae20267..0e719c7c43bb7 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -6262,20 +6262,25 @@ BPF_CALL_5(bpf_skb_check_mtu, struct sk_buff *, skb,
+ int ret = BPF_MTU_CHK_RET_FRAG_NEEDED;
+ struct net_device *dev = skb->dev;
+ int skb_len, dev_len;
+- int mtu;
++ int mtu = 0;
+
+- if (unlikely(flags & ~(BPF_MTU_CHK_SEGS)))
+- return -EINVAL;
++ if (unlikely(flags & ~(BPF_MTU_CHK_SEGS))) {
++ ret = -EINVAL;
++ goto out;
++ }
+
+- if (unlikely(flags & BPF_MTU_CHK_SEGS && (len_diff || *mtu_len)))
+- return -EINVAL;
++ if (unlikely(flags & BPF_MTU_CHK_SEGS && (len_diff || *mtu_len))) {
++ ret = -EINVAL;
++ goto out;
++ }
+
+ dev = __dev_via_ifindex(dev, ifindex);
+- if (unlikely(!dev))
+- return -ENODEV;
++ if (unlikely(!dev)) {
++ ret = -ENODEV;
++ goto out;
++ }
+
+ mtu = READ_ONCE(dev->mtu);
+-
+ dev_len = mtu + dev->hard_header_len;
+
+ /* If set use *mtu_len as input, L3 as iph->tot_len (like fib_lookup) */
+@@ -6293,15 +6298,12 @@ BPF_CALL_5(bpf_skb_check_mtu, struct sk_buff *, skb,
+ */
+ if (skb_is_gso(skb)) {
+ ret = BPF_MTU_CHK_RET_SUCCESS;
+-
+ if (flags & BPF_MTU_CHK_SEGS &&
+ !skb_gso_validate_network_len(skb, mtu))
+ ret = BPF_MTU_CHK_RET_SEGS_TOOBIG;
+ }
+ out:
+- /* BPF verifier guarantees valid pointer */
+ *mtu_len = mtu;
+-
+ return ret;
+ }
+
+@@ -6311,19 +6313,21 @@ BPF_CALL_5(bpf_xdp_check_mtu, struct xdp_buff *, xdp,
+ struct net_device *dev = xdp->rxq->dev;
+ int xdp_len = xdp->data_end - xdp->data;
+ int ret = BPF_MTU_CHK_RET_SUCCESS;
+- int mtu, dev_len;
++ int mtu = 0, dev_len;
+
+ /* XDP variant doesn't support multi-buffer segment check (yet) */
+- if (unlikely(flags))
+- return -EINVAL;
++ if (unlikely(flags)) {
++ ret = -EINVAL;
++ goto out;
++ }
+
+ dev = __dev_via_ifindex(dev, ifindex);
+- if (unlikely(!dev))
+- return -ENODEV;
++ if (unlikely(!dev)) {
++ ret = -ENODEV;
++ goto out;
++ }
+
+ mtu = READ_ONCE(dev->mtu);
+-
+- /* Add L2-header as dev MTU is L3 size */
+ dev_len = mtu + dev->hard_header_len;
+
+ /* Use *mtu_len as input, L3 as iph->tot_len (like fib_lookup) */
+@@ -6333,10 +6337,8 @@ BPF_CALL_5(bpf_xdp_check_mtu, struct xdp_buff *, xdp,
+ xdp_len += len_diff; /* minus result pass check */
+ if (xdp_len > dev_len)
+ ret = BPF_MTU_CHK_RET_FRAG_NEEDED;
+-
+- /* BPF verifier guarantees valid pointer */
++out:
+ *mtu_len = mtu;
+-
+ return ret;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From b149f7bd5a98c0e0ec10bb9258eb6ddb1c23196c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 18:17:21 +0100
+Subject: bpftool: Fix handling enum64 in btf dump sorting
+
+From: Mykyta Yatsenko <yatsenko@meta.com>
+
+[ Upstream commit b0222d1d9e6f8551a056b89b0bff38f515f3c9b5 ]
+
+Wrong function is used to access the first enum64 element. Substituting btf_enum(t)
+with btf_enum64(t) for BTF_KIND_ENUM64.
+
+Fixes: 94133cf24bb3 ("bpftool: Introduce btf c dump sorting")
+Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Quentin Monnet <qmo@kernel.org>
+Link: https://lore.kernel.org/bpf/20240902171721.105253-1-mykyta.yatsenko5@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/btf.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/tools/bpf/bpftool/btf.c b/tools/bpf/bpftool/btf.c
+index 6789c7a4d5ca1..3b57ba095ab61 100644
+--- a/tools/bpf/bpftool/btf.c
++++ b/tools/bpf/bpftool/btf.c
+@@ -561,9 +561,10 @@ static const char *btf_type_sort_name(const struct btf *btf, __u32 index, bool f
+ case BTF_KIND_ENUM64: {
+ int name_off = t->name_off;
+
+- /* Use name of the first element for anonymous enums if allowed */
+- if (!from_ref && !t->name_off && btf_vlen(t))
+- name_off = btf_enum(t)->name_off;
++ if (!from_ref && !name_off && btf_vlen(t))
++ name_off = btf_kind(t) == BTF_KIND_ENUM64 ?
++ btf_enum64(t)->name_off :
++ btf_enum(t)->name_off;
+
+ return btf__name_by_offset(btf, name_off);
+ }
+--
+2.43.0
+
--- /dev/null
+From df9bec313f797a92199a0353ec1e9e7770c90750 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jul 2024 15:35:29 +0100
+Subject: cachefiles: Fix non-taking of sb_writers around set/removexattr
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 80887f31672970abae3aaa9cf62ac72a124e7c89 ]
+
+Unlike other vfs_xxxx() calls, vfs_setxattr() and vfs_removexattr() don't
+take the sb_writers lock, so the caller should do it for them.
+
+Fix cachefiles to do this.
+
+Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Christian Brauner <brauner@kernel.org>
+cc: Gao Xiang <xiang@kernel.org>
+cc: netfs@lists.linux.dev
+cc: linux-erofs@lists.ozlabs.org
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20240814203850.2240469-3-dhowells@redhat.com/ # v2
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cachefiles/xattr.c | 34 ++++++++++++++++++++++++++--------
+ 1 file changed, 26 insertions(+), 8 deletions(-)
+
+diff --git a/fs/cachefiles/xattr.c b/fs/cachefiles/xattr.c
+index 4dd8a993c60a8..7c6f260a3be56 100644
+--- a/fs/cachefiles/xattr.c
++++ b/fs/cachefiles/xattr.c
+@@ -64,9 +64,15 @@ int cachefiles_set_object_xattr(struct cachefiles_object *object)
+ memcpy(buf->data, fscache_get_aux(object->cookie), len);
+
+ ret = cachefiles_inject_write_error();
+- if (ret == 0)
+- ret = vfs_setxattr(&nop_mnt_idmap, dentry, cachefiles_xattr_cache,
+- buf, sizeof(struct cachefiles_xattr) + len, 0);
++ if (ret == 0) {
++ ret = mnt_want_write_file(file);
++ if (ret == 0) {
++ ret = vfs_setxattr(&nop_mnt_idmap, dentry,
++ cachefiles_xattr_cache, buf,
++ sizeof(struct cachefiles_xattr) + len, 0);
++ mnt_drop_write_file(file);
++ }
++ }
+ if (ret < 0) {
+ trace_cachefiles_vfs_error(object, file_inode(file), ret,
+ cachefiles_trace_setxattr_error);
+@@ -151,8 +157,14 @@ int cachefiles_remove_object_xattr(struct cachefiles_cache *cache,
+ int ret;
+
+ ret = cachefiles_inject_remove_error();
+- if (ret == 0)
+- ret = vfs_removexattr(&nop_mnt_idmap, dentry, cachefiles_xattr_cache);
++ if (ret == 0) {
++ ret = mnt_want_write(cache->mnt);
++ if (ret == 0) {
++ ret = vfs_removexattr(&nop_mnt_idmap, dentry,
++ cachefiles_xattr_cache);
++ mnt_drop_write(cache->mnt);
++ }
++ }
+ if (ret < 0) {
+ trace_cachefiles_vfs_error(object, d_inode(dentry), ret,
+ cachefiles_trace_remxattr_error);
+@@ -208,9 +220,15 @@ bool cachefiles_set_volume_xattr(struct cachefiles_volume *volume)
+ memcpy(buf->data, p, volume->vcookie->coherency_len);
+
+ ret = cachefiles_inject_write_error();
+- if (ret == 0)
+- ret = vfs_setxattr(&nop_mnt_idmap, dentry, cachefiles_xattr_cache,
+- buf, len, 0);
++ if (ret == 0) {
++ ret = mnt_want_write(volume->cache->mnt);
++ if (ret == 0) {
++ ret = vfs_setxattr(&nop_mnt_idmap, dentry,
++ cachefiles_xattr_cache,
++ buf, len, 0);
++ mnt_drop_write(volume->cache->mnt);
++ }
++ }
+ if (ret < 0) {
+ trace_cachefiles_vfs_error(NULL, d_inode(dentry), ret,
+ cachefiles_trace_setxattr_error);
+--
+2.43.0
+
--- /dev/null
+From b484ce2e60bff7508a155765c2808ad777fcfb98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 18:22:37 -0700
+Subject: can: bcm: Clear bo->bcm_proc_read after remove_proc_entry().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 94b0818fa63555a65f6ba107080659ea6bcca63e ]
+
+syzbot reported a warning in bcm_release(). [0]
+
+The blamed change fixed another warning that is triggered when
+connect() is issued again for a socket whose connect()ed device has
+been unregistered.
+
+However, if the socket is just close()d without the 2nd connect(), the
+remaining bo->bcm_proc_read triggers unnecessary remove_proc_entry()
+in bcm_release().
+
+Let's clear bo->bcm_proc_read after remove_proc_entry() in bcm_notify().
+
+[0]
+name '4986'
+WARNING: CPU: 0 PID: 5234 at fs/proc/generic.c:711 remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
+Modules linked in:
+CPU: 0 UID: 0 PID: 5234 Comm: syz-executor606 Not tainted 6.11.0-rc5-syzkaller-00178-g5517ae241919 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
+RIP: 0010:remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
+Code: ff eb 05 e8 cb 1e 5e ff 48 8b 5c 24 10 48 c7 c7 e0 f7 aa 8e e8 2a 38 8e 09 90 48 c7 c7 60 3a 1b 8c 48 89 de e8 da 42 20 ff 90 <0f> 0b 90 90 48 8b 44 24 18 48 c7 44 24 40 0e 36 e0 45 49 c7 04 07
+RSP: 0018:ffffc9000345fa20 EFLAGS: 00010246
+RAX: 2a2d0aee2eb64600 RBX: ffff888032f1f548 RCX: ffff888029431e00
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: ffffc9000345fb08 R08: ffffffff8155b2f2 R09: 1ffff1101710519a
+R10: dffffc0000000000 R11: ffffed101710519b R12: ffff888011d38640
+R13: 0000000000000004 R14: 0000000000000000 R15: dffffc0000000000
+FS: 0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fcfb52722f0 CR3: 000000000e734000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ bcm_release+0x250/0x880 net/can/bcm.c:1578
+ __sock_release net/socket.c:659 [inline]
+ sock_close+0xbc/0x240 net/socket.c:1421
+ __fput+0x24a/0x8a0 fs/file_table.c:422
+ task_work_run+0x24f/0x310 kernel/task_work.c:228
+ exit_task_work include/linux/task_work.h:40 [inline]
+ do_exit+0xa2f/0x27f0 kernel/exit.c:882
+ do_group_exit+0x207/0x2c0 kernel/exit.c:1031
+ __do_sys_exit_group kernel/exit.c:1042 [inline]
+ __se_sys_exit_group kernel/exit.c:1040 [inline]
+ __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040
+ x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7fcfb51ee969
+Code: Unable to access opcode bytes at 0x7fcfb51ee93f.
+RSP: 002b:00007ffce0109ca8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fcfb51ee969
+RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
+RBP: 00007fcfb526f3b0 R08: ffffffffffffffb8 R09: 0000555500000000
+R10: 0000555500000000 R11: 0000000000000246 R12: 00007fcfb526f3b0
+R13: 0000000000000000 R14: 00007fcfb5271ee0 R15: 00007fcfb51bf160
+ </TASK>
+
+Fixes: 76fe372ccb81 ("can: bcm: Remove proc entry when dev is unregistered.")
+Reported-by: syzbot+0532ac7a06fb1a03187e@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=0532ac7a06fb1a03187e
+Tested-by: syzbot+0532ac7a06fb1a03187e@syzkaller.appspotmail.com
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Link: https://patch.msgid.link/20240905012237.79683-1-kuniyu@amazon.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/bcm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 46d3ec3aa44b4..217049fa496e9 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -1471,8 +1471,10 @@ static void bcm_notify(struct bcm_sock *bo, unsigned long msg,
+ /* remove device reference, if this is our bound device */
+ if (bo->bound && bo->ifindex == dev->ifindex) {
+ #if IS_ENABLED(CONFIG_PROC_FS)
+- if (sock_net(sk)->can.bcmproc_dir && bo->bcm_proc_read)
++ if (sock_net(sk)->can.bcmproc_dir && bo->bcm_proc_read) {
+ remove_proc_entry(bo->procname, sock_net(sk)->can.bcmproc_dir);
++ bo->bcm_proc_read = NULL;
++ }
+ #endif
+ bo->bound = 0;
+ bo->ifindex = 0;
+--
+2.43.0
+
--- /dev/null
+From 943da93c82baa43248f8c754eabe2a3fdbcfacd6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 20:48:23 +0800
+Subject: can: j1939: use correct function name in comment
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit dc2ddcd136fe9b6196a7dd01f75f824beb02d43f ]
+
+The function j1939_cancel_all_active_sessions() was renamed to
+j1939_cancel_active_session() but name in comment wasn't updated.
+
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Link: https://patch.msgid.link/1724935703-44621-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/j1939/transport.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
+index 4be73de5033cb..319f47df33300 100644
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -1179,10 +1179,10 @@ static enum hrtimer_restart j1939_tp_txtimer(struct hrtimer *hrtimer)
+ break;
+ case -ENETDOWN:
+ /* In this case we should get a netdev_event(), all active
+- * sessions will be cleared by
+- * j1939_cancel_all_active_sessions(). So handle this as an
+- * error, but let j1939_cancel_all_active_sessions() do the
+- * cleanup including propagation of the error to user space.
++ * sessions will be cleared by j1939_cancel_active_session().
++ * So handle this as an error, but let
++ * j1939_cancel_active_session() do the cleanup including
++ * propagation of the error to user space.
+ */
+ break;
+ case -EOVERFLOW:
+--
+2.43.0
+
--- /dev/null
+From 8e413792e525717b37e9bcd1bbe29d9f2f683e71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 23:19:51 +0000
+Subject: can: m_can: enable NAPI before enabling interrupts
+
+From: Jake Hamby <Jake.Hamby@Teledyne.com>
+
+[ Upstream commit 801ad2f87b0c6d0c34a75a4efd6bfd3a2d9f9298 ]
+
+If an interrupt (RX-complete or error flag) is set when bringing up
+the CAN device, e.g. due to CAN bus traffic before initializing the
+device, when m_can_start() is called and interrupts are enabled,
+m_can_isr() is called immediately, which disables all CAN interrupts
+and calls napi_schedule().
+
+Because napi_enable() isn't called until later in m_can_open(), the
+call to napi_schedule() never schedules the m_can_poll() callback and
+the device is left with interrupts disabled and can't receive any CAN
+packets until rebooted.
+
+This can be verified by running "cansend" from another device before
+setting the bitrate and calling "ip link set up can0" on the test
+device. Adding debug lines to m_can_isr() shows it's called with flags
+(IR_EP | IR_EW | IR_CRCE), which calls m_can_disable_all_interrupts()
+and napi_schedule(), and then m_can_poll() is never called.
+
+Move the call to napi_enable() above the call to m_can_start() to
+enable any initial interrupt flags to be handled by m_can_poll() so
+that interrupts are reenabled. Add a call to napi_disable() in the
+error handling section of m_can_open(), to handle the case where later
+functions return errors.
+
+Also, in m_can_close(), move the call to napi_disable() below the call
+to m_can_stop() to ensure all interrupts are handled when bringing
+down the device. This race condition is much less likely to occur.
+
+Tested on a Microchip SAMA7G54 MPU. The fix should be applicable to
+any SoC with a Bosch M_CAN controller.
+
+Signed-off-by: Jake Hamby <Jake.Hamby@Teledyne.com>
+Fixes: e0d1f4816f2a ("can: m_can: add Bosch M_CAN controller support")
+Link: https://patch.msgid.link/20240910-can-m_can-fix-ifup-v3-1-6c1720ba45ce@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/m_can/m_can.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c
+index 012c3d22b01dd..c1a07013433eb 100644
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -1763,9 +1763,6 @@ static int m_can_close(struct net_device *dev)
+
+ netif_stop_queue(dev);
+
+- if (!cdev->is_peripheral)
+- napi_disable(&cdev->napi);
+-
+ m_can_stop(dev);
+ m_can_clk_stop(cdev);
+ free_irq(dev->irq, dev);
+@@ -1776,6 +1773,8 @@ static int m_can_close(struct net_device *dev)
+ destroy_workqueue(cdev->tx_wq);
+ cdev->tx_wq = NULL;
+ can_rx_offload_disable(&cdev->offload);
++ } else {
++ napi_disable(&cdev->napi);
+ }
+
+ close_candev(dev);
+@@ -2030,6 +2029,8 @@ static int m_can_open(struct net_device *dev)
+
+ if (cdev->is_peripheral)
+ can_rx_offload_enable(&cdev->offload);
++ else
++ napi_enable(&cdev->napi);
+
+ /* register interrupt handler */
+ if (cdev->is_peripheral) {
+@@ -2063,9 +2064,6 @@ static int m_can_open(struct net_device *dev)
+ if (err)
+ goto exit_start_fail;
+
+- if (!cdev->is_peripheral)
+- napi_enable(&cdev->napi);
+-
+ netif_start_queue(dev);
+
+ return 0;
+@@ -2079,6 +2077,8 @@ static int m_can_open(struct net_device *dev)
+ out_wq_fail:
+ if (cdev->is_peripheral)
+ can_rx_offload_disable(&cdev->offload);
++ else
++ napi_disable(&cdev->napi);
+ close_candev(dev);
+ exit_disable_clks:
+ m_can_clk_stop(cdev);
+--
+2.43.0
+
--- /dev/null
+From 1e32296ec02cb1077e7a5c04e9cdc5ffcb4428ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 15:07:41 +0200
+Subject: can: m_can: m_can_close(): stop clocks after device has been shut
+ down
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit 2c09b50efcad985cf920ca88baa9aa52b1999dcc ]
+
+After calling m_can_stop() an interrupt may be pending or NAPI might
+still be executed. This means the driver might still touch registers
+of the IP core after the clocks have been disabled. This is not good
+practice and might lead to aborts depending on the SoC integration.
+
+To avoid these potential problems, make m_can_close() symmetric to
+m_can_open(), i.e. stop the clocks at the end, right before shutting
+down the transceiver.
+
+Fixes: e0d1f4816f2a ("can: m_can: add Bosch M_CAN controller support")
+Link: https://patch.msgid.link/20240910-can-m_can-fix-ifup-v3-2-6c1720ba45ce@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/m_can/m_can.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c
+index c1a07013433eb..7fec04b024d5b 100644
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -1764,7 +1764,6 @@ static int m_can_close(struct net_device *dev)
+ netif_stop_queue(dev);
+
+ m_can_stop(dev);
+- m_can_clk_stop(cdev);
+ free_irq(dev->irq, dev);
+
+ m_can_clean(dev);
+@@ -1779,6 +1778,7 @@ static int m_can_close(struct net_device *dev)
+
+ close_candev(dev);
+
++ m_can_clk_stop(cdev);
+ phy_power_off(cdev->transceiver);
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 424ed6c4548fff74a1533e6f602bf0b2ed037501 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jul 2024 03:29:20 +0000
+Subject: cgroup/pids: Avoid spurious event notification
+
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+
+[ Upstream commit d72a00a8485d1cb11ac1a57bf89b02cbd3a405bf ]
+
+Currently when a process in a group forks and fails due to it's
+parent's max restriction, all the cgroups from 'pids_forking' to root
+will generate event notifications but only the cgroups from
+'pids_over_limit' to root will increase the counter of PIDCG_MAX.
+
+Consider this scenario: there are 4 groups A, B, C,and D, the
+relationships are as follows, and user is watching on C.pids.events.
+
+root->A->B->C->D
+
+When a process in D forks and fails due to B.max restriction, the
+user will get a spurious event notification because when he wakes up
+and reads C.pids.events, he will find that the content has not changed.
+
+To address this issue, only the cgroups from 'pids_over_limit' to root
+will have their PIDCG_MAX counters increased and event notifications
+generated.
+
+Fixes: 385a635cacfe ("cgroup/pids: Make event counters hierarchical")
+Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cgroup/pids.c | 18 +++++++-----------
+ 1 file changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/kernel/cgroup/pids.c b/kernel/cgroup/pids.c
+index f5cb0ec45b9dd..34aa63d7c9c65 100644
+--- a/kernel/cgroup/pids.c
++++ b/kernel/cgroup/pids.c
+@@ -244,7 +244,6 @@ static void pids_event(struct pids_cgroup *pids_forking,
+ struct pids_cgroup *pids_over_limit)
+ {
+ struct pids_cgroup *p = pids_forking;
+- bool limit = false;
+
+ /* Only log the first time limit is hit. */
+ if (atomic64_inc_return(&p->events_local[PIDCG_FORKFAIL]) == 1) {
+@@ -252,20 +251,17 @@ static void pids_event(struct pids_cgroup *pids_forking,
+ pr_cont_cgroup_path(p->css.cgroup);
+ pr_cont("\n");
+ }
+- cgroup_file_notify(&p->events_local_file);
+ if (!cgroup_subsys_on_dfl(pids_cgrp_subsys) ||
+- cgrp_dfl_root.flags & CGRP_ROOT_PIDS_LOCAL_EVENTS)
++ cgrp_dfl_root.flags & CGRP_ROOT_PIDS_LOCAL_EVENTS) {
++ cgroup_file_notify(&p->events_local_file);
+ return;
++ }
+
+- for (; parent_pids(p); p = parent_pids(p)) {
+- if (p == pids_over_limit) {
+- limit = true;
+- atomic64_inc(&p->events_local[PIDCG_MAX]);
+- cgroup_file_notify(&p->events_local_file);
+- }
+- if (limit)
+- atomic64_inc(&p->events[PIDCG_MAX]);
++ atomic64_inc(&pids_over_limit->events_local[PIDCG_MAX]);
++ cgroup_file_notify(&pids_over_limit->events_local_file);
+
++ for (p = pids_over_limit; parent_pids(p); p = parent_pids(p)) {
++ atomic64_inc(&p->events[PIDCG_MAX]);
+ cgroup_file_notify(&p->events_file);
+ }
+ }
+--
+2.43.0
+
--- /dev/null
+From e3428a04e45cbfe571220136a7fe3a0f994b6771 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jul 2024 17:13:15 +0300
+Subject: clk: at91: sama7g5: Allocate only the needed amount of memory for
+ PLLs
+
+From: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+
+[ Upstream commit 2d6e9ee7cb3e79b1713783c633b13af9aeffc90c ]
+
+The maximum number of PLL components on SAMA7G5 is 3 (one fractional
+part and 2 dividers). Allocate the needed amount of memory for
+sama7g5_plls 2d array. Previous code used to allocate 7 array entries for
+each PLL. While at it, replace 3 with PLL_COMPID_MAX in the loop which
+parses the sama7g5_plls 2d array.
+
+Fixes: cb783bbbcf54 ("clk: at91: sama7g5: add clock support for sama7g5")
+Acked-by: Stephen Boyd <sboyd@kernel.org>
+Link: https://lore.kernel.org/r/20240714141315.19480-1-claudiu.beznea@tuxon.dev
+Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/at91/sama7g5.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/at91/sama7g5.c b/drivers/clk/at91/sama7g5.c
+index 91b5c6f148196..4e9594714b142 100644
+--- a/drivers/clk/at91/sama7g5.c
++++ b/drivers/clk/at91/sama7g5.c
+@@ -66,6 +66,7 @@ enum pll_component_id {
+ PLL_COMPID_FRAC,
+ PLL_COMPID_DIV0,
+ PLL_COMPID_DIV1,
++ PLL_COMPID_MAX,
+ };
+
+ /*
+@@ -165,7 +166,7 @@ static struct sama7g5_pll {
+ u8 t;
+ u8 eid;
+ u8 safe_div;
+-} sama7g5_plls[][PLL_ID_MAX] = {
++} sama7g5_plls[][PLL_COMPID_MAX] = {
+ [PLL_ID_CPU] = {
+ [PLL_COMPID_FRAC] = {
+ .n = "cpupll_fracck",
+@@ -1038,7 +1039,7 @@ static void __init sama7g5_pmc_setup(struct device_node *np)
+ sama7g5_pmc->chws[PMC_MAIN] = hw;
+
+ for (i = 0; i < PLL_ID_MAX; i++) {
+- for (j = 0; j < 3; j++) {
++ for (j = 0; j < PLL_COMPID_MAX; j++) {
+ struct clk_hw *parent_hw;
+
+ if (!sama7g5_plls[i][j].n)
+--
+2.43.0
+
--- /dev/null
+From 5887b135678114400ca83b3a97d36ca401603d83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Jun 2024 15:42:03 +0800
+Subject: clk: imx: clk-audiomix: Correct parent clock for earc_phy and audpll
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit d40371a1c963db688b37826adaf5ffdafb0862a1 ]
+
+According to Reference Manual of i.MX8MP
+The parent clock of "earc_phy" is "sai_pll_out_div2",
+The parent clock of "audpll" is "osc_24m".
+
+Add CLK_GATE_PARENT() macro for usage of specifying parent clock.
+
+Fixes: 6cd95f7b151c ("clk: imx: imx8mp: Add audiomix block control")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Link: https://lore.kernel.org/r/1718350923-21392-6-git-send-email-shengjiu.wang@nxp.com
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imx8mp-audiomix.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-imx8mp-audiomix.c b/drivers/clk/imx/clk-imx8mp-audiomix.c
+index b381d6f784c89..0767d613b68b0 100644
+--- a/drivers/clk/imx/clk-imx8mp-audiomix.c
++++ b/drivers/clk/imx/clk-imx8mp-audiomix.c
+@@ -154,6 +154,15 @@ static const struct clk_parent_data clk_imx8mp_audiomix_pll_bypass_sels[] = {
+ PDM_SEL, 2, 0 \
+ }
+
++#define CLK_GATE_PARENT(gname, cname, pname) \
++ { \
++ gname"_cg", \
++ IMX8MP_CLK_AUDIOMIX_##cname, \
++ { .fw_name = pname, .name = pname }, NULL, 1, \
++ CLKEN0 + 4 * !!(IMX8MP_CLK_AUDIOMIX_##cname / 32), \
++ 1, IMX8MP_CLK_AUDIOMIX_##cname % 32 \
++ }
++
+ struct clk_imx8mp_audiomix_sel {
+ const char *name;
+ int clkid;
+@@ -171,14 +180,14 @@ static struct clk_imx8mp_audiomix_sel sels[] = {
+ CLK_GATE("earc", EARC_IPG),
+ CLK_GATE("ocrama", OCRAMA_IPG),
+ CLK_GATE("aud2htx", AUD2HTX_IPG),
+- CLK_GATE("earc_phy", EARC_PHY),
++ CLK_GATE_PARENT("earc_phy", EARC_PHY, "sai_pll_out_div2"),
+ CLK_GATE("sdma2", SDMA2_ROOT),
+ CLK_GATE("sdma3", SDMA3_ROOT),
+ CLK_GATE("spba2", SPBA2_ROOT),
+ CLK_GATE("dsp", DSP_ROOT),
+ CLK_GATE("dspdbg", DSPDBG_ROOT),
+ CLK_GATE("edma", EDMA_ROOT),
+- CLK_GATE("audpll", AUDPLL_ROOT),
++ CLK_GATE_PARENT("audpll", AUDPLL_ROOT, "osc_24m"),
+ CLK_GATE("mu2", MU2_ROOT),
+ CLK_GATE("mu3", MU3_ROOT),
+ CLK_PDM,
+--
+2.43.0
+
--- /dev/null
+From a55684ab852dc79899d39df7c9026f2dc59338c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jun 2024 21:33:35 +0800
+Subject: clk: imx: composite-7ulp: Check the PCC present bit
+
+From: Ye Li <ye.li@nxp.com>
+
+[ Upstream commit 4717ccadb51e2630790dddd222830702de17f090 ]
+
+When some module is disabled by fuse, its PCC PR bit is default 0 and
+PCC is not operational. Any write to this PCC will cause SError.
+
+Fixes: b40ba8065347 ("clk: imx: Update the compsite driver to support imx8ulp")
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Signed-off-by: Ye Li <ye.li@nxp.com>
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20240607133347.3291040-4-peng.fan@oss.nxp.com
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-composite-7ulp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/clk/imx/clk-composite-7ulp.c b/drivers/clk/imx/clk-composite-7ulp.c
+index e208ddc511339..db7f40b07d1ab 100644
+--- a/drivers/clk/imx/clk-composite-7ulp.c
++++ b/drivers/clk/imx/clk-composite-7ulp.c
+@@ -14,6 +14,7 @@
+ #include "../clk-fractional-divider.h"
+ #include "clk.h"
+
++#define PCG_PR_MASK BIT(31)
+ #define PCG_PCS_SHIFT 24
+ #define PCG_PCS_MASK 0x7
+ #define PCG_CGC_SHIFT 30
+@@ -78,6 +79,12 @@ static struct clk_hw *imx_ulp_clk_hw_composite(const char *name,
+ struct clk_hw *hw;
+ u32 val;
+
++ val = readl(reg);
++ if (!(val & PCG_PR_MASK)) {
++ pr_info("PCC PR is 0 for clk:%s, bypass\n", name);
++ return 0;
++ }
++
+ if (mux_present) {
+ mux = kzalloc(sizeof(*mux), GFP_KERNEL);
+ if (!mux)
+--
+2.43.0
+
--- /dev/null
+From 20821814c79be443770d59c8572caac6b18f4004 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jun 2024 21:33:33 +0800
+Subject: clk: imx: composite-8m: Enable gate clk with mcore_booted
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit 8f32e9dd0916eb3fd4bcf550ed1d04542a65cb9e ]
+
+Bootloader might disable some CCM ROOT Slices. So if mcore_booted set with
+display CCM ROOT disabled by Bootloader, kernel display BLK CTRL driver
+imx8m_blk_ctrl_driver_init may hang the system because the BUS clk is
+disabled.
+
+Add back gate ops, but with disable doing nothing, then the CCM ROOT
+will be enabled when used.
+
+Fixes: bb7e897b002a ("clk: imx8m: check mcore_booted before register clk")
+Reviewed-by: Ye Li <ye.li@nxp.com>
+Reviewed-by: Jacky Bai <ping.bai@nxp.com>
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20240607133347.3291040-2-peng.fan@oss.nxp.com
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-composite-8m.c | 53 +++++++++++++++++++++++-------
+ 1 file changed, 42 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-composite-8m.c b/drivers/clk/imx/clk-composite-8m.c
+index 8cc07d056a838..f187582ba4919 100644
+--- a/drivers/clk/imx/clk-composite-8m.c
++++ b/drivers/clk/imx/clk-composite-8m.c
+@@ -204,6 +204,34 @@ static const struct clk_ops imx8m_clk_composite_mux_ops = {
+ .determine_rate = imx8m_clk_composite_mux_determine_rate,
+ };
+
++static int imx8m_clk_composite_gate_enable(struct clk_hw *hw)
++{
++ struct clk_gate *gate = to_clk_gate(hw);
++ unsigned long flags;
++ u32 val;
++
++ spin_lock_irqsave(gate->lock, flags);
++
++ val = readl(gate->reg);
++ val |= BIT(gate->bit_idx);
++ writel(val, gate->reg);
++
++ spin_unlock_irqrestore(gate->lock, flags);
++
++ return 0;
++}
++
++static void imx8m_clk_composite_gate_disable(struct clk_hw *hw)
++{
++ /* composite clk requires the disable hook */
++}
++
++static const struct clk_ops imx8m_clk_composite_gate_ops = {
++ .enable = imx8m_clk_composite_gate_enable,
++ .disable = imx8m_clk_composite_gate_disable,
++ .is_enabled = clk_gate_is_enabled,
++};
++
+ struct clk_hw *__imx8m_clk_hw_composite(const char *name,
+ const char * const *parent_names,
+ int num_parents, void __iomem *reg,
+@@ -217,6 +245,7 @@ struct clk_hw *__imx8m_clk_hw_composite(const char *name,
+ struct clk_mux *mux;
+ const struct clk_ops *divider_ops;
+ const struct clk_ops *mux_ops;
++ const struct clk_ops *gate_ops;
+
+ mux = kzalloc(sizeof(*mux), GFP_KERNEL);
+ if (!mux)
+@@ -257,20 +286,22 @@ struct clk_hw *__imx8m_clk_hw_composite(const char *name,
+ div->flags = CLK_DIVIDER_ROUND_CLOSEST;
+
+ /* skip registering the gate ops if M4 is enabled */
+- if (!mcore_booted) {
+- gate = kzalloc(sizeof(*gate), GFP_KERNEL);
+- if (!gate)
+- goto free_div;
+-
+- gate_hw = &gate->hw;
+- gate->reg = reg;
+- gate->bit_idx = PCG_CGC_SHIFT;
+- gate->lock = &imx_ccm_lock;
+- }
++ gate = kzalloc(sizeof(*gate), GFP_KERNEL);
++ if (!gate)
++ goto free_div;
++
++ gate_hw = &gate->hw;
++ gate->reg = reg;
++ gate->bit_idx = PCG_CGC_SHIFT;
++ gate->lock = &imx_ccm_lock;
++ if (!mcore_booted)
++ gate_ops = &clk_gate_ops;
++ else
++ gate_ops = &imx8m_clk_composite_gate_ops;
+
+ hw = clk_hw_register_composite(NULL, name, parent_names, num_parents,
+ mux_hw, mux_ops, div_hw,
+- divider_ops, gate_hw, &clk_gate_ops, flags);
++ divider_ops, gate_hw, gate_ops, flags);
+ if (IS_ERR(hw))
+ goto free_gate;
+
+--
+2.43.0
+
--- /dev/null
+From 7bd9433a3e577c962189c2f47c4502e355122f4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jun 2024 21:33:34 +0800
+Subject: clk: imx: composite-93: keep root clock on when mcore enabled
+
+From: Jacky Bai <ping.bai@nxp.com>
+
+[ Upstream commit d342df11726bfac9c3a9d2037afa508ac0e9e44e ]
+
+Previously we assumed that the root clock slice is enabled
+by default when kernel boot up. But the bootloader may disable
+the clocks before jump into kernel. The gate ops should be registered
+rather than NULL to make sure the disabled clock can be enabled
+when kernel boot up. Refine the code to skip disable the clock
+if mcore booted.
+
+Fixes: a740d7350ff7 ("clk: imx: imx93: add mcore_booted module paratemter")
+Signed-off-by: Jacky Bai <ping.bai@nxp.com>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Tested-by: Chancel Liu <chancel.liu@nxp.com>
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20240607133347.3291040-3-peng.fan@oss.nxp.com
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-composite-93.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-composite-93.c b/drivers/clk/imx/clk-composite-93.c
+index 81164bdcd6cc9..6c6c5a30f3282 100644
+--- a/drivers/clk/imx/clk-composite-93.c
++++ b/drivers/clk/imx/clk-composite-93.c
+@@ -76,6 +76,13 @@ static int imx93_clk_composite_gate_enable(struct clk_hw *hw)
+
+ static void imx93_clk_composite_gate_disable(struct clk_hw *hw)
+ {
++ /*
++ * Skip disable the root clock gate if mcore enabled.
++ * The root clock may be used by the mcore.
++ */
++ if (mcore_booted)
++ return;
++
+ imx93_clk_composite_gate_endisable(hw, 0);
+ }
+
+@@ -222,7 +229,7 @@ struct clk_hw *imx93_clk_composite_flags(const char *name, const char * const *p
+ hw = clk_hw_register_composite(NULL, name, parent_names, num_parents,
+ mux_hw, &clk_mux_ro_ops, div_hw,
+ &clk_divider_ro_ops, NULL, NULL, flags);
+- } else if (!mcore_booted) {
++ } else {
+ gate = kzalloc(sizeof(*gate), GFP_KERNEL);
+ if (!gate)
+ goto fail;
+@@ -238,12 +245,6 @@ struct clk_hw *imx93_clk_composite_flags(const char *name, const char * const *p
+ &imx93_clk_composite_divider_ops, gate_hw,
+ &imx93_clk_composite_gate_ops,
+ flags | CLK_SET_RATE_NO_REPARENT);
+- } else {
+- hw = clk_hw_register_composite(NULL, name, parent_names, num_parents,
+- mux_hw, &imx93_clk_composite_mux_ops, div_hw,
+- &imx93_clk_composite_divider_ops, NULL,
+- &imx93_clk_composite_gate_ops,
+- flags | CLK_SET_RATE_NO_REPARENT);
+ }
+
+ if (IS_ERR(hw))
+--
+2.43.0
+
--- /dev/null
+From 25fa9c3e0ec90396767b7a6f9bfa62a678b21de9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jun 2024 21:33:36 +0800
+Subject: clk: imx: fracn-gppll: fix fractional part of PLL getting lost
+
+From: Pengfei Li <pengfei.li_1@nxp.com>
+
+[ Upstream commit 7622f888fca125ae46f695edf918798ebc0506c5 ]
+
+Fractional part of PLL gets lost after re-enabling the PLL. the
+MFN can NOT be automatically loaded when doing frac PLL enable/disable,
+So when re-enable PLL, configure mfn explicitly.
+
+Fixes: 1b26cb8a77a4 ("clk: imx: support fracn gppll")
+Signed-off-by: Pengfei Li <pengfei.li_1@nxp.com>
+Reviewed-by: Jacky Bai <ping.bai@nxp.com>
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20240607133347.3291040-5-peng.fan@oss.nxp.com
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-fracn-gppll.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/clk/imx/clk-fracn-gppll.c b/drivers/clk/imx/clk-fracn-gppll.c
+index 44462ab50e513..1becba2b62d0b 100644
+--- a/drivers/clk/imx/clk-fracn-gppll.c
++++ b/drivers/clk/imx/clk-fracn-gppll.c
+@@ -291,6 +291,10 @@ static int clk_fracn_gppll_prepare(struct clk_hw *hw)
+ if (val & POWERUP_MASK)
+ return 0;
+
++ if (pll->flags & CLK_FRACN_GPPLL_FRACN)
++ writel_relaxed(readl_relaxed(pll->base + PLL_NUMERATOR),
++ pll->base + PLL_NUMERATOR);
++
+ val |= CLKMUX_BYPASS;
+ writel_relaxed(val, pll->base + PLL_CTRL);
+
+--
+2.43.0
+
--- /dev/null
+From f36859610ab28c8c32a3c9344f39dc368ae68978 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 May 2024 17:14:33 +0200
+Subject: clk: imx: imx6ul: fix default parent for enet*_ref_sel
+
+From: Sebastien Laveze <slaveze@smartandconnective.com>
+
+[ Upstream commit e52fd71333b4ed78fd5bb43094bdc46476614d25 ]
+
+The clk_set_parent for "enet1_ref_sel" and "enet2_ref_sel" are
+incorrect, therefore the original requirements to have "enet_clk_ref" as
+output sourced by iMX ENET PLL as a default config is not met.
+
+Only "enet[1,2]_ref_125m" "enet[1,2]_ref_pad" are possible parents for
+"enet1_ref_sel" and "enet2_ref_sel".
+
+This was observed as a regression using a custom device tree which was
+expecting this default config.
+
+This can be fixed at the device tree level but having a default config
+matching the original behavior (before refclock mux) will avoid breaking
+existing configs.
+
+Fixes: 4e197ee880c2 ("clk: imx6ul: add ethernet refclock mux support")
+Link: https://lore.kernel.org/lkml/20230306020226.GC143566@dragon/T/
+Signed-off-by: Sebastien Laveze <slaveze@smartandconnective.com>
+Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://lore.kernel.org/r/20240528151434.227602-1-slaveze@smartandconnective.com
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imx6ul.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-imx6ul.c b/drivers/clk/imx/clk-imx6ul.c
+index f9394e94f69d7..05c7a82b751f3 100644
+--- a/drivers/clk/imx/clk-imx6ul.c
++++ b/drivers/clk/imx/clk-imx6ul.c
+@@ -542,8 +542,8 @@ static void __init imx6ul_clocks_init(struct device_node *ccm_node)
+
+ clk_set_parent(hws[IMX6UL_CLK_ENFC_SEL]->clk, hws[IMX6UL_CLK_PLL2_PFD2]->clk);
+
+- clk_set_parent(hws[IMX6UL_CLK_ENET1_REF_SEL]->clk, hws[IMX6UL_CLK_ENET_REF]->clk);
+- clk_set_parent(hws[IMX6UL_CLK_ENET2_REF_SEL]->clk, hws[IMX6UL_CLK_ENET2_REF]->clk);
++ clk_set_parent(hws[IMX6UL_CLK_ENET1_REF_SEL]->clk, hws[IMX6UL_CLK_ENET1_REF_125M]->clk);
++ clk_set_parent(hws[IMX6UL_CLK_ENET2_REF_SEL]->clk, hws[IMX6UL_CLK_ENET2_REF_125M]->clk);
+
+ imx_register_uart_clocks();
+ }
+--
+2.43.0
+
--- /dev/null
+From 595bf9e70222d7ee6dc28bf11bfd16ff0e741630 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jun 2024 21:33:38 +0800
+Subject: clk: imx: imx8mp: fix clock tree update of TF-A managed clocks
+
+From: Zhipeng Wang <zhipeng.wang_1@nxp.com>
+
+[ Upstream commit 3d29036853b9cb07ac49e8261fca82a940be5c41 ]
+
+On the i.MX8M*, the TF-A exposes a SiP (Silicon Provider) service
+for DDR frequency scaling. The imx8m-ddrc-devfreq driver calls the
+SiP and then does clk_set_parent on the DDR muxes to synchronize
+the clock tree.
+
+since commit 936c383673b9 ("clk: imx: fix composite peripheral flags"),
+these TF-A managed muxes have SET_PARENT_GATE set, which results
+in imx8m-ddrc-devfreq's clk_set_parent after SiP failing with -EBUSY:
+
+clk_set_parent(dram_apb_src, sys1_pll_40m);(busfreq-imx8mq.c)
+
+commit 926bf91248dd
+("clk: imx8m: fix clock tree update of TF-A managed clocks") adds this
+method and enables 8mm, 8mn and 8mq. i.MX8MP also needs it.
+
+This is safe to do, because updating the Linux clock tree to reflect
+reality will always be glitch-free.
+
+Another reason to this patch is that powersave image BT music
+requires dram to be 400MTS, so clk_set_parent(dram_alt_src,
+sys1_pll_800m); is required. Without this patch, it will not succeed.
+
+Fixes: 936c383673b9 ("clk: imx: fix composite peripheral flags")
+Signed-off-by: Zhipeng Wang <zhipeng.wang_1@nxp.com>
+Reviewed-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20240607133347.3291040-7-peng.fan@oss.nxp.com
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imx8mp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-imx8mp.c b/drivers/clk/imx/clk-imx8mp.c
+index 670aa2bab3017..e561ff7b135fb 100644
+--- a/drivers/clk/imx/clk-imx8mp.c
++++ b/drivers/clk/imx/clk-imx8mp.c
+@@ -551,8 +551,8 @@ static int imx8mp_clocks_probe(struct platform_device *pdev)
+
+ hws[IMX8MP_CLK_IPG_ROOT] = imx_clk_hw_divider2("ipg_root", "ahb_root", ccm_base + 0x9080, 0, 1);
+
+- hws[IMX8MP_CLK_DRAM_ALT] = imx8m_clk_hw_composite("dram_alt", imx8mp_dram_alt_sels, ccm_base + 0xa000);
+- hws[IMX8MP_CLK_DRAM_APB] = imx8m_clk_hw_composite_critical("dram_apb", imx8mp_dram_apb_sels, ccm_base + 0xa080);
++ hws[IMX8MP_CLK_DRAM_ALT] = imx8m_clk_hw_fw_managed_composite("dram_alt", imx8mp_dram_alt_sels, ccm_base + 0xa000);
++ hws[IMX8MP_CLK_DRAM_APB] = imx8m_clk_hw_fw_managed_composite_critical("dram_apb", imx8mp_dram_apb_sels, ccm_base + 0xa080);
+ hws[IMX8MP_CLK_VPU_G1] = imx8m_clk_hw_composite("vpu_g1", imx8mp_vpu_g1_sels, ccm_base + 0xa100);
+ hws[IMX8MP_CLK_VPU_G2] = imx8m_clk_hw_composite("vpu_g2", imx8mp_vpu_g2_sels, ccm_base + 0xa180);
+ hws[IMX8MP_CLK_CAN1] = imx8m_clk_hw_composite("can1", imx8mp_can1_sels, ccm_base + 0xa200);
+--
+2.43.0
+
--- /dev/null
+From 33eb874c94b8bc87ffa4cbd73bbb99eebc791baf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jun 2024 21:33:46 +0800
+Subject: clk: imx: imx8qxp: Parent should be initialized earlier than the
+ clock
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit 766c386c16c9899461b83573a06380d364c6e261 ]
+
+The initialization order of SCU clocks affects the sequence of SCU clock
+resume. If there are no other effects, the earlier the initialization,
+the earlier the resume. During SCU clock resume, the clock rate is
+restored. As SCFW guidelines, configure the parent clock rate before
+configuring the child rate.
+
+Fixes: babfaa9556d7 ("clk: imx: scu: add more scu clocks")
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20240607133347.3291040-15-peng.fan@oss.nxp.com
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imx8qxp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-imx8qxp.c b/drivers/clk/imx/clk-imx8qxp.c
+index 16710eef641ba..83f2e8bd6d506 100644
+--- a/drivers/clk/imx/clk-imx8qxp.c
++++ b/drivers/clk/imx/clk-imx8qxp.c
+@@ -170,8 +170,8 @@ static int imx8qxp_clk_probe(struct platform_device *pdev)
+ imx_clk_scu("pwm_clk", IMX_SC_R_LCD_0_PWM_0, IMX_SC_PM_CLK_PER);
+ imx_clk_scu("elcdif_pll", IMX_SC_R_ELCDIF_PLL, IMX_SC_PM_CLK_PLL);
+ imx_clk_scu2("lcd_clk", lcd_sels, ARRAY_SIZE(lcd_sels), IMX_SC_R_LCD_0, IMX_SC_PM_CLK_PER);
+- imx_clk_scu2("lcd_pxl_clk", lcd_pxl_sels, ARRAY_SIZE(lcd_pxl_sels), IMX_SC_R_LCD_0, IMX_SC_PM_CLK_MISC0);
+ imx_clk_scu("lcd_pxl_bypass_div_clk", IMX_SC_R_LCD_0, IMX_SC_PM_CLK_BYPASS);
++ imx_clk_scu2("lcd_pxl_clk", lcd_pxl_sels, ARRAY_SIZE(lcd_pxl_sels), IMX_SC_R_LCD_0, IMX_SC_PM_CLK_MISC0);
+
+ /* Audio SS */
+ imx_clk_scu("audio_pll0_clk", IMX_SC_R_AUDIO_PLL_0, IMX_SC_PM_CLK_PLL);
+@@ -213,11 +213,11 @@ static int imx8qxp_clk_probe(struct platform_device *pdev)
+ imx_clk_scu2("dc0_disp1_clk", dc0_sels, ARRAY_SIZE(dc0_sels), IMX_SC_R_DC_0, IMX_SC_PM_CLK_MISC1);
+ imx_clk_scu("dc0_bypass1_clk", IMX_SC_R_DC_0_VIDEO1, IMX_SC_PM_CLK_BYPASS);
+
+- imx_clk_scu2("dc1_disp0_clk", dc1_sels, ARRAY_SIZE(dc1_sels), IMX_SC_R_DC_1, IMX_SC_PM_CLK_MISC0);
+- imx_clk_scu2("dc1_disp1_clk", dc1_sels, ARRAY_SIZE(dc1_sels), IMX_SC_R_DC_1, IMX_SC_PM_CLK_MISC1);
+ imx_clk_scu("dc1_pll0_clk", IMX_SC_R_DC_1_PLL_0, IMX_SC_PM_CLK_PLL);
+ imx_clk_scu("dc1_pll1_clk", IMX_SC_R_DC_1_PLL_1, IMX_SC_PM_CLK_PLL);
+ imx_clk_scu("dc1_bypass0_clk", IMX_SC_R_DC_1_VIDEO0, IMX_SC_PM_CLK_BYPASS);
++ imx_clk_scu2("dc1_disp0_clk", dc1_sels, ARRAY_SIZE(dc1_sels), IMX_SC_R_DC_1, IMX_SC_PM_CLK_MISC0);
++ imx_clk_scu2("dc1_disp1_clk", dc1_sels, ARRAY_SIZE(dc1_sels), IMX_SC_R_DC_1, IMX_SC_PM_CLK_MISC1);
+ imx_clk_scu("dc1_bypass1_clk", IMX_SC_R_DC_1_VIDEO1, IMX_SC_PM_CLK_BYPASS);
+
+ /* MIPI-LVDS SS */
+--
+2.43.0
+
--- /dev/null
+From ac5ed33a2e28626ad8b73068791fa383fdc2d399 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jun 2024 21:33:45 +0800
+Subject: clk: imx: imx8qxp: Register dc0_bypass0_clk before disp clk
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit e61352d5ecdc0da2e7253121c15d9a3e040f78a1 ]
+
+The initialization order of SCU clocks affects the sequence of SCU clock
+resume. If there are no other effects, the earlier the initialization,
+the earlier the resume. During SCU clock resume, the clock rate is
+restored. As SCFW guidelines, configure the parent clock rate before
+configuring the child rate.
+
+Fixes: 91e916771de0 ("clk: imx: scu: remove legacy scu clock binding support")
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20240607133347.3291040-14-peng.fan@oss.nxp.com
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imx8qxp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-imx8qxp.c b/drivers/clk/imx/clk-imx8qxp.c
+index 7d8883916cacd..16710eef641ba 100644
+--- a/drivers/clk/imx/clk-imx8qxp.c
++++ b/drivers/clk/imx/clk-imx8qxp.c
+@@ -206,11 +206,11 @@ static int imx8qxp_clk_probe(struct platform_device *pdev)
+ imx_clk_scu("usb3_lpm_div", IMX_SC_R_USB_2, IMX_SC_PM_CLK_MISC);
+
+ /* Display controller SS */
+- imx_clk_scu2("dc0_disp0_clk", dc0_sels, ARRAY_SIZE(dc0_sels), IMX_SC_R_DC_0, IMX_SC_PM_CLK_MISC0);
+- imx_clk_scu2("dc0_disp1_clk", dc0_sels, ARRAY_SIZE(dc0_sels), IMX_SC_R_DC_0, IMX_SC_PM_CLK_MISC1);
+ imx_clk_scu("dc0_pll0_clk", IMX_SC_R_DC_0_PLL_0, IMX_SC_PM_CLK_PLL);
+ imx_clk_scu("dc0_pll1_clk", IMX_SC_R_DC_0_PLL_1, IMX_SC_PM_CLK_PLL);
+ imx_clk_scu("dc0_bypass0_clk", IMX_SC_R_DC_0_VIDEO0, IMX_SC_PM_CLK_BYPASS);
++ imx_clk_scu2("dc0_disp0_clk", dc0_sels, ARRAY_SIZE(dc0_sels), IMX_SC_R_DC_0, IMX_SC_PM_CLK_MISC0);
++ imx_clk_scu2("dc0_disp1_clk", dc0_sels, ARRAY_SIZE(dc0_sels), IMX_SC_R_DC_0, IMX_SC_PM_CLK_MISC1);
+ imx_clk_scu("dc0_bypass1_clk", IMX_SC_R_DC_0_VIDEO1, IMX_SC_PM_CLK_BYPASS);
+
+ imx_clk_scu2("dc1_disp0_clk", dc1_sels, ARRAY_SIZE(dc1_sels), IMX_SC_R_DC_1, IMX_SC_PM_CLK_MISC0);
+--
+2.43.0
+
--- /dev/null
+From cd5dc8972eab422d50702c6b84e42c30a2c7d184 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Aug 2024 08:40:06 +0300
+Subject: clk: qcom: dispcc-sm8250: use special function for Lucid 5LPE PLL
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 362be5cbaec2a663eb86b7105313368b4a71fc1e ]
+
+According to msm-5.10 the lucid 5lpe PLLs have require slightly
+different configuration that trion / lucid PLLs, it doesn't set
+PLL_UPDATE_BYPASS bit. Add corresponding function and use it for the
+display clock controller on Qualcomm SM8350 platform.
+
+Fixes: 205737fe3345 ("clk: qcom: add support for SM8350 DISPCC")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20240804-sm8350-fixes-v1-2-1149dd8399fe@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/clk-alpha-pll.c | 52 ++++++++++++++++++++++++++++++++
+ drivers/clk/qcom/clk-alpha-pll.h | 2 ++
+ drivers/clk/qcom/dispcc-sm8250.c | 9 ++++--
+ 3 files changed, 61 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/qcom/clk-alpha-pll.c b/drivers/clk/qcom/clk-alpha-pll.c
+index 31bf9d13f1541..b59317e234c61 100644
+--- a/drivers/clk/qcom/clk-alpha-pll.c
++++ b/drivers/clk/qcom/clk-alpha-pll.c
+@@ -1832,6 +1832,58 @@ const struct clk_ops clk_alpha_pll_agera_ops = {
+ };
+ EXPORT_SYMBOL_GPL(clk_alpha_pll_agera_ops);
+
++/**
++ * clk_lucid_5lpe_pll_configure - configure the lucid 5lpe pll
++ *
++ * @pll: clk alpha pll
++ * @regmap: register map
++ * @config: configuration to apply for pll
++ */
++void clk_lucid_5lpe_pll_configure(struct clk_alpha_pll *pll, struct regmap *regmap,
++ const struct alpha_pll_config *config)
++{
++ /*
++ * If the bootloader left the PLL enabled it's likely that there are
++ * RCGs that will lock up if we disable the PLL below.
++ */
++ if (trion_pll_is_enabled(pll, regmap)) {
++ pr_debug("Lucid 5LPE PLL is already enabled, skipping configuration\n");
++ return;
++ }
++
++ clk_alpha_pll_write_config(regmap, PLL_L_VAL(pll), config->l);
++ regmap_write(regmap, PLL_CAL_L_VAL(pll), TRION_PLL_CAL_VAL);
++ clk_alpha_pll_write_config(regmap, PLL_ALPHA_VAL(pll), config->alpha);
++ clk_alpha_pll_write_config(regmap, PLL_CONFIG_CTL(pll),
++ config->config_ctl_val);
++ clk_alpha_pll_write_config(regmap, PLL_CONFIG_CTL_U(pll),
++ config->config_ctl_hi_val);
++ clk_alpha_pll_write_config(regmap, PLL_CONFIG_CTL_U1(pll),
++ config->config_ctl_hi1_val);
++ clk_alpha_pll_write_config(regmap, PLL_USER_CTL(pll),
++ config->user_ctl_val);
++ clk_alpha_pll_write_config(regmap, PLL_USER_CTL_U(pll),
++ config->user_ctl_hi_val);
++ clk_alpha_pll_write_config(regmap, PLL_USER_CTL_U1(pll),
++ config->user_ctl_hi1_val);
++ clk_alpha_pll_write_config(regmap, PLL_TEST_CTL(pll),
++ config->test_ctl_val);
++ clk_alpha_pll_write_config(regmap, PLL_TEST_CTL_U(pll),
++ config->test_ctl_hi_val);
++ clk_alpha_pll_write_config(regmap, PLL_TEST_CTL_U1(pll),
++ config->test_ctl_hi1_val);
++
++ /* Disable PLL output */
++ regmap_update_bits(regmap, PLL_MODE(pll), PLL_OUTCTRL, 0);
++
++ /* Set operation mode to OFF */
++ regmap_write(regmap, PLL_OPMODE(pll), PLL_STANDBY);
++
++ /* Place the PLL in STANDBY mode */
++ regmap_update_bits(regmap, PLL_MODE(pll), PLL_RESET_N, PLL_RESET_N);
++}
++EXPORT_SYMBOL_GPL(clk_lucid_5lpe_pll_configure);
++
+ static int alpha_pll_lucid_5lpe_enable(struct clk_hw *hw)
+ {
+ struct clk_alpha_pll *pll = to_clk_alpha_pll(hw);
+diff --git a/drivers/clk/qcom/clk-alpha-pll.h b/drivers/clk/qcom/clk-alpha-pll.h
+index df8f0fe155313..e2cf5c7e501d0 100644
+--- a/drivers/clk/qcom/clk-alpha-pll.h
++++ b/drivers/clk/qcom/clk-alpha-pll.h
+@@ -208,6 +208,8 @@ void clk_agera_pll_configure(struct clk_alpha_pll *pll, struct regmap *regmap,
+
+ void clk_zonda_pll_configure(struct clk_alpha_pll *pll, struct regmap *regmap,
+ const struct alpha_pll_config *config);
++void clk_lucid_5lpe_pll_configure(struct clk_alpha_pll *pll, struct regmap *regmap,
++ const struct alpha_pll_config *config);
+ void clk_lucid_evo_pll_configure(struct clk_alpha_pll *pll, struct regmap *regmap,
+ const struct alpha_pll_config *config);
+ void clk_lucid_ole_pll_configure(struct clk_alpha_pll *pll, struct regmap *regmap,
+diff --git a/drivers/clk/qcom/dispcc-sm8250.c b/drivers/clk/qcom/dispcc-sm8250.c
+index 5a09009b72891..6665e064a5551 100644
+--- a/drivers/clk/qcom/dispcc-sm8250.c
++++ b/drivers/clk/qcom/dispcc-sm8250.c
+@@ -1357,8 +1357,13 @@ static int disp_cc_sm8250_probe(struct platform_device *pdev)
+ disp_cc_sm8250_clocks[DISP_CC_MDSS_EDP_GTC_CLK_SRC] = NULL;
+ }
+
+- clk_lucid_pll_configure(&disp_cc_pll0, regmap, &disp_cc_pll0_config);
+- clk_lucid_pll_configure(&disp_cc_pll1, regmap, &disp_cc_pll1_config);
++ if (of_device_is_compatible(pdev->dev.of_node, "qcom,sm8350-dispcc")) {
++ clk_lucid_5lpe_pll_configure(&disp_cc_pll0, regmap, &disp_cc_pll0_config);
++ clk_lucid_5lpe_pll_configure(&disp_cc_pll1, regmap, &disp_cc_pll1_config);
++ } else {
++ clk_lucid_pll_configure(&disp_cc_pll0, regmap, &disp_cc_pll0_config);
++ clk_lucid_pll_configure(&disp_cc_pll1, regmap, &disp_cc_pll1_config);
++ }
+
+ /* Enable clock gating for MDP clocks */
+ regmap_update_bits(regmap, 0x8000, 0x10, 0x10);
+--
+2.43.0
+
--- /dev/null
+From 4453454a0cb348f998cf08a256698c0d68abadd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jul 2024 13:04:28 +0300
+Subject: clk: qcom: dispcc-sm8550: fix several supposed typos
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 7b6a4b907297b28727933493b9e0c95494504634 ]
+
+Fix seveal odd-looking places in SM8550's dispcc driver:
+
+- duplicate entries in disp_cc_parent_map_4 and disp_cc_parent_map_5
+- using &disp_cc_mdss_dptx0_link_div_clk_src as a source for
+ disp_cc_mdss_dptx1_usb_router_link_intf_clk
+
+The SM8650 driver has been used as a reference.
+
+Fixes: 90114ca11476 ("clk: qcom: add SM8550 DISPCC driver")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20240717-dispcc-sm8550-fixes-v2-1-5c4a3128c40b@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/dispcc-sm8550.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/qcom/dispcc-sm8550.c b/drivers/clk/qcom/dispcc-sm8550.c
+index 31ae46f180a5c..954b0f6fcea28 100644
+--- a/drivers/clk/qcom/dispcc-sm8550.c
++++ b/drivers/clk/qcom/dispcc-sm8550.c
+@@ -196,7 +196,7 @@ static const struct clk_parent_data disp_cc_parent_data_3[] = {
+ static const struct parent_map disp_cc_parent_map_4[] = {
+ { P_BI_TCXO, 0 },
+ { P_DP0_PHY_PLL_LINK_CLK, 1 },
+- { P_DP1_PHY_PLL_VCO_DIV_CLK, 2 },
++ { P_DP0_PHY_PLL_VCO_DIV_CLK, 2 },
+ { P_DP3_PHY_PLL_VCO_DIV_CLK, 3 },
+ { P_DP1_PHY_PLL_VCO_DIV_CLK, 4 },
+ { P_DP2_PHY_PLL_VCO_DIV_CLK, 6 },
+@@ -213,7 +213,7 @@ static const struct clk_parent_data disp_cc_parent_data_4[] = {
+
+ static const struct parent_map disp_cc_parent_map_5[] = {
+ { P_BI_TCXO, 0 },
+- { P_DSI0_PHY_PLL_OUT_BYTECLK, 4 },
++ { P_DSI0_PHY_PLL_OUT_BYTECLK, 2 },
+ { P_DSI1_PHY_PLL_OUT_BYTECLK, 4 },
+ };
+
+--
+2.43.0
+
--- /dev/null
+From b1b32389352b4075744edc9dbd2febe827fcde32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jul 2024 13:04:29 +0300
+Subject: clk: qcom: dispcc-sm8550: use rcg2_ops for mdss_dptx1_aux_clk_src
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit cb4c00698f2f27d99a69adcce659370ca286cf2a ]
+
+clk_dp_ops should only be used for DisplayPort pixel clocks. Use
+clk_rcg2_ops for disp_cc_mdss_dptx1_aux_clk_src.
+
+Fixes: 90114ca11476 ("clk: qcom: add SM8550 DISPCC driver")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20240717-dispcc-sm8550-fixes-v2-2-5c4a3128c40b@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/dispcc-sm8550.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/qcom/dispcc-sm8550.c b/drivers/clk/qcom/dispcc-sm8550.c
+index 954b0f6fcea28..a98230540782c 100644
+--- a/drivers/clk/qcom/dispcc-sm8550.c
++++ b/drivers/clk/qcom/dispcc-sm8550.c
+@@ -400,7 +400,7 @@ static struct clk_rcg2 disp_cc_mdss_dptx1_aux_clk_src = {
+ .parent_data = disp_cc_parent_data_0,
+ .num_parents = ARRAY_SIZE(disp_cc_parent_data_0),
+ .flags = CLK_SET_RATE_PARENT,
+- .ops = &clk_dp_ops,
++ .ops = &clk_rcg2_ops,
+ },
+ };
+
+--
+2.43.0
+
--- /dev/null
+From c83e946ea7f138d1fffcbcbac1ce7895756f9a32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jul 2024 13:04:32 +0300
+Subject: clk: qcom: dispcc-sm8550: use rcg2_shared_ops for ESC RCGs
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit c8bee3ff6c9220092b646ff929f9c832c1adab6d ]
+
+Follow the recommendations and park disp_cc_mdss_esc[01]_clk_src to the
+XO instead of disabling the clocks by using the clk_rcg2_shared_ops.
+
+Fixes: 90114ca11476 ("clk: qcom: add SM8550 DISPCC driver")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20240717-dispcc-sm8550-fixes-v2-5-5c4a3128c40b@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/dispcc-sm8550.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/qcom/dispcc-sm8550.c b/drivers/clk/qcom/dispcc-sm8550.c
+index eb7e432d9eeed..19066ea58224e 100644
+--- a/drivers/clk/qcom/dispcc-sm8550.c
++++ b/drivers/clk/qcom/dispcc-sm8550.c
+@@ -562,7 +562,7 @@ static struct clk_rcg2 disp_cc_mdss_esc0_clk_src = {
+ .parent_data = disp_cc_parent_data_5,
+ .num_parents = ARRAY_SIZE(disp_cc_parent_data_5),
+ .flags = CLK_SET_RATE_PARENT,
+- .ops = &clk_rcg2_ops,
++ .ops = &clk_rcg2_shared_ops,
+ },
+ };
+
+@@ -577,7 +577,7 @@ static struct clk_rcg2 disp_cc_mdss_esc1_clk_src = {
+ .parent_data = disp_cc_parent_data_5,
+ .num_parents = ARRAY_SIZE(disp_cc_parent_data_5),
+ .flags = CLK_SET_RATE_PARENT,
+- .ops = &clk_rcg2_ops,
++ .ops = &clk_rcg2_shared_ops,
+ },
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 5d111938de147ba0673d48a3660e603044049f05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jul 2024 13:04:31 +0300
+Subject: clk: qcom: dispcc-sm8650: Update the GDSC flags
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 7de10ddbdb9d03651cff5fbdc8cf01837c698526 ]
+
+Add missing POLL_CFG_GDSCR to the MDSS GDSC flags.
+
+Fixes: 90114ca11476 ("clk: qcom: add SM8550 DISPCC driver")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20240717-dispcc-sm8550-fixes-v2-4-5c4a3128c40b@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/dispcc-sm8550.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/qcom/dispcc-sm8550.c b/drivers/clk/qcom/dispcc-sm8550.c
+index a98230540782c..eb7e432d9eeed 100644
+--- a/drivers/clk/qcom/dispcc-sm8550.c
++++ b/drivers/clk/qcom/dispcc-sm8550.c
+@@ -1611,7 +1611,7 @@ static struct gdsc mdss_gdsc = {
+ .name = "mdss_gdsc",
+ },
+ .pwrsts = PWRSTS_OFF_ON,
+- .flags = HW_CTRL | RETAIN_FF_ENABLE,
++ .flags = POLL_CFG_GDSCR | HW_CTRL | RETAIN_FF_ENABLE,
+ };
+
+ static struct gdsc mdss_int2_gdsc = {
+@@ -1620,7 +1620,7 @@ static struct gdsc mdss_int2_gdsc = {
+ .name = "mdss_int2_gdsc",
+ },
+ .pwrsts = PWRSTS_OFF_ON,
+- .flags = HW_CTRL | RETAIN_FF_ENABLE,
++ .flags = POLL_CFG_GDSCR | HW_CTRL | RETAIN_FF_ENABLE,
+ };
+
+ static struct clk_regmap *disp_cc_sm8550_clocks[] = {
+--
+2.43.0
+
--- /dev/null
+From 46dabac4675e422d986c0e31d7a4a526b068400e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jul 2024 11:18:15 +0530
+Subject: clk: qcom: ipq5332: Register gcc_qdss_tsctr_clk_src
+
+From: Varadarajan Narayanan <quic_varada@quicinc.com>
+
+[ Upstream commit 0e1ac23dfa3f635e486fdeb08206b981cb0a2a6b ]
+
+gcc_qdss_tsctr_clk_src (enabled in the boot loaders and dependent
+on gpll4_main) was not registered as one of the ipq5332 clocks.
+Hence clk_disable_unused() disabled 'gpll4_main' assuming there
+were no consumers for 'gpll4_main' resulting in system freeze or
+reboots.
+
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Fixes: 3d89d52970fd ("clk: qcom: add Global Clock controller (GCC) driver for IPQ5332 SoC")
+Signed-off-by: Varadarajan Narayanan <quic_varada@quicinc.com>
+Link: https://lore.kernel.org/r/20240730054817.1915652-4-quic_varada@quicinc.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/gcc-ipq5332.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/qcom/gcc-ipq5332.c b/drivers/clk/qcom/gcc-ipq5332.c
+index f98591148a976..6a4877d888294 100644
+--- a/drivers/clk/qcom/gcc-ipq5332.c
++++ b/drivers/clk/qcom/gcc-ipq5332.c
+@@ -3388,6 +3388,7 @@ static struct clk_regmap *gcc_ipq5332_clocks[] = {
+ [GCC_QDSS_DAP_DIV_CLK_SRC] = &gcc_qdss_dap_div_clk_src.clkr,
+ [GCC_QDSS_ETR_USB_CLK] = &gcc_qdss_etr_usb_clk.clkr,
+ [GCC_QDSS_EUD_AT_CLK] = &gcc_qdss_eud_at_clk.clkr,
++ [GCC_QDSS_TSCTR_CLK_SRC] = &gcc_qdss_tsctr_clk_src.clkr,
+ [GCC_QPIC_AHB_CLK] = &gcc_qpic_ahb_clk.clkr,
+ [GCC_QPIC_CLK] = &gcc_qpic_clk.clkr,
+ [GCC_QPIC_IO_MACRO_CLK] = &gcc_qpic_io_macro_clk.clkr,
+--
+2.43.0
+
--- /dev/null
+From 3eb6ddeaef20285e44cdb1f41658fc843d189f7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 08:28:20 +0300
+Subject: clk: rockchip: rk3588: Fix 32k clock name for pmu_24m_32k_100m_src_p
+
+From: Alexander Shiyan <eagle.alexander923@gmail.com>
+
+[ Upstream commit 0d02e8d284a45bfa8997ebe8764437b8eb6b108b ]
+
+The 32kHz input clock is named "xin32k" in the driver,
+so the name "32k" appears to be a typo in this case. Lets fix this.
+
+Signed-off-by: Alexander Shiyan <eagle.alexander923@gmail.com>
+Reviewed-by: Dragan Simic <dsimic@manjaro.org>
+Fixes: f1c506d152ff ("clk: rockchip: add clock controller for the RK3588")
+Link: https://lore.kernel.org/r/20240829052820.3604-1-eagle.alexander923@gmail.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/rockchip/clk-rk3588.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/rockchip/clk-rk3588.c b/drivers/clk/rockchip/clk-rk3588.c
+index b30279a96dc8a..3027379f2fdd1 100644
+--- a/drivers/clk/rockchip/clk-rk3588.c
++++ b/drivers/clk/rockchip/clk-rk3588.c
+@@ -526,7 +526,7 @@ PNAME(pmu_200m_100m_p) = { "clk_pmu1_200m_src", "clk_pmu1_100m_src" };
+ PNAME(pmu_300m_24m_p) = { "clk_300m_src", "xin24m" };
+ PNAME(pmu_400m_24m_p) = { "clk_400m_src", "xin24m" };
+ PNAME(pmu_100m_50m_24m_src_p) = { "clk_pmu1_100m_src", "clk_pmu1_50m_src", "xin24m" };
+-PNAME(pmu_24m_32k_100m_src_p) = { "xin24m", "32k", "clk_pmu1_100m_src" };
++PNAME(pmu_24m_32k_100m_src_p) = { "xin24m", "xin32k", "clk_pmu1_100m_src" };
+ PNAME(hclk_pmu1_root_p) = { "clk_pmu1_200m_src", "clk_pmu1_100m_src", "clk_pmu1_50m_src", "xin24m" };
+ PNAME(hclk_pmu_cm0_root_p) = { "clk_pmu1_400m_src", "clk_pmu1_200m_src", "clk_pmu1_100m_src", "xin24m" };
+ PNAME(mclk_pdm0_p) = { "clk_pmu1_300m_src", "clk_pmu1_200m_src" };
+--
+2.43.0
+
--- /dev/null
+From eeb24a68230f8c80103c559358d80e4948fb4b0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Jun 2024 17:03:53 +0000
+Subject: clk: rockchip: Set parent rate for DCLK_VOP clock on RK3228
+
+From: Jonas Karlman <jonas@kwiboo.se>
+
+[ Upstream commit 1d34b9757523c1ad547bd6d040381f62d74a3189 ]
+
+Similar to DCLK_LCDC on RK3328, the DCLK_VOP on RK3228 is typically
+parented by the hdmiphy clk and it is expected that the DCLK_VOP and
+hdmiphy clk rate are kept in sync.
+
+Use CLK_SET_RATE_PARENT and CLK_SET_RATE_NO_REPARENT flags, same as used
+on RK3328, to make full use of all possible supported display modes.
+
+Fixes: 0a9d4ac08ebc ("clk: rockchip: set the clock ids for RK3228 VOP")
+Fixes: 307a2e9ac524 ("clk: rockchip: add clock controller for rk3228")
+Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
+Link: https://lore.kernel.org/r/20240615170417.3134517-3-jonas@kwiboo.se
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/rockchip/clk-rk3228.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/rockchip/clk-rk3228.c b/drivers/clk/rockchip/clk-rk3228.c
+index a24a35553e134..7343d2d7676bc 100644
+--- a/drivers/clk/rockchip/clk-rk3228.c
++++ b/drivers/clk/rockchip/clk-rk3228.c
+@@ -409,7 +409,7 @@ static struct rockchip_clk_branch rk3228_clk_branches[] __initdata = {
+ RK2928_CLKSEL_CON(29), 0, 3, DFLAGS),
+ DIV(0, "sclk_vop_pre", "sclk_vop_src", 0,
+ RK2928_CLKSEL_CON(27), 8, 8, DFLAGS),
+- MUX(DCLK_VOP, "dclk_vop", mux_dclk_vop_p, 0,
++ MUX(DCLK_VOP, "dclk_vop", mux_dclk_vop_p, CLK_SET_RATE_PARENT | CLK_SET_RATE_NO_REPARENT,
+ RK2928_CLKSEL_CON(27), 1, 1, MFLAGS),
+
+ FACTOR(0, "xin12m", "xin24m", 0, 1, 2),
+--
+2.43.0
+
--- /dev/null
+From 47f15bcebad4f4c61d4fcab75d38af3db04bfa70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Aug 2024 09:38:53 +0000
+Subject: clk: starfive: Use pm_runtime_resume_and_get to fix
+ pm_runtime_get_sync() usage
+
+From: Yuntao Liu <liuyuntao12@huawei.com>
+
+[ Upstream commit 55c312c1b2be6d43e39c280ad6ab4b711e545b89 ]
+
+We need to call pm_runtime_put_noidle() when pm_runtime_get_sync()
+fails, so use pm_runtime_resume_and_get() instead. this function
+will handle this.
+
+Fixes: dae5448a327ed ("clk: starfive: Add StarFive JH7110 Video-Output clock driver")
+Signed-off-by: Yuntao Liu <liuyuntao12@huawei.com>
+Link: https://lore.kernel.org/r/20240815093853.757487-1-liuyuntao12@huawei.com
+Reviewed-by: Xingyu Wu <xingyu.wu@starfivetech.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/starfive/clk-starfive-jh7110-vout.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/starfive/clk-starfive-jh7110-vout.c b/drivers/clk/starfive/clk-starfive-jh7110-vout.c
+index 53f7af234cc23..aabd0484ac23f 100644
+--- a/drivers/clk/starfive/clk-starfive-jh7110-vout.c
++++ b/drivers/clk/starfive/clk-starfive-jh7110-vout.c
+@@ -145,7 +145,7 @@ static int jh7110_voutcrg_probe(struct platform_device *pdev)
+
+ /* enable power domain and clocks */
+ pm_runtime_enable(priv->dev);
+- ret = pm_runtime_get_sync(priv->dev);
++ ret = pm_runtime_resume_and_get(priv->dev);
+ if (ret < 0)
+ return dev_err_probe(priv->dev, ret, "failed to turn on power\n");
+
+--
+2.43.0
+
--- /dev/null
+From 1cd2dac1d2cd9c3a9c3f05239ccb3c3ec655387b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 10:35:29 -0500
+Subject: clk: ti: dra7-atl: Fix leak of of_nodes
+
+From: David Lechner <dlechner@baylibre.com>
+
+[ Upstream commit 9d6e9f10e2e031fb7bfb3030a7d1afc561a28fea ]
+
+This fix leaking the of_node references in of_dra7_atl_clk_probe().
+
+The docs for of_parse_phandle_with_args() say that the caller must call
+of_node_put() on the returned node. This adds the missing of_node_put()
+to fix the leak.
+
+Fixes: 9ac33b0ce81f ("CLK: TI: Driver for DRA7 ATL (Audio Tracking Logic)")
+Signed-off-by: David Lechner <dlechner@baylibre.com>
+Link: https://lore.kernel.org/r/20240826-clk-fix-leak-v1-1-f55418a13aa6@baylibre.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/ti/clk-dra7-atl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/ti/clk-dra7-atl.c b/drivers/clk/ti/clk-dra7-atl.c
+index d964e3affd42c..0eab7f3e2eab9 100644
+--- a/drivers/clk/ti/clk-dra7-atl.c
++++ b/drivers/clk/ti/clk-dra7-atl.c
+@@ -240,6 +240,7 @@ static int of_dra7_atl_clk_probe(struct platform_device *pdev)
+ }
+
+ clk = of_clk_get_from_provider(&clkspec);
++ of_node_put(clkspec.np);
+ if (IS_ERR(clk)) {
+ pr_err("%s: failed to get atl clock %d from provider\n",
+ __func__, i);
+--
+2.43.0
+
--- /dev/null
+From cbcbe85a8a5a54ae2724ccb7c86299887ab7d2bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Jul 2024 15:27:13 +0530
+Subject: clocksource/drivers/qcom: Add missing iounmap() on errors in
+ msm_dt_timer_init()
+
+From: Ankit Agrawal <agrawal.ag.ankit@gmail.com>
+
+[ Upstream commit ca140a0dc0a18acd4653b56db211fec9b2339986 ]
+
+Add the missing iounmap() when clock frequency fails to get read by the
+of_property_read_u32() call, or if the call to msm_timer_init() fails.
+
+Fixes: 6e3321631ac2 ("ARM: msm: Add DT support to msm_timer")
+Signed-off-by: Ankit Agrawal <agrawal.ag.ankit@gmail.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Link: https://lore.kernel.org/r/20240713095713.GA430091@bnew-VirtualBox
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/timer-qcom.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clocksource/timer-qcom.c b/drivers/clocksource/timer-qcom.c
+index b4afe3a675835..eac4c95c6127f 100644
+--- a/drivers/clocksource/timer-qcom.c
++++ b/drivers/clocksource/timer-qcom.c
+@@ -233,6 +233,7 @@ static int __init msm_dt_timer_init(struct device_node *np)
+ }
+
+ if (of_property_read_u32(np, "clock-frequency", &freq)) {
++ iounmap(cpu0_base);
+ pr_err("Unknown frequency\n");
+ return -EINVAL;
+ }
+@@ -243,7 +244,11 @@ static int __init msm_dt_timer_init(struct device_node *np)
+ freq /= 4;
+ writel_relaxed(DGT_CLK_CTL_DIV_4, source_base + DGT_CLK_CTL);
+
+- return msm_timer_init(freq, 32, irq, !!percpu_offset);
++ ret = msm_timer_init(freq, 32, irq, !!percpu_offset);
++ if (ret)
++ iounmap(cpu0_base);
++
++ return ret;
+ }
+ TIMER_OF_DECLARE(kpss_timer, "qcom,kpss-timer", msm_dt_timer_init);
+ TIMER_OF_DECLARE(scss_timer, "qcom,scss-timer", msm_dt_timer_init);
+--
+2.43.0
+
--- /dev/null
+From c3122a0b96ed29753fed059cde17961f4e0ec000 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2024 12:28:44 +0800
+Subject: Coresight: Set correct cs_mode for dummy source to fix disable issue
+
+From: Jie Gan <quic_jiegan@quicinc.com>
+
+[ Upstream commit e6b64cda393efd84709ab3df2e42d36d36d7553e ]
+
+The coresight_disable_source_sysfs function should verify the
+mode of the coresight device before disabling the source.
+However, the mode for the dummy source device is always set to
+CS_MODE_DISABLED, resulting in the check consistently failing.
+As a result, dummy source cannot be properly disabled.
+
+Configure CS_MODE_SYSFS/CS_MODE_PERF during the enablement.
+Configure CS_MODE_DISABLED during the disablement.
+
+Fixes: 9d3ba0b6c056 ("Coresight: Add coresight dummy driver")
+Signed-off-by: Jie Gan <quic_jiegan@quicinc.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Link: https://lore.kernel.org/r/20240812042844.2890115-1-quic_jiegan@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/coresight-dummy.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hwtracing/coresight/coresight-dummy.c b/drivers/hwtracing/coresight/coresight-dummy.c
+index ac70c0b491beb..dab389a5507c1 100644
+--- a/drivers/hwtracing/coresight/coresight-dummy.c
++++ b/drivers/hwtracing/coresight/coresight-dummy.c
+@@ -23,6 +23,9 @@ DEFINE_CORESIGHT_DEVLIST(sink_devs, "dummy_sink");
+ static int dummy_source_enable(struct coresight_device *csdev,
+ struct perf_event *event, enum cs_mode mode)
+ {
++ if (!coresight_take_mode(csdev, mode))
++ return -EBUSY;
++
+ dev_dbg(csdev->dev.parent, "Dummy source enabled\n");
+
+ return 0;
+@@ -31,6 +34,7 @@ static int dummy_source_enable(struct coresight_device *csdev,
+ static void dummy_source_disable(struct coresight_device *csdev,
+ struct perf_event *event)
+ {
++ coresight_set_mode(csdev, CS_MODE_DISABLED);
+ dev_dbg(csdev->dev.parent, "Dummy source disabled\n");
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 83c6de515b8c677a6a23550e3efa1878d7d258c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2024 12:30:43 +0800
+Subject: Coresight: Set correct cs_mode for TPDM to fix disable issue
+
+From: Jie Gan <quic_jiegan@quicinc.com>
+
+[ Upstream commit 14f5fa9b5fcbe2b3d5098893aba6ad62254d2ef6 ]
+
+The coresight_disable_source_sysfs function should verify the
+mode of the coresight device before disabling the source.
+
+However, the mode for the TPDM device is always set to
+CS_MODE_DISABLED, resulting in the check consistently failing.
+As a result, TPDM cannot be properly disabled.
+
+Configure CS_MODE_SYSFS/CS_MODE_PERF during the enablement.
+Configure CS_MODE_DISABLED during the disablement.
+
+Fixes: b3c71626a933 ("Coresight: Add coresight TPDM source driver")
+Signed-off-by: Jie Gan <quic_jiegan@quicinc.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Link: https://lore.kernel.org/r/20240812043043.2890694-1-quic_jiegan@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/coresight-tpdm.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/hwtracing/coresight/coresight-tpdm.c b/drivers/hwtracing/coresight/coresight-tpdm.c
+index 0726f8842552c..5c5a4b3fe6871 100644
+--- a/drivers/hwtracing/coresight/coresight-tpdm.c
++++ b/drivers/hwtracing/coresight/coresight-tpdm.c
+@@ -449,6 +449,11 @@ static int tpdm_enable(struct coresight_device *csdev, struct perf_event *event,
+ return -EBUSY;
+ }
+
++ if (!coresight_take_mode(csdev, mode)) {
++ spin_unlock(&drvdata->spinlock);
++ return -EBUSY;
++ }
++
+ __tpdm_enable(drvdata);
+ drvdata->enable = true;
+ spin_unlock(&drvdata->spinlock);
+@@ -506,6 +511,7 @@ static void tpdm_disable(struct coresight_device *csdev,
+ }
+
+ __tpdm_disable(drvdata);
++ coresight_set_mode(csdev, CS_MODE_DISABLED);
+ drvdata->enable = false;
+ spin_unlock(&drvdata->spinlock);
+
+--
+2.43.0
+
--- /dev/null
+From a399a13e3f556d87994cfe9ccaf438ac69dfe3e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 14:28:46 +0100
+Subject: coresight: tmc: sg: Do not leak sg_table
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+[ Upstream commit c58dc5a1f886f2fcc1133746d0cbaa1fe7fd44ff ]
+
+Running perf with cs_etm on Juno triggers the following kmemleak warning !
+
+:~# cat /sys/kernel/debug/kmemleak
+ unreferenced object 0xffffff8806b6d720 (size 96):
+ comm "perf", pid 562, jiffies 4297810960
+ hex dump (first 32 bytes):
+ 38 d8 13 07 88 ff ff ff 00 d0 9e 85 c0 ff ff ff 8...............
+ 00 10 00 88 c0 ff ff ff 00 f0 ff f7 ff 00 00 00 ................
+ backtrace (crc 1dbf6e00):
+ [<ffffffc08107381c>] kmemleak_alloc+0xbc/0xd8
+ [<ffffffc0802f9798>] kmalloc_trace_noprof+0x220/0x2e8
+ [<ffffffc07bb71948>] tmc_alloc_sg_table+0x48/0x208 [coresight_tmc]
+ [<ffffffc07bb71cbc>] tmc_etr_alloc_sg_buf+0xac/0x240 [coresight_tmc]
+ [<ffffffc07bb72538>] tmc_alloc_etr_buf.constprop.0+0x1f0/0x260 [coresight_tmc]
+ [<ffffffc07bb7280c>] alloc_etr_buf.constprop.0.isra.0+0x74/0xa8 [coresight_tmc]
+ [<ffffffc07bb72950>] tmc_alloc_etr_buffer+0x110/0x260 [coresight_tmc]
+ [<ffffffc07bb38afc>] etm_setup_aux+0x204/0x3b0 [coresight]
+ [<ffffffc08025837c>] rb_alloc_aux+0x20c/0x318
+ [<ffffffc08024dd84>] perf_mmap+0x2e4/0x7a0
+ [<ffffffc0802cceb0>] mmap_region+0x3b0/0xa08
+ [<ffffffc0802cd8a8>] do_mmap+0x3a0/0x500
+ [<ffffffc080295328>] vm_mmap_pgoff+0x100/0x1d0
+ [<ffffffc0802cadf8>] ksys_mmap_pgoff+0xb8/0x110
+ [<ffffffc080020688>] __arm64_sys_mmap+0x38/0x58
+ [<ffffffc080028fc0>] invoke_syscall.constprop.0+0x58/0x100
+
+This due to the fact that we do not free the "sg_table" itself while
+freeing up the SG table and data pages. Fix this by freeing the sg_table
+in tmc_free_sg_table().
+
+Fixes: 99443ea19e8b ("coresight: Add generic TMC sg table framework")
+Cc: Mike Leach <mike.leach@linaro.org>
+Cc: James Clark <james.clark@arm.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Link: https://lore.kernel.org/r/20240702132846.1677261-1-suzuki.poulose@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/coresight-tmc-etr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c b/drivers/hwtracing/coresight/coresight-tmc-etr.c
+index e75428fa1592a..610ad51cda656 100644
+--- a/drivers/hwtracing/coresight/coresight-tmc-etr.c
++++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c
+@@ -261,6 +261,7 @@ void tmc_free_sg_table(struct tmc_sg_table *sg_table)
+ {
+ tmc_free_table_pages(sg_table);
+ tmc_free_data_pages(sg_table);
++ kfree(sg_table);
+ }
+ EXPORT_SYMBOL_GPL(tmc_free_sg_table);
+
+@@ -342,7 +343,6 @@ struct tmc_sg_table *tmc_alloc_sg_table(struct device *dev,
+ rc = tmc_alloc_table_pages(sg_table);
+ if (rc) {
+ tmc_free_sg_table(sg_table);
+- kfree(sg_table);
+ return ERR_PTR(rc);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From fbc5d08e44dbb3d1095aee4cd493bc3daca654b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Aug 2024 08:19:15 -0500
+Subject: cpufreq: ti-cpufreq: Introduce quirks to handle syscon fails
+ appropriately
+
+From: Nishanth Menon <nm@ti.com>
+
+[ Upstream commit abc00ffda43bd4ba85896713464c7510c39f8165 ]
+
+Commit b4bc9f9e27ed ("cpufreq: ti-cpufreq: add support for omap34xx
+and omap36xx") introduced special handling for OMAP3 class devices
+where syscon node may not be present. However, this also creates a bug
+where the syscon node is present, however the offset used to read
+is beyond the syscon defined range.
+
+Fix this by providing a quirk option that is populated when such
+special handling is required. This allows proper failure for all other
+platforms when the syscon node and efuse offsets are mismatched.
+
+Fixes: b4bc9f9e27ed ("cpufreq: ti-cpufreq: add support for omap34xx and omap36xx")
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Tested-by: Dhruva Gole <d-gole@ti.com>
+Reviewed-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/ti-cpufreq.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/cpufreq/ti-cpufreq.c b/drivers/cpufreq/ti-cpufreq.c
+index 4d3f27958fbde..62dfa42570e42 100644
+--- a/drivers/cpufreq/ti-cpufreq.c
++++ b/drivers/cpufreq/ti-cpufreq.c
+@@ -90,6 +90,9 @@ struct ti_cpufreq_soc_data {
+ unsigned long efuse_shift;
+ unsigned long rev_offset;
+ bool multi_regulator;
++/* Backward compatibility hack: Might have missing syscon */
++#define TI_QUIRK_SYSCON_MAY_BE_MISSING 0x1
++ u8 quirks;
+ };
+
+ struct ti_cpufreq_data {
+@@ -254,6 +257,7 @@ static struct ti_cpufreq_soc_data omap34xx_soc_data = {
+ .efuse_mask = BIT(3),
+ .rev_offset = OMAP3_CONTROL_IDCODE - OMAP3_SYSCON_BASE,
+ .multi_regulator = false,
++ .quirks = TI_QUIRK_SYSCON_MAY_BE_MISSING,
+ };
+
+ /*
+@@ -281,6 +285,7 @@ static struct ti_cpufreq_soc_data omap36xx_soc_data = {
+ .efuse_mask = BIT(9),
+ .rev_offset = OMAP3_CONTROL_IDCODE - OMAP3_SYSCON_BASE,
+ .multi_regulator = true,
++ .quirks = TI_QUIRK_SYSCON_MAY_BE_MISSING,
+ };
+
+ /*
+@@ -295,6 +300,7 @@ static struct ti_cpufreq_soc_data am3517_soc_data = {
+ .efuse_mask = 0,
+ .rev_offset = OMAP3_CONTROL_IDCODE - OMAP3_SYSCON_BASE,
+ .multi_regulator = false,
++ .quirks = TI_QUIRK_SYSCON_MAY_BE_MISSING,
+ };
+
+ static struct ti_cpufreq_soc_data am625_soc_data = {
+@@ -340,7 +346,7 @@ static int ti_cpufreq_get_efuse(struct ti_cpufreq_data *opp_data,
+
+ ret = regmap_read(opp_data->syscon, opp_data->soc_data->efuse_offset,
+ &efuse);
+- if (ret == -EIO) {
++ if (opp_data->soc_data->quirks & TI_QUIRK_SYSCON_MAY_BE_MISSING && ret == -EIO) {
+ /* not a syscon register! */
+ void __iomem *regs = ioremap(OMAP3_SYSCON_BASE +
+ opp_data->soc_data->efuse_offset, 4);
+@@ -381,7 +387,7 @@ static int ti_cpufreq_get_rev(struct ti_cpufreq_data *opp_data,
+
+ ret = regmap_read(opp_data->syscon, opp_data->soc_data->rev_offset,
+ &revision);
+- if (ret == -EIO) {
++ if (opp_data->soc_data->quirks & TI_QUIRK_SYSCON_MAY_BE_MISSING && ret == -EIO) {
+ /* not a syscon register! */
+ void __iomem *regs = ioremap(OMAP3_SYSCON_BASE +
+ opp_data->soc_data->rev_offset, 4);
+--
+2.43.0
+
--- /dev/null
+From 1a1be45fdf1105b9e865b33108e1ed88e48311ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 17:57:13 +0800
+Subject: crypto: caam - Pad SG length when allocating hash edesc
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 5124bc96162667766f6120b19f57a640c2eccb2a ]
+
+Because hardware will read in multiples of 4 SG entries, ensure
+the allocated length is always padded. This was already done
+by some callers of ahash_edesc_alloc, but ahash_digest was conspicuously
+missing.
+
+In any case, doing it in the allocation function ensures that the
+memory is always there.
+
+Reported-by: Guangwu Zhang <guazhang@redhat.com>
+Fixes: a5e5c13398f3 ("crypto: caam - fix S/G table passing page boundary")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/caam/caamhash.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/crypto/caam/caamhash.c b/drivers/crypto/caam/caamhash.c
+index fdd724228c2fa..25c02e2672585 100644
+--- a/drivers/crypto/caam/caamhash.c
++++ b/drivers/crypto/caam/caamhash.c
+@@ -708,6 +708,7 @@ static struct ahash_edesc *ahash_edesc_alloc(struct ahash_request *req,
+ GFP_KERNEL : GFP_ATOMIC;
+ struct ahash_edesc *edesc;
+
++ sg_num = pad_sg_nents(sg_num);
+ edesc = kzalloc(struct_size(edesc, sec4_sg, sg_num), flags);
+ if (!edesc)
+ return NULL;
+--
+2.43.0
+
--- /dev/null
+From 05302f5656815680759c5e1eaaf1aad0991376a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 12:20:07 +0200
+Subject: crypto: ccp - do not request interrupt on cmd completion when irqs
+ disabled
+
+From: Amit Shah <amit.shah@amd.com>
+
+[ Upstream commit 3401f63e72596dcb7d912a5b67b4291643cc1034 ]
+
+While sending a command to the PSP, we always requested an interrupt
+from the PSP after command completion. This worked for most cases. For
+the special case of irqs being disabled -- e.g. when running within
+crashdump or kexec contexts, we should not set the SEV_CMDRESP_IOC flag,
+so the PSP knows to not attempt interrupt delivery.
+
+Fixes: 8ef979584ea8 ("crypto: ccp: Add panic notifier for SEV/SNP firmware shutdown on kdump")
+
+Based-on-patch-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Amit Shah <amit.shah@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ccp/sev-dev.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
+index 9810edbb272d2..1775bac7f5973 100644
+--- a/drivers/crypto/ccp/sev-dev.c
++++ b/drivers/crypto/ccp/sev-dev.c
+@@ -910,7 +910,18 @@ static int __sev_do_cmd_locked(int cmd, void *data, int *psp_ret)
+
+ sev->int_rcvd = 0;
+
+- reg = FIELD_PREP(SEV_CMDRESP_CMD, cmd) | SEV_CMDRESP_IOC;
++ reg = FIELD_PREP(SEV_CMDRESP_CMD, cmd);
++
++ /*
++ * If invoked during panic handling, local interrupts are disabled so
++ * the PSP command completion interrupt can't be used.
++ * sev_wait_cmd_ioc() already checks for interrupts disabled and
++ * polls for PSP command completion. Ensure we do not request an
++ * interrupt from the PSP if irqs disabled.
++ */
++ if (!irqs_disabled())
++ reg |= SEV_CMDRESP_IOC;
++
+ iowrite32(reg, sev->io_regs + sev->vdata->cmdresp_reg);
+
+ /* wait for command completion */
+--
+2.43.0
+
--- /dev/null
+From ed368e0f36897923311cf3f1f86f4de800747eff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 31 Aug 2024 19:48:30 +0800
+Subject: crypto: hisilicon/hpre - mask cluster timeout error
+
+From: Weili Qian <qianweili@huawei.com>
+
+[ Upstream commit 145013f723947c83b1a5f76a0cf6e7237d59e973 ]
+
+The timeout threshold of the hpre cluster is 16ms. When the CPU
+and device share virtual address, page fault processing time may
+exceed the threshold.
+
+In the current test, there is a high probability that the
+cluster times out. However, the cluster is waiting for the
+completion of memory access, which is not an error, the device
+does not need to be reset. If an error occurs in the cluster,
+qm also reports the error. Therefore, the cluster timeout
+error of hpre can be masked.
+
+Fixes: d90fab0deb8e ("crypto: hisilicon/qm - get error type from hardware registers")
+Signed-off-by: Weili Qian <qianweili@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/hisilicon/hpre/hpre_main.c | 22 ++++++----------------
+ 1 file changed, 6 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/crypto/hisilicon/hpre/hpre_main.c b/drivers/crypto/hisilicon/hpre/hpre_main.c
+index 10aa4da93323f..f8340d68afe1d 100644
+--- a/drivers/crypto/hisilicon/hpre/hpre_main.c
++++ b/drivers/crypto/hisilicon/hpre/hpre_main.c
+@@ -13,9 +13,7 @@
+ #include <linux/uacce.h>
+ #include "hpre.h"
+
+-#define HPRE_QM_ABNML_INT_MASK 0x100004
+ #define HPRE_CTRL_CNT_CLR_CE_BIT BIT(0)
+-#define HPRE_COMM_CNT_CLR_CE 0x0
+ #define HPRE_CTRL_CNT_CLR_CE 0x301000
+ #define HPRE_FSM_MAX_CNT 0x301008
+ #define HPRE_VFG_AXQOS 0x30100c
+@@ -42,7 +40,6 @@
+ #define HPRE_HAC_INT_SET 0x301500
+ #define HPRE_RNG_TIMEOUT_NUM 0x301A34
+ #define HPRE_CORE_INT_ENABLE 0
+-#define HPRE_CORE_INT_DISABLE GENMASK(21, 0)
+ #define HPRE_RDCHN_INI_ST 0x301a00
+ #define HPRE_CLSTR_BASE 0x302000
+ #define HPRE_CORE_EN_OFFSET 0x04
+@@ -66,7 +63,6 @@
+ #define HPRE_CLSTR_ADDR_INTRVL 0x1000
+ #define HPRE_CLUSTER_INQURY 0x100
+ #define HPRE_CLSTR_ADDR_INQRY_RSLT 0x104
+-#define HPRE_TIMEOUT_ABNML_BIT 6
+ #define HPRE_PASID_EN_BIT 9
+ #define HPRE_REG_RD_INTVRL_US 10
+ #define HPRE_REG_RD_TMOUT_US 1000
+@@ -203,9 +199,9 @@ static const struct hisi_qm_cap_info hpre_basic_info[] = {
+ {HPRE_QM_RESET_MASK_CAP, 0x3128, 0, GENMASK(31, 0), 0x0, 0xC37, 0x6C37},
+ {HPRE_QM_OOO_SHUTDOWN_MASK_CAP, 0x3128, 0, GENMASK(31, 0), 0x0, 0x4, 0x6C37},
+ {HPRE_QM_CE_MASK_CAP, 0x312C, 0, GENMASK(31, 0), 0x0, 0x8, 0x8},
+- {HPRE_NFE_MASK_CAP, 0x3130, 0, GENMASK(31, 0), 0x0, 0x3FFFFE, 0x1FFFFFE},
+- {HPRE_RESET_MASK_CAP, 0x3134, 0, GENMASK(31, 0), 0x0, 0x3FFFFE, 0xBFFFFE},
+- {HPRE_OOO_SHUTDOWN_MASK_CAP, 0x3134, 0, GENMASK(31, 0), 0x0, 0x22, 0xBFFFFE},
++ {HPRE_NFE_MASK_CAP, 0x3130, 0, GENMASK(31, 0), 0x0, 0x3FFFFE, 0x1FFFC3E},
++ {HPRE_RESET_MASK_CAP, 0x3134, 0, GENMASK(31, 0), 0x0, 0x3FFFFE, 0xBFFC3E},
++ {HPRE_OOO_SHUTDOWN_MASK_CAP, 0x3134, 0, GENMASK(31, 0), 0x0, 0x22, 0xBFFC3E},
+ {HPRE_CE_MASK_CAP, 0x3138, 0, GENMASK(31, 0), 0x0, 0x1, 0x1},
+ {HPRE_CLUSTER_NUM_CAP, 0x313c, 20, GENMASK(3, 0), 0x0, 0x4, 0x1},
+ {HPRE_CORE_TYPE_NUM_CAP, 0x313c, 16, GENMASK(3, 0), 0x0, 0x2, 0x2},
+@@ -654,11 +650,6 @@ static int hpre_set_user_domain_and_cache(struct hisi_qm *qm)
+ writel(HPRE_QM_USR_CFG_MASK, qm->io_base + QM_AWUSER_M_CFG_ENABLE);
+ writel_relaxed(HPRE_QM_AXI_CFG_MASK, qm->io_base + QM_AXI_M_CFG);
+
+- /* HPRE need more time, we close this interrupt */
+- val = readl_relaxed(qm->io_base + HPRE_QM_ABNML_INT_MASK);
+- val |= BIT(HPRE_TIMEOUT_ABNML_BIT);
+- writel_relaxed(val, qm->io_base + HPRE_QM_ABNML_INT_MASK);
+-
+ if (qm->ver >= QM_HW_V3)
+ writel(HPRE_RSA_ENB | HPRE_ECC_ENB,
+ qm->io_base + HPRE_TYPES_ENB);
+@@ -667,9 +658,7 @@ static int hpre_set_user_domain_and_cache(struct hisi_qm *qm)
+
+ writel(HPRE_QM_VFG_AX_MASK, qm->io_base + HPRE_VFG_AXCACHE);
+ writel(0x0, qm->io_base + HPRE_BD_ENDIAN);
+- writel(0x0, qm->io_base + HPRE_INT_MASK);
+ writel(0x0, qm->io_base + HPRE_POISON_BYPASS);
+- writel(0x0, qm->io_base + HPRE_COMM_CNT_CLR_CE);
+ writel(0x0, qm->io_base + HPRE_ECC_BYPASS);
+
+ writel(HPRE_BD_USR_MASK, qm->io_base + HPRE_BD_ARUSR_CFG);
+@@ -759,7 +748,7 @@ static void hpre_hw_error_disable(struct hisi_qm *qm)
+
+ static void hpre_hw_error_enable(struct hisi_qm *qm)
+ {
+- u32 ce, nfe;
++ u32 ce, nfe, err_en;
+
+ ce = hisi_qm_get_hw_info(qm, hpre_basic_info, HPRE_CE_MASK_CAP, qm->cap_ver);
+ nfe = hisi_qm_get_hw_info(qm, hpre_basic_info, HPRE_NFE_MASK_CAP, qm->cap_ver);
+@@ -776,7 +765,8 @@ static void hpre_hw_error_enable(struct hisi_qm *qm)
+ hpre_master_ooo_ctrl(qm, true);
+
+ /* enable hpre hw error interrupts */
+- writel(HPRE_CORE_INT_ENABLE, qm->io_base + HPRE_INT_MASK);
++ err_en = ce | nfe | HPRE_HAC_RAS_FE_ENABLE;
++ writel(~err_en, qm->io_base + HPRE_INT_MASK);
+ }
+
+ static inline struct hisi_qm *hpre_file_to_qm(struct hpre_debugfs_file *file)
+--
+2.43.0
+
--- /dev/null
+From aac828bae14bbbee144234771347628e7e679587 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 31 Aug 2024 19:48:31 +0800
+Subject: crypto: hisilicon/qm - inject error before stopping queue
+
+From: Weili Qian <qianweili@huawei.com>
+
+[ Upstream commit b04f06fc0243600665b3b50253869533b7938468 ]
+
+The master ooo cannot be completely closed when the
+accelerator core reports memory error. Therefore, the driver
+needs to inject the qm error to close the master ooo. Currently,
+the qm error is injected after stopping queue, memory may be
+released immediately after stopping queue, causing the device to
+access the released memory. Therefore, error is injected to close master
+ooo before stopping queue to ensure that the device does not access
+the released memory.
+
+Fixes: 6c6dd5802c2d ("crypto: hisilicon/qm - add controller reset interface")
+Signed-off-by: Weili Qian <qianweili@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/hisilicon/qm.c | 47 ++++++++++++++++++-----------------
+ 1 file changed, 24 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c
+index b2b5f15abdf72..07983af9e3e22 100644
+--- a/drivers/crypto/hisilicon/qm.c
++++ b/drivers/crypto/hisilicon/qm.c
+@@ -4015,6 +4015,28 @@ static int qm_set_vf_mse(struct hisi_qm *qm, bool set)
+ return -ETIMEDOUT;
+ }
+
++static void qm_dev_ecc_mbit_handle(struct hisi_qm *qm)
++{
++ u32 nfe_enb = 0;
++
++ /* Kunpeng930 hardware automatically close master ooo when NFE occurs */
++ if (qm->ver >= QM_HW_V3)
++ return;
++
++ if (!qm->err_status.is_dev_ecc_mbit &&
++ qm->err_status.is_qm_ecc_mbit &&
++ qm->err_ini->close_axi_master_ooo) {
++ qm->err_ini->close_axi_master_ooo(qm);
++ } else if (qm->err_status.is_dev_ecc_mbit &&
++ !qm->err_status.is_qm_ecc_mbit &&
++ !qm->err_ini->close_axi_master_ooo) {
++ nfe_enb = readl(qm->io_base + QM_RAS_NFE_ENABLE);
++ writel(nfe_enb & QM_RAS_NFE_MBIT_DISABLE,
++ qm->io_base + QM_RAS_NFE_ENABLE);
++ writel(QM_ECC_MBIT, qm->io_base + QM_ABNORMAL_INT_SET);
++ }
++}
++
+ static int qm_vf_reset_prepare(struct hisi_qm *qm,
+ enum qm_stop_reason stop_reason)
+ {
+@@ -4079,6 +4101,8 @@ static int qm_controller_reset_prepare(struct hisi_qm *qm)
+ return ret;
+ }
+
++ qm_dev_ecc_mbit_handle(qm);
++
+ /* PF obtains the information of VF by querying the register. */
+ qm_cmd_uninit(qm);
+
+@@ -4125,28 +4149,6 @@ static int qm_master_ooo_check(struct hisi_qm *qm)
+ return ret;
+ }
+
+-static void qm_dev_ecc_mbit_handle(struct hisi_qm *qm)
+-{
+- u32 nfe_enb = 0;
+-
+- /* Kunpeng930 hardware automatically close master ooo when NFE occurs */
+- if (qm->ver >= QM_HW_V3)
+- return;
+-
+- if (!qm->err_status.is_dev_ecc_mbit &&
+- qm->err_status.is_qm_ecc_mbit &&
+- qm->err_ini->close_axi_master_ooo) {
+- qm->err_ini->close_axi_master_ooo(qm);
+- } else if (qm->err_status.is_dev_ecc_mbit &&
+- !qm->err_status.is_qm_ecc_mbit &&
+- !qm->err_ini->close_axi_master_ooo) {
+- nfe_enb = readl(qm->io_base + QM_RAS_NFE_ENABLE);
+- writel(nfe_enb & QM_RAS_NFE_MBIT_DISABLE,
+- qm->io_base + QM_RAS_NFE_ENABLE);
+- writel(QM_ECC_MBIT, qm->io_base + QM_ABNORMAL_INT_SET);
+- }
+-}
+-
+ static int qm_soft_reset_prepare(struct hisi_qm *qm)
+ {
+ struct pci_dev *pdev = qm->pdev;
+@@ -4171,7 +4173,6 @@ static int qm_soft_reset_prepare(struct hisi_qm *qm)
+ return ret;
+ }
+
+- qm_dev_ecc_mbit_handle(qm);
+ ret = qm_master_ooo_check(qm);
+ if (ret)
+ return ret;
+--
+2.43.0
+
--- /dev/null
+From 215f4eff07a519dc783223744772db1cb848c476 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 31 Aug 2024 19:48:29 +0800
+Subject: crypto: hisilicon/qm - reset device before enabling it
+
+From: Weili Qian <qianweili@huawei.com>
+
+[ Upstream commit 5d2d1ee0874c26b8010ddf7f57e2f246e848af38 ]
+
+Before the device is enabled again, the device may still
+store the previously processed data. If an error occurs in
+the previous task, the device may fail to be enabled again.
+Therefore, before enabling device, reset the device to restore
+the initial state.
+
+Signed-off-by: Weili Qian <qianweili@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Stable-dep-of: b04f06fc0243 ("crypto: hisilicon/qm - inject error before stopping queue")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/hisilicon/hpre/hpre_main.c | 32 +++---
+ drivers/crypto/hisilicon/qm.c | 114 +++++++++++++++-------
+ drivers/crypto/hisilicon/sec2/sec_main.c | 16 ++-
+ drivers/crypto/hisilicon/zip/zip_main.c | 23 +++--
+ 4 files changed, 121 insertions(+), 64 deletions(-)
+
+diff --git a/drivers/crypto/hisilicon/hpre/hpre_main.c b/drivers/crypto/hisilicon/hpre/hpre_main.c
+index f8340d68afe1d..6b536ad2ada52 100644
+--- a/drivers/crypto/hisilicon/hpre/hpre_main.c
++++ b/drivers/crypto/hisilicon/hpre/hpre_main.c
+@@ -354,6 +354,8 @@ static struct dfx_diff_registers hpre_diff_regs[] = {
+ },
+ };
+
++static const struct hisi_qm_err_ini hpre_err_ini;
++
+ bool hpre_check_alg_support(struct hisi_qm *qm, u32 alg)
+ {
+ u32 cap_val;
+@@ -1151,6 +1153,7 @@ static int hpre_qm_init(struct hisi_qm *qm, struct pci_dev *pdev)
+ qm->qp_num = pf_q_num;
+ qm->debug.curr_qm_qp_num = pf_q_num;
+ qm->qm_list = &hpre_devices;
++ qm->err_ini = &hpre_err_ini;
+ if (pf_q_num_flag)
+ set_bit(QM_MODULE_PARAM, &qm->misc_ctl);
+ }
+@@ -1340,8 +1343,6 @@ static int hpre_pf_probe_init(struct hpre *hpre)
+
+ hpre_open_sva_prefetch(qm);
+
+- qm->err_ini = &hpre_err_ini;
+- qm->err_ini->err_info_init(qm);
+ hisi_qm_dev_err_init(qm);
+ ret = hpre_show_last_regs_init(qm);
+ if (ret)
+@@ -1370,6 +1371,18 @@ static int hpre_probe_init(struct hpre *hpre)
+ return 0;
+ }
+
++static void hpre_probe_uninit(struct hisi_qm *qm)
++{
++ if (qm->fun_type == QM_HW_VF)
++ return;
++
++ hpre_cnt_regs_clear(qm);
++ qm->debug.curr_qm_qp_num = 0;
++ hpre_show_last_regs_uninit(qm);
++ hpre_close_sva_prefetch(qm);
++ hisi_qm_dev_err_uninit(qm);
++}
++
+ static int hpre_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ {
+ struct hisi_qm *qm;
+@@ -1395,7 +1408,7 @@ static int hpre_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+
+ ret = hisi_qm_start(qm);
+ if (ret)
+- goto err_with_err_init;
++ goto err_with_probe_init;
+
+ ret = hpre_debugfs_init(qm);
+ if (ret)
+@@ -1434,9 +1447,8 @@ static int hpre_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ hpre_debugfs_exit(qm);
+ hisi_qm_stop(qm, QM_NORMAL);
+
+-err_with_err_init:
+- hpre_show_last_regs_uninit(qm);
+- hisi_qm_dev_err_uninit(qm);
++err_with_probe_init:
++ hpre_probe_uninit(qm);
+
+ err_with_qm_init:
+ hisi_qm_uninit(qm);
+@@ -1458,13 +1470,7 @@ static void hpre_remove(struct pci_dev *pdev)
+ hpre_debugfs_exit(qm);
+ hisi_qm_stop(qm, QM_NORMAL);
+
+- if (qm->fun_type == QM_HW_PF) {
+- hpre_cnt_regs_clear(qm);
+- qm->debug.curr_qm_qp_num = 0;
+- hpre_show_last_regs_uninit(qm);
+- hisi_qm_dev_err_uninit(qm);
+- }
+-
++ hpre_probe_uninit(qm);
+ hisi_qm_uninit(qm);
+ }
+
+diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c
+index f614fd228b562..b2b5f15abdf72 100644
+--- a/drivers/crypto/hisilicon/qm.c
++++ b/drivers/crypto/hisilicon/qm.c
+@@ -450,6 +450,7 @@ static struct qm_typical_qos_table shaper_cbs_s[] = {
+ };
+
+ static void qm_irqs_unregister(struct hisi_qm *qm);
++static int qm_reset_device(struct hisi_qm *qm);
+
+ static u32 qm_get_hw_error_status(struct hisi_qm *qm)
+ {
+@@ -4108,6 +4109,22 @@ static int qm_controller_reset_prepare(struct hisi_qm *qm)
+ return 0;
+ }
+
++static int qm_master_ooo_check(struct hisi_qm *qm)
++{
++ u32 val;
++ int ret;
++
++ /* Check the ooo register of the device before resetting the device. */
++ writel(ACC_MASTER_GLOBAL_CTRL_SHUTDOWN, qm->io_base + ACC_MASTER_GLOBAL_CTRL);
++ ret = readl_relaxed_poll_timeout(qm->io_base + ACC_MASTER_TRANS_RETURN,
++ val, (val == ACC_MASTER_TRANS_RETURN_RW),
++ POLL_PERIOD, POLL_TIMEOUT);
++ if (ret)
++ pci_warn(qm->pdev, "Bus lock! Please reset system.\n");
++
++ return ret;
++}
++
+ static void qm_dev_ecc_mbit_handle(struct hisi_qm *qm)
+ {
+ u32 nfe_enb = 0;
+@@ -4130,11 +4147,10 @@ static void qm_dev_ecc_mbit_handle(struct hisi_qm *qm)
+ }
+ }
+
+-static int qm_soft_reset(struct hisi_qm *qm)
++static int qm_soft_reset_prepare(struct hisi_qm *qm)
+ {
+ struct pci_dev *pdev = qm->pdev;
+ int ret;
+- u32 val;
+
+ /* Ensure all doorbells and mailboxes received by QM */
+ ret = qm_check_req_recv(qm);
+@@ -4156,29 +4172,23 @@ static int qm_soft_reset(struct hisi_qm *qm)
+ }
+
+ qm_dev_ecc_mbit_handle(qm);
+-
+- /* OOO register set and check */
+- writel(ACC_MASTER_GLOBAL_CTRL_SHUTDOWN,
+- qm->io_base + ACC_MASTER_GLOBAL_CTRL);
+-
+- /* If bus lock, reset chip */
+- ret = readl_relaxed_poll_timeout(qm->io_base + ACC_MASTER_TRANS_RETURN,
+- val,
+- (val == ACC_MASTER_TRANS_RETURN_RW),
+- POLL_PERIOD, POLL_TIMEOUT);
+- if (ret) {
+- pci_emerg(pdev, "Bus lock! Please reset system.\n");
++ ret = qm_master_ooo_check(qm);
++ if (ret)
+ return ret;
+- }
+
+ if (qm->err_ini->close_sva_prefetch)
+ qm->err_ini->close_sva_prefetch(qm);
+
+ ret = qm_set_pf_mse(qm, false);
+- if (ret) {
++ if (ret)
+ pci_err(pdev, "Fails to disable pf MSE bit.\n");
+- return ret;
+- }
++
++ return ret;
++}
++
++static int qm_reset_device(struct hisi_qm *qm)
++{
++ struct pci_dev *pdev = qm->pdev;
+
+ /* The reset related sub-control registers are not in PCI BAR */
+ if (ACPI_HANDLE(&pdev->dev)) {
+@@ -4197,12 +4207,23 @@ static int qm_soft_reset(struct hisi_qm *qm)
+ pci_err(pdev, "Reset step %llu failed!\n", value);
+ return -EIO;
+ }
+- } else {
+- pci_err(pdev, "No reset method!\n");
+- return -EINVAL;
++
++ return 0;
+ }
+
+- return 0;
++ pci_err(pdev, "No reset method!\n");
++ return -EINVAL;
++}
++
++static int qm_soft_reset(struct hisi_qm *qm)
++{
++ int ret;
++
++ ret = qm_soft_reset_prepare(qm);
++ if (ret)
++ return ret;
++
++ return qm_reset_device(qm);
+ }
+
+ static int qm_vf_reset_done(struct hisi_qm *qm)
+@@ -5155,6 +5176,35 @@ static int qm_get_pci_res(struct hisi_qm *qm)
+ return ret;
+ }
+
++static int qm_clear_device(struct hisi_qm *qm)
++{
++ acpi_handle handle = ACPI_HANDLE(&qm->pdev->dev);
++ int ret;
++
++ if (qm->fun_type == QM_HW_VF)
++ return 0;
++
++ /* Device does not support reset, return */
++ if (!qm->err_ini->err_info_init)
++ return 0;
++ qm->err_ini->err_info_init(qm);
++
++ if (!handle)
++ return 0;
++
++ /* No reset method, return */
++ if (!acpi_has_method(handle, qm->err_info.acpi_rst))
++ return 0;
++
++ ret = qm_master_ooo_check(qm);
++ if (ret) {
++ writel(0x0, qm->io_base + ACC_MASTER_GLOBAL_CTRL);
++ return ret;
++ }
++
++ return qm_reset_device(qm);
++}
++
+ static int hisi_qm_pci_init(struct hisi_qm *qm)
+ {
+ struct pci_dev *pdev = qm->pdev;
+@@ -5184,8 +5234,14 @@ static int hisi_qm_pci_init(struct hisi_qm *qm)
+ goto err_get_pci_res;
+ }
+
++ ret = qm_clear_device(qm);
++ if (ret)
++ goto err_free_vectors;
++
+ return 0;
+
++err_free_vectors:
++ pci_free_irq_vectors(pdev);
+ err_get_pci_res:
+ qm_put_pci_res(qm);
+ err_disable_pcidev:
+@@ -5486,7 +5542,6 @@ static int qm_prepare_for_suspend(struct hisi_qm *qm)
+ {
+ struct pci_dev *pdev = qm->pdev;
+ int ret;
+- u32 val;
+
+ ret = qm->ops->set_msi(qm, false);
+ if (ret) {
+@@ -5494,18 +5549,9 @@ static int qm_prepare_for_suspend(struct hisi_qm *qm)
+ return ret;
+ }
+
+- /* shutdown OOO register */
+- writel(ACC_MASTER_GLOBAL_CTRL_SHUTDOWN,
+- qm->io_base + ACC_MASTER_GLOBAL_CTRL);
+-
+- ret = readl_relaxed_poll_timeout(qm->io_base + ACC_MASTER_TRANS_RETURN,
+- val,
+- (val == ACC_MASTER_TRANS_RETURN_RW),
+- POLL_PERIOD, POLL_TIMEOUT);
+- if (ret) {
+- pci_emerg(pdev, "Bus lock! Please reset system.\n");
++ ret = qm_master_ooo_check(qm);
++ if (ret)
+ return ret;
+- }
+
+ ret = qm_set_pf_mse(qm, false);
+ if (ret)
+diff --git a/drivers/crypto/hisilicon/sec2/sec_main.c b/drivers/crypto/hisilicon/sec2/sec_main.c
+index 75aad04ffe5eb..c35533d8930b2 100644
+--- a/drivers/crypto/hisilicon/sec2/sec_main.c
++++ b/drivers/crypto/hisilicon/sec2/sec_main.c
+@@ -1065,9 +1065,6 @@ static int sec_pf_probe_init(struct sec_dev *sec)
+ struct hisi_qm *qm = &sec->qm;
+ int ret;
+
+- qm->err_ini = &sec_err_ini;
+- qm->err_ini->err_info_init(qm);
+-
+ ret = sec_set_user_domain_and_cache(qm);
+ if (ret)
+ return ret;
+@@ -1122,6 +1119,7 @@ static int sec_qm_init(struct hisi_qm *qm, struct pci_dev *pdev)
+ qm->qp_num = pf_q_num;
+ qm->debug.curr_qm_qp_num = pf_q_num;
+ qm->qm_list = &sec_devices;
++ qm->err_ini = &sec_err_ini;
+ if (pf_q_num_flag)
+ set_bit(QM_MODULE_PARAM, &qm->misc_ctl);
+ } else if (qm->fun_type == QM_HW_VF && qm->ver == QM_HW_V1) {
+@@ -1186,6 +1184,12 @@ static int sec_probe_init(struct sec_dev *sec)
+
+ static void sec_probe_uninit(struct hisi_qm *qm)
+ {
++ if (qm->fun_type == QM_HW_VF)
++ return;
++
++ sec_debug_regs_clear(qm);
++ sec_show_last_regs_uninit(qm);
++ sec_close_sva_prefetch(qm);
+ hisi_qm_dev_err_uninit(qm);
+ }
+
+@@ -1274,7 +1278,6 @@ static int sec_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ sec_debugfs_exit(qm);
+ hisi_qm_stop(qm, QM_NORMAL);
+ err_probe_uninit:
+- sec_show_last_regs_uninit(qm);
+ sec_probe_uninit(qm);
+ err_qm_uninit:
+ sec_qm_uninit(qm);
+@@ -1296,11 +1299,6 @@ static void sec_remove(struct pci_dev *pdev)
+ sec_debugfs_exit(qm);
+
+ (void)hisi_qm_stop(qm, QM_NORMAL);
+-
+- if (qm->fun_type == QM_HW_PF)
+- sec_debug_regs_clear(qm);
+- sec_show_last_regs_uninit(qm);
+-
+ sec_probe_uninit(qm);
+
+ sec_qm_uninit(qm);
+diff --git a/drivers/crypto/hisilicon/zip/zip_main.c b/drivers/crypto/hisilicon/zip/zip_main.c
+index 7c2d803886fde..d07e47b48be06 100644
+--- a/drivers/crypto/hisilicon/zip/zip_main.c
++++ b/drivers/crypto/hisilicon/zip/zip_main.c
+@@ -1141,8 +1141,6 @@ static int hisi_zip_pf_probe_init(struct hisi_zip *hisi_zip)
+
+ hisi_zip->ctrl = ctrl;
+ ctrl->hisi_zip = hisi_zip;
+- qm->err_ini = &hisi_zip_err_ini;
+- qm->err_ini->err_info_init(qm);
+
+ ret = hisi_zip_set_user_domain_and_cache(qm);
+ if (ret)
+@@ -1203,6 +1201,7 @@ static int hisi_zip_qm_init(struct hisi_qm *qm, struct pci_dev *pdev)
+ qm->qp_num = pf_q_num;
+ qm->debug.curr_qm_qp_num = pf_q_num;
+ qm->qm_list = &zip_devices;
++ qm->err_ini = &hisi_zip_err_ini;
+ if (pf_q_num_flag)
+ set_bit(QM_MODULE_PARAM, &qm->misc_ctl);
+ } else if (qm->fun_type == QM_HW_VF && qm->ver == QM_HW_V1) {
+@@ -1269,6 +1268,16 @@ static int hisi_zip_probe_init(struct hisi_zip *hisi_zip)
+ return 0;
+ }
+
++static void hisi_zip_probe_uninit(struct hisi_qm *qm)
++{
++ if (qm->fun_type == QM_HW_VF)
++ return;
++
++ hisi_zip_show_last_regs_uninit(qm);
++ hisi_zip_close_sva_prefetch(qm);
++ hisi_qm_dev_err_uninit(qm);
++}
++
+ static int hisi_zip_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ {
+ struct hisi_zip *hisi_zip;
+@@ -1295,7 +1304,7 @@ static int hisi_zip_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+
+ ret = hisi_qm_start(qm);
+ if (ret)
+- goto err_dev_err_uninit;
++ goto err_probe_uninit;
+
+ ret = hisi_zip_debugfs_init(qm);
+ if (ret)
+@@ -1334,9 +1343,8 @@ static int hisi_zip_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ hisi_zip_debugfs_exit(qm);
+ hisi_qm_stop(qm, QM_NORMAL);
+
+-err_dev_err_uninit:
+- hisi_zip_show_last_regs_uninit(qm);
+- hisi_qm_dev_err_uninit(qm);
++err_probe_uninit:
++ hisi_zip_probe_uninit(qm);
+
+ err_qm_uninit:
+ hisi_zip_qm_uninit(qm);
+@@ -1358,8 +1366,7 @@ static void hisi_zip_remove(struct pci_dev *pdev)
+
+ hisi_zip_debugfs_exit(qm);
+ hisi_qm_stop(qm, QM_NORMAL);
+- hisi_zip_show_last_regs_uninit(qm);
+- hisi_qm_dev_err_uninit(qm);
++ hisi_zip_probe_uninit(qm);
+ hisi_zip_qm_uninit(qm);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 4a00f0e485249cee80bf6227b9324ec3fd20cd2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jul 2024 11:09:43 -0500
+Subject: crypto: iaa - Fix potential use after free bug
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit e0d3b845a1b10b7b5abdad7ecc69d45b2aab3209 ]
+
+The free_device_compression_mode(iaa_device, device_mode) function frees
+"device_mode" but it iss passed to iaa_compression_modes[i]->free() a few
+lines later resulting in a use after free.
+
+The good news is that, so far as I can tell, nothing implements the
+->free() function and the use after free happens in dead code. But, with
+this fix, when something does implement it, we'll be ready. :)
+
+Fixes: b190447e0fa3 ("crypto: iaa - Add compression mode management along with fixed mode")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Tom Zanussi <tom.zanussi@linux.intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/intel/iaa/iaa_crypto_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/intel/iaa/iaa_crypto_main.c b/drivers/crypto/intel/iaa/iaa_crypto_main.c
+index e810d286ee8c4..237f870000702 100644
+--- a/drivers/crypto/intel/iaa/iaa_crypto_main.c
++++ b/drivers/crypto/intel/iaa/iaa_crypto_main.c
+@@ -495,10 +495,10 @@ static void remove_device_compression_modes(struct iaa_device *iaa_device)
+ if (!device_mode)
+ continue;
+
+- free_device_compression_mode(iaa_device, device_mode);
+- iaa_device->compression_modes[i] = NULL;
+ if (iaa_compression_modes[i]->free)
+ iaa_compression_modes[i]->free(device_mode);
++ free_device_compression_mode(iaa_device, device_mode);
++ iaa_device->compression_modes[i] = NULL;
+ }
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 69cd5b83bc4dd520147d896cb86eadfcabede83d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2024 17:30:24 +0800
+Subject: crypto: n2 - Set err to EINVAL if snprintf fails for hmac
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit ce212d2afca47acd366a2e74c76fe82c31f785ab ]
+
+Return EINVAL if the snprintf check fails when constructing the
+algorithm names.
+
+Fixes: 8c20982caca4 ("crypto: n2 - Silence gcc format-truncation false positive warnings")
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/r/202409090726.TP0WfY7p-lkp@intel.com/
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/n2_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/crypto/n2_core.c b/drivers/crypto/n2_core.c
+index 251e088a53dff..b11545cc5cb79 100644
+--- a/drivers/crypto/n2_core.c
++++ b/drivers/crypto/n2_core.c
+@@ -1353,6 +1353,7 @@ static int __n2_register_one_hmac(struct n2_ahash_alg *n2ahash)
+ ahash->setkey = n2_hmac_async_setkey;
+
+ base = &ahash->halg.base;
++ err = -EINVAL;
+ if (snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME, "hmac(%s)",
+ p->child_alg) >= CRYPTO_MAX_ALG_NAME)
+ goto out_free_p;
+--
+2.43.0
+
--- /dev/null
+From 48ee4920cbab52d70219981e2cff2e78ed49a5e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Sep 2024 07:36:37 -0400
+Subject: crypto: powerpc/p10-aes-gcm - Disable CRYPTO_AES_GCM_P10
+
+From: Danny Tsen <dtsen@linux.ibm.com>
+
+[ Upstream commit 44ac4625ea002deecd0c227336c95b724206c698 ]
+
+Data mismatch found when testing ipsec tunnel with AES/GCM crypto.
+Disabling CRYPTO_AES_GCM_P10 in Kconfig for this feature.
+
+Fixes: fd0e9b3e2ee6 ("crypto: p10-aes-gcm - An accelerated AES/GCM stitched implementation")
+Fixes: cdcecfd9991f ("crypto: p10-aes-gcm - Glue code for AES/GCM stitched implementation")
+Fixes: 45a4672b9a6e2 ("crypto: p10-aes-gcm - Update Kconfig and Makefile")
+Signed-off-by: Danny Tsen <dtsen@linux.ibm.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/crypto/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/crypto/Kconfig b/arch/powerpc/crypto/Kconfig
+index 09ebcbdfb34f6..46a4c85e85e24 100644
+--- a/arch/powerpc/crypto/Kconfig
++++ b/arch/powerpc/crypto/Kconfig
+@@ -107,6 +107,7 @@ config CRYPTO_AES_PPC_SPE
+
+ config CRYPTO_AES_GCM_P10
+ tristate "Stitched AES/GCM acceleration support on P10 or later CPU (PPC)"
++ depends on BROKEN
+ depends on PPC64 && CPU_LITTLE_ENDIAN && VSX
+ select CRYPTO_LIB_AES
+ select CRYPTO_ALGAPI
+--
+2.43.0
+
--- /dev/null
+From 3d720bf7d4a83c87e2c8c99e377df760bc21749b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jul 2024 07:44:57 -0400
+Subject: crypto: qat - disable IOV in adf_dev_stop()
+
+From: Michal Witwicki <michal.witwicki@intel.com>
+
+[ Upstream commit b6c7d36292d50627dbe6a57fa344f87c776971e6 ]
+
+Disabling IOV has the side effect of re-enabling the AEs that might
+attempt to do DMAs into the heartbeat buffers.
+Move the disable_iov() function in adf_dev_stop() before the AEs are
+stopped.
+
+Fixes: ed8ccaef52fa ("crypto: qat - Add support for SRIOV")
+Signed-off-by: Michal Witwicki <michal.witwicki@intel.com>
+Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/intel/qat/qat_common/adf_init.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/intel/qat/qat_common/adf_init.c b/drivers/crypto/intel/qat/qat_common/adf_init.c
+index 74f0818c07034..55f1ff1e0b322 100644
+--- a/drivers/crypto/intel/qat/qat_common/adf_init.c
++++ b/drivers/crypto/intel/qat/qat_common/adf_init.c
+@@ -323,6 +323,8 @@ static void adf_dev_stop(struct adf_accel_dev *accel_dev)
+ if (hw_data->stop_timer)
+ hw_data->stop_timer(accel_dev);
+
++ hw_data->disable_iov(accel_dev);
++
+ if (wait)
+ msleep(100);
+
+@@ -386,8 +388,6 @@ static void adf_dev_shutdown(struct adf_accel_dev *accel_dev)
+
+ adf_tl_shutdown(accel_dev);
+
+- hw_data->disable_iov(accel_dev);
+-
+ if (test_bit(ADF_STATUS_IRQ_ALLOCATED, &accel_dev->status)) {
+ hw_data->free_irq(accel_dev);
+ clear_bit(ADF_STATUS_IRQ_ALLOCATED, &accel_dev->status);
+--
+2.43.0
+
--- /dev/null
+From 4970f9bf44e7be9c99b04aad851bc5a1065c3302 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jul 2024 07:44:59 -0400
+Subject: crypto: qat - ensure correct order in VF restarting handler
+
+From: Michal Witwicki <michal.witwicki@intel.com>
+
+[ Upstream commit cd8d2d74292c199b433ef77762bb1d28a4821784 ]
+
+In the process of sending the ADF_PF2VF_MSGTYPE_RESTARTING message to
+Virtual Functions (VFs), the Physical Function (PF) should set the
+`vf->restarting` flag to true before dispatching the message.
+This change is necessary to prevent a race condition where the handling
+of the ADF_VF2PF_MSGTYPE_RESTARTING_COMPLETE message (which sets the
+`vf->restarting` flag to false) runs immediately after the message is sent,
+but before the flag is set to true.
+
+Set the `vf->restarting` to true before sending the message
+ADF_PF2VF_MSGTYPE_RESTARTING, if supported by the version of the
+protocol and if the VF is started.
+
+Fixes: ec26f8e6c784 ("crypto: qat - update PFVF protocol for recovery")
+Signed-off-by: Michal Witwicki <michal.witwicki@intel.com>
+Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/intel/qat/qat_common/adf_pfvf_pf_msg.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/intel/qat/qat_common/adf_pfvf_pf_msg.c b/drivers/crypto/intel/qat/qat_common/adf_pfvf_pf_msg.c
+index 0e31f4b41844e..0cee3b23dee90 100644
+--- a/drivers/crypto/intel/qat/qat_common/adf_pfvf_pf_msg.c
++++ b/drivers/crypto/intel/qat/qat_common/adf_pfvf_pf_msg.c
+@@ -18,14 +18,17 @@ void adf_pf2vf_notify_restarting(struct adf_accel_dev *accel_dev)
+
+ dev_dbg(&GET_DEV(accel_dev), "pf2vf notify restarting\n");
+ for (i = 0, vf = accel_dev->pf.vf_info; i < num_vfs; i++, vf++) {
+- vf->restarting = false;
++ if (vf->init && vf->vf_compat_ver >= ADF_PFVF_COMPAT_FALLBACK)
++ vf->restarting = true;
++ else
++ vf->restarting = false;
++
+ if (!vf->init)
+ continue;
++
+ if (adf_send_pf2vf_msg(accel_dev, i, msg))
+ dev_err(&GET_DEV(accel_dev),
+ "Failed to send restarting msg to VF%d\n", i);
+- else if (vf->vf_compat_ver >= ADF_PFVF_COMPAT_FALLBACK)
+- vf->restarting = true;
+ }
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 815c9f7d5f3bf55fe4f9e2fa97f0e1c68c165e13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Aug 2024 16:47:23 +0100
+Subject: crypto: qat - fix "Full Going True" macro definition
+
+From: Svyatoslav Pankratov <svyatoslav.pankratov@intel.com>
+
+[ Upstream commit 694a6f594817462942acbb1a35b1f7d61e2d49e7 ]
+
+The macro `ADF_RP_INT_SRC_SEL_F_RISE_MASK` is currently set to the value
+`0100b` which means "Empty Going False". This might cause an incorrect
+restore of the bank state during live migration.
+
+Fix the definition of the macro to properly represent the "Full Going
+True" state which is encoded as `0011b`.
+
+Fixes: bbfdde7d195f ("crypto: qat - add bank save and restore flows")
+Signed-off-by: Svyatoslav Pankratov <svyatoslav.pankratov@intel.com>
+Reviewed-by: Xin Zeng <xin.zeng@intel.com>
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/intel/qat/qat_common/adf_gen4_hw_data.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/intel/qat/qat_common/adf_gen4_hw_data.h b/drivers/crypto/intel/qat/qat_common/adf_gen4_hw_data.h
+index 8b10926cedbac..e8c53bd76f1bd 100644
+--- a/drivers/crypto/intel/qat/qat_common/adf_gen4_hw_data.h
++++ b/drivers/crypto/intel/qat/qat_common/adf_gen4_hw_data.h
+@@ -83,7 +83,7 @@
+ #define ADF_WQM_CSR_RPRESETSTS(bank) (ADF_WQM_CSR_RPRESETCTL(bank) + 4)
+
+ /* Ring interrupt */
+-#define ADF_RP_INT_SRC_SEL_F_RISE_MASK BIT(2)
++#define ADF_RP_INT_SRC_SEL_F_RISE_MASK GENMASK(1, 0)
+ #define ADF_RP_INT_SRC_SEL_F_FALL_MASK GENMASK(2, 0)
+ #define ADF_RP_INT_SRC_SEL_RANGE_WIDTH 4
+ #define ADF_COALESCED_POLL_TIMEOUT_US (1 * USEC_PER_SEC)
+--
+2.43.0
+
--- /dev/null
+From d237ad29e43a75e150f86336e1e61233fa872b6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jul 2024 07:44:58 -0400
+Subject: crypto: qat - fix recovery flow for VFs
+
+From: Michal Witwicki <michal.witwicki@intel.com>
+
+[ Upstream commit 6f1b5236348fced7e7691a933327694b4106bc39 ]
+
+When the PFVF protocol was updated to support version 5, i.e.
+ADF_PFVF_COMPAT_FALLBACK, the compatibility version for the VF was
+updated without supporting the message RESTARTING_COMPLETE required for
+such version.
+
+Add support for the ADF_VF2PF_MSGTYPE_RESTARTING_COMPLETE message in the
+VF drivers. This message is sent by the VF driver to the PF to notify
+the completion of the shutdown flow.
+
+Fixes: ec26f8e6c784 ("crypto: qat - update PFVF protocol for recovery")
+Signed-off-by: Michal Witwicki <michal.witwicki@intel.com>
+Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../crypto/intel/qat/qat_common/adf_pfvf_vf_msg.c | 14 ++++++++++++++
+ .../crypto/intel/qat/qat_common/adf_pfvf_vf_msg.h | 1 +
+ drivers/crypto/intel/qat/qat_common/adf_vf_isr.c | 2 ++
+ 3 files changed, 17 insertions(+)
+
+diff --git a/drivers/crypto/intel/qat/qat_common/adf_pfvf_vf_msg.c b/drivers/crypto/intel/qat/qat_common/adf_pfvf_vf_msg.c
+index 1141258db4b65..10c91e56d6be3 100644
+--- a/drivers/crypto/intel/qat/qat_common/adf_pfvf_vf_msg.c
++++ b/drivers/crypto/intel/qat/qat_common/adf_pfvf_vf_msg.c
+@@ -48,6 +48,20 @@ void adf_vf2pf_notify_shutdown(struct adf_accel_dev *accel_dev)
+ }
+ EXPORT_SYMBOL_GPL(adf_vf2pf_notify_shutdown);
+
++void adf_vf2pf_notify_restart_complete(struct adf_accel_dev *accel_dev)
++{
++ struct pfvf_message msg = { .type = ADF_VF2PF_MSGTYPE_RESTARTING_COMPLETE };
++
++ /* Check compatibility version */
++ if (accel_dev->vf.pf_compat_ver < ADF_PFVF_COMPAT_FALLBACK)
++ return;
++
++ if (adf_send_vf2pf_msg(accel_dev, msg))
++ dev_err(&GET_DEV(accel_dev),
++ "Failed to send Restarting complete event to PF\n");
++}
++EXPORT_SYMBOL_GPL(adf_vf2pf_notify_restart_complete);
++
+ int adf_vf2pf_request_version(struct adf_accel_dev *accel_dev)
+ {
+ u8 pf_version;
+diff --git a/drivers/crypto/intel/qat/qat_common/adf_pfvf_vf_msg.h b/drivers/crypto/intel/qat/qat_common/adf_pfvf_vf_msg.h
+index 71bc0e3f1d933..d79340ab3134f 100644
+--- a/drivers/crypto/intel/qat/qat_common/adf_pfvf_vf_msg.h
++++ b/drivers/crypto/intel/qat/qat_common/adf_pfvf_vf_msg.h
+@@ -6,6 +6,7 @@
+ #if defined(CONFIG_PCI_IOV)
+ int adf_vf2pf_notify_init(struct adf_accel_dev *accel_dev);
+ void adf_vf2pf_notify_shutdown(struct adf_accel_dev *accel_dev);
++void adf_vf2pf_notify_restart_complete(struct adf_accel_dev *accel_dev);
+ int adf_vf2pf_request_version(struct adf_accel_dev *accel_dev);
+ int adf_vf2pf_get_capabilities(struct adf_accel_dev *accel_dev);
+ int adf_vf2pf_get_ring_to_svc(struct adf_accel_dev *accel_dev);
+diff --git a/drivers/crypto/intel/qat/qat_common/adf_vf_isr.c b/drivers/crypto/intel/qat/qat_common/adf_vf_isr.c
+index cdbb2d687b1b0..4ab9ac3315195 100644
+--- a/drivers/crypto/intel/qat/qat_common/adf_vf_isr.c
++++ b/drivers/crypto/intel/qat/qat_common/adf_vf_isr.c
+@@ -13,6 +13,7 @@
+ #include "adf_cfg.h"
+ #include "adf_cfg_strings.h"
+ #include "adf_cfg_common.h"
++#include "adf_pfvf_vf_msg.h"
+ #include "adf_transport_access_macros.h"
+ #include "adf_transport_internal.h"
+
+@@ -75,6 +76,7 @@ static void adf_dev_stop_async(struct work_struct *work)
+
+ /* Re-enable PF2VF interrupts */
+ adf_enable_pf2vf_interrupts(accel_dev);
++ adf_vf2pf_notify_restart_complete(accel_dev);
+ kfree(stop_data);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 3a389886d22e16f4074ddb2d073648722f2d9446 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Aug 2024 11:27:13 -0700
+Subject: crypto: x86/aes-gcm - fix PREEMPT_RT issue in gcm_crypt()
+
+From: Eric Biggers <ebiggers@google.com>
+
+[ Upstream commit 001412493e74d89166d2441b622eeaea00511bdc ]
+
+On PREEMPT_RT, kfree() takes sleeping locks and must not be called with
+preemption disabled. Therefore, on PREEMPT_RT skcipher_walk_done() must
+not be called from within a kernel_fpu_{begin,end}() pair, even when
+it's the last call which is guaranteed to not allocate memory.
+
+Therefore, move the last skcipher_walk_done() in gcm_crypt() to the end
+of the function so that it goes after the kernel_fpu_end(). To make
+this work cleanly, rework the data processing loop to handle only
+non-last data segments.
+
+Fixes: b06affb1cb58 ("crypto: x86/aes-gcm - add VAES and AVX512 / AVX10 optimized AES-GCM")
+Reported-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Closes: https://lore.kernel.org/linux-crypto/20240802102333.itejxOsJ@linutronix.de
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Tested-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/crypto/aesni-intel_glue.c | 59 ++++++++++++++----------------
+ 1 file changed, 28 insertions(+), 31 deletions(-)
+
+diff --git a/arch/x86/crypto/aesni-intel_glue.c b/arch/x86/crypto/aesni-intel_glue.c
+index cd37de5ec4046..d63ba9eaba3e4 100644
+--- a/arch/x86/crypto/aesni-intel_glue.c
++++ b/arch/x86/crypto/aesni-intel_glue.c
+@@ -1366,6 +1366,8 @@ gcm_crypt(struct aead_request *req, int flags)
+ err = skcipher_walk_aead_encrypt(&walk, req, false);
+ else
+ err = skcipher_walk_aead_decrypt(&walk, req, false);
++ if (err)
++ return err;
+
+ /*
+ * Since the AES-GCM assembly code requires that at least three assembly
+@@ -1381,37 +1383,31 @@ gcm_crypt(struct aead_request *req, int flags)
+ gcm_process_assoc(key, ghash_acc, req->src, assoclen, flags);
+
+ /* En/decrypt the data and pass the ciphertext through GHASH. */
+- while ((nbytes = walk.nbytes) != 0) {
+- if (unlikely(nbytes < walk.total)) {
+- /*
+- * Non-last segment. In this case, the assembly
+- * function requires that the length be a multiple of 16
+- * (AES_BLOCK_SIZE) bytes. The needed buffering of up
+- * to 16 bytes is handled by the skcipher_walk. Here we
+- * just need to round down to a multiple of 16.
+- */
+- nbytes = round_down(nbytes, AES_BLOCK_SIZE);
+- aes_gcm_update(key, le_ctr, ghash_acc,
+- walk.src.virt.addr, walk.dst.virt.addr,
+- nbytes, flags);
+- le_ctr[0] += nbytes / AES_BLOCK_SIZE;
+- kernel_fpu_end();
+- err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
+- kernel_fpu_begin();
+- } else {
+- /* Last segment: process all remaining data. */
+- aes_gcm_update(key, le_ctr, ghash_acc,
+- walk.src.virt.addr, walk.dst.virt.addr,
+- nbytes, flags);
+- err = skcipher_walk_done(&walk, 0);
+- /*
+- * The low word of the counter isn't used by the
+- * finalize, so there's no need to increment it here.
+- */
+- }
++ while (unlikely((nbytes = walk.nbytes) < walk.total)) {
++ /*
++ * Non-last segment. In this case, the assembly function
++ * requires that the length be a multiple of 16 (AES_BLOCK_SIZE)
++ * bytes. The needed buffering of up to 16 bytes is handled by
++ * the skcipher_walk. Here we just need to round down to a
++ * multiple of 16.
++ */
++ nbytes = round_down(nbytes, AES_BLOCK_SIZE);
++ aes_gcm_update(key, le_ctr, ghash_acc, walk.src.virt.addr,
++ walk.dst.virt.addr, nbytes, flags);
++ le_ctr[0] += nbytes / AES_BLOCK_SIZE;
++ kernel_fpu_end();
++ err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
++ if (err)
++ return err;
++ kernel_fpu_begin();
+ }
+- if (err)
+- goto out;
++ /* Last segment: process all remaining data. */
++ aes_gcm_update(key, le_ctr, ghash_acc, walk.src.virt.addr,
++ walk.dst.virt.addr, nbytes, flags);
++ /*
++ * The low word of the counter isn't used by the finalize, so there's no
++ * need to increment it here.
++ */
+
+ /* Finalize */
+ taglen = crypto_aead_authsize(tfm);
+@@ -1439,8 +1435,9 @@ gcm_crypt(struct aead_request *req, int flags)
+ datalen, tag, taglen, flags))
+ err = -EBADMSG;
+ }
+-out:
+ kernel_fpu_end();
++ if (nbytes)
++ skcipher_walk_done(&walk, 0);
+ return err;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 810e4b4e785e5848b365dd9c62db397f1a7b8ca5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jul 2024 14:24:52 +0200
+Subject: crypto: xor - fix template benchmarking
+
+From: Helge Deller <deller@kernel.org>
+
+[ Upstream commit ab9a244c396aae4aaa34b2399b82fc15ec2df8c1 ]
+
+Commit c055e3eae0f1 ("crypto: xor - use ktime for template benchmarking")
+switched from using jiffies to ktime-based performance benchmarking.
+
+This works nicely on machines which have a fine-grained ktime()
+clocksource as e.g. x86 machines with TSC.
+But other machines, e.g. my 4-way HP PARISC server, don't have such
+fine-grained clocksources, which is why it seems that 800 xor loops
+take zero seconds, which then shows up in the logs as:
+
+ xor: measuring software checksum speed
+ 8regs : -1018167296 MB/sec
+ 8regs_prefetch : -1018167296 MB/sec
+ 32regs : -1018167296 MB/sec
+ 32regs_prefetch : -1018167296 MB/sec
+
+Fix this with some small modifications to the existing code to improve
+the algorithm to always produce correct results without introducing
+major delays for architectures with a fine-grained ktime()
+clocksource:
+a) Delay start of the timing until ktime() just advanced. On machines
+with a fast ktime() this should be just one additional ktime() call.
+b) Count the number of loops. Run at minimum 800 loops and finish
+earliest when the ktime() counter has progressed.
+
+With that the throughput can now be calculated more accurately under all
+conditions.
+
+Fixes: c055e3eae0f1 ("crypto: xor - use ktime for template benchmarking")
+Signed-off-by: Helge Deller <deller@gmx.de>
+Tested-by: John David Anglin <dave.anglin@bell.net>
+
+v2:
+- clean up coding style (noticed & suggested by Herbert Xu)
+- rephrased & fixed typo in commit message
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/xor.c | 31 ++++++++++++++-----------------
+ 1 file changed, 14 insertions(+), 17 deletions(-)
+
+diff --git a/crypto/xor.c b/crypto/xor.c
+index a1363162978c7..f39621a57bb33 100644
+--- a/crypto/xor.c
++++ b/crypto/xor.c
+@@ -83,33 +83,30 @@ static void __init
+ do_xor_speed(struct xor_block_template *tmpl, void *b1, void *b2)
+ {
+ int speed;
+- int i, j;
+- ktime_t min, start, diff;
++ unsigned long reps;
++ ktime_t min, start, t0;
+
+ tmpl->next = template_list;
+ template_list = tmpl;
+
+ preempt_disable();
+
+- min = (ktime_t)S64_MAX;
+- for (i = 0; i < 3; i++) {
+- start = ktime_get();
+- for (j = 0; j < REPS; j++) {
+- mb(); /* prevent loop optimization */
+- tmpl->do_2(BENCH_SIZE, b1, b2);
+- mb();
+- }
+- diff = ktime_sub(ktime_get(), start);
+- if (diff < min)
+- min = diff;
+- }
++ reps = 0;
++ t0 = ktime_get();
++ /* delay start until time has advanced */
++ while ((start = ktime_get()) == t0)
++ cpu_relax();
++ do {
++ mb(); /* prevent loop optimization */
++ tmpl->do_2(BENCH_SIZE, b1, b2);
++ mb();
++ } while (reps++ < REPS || (t0 = ktime_get()) == start);
++ min = ktime_sub(t0, start);
+
+ preempt_enable();
+
+ // bytes/ns == GB/s, multiply by 1000 to get MB/s [not MiB/s]
+- if (!min)
+- min = 1;
+- speed = (1000 * REPS * BENCH_SIZE) / (unsigned int)ktime_to_ns(min);
++ speed = (1000 * reps * BENCH_SIZE) / (unsigned int)ktime_to_ns(min);
+ tmpl->speed = speed;
+
+ pr_info(" %-16s: %5d MB/sec\n", tmpl->name, speed);
+--
+2.43.0
+
--- /dev/null
+From 69cb33ad6f2f2132926377c2cee1272102f842d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Aug 2024 16:42:28 +0800
+Subject: cxl/pci: Fix to record only non-zero ranges
+
+From: Yanfei Xu <yanfei.xu@intel.com>
+
+[ Upstream commit 55e268694e8b07026c88191f9b6949b6887d9ce3 ]
+
+The function cxl_dvsec_rr_decode() retrieves and records DVSEC ranges
+into info->dvsec_range[], regardless of whether it is non-zero range,
+and the variable info->ranges indicates the number of non-zero ranges.
+However, in cxl_hdm_decode_init(), the validation for
+info->dvsec_range[] occurs in a for loop that iterates based on
+info->ranges. It may result in zero range to be validated but non-zero
+range not be validated, in turn, the number of allowed ranges is to be
+0. Address it by only record non-zero ranges.
+
+This fix is not urgent as it requires a configuration that zeroes out
+the first dvsec range while populating the second. This has not been
+observed, but it is theoretically possible. If this gets picked up for
+-stable, no harm done, but there is no urgency to backport.
+
+Fixes: 560f78559006 ("cxl/pci: Retrieve CXL DVSEC memory info")
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Yanfei Xu <yanfei.xu@intel.com>
+Reviewed-by: Alison Schofield <alison.schofield@intel.com>
+Link: https://patch.msgid.link/20240828084231.1378789-2-yanfei.xu@intel.com
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cxl/core/pci.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/drivers/cxl/core/pci.c b/drivers/cxl/core/pci.c
+index 51132a575b276..73b6498d5e5ca 100644
+--- a/drivers/cxl/core/pci.c
++++ b/drivers/cxl/core/pci.c
+@@ -390,10 +390,6 @@ int cxl_dvsec_rr_decode(struct device *dev, int d,
+
+ size |= temp & CXL_DVSEC_MEM_SIZE_LOW_MASK;
+ if (!size) {
+- info->dvsec_range[i] = (struct range) {
+- .start = 0,
+- .end = CXL_RESOURCE_NONE,
+- };
+ continue;
+ }
+
+@@ -411,12 +407,10 @@ int cxl_dvsec_rr_decode(struct device *dev, int d,
+
+ base |= temp & CXL_DVSEC_MEM_BASE_LOW_MASK;
+
+- info->dvsec_range[i] = (struct range) {
++ info->dvsec_range[ranges++] = (struct range) {
+ .start = base,
+ .end = base + size - 1
+ };
+-
+- ranges++;
+ }
+
+ info->ranges = ranges;
+--
+2.43.0
+
--- /dev/null
+From 9b5f725695743d002f2a56484c754fcabbe34d6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 11:50:11 +0200
+Subject: dm integrity: fix gcc 5 warning
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+[ Upstream commit a8fa6483b40943a6c8feea803a2dc8e9982cc766 ]
+
+This commit fixes gcc 5 warning "logical not is only applied to the left
+hand side of comparison"
+
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Fixes: fb0987682c62 ("dm-integrity: introduce the Inline mode")
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-integrity.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c
+index acff2f64f251f..4545d934f73d3 100644
+--- a/drivers/md/dm-integrity.c
++++ b/drivers/md/dm-integrity.c
+@@ -4717,13 +4717,18 @@ static int dm_integrity_ctr(struct dm_target *ti, unsigned int argc, char **argv
+ ti->error = "Block size doesn't match the information in superblock";
+ goto bad;
+ }
+- if (!le32_to_cpu(ic->sb->journal_sections) != (ic->mode == 'I')) {
+- r = -EINVAL;
+- if (ic->mode != 'I')
++ if (ic->mode != 'I') {
++ if (!le32_to_cpu(ic->sb->journal_sections)) {
++ r = -EINVAL;
+ ti->error = "Corrupted superblock, journal_sections is 0";
+- else
++ goto bad;
++ }
++ } else {
++ if (le32_to_cpu(ic->sb->journal_sections)) {
++ r = -EINVAL;
+ ti->error = "Corrupted superblock, journal_sections is not 0";
+- goto bad;
++ goto bad;
++ }
+ }
+ /* make sure that ti->max_io_len doesn't overflow */
+ if (!ic->meta_dev) {
+--
+2.43.0
+
--- /dev/null
+From fd28f5b5d37ac654521cee6a7d08601e6c6a8b63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2024 16:06:58 +0800
+Subject: driver core: Fix a potential null-ptr-deref in module_add_driver()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 18ec12c97b39ff6aa15beb8d2b25d15cd44b87d8 ]
+
+Inject fault while probing of-fpga-region, if kasprintf() fails in
+module_add_driver(), the second sysfs_remove_link() in exit path will cause
+null-ptr-deref as below because kernfs_name_hash() will call strlen() with
+NULL driver_name.
+
+Fix it by releasing resources based on the exit path sequence.
+
+ KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+ Mem abort info:
+ ESR = 0x0000000096000005
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x05: level 1 translation fault
+ Data abort info:
+ ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
+ CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+ GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+ [dfffffc000000000] address between user and kernel address ranges
+ Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
+ Dumping ftrace buffer:
+ (ftrace buffer empty)
+ Modules linked in: of_fpga_region(+) fpga_region fpga_bridge cfg80211 rfkill 8021q garp mrp stp llc ipv6 [last unloaded: of_fpga_region]
+ CPU: 2 UID: 0 PID: 2036 Comm: modprobe Not tainted 6.11.0-rc2-g6a0e38264012 #295
+ Hardware name: linux,dummy-virt (DT)
+ pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : strlen+0x24/0xb0
+ lr : kernfs_name_hash+0x1c/0xc4
+ sp : ffffffc081f97380
+ x29: ffffffc081f97380 x28: ffffffc081f97b90 x27: ffffff80c821c2a0
+ x26: ffffffedac0be418 x25: 0000000000000000 x24: ffffff80c09d2000
+ x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000
+ x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000001840
+ x17: 0000000000000000 x16: 0000000000000000 x15: 1ffffff8103f2e42
+ x14: 00000000f1f1f1f1 x13: 0000000000000004 x12: ffffffb01812d61d
+ x11: 1ffffff01812d61c x10: ffffffb01812d61c x9 : dfffffc000000000
+ x8 : 0000004fe7ed29e4 x7 : ffffff80c096b0e7 x6 : 0000000000000001
+ x5 : ffffff80c096b0e0 x4 : 1ffffffdb990efa2 x3 : 0000000000000000
+ x2 : 0000000000000000 x1 : dfffffc000000000 x0 : 0000000000000000
+ Call trace:
+ strlen+0x24/0xb0
+ kernfs_name_hash+0x1c/0xc4
+ kernfs_find_ns+0x118/0x2e8
+ kernfs_remove_by_name_ns+0x80/0x100
+ sysfs_remove_link+0x74/0xa8
+ module_add_driver+0x278/0x394
+ bus_add_driver+0x1f0/0x43c
+ driver_register+0xf4/0x3c0
+ __platform_driver_register+0x60/0x88
+ of_fpga_region_init+0x20/0x1000 [of_fpga_region]
+ do_one_initcall+0x110/0x788
+ do_init_module+0x1dc/0x5c8
+ load_module+0x3c38/0x4cac
+ init_module_from_file+0xd4/0x128
+ idempotent_init_module+0x2cc/0x528
+ __arm64_sys_finit_module+0xac/0x100
+ invoke_syscall+0x6c/0x258
+ el0_svc_common.constprop.0+0x160/0x22c
+ do_el0_svc+0x44/0x5c
+ el0_svc+0x48/0xb8
+ el0t_64_sync_handler+0x13c/0x158
+ el0t_64_sync+0x190/0x194
+ Code: f2fbffe1 a90157f4 12000802 aa0003f5 (38e16861)
+ ---[ end trace 0000000000000000 ]---
+ Kernel panic - not syncing: Oops: Fatal exception
+
+Fixes: 85d2b0aa1703 ("module: don't ignore sysfs_create_link() failures")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Link: https://lore.kernel.org/r/20240812080658.2791982-1-ruanjinjie@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/module.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/base/module.c b/drivers/base/module.c
+index f742ad2a21da0..c4eaa1158d54e 100644
+--- a/drivers/base/module.c
++++ b/drivers/base/module.c
+@@ -66,27 +66,31 @@ int module_add_driver(struct module *mod, const struct device_driver *drv)
+ driver_name = make_driver_name(drv);
+ if (!driver_name) {
+ ret = -ENOMEM;
+- goto out;
++ goto out_remove_kobj;
+ }
+
+ module_create_drivers_dir(mk);
+ if (!mk->drivers_dir) {
+ ret = -EINVAL;
+- goto out;
++ goto out_free_driver_name;
+ }
+
+ ret = sysfs_create_link(mk->drivers_dir, &drv->p->kobj, driver_name);
+ if (ret)
+- goto out;
++ goto out_remove_drivers_dir;
+
+ kfree(driver_name);
+
+ return 0;
+-out:
+- sysfs_remove_link(&drv->p->kobj, "module");
++
++out_remove_drivers_dir:
+ sysfs_remove_link(mk->drivers_dir, driver_name);
++
++out_free_driver_name:
+ kfree(driver_name);
+
++out_remove_kobj:
++ sysfs_remove_link(&drv->p->kobj, "module");
+ return ret;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 00714f66265910b521714b9586019288c3363080 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:48:10 +0800
+Subject: driver core: Fix error handling in driver API device_rename()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+[ Upstream commit 6d8249ac29bc23260dfa9747eb398ce76012d73c ]
+
+For class-device, device_rename() failure maybe cause unexpected link name
+within its class folder as explained below:
+
+/sys/class/.../old_name -> /sys/devices/.../old_name
+device_rename(..., new_name) and failed
+/sys/class/.../new_name -> /sys/devices/.../old_name
+
+Fixed by undoing renaming link if renaming kobject failed.
+
+Fixes: f349cf34731c ("driver core: Implement ns directory support for device classes.")
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20240722-device_rename_fix-v2-1-77de1a6c6495@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/core.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/base/core.c b/drivers/base/core.c
+index 8c0733d3aad8e..3b0f4b6153fc5 100644
+--- a/drivers/base/core.c
++++ b/drivers/base/core.c
+@@ -4515,9 +4515,11 @@ EXPORT_SYMBOL_GPL(device_destroy);
+ */
+ int device_rename(struct device *dev, const char *new_name)
+ {
++ struct subsys_private *sp = NULL;
+ struct kobject *kobj = &dev->kobj;
+ char *old_device_name = NULL;
+ int error;
++ bool is_link_renamed = false;
+
+ dev = get_device(dev);
+ if (!dev)
+@@ -4532,7 +4534,7 @@ int device_rename(struct device *dev, const char *new_name)
+ }
+
+ if (dev->class) {
+- struct subsys_private *sp = class_to_subsys(dev->class);
++ sp = class_to_subsys(dev->class);
+
+ if (!sp) {
+ error = -EINVAL;
+@@ -4541,16 +4543,19 @@ int device_rename(struct device *dev, const char *new_name)
+
+ error = sysfs_rename_link_ns(&sp->subsys.kobj, kobj, old_device_name,
+ new_name, kobject_namespace(kobj));
+- subsys_put(sp);
+ if (error)
+ goto out;
++
++ is_link_renamed = true;
+ }
+
+ error = kobject_rename(kobj, new_name);
+- if (error)
+- goto out;
+-
+ out:
++ if (error && is_link_renamed)
++ sysfs_rename_link_ns(&sp->subsys.kobj, kobj, new_name,
++ old_device_name, kobject_namespace(kobj));
++ subsys_put(sp);
++
+ put_device(dev);
+
+ kfree(old_device_name);
+--
+2.43.0
+
--- /dev/null
+From 423befe0877eb7515ffe24e67d773a08c2216347 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2024 17:09:27 +0800
+Subject: drivers:drm:exynos_drm_gsc:Fix wrong assignment in gsc_bind()
+
+From: Yuesong Li <liyuesong@vivo.com>
+
+[ Upstream commit 94ebc3d3235c5c516f67315059ce657e5090e94b ]
+
+cocci reported a double assignment problem. Upon reviewing previous
+commits, it appears this may actually be an incorrect assignment.
+
+Fixes: 8b9550344d39 ("drm/ipp: clean up debug messages")
+Signed-off-by: Yuesong Li <liyuesong@vivo.com>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/exynos/exynos_drm_gsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/exynos/exynos_drm_gsc.c b/drivers/gpu/drm/exynos/exynos_drm_gsc.c
+index 1b111e2c33472..752339d33f39a 100644
+--- a/drivers/gpu/drm/exynos/exynos_drm_gsc.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_gsc.c
+@@ -1174,7 +1174,7 @@ static int gsc_bind(struct device *dev, struct device *master, void *data)
+ struct exynos_drm_ipp *ipp = &ctx->ipp;
+
+ ctx->drm_dev = drm_dev;
+- ctx->drm_dev = drm_dev;
++ ipp->drm_dev = drm_dev;
+ exynos_drm_register_dma(drm_dev, dev, &ctx->dma_priv);
+
+ exynos_drm_ipp_register(dev, ipp, &ipp_funcs,
+--
+2.43.0
+
--- /dev/null
+From 7110d228c109466cb9093386abc4eb9c9697ed5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jul 2024 01:50:23 +0800
+Subject: drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write
+ error
+
+From: Junlin Li <make24@iscas.ac.cn>
+
+[ Upstream commit 46d7ebfe6a75a454a5fa28604f0ef1491f9d8d14 ]
+
+Ensure index in rtl2830_pid_filter does not exceed 31 to prevent
+out-of-bounds access.
+
+dev->filters is a 32-bit value, so set_bit and clear_bit functions should
+only operate on indices from 0 to 31. If index is 32, it will attempt to
+access a non-existent 33rd bit, leading to out-of-bounds access.
+Change the boundary check from index > 32 to index >= 32 to resolve this
+issue.
+
+Fixes: df70ddad81b4 ("[media] rtl2830: implement PID filter")
+Signed-off-by: Junlin Li <make24@iscas.ac.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/rtl2830.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/dvb-frontends/rtl2830.c b/drivers/media/dvb-frontends/rtl2830.c
+index 30d10fe4b33e3..320aa2bf99d42 100644
+--- a/drivers/media/dvb-frontends/rtl2830.c
++++ b/drivers/media/dvb-frontends/rtl2830.c
+@@ -609,7 +609,7 @@ static int rtl2830_pid_filter(struct dvb_frontend *fe, u8 index, u16 pid, int on
+ index, pid, onoff);
+
+ /* skip invalid PIDs (0x2000) */
+- if (pid > 0x1fff || index > 32)
++ if (pid > 0x1fff || index >= 32)
+ return 0;
+
+ if (onoff)
+--
+2.43.0
+
--- /dev/null
+From e193f1b804f1dd71f6c1b6a05e16c982a00e0f67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 21:24:13 +0800
+Subject: drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write
+ error
+
+From: Junlin Li <make24@iscas.ac.cn>
+
+[ Upstream commit 8ae06f360cfaca2b88b98ca89144548b3186aab1 ]
+
+Ensure index in rtl2832_pid_filter does not exceed 31 to prevent
+out-of-bounds access.
+
+dev->filters is a 32-bit value, so set_bit and clear_bit functions should
+only operate on indices from 0 to 31. If index is 32, it will attempt to
+access a non-existent 33rd bit, leading to out-of-bounds access.
+Change the boundary check from index > 32 to index >= 32 to resolve this
+issue.
+
+Signed-off-by: Junlin Li <make24@iscas.ac.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Fixes: 4b01e01a81b6 ("[media] rtl2832: implement PID filter")
+[hverkuil: added fixes tag, rtl2830_pid_filter -> rtl2832_pid_filter in logmsg]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/rtl2832.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/dvb-frontends/rtl2832.c b/drivers/media/dvb-frontends/rtl2832.c
+index 5142820b1b3d9..76c3f40443b2c 100644
+--- a/drivers/media/dvb-frontends/rtl2832.c
++++ b/drivers/media/dvb-frontends/rtl2832.c
+@@ -983,7 +983,7 @@ static int rtl2832_pid_filter(struct dvb_frontend *fe, u8 index, u16 pid,
+ index, pid, onoff, dev->slave_ts);
+
+ /* skip invalid PIDs (0x2000) */
+- if (pid > 0x1fff || index > 32)
++ if (pid > 0x1fff || index >= 32)
+ return 0;
+
+ if (onoff)
+--
+2.43.0
+
--- /dev/null
+From d9fa2537d7a2c4498b682735a37fa73d523a39a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2024 11:33:31 +0800
+Subject: drivers/perf: Fix ali_drw_pmu driver interrupt status clearing
+
+From: Jing Zhang <renyu.zj@linux.alibaba.com>
+
+[ Upstream commit a3dd920977dccc453c550260c4b7605b280b79c3 ]
+
+The alibaba_uncore_pmu driver forgot to clear all interrupt status
+in the interrupt processing function. After the PMU counter overflow
+interrupt occurred, an interrupt storm occurred, causing the system
+to hang.
+
+Therefore, clear the correct interrupt status in the interrupt handling
+function to fix it.
+
+Fixes: cf7b61073e45 ("drivers/perf: add DDR Sub-System Driveway PMU driver for Yitian 710 SoC")
+Signed-off-by: Jing Zhang <renyu.zj@linux.alibaba.com>
+Reviewed-by: Shuai Xue <xueshuai@linux.alibaba.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Link: https://lore.kernel.org/r/1724297611-20686-1-git-send-email-renyu.zj@linux.alibaba.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/alibaba_uncore_drw_pmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/perf/alibaba_uncore_drw_pmu.c b/drivers/perf/alibaba_uncore_drw_pmu.c
+index 38a2947ae8130..c6ff1bc7d336b 100644
+--- a/drivers/perf/alibaba_uncore_drw_pmu.c
++++ b/drivers/perf/alibaba_uncore_drw_pmu.c
+@@ -400,7 +400,7 @@ static irqreturn_t ali_drw_pmu_isr(int irq_num, void *data)
+ }
+
+ /* clear common counter intr status */
+- clr_status = FIELD_PREP(ALI_DRW_PMCOM_CNT_OV_INTR_MASK, 1);
++ clr_status = FIELD_PREP(ALI_DRW_PMCOM_CNT_OV_INTR_MASK, status);
+ writel(clr_status,
+ drw_pmu->cfg_base + ALI_DRW_PMU_OV_INTR_CLR);
+ }
+--
+2.43.0
+
--- /dev/null
+From 969db6f0466df4235ba734e2149de6da9da42935 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 17:03:31 +0800
+Subject: drivers/perf: hisi_pcie: Fix TLP headers bandwidth counting
+
+From: Yicong Yang <yangyicong@hisilicon.com>
+
+[ Upstream commit 17bf68aeb3642221e3e770399b5a52f370747ac1 ]
+
+We make the initial value of event ctrl register as HISI_PCIE_INIT_SET
+and modify according to the user options. This will make TLP headers
+bandwidth only counting never take effect since HISI_PCIE_INIT_SET
+configures to count the TLP payloads bandwidth. Fix this by making
+the initial value of event ctrl register as 0.
+
+Fixes: 17d573984d4d ("drivers/perf: hisi: Add TLP filter support")
+Signed-off-by: Yicong Yang <yangyicong@hisilicon.com>
+Acked-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Link: https://lore.kernel.org/r/20240829090332.28756-3-yangyicong@huawei.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/hisilicon/hisi_pcie_pmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/perf/hisilicon/hisi_pcie_pmu.c b/drivers/perf/hisilicon/hisi_pcie_pmu.c
+index fba569a8640cf..f7d6c59d99301 100644
+--- a/drivers/perf/hisilicon/hisi_pcie_pmu.c
++++ b/drivers/perf/hisilicon/hisi_pcie_pmu.c
+@@ -208,7 +208,7 @@ static void hisi_pcie_pmu_writeq(struct hisi_pcie_pmu *pcie_pmu, u32 reg_offset,
+ static u64 hisi_pcie_pmu_get_event_ctrl_val(struct perf_event *event)
+ {
+ u64 port, trig_len, thr_len, len_mode;
+- u64 reg = HISI_PCIE_INIT_SET;
++ u64 reg = 0;
+
+ /* Config HISI_PCIE_EVENT_CTRL according to event. */
+ reg |= FIELD_PREP(HISI_PCIE_EVENT_M, hisi_pcie_get_real_event(event));
+--
+2.43.0
+
--- /dev/null
+From 80c315beb759e3915ed22437a33f6bbe31141638 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 17:03:30 +0800
+Subject: drivers/perf: hisi_pcie: Record hardware counts correctly
+
+From: Yicong Yang <yangyicong@hisilicon.com>
+
+[ Upstream commit daecd3373a16a039ad241086e30a1ec46fc9d61f ]
+
+Currently we set the period and record it as the initial value of the
+counter without checking it's set to the hardware successfully or not.
+However the counter maybe unwritable if the target event is unsupported
+by the device. In such case we will pass user a wrong count:
+
+[start counts when setting the period]
+hwc->prev_count = 0x8000000000000000
+device.counter_value = 0 // the counter is not set as the period
+[when user reads the counter]
+event->count = device.counter_value - hwc->prev_count
+ = 0x8000000000000000 // wrong. should be 0.
+
+Fix this by record the hardware counter counts correctly when setting
+the period.
+
+Fixes: 8404b0fbc7fb ("drivers/perf: hisi: Add driver for HiSilicon PCIe PMU")
+Signed-off-by: Yicong Yang <yangyicong@hisilicon.com>
+Acked-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Link: https://lore.kernel.org/r/20240829090332.28756-2-yangyicong@huawei.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/hisilicon/hisi_pcie_pmu.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/perf/hisilicon/hisi_pcie_pmu.c b/drivers/perf/hisilicon/hisi_pcie_pmu.c
+index f06027574a241..fba569a8640cf 100644
+--- a/drivers/perf/hisilicon/hisi_pcie_pmu.c
++++ b/drivers/perf/hisilicon/hisi_pcie_pmu.c
+@@ -452,10 +452,24 @@ static void hisi_pcie_pmu_set_period(struct perf_event *event)
+ struct hisi_pcie_pmu *pcie_pmu = to_pcie_pmu(event->pmu);
+ struct hw_perf_event *hwc = &event->hw;
+ int idx = hwc->idx;
++ u64 orig_cnt, cnt;
++
++ orig_cnt = hisi_pcie_pmu_read_counter(event);
+
+ local64_set(&hwc->prev_count, HISI_PCIE_INIT_VAL);
+ hisi_pcie_pmu_writeq(pcie_pmu, HISI_PCIE_CNT, idx, HISI_PCIE_INIT_VAL);
+ hisi_pcie_pmu_writeq(pcie_pmu, HISI_PCIE_EXT_CNT, idx, HISI_PCIE_INIT_VAL);
++
++ /*
++ * The counter maybe unwritable if the target event is unsupported.
++ * Check this by comparing the counts after setting the period. If
++ * the counts stay unchanged after setting the period then update
++ * the hwc->prev_count correctly. Otherwise the final counts user
++ * get maybe totally wrong.
++ */
++ cnt = hisi_pcie_pmu_read_counter(event);
++ if (orig_cnt == cnt)
++ local64_set(&hwc->prev_count, cnt);
+ }
+
+ static void hisi_pcie_pmu_enable_counter(struct hisi_pcie_pmu *pcie_pmu, struct hw_perf_event *hwc)
+--
+2.43.0
+
--- /dev/null
+From b5bdfdf8fb2ba4c12c4aa5593416bc85253c4395 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jul 2024 12:10:40 +0800
+Subject: drm/amd/amdgpu: Properly tune the size of struct
+
+From: WangYuli <wangyuli@uniontech.com>
+
+[ Upstream commit 0cee47cde41e22712c034ae961076067d4ac13a0 ]
+
+The struct assertion is failed because sparse cannot parse
+`#pragma pack(push, 1)` and `#pragma pack(pop)` correctly.
+GCC's output is still 1-byte-aligned. No harm to memory layout.
+
+The error can be filtered out by sparse-diff, but sometimes
+multiple lines queezed into one, making the sparse-diff thinks
+its a new error. I'm trying to aviod this by fixing errors.
+
+Link: https://lore.kernel.org/all/20230620045919.492128-1-suhui@nfschina.com/
+Link: https://lore.kernel.org/all/93d10611-9fbb-4242-87b8-5860b2606042@suswa.mountain/
+Fixes: 1721bc1b2afa ("drm/amdgpu: Update VF2PF interface")
+Cc: Dan Carpenter <dan.carpenter@linaro.org>
+Cc: wenlunpeng <wenlunpeng@uniontech.com>
+Reported-by: Su Hui <suhui@nfschina.com>
+Signed-off-by: WangYuli <wangyuli@uniontech.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgv_sriovmsg.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgv_sriovmsg.h b/drivers/gpu/drm/amd/amdgpu/amdgv_sriovmsg.h
+index fb2b394bb9c55..6e9eeaeb3de1d 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgv_sriovmsg.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgv_sriovmsg.h
+@@ -213,7 +213,7 @@ struct amd_sriov_msg_pf2vf_info {
+ uint32_t gpu_capacity;
+ /* reserved */
+ uint32_t reserved[256 - AMD_SRIOV_MSG_PF2VF_INFO_FILLED_SIZE];
+-};
++} __packed;
+
+ struct amd_sriov_msg_vf2pf_info_header {
+ /* the total structure size in byte */
+@@ -273,7 +273,7 @@ struct amd_sriov_msg_vf2pf_info {
+ uint32_t mes_info_size;
+ /* reserved */
+ uint32_t reserved[256 - AMD_SRIOV_MSG_VF2PF_INFO_FILLED_SIZE];
+-};
++} __packed;
+
+ /* mailbox message send from guest to host */
+ enum amd_sriov_mailbox_request_message {
+--
+2.43.0
+
--- /dev/null
+From b13747b4049e571789cd6c0ebd49cef037b741e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 17:18:17 +0530
+Subject: drm/amd/display: Add null check for set_output_gamma in
+ dcn30_set_output_transfer_func
+
+From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+
+[ Upstream commit 08ae395ea22fb3d9b318c8bde28c0dfd2f5fa4d2 ]
+
+This commit adds a null check for the set_output_gamma function pointer
+in the dcn30_set_output_transfer_func function. Previously,
+set_output_gamma was being checked for nullity at line 386, but then it
+was being dereferenced without any nullity check at line 401. This
+could potentially lead to a null pointer dereference error if
+set_output_gamma is indeed null.
+
+To fix this, we now ensure that set_output_gamma is not null before
+dereferencing it. We do this by adding a nullity check for
+set_output_gamma before the call to set_output_gamma at line 401. If
+set_output_gamma is null, we log an error message and do not call the
+function.
+
+This fix prevents a potential null pointer dereference error.
+
+drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func()
+error: we previously assumed 'mpc->funcs->set_output_gamma' could be null (see line 386)
+
+drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c
+ 373 bool dcn30_set_output_transfer_func(struct dc *dc,
+ 374 struct pipe_ctx *pipe_ctx,
+ 375 const struct dc_stream_state *stream)
+ 376 {
+ 377 int mpcc_id = pipe_ctx->plane_res.hubp->inst;
+ 378 struct mpc *mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc;
+ 379 const struct pwl_params *params = NULL;
+ 380 bool ret = false;
+ 381
+ 382 /* program OGAM or 3DLUT only for the top pipe*/
+ 383 if (pipe_ctx->top_pipe == NULL) {
+ 384 /*program rmu shaper and 3dlut in MPC*/
+ 385 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream);
+ 386 if (ret == false && mpc->funcs->set_output_gamma) {
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL
+
+ 387 if (stream->out_transfer_func.type == TF_TYPE_HWPWL)
+ 388 params = &stream->out_transfer_func.pwl;
+ 389 else if (pipe_ctx->stream->out_transfer_func.type ==
+ 390 TF_TYPE_DISTRIBUTED_POINTS &&
+ 391 cm3_helper_translate_curve_to_hw_format(
+ 392 &stream->out_transfer_func,
+ 393 &mpc->blender_params, false))
+ 394 params = &mpc->blender_params;
+ 395 /* there are no ROM LUTs in OUTGAM */
+ 396 if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED)
+ 397 BREAK_TO_DEBUGGER();
+ 398 }
+ 399 }
+ 400
+--> 401 mpc->funcs->set_output_gamma(mpc, mpcc_id, params);
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash
+
+ 402 return ret;
+ 403 }
+
+Fixes: d99f13878d6f ("drm/amd/display: Add DCN3 HWSEQ")
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Cc: Tom Chung <chiahsuan.chung@amd.com>
+Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Cc: Roman Li <roman.li@amd.com>
+Cc: Hersen Wu <hersenxs.wu@amd.com>
+Cc: Alex Hung <alex.hung@amd.com>
+Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Cc: Harry Wentland <harry.wentland@amd.com>
+Cc: Hamza Mahfooz <hamza.mahfooz@amd.com>
+Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+Reviewed-by: Tom Chung <chiahsuan.chung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c
+index eaeeade31ed74..2b4dae2d4b0c1 100644
+--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c
+@@ -398,7 +398,11 @@ bool dcn30_set_output_transfer_func(struct dc *dc,
+ }
+ }
+
+- mpc->funcs->set_output_gamma(mpc, mpcc_id, params);
++ if (mpc->funcs->set_output_gamma)
++ mpc->funcs->set_output_gamma(mpc, mpcc_id, params);
++ else
++ DC_LOG_ERROR("%s: set_output_gamma function pointer is NULL.\n", __func__);
++
+ return ret;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From a0714aea2a3e2896d5cee4c7d21d6f4ab4e1b3af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Jun 2024 16:45:39 -0600
+Subject: drm/amd/display: Check link_res->hpo_dp_link_enc before using it
+
+From: Alex Hung <alex.hung@amd.com>
+
+[ Upstream commit 0beca868cde8742240cd0038141c30482d2b7eb8 ]
+
+[WHAT & HOW]
+Functions dp_enable_link_phy and dp_disable_link_phy can pass link_res
+without initializing hpo_dp_link_enc and it is necessary to check for
+null before dereferencing.
+
+This fixes 2 FORWARD_NULL issues reported by Coverity.
+
+Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
+Signed-off-by: Jerry Zuo <jerry.zuo@amd.com>
+Signed-off-by: Alex Hung <alex.hung@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/display/dc/link/hwss/link_hwss_hpo_dp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/link/hwss/link_hwss_hpo_dp.c b/drivers/gpu/drm/amd/display/dc/link/hwss/link_hwss_hpo_dp.c
+index e1257404357b1..d0148f10dfc0a 100644
+--- a/drivers/gpu/drm/amd/display/dc/link/hwss/link_hwss_hpo_dp.c
++++ b/drivers/gpu/drm/amd/display/dc/link/hwss/link_hwss_hpo_dp.c
+@@ -28,6 +28,8 @@
+ #include "dccg.h"
+ #include "clk_mgr.h"
+
++#define DC_LOGGER link->ctx->logger
++
+ void set_hpo_dp_throttled_vcp_size(struct pipe_ctx *pipe_ctx,
+ struct fixed31_32 throttled_vcp_size)
+ {
+@@ -124,6 +126,11 @@ void disable_hpo_dp_link_output(struct dc_link *link,
+ const struct link_resource *link_res,
+ enum signal_type signal)
+ {
++ if (!link_res->hpo_dp_link_enc) {
++ DC_LOG_ERROR("%s: invalid hpo_dp_link_enc\n", __func__);
++ return;
++ }
++
+ link_res->hpo_dp_link_enc->funcs->link_disable(link_res->hpo_dp_link_enc);
+ link_res->hpo_dp_link_enc->funcs->disable_link_phy(
+ link_res->hpo_dp_link_enc, signal);
+--
+2.43.0
+
--- /dev/null
+From 639320cbbd1c2dcd1bf7ad18d95b0e11e2199dc3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jul 2024 16:41:52 -0400
+Subject: drm/amd/display: free bo used for dmub bounding box
+
+From: Aurabindo Pillai <aurabindo.pillai@amd.com>
+
+[ Upstream commit f59549c7e705be0087d08bc116ccc767b86d8362 ]
+
+fix a memleak introduced by not removing the buffer object for use with
+early dmub bounding box value storage
+
+Fixes: 234e94555800 ("drm/amd/display: Enable copying of bounding box data from VBIOS DMUB")
+Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
+Reviewed-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Jerry Zuo <jerry.zuo@amd.com>
+Signed-off-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 1e069fa5211ee..511d46d38d6af 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -1740,7 +1740,7 @@ static struct dml2_soc_bb *dm_dmub_get_vbios_bounding_box(struct amdgpu_device *
+ /* Send the chunk */
+ ret = dm_dmub_send_vbios_gpint_command(adev, send_addrs[i], chunk, 30000);
+ if (ret != DMUB_STATUS_OK)
+- /* No need to free bb here since it shall be done unconditionally <elsewhere> */
++ /* No need to free bb here since it shall be done in dm_sw_fini() */
+ return NULL;
+ }
+
+@@ -2489,8 +2489,17 @@ static int dm_sw_init(void *handle)
+ static int dm_sw_fini(void *handle)
+ {
+ struct amdgpu_device *adev = (struct amdgpu_device *)handle;
++ struct dal_allocation *da;
++
++ list_for_each_entry(da, &adev->dm.da_list, list) {
++ if (adev->dm.bb_from_dmub == (void *) da->cpu_ptr) {
++ amdgpu_bo_free_kernel(&da->bo, &da->gpu_addr, &da->cpu_ptr);
++ list_del(&da->list);
++ kfree(da);
++ break;
++ }
++ }
+
+- kfree(adev->dm.bb_from_dmub);
+ adev->dm.bb_from_dmub = NULL;
+
+ kfree(adev->dm.dmub_fb_info);
+--
+2.43.0
+
--- /dev/null
+From cb12d64728a9004b181c7a4d5f40e5a37cac4df9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 11:59:25 -0600
+Subject: drm/amd/display: Improve FAM control for DCN401
+
+From: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+
+[ Upstream commit 17b6527dcfb3249401e037734ed3fd0f4752572f ]
+
+[why & how]
+When the commit 5324e2b205a2 ("drm/amd/display: Add driver support for
+future FAMS versions") was introduced, it missed some of the FAM2 code.
+This commit introduces the code that control the FAM enable and disable.
+
+Fixes: 5324e2b205a2 ("drm/amd/display: Add driver support for future FAMS versions")
+Acked-by: Wayne Lin <wayne.lin@amd.com>
+Signed-off-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Signed-off-by: Tom Chung <chiahsuan.chung@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/display/dc/hwss/dcn32/dcn32_hwseq.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn32/dcn32_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn32/dcn32_hwseq.c
+index 05d8f81daa064..f4eb28206bcb2 100644
+--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn32/dcn32_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn32/dcn32_hwseq.c
+@@ -982,8 +982,19 @@ void dcn32_init_hw(struct dc *dc)
+ dc->caps.dmub_caps.gecc_enable = dc->ctx->dmub_srv->dmub->feature_caps.gecc_enable;
+ dc->caps.dmub_caps.mclk_sw = dc->ctx->dmub_srv->dmub->feature_caps.fw_assisted_mclk_switch_ver;
+
+- if (dc->ctx->dmub_srv->dmub->fw_version <
++ /* for DCN401 testing only */
++ dc->caps.dmub_caps.fams_ver = dc->ctx->dmub_srv->dmub->feature_caps.fw_assisted_mclk_switch_ver;
++ if (dc->caps.dmub_caps.fams_ver == 2) {
++ /* FAMS2 is enabled */
++ dc->debug.fams2_config.bits.enable &= true;
++ } else if (dc->ctx->dmub_srv->dmub->fw_version <
+ DMUB_FW_VERSION(7, 0, 35)) {
++ /* FAMS2 is disabled */
++ dc->debug.fams2_config.bits.enable = false;
++ if (dc->debug.using_dml2 && dc->res_pool->funcs->update_bw_bounding_box) {
++ /* update bounding box if FAMS2 disabled */
++ dc->res_pool->funcs->update_bw_bounding_box(dc, dc->clk_mgr->bw_params);
++ }
+ dc->debug.force_disable_subvp = true;
+ dc->debug.disable_fpo_optimizations = true;
+ }
+--
+2.43.0
+
--- /dev/null
+From 009f2eda3a09541353fd81ab65288c38515f7706 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Jul 2024 17:29:07 +0800
+Subject: drm/amd/display: Reset VRR config during resume
+
+From: Tom Chung <chiahsuan.chung@amd.com>
+
+[ Upstream commit df18a4de9e77ad92c472fd1eb0fb1255d52dd4cd ]
+
+[Why]
+After resume the system, the new_crtc_state->vrr_infopacket does not
+synchronize with the current state. It will affect the
+update_freesync_state_on_stream() does not update the state correctly.
+
+The previous patch causes a PSR SU regression that cannot let panel go
+into self-refresh mode.
+
+[How]
+Reset the VRR config during resume to force update the VRR config later.
+
+Fixes: eb6dfbb7a9c6 ("drm/amd/display: Reset freesync config before update new state")
+Signed-off-by: Tom Chung <chiahsuan.chung@amd.com>
+Reviewed-by: Sun peng Li <sunpeng.li@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 511d46d38d6af..ba5f98bd7b391 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -176,6 +176,7 @@ MODULE_FIRMWARE(FIRMWARE_DCN_401_DMUB);
+ static int amdgpu_dm_init(struct amdgpu_device *adev);
+ static void amdgpu_dm_fini(struct amdgpu_device *adev);
+ static bool is_freesync_video_mode(const struct drm_display_mode *mode, struct amdgpu_dm_connector *aconnector);
++static void reset_freesync_config_for_crtc(struct dm_crtc_state *new_crtc_state);
+
+ static enum drm_mode_subconnector get_subconnector_type(struct dc_link *link)
+ {
+@@ -3239,8 +3240,11 @@ static int dm_resume(void *handle)
+ drm_connector_list_iter_end(&iter);
+
+ /* Force mode set in atomic commit */
+- for_each_new_crtc_in_state(dm->cached_state, crtc, new_crtc_state, i)
++ for_each_new_crtc_in_state(dm->cached_state, crtc, new_crtc_state, i) {
+ new_crtc_state->active_changed = true;
++ dm_new_crtc_state = to_dm_crtc_state(new_crtc_state);
++ reset_freesync_config_for_crtc(dm_new_crtc_state);
++ }
+
+ /*
+ * atomic_check is expected to create the dc states. We need to release
+--
+2.43.0
+
--- /dev/null
+From e93b283c94a6a37f12553a4687894dddc9160a2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Sep 2024 08:56:07 -0400
+Subject: drm/amdgpu: fix invalid fence handling in amdgpu_vm_tlb_flush
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lang Yu <lang.yu@amd.com>
+
+[ Upstream commit 4453808d9eab0461dea338e89372ffc4a3c50acc ]
+
+CPU based update doesn't produce a fence, handle such cases properly.
+
+Fixes: d8a3f0a0348d ("drm/amdgpu: implement TLB flush fence")
+Signed-off-by: Lang Yu <lang.yu@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+index a060c28f0877c..119eebeb16b7f 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+@@ -902,10 +902,12 @@ amdgpu_vm_tlb_flush(struct amdgpu_vm_update_params *params,
+ {
+ struct amdgpu_vm *vm = params->vm;
+
+- if (!fence || !*fence)
++ tlb_cb->vm = vm;
++ if (!fence || !*fence) {
++ amdgpu_vm_tlb_seq_cb(NULL, &tlb_cb->cb);
+ return;
++ }
+
+- tlb_cb->vm = vm;
+ if (!dma_fence_add_callback(*fence, &tlb_cb->cb,
+ amdgpu_vm_tlb_seq_cb)) {
+ dma_fence_put(vm->last_tlb_flush);
+--
+2.43.0
+
--- /dev/null
+From 1302f9ab0e5e210196ab97ee1003f255b8f2c3c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jul 2024 13:23:56 -0400
+Subject: drm/amdgpu: properly handle vbios fake edid sizing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+[ Upstream commit 8155566a26b8d6c1dd914f06a0c652e4e2f2adf1 ]
+
+The comment in the vbios structure says:
+// = 128 means EDID length is 128 bytes, otherwise the EDID length = ucFakeEDIDLength*128
+
+This fake edid struct has not been used in a long time, so I'm
+not sure if there were actually any boards out there with a non-128 byte
+EDID, but align the code with the comment.
+
+Reviewed-by: Thomas Weißschuh <linux@weissschuh.net>
+Reported-by: Thomas Weißschuh <linux@weissschuh.net>
+Link: https://lists.freedesktop.org/archives/amd-gfx/2024-June/109964.html
+Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/amdgpu/atombios_encoders.c | 29 ++++++++++---------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c b/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c
+index 25feab188dfe6..ebf83fee43bb9 100644
+--- a/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c
++++ b/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c
+@@ -2065,26 +2065,29 @@ amdgpu_atombios_encoder_get_lcd_info(struct amdgpu_encoder *encoder)
+ fake_edid_record = (ATOM_FAKE_EDID_PATCH_RECORD *)record;
+ if (fake_edid_record->ucFakeEDIDLength) {
+ struct edid *edid;
+- int edid_size =
+- max((int)EDID_LENGTH, (int)fake_edid_record->ucFakeEDIDLength);
+- edid = kmalloc(edid_size, GFP_KERNEL);
++ int edid_size;
++
++ if (fake_edid_record->ucFakeEDIDLength == 128)
++ edid_size = fake_edid_record->ucFakeEDIDLength;
++ else
++ edid_size = fake_edid_record->ucFakeEDIDLength * 128;
++ edid = kmemdup(&fake_edid_record->ucFakeEDIDString[0],
++ edid_size, GFP_KERNEL);
+ if (edid) {
+- memcpy((u8 *)edid, (u8 *)&fake_edid_record->ucFakeEDIDString[0],
+- fake_edid_record->ucFakeEDIDLength);
+-
+ if (drm_edid_is_valid(edid)) {
+ adev->mode_info.bios_hardcoded_edid = edid;
+ adev->mode_info.bios_hardcoded_edid_size = edid_size;
+- } else
++ } else {
+ kfree(edid);
++ }
+ }
++ record += struct_size(fake_edid_record,
++ ucFakeEDIDString,
++ edid_size);
++ } else {
++ /* empty fake edid record must be 3 bytes long */
++ record += sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1;
+ }
+- record += fake_edid_record->ucFakeEDIDLength ?
+- struct_size(fake_edid_record,
+- ucFakeEDIDString,
+- fake_edid_record->ucFakeEDIDLength) :
+- /* empty fake edid record must be 3 bytes long */
+- sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1;
+ break;
+ case LCD_PANEL_RESOLUTION_RECORD_TYPE:
+ panel_res_record = (ATOM_PANEL_RESOLUTION_PATCH_RECORD *)record;
+--
+2.43.0
+
--- /dev/null
+From 306a71b6a067837f6e11a824e5e41072f8c061af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Aug 2024 17:16:37 +0800
+Subject: drm/bridge: lontium-lt8912b: Validate mode in
+ drm_bridge_funcs::mode_valid()
+
+From: Liu Ying <victor.liu@nxp.com>
+
+[ Upstream commit fe828fbd87786238b30f44cafd698d975d956c97 ]
+
+If the bridge is attached with the DRM_BRIDGE_ATTACH_NO_CONNECTOR flag set,
+this driver won't initialize a connector and hence display mode won't be
+validated in drm_connector_helper_funcs::mode_valid(). So, move the mode
+validation from drm_connector_helper_funcs::mode_valid() to
+drm_bridge_funcs::mode_valid(), because the mode validation is always done
+for the bridge.
+
+Fixes: 30e2ae943c26 ("drm/bridge: Introduce LT8912B DSI to HDMI bridge")
+Signed-off-by: Liu Ying <victor.liu@nxp.com>
+Reviewed-by: Robert Foss <rfoss@kernel.org>
+Signed-off-by: Robert Foss <rfoss@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240813091637.1054586-1-victor.liu@nxp.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/lontium-lt8912b.c | 35 ++++++++++++------------
+ 1 file changed, 18 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/lontium-lt8912b.c b/drivers/gpu/drm/bridge/lontium-lt8912b.c
+index 1a9defa15663c..e265ab3c8c929 100644
+--- a/drivers/gpu/drm/bridge/lontium-lt8912b.c
++++ b/drivers/gpu/drm/bridge/lontium-lt8912b.c
+@@ -422,22 +422,6 @@ static const struct drm_connector_funcs lt8912_connector_funcs = {
+ .atomic_destroy_state = drm_atomic_helper_connector_destroy_state,
+ };
+
+-static enum drm_mode_status
+-lt8912_connector_mode_valid(struct drm_connector *connector,
+- struct drm_display_mode *mode)
+-{
+- if (mode->clock > 150000)
+- return MODE_CLOCK_HIGH;
+-
+- if (mode->hdisplay > 1920)
+- return MODE_BAD_HVALUE;
+-
+- if (mode->vdisplay > 1080)
+- return MODE_BAD_VVALUE;
+-
+- return MODE_OK;
+-}
+-
+ static int lt8912_connector_get_modes(struct drm_connector *connector)
+ {
+ const struct drm_edid *drm_edid;
+@@ -463,7 +447,6 @@ static int lt8912_connector_get_modes(struct drm_connector *connector)
+
+ static const struct drm_connector_helper_funcs lt8912_connector_helper_funcs = {
+ .get_modes = lt8912_connector_get_modes,
+- .mode_valid = lt8912_connector_mode_valid,
+ };
+
+ static void lt8912_bridge_mode_set(struct drm_bridge *bridge,
+@@ -605,6 +588,23 @@ static void lt8912_bridge_detach(struct drm_bridge *bridge)
+ drm_bridge_hpd_disable(lt->hdmi_port);
+ }
+
++static enum drm_mode_status
++lt8912_bridge_mode_valid(struct drm_bridge *bridge,
++ const struct drm_display_info *info,
++ const struct drm_display_mode *mode)
++{
++ if (mode->clock > 150000)
++ return MODE_CLOCK_HIGH;
++
++ if (mode->hdisplay > 1920)
++ return MODE_BAD_HVALUE;
++
++ if (mode->vdisplay > 1080)
++ return MODE_BAD_VVALUE;
++
++ return MODE_OK;
++}
++
+ static enum drm_connector_status
+ lt8912_bridge_detect(struct drm_bridge *bridge)
+ {
+@@ -635,6 +635,7 @@ static const struct drm_edid *lt8912_bridge_edid_read(struct drm_bridge *bridge,
+ static const struct drm_bridge_funcs lt8912_bridge_funcs = {
+ .attach = lt8912_bridge_attach,
+ .detach = lt8912_bridge_detach,
++ .mode_valid = lt8912_bridge_mode_valid,
+ .mode_set = lt8912_bridge_mode_set,
+ .enable = lt8912_bridge_enable,
+ .detect = lt8912_bridge_detect,
+--
+2.43.0
+
--- /dev/null
+From 14e87ec542b17711aa61af811e8194caf63376f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 22:55:19 +0800
+Subject: drm/mediatek: Fix missing configuration flags in
+ mtk_crtc_ddp_config()
+
+From: Jason-JH.Lin <jason-jh.lin@mediatek.com>
+
+[ Upstream commit fe30bae552ce27b9fefe0b12db1544e73d07325f ]
+
+In mtk_crtc_ddp_config(), mtk_crtc will use some configuration flags to
+generate instructions to cmdq_handle, such as:
+ state->pending_config
+ mtk_crtc->pending_planes
+ plane_state->pending.config
+ mtk_crtc->pending_async_planes
+ plane_state->pending.async_config
+
+These configuration flags may be set to false when a GCE IRQ comes calling
+ddp_cmdq_cb(). This may result in missing prepare instructions,
+especially if mtk_crtc_update_config() with the flase need_vblank (no need
+to wait for vblank) cases.
+
+Therefore, the mtk_crtc->config_updating flag is set at the beginning of
+mtk_crtc_update_config() to ensure that these configuration flags won't be
+changed when the mtk_crtc_ddp_config() is preparing instructions.
+But somehow the ddp_cmdq_cb() didn't use the mtk_crtc->config_updating
+flag to prevent those pending config flags from being cleared.
+
+To avoid missing the configuration when generating the config instruction,
+the config_updating flag should be added into ddp_cmdq_cb() and be
+protected with spin_lock.
+
+Fixes: 7f82d9c43879 ("drm/mediatek: Clear pending flag when cmdq packet is done")
+Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com>
+Reviewed-by: CK Hu <ck.hu@mediatek.com>
+Reviewed-by: Fei Shao <fshao@chromium.org>
+Link: https://patchwork.kernel.org/project/dri-devel/patch/20240827-drm-fixup-0819-v3-1-4761005211ec@mediatek.com/
+Link: https://patchwork.kernel.org/project/dri-devel/patch/20240827-drm-fixup-0819-v3-2-4761005211ec@mediatek.com/
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_crtc.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_crtc.c b/drivers/gpu/drm/mediatek/mtk_crtc.c
+index 6f34f573e127e..d7f0926f896d6 100644
+--- a/drivers/gpu/drm/mediatek/mtk_crtc.c
++++ b/drivers/gpu/drm/mediatek/mtk_crtc.c
+@@ -69,6 +69,8 @@ struct mtk_crtc {
+ /* lock for display hardware access */
+ struct mutex hw_lock;
+ bool config_updating;
++ /* lock for config_updating to cmd buffer */
++ spinlock_t config_lock;
+ };
+
+ struct mtk_crtc_state {
+@@ -106,11 +108,16 @@ static void mtk_crtc_finish_page_flip(struct mtk_crtc *mtk_crtc)
+
+ static void mtk_drm_finish_page_flip(struct mtk_crtc *mtk_crtc)
+ {
++ unsigned long flags;
++
+ drm_crtc_handle_vblank(&mtk_crtc->base);
++
++ spin_lock_irqsave(&mtk_crtc->config_lock, flags);
+ if (!mtk_crtc->config_updating && mtk_crtc->pending_needs_vblank) {
+ mtk_crtc_finish_page_flip(mtk_crtc);
+ mtk_crtc->pending_needs_vblank = false;
+ }
++ spin_unlock_irqrestore(&mtk_crtc->config_lock, flags);
+ }
+
+ #if IS_REACHABLE(CONFIG_MTK_CMDQ)
+@@ -308,12 +315,19 @@ static void ddp_cmdq_cb(struct mbox_client *cl, void *mssg)
+ struct mtk_crtc *mtk_crtc = container_of(cmdq_cl, struct mtk_crtc, cmdq_client);
+ struct mtk_crtc_state *state;
+ unsigned int i;
++ unsigned long flags;
+
+ if (data->sta < 0)
+ return;
+
+ state = to_mtk_crtc_state(mtk_crtc->base.state);
+
++ spin_lock_irqsave(&mtk_crtc->config_lock, flags);
++ if (mtk_crtc->config_updating) {
++ spin_unlock_irqrestore(&mtk_crtc->config_lock, flags);
++ goto ddp_cmdq_cb_out;
++ }
++
+ state->pending_config = false;
+
+ if (mtk_crtc->pending_planes) {
+@@ -340,6 +354,10 @@ static void ddp_cmdq_cb(struct mbox_client *cl, void *mssg)
+ mtk_crtc->pending_async_planes = false;
+ }
+
++ spin_unlock_irqrestore(&mtk_crtc->config_lock, flags);
++
++ddp_cmdq_cb_out:
++
+ mtk_crtc->cmdq_vblank_cnt = 0;
+ wake_up(&mtk_crtc->cb_blocking_queue);
+ }
+@@ -569,9 +587,14 @@ static void mtk_crtc_update_config(struct mtk_crtc *mtk_crtc, bool needs_vblank)
+ struct mtk_drm_private *priv = crtc->dev->dev_private;
+ unsigned int pending_planes = 0, pending_async_planes = 0;
+ int i;
++ unsigned long flags;
+
+ mutex_lock(&mtk_crtc->hw_lock);
++
++ spin_lock_irqsave(&mtk_crtc->config_lock, flags);
+ mtk_crtc->config_updating = true;
++ spin_unlock_irqrestore(&mtk_crtc->config_lock, flags);
++
+ if (needs_vblank)
+ mtk_crtc->pending_needs_vblank = true;
+
+@@ -625,7 +648,10 @@ static void mtk_crtc_update_config(struct mtk_crtc *mtk_crtc, bool needs_vblank)
+ mbox_client_txdone(mtk_crtc->cmdq_client.chan, 0);
+ }
+ #endif
++ spin_lock_irqsave(&mtk_crtc->config_lock, flags);
+ mtk_crtc->config_updating = false;
++ spin_unlock_irqrestore(&mtk_crtc->config_lock, flags);
++
+ mutex_unlock(&mtk_crtc->hw_lock);
+ }
+
+@@ -1068,6 +1094,7 @@ int mtk_crtc_create(struct drm_device *drm_dev, const unsigned int *path,
+ drm_mode_crtc_set_gamma_size(&mtk_crtc->base, gamma_lut_size);
+ drm_crtc_enable_color_mgmt(&mtk_crtc->base, 0, has_ctm, gamma_lut_size);
+ mutex_init(&mtk_crtc->hw_lock);
++ spin_lock_init(&mtk_crtc->config_lock);
+
+ #if IS_REACHABLE(CONFIG_MTK_CMDQ)
+ i = priv->mbox_index++;
+--
+2.43.0
+
--- /dev/null
+From a5b81f081158e5de37fad95735901b76ba9e6a20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Aug 2024 18:14:47 +0800
+Subject: drm/mediatek: Use spin_lock_irqsave() for CRTC event lock
+
+From: Fei Shao <fshao@chromium.org>
+
+[ Upstream commit be03b30b7aa99aca876fbc7c1c1b73b2d0339321 ]
+
+Use the state-aware spin_lock_irqsave() and spin_unlock_irqrestore()
+to avoid unconditionally re-enabling the local interrupts.
+
+Fixes: 411f5c1eacfe ("drm/mediatek: handle events when enabling/disabling crtc")
+Signed-off-by: Fei Shao <fshao@chromium.org>
+Link: https://patchwork.kernel.org/project/dri-devel/patch/20240828101511.3269822-1-fshao@chromium.org/
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_crtc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_crtc.c b/drivers/gpu/drm/mediatek/mtk_crtc.c
+index d7f0926f896d6..a90504359e8d2 100644
+--- a/drivers/gpu/drm/mediatek/mtk_crtc.c
++++ b/drivers/gpu/drm/mediatek/mtk_crtc.c
+@@ -467,6 +467,7 @@ static void mtk_crtc_ddp_hw_fini(struct mtk_crtc *mtk_crtc)
+ {
+ struct drm_device *drm = mtk_crtc->base.dev;
+ struct drm_crtc *crtc = &mtk_crtc->base;
++ unsigned long flags;
+ int i;
+
+ for (i = 0; i < mtk_crtc->ddp_comp_nr; i++) {
+@@ -498,10 +499,10 @@ static void mtk_crtc_ddp_hw_fini(struct mtk_crtc *mtk_crtc)
+ pm_runtime_put(drm->dev);
+
+ if (crtc->state->event && !crtc->state->active) {
+- spin_lock_irq(&crtc->dev->event_lock);
++ spin_lock_irqsave(&crtc->dev->event_lock, flags);
+ drm_crtc_send_vblank_event(crtc, crtc->state->event);
+ crtc->state->event = NULL;
+- spin_unlock_irq(&crtc->dev->event_lock);
++ spin_unlock_irqrestore(&crtc->dev->event_lock, flags);
+ }
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 82686a3c8c72b9c899982d5d0bd6473e32ffbc03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Sep 2024 13:54:00 +0000
+Subject: drm/msm/a5xx: disable preemption in submits by default
+
+From: Vladimir Lypak <vladimir.lypak@gmail.com>
+
+[ Upstream commit db9dec2db76146d65e1cfbb6afb2e2bd5dab67f8 ]
+
+Fine grain preemption (switching from/to points within submits)
+requires extra handling in command stream of those submits, especially
+when rendering with tiling (using GMEM). However this handling is
+missing at this point in mesa (and always was). For this reason we get
+random GPU faults and hangs if more than one priority level is used
+because local preemption is enabled prior to executing command stream
+from submit.
+With that said it was ahead of time to enable local preemption by
+default considering the fact that even on downstream kernel it is only
+enabled if requested via UAPI.
+
+Fixes: a7a4c19c36de ("drm/msm/a5xx: fix setting of the CP_PREEMPT_ENABLE_LOCAL register")
+Signed-off-by: Vladimir Lypak <vladimir.lypak@gmail.com>
+Patchwork: https://patchwork.freedesktop.org/patch/612041/
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
+index c0b5373e90d71..6c80d3003966b 100644
+--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
+@@ -150,9 +150,13 @@ static void a5xx_submit(struct msm_gpu *gpu, struct msm_gem_submit *submit)
+ OUT_PKT7(ring, CP_SET_PROTECTED_MODE, 1);
+ OUT_RING(ring, 1);
+
+- /* Enable local preemption for finegrain preemption */
++ /*
++ * Disable local preemption by default because it requires
++ * user-space to be aware of it and provide additional handling
++ * to restore rendering state or do various flushes on switch.
++ */
+ OUT_PKT7(ring, CP_PREEMPT_ENABLE_LOCAL, 1);
+- OUT_RING(ring, 0x1);
++ OUT_RING(ring, 0x0);
+
+ /* Allow CP_CONTEXT_SWITCH_YIELD packets in the IB2 */
+ OUT_PKT7(ring, CP_YIELD_ENABLE, 1);
+--
+2.43.0
+
--- /dev/null
+From fe608f6200e91e70d630d5313ee4b26d52306a6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Sep 2024 13:54:02 +0000
+Subject: drm/msm/a5xx: fix races in preemption evaluation stage
+
+From: Vladimir Lypak <vladimir.lypak@gmail.com>
+
+[ Upstream commit ce050f307ad93bcc5958d0dd35fc276fd394d274 ]
+
+On A5XX GPUs when preemption is used it's invietable to enter a soft
+lock-up state in which GPU is stuck at empty ring-buffer doing nothing.
+This appears as full UI lockup and not detected as GPU hang (because
+it's not). This happens due to not triggering preemption when it was
+needed. Sometimes this state can be recovered by some new submit but
+generally it won't happen because applications are waiting for old
+submits to retire.
+
+One of the reasons why this happens is a race between a5xx_submit and
+a5xx_preempt_trigger called from IRQ during submit retire. Former thread
+updates ring->cur of previously empty and not current ring right after
+latter checks it for emptiness. Then both threads can just exit because
+for first one preempt_state wasn't NONE yet and for second one all rings
+appeared to be empty.
+
+To prevent such situations from happening we need to establish guarantee
+for preempt_trigger to make decision after each submit or retire. To
+implement this we serialize preemption initiation using spinlock. If
+switch is already in progress we need to re-trigger preemption when it
+finishes.
+
+Fixes: b1fc2839d2f9 ("drm/msm: Implement preemption for A5XX targets")
+Signed-off-by: Vladimir Lypak <vladimir.lypak@gmail.com>
+Patchwork: https://patchwork.freedesktop.org/patch/612045/
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a5xx_gpu.h | 1 +
+ drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 24 +++++++++++++++++++++--
+ 2 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a5xx_gpu.h b/drivers/gpu/drm/msm/adreno/a5xx_gpu.h
+index c7187bcc5e908..b4d06ca3e499d 100644
+--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.h
++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.h
+@@ -36,6 +36,7 @@ struct a5xx_gpu {
+ uint64_t preempt_iova[MSM_GPU_MAX_RINGS];
+
+ atomic_t preempt_state;
++ spinlock_t preempt_start_lock;
+ struct timer_list preempt_timer;
+
+ struct drm_gem_object *shadow_bo;
+diff --git a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
+index 67a8ef4adf6b6..c65b34a4a8cc2 100644
+--- a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
++++ b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
+@@ -97,12 +97,19 @@ void a5xx_preempt_trigger(struct msm_gpu *gpu)
+ if (gpu->nr_rings == 1)
+ return;
+
++ /*
++ * Serialize preemption start to ensure that we always make
++ * decision on latest state. Otherwise we can get stuck in
++ * lower priority or empty ring.
++ */
++ spin_lock_irqsave(&a5xx_gpu->preempt_start_lock, flags);
++
+ /*
+ * Try to start preemption by moving from NONE to START. If
+ * unsuccessful, a preemption is already in flight
+ */
+ if (!try_preempt_state(a5xx_gpu, PREEMPT_NONE, PREEMPT_START))
+- return;
++ goto out;
+
+ /* Get the next ring to preempt to */
+ ring = get_next_ring(gpu);
+@@ -127,9 +134,11 @@ void a5xx_preempt_trigger(struct msm_gpu *gpu)
+ set_preempt_state(a5xx_gpu, PREEMPT_ABORT);
+ update_wptr(gpu, a5xx_gpu->cur_ring);
+ set_preempt_state(a5xx_gpu, PREEMPT_NONE);
+- return;
++ goto out;
+ }
+
++ spin_unlock_irqrestore(&a5xx_gpu->preempt_start_lock, flags);
++
+ /* Make sure the wptr doesn't update while we're in motion */
+ spin_lock_irqsave(&ring->preempt_lock, flags);
+ a5xx_gpu->preempt[ring->id]->wptr = get_wptr(ring);
+@@ -152,6 +161,10 @@ void a5xx_preempt_trigger(struct msm_gpu *gpu)
+
+ /* And actually start the preemption */
+ gpu_write(gpu, REG_A5XX_CP_CONTEXT_SWITCH_CNTL, 1);
++ return;
++
++out:
++ spin_unlock_irqrestore(&a5xx_gpu->preempt_start_lock, flags);
+ }
+
+ void a5xx_preempt_irq(struct msm_gpu *gpu)
+@@ -188,6 +201,12 @@ void a5xx_preempt_irq(struct msm_gpu *gpu)
+ update_wptr(gpu, a5xx_gpu->cur_ring);
+
+ set_preempt_state(a5xx_gpu, PREEMPT_NONE);
++
++ /*
++ * Try to trigger preemption again in case there was a submit or
++ * retire during ring switch
++ */
++ a5xx_preempt_trigger(gpu);
+ }
+
+ void a5xx_preempt_hw_init(struct msm_gpu *gpu)
+@@ -300,5 +319,6 @@ void a5xx_preempt_init(struct msm_gpu *gpu)
+ }
+ }
+
++ spin_lock_init(&a5xx_gpu->preempt_start_lock);
+ timer_setup(&a5xx_gpu->preempt_timer, a5xx_preempt_timer, 0);
+ }
+--
+2.43.0
+
--- /dev/null
+From 8f58d7b58c0225308b8993ecb73878947416d6cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Sep 2024 13:54:01 +0000
+Subject: drm/msm/a5xx: properly clear preemption records on resume
+
+From: Vladimir Lypak <vladimir.lypak@gmail.com>
+
+[ Upstream commit 64fd6d01a52904bdbda0ce810a45a428c995a4ca ]
+
+Two fields of preempt_record which are used by CP aren't reset on
+resume: "data" and "info". This is the reason behind faults which happen
+when we try to switch to the ring that was active last before suspend.
+In addition those faults can't be recovered from because we use suspend
+and resume to do so (keeping values of those fields again).
+
+Fixes: b1fc2839d2f9 ("drm/msm: Implement preemption for A5XX targets")
+Signed-off-by: Vladimir Lypak <vladimir.lypak@gmail.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/612043/
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
+index f58dd564d122b..67a8ef4adf6b6 100644
+--- a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
++++ b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
+@@ -204,6 +204,8 @@ void a5xx_preempt_hw_init(struct msm_gpu *gpu)
+ return;
+
+ for (i = 0; i < gpu->nr_rings; i++) {
++ a5xx_gpu->preempt[i]->data = 0;
++ a5xx_gpu->preempt[i]->info = 0;
+ a5xx_gpu->preempt[i]->wptr = 0;
+ a5xx_gpu->preempt[i]->rptr = 0;
+ a5xx_gpu->preempt[i]->rbase = gpu->rb[i]->iova;
+--
+2.43.0
+
--- /dev/null
+From 6f7f7046c59bd46276a411d31cee2dbe78175dce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Sep 2024 13:54:03 +0000
+Subject: drm/msm/a5xx: workaround early ring-buffer emptiness check
+
+From: Vladimir Lypak <vladimir.lypak@gmail.com>
+
+[ Upstream commit a30f9f65b5ac82d4390548c32ed9c7f05de7ddf5 ]
+
+There is another cause for soft lock-up of GPU in empty ring-buffer:
+race between GPU executing last commands and CPU checking ring for
+emptiness. On GPU side IRQ for retire is triggered by CACHE_FLUSH_TS
+event and RPTR shadow (which is used to check ring emptiness) is updated
+a bit later from CP_CONTEXT_SWITCH_YIELD. Thus if GPU is executing its
+last commands slow enough or we check that ring too fast we will miss a
+chance to trigger switch to lower priority ring because current ring isn't
+empty just yet. This can escalate to lock-up situation described in
+previous patch.
+To work-around this issue we keep track of last submit sequence number
+for each ring and compare it with one written to memptrs from GPU during
+execution of CACHE_FLUSH_TS event.
+
+Fixes: b1fc2839d2f9 ("drm/msm: Implement preemption for A5XX targets")
+Signed-off-by: Vladimir Lypak <vladimir.lypak@gmail.com>
+Patchwork: https://patchwork.freedesktop.org/patch/612047/
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 4 ++++
+ drivers/gpu/drm/msm/adreno/a5xx_gpu.h | 1 +
+ drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 4 ++++
+ 3 files changed, 9 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
+index 6c80d3003966b..7cfefb5e62218 100644
+--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
+@@ -65,6 +65,8 @@ void a5xx_flush(struct msm_gpu *gpu, struct msm_ringbuffer *ring,
+
+ static void a5xx_submit_in_rb(struct msm_gpu *gpu, struct msm_gem_submit *submit)
+ {
++ struct adreno_gpu *adreno_gpu = to_adreno_gpu(gpu);
++ struct a5xx_gpu *a5xx_gpu = to_a5xx_gpu(adreno_gpu);
+ struct msm_ringbuffer *ring = submit->ring;
+ struct drm_gem_object *obj;
+ uint32_t *ptr, dwords;
+@@ -109,6 +111,7 @@ static void a5xx_submit_in_rb(struct msm_gpu *gpu, struct msm_gem_submit *submit
+ }
+ }
+
++ a5xx_gpu->last_seqno[ring->id] = submit->seqno;
+ a5xx_flush(gpu, ring, true);
+ a5xx_preempt_trigger(gpu);
+
+@@ -210,6 +213,7 @@ static void a5xx_submit(struct msm_gpu *gpu, struct msm_gem_submit *submit)
+ /* Write the fence to the scratch register */
+ OUT_PKT4(ring, REG_A5XX_CP_SCRATCH_REG(2), 1);
+ OUT_RING(ring, submit->seqno);
++ a5xx_gpu->last_seqno[ring->id] = submit->seqno;
+
+ /*
+ * Execute a CACHE_FLUSH_TS event. This will ensure that the
+diff --git a/drivers/gpu/drm/msm/adreno/a5xx_gpu.h b/drivers/gpu/drm/msm/adreno/a5xx_gpu.h
+index b4d06ca3e499d..9c0d701fe4b85 100644
+--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.h
++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.h
+@@ -34,6 +34,7 @@ struct a5xx_gpu {
+ struct drm_gem_object *preempt_counters_bo[MSM_GPU_MAX_RINGS];
+ struct a5xx_preempt_record *preempt[MSM_GPU_MAX_RINGS];
+ uint64_t preempt_iova[MSM_GPU_MAX_RINGS];
++ uint32_t last_seqno[MSM_GPU_MAX_RINGS];
+
+ atomic_t preempt_state;
+ spinlock_t preempt_start_lock;
+diff --git a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
+index c65b34a4a8cc2..0469fea550108 100644
+--- a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
++++ b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
+@@ -55,6 +55,8 @@ static inline void update_wptr(struct msm_gpu *gpu, struct msm_ringbuffer *ring)
+ /* Return the highest priority ringbuffer with something in it */
+ static struct msm_ringbuffer *get_next_ring(struct msm_gpu *gpu)
+ {
++ struct adreno_gpu *adreno_gpu = to_adreno_gpu(gpu);
++ struct a5xx_gpu *a5xx_gpu = to_a5xx_gpu(adreno_gpu);
+ unsigned long flags;
+ int i;
+
+@@ -64,6 +66,8 @@ static struct msm_ringbuffer *get_next_ring(struct msm_gpu *gpu)
+
+ spin_lock_irqsave(&ring->preempt_lock, flags);
+ empty = (get_wptr(ring) == gpu->funcs->get_rptr(gpu, ring));
++ if (!empty && ring == a5xx_gpu->cur_ring)
++ empty = ring->memptrs->fence == a5xx_gpu->last_seqno[i];
+ spin_unlock_irqrestore(&ring->preempt_lock, flags);
+
+ if (!empty)
+--
+2.43.0
+
--- /dev/null
+From 61952c6cf2cd535512eca6e14b9140ce4d37bb11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jul 2024 12:50:11 -0700
+Subject: drm/msm/dp: enable widebus on all relevant chipsets
+
+From: Abhinav Kumar <quic_abhinavk@quicinc.com>
+
+[ Upstream commit c7c412202623951dcfc22316f5255fd84fd56186 ]
+
+Hardware document indicates that widebus is recommended on DP on all
+MDSS chipsets starting version 5.x.x and above.
+
+Follow the guideline and mark widebus support on all relevant
+chipsets for DP.
+
+Fixes: 766f705204a0 ("drm/msm/dp: Remove now unused connector_type from desc")
+Fixes: 1b2d98bdd7b7 ("drm/msm/dp: Add DisplayPort controller for SM8650")
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Fixes: 757a2f36ab09 ("drm/msm/dp: enable widebus feature for display port")
+Fixes: 1b2d98bdd7b7 ("drm/msm/dp: Add DisplayPort controller for SM8650")
+Patchwork: https://patchwork.freedesktop.org/patch/606556/
+Link: https://lore.kernel.org/r/20240730195012.2595980-1-quic_abhinavk@quicinc.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dp/dp_display.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c
+index 9622e58dce3e7..e1228fb093ee0 100644
+--- a/drivers/gpu/drm/msm/dp/dp_display.c
++++ b/drivers/gpu/drm/msm/dp/dp_display.c
+@@ -119,7 +119,7 @@ struct msm_dp_desc {
+ };
+
+ static const struct msm_dp_desc sc7180_dp_descs[] = {
+- { .io_start = 0x0ae90000, .id = MSM_DP_CONTROLLER_0 },
++ { .io_start = 0x0ae90000, .id = MSM_DP_CONTROLLER_0, .wide_bus_supported = true },
+ {}
+ };
+
+@@ -130,9 +130,9 @@ static const struct msm_dp_desc sc7280_dp_descs[] = {
+ };
+
+ static const struct msm_dp_desc sc8180x_dp_descs[] = {
+- { .io_start = 0x0ae90000, .id = MSM_DP_CONTROLLER_0 },
+- { .io_start = 0x0ae98000, .id = MSM_DP_CONTROLLER_1 },
+- { .io_start = 0x0ae9a000, .id = MSM_DP_CONTROLLER_2 },
++ { .io_start = 0x0ae90000, .id = MSM_DP_CONTROLLER_0, .wide_bus_supported = true },
++ { .io_start = 0x0ae98000, .id = MSM_DP_CONTROLLER_1, .wide_bus_supported = true },
++ { .io_start = 0x0ae9a000, .id = MSM_DP_CONTROLLER_2, .wide_bus_supported = true },
+ {}
+ };
+
+@@ -149,7 +149,7 @@ static const struct msm_dp_desc sc8280xp_dp_descs[] = {
+ };
+
+ static const struct msm_dp_desc sm8650_dp_descs[] = {
+- { .io_start = 0x0af54000, .id = MSM_DP_CONTROLLER_0 },
++ { .io_start = 0x0af54000, .id = MSM_DP_CONTROLLER_0, .wide_bus_supported = true },
+ {}
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 575870d008336172625522359058e162c5005913 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Aug 2024 08:40:07 +0300
+Subject: drm/msm/dsi: correct programming sequence for SM8350 / SM8450
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 1328cb7c34bf6d056df9ff694ee5194537548258 ]
+
+According to the display-drivers, 5nm DSI PLL (v4.2, v4.3) have
+different boundaries for pll_clock_inverters programming. Follow the
+vendor code and use correct values.
+
+Fixes: 2f9ae4e395ed ("drm/msm/dsi: add support for DSI-PHY on SM8350 and SM8450")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/606947/
+Link: https://lore.kernel.org/r/20240804-sm8350-fixes-v1-3-1149dd8399fe@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c b/drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c
+index 3b59137ca6743..031446c87daec 100644
+--- a/drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c
++++ b/drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c
+@@ -135,7 +135,7 @@ static void dsi_pll_calc_dec_frac(struct dsi_pll_7nm *pll, struct dsi_pll_config
+ config->pll_clock_inverters = 0x00;
+ else
+ config->pll_clock_inverters = 0x40;
+- } else {
++ } else if (pll->phy->cfg->quirks & DSI_PHY_7NM_QUIRK_V4_1) {
+ if (pll_freq <= 1000000000ULL)
+ config->pll_clock_inverters = 0xa0;
+ else if (pll_freq <= 2500000000ULL)
+@@ -144,6 +144,16 @@ static void dsi_pll_calc_dec_frac(struct dsi_pll_7nm *pll, struct dsi_pll_config
+ config->pll_clock_inverters = 0x00;
+ else
+ config->pll_clock_inverters = 0x40;
++ } else {
++ /* 4.2, 4.3 */
++ if (pll_freq <= 1000000000ULL)
++ config->pll_clock_inverters = 0xa0;
++ else if (pll_freq <= 2500000000ULL)
++ config->pll_clock_inverters = 0x20;
++ else if (pll_freq <= 3500000000ULL)
++ config->pll_clock_inverters = 0x00;
++ else
++ config->pll_clock_inverters = 0x40;
+ }
+
+ config->decimal_div_start = dec;
+--
+2.43.0
+
--- /dev/null
+From 77ad260b43b26329b79356f97a8574188b20aaa3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 13:34:28 +0100
+Subject: drm/msm: Dump correct dbgahb clusters on a750
+
+From: Connor Abbott <cwabbott0@gmail.com>
+
+[ Upstream commit d8c17d7aadc2463a395f9340f44c7c34399f1d48 ]
+
+This was missed thanks to the family mixup fixed in the previous commit.
+
+Fixes: f3f8207d8aed ("drm/msm: Add devcoredump support for a750")
+Signed-off-by: Connor Abbott <cwabbott0@gmail.com>
+Patchwork: https://patchwork.freedesktop.org/patch/607393/
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
+index f2030e521a03a..0fcae53c0b140 100644
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
+@@ -663,10 +663,13 @@ static void a7xx_get_dbgahb_clusters(struct msm_gpu *gpu,
+ if (adreno_gpu->info->family == ADRENO_7XX_GEN1) {
+ dbgahb_clusters = gen7_0_0_sptp_clusters;
+ dbgahb_clusters_size = ARRAY_SIZE(gen7_0_0_sptp_clusters);
+- } else {
+- BUG_ON(adreno_gpu->info->family > ADRENO_7XX_GEN3);
++ } else if (adreno_gpu->info->family == ADRENO_7XX_GEN2) {
+ dbgahb_clusters = gen7_2_0_sptp_clusters;
+ dbgahb_clusters_size = ARRAY_SIZE(gen7_2_0_sptp_clusters);
++ } else {
++ BUG_ON(adreno_gpu->info->family != ADRENO_7XX_GEN3);
++ dbgahb_clusters = gen7_9_0_sptp_clusters;
++ dbgahb_clusters_size = ARRAY_SIZE(gen7_9_0_sptp_clusters);
+ }
+
+ a6xx_state->dbgahb_clusters = state_kcalloc(a6xx_state,
+--
+2.43.0
+
--- /dev/null
+From 418c4571ce31ad29f51ccc05675247728e254105 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 13:34:29 +0100
+Subject: drm/msm: Fix CP_BV_DRAW_STATE_ADDR name
+
+From: Connor Abbott <cwabbott0@gmail.com>
+
+[ Upstream commit a47cfb688d78217983c4a0051449aa88e2ff5ebb ]
+
+This was missed because we weren't using the a750-specific indexed regs.
+
+Fixes: f3f8207d8aed ("drm/msm: Add devcoredump support for a750")
+Signed-off-by: Connor Abbott <cwabbott0@gmail.com>
+Reviewed-by: Akhil P Oommen <quic_akhilpo@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/607394/
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/adreno_gen7_9_0_snapshot.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/adreno_gen7_9_0_snapshot.h b/drivers/gpu/drm/msm/adreno/adreno_gen7_9_0_snapshot.h
+index 260d66eccfecb..9a327d543f27d 100644
+--- a/drivers/gpu/drm/msm/adreno/adreno_gen7_9_0_snapshot.h
++++ b/drivers/gpu/drm/msm/adreno/adreno_gen7_9_0_snapshot.h
+@@ -1303,7 +1303,7 @@ static struct a6xx_indexed_registers gen7_9_0_cp_indexed_reg_list[] = {
+ REG_A6XX_CP_ROQ_DBG_DATA, 0x00800},
+ { "CP_UCODE_DBG_DATA", REG_A6XX_CP_SQE_UCODE_DBG_ADDR,
+ REG_A6XX_CP_SQE_UCODE_DBG_DATA, 0x08000},
+- { "CP_BV_SQE_STAT_ADDR", REG_A7XX_CP_BV_DRAW_STATE_ADDR,
++ { "CP_BV_DRAW_STATE_ADDR", REG_A7XX_CP_BV_DRAW_STATE_ADDR,
+ REG_A7XX_CP_BV_DRAW_STATE_DATA, 0x00200},
+ { "CP_BV_ROQ_DBG_ADDR", REG_A7XX_CP_BV_ROQ_DBG_ADDR,
+ REG_A7XX_CP_BV_ROQ_DBG_DATA, 0x00800},
+--
+2.43.0
+
--- /dev/null
+From 392f34c1be8b8f883c2197c57537b7b2f48a9d79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jul 2024 12:13:12 +0300
+Subject: drm/msm: Fix incorrect file name output in adreno_request_fw()
+
+From: Aleksandr Mishin <amishin@t-argos.ru>
+
+[ Upstream commit e19366911340c2313a1abbb09c54eaf9bdea4f58 ]
+
+In adreno_request_fw() when debugging information is printed to the log
+after firmware load, an incorrect filename is printed. 'newname' is used
+instead of 'fwname', so prefix "qcom/" is being added to filename.
+Looks like "copy-paste" mistake.
+
+Fix this mistake by replacing 'newname' with 'fwname'.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 2c41ef1b6f7d ("drm/msm/adreno: deal with linux-firmware fw paths")
+Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/602382/
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/adreno_gpu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/adreno_gpu.c b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
+index ecc3fc5cec227..3896123ec51c9 100644
+--- a/drivers/gpu/drm/msm/adreno/adreno_gpu.c
++++ b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
+@@ -478,7 +478,7 @@ adreno_request_fw(struct adreno_gpu *adreno_gpu, const char *fwname)
+ ret = request_firmware_direct(&fw, fwname, drm->dev);
+ if (!ret) {
+ DRM_DEV_INFO(drm->dev, "loaded %s from legacy location\n",
+- newname);
++ fwname);
+ adreno_gpu->fwloc = FW_LOCATION_LEGACY;
+ goto out;
+ } else if (adreno_gpu->fwloc != FW_LOCATION_UNKNOWN) {
+--
+2.43.0
+
--- /dev/null
+From 6cc2ecf588046e74a163780397cdce57ede0fbfc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 09:53:37 -0700
+Subject: drm/msm: fix %s null argument error
+
+From: Sherry Yang <sherry.yang@oracle.com>
+
+[ Upstream commit 25b85075150fe8adddb096db8a4b950353045ee1 ]
+
+The following build error was triggered because of NULL string argument:
+
+BUILDSTDERR: drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c: In function 'mdp5_smp_dump':
+BUILDSTDERR: drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c:352:51: error: '%s' directive argument is null [-Werror=format-overflow=]
+BUILDSTDERR: 352 | drm_printf(p, "%s:%d\t%d\t%s\n",
+BUILDSTDERR: | ^~
+BUILDSTDERR: drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c:352:51: error: '%s' directive argument is null [-Werror=format-overflow=]
+
+This happens from the commit a61ddb4393ad ("drm: enable (most) W=1
+warnings by default across the subsystem"). Using "(null)" instead
+to fix it.
+
+Fixes: bc5289eed481 ("drm/msm/mdp5: add debugfs to show smp block status")
+Signed-off-by: Sherry Yang <sherry.yang@oracle.com>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/611071/
+Link: https://lore.kernel.org/r/20240827165337.1075904-1-sherry.yang@oracle.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c
+index 3a7f7edda96b2..500b7dc895d05 100644
+--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c
++++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c
+@@ -351,7 +351,7 @@ void mdp5_smp_dump(struct mdp5_smp *smp, struct drm_printer *p,
+
+ drm_printf(p, "%s:%d\t%d\t%s\n",
+ pipe2name(pipe), j, inuse,
+- plane ? plane->name : NULL);
++ plane ? plane->name : "(null)");
+
+ total += inuse;
+ }
+--
+2.43.0
+
--- /dev/null
+From c40c27e7bdc848c471828e5a478617a20b68776d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 13:34:27 +0100
+Subject: drm/msm: Use a7xx family directly in gpu_state
+
+From: Connor Abbott <cwabbott0@gmail.com>
+
+[ Upstream commit db75ef03d72ea75515f5282fe8a4925ae8373fe1 ]
+
+With a7xx, we need to import a new header for each new generation and
+switch to a different list of registers, instead of making
+backwards-compatible changes. Using the helpers inadvertently made a750
+use the a740 list of registers, instead use the family directly to fix
+this.
+
+Fixes: f3f8207d8aed ("drm/msm: Add devcoredump support for a750")
+Signed-off-by: Connor Abbott <cwabbott0@gmail.com>
+Patchwork: https://patchwork.freedesktop.org/patch/607392/
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c | 41 ++++++++++-----------
+ 1 file changed, 20 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
+index 789a11416f7a4..f2030e521a03a 100644
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
+@@ -388,18 +388,18 @@ static void a7xx_get_debugbus_blocks(struct msm_gpu *gpu,
+ const u32 *debugbus_blocks, *gbif_debugbus_blocks;
+ int i;
+
+- if (adreno_is_a730(adreno_gpu)) {
++ if (adreno_gpu->info->family == ADRENO_7XX_GEN1) {
+ debugbus_blocks = gen7_0_0_debugbus_blocks;
+ debugbus_blocks_count = ARRAY_SIZE(gen7_0_0_debugbus_blocks);
+ gbif_debugbus_blocks = a7xx_gbif_debugbus_blocks;
+ gbif_debugbus_blocks_count = ARRAY_SIZE(a7xx_gbif_debugbus_blocks);
+- } else if (adreno_is_a740_family(adreno_gpu)) {
++ } else if (adreno_gpu->info->family == ADRENO_7XX_GEN2) {
+ debugbus_blocks = gen7_2_0_debugbus_blocks;
+ debugbus_blocks_count = ARRAY_SIZE(gen7_2_0_debugbus_blocks);
+ gbif_debugbus_blocks = a7xx_gbif_debugbus_blocks;
+ gbif_debugbus_blocks_count = ARRAY_SIZE(a7xx_gbif_debugbus_blocks);
+ } else {
+- BUG_ON(!adreno_is_a750(adreno_gpu));
++ BUG_ON(adreno_gpu->info->family != ADRENO_7XX_GEN3);
+ debugbus_blocks = gen7_9_0_debugbus_blocks;
+ debugbus_blocks_count = ARRAY_SIZE(gen7_9_0_debugbus_blocks);
+ gbif_debugbus_blocks = gen7_9_0_gbif_debugbus_blocks;
+@@ -509,7 +509,7 @@ static void a6xx_get_debugbus(struct msm_gpu *gpu,
+ const struct a6xx_debugbus_block *cx_debugbus_blocks;
+
+ if (adreno_is_a7xx(adreno_gpu)) {
+- BUG_ON(!(adreno_is_a730(adreno_gpu) || adreno_is_a740_family(adreno_gpu)));
++ BUG_ON(adreno_gpu->info->family > ADRENO_7XX_GEN3);
+ cx_debugbus_blocks = a7xx_cx_debugbus_blocks;
+ nr_cx_debugbus_blocks = ARRAY_SIZE(a7xx_cx_debugbus_blocks);
+ } else {
+@@ -660,11 +660,11 @@ static void a7xx_get_dbgahb_clusters(struct msm_gpu *gpu,
+ const struct gen7_sptp_cluster_registers *dbgahb_clusters;
+ unsigned dbgahb_clusters_size;
+
+- if (adreno_is_a730(adreno_gpu)) {
++ if (adreno_gpu->info->family == ADRENO_7XX_GEN1) {
+ dbgahb_clusters = gen7_0_0_sptp_clusters;
+ dbgahb_clusters_size = ARRAY_SIZE(gen7_0_0_sptp_clusters);
+ } else {
+- BUG_ON(!adreno_is_a740_family(adreno_gpu));
++ BUG_ON(adreno_gpu->info->family > ADRENO_7XX_GEN3);
+ dbgahb_clusters = gen7_2_0_sptp_clusters;
+ dbgahb_clusters_size = ARRAY_SIZE(gen7_2_0_sptp_clusters);
+ }
+@@ -818,14 +818,14 @@ static void a7xx_get_clusters(struct msm_gpu *gpu,
+ const struct gen7_cluster_registers *clusters;
+ unsigned clusters_size;
+
+- if (adreno_is_a730(adreno_gpu)) {
++ if (adreno_gpu->info->family == ADRENO_7XX_GEN1) {
+ clusters = gen7_0_0_clusters;
+ clusters_size = ARRAY_SIZE(gen7_0_0_clusters);
+- } else if (adreno_is_a740_family(adreno_gpu)) {
++ } else if (adreno_gpu->info->family == ADRENO_7XX_GEN2) {
+ clusters = gen7_2_0_clusters;
+ clusters_size = ARRAY_SIZE(gen7_2_0_clusters);
+ } else {
+- BUG_ON(!adreno_is_a750(adreno_gpu));
++ BUG_ON(adreno_gpu->info->family != ADRENO_7XX_GEN3);
+ clusters = gen7_9_0_clusters;
+ clusters_size = ARRAY_SIZE(gen7_9_0_clusters);
+ }
+@@ -893,7 +893,7 @@ static void a7xx_get_shader_block(struct msm_gpu *gpu,
+ if (WARN_ON(datasize > A6XX_CD_DATA_SIZE))
+ return;
+
+- if (adreno_is_a730(adreno_gpu)) {
++ if (adreno_gpu->info->family == ADRENO_7XX_GEN1) {
+ gpu_rmw(gpu, REG_A7XX_SP_DBG_CNTL, GENMASK(1, 0), 3);
+ }
+
+@@ -923,7 +923,7 @@ static void a7xx_get_shader_block(struct msm_gpu *gpu,
+ datasize);
+
+ out:
+- if (adreno_is_a730(adreno_gpu)) {
++ if (adreno_gpu->info->family == ADRENO_7XX_GEN1) {
+ gpu_rmw(gpu, REG_A7XX_SP_DBG_CNTL, GENMASK(1, 0), 0);
+ }
+ }
+@@ -956,14 +956,14 @@ static void a7xx_get_shaders(struct msm_gpu *gpu,
+ unsigned num_shader_blocks;
+ int i;
+
+- if (adreno_is_a730(adreno_gpu)) {
++ if (adreno_gpu->info->family == ADRENO_7XX_GEN1) {
+ shader_blocks = gen7_0_0_shader_blocks;
+ num_shader_blocks = ARRAY_SIZE(gen7_0_0_shader_blocks);
+- } else if (adreno_is_a740_family(adreno_gpu)) {
++ } else if (adreno_gpu->info->family == ADRENO_7XX_GEN2) {
+ shader_blocks = gen7_2_0_shader_blocks;
+ num_shader_blocks = ARRAY_SIZE(gen7_2_0_shader_blocks);
+ } else {
+- BUG_ON(!adreno_is_a750(adreno_gpu));
++ BUG_ON(adreno_gpu->info->family != ADRENO_7XX_GEN3);
+ shader_blocks = gen7_9_0_shader_blocks;
+ num_shader_blocks = ARRAY_SIZE(gen7_9_0_shader_blocks);
+ }
+@@ -1348,14 +1348,14 @@ static void a7xx_get_registers(struct msm_gpu *gpu,
+ const u32 *pre_crashdumper_regs;
+ const struct gen7_reg_list *reglist;
+
+- if (adreno_is_a730(adreno_gpu)) {
++ if (adreno_gpu->info->family == ADRENO_7XX_GEN1) {
+ reglist = gen7_0_0_reg_list;
+ pre_crashdumper_regs = gen7_0_0_pre_crashdumper_gpu_registers;
+- } else if (adreno_is_a740_family(adreno_gpu)) {
++ } else if (adreno_gpu->info->family == ADRENO_7XX_GEN2) {
+ reglist = gen7_2_0_reg_list;
+ pre_crashdumper_regs = gen7_0_0_pre_crashdumper_gpu_registers;
+ } else {
+- BUG_ON(!adreno_is_a750(adreno_gpu));
++ BUG_ON(adreno_gpu->info->family != ADRENO_7XX_GEN3);
+ reglist = gen7_9_0_reg_list;
+ pre_crashdumper_regs = gen7_9_0_pre_crashdumper_gpu_registers;
+ }
+@@ -1405,8 +1405,7 @@ static void a7xx_get_post_crashdumper_registers(struct msm_gpu *gpu,
+ struct adreno_gpu *adreno_gpu = to_adreno_gpu(gpu);
+ const u32 *regs;
+
+- BUG_ON(!(adreno_is_a730(adreno_gpu) || adreno_is_a740_family(adreno_gpu) ||
+- adreno_is_a750(adreno_gpu)));
++ BUG_ON(adreno_gpu->info->family > ADRENO_7XX_GEN3);
+ regs = gen7_0_0_post_crashdumper_registers;
+
+ a7xx_get_ahb_gpu_registers(gpu,
+@@ -1514,11 +1513,11 @@ static void a7xx_get_indexed_registers(struct msm_gpu *gpu,
+ const struct a6xx_indexed_registers *indexed_regs;
+ int i, indexed_count, mempool_count;
+
+- if (adreno_is_a730(adreno_gpu) || adreno_is_a740_family(adreno_gpu)) {
++ if (adreno_gpu->info->family <= ADRENO_7XX_GEN2) {
+ indexed_regs = a7xx_indexed_reglist;
+ indexed_count = ARRAY_SIZE(a7xx_indexed_reglist);
+ } else {
+- BUG_ON(!adreno_is_a750(adreno_gpu));
++ BUG_ON(adreno_gpu->info->family != ADRENO_7XX_GEN3);
+ indexed_regs = gen7_9_0_cp_indexed_reg_list;
+ indexed_count = ARRAY_SIZE(gen7_9_0_cp_indexed_reg_list);
+ }
+--
+2.43.0
+
--- /dev/null
+From 551e8cb421011395d6002f489a1fe1a1ff219be1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2024 10:19:04 -0700
+Subject: drm/radeon/evergreen_cs: fix int overflow errors in cs track offsets
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+[ Upstream commit 3fbaf475a5b8361ebee7da18964db809e37518b7 ]
+
+Several cs track offsets (such as 'track->db_s_read_offset')
+either are initialized with or plainly take big enough values that,
+once shifted 8 bits left, may be hit with integer overflow if the
+resulting values end up going over u32 limit.
+
+Same goes for a few instances of 'surf.layer_size * mslice'
+multiplications that are added to 'offset' variable - they may
+potentially overflow as well and need to be validated properly.
+
+While some debug prints in this code section take possible overflow
+issues into account, simply casting to (unsigned long) may be
+erroneous in its own way, as depending on CPU architecture one is
+liable to get different results.
+
+Fix said problems by:
+ - casting 'offset' to fixed u64 data type instead of
+ ambiguous unsigned long.
+ - casting one of the operands in vulnerable to integer
+ overflow cases to u64.
+ - adjust format specifiers in debug prints to properly
+ represent 'offset' values.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: 285484e2d55e ("drm/radeon: add support for evergreen/ni tiling informations v11")
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/evergreen_cs.c | 62 +++++++++++++--------------
+ 1 file changed, 31 insertions(+), 31 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/evergreen_cs.c b/drivers/gpu/drm/radeon/evergreen_cs.c
+index e5577d2a19ef4..a466132833936 100644
+--- a/drivers/gpu/drm/radeon/evergreen_cs.c
++++ b/drivers/gpu/drm/radeon/evergreen_cs.c
+@@ -397,7 +397,7 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i
+ struct evergreen_cs_track *track = p->track;
+ struct eg_surface surf;
+ unsigned pitch, slice, mslice;
+- unsigned long offset;
++ u64 offset;
+ int r;
+
+ mslice = G_028C6C_SLICE_MAX(track->cb_color_view[id]) + 1;
+@@ -435,14 +435,14 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i
+ return r;
+ }
+
+- offset = track->cb_color_bo_offset[id] << 8;
++ offset = (u64)track->cb_color_bo_offset[id] << 8;
+ if (offset & (surf.base_align - 1)) {
+- dev_warn(p->dev, "%s:%d cb[%d] bo base %ld not aligned with %ld\n",
++ dev_warn(p->dev, "%s:%d cb[%d] bo base %llu not aligned with %ld\n",
+ __func__, __LINE__, id, offset, surf.base_align);
+ return -EINVAL;
+ }
+
+- offset += surf.layer_size * mslice;
++ offset += (u64)surf.layer_size * mslice;
+ if (offset > radeon_bo_size(track->cb_color_bo[id])) {
+ /* old ddx are broken they allocate bo with w*h*bpp but
+ * program slice with ALIGN(h, 8), catch this and patch
+@@ -450,14 +450,14 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i
+ */
+ if (!surf.mode) {
+ uint32_t *ib = p->ib.ptr;
+- unsigned long tmp, nby, bsize, size, min = 0;
++ u64 tmp, nby, bsize, size, min = 0;
+
+ /* find the height the ddx wants */
+ if (surf.nby > 8) {
+ min = surf.nby - 8;
+ }
+ bsize = radeon_bo_size(track->cb_color_bo[id]);
+- tmp = track->cb_color_bo_offset[id] << 8;
++ tmp = (u64)track->cb_color_bo_offset[id] << 8;
+ for (nby = surf.nby; nby > min; nby--) {
+ size = nby * surf.nbx * surf.bpe * surf.nsamples;
+ if ((tmp + size * mslice) <= bsize) {
+@@ -469,7 +469,7 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i
+ slice = ((nby * surf.nbx) / 64) - 1;
+ if (!evergreen_surface_check(p, &surf, "cb")) {
+ /* check if this one works */
+- tmp += surf.layer_size * mslice;
++ tmp += (u64)surf.layer_size * mslice;
+ if (tmp <= bsize) {
+ ib[track->cb_color_slice_idx[id]] = slice;
+ goto old_ddx_ok;
+@@ -478,9 +478,9 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i
+ }
+ }
+ dev_warn(p->dev, "%s:%d cb[%d] bo too small (layer size %d, "
+- "offset %d, max layer %d, bo size %ld, slice %d)\n",
++ "offset %llu, max layer %d, bo size %ld, slice %d)\n",
+ __func__, __LINE__, id, surf.layer_size,
+- track->cb_color_bo_offset[id] << 8, mslice,
++ (u64)track->cb_color_bo_offset[id] << 8, mslice,
+ radeon_bo_size(track->cb_color_bo[id]), slice);
+ dev_warn(p->dev, "%s:%d problematic surf: (%d %d) (%d %d %d %d %d %d %d)\n",
+ __func__, __LINE__, surf.nbx, surf.nby,
+@@ -564,7 +564,7 @@ static int evergreen_cs_track_validate_stencil(struct radeon_cs_parser *p)
+ struct evergreen_cs_track *track = p->track;
+ struct eg_surface surf;
+ unsigned pitch, slice, mslice;
+- unsigned long offset;
++ u64 offset;
+ int r;
+
+ mslice = G_028008_SLICE_MAX(track->db_depth_view) + 1;
+@@ -610,18 +610,18 @@ static int evergreen_cs_track_validate_stencil(struct radeon_cs_parser *p)
+ return r;
+ }
+
+- offset = track->db_s_read_offset << 8;
++ offset = (u64)track->db_s_read_offset << 8;
+ if (offset & (surf.base_align - 1)) {
+- dev_warn(p->dev, "%s:%d stencil read bo base %ld not aligned with %ld\n",
++ dev_warn(p->dev, "%s:%d stencil read bo base %llu not aligned with %ld\n",
+ __func__, __LINE__, offset, surf.base_align);
+ return -EINVAL;
+ }
+- offset += surf.layer_size * mslice;
++ offset += (u64)surf.layer_size * mslice;
+ if (offset > radeon_bo_size(track->db_s_read_bo)) {
+ dev_warn(p->dev, "%s:%d stencil read bo too small (layer size %d, "
+- "offset %ld, max layer %d, bo size %ld)\n",
++ "offset %llu, max layer %d, bo size %ld)\n",
+ __func__, __LINE__, surf.layer_size,
+- (unsigned long)track->db_s_read_offset << 8, mslice,
++ (u64)track->db_s_read_offset << 8, mslice,
+ radeon_bo_size(track->db_s_read_bo));
+ dev_warn(p->dev, "%s:%d stencil invalid (0x%08x 0x%08x 0x%08x 0x%08x)\n",
+ __func__, __LINE__, track->db_depth_size,
+@@ -629,18 +629,18 @@ static int evergreen_cs_track_validate_stencil(struct radeon_cs_parser *p)
+ return -EINVAL;
+ }
+
+- offset = track->db_s_write_offset << 8;
++ offset = (u64)track->db_s_write_offset << 8;
+ if (offset & (surf.base_align - 1)) {
+- dev_warn(p->dev, "%s:%d stencil write bo base %ld not aligned with %ld\n",
++ dev_warn(p->dev, "%s:%d stencil write bo base %llu not aligned with %ld\n",
+ __func__, __LINE__, offset, surf.base_align);
+ return -EINVAL;
+ }
+- offset += surf.layer_size * mslice;
++ offset += (u64)surf.layer_size * mslice;
+ if (offset > radeon_bo_size(track->db_s_write_bo)) {
+ dev_warn(p->dev, "%s:%d stencil write bo too small (layer size %d, "
+- "offset %ld, max layer %d, bo size %ld)\n",
++ "offset %llu, max layer %d, bo size %ld)\n",
+ __func__, __LINE__, surf.layer_size,
+- (unsigned long)track->db_s_write_offset << 8, mslice,
++ (u64)track->db_s_write_offset << 8, mslice,
+ radeon_bo_size(track->db_s_write_bo));
+ return -EINVAL;
+ }
+@@ -661,7 +661,7 @@ static int evergreen_cs_track_validate_depth(struct radeon_cs_parser *p)
+ struct evergreen_cs_track *track = p->track;
+ struct eg_surface surf;
+ unsigned pitch, slice, mslice;
+- unsigned long offset;
++ u64 offset;
+ int r;
+
+ mslice = G_028008_SLICE_MAX(track->db_depth_view) + 1;
+@@ -708,34 +708,34 @@ static int evergreen_cs_track_validate_depth(struct radeon_cs_parser *p)
+ return r;
+ }
+
+- offset = track->db_z_read_offset << 8;
++ offset = (u64)track->db_z_read_offset << 8;
+ if (offset & (surf.base_align - 1)) {
+- dev_warn(p->dev, "%s:%d stencil read bo base %ld not aligned with %ld\n",
++ dev_warn(p->dev, "%s:%d stencil read bo base %llu not aligned with %ld\n",
+ __func__, __LINE__, offset, surf.base_align);
+ return -EINVAL;
+ }
+- offset += surf.layer_size * mslice;
++ offset += (u64)surf.layer_size * mslice;
+ if (offset > radeon_bo_size(track->db_z_read_bo)) {
+ dev_warn(p->dev, "%s:%d depth read bo too small (layer size %d, "
+- "offset %ld, max layer %d, bo size %ld)\n",
++ "offset %llu, max layer %d, bo size %ld)\n",
+ __func__, __LINE__, surf.layer_size,
+- (unsigned long)track->db_z_read_offset << 8, mslice,
++ (u64)track->db_z_read_offset << 8, mslice,
+ radeon_bo_size(track->db_z_read_bo));
+ return -EINVAL;
+ }
+
+- offset = track->db_z_write_offset << 8;
++ offset = (u64)track->db_z_write_offset << 8;
+ if (offset & (surf.base_align - 1)) {
+- dev_warn(p->dev, "%s:%d stencil write bo base %ld not aligned with %ld\n",
++ dev_warn(p->dev, "%s:%d stencil write bo base %llu not aligned with %ld\n",
+ __func__, __LINE__, offset, surf.base_align);
+ return -EINVAL;
+ }
+- offset += surf.layer_size * mslice;
++ offset += (u64)surf.layer_size * mslice;
+ if (offset > radeon_bo_size(track->db_z_write_bo)) {
+ dev_warn(p->dev, "%s:%d depth write bo too small (layer size %d, "
+- "offset %ld, max layer %d, bo size %ld)\n",
++ "offset %llu, max layer %d, bo size %ld)\n",
+ __func__, __LINE__, surf.layer_size,
+- (unsigned long)track->db_z_write_offset << 8, mslice,
++ (u64)track->db_z_write_offset << 8, mslice,
+ radeon_bo_size(track->db_z_write_bo));
+ return -EINVAL;
+ }
+--
+2.43.0
+
--- /dev/null
+From eb5af15c9d091f9a9eab4365a97796ef52be4e9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jul 2024 13:31:58 -0400
+Subject: drm/radeon: properly handle vbios fake edid sizing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+[ Upstream commit 17c6baff3d5f65c8da164137a58742541a060b2f ]
+
+The comment in the vbios structure says:
+// = 128 means EDID length is 128 bytes, otherwise the EDID length = ucFakeEDIDLength*128
+
+This fake edid struct has not been used in a long time, so I'm
+not sure if there were actually any boards out there with a non-128 byte
+EDID, but align the code with the comment.
+
+Reviewed-by: Thomas Weißschuh <linux@weissschuh.net>
+Reported-by: Thomas Weißschuh <linux@weissschuh.net>
+Link: https://lists.freedesktop.org/archives/amd-gfx/2024-June/109964.html
+Fixes: c324acd5032f ("drm/radeon/kms: parse the extended LCD info block")
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_atombios.c | 29 +++++++++++++-----------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c
+index 10793a433bf58..d698a899eaf4c 100644
+--- a/drivers/gpu/drm/radeon/radeon_atombios.c
++++ b/drivers/gpu/drm/radeon/radeon_atombios.c
+@@ -1717,26 +1717,29 @@ struct radeon_encoder_atom_dig *radeon_atombios_get_lvds_info(struct
+ fake_edid_record = (ATOM_FAKE_EDID_PATCH_RECORD *)record;
+ if (fake_edid_record->ucFakeEDIDLength) {
+ struct edid *edid;
+- int edid_size =
+- max((int)EDID_LENGTH, (int)fake_edid_record->ucFakeEDIDLength);
+- edid = kmalloc(edid_size, GFP_KERNEL);
++ int edid_size;
++
++ if (fake_edid_record->ucFakeEDIDLength == 128)
++ edid_size = fake_edid_record->ucFakeEDIDLength;
++ else
++ edid_size = fake_edid_record->ucFakeEDIDLength * 128;
++ edid = kmemdup(&fake_edid_record->ucFakeEDIDString[0],
++ edid_size, GFP_KERNEL);
+ if (edid) {
+- memcpy((u8 *)edid, (u8 *)&fake_edid_record->ucFakeEDIDString[0],
+- fake_edid_record->ucFakeEDIDLength);
+-
+ if (drm_edid_is_valid(edid)) {
+ rdev->mode_info.bios_hardcoded_edid = edid;
+ rdev->mode_info.bios_hardcoded_edid_size = edid_size;
+- } else
++ } else {
+ kfree(edid);
++ }
+ }
++ record += struct_size(fake_edid_record,
++ ucFakeEDIDString,
++ edid_size);
++ } else {
++ /* empty fake edid record must be 3 bytes long */
++ record += sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1;
+ }
+- record += fake_edid_record->ucFakeEDIDLength ?
+- struct_size(fake_edid_record,
+- ucFakeEDIDString,
+- fake_edid_record->ucFakeEDIDLength) :
+- /* empty fake edid record must be 3 bytes long */
+- sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1;
+ break;
+ case LCD_PANEL_RESOLUTION_RECORD_TYPE:
+ panel_res_record = (ATOM_PANEL_RESOLUTION_PATCH_RECORD *)record;
+--
+2.43.0
+
--- /dev/null
+From 774dfd79fde1c890f43363b58a2b6967ff1500fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Jun 2024 17:03:55 +0000
+Subject: drm/rockchip: dw_hdmi: Fix reading EDID when using a forced mode
+
+From: Jonas Karlman <jonas@kwiboo.se>
+
+[ Upstream commit a5d024541ec466f428e6c514577d511a40779c7b ]
+
+EDID cannot be read on RK3328 until after read_hpd has been called and
+correct io voltage has been configured based on connection status.
+
+When a forced mode is used, e.g. video=1920x1080@60e, the connector
+detect ops, that in turn normally calls the read_hpd, never gets called.
+
+This result in reading EDID to fail in connector get_modes ops.
+
+Call dw_hdmi_rk3328_read_hpd at end of dw_hdmi_rk3328_setup_hpd to
+correct io voltage and allow reading EDID after setup_hpd.
+
+Fixes: 1c53ba8f22a1 ("drm/rockchip: dw_hdmi: add dw-hdmi support for the rk3328")
+Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240615170417.3134517-5-jonas@kwiboo.se
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c b/drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c
+index fe33092abbe7d..aae48e906af11 100644
+--- a/drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c
++++ b/drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c
+@@ -434,6 +434,8 @@ static void dw_hdmi_rk3328_setup_hpd(struct dw_hdmi *dw_hdmi, void *data)
+ HIWORD_UPDATE(RK3328_HDMI_SDAIN_MSK | RK3328_HDMI_SCLIN_MSK,
+ RK3328_HDMI_SDAIN_MSK | RK3328_HDMI_SCLIN_MSK |
+ RK3328_HDMI_HPD_IOE));
++
++ dw_hdmi_rk3328_read_hpd(dw_hdmi, data);
+ }
+
+ static const struct dw_hdmi_phy_ops rk3228_hdmi_phy_ops = {
+--
+2.43.0
+
--- /dev/null
+From e44d6f56c440ca87ad9967bd3def0a5f000eb9c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Jun 2024 17:03:54 +0000
+Subject: drm/rockchip: vop: Allow 4096px width scaling
+
+From: Alex Bee <knaerzche@gmail.com>
+
+[ Upstream commit 0ef968d91a20b5da581839f093f98f7a03a804f7 ]
+
+There is no reason to limit VOP scaling to 3840px width, the limit of
+RK3288, when there are newer VOP versions that support 4096px width.
+
+Change to enforce a maximum of 4096px width plane scaling, the maximum
+supported output width of the VOP versions supported by this driver.
+
+Fixes: 4c156c21c794 ("drm/rockchip: vop: support plane scale")
+Signed-off-by: Alex Bee <knaerzche@gmail.com>
+Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240615170417.3134517-4-jonas@kwiboo.se
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
+index a13473b2d54c4..4a9c6ea7f15dc 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
+@@ -396,8 +396,8 @@ static void scl_vop_cal_scl_fac(struct vop *vop, const struct vop_win_data *win,
+ if (info->is_yuv)
+ is_yuv = true;
+
+- if (dst_w > 3840) {
+- DRM_DEV_ERROR(vop->dev, "Maximum dst width (3840) exceeded\n");
++ if (dst_w > 4096) {
++ DRM_DEV_ERROR(vop->dev, "Maximum dst width (4096) exceeded\n");
+ return;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From b92a10ae8595ea6fdcf107848d873927ceef4b04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Jan 2024 17:54:32 +0100
+Subject: drm/stm: Fix an error handling path in stm_drm_platform_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit ce7c90bfda2656418c69ba0dd8f8a7536b8928d4 ]
+
+If drm_dev_register() fails, a call to drv_load() must be undone, as
+already done in the remove function.
+
+Fixes: b759012c5fa7 ("drm/stm: Add STM32 LTDC driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20fff7f853f20a48a96db8ff186124470ec4d976.1704560028.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/stm/drv.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c
+index e8523abef27a5..4d2db079ad4ff 100644
+--- a/drivers/gpu/drm/stm/drv.c
++++ b/drivers/gpu/drm/stm/drv.c
+@@ -203,12 +203,14 @@ static int stm_drm_platform_probe(struct platform_device *pdev)
+
+ ret = drm_dev_register(ddev, 0);
+ if (ret)
+- goto err_put;
++ goto err_unload;
+
+ drm_fbdev_dma_setup(ddev, 16);
+
+ return 0;
+
++err_unload:
++ drv_unload(ddev);
+ err_put:
+ drm_dev_put(ddev);
+
+--
+2.43.0
+
--- /dev/null
+From 742a0d40a9243627e518c38c5f9fb6d607d3a4dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 May 2023 10:28:54 +0300
+Subject: drm/stm: ltdc: check memory returned by devm_kzalloc()
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+[ Upstream commit fd39730c58890cd7f0a594231e19bb357f28877c ]
+
+devm_kzalloc() can fail and return NULL pointer. Check its return status.
+Identified with Coccinelle (kmerr.cocci script).
+
+Fixes: 484e72d3146b ("drm/stm: ltdc: add support of ycbcr pixel formats")
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Acked-by: Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230531072854.142629-1-claudiu.beznea@microchip.com
+Signed-off-by: Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/stm/ltdc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/stm/ltdc.c b/drivers/gpu/drm/stm/ltdc.c
+index 5576fdae49623..5aec1e58c968c 100644
+--- a/drivers/gpu/drm/stm/ltdc.c
++++ b/drivers/gpu/drm/stm/ltdc.c
+@@ -1580,6 +1580,8 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
+ ARRAY_SIZE(ltdc_drm_fmt_ycbcr_sp) +
+ ARRAY_SIZE(ltdc_drm_fmt_ycbcr_fp)) *
+ sizeof(*formats), GFP_KERNEL);
++ if (!formats)
++ return NULL;
+
+ for (i = 0; i < ldev->caps.pix_fmt_nb; i++) {
+ drm_fmt = ldev->caps.pix_fmt_drm[i];
+--
+2.43.0
+
--- /dev/null
+From e43ec71e335ba0b3de8a8d51bcb348c3ce5d4265 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 23:40:45 +0200
+Subject: drm/vc4: hdmi: Handle error case of pm_runtime_resume_and_get
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stefan Wahren <wahrenst@gmx.net>
+
+[ Upstream commit f1a54e860b1bc8d824925b5a77f510913880e8d6 ]
+
+The commit 0f5251339eda ("drm/vc4: hdmi: Make sure the controller is
+powered in detect") introduced the necessary power management handling
+to avoid register access while controller is powered down.
+Unfortunately it just print a warning if pm_runtime_resume_and_get()
+fails and proceed anyway.
+
+This could happen during suspend to idle. So we must assume it is unsafe
+to access the HDMI register. So bail out properly.
+
+Fixes: 0f5251339eda ("drm/vc4: hdmi: Make sure the controller is powered in detect")
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Reviewed-by: Maíra Canal <mcanal@igalia.com>
+Acked-by: Maxime Ripard <mripard@kernel.org>
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240821214052.6800-3-wahrenst@gmx.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_hdmi.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c
+index d57c4a5948c89..cb424604484f1 100644
+--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
+@@ -429,6 +429,7 @@ static int vc4_hdmi_connector_detect_ctx(struct drm_connector *connector,
+ {
+ struct vc4_hdmi *vc4_hdmi = connector_to_vc4_hdmi(connector);
+ enum drm_connector_status status = connector_status_disconnected;
++ int ret;
+
+ /*
+ * NOTE: This function should really take vc4_hdmi->mutex, but
+@@ -441,7 +442,12 @@ static int vc4_hdmi_connector_detect_ctx(struct drm_connector *connector,
+ * the lock for now.
+ */
+
+- WARN_ON(pm_runtime_resume_and_get(&vc4_hdmi->pdev->dev));
++ ret = pm_runtime_resume_and_get(&vc4_hdmi->pdev->dev);
++ if (ret) {
++ drm_err_once(connector->dev, "Failed to retain HDMI power domain: %d\n",
++ ret);
++ return connector_status_unknown;
++ }
+
+ if (vc4_hdmi->hpd_gpio) {
+ if (gpiod_get_value_cansleep(vc4_hdmi->hpd_gpio))
+--
+2.43.0
+
--- /dev/null
+From efea4de265fabca31978727d3d279dd5d5c41508 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Sep 2024 07:42:27 +0300
+Subject: drm/xe: fix missing 'xe_vm_put'
+
+From: Dafna Hirschfeld <dhirschfeld@habana.ai>
+
+[ Upstream commit 2efba0c095419f93f8913f1cbae8bf3fb030db20 ]
+
+Fix memleak caused by missing xe_vm_put
+
+Fixes: 852856e3b6f6 ("drm/xe: Use reserved copy engine for user binds on faulting devices")
+Signed-off-by: Dafna Hirschfeld <dhirschfeld@habana.ai>
+Reviewed-by: Nirmoy Das <nirmoy.das@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240901044227.1177211-1-dhirschfeld@habana.ai
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+(cherry picked from commit 249df8cbecf0ab4877eab66cae857748631831a9)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_exec_queue.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_exec_queue.c b/drivers/gpu/drm/xe/xe_exec_queue.c
+index c2953ddbd16e1..d0bbb1d9b1ac1 100644
+--- a/drivers/gpu/drm/xe/xe_exec_queue.c
++++ b/drivers/gpu/drm/xe/xe_exec_queue.c
+@@ -221,8 +221,10 @@ struct xe_exec_queue *xe_exec_queue_create_bind(struct xe_device *xe,
+ gt->usm.reserved_bcs_instance,
+ false);
+
+- if (!hwe)
++ if (!hwe) {
++ xe_vm_put(migrate_vm);
+ return ERR_PTR(-EINVAL);
++ }
+
+ q = xe_exec_queue_create(xe, migrate_vm,
+ BIT(hwe->logical_instance), 1, hwe,
+--
+2.43.0
+
--- /dev/null
+From 6e17e02b03e72ddf4e4b0d1f83a6f8b77cd888cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 16:01:52 +0300
+Subject: drm/xe: Move and export xe_hw_engine lookup.
+
+From: Dominik Grzegorzek <dominik.grzegorzek@intel.com>
+
+[ Upstream commit 6f20fc09936e786a4ba18f5514fe185e0451ada9 ]
+
+Move and export xe_hw_engine lookup. This is in preparation
+to use this in eudebug code where we want to find active
+engine.
+
+v2: s/tile/gt due to uapi changes (Mika)
+
+Signed-off-by: Dominik Grzegorzek <dominik.grzegorzek@intel.com>
+Signed-off-by: Mika Kuoppala <mika.kuoppala@linux.intel.com>
+Reviewed-by: Matthew Brost <matthew.brost@intel.com>
+Signed-off-by: Matthew Brost <matthew.brost@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240729130152.100130-1-mika.kuoppala@linux.intel.com
+Stable-dep-of: 852856e3b6f6 ("drm/xe: Use reserved copy engine for user binds on faulting devices")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_exec_queue.c | 37 ++++--------------------------
+ drivers/gpu/drm/xe/xe_hw_engine.c | 31 +++++++++++++++++++++++++
+ drivers/gpu/drm/xe/xe_hw_engine.h | 7 ++++++
+ 3 files changed, 42 insertions(+), 33 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_exec_queue.c b/drivers/gpu/drm/xe/xe_exec_queue.c
+index 9731dcd0b1bde..ddc22a8d9bf5f 100644
+--- a/drivers/gpu/drm/xe/xe_exec_queue.c
++++ b/drivers/gpu/drm/xe/xe_exec_queue.c
+@@ -418,34 +418,6 @@ static int exec_queue_user_extensions(struct xe_device *xe, struct xe_exec_queue
+ return 0;
+ }
+
+-static const enum xe_engine_class user_to_xe_engine_class[] = {
+- [DRM_XE_ENGINE_CLASS_RENDER] = XE_ENGINE_CLASS_RENDER,
+- [DRM_XE_ENGINE_CLASS_COPY] = XE_ENGINE_CLASS_COPY,
+- [DRM_XE_ENGINE_CLASS_VIDEO_DECODE] = XE_ENGINE_CLASS_VIDEO_DECODE,
+- [DRM_XE_ENGINE_CLASS_VIDEO_ENHANCE] = XE_ENGINE_CLASS_VIDEO_ENHANCE,
+- [DRM_XE_ENGINE_CLASS_COMPUTE] = XE_ENGINE_CLASS_COMPUTE,
+-};
+-
+-static struct xe_hw_engine *
+-find_hw_engine(struct xe_device *xe,
+- struct drm_xe_engine_class_instance eci)
+-{
+- u32 idx;
+-
+- if (eci.engine_class >= ARRAY_SIZE(user_to_xe_engine_class))
+- return NULL;
+-
+- if (eci.gt_id >= xe->info.gt_count)
+- return NULL;
+-
+- idx = array_index_nospec(eci.engine_class,
+- ARRAY_SIZE(user_to_xe_engine_class));
+-
+- return xe_gt_hw_engine(xe_device_get_gt(xe, eci.gt_id),
+- user_to_xe_engine_class[idx],
+- eci.engine_instance, true);
+-}
+-
+ static u32 bind_exec_queue_logical_mask(struct xe_device *xe, struct xe_gt *gt,
+ struct drm_xe_engine_class_instance *eci,
+ u16 width, u16 num_placements)
+@@ -467,8 +439,7 @@ static u32 bind_exec_queue_logical_mask(struct xe_device *xe, struct xe_gt *gt,
+ if (xe_hw_engine_is_reserved(hwe))
+ continue;
+
+- if (hwe->class ==
+- user_to_xe_engine_class[DRM_XE_ENGINE_CLASS_COPY])
++ if (hwe->class == XE_ENGINE_CLASS_COPY)
+ logical_mask |= BIT(hwe->logical_instance);
+ }
+
+@@ -497,7 +468,7 @@ static u32 calc_validate_logical_mask(struct xe_device *xe, struct xe_gt *gt,
+
+ n = j * width + i;
+
+- hwe = find_hw_engine(xe, eci[n]);
++ hwe = xe_hw_engine_lookup(xe, eci[n]);
+ if (XE_IOCTL_DBG(xe, !hwe))
+ return 0;
+
+@@ -576,7 +547,7 @@ int xe_exec_queue_create_ioctl(struct drm_device *dev, void *data,
+ if (XE_IOCTL_DBG(xe, !logical_mask))
+ return -EINVAL;
+
+- hwe = find_hw_engine(xe, eci[0]);
++ hwe = xe_hw_engine_lookup(xe, eci[0]);
+ if (XE_IOCTL_DBG(xe, !hwe))
+ return -EINVAL;
+
+@@ -613,7 +584,7 @@ int xe_exec_queue_create_ioctl(struct drm_device *dev, void *data,
+ if (XE_IOCTL_DBG(xe, !logical_mask))
+ return -EINVAL;
+
+- hwe = find_hw_engine(xe, eci[0]);
++ hwe = xe_hw_engine_lookup(xe, eci[0]);
+ if (XE_IOCTL_DBG(xe, !hwe))
+ return -EINVAL;
+
+diff --git a/drivers/gpu/drm/xe/xe_hw_engine.c b/drivers/gpu/drm/xe/xe_hw_engine.c
+index 07ed9fd28f195..00ace5fcc284e 100644
+--- a/drivers/gpu/drm/xe/xe_hw_engine.c
++++ b/drivers/gpu/drm/xe/xe_hw_engine.c
+@@ -5,7 +5,10 @@
+
+ #include "xe_hw_engine.h"
+
++#include <linux/nospec.h>
++
+ #include <drm/drm_managed.h>
++#include <drm/xe_drm.h>
+
+ #include "regs/xe_engine_regs.h"
+ #include "regs/xe_gt_regs.h"
+@@ -1135,3 +1138,31 @@ enum xe_force_wake_domains xe_hw_engine_to_fw_domain(struct xe_hw_engine *hwe)
+ {
+ return engine_infos[hwe->engine_id].domain;
+ }
++
++static const enum xe_engine_class user_to_xe_engine_class[] = {
++ [DRM_XE_ENGINE_CLASS_RENDER] = XE_ENGINE_CLASS_RENDER,
++ [DRM_XE_ENGINE_CLASS_COPY] = XE_ENGINE_CLASS_COPY,
++ [DRM_XE_ENGINE_CLASS_VIDEO_DECODE] = XE_ENGINE_CLASS_VIDEO_DECODE,
++ [DRM_XE_ENGINE_CLASS_VIDEO_ENHANCE] = XE_ENGINE_CLASS_VIDEO_ENHANCE,
++ [DRM_XE_ENGINE_CLASS_COMPUTE] = XE_ENGINE_CLASS_COMPUTE,
++};
++
++struct xe_hw_engine *
++xe_hw_engine_lookup(struct xe_device *xe,
++ struct drm_xe_engine_class_instance eci)
++{
++ unsigned int idx;
++
++ if (eci.engine_class > ARRAY_SIZE(user_to_xe_engine_class))
++ return NULL;
++
++ if (eci.gt_id >= xe->info.gt_count)
++ return NULL;
++
++ idx = array_index_nospec(eci.engine_class,
++ ARRAY_SIZE(user_to_xe_engine_class));
++
++ return xe_gt_hw_engine(xe_device_get_gt(xe, eci.gt_id),
++ user_to_xe_engine_class[idx],
++ eci.engine_instance, true);
++}
+diff --git a/drivers/gpu/drm/xe/xe_hw_engine.h b/drivers/gpu/drm/xe/xe_hw_engine.h
+index 900c8c9914303..d227ffe557ebf 100644
+--- a/drivers/gpu/drm/xe/xe_hw_engine.h
++++ b/drivers/gpu/drm/xe/xe_hw_engine.h
+@@ -9,6 +9,8 @@
+ #include "xe_hw_engine_types.h"
+
+ struct drm_printer;
++struct drm_xe_engine_class_instance;
++struct xe_device;
+
+ #ifdef CONFIG_DRM_XE_JOB_TIMEOUT_MIN
+ #define XE_HW_ENGINE_JOB_TIMEOUT_MIN CONFIG_DRM_XE_JOB_TIMEOUT_MIN
+@@ -62,6 +64,11 @@ void xe_hw_engine_print(struct xe_hw_engine *hwe, struct drm_printer *p);
+ void xe_hw_engine_setup_default_lrc_state(struct xe_hw_engine *hwe);
+
+ bool xe_hw_engine_is_reserved(struct xe_hw_engine *hwe);
++
++struct xe_hw_engine *
++xe_hw_engine_lookup(struct xe_device *xe,
++ struct drm_xe_engine_class_instance eci);
++
+ static inline bool xe_hw_engine_is_valid(struct xe_hw_engine *hwe)
+ {
+ return hwe->name;
+--
+2.43.0
+
--- /dev/null
+From ba2cc06fec25f826054acf7dac2694cf27b7cffc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Aug 2024 20:40:33 -0700
+Subject: drm/xe: Use reserved copy engine for user binds on faulting devices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthew Brost <matthew.brost@intel.com>
+
+[ Upstream commit 852856e3b6f679c694dd5ec41e5a3c11aa46640b ]
+
+User binds map to engines with can fault, faults depend on user binds
+completion, thus we can deadlock. Avoid this by using reserved copy
+engine for user binds on faulting devices.
+
+While we are here, normalize bind queue creation with a helper.
+
+v2:
+ - Pass in extensions to bind queue creation (CI)
+v3:
+ - s/resevered/reserved (Lucas)
+ - Fix NULL hwe check (Jonathan)
+
+Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
+Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Signed-off-by: Matthew Brost <matthew.brost@intel.com>
+Reviewed-by: Jonathan Cavitt <jonathan.cavitt@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240816034033.53837-1-matthew.brost@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_exec_queue.c | 122 +++++++++++++++--------------
+ drivers/gpu/drm/xe/xe_exec_queue.h | 6 +-
+ drivers/gpu/drm/xe/xe_migrate.c | 2 +-
+ drivers/gpu/drm/xe/xe_vm.c | 8 +-
+ 4 files changed, 70 insertions(+), 68 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_exec_queue.c b/drivers/gpu/drm/xe/xe_exec_queue.c
+index ddc22a8d9bf5f..c2953ddbd16e1 100644
+--- a/drivers/gpu/drm/xe/xe_exec_queue.c
++++ b/drivers/gpu/drm/xe/xe_exec_queue.c
+@@ -166,7 +166,8 @@ struct xe_exec_queue *xe_exec_queue_create(struct xe_device *xe, struct xe_vm *v
+
+ struct xe_exec_queue *xe_exec_queue_create_class(struct xe_device *xe, struct xe_gt *gt,
+ struct xe_vm *vm,
+- enum xe_engine_class class, u32 flags)
++ enum xe_engine_class class,
++ u32 flags, u64 extensions)
+ {
+ struct xe_hw_engine *hwe, *hwe0 = NULL;
+ enum xe_hw_engine_id id;
+@@ -186,7 +187,54 @@ struct xe_exec_queue *xe_exec_queue_create_class(struct xe_device *xe, struct xe
+ if (!logical_mask)
+ return ERR_PTR(-ENODEV);
+
+- return xe_exec_queue_create(xe, vm, logical_mask, 1, hwe0, flags, 0);
++ return xe_exec_queue_create(xe, vm, logical_mask, 1, hwe0, flags, extensions);
++}
++
++/**
++ * xe_exec_queue_create_bind() - Create bind exec queue.
++ * @xe: Xe device.
++ * @tile: tile which bind exec queue belongs to.
++ * @flags: exec queue creation flags
++ * @extensions: exec queue creation extensions
++ *
++ * Normalize bind exec queue creation. Bind exec queue is tied to migration VM
++ * for access to physical memory required for page table programming. On a
++ * faulting devices the reserved copy engine instance must be used to avoid
++ * deadlocking (user binds cannot get stuck behind faults as kernel binds which
++ * resolve faults depend on user binds). On non-faulting devices any copy engine
++ * can be used.
++ *
++ * Returns exec queue on success, ERR_PTR on failure
++ */
++struct xe_exec_queue *xe_exec_queue_create_bind(struct xe_device *xe,
++ struct xe_tile *tile,
++ u32 flags, u64 extensions)
++{
++ struct xe_gt *gt = tile->primary_gt;
++ struct xe_exec_queue *q;
++ struct xe_vm *migrate_vm;
++
++ migrate_vm = xe_migrate_get_vm(tile->migrate);
++ if (xe->info.has_usm) {
++ struct xe_hw_engine *hwe = xe_gt_hw_engine(gt,
++ XE_ENGINE_CLASS_COPY,
++ gt->usm.reserved_bcs_instance,
++ false);
++
++ if (!hwe)
++ return ERR_PTR(-EINVAL);
++
++ q = xe_exec_queue_create(xe, migrate_vm,
++ BIT(hwe->logical_instance), 1, hwe,
++ flags, extensions);
++ } else {
++ q = xe_exec_queue_create_class(xe, gt, migrate_vm,
++ XE_ENGINE_CLASS_COPY, flags,
++ extensions);
++ }
++ xe_vm_put(migrate_vm);
++
++ return q;
+ }
+
+ void xe_exec_queue_destroy(struct kref *ref)
+@@ -418,34 +466,6 @@ static int exec_queue_user_extensions(struct xe_device *xe, struct xe_exec_queue
+ return 0;
+ }
+
+-static u32 bind_exec_queue_logical_mask(struct xe_device *xe, struct xe_gt *gt,
+- struct drm_xe_engine_class_instance *eci,
+- u16 width, u16 num_placements)
+-{
+- struct xe_hw_engine *hwe;
+- enum xe_hw_engine_id id;
+- u32 logical_mask = 0;
+-
+- if (XE_IOCTL_DBG(xe, width != 1))
+- return 0;
+- if (XE_IOCTL_DBG(xe, num_placements != 1))
+- return 0;
+- if (XE_IOCTL_DBG(xe, eci[0].engine_instance != 0))
+- return 0;
+-
+- eci[0].engine_class = DRM_XE_ENGINE_CLASS_COPY;
+-
+- for_each_hw_engine(hwe, gt, id) {
+- if (xe_hw_engine_is_reserved(hwe))
+- continue;
+-
+- if (hwe->class == XE_ENGINE_CLASS_COPY)
+- logical_mask |= BIT(hwe->logical_instance);
+- }
+-
+- return logical_mask;
+-}
+-
+ static u32 calc_validate_logical_mask(struct xe_device *xe, struct xe_gt *gt,
+ struct drm_xe_engine_class_instance *eci,
+ u16 width, u16 num_placements)
+@@ -507,8 +527,9 @@ int xe_exec_queue_create_ioctl(struct drm_device *dev, void *data,
+ struct drm_xe_engine_class_instance __user *user_eci =
+ u64_to_user_ptr(args->instances);
+ struct xe_hw_engine *hwe;
+- struct xe_vm *vm, *migrate_vm;
++ struct xe_vm *vm;
+ struct xe_gt *gt;
++ struct xe_tile *tile;
+ struct xe_exec_queue *q = NULL;
+ u32 logical_mask;
+ u32 id;
+@@ -533,37 +554,20 @@ int xe_exec_queue_create_ioctl(struct drm_device *dev, void *data,
+ return -EINVAL;
+
+ if (eci[0].engine_class == DRM_XE_ENGINE_CLASS_VM_BIND) {
+- for_each_gt(gt, xe, id) {
+- struct xe_exec_queue *new;
+- u32 flags;
+-
+- if (xe_gt_is_media_type(gt))
+- continue;
+-
+- eci[0].gt_id = gt->info.id;
+- logical_mask = bind_exec_queue_logical_mask(xe, gt, eci,
+- args->width,
+- args->num_placements);
+- if (XE_IOCTL_DBG(xe, !logical_mask))
+- return -EINVAL;
+-
+- hwe = xe_hw_engine_lookup(xe, eci[0]);
+- if (XE_IOCTL_DBG(xe, !hwe))
+- return -EINVAL;
+-
+- /* The migration vm doesn't hold rpm ref */
+- xe_pm_runtime_get_noresume(xe);
+-
+- flags = EXEC_QUEUE_FLAG_VM | (id ? EXEC_QUEUE_FLAG_BIND_ENGINE_CHILD : 0);
++ if (XE_IOCTL_DBG(xe, args->width != 1) ||
++ XE_IOCTL_DBG(xe, args->num_placements != 1) ||
++ XE_IOCTL_DBG(xe, eci[0].engine_instance != 0))
++ return -EINVAL;
+
+- migrate_vm = xe_migrate_get_vm(gt_to_tile(gt)->migrate);
+- new = xe_exec_queue_create(xe, migrate_vm, logical_mask,
+- args->width, hwe, flags,
+- args->extensions);
++ for_each_tile(tile, xe, id) {
++ struct xe_exec_queue *new;
++ u32 flags = EXEC_QUEUE_FLAG_VM;
+
+- xe_pm_runtime_put(xe); /* now held by engine */
++ if (id)
++ flags |= EXEC_QUEUE_FLAG_BIND_ENGINE_CHILD;
+
+- xe_vm_put(migrate_vm);
++ new = xe_exec_queue_create_bind(xe, tile, flags,
++ args->extensions);
+ if (IS_ERR(new)) {
+ err = PTR_ERR(new);
+ if (q)
+diff --git a/drivers/gpu/drm/xe/xe_exec_queue.h b/drivers/gpu/drm/xe/xe_exec_queue.h
+index 289a3a51d2a21..f4ba8897763f8 100644
+--- a/drivers/gpu/drm/xe/xe_exec_queue.h
++++ b/drivers/gpu/drm/xe/xe_exec_queue.h
+@@ -20,7 +20,11 @@ struct xe_exec_queue *xe_exec_queue_create(struct xe_device *xe, struct xe_vm *v
+ u64 extensions);
+ struct xe_exec_queue *xe_exec_queue_create_class(struct xe_device *xe, struct xe_gt *gt,
+ struct xe_vm *vm,
+- enum xe_engine_class class, u32 flags);
++ enum xe_engine_class class,
++ u32 flags, u64 extensions);
++struct xe_exec_queue *xe_exec_queue_create_bind(struct xe_device *xe,
++ struct xe_tile *tile,
++ u32 flags, u64 extensions);
+
+ void xe_exec_queue_fini(struct xe_exec_queue *q);
+ void xe_exec_queue_destroy(struct kref *ref);
+diff --git a/drivers/gpu/drm/xe/xe_migrate.c b/drivers/gpu/drm/xe/xe_migrate.c
+index c9f5673353ee3..a849c48d8ac90 100644
+--- a/drivers/gpu/drm/xe/xe_migrate.c
++++ b/drivers/gpu/drm/xe/xe_migrate.c
+@@ -404,7 +404,7 @@ struct xe_migrate *xe_migrate_init(struct xe_tile *tile)
+ m->q = xe_exec_queue_create_class(xe, primary_gt, vm,
+ XE_ENGINE_CLASS_COPY,
+ EXEC_QUEUE_FLAG_KERNEL |
+- EXEC_QUEUE_FLAG_PERMANENT);
++ EXEC_QUEUE_FLAG_PERMANENT, 0);
+ }
+ if (IS_ERR(m->q)) {
+ xe_vm_close_and_put(vm);
+diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c
+index 50e8fc49ba6c1..b49bee0dfac5d 100644
+--- a/drivers/gpu/drm/xe/xe_vm.c
++++ b/drivers/gpu/drm/xe/xe_vm.c
+@@ -1412,19 +1412,13 @@ struct xe_vm *xe_vm_create(struct xe_device *xe, u32 flags)
+ /* Kernel migration VM shouldn't have a circular loop.. */
+ if (!(flags & XE_VM_FLAG_MIGRATION)) {
+ for_each_tile(tile, xe, id) {
+- struct xe_gt *gt = tile->primary_gt;
+- struct xe_vm *migrate_vm;
+ struct xe_exec_queue *q;
+ u32 create_flags = EXEC_QUEUE_FLAG_VM;
+
+ if (!vm->pt_root[id])
+ continue;
+
+- migrate_vm = xe_migrate_get_vm(tile->migrate);
+- q = xe_exec_queue_create_class(xe, gt, migrate_vm,
+- XE_ENGINE_CLASS_COPY,
+- create_flags);
+- xe_vm_put(migrate_vm);
++ q = xe_exec_queue_create_bind(xe, tile, create_flags, 0);
+ if (IS_ERR(q)) {
+ err = PTR_ERR(q);
+ goto err_close;
+--
+2.43.0
+
--- /dev/null
+From 16b3627ede01127568b174891c4f9444db74a6c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2024 07:30:16 +0200
+Subject: dt-bindings: iio: asahi-kasei,ak8975: drop incorrect AK09116
+ compatible
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit c7668ac67bc21aebdd8e2d7f839bfffba31b7713 ]
+
+All compatibles in this binding without prefixes were deprecated, so
+adding a new deprecated one after some time is not allowed, because it
+defies the core logic of deprecating things.
+
+Drop the AK09916 vendorless compatible.
+
+Fixes: 76e28aa97fa0 ("iio: magnetometer: ak8975: add AK09116 support")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
+Link: https://patch.msgid.link/20240806053016.6401-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../devicetree/bindings/iio/magnetometer/asahi-kasei,ak8975.yaml | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/Documentation/devicetree/bindings/iio/magnetometer/asahi-kasei,ak8975.yaml b/Documentation/devicetree/bindings/iio/magnetometer/asahi-kasei,ak8975.yaml
+index 9790f75fc669e..fe5145d3b73cf 100644
+--- a/Documentation/devicetree/bindings/iio/magnetometer/asahi-kasei,ak8975.yaml
++++ b/Documentation/devicetree/bindings/iio/magnetometer/asahi-kasei,ak8975.yaml
+@@ -23,7 +23,6 @@ properties:
+ - ak8963
+ - ak09911
+ - ak09912
+- - ak09916
+ deprecated: true
+
+ reg:
+--
+2.43.0
+
--- /dev/null
+From da316ff3c81ec533c0bb4c8b9359c4295ea162a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 17:38:32 -0400
+Subject: dt-bindings: PCI: layerscape-pci: Replace fsl,lx2160a-pcie with
+ fsl,lx2160ar2-pcie
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Frank Li <Frank.Li@nxp.com>
+
+[ Upstream commit 1a1bf58897d20fc38b454dfecd2771e142d36966 ]
+
+The fsl,lx2160a-pcie compatible is used for mobivel according to the
+Documentation/devicetree/bindings/pci/layerscape-pcie-gen4.txt file.
+
+Whereas the fsl,layerscape-pcie is used for DesignWare PCIe controller binding.
+
+So change it to fsl,lx2160ar2-pcie and allow a fall back to fsl,ls2088a-pcie.
+
+While at it, sort compatible string.
+
+Fixes: 24cd7ecb3886 ("dt-bindings: PCI: layerscape-pci: Convert to YAML format")
+Link: https://lore.kernel.org/linux-pci/20240826-2160r2-v1-1-106340d538d6@nxp.com
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+[kwilczynski: commit log]
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Reviewed-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../bindings/pci/fsl,layerscape-pcie.yaml | 26 ++++++++++---------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/pci/fsl,layerscape-pcie.yaml b/Documentation/devicetree/bindings/pci/fsl,layerscape-pcie.yaml
+index 793986c5af7ff..daeab5c0758d1 100644
+--- a/Documentation/devicetree/bindings/pci/fsl,layerscape-pcie.yaml
++++ b/Documentation/devicetree/bindings/pci/fsl,layerscape-pcie.yaml
+@@ -22,18 +22,20 @@ description:
+
+ properties:
+ compatible:
+- enum:
+- - fsl,ls1021a-pcie
+- - fsl,ls2080a-pcie
+- - fsl,ls2085a-pcie
+- - fsl,ls2088a-pcie
+- - fsl,ls1088a-pcie
+- - fsl,ls1046a-pcie
+- - fsl,ls1043a-pcie
+- - fsl,ls1012a-pcie
+- - fsl,ls1028a-pcie
+- - fsl,lx2160a-pcie
+-
++ oneOf:
++ - enum:
++ - fsl,ls1012a-pcie
++ - fsl,ls1021a-pcie
++ - fsl,ls1028a-pcie
++ - fsl,ls1043a-pcie
++ - fsl,ls1046a-pcie
++ - fsl,ls1088a-pcie
++ - fsl,ls2080a-pcie
++ - fsl,ls2085a-pcie
++ - fsl,ls2088a-pcie
++ - items:
++ - const: fsl,lx2160ar2-pcie
++ - const: fsl,ls2088a-pcie
+ reg:
+ maxItems: 2
+
+--
+2.43.0
+
--- /dev/null
+From 25d66865277300d6a53886f41d7d807d327dde42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Jul 2024 15:36:56 +0530
+Subject: EDAC/synopsys: Fix error injection on Zynq UltraScale+
+
+From: Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>
+
+[ Upstream commit 35e6dbfe1846caeafabb49b7575adb36b0aa2269 ]
+
+The Zynq UltraScale+ MPSoC DDR has a disjoint memory from 2GB to 32GB.
+The DDR host interface has a contiguous memory so while injecting
+errors, the driver should remove the hole else the injection fails as
+the address translation is incorrect.
+
+Introduce a get_mem_info() function pointer and set it for Zynq
+UltraScale+ platform to return host address.
+
+Fixes: 1a81361f75d8 ("EDAC, synopsys: Add Error Injection support for ZynqMP DDR controller")
+Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/r/20240711100656.31376-1-shubhrajyoti.datta@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/synopsys_edac.c | 35 ++++++++++++++++++++++++++++++++++-
+ 1 file changed, 34 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/edac/synopsys_edac.c b/drivers/edac/synopsys_edac.c
+index ea7a9a342dd30..d7416166fd8a4 100644
+--- a/drivers/edac/synopsys_edac.c
++++ b/drivers/edac/synopsys_edac.c
+@@ -10,6 +10,7 @@
+ #include <linux/module.h>
+ #include <linux/platform_device.h>
+ #include <linux/spinlock.h>
++#include <linux/sizes.h>
+ #include <linux/interrupt.h>
+ #include <linux/of.h>
+
+@@ -337,6 +338,7 @@ struct synps_edac_priv {
+ * @get_mtype: Get mtype.
+ * @get_dtype: Get dtype.
+ * @get_ecc_state: Get ECC state.
++ * @get_mem_info: Get EDAC memory info
+ * @quirks: To differentiate IPs.
+ */
+ struct synps_platform_data {
+@@ -344,6 +346,9 @@ struct synps_platform_data {
+ enum mem_type (*get_mtype)(const void __iomem *base);
+ enum dev_type (*get_dtype)(const void __iomem *base);
+ bool (*get_ecc_state)(void __iomem *base);
++#ifdef CONFIG_EDAC_DEBUG
++ u64 (*get_mem_info)(struct synps_edac_priv *priv);
++#endif
+ int quirks;
+ };
+
+@@ -402,6 +407,25 @@ static int zynq_get_error_info(struct synps_edac_priv *priv)
+ return 0;
+ }
+
++#ifdef CONFIG_EDAC_DEBUG
++/**
++ * zynqmp_get_mem_info - Get the current memory info.
++ * @priv: DDR memory controller private instance data.
++ *
++ * Return: host interface address.
++ */
++static u64 zynqmp_get_mem_info(struct synps_edac_priv *priv)
++{
++ u64 hif_addr = 0, linear_addr;
++
++ linear_addr = priv->poison_addr;
++ if (linear_addr >= SZ_32G)
++ linear_addr = linear_addr - SZ_32G + SZ_2G;
++ hif_addr = linear_addr >> 3;
++ return hif_addr;
++}
++#endif
++
+ /**
+ * zynqmp_get_error_info - Get the current ECC error info.
+ * @priv: DDR memory controller private instance data.
+@@ -922,6 +946,9 @@ static const struct synps_platform_data zynqmp_edac_def = {
+ .get_mtype = zynqmp_get_mtype,
+ .get_dtype = zynqmp_get_dtype,
+ .get_ecc_state = zynqmp_get_ecc_state,
++#ifdef CONFIG_EDAC_DEBUG
++ .get_mem_info = zynqmp_get_mem_info,
++#endif
+ .quirks = (DDR_ECC_INTR_SUPPORT
+ #ifdef CONFIG_EDAC_DEBUG
+ | DDR_ECC_DATA_POISON_SUPPORT
+@@ -975,10 +1002,16 @@ MODULE_DEVICE_TABLE(of, synps_edac_match);
+ static void ddr_poison_setup(struct synps_edac_priv *priv)
+ {
+ int col = 0, row = 0, bank = 0, bankgrp = 0, rank = 0, regval;
++ const struct synps_platform_data *p_data;
+ int index;
+ ulong hif_addr = 0;
+
+- hif_addr = priv->poison_addr >> 3;
++ p_data = priv->p_data;
++
++ if (p_data->get_mem_info)
++ hif_addr = p_data->get_mem_info(priv);
++ else
++ hif_addr = priv->poison_addr >> 3;
+
+ for (index = 0; index < DDR_MAX_ROW_SHIFT; index++) {
+ if (priv->row_shift[index])
+--
+2.43.0
+
--- /dev/null
+From 952ebfcc2e54433bfef853458bc3a0143cfa8b90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2024 10:39:15 +0300
+Subject: ep93xx: clock: Fix off by one in ep93xx_div_recalc_rate()
+
+From: Dan Carpenter <alexander.sverdlin@gmail.com>
+
+[ Upstream commit c7f06284a6427475e3df742215535ec3f6cd9662 ]
+
+The psc->div[] array has psc->num_div elements. These values come from
+when we call clk_hw_register_div(). It's adc_divisors and
+ARRAY_SIZE(adc_divisors)) and so on. So this condition needs to be >=
+instead of > to prevent an out of bounds read.
+
+Fixes: 9645ccc7bd7a ("ep93xx: clock: convert in-place to COMMON_CLK")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Acked-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
+Reviewed-by: Nikita Shubin <nikita.shubin@maquefel.me>
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
+Link: https://lore.kernel.org/r/1caf01ad4c0a8069535813c26c7f0b8ea011155e.camel@linaro.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-ep93xx/clock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-ep93xx/clock.c b/arch/arm/mach-ep93xx/clock.c
+index 85a496ddc6197..e9f72a529b508 100644
+--- a/arch/arm/mach-ep93xx/clock.c
++++ b/arch/arm/mach-ep93xx/clock.c
+@@ -359,7 +359,7 @@ static unsigned long ep93xx_div_recalc_rate(struct clk_hw *hw,
+ u32 val = __raw_readl(psc->reg);
+ u8 index = (val & psc->mask) >> psc->shift;
+
+- if (index > psc->num_div)
++ if (index >= psc->num_div)
+ return 0;
+
+ return DIV_ROUND_UP_ULL(parent_rate, psc->div[index]);
+--
+2.43.0
+
--- /dev/null
+From 40cdae011842e0974084935a5d128771468f5625 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 23:00:25 -0700
+Subject: erofs: fix error handling in z_erofs_init_decompressor
+
+From: Sandeep Dhavale <dhavale@google.com>
+
+[ Upstream commit 3fc3e45fcdeaad4b7660b560fcbc827eb733f58e ]
+
+If we get a failure at the first decompressor init (i = 0),
+the clean up while loop could enter infinite loop due to wrong while
+check. Check the value of i now to see if we need any clean up at all.
+
+Fixes: 5a7cce827ee9 ("erofs: refine z_erofs_{init,exit}_subsystem()")
+Reported-by: liujinbao1 <liujinbao1@xiaomi.com>
+Signed-off-by: Sandeep Dhavale <dhavale@google.com>
+Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Link: https://lore.kernel.org/r/20240905060027.2388893-1-dhavale@google.com
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/decompressor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
+index c2253b6a54164..eb318c7ddd80e 100644
+--- a/fs/erofs/decompressor.c
++++ b/fs/erofs/decompressor.c
+@@ -539,7 +539,7 @@ int __init z_erofs_init_decompressor(void)
+ for (i = 0; i < Z_EROFS_COMPRESSION_MAX; ++i) {
+ err = z_erofs_decomp[i] ? z_erofs_decomp[i]->init() : 0;
+ if (err) {
+- while (--i)
++ while (i--)
+ if (z_erofs_decomp[i])
+ z_erofs_decomp[i]->exit();
+ return err;
+--
+2.43.0
+
--- /dev/null
+From d0c0f3e822526d6385eb41354dbd2493627c9c63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 11:19:11 +0800
+Subject: erofs: fix incorrect symlink detection in fast symlink
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+
+[ Upstream commit 9ed50b8231e37b1ae863f5dec8153b98d9f389b4 ]
+
+Fast symlink can be used if the on-disk symlink data is stored
+in the same block as the on-disk inode, so we don’t need to trigger
+another I/O for symlink data. However, currently fs correction could be
+reported _incorrectly_ if inode xattrs are too large.
+
+In fact, these should be valid images although they cannot be handled as
+fast symlinks.
+
+Many thanks to Colin for reporting this!
+
+Reported-by: Colin Walters <walters@verbum.org>
+Reported-by: https://honggfuzz.dev/
+Link: https://lore.kernel.org/r/bb2dd430-7de0-47da-ae5b-82ab2dd4d945@app.fastmail.com
+Fixes: 431339ba9042 ("staging: erofs: add inode operations")
+[ Note that it's a runtime misbehavior instead of a security issue. ]
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20240909031911.1174718-1-hsiangkao@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/inode.c | 20 ++++++--------------
+ 1 file changed, 6 insertions(+), 14 deletions(-)
+
+diff --git a/fs/erofs/inode.c b/fs/erofs/inode.c
+index 419432be3223b..4e3ea6689cb4e 100644
+--- a/fs/erofs/inode.c
++++ b/fs/erofs/inode.c
+@@ -178,12 +178,14 @@ static int erofs_fill_symlink(struct inode *inode, void *kaddr,
+ unsigned int m_pofs)
+ {
+ struct erofs_inode *vi = EROFS_I(inode);
+- unsigned int bsz = i_blocksize(inode);
++ loff_t off;
+ char *lnk;
+
+- /* if it cannot be handled with fast symlink scheme */
+- if (vi->datalayout != EROFS_INODE_FLAT_INLINE ||
+- inode->i_size >= bsz || inode->i_size < 0) {
++ m_pofs += vi->xattr_isize;
++ /* check if it cannot be handled with fast symlink scheme */
++ if (vi->datalayout != EROFS_INODE_FLAT_INLINE || inode->i_size < 0 ||
++ check_add_overflow(m_pofs, inode->i_size, &off) ||
++ off > i_blocksize(inode)) {
+ inode->i_op = &erofs_symlink_iops;
+ return 0;
+ }
+@@ -192,16 +194,6 @@ static int erofs_fill_symlink(struct inode *inode, void *kaddr,
+ if (!lnk)
+ return -ENOMEM;
+
+- m_pofs += vi->xattr_isize;
+- /* inline symlink data shouldn't cross block boundary */
+- if (m_pofs + inode->i_size > bsz) {
+- kfree(lnk);
+- erofs_err(inode->i_sb,
+- "inline data cross block boundary @ nid %llu",
+- vi->nid);
+- DBG_BUGON(1);
+- return -EFSCORRUPTED;
+- }
+ memcpy(lnk, kaddr + m_pofs, inode->i_size);
+ lnk[inode->i_size] = '\0';
+
+--
+2.43.0
+
--- /dev/null
+From c269c7479986245e84421b554136f710e9bf4200 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2024 15:08:47 +0800
+Subject: erofs: handle overlapped pclusters out of crafted images properly
+
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+
+[ Upstream commit 9e2f9d34dd12e6e5b244ec488bcebd0c2d566c50 ]
+
+syzbot reported a task hang issue due to a deadlock case where it is
+waiting for the folio lock of a cached folio that will be used for
+cache I/Os.
+
+After looking into the crafted fuzzed image, I found it's formed with
+several overlapped big pclusters as below:
+
+ Ext: logical offset | length : physical offset | length
+ 0: 0.. 16384 | 16384 : 151552.. 167936 | 16384
+ 1: 16384.. 32768 | 16384 : 155648.. 172032 | 16384
+ 2: 32768.. 49152 | 16384 : 537223168.. 537239552 | 16384
+...
+
+Here, extent 0/1 are physically overlapped although it's entirely
+_impossible_ for normal filesystem images generated by mkfs.
+
+First, managed folios containing compressed data will be marked as
+up-to-date and then unlocked immediately (unlike in-place folios) when
+compressed I/Os are complete. If physical blocks are not submitted in
+the incremental order, there should be separate BIOs to avoid dependency
+issues. However, the current code mis-arranges z_erofs_fill_bio_vec()
+and BIO submission which causes unexpected BIO waits.
+
+Second, managed folios will be connected to their own pclusters for
+efficient inter-queries. However, this is somewhat hard to implement
+easily if overlapped big pclusters exist. Again, these only appear in
+fuzzed images so let's simply fall back to temporary short-lived pages
+for correctness.
+
+Additionally, it justifies that referenced managed folios cannot be
+truncated for now and reverts part of commit 2080ca1ed3e4 ("erofs: tidy
+up `struct z_erofs_bvec`") for simplicity although it shouldn't be any
+difference.
+
+Reported-by: syzbot+4fc98ed414ae63d1ada2@syzkaller.appspotmail.com
+Reported-by: syzbot+de04e06b28cfecf2281c@syzkaller.appspotmail.com
+Reported-by: syzbot+c8c8238b394be4a1087d@syzkaller.appspotmail.com
+Tested-by: syzbot+4fc98ed414ae63d1ada2@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/r/0000000000002fda01061e334873@google.com
+Fixes: 8e6c8fa9f2e9 ("erofs: enable big pcluster feature")
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20240910070847.3356592-1-hsiangkao@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/zdata.c | 71 ++++++++++++++++++++++++++----------------------
+ 1 file changed, 38 insertions(+), 33 deletions(-)
+
+diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
+index 424f656cd765e..a0bae499c5ff6 100644
+--- a/fs/erofs/zdata.c
++++ b/fs/erofs/zdata.c
+@@ -1428,6 +1428,7 @@ static void z_erofs_fill_bio_vec(struct bio_vec *bvec,
+ struct z_erofs_bvec zbv;
+ struct address_space *mapping;
+ struct folio *folio;
++ struct page *page;
+ int bs = i_blocksize(f->inode);
+
+ /* Except for inplace folios, the entire folio can be used for I/Os */
+@@ -1450,7 +1451,6 @@ static void z_erofs_fill_bio_vec(struct bio_vec *bvec,
+ * file-backed folios will be used instead.
+ */
+ if (folio->private == (void *)Z_EROFS_PREALLOCATED_PAGE) {
+- folio->private = 0;
+ tocache = true;
+ goto out_tocache;
+ }
+@@ -1468,7 +1468,7 @@ static void z_erofs_fill_bio_vec(struct bio_vec *bvec,
+ }
+
+ folio_lock(folio);
+- if (folio->mapping == mc) {
++ if (likely(folio->mapping == mc)) {
+ /*
+ * The cached folio is still in managed cache but without
+ * a valid `->private` pcluster hint. Let's reconnect them.
+@@ -1478,41 +1478,44 @@ static void z_erofs_fill_bio_vec(struct bio_vec *bvec,
+ /* compressed_bvecs[] already takes a ref before */
+ folio_put(folio);
+ }
+-
+- /* no need to submit if it is already up-to-date */
+- if (folio_test_uptodate(folio)) {
+- folio_unlock(folio);
+- bvec->bv_page = NULL;
++ if (likely(folio->private == pcl)) {
++ /* don't submit cache I/Os again if already uptodate */
++ if (folio_test_uptodate(folio)) {
++ folio_unlock(folio);
++ bvec->bv_page = NULL;
++ }
++ return;
+ }
+- return;
++ /*
++ * Already linked with another pcluster, which only appears in
++ * crafted images by fuzzers for now. But handle this anyway.
++ */
++ tocache = false; /* use temporary short-lived pages */
++ } else {
++ DBG_BUGON(1); /* referenced managed folios can't be truncated */
++ tocache = true;
+ }
+-
+- /*
+- * It has been truncated, so it's unsafe to reuse this one. Let's
+- * allocate a new page for compressed data.
+- */
+- DBG_BUGON(folio->mapping);
+- tocache = true;
+ folio_unlock(folio);
+ folio_put(folio);
+ out_allocfolio:
+- zbv.page = erofs_allocpage(&f->pagepool, gfp | __GFP_NOFAIL);
++ page = erofs_allocpage(&f->pagepool, gfp | __GFP_NOFAIL);
+ spin_lock(&pcl->obj.lockref.lock);
+- if (pcl->compressed_bvecs[nr].page) {
+- erofs_pagepool_add(&f->pagepool, zbv.page);
++ if (unlikely(pcl->compressed_bvecs[nr].page != zbv.page)) {
++ erofs_pagepool_add(&f->pagepool, page);
+ spin_unlock(&pcl->obj.lockref.lock);
+ cond_resched();
+ goto repeat;
+ }
+- bvec->bv_page = pcl->compressed_bvecs[nr].page = zbv.page;
+- folio = page_folio(zbv.page);
+- /* first mark it as a temporary shortlived folio (now 1 ref) */
+- folio->private = (void *)Z_EROFS_SHORTLIVED_PAGE;
++ bvec->bv_page = pcl->compressed_bvecs[nr].page = page;
++ folio = page_folio(page);
+ spin_unlock(&pcl->obj.lockref.lock);
+ out_tocache:
+ if (!tocache || bs != PAGE_SIZE ||
+- filemap_add_folio(mc, folio, pcl->obj.index + nr, gfp))
++ filemap_add_folio(mc, folio, pcl->obj.index + nr, gfp)) {
++ /* turn into a temporary shortlived folio (1 ref) */
++ folio->private = (void *)Z_EROFS_SHORTLIVED_PAGE;
+ return;
++ }
+ folio_attach_private(folio, pcl);
+ /* drop a refcount added by allocpage (then 2 refs in total here) */
+ folio_put(folio);
+@@ -1647,13 +1650,10 @@ static void z_erofs_submit_queue(struct z_erofs_decompress_frontend *f,
+ cur = mdev.m_pa;
+ end = cur + pcl->pclustersize;
+ do {
+- z_erofs_fill_bio_vec(&bvec, f, pcl, i++, mc);
+- if (!bvec.bv_page)
+- continue;
+-
++ bvec.bv_page = NULL;
+ if (bio && (cur != last_pa ||
+ bio->bi_bdev != mdev.m_bdev)) {
+-io_retry:
++drain_io:
+ if (!erofs_is_fscache_mode(sb))
+ submit_bio(bio);
+ else
+@@ -1666,6 +1666,15 @@ static void z_erofs_submit_queue(struct z_erofs_decompress_frontend *f,
+ bio = NULL;
+ }
+
++ if (!bvec.bv_page) {
++ z_erofs_fill_bio_vec(&bvec, f, pcl, i++, mc);
++ if (!bvec.bv_page)
++ continue;
++ if (cur + bvec.bv_len > end)
++ bvec.bv_len = end - cur;
++ DBG_BUGON(bvec.bv_len < sb->s_blocksize);
++ }
++
+ if (unlikely(PageWorkingset(bvec.bv_page)) &&
+ !memstall) {
+ psi_memstall_enter(&pflags);
+@@ -1685,13 +1694,9 @@ static void z_erofs_submit_queue(struct z_erofs_decompress_frontend *f,
+ ++nr_bios;
+ }
+
+- if (cur + bvec.bv_len > end)
+- bvec.bv_len = end - cur;
+- DBG_BUGON(bvec.bv_len < sb->s_blocksize);
+ if (!bio_add_page(bio, bvec.bv_page, bvec.bv_len,
+ bvec.bv_offset))
+- goto io_retry;
+-
++ goto drain_io;
+ last_pa = cur + bvec.bv_len;
+ bypass = false;
+ } while ((cur += bvec.bv_len) < end);
+--
+2.43.0
+
--- /dev/null
+From 506245a1e8f3d48f7524d9127179950cf9f3aa36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Aug 2024 16:43:17 +0100
+Subject: eth: fbnic: select DEVLINK and PAGE_POOL
+
+From: Simon Horman <horms@kernel.org>
+
+[ Upstream commit 9a95b7a89dffae5f1e99dd73748f144fec820292 ]
+
+Build bot reports undefined references to devlink functions.
+And local testing revealed undefined references to page_pool functions.
+
+Based on a patch by Jakub Kicinski <kuba@kernel.org>
+
+Fixes: 1a9d48892ea5 ("eth: fbnic: Allocate core device specific structures and devlink interface")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202408011219.hiPmwwAs-lkp@intel.com/
+Signed-off-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20240802-fbnic-select-v2-1-41f82a3e0178@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/meta/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/meta/Kconfig b/drivers/net/ethernet/meta/Kconfig
+index c002ede364020..85519690b8377 100644
+--- a/drivers/net/ethernet/meta/Kconfig
++++ b/drivers/net/ethernet/meta/Kconfig
+@@ -23,6 +23,8 @@ config FBNIC
+ depends on !S390
+ depends on MAX_SKB_FRAGS < 22
+ depends on PCI_MSI
++ select NET_DEVLINK
++ select PAGE_POOL
+ select PHYLINK
+ help
+ This driver supports Meta Platforms Host Network Interface.
+--
+2.43.0
+
--- /dev/null
+From 69da5639b67e5c31aabefd01aaa8c17b39493b85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 21:22:28 +0800
+Subject: ext4: avoid buffer_head leak in ext4_mark_inode_used()
+
+From: Kemeng Shi <shikemeng@huaweicloud.com>
+
+[ Upstream commit 5e5b2a56c57def1b41efd49596621504d7bcc61c ]
+
+Release inode_bitmap_bh from ext4_read_inode_bitmap() in
+ext4_mark_inode_used() to avoid buffer_head leak.
+By the way, remove unneeded goto for invalid ino when inode_bitmap_bh
+is NULL.
+
+Fixes: 8016e29f4362 ("ext4: fast commit recovery path")
+Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
+Link: https://patch.msgid.link/20240820132234.2759926-2-shikemeng@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/ialloc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
+index 9dfd768ed9f8d..ad7f13976dc60 100644
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -755,10 +755,10 @@ int ext4_mark_inode_used(struct super_block *sb, int ino)
+ struct ext4_group_desc *gdp;
+ ext4_group_t group;
+ int bit;
+- int err = -EFSCORRUPTED;
++ int err;
+
+ if (ino < EXT4_FIRST_INO(sb) || ino > max_ino)
+- goto out;
++ return -EFSCORRUPTED;
+
+ group = (ino - 1) / EXT4_INODES_PER_GROUP(sb);
+ bit = (ino - 1) % EXT4_INODES_PER_GROUP(sb);
+@@ -860,6 +860,7 @@ int ext4_mark_inode_used(struct super_block *sb, int ino)
+ err = ext4_handle_dirty_metadata(NULL, NULL, group_desc_bh);
+ sync_dirty_buffer(group_desc_bh);
+ out:
++ brelse(inode_bitmap_bh);
+ return err;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 397dcb1eb19306e357530f90072b8f5fccd7cf91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 21:22:30 +0800
+Subject: ext4: avoid negative min_clusters in find_group_orlov()
+
+From: Kemeng Shi <shikemeng@huaweicloud.com>
+
+[ Upstream commit bb0a12c3439b10d88412fd3102df5b9a6e3cd6dc ]
+
+min_clusters is signed integer and will be converted to unsigned
+integer when compared with unsigned number stats.free_clusters.
+If min_clusters is negative, it will be converted to a huge unsigned
+value in which case all groups may not meet the actual desired free
+clusters.
+Set negative min_clusters to 0 to avoid unexpected behavior.
+
+Fixes: ac27a0ec112a ("[PATCH] ext4: initial copy of files from ext3")
+Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
+Link: https://patch.msgid.link/20240820132234.2759926-4-shikemeng@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/ialloc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
+index 9e2c08a8665f2..81641be38c0e8 100644
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -514,6 +514,8 @@ static int find_group_orlov(struct super_block *sb, struct inode *parent,
+ if (min_inodes < 1)
+ min_inodes = 1;
+ min_clusters = avefreec - EXT4_CLUSTERS_PER_GROUP(sb)*flex_size / 4;
++ if (min_clusters < 0)
++ min_clusters = 0;
+
+ /*
+ * Start looking in the flex group where we last allocated an
+--
+2.43.0
+
--- /dev/null
+From 77544ca19849fb93f82d999695ab7674e5fffb7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 12:23:24 -0300
+Subject: ext4: avoid OOB when system.data xattr changes underneath the
+ filesystem
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+[ Upstream commit c6b72f5d82b1017bad80f9ebf502832fc321d796 ]
+
+When looking up for an entry in an inlined directory, if e_value_offs is
+changed underneath the filesystem by some change in the block device, it
+will lead to an out-of-bounds access that KASAN detects as an UAF.
+
+EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
+loop0: detected capacity change from 2048 to 2047
+==================================================================
+BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
+Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103
+
+CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:93 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
+ print_address_description mm/kasan/report.c:377 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:488
+ kasan_report+0x143/0x180 mm/kasan/report.c:601
+ ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
+ ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697
+ __ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573
+ ext4_lookup_entry fs/ext4/namei.c:1727 [inline]
+ ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795
+ lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633
+ filename_create+0x297/0x540 fs/namei.c:3980
+ do_symlinkat+0xf9/0x3a0 fs/namei.c:4587
+ __do_sys_symlinkat fs/namei.c:4610 [inline]
+ __se_sys_symlinkat fs/namei.c:4607 [inline]
+ __x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f3e73ced469
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a
+RAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469
+RDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0
+RBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290
+R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c
+R13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0
+ </TASK>
+
+Calling ext4_xattr_ibody_find right after reading the inode with
+ext4_get_inode_loc will lead to a check of the validity of the xattrs,
+avoiding this problem.
+
+Reported-by: syzbot+0c2508114d912a54ee79@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=0c2508114d912a54ee79
+Fixes: e8e948e7802a ("ext4: let ext4_find_entry handle inline data")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Link: https://patch.msgid.link/20240821152324.3621860-5-cascardo@igalia.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/inline.c | 31 +++++++++++++++++++++----------
+ 1 file changed, 21 insertions(+), 10 deletions(-)
+
+diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
+index 7b98b1bf1dc94..44a5f6df59ecd 100644
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -1664,25 +1664,36 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir,
+ struct ext4_dir_entry_2 **res_dir,
+ int *has_inline_data)
+ {
++ struct ext4_xattr_ibody_find is = {
++ .s = { .not_found = -ENODATA, },
++ };
++ struct ext4_xattr_info i = {
++ .name_index = EXT4_XATTR_INDEX_SYSTEM,
++ .name = EXT4_XATTR_SYSTEM_DATA,
++ };
+ int ret;
+- struct ext4_iloc iloc;
+ void *inline_start;
+ int inline_size;
+
+- ret = ext4_get_inode_loc(dir, &iloc);
++ ret = ext4_get_inode_loc(dir, &is.iloc);
+ if (ret)
+ return ERR_PTR(ret);
+
+ down_read(&EXT4_I(dir)->xattr_sem);
++
++ ret = ext4_xattr_ibody_find(dir, &i, &is);
++ if (ret)
++ goto out;
++
+ if (!ext4_has_inline_data(dir)) {
+ *has_inline_data = 0;
+ goto out;
+ }
+
+- inline_start = (void *)ext4_raw_inode(&iloc)->i_block +
++ inline_start = (void *)ext4_raw_inode(&is.iloc)->i_block +
+ EXT4_INLINE_DOTDOT_SIZE;
+ inline_size = EXT4_MIN_INLINE_DATA_SIZE - EXT4_INLINE_DOTDOT_SIZE;
+- ret = ext4_search_dir(iloc.bh, inline_start, inline_size,
++ ret = ext4_search_dir(is.iloc.bh, inline_start, inline_size,
+ dir, fname, 0, res_dir);
+ if (ret == 1)
+ goto out_find;
+@@ -1692,23 +1703,23 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir,
+ if (ext4_get_inline_size(dir) == EXT4_MIN_INLINE_DATA_SIZE)
+ goto out;
+
+- inline_start = ext4_get_inline_xattr_pos(dir, &iloc);
++ inline_start = ext4_get_inline_xattr_pos(dir, &is.iloc);
+ inline_size = ext4_get_inline_size(dir) - EXT4_MIN_INLINE_DATA_SIZE;
+
+- ret = ext4_search_dir(iloc.bh, inline_start, inline_size,
++ ret = ext4_search_dir(is.iloc.bh, inline_start, inline_size,
+ dir, fname, 0, res_dir);
+ if (ret == 1)
+ goto out_find;
+
+ out:
+- brelse(iloc.bh);
++ brelse(is.iloc.bh);
+ if (ret < 0)
+- iloc.bh = ERR_PTR(ret);
++ is.iloc.bh = ERR_PTR(ret);
+ else
+- iloc.bh = NULL;
++ is.iloc.bh = NULL;
+ out_find:
+ up_read(&EXT4_I(dir)->xattr_sem);
+- return iloc.bh;
++ return is.iloc.bh;
+ }
+
+ int ext4_delete_inline_entry(handle_t *handle,
+--
+2.43.0
+
--- /dev/null
+From 15b8100c10d117aa00a7830aceae3a3061486b06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 21:22:29 +0800
+Subject: ext4: avoid potential buffer_head leak in __ext4_new_inode()
+
+From: Kemeng Shi <shikemeng@huaweicloud.com>
+
+[ Upstream commit 227d31b9214d1b9513383cf6c7180628d4b3b61f ]
+
+If a group is marked EXT4_GROUP_INFO_IBITMAP_CORRUPT after it's inode
+bitmap buffer_head was successfully verified, then __ext4_new_inode()
+will get a valid inode_bitmap_bh of a corrupted group from
+ext4_read_inode_bitmap() in which case inode_bitmap_bh misses a release.
+Hnadle "IS_ERR(inode_bitmap_bh)" and group corruption separately like
+how ext4_free_inode() does to avoid buffer_head leak.
+
+Fixes: 9008a58e5dce ("ext4: make the bitmap read routines return real error codes")
+Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
+Link: https://patch.msgid.link/20240820132234.2759926-3-shikemeng@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/ialloc.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
+index ad7f13976dc60..9e2c08a8665f2 100644
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -1054,12 +1054,13 @@ struct inode *__ext4_new_inode(struct mnt_idmap *idmap,
+ brelse(inode_bitmap_bh);
+ inode_bitmap_bh = ext4_read_inode_bitmap(sb, group);
+ /* Skip groups with suspicious inode tables */
+- if (((!(sbi->s_mount_state & EXT4_FC_REPLAY))
+- && EXT4_MB_GRP_IBITMAP_CORRUPT(grp)) ||
+- IS_ERR(inode_bitmap_bh)) {
++ if (IS_ERR(inode_bitmap_bh)) {
+ inode_bitmap_bh = NULL;
+ goto next_group;
+ }
++ if (!(sbi->s_mount_state & EXT4_FC_REPLAY) &&
++ EXT4_MB_GRP_IBITMAP_CORRUPT(grp))
++ goto next_group;
+
+ repeat_in_this_group:
+ ret2 = find_inode_bit(sb, group, inode_bitmap_bh, &ino);
+--
+2.43.0
+
--- /dev/null
+From 55ce6447d258eb457fc2d5ae55a5b876374f59a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Aug 2024 12:50:57 +0530
+Subject: ext4: check stripe size compatibility on remount as well
+
+From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+
+[ Upstream commit ee85e0938aa8f9846d21e4d302c3cf6a2a75110d ]
+
+We disable stripe size in __ext4_fill_super if it is not a multiple of
+the cluster ratio however this check is missed when trying to remount.
+This can leave us with cases where stripe < cluster_ratio after
+remount:set making EXT4_B2C(sbi->s_stripe) become 0 that can cause some
+unforeseen bugs like divide by 0.
+
+Fix that by adding the check in remount path as well.
+
+Reported-by: syzbot+1ad8bac5af24d01e2cbd@syzkaller.appspotmail.com
+Tested-by: syzbot+1ad8bac5af24d01e2cbd@syzkaller.appspotmail.com
+Reviewed-by: Kemeng Shi <shikemeng@huaweicloud.com>
+Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
+Fixes: c3defd99d58c ("ext4: treat stripe in block unit")
+Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Link: https://patch.msgid.link/3a493bb503c3598e25dcfbed2936bb2dff3fece7.1725002410.git.ojaswin@linux.ibm.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/super.c | 29 ++++++++++++++++++++++-------
+ 1 file changed, 22 insertions(+), 7 deletions(-)
+
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index e72145c4ae5a0..7e73e13741d1e 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -5165,6 +5165,18 @@ static int ext4_block_group_meta_init(struct super_block *sb, int silent)
+ return 0;
+ }
+
++/*
++ * It's hard to get stripe aligned blocks if stripe is not aligned with
++ * cluster, just disable stripe and alert user to simplify code and avoid
++ * stripe aligned allocation which will rarely succeed.
++ */
++static bool ext4_is_stripe_incompatible(struct super_block *sb, unsigned long stripe)
++{
++ struct ext4_sb_info *sbi = EXT4_SB(sb);
++ return (stripe > 0 && sbi->s_cluster_ratio > 1 &&
++ stripe % sbi->s_cluster_ratio != 0);
++}
++
+ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb)
+ {
+ struct ext4_super_block *es = NULL;
+@@ -5272,13 +5284,7 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb)
+ goto failed_mount3;
+
+ sbi->s_stripe = ext4_get_stripe_size(sbi);
+- /*
+- * It's hard to get stripe aligned blocks if stripe is not aligned with
+- * cluster, just disable stripe and alert user to simpfy code and avoid
+- * stripe aligned allocation which will rarely successes.
+- */
+- if (sbi->s_stripe > 0 && sbi->s_cluster_ratio > 1 &&
+- sbi->s_stripe % sbi->s_cluster_ratio != 0) {
++ if (ext4_is_stripe_incompatible(sb, sbi->s_stripe)) {
+ ext4_msg(sb, KERN_WARNING,
+ "stripe (%lu) is not aligned with cluster size (%u), "
+ "stripe is disabled",
+@@ -6441,6 +6447,15 @@ static int __ext4_remount(struct fs_context *fc, struct super_block *sb)
+
+ }
+
++ if ((ctx->spec & EXT4_SPEC_s_stripe) &&
++ ext4_is_stripe_incompatible(sb, ctx->s_stripe)) {
++ ext4_msg(sb, KERN_WARNING,
++ "stripe (%lu) is not aligned with cluster size (%u), "
++ "stripe is disabled",
++ ctx->s_stripe, sbi->s_cluster_ratio);
++ ctx->s_stripe = 0;
++ }
++
+ /*
+ * Changing the DIOREAD_NOLOCK or DELALLOC mount options may cause
+ * two calls to ext4_should_dioread_nolock() to return inconsistent
+--
+2.43.0
+
--- /dev/null
+From 66dcb08a780bd39fbd53b0bf9768f853b79867ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Aug 2024 16:55:10 +0800
+Subject: ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard
+
+From: yangerkun <yangerkun@huawei.com>
+
+[ Upstream commit 20cee68f5b44fdc2942d20f3172a262ec247b117 ]
+
+Commit 3d56b8d2c74c ("ext4: Speed up FITRIM by recording flags in
+ext4_group_info") speed up fstrim by skipping trim trimmed group. We
+also has the chance to clear trimmed once there exists some block free
+for this group(mount without discard), and the next trim for this group
+will work well too.
+
+For mount with discard, we will issue dicard when we free blocks, so
+leave trimmed flag keep alive to skip useless trim trigger from
+userspace seems reasonable. But for some case like ext4 build on
+dm-thinpool(ext4 blocksize 4K, pool blocksize 128K), discard from ext4
+maybe unaligned for dm thinpool, and thinpool will just finish this
+discard(see process_discard_bio when begein equals to end) without
+actually process discard. For this case, trim from userspace can really
+help us to free some thinpool block.
+
+So convert to clear trimmed flag for all case no matter mounted with
+discard or not.
+
+Fixes: 3d56b8d2c74c ("ext4: Speed up FITRIM by recording flags in ext4_group_info")
+Signed-off-by: yangerkun <yangerkun@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/20240817085510.2084444-1-yangerkun@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/mballoc.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index 9dda9cd68ab2f..dfecd25cee4ea 100644
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -3887,11 +3887,8 @@ static void ext4_free_data_in_buddy(struct super_block *sb,
+ /*
+ * Clear the trimmed flag for the group so that the next
+ * ext4_trim_fs can trim it.
+- * If the volume is mounted with -o discard, online discard
+- * is supported and the free blocks will be trimmed online.
+ */
+- if (!test_opt(sb, DISCARD))
+- EXT4_MB_GRP_CLEAR_TRIMMED(db);
++ EXT4_MB_GRP_CLEAR_TRIMMED(db);
+
+ if (!db->bb_free_root.rb_node) {
+ /* No more items in the per group rb tree
+@@ -6515,8 +6512,9 @@ static void ext4_mb_clear_bb(handle_t *handle, struct inode *inode,
+ " group:%u block:%d count:%lu failed"
+ " with %d", block_group, bit, count,
+ err);
+- } else
+- EXT4_MB_GRP_CLEAR_TRIMMED(e4b.bd_info);
++ }
++
++ EXT4_MB_GRP_CLEAR_TRIMMED(e4b.bd_info);
+
+ ext4_lock_group(sb, block_group);
+ mb_free_blocks(inode, &e4b, bit, count_clusters);
+--
+2.43.0
+
--- /dev/null
+From 2afa0b62d26aac2f6579585d637cb98fad934d67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 12:23:22 -0300
+Subject: ext4: return error on ext4_find_inline_entry
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+[ Upstream commit 4d231b91a944f3cab355fce65af5871fb5d7735b ]
+
+In case of errors when reading an inode from disk or traversing inline
+directory entries, return an error-encoded ERR_PTR instead of returning
+NULL. ext4_find_inline_entry only caller, __ext4_find_entry already returns
+such encoded errors.
+
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Link: https://patch.msgid.link/20240821152324.3621860-3-cascardo@igalia.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Stable-dep-of: c6b72f5d82b1 ("ext4: avoid OOB when system.data xattr changes underneath the filesystem")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/inline.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
+index e7a09a99837b9..7b98b1bf1dc94 100644
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -1669,8 +1669,9 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir,
+ void *inline_start;
+ int inline_size;
+
+- if (ext4_get_inode_loc(dir, &iloc))
+- return NULL;
++ ret = ext4_get_inode_loc(dir, &iloc);
++ if (ret)
++ return ERR_PTR(ret);
+
+ down_read(&EXT4_I(dir)->xattr_sem);
+ if (!ext4_has_inline_data(dir)) {
+@@ -1701,7 +1702,10 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir,
+
+ out:
+ brelse(iloc.bh);
+- iloc.bh = NULL;
++ if (ret < 0)
++ iloc.bh = ERR_PTR(ret);
++ else
++ iloc.bh = NULL;
+ out_find:
+ up_read(&EXT4_I(dir)->xattr_sem);
+ return iloc.bh;
+--
+2.43.0
+
--- /dev/null
+From d43e36f6975b9602c0da0c4d91d5c63544b54052 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Jun 2024 11:13:48 +0800
+Subject: f2fs: atomic: fix to avoid racing w/ GC
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 1a0bd289a5db1df8df8fab949633a0b8d3f235ee ]
+
+Case #1:
+SQLite App GC Thread Kworker Shrinker
+- f2fs_ioc_start_atomic_write
+
+- f2fs_ioc_commit_atomic_write
+ - f2fs_commit_atomic_write
+ - filemap_write_and_wait_range
+ : write atomic_file's data to cow_inode
+ echo 3 > drop_caches
+ to drop atomic_file's
+ cache.
+ - f2fs_gc
+ - gc_data_segment
+ - move_data_page
+ - set_page_dirty
+
+ - writepages
+ - f2fs_do_write_data_page
+ : overwrite atomic_file's data
+ to cow_inode
+ - f2fs_down_write(&fi->i_gc_rwsem[WRITE])
+ - __f2fs_commit_atomic_write
+ - f2fs_up_write(&fi->i_gc_rwsem[WRITE])
+
+Case #2:
+SQLite App GC Thread Kworker
+- f2fs_ioc_start_atomic_write
+
+ - __writeback_single_inode
+ - do_writepages
+ - f2fs_write_cache_pages
+ - f2fs_write_single_data_page
+ - f2fs_do_write_data_page
+ : write atomic_file's data to cow_inode
+ - f2fs_gc
+ - gc_data_segment
+ - move_data_page
+ - set_page_dirty
+
+ - writepages
+ - f2fs_do_write_data_page
+ : overwrite atomic_file's data to cow_inode
+- f2fs_ioc_commit_atomic_write
+
+In above cases racing in between atomic_write and GC, previous
+data in atomic_file may be overwrited to cow_file, result in
+data corruption.
+
+This patch introduces PAGE_PRIVATE_ATOMIC_WRITE bit flag in page.private,
+and use it to indicate that there is last dirty data in atomic file,
+and the data should be writebacked into cow_file, if the flag is not
+tagged in page, we should never write data across files.
+
+Fixes: 3db1de0e582c ("f2fs: change the current atomic write way")
+Cc: Daeho Jeong <daehojeong@google.com>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/data.c | 10 +++++++++-
+ fs/f2fs/f2fs.h | 8 +++++++-
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
+index 6457e5bca9c9e..be66b3a0e793f 100644
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -2650,10 +2650,13 @@ int f2fs_do_write_data_page(struct f2fs_io_info *fio)
+ struct dnode_of_data dn;
+ struct node_info ni;
+ bool ipu_force = false;
++ bool atomic_commit;
+ int err = 0;
+
+ /* Use COW inode to make dnode_of_data for atomic write */
+- if (f2fs_is_atomic_file(inode))
++ atomic_commit = f2fs_is_atomic_file(inode) &&
++ page_private_atomic(fio->page);
++ if (atomic_commit)
+ set_new_dnode(&dn, F2FS_I(inode)->cow_inode, NULL, NULL, 0);
+ else
+ set_new_dnode(&dn, inode, NULL, NULL, 0);
+@@ -2752,6 +2755,8 @@ int f2fs_do_write_data_page(struct f2fs_io_info *fio)
+ f2fs_outplace_write_data(&dn, fio);
+ trace_f2fs_do_write_data_page(page_folio(page), OPU);
+ set_inode_flag(inode, FI_APPEND_WRITE);
++ if (atomic_commit)
++ clear_page_private_atomic(page);
+ out_writepage:
+ f2fs_put_dnode(&dn);
+ out:
+@@ -3721,6 +3726,9 @@ static int f2fs_write_end(struct file *file,
+
+ set_page_dirty(page);
+
++ if (f2fs_is_atomic_file(inode))
++ set_page_private_atomic(page);
++
+ if (pos + copied > i_size_read(inode) &&
+ !f2fs_verity_in_progress(inode)) {
+ f2fs_i_size_write(inode, pos + copied);
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index ac19c61f0c3ec..9f8dd17b85b9d 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -1418,7 +1418,8 @@ static inline void f2fs_clear_bit(unsigned int nr, char *addr);
+ * bit 1 PAGE_PRIVATE_ONGOING_MIGRATION
+ * bit 2 PAGE_PRIVATE_INLINE_INODE
+ * bit 3 PAGE_PRIVATE_REF_RESOURCE
+- * bit 4- f2fs private data
++ * bit 4 PAGE_PRIVATE_ATOMIC_WRITE
++ * bit 5- f2fs private data
+ *
+ * Layout B: lowest bit should be 0
+ * page.private is a wrapped pointer.
+@@ -1428,6 +1429,7 @@ enum {
+ PAGE_PRIVATE_ONGOING_MIGRATION, /* data page which is on-going migrating */
+ PAGE_PRIVATE_INLINE_INODE, /* inode page contains inline data */
+ PAGE_PRIVATE_REF_RESOURCE, /* dirty page has referenced resources */
++ PAGE_PRIVATE_ATOMIC_WRITE, /* data page from atomic write path */
+ PAGE_PRIVATE_MAX
+ };
+
+@@ -2396,14 +2398,17 @@ static inline void clear_page_private_##name(struct page *page) \
+ PAGE_PRIVATE_GET_FUNC(nonpointer, NOT_POINTER);
+ PAGE_PRIVATE_GET_FUNC(inline, INLINE_INODE);
+ PAGE_PRIVATE_GET_FUNC(gcing, ONGOING_MIGRATION);
++PAGE_PRIVATE_GET_FUNC(atomic, ATOMIC_WRITE);
+
+ PAGE_PRIVATE_SET_FUNC(reference, REF_RESOURCE);
+ PAGE_PRIVATE_SET_FUNC(inline, INLINE_INODE);
+ PAGE_PRIVATE_SET_FUNC(gcing, ONGOING_MIGRATION);
++PAGE_PRIVATE_SET_FUNC(atomic, ATOMIC_WRITE);
+
+ PAGE_PRIVATE_CLEAR_FUNC(reference, REF_RESOURCE);
+ PAGE_PRIVATE_CLEAR_FUNC(inline, INLINE_INODE);
+ PAGE_PRIVATE_CLEAR_FUNC(gcing, ONGOING_MIGRATION);
++PAGE_PRIVATE_CLEAR_FUNC(atomic, ATOMIC_WRITE);
+
+ static inline unsigned long get_page_private_data(struct page *page)
+ {
+@@ -2435,6 +2440,7 @@ static inline void clear_page_private_all(struct page *page)
+ clear_page_private_reference(page);
+ clear_page_private_gcing(page);
+ clear_page_private_inline(page);
++ clear_page_private_atomic(page);
+
+ f2fs_bug_on(F2FS_P_SB(page), page_private(page));
+ }
+--
+2.43.0
+
--- /dev/null
+From 04f669f00a425bd7044feee837705dacae799181 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 18:24:35 +0800
+Subject: f2fs: atomic: fix to truncate pagecache before on-disk metadata
+ truncation
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit ebd3309aec6271c4616573b0cb83ea25e623070a ]
+
+We should always truncate pagecache while truncating on-disk data.
+
+Fixes: a46bebd502fe ("f2fs: synchronize atomic write aborts")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/file.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index e178e3ebde04e..5558a75f29b79 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -2184,6 +2184,10 @@ static int f2fs_ioc_start_atomic_write(struct file *filp, bool truncate)
+ F2FS_I(fi->cow_inode)->atomic_inode = inode;
+ } else {
+ /* Reuse the already created COW inode */
++ f2fs_bug_on(sbi, get_dirty_pages(fi->cow_inode));
++
++ invalidate_mapping_pages(fi->cow_inode->i_mapping, 0, -1);
++
+ ret = f2fs_do_truncate_blocks(fi->cow_inode, 0, true);
+ if (ret) {
+ f2fs_up_write(&fi->i_gc_rwsem[WRITE]);
+--
+2.43.0
+
--- /dev/null
+From b304cc0b56f555474ab4c016191f9f6b70c16a81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Aug 2024 17:34:30 +0900
+Subject: f2fs: compress: don't redirty sparse cluster during {,de}compress
+
+From: Yeongjin Gil <youngjin.gil@samsung.com>
+
+[ Upstream commit f785cec298c95d00058560c0715233294a04b8f3 ]
+
+In f2fs_do_write_data_page, when the data block is NULL_ADDR, it skips
+writepage considering that it has been already truncated.
+This results in an infinite loop as the PAGECACHE_TAG_TOWRITE tag is not
+cleared during the writeback process for a compressed file including
+NULL_ADDR in compress_mode=user.
+
+This is the reproduction process:
+
+1. dd if=/dev/zero bs=4096 count=1024 seek=1024 of=testfile
+2. f2fs_io compress testfile
+3. dd if=/dev/zero bs=4096 count=1 conv=notrunc of=testfile
+4. f2fs_io decompress testfile
+
+To prevent the problem, let's check whether the cluster is fully
+allocated before redirty its pages.
+
+Fixes: 5fdb322ff2c2 ("f2fs: add F2FS_IOC_DECOMPRESS_FILE and F2FS_IOC_COMPRESS_FILE")
+Reviewed-by: Sungjong Seo <sj1557.seo@samsung.com>
+Reviewed-by: Sunmin Jeong <s_min.jeong@samsung.com>
+Tested-by: Jaewook Kim <jw5454.kim@samsung.com>
+Signed-off-by: Yeongjin Gil <youngjin.gil@samsung.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/compress.c | 36 ++++++++++++++++++++++++++++--------
+ fs/f2fs/f2fs.h | 12 ++++++++++++
+ fs/f2fs/file.c | 39 +++++++++++++++++++++------------------
+ 3 files changed, 61 insertions(+), 26 deletions(-)
+
+diff --git a/fs/f2fs/compress.c b/fs/f2fs/compress.c
+index 990b93689b460..f55d54bb12f42 100644
+--- a/fs/f2fs/compress.c
++++ b/fs/f2fs/compress.c
+@@ -945,7 +945,7 @@ static int __f2fs_get_cluster_blocks(struct inode *inode,
+ unsigned int cluster_size = F2FS_I(inode)->i_cluster_size;
+ int count, i;
+
+- for (i = 1, count = 1; i < cluster_size; i++) {
++ for (i = 0, count = 0; i < cluster_size; i++) {
+ block_t blkaddr = data_blkaddr(dn->inode, dn->node_page,
+ dn->ofs_in_node + i);
+
+@@ -956,8 +956,8 @@ static int __f2fs_get_cluster_blocks(struct inode *inode,
+ return count;
+ }
+
+-static int __f2fs_cluster_blocks(struct inode *inode,
+- unsigned int cluster_idx, bool compr_blks)
++static int __f2fs_cluster_blocks(struct inode *inode, unsigned int cluster_idx,
++ enum cluster_check_type type)
+ {
+ struct dnode_of_data dn;
+ unsigned int start_idx = cluster_idx <<
+@@ -978,10 +978,12 @@ static int __f2fs_cluster_blocks(struct inode *inode,
+ }
+
+ if (dn.data_blkaddr == COMPRESS_ADDR) {
+- if (compr_blks)
+- ret = __f2fs_get_cluster_blocks(inode, &dn);
+- else
++ if (type == CLUSTER_COMPR_BLKS)
++ ret = 1 + __f2fs_get_cluster_blocks(inode, &dn);
++ else if (type == CLUSTER_IS_COMPR)
+ ret = 1;
++ } else if (type == CLUSTER_RAW_BLKS) {
++ ret = __f2fs_get_cluster_blocks(inode, &dn);
+ }
+ fail:
+ f2fs_put_dnode(&dn);
+@@ -991,7 +993,16 @@ static int __f2fs_cluster_blocks(struct inode *inode,
+ /* return # of compressed blocks in compressed cluster */
+ static int f2fs_compressed_blocks(struct compress_ctx *cc)
+ {
+- return __f2fs_cluster_blocks(cc->inode, cc->cluster_idx, true);
++ return __f2fs_cluster_blocks(cc->inode, cc->cluster_idx,
++ CLUSTER_COMPR_BLKS);
++}
++
++/* return # of raw blocks in non-compressed cluster */
++static int f2fs_decompressed_blocks(struct inode *inode,
++ unsigned int cluster_idx)
++{
++ return __f2fs_cluster_blocks(inode, cluster_idx,
++ CLUSTER_RAW_BLKS);
+ }
+
+ /* return whether cluster is compressed one or not */
+@@ -999,7 +1010,16 @@ int f2fs_is_compressed_cluster(struct inode *inode, pgoff_t index)
+ {
+ return __f2fs_cluster_blocks(inode,
+ index >> F2FS_I(inode)->i_log_cluster_size,
+- false);
++ CLUSTER_IS_COMPR);
++}
++
++/* return whether cluster contains non raw blocks or not */
++bool f2fs_is_sparse_cluster(struct inode *inode, pgoff_t index)
++{
++ unsigned int cluster_idx = index >> F2FS_I(inode)->i_log_cluster_size;
++
++ return f2fs_decompressed_blocks(inode, cluster_idx) !=
++ F2FS_I(inode)->i_cluster_size;
+ }
+
+ static bool cluster_may_compress(struct compress_ctx *cc)
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index f4342622dec6a..d40a8d6676f2d 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -4297,6 +4297,11 @@ static inline bool f2fs_meta_inode_gc_required(struct inode *inode)
+ * compress.c
+ */
+ #ifdef CONFIG_F2FS_FS_COMPRESSION
++enum cluster_check_type {
++ CLUSTER_IS_COMPR, /* check only if compressed cluster */
++ CLUSTER_COMPR_BLKS, /* return # of compressed blocks in a cluster */
++ CLUSTER_RAW_BLKS /* return # of raw blocks in a cluster */
++};
+ bool f2fs_is_compressed_page(struct page *page);
+ struct page *f2fs_compress_control_page(struct page *page);
+ int f2fs_prepare_compress_overwrite(struct inode *inode,
+@@ -4323,6 +4328,7 @@ int f2fs_write_multi_pages(struct compress_ctx *cc,
+ struct writeback_control *wbc,
+ enum iostat_type io_type);
+ int f2fs_is_compressed_cluster(struct inode *inode, pgoff_t index);
++bool f2fs_is_sparse_cluster(struct inode *inode, pgoff_t index);
+ void f2fs_update_read_extent_tree_range_compressed(struct inode *inode,
+ pgoff_t fofs, block_t blkaddr,
+ unsigned int llen, unsigned int c_len);
+@@ -4409,6 +4415,12 @@ static inline bool f2fs_load_compressed_page(struct f2fs_sb_info *sbi,
+ static inline void f2fs_invalidate_compress_pages(struct f2fs_sb_info *sbi,
+ nid_t ino) { }
+ #define inc_compr_inode_stat(inode) do { } while (0)
++static inline int f2fs_is_compressed_cluster(
++ struct inode *inode,
++ pgoff_t index) { return 0; }
++static inline bool f2fs_is_sparse_cluster(
++ struct inode *inode,
++ pgoff_t index) { return true; }
+ static inline void f2fs_update_read_extent_tree_range_compressed(
+ struct inode *inode,
+ pgoff_t fofs, block_t blkaddr,
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index 869f4744b443e..56381a0b63219 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -4219,9 +4219,8 @@ static int f2fs_ioc_decompress_file(struct file *filp)
+ struct inode *inode = file_inode(filp);
+ struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+ struct f2fs_inode_info *fi = F2FS_I(inode);
+- pgoff_t page_idx = 0, last_idx;
+- int cluster_size = fi->i_cluster_size;
+- int count, ret;
++ pgoff_t page_idx = 0, last_idx, cluster_idx;
++ int ret;
+
+ if (!f2fs_sb_has_compression(sbi) ||
+ F2FS_OPTION(sbi).compress_mode != COMPR_MODE_USER)
+@@ -4256,10 +4255,15 @@ static int f2fs_ioc_decompress_file(struct file *filp)
+ goto out;
+
+ last_idx = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE);
++ last_idx >>= fi->i_log_cluster_size;
++
++ for (cluster_idx = 0; cluster_idx < last_idx; cluster_idx++) {
++ page_idx = cluster_idx << fi->i_log_cluster_size;
++
++ if (!f2fs_is_compressed_cluster(inode, page_idx))
++ continue;
+
+- count = last_idx - page_idx;
+- while (count && count >= cluster_size) {
+- ret = redirty_blocks(inode, page_idx, cluster_size);
++ ret = redirty_blocks(inode, page_idx, fi->i_cluster_size);
+ if (ret < 0)
+ break;
+
+@@ -4269,9 +4273,6 @@ static int f2fs_ioc_decompress_file(struct file *filp)
+ break;
+ }
+
+- count -= cluster_size;
+- page_idx += cluster_size;
+-
+ cond_resched();
+ if (fatal_signal_pending(current)) {
+ ret = -EINTR;
+@@ -4298,9 +4299,9 @@ static int f2fs_ioc_compress_file(struct file *filp)
+ {
+ struct inode *inode = file_inode(filp);
+ struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+- pgoff_t page_idx = 0, last_idx;
+- int cluster_size = F2FS_I(inode)->i_cluster_size;
+- int count, ret;
++ struct f2fs_inode_info *fi = F2FS_I(inode);
++ pgoff_t page_idx = 0, last_idx, cluster_idx;
++ int ret;
+
+ if (!f2fs_sb_has_compression(sbi) ||
+ F2FS_OPTION(sbi).compress_mode != COMPR_MODE_USER)
+@@ -4334,10 +4335,15 @@ static int f2fs_ioc_compress_file(struct file *filp)
+ set_inode_flag(inode, FI_ENABLE_COMPRESS);
+
+ last_idx = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE);
++ last_idx >>= fi->i_log_cluster_size;
+
+- count = last_idx - page_idx;
+- while (count && count >= cluster_size) {
+- ret = redirty_blocks(inode, page_idx, cluster_size);
++ for (cluster_idx = 0; cluster_idx < last_idx; cluster_idx++) {
++ page_idx = cluster_idx << fi->i_log_cluster_size;
++
++ if (f2fs_is_sparse_cluster(inode, page_idx))
++ continue;
++
++ ret = redirty_blocks(inode, page_idx, fi->i_cluster_size);
+ if (ret < 0)
+ break;
+
+@@ -4347,9 +4353,6 @@ static int f2fs_ioc_compress_file(struct file *filp)
+ break;
+ }
+
+- count -= cluster_size;
+- page_idx += cluster_size;
+-
+ cond_resched();
+ if (fatal_signal_pending(current)) {
+ ret = -EINTR;
+--
+2.43.0
+
--- /dev/null
+From 0e1bf4b63004edfc1c8f41e63db5059f35b2ff45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Aug 2024 16:32:44 +0900
+Subject: f2fs: Create COW inode from parent dentry for atomic write
+
+From: Yeongjin Gil <youngjin.gil@samsung.com>
+
+[ Upstream commit 8c1b787938fd86bab27a1492fa887408c75fec2b ]
+
+The i_pino in f2fs_inode_info has the previous parent's i_ino when inode
+was renamed, which may cause f2fs_ioc_start_atomic_write to fail.
+If file_wrong_pino is true and i_nlink is 1, then to find a valid pino,
+we should refer to the dentry from inode.
+
+To resolve this issue, let's get parent inode using parent dentry
+directly.
+
+Fixes: 3db1de0e582c ("f2fs: change the current atomic write way")
+Reviewed-by: Sungjong Seo <sj1557.seo@samsung.com>
+Reviewed-by: Sunmin Jeong <s_min.jeong@samsung.com>
+Signed-off-by: Yeongjin Gil <youngjin.gil@samsung.com>
+Reviewed-by: Daeho Jeong <daehojeong@google.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/file.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index afa43d1aa030a..bf448dbe2c551 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -2119,7 +2119,6 @@ static int f2fs_ioc_start_atomic_write(struct file *filp, bool truncate)
+ struct mnt_idmap *idmap = file_mnt_idmap(filp);
+ struct f2fs_inode_info *fi = F2FS_I(inode);
+ struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+- struct inode *pinode;
+ loff_t isize;
+ int ret;
+
+@@ -2169,15 +2168,10 @@ static int f2fs_ioc_start_atomic_write(struct file *filp, bool truncate)
+ /* Check if the inode already has a COW inode */
+ if (fi->cow_inode == NULL) {
+ /* Create a COW inode for atomic write */
+- pinode = f2fs_iget(inode->i_sb, fi->i_pino);
+- if (IS_ERR(pinode)) {
+- f2fs_up_write(&fi->i_gc_rwsem[WRITE]);
+- ret = PTR_ERR(pinode);
+- goto out;
+- }
++ struct dentry *dentry = file_dentry(filp);
++ struct inode *dir = d_inode(dentry->d_parent);
+
+- ret = f2fs_get_tmpfile(idmap, pinode, &fi->cow_inode);
+- iput(pinode);
++ ret = f2fs_get_tmpfile(idmap, dir, &fi->cow_inode);
+ if (ret) {
+ f2fs_up_write(&fi->i_gc_rwsem[WRITE]);
+ goto out;
+--
+2.43.0
+
--- /dev/null
+From 22947b72f35f29954ec42294b17fb9d1be0b26e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Jun 2024 15:15:21 +0800
+Subject: f2fs: fix to avoid racing in between read and OPU dio write
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 0cac51185e65dc2a20686184e02f3cafc99eb202 ]
+
+If lfs mode is on, buffered read may race w/ OPU dio write as below,
+it may cause buffered read hits unwritten data unexpectly, and for
+dio read, the race condition exists as well.
+
+Thread A Thread B
+- f2fs_file_write_iter
+ - f2fs_dio_write_iter
+ - __iomap_dio_rw
+ - f2fs_iomap_begin
+ - f2fs_map_blocks
+ - __allocate_data_block
+ - allocated blkaddr #x
+ - iomap_dio_submit_bio
+ - f2fs_file_read_iter
+ - filemap_read
+ - f2fs_read_data_folio
+ - f2fs_mpage_readpages
+ - f2fs_map_blocks
+ : get blkaddr #x
+ - f2fs_submit_read_bio
+ IRQ
+ - f2fs_read_end_io
+ : read IO on blkaddr #x complete
+IRQ
+- iomap_dio_bio_end_io
+ : direct write IO on blkaddr #x complete
+
+In LFS mode, if there is inflight dio, let's wait for its completion,
+this policy won't cover all race cases, however it is a tradeoff which
+avoids abusing lock around IO paths.
+
+Fixes: f847c699cff3 ("f2fs: allow out-place-update for direct IO in LFS mode")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/file.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index f42d1e41a82b1..afa43d1aa030a 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -4600,6 +4600,10 @@ static ssize_t f2fs_file_read_iter(struct kiocb *iocb, struct iov_iter *to)
+ f2fs_trace_rw_file_path(iocb->ki_filp, iocb->ki_pos,
+ iov_iter_count(to), READ);
+
++ /* In LFS mode, if there is inflight dio, wait for its completion */
++ if (f2fs_lfs_mode(F2FS_I_SB(inode)))
++ inode_dio_wait(inode);
++
+ if (f2fs_should_use_dio(inode, iocb, to)) {
+ ret = f2fs_dio_read_iter(iocb, to);
+ } else {
+--
+2.43.0
+
--- /dev/null
+From a7666572b8f81de5b425a552faf2549c794772be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jul 2024 09:08:55 +0800
+Subject: f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit c7f114d864ac91515bb07ac271e9824a20f5ed95 ]
+
+syzbot reports a f2fs bug as below:
+
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
+ print_report+0xe8/0x550 mm/kasan/report.c:491
+ kasan_report+0x143/0x180 mm/kasan/report.c:601
+ kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
+ instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
+ atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
+ __refcount_add include/linux/refcount.h:184 [inline]
+ __refcount_inc include/linux/refcount.h:241 [inline]
+ refcount_inc include/linux/refcount.h:258 [inline]
+ get_task_struct include/linux/sched/task.h:118 [inline]
+ kthread_stop+0xca/0x630 kernel/kthread.c:704
+ f2fs_stop_gc_thread+0x65/0xb0 fs/f2fs/gc.c:210
+ f2fs_do_shutdown+0x192/0x540 fs/f2fs/file.c:2283
+ f2fs_ioc_shutdown fs/f2fs/file.c:2325 [inline]
+ __f2fs_ioctl+0x443a/0xbe60 fs/f2fs/file.c:4325
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:907 [inline]
+ __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+The root cause is below race condition, it may cause use-after-free
+issue in sbi->gc_th pointer.
+
+- remount
+ - f2fs_remount
+ - f2fs_stop_gc_thread
+ - kfree(gc_th)
+ - f2fs_ioc_shutdown
+ - f2fs_do_shutdown
+ - f2fs_stop_gc_thread
+ - kthread_stop(gc_th->f2fs_gc_task)
+ : sbi->gc_thread = NULL;
+
+We will call f2fs_do_shutdown() in two paths:
+- for f2fs_ioc_shutdown() path, we should grab sb->s_umount semaphore
+for fixing.
+- for f2fs_shutdown() path, it's safe since caller has already grabbed
+sb->s_umount semaphore.
+
+Reported-by: syzbot+1a8e2b31f2ac9bd3d148@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-f2fs-devel/0000000000005c7ccb061e032b9b@google.com
+Fixes: 7950e9ac638e ("f2fs: stop gc/discard thread after fs shutdown")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/f2fs.h | 2 +-
+ fs/f2fs/file.c | 11 +++++++++--
+ fs/f2fs/super.c | 2 +-
+ 3 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index eb6b3e62e6575..f4342622dec6a 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -3503,7 +3503,7 @@ int f2fs_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
+ int f2fs_truncate_hole(struct inode *inode, pgoff_t pg_start, pgoff_t pg_end);
+ void f2fs_truncate_data_blocks_range(struct dnode_of_data *dn, int count);
+ int f2fs_do_shutdown(struct f2fs_sb_info *sbi, unsigned int flag,
+- bool readonly);
++ bool readonly, bool need_lock);
+ int f2fs_precache_extents(struct inode *inode);
+ int f2fs_fileattr_get(struct dentry *dentry, struct fileattr *fa);
+ int f2fs_fileattr_set(struct mnt_idmap *idmap,
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index 5558a75f29b79..869f4744b443e 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -2280,7 +2280,7 @@ static int f2fs_ioc_abort_atomic_write(struct file *filp)
+ }
+
+ int f2fs_do_shutdown(struct f2fs_sb_info *sbi, unsigned int flag,
+- bool readonly)
++ bool readonly, bool need_lock)
+ {
+ struct super_block *sb = sbi->sb;
+ int ret = 0;
+@@ -2327,12 +2327,19 @@ int f2fs_do_shutdown(struct f2fs_sb_info *sbi, unsigned int flag,
+ if (readonly)
+ goto out;
+
++ /* grab sb->s_umount to avoid racing w/ remount() */
++ if (need_lock)
++ down_read(&sbi->sb->s_umount);
++
+ f2fs_stop_gc_thread(sbi);
+ f2fs_stop_discard_thread(sbi);
+
+ f2fs_drop_discard_cmd(sbi);
+ clear_opt(sbi, DISCARD);
+
++ if (need_lock)
++ up_read(&sbi->sb->s_umount);
++
+ f2fs_update_time(sbi, REQ_TIME);
+ out:
+
+@@ -2369,7 +2376,7 @@ static int f2fs_ioc_shutdown(struct file *filp, unsigned long arg)
+ }
+ }
+
+- ret = f2fs_do_shutdown(sbi, in, readonly);
++ ret = f2fs_do_shutdown(sbi, in, readonly, true);
+
+ if (need_drop)
+ mnt_drop_write_file(filp);
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index 3959fd137cc9b..4e46cbd1fc2ba 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -2561,7 +2561,7 @@ static int f2fs_remount(struct super_block *sb, int *flags, char *data)
+
+ static void f2fs_shutdown(struct super_block *sb)
+ {
+- f2fs_do_shutdown(F2FS_SB(sb), F2FS_GOING_DOWN_NOSYNC, false);
++ f2fs_do_shutdown(F2FS_SB(sb), F2FS_GOING_DOWN_NOSYNC, false, false);
+ }
+
+ #ifdef CONFIG_QUOTA
+--
+2.43.0
+
--- /dev/null
+From 140de2604681c6f2a756d9657f26811b46b0a017 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2024 11:07:13 +0800
+Subject: f2fs: fix to don't set SB_RDONLY in f2fs_handle_critical_error()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 930c6ab93492c4b15436524e704950b364b2930c ]
+
+syzbot reports a f2fs bug as below:
+
+------------[ cut here ]------------
+WARNING: CPU: 1 PID: 58 at kernel/rcu/sync.c:177 rcu_sync_dtor+0xcd/0x180 kernel/rcu/sync.c:177
+CPU: 1 UID: 0 PID: 58 Comm: kworker/1:2 Not tainted 6.10.0-syzkaller-12562-g1722389b0d86 #0
+Workqueue: events destroy_super_work
+RIP: 0010:rcu_sync_dtor+0xcd/0x180 kernel/rcu/sync.c:177
+Call Trace:
+ percpu_free_rwsem+0x41/0x80 kernel/locking/percpu-rwsem.c:42
+ destroy_super_work+0xec/0x130 fs/super.c:282
+ process_one_work kernel/workqueue.c:3231 [inline]
+ process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
+ worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
+ kthread+0x2f0/0x390 kernel/kthread.c:389
+ ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+
+As Christian Brauner pointed out [1]: the root cause is f2fs sets
+SB_RDONLY flag in internal function, rather than setting the flag
+covered w/ sb->s_umount semaphore via remount procedure, then below
+race condition causes this bug:
+
+- freeze_super()
+ - sb_wait_write(sb, SB_FREEZE_WRITE)
+ - sb_wait_write(sb, SB_FREEZE_PAGEFAULT)
+ - sb_wait_write(sb, SB_FREEZE_FS)
+ - f2fs_handle_critical_error
+ - sb->s_flags |= SB_RDONLY
+- thaw_super
+ - thaw_super_locked
+ - sb_rdonly() is true, so it skips
+ sb_freeze_unlock(sb, SB_FREEZE_FS)
+ - deactivate_locked_super
+
+Since f2fs has almost the same logic as ext4 [2] when handling critical
+error in filesystem if it mounts w/ errors=remount-ro option:
+- set CP_ERROR_FLAG flag which indicates filesystem is stopped
+- record errors to superblock
+- set SB_RDONLY falg
+Once we set CP_ERROR_FLAG flag, all writable interfaces can detect the
+flag and stop any further updates on filesystem. So, it is safe to not
+set SB_RDONLY flag, let's remove the logic and keep in line w/ ext4 [3].
+
+[1] https://lore.kernel.org/all/20240729-himbeeren-funknetz-96e62f9c7aee@brauner
+[2] https://lore.kernel.org/all/20240729132721.hxih6ehigadqf7wx@quack3
+[3] https://lore.kernel.org/linux-ext4/20240805201241.27286-1-jack@suse.cz
+
+Fixes: b62e71be2110 ("f2fs: support errors=remount-ro|continue|panic mountoption")
+Reported-by: syzbot+20d7e439f76bbbd863a7@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/000000000000b90a8e061e21d12f@google.com/
+Cc: Jan Kara <jack@suse.cz>
+Cc: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Reviewed-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/super.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index 4e46cbd1fc2ba..80ce869d542c6 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -4173,12 +4173,14 @@ void f2fs_handle_critical_error(struct f2fs_sb_info *sbi, unsigned char reason,
+ }
+
+ f2fs_warn(sbi, "Remounting filesystem read-only");
++
+ /*
+- * Make sure updated value of ->s_mount_flags will be visible before
+- * ->s_flags update
++ * We have already set CP_ERROR_FLAG flag to stop all updates
++ * to filesystem, so it doesn't need to set SB_RDONLY flag here
++ * because the flag should be set covered w/ sb->s_umount semaphore
++ * via remount procedure, otherwise, it will confuse code like
++ * freeze_super() which will lead to deadlocks and other problems.
+ */
+- smp_wmb();
+- sb->s_flags |= SB_RDONLY;
+ }
+
+ static void f2fs_record_error_work(struct work_struct *work)
+--
+2.43.0
+
--- /dev/null
+From e9c639ece316afe25aae01a34a9dc114ab874e70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2024 22:12:42 +0800
+Subject: f2fs: fix to wait page writeback before setting gcing flag
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit a4d7f2b3238fd5f76b9e6434a0bd5d2e29049cff ]
+
+Soft IRQ Thread
+- f2fs_write_end_io
+ - f2fs_defragment_range
+ - set_page_private_gcing
+ - type = WB_DATA_TYPE(page, false);
+ : assign type w/ F2FS_WB_CP_DATA
+ due to page_private_gcing() is true
+ - dec_page_count() w/ wrong type
+ - end_page_writeback()
+
+Value of F2FS_WB_CP_DATA reference count may become negative under above
+race condition, the root cause is we missed to wait page writeback before
+setting gcing page private flag, let's fix it.
+
+Fixes: 2d1fe8a86bf5 ("f2fs: fix to tag gcing flag on page during file defragment")
+Fixes: 4961acdd65c9 ("f2fs: fix to tag gcing flag on page during block migration")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/file.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index bf448dbe2c551..e178e3ebde04e 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -2790,6 +2790,8 @@ static int f2fs_defragment_range(struct f2fs_sb_info *sbi,
+ goto clear_out;
+ }
+
++ f2fs_wait_on_page_writeback(page, DATA, true, true);
++
+ set_page_dirty(page);
+ set_page_private_gcing(page);
+ f2fs_put_page(page, 1);
+@@ -4190,6 +4192,8 @@ static int redirty_blocks(struct inode *inode, pgoff_t page_idx, int len)
+ /* It will never fail, when page has pinned above */
+ f2fs_bug_on(F2FS_I_SB(inode), !page);
+
++ f2fs_wait_on_page_writeback(page, DATA, true, true);
++
+ set_page_dirty(page);
+ set_page_private_gcing(page);
+ f2fs_put_page(page, 1);
+--
+2.43.0
+
--- /dev/null
+From a411d67f299b23b713045fb8d70b70fa2d0c9e8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 14:27:24 +0800
+Subject: f2fs: get rid of online repaire on corrupted directory
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 884ee6dc85b959bc152f15bca80c30f06069e6c4 ]
+
+syzbot reports a f2fs bug as below:
+
+kernel BUG at fs/f2fs/inode.c:896!
+RIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896
+Call Trace:
+ evict+0x532/0x950 fs/inode.c:704
+ dispose_list fs/inode.c:747 [inline]
+ evict_inodes+0x5f9/0x690 fs/inode.c:797
+ generic_shutdown_super+0x9d/0x2d0 fs/super.c:627
+ kill_block_super+0x44/0x90 fs/super.c:1696
+ kill_f2fs_super+0x344/0x690 fs/f2fs/super.c:4898
+ deactivate_locked_super+0xc4/0x130 fs/super.c:473
+ cleanup_mnt+0x41f/0x4b0 fs/namespace.c:1373
+ task_work_run+0x24f/0x310 kernel/task_work.c:228
+ ptrace_notify+0x2d2/0x380 kernel/signal.c:2402
+ ptrace_report_syscall include/linux/ptrace.h:415 [inline]
+ ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline]
+ syscall_exit_work+0xc6/0x190 kernel/entry/common.c:173
+ syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline]
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline]
+ syscall_exit_to_user_mode+0x279/0x370 kernel/entry/common.c:218
+ do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896
+
+Online repaire on corrupted directory in f2fs_lookup() can generate
+dirty data/meta while racing w/ readonly remount, it may leave dirty
+inode after filesystem becomes readonly, however, checkpoint() will
+skips flushing dirty inode in a state of readonly mode, result in
+above panic.
+
+Let's get rid of online repaire in f2fs_lookup(), and leave the work
+to fsck.f2fs.
+
+Fixes: 510022a85839 ("f2fs: add F2FS_INLINE_DOTS to recover missing dot dentries")
+Reported-by: syzbot+ebea2790904673d7c618@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/000000000000a7b20f061ff2d56a@google.com
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/f2fs.h | 11 -------
+ fs/f2fs/namei.c | 68 -----------------------------------------
+ include/linux/f2fs_fs.h | 2 +-
+ 3 files changed, 1 insertion(+), 80 deletions(-)
+
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index 5fcacc8df80ea..40e96d577982c 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -785,7 +785,6 @@ enum {
+ FI_NEED_IPU, /* used for ipu per file */
+ FI_ATOMIC_FILE, /* indicate atomic file */
+ FI_DATA_EXIST, /* indicate data exists */
+- FI_INLINE_DOTS, /* indicate inline dot dentries */
+ FI_SKIP_WRITES, /* should skip data page writeback */
+ FI_OPU_WRITE, /* used for opu per file */
+ FI_DIRTY_FILE, /* indicate regular/symlink has dirty pages */
+@@ -3047,7 +3046,6 @@ static inline void __mark_inode_dirty_flag(struct inode *inode,
+ return;
+ fallthrough;
+ case FI_DATA_EXIST:
+- case FI_INLINE_DOTS:
+ case FI_PIN_FILE:
+ case FI_COMPRESS_RELEASED:
+ f2fs_mark_inode_dirty_sync(inode, true);
+@@ -3171,8 +3169,6 @@ static inline void get_inline_info(struct inode *inode, struct f2fs_inode *ri)
+ set_bit(FI_INLINE_DENTRY, fi->flags);
+ if (ri->i_inline & F2FS_DATA_EXIST)
+ set_bit(FI_DATA_EXIST, fi->flags);
+- if (ri->i_inline & F2FS_INLINE_DOTS)
+- set_bit(FI_INLINE_DOTS, fi->flags);
+ if (ri->i_inline & F2FS_EXTRA_ATTR)
+ set_bit(FI_EXTRA_ATTR, fi->flags);
+ if (ri->i_inline & F2FS_PIN_FILE)
+@@ -3193,8 +3189,6 @@ static inline void set_raw_inline(struct inode *inode, struct f2fs_inode *ri)
+ ri->i_inline |= F2FS_INLINE_DENTRY;
+ if (is_inode_flag_set(inode, FI_DATA_EXIST))
+ ri->i_inline |= F2FS_DATA_EXIST;
+- if (is_inode_flag_set(inode, FI_INLINE_DOTS))
+- ri->i_inline |= F2FS_INLINE_DOTS;
+ if (is_inode_flag_set(inode, FI_EXTRA_ATTR))
+ ri->i_inline |= F2FS_EXTRA_ATTR;
+ if (is_inode_flag_set(inode, FI_PIN_FILE))
+@@ -3275,11 +3269,6 @@ static inline int f2fs_exist_data(struct inode *inode)
+ return is_inode_flag_set(inode, FI_DATA_EXIST);
+ }
+
+-static inline int f2fs_has_inline_dots(struct inode *inode)
+-{
+- return is_inode_flag_set(inode, FI_INLINE_DOTS);
+-}
+-
+ static inline int f2fs_is_mmap_file(struct inode *inode)
+ {
+ return is_inode_flag_set(inode, FI_MMAP_FILE);
+diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
+index 38b4750475db6..57d46e1439ded 100644
+--- a/fs/f2fs/namei.c
++++ b/fs/f2fs/namei.c
+@@ -457,62 +457,6 @@ struct dentry *f2fs_get_parent(struct dentry *child)
+ return d_obtain_alias(f2fs_iget(child->d_sb, ino));
+ }
+
+-static int __recover_dot_dentries(struct inode *dir, nid_t pino)
+-{
+- struct f2fs_sb_info *sbi = F2FS_I_SB(dir);
+- struct qstr dot = QSTR_INIT(".", 1);
+- struct f2fs_dir_entry *de;
+- struct page *page;
+- int err = 0;
+-
+- if (f2fs_readonly(sbi->sb)) {
+- f2fs_info(sbi, "skip recovering inline_dots inode (ino:%lu, pino:%u) in readonly mountpoint",
+- dir->i_ino, pino);
+- return 0;
+- }
+-
+- if (!S_ISDIR(dir->i_mode)) {
+- f2fs_err(sbi, "inconsistent inode status, skip recovering inline_dots inode (ino:%lu, i_mode:%u, pino:%u)",
+- dir->i_ino, dir->i_mode, pino);
+- set_sbi_flag(sbi, SBI_NEED_FSCK);
+- return -ENOTDIR;
+- }
+-
+- err = f2fs_dquot_initialize(dir);
+- if (err)
+- return err;
+-
+- f2fs_balance_fs(sbi, true);
+-
+- f2fs_lock_op(sbi);
+-
+- de = f2fs_find_entry(dir, &dot, &page);
+- if (de) {
+- f2fs_put_page(page, 0);
+- } else if (IS_ERR(page)) {
+- err = PTR_ERR(page);
+- goto out;
+- } else {
+- err = f2fs_do_add_link(dir, &dot, NULL, dir->i_ino, S_IFDIR);
+- if (err)
+- goto out;
+- }
+-
+- de = f2fs_find_entry(dir, &dotdot_name, &page);
+- if (de)
+- f2fs_put_page(page, 0);
+- else if (IS_ERR(page))
+- err = PTR_ERR(page);
+- else
+- err = f2fs_do_add_link(dir, &dotdot_name, NULL, pino, S_IFDIR);
+-out:
+- if (!err)
+- clear_inode_flag(dir, FI_INLINE_DOTS);
+-
+- f2fs_unlock_op(sbi);
+- return err;
+-}
+-
+ static struct dentry *f2fs_lookup(struct inode *dir, struct dentry *dentry,
+ unsigned int flags)
+ {
+@@ -522,7 +466,6 @@ static struct dentry *f2fs_lookup(struct inode *dir, struct dentry *dentry,
+ struct dentry *new;
+ nid_t ino = -1;
+ int err = 0;
+- unsigned int root_ino = F2FS_ROOT_INO(F2FS_I_SB(dir));
+ struct f2fs_filename fname;
+
+ trace_f2fs_lookup_start(dir, dentry, flags);
+@@ -558,17 +501,6 @@ static struct dentry *f2fs_lookup(struct inode *dir, struct dentry *dentry,
+ goto out;
+ }
+
+- if ((dir->i_ino == root_ino) && f2fs_has_inline_dots(dir)) {
+- err = __recover_dot_dentries(dir, root_ino);
+- if (err)
+- goto out_iput;
+- }
+-
+- if (f2fs_has_inline_dots(inode)) {
+- err = __recover_dot_dentries(inode, dir->i_ino);
+- if (err)
+- goto out_iput;
+- }
+ if (IS_ENCRYPTED(dir) &&
+ (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode)) &&
+ !fscrypt_has_permitted_context(dir, inode)) {
+diff --git a/include/linux/f2fs_fs.h b/include/linux/f2fs_fs.h
+index 01bee2b289c2a..c68e37201a12a 100644
+--- a/include/linux/f2fs_fs.h
++++ b/include/linux/f2fs_fs.h
+@@ -278,7 +278,7 @@ struct node_footer {
+ #define F2FS_INLINE_DATA 0x02 /* file inline data flag */
+ #define F2FS_INLINE_DENTRY 0x04 /* file inline dentry flag */
+ #define F2FS_DATA_EXIST 0x08 /* file inline data exist flag */
+-#define F2FS_INLINE_DOTS 0x10 /* file having implicit dot dentries */
++#define F2FS_INLINE_DOTS 0x10 /* file having implicit dot dentries (obsolete) */
+ #define F2FS_EXTRA_ATTR 0x20 /* file having extra attribute */
+ #define F2FS_PIN_FILE 0x40 /* file should not be gced */
+ #define F2FS_COMPRESS_RELEASED 0x80 /* file released compressed blocks */
+--
+2.43.0
+
--- /dev/null
+From bb724d465e9599beadc0713fed12ab397fa8ea24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 08:33:06 -0700
+Subject: f2fs: prevent atomic file from being dirtied before commit
+
+From: Daeho Jeong <daehojeong@google.com>
+
+[ Upstream commit fccaa81de87e80b1809906f7e438e5766fbdc172 ]
+
+Keep atomic file clean while updating and make it dirtied during commit
+in order to avoid unnecessary and excessive inode updates in the previous
+fix.
+
+Fixes: 4bf78322346f ("f2fs: mark inode dirty for FI_ATOMIC_COMMITTED flag")
+Signed-off-by: Daeho Jeong <daehojeong@google.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/f2fs.h | 2 +-
+ fs/f2fs/inode.c | 5 +++++
+ fs/f2fs/segment.c | 8 ++++++++
+ 3 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index d40a8d6676f2d..5fcacc8df80ea 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -803,6 +803,7 @@ enum {
+ FI_ALIGNED_WRITE, /* enable aligned write */
+ FI_COW_FILE, /* indicate COW file */
+ FI_ATOMIC_COMMITTED, /* indicate atomic commit completed except disk sync */
++ FI_ATOMIC_DIRTIED, /* indicate atomic file is dirtied */
+ FI_ATOMIC_REPLACE, /* indicate atomic replace */
+ FI_OPENED_FILE, /* indicate file has been opened */
+ FI_MAX, /* max flag, never be used */
+@@ -3049,7 +3050,6 @@ static inline void __mark_inode_dirty_flag(struct inode *inode,
+ case FI_INLINE_DOTS:
+ case FI_PIN_FILE:
+ case FI_COMPRESS_RELEASED:
+- case FI_ATOMIC_COMMITTED:
+ f2fs_mark_inode_dirty_sync(inode, true);
+ }
+ }
+diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
+index aef57172014fa..4729c49bf6d7e 100644
+--- a/fs/f2fs/inode.c
++++ b/fs/f2fs/inode.c
+@@ -35,6 +35,11 @@ void f2fs_mark_inode_dirty_sync(struct inode *inode, bool sync)
+ if (f2fs_inode_dirtied(inode, sync))
+ return;
+
++ if (f2fs_is_atomic_file(inode)) {
++ set_inode_flag(inode, FI_ATOMIC_DIRTIED);
++ return;
++ }
++
+ mark_inode_dirty_sync(inode);
+ }
+
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index 78c3198a6308f..2f6ee9afd3ad7 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -199,6 +199,10 @@ void f2fs_abort_atomic_write(struct inode *inode, bool clean)
+ clear_inode_flag(inode, FI_ATOMIC_COMMITTED);
+ clear_inode_flag(inode, FI_ATOMIC_REPLACE);
+ clear_inode_flag(inode, FI_ATOMIC_FILE);
++ if (is_inode_flag_set(inode, FI_ATOMIC_DIRTIED)) {
++ clear_inode_flag(inode, FI_ATOMIC_DIRTIED);
++ f2fs_mark_inode_dirty_sync(inode, true);
++ }
+ stat_dec_atomic_inode(inode);
+
+ F2FS_I(inode)->atomic_write_task = NULL;
+@@ -366,6 +370,10 @@ static int __f2fs_commit_atomic_write(struct inode *inode)
+ } else {
+ sbi->committed_atomic_block += fi->atomic_write_cnt;
+ set_inode_flag(inode, FI_ATOMIC_COMMITTED);
++ if (is_inode_flag_set(inode, FI_ATOMIC_DIRTIED)) {
++ clear_inode_flag(inode, FI_ATOMIC_DIRTIED);
++ f2fs_mark_inode_dirty_sync(inode, true);
++ }
+ }
+
+ __complete_revoke_list(inode, &revoke_list, ret ? true : false);
+--
+2.43.0
+
--- /dev/null
+From 119e03197b05c0ed539f277d70979a9ea907801c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Jun 2024 09:47:27 +0800
+Subject: f2fs: reduce expensive checkpoint trigger frequency
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit aaf8c0b9ae042494cb4585883b15c1332de77840 ]
+
+We may trigger high frequent checkpoint for below case:
+1. mkdir /mnt/dir1; set dir1 encrypted
+2. touch /mnt/file1; fsync /mnt/file1
+3. mkdir /mnt/dir2; set dir2 encrypted
+4. touch /mnt/file2; fsync /mnt/file2
+...
+
+Although, newly created dir and file are not related, due to
+commit bbf156f7afa7 ("f2fs: fix lost xattrs of directories"), we will
+trigger checkpoint whenever fsync() comes after a new encrypted dir
+created.
+
+In order to avoid such performance regression issue, let's record an
+entry including directory's ino in global cache whenever we update
+directory's xattr data, and then triggerring checkpoint() only if
+xattr metadata of target file's parent was updated.
+
+This patch updates to cover below no encryption case as well:
+1) parent is checkpointed
+2) set_xattr(dir) w/ new xnid
+3) create(file)
+4) fsync(file)
+
+Fixes: bbf156f7afa7 ("f2fs: fix lost xattrs of directories")
+Reported-by: wangzijie <wangzijie1@honor.com>
+Reported-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
+Tested-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
+Reported-by: Yunlei He <heyunlei@hihonor.com>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/f2fs.h | 2 ++
+ fs/f2fs/file.c | 3 +++
+ fs/f2fs/xattr.c | 14 ++++++++++++--
+ include/trace/events/f2fs.h | 3 ++-
+ 4 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index 9f8dd17b85b9d..eb6b3e62e6575 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -285,6 +285,7 @@ enum {
+ APPEND_INO, /* for append ino list */
+ UPDATE_INO, /* for update ino list */
+ TRANS_DIR_INO, /* for transactions dir ino list */
++ XATTR_DIR_INO, /* for xattr updated dir ino list */
+ FLUSH_INO, /* for multiple device flushing */
+ MAX_INO_ENTRY, /* max. list */
+ };
+@@ -1155,6 +1156,7 @@ enum cp_reason_type {
+ CP_FASTBOOT_MODE,
+ CP_SPEC_LOG_NUM,
+ CP_RECOVER_DIR,
++ CP_XATTR_DIR,
+ };
+
+ enum iostat_type {
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index 168f085070046..f42d1e41a82b1 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -218,6 +218,9 @@ static inline enum cp_reason_type need_do_checkpoint(struct inode *inode)
+ f2fs_exist_written_data(sbi, F2FS_I(inode)->i_pino,
+ TRANS_DIR_INO))
+ cp_reason = CP_RECOVER_DIR;
++ else if (f2fs_exist_written_data(sbi, F2FS_I(inode)->i_pino,
++ XATTR_DIR_INO))
++ cp_reason = CP_XATTR_DIR;
+
+ return cp_reason;
+ }
+diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c
+index f290fe9327c49..3f38749436796 100644
+--- a/fs/f2fs/xattr.c
++++ b/fs/f2fs/xattr.c
+@@ -629,6 +629,7 @@ static int __f2fs_setxattr(struct inode *inode, int index,
+ const char *name, const void *value, size_t size,
+ struct page *ipage, int flags)
+ {
++ struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+ struct f2fs_xattr_entry *here, *last;
+ void *base_addr, *last_base_addr;
+ int found, newsize;
+@@ -772,9 +773,18 @@ static int __f2fs_setxattr(struct inode *inode, int index,
+ if (index == F2FS_XATTR_INDEX_ENCRYPTION &&
+ !strcmp(name, F2FS_XATTR_NAME_ENCRYPTION_CONTEXT))
+ f2fs_set_encrypted_inode(inode);
+- if (S_ISDIR(inode->i_mode))
+- set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_CP);
+
++ if (!S_ISDIR(inode->i_mode))
++ goto same;
++ /*
++ * In restrict mode, fsync() always try to trigger checkpoint for all
++ * metadata consistency, in other mode, it triggers checkpoint when
++ * parent's xattr metadata was updated.
++ */
++ if (F2FS_OPTION(sbi).fsync_mode == FSYNC_MODE_STRICT)
++ set_sbi_flag(sbi, SBI_NEED_CP);
++ else
++ f2fs_add_ino_entry(sbi, inode->i_ino, XATTR_DIR_INO);
+ same:
+ if (is_inode_flag_set(inode, FI_ACL_MODE)) {
+ inode->i_mode = F2FS_I(inode)->i_acl_mode;
+diff --git a/include/trace/events/f2fs.h b/include/trace/events/f2fs.h
+index ed794b5fefbe3..2851c823095bc 100644
+--- a/include/trace/events/f2fs.h
++++ b/include/trace/events/f2fs.h
+@@ -139,7 +139,8 @@ TRACE_DEFINE_ENUM(EX_BLOCK_AGE);
+ { CP_NODE_NEED_CP, "node needs cp" }, \
+ { CP_FASTBOOT_MODE, "fastboot mode" }, \
+ { CP_SPEC_LOG_NUM, "log type is 2" }, \
+- { CP_RECOVER_DIR, "dir needs recovery" })
++ { CP_RECOVER_DIR, "dir needs recovery" }, \
++ { CP_XATTR_DIR, "dir's xattr updated" })
+
+ #define show_shutdown_mode(type) \
+ __print_symbolic(type, \
+--
+2.43.0
+
--- /dev/null
+From aac9b3223f4353fb5e454b4ac1b0ea065b0f78e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Aug 2024 22:34:39 +0200
+Subject: fbdev: hpfb: Fix an error handling path in hpfb_dio_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit aa578e897520f32ae12bec487f2474357d01ca9c ]
+
+If an error occurs after request_mem_region(), a corresponding
+release_mem_region() should be called, as already done in the remove
+function.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/hpfb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/video/fbdev/hpfb.c b/drivers/video/fbdev/hpfb.c
+index 66fac8e5393e0..a1144b1509826 100644
+--- a/drivers/video/fbdev/hpfb.c
++++ b/drivers/video/fbdev/hpfb.c
+@@ -345,6 +345,7 @@ static int hpfb_dio_probe(struct dio_dev *d, const struct dio_device_id *ent)
+ if (hpfb_init_one(paddr, vaddr)) {
+ if (d->scode >= DIOII_SCBASE)
+ iounmap((void *)vaddr);
++ release_mem_region(d->resource.start, resource_size(&d->resource));
+ return -ENOMEM;
+ }
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From a25c71b31d64eb70ecb6a9ee7c8cdffaad832b65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 10:49:22 -0700
+Subject: fbnic: Set napi irq value after calling netif_napi_add
+
+From: Brett Creeley <brett.creeley@amd.com>
+
+[ Upstream commit 9f3e7f11f21ac83cd99428390165177d4953b005 ]
+
+The driver calls netif_napi_set_irq() and then calls netif_napi_add(),
+which calls netif_napi_add_weight(). At the end of
+netif_napi_add_weight() is a call to netif_napi_set_irq(napi, -1), which
+clears the previously set napi->irq value. Fix this by calling
+netif_napi_set_irq() after calling netif_napi_add().
+
+This was found when reviewing another patch and I have no way to test
+this, but the fix seemed relatively straight forward.
+
+Fixes: bc6107771bb4 ("eth: fbnic: Allocate a netdevice and napi vectors with queues")
+Signed-off-by: Brett Creeley <brett.creeley@amd.com>
+Reviewed-by: Joe Damato <jdamato@fastly.com>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Link: https://patch.msgid.link/20240912174922.10550-1-brett.creeley@amd.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/meta/fbnic/fbnic_txrx.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/meta/fbnic/fbnic_txrx.c b/drivers/net/ethernet/meta/fbnic/fbnic_txrx.c
+index 0ed4c9fff5d80..72f88ae7815f4 100644
+--- a/drivers/net/ethernet/meta/fbnic/fbnic_txrx.c
++++ b/drivers/net/ethernet/meta/fbnic/fbnic_txrx.c
+@@ -1012,14 +1012,14 @@ static int fbnic_alloc_napi_vector(struct fbnic_dev *fbd, struct fbnic_net *fbn,
+ nv->fbd = fbd;
+ nv->v_idx = v_idx;
+
+- /* Record IRQ to NAPI struct */
+- netif_napi_set_irq(&nv->napi,
+- pci_irq_vector(to_pci_dev(fbd->dev), nv->v_idx));
+-
+ /* Tie napi to netdev */
+ list_add(&nv->napis, &fbn->napis);
+ netif_napi_add(fbn->netdev, &nv->napi, fbnic_poll);
+
++ /* Record IRQ to NAPI struct */
++ netif_napi_set_irq(&nv->napi,
++ pci_irq_vector(to_pci_dev(fbd->dev), nv->v_idx));
++
+ /* Tie nv back to PCIe dev */
+ nv->dev = fbd->dev;
+
+--
+2.43.0
+
--- /dev/null
+From 5480b48dc265b0620b6d3a1ca9f7f04bdca90268 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Aug 2024 16:04:03 +0900
+Subject: firewire: core: correct range of block for case of switch statement
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+[ Upstream commit ebb9d3ca8f7efc1b6a2f1750d1058eda444883d0 ]
+
+A commit d8527cab6c31 ("firewire: cdev: implement new event to notify
+response subaction with time stamp") adds an additional case,
+FW_CDEV_EVENT_RESPONSE2, into switch statement in complete_transaction().
+However, the range of block is beyond to the case label and reaches
+neibour default label.
+
+This commit corrects the range of block. Fortunately, it has few impacts
+in practice since the local variable in the scope under the label is not
+used in codes under default label.
+
+Fixes: d8527cab6c31 ("firewire: cdev: implement new event to notify response subaction with time stamp")
+Link: https://lore.kernel.org/r/20240810070403.36801-1-o-takashi@sakamocchi.jp
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firewire/core-cdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
+index 9a7dc90330a35..a888a001bedb1 100644
+--- a/drivers/firewire/core-cdev.c
++++ b/drivers/firewire/core-cdev.c
+@@ -599,11 +599,11 @@ static void complete_transaction(struct fw_card *card, int rcode, u32 request_ts
+ queue_event(client, &e->event, rsp, sizeof(*rsp) + rsp->length, NULL, 0);
+
+ break;
++ }
+ default:
+ WARN_ON(1);
+ break;
+ }
+- }
+
+ /* Drop the idr's reference */
+ client_put(client);
+--
+2.43.0
+
--- /dev/null
+From 1717e89f75625cb50ae5d3e27ea72c2ead737a20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2024 18:33:32 +0100
+Subject: firmware: arm_scmi: Fix double free in OPTEE transport
+
+From: Cristian Marussi <cristian.marussi@arm.com>
+
+[ Upstream commit e98dba934b2fc587eafb83f47ad64d9053b18ae0 ]
+
+Channels can be shared between protocols, avoid freeing the same channel
+descriptors twice when unloading the stack.
+
+Fixes: 5f90f189a052 ("firmware: arm_scmi: Add optee transport")
+Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
+Tested-by: Peng Fan <peng.fan@nxp.com> #i.MX95 19x19 EVK
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Message-Id: <20240812173340.3912830-2-cristian.marussi@arm.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_scmi/optee.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/firmware/arm_scmi/optee.c b/drivers/firmware/arm_scmi/optee.c
+index 4e7944b91e385..0c8908d3b1d67 100644
+--- a/drivers/firmware/arm_scmi/optee.c
++++ b/drivers/firmware/arm_scmi/optee.c
+@@ -473,6 +473,13 @@ static int scmi_optee_chan_free(int id, void *p, void *data)
+ struct scmi_chan_info *cinfo = p;
+ struct scmi_optee_channel *channel = cinfo->transport_info;
+
++ /*
++ * Different protocols might share the same chan info, so a previous
++ * call might have already freed the structure.
++ */
++ if (!channel)
++ return 0;
++
+ mutex_lock(&scmi_optee_private->mu);
+ list_del(&channel->link);
+ mutex_unlock(&scmi_optee_private->mu);
+--
+2.43.0
+
--- /dev/null
+From 904ac1d8f30255c19ce0645cf2133f8217a13313 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jul 2024 21:23:32 +0530
+Subject: firmware: qcom: scm: Disable SDI and write no dump to dump mode
+
+From: Mukesh Ojha <quic_mojha@quicinc.com>
+
+[ Upstream commit 79cb2cb8d89b7eca87e8dac031dadea4aeafeaa7 ]
+
+SDI is enabled for most of the Qualcomm SoCs and as per commit
+ff4aa3bc9825 ("firmware: qcom_scm: disable SDI if required")
+it was recommended to disable SDI by mentioning it in device tree
+to avoid hang during watchdog or during reboot.
+
+However, for some cases if download mode tcsr register already
+configured from boot firmware to collect dumps and if SDI is
+disabled via means of mentioning it in device tree we could
+still end up with dump collection. Disabling SDI alone is
+not completely enough to disable dump mode and we also need to
+zero out the bits download bits from tcsr register.
+
+Current commit now, unconditionally call qcom_scm_set_download_mode()
+based on download_mode flag, at max if TCSR register is not mentioned
+or available for a SoC it will fallback to legacy way of setting
+download mode through command which may be no-ops or return error
+in case current firmware does not implements QCOM_SCM_INFO_IS_CALL_AVAIL
+so, at worst it does nothing if it fails.
+
+It also does to call SDI disable call if dload mode is disabled, which
+looks fine to do as intention is to disable dump collection even if
+system crashes.
+
+Fixes: ff4aa3bc9825 ("firmware: qcom_scm: disable SDI if required")
+Signed-off-by: Mukesh Ojha <quic_mojha@quicinc.com>
+Link: https://lore.kernel.org/r/20240708155332.4056479-1-quic_mojha@quicinc.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/qcom/qcom_scm.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/firmware/qcom/qcom_scm.c b/drivers/firmware/qcom/qcom_scm.c
+index 00c379a3ccebe..0f5ac346bda43 100644
+--- a/drivers/firmware/qcom/qcom_scm.c
++++ b/drivers/firmware/qcom/qcom_scm.c
+@@ -1954,14 +1954,12 @@ static int qcom_scm_probe(struct platform_device *pdev)
+ * will cause the boot stages to enter download mode, unless
+ * disabled below by a clean shutdown/reboot.
+ */
+- if (download_mode)
+- qcom_scm_set_download_mode(true);
+-
++ qcom_scm_set_download_mode(download_mode);
+
+ /*
+ * Disable SDI if indicated by DT that it is enabled by default.
+ */
+- if (of_property_read_bool(pdev->dev.of_node, "qcom,sdi-enabled"))
++ if (of_property_read_bool(pdev->dev.of_node, "qcom,sdi-enabled") || !download_mode)
+ qcom_scm_disable_sdi();
+
+ ret = of_reserved_mem_device_init(__scm->dev);
+--
+2.43.0
+
--- /dev/null
+From 86fba8fc7cdf7116428f71e116ac6cabb9830702 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 13:32:08 -0700
+Subject: HID: wacom: Do not warn about dropped packets for first packet
+
+From: Jason Gerecke <jason.gerecke@wacom.com>
+
+[ Upstream commit 84aecf2d251a3359bc78b7c8e58f54b9fc966e89 ]
+
+The driver currently assumes that the first sequence number it will see
+is going to be 0. This is not a realiable assumption and can break if,
+for example, the tablet has already been running for some time prior to
+the kernel driver connecting to the device. This commit initializes the
+expected sequence number to -1 and will only print the "Dropped" warning
+the it has been updated to a non-negative value.
+
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Tested-by: Joshua Dickens <joshua.dickens@wacom.com>
+Fixes: 6d09085b38e5 ("HID: wacom: Adding Support for new usages")
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/wacom_wac.c | 6 +++++-
+ drivers/hid/wacom_wac.h | 2 +-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
+index 0c8713fe0d179..e86a37c3cf9c3 100644
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -2322,6 +2322,9 @@ static void wacom_wac_pen_usage_mapping(struct hid_device *hdev,
+ wacom_map_usage(input, usage, field, EV_KEY, BTN_STYLUS3, 0);
+ features->quirks &= ~WACOM_QUIRK_PEN_BUTTON3;
+ break;
++ case WACOM_HID_WD_SEQUENCENUMBER:
++ wacom_wac->hid_data.sequence_number = -1;
++ break;
+ }
+ }
+
+@@ -2446,7 +2449,8 @@ static void wacom_wac_pen_event(struct hid_device *hdev, struct hid_field *field
+ wacom_wac->hid_data.barrelswitch3 = value;
+ return;
+ case WACOM_HID_WD_SEQUENCENUMBER:
+- if (wacom_wac->hid_data.sequence_number != value) {
++ if (wacom_wac->hid_data.sequence_number != value &&
++ wacom_wac->hid_data.sequence_number >= 0) {
+ int sequence_size = field->logical_maximum - field->logical_minimum + 1;
+ int drop_count = (value - wacom_wac->hid_data.sequence_number) % sequence_size;
+ hid_warn(hdev, "Dropped %d packets", drop_count);
+diff --git a/drivers/hid/wacom_wac.h b/drivers/hid/wacom_wac.h
+index 6ec499841f709..e6443740b462f 100644
+--- a/drivers/hid/wacom_wac.h
++++ b/drivers/hid/wacom_wac.h
+@@ -324,7 +324,7 @@ struct hid_data {
+ int bat_connected;
+ int ps_connected;
+ bool pad_input_event_flag;
+- unsigned short sequence_number;
++ int sequence_number;
+ ktime_t time_delayed;
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 74e97642cfc074b1440a0aec795e6f42c32e0ff1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 13:32:07 -0700
+Subject: HID: wacom: Support sequence numbers smaller than 16-bit
+
+From: Jason Gerecke <jason.gerecke@wacom.com>
+
+[ Upstream commit 359673ea3a203611b4f6d0f28922a4b9d2cfbcc8 ]
+
+The current dropped packet reporting assumes that all sequence numbers
+are 16 bits in length. This results in misleading "Dropped" messages if
+the hardware uses fewer bits. For example, if a tablet uses only 8 bits
+to store its sequence number, once it rolls over from 255 -> 0, the
+driver will still be expecting a packet "256". This patch adjusts the
+logic to reset the next expected packet to logical_minimum whenever
+it overflows beyond logical_maximum.
+
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Tested-by: Joshua Dickens <joshua.dickens@wacom.com>
+Fixes: 6d09085b38e5 ("HID: wacom: Adding Support for new usages")
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/wacom_wac.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
+index 2541fa2e0fa3b..0c8713fe0d179 100644
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -2446,9 +2446,14 @@ static void wacom_wac_pen_event(struct hid_device *hdev, struct hid_field *field
+ wacom_wac->hid_data.barrelswitch3 = value;
+ return;
+ case WACOM_HID_WD_SEQUENCENUMBER:
+- if (wacom_wac->hid_data.sequence_number != value)
+- hid_warn(hdev, "Dropped %hu packets", (unsigned short)(value - wacom_wac->hid_data.sequence_number));
++ if (wacom_wac->hid_data.sequence_number != value) {
++ int sequence_size = field->logical_maximum - field->logical_minimum + 1;
++ int drop_count = (value - wacom_wac->hid_data.sequence_number) % sequence_size;
++ hid_warn(hdev, "Dropped %d packets", drop_count);
++ }
+ wacom_wac->hid_data.sequence_number = value + 1;
++ if (wacom_wac->hid_data.sequence_number > field->logical_maximum)
++ wacom_wac->hid_data.sequence_number = field->logical_minimum;
+ return;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 9694c60172a0a18c17d5d18cb4ae69e35d562f97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Jul 2024 06:41:17 -0700
+Subject: hwmon: (max16065) Fix alarm attributes
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 119abf7d1815f098f7f91ae7abc84324a19943d7 ]
+
+Chips reporting overcurrent alarms report it in the second alarm register.
+That means the second alarm register has to be read, even if the chip only
+supports 8 or fewer ADC channels.
+
+MAX16067 and MAX16068 report undervoltage and overvoltage alarms in
+separate registers. Fold register contents together to report both with
+the existing alarm attribute. This requires actually storing the chip type
+in struct max16065_data. Rename the variable 'chip' to match the variable
+name used in the probe function.
+
+Reviewed-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Fixes: f5bae2642e3d ("hwmon: Driver for MAX16065 System Manager and compatibles")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/max16065.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/max16065.c b/drivers/hwmon/max16065.c
+index 5b2a174c6bad3..0ccb5eb596fc4 100644
+--- a/drivers/hwmon/max16065.c
++++ b/drivers/hwmon/max16065.c
+@@ -79,7 +79,7 @@ static const bool max16065_have_current[] = {
+ };
+
+ struct max16065_data {
+- enum chips type;
++ enum chips chip;
+ struct i2c_client *client;
+ const struct attribute_group *groups[4];
+ struct mutex update_lock;
+@@ -162,10 +162,17 @@ static struct max16065_data *max16065_update_device(struct device *dev)
+ MAX16065_CURR_SENSE);
+ }
+
+- for (i = 0; i < DIV_ROUND_UP(data->num_adc, 8); i++)
++ for (i = 0; i < 2; i++)
+ data->fault[i]
+ = i2c_smbus_read_byte_data(client, MAX16065_FAULT(i));
+
++ /*
++ * MAX16067 and MAX16068 have separate undervoltage and
++ * overvoltage alarm bits. Squash them together.
++ */
++ if (data->chip == max16067 || data->chip == max16068)
++ data->fault[0] |= data->fault[1];
++
+ data->last_updated = jiffies;
+ data->valid = true;
+ }
+@@ -514,6 +521,7 @@ static int max16065_probe(struct i2c_client *client)
+ if (unlikely(!data))
+ return -ENOMEM;
+
++ data->chip = chip;
+ data->client = client;
+ mutex_init(&data->update_lock);
+
+--
+2.43.0
+
--- /dev/null
+From 5756e793f630943952ee821577fc03c7052b7de5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jul 2024 09:52:01 -0700
+Subject: hwmon: (max16065) Fix overflows seen when writing limits
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 744ec4477b11c42e2c8de9eb8364675ae7a0bd81 ]
+
+Writing large limits resulted in overflows as reported by module tests.
+
+in0_lcrit: Suspected overflow: [max=5538, read 0, written 2147483647]
+in0_crit: Suspected overflow: [max=5538, read 0, written 2147483647]
+in0_min: Suspected overflow: [max=5538, read 0, written 2147483647]
+
+Fix the problem by clamping prior to multiplications and the use of
+DIV_ROUND_CLOSEST, and by using consistent variable types.
+
+Reviewed-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Fixes: f5bae2642e3d ("hwmon: Driver for MAX16065 System Manager and compatibles")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/max16065.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/max16065.c b/drivers/hwmon/max16065.c
+index 7ce9a89f93a0d..5b2a174c6bad3 100644
+--- a/drivers/hwmon/max16065.c
++++ b/drivers/hwmon/max16065.c
+@@ -114,9 +114,10 @@ static inline int LIMIT_TO_MV(int limit, int range)
+ return limit * range / 256;
+ }
+
+-static inline int MV_TO_LIMIT(int mv, int range)
++static inline int MV_TO_LIMIT(unsigned long mv, int range)
+ {
+- return clamp_val(DIV_ROUND_CLOSEST(mv * 256, range), 0, 255);
++ mv = clamp_val(mv, 0, ULONG_MAX / 256);
++ return DIV_ROUND_CLOSEST(clamp_val(mv * 256, 0, range * 255), range);
+ }
+
+ static inline int ADC_TO_CURR(int adc, int gain)
+--
+2.43.0
+
--- /dev/null
+From 8e117436a9708b2238a3ff4ad5f6a3c120fac023 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Aug 2024 08:30:21 +0000
+Subject: hwmon: (ntc_thermistor) fix module autoloading
+
+From: Yuntao Liu <liuyuntao12@huawei.com>
+
+[ Upstream commit b6964d66a07a9003868e428a956949e17ab44d7e ]
+
+Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded
+based on the alias from of_device_id table.
+
+Fixes: 9e8269de100d ("hwmon: (ntc_thermistor) Add DT with IIO support to NTC thermistor driver")
+Signed-off-by: Yuntao Liu <liuyuntao12@huawei.com>
+Message-ID: <20240815083021.756134-1-liuyuntao12@huawei.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/ntc_thermistor.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hwmon/ntc_thermistor.c b/drivers/hwmon/ntc_thermistor.c
+index ef75b63f5894e..b5352900463fb 100644
+--- a/drivers/hwmon/ntc_thermistor.c
++++ b/drivers/hwmon/ntc_thermistor.c
+@@ -62,6 +62,7 @@ static const struct platform_device_id ntc_thermistor_id[] = {
+ [NTC_SSG1404001221] = { "ssg1404_001221", TYPE_NCPXXWB473 },
+ [NTC_LAST] = { },
+ };
++MODULE_DEVICE_TABLE(platform, ntc_thermistor_id);
+
+ /*
+ * A compensation table should be sorted by the values of .ohm
+--
+2.43.0
+
--- /dev/null
+From ff241806a423f8c3ca0e579e9ff9b015bbd18bf0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 13:36:40 +0200
+Subject: hwrng: cn10k - Enable by default CN10K driver if Thunder SoC is
+ enabled
+
+From: Francesco Dolcini <francesco.dolcini@toradex.com>
+
+[ Upstream commit 9d3a7ff2ce1781a77ad6f8896e1256875c17631e ]
+
+Before commit addea5858b66 ("hwrng: Kconfig - Do not enable by default
+CN10K driver") the Marvell CN10K Random Number Generator was always
+enabled when HW_RANDOM was enabled.
+
+This was changed with that commit to prevent having this driver being
+always enabled on arm64. To prevent introducing regression with some old
+defconfig enable the driver when ARCH_THUNDER is enabled.
+
+Fixes: addea5858b66 ("hwrng: Kconfig - Do not enable by default CN10K driver")
+Closes: https://lore.kernel.org/all/SN7PR18MB53144B37B82ADEEC5D35AE0CE3AC2@SN7PR18MB5314.namprd18.prod.outlook.com/
+Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/char/hw_random/Kconfig b/drivers/char/hw_random/Kconfig
+index 01e2e1ef82cf9..ae5f3a01f5542 100644
+--- a/drivers/char/hw_random/Kconfig
++++ b/drivers/char/hw_random/Kconfig
+@@ -555,6 +555,7 @@ config HW_RANDOM_ARM_SMCCC_TRNG
+ config HW_RANDOM_CN10K
+ tristate "Marvell CN10K Random Number Generator support"
+ depends on HW_RANDOM && PCI && (ARM64 || (64BIT && COMPILE_TEST))
++ default HW_RANDOM if ARCH_THUNDER
+ help
+ This driver provides support for the True Random Number
+ generator available in Marvell CN10K SoCs.
+--
+2.43.0
+
--- /dev/null
+From 8e76bac3a78b9e4a496efd8ca30318974cfe6ed0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 13:36:33 +0300
+Subject: IB/core: Fix ib_cache_setup_one error flow cleanup
+
+From: Patrisious Haddad <phaddad@nvidia.com>
+
+[ Upstream commit 1403c8b14765eab805377dd3b75e96ace8747aed ]
+
+When ib_cache_update return an error, we exit ib_cache_setup_one
+instantly with no proper cleanup, even though before this we had
+already successfully done gid_table_setup_one, that results in
+the kernel WARN below.
+
+Do proper cleanup using gid_table_cleanup_one before returning
+the err in order to fix the issue.
+
+WARNING: CPU: 4 PID: 922 at drivers/infiniband/core/cache.c:806 gid_table_release_one+0x181/0x1a0
+Modules linked in:
+CPU: 4 UID: 0 PID: 922 Comm: c_repro Not tainted 6.11.0-rc1+ #3
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+RIP: 0010:gid_table_release_one+0x181/0x1a0
+Code: 44 8b 38 75 0c e8 2f cb 34 ff 4d 8b b5 28 05 00 00 e8 23 cb 34 ff 44 89 f9 89 da 4c 89 f6 48 c7 c7 d0 58 14 83 e8 4f de 21 ff <0f> 0b 4c 8b 75 30 e9 54 ff ff ff 48 8 3 c4 10 5b 5d 41 5c 41 5d 41
+RSP: 0018:ffffc90002b835b0 EFLAGS: 00010286
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c8527
+RDX: 0000000000000000 RSI: ffffffff811c8534 RDI: 0000000000000001
+RBP: ffff8881011b3d00 R08: ffff88810b3abe00 R09: 205d303839303631
+R10: 666572207972746e R11: 72746e6520444947 R12: 0000000000000001
+R13: ffff888106390000 R14: ffff8881011f2110 R15: 0000000000000001
+FS: 00007fecc3b70800(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020000340 CR3: 000000010435a001 CR4: 00000000003706b0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ ? show_regs+0x94/0xa0
+ ? __warn+0x9e/0x1c0
+ ? gid_table_release_one+0x181/0x1a0
+ ? report_bug+0x1f9/0x340
+ ? gid_table_release_one+0x181/0x1a0
+ ? handle_bug+0xa2/0x110
+ ? exc_invalid_op+0x31/0xa0
+ ? asm_exc_invalid_op+0x16/0x20
+ ? __warn_printk+0xc7/0x180
+ ? __warn_printk+0xd4/0x180
+ ? gid_table_release_one+0x181/0x1a0
+ ib_device_release+0x71/0xe0
+ ? __pfx_ib_device_release+0x10/0x10
+ device_release+0x44/0xd0
+ kobject_put+0x135/0x3d0
+ put_device+0x20/0x30
+ rxe_net_add+0x7d/0xa0
+ rxe_newlink+0xd7/0x190
+ nldev_newlink+0x1b0/0x2a0
+ ? __pfx_nldev_newlink+0x10/0x10
+ rdma_nl_rcv_msg+0x1ad/0x2e0
+ rdma_nl_rcv_skb.constprop.0+0x176/0x210
+ netlink_unicast+0x2de/0x400
+ netlink_sendmsg+0x306/0x660
+ __sock_sendmsg+0x110/0x120
+ ____sys_sendmsg+0x30e/0x390
+ ___sys_sendmsg+0x9b/0xf0
+ ? kstrtouint+0x6e/0xa0
+ ? kstrtouint_from_user+0x7c/0xb0
+ ? get_pid_task+0xb0/0xd0
+ ? proc_fail_nth_write+0x5b/0x140
+ ? __fget_light+0x9a/0x200
+ ? preempt_count_add+0x47/0xa0
+ __sys_sendmsg+0x61/0xd0
+ do_syscall_64+0x50/0x110
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Fixes: 1901b91f9982 ("IB/core: Fix potential NULL pointer dereference in pkey cache")
+Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
+Reviewed-by: Maher Sanalla <msanalla@nvidia.com>
+Link: https://patch.msgid.link/79137687d829899b0b1c9835fcb4b258004c439a.1725273354.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cache.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c
+index 6791df64a5fe0..b7c078b7f7cfd 100644
+--- a/drivers/infiniband/core/cache.c
++++ b/drivers/infiniband/core/cache.c
+@@ -1640,8 +1640,10 @@ int ib_cache_setup_one(struct ib_device *device)
+
+ rdma_for_each_port (device, p) {
+ err = ib_cache_update(device, p, true, true, true);
+- if (err)
++ if (err) {
++ gid_table_cleanup_one(device);
+ return err;
++ }
+ }
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 2d0cf04ac37a01f51eb177fd6bda14264ed54c71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 13:35:40 +0300
+Subject: IB/mlx5: Fix UMR pd cleanup on error flow of driver init
+
+From: Chris Mi <cmi@nvidia.com>
+
+[ Upstream commit 112e6e83a894260cc7efe79a1fc47d4d51461742 ]
+
+The cited commit moves the pd allocation from function
+mlx5r_umr_resource_cleanup() to a new function mlx5r_umr_cleanup().
+So the fix in commit [1] is broken. In error flow, will hit panic [2].
+
+Fix it by checking pd pointer to avoid panic if it is NULL;
+
+[1] RDMA/mlx5: Fix UMR cleanup on error flow of driver init
+[2]
+ [ 347.567063] infiniband mlx5_0: Couldn't register device with driver model
+ [ 347.591382] BUG: kernel NULL pointer dereference, address: 0000000000000020
+ [ 347.593438] #PF: supervisor read access in kernel mode
+ [ 347.595176] #PF: error_code(0x0000) - not-present page
+ [ 347.596962] PGD 0 P4D 0
+ [ 347.601361] RIP: 0010:ib_dealloc_pd_user+0x12/0xc0 [ib_core]
+ [ 347.604171] RSP: 0018:ffff888106293b10 EFLAGS: 00010282
+ [ 347.604834] RAX: 0000000000000000 RBX: 000000000000000e RCX: 0000000000000000
+ [ 347.605672] RDX: ffff888106293ad0 RSI: 0000000000000000 RDI: 0000000000000000
+ [ 347.606529] RBP: 0000000000000000 R08: ffff888106293ae0 R09: ffff888106293ae0
+ [ 347.607379] R10: 0000000000000a06 R11: 0000000000000000 R12: 0000000000000000
+ [ 347.608224] R13: ffffffffa0704dc0 R14: 0000000000000001 R15: 0000000000000001
+ [ 347.609067] FS: 00007fdc720cd9c0(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000
+ [ 347.610094] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 347.610727] CR2: 0000000000000020 CR3: 0000000103012003 CR4: 0000000000370eb0
+ [ 347.611421] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [ 347.612113] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ [ 347.612804] Call Trace:
+ [ 347.613130] <TASK>
+ [ 347.613417] ? __die+0x20/0x60
+ [ 347.613793] ? page_fault_oops+0x150/0x3e0
+ [ 347.614243] ? free_msg+0x68/0x80 [mlx5_core]
+ [ 347.614840] ? cmd_exec+0x48f/0x11d0 [mlx5_core]
+ [ 347.615359] ? exc_page_fault+0x74/0x130
+ [ 347.615808] ? asm_exc_page_fault+0x22/0x30
+ [ 347.616273] ? ib_dealloc_pd_user+0x12/0xc0 [ib_core]
+ [ 347.616801] mlx5r_umr_cleanup+0x23/0x90 [mlx5_ib]
+ [ 347.617365] mlx5_ib_stage_pre_ib_reg_umr_cleanup+0x36/0x40 [mlx5_ib]
+ [ 347.618025] __mlx5_ib_add+0x96/0xd0 [mlx5_ib]
+ [ 347.618539] mlx5r_probe+0xe9/0x310 [mlx5_ib]
+ [ 347.619032] ? kernfs_add_one+0x107/0x150
+ [ 347.619478] ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib]
+ [ 347.619984] auxiliary_bus_probe+0x3e/0x90
+ [ 347.620448] really_probe+0xc5/0x3a0
+ [ 347.620857] __driver_probe_device+0x80/0x160
+ [ 347.621325] driver_probe_device+0x1e/0x90
+ [ 347.621770] __driver_attach+0xec/0x1c0
+ [ 347.622213] ? __device_attach_driver+0x100/0x100
+ [ 347.622724] bus_for_each_dev+0x71/0xc0
+ [ 347.623151] bus_add_driver+0xed/0x240
+ [ 347.623570] driver_register+0x58/0x100
+ [ 347.623998] __auxiliary_driver_register+0x6a/0xc0
+ [ 347.624499] ? driver_register+0xae/0x100
+ [ 347.624940] ? 0xffffffffa0893000
+ [ 347.625329] mlx5_ib_init+0x16a/0x1e0 [mlx5_ib]
+ [ 347.625845] do_one_initcall+0x4a/0x2a0
+ [ 347.626273] ? gcov_event+0x2e2/0x3a0
+ [ 347.626706] do_init_module+0x8a/0x260
+ [ 347.627126] init_module_from_file+0x8b/0xd0
+ [ 347.627596] __x64_sys_finit_module+0x1ca/0x2f0
+ [ 347.628089] do_syscall_64+0x4c/0x100
+
+Fixes: 638420115cc4 ("IB/mlx5: Create UMR QP just before first reg_mr occurs")
+Signed-off-by: Chris Mi <cmi@nvidia.com>
+Reviewed-by: Jianbo Liu <jianbol@nvidia.com>
+Link: https://patch.msgid.link/778c40c60287992da5d6ec92bb07b67f7bb5e6ef.1725273295.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/umr.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/infiniband/hw/mlx5/umr.c b/drivers/infiniband/hw/mlx5/umr.c
+index ffc31b01f6905..8823ecc84e60e 100644
+--- a/drivers/infiniband/hw/mlx5/umr.c
++++ b/drivers/infiniband/hw/mlx5/umr.c
+@@ -224,6 +224,9 @@ int mlx5r_umr_init(struct mlx5_ib_dev *dev)
+
+ void mlx5r_umr_cleanup(struct mlx5_ib_dev *dev)
+ {
++ if (!dev->umrc.pd)
++ return;
++
+ mutex_destroy(&dev->umrc.init_lock);
+ ib_dealloc_pd(dev->umrc.pd);
+ }
+--
+2.43.0
+
--- /dev/null
+From 31ffcb4f7329c601cd6e065d80e4485a468e9980 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 17:47:48 +0200
+Subject: idpf: enable WB_ON_ITR
+
+From: Joshua Hay <joshua.a.hay@intel.com>
+
+[ Upstream commit 9c4a27da0ecc4080dfcd63903dd94f01ba1399dd ]
+
+Tell hardware to write back completed descriptors even when interrupts
+are disabled. Otherwise, descriptors might not be written back until
+the hardware can flush a full cacheline of descriptors. This can cause
+unnecessary delays when traffic is light (or even trigger Tx queue
+timeout).
+
+The example scenario to reproduce the Tx timeout if the fix is not
+applied:
+ - configure at least 2 Tx queues to be assigned to the same q_vector,
+ - generate a huge Tx traffic on the first Tx queue
+ - try to send a few packets using the second Tx queue.
+In such a case Tx timeout will appear on the second Tx queue because no
+completion descriptors are written back for that queue while interrupts
+are disabled due to NAPI polling.
+
+Fixes: c2d548cad150 ("idpf: add TX splitq napi poll support")
+Fixes: a5ab9ee0df0b ("idpf: add singleq start_xmit and napi poll")
+Signed-off-by: Joshua Hay <joshua.a.hay@intel.com>
+Co-developed-by: Michal Kubiak <michal.kubiak@intel.com>
+Signed-off-by: Michal Kubiak <michal.kubiak@intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Signed-off-by: Alexander Lobakin <aleksander.lobakin@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/idpf/idpf_dev.c | 2 ++
+ .../ethernet/intel/idpf/idpf_singleq_txrx.c | 6 ++++-
+ drivers/net/ethernet/intel/idpf/idpf_txrx.c | 7 ++++-
+ drivers/net/ethernet/intel/idpf/idpf_txrx.h | 27 ++++++++++++++++++-
+ drivers/net/ethernet/intel/idpf/idpf_vf_dev.c | 2 ++
+ 5 files changed, 41 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_dev.c b/drivers/net/ethernet/intel/idpf/idpf_dev.c
+index 3df9935685e96..6c913a703df64 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_dev.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_dev.c
+@@ -97,8 +97,10 @@ static int idpf_intr_reg_init(struct idpf_vport *vport)
+ intr->dyn_ctl = idpf_get_reg_addr(adapter,
+ reg_vals[vec_id].dyn_ctl_reg);
+ intr->dyn_ctl_intena_m = PF_GLINT_DYN_CTL_INTENA_M;
++ intr->dyn_ctl_intena_msk_m = PF_GLINT_DYN_CTL_INTENA_MSK_M;
+ intr->dyn_ctl_itridx_s = PF_GLINT_DYN_CTL_ITR_INDX_S;
+ intr->dyn_ctl_intrvl_s = PF_GLINT_DYN_CTL_INTERVAL_S;
++ intr->dyn_ctl_wb_on_itr_m = PF_GLINT_DYN_CTL_WB_ON_ITR_M;
+
+ spacing = IDPF_ITR_IDX_SPACING(reg_vals[vec_id].itrn_index_spacing,
+ IDPF_PF_ITR_IDX_SPACING);
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c
+index fe64febf7436f..73ed024c5b862 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c
+@@ -1134,8 +1134,10 @@ int idpf_vport_singleq_napi_poll(struct napi_struct *napi, int budget)
+ &work_done);
+
+ /* If work not completed, return budget and polling will return */
+- if (!clean_complete)
++ if (!clean_complete) {
++ idpf_vport_intr_set_wb_on_itr(q_vector);
+ return budget;
++ }
+
+ work_done = min_t(int, work_done, budget - 1);
+
+@@ -1144,6 +1146,8 @@ int idpf_vport_singleq_napi_poll(struct napi_struct *napi, int budget)
+ */
+ if (likely(napi_complete_done(napi, work_done)))
+ idpf_vport_intr_update_itr_ena_irq(q_vector);
++ else
++ idpf_vport_intr_set_wb_on_itr(q_vector);
+
+ return work_done;
+ }
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+index 585c3dadd9bfa..1431e503f76aa 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+@@ -3749,6 +3749,7 @@ void idpf_vport_intr_update_itr_ena_irq(struct idpf_q_vector *q_vector)
+ /* net_dim() updates ITR out-of-band using a work item */
+ idpf_net_dim(q_vector);
+
++ q_vector->wb_on_itr = false;
+ intval = idpf_vport_intr_buildreg_itr(q_vector,
+ IDPF_NO_ITR_UPDATE_IDX, 0);
+
+@@ -4051,8 +4052,10 @@ static int idpf_vport_splitq_napi_poll(struct napi_struct *napi, int budget)
+ clean_complete &= idpf_tx_splitq_clean_all(q_vector, budget, &work_done);
+
+ /* If work not completed, return budget and polling will return */
+- if (!clean_complete)
++ if (!clean_complete) {
++ idpf_vport_intr_set_wb_on_itr(q_vector);
+ return budget;
++ }
+
+ work_done = min_t(int, work_done, budget - 1);
+
+@@ -4061,6 +4064,8 @@ static int idpf_vport_splitq_napi_poll(struct napi_struct *napi, int budget)
+ */
+ if (likely(napi_complete_done(napi, work_done)))
+ idpf_vport_intr_update_itr_ena_irq(q_vector);
++ else
++ idpf_vport_intr_set_wb_on_itr(q_vector);
+
+ /* Switch to poll mode in the tear-down path after sending disable
+ * queues virtchnl message, as the interrupts will be disabled after
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.h b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
+index 6215dbee55465..62a9656e96e85 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.h
++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
+@@ -390,9 +390,11 @@ struct idpf_vec_regs {
+ * struct idpf_intr_reg
+ * @dyn_ctl: Dynamic control interrupt register
+ * @dyn_ctl_intena_m: Mask for dyn_ctl interrupt enable
++ * @dyn_ctl_intena_msk_m: Mask for dyn_ctl interrupt enable mask
+ * @dyn_ctl_itridx_s: Register bit offset for ITR index
+ * @dyn_ctl_itridx_m: Mask for ITR index
+ * @dyn_ctl_intrvl_s: Register bit offset for ITR interval
++ * @dyn_ctl_wb_on_itr_m: Mask for WB on ITR feature
+ * @rx_itr: RX ITR register
+ * @tx_itr: TX ITR register
+ * @icr_ena: Interrupt cause register offset
+@@ -401,9 +403,11 @@ struct idpf_vec_regs {
+ struct idpf_intr_reg {
+ void __iomem *dyn_ctl;
+ u32 dyn_ctl_intena_m;
++ u32 dyn_ctl_intena_msk_m;
+ u32 dyn_ctl_itridx_s;
+ u32 dyn_ctl_itridx_m;
+ u32 dyn_ctl_intrvl_s;
++ u32 dyn_ctl_wb_on_itr_m;
+ void __iomem *rx_itr;
+ void __iomem *tx_itr;
+ void __iomem *icr_ena;
+@@ -424,6 +428,7 @@ struct idpf_intr_reg {
+ * @intr_reg: See struct idpf_intr_reg
+ * @napi: napi handler
+ * @total_events: Number of interrupts processed
++ * @wb_on_itr: whether WB on ITR is enabled
+ * @tx_dim: Data for TX net_dim algorithm
+ * @tx_itr_value: TX interrupt throttling rate
+ * @tx_intr_mode: Dynamic ITR or not
+@@ -454,6 +459,7 @@ struct idpf_q_vector {
+ __cacheline_group_begin_aligned(read_write);
+ struct napi_struct napi;
+ u16 total_events;
++ bool wb_on_itr;
+
+ struct dim tx_dim;
+ u16 tx_itr_value;
+@@ -472,7 +478,7 @@ struct idpf_q_vector {
+ cpumask_var_t affinity_mask;
+ __cacheline_group_end_aligned(cold);
+ };
+-libeth_cacheline_set_assert(struct idpf_q_vector, 104,
++libeth_cacheline_set_assert(struct idpf_q_vector, 112,
+ 424 + 2 * sizeof(struct dim),
+ 8 + sizeof(cpumask_var_t));
+
+@@ -1033,6 +1039,25 @@ static inline void idpf_tx_splitq_build_desc(union idpf_tx_flex_desc *desc,
+ idpf_tx_splitq_build_flow_desc(desc, params, td_cmd, size);
+ }
+
++/**
++ * idpf_vport_intr_set_wb_on_itr - enable descriptor writeback on disabled interrupts
++ * @q_vector: pointer to queue vector struct
++ */
++static inline void idpf_vport_intr_set_wb_on_itr(struct idpf_q_vector *q_vector)
++{
++ struct idpf_intr_reg *reg;
++
++ if (q_vector->wb_on_itr)
++ return;
++
++ q_vector->wb_on_itr = true;
++ reg = &q_vector->intr_reg;
++
++ writel(reg->dyn_ctl_wb_on_itr_m | reg->dyn_ctl_intena_msk_m |
++ (IDPF_NO_ITR_UPDATE_IDX << reg->dyn_ctl_itridx_s),
++ reg->dyn_ctl);
++}
++
+ int idpf_vport_singleq_napi_poll(struct napi_struct *napi, int budget);
+ void idpf_vport_init_num_qs(struct idpf_vport *vport,
+ struct virtchnl2_create_vport *vport_msg);
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_vf_dev.c b/drivers/net/ethernet/intel/idpf/idpf_vf_dev.c
+index 629cb5cb7c9fc..99b8dbaf4225c 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_vf_dev.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_vf_dev.c
+@@ -97,7 +97,9 @@ static int idpf_vf_intr_reg_init(struct idpf_vport *vport)
+ intr->dyn_ctl = idpf_get_reg_addr(adapter,
+ reg_vals[vec_id].dyn_ctl_reg);
+ intr->dyn_ctl_intena_m = VF_INT_DYN_CTLN_INTENA_M;
++ intr->dyn_ctl_intena_msk_m = VF_INT_DYN_CTLN_INTENA_MSK_M;
+ intr->dyn_ctl_itridx_s = VF_INT_DYN_CTLN_ITR_INDX_S;
++ intr->dyn_ctl_wb_on_itr_m = VF_INT_DYN_CTLN_WB_ON_ITR_M;
+
+ spacing = IDPF_ITR_IDX_SPACING(reg_vals[vec_id].itrn_index_spacing,
+ IDPF_VF_ITR_IDX_SPACING);
+--
+2.43.0
+
--- /dev/null
+From 431e516df9b87ef3458f76e07a6632f6ba1f0b89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 17:34:10 +0000
+Subject: iio: adc: ad7606: fix oversampling gpio array
+
+From: Guillaume Stols <gstols@baylibre.com>
+
+[ Upstream commit 8dc4594b54dbaaba40dc8884ad3d42083de39434 ]
+
+gpiod_set_array_value was misused here: the implementation relied on the
+assumption that an unsigned long was required for each gpio, while the
+function expects a bit array stored in "as much unsigned long as needed
+for storing one bit per GPIO", i.e it is using a bit field.
+
+This leaded to incorrect parameter passed to gpiod_set_array_value, that
+would set 1 value instead of 3.
+It also prevents to select the software mode correctly for the AD7606B.
+
+Fixes: d2a415c86c6b ("iio: adc: ad7606: Add support for AD7606B ADC")
+Fixes: 41f71e5e7daf ("staging: iio: adc: ad7606: Use find_closest() macro")
+Signed-off-by: Guillaume Stols <gstols@baylibre.com>
+Reviewed-by: Nuno Sa <nuno.sa@analog.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/ad7606.c | 4 ++--
+ drivers/iio/adc/ad7606_spi.c | 5 +++--
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/iio/adc/ad7606.c b/drivers/iio/adc/ad7606.c
+index c321c6ef48df4..a123a9e35b33f 100644
+--- a/drivers/iio/adc/ad7606.c
++++ b/drivers/iio/adc/ad7606.c
+@@ -212,9 +212,9 @@ static int ad7606_write_os_hw(struct iio_dev *indio_dev, int val)
+ struct ad7606_state *st = iio_priv(indio_dev);
+ DECLARE_BITMAP(values, 3);
+
+- values[0] = val;
++ values[0] = val & GENMASK(2, 0);
+
+- gpiod_set_array_value(ARRAY_SIZE(values), st->gpio_os->desc,
++ gpiod_set_array_value(st->gpio_os->ndescs, st->gpio_os->desc,
+ st->gpio_os->info, values);
+
+ /* AD7616 requires a reset to update value */
+diff --git a/drivers/iio/adc/ad7606_spi.c b/drivers/iio/adc/ad7606_spi.c
+index 263a778bcf253..287a0591533b6 100644
+--- a/drivers/iio/adc/ad7606_spi.c
++++ b/drivers/iio/adc/ad7606_spi.c
+@@ -249,8 +249,9 @@ static int ad7616_sw_mode_config(struct iio_dev *indio_dev)
+ static int ad7606B_sw_mode_config(struct iio_dev *indio_dev)
+ {
+ struct ad7606_state *st = iio_priv(indio_dev);
+- unsigned long os[3] = {1};
++ DECLARE_BITMAP(os, 3);
+
++ bitmap_fill(os, 3);
+ /*
+ * Software mode is enabled when all three oversampling
+ * pins are set to high. If oversampling gpios are defined
+@@ -258,7 +259,7 @@ static int ad7606B_sw_mode_config(struct iio_dev *indio_dev)
+ * otherwise, they must be hardwired to VDD
+ */
+ if (st->gpio_os) {
+- gpiod_set_array_value(ARRAY_SIZE(os),
++ gpiod_set_array_value(st->gpio_os->ndescs,
+ st->gpio_os->desc, st->gpio_os->info, os);
+ }
+ /* OS of 128 and 256 are available only in software mode */
+--
+2.43.0
+
--- /dev/null
+From 7ec35735bbb3a8ce5b606debac4c266ad45e49c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 17:34:11 +0000
+Subject: iio: adc: ad7606: fix standby gpio state to match the documentation
+
+From: Guillaume Stols <gstols@baylibre.com>
+
+[ Upstream commit 059fe4f8bbdf5cad212e1aeeb3e8968c80b9ff3b ]
+
+The binding's documentation specifies that "As the line is active low, it
+should be marked GPIO_ACTIVE_LOW". However, in the driver, it was handled
+the opposite way. This commit sets the driver's behaviour in sync with the
+documentation
+
+Fixes: 722407a4e8c0 ("staging:iio:ad7606: Use GPIO descriptor API")
+Signed-off-by: Guillaume Stols <gstols@baylibre.com>
+Reviewed-by: Nuno Sa <nuno.sa@analog.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/ad7606.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/adc/ad7606.c b/drivers/iio/adc/ad7606.c
+index a123a9e35b33f..8f9ee56c8bed2 100644
+--- a/drivers/iio/adc/ad7606.c
++++ b/drivers/iio/adc/ad7606.c
+@@ -419,7 +419,7 @@ static int ad7606_request_gpios(struct ad7606_state *st)
+ return PTR_ERR(st->gpio_range);
+
+ st->gpio_standby = devm_gpiod_get_optional(dev, "standby",
+- GPIOD_OUT_HIGH);
++ GPIOD_OUT_LOW);
+ if (IS_ERR(st->gpio_standby))
+ return PTR_ERR(st->gpio_standby);
+
+@@ -662,7 +662,7 @@ static int ad7606_suspend(struct device *dev)
+
+ if (st->gpio_standby) {
+ gpiod_set_value(st->gpio_range, 1);
+- gpiod_set_value(st->gpio_standby, 0);
++ gpiod_set_value(st->gpio_standby, 1);
+ }
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 65918dff230af5ee41fb6dd6864ce91ca624ea08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Jun 2024 01:38:12 +0200
+Subject: iio: chemical: bme680: Fix read/write ops to device by adding mutexes
+
+From: Vasileios Amoiridis <vassilisamir@gmail.com>
+
+[ Upstream commit 77641e5a477d428335cd094b88ac54e09ccb70f4 ]
+
+Add mutexes in the {read/write}_raw() functions of the device to guard the
+read/write of data from/to the device. This is necessary because for any
+operation other than temperature, multiple reads need to take place from
+the device. Even though regmap has a locking by itself, it won't protect us
+from multiple applications trying to read at the same time temperature and
+pressure since the pressure reading includes an internal temperature
+reading and there is nothing to ensure that this temperature+pressure
+reading will happen sequentially without any other operation interfering
+in the meantime.
+
+Fixes: 1b3bd8592780 ("iio: chemical: Add support for Bosch BME680 sensor")
+Signed-off-by: Vasileios Amoiridis <vassilisamir@gmail.com>
+Link: https://patch.msgid.link/20240609233826.330516-2-vassilisamir@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/chemical/bme680_core.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/iio/chemical/bme680_core.c b/drivers/iio/chemical/bme680_core.c
+index 500f56834b01f..a6bf689833dad 100644
+--- a/drivers/iio/chemical/bme680_core.c
++++ b/drivers/iio/chemical/bme680_core.c
+@@ -10,6 +10,7 @@
+ */
+ #include <linux/acpi.h>
+ #include <linux/bitfield.h>
++#include <linux/cleanup.h>
+ #include <linux/delay.h>
+ #include <linux/device.h>
+ #include <linux/module.h>
+@@ -52,6 +53,7 @@ struct bme680_calib {
+ struct bme680_data {
+ struct regmap *regmap;
+ struct bme680_calib bme680;
++ struct mutex lock; /* Protect multiple serial R/W ops to device. */
+ u8 oversampling_temp;
+ u8 oversampling_press;
+ u8 oversampling_humid;
+@@ -827,6 +829,8 @@ static int bme680_read_raw(struct iio_dev *indio_dev,
+ {
+ struct bme680_data *data = iio_priv(indio_dev);
+
++ guard(mutex)(&data->lock);
++
+ switch (mask) {
+ case IIO_CHAN_INFO_PROCESSED:
+ switch (chan->type) {
+@@ -871,6 +875,8 @@ static int bme680_write_raw(struct iio_dev *indio_dev,
+ {
+ struct bme680_data *data = iio_priv(indio_dev);
+
++ guard(mutex)(&data->lock);
++
+ if (val2 != 0)
+ return -EINVAL;
+
+@@ -967,6 +973,7 @@ int bme680_core_probe(struct device *dev, struct regmap *regmap,
+ name = bme680_match_acpi_device(dev);
+
+ data = iio_priv(indio_dev);
++ mutex_init(&data->lock);
+ dev_set_drvdata(dev, indio_dev);
+ data->regmap = regmap;
+ indio_dev->name = name;
+--
+2.43.0
+
--- /dev/null
+From 19f53a94f916666087c373e0c6f78e00dbd192f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2024 07:30:15 +0200
+Subject: iio: magnetometer: ak8975: drop incorrect AK09116 compatible
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit da6e3160df230692bbd48a6d52318035f19595e2 ]
+
+All compatibles in this binding without prefixes were deprecated, so
+adding a new deprecated one after some time is not allowed, because it
+defies the core logic of deprecating things.
+
+Drop the AK09916 vendorless compatible.
+
+Fixes: 76e28aa97fa0 ("iio: magnetometer: ak8975: add AK09116 support")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://patch.msgid.link/20240806053016.6401-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/magnetometer/ak8975.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/iio/magnetometer/ak8975.c b/drivers/iio/magnetometer/ak8975.c
+index dd466c5fa6214..ccbebe5b66cde 100644
+--- a/drivers/iio/magnetometer/ak8975.c
++++ b/drivers/iio/magnetometer/ak8975.c
+@@ -1081,7 +1081,6 @@ static const struct of_device_id ak8975_of_match[] = {
+ { .compatible = "asahi-kasei,ak09912", .data = &ak_def_array[AK09912] },
+ { .compatible = "ak09912", .data = &ak_def_array[AK09912] },
+ { .compatible = "asahi-kasei,ak09916", .data = &ak_def_array[AK09916] },
+- { .compatible = "ak09916", .data = &ak_def_array[AK09916] },
+ {}
+ };
+ MODULE_DEVICE_TABLE(of, ak8975_of_match);
+--
+2.43.0
+
--- /dev/null
+From 7cba9f8bc9a205df74224c5da2b130fbf364ab34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Aug 2024 10:55:11 +0200
+Subject: Input: ilitek_ts_i2c - add report id message validation
+
+From: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+
+[ Upstream commit 208989744a6f01bed86968473312d4e650e600b3 ]
+
+Ensure that the touchscreen response has correct "report id" byte
+before processing the touch data and discard other messages.
+
+Fixes: 42370681bd46 ("Input: Add support for ILITEK Lego Series")
+Signed-off-by: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Link: https://lore.kernel.org/r/20240805085511.43955-3-francesco@dolcini.it
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/touchscreen/ilitek_ts_i2c.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/input/touchscreen/ilitek_ts_i2c.c b/drivers/input/touchscreen/ilitek_ts_i2c.c
+index e1849185e18c7..5a807ad723190 100644
+--- a/drivers/input/touchscreen/ilitek_ts_i2c.c
++++ b/drivers/input/touchscreen/ilitek_ts_i2c.c
+@@ -37,6 +37,8 @@
+ #define ILITEK_TP_CMD_GET_MCU_VER 0x61
+ #define ILITEK_TP_CMD_GET_IC_MODE 0xC0
+
++#define ILITEK_TP_I2C_REPORT_ID 0x48
++
+ #define REPORT_COUNT_ADDRESS 61
+ #define ILITEK_SUPPORT_MAX_POINT 40
+
+@@ -163,6 +165,11 @@ static int ilitek_process_and_report_v6(struct ilitek_ts_data *ts)
+ return error;
+ }
+
++ if (buf[0] != ILITEK_TP_I2C_REPORT_ID) {
++ dev_err(dev, "get touch info failed. Wrong id: 0x%02X\n", buf[0]);
++ return -EINVAL;
++ }
++
+ report_max_point = buf[REPORT_COUNT_ADDRESS];
+ if (report_max_point > ts->max_tp) {
+ dev_err(dev, "FW report max point:%d > panel info. max:%d\n",
+--
+2.43.0
+
--- /dev/null
+From 8f34fd90263232108c1647dc833b6fc7ea43d979 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Aug 2024 10:55:10 +0200
+Subject: Input: ilitek_ts_i2c - avoid wrong input subsystem sync
+
+From: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+
+[ Upstream commit 7d0b18cd5dc7429917812963611d961fd93cb44d ]
+
+For different reasons i2c transaction may fail or report id in the
+message may be wrong. Avoid closing the frame in this case as it will
+result in all contacts being dropped, indicating that nothing is
+touching the screen anymore, while usually it is not the case.
+
+Fixes: 42370681bd46 ("Input: Add support for ILITEK Lego Series")
+Signed-off-by: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Link: https://lore.kernel.org/r/20240805085511.43955-2-francesco@dolcini.it
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/touchscreen/ilitek_ts_i2c.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/input/touchscreen/ilitek_ts_i2c.c b/drivers/input/touchscreen/ilitek_ts_i2c.c
+index 3eb762896345b..e1849185e18c7 100644
+--- a/drivers/input/touchscreen/ilitek_ts_i2c.c
++++ b/drivers/input/touchscreen/ilitek_ts_i2c.c
+@@ -160,15 +160,14 @@ static int ilitek_process_and_report_v6(struct ilitek_ts_data *ts)
+ error = ilitek_i2c_write_and_read(ts, NULL, 0, 0, buf, 64);
+ if (error) {
+ dev_err(dev, "get touch info failed, err:%d\n", error);
+- goto err_sync_frame;
++ return error;
+ }
+
+ report_max_point = buf[REPORT_COUNT_ADDRESS];
+ if (report_max_point > ts->max_tp) {
+ dev_err(dev, "FW report max point:%d > panel info. max:%d\n",
+ report_max_point, ts->max_tp);
+- error = -EINVAL;
+- goto err_sync_frame;
++ return -EINVAL;
+ }
+
+ count = DIV_ROUND_UP(report_max_point, packet_max_point);
+@@ -178,7 +177,7 @@ static int ilitek_process_and_report_v6(struct ilitek_ts_data *ts)
+ if (error) {
+ dev_err(dev, "get touch info. failed, cnt:%d, err:%d\n",
+ count, error);
+- goto err_sync_frame;
++ return error;
+ }
+ }
+
+@@ -203,10 +202,10 @@ static int ilitek_process_and_report_v6(struct ilitek_ts_data *ts)
+ ilitek_touch_down(ts, id, x, y);
+ }
+
+-err_sync_frame:
+ input_mt_sync_frame(input);
+ input_sync(input);
+- return error;
++
++ return 0;
+ }
+
+ /* APIs of cmds for ILITEK Touch IC */
+--
+2.43.0
+
--- /dev/null
+From c137195362a652adfbc6a538b78a40b043de6eb0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2024 16:58:47 -0500
+Subject: Input: ims-pcu - fix calling interruptible mutex
+
+From: David Lechner <dlechner@baylibre.com>
+
+[ Upstream commit 82abef590eb31d373e632743262ee7c42f49c289 ]
+
+Fix calling scoped_cond_guard() with mutex instead of mutex_intr.
+
+scoped_cond_guard(mutex, ...) will call mutex_lock() instead of
+mutex_lock_interruptible().
+
+Fixes: 703f12672e1f ("Input: ims-pcu - switch to using cleanup functions")
+Signed-off-by: David Lechner <dlechner@baylibre.com>
+Link: https://lore.kernel.org/r/20240910-input-misc-ims-pcu-fix-mutex-intr-v1-1-bdd983685c43@baylibre.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/misc/ims-pcu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
+index c086dadb45e3a..058f3470b7ae2 100644
+--- a/drivers/input/misc/ims-pcu.c
++++ b/drivers/input/misc/ims-pcu.c
+@@ -1067,7 +1067,7 @@ static ssize_t ims_pcu_attribute_store(struct device *dev,
+ if (data_len > attr->field_length)
+ return -EINVAL;
+
+- scoped_cond_guard(mutex, return -EINTR, &pcu->cmd_mutex) {
++ scoped_cond_guard(mutex_intr, return -EINTR, &pcu->cmd_mutex) {
+ memset(field, 0, attr->field_length);
+ memcpy(field, buf, data_len);
+
+--
+2.43.0
+
--- /dev/null
+From 75a485cc165a2c95eaa503bb082c07b1feb8ab97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 11:30:13 +0800
+Subject: Input: ps2-gpio - use IRQF_NO_AUTOEN flag in request_irq()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit dcd18a3fb1228409dfc24373c5c6868a655810b0 ]
+
+disable_irq() after request_irq() still has a time gap in which
+interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will
+disable IRQ auto-enable when request IRQ.
+
+Fixes: 9ee0a0558819 ("Input: PS/2 gpio bit banging driver for serio bus")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Acked-by: Danilo Krummrich <dakr@kernel.org>
+Link: https://lore.kernel.org/r/20240912033013.2610949-1-ruanjinjie@huawei.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/serio/ps2-gpio.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/input/serio/ps2-gpio.c b/drivers/input/serio/ps2-gpio.c
+index 0c8b390b8b4f8..3a431395c4646 100644
+--- a/drivers/input/serio/ps2-gpio.c
++++ b/drivers/input/serio/ps2-gpio.c
+@@ -429,16 +429,14 @@ static int ps2_gpio_probe(struct platform_device *pdev)
+ }
+
+ error = devm_request_irq(dev, drvdata->irq, ps2_gpio_irq,
+- IRQF_NO_THREAD, DRIVER_NAME, drvdata);
++ IRQF_NO_THREAD | IRQF_NO_AUTOEN, DRIVER_NAME,
++ drvdata);
+ if (error) {
+ dev_err(dev, "failed to request irq %d: %d\n",
+ drvdata->irq, error);
+ goto err_free_serio;
+ }
+
+- /* Keep irq disabled until serio->open is called. */
+- disable_irq(drvdata->irq);
+-
+ serio->id.type = SERIO_8042;
+ serio->open = ps2_gpio_open;
+ serio->close = ps2_gpio_close;
+--
+2.43.0
+
--- /dev/null
+From 407ae6ebd4178a3df378f7d4e94690b735ad08d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jul 2024 14:48:23 -0700
+Subject: interconnect: icc-clk: Add missed num_nodes initialization
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit c801ed86840ec38b2a9bcafeee3d7c9e14c743f3 ]
+
+With the new __counted_by annotation, the "num_nodes" struct member must
+be set before accessing the "nodes" array. This initialization was done
+in other places where a new struct icc_onecell_data is allocated, but this
+case in icc_clk_register() was missed. Set "num_nodes" after allocation.
+
+Fixes: dd4904f3b924 ("interconnect: qcom: Annotate struct icc_onecell_data with __counted_by")
+Signed-off-by: Kees Cook <kees@kernel.org>
+Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Link: https://lore.kernel.org/r/20240716214819.work.328-kees@kernel.org
+Signed-off-by: Georgi Djakov <djakov@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/interconnect/icc-clk.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/interconnect/icc-clk.c b/drivers/interconnect/icc-clk.c
+index f788db15cd76a..b956e4050f381 100644
+--- a/drivers/interconnect/icc-clk.c
++++ b/drivers/interconnect/icc-clk.c
+@@ -87,6 +87,7 @@ struct icc_provider *icc_clk_register(struct device *dev,
+ onecell = devm_kzalloc(dev, struct_size(onecell, nodes, 2 * num_clocks), GFP_KERNEL);
+ if (!onecell)
+ return ERR_PTR(-ENOMEM);
++ onecell->num_nodes = 2 * num_clocks;
+
+ qp = devm_kzalloc(dev, struct_size(qp, clocks, num_clocks), GFP_KERNEL);
+ if (!qp)
+@@ -133,8 +134,6 @@ struct icc_provider *icc_clk_register(struct device *dev,
+ onecell->nodes[j++] = node;
+ }
+
+- onecell->num_nodes = j;
+-
+ ret = icc_provider_register(provider);
+ if (ret)
+ goto err;
+--
+2.43.0
+
--- /dev/null
+From e7d498b11723cd706d7c075ca8095e769682f3e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Aug 2024 08:40:12 +0300
+Subject: interconnect: qcom: sm8250: Enable sync_state
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit d3681b30214eb5885092ce4586f07237dc3c522f ]
+
+Enable the generic icc sync_state callback to ensure interconnect votes
+are actually taken into account, instead of being forced to the maximum
+value.
+
+Fixes: b95b668eaaa2 ("interconnect: qcom: icc-rpmh: Add BCMs to commit list in pre_aggregate")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20240804-sm8350-fixes-v1-8-1149dd8399fe@linaro.org
+Signed-off-by: Georgi Djakov <djakov@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/interconnect/qcom/sm8350.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/interconnect/qcom/sm8350.c b/drivers/interconnect/qcom/sm8350.c
+index b321c3009acba..885a9d3f92e4d 100644
+--- a/drivers/interconnect/qcom/sm8350.c
++++ b/drivers/interconnect/qcom/sm8350.c
+@@ -1965,6 +1965,7 @@ static struct platform_driver qnoc_driver = {
+ .driver = {
+ .name = "qnoc-sm8350",
+ .of_match_table = qnoc_of_match,
++ .sync_state = icc_sync_state,
+ },
+ };
+ module_platform_driver(qnoc_driver);
+--
+2.43.0
+
--- /dev/null
+From d840b88d94f61d9a8ad9584845dd77e5adecf405 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2024 19:11:56 +0200
+Subject: io_uring/io-wq: do not allow pinning outside of cpuset
+
+From: Felix Moessbauer <felix.moessbauer@siemens.com>
+
+[ Upstream commit 0997aa5497c714edbb349ca366d28bd550ba3408 ]
+
+The io worker threads are userland threads that just never exit to the
+userland. By that, they are also assigned to a cgroup (the group of the
+creating task).
+
+When changing the affinity of the io_wq thread via syscall, we must only
+allow cpumasks within the limits defined by the cpuset controller of the
+cgroup (if enabled).
+
+Fixes: da64d6db3bd3 ("io_uring: One wqe per wq")
+Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
+Link: https://lore.kernel.org/r/20240910171157.166423-2-felix.moessbauer@siemens.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ io_uring/io-wq.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c
+index f1e7c670add85..c7055a8895d7e 100644
+--- a/io_uring/io-wq.c
++++ b/io_uring/io-wq.c
+@@ -13,6 +13,7 @@
+ #include <linux/slab.h>
+ #include <linux/rculist_nulls.h>
+ #include <linux/cpu.h>
++#include <linux/cpuset.h>
+ #include <linux/task_work.h>
+ #include <linux/audit.h>
+ #include <linux/mmu_context.h>
+@@ -1322,17 +1323,29 @@ static int io_wq_cpu_offline(unsigned int cpu, struct hlist_node *node)
+
+ int io_wq_cpu_affinity(struct io_uring_task *tctx, cpumask_var_t mask)
+ {
++ cpumask_var_t allowed_mask;
++ int ret = 0;
++
+ if (!tctx || !tctx->io_wq)
+ return -EINVAL;
+
++ if (!alloc_cpumask_var(&allowed_mask, GFP_KERNEL))
++ return -ENOMEM;
++
+ rcu_read_lock();
+- if (mask)
+- cpumask_copy(tctx->io_wq->cpu_mask, mask);
+- else
+- cpumask_copy(tctx->io_wq->cpu_mask, cpu_possible_mask);
++ cpuset_cpus_allowed(tctx->io_wq->task, allowed_mask);
++ if (mask) {
++ if (cpumask_subset(mask, allowed_mask))
++ cpumask_copy(tctx->io_wq->cpu_mask, mask);
++ else
++ ret = -EINVAL;
++ } else {
++ cpumask_copy(tctx->io_wq->cpu_mask, allowed_mask);
++ }
+ rcu_read_unlock();
+
+- return 0;
++ free_cpumask_var(allowed_mask);
++ return ret;
+ }
+
+ /*
+--
+2.43.0
+
--- /dev/null
+From cb5ed1e06d6fbe79c4b86850413a87b8d18f093d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2024 19:11:57 +0200
+Subject: io_uring/io-wq: inherit cpuset of cgroup in io worker
+
+From: Felix Moessbauer <felix.moessbauer@siemens.com>
+
+[ Upstream commit 84eacf177faa605853c58e5b1c0d9544b88c16fd ]
+
+The io worker threads are userland threads that just never exit to the
+userland. By that, they are also assigned to a cgroup (the group of the
+creating task).
+
+When creating a new io worker, this worker should inherit the cpuset
+of the cgroup.
+
+Fixes: da64d6db3bd3 ("io_uring: One wqe per wq")
+Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
+Link: https://lore.kernel.org/r/20240910171157.166423-3-felix.moessbauer@siemens.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ io_uring/io-wq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c
+index c7055a8895d7e..a38f36b680604 100644
+--- a/io_uring/io-wq.c
++++ b/io_uring/io-wq.c
+@@ -1168,7 +1168,7 @@ struct io_wq *io_wq_create(unsigned bounded, struct io_wq_data *data)
+
+ if (!alloc_cpumask_var(&wq->cpu_mask, GFP_KERNEL))
+ goto err;
+- cpumask_copy(wq->cpu_mask, cpu_possible_mask);
++ cpuset_cpus_allowed(data->task, wq->cpu_mask);
+ wq->acct[IO_WQ_ACCT_BOUND].max_workers = bounded;
+ wq->acct[IO_WQ_ACCT_UNBOUND].max_workers =
+ task_rlimit(current, RLIMIT_NPROC);
+--
+2.43.0
+
--- /dev/null
+From 93dff458c89b63e1c677ea6a55668609c6d4a675 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 21:06:11 -0300
+Subject: iommu/amd: Allocate the page table root using GFP_KERNEL
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit b0a6c883bcd42eeb0850135e529b34b64d57673c ]
+
+Domain allocation is always done under a sleepable context, the v1 path
+and other drivers use GFP_KERNEL already. Fix the v2 path to also use
+GFP_KERNEL.
+
+Fixes: 0d571dcbe7c6 ("iommu/amd: Allocate page table using numa locality info")
+Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://lore.kernel.org/r/2-v2-831cdc4d00f3+1a315-amd_iopgtbl_jgg@nvidia.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/io_pgtable_v2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/amd/io_pgtable_v2.c b/drivers/iommu/amd/io_pgtable_v2.c
+index 664e91c88748e..6088822180e1e 100644
+--- a/drivers/iommu/amd/io_pgtable_v2.c
++++ b/drivers/iommu/amd/io_pgtable_v2.c
+@@ -362,7 +362,7 @@ static struct io_pgtable *v2_alloc_pgtable(struct io_pgtable_cfg *cfg, void *coo
+ struct protection_domain *pdom = (struct protection_domain *)cookie;
+ int ias = IOMMU_IN_ADDR_BIT_SIZE;
+
+- pgtable->pgd = iommu_alloc_page_node(pdom->nid, GFP_ATOMIC);
++ pgtable->pgd = iommu_alloc_page_node(pdom->nid, GFP_KERNEL);
+ if (!pgtable->pgd)
+ return NULL;
+
+--
+2.43.0
+
--- /dev/null
+From 3c2167439bdef7e731bcaeed703195620b765f05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 21:06:23 -0300
+Subject: iommu/amd: Do not set the D bit on AMD v2 table entries
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 2910a7fa1be090fc7637cef0b2e70bcd15bf5469 ]
+
+The manual says that bit 6 is IGN for all Page-Table Base Address
+pointers, don't set it.
+
+Fixes: aaac38f61487 ("iommu/amd: Initial support for AMD IOMMU v2 page table")
+Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://lore.kernel.org/r/14-v2-831cdc4d00f3+1a315-amd_iopgtbl_jgg@nvidia.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/io_pgtable_v2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/amd/io_pgtable_v2.c b/drivers/iommu/amd/io_pgtable_v2.c
+index 6088822180e1e..f9227cbf75dfe 100644
+--- a/drivers/iommu/amd/io_pgtable_v2.c
++++ b/drivers/iommu/amd/io_pgtable_v2.c
+@@ -51,7 +51,7 @@ static inline u64 set_pgtable_attr(u64 *page)
+ u64 prot;
+
+ prot = IOMMU_PAGE_PRESENT | IOMMU_PAGE_RW | IOMMU_PAGE_USER;
+- prot |= IOMMU_PAGE_ACCESS | IOMMU_PAGE_DIRTY;
++ prot |= IOMMU_PAGE_ACCESS;
+
+ return (iommu_virt_to_phys(page) | prot);
+ }
+--
+2.43.0
+
--- /dev/null
+From 0d7e9d498e34c0e0336e0f12799f45d0f775296e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Aug 2024 11:10:25 +0000
+Subject: iommu/amd: Handle error path in amd_iommu_probe_device()
+
+From: Vasant Hegde <vasant.hegde@amd.com>
+
+[ Upstream commit 293aa9ec694e633bff83ab93715a2684e15fe214 ]
+
+Do not try to set max_pasids in error path as dev_data is not allocated.
+
+Fixes: a0c47f233e68 ("iommu/amd: Introduce iommu_dev_data.max_pasids")
+Signed-off-by: Vasant Hegde <vasant.hegde@amd.com>
+Reviewed-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Link: https://lore.kernel.org/r/20240828111029.5429-5-vasant.hegde@amd.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/iommu.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
+index b19e8c0f48fa2..fc660d4b10ac8 100644
+--- a/drivers/iommu/amd/iommu.c
++++ b/drivers/iommu/amd/iommu.c
+@@ -2185,11 +2185,12 @@ static struct iommu_device *amd_iommu_probe_device(struct device *dev)
+ dev_err(dev, "Failed to initialize - trying to proceed anyway\n");
+ iommu_dev = ERR_PTR(ret);
+ iommu_ignore_device(iommu, dev);
+- } else {
+- amd_iommu_set_pci_msi_domain(dev, iommu);
+- iommu_dev = &iommu->iommu;
++ goto out_err;
+ }
+
++ amd_iommu_set_pci_msi_domain(dev, iommu);
++ iommu_dev = &iommu->iommu;
++
+ /*
+ * If IOMMU and device supports PASID then it will contain max
+ * supported PASIDs, else it will be zero.
+@@ -2201,6 +2202,7 @@ static struct iommu_device *amd_iommu_probe_device(struct device *dev)
+ pci_max_pasids(to_pci_dev(dev)));
+ }
+
++out_err:
+ iommu_completion_wait(iommu);
+
+ return iommu_dev;
+--
+2.43.0
+
--- /dev/null
+From 70abc45864e102d2cf511448c039bf1f9f6093f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 21:06:10 -0300
+Subject: iommu/amd: Move allocation of the top table into v1_alloc_pgtable
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 8d00b77a52ef4b2091696ca25753d0ab95e4d839 ]
+
+All the page table memory should be allocated/free within the io_pgtable
+struct. The v2 path is already doing this, make it consistent.
+
+It is hard to see but the free of the root in protection_domain_free() is
+a NOP on the success path because v1_free_pgtable() does
+amd_iommu_domain_clr_pt_root().
+
+The root memory is already freed because free_sub_pt() put it on the
+freelist. The free path in protection_domain_free() is only used during
+error unwind of protection_domain_alloc().
+
+Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://lore.kernel.org/r/1-v2-831cdc4d00f3+1a315-amd_iopgtbl_jgg@nvidia.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Stable-dep-of: 7a41dcb52f9d ("iommu/amd: Set the pgsize_bitmap correctly")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/io_pgtable.c | 8 ++++++--
+ drivers/iommu/amd/iommu.c | 21 ++-------------------
+ 2 files changed, 8 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/iommu/amd/io_pgtable.c b/drivers/iommu/amd/io_pgtable.c
+index 1074ee25064d0..05aed3cb46f1b 100644
+--- a/drivers/iommu/amd/io_pgtable.c
++++ b/drivers/iommu/amd/io_pgtable.c
+@@ -574,20 +574,24 @@ static void v1_free_pgtable(struct io_pgtable *iop)
+ pgtable->mode > PAGE_MODE_6_LEVEL);
+
+ free_sub_pt(pgtable->root, pgtable->mode, &freelist);
++ iommu_put_pages_list(&freelist);
+
+ /* Update data structure */
+ amd_iommu_domain_clr_pt_root(dom);
+
+ /* Make changes visible to IOMMUs */
+ amd_iommu_domain_update(dom);
+-
+- iommu_put_pages_list(&freelist);
+ }
+
+ static struct io_pgtable *v1_alloc_pgtable(struct io_pgtable_cfg *cfg, void *cookie)
+ {
+ struct amd_io_pgtable *pgtable = io_pgtable_cfg_to_data(cfg);
+
++ pgtable->root = iommu_alloc_page(GFP_KERNEL);
++ if (!pgtable->root)
++ return NULL;
++ pgtable->mode = PAGE_MODE_3_LEVEL;
++
+ cfg->pgsize_bitmap = AMD_IOMMU_PGSIZES;
+ cfg->ias = IOMMU_IN_ADDR_BIT_SIZE;
+ cfg->oas = IOMMU_OUT_ADDR_BIT_SIZE;
+diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
+index fc660d4b10ac8..edbd4ca1451a8 100644
+--- a/drivers/iommu/amd/iommu.c
++++ b/drivers/iommu/amd/iommu.c
+@@ -52,8 +52,6 @@
+ #define HT_RANGE_START (0xfd00000000ULL)
+ #define HT_RANGE_END (0xffffffffffULL)
+
+-#define DEFAULT_PGTABLE_LEVEL PAGE_MODE_3_LEVEL
+-
+ static DEFINE_SPINLOCK(pd_bitmap_lock);
+
+ LIST_HEAD(ioapic_map);
+@@ -2267,30 +2265,15 @@ void protection_domain_free(struct protection_domain *domain)
+ if (domain->iop.pgtbl_cfg.tlb)
+ free_io_pgtable_ops(&domain->iop.iop.ops);
+
+- if (domain->iop.root)
+- iommu_free_page(domain->iop.root);
+-
+ if (domain->id)
+ domain_id_free(domain->id);
+
+ kfree(domain);
+ }
+
+-static int protection_domain_init_v1(struct protection_domain *domain, int mode)
++static int protection_domain_init_v1(struct protection_domain *domain)
+ {
+- u64 *pt_root = NULL;
+-
+- BUG_ON(mode < PAGE_MODE_NONE || mode > PAGE_MODE_6_LEVEL);
+-
+- if (mode != PAGE_MODE_NONE) {
+- pt_root = iommu_alloc_page(GFP_KERNEL);
+- if (!pt_root)
+- return -ENOMEM;
+- }
+-
+ domain->pd_mode = PD_MODE_V1;
+- amd_iommu_domain_set_pgtable(domain, pt_root, mode);
+-
+ return 0;
+ }
+
+@@ -2343,7 +2326,7 @@ struct protection_domain *protection_domain_alloc(unsigned int type)
+
+ switch (pgtable) {
+ case AMD_IOMMU_V1:
+- ret = protection_domain_init_v1(domain, DEFAULT_PGTABLE_LEVEL);
++ ret = protection_domain_init_v1(domain);
+ break;
+ case AMD_IOMMU_V2:
+ ret = protection_domain_init_v2(domain);
+--
+2.43.0
+
--- /dev/null
+From ce8a6bbad90892f5c9c4190f0fc5fa06cb18db84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 21:06:12 -0300
+Subject: iommu/amd: Set the pgsize_bitmap correctly
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 7a41dcb52f9de6079621fc31c3b84c7fc290934b ]
+
+When using io_pgtable the correct pgsize_bitmap is stored in the cfg, both
+v1_alloc_pgtable() and v2_alloc_pgtable() set it correctly.
+
+This fixes a bug where the v2 pgtable had the wrong pgsize as
+protection_domain_init_v2() would set it and then do_iommu_domain_alloc()
+immediately resets it.
+
+Remove the confusing ops.pgsize_bitmap since that is not used if the
+driver sets domain.pgsize_bitmap.
+
+Fixes: 134288158a41 ("iommu/amd: Add domain_alloc_user based domain allocation")
+Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://lore.kernel.org/r/3-v2-831cdc4d00f3+1a315-amd_iopgtbl_jgg@nvidia.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/iommu.c | 28 ++++------------------------
+ 1 file changed, 4 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
+index edbd4ca1451a8..833637ffae39f 100644
+--- a/drivers/iommu/amd/iommu.c
++++ b/drivers/iommu/amd/iommu.c
+@@ -2271,26 +2271,11 @@ void protection_domain_free(struct protection_domain *domain)
+ kfree(domain);
+ }
+
+-static int protection_domain_init_v1(struct protection_domain *domain)
+-{
+- domain->pd_mode = PD_MODE_V1;
+- return 0;
+-}
+-
+-static int protection_domain_init_v2(struct protection_domain *pdom)
+-{
+- pdom->pd_mode = PD_MODE_V2;
+- pdom->domain.pgsize_bitmap = AMD_IOMMU_PGSIZES_V2;
+-
+- return 0;
+-}
+-
+ struct protection_domain *protection_domain_alloc(unsigned int type)
+ {
+ struct io_pgtable_ops *pgtbl_ops;
+ struct protection_domain *domain;
+ int pgtable;
+- int ret;
+
+ domain = kzalloc(sizeof(*domain), GFP_KERNEL);
+ if (!domain)
+@@ -2326,18 +2311,14 @@ struct protection_domain *protection_domain_alloc(unsigned int type)
+
+ switch (pgtable) {
+ case AMD_IOMMU_V1:
+- ret = protection_domain_init_v1(domain);
++ domain->pd_mode = PD_MODE_V1;
+ break;
+ case AMD_IOMMU_V2:
+- ret = protection_domain_init_v2(domain);
++ domain->pd_mode = PD_MODE_V2;
+ break;
+ default:
+- ret = -EINVAL;
+- break;
+- }
+-
+- if (ret)
+ goto out_err;
++ }
+
+ pgtbl_ops = alloc_io_pgtable_ops(pgtable, &domain->iop.pgtbl_cfg, domain);
+ if (!pgtbl_ops)
+@@ -2390,10 +2371,10 @@ static struct iommu_domain *do_iommu_domain_alloc(unsigned int type,
+ domain->domain.geometry.aperture_start = 0;
+ domain->domain.geometry.aperture_end = dma_max_address();
+ domain->domain.geometry.force_aperture = true;
++ domain->domain.pgsize_bitmap = domain->iop.iop.cfg.pgsize_bitmap;
+
+ if (iommu) {
+ domain->domain.type = type;
+- domain->domain.pgsize_bitmap = iommu->iommu.ops->pgsize_bitmap;
+ domain->domain.ops = iommu->iommu.ops->default_domain_ops;
+
+ if (dirty_tracking)
+@@ -2852,7 +2833,6 @@ const struct iommu_ops amd_iommu_ops = {
+ .device_group = amd_iommu_device_group,
+ .get_resv_regions = amd_iommu_get_resv_regions,
+ .is_attach_deferred = amd_iommu_is_attach_deferred,
+- .pgsize_bitmap = AMD_IOMMU_PGSIZES,
+ .def_domain_type = amd_iommu_def_domain_type,
+ .dev_enable_feat = amd_iommu_dev_enable_feature,
+ .dev_disable_feat = amd_iommu_dev_disable_feature,
+--
+2.43.0
+
--- /dev/null
+From 5d2b859602e8d1d9d15d88bb6d9ab2a1cdb9aa77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Sep 2024 21:48:12 +0300
+Subject: iommu/arm-smmu-qcom: apply num_context_bank fixes for SDM630 / SDM660
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 19eb465c969f3d6ed1b98506d3e470e863b41e16 ]
+
+The Qualcomm SDM630 / SDM660 platform requires the same kind of
+workaround as MSM8998: some IOMMUs have context banks reserved by
+firmware / TZ, touching those banks resets the board.
+
+Apply the num_context_bank workaround to those two SMMU devices in order
+to allow them to be used by Linux.
+
+Fixes: b812834b5329 ("iommu: arm-smmu-qcom: Add sdm630/msm8998 compatibles for qcom quirks")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20240907-sdm660-wifi-v1-1-e316055142f8@linaro.org
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
+index 087fb4f6f4d3d..6372f3e25c4bc 100644
+--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
+@@ -286,8 +286,15 @@ static int qcom_smmu_cfg_probe(struct arm_smmu_device *smmu)
+ * MSM8998 LPASS SMMU reports 13 context banks, but accessing
+ * the last context bank crashes the system.
+ */
+- if (of_device_is_compatible(smmu->dev->of_node, "qcom,msm8998-smmu-v2") && smmu->num_context_banks == 13)
++ if (of_device_is_compatible(smmu->dev->of_node, "qcom,msm8998-smmu-v2") &&
++ smmu->num_context_banks == 13) {
+ smmu->num_context_banks = 12;
++ } else if (of_device_is_compatible(smmu->dev->of_node, "qcom,sdm630-smmu-v2")) {
++ if (smmu->num_context_banks == 21) /* SDM630 / SDM660 A2NOC SMMU */
++ smmu->num_context_banks = 7;
++ else if (smmu->num_context_banks == 14) /* SDM630 / SDM660 LPASS SMMU */
++ smmu->num_context_banks = 13;
++ }
+
+ /*
+ * Some platforms support more than the Arm SMMU architected maximum of
+@@ -350,6 +357,11 @@ static int qcom_adreno_smmuv2_cfg_probe(struct arm_smmu_device *smmu)
+ /* Support for 16K pages is advertised on some SoCs, but it doesn't seem to work */
+ smmu->features &= ~ARM_SMMU_FEAT_FMT_AARCH64_16K;
+
++ /* TZ protects several last context banks, hide them from Linux */
++ if (of_device_is_compatible(smmu->dev->of_node, "qcom,sdm630-smmu-v2") &&
++ smmu->num_context_banks == 5)
++ smmu->num_context_banks = 2;
++
+ return 0;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 319d794f057dddbf667e2f0898a9a7a4448145db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 15:27:19 +0200
+Subject: iommu/arm-smmu-qcom: hide last LPASS SMMU context bank from linux
+
+From: Marc Gonzalez <mgonzalez@freebox.fr>
+
+[ Upstream commit 3a8990b8a778219327c5f8ecf10b5d81377b925a ]
+
+On qcom msm8998, writing to the last context bank of lpass_q6_smmu
+(base address 0x05100000) produces a system freeze & reboot.
+
+The hardware/hypervisor reports 13 context banks for the LPASS SMMU
+on msm8998, but only the first 12 are accessible...
+Override the number of context banks
+
+[ 2.546101] arm-smmu 5100000.iommu: probing hardware configuration...
+[ 2.552439] arm-smmu 5100000.iommu: SMMUv2 with:
+[ 2.558945] arm-smmu 5100000.iommu: stage 1 translation
+[ 2.563627] arm-smmu 5100000.iommu: address translation ops
+[ 2.568923] arm-smmu 5100000.iommu: non-coherent table walk
+[ 2.574566] arm-smmu 5100000.iommu: (IDR0.CTTW overridden by FW configuration)
+[ 2.580220] arm-smmu 5100000.iommu: stream matching with 12 register groups
+[ 2.587263] arm-smmu 5100000.iommu: 13 context banks (0 stage-2 only)
+[ 2.614447] arm-smmu 5100000.iommu: Supported page sizes: 0x63315000
+[ 2.621358] arm-smmu 5100000.iommu: Stage-1: 36-bit VA -> 36-bit IPA
+[ 2.627772] arm-smmu 5100000.iommu: preserved 0 boot mappings
+
+Specifically, the crashes occur here:
+
+ qsmmu->bypass_cbndx = smmu->num_context_banks - 1;
+ arm_smmu_cb_write(smmu, qsmmu->bypass_cbndx, ARM_SMMU_CB_SCTLR, 0);
+
+and here:
+
+ arm_smmu_write_context_bank(smmu, i);
+ arm_smmu_cb_write(smmu, i, ARM_SMMU_CB_FSR, ARM_SMMU_CB_FSR_FAULT);
+
+It is likely that FW reserves the last context bank for its own use,
+thus a simple work-around is: DON'T USE IT in Linux.
+
+If we decrease the number of context banks, last one will be "hidden".
+
+Signed-off-by: Marc Gonzalez <mgonzalez@freebox.fr>
+Reviewed-by: Caleb Connolly <caleb.connolly@linaro.org>
+Reviewed-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20240820-smmu-v3-1-2f71483b00ec@freebox.fr
+Signed-off-by: Will Deacon <will@kernel.org>
+Stable-dep-of: 19eb465c969f ("iommu/arm-smmu-qcom: apply num_context_bank fixes for SDM630 / SDM660")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
+index 36c6b36ad4ff7..b981ff25a983d 100644
+--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
+@@ -282,6 +282,13 @@ static int qcom_smmu_cfg_probe(struct arm_smmu_device *smmu)
+ u32 smr;
+ int i;
+
++ /*
++ * MSM8998 LPASS SMMU reports 13 context banks, but accessing
++ * the last context bank crashes the system.
++ */
++ if (of_device_is_compatible(smmu->dev->of_node, "qcom,msm8998-smmu-v2") && smmu->num_context_banks == 13)
++ smmu->num_context_banks = 12;
++
+ /*
+ * Some platforms support more than the Arm SMMU architected maximum of
+ * 128 stream matching groups. For unknown reasons, the additional
+--
+2.43.0
+
--- /dev/null
+From fff63db8cf962d796c59630799884e054e7dd773 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Aug 2024 01:12:01 +0200
+Subject: iommu/arm-smmu-qcom: Work around SDM845 Adreno SMMU w/ 16K pages
+
+From: Konrad Dybcio <konrad.dybcio@linaro.org>
+
+[ Upstream commit 2d42d3ba443706c9164fa0bef4e5fd1c36bc1bd9 ]
+
+SDM845's Adreno SMMU is unique in that it actually advertizes support
+for 16K (and 32M) pages, which doesn't hold for newer SoCs.
+
+This however, seems either broken in the hardware implementation, the
+hypervisor middleware that abstracts the SMMU, or there's a bug in the
+Linux kernel somewhere down the line that nobody managed to track down.
+
+Booting SDM845 with 16K page sizes and drm/msm results in:
+
+*** gpu fault: ttbr0=0000000000000000 iova=000100000000c000 dir=READ
+type=TRANSLATION source=CP (0,0,0,0)
+
+right after loading the firmware. The GPU then starts spitting out
+illegal intstruction errors, as it's quite obvious that it got a
+bogus pointer.
+
+Moreover, it seems like this issue also concerns other implementations
+of SMMUv2 on Qualcomm SoCs, such as the one on SC7180.
+
+Hide 16K support on such instances to work around this.
+
+Reported-by: Sumit Semwal <sumit.semwal@linaro.org>
+Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Link: https://lore.kernel.org/r/20240824-topic-845_gpu_smmu-v2-1-a302b8acc052@quicinc.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Stable-dep-of: 19eb465c969f ("iommu/arm-smmu-qcom: apply num_context_bank fixes for SDM630 / SDM660")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
+index b981ff25a983d..087fb4f6f4d3d 100644
+--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
+@@ -345,6 +345,14 @@ static int qcom_smmu_cfg_probe(struct arm_smmu_device *smmu)
+ return 0;
+ }
+
++static int qcom_adreno_smmuv2_cfg_probe(struct arm_smmu_device *smmu)
++{
++ /* Support for 16K pages is advertised on some SoCs, but it doesn't seem to work */
++ smmu->features &= ~ARM_SMMU_FEAT_FMT_AARCH64_16K;
++
++ return 0;
++}
++
+ static void qcom_smmu_write_s2cr(struct arm_smmu_device *smmu, int idx)
+ {
+ struct arm_smmu_s2cr *s2cr = smmu->s2crs + idx;
+@@ -443,6 +451,7 @@ static const struct arm_smmu_impl sdm845_smmu_500_impl = {
+
+ static const struct arm_smmu_impl qcom_adreno_smmu_v2_impl = {
+ .init_context = qcom_adreno_smmu_init_context,
++ .cfg_probe = qcom_adreno_smmuv2_cfg_probe,
+ .def_domain_type = qcom_smmu_def_domain_type,
+ .alloc_context_bank = qcom_adreno_smmu_alloc_context_bank,
+ .write_sctlr = qcom_adreno_smmu_write_sctlr,
+--
+2.43.0
+
--- /dev/null
+From 52b80e077402b258e5bf51a26b21b056dba29662 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Aug 2024 10:27:14 -0700
+Subject: iommu/arm-smmu: Un-demote unhandled-fault msg
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit 98db56e4900837e4d5d3892b332dca76c8c9f68a ]
+
+Previously this was dev_err_ratelimited() but it got changed to a
+ratelimited dev_dbg(). Change it back to dev_err().
+
+Fixes: d525b0af0c3b ("iommu/arm-smmu: Pretty-print context fault related regs")
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Reviewed-by: Pranjal Shrivastava <praan@google.com>
+Link: https://lore.kernel.org/r/20240809172716.10275-1-robdclark@gmail.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/arm/arm-smmu/arm-smmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu.c b/drivers/iommu/arm/arm-smmu/arm-smmu.c
+index 723273440c211..8321962b37148 100644
+--- a/drivers/iommu/arm/arm-smmu/arm-smmu.c
++++ b/drivers/iommu/arm/arm-smmu/arm-smmu.c
+@@ -417,7 +417,7 @@ void arm_smmu_read_context_fault_info(struct arm_smmu_device *smmu, int idx,
+ void arm_smmu_print_context_fault_info(struct arm_smmu_device *smmu, int idx,
+ const struct arm_smmu_context_fault_info *cfi)
+ {
+- dev_dbg(smmu->dev,
++ dev_err(smmu->dev,
+ "Unhandled context fault: fsr=0x%x, iova=0x%08lx, fsynr=0x%x, cbfrsynra=0x%x, cb=%d\n",
+ cfi->fsr, cfi->iova, cfi->fsynr, cfi->cbfrsynra, idx);
+
+--
+2.43.0
+
--- /dev/null
+From f6e22d9fd69ec1c9ba4373a7d1a6430d27db12c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Aug 2024 14:25:00 +0300
+Subject: iommu/arm-smmu-v3: Fix a NULL vs IS_ERR() check
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit af048ec9c05178206e845a88bfd3cb2884a43da7 ]
+
+The arm_smmu_domain_alloc() function returns error pointers on error. It
+doesn't return NULL. Update the error checking to match.
+
+Fixes: 52acd7d8a413 ("iommu/arm-smmu-v3: Add support for domain_alloc_user fn")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://lore.kernel.org/r/9208cd0d-8105-40df-93e9-bdcdf0d55eec@stanley.mountain
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
+index ed2b106e02dd1..f490385c13605 100644
+--- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
++++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
+@@ -3062,8 +3062,8 @@ arm_smmu_domain_alloc_user(struct device *dev, u32 flags,
+ return ERR_PTR(-EOPNOTSUPP);
+
+ smmu_domain = arm_smmu_domain_alloc();
+- if (!smmu_domain)
+- return ERR_PTR(-ENOMEM);
++ if (IS_ERR(smmu_domain))
++ return ERR_CAST(smmu_domain);
+
+ smmu_domain->domain.type = IOMMU_DOMAIN_UNMANAGED;
+ smmu_domain->domain.ops = arm_smmu_ops.default_domain_ops;
+--
+2.43.0
+
--- /dev/null
+From fea508ea0331baedcc3997b334acde92678db7f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 10:19:59 -0300
+Subject: iommufd: Check the domain owner of the parent before creating a
+ nesting domain
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 73183ad6ea51029d04b098286dcee98d715015f1 ]
+
+This check was missed, before we can pass a struct iommu_domain to a
+driver callback we need to validate that the domain was created by that
+driver.
+
+Fixes: bd529dbb661d ("iommufd: Add a nested HW pagetable object")
+Link: https://patch.msgid.link/r/0-v1-c8770519edde+1a-iommufd_nesting_ops_jgg@nvidia.com
+Reviewed-by: Nicolin Chen <nicolinc@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/iommufd/hw_pagetable.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/iommufd/hw_pagetable.c b/drivers/iommu/iommufd/hw_pagetable.c
+index aefde4443671e..d06bf6e6c19fd 100644
+--- a/drivers/iommu/iommufd/hw_pagetable.c
++++ b/drivers/iommu/iommufd/hw_pagetable.c
+@@ -225,7 +225,8 @@ iommufd_hwpt_nested_alloc(struct iommufd_ctx *ictx,
+ if ((flags & ~IOMMU_HWPT_FAULT_ID_VALID) ||
+ !user_data->len || !ops->domain_alloc_user)
+ return ERR_PTR(-EOPNOTSUPP);
+- if (parent->auto_domain || !parent->nest_parent)
++ if (parent->auto_domain || !parent->nest_parent ||
++ parent->common.domain->owner != ops)
+ return ERR_PTR(-EINVAL);
+
+ hwpt_nested = __iommufd_object_alloc(
+--
+2.43.0
+
--- /dev/null
+From 48bae00db53a16273b90976fa57b8cf17a24e4b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2024 11:47:09 -0300
+Subject: iommufd/selftest: Fix buffer read overrrun in the dirty test
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 79ea4a496ab5c970a3a793d863ed8893b1af107c ]
+
+test_bit() is used to read the memory storing the bitmap, however
+test_bit() always uses a unsigned long 8 byte access.
+
+If the bitmap is not an aligned size of 64 bits this will now trigger a
+KASAN warning reading past the end of the buffer.
+
+Properly round the buffer allocation to an unsigned long size. Continue to
+copy_from_user() using a byte granularity.
+
+Fixes: 9560393b830b ("iommufd/selftest: Fix iommufd_test_dirty() to handle <u8 bitmaps")
+Link: https://patch.msgid.link/r/0-v1-113e8d9e7861+5ae-iommufd_kasan_jgg@nvidia.com
+Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/iommufd/selftest.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/iommu/iommufd/selftest.c b/drivers/iommu/iommufd/selftest.c
+index 222cfc11ebfd0..4a279b8f02cb7 100644
+--- a/drivers/iommu/iommufd/selftest.c
++++ b/drivers/iommu/iommufd/selftest.c
+@@ -1342,7 +1342,7 @@ static int iommufd_test_dirty(struct iommufd_ucmd *ucmd, unsigned int mockpt_id,
+ unsigned long page_size, void __user *uptr,
+ u32 flags)
+ {
+- unsigned long bitmap_size, i, max;
++ unsigned long i, max;
+ struct iommu_test_cmd *cmd = ucmd->cmd;
+ struct iommufd_hw_pagetable *hwpt;
+ struct mock_iommu_domain *mock;
+@@ -1363,15 +1363,14 @@ static int iommufd_test_dirty(struct iommufd_ucmd *ucmd, unsigned int mockpt_id,
+ }
+
+ max = length / page_size;
+- bitmap_size = DIV_ROUND_UP(max, BITS_PER_BYTE);
+-
+- tmp = kvzalloc(bitmap_size, GFP_KERNEL_ACCOUNT);
++ tmp = kvzalloc(DIV_ROUND_UP(max, BITS_PER_LONG) * sizeof(unsigned long),
++ GFP_KERNEL_ACCOUNT);
+ if (!tmp) {
+ rc = -ENOMEM;
+ goto out_put;
+ }
+
+- if (copy_from_user(tmp, uptr, bitmap_size)) {
++ if (copy_from_user(tmp, uptr,DIV_ROUND_UP(max, BITS_PER_BYTE))) {
+ rc = -EFAULT;
+ goto out_free;
+ }
+--
+2.43.0
+
--- /dev/null
+From 2239b9fc9c053c4a425f6752b93f0b33d498ffd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Sep 2024 11:02:11 +0200
+Subject: ipmi: docs: don't advertise deprecated sysfs entries
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 64dce81f8c373c681e62d5ffe0397c45a35d48a2 ]
+
+"i2c-adapter" class entries are deprecated since 2009. Switch to the
+proper location.
+
+Reported-by: Heiner Kallweit <hkallweit1@gmail.com>
+Closes: https://lore.kernel.org/r/80c4a898-5867-4162-ac85-bdf7c7c68746@gmail.com
+Fixes: 259307074bfc ("ipmi: Add SMBus interface driver (SSIF)")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Message-Id: <20240901090211.3797-2-wsa+renesas@sang-engineering.com>
+Signed-off-by: Corey Minyard <corey@minyard.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/driver-api/ipmi.rst | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Documentation/driver-api/ipmi.rst b/Documentation/driver-api/ipmi.rst
+index e224e47b6b094..dfa021eacd63c 100644
+--- a/Documentation/driver-api/ipmi.rst
++++ b/Documentation/driver-api/ipmi.rst
+@@ -540,7 +540,7 @@ at module load time (for a module) with::
+ alerts_broken
+
+ The addresses are normal I2C addresses. The adapter is the string
+-name of the adapter, as shown in /sys/class/i2c-adapter/i2c-<n>/name.
++name of the adapter, as shown in /sys/bus/i2c/devices/i2c-<n>/name.
+ It is *NOT* i2c-<n> itself. Also, the comparison is done ignoring
+ spaces, so if the name is "This is an I2C chip" you can say
+ adapter_name=ThisisanI2cchip. This is because it's hard to pass in
+--
+2.43.0
+
--- /dev/null
+From 99f872030237d7b77a74c5f966b51686a0dcecb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 08:31:47 +0000
+Subject: ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 04ccecfa959d3b9ae7348780d8e379c6486176ac ]
+
+Blamed commit accidentally removed a check for rt->rt6i_idev being NULL,
+as spotted by syzbot:
+
+Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+CPU: 1 UID: 0 PID: 10998 Comm: syz-executor Not tainted 6.11.0-rc6-syzkaller-00208-g625403177711 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
+ RIP: 0010:rt6_uncached_list_flush_dev net/ipv6/route.c:177 [inline]
+ RIP: 0010:rt6_disable_ip+0x33e/0x7e0 net/ipv6/route.c:4914
+Code: 41 80 3c 04 00 74 0a e8 90 d0 9b f7 48 8b 7c 24 08 48 8b 07 48 89 44 24 10 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 f7 e8 64 d0 9b f7 48 8b 44 24 18 49 39 06
+RSP: 0018:ffffc900047374e0 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 1ffff1100fdf8f33 RCX: dffffc0000000000
+RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88807efc78c0
+RBP: ffffc900047375d0 R08: 0000000000000003 R09: fffff520008e6e8c
+R10: dffffc0000000000 R11: fffff520008e6e8c R12: 1ffff1100fdf8f18
+R13: ffff88807efc7998 R14: 0000000000000000 R15: ffff88807efc7930
+FS: 0000000000000000(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020002a80 CR3: 0000000022f62000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ addrconf_ifdown+0x15d/0x1bd0 net/ipv6/addrconf.c:3856
+ addrconf_notify+0x3cb/0x1020
+ notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93
+ call_netdevice_notifiers_extack net/core/dev.c:2032 [inline]
+ call_netdevice_notifiers net/core/dev.c:2046 [inline]
+ unregister_netdevice_many_notify+0xd81/0x1c40 net/core/dev.c:11352
+ unregister_netdevice_many net/core/dev.c:11414 [inline]
+ unregister_netdevice_queue+0x303/0x370 net/core/dev.c:11289
+ unregister_netdevice include/linux/netdevice.h:3129 [inline]
+ __tun_detach+0x6b9/0x1600 drivers/net/tun.c:685
+ tun_detach drivers/net/tun.c:701 [inline]
+ tun_chr_close+0x108/0x1b0 drivers/net/tun.c:3510
+ __fput+0x24a/0x8a0 fs/file_table.c:422
+ task_work_run+0x24f/0x310 kernel/task_work.c:228
+ exit_task_work include/linux/task_work.h:40 [inline]
+ do_exit+0xa2f/0x27f0 kernel/exit.c:882
+ do_group_exit+0x207/0x2c0 kernel/exit.c:1031
+ __do_sys_exit_group kernel/exit.c:1042 [inline]
+ __se_sys_exit_group kernel/exit.c:1040 [inline]
+ __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040
+ x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f1acc77def9
+Code: Unable to access opcode bytes at 0x7f1acc77decf.
+RSP: 002b:00007ffeb26fa738 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1acc77def9
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000043
+RBP: 00007f1acc7dd508 R08: 00007ffeb26f84d7 R09: 0000000000000003
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
+R13: 0000000000000003 R14: 00000000ffffffff R15: 00007ffeb26fa8e0
+ </TASK>
+Modules linked in:
+---[ end trace 0000000000000000 ]---
+ RIP: 0010:rt6_uncached_list_flush_dev net/ipv6/route.c:177 [inline]
+ RIP: 0010:rt6_disable_ip+0x33e/0x7e0 net/ipv6/route.c:4914
+Code: 41 80 3c 04 00 74 0a e8 90 d0 9b f7 48 8b 7c 24 08 48 8b 07 48 89 44 24 10 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 f7 e8 64 d0 9b f7 48 8b 44 24 18 49 39 06
+RSP: 0018:ffffc900047374e0 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 1ffff1100fdf8f33 RCX: dffffc0000000000
+RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88807efc78c0
+RBP: ffffc900047375d0 R08: 0000000000000003 R09: fffff520008e6e8c
+R10: dffffc0000000000 R11: fffff520008e6e8c R12: 1ffff1100fdf8f18
+R13: ffff88807efc7998 R14: 0000000000000000 R15: ffff88807efc7930
+FS: 0000000000000000(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020002a80 CR3: 0000000022f62000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Fixes: e332bc67cf5e ("ipv6: Don't call with rt6_uncached_list_flush_dev")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://patch.msgid.link/20240913083147.3095442-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 219701caba1e9..b4dcd8f3e7bab 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -174,7 +174,7 @@ static void rt6_uncached_list_flush_dev(struct net_device *dev)
+ struct net_device *rt_dev = rt->dst.dev;
+ bool handled = false;
+
+- if (rt_idev->dev == dev) {
++ if (rt_idev && rt_idev->dev == dev) {
+ rt->rt6i_idev = in6_dev_get(blackhole_netdev);
+ in6_dev_put(rt_idev);
+ handled = true;
+--
+2.43.0
+
--- /dev/null
+From 8ed78b70d62eb4c89bedae809f265ed7d249b1c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Aug 2024 13:05:46 +0900
+Subject: jfs: fix out-of-bounds in dbNextAG() and diAlloc()
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+[ Upstream commit e63866a475562810500ea7f784099bfe341e761a ]
+
+In dbNextAG() , there is no check for the case where bmp->db_numag is
+greater or same than MAXAG due to a polluted image, which causes an
+out-of-bounds. Therefore, a bounds check should be added in dbMount().
+
+And in dbNextAG(), a check for the case where agpref is greater than
+bmp->db_numag should be added, so an out-of-bounds exception should be
+prevented.
+
+Additionally, a check for the case where agno is greater or same than
+MAXAG should be added in diAlloc() to prevent out-of-bounds.
+
+Reported-by: Jeongjun Park <aha310510@gmail.com>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_dmap.c | 4 ++--
+ fs/jfs/jfs_imap.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index 5713994328cbc..0625d1c0d0649 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -187,7 +187,7 @@ int dbMount(struct inode *ipbmap)
+ }
+
+ bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);
+- if (!bmp->db_numag) {
++ if (!bmp->db_numag || bmp->db_numag >= MAXAG) {
+ err = -EINVAL;
+ goto err_release_metapage;
+ }
+@@ -652,7 +652,7 @@ int dbNextAG(struct inode *ipbmap)
+ * average free space.
+ */
+ for (i = 0 ; i < bmp->db_numag; i++, agpref++) {
+- if (agpref == bmp->db_numag)
++ if (agpref >= bmp->db_numag)
+ agpref = 0;
+
+ if (atomic_read(&bmp->db_active[agpref]))
+diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
+index 1407feccbc2d0..a360b24ed320c 100644
+--- a/fs/jfs/jfs_imap.c
++++ b/fs/jfs/jfs_imap.c
+@@ -1360,7 +1360,7 @@ int diAlloc(struct inode *pip, bool dir, struct inode *ip)
+ /* get the ag number of this iag */
+ agno = BLKTOAG(JFS_IP(pip)->agstart, JFS_SBI(pip->i_sb));
+ dn_numag = JFS_SBI(pip->i_sb)->bmap->db_numag;
+- if (agno < 0 || agno > dn_numag)
++ if (agno < 0 || agno > dn_numag || agno >= MAXAG)
+ return -EIO;
+
+ if (atomic_read(&JFS_SBI(pip->i_sb)->bmap->db_active[agno])) {
+--
+2.43.0
+
--- /dev/null
+From 6df55f0246f8e6f595fffdf8fc731399c1df2c30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 18:20:09 +0100
+Subject: kselftest/arm64: Actually test SME vector length changes via
+ sigreturn
+
+From: Mark Brown <broonie@kernel.org>
+
+[ Upstream commit 6f0315330af7a57c1c00587fdfb69c7778bf1c50 ]
+
+The test case for SME vector length changes via sigreturn use a bit too
+much cut'n'paste and only actually changed the SVE vector length in the
+test itself. Andre's recent factoring out of the initialisation code caused
+this to be exposed and the test to start failing. Fix the test to actually
+cover the thing it's supposed to test.
+
+Fixes: 4963aeb35a9e ("kselftest/arm64: signal: Add SME signal handling tests")
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Reviewed-by: Andre Przywara <andre.przywara@arm.com>
+Tested-by: Andre Przywara <andre.przywara@arm.com>
+Link: https://lore.kernel.org/r/20240829-arm64-sme-signal-vl-change-test-v1-1-42d7534cb818@kernel.org
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testcases/fake_sigreturn_sme_change_vl.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sme_change_vl.c b/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sme_change_vl.c
+index cb8c051b5c8f2..dfd6a2badf9fb 100644
+--- a/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sme_change_vl.c
++++ b/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sme_change_vl.c
+@@ -35,30 +35,30 @@ static int fake_sigreturn_ssve_change_vl(struct tdescr *td,
+ {
+ size_t resv_sz, offset;
+ struct _aarch64_ctx *head = GET_SF_RESV_HEAD(sf);
+- struct sve_context *sve;
++ struct za_context *za;
+
+ /* Get a signal context with a SME ZA frame in it */
+ if (!get_current_context(td, &sf.uc, sizeof(sf.uc)))
+ return 1;
+
+ resv_sz = GET_SF_RESV_SIZE(sf);
+- head = get_header(head, SVE_MAGIC, resv_sz, &offset);
++ head = get_header(head, ZA_MAGIC, resv_sz, &offset);
+ if (!head) {
+- fprintf(stderr, "No SVE context\n");
++ fprintf(stderr, "No ZA context\n");
+ return 1;
+ }
+
+- if (head->size != sizeof(struct sve_context)) {
++ if (head->size != sizeof(struct za_context)) {
+ fprintf(stderr, "Register data present, aborting\n");
+ return 1;
+ }
+
+- sve = (struct sve_context *)head;
++ za = (struct za_context *)head;
+
+ /* No changes are supported; init left us at minimum VL so go to max */
+ fprintf(stderr, "Attempting to change VL from %d to %d\n",
+- sve->vl, vls[0]);
+- sve->vl = vls[0];
++ za->vl, vls[0]);
++ za->vl = vls[0];
+
+ fake_sigreturn(&sf, sizeof(sf), 0);
+
+--
+2.43.0
+
--- /dev/null
+From a4ba8139c3af3640ad2aba95183731ff2ae316bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 17:44:01 +0100
+Subject: kselftest/arm64: signal: fix/refactor SVE vector length enumeration
+
+From: Andre Przywara <andre.przywara@arm.com>
+
+[ Upstream commit 5225b6562b9a7dc808d5a1e465aaf5e2ebb220cd ]
+
+Currently a number of SVE/SME related tests have almost identical
+functions to enumerate all supported vector lengths. However over time
+the copy&pasted code has diverged, allowing some bugs to creep in:
+- fake_sigreturn_sme_change_vl reports a failure, not a SKIP if only
+ one vector length is supported (but the SVE version is fine)
+- fake_sigreturn_sme_change_vl tries to set the SVE vector length, not
+ the SME one (but the other SME tests are fine)
+- za_no_regs keeps iterating forever if only one vector length is
+ supported (but za_regs is correct)
+
+Since those bugs seem to be mostly copy&paste ones, let's consolidate
+the enumeration loop into one shared function, and just call that from
+each test. That should fix the above bugs, and prevent similar issues
+from happening again.
+
+Fixes: 4963aeb35a9e ("kselftest/arm64: signal: Add SME signal handling tests")
+Signed-off-by: Andre Przywara <andre.przywara@arm.com>
+Reviewed-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20240821164401.3598545-1-andre.przywara@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/arm64/signal/Makefile | 2 +-
+ .../selftests/arm64/signal/sve_helpers.c | 56 +++++++++++++++++++
+ .../selftests/arm64/signal/sve_helpers.h | 21 +++++++
+ .../testcases/fake_sigreturn_sme_change_vl.c | 32 +++--------
+ .../testcases/fake_sigreturn_sve_change_vl.c | 30 ++--------
+ .../arm64/signal/testcases/ssve_regs.c | 36 +++---------
+ .../arm64/signal/testcases/ssve_za_regs.c | 36 +++---------
+ .../arm64/signal/testcases/sve_regs.c | 32 +++--------
+ .../arm64/signal/testcases/za_no_regs.c | 32 +++--------
+ .../arm64/signal/testcases/za_regs.c | 36 +++---------
+ 10 files changed, 132 insertions(+), 181 deletions(-)
+ create mode 100644 tools/testing/selftests/arm64/signal/sve_helpers.c
+ create mode 100644 tools/testing/selftests/arm64/signal/sve_helpers.h
+
+diff --git a/tools/testing/selftests/arm64/signal/Makefile b/tools/testing/selftests/arm64/signal/Makefile
+index 8f5febaf1a9a2..edb3613513b8a 100644
+--- a/tools/testing/selftests/arm64/signal/Makefile
++++ b/tools/testing/selftests/arm64/signal/Makefile
+@@ -23,7 +23,7 @@ $(TEST_GEN_PROGS): $(PROGS)
+ # Common test-unit targets to build common-layout test-cases executables
+ # Needs secondary expansion to properly include the testcase c-file in pre-reqs
+ COMMON_SOURCES := test_signals.c test_signals_utils.c testcases/testcases.c \
+- signals.S
++ signals.S sve_helpers.c
+ COMMON_HEADERS := test_signals.h test_signals_utils.h testcases/testcases.h
+
+ .SECONDEXPANSION:
+diff --git a/tools/testing/selftests/arm64/signal/sve_helpers.c b/tools/testing/selftests/arm64/signal/sve_helpers.c
+new file mode 100644
+index 0000000000000..0acc121af3062
+--- /dev/null
++++ b/tools/testing/selftests/arm64/signal/sve_helpers.c
+@@ -0,0 +1,56 @@
++// SPDX-License-Identifier: GPL-2.0
++/*
++ * Copyright (C) 2024 ARM Limited
++ *
++ * Common helper functions for SVE and SME functionality.
++ */
++
++#include <stdbool.h>
++#include <kselftest.h>
++#include <asm/sigcontext.h>
++#include <sys/prctl.h>
++
++unsigned int vls[SVE_VQ_MAX];
++unsigned int nvls;
++
++int sve_fill_vls(bool use_sme, int min_vls)
++{
++ int vq, vl;
++ int pr_set_vl = use_sme ? PR_SME_SET_VL : PR_SVE_SET_VL;
++ int len_mask = use_sme ? PR_SME_VL_LEN_MASK : PR_SVE_VL_LEN_MASK;
++
++ /*
++ * Enumerate up to SVE_VQ_MAX vector lengths
++ */
++ for (vq = SVE_VQ_MAX; vq > 0; --vq) {
++ vl = prctl(pr_set_vl, vq * 16);
++ if (vl == -1)
++ return KSFT_FAIL;
++
++ vl &= len_mask;
++
++ /*
++ * Unlike SVE, SME does not require the minimum vector length
++ * to be implemented, or the VLs to be consecutive, so any call
++ * to the prctl might return the single implemented VL, which
++ * might be larger than 16. So to avoid this loop never
++ * terminating, bail out here when we find a higher VL than
++ * we asked for.
++ * See the ARM ARM, DDI 0487K.a, B1.4.2: I_QQRNR and I_NWYBP.
++ */
++ if (vq < sve_vq_from_vl(vl))
++ break;
++
++ /* Skip missing VLs */
++ vq = sve_vq_from_vl(vl);
++
++ vls[nvls++] = vl;
++ }
++
++ if (nvls < min_vls) {
++ fprintf(stderr, "Only %d VL supported\n", nvls);
++ return KSFT_SKIP;
++ }
++
++ return KSFT_PASS;
++}
+diff --git a/tools/testing/selftests/arm64/signal/sve_helpers.h b/tools/testing/selftests/arm64/signal/sve_helpers.h
+new file mode 100644
+index 0000000000000..50948ce471cc6
+--- /dev/null
++++ b/tools/testing/selftests/arm64/signal/sve_helpers.h
+@@ -0,0 +1,21 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++/*
++ * Copyright (C) 2024 ARM Limited
++ *
++ * Common helper functions for SVE and SME functionality.
++ */
++
++#ifndef __SVE_HELPERS_H__
++#define __SVE_HELPERS_H__
++
++#include <stdbool.h>
++
++#define VLS_USE_SVE false
++#define VLS_USE_SME true
++
++extern unsigned int vls[];
++extern unsigned int nvls;
++
++int sve_fill_vls(bool use_sme, int min_vls);
++
++#endif
+diff --git a/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sme_change_vl.c b/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sme_change_vl.c
+index ebd5815b54bba..cb8c051b5c8f2 100644
+--- a/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sme_change_vl.c
++++ b/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sme_change_vl.c
+@@ -6,44 +6,28 @@
+ * handler, this is not supported and is expected to segfault.
+ */
+
++#include <kselftest.h>
+ #include <signal.h>
+ #include <ucontext.h>
+ #include <sys/prctl.h>
+
+ #include "test_signals_utils.h"
++#include "sve_helpers.h"
+ #include "testcases.h"
+
+ struct fake_sigframe sf;
+-static unsigned int vls[SVE_VQ_MAX];
+-unsigned int nvls = 0;
+
+ static bool sme_get_vls(struct tdescr *td)
+ {
+- int vq, vl;
++ int res = sve_fill_vls(VLS_USE_SME, 2);
+
+- /*
+- * Enumerate up to SVE_VQ_MAX vector lengths
+- */
+- for (vq = SVE_VQ_MAX; vq > 0; --vq) {
+- vl = prctl(PR_SVE_SET_VL, vq * 16);
+- if (vl == -1)
+- return false;
++ if (!res)
++ return true;
+
+- vl &= PR_SME_VL_LEN_MASK;
++ if (res == KSFT_SKIP)
++ td->result = KSFT_SKIP;
+
+- /* Skip missing VLs */
+- vq = sve_vq_from_vl(vl);
+-
+- vls[nvls++] = vl;
+- }
+-
+- /* We need at least two VLs */
+- if (nvls < 2) {
+- fprintf(stderr, "Only %d VL supported\n", nvls);
+- return false;
+- }
+-
+- return true;
++ return false;
+ }
+
+ static int fake_sigreturn_ssve_change_vl(struct tdescr *td,
+diff --git a/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sve_change_vl.c b/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sve_change_vl.c
+index e2a452190511f..e1ccf8f85a70c 100644
+--- a/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sve_change_vl.c
++++ b/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_sve_change_vl.c
+@@ -12,40 +12,22 @@
+ #include <sys/prctl.h>
+
+ #include "test_signals_utils.h"
++#include "sve_helpers.h"
+ #include "testcases.h"
+
+ struct fake_sigframe sf;
+-static unsigned int vls[SVE_VQ_MAX];
+-unsigned int nvls = 0;
+
+ static bool sve_get_vls(struct tdescr *td)
+ {
+- int vq, vl;
++ int res = sve_fill_vls(VLS_USE_SVE, 2);
+
+- /*
+- * Enumerate up to SVE_VQ_MAX vector lengths
+- */
+- for (vq = SVE_VQ_MAX; vq > 0; --vq) {
+- vl = prctl(PR_SVE_SET_VL, vq * 16);
+- if (vl == -1)
+- return false;
++ if (!res)
++ return true;
+
+- vl &= PR_SVE_VL_LEN_MASK;
+-
+- /* Skip missing VLs */
+- vq = sve_vq_from_vl(vl);
+-
+- vls[nvls++] = vl;
+- }
+-
+- /* We need at least two VLs */
+- if (nvls < 2) {
+- fprintf(stderr, "Only %d VL supported\n", nvls);
++ if (res == KSFT_SKIP)
+ td->result = KSFT_SKIP;
+- return false;
+- }
+
+- return true;
++ return false;
+ }
+
+ static int fake_sigreturn_sve_change_vl(struct tdescr *td,
+diff --git a/tools/testing/selftests/arm64/signal/testcases/ssve_regs.c b/tools/testing/selftests/arm64/signal/testcases/ssve_regs.c
+index 3d37daafcff51..6dbe48cf8b09e 100644
+--- a/tools/testing/selftests/arm64/signal/testcases/ssve_regs.c
++++ b/tools/testing/selftests/arm64/signal/testcases/ssve_regs.c
+@@ -6,51 +6,31 @@
+ * set up as expected.
+ */
+
++#include <kselftest.h>
+ #include <signal.h>
+ #include <ucontext.h>
+ #include <sys/prctl.h>
+
+ #include "test_signals_utils.h"
++#include "sve_helpers.h"
+ #include "testcases.h"
+
+ static union {
+ ucontext_t uc;
+ char buf[1024 * 64];
+ } context;
+-static unsigned int vls[SVE_VQ_MAX];
+-unsigned int nvls = 0;
+
+ static bool sme_get_vls(struct tdescr *td)
+ {
+- int vq, vl;
++ int res = sve_fill_vls(VLS_USE_SME, 1);
+
+- /*
+- * Enumerate up to SVE_VQ_MAX vector lengths
+- */
+- for (vq = SVE_VQ_MAX; vq > 0; --vq) {
+- vl = prctl(PR_SME_SET_VL, vq * 16);
+- if (vl == -1)
+- return false;
+-
+- vl &= PR_SME_VL_LEN_MASK;
+-
+- /* Did we find the lowest supported VL? */
+- if (vq < sve_vq_from_vl(vl))
+- break;
++ if (!res)
++ return true;
+
+- /* Skip missing VLs */
+- vq = sve_vq_from_vl(vl);
+-
+- vls[nvls++] = vl;
+- }
+-
+- /* We need at least one VL */
+- if (nvls < 1) {
+- fprintf(stderr, "Only %d VL supported\n", nvls);
+- return false;
+- }
++ if (res == KSFT_SKIP)
++ td->result = KSFT_SKIP;
+
+- return true;
++ return false;
+ }
+
+ static void setup_ssve_regs(void)
+diff --git a/tools/testing/selftests/arm64/signal/testcases/ssve_za_regs.c b/tools/testing/selftests/arm64/signal/testcases/ssve_za_regs.c
+index 9dc5f128bbc0d..5557e116e9736 100644
+--- a/tools/testing/selftests/arm64/signal/testcases/ssve_za_regs.c
++++ b/tools/testing/selftests/arm64/signal/testcases/ssve_za_regs.c
+@@ -6,51 +6,31 @@
+ * signal frames is set up as expected when enabled simultaneously.
+ */
+
++#include <kselftest.h>
+ #include <signal.h>
+ #include <ucontext.h>
+ #include <sys/prctl.h>
+
+ #include "test_signals_utils.h"
++#include "sve_helpers.h"
+ #include "testcases.h"
+
+ static union {
+ ucontext_t uc;
+ char buf[1024 * 128];
+ } context;
+-static unsigned int vls[SVE_VQ_MAX];
+-unsigned int nvls = 0;
+
+ static bool sme_get_vls(struct tdescr *td)
+ {
+- int vq, vl;
++ int res = sve_fill_vls(VLS_USE_SME, 1);
+
+- /*
+- * Enumerate up to SVE_VQ_MAX vector lengths
+- */
+- for (vq = SVE_VQ_MAX; vq > 0; --vq) {
+- vl = prctl(PR_SME_SET_VL, vq * 16);
+- if (vl == -1)
+- return false;
+-
+- vl &= PR_SME_VL_LEN_MASK;
+-
+- /* Did we find the lowest supported VL? */
+- if (vq < sve_vq_from_vl(vl))
+- break;
++ if (!res)
++ return true;
+
+- /* Skip missing VLs */
+- vq = sve_vq_from_vl(vl);
+-
+- vls[nvls++] = vl;
+- }
+-
+- /* We need at least one VL */
+- if (nvls < 1) {
+- fprintf(stderr, "Only %d VL supported\n", nvls);
+- return false;
+- }
++ if (res == KSFT_SKIP)
++ td->result = KSFT_SKIP;
+
+- return true;
++ return false;
+ }
+
+ static void setup_regs(void)
+diff --git a/tools/testing/selftests/arm64/signal/testcases/sve_regs.c b/tools/testing/selftests/arm64/signal/testcases/sve_regs.c
+index 8b16eabbb7697..8143eb1c58c18 100644
+--- a/tools/testing/selftests/arm64/signal/testcases/sve_regs.c
++++ b/tools/testing/selftests/arm64/signal/testcases/sve_regs.c
+@@ -6,47 +6,31 @@
+ * expected.
+ */
+
++#include <kselftest.h>
+ #include <signal.h>
+ #include <ucontext.h>
+ #include <sys/prctl.h>
+
+ #include "test_signals_utils.h"
++#include "sve_helpers.h"
+ #include "testcases.h"
+
+ static union {
+ ucontext_t uc;
+ char buf[1024 * 64];
+ } context;
+-static unsigned int vls[SVE_VQ_MAX];
+-unsigned int nvls = 0;
+
+ static bool sve_get_vls(struct tdescr *td)
+ {
+- int vq, vl;
++ int res = sve_fill_vls(VLS_USE_SVE, 1);
+
+- /*
+- * Enumerate up to SVE_VQ_MAX vector lengths
+- */
+- for (vq = SVE_VQ_MAX; vq > 0; --vq) {
+- vl = prctl(PR_SVE_SET_VL, vq * 16);
+- if (vl == -1)
+- return false;
+-
+- vl &= PR_SVE_VL_LEN_MASK;
+-
+- /* Skip missing VLs */
+- vq = sve_vq_from_vl(vl);
++ if (!res)
++ return true;
+
+- vls[nvls++] = vl;
+- }
+-
+- /* We need at least one VL */
+- if (nvls < 1) {
+- fprintf(stderr, "Only %d VL supported\n", nvls);
+- return false;
+- }
++ if (res == KSFT_SKIP)
++ td->result = KSFT_SKIP;
+
+- return true;
++ return false;
+ }
+
+ static void setup_sve_regs(void)
+diff --git a/tools/testing/selftests/arm64/signal/testcases/za_no_regs.c b/tools/testing/selftests/arm64/signal/testcases/za_no_regs.c
+index 4d6f94b6178f3..ce26e9c2fa5e3 100644
+--- a/tools/testing/selftests/arm64/signal/testcases/za_no_regs.c
++++ b/tools/testing/selftests/arm64/signal/testcases/za_no_regs.c
+@@ -6,47 +6,31 @@
+ * expected.
+ */
+
++#include <kselftest.h>
+ #include <signal.h>
+ #include <ucontext.h>
+ #include <sys/prctl.h>
+
+ #include "test_signals_utils.h"
++#include "sve_helpers.h"
+ #include "testcases.h"
+
+ static union {
+ ucontext_t uc;
+ char buf[1024 * 128];
+ } context;
+-static unsigned int vls[SVE_VQ_MAX];
+-unsigned int nvls = 0;
+
+ static bool sme_get_vls(struct tdescr *td)
+ {
+- int vq, vl;
++ int res = sve_fill_vls(VLS_USE_SME, 1);
+
+- /*
+- * Enumerate up to SME_VQ_MAX vector lengths
+- */
+- for (vq = SVE_VQ_MAX; vq > 0; --vq) {
+- vl = prctl(PR_SME_SET_VL, vq * 16);
+- if (vl == -1)
+- return false;
+-
+- vl &= PR_SME_VL_LEN_MASK;
+-
+- /* Skip missing VLs */
+- vq = sve_vq_from_vl(vl);
++ if (!res)
++ return true;
+
+- vls[nvls++] = vl;
+- }
+-
+- /* We need at least one VL */
+- if (nvls < 1) {
+- fprintf(stderr, "Only %d VL supported\n", nvls);
+- return false;
+- }
++ if (res == KSFT_SKIP)
++ td->result = KSFT_SKIP;
+
+- return true;
++ return false;
+ }
+
+ static int do_one_sme_vl(struct tdescr *td, siginfo_t *si, ucontext_t *uc,
+diff --git a/tools/testing/selftests/arm64/signal/testcases/za_regs.c b/tools/testing/selftests/arm64/signal/testcases/za_regs.c
+index 174ad66566964..b9e13f27f1f9a 100644
+--- a/tools/testing/selftests/arm64/signal/testcases/za_regs.c
++++ b/tools/testing/selftests/arm64/signal/testcases/za_regs.c
+@@ -6,51 +6,31 @@
+ * expected.
+ */
+
++#include <kselftest.h>
+ #include <signal.h>
+ #include <ucontext.h>
+ #include <sys/prctl.h>
+
+ #include "test_signals_utils.h"
++#include "sve_helpers.h"
+ #include "testcases.h"
+
+ static union {
+ ucontext_t uc;
+ char buf[1024 * 128];
+ } context;
+-static unsigned int vls[SVE_VQ_MAX];
+-unsigned int nvls = 0;
+
+ static bool sme_get_vls(struct tdescr *td)
+ {
+- int vq, vl;
++ int res = sve_fill_vls(VLS_USE_SME, 1);
+
+- /*
+- * Enumerate up to SME_VQ_MAX vector lengths
+- */
+- for (vq = SVE_VQ_MAX; vq > 0; --vq) {
+- vl = prctl(PR_SME_SET_VL, vq * 16);
+- if (vl == -1)
+- return false;
+-
+- vl &= PR_SME_VL_LEN_MASK;
+-
+- /* Did we find the lowest supported VL? */
+- if (vq < sve_vq_from_vl(vl))
+- break;
++ if (!res)
++ return true;
+
+- /* Skip missing VLs */
+- vq = sve_vq_from_vl(vl);
+-
+- vls[nvls++] = vl;
+- }
+-
+- /* We need at least one VL */
+- if (nvls < 1) {
+- fprintf(stderr, "Only %d VL supported\n", nvls);
+- return false;
+- }
++ if (res == KSFT_SKIP)
++ td->result = KSFT_SKIP;
+
+- return true;
++ return false;
+ }
+
+ static void setup_za_regs(void)
+--
+2.43.0
+
--- /dev/null
+From f12499b16b82cf8842fd1307065bb022f7ee93c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 16:56:02 -0400
+Subject: kselftest: dt: Ignore nodes that have ancestors disabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+
+[ Upstream commit 05144ab7b7eaf531fc728fcb79dcf36b621ff42d ]
+
+Filter out nodes that have one of its ancestors disabled as they aren't
+expected to probe.
+
+This removes the following false-positive failures on the
+sc7180-trogdor-lazor-limozeen-nots-r5 platform:
+
+/soc@0/geniqup@8c0000/i2c@894000/proximity@28
+/soc@0/geniqup@ac0000/spi@a90000/ec@0
+/soc@0/remoteproc@62400000/glink-edge/apr
+/soc@0/remoteproc@62400000/glink-edge/apr/service@3
+/soc@0/remoteproc@62400000/glink-edge/apr/service@4
+/soc@0/remoteproc@62400000/glink-edge/apr/service@4/clock-controller
+/soc@0/remoteproc@62400000/glink-edge/apr/service@4/dais
+/soc@0/remoteproc@62400000/glink-edge/apr/service@7
+/soc@0/remoteproc@62400000/glink-edge/apr/service@7/dais
+/soc@0/remoteproc@62400000/glink-edge/apr/service@8
+/soc@0/remoteproc@62400000/glink-edge/apr/service@8/routing
+/soc@0/remoteproc@62400000/glink-edge/fastrpc
+/soc@0/remoteproc@62400000/glink-edge/fastrpc/compute-cb@3
+/soc@0/remoteproc@62400000/glink-edge/fastrpc/compute-cb@4
+/soc@0/remoteproc@62400000/glink-edge/fastrpc/compute-cb@5
+/soc@0/spmi@c440000/pmic@0/pon@800/pwrkey
+
+Fixes: 14571ab1ad21 ("kselftest: Add new test for detecting unprobed Devicetree devices")
+Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Link: https://lore.kernel.org/r/20240729-dt-kselftest-parent-disabled-v2-1-d7a001c4930d@collabora.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testing/selftests/dt/test_unprobed_devices.sh | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/dt/test_unprobed_devices.sh b/tools/testing/selftests/dt/test_unprobed_devices.sh
+index 2d7e70c5ad2d3..5e3f42ef249ee 100755
+--- a/tools/testing/selftests/dt/test_unprobed_devices.sh
++++ b/tools/testing/selftests/dt/test_unprobed_devices.sh
+@@ -34,8 +34,21 @@ nodes_compatible=$(
+ # Check if node is available
+ if [[ -e "${node}"/status ]]; then
+ status=$(tr -d '\000' < "${node}"/status)
+- [[ "${status}" != "okay" && "${status}" != "ok" ]] && continue
++ if [[ "${status}" != "okay" && "${status}" != "ok" ]]; then
++ if [ -n "${disabled_nodes_regex}" ]; then
++ disabled_nodes_regex="${disabled_nodes_regex}|${node}"
++ else
++ disabled_nodes_regex="${node}"
++ fi
++ continue
++ fi
+ fi
++
++ # Ignore this node if one of its ancestors was disabled
++ if [ -n "${disabled_nodes_regex}" ]; then
++ echo "${node}" | grep -q -E "${disabled_nodes_regex}" && continue
++ fi
++
+ echo "${node}" | sed -e 's|\/proc\/device-tree||'
+ done | sort
+ )
+--
+2.43.0
+
--- /dev/null
+From d5ec4bf570d20294282cd205457c58810d2650fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 19:23:08 +0800
+Subject: kthread: fix task state in kthread worker if being frozen
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chen Yu <yu.c.chen@intel.com>
+
+[ Upstream commit e16c7b07784f3fb03025939c4590b9a7c64970a7 ]
+
+When analyzing a kernel waring message, Peter pointed out that there is a
+race condition when the kworker is being frozen and falls into
+try_to_freeze() with TASK_INTERRUPTIBLE, which could trigger a
+might_sleep() warning in try_to_freeze(). Although the root cause is not
+related to freeze()[1], it is still worthy to fix this issue ahead.
+
+One possible race scenario:
+
+ CPU 0 CPU 1
+ ----- -----
+
+ // kthread_worker_fn
+ set_current_state(TASK_INTERRUPTIBLE);
+ suspend_freeze_processes()
+ freeze_processes
+ static_branch_inc(&freezer_active);
+ freeze_kernel_threads
+ pm_nosig_freezing = true;
+ if (work) { //false
+ __set_current_state(TASK_RUNNING);
+
+ } else if (!freezing(current)) //false, been frozen
+
+ freezing():
+ if (static_branch_unlikely(&freezer_active))
+ if (pm_nosig_freezing)
+ return true;
+ schedule()
+ }
+
+ // state is still TASK_INTERRUPTIBLE
+ try_to_freeze()
+ might_sleep() <--- warning
+
+Fix this by explicitly set the TASK_RUNNING before entering
+try_to_freeze().
+
+Link: https://lore.kernel.org/lkml/Zs2ZoAcUsZMX2B%2FI@chenyu5-mobl2/ [1]
+Link: https://lkml.kernel.org/r/20240827112308.181081-1-yu.c.chen@intel.com
+Fixes: b56c0d8937e6 ("kthread: implement kthread_worker")
+Signed-off-by: Chen Yu <yu.c.chen@intel.com>
+Suggested-by: Peter Zijlstra <peterz@infradead.org>
+Suggested-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Andreas Gruenbacher <agruenba@redhat.com>
+Cc: David Gow <davidgow@google.com>
+Cc: Mateusz Guzik <mjguzik@gmail.com>
+Cc: Mickaël Salaün <mic@digikod.net>
+Cc: Tejun Heo <tj@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/kthread.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/kthread.c b/kernel/kthread.c
+index f7be976ff88af..db4ceb0f503cc 100644
+--- a/kernel/kthread.c
++++ b/kernel/kthread.c
+@@ -845,8 +845,16 @@ int kthread_worker_fn(void *worker_ptr)
+ * event only cares about the address.
+ */
+ trace_sched_kthread_work_execute_end(work, func);
+- } else if (!freezing(current))
++ } else if (!freezing(current)) {
+ schedule();
++ } else {
++ /*
++ * Handle the case where the current remains
++ * TASK_INTERRUPTIBLE. try_to_freeze() expects
++ * the current to be TASK_RUNNING.
++ */
++ __set_current_state(TASK_RUNNING);
++ }
+
+ try_to_freeze();
+ cond_resched();
+--
+2.43.0
+
--- /dev/null
+From a852326c267ab961a86336f96fd07aa94e4d37a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Jul 2024 17:19:03 +0200
+Subject: leds: bd2606mvv: Fix device child node usage in bd2606mvv_probe()
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+[ Upstream commit ffbf1fcb421429916a861cfc25dfe0c6387dda75 ]
+
+The current implementation accesses the `child` fwnode handle outside of
+fwnode_for_each_available_child_node() without incrementing its
+refcount. Add the missing call to `fwnode_handle_get(child)`.
+
+The cleanup process where `child` is accessed is not right either
+because a single call to `fwnode_handle_put()` is carried out in case of
+an error, ignoring unasigned nodes at the point when the error happens.
+Keep `child` inside of the first loop, and use the helper pointer that
+receives references via `fwnode_handle_get()` to handle the child nodes
+within the second loop.
+
+Moreover, the iterated nodes are direct children of the device node,
+and the `device_for_each_child_node()` macro accounts for child node
+availability. By restricting `child` to live within that loop, the
+scoped version of it can be used to simplify the error handling.
+
+`fwnode_for_each_available_child_node()` is meant to access the child
+nodes of an fwnode, and therefore not direct child nodes of the device
+node.
+
+Use `device_for_each_child_node_scoped()` to indicate device's direct
+child nodes.
+
+Fixes: 8325642d2757 ("leds: bd2606mvv: Driver for the Rohm 6 Channel i2c LED driver")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://lore.kernel.org/r/20240721-device_for_each_child_node-available-v2-3-f33748fd8b2d@gmail.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-bd2606mvv.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/leds/leds-bd2606mvv.c b/drivers/leds/leds-bd2606mvv.c
+index 3fda712d2f809..c1181a35d0f76 100644
+--- a/drivers/leds/leds-bd2606mvv.c
++++ b/drivers/leds/leds-bd2606mvv.c
+@@ -69,16 +69,14 @@ static const struct regmap_config bd2606mvv_regmap = {
+
+ static int bd2606mvv_probe(struct i2c_client *client)
+ {
+- struct fwnode_handle *np, *child;
+ struct device *dev = &client->dev;
+ struct bd2606mvv_priv *priv;
+ struct fwnode_handle *led_fwnodes[BD2606_MAX_LEDS] = { 0 };
+ int active_pairs[BD2606_MAX_LEDS / 2] = { 0 };
+ int err, reg;
+- int i;
++ int i, j;
+
+- np = dev_fwnode(dev);
+- if (!np)
++ if (!dev_fwnode(dev))
+ return -ENODEV;
+
+ priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL);
+@@ -94,20 +92,18 @@ static int bd2606mvv_probe(struct i2c_client *client)
+
+ i2c_set_clientdata(client, priv);
+
+- fwnode_for_each_available_child_node(np, child) {
++ device_for_each_child_node_scoped(dev, child) {
+ struct bd2606mvv_led *led;
+
+ err = fwnode_property_read_u32(child, "reg", ®);
+- if (err) {
+- fwnode_handle_put(child);
++ if (err)
+ return err;
+- }
+- if (reg < 0 || reg >= BD2606_MAX_LEDS || led_fwnodes[reg]) {
+- fwnode_handle_put(child);
++
++ if (reg < 0 || reg >= BD2606_MAX_LEDS || led_fwnodes[reg])
+ return -EINVAL;
+- }
++
+ led = &priv->leds[reg];
+- led_fwnodes[reg] = child;
++ led_fwnodes[reg] = fwnode_handle_get(child);
+ active_pairs[reg / 2]++;
+ led->priv = priv;
+ led->led_no = reg;
+@@ -130,7 +126,8 @@ static int bd2606mvv_probe(struct i2c_client *client)
+ &priv->leds[i].ldev,
+ &init_data);
+ if (err < 0) {
+- fwnode_handle_put(child);
++ for (j = i; j < BD2606_MAX_LEDS; j++)
++ fwnode_handle_put(led_fwnodes[j]);
+ return dev_err_probe(dev, err,
+ "couldn't register LED %s\n",
+ priv->leds[i].ldev.name);
+--
+2.43.0
+
--- /dev/null
+From 164ff0a95bc03c9516657a0e09ec402f30efe0f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jul 2024 14:24:59 -0700
+Subject: leds: gpio: Set num_leds after allocation
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 045391a02bd971d431c83ad03f7cc51b6e2fe331 ]
+
+With the new __counted_by annotation, the "num_leds" variable needs to
+valid for accesses to the "leds" array. This requirement is not met in
+gpio_leds_create(), since "num_leds" starts at "0", so "leds" index "0"
+will not be considered valid (num_leds would need to be "1" to access
+index "0").
+
+Fix this by setting the allocation size after allocation, and then update
+the final count based on how many were actually added to the array.
+
+Fixes: 52cd75108a42 ("leds: gpio: Annotate struct gpio_leds_priv with __counted_by")
+Signed-off-by: Kees Cook <kees@kernel.org>
+Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Link: https://lore.kernel.org/r/20240716212455.work.809-kees@kernel.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-gpio.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/leds/leds-gpio.c b/drivers/leds/leds-gpio.c
+index 83fcd7b6afff7..4d1612d557c84 100644
+--- a/drivers/leds/leds-gpio.c
++++ b/drivers/leds/leds-gpio.c
+@@ -150,7 +150,7 @@ static struct gpio_leds_priv *gpio_leds_create(struct device *dev)
+ {
+ struct fwnode_handle *child;
+ struct gpio_leds_priv *priv;
+- int count, ret;
++ int count, used, ret;
+
+ count = device_get_child_node_count(dev);
+ if (!count)
+@@ -159,9 +159,11 @@ static struct gpio_leds_priv *gpio_leds_create(struct device *dev)
+ priv = devm_kzalloc(dev, struct_size(priv, leds, count), GFP_KERNEL);
+ if (!priv)
+ return ERR_PTR(-ENOMEM);
++ priv->num_leds = count;
++ used = 0;
+
+ device_for_each_child_node(dev, child) {
+- struct gpio_led_data *led_dat = &priv->leds[priv->num_leds];
++ struct gpio_led_data *led_dat = &priv->leds[used];
+ struct gpio_led led = {};
+
+ /*
+@@ -197,8 +199,9 @@ static struct gpio_leds_priv *gpio_leds_create(struct device *dev)
+ /* Set gpiod label to match the corresponding LED name. */
+ gpiod_set_consumer_name(led_dat->gpiod,
+ led_dat->cdev.dev->kobj.name);
+- priv->num_leds++;
++ used++;
+ }
++ priv->num_leds = used;
+
+ return priv;
+ }
+--
+2.43.0
+
--- /dev/null
+From 2358d2ca2af1bea308fb45e83ca9fcec96f4b805 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 15:37:03 +0200
+Subject: leds: pca995x: Fix device child node usage in pca995x_probe()
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+[ Upstream commit 82c5ada1f9d05902a4ccb926c7ce34e2fe699283 ]
+
+The current implementation accesses the `child` fwnode handle outside of
+device_for_each_child_node() without incrementing its refcount.
+
+Add the missing call to `fwnode_handle_get(child)`.
+
+The cleanup process where `child` is accessed is not right either
+because a single call to `fwnode_handle_put()` is carried out in case of
+an error, ignoring unasigned nodes at the point when the error happens.
+
+Keep `child` inside of the first loop, and use the helper pointer that
+receives references via `fwnode_handle_get()` to handle the child nodes
+within the second loop. Keeping `child` inside the first node has also
+the advantage that the scoped version of the loop can be used.
+
+Fixes: ee4e80b2962e ("leds: pca995x: Add support for PCA995X chips")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://lore.kernel.org/r/20240807-leds-pca995x-fix-fwnode-usage-v1-1-8057c84dc583@gmail.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-pca995x.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/leds/leds-pca995x.c b/drivers/leds/leds-pca995x.c
+index a5b32eaba7248..3e56ce90b4b92 100644
+--- a/drivers/leds/leds-pca995x.c
++++ b/drivers/leds/leds-pca995x.c
+@@ -102,11 +102,10 @@ static const struct regmap_config pca995x_regmap = {
+ static int pca995x_probe(struct i2c_client *client)
+ {
+ struct fwnode_handle *led_fwnodes[PCA995X_MAX_OUTPUTS] = { 0 };
+- struct fwnode_handle *child;
+ struct device *dev = &client->dev;
+ struct pca995x_chip *chip;
+ struct pca995x_led *led;
+- int i, btype, reg, ret;
++ int i, j, btype, reg, ret;
+
+ btype = (unsigned long)device_get_match_data(&client->dev);
+
+@@ -124,7 +123,7 @@ static int pca995x_probe(struct i2c_client *client)
+
+ i2c_set_clientdata(client, chip);
+
+- device_for_each_child_node(dev, child) {
++ device_for_each_child_node_scoped(dev, child) {
+ ret = fwnode_property_read_u32(child, "reg", ®);
+ if (ret)
+ return ret;
+@@ -133,7 +132,7 @@ static int pca995x_probe(struct i2c_client *client)
+ return -EINVAL;
+
+ led = &chip->leds[reg];
+- led_fwnodes[reg] = child;
++ led_fwnodes[reg] = fwnode_handle_get(child);
+ led->chip = chip;
+ led->led_no = reg;
+ led->ldev.brightness_set_blocking = pca995x_brightness_set;
+@@ -152,7 +151,8 @@ static int pca995x_probe(struct i2c_client *client)
+ &chip->leds[i].ldev,
+ &init_data);
+ if (ret < 0) {
+- fwnode_handle_put(child);
++ for (j = i; j < PCA995X_MAX_OUTPUTS; j++)
++ fwnode_handle_put(led_fwnodes[j]);
+ return dev_err_probe(dev, ret,
+ "Could not register LED %s\n",
+ chip->leds[i].ldev.name);
+--
+2.43.0
+
--- /dev/null
+From 9a2141682e910599f55609306e9fae2f1debdd39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Aug 2024 16:49:45 +0200
+Subject: leds: pca995x: Use device_for_each_child_node() to access device
+ child nodes
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+[ Upstream commit 6eefd65ba6ae29ab801f6461e59c10f93dd496f8 ]
+
+The iterated nodes are direct children of the device node, and the
+`device_for_each_child_node()` macro accounts for child node
+availability.
+
+`fwnode_for_each_available_child_node()` is meant to access the child
+nodes of an fwnode, and therefore not direct child nodes of the device
+node.
+
+Use `device_for_each_child_node()` to indicate device's direct child
+nodes.
+
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Link: https://lore.kernel.org/r/20240805-device_for_each_child_node-available-v3-2-48243a4aa5c0@gmail.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Stable-dep-of: 82c5ada1f9d0 ("leds: pca995x: Fix device child node usage in pca995x_probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-pca995x.c | 15 +++++----------
+ 1 file changed, 5 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/leds/leds-pca995x.c b/drivers/leds/leds-pca995x.c
+index 78215dff14997..a5b32eaba7248 100644
+--- a/drivers/leds/leds-pca995x.c
++++ b/drivers/leds/leds-pca995x.c
+@@ -102,7 +102,7 @@ static const struct regmap_config pca995x_regmap = {
+ static int pca995x_probe(struct i2c_client *client)
+ {
+ struct fwnode_handle *led_fwnodes[PCA995X_MAX_OUTPUTS] = { 0 };
+- struct fwnode_handle *np, *child;
++ struct fwnode_handle *child;
+ struct device *dev = &client->dev;
+ struct pca995x_chip *chip;
+ struct pca995x_led *led;
+@@ -110,8 +110,7 @@ static int pca995x_probe(struct i2c_client *client)
+
+ btype = (unsigned long)device_get_match_data(&client->dev);
+
+- np = dev_fwnode(dev);
+- if (!np)
++ if (!dev_fwnode(dev))
+ return -ENODEV;
+
+ chip = devm_kzalloc(dev, sizeof(*chip), GFP_KERNEL);
+@@ -125,17 +124,13 @@ static int pca995x_probe(struct i2c_client *client)
+
+ i2c_set_clientdata(client, chip);
+
+- fwnode_for_each_available_child_node(np, child) {
++ device_for_each_child_node(dev, child) {
+ ret = fwnode_property_read_u32(child, "reg", ®);
+- if (ret) {
+- fwnode_handle_put(child);
++ if (ret)
+ return ret;
+- }
+
+- if (reg < 0 || reg >= PCA995X_MAX_OUTPUTS || led_fwnodes[reg]) {
+- fwnode_handle_put(child);
++ if (reg < 0 || reg >= PCA995X_MAX_OUTPUTS || led_fwnodes[reg])
+ return -EINVAL;
+- }
+
+ led = &chip->leds[reg];
+ led_fwnodes[reg] = child;
+--
+2.43.0
+
--- /dev/null
+From c8b37327bb31bc8b067f964f39826099f45071cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Sep 2024 10:17:09 +0800
+Subject: lib/sbitmap: define swap_lock as raw_spinlock_t
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 65f666c6203600053478ce8e34a1db269a8701c9 ]
+
+When called from sbitmap_queue_get(), sbitmap_deferred_clear() may be run
+with preempt disabled. In RT kernel, spin_lock() can sleep, then warning
+of "BUG: sleeping function called from invalid context" can be triggered.
+
+Fix it by replacing it with raw_spin_lock.
+
+Cc: Yang Yang <yang.yang@vivo.com>
+Fixes: 72d04bdcf3f7 ("sbitmap: fix io hung due to race on sbitmap_word::cleared")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Yang Yang <yang.yang@vivo.com>
+Link: https://lore.kernel.org/r/20240919021709.511329-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sbitmap.h | 2 +-
+ lib/sbitmap.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/sbitmap.h b/include/linux/sbitmap.h
+index c09cdcc99471e..189140bf11fc4 100644
+--- a/include/linux/sbitmap.h
++++ b/include/linux/sbitmap.h
+@@ -40,7 +40,7 @@ struct sbitmap_word {
+ /**
+ * @swap_lock: serializes simultaneous updates of ->word and ->cleared
+ */
+- spinlock_t swap_lock;
++ raw_spinlock_t swap_lock;
+ } ____cacheline_aligned_in_smp;
+
+ /**
+diff --git a/lib/sbitmap.c b/lib/sbitmap.c
+index 5e2e93307f0d0..d3412984170c0 100644
+--- a/lib/sbitmap.c
++++ b/lib/sbitmap.c
+@@ -65,7 +65,7 @@ static inline bool sbitmap_deferred_clear(struct sbitmap_word *map,
+ {
+ unsigned long mask, word_mask;
+
+- guard(spinlock_irqsave)(&map->swap_lock);
++ guard(raw_spinlock_irqsave)(&map->swap_lock);
+
+ if (!map->cleared) {
+ if (depth == 0)
+@@ -136,7 +136,7 @@ int sbitmap_init_node(struct sbitmap *sb, unsigned int depth, int shift,
+ }
+
+ for (i = 0; i < sb->map_nr; i++)
+- spin_lock_init(&sb->map[i].swap_lock);
++ raw_spin_lock_init(&sb->map[i].swap_lock);
+
+ return 0;
+ }
+--
+2.43.0
+
--- /dev/null
+From 6e41ddbb964dff8f9a3dd245cad679e646163579 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jul 2024 12:14:58 -0500
+Subject: libbpf: Don't take direct pointers into BTF data from st_ops
+
+From: David Vernet <void@manifault.com>
+
+[ Upstream commit 04a94133f1b3cccb19e056c26f056c50b4e5b3b1 ]
+
+In struct bpf_struct_ops, we have take a pointer to a BTF type name, and
+a struct btf_type. This was presumably done for convenience, but can
+actually result in subtle and confusing bugs given that BTF data can be
+invalidated before a program is loaded. For example, in sched_ext, we
+may sometimes resize a data section after a skeleton has been opened,
+but before the struct_ops scheduler map has been loaded. This may cause
+the BTF data to be realloc'd, which can then cause a UAF when loading
+the program because the struct_ops map has pointers directly into the
+BTF data.
+
+We're already storing the BTF type_id in struct bpf_struct_ops. Because
+type_id is stable, we can therefore just update the places where we were
+looking at those pointers to instead do the lookups we need from the
+type_id.
+
+Fixes: 590a00888250 ("bpf: libbpf: Add STRUCT_OPS support")
+Signed-off-by: David Vernet <void@manifault.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20240724171459.281234-1-void@manifault.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index a3be6f8fac09e..e553538874393 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -496,8 +496,6 @@ struct bpf_program {
+ };
+
+ struct bpf_struct_ops {
+- const char *tname;
+- const struct btf_type *type;
+ struct bpf_program **progs;
+ __u32 *kern_func_off;
+ /* e.g. struct tcp_congestion_ops in bpf_prog's btf format */
+@@ -1083,11 +1081,14 @@ static int bpf_object_adjust_struct_ops_autoload(struct bpf_object *obj)
+ continue;
+
+ for (j = 0; j < obj->nr_maps; ++j) {
++ const struct btf_type *type;
++
+ map = &obj->maps[j];
+ if (!bpf_map__is_struct_ops(map))
+ continue;
+
+- vlen = btf_vlen(map->st_ops->type);
++ type = btf__type_by_id(obj->btf, map->st_ops->type_id);
++ vlen = btf_vlen(type);
+ for (k = 0; k < vlen; ++k) {
+ slot_prog = map->st_ops->progs[k];
+ if (prog != slot_prog)
+@@ -1121,8 +1122,8 @@ static int bpf_map__init_kern_struct_ops(struct bpf_map *map)
+ int err;
+
+ st_ops = map->st_ops;
+- type = st_ops->type;
+- tname = st_ops->tname;
++ type = btf__type_by_id(btf, st_ops->type_id);
++ tname = btf__name_by_offset(btf, type->name_off);
+ err = find_struct_ops_kern_types(obj, tname, &mod_btf,
+ &kern_type, &kern_type_id,
+ &kern_vtype, &kern_vtype_id,
+@@ -1423,8 +1424,6 @@ static int init_struct_ops_maps(struct bpf_object *obj, const char *sec_name,
+ memcpy(st_ops->data,
+ data->d_buf + vsi->offset,
+ type->size);
+- st_ops->tname = tname;
+- st_ops->type = type;
+ st_ops->type_id = type_id;
+
+ pr_debug("struct_ops init: struct %s(type_id=%u) %s found at offset %u\n",
+@@ -8445,11 +8444,13 @@ static int bpf_object__resolve_externs(struct bpf_object *obj,
+
+ static void bpf_map_prepare_vdata(const struct bpf_map *map)
+ {
++ const struct btf_type *type;
+ struct bpf_struct_ops *st_ops;
+ __u32 i;
+
+ st_ops = map->st_ops;
+- for (i = 0; i < btf_vlen(st_ops->type); i++) {
++ type = btf__type_by_id(map->obj->btf, st_ops->type_id);
++ for (i = 0; i < btf_vlen(type); i++) {
+ struct bpf_program *prog = st_ops->progs[i];
+ void *kern_data;
+ int prog_fd;
+@@ -9712,6 +9713,7 @@ static struct bpf_map *find_struct_ops_map_by_offset(struct bpf_object *obj,
+ static int bpf_object__collect_st_ops_relos(struct bpf_object *obj,
+ Elf64_Shdr *shdr, Elf_Data *data)
+ {
++ const struct btf_type *type;
+ const struct btf_member *member;
+ struct bpf_struct_ops *st_ops;
+ struct bpf_program *prog;
+@@ -9771,13 +9773,14 @@ static int bpf_object__collect_st_ops_relos(struct bpf_object *obj,
+ }
+ insn_idx = sym->st_value / BPF_INSN_SZ;
+
+- member = find_member_by_offset(st_ops->type, moff * 8);
++ type = btf__type_by_id(btf, st_ops->type_id);
++ member = find_member_by_offset(type, moff * 8);
+ if (!member) {
+ pr_warn("struct_ops reloc %s: cannot find member at moff %u\n",
+ map->name, moff);
+ return -EINVAL;
+ }
+- member_idx = member - btf_members(st_ops->type);
++ member_idx = member - btf_members(type);
+ name = btf__name_by_offset(btf, member->name_off);
+
+ if (!resolve_func_ptr(btf, member->type, NULL)) {
+--
+2.43.0
+
--- /dev/null
+From c487b7d6d2e0529b41ef5fd74e9ff97682f7151c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Aug 2024 02:51:50 -0700
+Subject: libbpf: Ensure new BTF objects inherit input endianness
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit da18bfa59d403040d8bcba1284285916fe9e4425 ]
+
+New split BTF needs to preserve base's endianness. Similarly, when
+creating a distilled BTF, we need to preserve original endianness.
+
+Fix by updating libbpf's btf__distill_base() and btf_new_empty() to retain
+the byte order of any source BTF objects when creating new ones.
+
+Fixes: ba451366bf44 ("libbpf: Implement basic split BTF support")
+Fixes: 58e185a0dc35 ("libbpf: Add btf__distill_base() creating split BTF with distilled base BTF")
+Reported-by: Song Liu <song@kernel.org>
+Reported-by: Eduard Zingerman <eddyz87@gmail.com>
+Suggested-by: Eduard Zingerman <eddyz87@gmail.com>
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Tested-by: Alan Maguire <alan.maguire@oracle.com>
+Acked-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/bpf/6358db36c5f68b07873a0a5be2d062b1af5ea5f8.camel@gmail.com/
+Link: https://lore.kernel.org/bpf/20240830095150.278881-1-tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/btf.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tools/lib/bpf/btf.c b/tools/lib/bpf/btf.c
+index 32c00db3b91b9..40aae244e35f7 100644
+--- a/tools/lib/bpf/btf.c
++++ b/tools/lib/bpf/btf.c
+@@ -996,6 +996,7 @@ static struct btf *btf_new_empty(struct btf *base_btf)
+ btf->base_btf = base_btf;
+ btf->start_id = btf__type_cnt(base_btf);
+ btf->start_str_off = base_btf->hdr->str_len;
++ btf->swapped_endian = base_btf->swapped_endian;
+ }
+
+ /* +1 for empty string at offset 0 */
+@@ -5394,6 +5395,9 @@ int btf__distill_base(const struct btf *src_btf, struct btf **new_base_btf,
+ new_base = btf__new_empty();
+ if (!new_base)
+ return libbpf_err(-ENOMEM);
++
++ btf__set_endianness(new_base, btf__endianness(src_btf));
++
+ dist.id_map = calloc(n, sizeof(*dist.id_map));
+ if (!dist.id_map) {
+ err = -ENOMEM;
+--
+2.43.0
+
--- /dev/null
+From c7d53205343bda02db40cadb8027b46461b38abc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 13:37:21 -0700
+Subject: libbpf: Fix bpf_object__open_skeleton()'s mishandling of options
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit c634d6f4e12d00c954410ba11db45799a8c77b5b ]
+
+We do an ugly copying of options in bpf_object__open_skeleton() just to
+be able to set object name from skeleton's recorded name (while still
+allowing user to override it through opts->object_name).
+
+This is not just ugly, but it also is broken due to memcpy() that
+doesn't take into account potential skel_opts' and user-provided opts'
+sizes differences due to backward and forward compatibility. This leads
+to copying over extra bytes and then failing to validate options
+properly. It could, technically, lead also to SIGSEGV, if we are unlucky.
+
+So just get rid of that memory copy completely and instead pass
+default object name into bpf_object_open() directly, simplifying all
+this significantly. The rule now is that obj_name should be non-NULL for
+bpf_object_open() when called with in-memory buffer, so validate that
+explicitly as well.
+
+We adopt bpf_object__open_mem() to this as well and generate default
+name (based on buffer memory address and size) outside of bpf_object_open().
+
+Fixes: d66562fba1ce ("libbpf: Add BPF object skeleton support")
+Reported-by: Daniel Müller <deso@posteo.net>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Daniel Müller <deso@posteo.net>
+Acked-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/bpf/20240827203721.1145494-1-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 52 +++++++++++++++---------------------------
+ 1 file changed, 19 insertions(+), 33 deletions(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index e553538874393..d3a542649e6ba 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -7905,16 +7905,19 @@ static int bpf_object_init_progs(struct bpf_object *obj, const struct bpf_object
+ }
+
+ static struct bpf_object *bpf_object_open(const char *path, const void *obj_buf, size_t obj_buf_sz,
++ const char *obj_name,
+ const struct bpf_object_open_opts *opts)
+ {
+- const char *obj_name, *kconfig, *btf_tmp_path, *token_path;
++ const char *kconfig, *btf_tmp_path, *token_path;
+ struct bpf_object *obj;
+- char tmp_name[64];
+ int err;
+ char *log_buf;
+ size_t log_size;
+ __u32 log_level;
+
++ if (obj_buf && !obj_name)
++ return ERR_PTR(-EINVAL);
++
+ if (elf_version(EV_CURRENT) == EV_NONE) {
+ pr_warn("failed to init libelf for %s\n",
+ path ? : "(mem buf)");
+@@ -7924,16 +7927,12 @@ static struct bpf_object *bpf_object_open(const char *path, const void *obj_buf,
+ if (!OPTS_VALID(opts, bpf_object_open_opts))
+ return ERR_PTR(-EINVAL);
+
+- obj_name = OPTS_GET(opts, object_name, NULL);
++ obj_name = OPTS_GET(opts, object_name, NULL) ?: obj_name;
+ if (obj_buf) {
+- if (!obj_name) {
+- snprintf(tmp_name, sizeof(tmp_name), "%lx-%lx",
+- (unsigned long)obj_buf,
+- (unsigned long)obj_buf_sz);
+- obj_name = tmp_name;
+- }
+ path = obj_name;
+ pr_debug("loading object '%s' from buffer\n", obj_name);
++ } else {
++ pr_debug("loading object from %s\n", path);
+ }
+
+ log_buf = OPTS_GET(opts, kernel_log_buf, NULL);
+@@ -8017,9 +8016,7 @@ bpf_object__open_file(const char *path, const struct bpf_object_open_opts *opts)
+ if (!path)
+ return libbpf_err_ptr(-EINVAL);
+
+- pr_debug("loading %s\n", path);
+-
+- return libbpf_ptr(bpf_object_open(path, NULL, 0, opts));
++ return libbpf_ptr(bpf_object_open(path, NULL, 0, NULL, opts));
+ }
+
+ struct bpf_object *bpf_object__open(const char *path)
+@@ -8031,10 +8028,15 @@ struct bpf_object *
+ bpf_object__open_mem(const void *obj_buf, size_t obj_buf_sz,
+ const struct bpf_object_open_opts *opts)
+ {
++ char tmp_name[64];
++
+ if (!obj_buf || obj_buf_sz == 0)
+ return libbpf_err_ptr(-EINVAL);
+
+- return libbpf_ptr(bpf_object_open(NULL, obj_buf, obj_buf_sz, opts));
++ /* create a (quite useless) default "name" for this memory buffer object */
++ snprintf(tmp_name, sizeof(tmp_name), "%lx-%zx", (unsigned long)obj_buf, obj_buf_sz);
++
++ return libbpf_ptr(bpf_object_open(NULL, obj_buf, obj_buf_sz, tmp_name, opts));
+ }
+
+ static int bpf_object_unload(struct bpf_object *obj)
+@@ -13761,29 +13763,13 @@ static int populate_skeleton_progs(const struct bpf_object *obj,
+ int bpf_object__open_skeleton(struct bpf_object_skeleton *s,
+ const struct bpf_object_open_opts *opts)
+ {
+- DECLARE_LIBBPF_OPTS(bpf_object_open_opts, skel_opts,
+- .object_name = s->name,
+- );
+ struct bpf_object *obj;
+ int err;
+
+- /* Attempt to preserve opts->object_name, unless overriden by user
+- * explicitly. Overwriting object name for skeletons is discouraged,
+- * as it breaks global data maps, because they contain object name
+- * prefix as their own map name prefix. When skeleton is generated,
+- * bpftool is making an assumption that this name will stay the same.
+- */
+- if (opts) {
+- memcpy(&skel_opts, opts, sizeof(*opts));
+- if (!opts->object_name)
+- skel_opts.object_name = s->name;
+- }
+-
+- obj = bpf_object__open_mem(s->data, s->data_sz, &skel_opts);
+- err = libbpf_get_error(obj);
+- if (err) {
+- pr_warn("failed to initialize skeleton BPF object '%s': %d\n",
+- s->name, err);
++ obj = bpf_object_open(NULL, s->data, s->data_sz, s->name, opts);
++ if (IS_ERR(obj)) {
++ err = PTR_ERR(obj);
++ pr_warn("failed to initialize skeleton BPF object '%s': %d\n", s->name, err);
+ return libbpf_err(err);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 5907e53c77d93a67253db51c350fd3c92b5147b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Aug 2024 10:35:04 +0100
+Subject: libbpf: Fix license for btf_relocate.c
+
+From: Alan Maguire <alan.maguire@oracle.com>
+
+[ Upstream commit 4a4c013d3385b0db85dc361203dc42ff048b6fd6 ]
+
+License should be
+
+// SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
+
+...as with other libbpf files.
+
+Fixes: 19e00c897d50 ("libbpf: Split BTF relocation")
+Reported-by: Neill Kapron <nkapron@google.com>
+Signed-off-by: Alan Maguire <alan.maguire@oracle.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Yonghong Song <yonghong.song@linux.dev>
+Link: https://lore.kernel.org/bpf/20240810093504.2111134-1-alan.maguire@oracle.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/btf_relocate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/btf_relocate.c b/tools/lib/bpf/btf_relocate.c
+index 17f8b32f94a08..4f7399d85eab3 100644
+--- a/tools/lib/bpf/btf_relocate.c
++++ b/tools/lib/bpf/btf_relocate.c
+@@ -1,4 +1,4 @@
+-// SPDX-License-Identifier: GPL-2.0
++// SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
+ /* Copyright (c) 2024, Oracle and/or its affiliates. */
+
+ #ifndef _GNU_SOURCE
+--
+2.43.0
+
--- /dev/null
+From c08c65b4abeb272311fdf2dcd16cbcc912328a37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Aug 2024 10:12:29 +1000
+Subject: m68k: Fix kernel_clone_args.flags in m68k_clone()
+
+From: Finn Thain <fthain@linux-m68k.org>
+
+[ Upstream commit 09b3d870faa7bc3e96c0978ab3cf4e96e4b15571 ]
+
+Stan Johnson recently reported a failure from the 'dump' command:
+
+ DUMP: Date of this level 0 dump: Fri Aug 9 23:37:15 2024
+ DUMP: Dumping /dev/sda (an unlisted file system) to /dev/null
+ DUMP: Label: none
+ DUMP: Writing 10 Kilobyte records
+ DUMP: mapping (Pass I) [regular files]
+ DUMP: mapping (Pass II) [directories]
+ DUMP: estimated 3595695 blocks.
+ DUMP: Context save fork fails in parent 671
+
+The dump program uses the clone syscall with the CLONE_IO flag, that is,
+flags == 0x80000000. When that value is promoted from long int to u64 by
+m68k_clone(), it undergoes sign-extension. The new value includes
+CLONE_INTO_CGROUP so the validation in cgroup_css_set_fork() fails and
+the syscall returns -EBADF. Avoid sign-extension by casting to u32.
+
+Reported-by: Stan Johnson <userm57@yahoo.com>
+Closes: https://lists.debian.org/debian-68k/2024/08/msg00000.html
+Fixes: 6aabc1facdb2 ("m68k: Implement copy_thread_tls()")
+Signed-off-by: Finn Thain <fthain@linux-m68k.org>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/3463f1e5d4e95468dc9f3368f2b78ffa7b72199b.1723335149.git.fthain@linux-m68k.org
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/kernel/process.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/m68k/kernel/process.c b/arch/m68k/kernel/process.c
+index 2584e94e21346..fda7eac23f872 100644
+--- a/arch/m68k/kernel/process.c
++++ b/arch/m68k/kernel/process.c
+@@ -117,7 +117,7 @@ asmlinkage int m68k_clone(struct pt_regs *regs)
+ {
+ /* regs will be equal to current_pt_regs() */
+ struct kernel_clone_args args = {
+- .flags = regs->d1 & ~CSIGNAL,
++ .flags = (u32)(regs->d1) & ~CSIGNAL,
+ .pidfd = (int __user *)regs->d3,
+ .child_tid = (int __user *)regs->d4,
+ .parent_tid = (int __user *)regs->d3,
+--
+2.43.0
+
--- /dev/null
+From bbb89060a6c22015bdc7dd22785b7a0f05196329 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 17:25:53 +0200
+Subject: media: imagination: VIDEO_E5010_JPEG_ENC should depend on ARCH_K3
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit afe6ec667e8846c8470d32789cebbc435588972d ]
+
+Currently, the Imagination E5010 JPEG Encoder is only present on Texas
+Instruments K3 SoCs. Hence add a dependency on ARCH_K3, to prevent
+asking the user about this driver when configuring a kernel without TI
+K3 SoC support. The dependency can be relaxed if/when the encoder
+appears on other SoC families.
+
+Fixes: a1e294045885 ("media: imagination: Add E5010 JPEG Encoder driver")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/imagination/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/platform/imagination/Kconfig b/drivers/media/platform/imagination/Kconfig
+index 7139ae22219b4..a302c955483dc 100644
+--- a/drivers/media/platform/imagination/Kconfig
++++ b/drivers/media/platform/imagination/Kconfig
+@@ -2,6 +2,7 @@
+ config VIDEO_E5010_JPEG_ENC
+ tristate "Imagination E5010 JPEG Encoder Driver"
+ depends on VIDEO_DEV
++ depends on ARCH_K3 || COMPILE_TEST
+ select VIDEOBUF2_DMA_CONTIG
+ select VIDEOBUF2_VMALLOC
+ select V4L2_MEM2MEM_DEV
+--
+2.43.0
+
--- /dev/null
+From 3bc6d4903c9244c8953761995f2b76ad14b8c081 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Jun 2024 17:33:55 +0800
+Subject: media: mediatek: vcodec: Fix H264 multi stateless decoder smatch
+ warning
+
+From: Yunfei Dong <yunfei.dong@mediatek.com>
+
+[ Upstream commit 9be85491619f1953b8a29590ca630be571941ffa ]
+
+Fix a smatch static checker warning on vdec_h264_req_multi_if.c.
+Which leads to a kernel crash when fb is NULL.
+
+Fixes: 397edc703a10 ("media: mediatek: vcodec: add h264 decoder driver for mt8186")
+Signed-off-by: Yunfei Dong <yunfei.dong@mediatek.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../vcodec/decoder/vdec/vdec_h264_req_multi_if.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_multi_if.c b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_multi_if.c
+index 2d4611e7fa0b2..1ed0ccec56655 100644
+--- a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_multi_if.c
++++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_multi_if.c
+@@ -724,11 +724,16 @@ static int vdec_h264_slice_single_decode(void *h_vdec, struct mtk_vcodec_mem *bs
+ return vpu_dec_reset(vpu);
+
+ fb = inst->ctx->dev->vdec_pdata->get_cap_buffer(inst->ctx);
++ if (!fb) {
++ mtk_vdec_err(inst->ctx, "fb buffer is NULL");
++ return -ENOMEM;
++ }
++
+ src_buf_info = container_of(bs, struct mtk_video_dec_buf, bs_buffer);
+ dst_buf_info = container_of(fb, struct mtk_video_dec_buf, frame_buffer);
+
+- y_fb_dma = fb ? (u64)fb->base_y.dma_addr : 0;
+- c_fb_dma = fb ? (u64)fb->base_c.dma_addr : 0;
++ y_fb_dma = fb->base_y.dma_addr;
++ c_fb_dma = fb->base_c.dma_addr;
+ mtk_vdec_debug(inst->ctx, "[h264-dec] [%d] y_dma=%llx c_dma=%llx",
+ inst->ctx->decoded_frame_cnt, y_fb_dma, c_fb_dma);
+
+--
+2.43.0
+
--- /dev/null
+From 2c6b975af1976597a45561e3805b9525e414b485 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Jun 2024 17:33:57 +0800
+Subject: media: mediatek: vcodec: Fix H264 stateless decoder smatch warning
+
+From: Yunfei Dong <yunfei.dong@mediatek.com>
+
+[ Upstream commit 7878d3a385efab560dce793b595447867fb163f2 ]
+
+Fix a smatch static checker warning on vdec_h264_req_if.c.
+Which leads to a kernel crash when fb is NULL.
+
+Fixes: 06fa5f757dc5 ("media: mtk-vcodec: vdec: support stateless H.264 decoding")
+Signed-off-by: Yunfei Dong <yunfei.dong@mediatek.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mediatek/vcodec/decoder/vdec/vdec_h264_req_if.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_if.c b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_if.c
+index 73d5cef33b2ab..1e1b32faac77b 100644
+--- a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_if.c
++++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_if.c
+@@ -347,11 +347,16 @@ static int vdec_h264_slice_decode(void *h_vdec, struct mtk_vcodec_mem *bs,
+ return vpu_dec_reset(vpu);
+
+ fb = inst->ctx->dev->vdec_pdata->get_cap_buffer(inst->ctx);
++ if (!fb) {
++ mtk_vdec_err(inst->ctx, "fb buffer is NULL");
++ return -ENOMEM;
++ }
++
+ src_buf_info = container_of(bs, struct mtk_video_dec_buf, bs_buffer);
+ dst_buf_info = container_of(fb, struct mtk_video_dec_buf, frame_buffer);
+
+- y_fb_dma = fb ? (u64)fb->base_y.dma_addr : 0;
+- c_fb_dma = fb ? (u64)fb->base_c.dma_addr : 0;
++ y_fb_dma = fb->base_y.dma_addr;
++ c_fb_dma = fb->base_c.dma_addr;
+
+ mtk_vdec_debug(inst->ctx, "+ [%d] FB y_dma=%llx c_dma=%llx va=%p",
+ inst->num_nalu, y_fb_dma, c_fb_dma, fb);
+--
+2.43.0
+
--- /dev/null
+From efdddb1d174e639c989f5107eb2ada0dca4e165f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Jun 2024 17:33:56 +0800
+Subject: media: mediatek: vcodec: Fix VP8 stateless decoder smatch warning
+
+From: Yunfei Dong <yunfei.dong@mediatek.com>
+
+[ Upstream commit b113bc7c0e83b32f4dd2d291a2b6c4803e0a2c44 ]
+
+Fix a smatch static checker warning on vdec_vp8_req_if.c.
+Which leads to a kernel crash when fb is NULL.
+
+Fixes: 7a7ae26fd458 ("media: mediatek: vcodec: support stateless VP8 decoding")
+Signed-off-by: Yunfei Dong <yunfei.dong@mediatek.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mediatek/vcodec/decoder/vdec/vdec_vp8_req_if.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_vp8_req_if.c b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_vp8_req_if.c
+index e27e728f392e6..232ef3bd246a3 100644
+--- a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_vp8_req_if.c
++++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_vp8_req_if.c
+@@ -334,14 +334,18 @@ static int vdec_vp8_slice_decode(void *h_vdec, struct mtk_vcodec_mem *bs,
+ src_buf_info = container_of(bs, struct mtk_video_dec_buf, bs_buffer);
+
+ fb = inst->ctx->dev->vdec_pdata->get_cap_buffer(inst->ctx);
+- dst_buf_info = container_of(fb, struct mtk_video_dec_buf, frame_buffer);
++ if (!fb) {
++ mtk_vdec_err(inst->ctx, "fb buffer is NULL");
++ return -ENOMEM;
++ }
+
+- y_fb_dma = fb ? (u64)fb->base_y.dma_addr : 0;
++ dst_buf_info = container_of(fb, struct mtk_video_dec_buf, frame_buffer);
++ y_fb_dma = fb->base_y.dma_addr;
+ if (inst->ctx->q_data[MTK_Q_DATA_DST].fmt->num_planes == 1)
+ c_fb_dma = y_fb_dma +
+ inst->ctx->picinfo.buf_w * inst->ctx->picinfo.buf_h;
+ else
+- c_fb_dma = fb ? (u64)fb->base_c.dma_addr : 0;
++ c_fb_dma = fb->base_c.dma_addr;
+
+ inst->vsi->dec.bs_dma = (u64)bs->dma_addr;
+ inst->vsi->dec.bs_sz = bs->size;
+--
+2.43.0
+
--- /dev/null
+From 6b3ef56fcd67dfeab7296482efba490dcd4dabf1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jul 2024 17:49:32 +0100
+Subject: media: platform: rzg2l-cru: rzg2l-csi2: Add missing
+ MODULE_DEVICE_TABLE
+
+From: Biju Das <biju.das.jz@bp.renesas.com>
+
+[ Upstream commit 07668fb0f867388bfdac0b60dbf51a4ad789f8e7 ]
+
+The rzg2l-csi2 driver can be compiled as a module, but lacks
+MODULE_DEVICE_TABLE() and will therefore not be loaded automatically.
+Fix this.
+
+Fixes: 51e8415e39a9 ("media: platform: Add Renesas RZ/G2L MIPI CSI-2 receiver driver")
+Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Link: https://lore.kernel.org/r/20240731164935.308994-1-biju.das.jz@bp.renesas.com
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/renesas/rzg2l-cru/rzg2l-csi2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/platform/renesas/rzg2l-cru/rzg2l-csi2.c b/drivers/media/platform/renesas/rzg2l-cru/rzg2l-csi2.c
+index e68fcdaea207a..c7fdee347ac8a 100644
+--- a/drivers/media/platform/renesas/rzg2l-cru/rzg2l-csi2.c
++++ b/drivers/media/platform/renesas/rzg2l-cru/rzg2l-csi2.c
+@@ -865,6 +865,7 @@ static const struct of_device_id rzg2l_csi2_of_table[] = {
+ { .compatible = "renesas,rzg2l-csi2", },
+ { /* sentinel */ }
+ };
++MODULE_DEVICE_TABLE(of, rzg2l_csi2_of_table);
+
+ static struct platform_driver rzg2l_csi2_pdrv = {
+ .remove_new = rzg2l_csi2_remove,
+--
+2.43.0
+
--- /dev/null
+From b1a8b8a57a715fec54e9103f40601653e853f472 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 17:28:28 +0200
+Subject: media: raspberrypi: VIDEO_RASPBERRYPI_PISP_BE should depend on
+ ARCH_BCM2835
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit c8ad75010c5bafe014860f33fc73a887ab561209 ]
+
+Currently, the Raspberry Pi PiSP Backend (BE) ISP is only present on the
+Broadcom BCM2712-based Raspberry Pi 5. Hence add a dependency on
+ARCH_BCM2835, to prevent asking the user about this driver when
+configuring a kernel without Broadcom BCM2835 family support. The
+dependency can be relaxed if/when the encoder appears on other SoC
+families.
+
+Fixes: 12187bd5d4f8 ("media: raspberrypi: Add support for PiSP BE")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Acked-by: FLorian Fainelli <florian.fainelli@broadcom.com>
+Acked-by: Jacopo Mondi <jacopo.mondi@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/raspberrypi/pisp_be/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/platform/raspberrypi/pisp_be/Kconfig b/drivers/media/platform/raspberrypi/pisp_be/Kconfig
+index 38c0f8305d620..46765a2e4c4d1 100644
+--- a/drivers/media/platform/raspberrypi/pisp_be/Kconfig
++++ b/drivers/media/platform/raspberrypi/pisp_be/Kconfig
+@@ -2,6 +2,7 @@ config VIDEO_RASPBERRYPI_PISP_BE
+ tristate "Raspberry Pi PiSP Backend (BE) ISP driver"
+ depends on V4L_PLATFORM_DRIVERS
+ depends on VIDEO_DEV
++ depends on ARCH_BCM2835 || COMPILE_TEST
+ select VIDEO_V4L2_SUBDEV_API
+ select MEDIA_CONTROLLER
+ select VIDEOBUF2_DMA_CONTIG
+--
+2.43.0
+
--- /dev/null
+From d890c1e8583635c22f28238babd171ea966ce157 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Apr 2024 16:02:48 +0200
+Subject: media: staging: media: starfive: camss: Drop obsolete return value
+ documentation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 044fcf738a56d915514e2d651333395b3f8daa62 ]
+
+Recently the function stfcamss_remove() was changed to not return a
+value. Drop the documentation of the return value in the kernel doc.
+
+Fixes: b1f3677aebe5 ("media: staging: media: starfive: camss: Convert to platform remove callback returning void")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/starfive/camss/stf-camss.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/staging/media/starfive/camss/stf-camss.c b/drivers/staging/media/starfive/camss/stf-camss.c
+index fecd3e67c7a1d..b6d34145bc191 100644
+--- a/drivers/staging/media/starfive/camss/stf-camss.c
++++ b/drivers/staging/media/starfive/camss/stf-camss.c
+@@ -358,8 +358,6 @@ static int stfcamss_probe(struct platform_device *pdev)
+ /*
+ * stfcamss_remove - Remove STFCAMSS platform device
+ * @pdev: Pointer to STFCAMSS platform device
+- *
+- * Always returns 0.
+ */
+ static void stfcamss_remove(struct platform_device *pdev)
+ {
+--
+2.43.0
+
--- /dev/null
+From 1a113b689af48aaf9211fcc0bb85a1b5daf840c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jul 2024 10:58:13 +0200
+Subject: mount: handle OOM on mnt_warn_timestamp_expiry
+
+From: Olaf Hering <olaf@aepfle.de>
+
+[ Upstream commit 4bcda1eaf184e308f07f9c61d3a535f9ce477ce8 ]
+
+If no page could be allocated, an error pointer was used as format
+string in pr_warn.
+
+Rearrange the code to return early in case of OOM. Also add a check
+for the return value of d_path.
+
+Fixes: f8b92ba67c5d ("mount: Add mount warning for impending timestamp expiry")
+Signed-off-by: Olaf Hering <olaf@aepfle.de>
+Link: https://lore.kernel.org/r/20240730085856.32385-1-olaf@aepfle.de
+[brauner: rewrite commit and commit message]
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/namespace.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index 328087a4df8a6..155c6abda71da 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -2921,8 +2921,15 @@ static void mnt_warn_timestamp_expiry(struct path *mountpoint, struct vfsmount *
+ if (!__mnt_is_readonly(mnt) &&
+ (!(sb->s_iflags & SB_I_TS_EXPIRY_WARNED)) &&
+ (ktime_get_real_seconds() + TIME_UPTIME_SEC_MAX > sb->s_time_max)) {
+- char *buf = (char *)__get_free_page(GFP_KERNEL);
+- char *mntpath = buf ? d_path(mountpoint, buf, PAGE_SIZE) : ERR_PTR(-ENOMEM);
++ char *buf, *mntpath;
++
++ buf = (char *)__get_free_page(GFP_KERNEL);
++ if (buf)
++ mntpath = d_path(mountpoint, buf, PAGE_SIZE);
++ else
++ mntpath = ERR_PTR(-ENOMEM);
++ if (IS_ERR(mntpath))
++ mntpath = "(unknown)";
+
+ pr_warn("%s filesystem being %s at %s supports timestamps until %ptTd (0x%llx)\n",
+ sb->s_type->name,
+@@ -2930,8 +2937,9 @@ static void mnt_warn_timestamp_expiry(struct path *mountpoint, struct vfsmount *
+ mntpath, &sb->s_time_max,
+ (unsigned long long)sb->s_time_max);
+
+- free_page((unsigned long)buf);
+ sb->s_iflags |= SB_I_TS_EXPIRY_WARNED;
++ if (buf)
++ free_page((unsigned long)buf);
+ }
+ }
+
+--
+2.43.0
+
--- /dev/null
+From a9580c4cdf72d6dc884ebc3f57974fcdf600397c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Aug 2024 17:24:27 +0800
+Subject: mtd: powernv: Add check devm_kasprintf() returned value
+
+From: Charles Han <hanchunchao@inspur.com>
+
+[ Upstream commit 395999829880a106bb95f0ce34e6e4c2b43c6a5d ]
+
+devm_kasprintf() can return a NULL pointer on failure but this
+returned value is not checked.
+
+Fixes: acfe63ec1c59 ("mtd: Convert to using %pOFn instead of device_node.name")
+Signed-off-by: Charles Han <hanchunchao@inspur.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20240828092427.128177-1-hanchunchao@inspur.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/devices/powernv_flash.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mtd/devices/powernv_flash.c b/drivers/mtd/devices/powernv_flash.c
+index 66044f4f5bade..10cd1d9b48859 100644
+--- a/drivers/mtd/devices/powernv_flash.c
++++ b/drivers/mtd/devices/powernv_flash.c
+@@ -207,6 +207,9 @@ static int powernv_flash_set_driver_info(struct device *dev,
+ * get them
+ */
+ mtd->name = devm_kasprintf(dev, GFP_KERNEL, "%pOFP", dev->of_node);
++ if (!mtd->name)
++ return -ENOMEM;
++
+ mtd->type = MTD_NORFLASH;
+ mtd->flags = MTD_WRITEABLE;
+ mtd->size = size;
+--
+2.43.0
+
--- /dev/null
+From 068a7eb5d85b00b710162d9a58eb323bcfbd98cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 17:30:18 +0200
+Subject: mtd: rawnand: mtk: Factorize out the logic cleaning mtk chips
+
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+
+[ Upstream commit 81cb3be3261e766a1f8efab9e3154a4f4fd9d03d ]
+
+There are some un-freed resources in one of the error path which would
+benefit from a helper going through all the registered mtk chips one by
+one and perform all the necessary cleanup. This is precisely what the
+remove path does, so let's extract the logic in a helper.
+
+There is no functional change.
+
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
+Reviewed-by: Matthias Brugger <matthias.bgg@kernel.org>
+Link: https://lore.kernel.org/linux-mtd/20240826153019.67106-1-miquel.raynal@bootlin.com
+Stable-dep-of: 2073ae37d550 ("mtd: rawnand: mtk: Fix init error path")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/mtk_nand.c | 31 ++++++++++++++++++-------------
+ 1 file changed, 18 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/mtk_nand.c b/drivers/mtd/nand/raw/mtk_nand.c
+index d65e6371675bb..bf845dd167374 100644
+--- a/drivers/mtd/nand/raw/mtk_nand.c
++++ b/drivers/mtd/nand/raw/mtk_nand.c
+@@ -1429,6 +1429,23 @@ static int mtk_nfc_nand_chip_init(struct device *dev, struct mtk_nfc *nfc,
+ return 0;
+ }
+
++static void mtk_nfc_nand_chips_cleanup(struct mtk_nfc *nfc)
++{
++ struct mtk_nfc_nand_chip *mtk_chip;
++ struct nand_chip *chip;
++ int ret;
++
++ while (!list_empty(&nfc->chips)) {
++ mtk_chip = list_first_entry(&nfc->chips,
++ struct mtk_nfc_nand_chip, node);
++ chip = &mtk_chip->nand;
++ ret = mtd_device_unregister(nand_to_mtd(chip));
++ WARN_ON(ret);
++ nand_cleanup(chip);
++ list_del(&mtk_chip->node);
++ }
++}
++
+ static int mtk_nfc_nand_chips_init(struct device *dev, struct mtk_nfc *nfc)
+ {
+ struct device_node *np = dev->of_node;
+@@ -1567,20 +1584,8 @@ static int mtk_nfc_probe(struct platform_device *pdev)
+ static void mtk_nfc_remove(struct platform_device *pdev)
+ {
+ struct mtk_nfc *nfc = platform_get_drvdata(pdev);
+- struct mtk_nfc_nand_chip *mtk_chip;
+- struct nand_chip *chip;
+- int ret;
+-
+- while (!list_empty(&nfc->chips)) {
+- mtk_chip = list_first_entry(&nfc->chips,
+- struct mtk_nfc_nand_chip, node);
+- chip = &mtk_chip->nand;
+- ret = mtd_device_unregister(nand_to_mtd(chip));
+- WARN_ON(ret);
+- nand_cleanup(chip);
+- list_del(&mtk_chip->node);
+- }
+
++ mtk_nfc_nand_chips_cleanup(nfc);
+ mtk_ecc_release(nfc->ecc);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 007ccd6e5e00453804a20fda55234973252bfb04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 17:30:19 +0200
+Subject: mtd: rawnand: mtk: Fix init error path
+
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+
+[ Upstream commit 2073ae37d550ea32e8545edaa94ef10b4fef7235 ]
+
+Reviewing a series converting the for_each_chil_of_node() loops into
+their _scoped variants made me realize there was no cleanup of the
+already registered NAND devices upon error which may leak memory on
+systems with more than a chip when this error occurs. We should call the
+_nand_chips_cleanup() function when this happens.
+
+Fixes: 1d6b1e464950 ("mtd: mediatek: driver for MTK Smart Device")
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
+Reviewed-by: Matthias Brugger <matthias.bgg@kernel.org>
+Link: https://lore.kernel.org/linux-mtd/20240826153019.67106-2-miquel.raynal@bootlin.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/mtk_nand.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/raw/mtk_nand.c b/drivers/mtd/nand/raw/mtk_nand.c
+index bf845dd167374..586868b4139f5 100644
+--- a/drivers/mtd/nand/raw/mtk_nand.c
++++ b/drivers/mtd/nand/raw/mtk_nand.c
+@@ -1453,8 +1453,10 @@ static int mtk_nfc_nand_chips_init(struct device *dev, struct mtk_nfc *nfc)
+
+ for_each_child_of_node_scoped(np, nand_np) {
+ ret = mtk_nfc_nand_chip_init(dev, nfc, nand_np);
+- if (ret)
++ if (ret) {
++ mtk_nfc_nand_chips_cleanup(nfc);
+ return ret;
++ }
+ }
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 2295e4a22963945794b214b6cefeb7cd94c961d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 17:43:25 +0800
+Subject: mtd: rawnand: mtk: Use for_each_child_of_node_scoped()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 8795952679494b111b7b2ba08bb54ac408daca3b ]
+
+Avoids the need for manual cleanup of_node_put() in early exits
+from the loop.
+
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20240826094328.2991664-8-ruanjinjie@huawei.com
+Stable-dep-of: 2073ae37d550 ("mtd: rawnand: mtk: Fix init error path")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/mtk_nand.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/mtk_nand.c b/drivers/mtd/nand/raw/mtk_nand.c
+index 17477bb2d48ff..d65e6371675bb 100644
+--- a/drivers/mtd/nand/raw/mtk_nand.c
++++ b/drivers/mtd/nand/raw/mtk_nand.c
+@@ -1432,15 +1432,12 @@ static int mtk_nfc_nand_chip_init(struct device *dev, struct mtk_nfc *nfc,
+ static int mtk_nfc_nand_chips_init(struct device *dev, struct mtk_nfc *nfc)
+ {
+ struct device_node *np = dev->of_node;
+- struct device_node *nand_np;
+ int ret;
+
+- for_each_child_of_node(np, nand_np) {
++ for_each_child_of_node_scoped(np, nand_np) {
+ ret = mtk_nfc_nand_chip_init(dev, nfc, nand_np);
+- if (ret) {
+- of_node_put(nand_np);
++ if (ret)
+ return ret;
+- }
+ }
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 76d3613c193772e06f1d8fa1d061976e4da2d259 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Jul 2024 01:43:20 +0200
+Subject: mtd: slram: insert break after errors in parsing the map
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mirsad Todorovac <mtodorovac69@gmail.com>
+
+[ Upstream commit 336c218dd7f0588ed8a7345f367975a00a4f003f ]
+
+GCC 12.3.0 compiler on linux-next next-20240709 tree found the execution
+path in which, due to lazy evaluation, devlength isn't initialised with the
+parsed string:
+
+ 289 while (map) {
+ 290 devname = devstart = devlength = NULL;
+ 291
+ 292 if (!(devname = strsep(&map, ","))) {
+ 293 E("slram: No devicename specified.\n");
+ 294 break;
+ 295 }
+ 296 T("slram: devname = %s\n", devname);
+ 297 if ((!map) || (!(devstart = strsep(&map, ",")))) {
+ 298 E("slram: No devicestart specified.\n");
+ 299 }
+ 300 T("slram: devstart = %s\n", devstart);
+ → 301 if ((!map) || (!(devlength = strsep(&map, ",")))) {
+ 302 E("slram: No devicelength / -end specified.\n");
+ 303 }
+ → 304 T("slram: devlength = %s\n", devlength);
+ 305 if (parse_cmdline(devname, devstart, devlength) != 0) {
+ 306 return(-EINVAL);
+ 307 }
+
+Parsing should be finished after map == NULL, so a break is best inserted after
+each E("slram: ... \n") error message.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: Miquel Raynal <miquel.raynal@bootlin.com>
+Cc: Richard Weinberger <richard@nod.at>
+Cc: Vignesh Raghavendra <vigneshr@ti.com>
+Cc: linux-mtd@lists.infradead.org
+Signed-off-by: Mirsad Todorovac <mtodorovac69@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20240711234319.637824-1-mtodorovac69@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/devices/slram.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/mtd/devices/slram.c b/drivers/mtd/devices/slram.c
+index 28131a127d065..8297b366a0669 100644
+--- a/drivers/mtd/devices/slram.c
++++ b/drivers/mtd/devices/slram.c
+@@ -296,10 +296,12 @@ static int __init init_slram(void)
+ T("slram: devname = %s\n", devname);
+ if ((!map) || (!(devstart = strsep(&map, ",")))) {
+ E("slram: No devicestart specified.\n");
++ break;
+ }
+ T("slram: devstart = %s\n", devstart);
+ if ((!map) || (!(devlength = strsep(&map, ",")))) {
+ E("slram: No devicelength / -end specified.\n");
++ break;
+ }
+ T("slram: devlength = %s\n", devlength);
+ if (parse_cmdline(devname, devstart, devlength) != 0) {
+--
+2.43.0
+
--- /dev/null
+From 5cb1099c9a85fdf0558d199524fe1d57e2f58924 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2024 15:20:42 +0200
+Subject: nbd: correct the maximum value for discard sectors
+
+From: Wouter Verhelst <w@uter.be>
+
+[ Upstream commit 296dbc72d29085d5fc34430d0760423071e9e81d ]
+
+The version of the NBD protocol implemented by the kernel driver
+currently has a 32 bit field for length values. As the NBD protocol uses
+bytes as a unit of length, length values larger than 2^32 bytes cannot
+be expressed.
+
+Update the max_hw_discard_sectors field to match that.
+
+Signed-off-by: Wouter Verhelst <w@uter.be>
+Fixes: 268283244c0f ("nbd: use the atomic queue limits API in nbd_set_size")
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Cc: Eric Blake <eblake@redhat.Com>
+Link: https://lore.kernel.org/r/20240812133032.115134-8-w@uter.be
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/nbd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 69b9851b67982..8b243144fd64f 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -350,7 +350,7 @@ static int __nbd_set_size(struct nbd_device *nbd, loff_t bytesize,
+
+ lim = queue_limits_start_update(nbd->disk->queue);
+ if (nbd->config->flags & NBD_FLAG_SEND_TRIM)
+- lim.max_hw_discard_sectors = UINT_MAX;
++ lim.max_hw_discard_sectors = UINT_MAX >> SECTOR_SHIFT;
+ else
+ lim.max_hw_discard_sectors = 0;
+ if (!(nbd->config->flags & NBD_FLAG_SEND_FLUSH)) {
+--
+2.43.0
+
--- /dev/null
+From 98d5bdf24edcd04860cb2faaa55cf8d500b19394 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Aug 2024 11:41:45 +0800
+Subject: nbd: fix race between timeout and normal completion
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit c9ea57c91f03bcad415e1a20113bdb2077bcf990 ]
+
+If request timetout is handled by nbd_requeue_cmd(), normal completion
+has to be stopped for avoiding to complete this requeued request, other
+use-after-free can be triggered.
+
+Fix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), meantime
+make sure that cmd->lock is grabbed for clearing the flag and the
+requeue.
+
+Cc: Josef Bacik <josef@toxicpanda.com>
+Cc: Yu Kuai <yukuai3@huawei.com>
+Fixes: 2895f1831e91 ("nbd: don't clear 'NBD_CMD_INFLIGHT' flag if request is not completed")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20240830034145.1827742-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/nbd.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 41a90150b501d..69b9851b67982 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -181,6 +181,17 @@ static void nbd_requeue_cmd(struct nbd_cmd *cmd)
+ {
+ struct request *req = blk_mq_rq_from_pdu(cmd);
+
++ lockdep_assert_held(&cmd->lock);
++
++ /*
++ * Clear INFLIGHT flag so that this cmd won't be completed in
++ * normal completion path
++ *
++ * INFLIGHT flag will be set when the cmd is queued to nbd next
++ * time.
++ */
++ __clear_bit(NBD_CMD_INFLIGHT, &cmd->flags);
++
+ if (!test_and_set_bit(NBD_CMD_REQUEUED, &cmd->flags))
+ blk_mq_requeue_request(req, true);
+ }
+@@ -488,8 +499,8 @@ static enum blk_eh_timer_return nbd_xmit_timeout(struct request *req)
+ nbd_mark_nsock_dead(nbd, nsock, 1);
+ mutex_unlock(&nsock->tx_lock);
+ }
+- mutex_unlock(&cmd->lock);
+ nbd_requeue_cmd(cmd);
++ mutex_unlock(&cmd->lock);
+ nbd_config_put(nbd);
+ return BLK_EH_DONE;
+ }
+--
+2.43.0
+
--- /dev/null
+From 682fff12895cf8db2db3616234bc2a54c55f4c00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2024 17:44:44 +0800
+Subject: net: enetc: Use IRQF_NO_AUTOEN flag in request_irq()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 799a9225997799f7b1b579bc50a93b78b4fb2a01 ]
+
+disable_irq() after request_irq() still has a time gap in which
+interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will
+disable IRQ auto-enable when request IRQ.
+
+Fixes: bbb96dc7fa1a ("enetc: Factor out the traffic start/stop procedures")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Link: https://patch.msgid.link/20240911094445.1922476-3-ruanjinjie@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/enetc/enetc.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/enetc/enetc.c b/drivers/net/ethernet/freescale/enetc/enetc.c
+index 5c45f42232d32..f04f42ea60c0f 100644
+--- a/drivers/net/ethernet/freescale/enetc/enetc.c
++++ b/drivers/net/ethernet/freescale/enetc/enetc.c
+@@ -2305,12 +2305,11 @@ static int enetc_setup_irqs(struct enetc_ndev_priv *priv)
+
+ snprintf(v->name, sizeof(v->name), "%s-rxtx%d",
+ priv->ndev->name, i);
+- err = request_irq(irq, enetc_msix, 0, v->name, v);
++ err = request_irq(irq, enetc_msix, IRQF_NO_AUTOEN, v->name, v);
+ if (err) {
+ dev_err(priv->dev, "request_irq() failed!\n");
+ goto irq_err;
+ }
+- disable_irq(irq);
+
+ v->tbier_base = hw->reg + ENETC_BDR(TX, 0, ENETC_TBIER);
+ v->rbier = hw->reg + ENETC_BDR(RX, i, ENETC_RBIER);
+--
+2.43.0
+
--- /dev/null
+From 6468008e7e0b8901bd0f69cad5070b77f1f96667 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2024 19:45:57 +0200
+Subject: net: ipv6: rpl_iptunnel: Fix memory leak in rpl_input
+
+From: Justin Iurman <justin.iurman@uliege.be>
+
+[ Upstream commit 2c84b0aa28b9e73e8c4b4ce038269469434ae372 ]
+
+Free the skb before returning from rpl_input when skb_cow_head() fails.
+Use a "drop" label and goto instructions.
+
+Fixes: a7a29f9c361f ("net: ipv6: add rpl sr tunnel")
+Signed-off-by: Justin Iurman <justin.iurman@uliege.be>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20240911174557.11536-1-justin.iurman@uliege.be
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/rpl_iptunnel.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv6/rpl_iptunnel.c b/net/ipv6/rpl_iptunnel.c
+index 2c83b7586422d..db3c19a42e1ca 100644
+--- a/net/ipv6/rpl_iptunnel.c
++++ b/net/ipv6/rpl_iptunnel.c
+@@ -263,10 +263,8 @@ static int rpl_input(struct sk_buff *skb)
+ rlwt = rpl_lwt_lwtunnel(orig_dst->lwtstate);
+
+ err = rpl_do_srh(skb, rlwt);
+- if (unlikely(err)) {
+- kfree_skb(skb);
+- return err;
+- }
++ if (unlikely(err))
++ goto drop;
+
+ local_bh_disable();
+ dst = dst_cache_get(&rlwt->cache);
+@@ -286,9 +284,13 @@ static int rpl_input(struct sk_buff *skb)
+
+ err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev));
+ if (unlikely(err))
+- return err;
++ goto drop;
+
+ return dst_input(skb);
++
++drop:
++ kfree_skb(skb);
++ return err;
+ }
+
+ static int nla_put_rpl_srh(struct sk_buff *skb, int attrtype,
+--
+2.43.0
+
--- /dev/null
+From c5eadb9c4b9787cdd56d4e8f71cb32c8cdbcdf9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Sep 2024 20:57:13 +0200
+Subject: net: ipv6: select DST_CACHE from IPV6_RPL_LWTUNNEL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+
+[ Upstream commit 93c21077bb9ba08807c459982d440dbbee4c7af3 ]
+
+The rpl sr tunnel code contains calls to dst_cache_*() which are
+only present when the dst cache is built.
+Select DST_CACHE to build the dst cache, similar to other kconfig
+options in the same file.
+Compiling the rpl sr tunnel without DST_CACHE will lead to linker
+errors.
+
+Fixes: a7a29f9c361f ("net: ipv6: add rpl sr tunnel")
+Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Simon Horman <horms@kernel.org> # build-tested
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv6/Kconfig b/net/ipv6/Kconfig
+index 08d4b7132d4c4..1c9c686d9522f 100644
+--- a/net/ipv6/Kconfig
++++ b/net/ipv6/Kconfig
+@@ -323,6 +323,7 @@ config IPV6_RPL_LWTUNNEL
+ bool "IPv6: RPL Source Routing Header support"
+ depends on IPV6
+ select LWTUNNEL
++ select DST_CACHE
+ help
+ Support for RFC6554 RPL Source Routing Header using the lightweight
+ tunnels mechanism.
+--
+2.43.0
+
--- /dev/null
+From 8eeb053c19cafd943f212b6eb58fc9f91db7ac5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Sep 2024 14:49:55 +0100
+Subject: net: phy: aquantia: fix applying active_low bit after reset
+
+From: Daniel Golle <daniel@makrotopia.org>
+
+[ Upstream commit 6f9defaf99122d1af9c2562181c77bc99be0672d ]
+
+for_each_set_bit was used wrongly in aqr107_config_init() when iterating
+over LEDs. Drop misleading 'index' variable and call
+aqr_phy_led_active_low_set() for each set bit representing an LED which
+is driven by VDD instead of GND pin.
+
+Fixes: 61578f679378 ("net: phy: aquantia: add support for PHY LEDs")
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Link: https://patch.msgid.link/9b1f0cd91f4cda54c8be56b4fe780480baf4aa0f.1726580902.git.daniel@makrotopia.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/aquantia/aquantia_main.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/phy/aquantia/aquantia_main.c b/drivers/net/phy/aquantia/aquantia_main.c
+index 57b8b8f400fd4..4d156d406bab9 100644
+--- a/drivers/net/phy/aquantia/aquantia_main.c
++++ b/drivers/net/phy/aquantia/aquantia_main.c
+@@ -489,7 +489,7 @@ static int aqr107_config_init(struct phy_device *phydev)
+ {
+ struct aqr107_priv *priv = phydev->priv;
+ u32 led_active_low;
+- int ret, index = 0;
++ int ret;
+
+ /* Check that the PHY interface type is compatible */
+ if (phydev->interface != PHY_INTERFACE_MODE_SGMII &&
+@@ -516,10 +516,9 @@ static int aqr107_config_init(struct phy_device *phydev)
+
+ /* Restore LED polarity state after reset */
+ for_each_set_bit(led_active_low, &priv->leds_active_low, AQR_MAX_LEDS) {
+- ret = aqr_phy_led_active_low_set(phydev, index, led_active_low);
++ ret = aqr_phy_led_active_low_set(phydev, led_active_low, true);
+ if (ret)
+ return ret;
+- index++;
+ }
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From be012476386f57829535259b267d908ad5c35354 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 15:12:30 +0300
+Subject: net: phy: aquantia: fix -ETIMEDOUT PHY probe failure when firmware
+ not present
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 194ef9d0de9021df4a0ba8b112f91e56adaddd22 ]
+
+The author of the blamed commit apparently did not notice something
+about aqr_wait_reset_complete(): it polls the exact same register -
+MDIO_MMD_VEND1:VEND1_GLOBAL_FW_ID - as aqr_firmware_load().
+
+Thus, the entire logic after the introduction of aqr_wait_reset_complete() is
+now completely side-stepped, because if aqr_wait_reset_complete()
+succeeds, MDIO_MMD_VEND1:VEND1_GLOBAL_FW_ID could have only been a
+non-zero value. The handling of the case where the register reads as 0
+is dead code, due to the previous -ETIMEDOUT having stopped execution
+and returning a fatal error to the caller. We never attempt to load
+new firmware if no firmware is present.
+
+Based on static code analysis, I guess we should simply introduce a
+switch/case statement based on the return code from aqr_wait_reset_complete(),
+to determine whether to load firmware or not. I am not intending to
+change the procedure through which the driver determines whether to load
+firmware or not, as I am unaware of alternative possibilities.
+
+At the same time, Russell King suggests that if aqr_wait_reset_complete()
+is expected to return -ETIMEDOUT as part of normal operation and not
+just catastrophic failure, the use of phy_read_mmd_poll_timeout() is
+improper, since that has an embedded print inside. Just open-code a
+call to read_poll_timeout() to avoid printing -ETIMEDOUT, but continue
+printing actual read errors from the MDIO bus.
+
+Fixes: ad649a1fac37 ("net: phy: aquantia: wait for FW reset before checking the vendor ID")
+Reported-by: Clark Wang <xiaoning.wang@nxp.com>
+Reported-by: Jon Hunter <jonathanh@nvidia.com>
+Closes: https://lore.kernel.org/netdev/8ac00a45-ac61-41b4-9f74-d18157b8b6bf@nvidia.com/
+Reported-by: Hans-Frieder Vogt <hfdevel@gmx.net>
+Closes: https://lore.kernel.org/netdev/c7c1a3ae-be97-4929-8d89-04c8aa870209@gmx.net/
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Tested-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Tested-by: Hans-Frieder Vogt <hfdevel@gmx.net>
+Link: https://patch.msgid.link/20240913121230.2620122-1-vladimir.oltean@nxp.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/aquantia/aquantia_firmware.c | 42 +++++++++++---------
+ drivers/net/phy/aquantia/aquantia_main.c | 19 +++++++--
+ 2 files changed, 39 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/net/phy/aquantia/aquantia_firmware.c b/drivers/net/phy/aquantia/aquantia_firmware.c
+index 524627a36c6fc..dac6464b5fe2e 100644
+--- a/drivers/net/phy/aquantia/aquantia_firmware.c
++++ b/drivers/net/phy/aquantia/aquantia_firmware.c
+@@ -353,26 +353,32 @@ int aqr_firmware_load(struct phy_device *phydev)
+ {
+ int ret;
+
+- ret = aqr_wait_reset_complete(phydev);
+- if (ret)
+- return ret;
+-
+- /* Check if the firmware is not already loaded by pooling
+- * the current version returned by the PHY. If 0 is returned,
+- * no firmware is loaded.
++ /* Check if the firmware is not already loaded by polling
++ * the current version returned by the PHY.
+ */
+- ret = phy_read_mmd(phydev, MDIO_MMD_VEND1, VEND1_GLOBAL_FW_ID);
+- if (ret > 0)
+- goto exit;
+-
+- ret = aqr_firmware_load_nvmem(phydev);
+- if (!ret)
+- goto exit;
+-
+- ret = aqr_firmware_load_fs(phydev);
+- if (ret)
++ ret = aqr_wait_reset_complete(phydev);
++ switch (ret) {
++ case 0:
++ /* Some firmware is loaded => do nothing */
++ return 0;
++ case -ETIMEDOUT:
++ /* VEND1_GLOBAL_FW_ID still reads 0 after 2 seconds of polling.
++ * We don't have full confidence that no firmware is loaded (in
++ * theory it might just not have loaded yet), but we will
++ * assume that, and load a new image.
++ */
++ ret = aqr_firmware_load_nvmem(phydev);
++ if (!ret)
++ return ret;
++
++ ret = aqr_firmware_load_fs(phydev);
++ if (ret)
++ return ret;
++ break;
++ default:
++ /* PHY read error, propagate it to the caller */
+ return ret;
++ }
+
+-exit:
+ return 0;
+ }
+diff --git a/drivers/net/phy/aquantia/aquantia_main.c b/drivers/net/phy/aquantia/aquantia_main.c
+index e982e9ce44a59..57b8b8f400fd4 100644
+--- a/drivers/net/phy/aquantia/aquantia_main.c
++++ b/drivers/net/phy/aquantia/aquantia_main.c
+@@ -435,6 +435,9 @@ static int aqr107_set_tunable(struct phy_device *phydev,
+ }
+ }
+
++#define AQR_FW_WAIT_SLEEP_US 20000
++#define AQR_FW_WAIT_TIMEOUT_US 2000000
++
+ /* If we configure settings whilst firmware is still initializing the chip,
+ * then these settings may be overwritten. Therefore make sure chip
+ * initialization has completed. Use presence of the firmware ID as
+@@ -444,11 +447,19 @@ static int aqr107_set_tunable(struct phy_device *phydev,
+ */
+ int aqr_wait_reset_complete(struct phy_device *phydev)
+ {
+- int val;
++ int ret, val;
++
++ ret = read_poll_timeout(phy_read_mmd, val, val != 0,
++ AQR_FW_WAIT_SLEEP_US, AQR_FW_WAIT_TIMEOUT_US,
++ false, phydev, MDIO_MMD_VEND1,
++ VEND1_GLOBAL_FW_ID);
++ if (val < 0) {
++ phydev_err(phydev, "Failed to read VEND1_GLOBAL_FW_ID: %pe\n",
++ ERR_PTR(val));
++ return val;
++ }
+
+- return phy_read_mmd_poll_timeout(phydev, MDIO_MMD_VEND1,
+- VEND1_GLOBAL_FW_ID, val, val != 0,
+- 20000, 2000000, false);
++ return ret;
+ }
+
+ static void aqr107_chip_info(struct phy_device *phydev)
+--
+2.43.0
+
--- /dev/null
+From 08e381b175ed0f41cafc2436b0f597f9b5720548 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Sep 2024 14:49:40 +0100
+Subject: net: phy: aquantia: fix setting active_low bit
+
+From: Daniel Golle <daniel@makrotopia.org>
+
+[ Upstream commit d2b366c43443a21d9bcf047f3ee1f09cf9792dc4 ]
+
+phy_modify_mmd was used wrongly in aqr_phy_led_active_low_set() resulting
+in a no-op instead of setting the VEND1_GLOBAL_LED_DRIVE_VDD bit.
+Correctly set VEND1_GLOBAL_LED_DRIVE_VDD bit.
+
+Fixes: 61578f679378 ("net: phy: aquantia: add support for PHY LEDs")
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Link: https://patch.msgid.link/ab963584b0a7e3b4dac39472a4b82ca264d79630.1726580902.git.daniel@makrotopia.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/aquantia/aquantia_leds.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/aquantia/aquantia_leds.c b/drivers/net/phy/aquantia/aquantia_leds.c
+index 0516ac02c3f81..201c8df93fad9 100644
+--- a/drivers/net/phy/aquantia/aquantia_leds.c
++++ b/drivers/net/phy/aquantia/aquantia_leds.c
+@@ -120,7 +120,8 @@ int aqr_phy_led_hw_control_set(struct phy_device *phydev, u8 index,
+ int aqr_phy_led_active_low_set(struct phy_device *phydev, int index, bool enable)
+ {
+ return phy_modify_mmd(phydev, MDIO_MMD_VEND1, AQR_LED_DRIVE(index),
+- VEND1_GLOBAL_LED_DRIVE_VDD, enable);
++ VEND1_GLOBAL_LED_DRIVE_VDD,
++ enable ? VEND1_GLOBAL_LED_DRIVE_VDD : 0);
+ }
+
+ int aqr_phy_led_polarity_set(struct phy_device *phydev, int index, unsigned long modes)
+--
+2.43.0
+
--- /dev/null
+From fe520cced3f1504ca08cbacf8dc798d6fff9caeb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Sep 2024 19:08:58 +0200
+Subject: net: qrtr: Update packets cloning when broadcasting
+
+From: Youssef Samir <quic_yabdulra@quicinc.com>
+
+[ Upstream commit f011b313e8ebd5b7abd8521b5119aecef403de45 ]
+
+When broadcasting data to multiple nodes via MHI, using skb_clone()
+causes all nodes to receive the same header data. This can result in
+packets being discarded by endpoints, leading to lost data.
+
+This issue occurs when a socket is closed, and a QRTR_TYPE_DEL_CLIENT
+packet is broadcasted. All nodes receive the same destination node ID,
+causing the node connected to the client to discard the packet and
+remain unaware of the client's deletion.
+
+Replace skb_clone() with pskb_copy(), to create a separate copy of
+the header for each sk_buff.
+
+Fixes: bdabad3e363d ("net: Add Qualcomm IPC router")
+Signed-off-by: Youssef Samir <quic_yabdulra@quicinc.com>
+Reviewed-by: Jeffery Hugo <quic_jhugo@quicinc.com>
+Reviewed-by: Carl Vanderlip <quic_carlv@quicinc.com>
+Reviewed-by: Chris Lew <quic_clew@quicinc.com>
+Link: https://patch.msgid.link/20240916170858.2382247-1-quic_yabdulra@quicinc.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/qrtr/af_qrtr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/qrtr/af_qrtr.c b/net/qrtr/af_qrtr.c
+index 41ece61eb57ab..00c51cf693f3d 100644
+--- a/net/qrtr/af_qrtr.c
++++ b/net/qrtr/af_qrtr.c
+@@ -884,7 +884,7 @@ static int qrtr_bcast_enqueue(struct qrtr_node *node, struct sk_buff *skb,
+
+ mutex_lock(&qrtr_node_lock);
+ list_for_each_entry(node, &qrtr_all_nodes, item) {
+- skbn = skb_clone(skb, GFP_KERNEL);
++ skbn = pskb_copy(skb, GFP_KERNEL);
+ if (!skbn)
+ break;
+ skb_set_owner_w(skbn, skb->sk);
+--
+2.43.0
+
--- /dev/null
+From 5ab5697be5c52994584f49eb153573c32867ffec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Sep 2024 09:18:38 +0100
+Subject: net: ravb: Fix maximum TX frame size for GbEth devices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paul Barker <paul.barker.ct@bp.renesas.com>
+
+[ Upstream commit 1d63864299cafa7c8cbde56491c9932afdbff7ea ]
+
+The datasheets for all SoCs using the GbEth IP specify a maximum
+transmission frame size of 1.5 kByte. I've confirmed through internal
+discussions that support for 1522 byte frames has been validated, which
+allows us to support the default MTU of 1500 bytes after reserving space
+for the Ethernet header, frame checksums and an optional VLAN tag.
+
+Fixes: 2e95e08ac009 ("ravb: Add rx_max_buf_size to struct ravb_hw_info")
+Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Signed-off-by: Paul Barker <paul.barker.ct@bp.renesas.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb.h | 1 +
+ drivers/net/ethernet/renesas/ravb_main.c | 6 +++++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb.h b/drivers/net/ethernet/renesas/ravb.h
+index 9893c91af1050..a7de5cf6b3174 100644
+--- a/drivers/net/ethernet/renesas/ravb.h
++++ b/drivers/net/ethernet/renesas/ravb.h
+@@ -1052,6 +1052,7 @@ struct ravb_hw_info {
+ netdev_features_t net_features;
+ int stats_len;
+ u32 tccr_mask;
++ u32 tx_max_frame_size;
+ u32 rx_max_frame_size;
+ u32 rx_buffer_size;
+ u32 rx_desc_size;
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index c02fb296bf7d7..471a68b0146ed 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -2674,6 +2674,7 @@ static const struct ravb_hw_info ravb_gen2_hw_info = {
+ .net_features = NETIF_F_RXCSUM,
+ .stats_len = ARRAY_SIZE(ravb_gstrings_stats),
+ .tccr_mask = TCCR_TSRQ0 | TCCR_TSRQ1 | TCCR_TSRQ2 | TCCR_TSRQ3,
++ .tx_max_frame_size = SZ_2K,
+ .rx_max_frame_size = SZ_2K,
+ .rx_buffer_size = SZ_2K +
+ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)),
+@@ -2696,6 +2697,7 @@ static const struct ravb_hw_info ravb_gen3_hw_info = {
+ .net_features = NETIF_F_RXCSUM,
+ .stats_len = ARRAY_SIZE(ravb_gstrings_stats),
+ .tccr_mask = TCCR_TSRQ0 | TCCR_TSRQ1 | TCCR_TSRQ2 | TCCR_TSRQ3,
++ .tx_max_frame_size = SZ_2K,
+ .rx_max_frame_size = SZ_2K,
+ .rx_buffer_size = SZ_2K +
+ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)),
+@@ -2721,6 +2723,7 @@ static const struct ravb_hw_info ravb_gen4_hw_info = {
+ .net_features = NETIF_F_RXCSUM,
+ .stats_len = ARRAY_SIZE(ravb_gstrings_stats),
+ .tccr_mask = TCCR_TSRQ0 | TCCR_TSRQ1 | TCCR_TSRQ2 | TCCR_TSRQ3,
++ .tx_max_frame_size = SZ_2K,
+ .rx_max_frame_size = SZ_2K,
+ .rx_buffer_size = SZ_2K +
+ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)),
+@@ -2770,6 +2773,7 @@ static const struct ravb_hw_info gbeth_hw_info = {
+ .net_features = NETIF_F_RXCSUM | NETIF_F_HW_CSUM,
+ .stats_len = ARRAY_SIZE(ravb_gstrings_stats_gbeth),
+ .tccr_mask = TCCR_TSRQ0,
++ .tx_max_frame_size = 1522,
+ .rx_max_frame_size = SZ_8K,
+ .rx_buffer_size = SZ_2K,
+ .rx_desc_size = sizeof(struct ravb_rx_desc),
+@@ -2981,7 +2985,7 @@ static int ravb_probe(struct platform_device *pdev)
+ priv->avb_link_active_low =
+ of_property_read_bool(np, "renesas,ether-link-active-low");
+
+- ndev->max_mtu = info->rx_max_frame_size -
++ ndev->max_mtu = info->tx_max_frame_size -
+ (ETH_HLEN + VLAN_HLEN + ETH_FCS_LEN);
+ ndev->min_mtu = ETH_MIN_MTU;
+
+--
+2.43.0
+
--- /dev/null
+From 02dc4787dbe5e80fc09b95923179d88db3ffd54a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Sep 2024 09:18:39 +0100
+Subject: net: ravb: Fix R-Car RX frame size limit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paul Barker <paul.barker.ct@bp.renesas.com>
+
+[ Upstream commit ec8234717db8589078d08b17efa528a235c61f4f ]
+
+The RX frame size limit should not be based on the current MTU setting.
+Instead it should be based on the hardware capabilities.
+
+While we're here, improve the description of the receive frame length
+setting as suggested by Niklas.
+
+Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Signed-off-by: Paul Barker <paul.barker.ct@bp.renesas.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index 471a68b0146ed..6b82df11fe8d0 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -555,8 +555,16 @@ static void ravb_emac_init_gbeth(struct net_device *ndev)
+
+ static void ravb_emac_init_rcar(struct net_device *ndev)
+ {
+- /* Receive frame limit set register */
+- ravb_write(ndev, ndev->mtu + ETH_HLEN + VLAN_HLEN + ETH_FCS_LEN, RFLR);
++ struct ravb_private *priv = netdev_priv(ndev);
++
++ /* Set receive frame length
++ *
++ * The length set here describes the frame from the destination address
++ * up to and including the CRC data. However only the frame data,
++ * excluding the CRC, are transferred to memory. To allow for the
++ * largest frames add the CRC length to the maximum Rx descriptor size.
++ */
++ ravb_write(ndev, priv->info->rx_max_frame_size + ETH_FCS_LEN, RFLR);
+
+ /* EMAC Mode: PAUSE prohibition; Duplex; RX Checksum; TX; RX */
+ ravb_write(ndev, ECMR_ZPF | ECMR_DM |
+--
+2.43.0
+
--- /dev/null
+From e993eab2396491195ed64492b5d81cf50dc15317 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Sep 2024 22:40:46 +0800
+Subject: net: seeq: Fix use after free vulnerability in ether3 Driver Due to
+ Race Condition
+
+From: Kaixin Wang <kxwang23@m.fudan.edu.cn>
+
+[ Upstream commit b5109b60ee4fcb2f2bb24f589575e10cc5283ad4 ]
+
+In the ether3_probe function, a timer is initialized with a callback
+function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is
+started, there is a risk of a race condition if the module or device
+is removed, triggering the ether3_remove function to perform cleanup.
+The sequence of operations that may lead to a UAF bug is as follows:
+
+CPU0 CPU1
+
+ | ether3_ledoff
+ether3_remove |
+ free_netdev(dev); |
+ put_devic |
+ kfree(dev); |
+ | ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);
+ | // use dev
+
+Fix it by ensuring that the timer is canceled before proceeding with
+the cleanup in ether3_remove.
+
+Fixes: 6fd9c53f7186 ("net: seeq: Convert timers to use timer_setup()")
+Signed-off-by: Kaixin Wang <kxwang23@m.fudan.edu.cn>
+Link: https://patch.msgid.link/20240915144045.451-1-kxwang23@m.fudan.edu.cn
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/seeq/ether3.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/seeq/ether3.c b/drivers/net/ethernet/seeq/ether3.c
+index c672f92d65e97..9319a2675e7b6 100644
+--- a/drivers/net/ethernet/seeq/ether3.c
++++ b/drivers/net/ethernet/seeq/ether3.c
+@@ -847,9 +847,11 @@ static void ether3_remove(struct expansion_card *ec)
+ {
+ struct net_device *dev = ecard_get_drvdata(ec);
+
++ ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);
+ ecard_set_drvdata(ec, NULL);
+
+ unregister_netdev(dev);
++ del_timer_sync(&priv(dev)->timer);
+ free_netdev(dev);
+ ecard_release_resources(ec);
+ }
+--
+2.43.0
+
--- /dev/null
+From 6d345ce705e2f542c72279ae4984af002b0ed82a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 21:48:02 +0800
+Subject: net: stmmac: dwmac-loongson: Init ref and PTP clocks rate
+
+From: Yanteng Si <siyanteng@loongson.cn>
+
+[ Upstream commit c70f3163681381c15686bdd2fe56bf4af9b8aaaa ]
+
+Reference and PTP clocks rate of the Loongson GMAC devices is 125MHz.
+(So is in the GNET devices which support is about to be added.) Set
+the respective plat_stmmacenet_data field up in accordance with that
+so to have the coalesce command and timestamping work correctly.
+
+Fixes: 30bba69d7db4 ("stmmac: pci: Add dwmac support for Loongson")
+Signed-off-by: Feiyang Chen <chenfeiyang@loongson.cn>
+Signed-off-by: Yinggang Gu <guyinggang@loongson.cn>
+Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
+Acked-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Yanteng Si <siyanteng@loongson.cn>
+Tested-by: Serge Semin <fancer.lancer@gmail.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c
+index 9e40c28d453ab..ee3604f58def5 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c
+@@ -35,6 +35,9 @@ static int loongson_default_data(struct plat_stmmacenet_data *plat)
+ /* Disable RX queues routing by default */
+ plat->rx_queues_cfg[0].pkt_route = 0x0;
+
++ plat->clk_ref_rate = 125000000;
++ plat->clk_ptp_rate = 125000000;
++
+ /* Default to phy auto-detection */
+ plat->phy_addr = -1;
+
+--
+2.43.0
+
--- /dev/null
+From 7e27191770250b15370b52f28e575ee22499d40e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Sep 2024 20:10:28 +0800
+Subject: net: stmmac: set PP_FLAG_DMA_SYNC_DEV only if XDP is enabled
+
+From: Furong Xu <0x1207@gmail.com>
+
+[ Upstream commit b514c47ebf41a6536551ed28a05758036e6eca7c ]
+
+Commit 5fabb01207a2 ("net: stmmac: Add initial XDP support") sets
+PP_FLAG_DMA_SYNC_DEV flag for page_pool unconditionally,
+page_pool_recycle_direct() will call page_pool_dma_sync_for_device()
+on every page even the page is not going to be reused by XDP program.
+
+When XDP is not enabled, the page which holds the received buffer
+will be recycled once the buffer is copied into new SKB by
+skb_copy_to_linear_data(), then the MAC core will never reuse this
+page any longer. Always setting PP_FLAG_DMA_SYNC_DEV wastes CPU cycles
+on unnecessary calling of page_pool_dma_sync_for_device().
+
+After this patch, up to 9% noticeable performance improvement was observed
+on certain platforms.
+
+Fixes: 5fabb01207a2 ("net: stmmac: Add initial XDP support")
+Signed-off-by: Furong Xu <0x1207@gmail.com>
+Link: https://patch.msgid.link/20240919121028.1348023-1-0x1207@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index f3a1b179aaeac..95d3d1081727f 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -2022,7 +2022,7 @@ static int __alloc_dma_rx_desc_resources(struct stmmac_priv *priv,
+ rx_q->queue_index = queue;
+ rx_q->priv_data = priv;
+
+- pp_params.flags = PP_FLAG_DMA_MAP | PP_FLAG_DMA_SYNC_DEV;
++ pp_params.flags = PP_FLAG_DMA_MAP | (xdp_prog ? PP_FLAG_DMA_SYNC_DEV : 0);
+ pp_params.pool_size = dma_conf->dma_rx_size;
+ num_pages = DIV_ROUND_UP(dma_conf->dma_buf_sz, PAGE_SIZE);
+ pp_params.order = ilog2(num_pages);
+--
+2.43.0
+
--- /dev/null
+From 7c0edf55e8ddeb6ddff60a9efe8df8321293b3bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 19:01:20 +0800
+Subject: net: tipc: avoid possible garbage value
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit 99655a304e450baaae6b396cb942b9e47659d644 ]
+
+Clang static checker (scan-build) warning:
+net/tipc/bcast.c:305:4:
+The expression is an uninitialized value. The computed value will also
+be garbage [core.uninitialized.Assign]
+ 305 | (*cong_link_cnt)++;
+ | ^~~~~~~~~~~~~~~~~~
+
+tipc_rcast_xmit() will increase cong_link_cnt's value, but cong_link_cnt
+is uninitialized. Although it won't really cause a problem, it's better
+to fix it.
+
+Fixes: dca4a17d24ee ("tipc: fix potential hanging after b/rcast changing")
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Reviewed-by: Justin Stitt <justinstitt@google.com>
+Link: https://patch.msgid.link/20240912110119.2025503-1-suhui@nfschina.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/bcast.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tipc/bcast.c b/net/tipc/bcast.c
+index 593846d252143..114fef65f92ea 100644
+--- a/net/tipc/bcast.c
++++ b/net/tipc/bcast.c
+@@ -320,8 +320,8 @@ static int tipc_mcast_send_sync(struct net *net, struct sk_buff *skb,
+ {
+ struct tipc_msg *hdr, *_hdr;
+ struct sk_buff_head tmpq;
++ u16 cong_link_cnt = 0;
+ struct sk_buff *_skb;
+- u16 cong_link_cnt;
+ int rc = 0;
+
+ /* Is a cluster supporting with new capabilities ? */
+--
+2.43.0
+
--- /dev/null
+From af39f88181560e2e8a4a7b2c8ccf217430af05f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 10:51:56 -0400
+Subject: net: xilinx: axienet: Fix packet counting
+
+From: Sean Anderson <sean.anderson@linux.dev>
+
+[ Upstream commit 5a6caa2cfabb559309b5ce29ee7c8e9ce1a9a9df ]
+
+axienet_free_tx_chain returns the number of DMA descriptors it's
+handled. However, axienet_tx_poll treats the return as the number of
+packets. When scatter-gather SKBs are enabled, a single packet may use
+multiple DMA descriptors, which causes incorrect packet counts. Fix this
+by explicitly keepting track of the number of packets processed as
+separate from the DMA descriptors.
+
+Budget does not affect the number of Tx completions we can process for
+NAPI, so we use the ring size as the limit instead of budget. As we no
+longer return the number of descriptors processed to axienet_tx_poll, we
+now update tx_bd_ci in axienet_free_tx_chain.
+
+Fixes: 8a3b7a252dca ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver")
+Signed-off-by: Sean Anderson <sean.anderson@linux.dev>
+Link: https://patch.msgid.link/20240913145156.2283067-1-sean.anderson@linux.dev
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/xilinx/xilinx_axienet_main.c | 23 +++++++++++--------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+index 3de6559ceea62..5dbfee4aee43c 100644
+--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+@@ -674,15 +674,15 @@ static int axienet_device_reset(struct net_device *ndev)
+ *
+ * Would either be called after a successful transmit operation, or after
+ * there was an error when setting up the chain.
+- * Returns the number of descriptors handled.
++ * Returns the number of packets handled.
+ */
+ static int axienet_free_tx_chain(struct axienet_local *lp, u32 first_bd,
+ int nr_bds, bool force, u32 *sizep, int budget)
+ {
+ struct axidma_bd *cur_p;
+ unsigned int status;
++ int i, packets = 0;
+ dma_addr_t phys;
+- int i;
+
+ for (i = 0; i < nr_bds; i++) {
+ cur_p = &lp->tx_bd_v[(first_bd + i) % lp->tx_bd_num];
+@@ -701,8 +701,10 @@ static int axienet_free_tx_chain(struct axienet_local *lp, u32 first_bd,
+ (cur_p->cntrl & XAXIDMA_BD_CTRL_LENGTH_MASK),
+ DMA_TO_DEVICE);
+
+- if (cur_p->skb && (status & XAXIDMA_BD_STS_COMPLETE_MASK))
++ if (cur_p->skb && (status & XAXIDMA_BD_STS_COMPLETE_MASK)) {
+ napi_consume_skb(cur_p->skb, budget);
++ packets++;
++ }
+
+ cur_p->app0 = 0;
+ cur_p->app1 = 0;
+@@ -718,7 +720,13 @@ static int axienet_free_tx_chain(struct axienet_local *lp, u32 first_bd,
+ *sizep += status & XAXIDMA_BD_STS_ACTUAL_LEN_MASK;
+ }
+
+- return i;
++ if (!force) {
++ lp->tx_bd_ci += i;
++ if (lp->tx_bd_ci >= lp->tx_bd_num)
++ lp->tx_bd_ci %= lp->tx_bd_num;
++ }
++
++ return packets;
+ }
+
+ /**
+@@ -891,13 +899,10 @@ static int axienet_tx_poll(struct napi_struct *napi, int budget)
+ u32 size = 0;
+ int packets;
+
+- packets = axienet_free_tx_chain(lp, lp->tx_bd_ci, budget, false, &size, budget);
++ packets = axienet_free_tx_chain(lp, lp->tx_bd_ci, lp->tx_bd_num, false,
++ &size, budget);
+
+ if (packets) {
+- lp->tx_bd_ci += packets;
+- if (lp->tx_bd_ci >= lp->tx_bd_num)
+- lp->tx_bd_ci %= lp->tx_bd_num;
+-
+ u64_stats_update_begin(&lp->tx_stat_sync);
+ u64_stats_add(&lp->tx_packets, packets);
+ u64_stats_add(&lp->tx_bytes, size);
+--
+2.43.0
+
--- /dev/null
+From 07552e85b6b1fee057bbb7db1b829e6f4a4f704f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 10:57:11 -0400
+Subject: net: xilinx: axienet: Schedule NAPI in two steps
+
+From: Sean Anderson <sean.anderson@linux.dev>
+
+[ Upstream commit ba0da2dc934ec5ac32bbeecbd0670da16ba03565 ]
+
+As advised by Documentation/networking/napi.rst, masking IRQs after
+calling napi_schedule can be racy. Avoid this by only masking/scheduling
+if napi_schedule_prep returns true.
+
+Fixes: 9e2bc267e780 ("net: axienet: Use NAPI for TX completion path")
+Fixes: cc37610caaf8 ("net: axienet: implement NAPI and GRO receive")
+Signed-off-by: Sean Anderson <sean.anderson@linux.dev>
+Reviewed-by: Shannon Nelson <shannon.nelson@amd.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20240913145711.2284295-1-sean.anderson@linux.dev
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+index 9eb300fc35909..3de6559ceea62 100644
+--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+@@ -1222,9 +1222,10 @@ static irqreturn_t axienet_tx_irq(int irq, void *_ndev)
+ u32 cr = lp->tx_dma_cr;
+
+ cr &= ~(XAXIDMA_IRQ_IOC_MASK | XAXIDMA_IRQ_DELAY_MASK);
+- axienet_dma_out32(lp, XAXIDMA_TX_CR_OFFSET, cr);
+-
+- napi_schedule(&lp->napi_tx);
++ if (napi_schedule_prep(&lp->napi_tx)) {
++ axienet_dma_out32(lp, XAXIDMA_TX_CR_OFFSET, cr);
++ __napi_schedule(&lp->napi_tx);
++ }
+ }
+
+ return IRQ_HANDLED;
+@@ -1266,9 +1267,10 @@ static irqreturn_t axienet_rx_irq(int irq, void *_ndev)
+ u32 cr = lp->rx_dma_cr;
+
+ cr &= ~(XAXIDMA_IRQ_IOC_MASK | XAXIDMA_IRQ_DELAY_MASK);
+- axienet_dma_out32(lp, XAXIDMA_RX_CR_OFFSET, cr);
+-
+- napi_schedule(&lp->napi_rx);
++ if (napi_schedule_prep(&lp->napi_rx)) {
++ axienet_dma_out32(lp, XAXIDMA_RX_CR_OFFSET, cr);
++ __napi_schedule(&lp->napi_rx);
++ }
+ }
+
+ return IRQ_HANDLED;
+--
+2.43.0
+
--- /dev/null
+From 0c6294cb63280f05857188684a28e62f23989b21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Sep 2024 16:14:41 +0100
+Subject: netfilter: ctnetlink: compile ctnetlink_label_size with
+ CONFIG_NF_CONNTRACK_EVENTS
+
+From: Simon Horman <horms@kernel.org>
+
+[ Upstream commit e1f1ee0e9ad8cbe660f5c104e791c5f1a7cf4c31 ]
+
+Only provide ctnetlink_label_size when it is used,
+which is when CONFIG_NF_CONNTRACK_EVENTS is configured.
+
+Flagged by clang-18 W=1 builds as:
+
+.../nf_conntrack_netlink.c:385:19: warning: unused function 'ctnetlink_label_size' [-Wunused-function]
+ 385 | static inline int ctnetlink_label_size(const struct nf_conn *ct)
+ | ^~~~~~~~~~~~~~~~~~~~
+
+The condition on CONFIG_NF_CONNTRACK_LABELS being removed by
+this patch guards compilation of non-trivial implementations
+of ctnetlink_dump_labels() and ctnetlink_label_size().
+
+However, this is not necessary as each of these functions
+will always return 0 if CONFIG_NF_CONNTRACK_LABELS is not defined
+as each function starts with the equivalent of:
+
+ struct nf_conn_labels *labels = nf_ct_labels_find(ct);
+
+ if (!labels)
+ return 0;
+
+And nf_ct_labels_find always returns NULL if CONFIG_NF_CONNTRACK_LABELS
+is not enabled. So I believe that the compiler optimises the code away
+in such cases anyway.
+
+Found by inspection.
+Compile tested only.
+
+Originally splitted in two patches, Pablo Neira Ayuso collapsed them and
+added Fixes: tag.
+
+Fixes: 0ceabd83875b ("netfilter: ctnetlink: deliver labels to userspace")
+Link: https://lore.kernel.org/netfilter-devel/20240909151712.GZ2097826@kernel.org/
+Signed-off-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 4cbf71d0786b0..c55cf5bc36b2f 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -382,7 +382,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
+ #define ctnetlink_dump_secctx(a, b) (0)
+ #endif
+
+-#ifdef CONFIG_NF_CONNTRACK_LABELS
++#ifdef CONFIG_NF_CONNTRACK_EVENTS
+ static inline int ctnetlink_label_size(const struct nf_conn *ct)
+ {
+ struct nf_conn_labels *labels = nf_ct_labels_find(ct);
+@@ -391,6 +391,7 @@ static inline int ctnetlink_label_size(const struct nf_conn *ct)
+ return 0;
+ return nla_total_size(sizeof(labels->bits));
+ }
++#endif
+
+ static int
+ ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct)
+@@ -411,10 +412,6 @@ ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct)
+
+ return 0;
+ }
+-#else
+-#define ctnetlink_dump_labels(a, b) (0)
+-#define ctnetlink_label_size(a) (0)
+-#endif
+
+ #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
+
+--
+2.43.0
+
--- /dev/null
+From 83874f811b23274633e640517b38c3f1b26249e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 17:06:15 +0000
+Subject: netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 9c778fe48d20ef362047e3376dee56d77f8500d4 ]
+
+syzbot reported that nf_reject_ip6_tcphdr_put() was possibly sending
+garbage on the four reserved tcp bits (th->res1)
+
+Use skb_put_zero() to clear the whole TCP header,
+as done in nf_reject_ip_tcphdr_put()
+
+BUG: KMSAN: uninit-value in nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255
+ nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255
+ nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
+ nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
+ expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
+ nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
+ nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
+ nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
+ nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
+ nf_hook include/linux/netfilter.h:269 [inline]
+ NF_HOOK include/linux/netfilter.h:312 [inline]
+ ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
+ __netif_receive_skb_one_core net/core/dev.c:5661 [inline]
+ __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775
+ process_backlog+0x4ad/0xa50 net/core/dev.c:6108
+ __napi_poll+0xe7/0x980 net/core/dev.c:6772
+ napi_poll net/core/dev.c:6841 [inline]
+ net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963
+ handle_softirqs+0x1ce/0x800 kernel/softirq.c:554
+ __do_softirq+0x14/0x1a kernel/softirq.c:588
+ do_softirq+0x9a/0x100 kernel/softirq.c:455
+ __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:382
+ local_bh_enable include/linux/bottom_half.h:33 [inline]
+ rcu_read_unlock_bh include/linux/rcupdate.h:908 [inline]
+ __dev_queue_xmit+0x2692/0x5610 net/core/dev.c:4450
+ dev_queue_xmit include/linux/netdevice.h:3105 [inline]
+ neigh_resolve_output+0x9ca/0xae0 net/core/neighbour.c:1565
+ neigh_output include/net/neighbour.h:542 [inline]
+ ip6_finish_output2+0x2347/0x2ba0 net/ipv6/ip6_output.c:141
+ __ip6_finish_output net/ipv6/ip6_output.c:215 [inline]
+ ip6_finish_output+0xbb8/0x14b0 net/ipv6/ip6_output.c:226
+ NF_HOOK_COND include/linux/netfilter.h:303 [inline]
+ ip6_output+0x356/0x620 net/ipv6/ip6_output.c:247
+ dst_output include/net/dst.h:450 [inline]
+ NF_HOOK include/linux/netfilter.h:314 [inline]
+ ip6_xmit+0x1ba6/0x25d0 net/ipv6/ip6_output.c:366
+ inet6_csk_xmit+0x442/0x530 net/ipv6/inet6_connection_sock.c:135
+ __tcp_transmit_skb+0x3b07/0x4880 net/ipv4/tcp_output.c:1466
+ tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]
+ tcp_connect+0x35b6/0x7130 net/ipv4/tcp_output.c:4143
+ tcp_v6_connect+0x1bcc/0x1e40 net/ipv6/tcp_ipv6.c:333
+ __inet_stream_connect+0x2ef/0x1730 net/ipv4/af_inet.c:679
+ inet_stream_connect+0x6a/0xd0 net/ipv4/af_inet.c:750
+ __sys_connect_file net/socket.c:2061 [inline]
+ __sys_connect+0x606/0x690 net/socket.c:2078
+ __do_sys_connect net/socket.c:2088 [inline]
+ __se_sys_connect net/socket.c:2085 [inline]
+ __x64_sys_connect+0x91/0xe0 net/socket.c:2085
+ x64_sys_call+0x27a5/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:43
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Uninit was stored to memory at:
+ nf_reject_ip6_tcphdr_put+0x60c/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:249
+ nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
+ nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
+ expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
+ nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
+ nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
+ nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
+ nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
+ nf_hook include/linux/netfilter.h:269 [inline]
+ NF_HOOK include/linux/netfilter.h:312 [inline]
+ ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
+ __netif_receive_skb_one_core net/core/dev.c:5661 [inline]
+ __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775
+ process_backlog+0x4ad/0xa50 net/core/dev.c:6108
+ __napi_poll+0xe7/0x980 net/core/dev.c:6772
+ napi_poll net/core/dev.c:6841 [inline]
+ net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963
+ handle_softirqs+0x1ce/0x800 kernel/softirq.c:554
+ __do_softirq+0x14/0x1a kernel/softirq.c:588
+
+Uninit was stored to memory at:
+ nf_reject_ip6_tcphdr_put+0x2ca/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:231
+ nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
+ nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
+ expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
+ nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
+ nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
+ nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
+ nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
+ nf_hook include/linux/netfilter.h:269 [inline]
+ NF_HOOK include/linux/netfilter.h:312 [inline]
+ ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
+ __netif_receive_skb_one_core net/core/dev.c:5661 [inline]
+ __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775
+ process_backlog+0x4ad/0xa50 net/core/dev.c:6108
+ __napi_poll+0xe7/0x980 net/core/dev.c:6772
+ napi_poll net/core/dev.c:6841 [inline]
+ net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963
+ handle_softirqs+0x1ce/0x800 kernel/softirq.c:554
+ __do_softirq+0x14/0x1a kernel/softirq.c:588
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:3998 [inline]
+ slab_alloc_node mm/slub.c:4041 [inline]
+ kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4084
+ kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:583
+ __alloc_skb+0x363/0x7b0 net/core/skbuff.c:674
+ alloc_skb include/linux/skbuff.h:1320 [inline]
+ nf_send_reset6+0x98d/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:327
+ nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
+ expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
+ nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
+ nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
+ nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
+ nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
+ nf_hook include/linux/netfilter.h:269 [inline]
+ NF_HOOK include/linux/netfilter.h:312 [inline]
+ ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
+ __netif_receive_skb_one_core net/core/dev.c:5661 [inline]
+ __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775
+ process_backlog+0x4ad/0xa50 net/core/dev.c:6108
+ __napi_poll+0xe7/0x980 net/core/dev.c:6772
+ napi_poll net/core/dev.c:6841 [inline]
+ net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963
+ handle_softirqs+0x1ce/0x800 kernel/softirq.c:554
+ __do_softirq+0x14/0x1a kernel/softirq.c:588
+
+Fixes: c8d7b98bec43 ("netfilter: move nf_send_resetX() code to nf_reject_ipvX modules")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Link: https://patch.msgid.link/20240913170615.3670897-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter/nf_reject_ipv6.c | 14 ++------------
+ 1 file changed, 2 insertions(+), 12 deletions(-)
+
+diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c
+index dedee264b8f6c..b9457473c176d 100644
+--- a/net/ipv6/netfilter/nf_reject_ipv6.c
++++ b/net/ipv6/netfilter/nf_reject_ipv6.c
+@@ -223,33 +223,23 @@ void nf_reject_ip6_tcphdr_put(struct sk_buff *nskb,
+ const struct tcphdr *oth, unsigned int otcplen)
+ {
+ struct tcphdr *tcph;
+- int needs_ack;
+
+ skb_reset_transport_header(nskb);
+- tcph = skb_put(nskb, sizeof(struct tcphdr));
++ tcph = skb_put_zero(nskb, sizeof(struct tcphdr));
+ /* Truncate to length (no data) */
+ tcph->doff = sizeof(struct tcphdr)/4;
+ tcph->source = oth->dest;
+ tcph->dest = oth->source;
+
+ if (oth->ack) {
+- needs_ack = 0;
+ tcph->seq = oth->ack_seq;
+- tcph->ack_seq = 0;
+ } else {
+- needs_ack = 1;
+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
+ otcplen - (oth->doff<<2));
+- tcph->seq = 0;
++ tcph->ack = 1;
+ }
+
+- /* Reset flags */
+- ((u_int8_t *)tcph)[13] = 0;
+ tcph->rst = 1;
+- tcph->ack = needs_ack;
+- tcph->window = 0;
+- tcph->urg_ptr = 0;
+- tcph->check = 0;
+
+ /* Adjust TCP checksum */
+ tcph->check = csum_ipv6_magic(&ipv6_hdr(nskb)->saddr,
+--
+2.43.0
+
--- /dev/null
+From 50514a210207cb1ecdc71032fad65b25e5458260 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 01:06:41 +0200
+Subject: netfilter: nf_tables: elements with timeout below CONFIG_HZ never
+ expire
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit e0c47281723f301894c14e6f5cd5884fdfb813f9 ]
+
+Element timeout that is below CONFIG_HZ never expires because the
+timeout extension is not allocated given that nf_msecs_to_jiffies64()
+returns 0. Set timeout to the minimum value to honor timeout.
+
+Fixes: 8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23 days")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 3ea5d01635107..95ef930d4fe9f 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -4592,7 +4592,7 @@ int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
+ return -ERANGE;
+
+ ms *= NSEC_PER_MSEC;
+- *result = nsecs_to_jiffies64(ms);
++ *result = nsecs_to_jiffies64(ms) ? : !!ms;
+ return 0;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From b39596294007a143ec50d7cc72a316a9dd2f861e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 14:21:33 +0200
+Subject: netfilter: nf_tables: Keep deleted flowtable hooks until after RCU
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 642c89c475419b4d0c0d90e29d9c1a0e4351f379 ]
+
+Documentation of list_del_rcu() warns callers to not immediately free
+the deleted list item. While it seems not necessary to use the
+RCU-variant of list_del() here in the first place, doing so seems to
+require calling kfree_rcu() on the deleted item as well.
+
+Fixes: 3f0465a9ef02 ("netfilter: nf_tables: dynamically allocate hooks per net_device in flowtables")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 9e57c68f0803f..4ceb3e0798dee 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -9185,7 +9185,7 @@ static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
+ flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
+ FLOW_BLOCK_UNBIND);
+ list_del_rcu(&hook->list);
+- kfree(hook);
++ kfree_rcu(hook, rcu);
+ }
+ kfree(flowtable->name);
+ module_put(flowtable->data.type->owner);
+--
+2.43.0
+
--- /dev/null
+From c3a20fbea2e08b66e03989f0f8bf334a1a27d35d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Sep 2024 14:19:45 +0200
+Subject: netfilter: nf_tables: missing objects with no memcg accounting
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 69e687cea79fc99a17dfb0116c8644b9391b915e ]
+
+Several ruleset objects are still not using GFP_KERNEL_ACCOUNT for
+memory accounting, update them. This includes:
+
+- catchall elements
+- compat match large info area
+- log prefix
+- meta secctx
+- numgen counters
+- pipapo set backend datastructure
+- tunnel private objects
+
+Fixes: 33758c891479 ("memcg: enable accounting for nft objects")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 2 +-
+ net/netfilter/nft_compat.c | 6 +++---
+ net/netfilter/nft_log.c | 2 +-
+ net/netfilter/nft_meta.c | 2 +-
+ net/netfilter/nft_numgen.c | 2 +-
+ net/netfilter/nft_set_pipapo.c | 13 +++++++------
+ net/netfilter/nft_tunnel.c | 5 +++--
+ 7 files changed, 17 insertions(+), 15 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 02a8b863a151b..472f211472db4 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -6679,7 +6679,7 @@ static int nft_setelem_catchall_insert(const struct net *net,
+ }
+ }
+
+- catchall = kmalloc(sizeof(*catchall), GFP_KERNEL);
++ catchall = kmalloc(sizeof(*catchall), GFP_KERNEL_ACCOUNT);
+ if (!catchall)
+ return -ENOMEM;
+
+diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
+index d3d11dede5450..85450f6011426 100644
+--- a/net/netfilter/nft_compat.c
++++ b/net/netfilter/nft_compat.c
+@@ -536,7 +536,7 @@ nft_match_large_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+ struct xt_match *m = expr->ops->data;
+ int ret;
+
+- priv->info = kmalloc(XT_ALIGN(m->matchsize), GFP_KERNEL);
++ priv->info = kmalloc(XT_ALIGN(m->matchsize), GFP_KERNEL_ACCOUNT);
+ if (!priv->info)
+ return -ENOMEM;
+
+@@ -810,7 +810,7 @@ nft_match_select_ops(const struct nft_ctx *ctx,
+ goto err;
+ }
+
+- ops = kzalloc(sizeof(struct nft_expr_ops), GFP_KERNEL);
++ ops = kzalloc(sizeof(struct nft_expr_ops), GFP_KERNEL_ACCOUNT);
+ if (!ops) {
+ err = -ENOMEM;
+ goto err;
+@@ -900,7 +900,7 @@ nft_target_select_ops(const struct nft_ctx *ctx,
+ goto err;
+ }
+
+- ops = kzalloc(sizeof(struct nft_expr_ops), GFP_KERNEL);
++ ops = kzalloc(sizeof(struct nft_expr_ops), GFP_KERNEL_ACCOUNT);
+ if (!ops) {
+ err = -ENOMEM;
+ goto err;
+diff --git a/net/netfilter/nft_log.c b/net/netfilter/nft_log.c
+index 5defe6e4fd982..e355881379957 100644
+--- a/net/netfilter/nft_log.c
++++ b/net/netfilter/nft_log.c
+@@ -163,7 +163,7 @@ static int nft_log_init(const struct nft_ctx *ctx,
+
+ nla = tb[NFTA_LOG_PREFIX];
+ if (nla != NULL) {
+- priv->prefix = kmalloc(nla_len(nla) + 1, GFP_KERNEL);
++ priv->prefix = kmalloc(nla_len(nla) + 1, GFP_KERNEL_ACCOUNT);
+ if (priv->prefix == NULL)
+ return -ENOMEM;
+ nla_strscpy(priv->prefix, nla, nla_len(nla) + 1);
+diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
+index 9139ce38ea7b9..f23faf565b687 100644
+--- a/net/netfilter/nft_meta.c
++++ b/net/netfilter/nft_meta.c
+@@ -954,7 +954,7 @@ static int nft_secmark_obj_init(const struct nft_ctx *ctx,
+ if (tb[NFTA_SECMARK_CTX] == NULL)
+ return -EINVAL;
+
+- priv->ctx = nla_strdup(tb[NFTA_SECMARK_CTX], GFP_KERNEL);
++ priv->ctx = nla_strdup(tb[NFTA_SECMARK_CTX], GFP_KERNEL_ACCOUNT);
+ if (!priv->ctx)
+ return -ENOMEM;
+
+diff --git a/net/netfilter/nft_numgen.c b/net/netfilter/nft_numgen.c
+index 7d29db7c2ac0f..bd058babfc820 100644
+--- a/net/netfilter/nft_numgen.c
++++ b/net/netfilter/nft_numgen.c
+@@ -66,7 +66,7 @@ static int nft_ng_inc_init(const struct nft_ctx *ctx,
+ if (priv->offset + priv->modulus - 1 < priv->offset)
+ return -EOVERFLOW;
+
+- priv->counter = kmalloc(sizeof(*priv->counter), GFP_KERNEL);
++ priv->counter = kmalloc(sizeof(*priv->counter), GFP_KERNEL_ACCOUNT);
+ if (!priv->counter)
+ return -ENOMEM;
+
+diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
+index eb4c4a4ac7ace..7be342b495f5f 100644
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -663,7 +663,7 @@ static int pipapo_realloc_mt(struct nft_pipapo_field *f,
+ check_add_overflow(rules, extra, &rules_alloc))
+ return -EOVERFLOW;
+
+- new_mt = kvmalloc_array(rules_alloc, sizeof(*new_mt), GFP_KERNEL);
++ new_mt = kvmalloc_array(rules_alloc, sizeof(*new_mt), GFP_KERNEL_ACCOUNT);
+ if (!new_mt)
+ return -ENOMEM;
+
+@@ -936,7 +936,7 @@ static void pipapo_lt_bits_adjust(struct nft_pipapo_field *f)
+ return;
+ }
+
+- new_lt = kvzalloc(lt_size + NFT_PIPAPO_ALIGN_HEADROOM, GFP_KERNEL);
++ new_lt = kvzalloc(lt_size + NFT_PIPAPO_ALIGN_HEADROOM, GFP_KERNEL_ACCOUNT);
+ if (!new_lt)
+ return;
+
+@@ -1212,7 +1212,7 @@ static int pipapo_realloc_scratch(struct nft_pipapo_match *clone,
+ scratch = kzalloc_node(struct_size(scratch, map,
+ bsize_max * 2) +
+ NFT_PIPAPO_ALIGN_HEADROOM,
+- GFP_KERNEL, cpu_to_node(i));
++ GFP_KERNEL_ACCOUNT, cpu_to_node(i));
+ if (!scratch) {
+ /* On failure, there's no need to undo previous
+ * allocations: this means that some scratch maps have
+@@ -1427,7 +1427,7 @@ static struct nft_pipapo_match *pipapo_clone(struct nft_pipapo_match *old)
+ struct nft_pipapo_match *new;
+ int i;
+
+- new = kmalloc(struct_size(new, f, old->field_count), GFP_KERNEL);
++ new = kmalloc(struct_size(new, f, old->field_count), GFP_KERNEL_ACCOUNT);
+ if (!new)
+ return NULL;
+
+@@ -1457,7 +1457,7 @@ static struct nft_pipapo_match *pipapo_clone(struct nft_pipapo_match *old)
+ new_lt = kvzalloc(src->groups * NFT_PIPAPO_BUCKETS(src->bb) *
+ src->bsize * sizeof(*dst->lt) +
+ NFT_PIPAPO_ALIGN_HEADROOM,
+- GFP_KERNEL);
++ GFP_KERNEL_ACCOUNT);
+ if (!new_lt)
+ goto out_lt;
+
+@@ -1470,7 +1470,8 @@ static struct nft_pipapo_match *pipapo_clone(struct nft_pipapo_match *old)
+
+ if (src->rules > 0) {
+ dst->mt = kvmalloc_array(src->rules_alloc,
+- sizeof(*src->mt), GFP_KERNEL);
++ sizeof(*src->mt),
++ GFP_KERNEL_ACCOUNT);
+ if (!dst->mt)
+ goto out_mt;
+
+diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
+index 60a76e6e348e7..5c6ed68cc6e05 100644
+--- a/net/netfilter/nft_tunnel.c
++++ b/net/netfilter/nft_tunnel.c
+@@ -509,13 +509,14 @@ static int nft_tunnel_obj_init(const struct nft_ctx *ctx,
+ return err;
+ }
+
+- md = metadata_dst_alloc(priv->opts.len, METADATA_IP_TUNNEL, GFP_KERNEL);
++ md = metadata_dst_alloc(priv->opts.len, METADATA_IP_TUNNEL,
++ GFP_KERNEL_ACCOUNT);
+ if (!md)
+ return -ENOMEM;
+
+ memcpy(&md->u.tun_info, &info, sizeof(info));
+ #ifdef CONFIG_DST_CACHE
+- err = dst_cache_init(&md->u.tun_info.dst_cache, GFP_KERNEL);
++ err = dst_cache_init(&md->u.tun_info.dst_cache, GFP_KERNEL_ACCOUNT);
+ if (err < 0) {
+ metadata_dst_free(md);
+ return err;
+--
+2.43.0
+
--- /dev/null
+From d3af465afdce5262269cbec6bee3fde306fbd013 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 01:06:49 +0200
+Subject: netfilter: nf_tables: reject element expiration with no timeout
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit d2dc429ecb4e79ad164028d965c00f689e6f6d06 ]
+
+If element timeout is unset and set provides no default timeout, the
+element expiration is silently ignored, reject this instead to let user
+know this is unsupported.
+
+Also prepare for supporting timeout that never expire, where zero
+timeout and expiration must be also rejected.
+
+Fixes: 8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23 days")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 95ef930d4fe9f..70992c6baf52e 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -6922,6 +6922,9 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
+ if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
+ if (!(set->flags & NFT_SET_TIMEOUT))
+ return -EINVAL;
++ if (timeout == 0)
++ return -EOPNOTSUPP;
++
+ err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
+ &expiration);
+ if (err)
+--
+2.43.0
+
--- /dev/null
+From 9b14f7d64f120aa5e28a6adeec5d7300a3e08b47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 01:06:58 +0200
+Subject: netfilter: nf_tables: reject expiration higher than timeout
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit c0f38a8c60174368aed1d0f9965d733195f15033 ]
+
+Report ERANGE to userspace if user specifies an expiration larger than
+the timeout.
+
+Fixes: 8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23 days")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 70992c6baf52e..b13a899698a8a 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -6929,6 +6929,9 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
+ &expiration);
+ if (err)
+ return err;
++
++ if (expiration > timeout)
++ return -ERANGE;
+ }
+
+ if (nla[NFTA_SET_ELEM_EXPR]) {
+--
+2.43.0
+
--- /dev/null
+From 8dd88c4edab13efaeeedaeeebbfaa8d65abc022a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 01:07:06 +0200
+Subject: netfilter: nf_tables: remove annotation to access set timeout while
+ holding lock
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 15d8605c0cf4fc9cf4386cae658c68a0fd4bdb92 ]
+
+Mutex is held when adding an element, no need for READ_ONCE, remove it.
+
+Fixes: 123b99619cca ("netfilter: nf_tables: honor set timeout and garbage collection updates")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index b13a899698a8a..9e57c68f0803f 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -6915,7 +6915,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
+ return err;
+ } else if (set->flags & NFT_SET_TIMEOUT &&
+ !(flags & NFT_SET_ELEM_INTERVAL_END)) {
+- timeout = READ_ONCE(set->timeout);
++ timeout = set->timeout;
+ }
+
+ expiration = 0;
+@@ -7022,7 +7022,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
+ if (err < 0)
+ goto err_parse_key_end;
+
+- if (timeout != READ_ONCE(set->timeout)) {
++ if (timeout != set->timeout) {
+ err = nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
+ if (err < 0)
+ goto err_parse_key_end;
+--
+2.43.0
+
--- /dev/null
+From c8c1111813e43612d83f81c00fe3eb9c868b94fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Jul 2024 10:58:29 +0200
+Subject: netfilter: nf_tables: store new sets in dedicated list
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit c1aa38866b9c58dc6cf7a5fc6a3e1ca75565169e ]
+
+nft_set_lookup_byid() is very slow when transaction becomes large, due to
+walk of the transaction list.
+
+Add a dedicated list that contains only the new sets.
+
+Before: nft -f ruleset 0.07s user 0.00s system 0% cpu 1:04.84 total
+After: nft -f ruleset 0.07s user 0.00s system 0% cpu 30.115 total
+
+.. where ruleset contains ~10 sets with ~100k elements.
+The above number is for a combined flush+reload of the ruleset.
+
+With previous flush, even the first NEWELEM has to walk through a few
+hundred thousands of DELSET(ELEM) transactions before the first NEWSET
+object. To cope with random-order-newset-newsetelem we'd need to replace
+commit_set_list with a hashtable.
+
+Expectation is that a NEWELEM operation refers to the most recently added
+set, so last entry of the dedicated list should be the set we want.
+
+NB: This is not a bug fix per se (functionality is fine), but with
+larger transaction batches list search takes forever, so it would be
+nice to speed this up for -stable too, hence adding a "fixes" tag.
+
+Fixes: 958bee14d071 ("netfilter: nf_tables: use new transaction infrastructure to handle sets")
+Reported-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_tables.h | 2 ++
+ net/netfilter/nf_tables_api.c | 29 ++++++++++++++++++++---------
+ 2 files changed, 22 insertions(+), 9 deletions(-)
+
+diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
+index 1bfdd16890fac..2be4738eae1cc 100644
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -1674,6 +1674,7 @@ struct nft_trans_rule {
+
+ struct nft_trans_set {
+ struct nft_trans_binding nft_trans_binding;
++ struct list_head list_trans_newset;
+ struct nft_set *set;
+ u32 set_id;
+ u32 gc_int;
+@@ -1875,6 +1876,7 @@ static inline int nft_request_module(struct net *net, const char *fmt, ...) { re
+ struct nftables_pernet {
+ struct list_head tables;
+ struct list_head commit_list;
++ struct list_head commit_set_list;
+ struct list_head binding_list;
+ struct list_head module_list;
+ struct list_head notify_list;
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 0a2f793469589..3ea5d01635107 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -393,6 +393,7 @@ static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *tr
+ {
+ struct nftables_pernet *nft_net = nft_pernet(net);
+ struct nft_trans_binding *binding;
++ struct nft_trans_set *trans_set;
+
+ list_add_tail(&trans->list, &nft_net->commit_list);
+
+@@ -402,9 +403,13 @@ static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *tr
+
+ switch (trans->msg_type) {
+ case NFT_MSG_NEWSET:
++ trans_set = nft_trans_container_set(trans);
++
+ if (!nft_trans_set_update(trans) &&
+ nft_set_is_anonymous(nft_trans_set(trans)))
+ list_add_tail(&binding->binding_list, &nft_net->binding_list);
++
++ list_add_tail(&trans_set->list_trans_newset, &nft_net->commit_set_list);
+ break;
+ case NFT_MSG_NEWCHAIN:
+ if (!nft_trans_chain_update(trans) &&
+@@ -611,6 +616,7 @@ static int __nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
+
+ trans_set = nft_trans_container_set(trans);
+ INIT_LIST_HEAD(&trans_set->nft_trans_binding.binding_list);
++ INIT_LIST_HEAD(&trans_set->list_trans_newset);
+
+ if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] && !desc) {
+ nft_trans_set_id(trans) =
+@@ -4485,17 +4491,16 @@ static struct nft_set *nft_set_lookup_byid(const struct net *net,
+ {
+ struct nftables_pernet *nft_net = nft_pernet(net);
+ u32 id = ntohl(nla_get_be32(nla));
+- struct nft_trans *trans;
++ struct nft_trans_set *trans;
+
+- list_for_each_entry(trans, &nft_net->commit_list, list) {
+- if (trans->msg_type == NFT_MSG_NEWSET) {
+- struct nft_set *set = nft_trans_set(trans);
++ /* its likely the id we need is at the tail, not at start */
++ list_for_each_entry_reverse(trans, &nft_net->commit_set_list, list_trans_newset) {
++ struct nft_set *set = trans->set;
+
+- if (id == nft_trans_set_id(trans) &&
+- set->table == table &&
+- nft_active_genmask(set, genmask))
+- return set;
+- }
++ if (id == trans->set_id &&
++ set->table == table &&
++ nft_active_genmask(set, genmask))
++ return set;
+ }
+ return ERR_PTR(-ENOENT);
+ }
+@@ -10447,6 +10452,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
+ nft_flow_rule_destroy(nft_trans_flow_rule(trans));
+ break;
+ case NFT_MSG_NEWSET:
++ list_del(&nft_trans_container_set(trans)->list_trans_newset);
+ if (nft_trans_set_update(trans)) {
+ struct nft_set *set = nft_trans_set(trans);
+
+@@ -10755,6 +10761,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
+ nft_trans_destroy(trans);
+ break;
+ case NFT_MSG_NEWSET:
++ list_del(&nft_trans_container_set(trans)->list_trans_newset);
+ if (nft_trans_set_update(trans)) {
+ nft_trans_destroy(trans);
+ break;
+@@ -10850,6 +10857,8 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
+ }
+ }
+
++ WARN_ON_ONCE(!list_empty(&nft_net->commit_set_list));
++
+ nft_set_abort_update(&set_update_list);
+
+ synchronize_rcu();
+@@ -11519,6 +11528,7 @@ static int __net_init nf_tables_init_net(struct net *net)
+
+ INIT_LIST_HEAD(&nft_net->tables);
+ INIT_LIST_HEAD(&nft_net->commit_list);
++ INIT_LIST_HEAD(&nft_net->commit_set_list);
+ INIT_LIST_HEAD(&nft_net->binding_list);
+ INIT_LIST_HEAD(&nft_net->module_list);
+ INIT_LIST_HEAD(&nft_net->notify_list);
+@@ -11549,6 +11559,7 @@ static void __net_exit nf_tables_exit_net(struct net *net)
+ gc_seq = nft_gc_seq_begin(nft_net);
+
+ WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
++ WARN_ON_ONCE(!list_empty(&nft_net->commit_set_list));
+
+ if (!list_empty(&nft_net->module_list))
+ nf_tables_module_autoload_cleanup(net);
+--
+2.43.0
+
--- /dev/null
+From 8a0147cd332e9d20722067390970e22d4c03e28b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Sep 2024 23:07:46 +0200
+Subject: netfilter: nf_tables: use rcu chain hook list iterator from netlink
+ dump path
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 4ffcf5ca81c3b83180473eb0d3c010a1a7c6c4de ]
+
+Lockless iteration over hook list is possible from netlink dump path,
+use rcu variant to iterate over the hook list as is done with flowtable
+hooks.
+
+Fixes: b9703ed44ffb ("netfilter: nf_tables: support for adding new devices to an existing netdev chain")
+Reported-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 4ceb3e0798dee..02a8b863a151b 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1847,7 +1847,7 @@ static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
+ if (!hook_list)
+ hook_list = &basechain->hook_list;
+
+- list_for_each_entry(hook, hook_list, list) {
++ list_for_each_entry_rcu(hook, hook_list, list) {
+ if (!first)
+ first = hook;
+
+--
+2.43.0
+
--- /dev/null
+From 170c487506ad3d5f0ddf28ac1ff6062fbb5f316e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 01:08:49 +0200
+Subject: netfilter: nft_dynset: annotate data-races around set timeout
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit c5ad8ed61fa8410b272c077ec167c593602b4542 ]
+
+set timeout can be read locklessly while being updated from control
+plane, add annotation.
+
+Fixes: 123b99619cca ("netfilter: nf_tables: honor set timeout and garbage collection updates")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_dynset.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
+index b4ada3ab21679..489a9b34f1ecc 100644
+--- a/net/netfilter/nft_dynset.c
++++ b/net/netfilter/nft_dynset.c
+@@ -56,7 +56,7 @@ static struct nft_elem_priv *nft_dynset_new(struct nft_set *set,
+ if (!atomic_add_unless(&set->nelems, 1, set->size))
+ return NULL;
+
+- timeout = priv->timeout ? : set->timeout;
++ timeout = priv->timeout ? : READ_ONCE(set->timeout);
+ elem_priv = nft_set_elem_init(set, &priv->tmpl,
+ ®s->data[priv->sreg_key], NULL,
+ ®s->data[priv->sreg_data],
+@@ -95,7 +95,7 @@ void nft_dynset_eval(const struct nft_expr *expr,
+ expr, regs, &ext)) {
+ if (priv->op == NFT_DYNSET_OP_UPDATE &&
+ nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
+- timeout = priv->timeout ? : set->timeout;
++ timeout = priv->timeout ? : READ_ONCE(set->timeout);
+ *nft_set_ext_expiration(ext) = get_jiffies_64() + timeout;
+ }
+
+@@ -313,7 +313,7 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
+ nft_dynset_ext_add_expr(priv);
+
+ if (set->flags & NFT_SET_TIMEOUT) {
+- if (timeout || set->timeout) {
++ if (timeout || READ_ONCE(set->timeout)) {
+ nft_set_ext_add(&priv->tmpl, NFT_SET_EXT_TIMEOUT);
+ nft_set_ext_add(&priv->tmpl, NFT_SET_EXT_EXPIRATION);
+ }
+--
+2.43.0
+
--- /dev/null
+From fa92c76ea862fe9c09e9eeff9a5d24eac885f46d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 08:56:19 -0700
+Subject: netkit: Assign missing bpf_net_context
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit 157f29152b61ca41809dd7ead29f5733adeced19 ]
+
+During the introduction of struct bpf_net_context handling for
+XDP-redirect, the netkit driver has been missed, which also requires it
+because NETKIT_REDIRECT invokes skb_do_redirect() which is accessing the
+per-CPU variables. Otherwise we see the following crash:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000038
+ bpf_redirect()
+ netkit_xmit()
+ dev_hard_start_xmit()
+
+Set the bpf_net_context before invoking netkit_xmit() program within the
+netkit driver.
+
+Fixes: 401cb7dae813 ("net: Reference bpf_redirect_info via task_struct on PREEMPT_RT.")
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://patch.msgid.link/20240912155620.1334587-1-leitao@debian.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/netkit.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/netkit.c b/drivers/net/netkit.c
+index 16789cd446e9e..3f4187102e773 100644
+--- a/drivers/net/netkit.c
++++ b/drivers/net/netkit.c
+@@ -65,6 +65,7 @@ static struct netkit *netkit_priv(const struct net_device *dev)
+
+ static netdev_tx_t netkit_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
++ struct bpf_net_context __bpf_net_ctx, *bpf_net_ctx;
+ struct netkit *nk = netkit_priv(dev);
+ enum netkit_action ret = READ_ONCE(nk->policy);
+ netdev_tx_t ret_dev = NET_XMIT_SUCCESS;
+@@ -72,6 +73,7 @@ static netdev_tx_t netkit_xmit(struct sk_buff *skb, struct net_device *dev)
+ struct net_device *peer;
+ int len = skb->len;
+
++ bpf_net_ctx = bpf_net_ctx_set(&__bpf_net_ctx);
+ rcu_read_lock();
+ peer = rcu_dereference(nk->peer);
+ if (unlikely(!peer || !(peer->flags & IFF_UP) ||
+@@ -110,6 +112,7 @@ static netdev_tx_t netkit_xmit(struct sk_buff *skb, struct net_device *dev)
+ break;
+ }
+ rcu_read_unlock();
++ bpf_net_ctx_clear(bpf_net_ctx);
+ return ret_dev;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From ccc30de1704b8143f663ae5171fc71b268015c76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 22:03:18 +0800
+Subject: nfsd: call cache_put if xdr_reserve_space returns NULL
+
+From: Guoqing Jiang <guoqing.jiang@linux.dev>
+
+[ Upstream commit d078cbf5c38de83bc31f83c47dcd2184c04a50c7 ]
+
+If not enough buffer space available, but idmap_lookup has triggered
+lookup_fn which calls cache_get and returns successfully. Then we
+missed to call cache_put here which pairs with cache_get.
+
+Fixes: ddd1ea563672 ("nfsd4: use xdr_reserve_space in attribute encoding")
+Signed-off-by: Guoqing Jiang <guoqing.jiang@linux.dev>
+Reviwed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4idmap.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nfsd/nfs4idmap.c b/fs/nfsd/nfs4idmap.c
+index 7a806ac13e317..8cca1329f3485 100644
+--- a/fs/nfsd/nfs4idmap.c
++++ b/fs/nfsd/nfs4idmap.c
+@@ -581,6 +581,7 @@ static __be32 idmap_id_to_name(struct xdr_stream *xdr,
+ .id = id,
+ .type = type,
+ };
++ __be32 status = nfs_ok;
+ __be32 *p;
+ int ret;
+ struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id);
+@@ -593,12 +594,16 @@ static __be32 idmap_id_to_name(struct xdr_stream *xdr,
+ return nfserrno(ret);
+ ret = strlen(item->name);
+ WARN_ON_ONCE(ret > IDMAP_NAMESZ);
++
+ p = xdr_reserve_space(xdr, ret + 4);
+- if (!p)
+- return nfserr_resource;
+- p = xdr_encode_opaque(p, item->name, ret);
++ if (unlikely(!p)) {
++ status = nfserr_resource;
++ goto out_put;
++ }
++ xdr_encode_opaque(p, item->name, ret);
++out_put:
+ cache_put(&item->h, nn->idtoname_cache);
+- return 0;
++ return status;
+ }
+
+ static bool
+--
+2.43.0
+
--- /dev/null
+From aca38c768e9cfd838fbd3a43a7d8c1e2082d6890 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 10:40:53 -0400
+Subject: nfsd: fix initial getattr on write delegation
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit bf92e5008b17f935a6de8b708551e02c2294121c ]
+
+At this point in compound processing, currentfh refers to the parent of
+the file, not the file itself. Get the correct dentry from the delegation
+stateid instead.
+
+Fixes: c5967721e106 ("NFSD: handle GETATTR conflict with write delegation")
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4state.c | 33 +++++++++++++++++++++++++--------
+ 1 file changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
+index 29c11714ac3db..fe06779ea527a 100644
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -5912,6 +5912,28 @@ static void nfsd4_open_deleg_none_ext(struct nfsd4_open *open, int status)
+ }
+ }
+
++static bool
++nfs4_delegation_stat(struct nfs4_delegation *dp, struct svc_fh *currentfh,
++ struct kstat *stat)
++{
++ struct nfsd_file *nf = find_rw_file(dp->dl_stid.sc_file);
++ struct path path;
++ int rc;
++
++ if (!nf)
++ return false;
++
++ path.mnt = currentfh->fh_export->ex_path.mnt;
++ path.dentry = file_dentry(nf->nf_file);
++
++ rc = vfs_getattr(&path, stat,
++ (STATX_SIZE | STATX_CTIME | STATX_CHANGE_COOKIE),
++ AT_STATX_SYNC_AS_STAT);
++
++ nfsd_file_put(nf);
++ return rc == 0;
++}
++
+ /*
+ * The Linux NFS server does not offer write delegations to NFSv4.0
+ * clients in order to avoid conflicts between write delegations and
+@@ -5947,7 +5969,6 @@ nfs4_open_delegation(struct nfsd4_open *open, struct nfs4_ol_stateid *stp,
+ int cb_up;
+ int status = 0;
+ struct kstat stat;
+- struct path path;
+
+ cb_up = nfsd4_cb_channel_good(oo->oo_owner.so_client);
+ open->op_recall = false;
+@@ -5983,20 +6004,16 @@ nfs4_open_delegation(struct nfsd4_open *open, struct nfs4_ol_stateid *stp,
+ memcpy(&open->op_delegate_stateid, &dp->dl_stid.sc_stateid, sizeof(dp->dl_stid.sc_stateid));
+
+ if (open->op_share_access & NFS4_SHARE_ACCESS_WRITE) {
+- open->op_delegate_type = NFS4_OPEN_DELEGATE_WRITE;
+- trace_nfsd_deleg_write(&dp->dl_stid.sc_stateid);
+- path.mnt = currentfh->fh_export->ex_path.mnt;
+- path.dentry = currentfh->fh_dentry;
+- if (vfs_getattr(&path, &stat,
+- (STATX_SIZE | STATX_CTIME | STATX_CHANGE_COOKIE),
+- AT_STATX_SYNC_AS_STAT)) {
++ if (!nfs4_delegation_stat(dp, currentfh, &stat)) {
+ nfs4_put_stid(&dp->dl_stid);
+ destroy_delegation(dp);
+ goto out_no_deleg;
+ }
++ open->op_delegate_type = NFS4_OPEN_DELEGATE_WRITE;
+ dp->dl_cb_fattr.ncf_cur_fsize = stat.size;
+ dp->dl_cb_fattr.ncf_initial_cinfo =
+ nfsd4_change_attribute(&stat, d_inode(currentfh->fh_dentry));
++ trace_nfsd_deleg_write(&dp->dl_stid.sc_stateid);
+ } else {
+ open->op_delegate_type = NFS4_OPEN_DELEGATE_READ;
+ trace_nfsd_deleg_read(&dp->dl_stid.sc_stateid);
+--
+2.43.0
+
--- /dev/null
+From b1f4cad3c78e65b2bac40d7f496dd8cc1e4b389d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Jul 2024 09:05:32 -0400
+Subject: nfsd: fix refcount leak when file is unhashed after being found
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit 8a7926176378460e0d91e02b03f0ff20a8709a60 ]
+
+If we wait_for_construction and find that the file is no longer hashed,
+and we're going to retry the open, the old nfsd_file reference is
+currently leaked. Put the reference before retrying.
+
+Fixes: c6593366c0bf ("nfsd: don't kill nfsd_files because of lease break error")
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Tested-by: Youzhong Yang <youzhong@gmail.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/filecache.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/nfsd/filecache.c b/fs/nfsd/filecache.c
+index f09d96ff20652..e2e248032bfd0 100644
+--- a/fs/nfsd/filecache.c
++++ b/fs/nfsd/filecache.c
+@@ -1049,6 +1049,7 @@ nfsd_file_do_acquire(struct svc_rqst *rqstp, struct svc_fh *fhp,
+ status = nfserr_jukebox;
+ goto construction_err;
+ }
++ nfsd_file_put(nf);
+ open_retry = false;
+ fh_put(fhp);
+ goto retry;
+--
+2.43.0
+
--- /dev/null
+From 26268df33256b506ff2dc956da149a94b949b04e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Jul 2024 15:11:13 -0400
+Subject: nfsd: remove unneeded EEXIST error check in nfsd_do_file_acquire
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit 81a95c2b1d605743220f28db04b8da13a65c4059 ]
+
+Given that we do the search and insertion while holding the i_lock, I
+don't think it's possible for us to get EEXIST here. Remove this case.
+
+Fixes: c6593366c0bf ("nfsd: don't kill nfsd_files because of lease break error")
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Tested-by: Youzhong Yang <youzhong@gmail.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/filecache.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/fs/nfsd/filecache.c b/fs/nfsd/filecache.c
+index f4704f5d40867..f09d96ff20652 100644
+--- a/fs/nfsd/filecache.c
++++ b/fs/nfsd/filecache.c
+@@ -1035,8 +1035,6 @@ nfsd_file_do_acquire(struct svc_rqst *rqstp, struct svc_fh *fhp,
+ if (likely(ret == 0))
+ goto open_file;
+
+- if (ret == -EEXIST)
+- goto retry;
+ trace_nfsd_file_insert_err(rqstp, inode, may_flags, ret);
+ status = nfserr_jukebox;
+ goto construction_err;
+--
+2.43.0
+
--- /dev/null
+From 7fcb68f934f0e3e2680752e1c93e2098c9f377e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 19:14:46 +0800
+Subject: nfsd: return -EINVAL when namelen is 0
+
+From: Li Lingfeng <lilingfeng3@huawei.com>
+
+[ Upstream commit 22451a16b7ab7debefce660672566be887db1637 ]
+
+When we have a corrupted main.sqlite in /var/lib/nfs/nfsdcld/, it may
+result in namelen being 0, which will cause memdup_user() to return
+ZERO_SIZE_PTR.
+When we access the name.data that has been assigned the value of
+ZERO_SIZE_PTR in nfs4_client_to_reclaim(), null pointer dereference is
+triggered.
+
+[ T1205] ==================================================================
+[ T1205] BUG: KASAN: null-ptr-deref in nfs4_client_to_reclaim+0xe9/0x260
+[ T1205] Read of size 1 at addr 0000000000000010 by task nfsdcld/1205
+[ T1205]
+[ T1205] CPU: 11 PID: 1205 Comm: nfsdcld Not tainted 5.10.0-00003-g2c1423731b8d #406
+[ T1205] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
+[ T1205] Call Trace:
+[ T1205] dump_stack+0x9a/0xd0
+[ T1205] ? nfs4_client_to_reclaim+0xe9/0x260
+[ T1205] __kasan_report.cold+0x34/0x84
+[ T1205] ? nfs4_client_to_reclaim+0xe9/0x260
+[ T1205] kasan_report+0x3a/0x50
+[ T1205] nfs4_client_to_reclaim+0xe9/0x260
+[ T1205] ? nfsd4_release_lockowner+0x410/0x410
+[ T1205] cld_pipe_downcall+0x5ca/0x760
+[ T1205] ? nfsd4_cld_tracking_exit+0x1d0/0x1d0
+[ T1205] ? down_write_killable_nested+0x170/0x170
+[ T1205] ? avc_policy_seqno+0x28/0x40
+[ T1205] ? selinux_file_permission+0x1b4/0x1e0
+[ T1205] rpc_pipe_write+0x84/0xb0
+[ T1205] vfs_write+0x143/0x520
+[ T1205] ksys_write+0xc9/0x170
+[ T1205] ? __ia32_sys_read+0x50/0x50
+[ T1205] ? ktime_get_coarse_real_ts64+0xfe/0x110
+[ T1205] ? ktime_get_coarse_real_ts64+0xa2/0x110
+[ T1205] do_syscall_64+0x33/0x40
+[ T1205] entry_SYSCALL_64_after_hwframe+0x67/0xd1
+[ T1205] RIP: 0033:0x7fdbdb761bc7
+[ T1205] Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 514
+[ T1205] RSP: 002b:00007fff8c4b7248 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+[ T1205] RAX: ffffffffffffffda RBX: 000000000000042b RCX: 00007fdbdb761bc7
+[ T1205] RDX: 000000000000042b RSI: 00007fff8c4b75f0 RDI: 0000000000000008
+[ T1205] RBP: 00007fdbdb761bb0 R08: 0000000000000000 R09: 0000000000000001
+[ T1205] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000042b
+[ T1205] R13: 0000000000000008 R14: 00007fff8c4b75f0 R15: 0000000000000000
+[ T1205] ==================================================================
+
+Fix it by checking namelen.
+
+Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
+Fixes: 74725959c33c ("nfsd: un-deprecate nfsdcld")
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: Scott Mayhew <smayhew@redhat.com>
+Tested-by: Scott Mayhew <smayhew@redhat.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4recover.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c
+index 67d8673a9391c..69a3a84e159e6 100644
+--- a/fs/nfsd/nfs4recover.c
++++ b/fs/nfsd/nfs4recover.c
+@@ -809,6 +809,10 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
+ ci = &cmsg->cm_u.cm_clntinfo;
+ if (get_user(namelen, &ci->cc_name.cn_len))
+ return -EFAULT;
++ if (!namelen) {
++ dprintk("%s: namelen should not be zero", __func__);
++ return -EINVAL;
++ }
+ name.data = memdup_user(&ci->cc_name.cn_id, namelen);
+ if (IS_ERR(name.data))
+ return PTR_ERR(name.data);
+@@ -831,6 +835,10 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
+ cnm = &cmsg->cm_u.cm_name;
+ if (get_user(namelen, &cnm->cn_len))
+ return -EFAULT;
++ if (!namelen) {
++ dprintk("%s: namelen should not be zero", __func__);
++ return -EINVAL;
++ }
+ name.data = memdup_user(&cnm->cn_id, namelen);
+ if (IS_ERR(name.data))
+ return PTR_ERR(name.data);
+--
+2.43.0
+
--- /dev/null
+From e460b2e7a56f199b4f2442d6a599d2abfe23b1e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 09:26:40 -0400
+Subject: nfsd: untangle code in nfsd4_deleg_getattr_conflict()
+
+From: NeilBrown <neilb@suse.de>
+
+[ Upstream commit a078a7dc0eaa9db288ae45319f7f7503968af546 ]
+
+The code in nfsd4_deleg_getattr_conflict() is convoluted and buggy.
+
+With this patch we:
+ - properly handle non-nfsd leases. We must not assume flc_owner is a
+ delegation unless fl_lmops == &nfsd_lease_mng_ops
+ - move the main code out of the for loop
+ - have a single exit which calls nfs4_put_stid()
+ (and other exits which don't need to call that)
+
+[ jlayton: refactored on top of Neil's other patch: nfsd: fix
+ nfsd4_deleg_getattr_conflict in presence of third party lease ]
+
+Fixes: c5967721e106 ("NFSD: handle GETATTR conflict with write delegation")
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4state.c | 131 +++++++++++++++++++++-----------------------
+ 1 file changed, 62 insertions(+), 69 deletions(-)
+
+diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
+index a366fb1c1b9b4..29c11714ac3db 100644
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -8836,6 +8836,7 @@ nfsd4_deleg_getattr_conflict(struct svc_rqst *rqstp, struct dentry *dentry,
+ __be32 status;
+ struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id);
+ struct file_lock_context *ctx;
++ struct nfs4_delegation *dp = NULL;
+ struct file_lease *fl;
+ struct iattr attrs;
+ struct nfs4_cb_fattr *ncf;
+@@ -8845,84 +8846,76 @@ nfsd4_deleg_getattr_conflict(struct svc_rqst *rqstp, struct dentry *dentry,
+ ctx = locks_inode_context(inode);
+ if (!ctx)
+ return 0;
++
++#define NON_NFSD_LEASE ((void *)1)
++
+ spin_lock(&ctx->flc_lock);
+ for_each_file_lock(fl, &ctx->flc_lease) {
+- unsigned char type = fl->c.flc_type;
+-
+ if (fl->c.flc_flags == FL_LAYOUT)
+ continue;
+- if (fl->fl_lmops != &nfsd_lease_mng_ops) {
+- /*
+- * non-nfs lease, if it's a lease with F_RDLCK then
+- * we are done; there isn't any write delegation
+- * on this inode
+- */
+- if (type == F_RDLCK)
+- break;
+-
+- nfsd_stats_wdeleg_getattr_inc(nn);
+- spin_unlock(&ctx->flc_lock);
+-
+- status = nfserrno(nfsd_open_break_lease(inode, NFSD_MAY_READ));
++ if (fl->c.flc_type == F_WRLCK) {
++ if (fl->fl_lmops == &nfsd_lease_mng_ops)
++ dp = fl->c.flc_owner;
++ else
++ dp = NON_NFSD_LEASE;
++ }
++ break;
++ }
++ if (dp == NULL || dp == NON_NFSD_LEASE ||
++ dp->dl_recall.cb_clp == *(rqstp->rq_lease_breaker)) {
++ spin_unlock(&ctx->flc_lock);
++ if (dp == NON_NFSD_LEASE) {
++ status = nfserrno(nfsd_open_break_lease(inode,
++ NFSD_MAY_READ));
+ if (status != nfserr_jukebox ||
+ !nfsd_wait_for_delegreturn(rqstp, inode))
+ return status;
+- return 0;
+ }
+- if (type == F_WRLCK) {
+- struct nfs4_delegation *dp = fl->c.flc_owner;
++ return 0;
++ }
+
+- if (dp->dl_recall.cb_clp == *(rqstp->rq_lease_breaker)) {
+- spin_unlock(&ctx->flc_lock);
+- return 0;
+- }
+- nfsd_stats_wdeleg_getattr_inc(nn);
+- dp = fl->c.flc_owner;
+- refcount_inc(&dp->dl_stid.sc_count);
+- ncf = &dp->dl_cb_fattr;
+- nfs4_cb_getattr(&dp->dl_cb_fattr);
+- spin_unlock(&ctx->flc_lock);
+- wait_on_bit_timeout(&ncf->ncf_cb_flags, CB_GETATTR_BUSY,
+- TASK_INTERRUPTIBLE, NFSD_CB_GETATTR_TIMEOUT);
+- if (ncf->ncf_cb_status) {
+- /* Recall delegation only if client didn't respond */
+- status = nfserrno(nfsd_open_break_lease(inode, NFSD_MAY_READ));
+- if (status != nfserr_jukebox ||
+- !nfsd_wait_for_delegreturn(rqstp, inode)) {
+- nfs4_put_stid(&dp->dl_stid);
+- return status;
+- }
+- }
+- if (!ncf->ncf_file_modified &&
+- (ncf->ncf_initial_cinfo != ncf->ncf_cb_change ||
+- ncf->ncf_cur_fsize != ncf->ncf_cb_fsize))
+- ncf->ncf_file_modified = true;
+- if (ncf->ncf_file_modified) {
+- int err;
+-
+- /*
+- * Per section 10.4.3 of RFC 8881, the server would
+- * not update the file's metadata with the client's
+- * modified size
+- */
+- attrs.ia_mtime = attrs.ia_ctime = current_time(inode);
+- attrs.ia_valid = ATTR_MTIME | ATTR_CTIME | ATTR_DELEG;
+- inode_lock(inode);
+- err = notify_change(&nop_mnt_idmap, dentry, &attrs, NULL);
+- inode_unlock(inode);
+- if (err) {
+- nfs4_put_stid(&dp->dl_stid);
+- return nfserrno(err);
+- }
+- ncf->ncf_cur_fsize = ncf->ncf_cb_fsize;
+- *size = ncf->ncf_cur_fsize;
+- *modified = true;
+- }
+- nfs4_put_stid(&dp->dl_stid);
+- return 0;
++ nfsd_stats_wdeleg_getattr_inc(nn);
++ refcount_inc(&dp->dl_stid.sc_count);
++ ncf = &dp->dl_cb_fattr;
++ nfs4_cb_getattr(&dp->dl_cb_fattr);
++ spin_unlock(&ctx->flc_lock);
++
++ wait_on_bit_timeout(&ncf->ncf_cb_flags, CB_GETATTR_BUSY,
++ TASK_INTERRUPTIBLE, NFSD_CB_GETATTR_TIMEOUT);
++ if (ncf->ncf_cb_status) {
++ /* Recall delegation only if client didn't respond */
++ status = nfserrno(nfsd_open_break_lease(inode, NFSD_MAY_READ));
++ if (status != nfserr_jukebox ||
++ !nfsd_wait_for_delegreturn(rqstp, inode))
++ goto out_status;
++ }
++ if (!ncf->ncf_file_modified &&
++ (ncf->ncf_initial_cinfo != ncf->ncf_cb_change ||
++ ncf->ncf_cur_fsize != ncf->ncf_cb_fsize))
++ ncf->ncf_file_modified = true;
++ if (ncf->ncf_file_modified) {
++ int err;
++
++ /*
++ * Per section 10.4.3 of RFC 8881, the server would
++ * not update the file's metadata with the client's
++ * modified size
++ */
++ attrs.ia_mtime = attrs.ia_ctime = current_time(inode);
++ attrs.ia_valid = ATTR_MTIME | ATTR_CTIME | ATTR_DELEG;
++ inode_lock(inode);
++ err = notify_change(&nop_mnt_idmap, dentry, &attrs, NULL);
++ inode_unlock(inode);
++ if (err) {
++ status = nfserrno(err);
++ goto out_status;
+ }
+- break;
++ ncf->ncf_cur_fsize = ncf->ncf_cb_fsize;
++ *size = ncf->ncf_cur_fsize;
++ *modified = true;
+ }
+- spin_unlock(&ctx->flc_lock);
+- return 0;
++ status = 0;
++out_status:
++ nfs4_put_stid(&dp->dl_stid);
++ return status;
+ }
+--
+2.43.0
+
--- /dev/null
+From 15c814bdc8bd70bc36a162c9d64e80af18689120 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Sep 2024 10:27:35 +0000
+Subject: NFSv4.2: Fix detection of "Proxying of Times" server support
+
+From: Roi Azarzar <roi.azarzar@vastdata.com>
+
+[ Upstream commit 615e693b14ba22e1332c3bd5a4e038284bbc3e07 ]
+
+According to draft-ietf-nfsv4-delstid-07:
+ If a server informs the client via the fattr4_open_arguments
+ attribute that it supports
+ OPEN_ARGS_SHARE_ACCESS_WANT_DELEG_TIMESTAMPS and it returns a valid
+ delegation stateid for an OPEN operation which sets the
+ OPEN4_SHARE_ACCESS_WANT_DELEG_TIMESTAMPS flag, then it MUST query the
+ client via a CB_GETATTR for the fattr4_time_deleg_access (see
+ Section 5.2) attribute and fattr4_time_deleg_modify attribute (see
+ Section 5.2).
+
+Thus, we should look that the server supports proxying of times via
+OPEN4_SHARE_ACCESS_WANT_DELEG_TIMESTAMPS.
+
+We want to be extra pedantic and continue to check that FATTR4_TIME_DELEG_ACCESS
+and FATTR4_TIME_DELEG_MODIFY are set. The server needs to expose both for the
+client to correctly detect "Proxying of Times" support.
+
+Signed-off-by: Roi Azarzar <roi.azarzar@vastdata.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Fixes: dcb3c20f7419 ("NFSv4: Add a capability for delegated attributes")
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4proc.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index b8ffbe52ba15a..cd2fbde2e6d72 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3904,6 +3904,18 @@ static void nfs4_close_context(struct nfs_open_context *ctx, int is_sync)
+ #define FATTR4_WORD2_NFS41_MASK (2*FATTR4_WORD2_SUPPATTR_EXCLCREAT - 1UL)
+ #define FATTR4_WORD2_NFS42_MASK (2*FATTR4_WORD2_OPEN_ARGUMENTS - 1UL)
+
++#define FATTR4_WORD2_NFS42_TIME_DELEG_MASK \
++ (FATTR4_WORD2_TIME_DELEG_MODIFY|FATTR4_WORD2_TIME_DELEG_ACCESS)
++static bool nfs4_server_delegtime_capable(struct nfs4_server_caps_res *res)
++{
++ u32 share_access_want = res->open_caps.oa_share_access_want[0];
++ u32 attr_bitmask = res->attr_bitmask[2];
++
++ return (share_access_want & NFS4_SHARE_WANT_DELEG_TIMESTAMPS) &&
++ ((attr_bitmask & FATTR4_WORD2_NFS42_TIME_DELEG_MASK) ==
++ FATTR4_WORD2_NFS42_TIME_DELEG_MASK);
++}
++
+ static int _nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
+ {
+ u32 minorversion = server->nfs_client->cl_minorversion;
+@@ -3982,8 +3994,6 @@ static int _nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *f
+ #endif
+ if (res.attr_bitmask[0] & FATTR4_WORD0_FS_LOCATIONS)
+ server->caps |= NFS_CAP_FS_LOCATIONS;
+- if (res.attr_bitmask[2] & FATTR4_WORD2_TIME_DELEG_MODIFY)
+- server->caps |= NFS_CAP_DELEGTIME;
+ if (!(res.attr_bitmask[0] & FATTR4_WORD0_FILEID))
+ server->fattr_valid &= ~NFS_ATTR_FATTR_FILEID;
+ if (!(res.attr_bitmask[1] & FATTR4_WORD1_MODE))
+@@ -4011,6 +4021,8 @@ static int _nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *f
+ if (res.open_caps.oa_share_access_want[0] &
+ NFS4_SHARE_WANT_OPEN_XOR_DELEGATION)
+ server->caps |= NFS_CAP_OPEN_XOR;
++ if (nfs4_server_delegtime_capable(&res))
++ server->caps |= NFS_CAP_DELEGTIME;
+
+ memcpy(server->cache_consistency_bitmask, res.attr_bitmask, sizeof(server->cache_consistency_bitmask));
+ server->cache_consistency_bitmask[0] &= FATTR4_WORD0_CHANGE|FATTR4_WORD0_SIZE;
+--
+2.43.0
+
--- /dev/null
+From 68b812e96f19c5191cbc2d5605f6bf66ce020af2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 17:13:08 +0900
+Subject: nilfs2: determine empty node blocks as corrupted
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+[ Upstream commit 111b812d3662f3a1b831d19208f83aa711583fe6 ]
+
+Due to the nature of b-trees, nilfs2 itself and admin tools such as
+mkfs.nilfs2 will never create an intermediate b-tree node block with 0
+child nodes, nor will they delete (key, pointer)-entries that would result
+in such a state. However, it is possible that a b-tree node block is
+corrupted on the backing device and is read with 0 child nodes.
+
+Because operation is not guaranteed if the number of child nodes is 0 for
+intermediate node blocks other than the root node, modify
+nilfs_btree_node_broken(), which performs sanity checks when reading a
+b-tree node block, so that such cases will be judged as metadata
+corruption.
+
+Link: https://lkml.kernel.org/r/20240904081401.16682-3-konishi.ryusuke@gmail.com
+Fixes: 17c76b0104e4 ("nilfs2: B-tree based block mapping")
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: Lizhi Xu <lizhi.xu@windriver.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nilfs2/btree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c
+index d390b8ba00d45..dedd3c4808423 100644
+--- a/fs/nilfs2/btree.c
++++ b/fs/nilfs2/btree.c
+@@ -350,7 +350,7 @@ static int nilfs_btree_node_broken(const struct nilfs_btree_node *node,
+ if (unlikely(level < NILFS_BTREE_LEVEL_NODE_MIN ||
+ level >= NILFS_BTREE_LEVEL_MAX ||
+ (flags & NILFS_BTREE_NODE_ROOT) ||
+- nchildren < 0 ||
++ nchildren <= 0 ||
+ nchildren > NILFS_BTREE_NODE_NCHILDREN_MAX(size))) {
+ nilfs_crit(inode->i_sb,
+ "bad btree node (ino=%lu, blocknr=%llu): level = %d, flags = 0x%x, nchildren = %d",
+--
+2.43.0
+
--- /dev/null
+From 538a4891d0391402f1060668d4571aeb8221c8f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 17:13:07 +0900
+Subject: nilfs2: fix potential null-ptr-deref in nilfs_btree_insert()
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+[ Upstream commit 9403001ad65ae4f4c5de368bdda3a0636b51d51a ]
+
+Patch series "nilfs2: fix potential issues with empty b-tree nodes".
+
+This series addresses three potential issues with empty b-tree nodes that
+can occur with corrupted filesystem images, including one recently
+discovered by syzbot.
+
+This patch (of 3):
+
+If a b-tree is broken on the device, and the b-tree height is greater than
+2 (the level of the root node is greater than 1) even if the number of
+child nodes of the b-tree root is 0, a NULL pointer dereference occurs in
+nilfs_btree_prepare_insert(), which is called from nilfs_btree_insert().
+
+This is because, when the number of child nodes of the b-tree root is 0,
+nilfs_btree_do_lookup() does not set the block buffer head in any of
+path[x].bp_bh, leaving it as the initial value of NULL, but if the level
+of the b-tree root node is greater than 1, nilfs_btree_get_nonroot_node(),
+which accesses the buffer memory of path[x].bp_bh, is called.
+
+Fix this issue by adding a check to nilfs_btree_root_broken(), which
+performs sanity checks when reading the root node from the device, to
+detect this inconsistency.
+
+Thanks to Lizhi Xu for trying to solve the bug and clarifying the cause
+early on.
+
+Link: https://lkml.kernel.org/r/20240904081401.16682-1-konishi.ryusuke@gmail.com
+Link: https://lkml.kernel.org/r/20240902084101.138971-1-lizhi.xu@windriver.com
+Link: https://lkml.kernel.org/r/20240904081401.16682-2-konishi.ryusuke@gmail.com
+Fixes: 17c76b0104e4 ("nilfs2: B-tree based block mapping")
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: syzbot+9bff4c7b992038a7409f@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=9bff4c7b992038a7409f
+Cc: Lizhi Xu <lizhi.xu@windriver.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nilfs2/btree.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c
+index 862bdf23120e8..d390b8ba00d45 100644
+--- a/fs/nilfs2/btree.c
++++ b/fs/nilfs2/btree.c
+@@ -381,7 +381,8 @@ static int nilfs_btree_root_broken(const struct nilfs_btree_node *node,
+ if (unlikely(level < NILFS_BTREE_LEVEL_NODE_MIN ||
+ level >= NILFS_BTREE_LEVEL_MAX ||
+ nchildren < 0 ||
+- nchildren > NILFS_BTREE_ROOT_NCHILDREN_MAX)) {
++ nchildren > NILFS_BTREE_ROOT_NCHILDREN_MAX ||
++ (nchildren == 0 && level > NILFS_BTREE_LEVEL_NODE_MIN))) {
+ nilfs_crit(inode->i_sb,
+ "bad btree root (ino=%lu): level = %d, flags = 0x%x, nchildren = %d",
+ inode->i_ino, level, flags, nchildren);
+--
+2.43.0
+
--- /dev/null
+From 82f48f20b1415c5b6b8f357884167b8a60c7a917 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 17:13:09 +0900
+Subject: nilfs2: fix potential oob read in nilfs_btree_check_delete()
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+[ Upstream commit f9c96351aa6718b42a9f42eaf7adce0356bdb5e8 ]
+
+The function nilfs_btree_check_delete(), which checks whether degeneration
+to direct mapping occurs before deleting a b-tree entry, causes memory
+access outside the block buffer when retrieving the maximum key if the
+root node has no entries.
+
+This does not usually happen because b-tree mappings with 0 child nodes
+are never created by mkfs.nilfs2 or nilfs2 itself. However, it can happen
+if the b-tree root node read from a device is configured that way, so fix
+this potential issue by adding a check for that case.
+
+Link: https://lkml.kernel.org/r/20240904081401.16682-4-konishi.ryusuke@gmail.com
+Fixes: 17c76b0104e4 ("nilfs2: B-tree based block mapping")
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: Lizhi Xu <lizhi.xu@windriver.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nilfs2/btree.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c
+index dedd3c4808423..ef5061bb56da1 100644
+--- a/fs/nilfs2/btree.c
++++ b/fs/nilfs2/btree.c
+@@ -1659,13 +1659,16 @@ static int nilfs_btree_check_delete(struct nilfs_bmap *btree, __u64 key)
+ int nchildren, ret;
+
+ root = nilfs_btree_get_root(btree);
++ nchildren = nilfs_btree_node_get_nchildren(root);
++ if (unlikely(nchildren == 0))
++ return 0;
++
+ switch (nilfs_btree_height(btree)) {
+ case 2:
+ bh = NULL;
+ node = root;
+ break;
+ case 3:
+- nchildren = nilfs_btree_node_get_nchildren(root);
+ if (nchildren > 1)
+ return 0;
+ ptr = nilfs_btree_node_get_ptr(root, nchildren - 1,
+@@ -1674,12 +1677,12 @@ static int nilfs_btree_check_delete(struct nilfs_bmap *btree, __u64 key)
+ if (ret < 0)
+ return ret;
+ node = (struct nilfs_btree_node *)bh->b_data;
++ nchildren = nilfs_btree_node_get_nchildren(node);
+ break;
+ default:
+ return 0;
+ }
+
+- nchildren = nilfs_btree_node_get_nchildren(node);
+ maxkey = nilfs_btree_node_get_key(node, nchildren - 1);
+ nextmaxkey = (nchildren > 1) ?
+ nilfs_btree_node_get_key(node, nchildren - 2) : 0;
+--
+2.43.0
+
--- /dev/null
+From 12204a60cf0d0a3794e1444275b882734adcab2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2024 14:22:07 -0700
+Subject: ntb: Force physically contiguous allocation of rx ring buffers
+
+From: Dave Jiang <dave.jiang@intel.com>
+
+[ Upstream commit 061a785a114f159e990ea8ed8d1b7dca4b41120f ]
+
+Physical addresses under IOVA on x86 platform are mapped contiguously
+as a side effect before the patch that removed CONFIG_DMA_REMAP. The
+NTB rx buffer ring is a single chunk DMA buffer that is allocated
+against the NTB PCI device. If the receive side is using a DMA device,
+then the buffers are remapped against the DMA device before being
+submitted via the dmaengine API. This scheme becomes a problem when
+the physical memory is discontiguous. When dma_map_page() is called
+on the kernel virtual address from the dma_alloc_coherent() call, the
+new IOVA mapping no longer points to all the physical memory allocated
+due to being discontiguous. Change dma_alloc_coherent() to dma_alloc_attrs()
+in order to force DMA_ATTR_FORCE_CONTIGUOUS attribute. This is the best
+fix for the circumstance. A potential future solution may be having the DMA
+mapping API providing a way to alias an existing IOVA mapping to a new
+device perhaps.
+
+This fix is not to fix the patch pointed to by the fixes tag, but to fix
+the issue arised in the ntb_transport driver on x86 platforms after the
+said patch is applied.
+
+Reported-by: Jerry Dai <jerry.dai@intel.com>
+Fixes: f5ff79fddf0e ("dma-mapping: remove CONFIG_DMA_REMAP")
+Tested-by: Jerry Dai <jerry.dai@intel.com>
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ntb/ntb_transport.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c
+index 77e55debeed61..ef2855946a992 100644
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -807,16 +807,29 @@ static void ntb_free_mw(struct ntb_transport_ctx *nt, int num_mw)
+ }
+
+ static int ntb_alloc_mw_buffer(struct ntb_transport_mw *mw,
+- struct device *dma_dev, size_t align)
++ struct device *ntb_dev, size_t align)
+ {
+ dma_addr_t dma_addr;
+ void *alloc_addr, *virt_addr;
+ int rc;
+
+- alloc_addr = dma_alloc_coherent(dma_dev, mw->alloc_size,
+- &dma_addr, GFP_KERNEL);
++ /*
++ * The buffer here is allocated against the NTB device. The reason to
++ * use dma_alloc_*() call is to allocate a large IOVA contiguous buffer
++ * backing the NTB BAR for the remote host to write to. During receive
++ * processing, the data is being copied out of the receive buffer to
++ * the kernel skbuff. When a DMA device is being used, dma_map_page()
++ * is called on the kvaddr of the receive buffer (from dma_alloc_*())
++ * and remapped against the DMA device. It appears to be a double
++ * DMA mapping of buffers, but first is mapped to the NTB device and
++ * second is to the DMA device. DMA_ATTR_FORCE_CONTIGUOUS is necessary
++ * in order for the later dma_map_page() to not fail.
++ */
++ alloc_addr = dma_alloc_attrs(ntb_dev, mw->alloc_size,
++ &dma_addr, GFP_KERNEL,
++ DMA_ATTR_FORCE_CONTIGUOUS);
+ if (!alloc_addr) {
+- dev_err(dma_dev, "Unable to alloc MW buff of size %zu\n",
++ dev_err(ntb_dev, "Unable to alloc MW buff of size %zu\n",
+ mw->alloc_size);
+ return -ENOMEM;
+ }
+@@ -845,7 +858,7 @@ static int ntb_alloc_mw_buffer(struct ntb_transport_mw *mw,
+ return 0;
+
+ err:
+- dma_free_coherent(dma_dev, mw->alloc_size, alloc_addr, dma_addr);
++ dma_free_coherent(ntb_dev, mw->alloc_size, alloc_addr, dma_addr);
+
+ return rc;
+ }
+--
+2.43.0
+
--- /dev/null
+From 304cf294dd9c764cff92a8bf79e3ea0534dd710b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Aug 2023 20:39:27 +0800
+Subject: ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit e229897d373a87ee09ec5cc4ecd4bb2f895fc16b ]
+
+The debugfs_create_dir() function returns error pointers.
+It never returns NULL. So use IS_ERR() to check it.
+
+Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ntb/hw/intel/ntb_hw_gen1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ntb/hw/intel/ntb_hw_gen1.c b/drivers/ntb/hw/intel/ntb_hw_gen1.c
+index 9ab836d0d4f12..079b8cd797857 100644
+--- a/drivers/ntb/hw/intel/ntb_hw_gen1.c
++++ b/drivers/ntb/hw/intel/ntb_hw_gen1.c
+@@ -778,7 +778,7 @@ static void ndev_init_debugfs(struct intel_ntb_dev *ndev)
+ ndev->debugfs_dir =
+ debugfs_create_dir(pci_name(ndev->ntb.pdev),
+ debugfs_dir);
+- if (!ndev->debugfs_dir)
++ if (IS_ERR(ndev->debugfs_dir))
+ ndev->debugfs_info = NULL;
+ else
+ ndev->debugfs_info =
+--
+2.43.0
+
--- /dev/null
+From 48db5a92cc599d93ab7d3afe65ac48f840c9cf24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Oct 2023 20:45:16 -0700
+Subject: ntb_perf: Fix printk format
+
+From: Max Hawking <maxahawking@sonnenkinder.org>
+
+[ Upstream commit 1501ae7479c8d0f66efdbfdc9ae8d6136cefbd37 ]
+
+The correct printk format is %pa or %pap, but not %pa[p].
+
+Fixes: 99a06056124d ("NTB: ntb_perf: Fix address err in perf_copy_chunk")
+Signed-off-by: Max Hawking <maxahawking@sonnenkinder.org>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ntb/test/ntb_perf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ntb/test/ntb_perf.c b/drivers/ntb/test/ntb_perf.c
+index 553f1f46bc664..72bc1d017a46e 100644
+--- a/drivers/ntb/test/ntb_perf.c
++++ b/drivers/ntb/test/ntb_perf.c
+@@ -1227,7 +1227,7 @@ static ssize_t perf_dbgfs_read_info(struct file *filep, char __user *ubuf,
+ "\tOut buffer addr 0x%pK\n", peer->outbuf);
+
+ pos += scnprintf(buf + pos, buf_size - pos,
+- "\tOut buff phys addr %pa[p]\n", &peer->out_phys_addr);
++ "\tOut buff phys addr %pap\n", &peer->out_phys_addr);
+
+ pos += scnprintf(buf + pos, buf_size - pos,
+ "\tOut buffer size %pa\n", &peer->outbuf_size);
+--
+2.43.0
+
--- /dev/null
+From 96e595b6725e056c903a71706f3248f053f4cb71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Aug 2024 14:20:44 +0800
+Subject: nvdimm: Fix devs leaks in scan_labels()
+
+From: Li Zhijian <lizhijian@fujitsu.com>
+
+[ Upstream commit 62c2aa6b1f565d2fc1ec11a6e9e8336ce37a6426 ]
+
+scan_labels() leaks memory when label scanning fails and it falls back
+to just creating a default "seed" namespace for userspace to configure.
+Root can force the kernel to leak memory.
+
+Allocate the minimum resources unconditionally and release them when
+unneeded to avoid the memory leak.
+
+A kmemleak reports:
+unreferenced object 0xffff88800dda1980 (size 16):
+ comm "kworker/u10:5", pid 69, jiffies 4294671781
+ hex dump (first 16 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace (crc 0):
+ [<00000000c5dea560>] __kmalloc+0x32c/0x470
+ [<000000009ed43c83>] nd_region_register_namespaces+0x6fb/0x1120 [libnvdimm]
+ [<000000000e07a65c>] nd_region_probe+0xfe/0x210 [libnvdimm]
+ [<000000007b79ce5f>] nvdimm_bus_probe+0x7a/0x1e0 [libnvdimm]
+ [<00000000a5f3da2e>] really_probe+0xc6/0x390
+ [<00000000129e2a69>] __driver_probe_device+0x78/0x150
+ [<000000002dfed28b>] driver_probe_device+0x1e/0x90
+ [<00000000e7048de2>] __device_attach_driver+0x85/0x110
+ [<0000000032dca295>] bus_for_each_drv+0x85/0xe0
+ [<00000000391c5a7d>] __device_attach+0xbe/0x1e0
+ [<0000000026dabec0>] bus_probe_device+0x94/0xb0
+ [<00000000c590d936>] device_add+0x656/0x870
+ [<000000003d69bfaa>] nd_async_device_register+0xe/0x50 [libnvdimm]
+ [<000000003f4c52a4>] async_run_entry_fn+0x2e/0x110
+ [<00000000e201f4b0>] process_one_work+0x1ee/0x600
+ [<000000006d90d5a9>] worker_thread+0x183/0x350
+
+Cc: Dave Jiang <dave.jiang@intel.com>
+Cc: Ira Weiny <ira.weiny@intel.com>
+Fixes: 1b40e09a1232 ("libnvdimm: blk labels and namespace instantiation")
+Suggested-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Li Zhijian <lizhijian@fujitsu.com>
+Reviewed-by: Dan Williams <dan.j.williams@intel.com>
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Link: https://patch.msgid.link/20240819062045.1481298-1-lizhijian@fujitsu.com
+Signed-off-by: Ira Weiny <ira.weiny@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvdimm/namespace_devs.c | 34 ++++++++++++++++-----------------
+ 1 file changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/nvdimm/namespace_devs.c b/drivers/nvdimm/namespace_devs.c
+index d6d558f94d6bb..35d9f3cc2efab 100644
+--- a/drivers/nvdimm/namespace_devs.c
++++ b/drivers/nvdimm/namespace_devs.c
+@@ -1937,12 +1937,16 @@ static int cmp_dpa(const void *a, const void *b)
+ static struct device **scan_labels(struct nd_region *nd_region)
+ {
+ int i, count = 0;
+- struct device *dev, **devs = NULL;
++ struct device *dev, **devs;
+ struct nd_label_ent *label_ent, *e;
+ struct nd_mapping *nd_mapping = &nd_region->mapping[0];
+ struct nvdimm_drvdata *ndd = to_ndd(nd_mapping);
+ resource_size_t map_end = nd_mapping->start + nd_mapping->size - 1;
+
++ devs = kcalloc(2, sizeof(dev), GFP_KERNEL);
++ if (!devs)
++ return NULL;
++
+ /* "safe" because create_namespace_pmem() might list_move() label_ent */
+ list_for_each_entry_safe(label_ent, e, &nd_mapping->labels, list) {
+ struct nd_namespace_label *nd_label = label_ent->label;
+@@ -1961,12 +1965,14 @@ static struct device **scan_labels(struct nd_region *nd_region)
+ goto err;
+ if (i < count)
+ continue;
+- __devs = kcalloc(count + 2, sizeof(dev), GFP_KERNEL);
+- if (!__devs)
+- goto err;
+- memcpy(__devs, devs, sizeof(dev) * count);
+- kfree(devs);
+- devs = __devs;
++ if (count) {
++ __devs = kcalloc(count + 2, sizeof(dev), GFP_KERNEL);
++ if (!__devs)
++ goto err;
++ memcpy(__devs, devs, sizeof(dev) * count);
++ kfree(devs);
++ devs = __devs;
++ }
+
+ dev = create_namespace_pmem(nd_region, nd_mapping, nd_label);
+ if (IS_ERR(dev)) {
+@@ -1993,11 +1999,6 @@ static struct device **scan_labels(struct nd_region *nd_region)
+
+ /* Publish a zero-sized namespace for userspace to configure. */
+ nd_mapping_free_labels(nd_mapping);
+-
+- devs = kcalloc(2, sizeof(dev), GFP_KERNEL);
+- if (!devs)
+- goto err;
+-
+ nspm = kzalloc(sizeof(*nspm), GFP_KERNEL);
+ if (!nspm)
+ goto err;
+@@ -2036,11 +2037,10 @@ static struct device **scan_labels(struct nd_region *nd_region)
+ return devs;
+
+ err:
+- if (devs) {
+- for (i = 0; devs[i]; i++)
+- namespace_pmem_release(devs[i]);
+- kfree(devs);
+- }
++ for (i = 0; devs[i]; i++)
++ namespace_pmem_release(devs[i]);
++ kfree(devs);
++
+ return NULL;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 41c47ea6df6cd36ca401476dc3db16e08553952b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Sep 2024 14:01:22 +0200
+Subject: nvme-multipath: system fails to create generic nvme device
+
+From: Hannes Reinecke <hare@kernel.org>
+
+[ Upstream commit 63bcf9014e95a7d279d10d8e2caa5d88db2b1855 ]
+
+NVME_NSHEAD_DISK_LIVE is a flag for struct nvme_ns_head, not nvme_ns.
+The current code has a typo causing NVME_NSHEAD_DISK_LIVE never to
+be cleared once device_add_disk_fails, causing the system never to
+create the 'generic' character device. Even several rescan attempts
+will change the situation and the system has to be rebooted to fix
+the issue.
+
+Fixes: 11384580e332 ("nvme-multipath: add error handling support for add_disk()")
+Signed-off-by: Hannes Reinecke <hare@kernel.org>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/multipath.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
+index 518e22dd4f9be..6d97058cde7a1 100644
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -648,7 +648,7 @@ static void nvme_mpath_set_live(struct nvme_ns *ns)
+ rc = device_add_disk(&head->subsys->dev, head->disk,
+ nvme_ns_attr_groups);
+ if (rc) {
+- clear_bit(NVME_NSHEAD_DISK_LIVE, &ns->flags);
++ clear_bit(NVME_NSHEAD_DISK_LIVE, &head->flags);
+ return;
+ }
+ nvme_add_ns_head_cdev(head);
+--
+2.43.0
+
--- /dev/null
+From 1a399601e1a13569217be668dcbc9f3fed0640b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2024 02:32:52 +0530
+Subject: padata: Honor the caller's alignment in case of chunk_size 0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kamlesh Gurudasani <kamlesh@ti.com>
+
+[ Upstream commit 24cc57d8faaa4060fd58adf810b858fcfb71a02f ]
+
+In the case where we are forcing the ps.chunk_size to be at least 1,
+we are ignoring the caller's alignment.
+
+Move the forcing of ps.chunk_size to be at least 1 before rounding it
+up to caller's alignment, so that caller's alignment is honored.
+
+While at it, use max() to force the ps.chunk_size to be at least 1 to
+improve readability.
+
+Fixes: 6d45e1c948a8 ("padata: Fix possible divide-by-0 panic in padata_mt_helper()")
+Signed-off-by: Kamlesh Gurudasani <kamlesh@ti.com>
+Acked-by: Waiman Long <longman@redhat.com>
+Acked-by: Daniel Jordan <daniel.m.jordan@oracle.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/padata.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/padata.c b/kernel/padata.c
+index 0fa6c28954603..9e98afe72a334 100644
+--- a/kernel/padata.c
++++ b/kernel/padata.c
+@@ -512,9 +512,12 @@ void __init padata_do_multithreaded(struct padata_mt_job *job)
+ * thread function. Load balance large jobs between threads by
+ * increasing the number of chunks, guarantee at least the minimum
+ * chunk size from the caller, and honor the caller's alignment.
++ * Ensure chunk_size is at least 1 to prevent divide-by-0
++ * panic in padata_mt_helper().
+ */
+ ps.chunk_size = job->size / (ps.nworks * load_balance_factor);
+ ps.chunk_size = max(ps.chunk_size, job->min_chunk);
++ ps.chunk_size = max(ps.chunk_size, 1ul);
+ ps.chunk_size = roundup(ps.chunk_size, job->align);
+
+ /*
+--
+2.43.0
+
--- /dev/null
+From 14df27738eef08a8d8ce2f0c89fdaa2200fa90b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jul 2024 18:53:26 -0500
+Subject: PCI: keystone: Fix if-statement expression in ks_pcie_quirk()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 6188a1c762eb9bbd444f47696eda77a5eae6207a ]
+
+This code accidentally uses && where || was intended. It potentially
+results in a NULL dereference.
+
+Thus, fix the if-statement expression to use the correct condition.
+
+Fixes: 86f271f22bbb ("PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)")
+Link: https://lore.kernel.org/linux-pci/1b762a93-e1b2-4af3-8c04-c8843905c279@stanley.mountain
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+[kwilczynski: commit log]
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Reviewed-by: Siddharth Vadapalli <s-vadapalli@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/dwc/pci-keystone.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/controller/dwc/pci-keystone.c b/drivers/pci/controller/dwc/pci-keystone.c
+index 52c6420ae2003..95a471d6a586d 100644
+--- a/drivers/pci/controller/dwc/pci-keystone.c
++++ b/drivers/pci/controller/dwc/pci-keystone.c
+@@ -577,7 +577,7 @@ static void ks_pcie_quirk(struct pci_dev *dev)
+ */
+ if (pci_match_id(am6_pci_devids, bridge)) {
+ bridge_dev = pci_get_host_bridge_device(dev);
+- if (!bridge_dev && !bridge_dev->parent)
++ if (!bridge_dev || !bridge_dev->parent)
+ return;
+
+ ks_pcie = dev_get_drvdata(bridge_dev->parent);
+--
+2.43.0
+
--- /dev/null
+From 88e2c32dbc3eed490c82476afb70579c4e9597ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 14:58:23 +0300
+Subject: PCI: kirin: Fix buffer overflow in kirin_pcie_parse_port()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alexandra Diupina <adiupina@astralinux.ru>
+
+[ Upstream commit c500a86693a126c9393e602741e348f80f1b0fc5 ]
+
+Within kirin_pcie_parse_port(), the pcie->num_slots is compared to
+pcie->gpio_id_reset size (MAX_PCI_SLOTS) which is correct and would lead
+to an overflow.
+
+Thus, fix condition to pcie->num_slots + 1 >= MAX_PCI_SLOTS and move
+pcie->num_slots increment below the if-statement to avoid out-of-bounds
+array access.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: b22dbbb24571 ("PCI: kirin: Support PERST# GPIOs for HiKey970 external PEX 8606 bridge")
+Link: https://lore.kernel.org/linux-pci/20240903115823.30647-1-adiupina@astralinux.ru
+Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
+[kwilczynski: commit log]
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Reviewed-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/dwc/pcie-kirin.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pci/controller/dwc/pcie-kirin.c b/drivers/pci/controller/dwc/pcie-kirin.c
+index 0a29136491b89..85a2c77b1835a 100644
+--- a/drivers/pci/controller/dwc/pcie-kirin.c
++++ b/drivers/pci/controller/dwc/pcie-kirin.c
+@@ -420,11 +420,11 @@ static int kirin_pcie_parse_port(struct kirin_pcie *pcie,
+ "unable to get a valid reset gpio\n");
+ }
+
+- pcie->num_slots++;
+- if (pcie->num_slots > MAX_PCI_SLOTS) {
++ if (pcie->num_slots + 1 >= MAX_PCI_SLOTS) {
+ dev_err(dev, "Too many PCI slots!\n");
+ return -EINVAL;
+ }
++ pcie->num_slots++;
+
+ ret = of_pci_get_devfn(child);
+ if (ret < 0) {
+--
+2.43.0
+
--- /dev/null
+From 1ca5dd825b83a016610e4c84942ecc0ceb580406 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Aug 2024 13:53:19 +0530
+Subject: PCI: qcom-ep: Enable controller resources like PHY only after refclk
+ is available
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+[ Upstream commit d3745e3ae6c0eec517d431be926742b6e8b9b64a ]
+
+qcom_pcie_enable_resources() is called by qcom_pcie_ep_probe() and it
+enables the controller resources like clocks, regulator, PHY. On one of the
+new unreleased Qcom SoC, PHY enablement depends on the active refclk. And
+on all of the supported Qcom endpoint SoCs, refclk comes from the host
+(RC). So calling qcom_pcie_enable_resources() without refclk causes the
+NoC (Network On Chip) error in the endpoint SoC and in turn results in a
+whole SoC crash and rebooting into EDL (Emergency Download) mode which is
+an unrecoverable state.
+
+But qcom_pcie_enable_resources() is already called by
+qcom_pcie_perst_deassert() when PERST# is deasserted, and refclk is
+available at that time.
+
+Hence, remove the unnecessary call to qcom_pcie_enable_resources() from
+qcom_pcie_ep_probe() to prevent the above mentioned crash.
+
+It should be noted that this commit prevents the crash only under normal
+working condition (booting endpoint before host), but the crash may also
+occur if PERST# assert happens at the wrong time. For avoiding the crash
+completely, it is recommended to use SRIS mode which allows the endpoint
+SoC to generate its own refclk. The driver is not supporting SRIS mode
+currently, but will be added in the future.
+
+Fixes: 869bc5253406 ("PCI: dwc: ep: Fix DBI access failure for drivers requiring refclk from host")
+Link: https://lore.kernel.org/linux-pci/20240830082319.51387-1-manivannan.sadhasivam@linaro.org
+Tested-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/dwc/pcie-qcom-ep.c | 14 ++++----------
+ 1 file changed, 4 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/pci/controller/dwc/pcie-qcom-ep.c b/drivers/pci/controller/dwc/pcie-qcom-ep.c
+index a9b263f749b6a..c8bb7cd89678f 100644
+--- a/drivers/pci/controller/dwc/pcie-qcom-ep.c
++++ b/drivers/pci/controller/dwc/pcie-qcom-ep.c
+@@ -858,21 +858,15 @@ static int qcom_pcie_ep_probe(struct platform_device *pdev)
+ if (ret)
+ return ret;
+
+- ret = qcom_pcie_enable_resources(pcie_ep);
+- if (ret) {
+- dev_err(dev, "Failed to enable resources: %d\n", ret);
+- return ret;
+- }
+-
+ ret = dw_pcie_ep_init(&pcie_ep->pci.ep);
+ if (ret) {
+ dev_err(dev, "Failed to initialize endpoint: %d\n", ret);
+- goto err_disable_resources;
++ return ret;
+ }
+
+ ret = qcom_pcie_ep_enable_irq_resources(pdev, pcie_ep);
+ if (ret)
+- goto err_disable_resources;
++ goto err_ep_deinit;
+
+ name = devm_kasprintf(dev, GFP_KERNEL, "%pOFP", dev->of_node);
+ if (!name) {
+@@ -889,8 +883,8 @@ static int qcom_pcie_ep_probe(struct platform_device *pdev)
+ disable_irq(pcie_ep->global_irq);
+ disable_irq(pcie_ep->perst_irq);
+
+-err_disable_resources:
+- qcom_pcie_disable_resources(pcie_ep);
++err_ep_deinit:
++ dw_pcie_ep_deinit(&pcie_ep->pci.ep);
+
+ return ret;
+ }
+--
+2.43.0
+
--- /dev/null
+From 2a868956c226ab1ed333f584873ac4e71aefd278 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Aug 2024 15:17:07 +0300
+Subject: PCI: Wait for Link before restoring Downstream Buses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+[ Upstream commit 3e40aa29d47e231a54640addf6a09c1f64c5b63f ]
+
+__pci_reset_bus() calls pci_bridge_secondary_bus_reset() to perform the
+reset and also waits for the Secondary Bus to become again accessible.
+__pci_reset_bus() then calls pci_bus_restore_locked() that restores the PCI
+devices connected to the bus, and if necessary, recursively restores also
+the subordinate buses and their devices.
+
+The logic in pci_bus_restore_locked() does not take into account that after
+restoring a device on one level, there might be another Link Downstream
+that can only start to come up after restore has been performed for its
+Downstream Port device. That is, the Link may require additional wait until
+it becomes accessible.
+
+Similarly, pci_slot_restore_locked() lacks wait.
+
+Amend pci_bus_restore_locked() and pci_slot_restore_locked() to wait for
+the Secondary Bus before recursively performing the restore of that bus.
+
+Fixes: 090a3c5322e9 ("PCI: Add pci_reset_slot() and pci_reset_bus()")
+Link: https://lore.kernel.org/r/20240808121708.2523-1-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index ffaaca0978cbc..5c1d53398f95d 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -5672,8 +5672,10 @@ static void pci_bus_restore_locked(struct pci_bus *bus)
+
+ list_for_each_entry(dev, &bus->devices, bus_list) {
+ pci_dev_restore(dev);
+- if (dev->subordinate)
++ if (dev->subordinate) {
++ pci_bridge_wait_for_secondary_bus(dev, "bus reset");
+ pci_bus_restore_locked(dev->subordinate);
++ }
+ }
+ }
+
+@@ -5707,8 +5709,10 @@ static void pci_slot_restore_locked(struct pci_slot *slot)
+ if (!dev->slot || dev->slot != slot)
+ continue;
+ pci_dev_restore(dev);
+- if (dev->subordinate)
++ if (dev->subordinate) {
++ pci_bridge_wait_for_secondary_bus(dev, "slot reset");
+ pci_bus_restore_locked(dev->subordinate);
++ }
+ }
+ }
+
+--
+2.43.0
+
--- /dev/null
+From f996db3c6f996336cb408e81071715381d076047 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 May 2024 12:13:35 -0400
+Subject: PCI: xilinx-nwl: Clean up clock on probe failure/removal
+
+From: Sean Anderson <sean.anderson@linux.dev>
+
+[ Upstream commit cfd67903977b13f63340a4eb5a1cc890994f2c62 ]
+
+Make sure we turn off the clock on probe failure and device removal.
+
+Fixes: de0a01f52966 ("PCI: xilinx-nwl: Enable the clock through CCF")
+Link: https://lore.kernel.org/r/20240531161337.864994-6-sean.anderson@linux.dev
+Signed-off-by: Sean Anderson <sean.anderson@linux.dev>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-xilinx-nwl.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pci/controller/pcie-xilinx-nwl.c b/drivers/pci/controller/pcie-xilinx-nwl.c
+index 1e15852153d6c..2f1bb2e8a840e 100644
+--- a/drivers/pci/controller/pcie-xilinx-nwl.c
++++ b/drivers/pci/controller/pcie-xilinx-nwl.c
+@@ -779,6 +779,7 @@ static int nwl_pcie_probe(struct platform_device *pdev)
+ return -ENODEV;
+
+ pcie = pci_host_bridge_priv(bridge);
++ platform_set_drvdata(pdev, pcie);
+
+ pcie->dev = dev;
+
+@@ -801,13 +802,13 @@ static int nwl_pcie_probe(struct platform_device *pdev)
+ err = nwl_pcie_bridge_init(pcie);
+ if (err) {
+ dev_err(dev, "HW Initialization failed\n");
+- return err;
++ goto err_clk;
+ }
+
+ err = nwl_pcie_init_irq_domain(pcie);
+ if (err) {
+ dev_err(dev, "Failed creating IRQ Domain\n");
+- return err;
++ goto err_clk;
+ }
+
+ bridge->sysdata = pcie;
+@@ -817,11 +818,24 @@ static int nwl_pcie_probe(struct platform_device *pdev)
+ err = nwl_pcie_enable_msi(pcie);
+ if (err < 0) {
+ dev_err(dev, "failed to enable MSI support: %d\n", err);
+- return err;
++ goto err_clk;
+ }
+ }
+
+- return pci_host_probe(bridge);
++ err = pci_host_probe(bridge);
++ if (!err)
++ return 0;
++
++err_clk:
++ clk_disable_unprepare(pcie->clk);
++ return err;
++}
++
++static void nwl_pcie_remove(struct platform_device *pdev)
++{
++ struct nwl_pcie *pcie = platform_get_drvdata(pdev);
++
++ clk_disable_unprepare(pcie->clk);
+ }
+
+ static struct platform_driver nwl_pcie_driver = {
+@@ -831,5 +845,6 @@ static struct platform_driver nwl_pcie_driver = {
+ .of_match_table = nwl_pcie_of_match,
+ },
+ .probe = nwl_pcie_probe,
++ .remove_new = nwl_pcie_remove,
+ };
+ builtin_platform_driver(nwl_pcie_driver);
+--
+2.43.0
+
--- /dev/null
+From 521e241ff5923855b4f689f30002d5531c0889a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 May 2024 12:13:33 -0400
+Subject: PCI: xilinx-nwl: Fix register misspelling
+
+From: Sean Anderson <sean.anderson@linux.dev>
+
+[ Upstream commit a437027ae1730b8dc379c75fa0dd7d3036917400 ]
+
+MSIC -> MISC
+
+Fixes: c2a7ff18edcd ("PCI: xilinx-nwl: Expand error logging")
+Link: https://lore.kernel.org/r/20240531161337.864994-4-sean.anderson@linux.dev
+Signed-off-by: Sean Anderson <sean.anderson@linux.dev>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-xilinx-nwl.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/pci/controller/pcie-xilinx-nwl.c b/drivers/pci/controller/pcie-xilinx-nwl.c
+index 0408f4d612b5a..1e15852153d6c 100644
+--- a/drivers/pci/controller/pcie-xilinx-nwl.c
++++ b/drivers/pci/controller/pcie-xilinx-nwl.c
+@@ -80,8 +80,8 @@
+ #define MSGF_MISC_SR_NON_FATAL_DEV BIT(22)
+ #define MSGF_MISC_SR_FATAL_DEV BIT(23)
+ #define MSGF_MISC_SR_LINK_DOWN BIT(24)
+-#define MSGF_MSIC_SR_LINK_AUTO_BWIDTH BIT(25)
+-#define MSGF_MSIC_SR_LINK_BWIDTH BIT(26)
++#define MSGF_MISC_SR_LINK_AUTO_BWIDTH BIT(25)
++#define MSGF_MISC_SR_LINK_BWIDTH BIT(26)
+
+ #define MSGF_MISC_SR_MASKALL (MSGF_MISC_SR_RXMSG_AVAIL | \
+ MSGF_MISC_SR_RXMSG_OVER | \
+@@ -96,8 +96,8 @@
+ MSGF_MISC_SR_NON_FATAL_DEV | \
+ MSGF_MISC_SR_FATAL_DEV | \
+ MSGF_MISC_SR_LINK_DOWN | \
+- MSGF_MSIC_SR_LINK_AUTO_BWIDTH | \
+- MSGF_MSIC_SR_LINK_BWIDTH)
++ MSGF_MISC_SR_LINK_AUTO_BWIDTH | \
++ MSGF_MISC_SR_LINK_BWIDTH)
+
+ /* Legacy interrupt status mask bits */
+ #define MSGF_LEG_SR_INTA BIT(0)
+@@ -299,10 +299,10 @@ static irqreturn_t nwl_pcie_misc_handler(int irq, void *data)
+ if (misc_stat & MSGF_MISC_SR_FATAL_DEV)
+ dev_err(dev, "Fatal Error Detected\n");
+
+- if (misc_stat & MSGF_MSIC_SR_LINK_AUTO_BWIDTH)
++ if (misc_stat & MSGF_MISC_SR_LINK_AUTO_BWIDTH)
+ dev_info(dev, "Link Autonomous Bandwidth Management Status bit set\n");
+
+- if (misc_stat & MSGF_MSIC_SR_LINK_BWIDTH)
++ if (misc_stat & MSGF_MISC_SR_LINK_BWIDTH)
+ dev_info(dev, "Link Bandwidth Management Status bit set\n");
+
+ /* Clear misc interrupt status */
+--
+2.43.0
+
--- /dev/null
+From edf6b82ddb80aaa609f2fde66cffff74e7b5a2a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 16:58:32 -0700
+Subject: perf annotate-data: Fix off-by-one in location range check
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit 3ab0b8b238b5130ae3fa37ddaa329fc0e93b6b9a ]
+
+The location list will have entries with half-open addressing like
+[start, end) which means it doesn't include the end address. So it
+should skip entries at the end address and match to the next entry.
+
+An example location list looks like this (from readelf -wo):
+
+ 00237876 ffffffff8110d32b (base address)
+ 0023787f v000000000000000 v000000000000002 views at 00237868 for:
+ ffffffff8110d32b ffffffff8110d4eb (DW_OP_reg3 (rbx)) <<<--- 1
+ 00237885 v000000000000002 v000000000000000 views at 0023786a for:
+ ffffffff8110d4eb ffffffff8110d50b (DW_OP_reg14 (r14)) <<<--- 2
+ 0023788c v000000000000000 v000000000000001 views at 0023786c for:
+ ffffffff8110d50b ffffffff8110d7c4 (DW_OP_reg3 (rbx))
+ 00237893 v000000000000000 v000000000000000 views at 0023786e for:
+ ffffffff8110d806 ffffffff8110d854 (DW_OP_reg3 (rbx))
+ 0023789a v000000000000000 v000000000000000 views at 00237870 for:
+ ffffffff8110d876 ffffffff8110d88e (DW_OP_reg3 (rbx))
+
+The first entry at 0023787f has [8110d32b, 8110d4eb) (omitting the
+ffffffff at the beginning), and the second one has [8110d4eb, 8110d50b).
+
+Fixes: 2bc3cf575a162a2c ("perf annotate-data: Improve debug message with location info")
+Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20240816235840.2754937-3-namhyung@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/annotate-data.c | 2 +-
+ tools/perf/util/dwarf-aux.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/annotate-data.c b/tools/perf/util/annotate-data.c
+index 965da6c0b5427..79c1f2ae7affd 100644
+--- a/tools/perf/util/annotate-data.c
++++ b/tools/perf/util/annotate-data.c
+@@ -104,7 +104,7 @@ static void pr_debug_location(Dwarf_Die *die, u64 pc, int reg)
+ return;
+
+ while ((off = dwarf_getlocations(&attr, off, &base, &start, &end, &ops, &nops)) > 0) {
+- if (reg != DWARF_REG_PC && end < pc)
++ if (reg != DWARF_REG_PC && end <= pc)
+ continue;
+ if (reg != DWARF_REG_PC && start > pc)
+ break;
+diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c
+index e7de5045c43a7..0e7d2060740df 100644
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -1444,7 +1444,7 @@ static int __die_find_var_reg_cb(Dwarf_Die *die_mem, void *arg)
+
+ while ((off = dwarf_getlocations(&attr, off, &base, &start, &end, &ops, &nops)) > 0) {
+ /* Assuming the location list is sorted by address */
+- if (end < data->pc)
++ if (end <= data->pc)
+ continue;
+ if (start > data->pc)
+ break;
+--
+2.43.0
+
--- /dev/null
+From 069641a95fd593611febfc73db7fc70c8787bd6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 18:51:59 +0100
+Subject: perf/arm-cmn: Ensure dtm_idx is big enough
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+[ Upstream commit 359414b33e00bae91e4eabf3e4ef8e76024c7673 ]
+
+While CMN_MAX_DIMENSION was bumped to 12 for CMN-650, that only supports
+up to a 10x10 mesh, so bumping dtm_idx to 256 bits at the time worked
+out OK in practice. However CMN-700 did finally support up to 144 XPs,
+and thus needs a worst-case 288 bits of dtm_idx for an aggregated XP
+event on a maxed-out config. Oops.
+
+Fixes: 23760a014417 ("perf/arm-cmn: Add CMN-700 support")
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Link: https://lore.kernel.org/r/e771b358526a0d7fc06efee2c3a2fdc0c9f51d44.1725296395.git.robin.murphy@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/arm-cmn.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/perf/arm-cmn.c b/drivers/perf/arm-cmn.c
+index 4e2338afe6694..48863b31ccfb1 100644
+--- a/drivers/perf/arm-cmn.c
++++ b/drivers/perf/arm-cmn.c
+@@ -35,6 +35,9 @@
+ #define CMN_MAX_XPS (CMN_MAX_DIMENSION * CMN_MAX_DIMENSION)
+ #define CMN_MAX_DTMS (CMN_MAX_XPS + (CMN_MAX_DIMENSION - 1) * 4)
+
++/* Currently XPs are the node type we can have most of; others top out at 128 */
++#define CMN_MAX_NODES_PER_EVENT CMN_MAX_XPS
++
+ /* The CFG node has various info besides the discovery tree */
+ #define CMN_CFGM_PERIPH_ID_01 0x0008
+ #define CMN_CFGM_PID0_PART_0 GENMASK_ULL(7, 0)
+@@ -564,7 +567,7 @@ static void arm_cmn_debugfs_init(struct arm_cmn *cmn, int id) {}
+
+ struct arm_cmn_hw_event {
+ struct arm_cmn_node *dn;
+- u64 dtm_idx[4];
++ u64 dtm_idx[DIV_ROUND_UP(CMN_MAX_NODES_PER_EVENT * 2, 64)];
+ s8 dtc_idx[CMN_MAX_DTCS];
+ u8 num_dns;
+ u8 dtm_offset;
+--
+2.43.0
+
--- /dev/null
+From 0eca00711acbebfc603f9e5e3dbd3a5989b578bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 18:51:58 +0100
+Subject: perf/arm-cmn: Fix CCLA register offset
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+[ Upstream commit 88b63a82c84ed9bbcbdefb10cb6f75dd1dd04887 ]
+
+Apparently pmu_event_sel is offset by 8 for all CCLA nodes, not just
+the CCLA_RNI combination type.
+
+Fixes: 23760a014417 ("perf/arm-cmn: Add CMN-700 support")
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Reviewed-by: Ilkka Koskinen <ilkka@os.amperecomputing.com>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Link: https://lore.kernel.org/r/6e7bb06fef6046f83e7647aad0e5be544139763f.1725296395.git.robin.murphy@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/arm-cmn.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/perf/arm-cmn.c b/drivers/perf/arm-cmn.c
+index b59ae8513dcee..4e2338afe6694 100644
+--- a/drivers/perf/arm-cmn.c
++++ b/drivers/perf/arm-cmn.c
+@@ -70,7 +70,8 @@
+ /* Technically this is 4 bits wide on DNs, but we only use 2 there anyway */
+ #define CMN__PMU_OCCUP1_ID GENMASK_ULL(34, 32)
+
+-/* HN-Ps are weird... */
++/* Some types are designed to coexist with another device in the same node */
++#define CMN_CCLA_PMU_EVENT_SEL 0x008
+ #define CMN_HNP_PMU_EVENT_SEL 0x008
+
+ /* DTMs live in the PMU space of XP registers */
+@@ -2393,10 +2394,13 @@ static int arm_cmn_discover(struct arm_cmn *cmn, unsigned int rgn_offset)
+ case CMN_TYPE_CXHA:
+ case CMN_TYPE_CCRA:
+ case CMN_TYPE_CCHA:
+- case CMN_TYPE_CCLA:
+ case CMN_TYPE_HNS:
+ dn++;
+ break;
++ case CMN_TYPE_CCLA:
++ dn->pmu_base += CMN_CCLA_PMU_EVENT_SEL;
++ dn++;
++ break;
+ /* Nothing to see here */
+ case CMN_TYPE_MPAM_S:
+ case CMN_TYPE_MPAM_NS:
+@@ -2414,7 +2418,7 @@ static int arm_cmn_discover(struct arm_cmn *cmn, unsigned int rgn_offset)
+ case CMN_TYPE_HNP:
+ case CMN_TYPE_CCLA_RNI:
+ dn[1] = dn[0];
+- dn[0].pmu_base += CMN_HNP_PMU_EVENT_SEL;
++ dn[0].pmu_base += CMN_CCLA_PMU_EVENT_SEL;
+ dn[1].type = arm_cmn_subtype(dn->type);
+ dn += 2;
+ break;
+--
+2.43.0
+
--- /dev/null
+From 815debed99c959513c1ffa7df68016a26bb31f8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 18:51:57 +0100
+Subject: perf/arm-cmn: Refactor node ID handling. Again.
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+[ Upstream commit e79634b53e398966c49f803c49701bc74dc3ccf8 ]
+
+The scope of the "extra device ports" configuration is not made clear by
+the CMN documentation - so far we've assumed it applies globally, based
+on the sole example which suggests as much. However it transpires that
+this is incorrect, and the format does in fact vary based on each
+individual XP's port configuration. As a consequence, we're currenly
+liable to decode the port/device indices from a node ID incorrectly,
+thus program the wrong event source in the DTM leading to bogus event
+counts, and also show device topology on the wrong ports in debugfs.
+
+To put this right, rework node IDs yet again to carry around the
+additional data necessary to decode them properly per-XP. At this point
+the notion of fully decomposing an ID becomes more impractical than it's
+worth, so unabstracting the XY mesh coordinates (where 2/3 users were
+just debug anyway) ends up leaving things a bit simpler overall.
+
+Fixes: 60d1504070c2 ("perf/arm-cmn: Support new IP features")
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Link: https://lore.kernel.org/r/5195f990152fc37adba5fbf5929a6b11063d9f09.1725296395.git.robin.murphy@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/arm-cmn.c | 94 ++++++++++++++++++------------------------
+ 1 file changed, 40 insertions(+), 54 deletions(-)
+
+diff --git a/drivers/perf/arm-cmn.c b/drivers/perf/arm-cmn.c
+index c932d9d355cf0..b59ae8513dcee 100644
+--- a/drivers/perf/arm-cmn.c
++++ b/drivers/perf/arm-cmn.c
+@@ -24,14 +24,6 @@
+ #define CMN_NI_NODE_ID GENMASK_ULL(31, 16)
+ #define CMN_NI_LOGICAL_ID GENMASK_ULL(47, 32)
+
+-#define CMN_NODEID_DEVID(reg) ((reg) & 3)
+-#define CMN_NODEID_EXT_DEVID(reg) ((reg) & 1)
+-#define CMN_NODEID_PID(reg) (((reg) >> 2) & 1)
+-#define CMN_NODEID_EXT_PID(reg) (((reg) >> 1) & 3)
+-#define CMN_NODEID_1x1_PID(reg) (((reg) >> 2) & 7)
+-#define CMN_NODEID_X(reg, bits) ((reg) >> (3 + (bits)))
+-#define CMN_NODEID_Y(reg, bits) (((reg) >> 3) & ((1U << (bits)) - 1))
+-
+ #define CMN_CHILD_INFO 0x0080
+ #define CMN_CI_CHILD_COUNT GENMASK_ULL(15, 0)
+ #define CMN_CI_CHILD_PTR_OFFSET GENMASK_ULL(31, 16)
+@@ -280,8 +272,11 @@ struct arm_cmn_node {
+ u16 id, logid;
+ enum cmn_node_type type;
+
++ /* XP properties really, but replicated to children for convenience */
+ u8 dtm;
+ s8 dtc;
++ u8 portid_bits:4;
++ u8 deviceid_bits:4;
+ /* DN/HN-F/CXHA */
+ struct {
+ u8 val : 4;
+@@ -357,49 +352,33 @@ struct arm_cmn {
+ static int arm_cmn_hp_state;
+
+ struct arm_cmn_nodeid {
+- u8 x;
+- u8 y;
+ u8 port;
+ u8 dev;
+ };
+
+ static int arm_cmn_xyidbits(const struct arm_cmn *cmn)
+ {
+- return fls((cmn->mesh_x - 1) | (cmn->mesh_y - 1) | 2);
++ return fls((cmn->mesh_x - 1) | (cmn->mesh_y - 1));
+ }
+
+-static struct arm_cmn_nodeid arm_cmn_nid(const struct arm_cmn *cmn, u16 id)
++static struct arm_cmn_nodeid arm_cmn_nid(const struct arm_cmn_node *dn)
+ {
+ struct arm_cmn_nodeid nid;
+
+- if (cmn->num_xps == 1) {
+- nid.x = 0;
+- nid.y = 0;
+- nid.port = CMN_NODEID_1x1_PID(id);
+- nid.dev = CMN_NODEID_DEVID(id);
+- } else {
+- int bits = arm_cmn_xyidbits(cmn);
+-
+- nid.x = CMN_NODEID_X(id, bits);
+- nid.y = CMN_NODEID_Y(id, bits);
+- if (cmn->ports_used & 0xc) {
+- nid.port = CMN_NODEID_EXT_PID(id);
+- nid.dev = CMN_NODEID_EXT_DEVID(id);
+- } else {
+- nid.port = CMN_NODEID_PID(id);
+- nid.dev = CMN_NODEID_DEVID(id);
+- }
+- }
++ nid.dev = dn->id & ((1U << dn->deviceid_bits) - 1);
++ nid.port = (dn->id >> dn->deviceid_bits) & ((1U << dn->portid_bits) - 1);
+ return nid;
+ }
+
+ static struct arm_cmn_node *arm_cmn_node_to_xp(const struct arm_cmn *cmn,
+ const struct arm_cmn_node *dn)
+ {
+- struct arm_cmn_nodeid nid = arm_cmn_nid(cmn, dn->id);
+- int xp_idx = cmn->mesh_x * nid.y + nid.x;
++ int id = dn->id >> (dn->portid_bits + dn->deviceid_bits);
++ int bits = arm_cmn_xyidbits(cmn);
++ int x = id >> bits;
++ int y = id & ((1U << bits) - 1);
+
+- return cmn->xps + xp_idx;
++ return cmn->xps + cmn->mesh_x * y + x;
+ }
+ static struct arm_cmn_node *arm_cmn_node(const struct arm_cmn *cmn,
+ enum cmn_node_type type)
+@@ -485,13 +464,13 @@ static const char *arm_cmn_device_type(u8 type)
+ }
+ }
+
+-static void arm_cmn_show_logid(struct seq_file *s, int x, int y, int p, int d)
++static void arm_cmn_show_logid(struct seq_file *s, const struct arm_cmn_node *xp, int p, int d)
+ {
+ struct arm_cmn *cmn = s->private;
+ struct arm_cmn_node *dn;
++ u16 id = xp->id | d | (p << xp->deviceid_bits);
+
+ for (dn = cmn->dns; dn->type; dn++) {
+- struct arm_cmn_nodeid nid = arm_cmn_nid(cmn, dn->id);
+ int pad = dn->logid < 10;
+
+ if (dn->type == CMN_TYPE_XP)
+@@ -500,7 +479,7 @@ static void arm_cmn_show_logid(struct seq_file *s, int x, int y, int p, int d)
+ if (dn->type < CMN_TYPE_HNI)
+ continue;
+
+- if (nid.x != x || nid.y != y || nid.port != p || nid.dev != d)
++ if (dn->id != id)
+ continue;
+
+ seq_printf(s, " %*c#%-*d |", pad + 1, ' ', 3 - pad, dn->logid);
+@@ -521,6 +500,7 @@ static int arm_cmn_map_show(struct seq_file *s, void *data)
+ y = cmn->mesh_y;
+ while (y--) {
+ int xp_base = cmn->mesh_x * y;
++ struct arm_cmn_node *xp = cmn->xps + xp_base;
+ u8 port[CMN_MAX_PORTS][CMN_MAX_DIMENSION];
+
+ for (x = 0; x < cmn->mesh_x; x++)
+@@ -528,16 +508,14 @@ static int arm_cmn_map_show(struct seq_file *s, void *data)
+
+ seq_printf(s, "\n%-2d |", y);
+ for (x = 0; x < cmn->mesh_x; x++) {
+- struct arm_cmn_node *xp = cmn->xps + xp_base + x;
+-
+ for (p = 0; p < CMN_MAX_PORTS; p++)
+- port[p][x] = arm_cmn_device_connect_info(cmn, xp, p);
++ port[p][x] = arm_cmn_device_connect_info(cmn, xp + x, p);
+ seq_printf(s, " XP #%-3d|", xp_base + x);
+ }
+
+ seq_puts(s, "\n |");
+ for (x = 0; x < cmn->mesh_x; x++) {
+- s8 dtc = cmn->xps[xp_base + x].dtc;
++ s8 dtc = xp[x].dtc;
+
+ if (dtc < 0)
+ seq_puts(s, " DTC ?? |");
+@@ -554,10 +532,10 @@ static int arm_cmn_map_show(struct seq_file *s, void *data)
+ seq_puts(s, arm_cmn_device_type(port[p][x]));
+ seq_puts(s, "\n 0|");
+ for (x = 0; x < cmn->mesh_x; x++)
+- arm_cmn_show_logid(s, x, y, p, 0);
++ arm_cmn_show_logid(s, xp + x, p, 0);
+ seq_puts(s, "\n 1|");
+ for (x = 0; x < cmn->mesh_x; x++)
+- arm_cmn_show_logid(s, x, y, p, 1);
++ arm_cmn_show_logid(s, xp + x, p, 1);
+ }
+ seq_puts(s, "\n-----+");
+ }
+@@ -1815,10 +1793,7 @@ static int arm_cmn_event_init(struct perf_event *event)
+ }
+
+ if (!hw->num_dns) {
+- struct arm_cmn_nodeid nid = arm_cmn_nid(cmn, nodeid);
+-
+- dev_dbg(cmn->dev, "invalid node 0x%x (%d,%d,%d,%d) type 0x%x\n",
+- nodeid, nid.x, nid.y, nid.port, nid.dev, type);
++ dev_dbg(cmn->dev, "invalid node 0x%x type 0x%x\n", nodeid, type);
+ return -EINVAL;
+ }
+
+@@ -1921,7 +1896,7 @@ static int arm_cmn_event_add(struct perf_event *event, int flags)
+ arm_cmn_claim_wp_idx(dtm, event, d, wp_idx, i);
+ writel_relaxed(cfg, dtm->base + CMN_DTM_WPn_CONFIG(wp_idx));
+ } else {
+- struct arm_cmn_nodeid nid = arm_cmn_nid(cmn, dn->id);
++ struct arm_cmn_nodeid nid = arm_cmn_nid(dn);
+
+ if (cmn->multi_dtm)
+ nid.port %= 2;
+@@ -2168,10 +2143,12 @@ static int arm_cmn_init_dtcs(struct arm_cmn *cmn)
+ continue;
+
+ xp = arm_cmn_node_to_xp(cmn, dn);
++ dn->portid_bits = xp->portid_bits;
++ dn->deviceid_bits = xp->deviceid_bits;
+ dn->dtc = xp->dtc;
+ dn->dtm = xp->dtm;
+ if (cmn->multi_dtm)
+- dn->dtm += arm_cmn_nid(cmn, dn->id).port / 2;
++ dn->dtm += arm_cmn_nid(dn).port / 2;
+
+ if (dn->type == CMN_TYPE_DTC) {
+ int err = arm_cmn_init_dtc(cmn, dn, dtc_idx++);
+@@ -2341,18 +2318,27 @@ static int arm_cmn_discover(struct arm_cmn *cmn, unsigned int rgn_offset)
+ arm_cmn_init_dtm(dtm++, xp, 0);
+ /*
+ * Keeping track of connected ports will let us filter out
+- * unnecessary XP events easily. We can also reliably infer the
+- * "extra device ports" configuration for the node ID format
+- * from this, since in that case we will see at least one XP
+- * with port 2 connected, for the HN-D.
++ * unnecessary XP events easily, and also infer the per-XP
++ * part of the node ID format.
+ */
+ for (int p = 0; p < CMN_MAX_PORTS; p++)
+ if (arm_cmn_device_connect_info(cmn, xp, p))
+ xp_ports |= BIT(p);
+
+- if (cmn->multi_dtm && (xp_ports & 0xc))
++ if (cmn->num_xps == 1) {
++ xp->portid_bits = 3;
++ xp->deviceid_bits = 2;
++ } else if (xp_ports > 0x3) {
++ xp->portid_bits = 2;
++ xp->deviceid_bits = 1;
++ } else {
++ xp->portid_bits = 1;
++ xp->deviceid_bits = 2;
++ }
++
++ if (cmn->multi_dtm && (xp_ports > 0x3))
+ arm_cmn_init_dtm(dtm++, xp, 1);
+- if (cmn->multi_dtm && (xp_ports & 0x30))
++ if (cmn->multi_dtm && (xp_ports > 0xf))
+ arm_cmn_init_dtm(dtm++, xp, 2);
+
+ cmn->ports_used |= xp_ports;
+--
+2.43.0
+
--- /dev/null
+From cf89593a911f27093c6e7112e90a0365bccc8b12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jul 2024 11:58:56 -0300
+Subject: perf bpf: Move BPF disassembly routines to separate file to avoid
+ clash with capstone bpf headers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit ea59b70a8418a313d6f2ab48a957de015fc33018 ]
+
+There is a clash of the libbpf and capstone libraries, that ends up
+with:
+
+ In file included from /usr/include/capstone/capstone.h:325,
+ from util/disasm.c:1513:
+ /usr/include/capstone/bpf.h:94:14: error: ‘bpf_insn’ defined as wrong kind of tag
+ 94 | typedef enum bpf_insn {
+
+So far we're just trying to avoid this by not having both headers
+included in the same .c or .h file, do it one more time by moving the
+BPF diassembly routines from util/disasm.c to util/disasm_bpf.c.
+
+This is only being hit when building with BUILD_NONDISTRO=1, i.e.
+building with binutils-devel, that isn't the in the default build due to
+a licencing clash. We need to reimplement what is now isolated in
+util/disasm_bpf.c using some other library to have BPF annotation
+feature that now only is available with BUILD_NONDISTRO=1.
+
+Fixes: 6d17edc113de1e21 ("perf annotate: Use libcapstone to disassemble")
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: https://lore.kernel.org/lkml/ZqpUSKPxMwaQKORr@x1
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/Build | 1 +
+ tools/perf/util/disasm.c | 187 +--------------------------------
+ tools/perf/util/disasm_bpf.c | 195 +++++++++++++++++++++++++++++++++++
+ tools/perf/util/disasm_bpf.h | 12 +++
+ 4 files changed, 209 insertions(+), 186 deletions(-)
+ create mode 100644 tools/perf/util/disasm_bpf.c
+ create mode 100644 tools/perf/util/disasm_bpf.h
+
+diff --git a/tools/perf/util/Build b/tools/perf/util/Build
+index 0f18fe81ef0b2..b24360c04aaea 100644
+--- a/tools/perf/util/Build
++++ b/tools/perf/util/Build
+@@ -13,6 +13,7 @@ perf-util-y += copyfile.o
+ perf-util-y += ctype.o
+ perf-util-y += db-export.o
+ perf-util-y += disasm.o
++perf-util-y += disasm_bpf.o
+ perf-util-y += env.o
+ perf-util-y += event.o
+ perf-util-y += evlist.o
+diff --git a/tools/perf/util/disasm.c b/tools/perf/util/disasm.c
+index e10558b79504b..766cbd005f32a 100644
+--- a/tools/perf/util/disasm.c
++++ b/tools/perf/util/disasm.c
+@@ -15,6 +15,7 @@
+ #include "build-id.h"
+ #include "debug.h"
+ #include "disasm.h"
++#include "disasm_bpf.h"
+ #include "dso.h"
+ #include "env.h"
+ #include "evsel.h"
+@@ -1164,192 +1165,6 @@ static int dso__disassemble_filename(struct dso *dso, char *filename, size_t fil
+ return 0;
+ }
+
+-#if defined(HAVE_LIBBFD_SUPPORT) && defined(HAVE_LIBBPF_SUPPORT)
+-#define PACKAGE "perf"
+-#include <bfd.h>
+-#include <dis-asm.h>
+-#include <bpf/bpf.h>
+-#include <bpf/btf.h>
+-#include <bpf/libbpf.h>
+-#include <linux/btf.h>
+-#include <tools/dis-asm-compat.h>
+-
+-#include "bpf-event.h"
+-#include "bpf-utils.h"
+-
+-static int symbol__disassemble_bpf(struct symbol *sym,
+- struct annotate_args *args)
+-{
+- struct annotation *notes = symbol__annotation(sym);
+- struct bpf_prog_linfo *prog_linfo = NULL;
+- struct bpf_prog_info_node *info_node;
+- int len = sym->end - sym->start;
+- disassembler_ftype disassemble;
+- struct map *map = args->ms.map;
+- struct perf_bpil *info_linear;
+- struct disassemble_info info;
+- struct dso *dso = map__dso(map);
+- int pc = 0, count, sub_id;
+- struct btf *btf = NULL;
+- char tpath[PATH_MAX];
+- size_t buf_size;
+- int nr_skip = 0;
+- char *buf;
+- bfd *bfdf;
+- int ret;
+- FILE *s;
+-
+- if (dso__binary_type(dso) != DSO_BINARY_TYPE__BPF_PROG_INFO)
+- return SYMBOL_ANNOTATE_ERRNO__BPF_INVALID_FILE;
+-
+- pr_debug("%s: handling sym %s addr %" PRIx64 " len %" PRIx64 "\n", __func__,
+- sym->name, sym->start, sym->end - sym->start);
+-
+- memset(tpath, 0, sizeof(tpath));
+- perf_exe(tpath, sizeof(tpath));
+-
+- bfdf = bfd_openr(tpath, NULL);
+- if (bfdf == NULL)
+- abort();
+-
+- if (!bfd_check_format(bfdf, bfd_object))
+- abort();
+-
+- s = open_memstream(&buf, &buf_size);
+- if (!s) {
+- ret = errno;
+- goto out;
+- }
+- init_disassemble_info_compat(&info, s,
+- (fprintf_ftype) fprintf,
+- fprintf_styled);
+- info.arch = bfd_get_arch(bfdf);
+- info.mach = bfd_get_mach(bfdf);
+-
+- info_node = perf_env__find_bpf_prog_info(dso__bpf_prog(dso)->env,
+- dso__bpf_prog(dso)->id);
+- if (!info_node) {
+- ret = SYMBOL_ANNOTATE_ERRNO__BPF_MISSING_BTF;
+- goto out;
+- }
+- info_linear = info_node->info_linear;
+- sub_id = dso__bpf_prog(dso)->sub_id;
+-
+- info.buffer = (void *)(uintptr_t)(info_linear->info.jited_prog_insns);
+- info.buffer_length = info_linear->info.jited_prog_len;
+-
+- if (info_linear->info.nr_line_info)
+- prog_linfo = bpf_prog_linfo__new(&info_linear->info);
+-
+- if (info_linear->info.btf_id) {
+- struct btf_node *node;
+-
+- node = perf_env__find_btf(dso__bpf_prog(dso)->env,
+- info_linear->info.btf_id);
+- if (node)
+- btf = btf__new((__u8 *)(node->data),
+- node->data_size);
+- }
+-
+- disassemble_init_for_target(&info);
+-
+-#ifdef DISASM_FOUR_ARGS_SIGNATURE
+- disassemble = disassembler(info.arch,
+- bfd_big_endian(bfdf),
+- info.mach,
+- bfdf);
+-#else
+- disassemble = disassembler(bfdf);
+-#endif
+- if (disassemble == NULL)
+- abort();
+-
+- fflush(s);
+- do {
+- const struct bpf_line_info *linfo = NULL;
+- struct disasm_line *dl;
+- size_t prev_buf_size;
+- const char *srcline;
+- u64 addr;
+-
+- addr = pc + ((u64 *)(uintptr_t)(info_linear->info.jited_ksyms))[sub_id];
+- count = disassemble(pc, &info);
+-
+- if (prog_linfo)
+- linfo = bpf_prog_linfo__lfind_addr_func(prog_linfo,
+- addr, sub_id,
+- nr_skip);
+-
+- if (linfo && btf) {
+- srcline = btf__name_by_offset(btf, linfo->line_off);
+- nr_skip++;
+- } else
+- srcline = NULL;
+-
+- fprintf(s, "\n");
+- prev_buf_size = buf_size;
+- fflush(s);
+-
+- if (!annotate_opts.hide_src_code && srcline) {
+- args->offset = -1;
+- args->line = strdup(srcline);
+- args->line_nr = 0;
+- args->fileloc = NULL;
+- args->ms.sym = sym;
+- dl = disasm_line__new(args);
+- if (dl) {
+- annotation_line__add(&dl->al,
+- ¬es->src->source);
+- }
+- }
+-
+- args->offset = pc;
+- args->line = buf + prev_buf_size;
+- args->line_nr = 0;
+- args->fileloc = NULL;
+- args->ms.sym = sym;
+- dl = disasm_line__new(args);
+- if (dl)
+- annotation_line__add(&dl->al, ¬es->src->source);
+-
+- pc += count;
+- } while (count > 0 && pc < len);
+-
+- ret = 0;
+-out:
+- free(prog_linfo);
+- btf__free(btf);
+- fclose(s);
+- bfd_close(bfdf);
+- return ret;
+-}
+-#else // defined(HAVE_LIBBFD_SUPPORT) && defined(HAVE_LIBBPF_SUPPORT)
+-static int symbol__disassemble_bpf(struct symbol *sym __maybe_unused,
+- struct annotate_args *args __maybe_unused)
+-{
+- return SYMBOL_ANNOTATE_ERRNO__NO_LIBOPCODES_FOR_BPF;
+-}
+-#endif // defined(HAVE_LIBBFD_SUPPORT) && defined(HAVE_LIBBPF_SUPPORT)
+-
+-static int
+-symbol__disassemble_bpf_image(struct symbol *sym,
+- struct annotate_args *args)
+-{
+- struct annotation *notes = symbol__annotation(sym);
+- struct disasm_line *dl;
+-
+- args->offset = -1;
+- args->line = strdup("to be implemented");
+- args->line_nr = 0;
+- args->fileloc = NULL;
+- dl = disasm_line__new(args);
+- if (dl)
+- annotation_line__add(&dl->al, ¬es->src->source);
+-
+- zfree(&args->line);
+- return 0;
+-}
+-
+ #ifdef HAVE_LIBCAPSTONE_SUPPORT
+ #include <capstone/capstone.h>
+
+diff --git a/tools/perf/util/disasm_bpf.c b/tools/perf/util/disasm_bpf.c
+new file mode 100644
+index 0000000000000..1fee71c79b624
+--- /dev/null
++++ b/tools/perf/util/disasm_bpf.c
+@@ -0,0 +1,195 @@
++// SPDX-License-Identifier: GPL-2.0-only
++
++#include "util/annotate.h"
++#include "util/disasm_bpf.h"
++#include "util/symbol.h"
++#include <linux/zalloc.h>
++#include <string.h>
++
++#if defined(HAVE_LIBBFD_SUPPORT) && defined(HAVE_LIBBPF_SUPPORT)
++#define PACKAGE "perf"
++#include <bfd.h>
++#include <bpf/bpf.h>
++#include <bpf/btf.h>
++#include <bpf/libbpf.h>
++#include <dis-asm.h>
++#include <errno.h>
++#include <linux/btf.h>
++#include <tools/dis-asm-compat.h>
++
++#include "util/bpf-event.h"
++#include "util/bpf-utils.h"
++#include "util/debug.h"
++#include "util/dso.h"
++#include "util/map.h"
++#include "util/env.h"
++#include "util/util.h"
++
++int symbol__disassemble_bpf(struct symbol *sym, struct annotate_args *args)
++{
++ struct annotation *notes = symbol__annotation(sym);
++ struct bpf_prog_linfo *prog_linfo = NULL;
++ struct bpf_prog_info_node *info_node;
++ int len = sym->end - sym->start;
++ disassembler_ftype disassemble;
++ struct map *map = args->ms.map;
++ struct perf_bpil *info_linear;
++ struct disassemble_info info;
++ struct dso *dso = map__dso(map);
++ int pc = 0, count, sub_id;
++ struct btf *btf = NULL;
++ char tpath[PATH_MAX];
++ size_t buf_size;
++ int nr_skip = 0;
++ char *buf;
++ bfd *bfdf;
++ int ret;
++ FILE *s;
++
++ if (dso__binary_type(dso) != DSO_BINARY_TYPE__BPF_PROG_INFO)
++ return SYMBOL_ANNOTATE_ERRNO__BPF_INVALID_FILE;
++
++ pr_debug("%s: handling sym %s addr %" PRIx64 " len %" PRIx64 "\n", __func__,
++ sym->name, sym->start, sym->end - sym->start);
++
++ memset(tpath, 0, sizeof(tpath));
++ perf_exe(tpath, sizeof(tpath));
++
++ bfdf = bfd_openr(tpath, NULL);
++ if (bfdf == NULL)
++ abort();
++
++ if (!bfd_check_format(bfdf, bfd_object))
++ abort();
++
++ s = open_memstream(&buf, &buf_size);
++ if (!s) {
++ ret = errno;
++ goto out;
++ }
++ init_disassemble_info_compat(&info, s,
++ (fprintf_ftype) fprintf,
++ fprintf_styled);
++ info.arch = bfd_get_arch(bfdf);
++ info.mach = bfd_get_mach(bfdf);
++
++ info_node = perf_env__find_bpf_prog_info(dso__bpf_prog(dso)->env,
++ dso__bpf_prog(dso)->id);
++ if (!info_node) {
++ ret = SYMBOL_ANNOTATE_ERRNO__BPF_MISSING_BTF;
++ goto out;
++ }
++ info_linear = info_node->info_linear;
++ sub_id = dso__bpf_prog(dso)->sub_id;
++
++ info.buffer = (void *)(uintptr_t)(info_linear->info.jited_prog_insns);
++ info.buffer_length = info_linear->info.jited_prog_len;
++
++ if (info_linear->info.nr_line_info)
++ prog_linfo = bpf_prog_linfo__new(&info_linear->info);
++
++ if (info_linear->info.btf_id) {
++ struct btf_node *node;
++
++ node = perf_env__find_btf(dso__bpf_prog(dso)->env,
++ info_linear->info.btf_id);
++ if (node)
++ btf = btf__new((__u8 *)(node->data),
++ node->data_size);
++ }
++
++ disassemble_init_for_target(&info);
++
++#ifdef DISASM_FOUR_ARGS_SIGNATURE
++ disassemble = disassembler(info.arch,
++ bfd_big_endian(bfdf),
++ info.mach,
++ bfdf);
++#else
++ disassemble = disassembler(bfdf);
++#endif
++ if (disassemble == NULL)
++ abort();
++
++ fflush(s);
++ do {
++ const struct bpf_line_info *linfo = NULL;
++ struct disasm_line *dl;
++ size_t prev_buf_size;
++ const char *srcline;
++ u64 addr;
++
++ addr = pc + ((u64 *)(uintptr_t)(info_linear->info.jited_ksyms))[sub_id];
++ count = disassemble(pc, &info);
++
++ if (prog_linfo)
++ linfo = bpf_prog_linfo__lfind_addr_func(prog_linfo,
++ addr, sub_id,
++ nr_skip);
++
++ if (linfo && btf) {
++ srcline = btf__name_by_offset(btf, linfo->line_off);
++ nr_skip++;
++ } else
++ srcline = NULL;
++
++ fprintf(s, "\n");
++ prev_buf_size = buf_size;
++ fflush(s);
++
++ if (!annotate_opts.hide_src_code && srcline) {
++ args->offset = -1;
++ args->line = strdup(srcline);
++ args->line_nr = 0;
++ args->fileloc = NULL;
++ args->ms.sym = sym;
++ dl = disasm_line__new(args);
++ if (dl) {
++ annotation_line__add(&dl->al,
++ ¬es->src->source);
++ }
++ }
++
++ args->offset = pc;
++ args->line = buf + prev_buf_size;
++ args->line_nr = 0;
++ args->fileloc = NULL;
++ args->ms.sym = sym;
++ dl = disasm_line__new(args);
++ if (dl)
++ annotation_line__add(&dl->al, ¬es->src->source);
++
++ pc += count;
++ } while (count > 0 && pc < len);
++
++ ret = 0;
++out:
++ free(prog_linfo);
++ btf__free(btf);
++ fclose(s);
++ bfd_close(bfdf);
++ return ret;
++}
++#else // defined(HAVE_LIBBFD_SUPPORT) && defined(HAVE_LIBBPF_SUPPORT)
++int symbol__disassemble_bpf(struct symbol *sym __maybe_unused, struct annotate_args *args __maybe_unused)
++{
++ return SYMBOL_ANNOTATE_ERRNO__NO_LIBOPCODES_FOR_BPF;
++}
++#endif // defined(HAVE_LIBBFD_SUPPORT) && defined(HAVE_LIBBPF_SUPPORT)
++
++int symbol__disassemble_bpf_image(struct symbol *sym, struct annotate_args *args)
++{
++ struct annotation *notes = symbol__annotation(sym);
++ struct disasm_line *dl;
++
++ args->offset = -1;
++ args->line = strdup("to be implemented");
++ args->line_nr = 0;
++ args->fileloc = NULL;
++ dl = disasm_line__new(args);
++ if (dl)
++ annotation_line__add(&dl->al, ¬es->src->source);
++
++ zfree(&args->line);
++ return 0;
++}
+diff --git a/tools/perf/util/disasm_bpf.h b/tools/perf/util/disasm_bpf.h
+new file mode 100644
+index 0000000000000..2ecb19545388b
+--- /dev/null
++++ b/tools/perf/util/disasm_bpf.h
+@@ -0,0 +1,12 @@
++// SPDX-License-Identifier: GPL-2.0-only
++
++#ifndef __PERF_DISASM_BPF_H
++#define __PERF_DISASM_BPF_H
++
++struct symbol;
++struct annotate_args;
++
++int symbol__disassemble_bpf(struct symbol *sym, struct annotate_args *args);
++int symbol__disassemble_bpf_image(struct symbol *sym, struct annotate_args *args);
++
++#endif /* __PERF_DISASM_BPF_H */
+--
+2.43.0
+
--- /dev/null
+From 7b3932512382cfc116702aee1712b3e0674df6c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Aug 2024 10:36:24 -0300
+Subject: perf build: Fix up broken capstone feature detection fast path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 4c55560f23d19051adc7e76818687a88448bef83 ]
+
+The capstone devel headers define 'struct bpf_insn' in a way that clashes with
+what is in the libbpf devel headers, so we so far need to avoid including both.
+
+This is happening on the tools/build/feature/test-all.c file, where we try
+building all the expected set of libraries to be normally available on a
+system:
+
+ ⬢[acme@toolbox perf-tools-next]$ cat /tmp/build/perf-tools-next/feature/test-all.make.output
+ In file included from test-bpf.c:3,
+ from test-all.c:150:
+ /home/acme/git/perf-tools-next/tools/include/uapi/linux/bpf.h:77:8: error: ‘bpf_insn’ defined as wrong kind of tag
+ 77 | struct bpf_insn {
+ | ^~~~~~~~
+ ⬢[acme@toolbox perf-tools-next]$ cat /tmp/build/perf-tools-next/feature/test-all.make.output
+
+When doing so there is a trick where we define main to be
+main_test_libcapstone, then include the individual
+tools/build/feture/test-libcapstone.c capability query test, and then we undef
+'main' because we'll do it all over again with the next expected library to
+be tested (at this time 'lzma').
+
+To complete this mechanism we need to, in test-all.c 'main' routine, to
+call main_test_libcapstone(), which isn't being done, so the effect of
+adding references to capstone in test-all.c are not achieved.
+
+The only thing that is happening is that test-all.c is failing to build and thus
+all the tests will have to be done individually, which nullifies the test-all.c
+single build speedup.
+
+So lets remove references to capstone from test-all.c to see if this makes it
+build again so that we get faster builds or go on fixing up whatever is
+preventing us to get that benefit.
+
+Nothing: after this fix we get a clean test-all.c build and get the build speedup back:
+
+ ⬢[acme@toolbox perf-tools-next]$ cat /tmp/build/perf-tools-next/feature/test-all.make.output
+ ⬢[acme@toolbox perf-tools-next]$ cat /tmp/build/perf-tools-next/feature/test-all.
+ test-all.bin test-all.d test-all.make.output
+ ⬢[acme@toolbox perf-tools-next]$ cat /tmp/build/perf-tools-next/feature/test-all.make.output
+ ⬢[acme@toolbox perf-tools-next]$ ldd /tmp/build/perf-tools-next/feature/test-all.bin
+ linux-vdso.so.1 (0x00007f13277a1000)
+ libpython3.12.so.1.0 => /lib64/libpython3.12.so.1.0 (0x00007f1326e00000)
+ libm.so.6 => /lib64/libm.so.6 (0x00007f13274be000)
+ libtraceevent.so.1 => /lib64/libtraceevent.so.1 (0x00007f1327496000)
+ libtracefs.so.1 => /lib64/libtracefs.so.1 (0x00007f132746f000)
+ libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f1326800000)
+ libunwind-x86_64.so.8 => /lib64/libunwind-x86_64.so.8 (0x00007f1327452000)
+ libunwind.so.8 => /lib64/libunwind.so.8 (0x00007f1327436000)
+ liblzma.so.5 => /lib64/liblzma.so.5 (0x00007f1327403000)
+ libdw.so.1 => /lib64/libdw.so.1 (0x00007f1326d6f000)
+ libz.so.1 => /lib64/libz.so.1 (0x00007f13273e2000)
+ libelf.so.1 => /lib64/libelf.so.1 (0x00007f1326d53000)
+ libnuma.so.1 => /lib64/libnuma.so.1 (0x00007f13273d4000)
+ libslang.so.2 => /lib64/libslang.so.2 (0x00007f1326400000)
+ libperl.so.5.38 => /lib64/libperl.so.5.38 (0x00007f1326000000)
+ libc.so.6 => /lib64/libc.so.6 (0x00007f1325e0f000)
+ libzstd.so.1 => /lib64/libzstd.so.1 (0x00007f1326741000)
+ /lib64/ld-linux-x86-64.so.2 (0x00007f13277a3000)
+ libbz2.so.1 => /lib64/libbz2.so.1 (0x00007f1326d3f000)
+ libcrypt.so.2 => /lib64/libcrypt.so.2 (0x00007f1326d07000)
+ ⬢[acme@toolbox perf-tools-next]$
+
+And when having capstone-devel installed we get it detected and linked with
+perf, allowing us to benefit from the features that it enables:
+
+ ⬢[acme@toolbox perf-tools-next]$ rpm -q capstone-devel
+ capstone-devel-5.0.1-3.fc40.x86_64
+ ⬢[acme@toolbox perf-tools-next]$ ldd /tmp/build/perf-tools-next/perf | grep capstone
+ libcapstone.so.5 => /lib64/libcapstone.so.5 (0x00007fe6a5c00000)
+ ⬢[acme@toolbox perf-tools-next]$ /tmp/build/perf-tools-next/perf -vv | grep cap
+ libcapstone: [ on ] # HAVE_LIBCAPSTONE_SUPPORT
+ ⬢[acme@toolbox perf-tools-next]$
+
+Fixes: 8b767db3309595a2 ("perf: build: introduce the libcapstone")
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Andi Kleen <andi@firstfloor.org>
+Cc: Changbin Du <changbin.du@huawei.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: https://lore.kernel.org/lkml/Zry0sepD5Ppa5YKP@x1
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/build/feature/test-all.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/tools/build/feature/test-all.c b/tools/build/feature/test-all.c
+index dd0a18c2ef8fc..6f4bf386a3b5c 100644
+--- a/tools/build/feature/test-all.c
++++ b/tools/build/feature/test-all.c
+@@ -134,10 +134,6 @@
+ #undef main
+ #endif
+
+-#define main main_test_libcapstone
+-# include "test-libcapstone.c"
+-#undef main
+-
+ #define main main_test_lzma
+ # include "test-lzma.c"
+ #undef main
+--
+2.43.0
+
--- /dev/null
+From f3463e6dbd2ab2f265d877cfd3ff53c6ffa83fac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 22:46:43 -0700
+Subject: perf callchain: Fix stitch LBR memory leaks
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 599c19397b17d197fc1184bbc950f163a292efc9 ]
+
+The 'struct callchain_cursor_node' has a 'struct map_symbol' whose maps
+and map members are reference counted. Ensure these values use a _get
+routine to increment the reference counts and use map_symbol__exit() to
+release the reference counts.
+
+Do similar for 'struct thread's prev_lbr_cursor, but save the size of
+the prev_lbr_cursor array so that it may be iterated.
+
+Ensure that when stitch_nodes are placed on the free list the
+map_symbols are exited.
+
+Fix resolve_lbr_callchain_sample() by replacing list_replace_init() to
+list_splice_init(), so the whole list is moved and nodes aren't leaked.
+
+A reproduction of the memory leaks is possible with a leak sanitizer
+build in the perf report command of:
+
+ ```
+ $ perf record -e cycles --call-graph lbr perf test -w thloop
+ $ perf report --stitch-lbr
+ ```
+
+Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
+Fixes: ff165628d72644e3 ("perf callchain: Stitch LBR call stack")
+Signed-off-by: Ian Rogers <irogers@google.com>
+[ Basic tests after applying the patch, repeating the example above ]
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Anne Macedo <retpolanne@posteo.net>
+Cc: Changbin Du <changbin.du@huawei.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20240808054644.1286065-1-irogers@google.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/machine.c | 17 +++++++++++++++--
+ tools/perf/util/thread.c | 4 ++++
+ tools/perf/util/thread.h | 1 +
+ 3 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/machine.c b/tools/perf/util/machine.c
+index 8477edefc2997..706be5e4a0761 100644
+--- a/tools/perf/util/machine.c
++++ b/tools/perf/util/machine.c
+@@ -2270,8 +2270,12 @@ static void save_lbr_cursor_node(struct thread *thread,
+ cursor->curr = cursor->first;
+ else
+ cursor->curr = cursor->curr->next;
++
++ map_symbol__exit(&lbr_stitch->prev_lbr_cursor[idx].ms);
+ memcpy(&lbr_stitch->prev_lbr_cursor[idx], cursor->curr,
+ sizeof(struct callchain_cursor_node));
++ lbr_stitch->prev_lbr_cursor[idx].ms.maps = maps__get(cursor->curr->ms.maps);
++ lbr_stitch->prev_lbr_cursor[idx].ms.map = map__get(cursor->curr->ms.map);
+
+ lbr_stitch->prev_lbr_cursor[idx].valid = true;
+ cursor->pos++;
+@@ -2482,6 +2486,9 @@ static bool has_stitched_lbr(struct thread *thread,
+ memcpy(&stitch_node->cursor, &lbr_stitch->prev_lbr_cursor[i],
+ sizeof(struct callchain_cursor_node));
+
++ stitch_node->cursor.ms.maps = maps__get(lbr_stitch->prev_lbr_cursor[i].ms.maps);
++ stitch_node->cursor.ms.map = map__get(lbr_stitch->prev_lbr_cursor[i].ms.map);
++
+ if (callee)
+ list_add(&stitch_node->node, &lbr_stitch->lists);
+ else
+@@ -2505,6 +2512,8 @@ static bool alloc_lbr_stitch(struct thread *thread, unsigned int max_lbr)
+ if (!thread__lbr_stitch(thread)->prev_lbr_cursor)
+ goto free_lbr_stitch;
+
++ thread__lbr_stitch(thread)->prev_lbr_cursor_size = max_lbr + 1;
++
+ INIT_LIST_HEAD(&thread__lbr_stitch(thread)->lists);
+ INIT_LIST_HEAD(&thread__lbr_stitch(thread)->free_lists);
+
+@@ -2560,8 +2569,12 @@ static int resolve_lbr_callchain_sample(struct thread *thread,
+ max_lbr, callee);
+
+ if (!stitched_lbr && !list_empty(&lbr_stitch->lists)) {
+- list_replace_init(&lbr_stitch->lists,
+- &lbr_stitch->free_lists);
++ struct stitch_list *stitch_node;
++
++ list_for_each_entry(stitch_node, &lbr_stitch->lists, node)
++ map_symbol__exit(&stitch_node->cursor.ms);
++
++ list_splice_init(&lbr_stitch->lists, &lbr_stitch->free_lists);
+ }
+ memcpy(&lbr_stitch->prev_sample, sample, sizeof(*sample));
+ }
+diff --git a/tools/perf/util/thread.c b/tools/perf/util/thread.c
+index 87c59aa9fe38b..0ffdd52d86d70 100644
+--- a/tools/perf/util/thread.c
++++ b/tools/perf/util/thread.c
+@@ -476,6 +476,7 @@ void thread__free_stitch_list(struct thread *thread)
+ return;
+
+ list_for_each_entry_safe(pos, tmp, &lbr_stitch->lists, node) {
++ map_symbol__exit(&pos->cursor.ms);
+ list_del_init(&pos->node);
+ free(pos);
+ }
+@@ -485,6 +486,9 @@ void thread__free_stitch_list(struct thread *thread)
+ free(pos);
+ }
+
++ for (unsigned int i = 0 ; i < lbr_stitch->prev_lbr_cursor_size; i++)
++ map_symbol__exit(&lbr_stitch->prev_lbr_cursor[i].ms);
++
+ zfree(&lbr_stitch->prev_lbr_cursor);
+ free(thread__lbr_stitch(thread));
+ thread__set_lbr_stitch(thread, NULL);
+diff --git a/tools/perf/util/thread.h b/tools/perf/util/thread.h
+index 8b4a3c69bad19..6cbf6eb2812e0 100644
+--- a/tools/perf/util/thread.h
++++ b/tools/perf/util/thread.h
+@@ -26,6 +26,7 @@ struct lbr_stitch {
+ struct list_head free_lists;
+ struct perf_sample prev_sample;
+ struct callchain_cursor_node *prev_lbr_cursor;
++ unsigned int prev_lbr_cursor_size;
+ };
+
+ DECLARE_RC_STRUCT(thread) {
+--
+2.43.0
+
--- /dev/null
+From 047812fc25be66e2154d481b1242b20f0c1e964d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 16:58:31 -0700
+Subject: perf dwarf-aux: Check allowed location expressions when collecting
+ variables
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit e8bb03ed6850c6ed4ce2f1600ea73401fc2ebd95 ]
+
+It missed to call check_allowed_ops() in __die_collect_vars_cb() so it
+can take variables with complex location expression incorrectly.
+
+For example, I found some variable has this expression.
+
+ 015d8df8 ffffffff81aacfb3 (base address)
+ 015d8e01 v000000000000004 v000000000000000 views at 015d8df2 for:
+ ffffffff81aacfb3 ffffffff81aacfd2 (DW_OP_fbreg: -176; DW_OP_deref;
+ DW_OP_plus_uconst: 332; DW_OP_deref_size: 4;
+ DW_OP_lit1; DW_OP_shra; DW_OP_const1u: 64;
+ DW_OP_minus; DW_OP_stack_value)
+ 015d8e14 v000000000000000 v000000000000000 views at 015d8df4 for:
+ ffffffff81aacfd2 ffffffff81aacfd7 (DW_OP_reg3 (rbx))
+ 015d8e19 v000000000000000 v000000000000000 views at 015d8df6 for:
+ ffffffff81aacfd7 ffffffff81aad020 (DW_OP_fbreg: -176; DW_OP_deref;
+ DW_OP_plus_uconst: 332; DW_OP_deref_size: 4;
+ DW_OP_lit1; DW_OP_shra; DW_OP_const1u: 64;
+ DW_OP_minus; DW_OP_stack_value)
+ 015d8e2c <End of list>
+
+It looks like '((int *)(-176(%rbp) + 332) >> 1) - 64' but the current
+code thought it's just -176(%rbp) and processed the variable incorrectly.
+It should reject such a complex expression if check_allowed_ops()
+doesn't like it. :)
+
+Fixes: 932dcc2c39aedf54 ("perf dwarf-aux: Add die_collect_vars()")
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20240816235840.2754937-2-namhyung@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/dwarf-aux.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c
+index 44ef968a7ad33..e7de5045c43a7 100644
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -1598,6 +1598,9 @@ static int __die_collect_vars_cb(Dwarf_Die *die_mem, void *arg)
+ if (dwarf_getlocations(&attr, 0, &base, &start, &end, &ops, &nops) <= 0)
+ return DIE_FIND_CB_SIBLING;
+
++ if (!check_allowed_ops(ops, nops))
++ return DIE_FIND_CB_SIBLING;
++
+ if (die_get_real_type(die_mem, &type_die) == NULL)
+ return DIE_FIND_CB_SIBLING;
+
+--
+2.43.0
+
--- /dev/null
+From fe4d06474030d5c6b5b6631f23d43614ab136ac9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 16:26:25 -0700
+Subject: perf dwarf-aux: Handle bitfield members from pointer access
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit a11b4222bb579dcf9646f3c4ecd2212ae762a2c8 ]
+
+The __die_find_member_offset_cb() missed to handle bitfield members
+which don't have DW_AT_data_member_location. Like in adding member
+types in __add_member_cb() it should fallback to check the bit offset
+when it resolves the member type for an offset.
+
+Fixes: 437683a9941891c1 ("perf dwarf-aux: Handle type transfer for memory access")
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20240821232628.353177-2-namhyung@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/dwarf-aux.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c
+index 0e7d2060740df..1b0e59f4d8e93 100644
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -1977,8 +1977,15 @@ static int __die_find_member_offset_cb(Dwarf_Die *die_mem, void *arg)
+ return DIE_FIND_CB_SIBLING;
+
+ /* Unions might not have location */
+- if (die_get_data_member_location(die_mem, &loc) < 0)
+- loc = 0;
++ if (die_get_data_member_location(die_mem, &loc) < 0) {
++ Dwarf_Attribute attr;
++
++ if (dwarf_attr_integrate(die_mem, DW_AT_data_bit_offset, &attr) &&
++ dwarf_formudata(&attr, &loc) == 0)
++ loc /= 8;
++ else
++ loc = 0;
++ }
+
+ if (offset == loc)
+ return DIE_FIND_CB_END;
+--
+2.43.0
+
--- /dev/null
+From 92ee789c1d571d04b5179370eab48f185c2553ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 20:47:22 +0530
+Subject: perf/dwc_pcie: Always register for PCIe bus notifier
+
+From: Krishna chaitanya chundru <quic_krichai@quicinc.com>
+
+[ Upstream commit b94b05478fb6a09033bf70c6edd03f8930a0fe24 ]
+
+When the PCIe devices are discovered late, the driver can't find
+the PCIe devices and returns in the init without registering with
+the bus notifier. Due to that the devices which are discovered late
+the driver can't register for this.
+
+Register for bus notifier & driver even if the device is not found
+as part of init.
+
+Fixes: af9597adc2f1 ("drivers/perf: add DesignWare PCIe PMU driver")
+Signed-off-by: Krishna chaitanya chundru <quic_krichai@quicinc.com>
+Reviewed-by: Yicong Yang <yangyicong@hisilicon.com>
+Link: https://lore.kernel.org/r/20240816-dwc_pmu_fix-v2-3-198b8ab1077c@quicinc.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/dwc_pcie_pmu.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/perf/dwc_pcie_pmu.c b/drivers/perf/dwc_pcie_pmu.c
+index 85a5155d60180..f205ecad2e4c0 100644
+--- a/drivers/perf/dwc_pcie_pmu.c
++++ b/drivers/perf/dwc_pcie_pmu.c
+@@ -726,7 +726,6 @@ static struct platform_driver dwc_pcie_pmu_driver = {
+ static int __init dwc_pcie_pmu_init(void)
+ {
+ struct pci_dev *pdev = NULL;
+- bool found = false;
+ int ret;
+
+ for_each_pci_dev(pdev) {
+@@ -738,11 +737,7 @@ static int __init dwc_pcie_pmu_init(void)
+ pci_dev_put(pdev);
+ return ret;
+ }
+-
+- found = true;
+ }
+- if (!found)
+- return -ENODEV;
+
+ ret = cpuhp_setup_state_multi(CPUHP_AP_ONLINE_DYN,
+ "perf/dwc_pcie_pmu:online",
+--
+2.43.0
+
--- /dev/null
+From 5ba94c54764b8d02de02c6b245037396017a9369 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 20:47:20 +0530
+Subject: perf/dwc_pcie: Fix registration issue in multi PCIe controller
+ instances
+
+From: Krishna chaitanya chundru <quic_krichai@quicinc.com>
+
+[ Upstream commit e669388537c472142804eb5a0449cc23d5409694 ]
+
+When there are multiple of instances of PCIe controllers, registration
+to perf driver fails with this error.
+sysfs: cannot create duplicate filename '/devices/platform/dwc_pcie_pmu.0'
+CPU: 0 PID: 166 Comm: modprobe Not tainted 6.10.0-rc2-next-20240607-dirty
+Hardware name: Qualcomm SA8775P Ride (DT)
+Call trace:
+ dump_backtrace.part.8+0x98/0xf0
+ show_stack+0x14/0x1c
+ dump_stack_lvl+0x74/0x88
+ dump_stack+0x14/0x1c
+ sysfs_warn_dup+0x60/0x78
+ sysfs_create_dir_ns+0xe8/0x100
+ kobject_add_internal+0x94/0x224
+ kobject_add+0xa8/0x118
+ device_add+0x298/0x7b4
+ platform_device_add+0x1a0/0x228
+ platform_device_register_full+0x11c/0x148
+ dwc_pcie_register_dev+0x74/0xf0 [dwc_pcie_pmu]
+ dwc_pcie_pmu_init+0x7c/0x1000 [dwc_pcie_pmu]
+ do_one_initcall+0x58/0x1c0
+ do_init_module+0x58/0x208
+ load_module+0x1804/0x188c
+ __do_sys_init_module+0x18c/0x1f0
+ __arm64_sys_init_module+0x14/0x1c
+ invoke_syscall+0x40/0xf8
+ el0_svc_common.constprop.1+0x70/0xf4
+ do_el0_svc+0x18/0x20
+ el0_svc+0x28/0xb0
+ el0t_64_sync_handler+0x9c/0xc0
+ el0t_64_sync+0x160/0x164
+kobject: kobject_add_internal failed for dwc_pcie_pmu.0 with -EEXIST,
+don't try to register things with the same name in the same directory.
+
+This is because of having same bdf value for devices under two different
+controllers.
+
+Update the logic to use sbdf which is a unique number in case of
+multi instance also.
+
+Fixes: af9597adc2f1 ("drivers/perf: add DesignWare PCIe PMU driver")
+Signed-off-by: Krishna chaitanya chundru <quic_krichai@quicinc.com>
+Reviewed-by: Yicong Yang <yangyicong@hisilicon.com>
+Link: https://lore.kernel.org/r/20240816-dwc_pmu_fix-v2-1-198b8ab1077c@quicinc.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/dwc_pcie_pmu.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/perf/dwc_pcie_pmu.c b/drivers/perf/dwc_pcie_pmu.c
+index c5e328f238419..85a5155d60180 100644
+--- a/drivers/perf/dwc_pcie_pmu.c
++++ b/drivers/perf/dwc_pcie_pmu.c
+@@ -556,10 +556,10 @@ static int dwc_pcie_register_dev(struct pci_dev *pdev)
+ {
+ struct platform_device *plat_dev;
+ struct dwc_pcie_dev_info *dev_info;
+- u32 bdf;
++ u32 sbdf;
+
+- bdf = PCI_DEVID(pdev->bus->number, pdev->devfn);
+- plat_dev = platform_device_register_data(NULL, "dwc_pcie_pmu", bdf,
++ sbdf = (pci_domain_nr(pdev->bus) << 16) | PCI_DEVID(pdev->bus->number, pdev->devfn);
++ plat_dev = platform_device_register_data(NULL, "dwc_pcie_pmu", sbdf,
+ pdev, sizeof(*pdev));
+
+ if (IS_ERR(plat_dev))
+@@ -611,15 +611,15 @@ static int dwc_pcie_pmu_probe(struct platform_device *plat_dev)
+ struct pci_dev *pdev = plat_dev->dev.platform_data;
+ struct dwc_pcie_pmu *pcie_pmu;
+ char *name;
+- u32 bdf, val;
++ u32 sbdf, val;
+ u16 vsec;
+ int ret;
+
+ vsec = pci_find_vsec_capability(pdev, pdev->vendor,
+ DWC_PCIE_VSEC_RAS_DES_ID);
+ pci_read_config_dword(pdev, vsec + PCI_VNDR_HEADER, &val);
+- bdf = PCI_DEVID(pdev->bus->number, pdev->devfn);
+- name = devm_kasprintf(&plat_dev->dev, GFP_KERNEL, "dwc_rootport_%x", bdf);
++ sbdf = plat_dev->id;
++ name = devm_kasprintf(&plat_dev->dev, GFP_KERNEL, "dwc_rootport_%x", sbdf);
+ if (!name)
+ return -ENOMEM;
+
+@@ -650,7 +650,7 @@ static int dwc_pcie_pmu_probe(struct platform_device *plat_dev)
+ ret = cpuhp_state_add_instance(dwc_pcie_pmu_hp_state,
+ &pcie_pmu->cpuhp_node);
+ if (ret) {
+- pci_err(pdev, "Error %d registering hotplug @%x\n", ret, bdf);
++ pci_err(pdev, "Error %d registering hotplug @%x\n", ret, sbdf);
+ return ret;
+ }
+
+@@ -663,7 +663,7 @@ static int dwc_pcie_pmu_probe(struct platform_device *plat_dev)
+
+ ret = perf_pmu_register(&pcie_pmu->pmu, name, -1);
+ if (ret) {
+- pci_err(pdev, "Error %d registering PMU @%x\n", ret, bdf);
++ pci_err(pdev, "Error %d registering PMU @%x\n", ret, sbdf);
+ return ret;
+ }
+ ret = devm_add_action_or_reset(&plat_dev->dev, dwc_pcie_unregister_pmu,
+--
+2.43.0
+
--- /dev/null
+From 060fc25bd9ab310ece5ea152cffc0503b15e13bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 11:32:02 -0700
+Subject: perf hist: Don't set hpp_fmt_value for members in --no-group
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit 4f3affe0abf5d5910dc469a1f63257629605d3c3 ]
+
+Perf crashes as below when applying --no-group
+
+ # perf record -e "{cache-misses,branches"} -b sleep 1
+ # perf report --stdio --no-group
+ free(): invalid next size (fast)
+ Aborted (core dumped)
+ #
+
+In the __hpp__fmt(), only 1 hpp_fmt_value is allocated for the current
+event when --no-group is applied.
+
+However, the current implementation tries to assign the hists from all
+members to the hpp_fmt_value, which exceeds the allocated memory.
+
+Fixes: 8f6071a3dce40e69 ("perf hist: Simplify __hpp_fmt() using hpp_fmt_data")
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20240820183202.3174323-1-kan.liang@linux.intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/ui/hist.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/tools/perf/ui/hist.c b/tools/perf/ui/hist.c
+index 5d1f04f66a5a1..e5491995adf08 100644
+--- a/tools/perf/ui/hist.c
++++ b/tools/perf/ui/hist.c
+@@ -62,7 +62,7 @@ static int __hpp__fmt(struct perf_hpp *hpp, struct hist_entry *he,
+ struct evsel *pos;
+ char *buf = hpp->buf;
+ size_t size = hpp->size;
+- int i, nr_members = 1;
++ int i = 0, nr_members = 1;
+ struct hpp_fmt_value *values;
+
+ if (evsel__is_group_event(evsel))
+@@ -72,16 +72,16 @@ static int __hpp__fmt(struct perf_hpp *hpp, struct hist_entry *he,
+ if (values == NULL)
+ return 0;
+
+- i = 0;
+- for_each_group_evsel(pos, evsel)
+- values[i++].hists = evsel__hists(pos);
+-
++ values[0].hists = evsel__hists(evsel);
+ values[0].val = get_field(he);
+ values[0].samples = he->stat.nr_events;
+
+ if (evsel__is_group_event(evsel)) {
+ struct hist_entry *pair;
+
++ for_each_group_member(pos, evsel)
++ values[++i].hists = evsel__hists(pos);
++
+ list_for_each_entry(pair, &he->pairs.head, pairs.node) {
+ for (i = 0; i < nr_members; i++) {
+ if (values[i].hists != pair->hists)
+--
+2.43.0
+
--- /dev/null
+From b497de0968929feaab8307c1dc5cd837bc17a16f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 15:06:20 -0700
+Subject: perf inject: Fix leader sampling inserting additional samples
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 79bcd34e0f3da39fda841406ccc957405e724852 ]
+
+The processing of leader samples would turn an individual sample with
+a group of read values into multiple samples. 'perf inject' would pass
+through the additional samples increasing the output data file size:
+
+ $ perf record -g -e "{instructions,cycles}:S" -o perf.orig.data true
+ $ perf script -D -i perf.orig.data | sed -e 's/perf.orig.data/perf.data/g' > orig.txt
+ $ perf inject -i perf.orig.data -o perf.new.data
+ $ perf script -D -i perf.new.data | sed -e 's/perf.new.data/perf.data/g' > new.txt
+ $ diff -u orig.txt new.txt
+ --- orig.txt 2024-07-29 14:29:40.606576769 -0700
+ +++ new.txt 2024-07-29 14:30:04.142737434 -0700
+ ...
+ -0xc550@perf.data [0x30]: event: 3
+ +0xc550@perf.data [0xd0]: event: 9
+ +.
+ +. ... raw event: size 208 bytes
+ +. 0000: 09 00 00 00 01 00 d0 00 fc 72 01 86 ff ff ff ff .........r......
+ +. 0010: 74 7d 2c 00 74 7d 2c 00 fb c3 79 f9 ba d5 05 00 t},.t},...y.....
+ +. 0020: e6 cb 1a 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
+ +. 0030: 02 00 00 00 00 00 00 00 76 01 00 00 00 00 00 00 ........v.......
+ +. 0040: e6 cb 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ +. 0050: 62 18 00 00 00 00 00 00 f6 cb 1a 00 00 00 00 00 b...............
+ +. 0060: 00 00 00 00 00 00 00 00 0c 00 00 00 00 00 00 00 ................
+ +. 0070: 80 ff ff ff ff ff ff ff fc 72 01 86 ff ff ff ff .........r......
+ +. 0080: f3 0e 6e 85 ff ff ff ff 0c cb 7f 85 ff ff ff ff ..n.............
+ +. 0090: bc f2 87 85 ff ff ff ff 44 af 7f 85 ff ff ff ff ........D.......
+ +. 00a0: bd be 7f 85 ff ff ff ff 26 d0 7f 85 ff ff ff ff ........&.......
+ +. 00b0: 6d a4 ff 85 ff ff ff ff ea 00 20 86 ff ff ff ff m......... .....
+ +. 00c0: 00 fe ff ff ff ff ff ff 57 14 4f 43 fc 7e 00 00 ........W.OC.~..
+ +
+ +1642373909693435 0xc550 [0xd0]: PERF_RECORD_SAMPLE(IP, 0x1): 2915700/2915700: 0xffffffff860172fc period: 1 addr: 0
+ +... FP chain: nr:12
+ +..... 0: ffffffffffffff80
+ +..... 1: ffffffff860172fc
+ +..... 2: ffffffff856e0ef3
+ +..... 3: ffffffff857fcb0c
+ +..... 4: ffffffff8587f2bc
+ +..... 5: ffffffff857faf44
+ +..... 6: ffffffff857fbebd
+ +..... 7: ffffffff857fd026
+ +..... 8: ffffffff85ffa46d
+ +..... 9: ffffffff862000ea
+ +..... 10: fffffffffffffe00
+ +..... 11: 00007efc434f1457
+ +... sample_read:
+ +.... group nr 2
+ +..... id 00000000001acbe6, value 0000000000000176, lost 0
+ +..... id 00000000001acbf6, value 0000000000001862, lost 0
+ +
+ +0xc620@perf.data [0x30]: event: 3
+ ...
+
+This behavior is incorrect as in the case above 'perf inject' should
+have done nothing. Fix this behavior by disabling separating samples
+for a tool that requests it. Only request this for `perf inject` so as
+to not affect other perf tools. With the patch and the test above
+there are no differences between the orig.txt and new.txt.
+
+Fixes: e4caec0d1af3d608 ("perf evsel: Add PERF_SAMPLE_READ sample related processing")
+Signed-off-by: Ian Rogers <irogers@google.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20240729220620.2957754-1-irogers@google.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-inject.c | 1 +
+ tools/perf/util/session.c | 3 +++
+ tools/perf/util/tool.h | 1 +
+ 3 files changed, 5 insertions(+)
+
+diff --git a/tools/perf/builtin-inject.c b/tools/perf/builtin-inject.c
+index a212678d47beb..c80fb0f60e611 100644
+--- a/tools/perf/builtin-inject.c
++++ b/tools/perf/builtin-inject.c
+@@ -2204,6 +2204,7 @@ int cmd_inject(int argc, const char **argv)
+ .finished_init = perf_event__repipe_op2_synth,
+ .compressed = perf_event__repipe_op4_synth,
+ .auxtrace = perf_event__repipe_auxtrace,
++ .dont_split_sample_group = true,
+ },
+ .input_name = "-",
+ .samples = LIST_HEAD_INIT(inject.samples),
+diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c
+index 5596bed1b8c83..080242c691969 100644
+--- a/tools/perf/util/session.c
++++ b/tools/perf/util/session.c
+@@ -1511,6 +1511,9 @@ static int deliver_sample_group(struct evlist *evlist,
+ int ret = -EINVAL;
+ struct sample_read_value *v = sample->read.group.values;
+
++ if (tool->dont_split_sample_group)
++ return deliver_sample_value(evlist, tool, event, sample, v, machine);
++
+ sample_read_group__for_each(v, sample->read.group.nr, read_format) {
+ ret = deliver_sample_value(evlist, tool, event, sample, v,
+ machine);
+diff --git a/tools/perf/util/tool.h b/tools/perf/util/tool.h
+index c957fb849ac63..62bbc9cec151b 100644
+--- a/tools/perf/util/tool.h
++++ b/tools/perf/util/tool.h
+@@ -85,6 +85,7 @@ struct perf_tool {
+ bool namespace_events;
+ bool cgroup_events;
+ bool no_warn;
++ bool dont_split_sample_group;
+ enum show_feature_header show_feat_hdr;
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 1dc9249d69c90f9d5894e675a5bc72cc428eb818 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2024 10:25:33 -0700
+Subject: perf lock contention: Change stack_id type to s32
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit 040c0f887fdcfe747a3f63c94e9cd29e9ed0b872 ]
+
+The bpf_get_stackid() helper returns a signed type to check whether it
+failed to get a stacktrace or not. But it saved the result in u32 and
+checked if the value is negative.
+
+ 376 if (needs_callstack) {
+ 377 pelem->stack_id = bpf_get_stackid(ctx, &stacks,
+ 378 BPF_F_FAST_STACK_CMP | stack_skip);
+ --> 379 if (pelem->stack_id < 0)
+
+ ./tools/perf/util/bpf_skel/lock_contention.bpf.c:379 contention_begin()
+ warn: unsigned 'pelem->stack_id' is never less than zero.
+
+Let's change the type to s32 instead.
+
+Fixes: 6d499a6b3d90277d ("perf lock: Print the number of lost entries for BPF")
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20240812172533.2015291-1-namhyung@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/bpf_skel/lock_data.h | 4 ++--
+ tools/perf/util/bpf_skel/vmlinux/vmlinux.h | 1 +
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/bpf_skel/lock_data.h b/tools/perf/util/bpf_skel/lock_data.h
+index 36af11faad03c..de12892f992f8 100644
+--- a/tools/perf/util/bpf_skel/lock_data.h
++++ b/tools/perf/util/bpf_skel/lock_data.h
+@@ -7,11 +7,11 @@ struct tstamp_data {
+ u64 timestamp;
+ u64 lock;
+ u32 flags;
+- u32 stack_id;
++ s32 stack_id;
+ };
+
+ struct contention_key {
+- u32 stack_id;
++ s32 stack_id;
+ u32 pid;
+ u64 lock_addr_or_cgroup;
+ };
+diff --git a/tools/perf/util/bpf_skel/vmlinux/vmlinux.h b/tools/perf/util/bpf_skel/vmlinux/vmlinux.h
+index e9028235d7717..d818e30c54571 100644
+--- a/tools/perf/util/bpf_skel/vmlinux/vmlinux.h
++++ b/tools/perf/util/bpf_skel/vmlinux/vmlinux.h
+@@ -15,6 +15,7 @@
+
+ typedef __u8 u8;
+ typedef __u32 u32;
++typedef __s32 s32;
+ typedef __u64 u64;
+ typedef __s64 s64;
+
+--
+2.43.0
+
--- /dev/null
+From dc7b363e870e37156b5ec83855ea2f6ec8e7aa9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2024 10:07:35 -0700
+Subject: perf mem: Check mem_events for all eligible PMUs
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit 6e05d28ff232cf445cc6ae59336b7f2081ef9b96 ]
+
+The current perf_pmu__mem_events_init() only checks the availability of
+the mem_events for the first eligible PMU. It works for non-hybrid
+machines and hybrid machines that have the same mem_events.
+
+However, it may bring issues if a hybrid machine has a different
+mem_events on different PMU, e.g., Alder Lake and Raptor Lake. A
+mem-loads-aux event is only required for the p-core. The mem_events on
+both e-core and p-core should be checked and marked.
+
+The issue was not found, because it's hidden by another bug, which only
+records the mem-events for the e-core. The wrong check for the p-core
+events didn't yell.
+
+Fixes: abbdd79b786e036e ("perf mem: Clean up perf_mem_events__name()")
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: https://lore.kernel.org/r/20240905170737.4070743-1-kan.liang@linux.intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-c2c.c | 2 +-
+ tools/perf/builtin-mem.c | 2 +-
+ tools/perf/util/mem-events.c | 14 +++++++++++++-
+ tools/perf/util/mem-events.h | 2 +-
+ 4 files changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/tools/perf/builtin-c2c.c b/tools/perf/builtin-c2c.c
+index c157bd31f2e5a..0b2cb59212938 100644
+--- a/tools/perf/builtin-c2c.c
++++ b/tools/perf/builtin-c2c.c
+@@ -3266,7 +3266,7 @@ static int perf_c2c__record(int argc, const char **argv)
+ return -1;
+ }
+
+- if (perf_pmu__mem_events_init(pmu)) {
++ if (perf_pmu__mem_events_init()) {
+ pr_err("failed: memory events not supported\n");
+ return -1;
+ }
+diff --git a/tools/perf/builtin-mem.c b/tools/perf/builtin-mem.c
+index 93413cfcd585a..7fdbaaed14af2 100644
+--- a/tools/perf/builtin-mem.c
++++ b/tools/perf/builtin-mem.c
+@@ -97,7 +97,7 @@ static int __cmd_record(int argc, const char **argv, struct perf_mem *mem)
+ return -1;
+ }
+
+- if (perf_pmu__mem_events_init(pmu)) {
++ if (perf_pmu__mem_events_init()) {
+ pr_err("failed: memory events not supported\n");
+ return -1;
+ }
+diff --git a/tools/perf/util/mem-events.c b/tools/perf/util/mem-events.c
+index be048bd02f36c..17f80013e5743 100644
+--- a/tools/perf/util/mem-events.c
++++ b/tools/perf/util/mem-events.c
+@@ -192,7 +192,7 @@ static bool perf_pmu__mem_events_supported(const char *mnt, struct perf_pmu *pmu
+ return !stat(path, &st);
+ }
+
+-int perf_pmu__mem_events_init(struct perf_pmu *pmu)
++static int __perf_pmu__mem_events_init(struct perf_pmu *pmu)
+ {
+ const char *mnt = sysfs__mount();
+ bool found = false;
+@@ -219,6 +219,18 @@ int perf_pmu__mem_events_init(struct perf_pmu *pmu)
+ return found ? 0 : -ENOENT;
+ }
+
++int perf_pmu__mem_events_init(void)
++{
++ struct perf_pmu *pmu = NULL;
++
++ while ((pmu = perf_pmus__scan_mem(pmu)) != NULL) {
++ if (__perf_pmu__mem_events_init(pmu))
++ return -ENOENT;
++ }
++
++ return 0;
++}
++
+ void perf_pmu__mem_events_list(struct perf_pmu *pmu)
+ {
+ int j;
+diff --git a/tools/perf/util/mem-events.h b/tools/perf/util/mem-events.h
+index ca31014d7934f..a6fc2a5939388 100644
+--- a/tools/perf/util/mem-events.h
++++ b/tools/perf/util/mem-events.h
+@@ -30,7 +30,7 @@ extern unsigned int perf_mem_events__loads_ldlat;
+ extern struct perf_mem_event perf_mem_events[PERF_MEM_EVENTS__MAX];
+
+ int perf_pmu__mem_events_parse(struct perf_pmu *pmu, const char *str);
+-int perf_pmu__mem_events_init(struct perf_pmu *pmu);
++int perf_pmu__mem_events_init(void);
+
+ struct perf_mem_event *perf_pmu__mem_events_ptr(struct perf_pmu *pmu, int i);
+ struct perf_pmu *perf_mem_events_find_pmu(void);
+--
+2.43.0
+
--- /dev/null
+From 1b5db300a01e2e6c268f13b820915eec18f7a798 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2024 10:07:36 -0700
+Subject: perf mem: Fix missed p-core mem events on ADL and RPL
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit 5ad7db2c3f941cde3045ce38a9c4c40b0c7d56b9 ]
+
+The p-core mem events are missed when launching 'perf mem record' on ADL
+and RPL.
+
+ root@number:~# perf mem record sleep 1
+ Memory events are enabled on a subset of CPUs: 16-27
+ [ perf record: Woken up 1 times to write data ]
+ [ perf record: Captured and wrote 0.032 MB perf.data ]
+ root@number:~# perf evlist
+ cpu_atom/mem-loads,ldlat=30/P
+ cpu_atom/mem-stores/P
+ dummy:u
+
+A variable 'record' in the 'struct perf_mem_event' is to indicate
+whether a mem event in a mem_events[] should be recorded. The current
+code only configure the variable for the first eligible PMU.
+
+It's good enough for a non-hybrid machine or a hybrid machine which has
+the same mem_events[].
+
+However, if a different mem_events[] is used for different PMUs on a
+hybrid machine, e.g., ADL or RPL, the 'record' for the second PMU never
+get a chance to be set.
+
+The mem_events[] of the second PMU are always ignored.
+
+'perf mem' doesn't support the per-PMU configuration now. A per-PMU
+mem_events[] 'record' variable doesn't make sense. Make it global.
+
+That could also avoid searching for the per-PMU mem_events[] via
+perf_pmu__mem_events_ptr every time.
+
+Committer testing:
+
+ root@number:~# perf evlist -g
+ cpu_atom/mem-loads,ldlat=30/P
+ cpu_atom/mem-stores/P
+ {cpu_core/mem-loads-aux/,cpu_core/mem-loads,ldlat=30/}
+ cpu_core/mem-stores/P
+ dummy:u
+ root@number:~#
+
+The :S for '{cpu_core/mem-loads-aux/,cpu_core/mem-loads,ldlat=30/}' is
+not being added by 'perf evlist -g', to be checked.
+
+Fixes: abbdd79b786e036e ("perf mem: Clean up perf_mem_events__name()")
+Reported-by: Arnaldo Carvalho de Melo <acme@kernel.org>
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Closes: https://lore.kernel.org/lkml/Zthu81fA3kLC2CS2@x1/
+Link: https://lore.kernel.org/r/20240905170737.4070743-2-kan.liang@linux.intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-c2c.c | 12 ++++--------
+ tools/perf/builtin-mem.c | 17 ++++++-----------
+ tools/perf/util/mem-events.c | 6 ++++--
+ tools/perf/util/mem-events.h | 2 +-
+ 4 files changed, 15 insertions(+), 22 deletions(-)
+
+diff --git a/tools/perf/builtin-c2c.c b/tools/perf/builtin-c2c.c
+index 0b2cb59212938..7298f36070622 100644
+--- a/tools/perf/builtin-c2c.c
++++ b/tools/perf/builtin-c2c.c
+@@ -3290,19 +3290,15 @@ static int perf_c2c__record(int argc, const char **argv)
+ * PERF_MEM_EVENTS__LOAD_STORE if it is supported.
+ */
+ if (e->tag) {
+- e->record = true;
++ perf_mem_record[PERF_MEM_EVENTS__LOAD_STORE] = true;
+ rec_argv[i++] = "-W";
+ } else {
+- e = perf_pmu__mem_events_ptr(pmu, PERF_MEM_EVENTS__LOAD);
+- e->record = true;
+-
+- e = perf_pmu__mem_events_ptr(pmu, PERF_MEM_EVENTS__STORE);
+- e->record = true;
++ perf_mem_record[PERF_MEM_EVENTS__LOAD] = true;
++ perf_mem_record[PERF_MEM_EVENTS__STORE] = true;
+ }
+ }
+
+- e = perf_pmu__mem_events_ptr(pmu, PERF_MEM_EVENTS__LOAD);
+- if (e->record)
++ if (perf_mem_record[PERF_MEM_EVENTS__LOAD])
+ rec_argv[i++] = "-W";
+
+ rec_argv[i++] = "-d";
+diff --git a/tools/perf/builtin-mem.c b/tools/perf/builtin-mem.c
+index 7fdbaaed14af2..08724fa508e14 100644
+--- a/tools/perf/builtin-mem.c
++++ b/tools/perf/builtin-mem.c
+@@ -126,22 +126,17 @@ static int __cmd_record(int argc, const char **argv, struct perf_mem *mem)
+ if (e->tag &&
+ (mem->operation & MEM_OPERATION_LOAD) &&
+ (mem->operation & MEM_OPERATION_STORE)) {
+- e->record = true;
++ perf_mem_record[PERF_MEM_EVENTS__LOAD_STORE] = true;
+ rec_argv[i++] = "-W";
+ } else {
+- if (mem->operation & MEM_OPERATION_LOAD) {
+- e = perf_pmu__mem_events_ptr(pmu, PERF_MEM_EVENTS__LOAD);
+- e->record = true;
+- }
++ if (mem->operation & MEM_OPERATION_LOAD)
++ perf_mem_record[PERF_MEM_EVENTS__LOAD] = true;
+
+- if (mem->operation & MEM_OPERATION_STORE) {
+- e = perf_pmu__mem_events_ptr(pmu, PERF_MEM_EVENTS__STORE);
+- e->record = true;
+- }
++ if (mem->operation & MEM_OPERATION_STORE)
++ perf_mem_record[PERF_MEM_EVENTS__STORE] = true;
+ }
+
+- e = perf_pmu__mem_events_ptr(pmu, PERF_MEM_EVENTS__LOAD);
+- if (e->record)
++ if (perf_mem_record[PERF_MEM_EVENTS__LOAD])
+ rec_argv[i++] = "-W";
+
+ rec_argv[i++] = "-d";
+diff --git a/tools/perf/util/mem-events.c b/tools/perf/util/mem-events.c
+index 17f80013e5743..051feb93ed8d4 100644
+--- a/tools/perf/util/mem-events.c
++++ b/tools/perf/util/mem-events.c
+@@ -29,6 +29,8 @@ struct perf_mem_event perf_mem_events[PERF_MEM_EVENTS__MAX] = {
+ };
+ #undef E
+
++bool perf_mem_record[PERF_MEM_EVENTS__MAX] = { 0 };
++
+ static char mem_loads_name[100];
+ static char mem_stores_name[100];
+
+@@ -163,7 +165,7 @@ int perf_pmu__mem_events_parse(struct perf_pmu *pmu, const char *str)
+ continue;
+
+ if (strstr(e->tag, tok))
+- e->record = found = true;
++ perf_mem_record[j] = found = true;
+ }
+
+ tok = strtok_r(NULL, ",", &saveptr);
+@@ -261,7 +263,7 @@ int perf_mem_events__record_args(const char **rec_argv, int *argv_nr)
+ for (int j = 0; j < PERF_MEM_EVENTS__MAX; j++) {
+ e = perf_pmu__mem_events_ptr(pmu, j);
+
+- if (!e->record)
++ if (!perf_mem_record[j])
+ continue;
+
+ if (!e->supported) {
+diff --git a/tools/perf/util/mem-events.h b/tools/perf/util/mem-events.h
+index a6fc2a5939388..8dc27db9fd52f 100644
+--- a/tools/perf/util/mem-events.h
++++ b/tools/perf/util/mem-events.h
+@@ -6,7 +6,6 @@
+ #include <linux/types.h>
+
+ struct perf_mem_event {
+- bool record;
+ bool supported;
+ bool ldlat;
+ u32 aux_event;
+@@ -28,6 +27,7 @@ struct perf_pmu;
+
+ extern unsigned int perf_mem_events__loads_ldlat;
+ extern struct perf_mem_event perf_mem_events[PERF_MEM_EVENTS__MAX];
++extern bool perf_mem_record[PERF_MEM_EVENTS__MAX];
+
+ int perf_pmu__mem_events_parse(struct perf_pmu *pmu, const char *str);
+ int perf_pmu__mem_events_init(void);
+--
+2.43.0
+
--- /dev/null
+From 08d5a29a96a8aa043984eea61386b6f7292568bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jul 2024 16:55:01 -0700
+Subject: perf mem: Free the allocated sort string, fixing a leak
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit 3da209bb1177462b6fe8e3021a5527a5a49a9336 ]
+
+The get_sort_order() returns either a new string (from strdup) or NULL
+but it never gets freed.
+
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Fixes: 2e7f545096f954a9 ("perf mem: Factor out a function to generate sort order")
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Link: https://lore.kernel.org/r/20240731235505.710436-3-namhyung@kernel.org
+[ Added Fixes tag ]
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-mem.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/builtin-mem.c b/tools/perf/builtin-mem.c
+index 863fcd735daee..93413cfcd585a 100644
+--- a/tools/perf/builtin-mem.c
++++ b/tools/perf/builtin-mem.c
+@@ -372,6 +372,7 @@ static int report_events(int argc, const char **argv, struct perf_mem *mem)
+ rep_argv[i] = argv[j];
+
+ ret = cmd_report(i, rep_argv);
++ free(new_sort_order);
+ free(rep_argv);
+ return ret;
+ }
+--
+2.43.0
+
--- /dev/null
+From 9739460fd4272c736742efbf6fdac05318177b02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Aug 2024 09:02:00 -0700
+Subject: perf report: Fix --total-cycles --stdio output error
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit 3ef44458071a19e5b5832cdfe6f75273aa521b6e ]
+
+The --total-cycles may output wrong information with the --stdio.
+
+For example:
+
+ # perf record -e "{cycles,instructions}",cache-misses -b sleep 1
+ # perf report --total-cycles --stdio
+
+The total cycles output of {cycles,instructions} and cache-misses are
+almost the same.
+
+ # Samples: 938 of events 'anon group { cycles, instructions }'
+ # Event count (approx.): 938
+ #
+ # Sampled Cycles% Sampled Cycles Avg Cycles% Avg Cycles [Program Block Range]
+ # ............... .............. ........... .......... ..................................................>
+ #
+ 11.19% 2.6K 0.10% 21 [perf_iterate_ctx+48 -> >
+ 5.79% 1.4K 0.45% 97 [__intel_pmu_enable_all.constprop.0+80 -> __intel_>
+ 5.11% 1.2K 0.33% 71 [native_write_msr+0 ->>
+
+ # Samples: 293 of event 'cache-misses'
+ # Event count (approx.): 293
+ #
+ # Sampled Cycles% Sampled Cycles Avg Cycles% Avg Cycles [Program Block Range]
+ # ............... .............. ........... .......... ..................................................>
+ #
+ 11.19% 2.6K 0.13% 21 [perf_iterate_ctx+48 -> >
+ 5.79% 1.4K 0.59% 97 [__intel_pmu_enable_all.constprop.0+80 -> __intel_>
+ 5.11% 1.2K 0.43% 71 [native_write_msr+0 ->>
+
+With the symbol_conf.event_group, the 'perf report' should only report the
+block information of the leader event in a group.
+
+However, the current implementation retrieves the next event's block
+information, rather than the next group leader's block information.
+
+Make sure the index is updated even if the event is skipped.
+
+With the patch,
+
+ # Samples: 293 of event 'cache-misses'
+ # Event count (approx.): 293
+ #
+ # Sampled Cycles% Sampled Cycles Avg Cycles% Avg Cycles [Program Block Range]
+ # ............... .............. ........... .......... ..................................................>
+ #
+ 37.98% 9.0K 4.05% 299 [perf_event_addr_filters_exec+0 -> perf_event_a>
+ 11.19% 2.6K 0.28% 21 [perf_iterate_ctx+48 -> >
+ 5.79% 1.4K 1.32% 97 [__intel_pmu_enable_all.constprop.0+80 -> __intel_>
+
+Fixes: 6f7164fa231a5f36 ("perf report: Sort by sampled cycles percent per block for stdio")
+Reviewed-by: Andi Kleen <ak@linux.intel.com>
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Jin Yao <yao.jin@linux.intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Link: https://lore.kernel.org/r/20240813160208.2493643-2-kan.liang@linux.intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-report.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-report.c b/tools/perf/builtin-report.c
+index 6edc0d4ce6fbe..40826f825c9c2 100644
+--- a/tools/perf/builtin-report.c
++++ b/tools/perf/builtin-report.c
+@@ -565,6 +565,7 @@ static int evlist__tty_browse_hists(struct evlist *evlist, struct report *rep, c
+ struct hists *hists = evsel__hists(pos);
+ const char *evname = evsel__name(pos);
+
++ i++;
+ if (symbol_conf.event_group && !evsel__is_group_leader(pos))
+ continue;
+
+@@ -574,7 +575,7 @@ static int evlist__tty_browse_hists(struct evlist *evlist, struct report *rep, c
+ hists__fprintf_nr_sample_events(hists, rep, evname, stdout);
+
+ if (rep->total_cycles_mode) {
+- report__browse_block_hists(&rep->block_reports[i++].hist,
++ report__browse_block_hists(&rep->block_reports[i - 1].hist,
+ rep->min_percent, pos, NULL);
+ continue;
+ }
+--
+2.43.0
+
--- /dev/null
+From 1f261863dc9eace7613b18f52210621fb183cd23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2024 10:35:33 +0800
+Subject: perf sched timehist: Fix missing free of session in
+ perf_sched__timehist()
+
+From: Yang Jihong <yangjihong@bytedance.com>
+
+[ Upstream commit 6bdf5168b6fb19541b0c1862bdaa596d116c7bfb ]
+
+When perf_time__parse_str() fails in perf_sched__timehist(),
+need to free session that was previously created, fix it.
+
+Fixes: 853b74071110bed3 ("perf sched timehist: Add option to specify time window of interest")
+Signed-off-by: Yang Jihong <yangjihong@bytedance.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: David Ahern <dsa@cumulusnetworks.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20240806023533.1316348-1-yangjihong@bytedance.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-sched.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
+index 8750b5f2d49b4..928b9041535d3 100644
+--- a/tools/perf/builtin-sched.c
++++ b/tools/perf/builtin-sched.c
+@@ -3121,7 +3121,8 @@ static int perf_sched__timehist(struct perf_sched *sched)
+
+ if (perf_time__parse_str(&sched->ptime, sched->time_str) != 0) {
+ pr_err("Invalid time string\n");
+- return -EINVAL;
++ err = -EINVAL;
++ goto out;
+ }
+
+ if (timehist_check_attr(sched, evlist) != 0)
+--
+2.43.0
+
--- /dev/null
+From e49d8aec6408838293104e7630f283fd8d9d65af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Aug 2024 10:47:20 +0800
+Subject: perf sched timehist: Fixed timestamp error when unable to confirm
+ event sched_in time
+
+From: Yang Jihong <yangjihong@bytedance.com>
+
+[ Upstream commit 39c243411bdb8fb35777adf49ee32549633c4e12 ]
+
+If sched_in event for current task is not recorded, sched_in timestamp
+will be set to end_time of time window interest, causing an error in
+timestamp show. In this case, we choose to ignore this event.
+
+Test scenario:
+
+ perf[1229608] does not record the first sched_in event, run time and sch delay are both 0
+
+ # perf sched timehist
+ Samples of sched_switch event do not have callchains.
+ time cpu task name wait time sch delay run time
+ [tid/pid] (msec) (msec) (msec)
+ --------------- ------ ------------------------------ --------- --------- ---------
+ 2090450.763231 [0000] perf[1229608] 0.000 0.000 0.000
+ 2090450.763235 [0000] migration/0[15] 0.000 0.001 0.003
+ 2090450.763263 [0001] perf[1229608] 0.000 0.000 0.000
+ 2090450.763268 [0001] migration/1[21] 0.000 0.001 0.004
+ 2090450.763302 [0002] perf[1229608] 0.000 0.000 0.000
+ 2090450.763309 [0002] migration/2[27] 0.000 0.001 0.007
+ 2090450.763338 [0003] perf[1229608] 0.000 0.000 0.000
+ 2090450.763343 [0003] migration/3[33] 0.000 0.001 0.004
+
+Before:
+
+ arbitrarily specify a time window of interest, timestamp will be set to an incorrect value
+
+ # perf sched timehist --time 100,200
+ Samples of sched_switch event do not have callchains.
+ time cpu task name wait time sch delay run time
+ [tid/pid] (msec) (msec) (msec)
+ --------------- ------ ------------------------------ --------- --------- ---------
+ 200.000000 [0000] perf[1229608] 0.000 0.000 0.000
+ 200.000000 [0001] perf[1229608] 0.000 0.000 0.000
+ 200.000000 [0002] perf[1229608] 0.000 0.000 0.000
+ 200.000000 [0003] perf[1229608] 0.000 0.000 0.000
+ 200.000000 [0004] perf[1229608] 0.000 0.000 0.000
+ 200.000000 [0005] perf[1229608] 0.000 0.000 0.000
+ 200.000000 [0006] perf[1229608] 0.000 0.000 0.000
+ 200.000000 [0007] perf[1229608] 0.000 0.000 0.000
+
+ After:
+
+ # perf sched timehist --time 100,200
+ Samples of sched_switch event do not have callchains.
+ time cpu task name wait time sch delay run time
+ [tid/pid] (msec) (msec) (msec)
+ --------------- ------ ------------------------------ --------- --------- ---------
+
+Fixes: 853b74071110bed3 ("perf sched timehist: Add option to specify time window of interest")
+Signed-off-by: Yang Jihong <yangjihong@bytedance.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: David Ahern <dsa@cumulusnetworks.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: James Clark <james.clark@arm.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20240819024720.2405244-1-yangjihong@bytedance.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-sched.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
+index 928b9041535d3..d0c44f6116ed4 100644
+--- a/tools/perf/builtin-sched.c
++++ b/tools/perf/builtin-sched.c
+@@ -2683,9 +2683,12 @@ static int timehist_sched_change_event(struct perf_tool *tool,
+ * - previous sched event is out of window - we are done
+ * - sample time is beyond window user cares about - reset it
+ * to close out stats for time window interest
++ * - If tprev is 0, that is, sched_in event for current task is
++ * not recorded, cannot determine whether sched_in event is
++ * within time window interest - ignore it
+ */
+ if (ptime->end) {
+- if (tprev > ptime->end)
++ if (!tprev || tprev > ptime->end)
+ goto out;
+
+ if (t > ptime->end)
+--
+2.43.0
+
--- /dev/null
+From 7885640b9d6d8fef43f9f1c081252c7eef7d18d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jul 2024 14:28:58 +0100
+Subject: perf scripts python cs-etm: Restore first sample log in verbose mode
+
+From: James Clark <james.clark@linaro.org>
+
+[ Upstream commit ae8e4f4048b839c1cb333d9e3d20e634b430139e ]
+
+The linked commit moved the early return on the first sample to before
+the verbose log, so move the log earlier too. Now the first sample is
+also logged and not skipped.
+
+Fixes: 2d98dbb4c9c5b09c ("perf scripts python arm-cs-trace-disasm.py: Do not ignore disam first sample")
+Reviewed-by: Leo Yan <leo.yan@arm.com>
+Signed-off-by: James Clark <james.clark@linaro.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Benjamin Gray <bgray@linux.ibm.com>
+Cc: coresight@lists.linaro.org
+Cc: gankulkarni@os.amperecomputing.com
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Mike Leach <mike.leach@linaro.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ruidong Tian <tianruidong@linux.alibaba.com>
+Cc: Suzuki Poulouse <suzuki.poulose@arm.com>
+Link: https://lore.kernel.org/r/20240723132858.12747-1-james.clark@linaro.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/scripts/python/arm-cs-trace-disasm.py | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/tools/perf/scripts/python/arm-cs-trace-disasm.py b/tools/perf/scripts/python/arm-cs-trace-disasm.py
+index d973c2baed1c8..7aff02d84ffb3 100755
+--- a/tools/perf/scripts/python/arm-cs-trace-disasm.py
++++ b/tools/perf/scripts/python/arm-cs-trace-disasm.py
+@@ -192,17 +192,16 @@ def process_event(param_dict):
+ ip = sample["ip"]
+ addr = sample["addr"]
+
++ if (options.verbose == True):
++ print("Event type: %s" % name)
++ print_sample(sample)
++
+ # Initialize CPU data if it's empty, and directly return back
+ # if this is the first tracing event for this CPU.
+ if (cpu_data.get(str(cpu) + 'addr') == None):
+ cpu_data[str(cpu) + 'addr'] = addr
+ return
+
+-
+- if (options.verbose == True):
+- print("Event type: %s" % name)
+- print_sample(sample)
+-
+ # If cannot find dso so cannot dump assembler, bail out
+ if (dso == '[unknown]'):
+ return
+--
+2.43.0
+
--- /dev/null
+From 1dcef1902d580e347188cf73bf41a0cfcc55f3f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Aug 2024 14:58:00 +0800
+Subject: perf stat: Display iostat headers correctly
+
+From: Yicong Yang <yangyicong@hisilicon.com>
+
+[ Upstream commit 2615639352420e6e3115952c5b8f46846e1c6d0e ]
+
+Currently we'll only print metric headers for metric leader in
+aggregration mode. This will make `perf iostat` header not shown
+since it'll aggregrated globally but don't have metric events:
+
+ root@ubuntu204:/home/yang/linux/tools/perf# ./perf stat --iostat --timeout 1000
+ Performance counter stats for 'system wide':
+ port
+ 0000:00 0 0 0 0
+ 0000:80 0 0 0 0
+ [...]
+
+Fix this by excluding the iostat in the check of printing metric
+headers. Then we can see the headers:
+
+ root@ubuntu204:/home/yang/linux/tools/perf# ./perf stat --iostat --timeout 1000
+ Performance counter stats for 'system wide':
+ port Inbound Read(MB) Inbound Write(MB) Outbound Read(MB) Outbound Write(MB)
+ 0000:00 0 0 0 0
+ 0000:80 0 0 0 0
+ [...]
+
+Fixes: 193a9e30207f5477 ("perf stat: Don't display metric header for non-leader uncore events")
+Signed-off-by: Yicong Yang <yangyicong@hisilicon.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jonathan Cameron <jonathan.cameron@huawei.com>
+Cc: Junhao He <hejunhao3@huawei.com>
+Cc: linuxarm@huawei.com
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Shameerali Kolothum Thodi <shameerali.kolothum.thodi@huawei.com>
+Cc: Zeng Tao <prime.zeng@hisilicon.com>
+Link: https://lore.kernel.org/r/20240802065800.48774-1-yangyicong@huawei.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/stat-display.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/stat-display.c b/tools/perf/util/stat-display.c
+index c38bcb6f4c78e..ea96e4ebad8c8 100644
+--- a/tools/perf/util/stat-display.c
++++ b/tools/perf/util/stat-display.c
+@@ -1237,7 +1237,8 @@ static void print_metric_headers(struct perf_stat_config *config,
+
+ /* Print metrics headers only */
+ evlist__for_each_entry(evlist, counter) {
+- if (config->aggr_mode != AGGR_NONE && counter->metric_leader != counter)
++ if (!config->iostat_run &&
++ config->aggr_mode != AGGR_NONE && counter->metric_leader != counter)
+ continue;
+
+ os.evsel = counter;
+--
+2.43.0
+
--- /dev/null
+From c14673d267d03a01c4df64c1895d6bebba4044bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 31 Aug 2024 00:04:11 -0700
+Subject: perf time-utils: Fix 32-bit nsec parsing
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 38e2648a81204c9fc5b4c87a8ffce93a6ed91b65 ]
+
+The "time utils" test fails in 32-bit builds:
+ ...
+ parse_nsec_time("18446744073.709551615")
+ Failed. ptime 4294967295709551615 expected 18446744073709551615
+ ...
+
+Switch strtoul to strtoull as an unsigned long in 32-bit build isn't
+64-bits.
+
+Fixes: c284d669a20d408b ("perf tools: Move parse_nsec_time to time-utils.c")
+Signed-off-by: Ian Rogers <irogers@google.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Cc: Chaitanya S Prakash <chaitanyas.prakash@arm.com>
+Cc: Colin Ian King <colin.i.king@gmail.com>
+Cc: David Ahern <dsa@cumulusnetworks.com>
+Cc: Dominique Martinet <asmadeus@codewreck.org>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: James Clark <james.clark@linaro.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: John Garry <john.g.garry@oracle.com>
+Cc: Junhao He <hejunhao3@huawei.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Yang Jihong <yangjihong@bytedance.com>
+Link: https://lore.kernel.org/r/20240831070415.506194-3-irogers@google.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/time-utils.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/time-utils.c b/tools/perf/util/time-utils.c
+index 3024439216816..1b91ccd4d5234 100644
+--- a/tools/perf/util/time-utils.c
++++ b/tools/perf/util/time-utils.c
+@@ -20,7 +20,7 @@ int parse_nsec_time(const char *str, u64 *ptime)
+ u64 time_sec, time_nsec;
+ char *end;
+
+- time_sec = strtoul(str, &end, 10);
++ time_sec = strtoull(str, &end, 10);
+ if (*end != '.' && *end != '\0')
+ return -1;
+
+@@ -38,7 +38,7 @@ int parse_nsec_time(const char *str, u64 *ptime)
+ for (i = strlen(nsec_buf); i < 9; i++)
+ nsec_buf[i] = '0';
+
+- time_nsec = strtoul(nsec_buf, &end, 10);
++ time_nsec = strtoull(nsec_buf, &end, 10);
+ if (*end != '\0')
+ return -1;
+ } else
+--
+2.43.0
+
--- /dev/null
+From c666b373b9edc3305533e4b6a37f710bfb23f709 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Aug 2024 21:20:04 -0700
+Subject: perf vendor events: SKX, CLX, SNR uncore cache event fixes
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 7a75c6c23a2ea8dd22d90805b3a42bd65c53830e ]
+
+Cache home agent (CHA) events were setting the low rather than high
+config1 bits. SNR was using CLX CHA events, however its CHA is similar
+to ICX so remove the events.
+
+Incorporate the updates in:
+
+ https://github.com/intel/perfmon/pull/215
+ https://github.com/intel/perfmon/pull/216
+
+Fixes: 4cc49942444e958b ("perf vendor events: Update cascadelakex events/metrics")
+Closes: https://lore.kernel.org/linux-perf-users/CAPhsuW4nem9XZP+b=sJJ7kqXG-cafz0djZf51HsgjCiwkGBA+A@mail.gmail.com/
+Reported-by: Song Liu <song@kernel.org>
+Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
+Co-authored-by: Weilin Wang <weilin.wang@intel.com>
+Signed-off-by: Ian Rogers <irogers@google.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20240811042004.421869-1-irogers@google.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../arch/x86/cascadelakex/uncore-cache.json | 60 +++++++++----------
+ .../arch/x86/skylakex/uncore-cache.json | 60 +++++++++----------
+ .../arch/x86/snowridgex/uncore-cache.json | 57 ------------------
+ 3 files changed, 60 insertions(+), 117 deletions(-)
+
+diff --git a/tools/perf/pmu-events/arch/x86/cascadelakex/uncore-cache.json b/tools/perf/pmu-events/arch/x86/cascadelakex/uncore-cache.json
+index c9596e18ec090..6347eba488105 100644
+--- a/tools/perf/pmu-events/arch/x86/cascadelakex/uncore-cache.json
++++ b/tools/perf/pmu-events/arch/x86/cascadelakex/uncore-cache.json
+@@ -4577,7 +4577,7 @@
+ "Counter": "0,1,2,3",
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IA_HIT_CRD",
+- "Filter": "config1=0x40233",
++ "Filter": "config1=0x4023300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Inserts : CRds issued by iA Cores that Hit the LLC : Counts the number of entries successfully inserted into the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x11",
+@@ -4588,7 +4588,7 @@
+ "Counter": "0,1,2,3",
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IA_HIT_DRD",
+- "Filter": "config1=0x40433",
++ "Filter": "config1=0x4043300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Inserts : DRds issued by iA Cores that Hit the LLC : Counts the number of entries successfully inserted into the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x11",
+@@ -4599,7 +4599,7 @@
+ "Counter": "0,1,2,3",
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IA_HIT_LlcPrefCRD",
+- "Filter": "config1=0x4b233",
++ "Filter": "config1=0x4b23300000000",
+ "PerPkg": "1",
+ "UMask": "0x11",
+ "Unit": "CHA"
+@@ -4609,7 +4609,7 @@
+ "Counter": "0,1,2,3",
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IA_HIT_LlcPrefDRD",
+- "Filter": "config1=0x4b433",
++ "Filter": "config1=0x4b43300000000",
+ "PerPkg": "1",
+ "UMask": "0x11",
+ "Unit": "CHA"
+@@ -4619,7 +4619,7 @@
+ "Counter": "0,1,2,3",
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IA_HIT_LlcPrefRFO",
+- "Filter": "config1=0x4b033",
++ "Filter": "config1=0x4b03300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Inserts : LLCPrefRFO issued by iA Cores that hit the LLC : Counts the number of entries successfully inserted into the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x11",
+@@ -4630,7 +4630,7 @@
+ "Counter": "0,1,2,3",
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IA_HIT_RFO",
+- "Filter": "config1=0x40033",
++ "Filter": "config1=0x4003300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Inserts : RFOs issued by iA Cores that Hit the LLC : Counts the number of entries successfully inserted into the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x11",
+@@ -4651,7 +4651,7 @@
+ "Counter": "0,1,2,3",
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IA_MISS_CRD",
+- "Filter": "config1=0x40233",
++ "Filter": "config1=0x4023300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Inserts : CRds issued by iA Cores that Missed the LLC : Counts the number of entries successfully inserted into the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x21",
+@@ -4662,7 +4662,7 @@
+ "Counter": "0,1,2,3",
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IA_MISS_DRD",
+- "Filter": "config1=0x40433",
++ "Filter": "config1=0x4043300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Inserts : DRds issued by iA Cores that Missed the LLC : Counts the number of entries successfully inserted into the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x21",
+@@ -4673,7 +4673,7 @@
+ "Counter": "0,1,2,3",
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IA_MISS_LlcPrefCRD",
+- "Filter": "config1=0x4b233",
++ "Filter": "config1=0x4b23300000000",
+ "PerPkg": "1",
+ "UMask": "0x21",
+ "Unit": "CHA"
+@@ -4683,7 +4683,7 @@
+ "Counter": "0,1,2,3",
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IA_MISS_LlcPrefDRD",
+- "Filter": "config1=0x4b433",
++ "Filter": "config1=0x4b43300000000",
+ "PerPkg": "1",
+ "UMask": "0x21",
+ "Unit": "CHA"
+@@ -4693,7 +4693,7 @@
+ "Counter": "0,1,2,3",
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IA_MISS_LlcPrefRFO",
+- "Filter": "config1=0x4b033",
++ "Filter": "config1=0x4b03300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Inserts : LLCPrefRFO issued by iA Cores that missed the LLC : Counts the number of entries successfully inserted into the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x21",
+@@ -4704,7 +4704,7 @@
+ "Counter": "0,1,2,3",
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IA_MISS_RFO",
+- "Filter": "config1=0x40033",
++ "Filter": "config1=0x4003300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Inserts : RFOs issued by iA Cores that Missed the LLC : Counts the number of entries successfully inserted into the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x21",
+@@ -4747,7 +4747,7 @@
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IO_MISS_ITOM",
+ "Experimental": "1",
+- "Filter": "config1=0x49033",
++ "Filter": "config1=0x4903300000000",
+ "PerPkg": "1",
+ "PublicDescription": "Counts the number of entries successfully inserted into the TOR that are generated from local IO ItoM requests that miss the LLC. An ItoM request is used by IIO to request a data write without first reading the data for ownership.",
+ "UMask": "0x24",
+@@ -4759,7 +4759,7 @@
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IO_MISS_RDCUR",
+ "Experimental": "1",
+- "Filter": "config1=0x43C33",
++ "Filter": "config1=0x43c3300000000",
+ "PerPkg": "1",
+ "PublicDescription": "Counts the number of entries successfully inserted into the TOR that are generated from local IO RdCur requests and miss the LLC. A RdCur request is used by IIO to read data without changing state.",
+ "UMask": "0x24",
+@@ -4771,7 +4771,7 @@
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IO_MISS_RFO",
+ "Experimental": "1",
+- "Filter": "config1=0x40033",
++ "Filter": "config1=0x4003300000000",
+ "PerPkg": "1",
+ "PublicDescription": "Counts the number of entries successfully inserted into the TOR that are generated from local IO RFO requests that miss the LLC. A read for ownership (RFO) requests a cache line to be cached in E state with the intent to modify.",
+ "UMask": "0x24",
+@@ -4999,7 +4999,7 @@
+ "Counter": "0",
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IA_HIT_CRD",
+- "Filter": "config1=0x40233",
++ "Filter": "config1=0x4023300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Occupancy : CRds issued by iA Cores that Hit the LLC : For each cycle, this event accumulates the number of valid entries in the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x11",
+@@ -5010,7 +5010,7 @@
+ "Counter": "0",
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IA_HIT_DRD",
+- "Filter": "config1=0x40433",
++ "Filter": "config1=0x4043300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Occupancy : DRds issued by iA Cores that Hit the LLC : For each cycle, this event accumulates the number of valid entries in the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x11",
+@@ -5021,7 +5021,7 @@
+ "Counter": "0",
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IA_HIT_LlcPrefCRD",
+- "Filter": "config1=0x4b233",
++ "Filter": "config1=0x4b23300000000",
+ "PerPkg": "1",
+ "UMask": "0x11",
+ "Unit": "CHA"
+@@ -5031,7 +5031,7 @@
+ "Counter": "0",
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IA_HIT_LlcPrefDRD",
+- "Filter": "config1=0x4b433",
++ "Filter": "config1=0x4b43300000000",
+ "PerPkg": "1",
+ "UMask": "0x11",
+ "Unit": "CHA"
+@@ -5041,7 +5041,7 @@
+ "Counter": "0",
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IA_HIT_LlcPrefRFO",
+- "Filter": "config1=0x4b033",
++ "Filter": "config1=0x4b03300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Occupancy : LLCPrefRFO issued by iA Cores that hit the LLC : For each cycle, this event accumulates the number of valid entries in the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x11",
+@@ -5052,7 +5052,7 @@
+ "Counter": "0",
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IA_HIT_RFO",
+- "Filter": "config1=0x40033",
++ "Filter": "config1=0x4003300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Occupancy : RFOs issued by iA Cores that Hit the LLC : For each cycle, this event accumulates the number of valid entries in the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x11",
+@@ -5073,7 +5073,7 @@
+ "Counter": "0",
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IA_MISS_CRD",
+- "Filter": "config1=0x40233",
++ "Filter": "config1=0x4023300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Occupancy : CRds issued by iA Cores that Missed the LLC : For each cycle, this event accumulates the number of valid entries in the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x21",
+@@ -5084,7 +5084,7 @@
+ "Counter": "0",
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IA_MISS_DRD",
+- "Filter": "config1=0x40433",
++ "Filter": "config1=0x4043300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Occupancy : DRds issued by iA Cores that Missed the LLC : For each cycle, this event accumulates the number of valid entries in the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x21",
+@@ -5095,7 +5095,7 @@
+ "Counter": "0",
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IA_MISS_LlcPrefCRD",
+- "Filter": "config1=0x4b233",
++ "Filter": "config1=0x4b23300000000",
+ "PerPkg": "1",
+ "UMask": "0x21",
+ "Unit": "CHA"
+@@ -5105,7 +5105,7 @@
+ "Counter": "0",
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IA_MISS_LlcPrefDRD",
+- "Filter": "config1=0x4b433",
++ "Filter": "config1=0x4b43300000000",
+ "PerPkg": "1",
+ "UMask": "0x21",
+ "Unit": "CHA"
+@@ -5115,7 +5115,7 @@
+ "Counter": "0",
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IA_MISS_LlcPrefRFO",
+- "Filter": "config1=0x4b033",
++ "Filter": "config1=0x4b03300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Occupancy : LLCPrefRFO issued by iA Cores that missed the LLC : For each cycle, this event accumulates the number of valid entries in the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x21",
+@@ -5126,7 +5126,7 @@
+ "Counter": "0",
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IA_MISS_RFO",
+- "Filter": "config1=0x40033",
++ "Filter": "config1=0x4003300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Occupancy : RFOs issued by iA Cores that Missed the LLC : For each cycle, this event accumulates the number of valid entries in the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x21",
+@@ -5171,7 +5171,7 @@
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IO_MISS_ITOM",
+ "Experimental": "1",
+- "Filter": "config1=0x49033",
++ "Filter": "config1=0x4903300000000",
+ "PerPkg": "1",
+ "PublicDescription": "For each cycle, this event accumulates the number of valid entries in the TOR that are generated from local IO ItoM requests that miss the LLC. An ItoM is used by IIO to request a data write without first reading the data for ownership.",
+ "UMask": "0x24",
+@@ -5183,7 +5183,7 @@
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IO_MISS_RDCUR",
+ "Experimental": "1",
+- "Filter": "config1=0x43C33",
++ "Filter": "config1=0x43c3300000000",
+ "PerPkg": "1",
+ "PublicDescription": "For each cycle, this event accumulates the number of valid entries in the TOR that are generated from local IO RdCur requests that miss the LLC. A RdCur request is used by IIO to read data without changing state.",
+ "UMask": "0x24",
+@@ -5195,7 +5195,7 @@
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IO_MISS_RFO",
+ "Experimental": "1",
+- "Filter": "config1=0x40033",
++ "Filter": "config1=0x4003300000000",
+ "PerPkg": "1",
+ "PublicDescription": "For each cycle, this event accumulates the number of valid entries in the TOR that are generated from local IO RFO requests that miss the LLC. A read for ownership (RFO) requests data to be cached in E state with the intent to modify.",
+ "UMask": "0x24",
+diff --git a/tools/perf/pmu-events/arch/x86/skylakex/uncore-cache.json b/tools/perf/pmu-events/arch/x86/skylakex/uncore-cache.json
+index da46a3aeb58c7..4fc8186264912 100644
+--- a/tools/perf/pmu-events/arch/x86/skylakex/uncore-cache.json
++++ b/tools/perf/pmu-events/arch/x86/skylakex/uncore-cache.json
+@@ -4454,7 +4454,7 @@
+ "Counter": "0,1,2,3",
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IA_HIT_CRD",
+- "Filter": "config1=0x40233",
++ "Filter": "config1=0x4023300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Inserts : CRds issued by iA Cores that Hit the LLC : Counts the number of entries successfully inserted into the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x11",
+@@ -4465,7 +4465,7 @@
+ "Counter": "0,1,2,3",
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IA_HIT_DRD",
+- "Filter": "config1=0x40433",
++ "Filter": "config1=0x4043300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Inserts : DRds issued by iA Cores that Hit the LLC : Counts the number of entries successfully inserted into the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x11",
+@@ -4476,7 +4476,7 @@
+ "Counter": "0,1,2,3",
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IA_HIT_LlcPrefCRD",
+- "Filter": "config1=0x4b233",
++ "Filter": "config1=0x4b23300000000",
+ "PerPkg": "1",
+ "UMask": "0x11",
+ "Unit": "CHA"
+@@ -4486,7 +4486,7 @@
+ "Counter": "0,1,2,3",
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IA_HIT_LlcPrefDRD",
+- "Filter": "config1=0x4b433",
++ "Filter": "config1=0x4b43300000000",
+ "PerPkg": "1",
+ "UMask": "0x11",
+ "Unit": "CHA"
+@@ -4496,7 +4496,7 @@
+ "Counter": "0,1,2,3",
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IA_HIT_LlcPrefRFO",
+- "Filter": "config1=0x4b033",
++ "Filter": "config1=0x4b03300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Inserts : LLCPrefRFO issued by iA Cores that hit the LLC : Counts the number of entries successfully inserted into the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x11",
+@@ -4507,7 +4507,7 @@
+ "Counter": "0,1,2,3",
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IA_HIT_RFO",
+- "Filter": "config1=0x40033",
++ "Filter": "config1=0x4003300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Inserts : RFOs issued by iA Cores that Hit the LLC : Counts the number of entries successfully inserted into the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x11",
+@@ -4528,7 +4528,7 @@
+ "Counter": "0,1,2,3",
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IA_MISS_CRD",
+- "Filter": "config1=0x40233",
++ "Filter": "config1=0x4023300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Inserts : CRds issued by iA Cores that Missed the LLC : Counts the number of entries successfully inserted into the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x21",
+@@ -4539,7 +4539,7 @@
+ "Counter": "0,1,2,3",
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IA_MISS_DRD",
+- "Filter": "config1=0x40433",
++ "Filter": "config1=0x4043300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Inserts : DRds issued by iA Cores that Missed the LLC : Counts the number of entries successfully inserted into the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x21",
+@@ -4550,7 +4550,7 @@
+ "Counter": "0,1,2,3",
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IA_MISS_LlcPrefCRD",
+- "Filter": "config1=0x4b233",
++ "Filter": "config1=0x4b23300000000",
+ "PerPkg": "1",
+ "UMask": "0x21",
+ "Unit": "CHA"
+@@ -4560,7 +4560,7 @@
+ "Counter": "0,1,2,3",
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IA_MISS_LlcPrefDRD",
+- "Filter": "config1=0x4b433",
++ "Filter": "config1=0x4b43300000000",
+ "PerPkg": "1",
+ "UMask": "0x21",
+ "Unit": "CHA"
+@@ -4570,7 +4570,7 @@
+ "Counter": "0,1,2,3",
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IA_MISS_LlcPrefRFO",
+- "Filter": "config1=0x4b033",
++ "Filter": "config1=0x4b03300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Inserts : LLCPrefRFO issued by iA Cores that missed the LLC : Counts the number of entries successfully inserted into the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x21",
+@@ -4581,7 +4581,7 @@
+ "Counter": "0,1,2,3",
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IA_MISS_RFO",
+- "Filter": "config1=0x40033",
++ "Filter": "config1=0x4003300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Inserts : RFOs issued by iA Cores that Missed the LLC : Counts the number of entries successfully inserted into the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x21",
+@@ -4624,7 +4624,7 @@
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IO_MISS_ITOM",
+ "Experimental": "1",
+- "Filter": "config1=0x49033",
++ "Filter": "config1=0x4903300000000",
+ "PerPkg": "1",
+ "PublicDescription": "Counts the number of entries successfully inserted into the TOR that are generated from local IO ItoM requests that miss the LLC. An ItoM request is used by IIO to request a data write without first reading the data for ownership.",
+ "UMask": "0x24",
+@@ -4636,7 +4636,7 @@
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IO_MISS_RDCUR",
+ "Experimental": "1",
+- "Filter": "config1=0x43C33",
++ "Filter": "config1=0x43c3300000000",
+ "PerPkg": "1",
+ "PublicDescription": "Counts the number of entries successfully inserted into the TOR that are generated from local IO RdCur requests and miss the LLC. A RdCur request is used by IIO to read data without changing state.",
+ "UMask": "0x24",
+@@ -4648,7 +4648,7 @@
+ "EventCode": "0x35",
+ "EventName": "UNC_CHA_TOR_INSERTS.IO_MISS_RFO",
+ "Experimental": "1",
+- "Filter": "config1=0x40033",
++ "Filter": "config1=0x4003300000000",
+ "PerPkg": "1",
+ "PublicDescription": "Counts the number of entries successfully inserted into the TOR that are generated from local IO RFO requests that miss the LLC. A read for ownership (RFO) requests a cache line to be cached in E state with the intent to modify.",
+ "UMask": "0x24",
+@@ -4865,7 +4865,7 @@
+ "Counter": "0",
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IA_HIT_CRD",
+- "Filter": "config1=0x40233",
++ "Filter": "config1=0x4023300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Occupancy : CRds issued by iA Cores that Hit the LLC : For each cycle, this event accumulates the number of valid entries in the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x11",
+@@ -4876,7 +4876,7 @@
+ "Counter": "0",
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IA_HIT_DRD",
+- "Filter": "config1=0x40433",
++ "Filter": "config1=0x4043300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Occupancy : DRds issued by iA Cores that Hit the LLC : For each cycle, this event accumulates the number of valid entries in the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x11",
+@@ -4887,7 +4887,7 @@
+ "Counter": "0",
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IA_HIT_LlcPrefCRD",
+- "Filter": "config1=0x4b233",
++ "Filter": "config1=0x4b23300000000",
+ "PerPkg": "1",
+ "UMask": "0x11",
+ "Unit": "CHA"
+@@ -4897,7 +4897,7 @@
+ "Counter": "0",
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IA_HIT_LlcPrefDRD",
+- "Filter": "config1=0x4b433",
++ "Filter": "config1=0x4b43300000000",
+ "PerPkg": "1",
+ "UMask": "0x11",
+ "Unit": "CHA"
+@@ -4907,7 +4907,7 @@
+ "Counter": "0",
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IA_HIT_LlcPrefRFO",
+- "Filter": "config1=0x4b033",
++ "Filter": "config1=0x4b03300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Occupancy : LLCPrefRFO issued by iA Cores that hit the LLC : For each cycle, this event accumulates the number of valid entries in the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x11",
+@@ -4918,7 +4918,7 @@
+ "Counter": "0",
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IA_HIT_RFO",
+- "Filter": "config1=0x40033",
++ "Filter": "config1=0x4003300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Occupancy : RFOs issued by iA Cores that Hit the LLC : For each cycle, this event accumulates the number of valid entries in the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x11",
+@@ -4939,7 +4939,7 @@
+ "Counter": "0",
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IA_MISS_CRD",
+- "Filter": "config1=0x40233",
++ "Filter": "config1=0x4023300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Occupancy : CRds issued by iA Cores that Missed the LLC : For each cycle, this event accumulates the number of valid entries in the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x21",
+@@ -4950,7 +4950,7 @@
+ "Counter": "0",
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IA_MISS_DRD",
+- "Filter": "config1=0x40433",
++ "Filter": "config1=0x4043300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Occupancy : DRds issued by iA Cores that Missed the LLC : For each cycle, this event accumulates the number of valid entries in the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x21",
+@@ -4961,7 +4961,7 @@
+ "Counter": "0",
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IA_MISS_LlcPrefCRD",
+- "Filter": "config1=0x4b233",
++ "Filter": "config1=0x4b23300000000",
+ "PerPkg": "1",
+ "UMask": "0x21",
+ "Unit": "CHA"
+@@ -4971,7 +4971,7 @@
+ "Counter": "0",
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IA_MISS_LlcPrefDRD",
+- "Filter": "config1=0x4b433",
++ "Filter": "config1=0x4b43300000000",
+ "PerPkg": "1",
+ "UMask": "0x21",
+ "Unit": "CHA"
+@@ -4981,7 +4981,7 @@
+ "Counter": "0",
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IA_MISS_LlcPrefRFO",
+- "Filter": "config1=0x4b033",
++ "Filter": "config1=0x4b03300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Occupancy : LLCPrefRFO issued by iA Cores that missed the LLC : For each cycle, this event accumulates the number of valid entries in the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x21",
+@@ -4992,7 +4992,7 @@
+ "Counter": "0",
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IA_MISS_RFO",
+- "Filter": "config1=0x40033",
++ "Filter": "config1=0x4003300000000",
+ "PerPkg": "1",
+ "PublicDescription": "TOR Occupancy : RFOs issued by iA Cores that Missed the LLC : For each cycle, this event accumulates the number of valid entries in the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+ "UMask": "0x21",
+@@ -5037,7 +5037,7 @@
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IO_MISS_ITOM",
+ "Experimental": "1",
+- "Filter": "config1=0x49033",
++ "Filter": "config1=0x4903300000000",
+ "PerPkg": "1",
+ "PublicDescription": "For each cycle, this event accumulates the number of valid entries in the TOR that are generated from local IO ItoM requests that miss the LLC. An ItoM is used by IIO to request a data write without first reading the data for ownership.",
+ "UMask": "0x24",
+@@ -5049,7 +5049,7 @@
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IO_MISS_RDCUR",
+ "Experimental": "1",
+- "Filter": "config1=0x43C33",
++ "Filter": "config1=0x43c3300000000",
+ "PerPkg": "1",
+ "PublicDescription": "For each cycle, this event accumulates the number of valid entries in the TOR that are generated from local IO RdCur requests that miss the LLC. A RdCur request is used by IIO to read data without changing state.",
+ "UMask": "0x24",
+@@ -5061,7 +5061,7 @@
+ "EventCode": "0x36",
+ "EventName": "UNC_CHA_TOR_OCCUPANCY.IO_MISS_RFO",
+ "Experimental": "1",
+- "Filter": "config1=0x40033",
++ "Filter": "config1=0x4003300000000",
+ "PerPkg": "1",
+ "PublicDescription": "For each cycle, this event accumulates the number of valid entries in the TOR that are generated from local IO RFO requests that miss the LLC. A read for ownership (RFO) requests data to be cached in E state with the intent to modify.",
+ "UMask": "0x24",
+diff --git a/tools/perf/pmu-events/arch/x86/snowridgex/uncore-cache.json b/tools/perf/pmu-events/arch/x86/snowridgex/uncore-cache.json
+index 7551fb91a9d7d..a81776deb2e61 100644
+--- a/tools/perf/pmu-events/arch/x86/snowridgex/uncore-cache.json
++++ b/tools/perf/pmu-events/arch/x86/snowridgex/uncore-cache.json
+@@ -1,61 +1,4 @@
+ [
+- {
+- "BriefDescription": "MMIO reads. Derived from unc_cha_tor_inserts.ia_miss",
+- "Counter": "0,1,2,3",
+- "EventCode": "0x35",
+- "EventName": "LLC_MISSES.MMIO_READ",
+- "Filter": "config1=0x40040e33",
+- "PerPkg": "1",
+- "PublicDescription": "TOR Inserts : All requests from iA Cores that Missed the LLC : Counts the number of entries successfully inserted into the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+- "UMask": "0xc001fe01",
+- "Unit": "CHA"
+- },
+- {
+- "BriefDescription": "MMIO writes. Derived from unc_cha_tor_inserts.ia_miss",
+- "Counter": "0,1,2,3",
+- "EventCode": "0x35",
+- "EventName": "LLC_MISSES.MMIO_WRITE",
+- "Filter": "config1=0x40041e33",
+- "PerPkg": "1",
+- "PublicDescription": "TOR Inserts : All requests from iA Cores that Missed the LLC : Counts the number of entries successfully inserted into the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+- "UMask": "0xc001fe01",
+- "Unit": "CHA"
+- },
+- {
+- "BriefDescription": "LLC misses - Uncacheable reads (from cpu) . Derived from unc_cha_tor_inserts.ia_miss",
+- "Counter": "0,1,2,3",
+- "EventCode": "0x35",
+- "EventName": "LLC_MISSES.UNCACHEABLE",
+- "Filter": "config1=0x40e33",
+- "PerPkg": "1",
+- "PublicDescription": "TOR Inserts : All requests from iA Cores that Missed the LLC : Counts the number of entries successfully inserted into the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+- "UMask": "0xc001fe01",
+- "Unit": "CHA"
+- },
+- {
+- "BriefDescription": "Streaming stores (full cache line). Derived from unc_cha_tor_inserts.ia_miss",
+- "Counter": "0,1,2,3",
+- "EventCode": "0x35",
+- "EventName": "LLC_REFERENCES.STREAMING_FULL",
+- "Filter": "config1=0x41833",
+- "PerPkg": "1",
+- "PublicDescription": "TOR Inserts : All requests from iA Cores that Missed the LLC : Counts the number of entries successfully inserted into the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+- "ScaleUnit": "64Bytes",
+- "UMask": "0xc001fe01",
+- "Unit": "CHA"
+- },
+- {
+- "BriefDescription": "Streaming stores (partial cache line). Derived from unc_cha_tor_inserts.ia_miss",
+- "Counter": "0,1,2,3",
+- "EventCode": "0x35",
+- "EventName": "LLC_REFERENCES.STREAMING_PARTIAL",
+- "Filter": "config1=0x41a33",
+- "PerPkg": "1",
+- "PublicDescription": "TOR Inserts : All requests from iA Cores that Missed the LLC : Counts the number of entries successfully inserted into the TOR that match qualifications specified by the subevent. Does not include addressless requests such as locks and interrupts.",
+- "ScaleUnit": "64Bytes",
+- "UMask": "0xc001fe01",
+- "Unit": "CHA"
+- },
+ {
+ "BriefDescription": "CMS Agent0 AD Credits Acquired : For Transgress 0",
+ "Counter": "0,1,2,3",
+--
+2.43.0
+
--- /dev/null
+From f120ec7cbadcf1c13fea15cc6511312c707455f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Jun 2024 03:36:22 +0300
+Subject: phy: phy-rockchip-samsung-hdptx: Explicitly include pm_runtime.h
+
+From: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+
+[ Upstream commit 1b369ff94bc36d2e16c8a91c0ea8ebd329555976 ]
+
+Driver makes use of helpers from pm_runtime.h, but relies on the header
+file being implicitly included.
+
+Explicitly pull the header in to avoid potential build failures in some
+configurations.
+
+Fixes: 553be2830c5f ("phy: rockchip: Add Samsung HDMI/eDP Combo PHY driver")
+Reviewed-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+Link: https://lore.kernel.org/r/20240620-rk3588-hdmiphy-clkprov-v2-1-6a2d2164e508@collabora.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c b/drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c
+index 946c01210ac8c..3bd9b62b23dcc 100644
+--- a/drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c
++++ b/drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c
+@@ -15,6 +15,7 @@
+ #include <linux/of_platform.h>
+ #include <linux/phy/phy.h>
+ #include <linux/platform_device.h>
++#include <linux/pm_runtime.h>
+ #include <linux/rational.h>
+ #include <linux/regmap.h>
+ #include <linux/reset.h>
+--
+2.43.0
+
--- /dev/null
+From c82fec5c677b7bc4a68e22766209cabed43f084b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 14:48:23 +0800
+Subject: pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function
+
+From: Wang Jianzheng <wangjianzheng@vivo.com>
+
+[ Upstream commit c25478419f6fd3f74c324a21ec007cf14f2688d7 ]
+
+When an error occurs during the execution of the function
+__devinit_dove_pinctrl_probe, the clk is not properly disabled.
+
+Fix this by calling clk_disable_unprepare before return.
+
+Fixes: ba607b6238a1 ("pinctrl: mvebu: make pdma clock on dove mandatory")
+Signed-off-by: Wang Jianzheng <wangjianzheng@vivo.com>
+Link: https://lore.kernel.org/20240829064823.19808-1-wangjianzheng@vivo.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/mvebu/pinctrl-dove.c | 42 +++++++++++++++++++---------
+ 1 file changed, 29 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/pinctrl/mvebu/pinctrl-dove.c b/drivers/pinctrl/mvebu/pinctrl-dove.c
+index 1947da73e5121..dce601d993728 100644
+--- a/drivers/pinctrl/mvebu/pinctrl-dove.c
++++ b/drivers/pinctrl/mvebu/pinctrl-dove.c
+@@ -767,7 +767,7 @@ static int dove_pinctrl_probe(struct platform_device *pdev)
+ struct resource fb_res;
+ struct mvebu_mpp_ctrl_data *mpp_data;
+ void __iomem *base;
+- int i;
++ int i, ret;
+
+ pdev->dev.platform_data = (void *)device_get_match_data(&pdev->dev);
+
+@@ -783,13 +783,17 @@ static int dove_pinctrl_probe(struct platform_device *pdev)
+ clk_prepare_enable(clk);
+
+ base = devm_platform_get_and_ioremap_resource(pdev, 0, &mpp_res);
+- if (IS_ERR(base))
+- return PTR_ERR(base);
++ if (IS_ERR(base)) {
++ ret = PTR_ERR(base);
++ goto err_probe;
++ }
+
+ mpp_data = devm_kcalloc(&pdev->dev, dove_pinctrl_info.ncontrols,
+ sizeof(*mpp_data), GFP_KERNEL);
+- if (!mpp_data)
+- return -ENOMEM;
++ if (!mpp_data) {
++ ret = -ENOMEM;
++ goto err_probe;
++ }
+
+ dove_pinctrl_info.control_data = mpp_data;
+ for (i = 0; i < ARRAY_SIZE(dove_mpp_controls); i++)
+@@ -808,8 +812,10 @@ static int dove_pinctrl_probe(struct platform_device *pdev)
+ }
+
+ mpp4_base = devm_ioremap_resource(&pdev->dev, res);
+- if (IS_ERR(mpp4_base))
+- return PTR_ERR(mpp4_base);
++ if (IS_ERR(mpp4_base)) {
++ ret = PTR_ERR(mpp4_base);
++ goto err_probe;
++ }
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 2);
+ if (!res) {
+@@ -820,8 +826,10 @@ static int dove_pinctrl_probe(struct platform_device *pdev)
+ }
+
+ pmu_base = devm_ioremap_resource(&pdev->dev, res);
+- if (IS_ERR(pmu_base))
+- return PTR_ERR(pmu_base);
++ if (IS_ERR(pmu_base)) {
++ ret = PTR_ERR(pmu_base);
++ goto err_probe;
++ }
+
+ gconfmap = syscon_regmap_lookup_by_compatible("marvell,dove-global-config");
+ if (IS_ERR(gconfmap)) {
+@@ -831,12 +839,17 @@ static int dove_pinctrl_probe(struct platform_device *pdev)
+ adjust_resource(&fb_res,
+ (mpp_res->start & INT_REGS_MASK) + GC_REGS_OFFS, 0x14);
+ gc_base = devm_ioremap_resource(&pdev->dev, &fb_res);
+- if (IS_ERR(gc_base))
+- return PTR_ERR(gc_base);
++ if (IS_ERR(gc_base)) {
++ ret = PTR_ERR(gc_base);
++ goto err_probe;
++ }
++
+ gconfmap = devm_regmap_init_mmio(&pdev->dev,
+ gc_base, &gc_regmap_config);
+- if (IS_ERR(gconfmap))
+- return PTR_ERR(gconfmap);
++ if (IS_ERR(gconfmap)) {
++ ret = PTR_ERR(gconfmap);
++ goto err_probe;
++ }
+ }
+
+ /* Warn on any missing DT resource */
+@@ -844,6 +857,9 @@ static int dove_pinctrl_probe(struct platform_device *pdev)
+ dev_warn(&pdev->dev, FW_BUG "Missing pinctrl regs in DTB. Please update your firmware.\n");
+
+ return mvebu_pinctrl_probe(pdev);
++err_probe:
++ clk_disable_unprepare(clk);
++ return ret;
+ }
+
+ static struct platform_driver dove_pinctrl_driver = {
+--
+2.43.0
+
--- /dev/null
+From 1461ce49c4fdd33a616cf7de3e1d7b2ffc0c6d09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jul 2024 17:47:44 +0100
+Subject: pinctrl: renesas: rzg2l: Return -EINVAL if the pin doesn't support
+ PIN_CFG_OEN
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit d56abfed1c02814b5ee96b0ed1f989ea9d7f6cbb ]
+
+Update the rzg2l_pinctrl_pinconf_get() function to return -EINVAL for
+PIN_CONFIG_OUTPUT_ENABLE config if the pin doesn't support the PIN_CFG_OEN
+configuration.
+
+-EINVAL is a valid error when dumping the pin configurations. Returning
+-EOPNOTSUPP for a pin that does not support PIN_CFG_OEN resulted in the
+message 'ERROR READING CONFIG SETTING 16' being printed during dumping
+pinconf-pins.
+
+For consistency do similar change in rzg2l_pinctrl_pinconf_set() for
+PIN_CONFIG_OUTPUT_ENABLE config.
+
+Fixes: a9024a323af2 ("pinctrl: renesas: rzg2l: Clean up and refactor OEN read/write functions")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Tested-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+Reviewed-by: Paul Barker <paul.barker.ct@bp.renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/20240723164744.505233-1-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/renesas/pinctrl-rzg2l.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pinctrl/renesas/pinctrl-rzg2l.c b/drivers/pinctrl/renesas/pinctrl-rzg2l.c
+index 632180570b704..3ef20f2fa88e4 100644
+--- a/drivers/pinctrl/renesas/pinctrl-rzg2l.c
++++ b/drivers/pinctrl/renesas/pinctrl-rzg2l.c
+@@ -1261,7 +1261,9 @@ static int rzg2l_pinctrl_pinconf_get(struct pinctrl_dev *pctldev,
+ break;
+
+ case PIN_CONFIG_OUTPUT_ENABLE:
+- if (!pctrl->data->oen_read || !(cfg & PIN_CFG_OEN))
++ if (!(cfg & PIN_CFG_OEN))
++ return -EINVAL;
++ if (!pctrl->data->oen_read)
+ return -EOPNOTSUPP;
+ arg = pctrl->data->oen_read(pctrl, _pin);
+ if (!arg)
+@@ -1402,7 +1404,9 @@ static int rzg2l_pinctrl_pinconf_set(struct pinctrl_dev *pctldev,
+
+ case PIN_CONFIG_OUTPUT_ENABLE:
+ arg = pinconf_to_config_argument(_configs[i]);
+- if (!pctrl->data->oen_write || !(cfg & PIN_CFG_OEN))
++ if (!(cfg & PIN_CFG_OEN))
++ return -EINVAL;
++ if (!pctrl->data->oen_write)
+ return -EOPNOTSUPP;
+ ret = pctrl->data->oen_write(pctrl, _pin, !!arg);
+ if (ret)
+--
+2.43.0
+
--- /dev/null
+From 25f049561a5026b09692b8c29737f7608da77108 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Aug 2024 10:46:25 +0800
+Subject: pinctrl: single: fix missing error code in pcs_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit cacd8cf79d7823b07619865e994a7916fcc8ae91 ]
+
+If pinctrl_enable() fails in pcs_probe(), it should return the error code.
+
+Fixes: 8f773bfbdd42 ("pinctrl: single: fix possible memory leak when pinctrl_enable() fails")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/20240819024625.154441-1-yangyingliang@huaweicloud.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-single.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c
+index 4da3c3f422b69..2ec599e383e4b 100644
+--- a/drivers/pinctrl/pinctrl-single.c
++++ b/drivers/pinctrl/pinctrl-single.c
+@@ -1913,7 +1913,8 @@ static int pcs_probe(struct platform_device *pdev)
+
+ dev_info(pcs->dev, "%i pins, size %u\n", pcs->desc.npins, pcs->size);
+
+- if (pinctrl_enable(pcs->pctl))
++ ret = pinctrl_enable(pcs->pctl);
++ if (ret)
+ goto free;
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From b534efb25aa2cea27d7a14bf76d02994ed914325 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Jul 2024 22:37:43 +0200
+Subject: pinctrl: ti: ti-iodelay: Fix some error handling paths
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit a9f2b249adeef2b9744a884355fa8f5e581d507f ]
+
+In the probe, if an error occurs after the ti_iodelay_pinconf_init_dev()
+call, it is likely that ti_iodelay_pinconf_deinit_dev() should be called,
+as already done in the remove function.
+
+Also in ti_iodelay_pinconf_init_dev(), if an error occurs after the first
+regmap_update_bits() call, it is also likely that the deinit() function
+should be called.
+
+The easier way to fix it is to add a devm_add_action_or_reset() at the
+rigtht place to have ti_iodelay_pinconf_deinit_dev() called when needed.
+
+Doing so, the .remove() function can be removed, and the associated
+platform_set_drvdata() call in the probe as well.
+
+Fixes: 003910ebc83b ("pinctrl: Introduce TI IOdelay configuration driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/0220fa5b925bd08e361be8206a5438f6229deaac.1720556038.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/ti/pinctrl-ti-iodelay.c | 52 ++++++++++---------------
+ 1 file changed, 21 insertions(+), 31 deletions(-)
+
+diff --git a/drivers/pinctrl/ti/pinctrl-ti-iodelay.c b/drivers/pinctrl/ti/pinctrl-ti-iodelay.c
+index f5e5a23d22260..451801acdc403 100644
+--- a/drivers/pinctrl/ti/pinctrl-ti-iodelay.c
++++ b/drivers/pinctrl/ti/pinctrl-ti-iodelay.c
+@@ -273,6 +273,22 @@ static int ti_iodelay_pinconf_set(struct ti_iodelay_device *iod,
+ return r;
+ }
+
++/**
++ * ti_iodelay_pinconf_deinit_dev() - deinit the iodelay device
++ * @data: IODelay device
++ *
++ * Deinitialize the IODelay device (basically just lock the region back up.
++ */
++static void ti_iodelay_pinconf_deinit_dev(void *data)
++{
++ struct ti_iodelay_device *iod = data;
++ const struct ti_iodelay_reg_data *reg = iod->reg_data;
++
++ /* lock the iodelay region back again */
++ regmap_update_bits(iod->regmap, reg->reg_global_lock_offset,
++ reg->global_lock_mask, reg->global_lock_val);
++}
++
+ /**
+ * ti_iodelay_pinconf_init_dev() - Initialize IODelay device
+ * @iod: iodelay device
+@@ -295,6 +311,11 @@ static int ti_iodelay_pinconf_init_dev(struct ti_iodelay_device *iod)
+ if (r)
+ return r;
+
++ r = devm_add_action_or_reset(iod->dev, ti_iodelay_pinconf_deinit_dev,
++ iod);
++ if (r)
++ return r;
++
+ /* Read up Recalibration sequence done by bootloader */
+ r = regmap_read(iod->regmap, reg->reg_refclk_offset, &val);
+ if (r)
+@@ -353,21 +374,6 @@ static int ti_iodelay_pinconf_init_dev(struct ti_iodelay_device *iod)
+ return 0;
+ }
+
+-/**
+- * ti_iodelay_pinconf_deinit_dev() - deinit the iodelay device
+- * @iod: IODelay device
+- *
+- * Deinitialize the IODelay device (basically just lock the region back up.
+- */
+-static void ti_iodelay_pinconf_deinit_dev(struct ti_iodelay_device *iod)
+-{
+- const struct ti_iodelay_reg_data *reg = iod->reg_data;
+-
+- /* lock the iodelay region back again */
+- regmap_update_bits(iod->regmap, reg->reg_global_lock_offset,
+- reg->global_lock_mask, reg->global_lock_val);
+-}
+-
+ /**
+ * ti_iodelay_get_pingroup() - Find the group mapped by a group selector
+ * @iod: iodelay device
+@@ -877,27 +883,11 @@ static int ti_iodelay_probe(struct platform_device *pdev)
+ return ret;
+ }
+
+- platform_set_drvdata(pdev, iod);
+-
+ return pinctrl_enable(iod->pctl);
+ }
+
+-/**
+- * ti_iodelay_remove() - standard remove
+- * @pdev: platform device
+- */
+-static void ti_iodelay_remove(struct platform_device *pdev)
+-{
+- struct ti_iodelay_device *iod = platform_get_drvdata(pdev);
+-
+- ti_iodelay_pinconf_deinit_dev(iod);
+-
+- /* Expect other allocations to be freed by devm */
+-}
+-
+ static struct platform_driver ti_iodelay_driver = {
+ .probe = ti_iodelay_probe,
+- .remove_new = ti_iodelay_remove,
+ .driver = {
+ .name = DRIVER_NAME,
+ .of_match_table = ti_iodelay_of_match,
+--
+2.43.0
+
--- /dev/null
+From 7967c1db23b58847b9bc327a24557e94ede6aabd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2024 16:16:53 +0300
+Subject: platform: cznic: turris-omnia-mcu: Fix error check in
+ omnia_mcu_register_trng()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 2d516b8fc0f18ce9c0347a1aea6edb3d8ca1d692 ]
+
+The gpiod_to_irq() function never returns zero. It returns negative
+error codes or a positive IRQ number. Update the checking to check
+for negatives.
+
+Fixes: 41bb142a4028 ("platform: cznic: turris-omnia-mcu: Add support for MCU provided TRNG")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Marek Behún <kabel@kernel.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/cznic/turris-omnia-mcu-trng.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/cznic/turris-omnia-mcu-trng.c b/drivers/platform/cznic/turris-omnia-mcu-trng.c
+index ad953fb3c37af..9a1d9292dc9ad 100644
+--- a/drivers/platform/cznic/turris-omnia-mcu-trng.c
++++ b/drivers/platform/cznic/turris-omnia-mcu-trng.c
+@@ -70,8 +70,8 @@ int omnia_mcu_register_trng(struct omnia_mcu *mcu)
+
+ irq_idx = omnia_int_to_gpio_idx[__bf_shf(OMNIA_INT_TRNG)];
+ irq = gpiod_to_irq(gpio_device_get_desc(mcu->gc.gpiodev, irq_idx));
+- if (!irq)
+- return dev_err_probe(dev, -ENXIO, "Cannot get TRNG IRQ\n");
++ if (irq < 0)
++ return dev_err_probe(dev, irq, "Cannot get TRNG IRQ\n");
+
+ /*
+ * If someone else cleared the TRNG interrupt but did not read the
+--
+2.43.0
+
--- /dev/null
+From 3bdf05737ade3bb471da5baf640948e13d3f68c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 19:50:32 +0300
+Subject: platform/x86: ideapad-laptop: Make the scope_guard() clear of its
+ scope
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit a093cb667c3ff5eadd4b23ddf996d9ccae9b7ac6 ]
+
+First of all, it's a bit counterintuitive to have something like
+
+ int err;
+ ...
+ scoped_guard(...)
+ err = foo(...);
+ if (err)
+ return err;
+
+Second, with a particular kernel configuration and compiler version in
+one of such cases the objtool is not happy:
+
+ ideapad-laptop.o: warning: objtool: .text.fan_mode_show: unexpected end of section
+
+I'm not an expert on all this, but the theory is that compiler and
+linker in this case can't understand that 'result' variable will be
+always initialized as long as no error has been returned. Assigning
+'result' to a dummy value helps with this. Note, that fixing the
+scoped_guard() scope (as per above) does not make issue gone.
+
+That said, assign dummy value and make the scope_guard() clear of its scope.
+For the sake of consistency do it in the entire file.
+
+Fixes: 7cc06e729460 ("platform/x86: ideapad-laptop: add a mutex to synchronize VPC commands")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202408290219.BrPO8twi-lkp@intel.com/
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20240829165105.1609180-1-andriy.shevchenko@linux.intel.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/ideapad-laptop.c | 48 +++++++++++++++------------
+ 1 file changed, 27 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/platform/x86/ideapad-laptop.c b/drivers/platform/x86/ideapad-laptop.c
+index 98ec30fce9fdd..b58df617d4fda 100644
+--- a/drivers/platform/x86/ideapad-laptop.c
++++ b/drivers/platform/x86/ideapad-laptop.c
+@@ -419,13 +419,14 @@ static ssize_t camera_power_show(struct device *dev,
+ char *buf)
+ {
+ struct ideapad_private *priv = dev_get_drvdata(dev);
+- unsigned long result;
++ unsigned long result = 0;
+ int err;
+
+- scoped_guard(mutex, &priv->vpc_mutex)
++ scoped_guard(mutex, &priv->vpc_mutex) {
+ err = read_ec_data(priv->adev->handle, VPCCMD_R_CAMERA, &result);
+- if (err)
+- return err;
++ if (err)
++ return err;
++ }
+
+ return sysfs_emit(buf, "%d\n", !!result);
+ }
+@@ -442,10 +443,11 @@ static ssize_t camera_power_store(struct device *dev,
+ if (err)
+ return err;
+
+- scoped_guard(mutex, &priv->vpc_mutex)
++ scoped_guard(mutex, &priv->vpc_mutex) {
+ err = write_ec_cmd(priv->adev->handle, VPCCMD_W_CAMERA, state);
+- if (err)
+- return err;
++ if (err)
++ return err;
++ }
+
+ return count;
+ }
+@@ -493,13 +495,14 @@ static ssize_t fan_mode_show(struct device *dev,
+ char *buf)
+ {
+ struct ideapad_private *priv = dev_get_drvdata(dev);
+- unsigned long result;
++ unsigned long result = 0;
+ int err;
+
+- scoped_guard(mutex, &priv->vpc_mutex)
++ scoped_guard(mutex, &priv->vpc_mutex) {
+ err = read_ec_data(priv->adev->handle, VPCCMD_R_FAN, &result);
+- if (err)
+- return err;
++ if (err)
++ return err;
++ }
+
+ return sysfs_emit(buf, "%lu\n", result);
+ }
+@@ -519,10 +522,11 @@ static ssize_t fan_mode_store(struct device *dev,
+ if (state > 4 || state == 3)
+ return -EINVAL;
+
+- scoped_guard(mutex, &priv->vpc_mutex)
++ scoped_guard(mutex, &priv->vpc_mutex) {
+ err = write_ec_cmd(priv->adev->handle, VPCCMD_W_FAN, state);
+- if (err)
+- return err;
++ if (err)
++ return err;
++ }
+
+ return count;
+ }
+@@ -602,13 +606,14 @@ static ssize_t touchpad_show(struct device *dev,
+ char *buf)
+ {
+ struct ideapad_private *priv = dev_get_drvdata(dev);
+- unsigned long result;
++ unsigned long result = 0;
+ int err;
+
+- scoped_guard(mutex, &priv->vpc_mutex)
++ scoped_guard(mutex, &priv->vpc_mutex) {
+ err = read_ec_data(priv->adev->handle, VPCCMD_R_TOUCHPAD, &result);
+- if (err)
+- return err;
++ if (err)
++ return err;
++ }
+
+ priv->r_touchpad_val = result;
+
+@@ -627,10 +632,11 @@ static ssize_t touchpad_store(struct device *dev,
+ if (err)
+ return err;
+
+- scoped_guard(mutex, &priv->vpc_mutex)
++ scoped_guard(mutex, &priv->vpc_mutex) {
+ err = write_ec_cmd(priv->adev->handle, VPCCMD_W_TOUCHPAD, state);
+- if (err)
+- return err;
++ if (err)
++ return err;
++ }
+
+ priv->r_touchpad_val = state;
+
+--
+2.43.0
+
--- /dev/null
+From 055e5c4f39395162259a7a716ca2364cbd0b2b85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 22:19:08 -0400
+Subject: pm:cpupower: Add missing powercap_set_enabled() stub function
+
+From: John B. Wyatt IV <jwyatt@redhat.com>
+
+[ Upstream commit 4b80294fb53845dc5c98cca0c989da09150f2ca9 ]
+
+There was a symbol listed in the powercap.h file that was not implemented.
+Implement it with a stub return of 0.
+
+Programs like SWIG require that functions that are defined in the
+headers be implemented.
+
+Fixes: c2294c1496b7 ("cpupower: Introduce powercap intel-rapl library and powercap-info command")
+Suggested-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: John B. Wyatt IV <jwyatt@redhat.com>
+Signed-off-by: John B. Wyatt IV <sageofredondo@gmail.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/cpupower/lib/powercap.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/tools/power/cpupower/lib/powercap.c b/tools/power/cpupower/lib/powercap.c
+index a7a59c6bacda8..94a0c69e55ef5 100644
+--- a/tools/power/cpupower/lib/powercap.c
++++ b/tools/power/cpupower/lib/powercap.c
+@@ -77,6 +77,14 @@ int powercap_get_enabled(int *mode)
+ return sysfs_get_enabled(path, mode);
+ }
+
++/*
++ * TODO: implement function. Returns dummy 0 for now.
++ */
++int powercap_set_enabled(int mode)
++{
++ return 0;
++}
++
+ /*
+ * Hardcoded, because rapl is the only powercap implementation
+ - * this needs to get more generic if more powercap implementations
+--
+2.43.0
+
--- /dev/null
+From 7e12ec0a9d092215e0ea383415fd7199987c147d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 16:30:46 +0200
+Subject: pmdomain: core: Fix "managed by" alignment in debug summary
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 987a43e89ec67cc68518c0558db42ba542581597 ]
+
+The "performance" column contains variable-width values. Hence when
+their printed values contain more than one digit, all values in
+successive columns become misaligned.
+
+Fix this by formatting it as a fixed-width field. Adjust successive
+spaces and field widths to retain the exiting layout.
+
+Fixes: 0155aaf95a2a ("PM: domains: Add the domain HW-managed mode to the summary")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/e004f9d2a75e9a49c269507bb8a4514001751e85.1725459707.git.geert+renesas@glider.be
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pmdomain/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pmdomain/core.c b/drivers/pmdomain/core.c
+index 6691b42eae476..acdc3e7b2eae2 100644
+--- a/drivers/pmdomain/core.c
++++ b/drivers/pmdomain/core.c
+@@ -3190,7 +3190,7 @@ static void mode_status_str(struct seq_file *s, struct device *dev)
+
+ gpd_data = to_gpd_data(dev->power.subsys_data->domain_data);
+
+- seq_printf(s, "%20s", gpd_data->hw_mode ? "HW" : "SW");
++ seq_printf(s, "%9s", gpd_data->hw_mode ? "HW" : "SW");
+ }
+
+ static void perf_status_str(struct seq_file *s, struct device *dev)
+@@ -3198,7 +3198,7 @@ static void perf_status_str(struct seq_file *s, struct device *dev)
+ struct generic_pm_domain_data *gpd_data;
+
+ gpd_data = to_gpd_data(dev->power.subsys_data->domain_data);
+- seq_put_decimal_ull(s, "", gpd_data->performance_state);
++ seq_printf(s, "%-10u ", gpd_data->performance_state);
+ }
+
+ static int genpd_summary_one(struct seq_file *s,
+--
+2.43.0
+
--- /dev/null
+From 3137327d64643d932db165f346c8b4fdd4905668 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 16:30:45 +0200
+Subject: pmdomain: core: Harden inter-column space in debug summary
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 692c20c4d075bd452acfbbc68200fc226c7c9496 ]
+
+The inter-column space in the debug summary is two spaces. However, in
+one case, the extra space is handled implicitly in a field width
+specifier. Make inter-column space explicit to ease future maintenance.
+
+Fixes: 45fbc464b047 ("PM: domains: Add "performance" column to debug summary")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/ae61eb363621b981edde878e1e74d701702a579f.1725459707.git.geert+renesas@glider.be
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pmdomain/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pmdomain/core.c b/drivers/pmdomain/core.c
+index 7a61aa88c0614..6691b42eae476 100644
+--- a/drivers/pmdomain/core.c
++++ b/drivers/pmdomain/core.c
+@@ -3226,7 +3226,7 @@ static int genpd_summary_one(struct seq_file *s,
+ else
+ snprintf(state, sizeof(state), "%s",
+ status_lookup[genpd->status]);
+- seq_printf(s, "%-30s %-50s %u", genpd->name, state, genpd->performance_state);
++ seq_printf(s, "%-30s %-49s %u", genpd->name, state, genpd->performance_state);
+
+ /*
+ * Modifications on the list require holding locks on both
+--
+2.43.0
+
--- /dev/null
+From 7bdd80755d34308a93acd1be455c59b0debe9429 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 16:54:43 -0500
+Subject: power: supply: axp20x_battery: Remove design from min and max voltage
+
+From: Chris Morgan <macromorgan@hotmail.com>
+
+[ Upstream commit 61978807b00f8a1817b0e5580981af1cd2f428a5 ]
+
+The POWER_SUPPLY_PROP_VOLTAGE_MIN_DESIGN and
+POWER_SUPPLY_PROP_VOLTAGE_MAX_DESIGN values should be immutable
+properties of the battery, but for this driver they are writable values
+and used as the minimum and maximum values for charging. Remove the
+DESIGN designation from these values.
+
+Fixes: 46c202b5f25f ("power: supply: add battery driver for AXP20X and AXP22X PMICs")
+Suggested-by: Chen-Yu Tsai <wens@kernel.org>
+Signed-off-by: Chris Morgan <macromorgan@hotmail.com>
+Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20240821215456.962564-3-macroalpha82@gmail.com
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/axp20x_battery.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/power/supply/axp20x_battery.c b/drivers/power/supply/axp20x_battery.c
+index 6ac5c80cfda21..7520b599eb3d1 100644
+--- a/drivers/power/supply/axp20x_battery.c
++++ b/drivers/power/supply/axp20x_battery.c
+@@ -303,11 +303,11 @@ static int axp20x_battery_get_prop(struct power_supply *psy,
+ val->intval = reg & AXP209_FG_PERCENT;
+ break;
+
+- case POWER_SUPPLY_PROP_VOLTAGE_MAX_DESIGN:
++ case POWER_SUPPLY_PROP_VOLTAGE_MAX:
+ return axp20x_batt->data->get_max_voltage(axp20x_batt,
+ &val->intval);
+
+- case POWER_SUPPLY_PROP_VOLTAGE_MIN_DESIGN:
++ case POWER_SUPPLY_PROP_VOLTAGE_MIN:
+ ret = regmap_read(axp20x_batt->regmap, AXP20X_V_OFF, ®);
+ if (ret)
+ return ret;
+@@ -455,10 +455,10 @@ static int axp20x_battery_set_prop(struct power_supply *psy,
+ struct axp20x_batt_ps *axp20x_batt = power_supply_get_drvdata(psy);
+
+ switch (psp) {
+- case POWER_SUPPLY_PROP_VOLTAGE_MIN_DESIGN:
++ case POWER_SUPPLY_PROP_VOLTAGE_MIN:
+ return axp20x_set_voltage_min_design(axp20x_batt, val->intval);
+
+- case POWER_SUPPLY_PROP_VOLTAGE_MAX_DESIGN:
++ case POWER_SUPPLY_PROP_VOLTAGE_MAX:
+ return axp20x_batt->data->set_max_voltage(axp20x_batt, val->intval);
+
+ case POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT:
+@@ -493,8 +493,8 @@ static enum power_supply_property axp20x_battery_props[] = {
+ POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT,
+ POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT_MAX,
+ POWER_SUPPLY_PROP_HEALTH,
+- POWER_SUPPLY_PROP_VOLTAGE_MAX_DESIGN,
+- POWER_SUPPLY_PROP_VOLTAGE_MIN_DESIGN,
++ POWER_SUPPLY_PROP_VOLTAGE_MAX,
++ POWER_SUPPLY_PROP_VOLTAGE_MIN,
+ POWER_SUPPLY_PROP_CAPACITY,
+ };
+
+@@ -502,8 +502,8 @@ static int axp20x_battery_prop_writeable(struct power_supply *psy,
+ enum power_supply_property psp)
+ {
+ return psp == POWER_SUPPLY_PROP_STATUS ||
+- psp == POWER_SUPPLY_PROP_VOLTAGE_MIN_DESIGN ||
+- psp == POWER_SUPPLY_PROP_VOLTAGE_MAX_DESIGN ||
++ psp == POWER_SUPPLY_PROP_VOLTAGE_MIN ||
++ psp == POWER_SUPPLY_PROP_VOLTAGE_MAX ||
+ psp == POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT ||
+ psp == POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT_MAX;
+ }
+--
+2.43.0
+
--- /dev/null
+From 6f7c5600394d8740d20dc7340baa2196a4d6879d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Aug 2024 12:51:14 +0200
+Subject: power: supply: max17042_battery: Fix SOC threshold calc w/ no current
+ sense
+
+From: Artur Weber <aweber.kernel@gmail.com>
+
+[ Upstream commit 3a3acf839b2cedf092bdd1ff65b0e9895df1656b ]
+
+Commit 223a3b82834f ("power: supply: max17042_battery: use VFSOC for
+capacity when no rsns") made it so that capacity on systems without
+current sensing would be read from VFSOC instead of RepSOC. However,
+the SOC threshold calculation still read RepSOC to get the SOC
+regardless of the current sensing option state.
+
+Fix this by applying the same conditional to determine which register
+should be read.
+
+This also seems to be the intended behavior as per the datasheet - SOC
+alert config value in MiscCFG on setups without current sensing is set
+to a value of 0b11, indicating SOC alerts being generated based on
+VFSOC, instead of 0b00 which indicates SOC alerts being generated based
+on RepSOC.
+
+This fixes an issue on the Galaxy S3/Midas boards, where the alert
+interrupt would be constantly retriggered, causing high CPU usage
+on idle (around ~12%-15%).
+
+Fixes: e5f3872d2044 ("max17042: Add support for signalling change in SOC")
+Signed-off-by: Artur Weber <aweber.kernel@gmail.com>
+Reviewed-by: Henrik Grimler <henrik@grimler.se>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20240817-max17042-soc-threshold-fix-v1-1-72b45899c3cc@gmail.com
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/max17042_battery.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/max17042_battery.c b/drivers/power/supply/max17042_battery.c
+index e7d37e422c3f6..496c3e1f2ee6d 100644
+--- a/drivers/power/supply/max17042_battery.c
++++ b/drivers/power/supply/max17042_battery.c
+@@ -853,7 +853,10 @@ static void max17042_set_soc_threshold(struct max17042_chip *chip, u16 off)
+ /* program interrupt thresholds such that we should
+ * get interrupt for every 'off' perc change in the soc
+ */
+- regmap_read(map, MAX17042_RepSOC, &soc);
++ if (chip->pdata->enable_current_sense)
++ regmap_read(map, MAX17042_RepSOC, &soc);
++ else
++ regmap_read(map, MAX17042_VFSOC, &soc);
+ soc >>= 8;
+ soc_tr = (soc + off) << 8;
+ if (off < soc)
+--
+2.43.0
+
--- /dev/null
+From 15ba74c1d502d26bca5af0c4f2dfb4a76aa7263e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 11:41:34 +0300
+Subject: powercap: intel_rapl: Fix off by one in get_rpi()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 95f6580352a7225e619551febb83595bcb77ab17 ]
+
+The rp->priv->rpi array is either rpi_msr or rpi_tpmi which have
+NR_RAPL_PRIMITIVES number of elements. Thus the > needs to be >=
+to prevent an off by one access.
+
+Fixes: 98ff639a7289 ("powercap: intel_rapl: Support per Interface primitive information")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Acked-by: Zhang Rui <rui.zhang@intel.com>
+Link: https://patch.msgid.link/86e3a059-504d-4795-a5ea-4a653f3b41f8@stanley.mountain
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/powercap/intel_rapl_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/powercap/intel_rapl_common.c b/drivers/powercap/intel_rapl_common.c
+index 7c0cea2c828d9..b6f682dac42e7 100644
+--- a/drivers/powercap/intel_rapl_common.c
++++ b/drivers/powercap/intel_rapl_common.c
+@@ -740,7 +740,7 @@ static struct rapl_primitive_info *get_rpi(struct rapl_package *rp, int prim)
+ {
+ struct rapl_primitive_info *rpi = rp->priv->rpi;
+
+- if (prim < 0 || prim > NR_RAPL_PRIMITIVES || !rpi)
++ if (prim < 0 || prim >= NR_RAPL_PRIMITIVES || !rpi)
+ return NULL;
+
+ return &rpi[prim];
+--
+2.43.0
+
--- /dev/null
+From 84f8c70307f370a2b94ef55e1763f2dcefe066fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 19:23:45 +0200
+Subject: powerpc/8xx: Fix initial memory mapping
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit f9f2bff64c2f0dbee57be3d8c2741357ad3d05e6 ]
+
+Commit cf209951fa7f ("powerpc/8xx: Map linear memory with huge pages")
+introduced an initial mapping of kernel TEXT using PAGE_KERNEL_TEXT,
+but the pages that contain kernel TEXT may also contain kernel RODATA,
+and depending on selected debug options PAGE_KERNEL_TEXT may be either
+RWX or ROX. RODATA must be writable during init because it also
+contains ro_after_init data.
+
+So use PAGE_KERNEL_X instead to be sure it is RWX.
+
+Fixes: cf209951fa7f ("powerpc/8xx: Map linear memory with huge pages")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/dac7a828d8497c4548c91840575a706657baa4f1.1724173828.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/mm/nohash/8xx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/mm/nohash/8xx.c b/arch/powerpc/mm/nohash/8xx.c
+index 388bba0ab3e7d..15d918dce27d0 100644
+--- a/arch/powerpc/mm/nohash/8xx.c
++++ b/arch/powerpc/mm/nohash/8xx.c
+@@ -150,11 +150,11 @@ unsigned long __init mmu_mapin_ram(unsigned long base, unsigned long top)
+
+ mmu_mapin_immr();
+
+- mmu_mapin_ram_chunk(0, boundary, PAGE_KERNEL_TEXT, true);
++ mmu_mapin_ram_chunk(0, boundary, PAGE_KERNEL_X, true);
+ if (debug_pagealloc_enabled_or_kfence()) {
+ top = boundary;
+ } else {
+- mmu_mapin_ram_chunk(boundary, einittext8, PAGE_KERNEL_TEXT, true);
++ mmu_mapin_ram_chunk(boundary, einittext8, PAGE_KERNEL_X, true);
+ mmu_mapin_ram_chunk(einittext8, top, PAGE_KERNEL, true);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 8c6dd94b39cb18a132b8410d7d77904e83a8b2d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 19:23:46 +0200
+Subject: powerpc/8xx: Fix kernel vs user address comparison
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 65a82e117ffeeab0baf6f871a1cab11a28ace183 ]
+
+Since commit 9132a2e82adc ("powerpc/8xx: Define a MODULE area below
+kernel text"), module exec space is below PAGE_OFFSET so not only
+space above PAGE_OFFSET, but space above TASK_SIZE need to be seen
+as kernel space.
+
+Until now the problem went undetected because by default TASK_SIZE
+is 0x8000000 which means address space is determined by just
+checking upper address bit. But when TASK_SIZE is over 0x80000000,
+PAGE_OFFSET is used for comparison, leading to thinking module
+addresses are part of user space.
+
+Fix it by using TASK_SIZE instead of PAGE_OFFSET for address
+comparison.
+
+Fixes: 9132a2e82adc ("powerpc/8xx: Define a MODULE area below kernel text")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/3f574c9845ff0a023b46cb4f38d2c45aecd769bd.1724173828.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/head_8xx.S | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/kernel/head_8xx.S b/arch/powerpc/kernel/head_8xx.S
+index ac74321b11928..c955a8196d55e 100644
+--- a/arch/powerpc/kernel/head_8xx.S
++++ b/arch/powerpc/kernel/head_8xx.S
+@@ -41,12 +41,12 @@
+ #include "head_32.h"
+
+ .macro compare_to_kernel_boundary scratch, addr
+-#if CONFIG_TASK_SIZE <= 0x80000000 && CONFIG_PAGE_OFFSET >= 0x80000000
++#if CONFIG_TASK_SIZE <= 0x80000000 && MODULES_VADDR >= 0x80000000
+ /* By simply checking Address >= 0x80000000, we know if its a kernel address */
+ not. \scratch, \addr
+ #else
+ rlwinm \scratch, \addr, 16, 0xfff8
+- cmpli cr0, \scratch, PAGE_OFFSET@h
++ cmpli cr0, \scratch, TASK_SIZE@h
+ #endif
+ .endm
+
+@@ -404,7 +404,7 @@ FixupDAR:/* Entry point for dcbx workaround. */
+ mfspr r10, SPRN_SRR0
+ mtspr SPRN_MD_EPN, r10
+ rlwinm r11, r10, 16, 0xfff8
+- cmpli cr1, r11, PAGE_OFFSET@h
++ cmpli cr1, r11, TASK_SIZE@h
+ mfspr r11, SPRN_M_TWB /* Get level 1 table */
+ blt+ cr1, 3f
+
+--
+2.43.0
+
--- /dev/null
+From cdfa8e2d2c9ad94c9e738932d34a21591e41ebb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 10:33:43 +0200
+Subject: powerpc/vdso: Fix VDSO data access when running in a non-root time
+ namespace
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit c73049389e58c01e2e3bbfae900c8daeee177191 ]
+
+When running in a non-root time namespace, the global VDSO data page
+is replaced by a dedicated namespace data page and the global data
+page is mapped next to it. Detailed explanations can be found at
+commit 660fd04f9317 ("lib/vdso: Prepare for time namespace support").
+
+When it happens, __kernel_get_syscall_map and __kernel_get_tbfreq
+and __kernel_sync_dicache don't work anymore because they read 0
+instead of the data they need.
+
+To address that, clock_mode has to be read. When it is set to
+VDSO_CLOCKMODE_TIMENS, it means it is a dedicated namespace data page
+and the global data is located on the following page.
+
+Add a macro called get_realdatapage which reads clock_mode and add
+PAGE_SIZE to the pointer provided by get_datapage macro when
+clock_mode is equal to VDSO_CLOCKMODE_TIMENS. Use this new macro
+instead of get_datapage macro except for time functions as they handle
+it internally.
+
+Fixes: 74205b3fc2ef ("powerpc/vdso: Add support for time namespaces")
+Reported-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Closes: https://lore.kernel.org/all/ZtnYqZI-nrsNslwy@zx2c4.com/
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Acked-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/vdso_datapage.h | 15 +++++++++++++++
+ arch/powerpc/kernel/asm-offsets.c | 2 ++
+ arch/powerpc/kernel/vdso/cacheflush.S | 2 +-
+ arch/powerpc/kernel/vdso/datapage.S | 4 ++--
+ 4 files changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/vdso_datapage.h b/arch/powerpc/include/asm/vdso_datapage.h
+index a585c8e538ff0..939daf6b695ef 100644
+--- a/arch/powerpc/include/asm/vdso_datapage.h
++++ b/arch/powerpc/include/asm/vdso_datapage.h
+@@ -111,6 +111,21 @@ extern struct vdso_arch_data *vdso_data;
+ addi \ptr, \ptr, (_vdso_datapage - 999b)@l
+ .endm
+
++#include <asm/asm-offsets.h>
++#include <asm/page.h>
++
++.macro get_realdatapage ptr scratch
++ get_datapage \ptr
++#ifdef CONFIG_TIME_NS
++ lwz \scratch, VDSO_CLOCKMODE_OFFSET(\ptr)
++ xoris \scratch, \scratch, VDSO_CLOCKMODE_TIMENS@h
++ xori \scratch, \scratch, VDSO_CLOCKMODE_TIMENS@l
++ cntlzw \scratch, \scratch
++ rlwinm \scratch, \scratch, PAGE_SHIFT - 5, 1 << PAGE_SHIFT
++ add \ptr, \ptr, \scratch
++#endif
++.endm
++
+ #endif /* __ASSEMBLY__ */
+
+ #endif /* __KERNEL__ */
+diff --git a/arch/powerpc/kernel/asm-offsets.c b/arch/powerpc/kernel/asm-offsets.c
+index 23733282de4d9..7b3feb6bc2103 100644
+--- a/arch/powerpc/kernel/asm-offsets.c
++++ b/arch/powerpc/kernel/asm-offsets.c
+@@ -346,6 +346,8 @@ int main(void)
+ #else
+ OFFSET(CFG_SYSCALL_MAP32, vdso_arch_data, syscall_map);
+ #endif
++ OFFSET(VDSO_CLOCKMODE_OFFSET, vdso_arch_data, data[0].clock_mode);
++ DEFINE(VDSO_CLOCKMODE_TIMENS, VDSO_CLOCKMODE_TIMENS);
+
+ #ifdef CONFIG_BUG
+ DEFINE(BUG_ENTRY_SIZE, sizeof(struct bug_entry));
+diff --git a/arch/powerpc/kernel/vdso/cacheflush.S b/arch/powerpc/kernel/vdso/cacheflush.S
+index 0085ae464dac9..3b2479bd2f9a1 100644
+--- a/arch/powerpc/kernel/vdso/cacheflush.S
++++ b/arch/powerpc/kernel/vdso/cacheflush.S
+@@ -30,7 +30,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_COHERENT_ICACHE)
+ #ifdef CONFIG_PPC64
+ mflr r12
+ .cfi_register lr,r12
+- get_datapage r10
++ get_realdatapage r10, r11
+ mtlr r12
+ .cfi_restore lr
+ #endif
+diff --git a/arch/powerpc/kernel/vdso/datapage.S b/arch/powerpc/kernel/vdso/datapage.S
+index db8e167f01667..2b19b6201a33a 100644
+--- a/arch/powerpc/kernel/vdso/datapage.S
++++ b/arch/powerpc/kernel/vdso/datapage.S
+@@ -28,7 +28,7 @@ V_FUNCTION_BEGIN(__kernel_get_syscall_map)
+ mflr r12
+ .cfi_register lr,r12
+ mr. r4,r3
+- get_datapage r3
++ get_realdatapage r3, r11
+ mtlr r12
+ #ifdef __powerpc64__
+ addi r3,r3,CFG_SYSCALL_MAP64
+@@ -52,7 +52,7 @@ V_FUNCTION_BEGIN(__kernel_get_tbfreq)
+ .cfi_startproc
+ mflr r12
+ .cfi_register lr,r12
+- get_datapage r3
++ get_realdatapage r3, r11
+ #ifndef __powerpc64__
+ lwz r4,(CFG_TB_TICKS_PER_SEC + 4)(r3)
+ #endif
+--
+2.43.0
+
--- /dev/null
+From 57a54965bf7f302acff94e30355475deb399f692 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2024 10:00:29 +0200
+Subject: powerpc/vdso: Inconditionally use CFUNC macro
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 65948b0e716a47382731889ee6bbb18642b8b003 ]
+
+During merge of commit 4e991e3c16a3 ("powerpc: add CFUNC assembly
+label annotation") a fallback version of CFUNC macro was added at
+the last minute, so it can be used inconditionally.
+
+Fixes: 4e991e3c16a3 ("powerpc: add CFUNC assembly label annotation")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/0fa863f2f69b2ca4094ae066fcf1430fb31110c9.1724313540.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/vdso/gettimeofday.S | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/arch/powerpc/kernel/vdso/gettimeofday.S b/arch/powerpc/kernel/vdso/gettimeofday.S
+index 48fc6658053aa..894cb939cd2b3 100644
+--- a/arch/powerpc/kernel/vdso/gettimeofday.S
++++ b/arch/powerpc/kernel/vdso/gettimeofday.S
+@@ -38,11 +38,7 @@
+ .else
+ addi r4, r5, VDSO_DATA_OFFSET
+ .endif
+-#ifdef __powerpc64__
+ bl CFUNC(DOTSYM(\funct))
+-#else
+- bl \funct
+-#endif
+ PPC_LL r0, PPC_MIN_STKFRM + PPC_LR_STKOFF(r1)
+ #ifdef __powerpc64__
+ PPC_LL r2, PPC_MIN_STKFRM + STK_GOT(r1)
+--
+2.43.0
+
--- /dev/null
+From e09438ae0125094cb4b0a1144738f17b49e8f445 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Jul 2024 21:05:31 +0800
+Subject: quota: avoid missing put_quota_format when DQUOT_SUSPENDED is passed
+
+From: Kemeng Shi <shikemeng@huaweicloud.com>
+
+[ Upstream commit d16a5f852025be546b6e4ceef15899db3490f4d7 ]
+
+Avoid missing put_quota_format when DQUOT_SUSPENDED is passed to
+dquot_load_quota_sb.
+
+Link: https://patch.msgid.link/20240715130534.2112678-2-shikemeng@huaweicloud.com
+Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
+Fixes: d44c57663723 ("quota: Remove BUG_ON in dquot_load_quota_sb()")
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/quota/dquot.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
+index 7ae885e6d5d73..d533b58e21c28 100644
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -2406,7 +2406,7 @@ static int vfs_setup_quota_inode(struct inode *inode, int type)
+ int dquot_load_quota_sb(struct super_block *sb, int type, int format_id,
+ unsigned int flags)
+ {
+- struct quota_format_type *fmt = find_quota_format(format_id);
++ struct quota_format_type *fmt;
+ struct quota_info *dqopt = sb_dqopt(sb);
+ int error;
+
+@@ -2416,6 +2416,7 @@ int dquot_load_quota_sb(struct super_block *sb, int type, int format_id,
+ if (WARN_ON_ONCE(flags & DQUOT_SUSPENDED))
+ return -EINVAL;
+
++ fmt = find_quota_format(format_id);
+ if (!fmt)
+ return -ESRCH;
+ if (!sb->dq_op || !sb->s_qcop ||
+--
+2.43.0
+
--- /dev/null
+From f18bd219d393286704412aa5a59e4d35d1a30e02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2024 15:51:11 +0200
+Subject: r8169: disable ALDPS per default for RTL8125
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit b9c7ac4fe22c608acf6153a3329df2b6b6cd416c ]
+
+En-Wei reported that traffic breaks if cable is unplugged for more
+than 3s and then re-plugged. This was supposed to be fixed by
+621735f59064 ("r8169: fix rare issue with broken rx after link-down on
+RTL8125"). But apparently this didn't fix the issue for everybody.
+The 3s threshold rang a bell, as this is the delay after which ALDPS
+kicks in. And indeed disabling ALDPS fixes the issue for this user.
+Maybe this fixes the issue in general. In a follow-up step we could
+remove the first fix attempt and see whether anybody complains.
+
+Fixes: f1bce4ad2f1c ("r8169: add support for RTL8125")
+Tested-by: En-Wei WU <en-wei.wu@canonical.com>
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Link: https://patch.msgid.link/778b9d86-05c4-4856-be59-cde4487b9e52@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/realtek/r8169_phy_config.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/realtek/r8169_phy_config.c b/drivers/net/ethernet/realtek/r8169_phy_config.c
+index 1f74317beb887..e1e5d9672ae44 100644
+--- a/drivers/net/ethernet/realtek/r8169_phy_config.c
++++ b/drivers/net/ethernet/realtek/r8169_phy_config.c
+@@ -1060,6 +1060,7 @@ static void rtl8125a_2_hw_phy_config(struct rtl8169_private *tp,
+ phy_modify_paged(phydev, 0xa86, 0x15, 0x0001, 0x0000);
+ rtl8168g_enable_gphy_10m(phydev);
+
++ rtl8168g_disable_aldps(phydev);
+ rtl8125a_config_eee_phy(phydev);
+ }
+
+@@ -1099,6 +1100,7 @@ static void rtl8125b_hw_phy_config(struct rtl8169_private *tp,
+ phy_modify_paged(phydev, 0xbf8, 0x12, 0xe000, 0xa000);
+
+ rtl8125_legacy_force_mode(phydev);
++ rtl8168g_disable_aldps(phydev);
+ rtl8125b_config_eee_phy(phydev);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 3b70f42378d605f7e5e86ddc5b510fd690a699c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Aug 2024 00:56:40 +0200
+Subject: rcu/nocb: Fix RT throttling hrtimer armed from offline CPU
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Frederic Weisbecker <frederic@kernel.org>
+
+[ Upstream commit 9139f93209d1ffd7f489ab19dee01b7c3a1a43d2 ]
+
+After a CPU is marked offline and until it reaches its final trip to
+idle, rcuo has several opportunities to be woken up, either because
+a callback has been queued in the meantime or because
+rcutree_report_cpu_dead() has issued the final deferred NOCB wake up.
+
+If RCU-boosting is enabled, RCU kthreads are set to SCHED_FIFO policy.
+And if RT-bandwidth is enabled, the related hrtimer might be armed.
+However this then happens after hrtimers have been migrated at the
+CPUHP_AP_HRTIMERS_DYING stage, which is broken as reported by the
+following warning:
+
+ Call trace:
+ enqueue_hrtimer+0x7c/0xf8
+ hrtimer_start_range_ns+0x2b8/0x300
+ enqueue_task_rt+0x298/0x3f0
+ enqueue_task+0x94/0x188
+ ttwu_do_activate+0xb4/0x27c
+ try_to_wake_up+0x2d8/0x79c
+ wake_up_process+0x18/0x28
+ __wake_nocb_gp+0x80/0x1a0
+ do_nocb_deferred_wakeup_common+0x3c/0xcc
+ rcu_report_dead+0x68/0x1ac
+ cpuhp_report_idle_dead+0x48/0x9c
+ do_idle+0x288/0x294
+ cpu_startup_entry+0x34/0x3c
+ secondary_start_kernel+0x138/0x158
+
+Fix this with waking up rcuo using an IPI if necessary. Since the
+existing API to deal with this situation only handles swait queue, rcuo
+is only woken up from offline CPUs if it's not already waiting on a
+grace period. In the worst case some callbacks will just wait for a
+grace period to complete before being assigned to a subsequent one.
+
+Reported-by: "Cheng-Jui Wang (王正睿)" <Cheng-Jui.Wang@mediatek.com>
+Fixes: 5c0930ccaad5 ("hrtimers: Push pending hrtimers away from outgoing CPU earlier")
+Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
+Signed-off-by: Neeraj Upadhyay <neeraj.upadhyay@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tree_nocb.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/rcu/tree_nocb.h b/kernel/rcu/tree_nocb.h
+index 3ce30841119ad..2686ba122fa08 100644
+--- a/kernel/rcu/tree_nocb.h
++++ b/kernel/rcu/tree_nocb.h
+@@ -220,7 +220,10 @@ static bool __wake_nocb_gp(struct rcu_data *rdp_gp,
+ raw_spin_unlock_irqrestore(&rdp_gp->nocb_gp_lock, flags);
+ if (needwake) {
+ trace_rcu_nocb_wake(rcu_state.name, rdp->cpu, TPS("DoWake"));
+- wake_up_process(rdp_gp->nocb_gp_kthread);
++ if (cpu_is_offline(raw_smp_processor_id()))
++ swake_up_one_online(&rdp_gp->nocb_gp_wq);
++ else
++ wake_up_process(rdp_gp->nocb_gp_kthread);
+ }
+
+ return needwake;
+--
+2.43.0
+
--- /dev/null
+From fe09c8f9b24e53813f97aee0fc2f4d9531f3e6d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Aug 2024 21:47:25 -0700
+Subject: RDMA/bnxt_re: Fix the table size for PSN/MSN entries
+
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+
+[ Upstream commit b930d0bac9c671c053dd66229010ca9298e84aab ]
+
+HW MSN table size is always a power of 2. So the pages should be mapped
+accordingly.
+
+Use the power of two calculation while get the number of PSN/MSN entries.
+
+Fixes: 6f6bfbc595fb ("RDMA/bnxt_re: Expose the MSN table capability for user library")
+Link: https://patch.msgid.link/r/1724042847-1481-4-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+index 7c757351a0166..982e85ba211bc 100644
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -1042,6 +1042,8 @@ static int bnxt_re_init_user_qp(struct bnxt_re_dev *rdev, struct bnxt_re_pd *pd,
+ qplib_qp->sq.max_wqe :
+ ((qplib_qp->sq.max_wqe * qplib_qp->sq.wqe_size) /
+ sizeof(struct bnxt_qplib_sge));
++ if (_is_host_msn_table(rdev->qplib_res.dattr->dev_cap_flags2))
++ psn_nume = roundup_pow_of_two(psn_nume);
+ bytes += (psn_nume * psn_sz);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 8316397b7e048bc18e35b44d1e95651a1a4d8c13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 10:58:39 -0400
+Subject: RDMA/cxgb4: Added NULL check for lookup_atid
+
+From: Mikhail Lobanov <m.lobanov@rosalinux.ru>
+
+[ Upstream commit e766e6a92410ca269161de059fff0843b8ddd65f ]
+
+The lookup_atid() function can return NULL if the ATID is
+invalid or does not exist in the identifier table, which
+could lead to dereferencing a null pointer without a
+check in the `act_establish()` and `act_open_rpl()` functions.
+Add a NULL check to prevent null pointer dereferencing.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: cfdda9d76436 ("RDMA/cxgb4: Add driver for Chelsio T4 RNIC")
+Signed-off-by: Mikhail Lobanov <m.lobanov@rosalinux.ru>
+Link: https://patch.msgid.link/20240912145844.77516-1-m.lobanov@rosalinux.ru
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
+index 040ba2224f9ff..b3757c6a0457a 100644
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -1222,6 +1222,8 @@ static int act_establish(struct c4iw_dev *dev, struct sk_buff *skb)
+ int ret;
+
+ ep = lookup_atid(t, atid);
++ if (!ep)
++ return -EINVAL;
+
+ pr_debug("ep %p tid %u snd_isn %u rcv_isn %u\n", ep, tid,
+ be32_to_cpu(req->snd_isn), be32_to_cpu(req->rcv_isn));
+@@ -2279,6 +2281,9 @@ static int act_open_rpl(struct c4iw_dev *dev, struct sk_buff *skb)
+ int ret = 0;
+
+ ep = lookup_atid(t, atid);
++ if (!ep)
++ return -EINVAL;
++
+ la = (struct sockaddr_in *)&ep->com.local_addr;
+ ra = (struct sockaddr_in *)&ep->com.remote_addr;
+ la6 = (struct sockaddr_in6 *)&ep->com.local_addr;
+--
+2.43.0
+
--- /dev/null
+From 5c8822810123c2fa6c907e99807370737c8c67dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 19:29:20 +0800
+Subject: RDMA/erdma: Return QP state in erdma_query_qp
+
+From: Cheng Xu <chengyou@linux.alibaba.com>
+
+[ Upstream commit e77127ff6416b17e0b3e630ac46ee5c9a6570f57 ]
+
+Fix qp_state and cur_qp_state to return correct values in
+struct ib_qp_attr.
+
+Fixes: 155055771704 ("RDMA/erdma: Add verbs implementation")
+Signed-off-by: Cheng Xu <chengyou@linux.alibaba.com>
+Link: https://patch.msgid.link/20240902112920.58749-4-chengyou@linux.alibaba.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/erdma/erdma_verbs.c | 25 ++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/erdma/erdma_verbs.c b/drivers/infiniband/hw/erdma/erdma_verbs.c
+index d7e1cbf9f5c26..7f6e3eaca3bbf 100644
+--- a/drivers/infiniband/hw/erdma/erdma_verbs.c
++++ b/drivers/infiniband/hw/erdma/erdma_verbs.c
+@@ -1544,11 +1544,31 @@ int erdma_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr, int attr_mask,
+ return ret;
+ }
+
++static enum ib_qp_state query_qp_state(struct erdma_qp *qp)
++{
++ switch (qp->attrs.state) {
++ case ERDMA_QP_STATE_IDLE:
++ return IB_QPS_INIT;
++ case ERDMA_QP_STATE_RTR:
++ return IB_QPS_RTR;
++ case ERDMA_QP_STATE_RTS:
++ return IB_QPS_RTS;
++ case ERDMA_QP_STATE_CLOSING:
++ return IB_QPS_ERR;
++ case ERDMA_QP_STATE_TERMINATE:
++ return IB_QPS_ERR;
++ case ERDMA_QP_STATE_ERROR:
++ return IB_QPS_ERR;
++ default:
++ return IB_QPS_ERR;
++ }
++}
++
+ int erdma_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *qp_attr,
+ int qp_attr_mask, struct ib_qp_init_attr *qp_init_attr)
+ {
+- struct erdma_qp *qp;
+ struct erdma_dev *dev;
++ struct erdma_qp *qp;
+
+ if (ibqp && qp_attr && qp_init_attr) {
+ qp = to_eqp(ibqp);
+@@ -1575,6 +1595,9 @@ int erdma_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *qp_attr,
+
+ qp_init_attr->cap = qp_attr->cap;
+
++ qp_attr->qp_state = query_qp_state(qp);
++ qp_attr->cur_qp_state = query_qp_state(qp);
++
+ return 0;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 609fe8b0418e78bdca0e744a5d0760a83c78f95c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 17:34:36 +0800
+Subject: RDMA/hns: Don't modify rq next block addr in HIP09 QPC
+
+From: Junxian Huang <huangjunxian6@hisilicon.com>
+
+[ Upstream commit 6928d264e328e0cb5ee7663003a6e46e4cba0a7e ]
+
+The field 'rq next block addr' in QPC can be updated by driver only
+on HIP08. On HIP09 HW updates this field while driver is not allowed.
+
+Fixes: 926a01dc000d ("RDMA/hns: Add QP operations support for hip08 SoC")
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20240906093444.3571619-2-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 621b057fb9daa..a166b476977f1 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -4423,12 +4423,14 @@ static int config_qp_rq_buf(struct hns_roce_dev *hr_dev,
+ upper_32_bits(to_hr_hw_page_addr(mtts[0])));
+ hr_reg_clear(qpc_mask, QPC_RQ_CUR_BLK_ADDR_H);
+
+- context->rq_nxt_blk_addr = cpu_to_le32(to_hr_hw_page_addr(mtts[1]));
+- qpc_mask->rq_nxt_blk_addr = 0;
+-
+- hr_reg_write(context, QPC_RQ_NXT_BLK_ADDR_H,
+- upper_32_bits(to_hr_hw_page_addr(mtts[1])));
+- hr_reg_clear(qpc_mask, QPC_RQ_NXT_BLK_ADDR_H);
++ if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) {
++ context->rq_nxt_blk_addr =
++ cpu_to_le32(to_hr_hw_page_addr(mtts[1]));
++ qpc_mask->rq_nxt_blk_addr = 0;
++ hr_reg_write(context, QPC_RQ_NXT_BLK_ADDR_H,
++ upper_32_bits(to_hr_hw_page_addr(mtts[1])));
++ hr_reg_clear(qpc_mask, QPC_RQ_NXT_BLK_ADDR_H);
++ }
+
+ return 0;
+ }
+--
+2.43.0
+
--- /dev/null
+From 380067f3c942309c93175becc380db5329d06537 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 17:34:42 +0800
+Subject: RDMA/hns: Fix 1bit-ECC recovery address in non-4K OS
+
+From: Chengchang Tang <tangchengchang@huawei.com>
+
+[ Upstream commit ce196f6297c7f3ab7780795e40efd6c521f60c8b ]
+
+The 1bit-ECC recovery address read from HW only contain bits 64:12, so
+it should be fixed left-shifted 12 bits when used.
+
+Currently, the driver will shift the address left by PAGE_SHIFT when
+used, which is wrong in non-4K OS.
+
+Fixes: 2de949abd6a5 ("RDMA/hns: Recover 1bit-ECC error of RAM on chip")
+Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20240906093444.3571619-8-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 5483d04b3ab7e..349b68d7e7db6 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -6285,7 +6285,7 @@ static u64 fmea_get_ram_res_addr(u32 res_type, __le64 *data)
+ res_type == ECC_RESOURCE_SCCC)
+ return le64_to_cpu(*data);
+
+- return le64_to_cpu(*data) << PAGE_SHIFT;
++ return le64_to_cpu(*data) << HNS_HW_PAGE_SHIFT;
+ }
+
+ static int fmea_recover_others(struct hns_roce_dev *hr_dev, u32 res_type,
+--
+2.43.0
+
--- /dev/null
+From bc20d9f9193caadcb31d693901eac855daeb3b13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 19:57:00 +0800
+Subject: RDMA/hns: Fix ah error counter in sw stat not increasing
+
+From: Junxian Huang <huangjunxian6@hisilicon.com>
+
+[ Upstream commit 39c047d4047a1242aeefa87513174b56a91080ab ]
+
+There are several error cases where hns_roce_create_ah() returns
+directly without jumping to sw stat path, thus leading to a problem
+that the ah error counter does not increase.
+
+Fixes: ee20cc17e9d8 ("RDMA/hns: Support DSCP")
+Fixes: eb7854d63db5 ("RDMA/hns: Support SW stats with debugfs")
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20240912115700.2016443-1-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_ah.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_ah.c b/drivers/infiniband/hw/hns/hns_roce_ah.c
+index 3e02c474f59fe..4fc5b9d5fea87 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_ah.c
++++ b/drivers/infiniband/hw/hns/hns_roce_ah.c
+@@ -64,8 +64,10 @@ int hns_roce_create_ah(struct ib_ah *ibah, struct rdma_ah_init_attr *init_attr,
+ u8 tc_mode = 0;
+ int ret;
+
+- if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08 && udata)
+- return -EOPNOTSUPP;
++ if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08 && udata) {
++ ret = -EOPNOTSUPP;
++ goto err_out;
++ }
+
+ ah->av.port = rdma_ah_get_port_num(ah_attr);
+ ah->av.gid_index = grh->sgid_index;
+@@ -83,7 +85,7 @@ int hns_roce_create_ah(struct ib_ah *ibah, struct rdma_ah_init_attr *init_attr,
+ ret = 0;
+
+ if (ret && grh->sgid_attr->gid_type == IB_GID_TYPE_ROCE_UDP_ENCAP)
+- return ret;
++ goto err_out;
+
+ if (tc_mode == HNAE3_TC_MAP_MODE_DSCP &&
+ grh->sgid_attr->gid_type == IB_GID_TYPE_ROCE_UDP_ENCAP)
+@@ -91,8 +93,10 @@ int hns_roce_create_ah(struct ib_ah *ibah, struct rdma_ah_init_attr *init_attr,
+ else
+ ah->av.sl = rdma_ah_get_sl(ah_attr);
+
+- if (!check_sl_valid(hr_dev, ah->av.sl))
+- return -EINVAL;
++ if (!check_sl_valid(hr_dev, ah->av.sl)) {
++ ret = -EINVAL;
++ goto err_out;
++ }
+
+ memcpy(ah->av.dgid, grh->dgid.raw, HNS_ROCE_GID_SIZE);
+ memcpy(ah->av.mac, ah_attr->roce.dmac, ETH_ALEN);
+--
+2.43.0
+
--- /dev/null
+From f0096c090ddc51c43b5f66769e4aaeb82d866f3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 14:53:31 +0800
+Subject: RDMA/hns: Fix restricted __le16 degrades to integer issue
+
+From: Junxian Huang <huangjunxian6@hisilicon.com>
+
+[ Upstream commit f4ccc0a2a0c5977540f519588636b5bc81aae2db ]
+
+Fix sparse warnings: restricted __le16 degrades to integer.
+
+Fixes: 5a87279591a1 ("RDMA/hns: Support hns HW stats")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202409080508.g4mNSLwy-lkp@intel.com/
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20240909065331.3950268-1-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 349b68d7e7db6..24e906b9d3ae1 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -1681,8 +1681,8 @@ static int hns_roce_hw_v2_query_counter(struct hns_roce_dev *hr_dev,
+
+ for (i = 0; i < HNS_ROCE_HW_CNT_TOTAL && i < *num_counters; i++) {
+ bd_idx = i / CNT_PER_DESC;
+- if (!(desc[bd_idx].flag & HNS_ROCE_CMD_FLAG_NEXT) &&
+- bd_idx != HNS_ROCE_HW_CNT_TOTAL / CNT_PER_DESC)
++ if (bd_idx != HNS_ROCE_HW_CNT_TOTAL / CNT_PER_DESC &&
++ !(desc[bd_idx].flag & cpu_to_le16(HNS_ROCE_CMD_FLAG_NEXT)))
+ break;
+
+ cnt_data = (__le64 *)&desc[bd_idx].data[0];
+--
+2.43.0
+
--- /dev/null
+From d485253bb0ff9f9cf37940fb51ed26ccce467a7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 17:34:40 +0800
+Subject: RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled
+
+From: Chengchang Tang <tangchengchang@huawei.com>
+
+[ Upstream commit 74d315b5af180220d561684d15897730135733a6 ]
+
+Fix missuse of spin_lock_irq()/spin_unlock_irq() when
+spin_lock_irqsave()/spin_lock_irqrestore() was hold.
+
+This was discovered through the lock debugging, and the corresponding
+log is as follows:
+
+raw_local_irq_restore() called with IRQs enabled
+WARNING: CPU: 96 PID: 2074 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x30/0x40
+...
+Call trace:
+ warn_bogus_irq_restore+0x30/0x40
+ _raw_spin_unlock_irqrestore+0x84/0xc8
+ add_qp_to_list+0x11c/0x148 [hns_roce_hw_v2]
+ hns_roce_create_qp_common.constprop.0+0x240/0x780 [hns_roce_hw_v2]
+ hns_roce_create_qp+0x98/0x160 [hns_roce_hw_v2]
+ create_qp+0x138/0x258
+ ib_create_qp_kernel+0x50/0xe8
+ create_mad_qp+0xa8/0x128
+ ib_mad_port_open+0x218/0x448
+ ib_mad_init_device+0x70/0x1f8
+ add_client_context+0xfc/0x220
+ enable_device_and_get+0xd0/0x140
+ ib_register_device.part.0+0xf4/0x1c8
+ ib_register_device+0x34/0x50
+ hns_roce_register_device+0x174/0x3d0 [hns_roce_hw_v2]
+ hns_roce_init+0xfc/0x2c0 [hns_roce_hw_v2]
+ __hns_roce_hw_v2_init_instance+0x7c/0x1d0 [hns_roce_hw_v2]
+ hns_roce_hw_v2_init_instance+0x9c/0x180 [hns_roce_hw_v2]
+
+Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver")
+Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20240906093444.3571619-6-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_qp.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c b/drivers/infiniband/hw/hns/hns_roce_qp.c
+index 1de384ce4d0e1..6b03ba671ff8f 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_qp.c
++++ b/drivers/infiniband/hw/hns/hns_roce_qp.c
+@@ -1460,19 +1460,19 @@ void hns_roce_lock_cqs(struct hns_roce_cq *send_cq, struct hns_roce_cq *recv_cq)
+ __acquire(&send_cq->lock);
+ __acquire(&recv_cq->lock);
+ } else if (unlikely(send_cq != NULL && recv_cq == NULL)) {
+- spin_lock_irq(&send_cq->lock);
++ spin_lock(&send_cq->lock);
+ __acquire(&recv_cq->lock);
+ } else if (unlikely(send_cq == NULL && recv_cq != NULL)) {
+- spin_lock_irq(&recv_cq->lock);
++ spin_lock(&recv_cq->lock);
+ __acquire(&send_cq->lock);
+ } else if (send_cq == recv_cq) {
+- spin_lock_irq(&send_cq->lock);
++ spin_lock(&send_cq->lock);
+ __acquire(&recv_cq->lock);
+ } else if (send_cq->cqn < recv_cq->cqn) {
+- spin_lock_irq(&send_cq->lock);
++ spin_lock(&send_cq->lock);
+ spin_lock_nested(&recv_cq->lock, SINGLE_DEPTH_NESTING);
+ } else {
+- spin_lock_irq(&recv_cq->lock);
++ spin_lock(&recv_cq->lock);
+ spin_lock_nested(&send_cq->lock, SINGLE_DEPTH_NESTING);
+ }
+ }
+@@ -1492,13 +1492,13 @@ void hns_roce_unlock_cqs(struct hns_roce_cq *send_cq,
+ spin_unlock(&recv_cq->lock);
+ } else if (send_cq == recv_cq) {
+ __release(&recv_cq->lock);
+- spin_unlock_irq(&send_cq->lock);
++ spin_unlock(&send_cq->lock);
+ } else if (send_cq->cqn < recv_cq->cqn) {
+ spin_unlock(&recv_cq->lock);
+- spin_unlock_irq(&send_cq->lock);
++ spin_unlock(&send_cq->lock);
+ } else {
+ spin_unlock(&send_cq->lock);
+- spin_unlock_irq(&recv_cq->lock);
++ spin_unlock(&recv_cq->lock);
+ }
+ }
+
+--
+2.43.0
+
--- /dev/null
+From dc5d803df77c0608257344962ffadfe2d7afd78b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 17:34:39 +0800
+Subject: RDMA/hns: Fix the overflow risk of hem_list_calc_ba_range()
+
+From: wenglianfa <wenglianfa@huawei.com>
+
+[ Upstream commit d586628b169d14bbf36be64d2b3ec9d9d2fe0432 ]
+
+The max value of 'unit' and 'hop_num' is 2^24 and 2, so the value of
+'step' may exceed the range of u32. Change the type of 'step' to u64.
+
+Fixes: 38389eaa4db1 ("RDMA/hns: Add mtr support for mixed multihop addressing")
+Signed-off-by: wenglianfa <wenglianfa@huawei.com>
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20240906093444.3571619-5-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hem.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c
+index 02baa853a76c9..42111f31b3715 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hem.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hem.c
+@@ -1041,9 +1041,9 @@ static bool hem_list_is_bottom_bt(int hopnum, int bt_level)
+ * @bt_level: base address table level
+ * @unit: ba entries per bt page
+ */
+-static u32 hem_list_calc_ba_range(int hopnum, int bt_level, int unit)
++static u64 hem_list_calc_ba_range(int hopnum, int bt_level, int unit)
+ {
+- u32 step;
++ u64 step;
+ int max;
+ int i;
+
+@@ -1079,7 +1079,7 @@ int hns_roce_hem_list_calc_root_ba(const struct hns_roce_buf_region *regions,
+ {
+ struct hns_roce_buf_region *r;
+ int total = 0;
+- int step;
++ u64 step;
+ int i;
+
+ for (i = 0; i < region_cnt; i++) {
+@@ -1110,7 +1110,7 @@ static int hem_list_alloc_mid_bt(struct hns_roce_dev *hr_dev,
+ int ret = 0;
+ int max_ofs;
+ int level;
+- u32 step;
++ u64 step;
+ int end;
+
+ if (hopnum <= 1)
+@@ -1147,7 +1147,7 @@ static int hem_list_alloc_mid_bt(struct hns_roce_dev *hr_dev,
+ }
+
+ start_aligned = (distance / step) * step + r->offset;
+- end = min_t(int, start_aligned + step - 1, max_ofs);
++ end = min_t(u64, start_aligned + step - 1, max_ofs);
+ cur = hem_list_alloc_item(hr_dev, start_aligned, end, unit,
+ true);
+ if (!cur) {
+@@ -1235,7 +1235,7 @@ static int setup_middle_bt(struct hns_roce_dev *hr_dev, void *cpu_base,
+ struct hns_roce_hem_item *hem, *temp_hem;
+ int total = 0;
+ int offset;
+- int step;
++ u64 step;
+
+ step = hem_list_calc_ba_range(r->hopnum, 1, unit);
+ if (step < 1)
+--
+2.43.0
+
--- /dev/null
+From d40faf353f1d7c615222849b8d5d501a0086fccf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 17:34:37 +0800
+Subject: RDMA/hns: Fix Use-After-Free of rsv_qp on HIP08
+
+From: wenglianfa <wenglianfa@huawei.com>
+
+[ Upstream commit fd8489294dd2beefb70f12ec4f6132aeec61a4d0 ]
+
+Currently rsv_qp is freed before ib_unregister_device() is called
+on HIP08. During the time interval, users can still dereg MR and
+rsv_qp will be used in this process, leading to a UAF. Move the
+release of rsv_qp after calling ib_unregister_device() to fix it.
+
+Fixes: 70f92521584f ("RDMA/hns: Use the reserved loopback QPs to free MR before destroying MPT")
+Signed-off-by: wenglianfa <wenglianfa@huawei.com>
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20240906093444.3571619-3-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index a166b476977f1..2225c9cc63661 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -2972,6 +2972,9 @@ static int hns_roce_v2_init(struct hns_roce_dev *hr_dev)
+
+ static void hns_roce_v2_exit(struct hns_roce_dev *hr_dev)
+ {
++ if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08)
++ free_mr_exit(hr_dev);
++
+ hns_roce_function_clear(hr_dev);
+
+ if (!hr_dev->is_vf)
+@@ -6951,9 +6954,6 @@ static void __hns_roce_hw_v2_uninit_instance(struct hnae3_handle *handle,
+ hr_dev->state = HNS_ROCE_DEVICE_STATE_UNINIT;
+ hns_roce_handle_device_err(hr_dev);
+
+- if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08)
+- free_mr_exit(hr_dev);
+-
+ hns_roce_exit(hr_dev);
+ kfree(hr_dev->priv);
+ ib_dealloc_device(&hr_dev->ib_dev);
+--
+2.43.0
+
--- /dev/null
+From 124ca257b8c6a4694cdb674975ad15bfb7945710 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 17:34:41 +0800
+Subject: RDMA/hns: Fix VF triggering PF reset in abnormal interrupt handler
+
+From: Junxian Huang <huangjunxian6@hisilicon.com>
+
+[ Upstream commit 4321feefa5501a746ebf6a7d8b59e6b955ae1860 ]
+
+In abnormal interrupt handler, a PF reset will be triggered even if
+the device is a VF. It should be a VF reset.
+
+Fixes: 2b9acb9a97fe ("RDMA/hns: Add the process of AEQ overflow for hip08")
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20240906093444.3571619-7-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 2225c9cc63661..5483d04b3ab7e 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -6198,6 +6198,7 @@ static irqreturn_t abnormal_interrupt_basic(struct hns_roce_dev *hr_dev,
+ struct pci_dev *pdev = hr_dev->pci_dev;
+ struct hnae3_ae_dev *ae_dev = pci_get_drvdata(pdev);
+ const struct hnae3_ae_ops *ops = ae_dev->ops;
++ enum hnae3_reset_type reset_type;
+ irqreturn_t int_work = IRQ_NONE;
+ u32 int_en;
+
+@@ -6209,10 +6210,12 @@ static irqreturn_t abnormal_interrupt_basic(struct hns_roce_dev *hr_dev,
+ roce_write(hr_dev, ROCEE_VF_ABN_INT_ST_REG,
+ 1 << HNS_ROCE_V2_VF_INT_ST_AEQ_OVERFLOW_S);
+
++ reset_type = hr_dev->is_vf ?
++ HNAE3_VF_FUNC_RESET : HNAE3_FUNC_RESET;
++
+ /* Set reset level for reset_event() */
+ if (ops->set_default_reset_request)
+- ops->set_default_reset_request(ae_dev,
+- HNAE3_FUNC_RESET);
++ ops->set_default_reset_request(ae_dev, reset_type);
+ if (ops->reset_event)
+ ops->reset_event(pdev, NULL);
+
+--
+2.43.0
+
--- /dev/null
+From ffd8df91f8993dd826c8e4a1376f75fc0dfa7362 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 17:34:43 +0800
+Subject: RDMA/hns: Optimize hem allocation performance
+
+From: Junxian Huang <huangjunxian6@hisilicon.com>
+
+[ Upstream commit fe51f6254d81f5a69c31df16353d6539b2b51630 ]
+
+When allocating MTT hem, for each hop level of each hem that is being
+allocated, the driver iterates the hem list to find out whether the
+bt page has been allocated in this hop level. If not, allocate a new
+one and splice it to the list. The time complexity is O(n^2) in worst
+cases.
+
+Currently the allocation for-loop uses 'unit' as the step size. This
+actually has taken into account the reuse of last-hop-level MTT bt
+pages by multiple buffer pages. Thus pages of last hop level will
+never have been allocated, so there is no need to iterate the hem list
+in last hop level.
+
+Removing this unnecessary iteration can reduce the time complexity to
+O(n).
+
+Fixes: 38389eaa4db1 ("RDMA/hns: Add mtr support for mixed multihop addressing")
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20240906093444.3571619-9-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hem.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c
+index 42111f31b3715..c7c167e2a0451 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hem.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hem.c
+@@ -1134,10 +1134,12 @@ static int hem_list_alloc_mid_bt(struct hns_roce_dev *hr_dev,
+
+ /* config L1 bt to last bt and link them to corresponding parent */
+ for (level = 1; level < hopnum; level++) {
+- cur = hem_list_search_item(&mid_bt[level], offset);
+- if (cur) {
+- hem_ptrs[level] = cur;
+- continue;
++ if (!hem_list_is_bottom_bt(hopnum, level)) {
++ cur = hem_list_search_item(&mid_bt[level], offset);
++ if (cur) {
++ hem_ptrs[level] = cur;
++ continue;
++ }
+ }
+
+ step = hem_list_calc_ba_range(hopnum, level, unit);
+--
+2.43.0
+
--- /dev/null
+From 505d7d07b038280d6373a9395271f42aa61689de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Sep 2024 21:58:05 +0500
+Subject: RDMA/irdma: fix error message in irdma_modify_qp_roce()
+
+From: Vitaliy Shevtsov <v.shevtsov@maxima.ru>
+
+[ Upstream commit 9f0eafe86ea0a589676209d0cff1a1ed49a037d3 ]
+
+Use a correct field max_dest_rd_atomic instead of max_rd_atomic for the
+error output.
+
+Found by Linux Verification Center (linuxtesting.org) with Svace.
+
+Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
+Signed-off-by: Vitaliy Shevtsov <v.shevtsov@maxima.ru>
+Link: https://lore.kernel.org/stable/20240916165817.14691-1-v.shevtsov%40maxima.ru
+Link: https://patch.msgid.link/20240916165817.14691-1-v.shevtsov@maxima.ru
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/verbs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
+index fc0ce35da14e6..c7475c925d1b4 100644
+--- a/drivers/infiniband/hw/irdma/verbs.c
++++ b/drivers/infiniband/hw/irdma/verbs.c
+@@ -1347,7 +1347,7 @@ int irdma_modify_qp_roce(struct ib_qp *ibqp, struct ib_qp_attr *attr,
+ if (attr->max_dest_rd_atomic > dev->hw_attrs.max_hw_ird) {
+ ibdev_err(&iwdev->ibdev,
+ "rd_atomic = %d, above max_hw_ird=%d\n",
+- attr->max_rd_atomic,
++ attr->max_dest_rd_atomic,
+ dev->hw_attrs.max_hw_ird);
+ return -EINVAL;
+ }
+--
+2.43.0
+
--- /dev/null
+From 325929c880845d709b699e61142c2db41ede59e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 13:33:36 +0200
+Subject: RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency
+
+From: Zhu Yanjun <yanjun.zhu@linux.dev>
+
+[ Upstream commit 86dfdd8288907f03c18b7fb462e0e232c4f98d89 ]
+
+In the commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to
+destroying CM IDs"), the function flush_workqueue is invoked to flush the
+work queue iwcm_wq.
+
+But at that time, the work queue iwcm_wq was created via the function
+alloc_ordered_workqueue without the flag WQ_MEM_RECLAIM.
+
+Because the current process is trying to flush the whole iwcm_wq, if
+iwcm_wq doesn't have the flag WQ_MEM_RECLAIM, verify that the current
+process is not reclaiming memory or running on a workqueue which doesn't
+have the flag WQ_MEM_RECLAIM as that can break forward-progress guarantee
+leading to a deadlock.
+
+The call trace is as below:
+
+[ 125.350876][ T1430] Call Trace:
+[ 125.356281][ T1430] <TASK>
+[ 125.361285][ T1430] ? __warn (kernel/panic.c:693)
+[ 125.367640][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))
+[ 125.375689][ T1430] ? report_bug (lib/bug.c:180 lib/bug.c:219)
+[ 125.382505][ T1430] ? handle_bug (arch/x86/kernel/traps.c:239)
+[ 125.388987][ T1430] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))
+[ 125.395831][ T1430] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621)
+[ 125.403125][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))
+[ 125.410984][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))
+[ 125.418764][ T1430] __flush_workqueue (kernel/workqueue.c:3970)
+[ 125.426021][ T1430] ? __pfx___might_resched (kernel/sched/core.c:10151)
+[ 125.433431][ T1430] ? destroy_cm_id (drivers/infiniband/core/iwcm.c:375) iw_cm
+[ 125.441209][ T1430] ? __pfx___flush_workqueue (kernel/workqueue.c:3910)
+[ 125.473900][ T1430] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:107 include/linux/atomic/atomic-arch-fallback.h:2170 include/linux/atomic/atomic-instrumented.h:1302 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
+[ 125.473909][ T1430] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161)
+[ 125.482537][ T1430] _destroy_id (drivers/infiniband/core/cma.c:2044) rdma_cm
+[ 125.495072][ T1430] nvme_rdma_free_queue (drivers/nvme/host/rdma.c:656 drivers/nvme/host/rdma.c:650) nvme_rdma
+[ 125.505827][ T1430] nvme_rdma_reset_ctrl_work (drivers/nvme/host/rdma.c:2180) nvme_rdma
+[ 125.505831][ T1430] process_one_work (kernel/workqueue.c:3231)
+[ 125.515122][ T1430] worker_thread (kernel/workqueue.c:3306 kernel/workqueue.c:3393)
+[ 125.515127][ T1430] ? __pfx_worker_thread (kernel/workqueue.c:3339)
+[ 125.531837][ T1430] kthread (kernel/kthread.c:389)
+[ 125.539864][ T1430] ? __pfx_kthread (kernel/kthread.c:342)
+[ 125.550628][ T1430] ret_from_fork (arch/x86/kernel/process.c:147)
+[ 125.558840][ T1430] ? __pfx_kthread (kernel/kthread.c:342)
+[ 125.558844][ T1430] ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
+[ 125.566487][ T1430] </TASK>
+[ 125.566488][ T1430] ---[ end trace 0000000000000000 ]---
+
+Fixes: aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to destroying CM IDs")
+Link: https://patch.msgid.link/r/20240820113336.19860-1-yanjun.zhu@linux.dev
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202408151633.fc01893c-oliver.sang@intel.com
+Tested-by: kernel test robot <oliver.sang@intel.com>
+Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/iwcm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c
+index 1a6339f3a63fc..7e3a55349e107 100644
+--- a/drivers/infiniband/core/iwcm.c
++++ b/drivers/infiniband/core/iwcm.c
+@@ -1182,7 +1182,7 @@ static int __init iw_cm_init(void)
+ if (ret)
+ return ret;
+
+- iwcm_wq = alloc_ordered_workqueue("iw_cm_wq", 0);
++ iwcm_wq = alloc_ordered_workqueue("iw_cm_wq", WQ_MEM_RECLAIM);
+ if (!iwcm_wq)
+ goto err_alloc;
+
+--
+2.43.0
+
--- /dev/null
+From 10e273ba09c31d53045d21aeff40cb2681600a17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 14:24:47 +0300
+Subject: RDMA/mlx5: Drop redundant work canceling from clean_keys()
+
+From: Michael Guralnik <michaelgur@nvidia.com>
+
+[ Upstream commit 30e6bd8d3b5639f8f4261e5e6c0917ce264b8dc2 ]
+
+The canceling of dealyed work in clean_keys() is a leftover from years
+back and was added to prevent races in the cleanup process of MR cache.
+The cleanup process was rewritten a few years ago and the canceling of
+delayed work and flushing of workqueue was added before the call to
+clean_keys().
+
+Signed-off-by: Michael Guralnik <michaelgur@nvidia.com>
+Link: https://patch.msgid.link/943d21f5a9dba7b98a3e1d531e3561ffe9745d71.1725362530.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Stable-dep-of: 7ebb00cea49d ("RDMA/mlx5: Fix MR cache temp entries cleanup")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/mr.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c
+index ffe1b95ca6853..19f5e5957e180 100644
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -779,7 +779,6 @@ static void clean_keys(struct mlx5_ib_dev *dev, struct mlx5_cache_ent *ent)
+ {
+ u32 mkey;
+
+- cancel_delayed_work(&ent->dwork);
+ spin_lock_irq(&ent->mkeys_queue.lock);
+ while (ent->mkeys_queue.ci) {
+ mkey = pop_mkey_locked(ent);
+--
+2.43.0
+
--- /dev/null
+From 1e097bb7ba1c2125206a5ea2ee71b11f089a5957 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 14:24:48 +0300
+Subject: RDMA/mlx5: Fix counter update on MR cache mkey creation
+
+From: Michael Guralnik <michaelgur@nvidia.com>
+
+[ Upstream commit 6f5cd6ac9a4201e4ba6f10b76a9da8044d6e38b0 ]
+
+After an mkey is created, update the counter for pending mkeys before
+reshceduling the work that is filling the cache.
+
+Rescheduling the work with a full MR cache entry and a wrong 'pending'
+counter will cause us to miss disabling the fill_to_high_water flag.
+Thus leaving the cache full but with an indication that it's still
+needs to be filled up to it's full size (2 * limit).
+Next time an mkey will be taken from the cache, we'll unnecessarily
+continue the process of filling the cache to it's full size.
+
+Fixes: 57e7071683ef ("RDMA/mlx5: Implement mkeys management via LIFO queue")
+Signed-off-by: Michael Guralnik <michaelgur@nvidia.com>
+Link: https://patch.msgid.link/0f44f462ba22e45f72cb3d0ec6a748634086b8d0.1725362530.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/mr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c
+index 98bd8eaa393ef..f384fdcd0c740 100644
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -211,9 +211,9 @@ static void create_mkey_callback(int status, struct mlx5_async_work *context)
+
+ spin_lock_irqsave(&ent->mkeys_queue.lock, flags);
+ push_mkey_locked(ent, mkey_out->mkey);
++ ent->pending--;
+ /* If we are doing fill_to_high_water then keep going. */
+ queue_adjust_cache_locked(ent);
+- ent->pending--;
+ spin_unlock_irqrestore(&ent->mkeys_queue.lock, flags);
+ kfree(mkey_out);
+ }
+--
+2.43.0
+
--- /dev/null
+From 4ee236e82f416d088dffb248c87db61c616c6397 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 14:24:50 +0300
+Subject: RDMA/mlx5: Fix MR cache temp entries cleanup
+
+From: Michael Guralnik <michaelgur@nvidia.com>
+
+[ Upstream commit 7ebb00cea49db641b458edef0ede389f7004821d ]
+
+Fix the cleanup of the temp cache entries that are dynamically created
+in the MR cache.
+
+The cleanup of the temp cache entries is currently scheduled only when a
+new entry is created. Since in the cleanup of the entries only the mkeys
+are destroyed and the cache entry stays in the cache, subsequent
+registrations might reuse the entry and it will eventually be filled with
+new mkeys without cleanup ever getting scheduled again.
+
+On workloads that register and deregister MRs with a wide range of
+properties we see the cache ends up holding many cache entries, each
+holding the max number of mkeys that were ever used through it.
+
+Additionally, as the cleanup work is scheduled to run over the whole
+cache, any mkey that is returned to the cache after the cleanup was
+scheduled will be held for less than the intended 30 seconds timeout.
+
+Solve both issues by dropping the existing remove_ent_work and reusing
+the existing per-entry work to also handle the temp entries cleanup.
+
+Schedule the work to run with a 30 seconds delay every time we push an
+mkey to a clean temp entry.
+This ensures the cleanup runs on each entry only 30 seconds after the
+first mkey was pushed to an empty entry.
+
+As we have already been distinguishing between persistent and temp entries
+when scheduling the cache_work_func, it is not being scheduled in any
+other flows for the temp entries.
+
+Another benefit from moving to a per-entry cleanup is we now not
+required to hold the rb_tree mutex, thus enabling other flow to run
+concurrently.
+
+Fixes: dd1b913fb0d0 ("RDMA/mlx5: Cache all user cacheable mkeys on dereg MR flow")
+Signed-off-by: Michael Guralnik <michaelgur@nvidia.com>
+Link: https://patch.msgid.link/e4fa4bb03bebf20dceae320f26816cd2dde23a26.1725362530.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/mlx5_ib.h | 2 +-
+ drivers/infiniband/hw/mlx5/mr.c | 82 +++++++++++-----------------
+ 2 files changed, 32 insertions(+), 52 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/mlx5_ib.h b/drivers/infiniband/hw/mlx5/mlx5_ib.h
+index d5eb1b726675d..85118b7cb63db 100644
+--- a/drivers/infiniband/hw/mlx5/mlx5_ib.h
++++ b/drivers/infiniband/hw/mlx5/mlx5_ib.h
+@@ -796,6 +796,7 @@ struct mlx5_cache_ent {
+ u8 is_tmp:1;
+ u8 disabled:1;
+ u8 fill_to_high_water:1;
++ u8 tmp_cleanup_scheduled:1;
+
+ /*
+ * - limit is the low water mark for stored mkeys, 2* limit is the
+@@ -827,7 +828,6 @@ struct mlx5_mkey_cache {
+ struct mutex rb_lock;
+ struct dentry *fs_root;
+ unsigned long last_add;
+- struct delayed_work remove_ent_dwork;
+ };
+
+ struct mlx5_ib_port_resources {
+diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c
+index 19f5e5957e180..e4db3a9569c14 100644
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -528,6 +528,21 @@ static void queue_adjust_cache_locked(struct mlx5_cache_ent *ent)
+ }
+ }
+
++static void clean_keys(struct mlx5_ib_dev *dev, struct mlx5_cache_ent *ent)
++{
++ u32 mkey;
++
++ spin_lock_irq(&ent->mkeys_queue.lock);
++ while (ent->mkeys_queue.ci) {
++ mkey = pop_mkey_locked(ent);
++ spin_unlock_irq(&ent->mkeys_queue.lock);
++ mlx5_core_destroy_mkey(dev->mdev, mkey);
++ spin_lock_irq(&ent->mkeys_queue.lock);
++ }
++ ent->tmp_cleanup_scheduled = false;
++ spin_unlock_irq(&ent->mkeys_queue.lock);
++}
++
+ static void __cache_work_func(struct mlx5_cache_ent *ent)
+ {
+ struct mlx5_ib_dev *dev = ent->dev;
+@@ -599,7 +614,11 @@ static void delayed_cache_work_func(struct work_struct *work)
+ struct mlx5_cache_ent *ent;
+
+ ent = container_of(work, struct mlx5_cache_ent, dwork.work);
+- __cache_work_func(ent);
++ /* temp entries are never filled, only cleaned */
++ if (ent->is_tmp)
++ clean_keys(ent->dev, ent);
++ else
++ __cache_work_func(ent);
+ }
+
+ static int cache_ent_key_cmp(struct mlx5r_cache_rb_key key1,
+@@ -775,20 +794,6 @@ struct mlx5_ib_mr *mlx5_mr_cache_alloc(struct mlx5_ib_dev *dev,
+ return _mlx5_mr_cache_alloc(dev, ent, access_flags);
+ }
+
+-static void clean_keys(struct mlx5_ib_dev *dev, struct mlx5_cache_ent *ent)
+-{
+- u32 mkey;
+-
+- spin_lock_irq(&ent->mkeys_queue.lock);
+- while (ent->mkeys_queue.ci) {
+- mkey = pop_mkey_locked(ent);
+- spin_unlock_irq(&ent->mkeys_queue.lock);
+- mlx5_core_destroy_mkey(dev->mdev, mkey);
+- spin_lock_irq(&ent->mkeys_queue.lock);
+- }
+- spin_unlock_irq(&ent->mkeys_queue.lock);
+-}
+-
+ static void mlx5_mkey_cache_debugfs_cleanup(struct mlx5_ib_dev *dev)
+ {
+ if (!mlx5_debugfs_root || dev->is_rep)
+@@ -901,10 +906,6 @@ mlx5r_cache_create_ent_locked(struct mlx5_ib_dev *dev,
+ ent->limit = 0;
+
+ mlx5_mkey_cache_debugfs_add_ent(dev, ent);
+- } else {
+- mod_delayed_work(ent->dev->cache.wq,
+- &ent->dev->cache.remove_ent_dwork,
+- msecs_to_jiffies(30 * 1000));
+ }
+
+ return ent;
+@@ -915,35 +916,6 @@ mlx5r_cache_create_ent_locked(struct mlx5_ib_dev *dev,
+ return ERR_PTR(ret);
+ }
+
+-static void remove_ent_work_func(struct work_struct *work)
+-{
+- struct mlx5_mkey_cache *cache;
+- struct mlx5_cache_ent *ent;
+- struct rb_node *cur;
+-
+- cache = container_of(work, struct mlx5_mkey_cache,
+- remove_ent_dwork.work);
+- mutex_lock(&cache->rb_lock);
+- cur = rb_last(&cache->rb_root);
+- while (cur) {
+- ent = rb_entry(cur, struct mlx5_cache_ent, node);
+- cur = rb_prev(cur);
+- mutex_unlock(&cache->rb_lock);
+-
+- spin_lock_irq(&ent->mkeys_queue.lock);
+- if (!ent->is_tmp) {
+- spin_unlock_irq(&ent->mkeys_queue.lock);
+- mutex_lock(&cache->rb_lock);
+- continue;
+- }
+- spin_unlock_irq(&ent->mkeys_queue.lock);
+-
+- clean_keys(ent->dev, ent);
+- mutex_lock(&cache->rb_lock);
+- }
+- mutex_unlock(&cache->rb_lock);
+-}
+-
+ int mlx5_mkey_cache_init(struct mlx5_ib_dev *dev)
+ {
+ struct mlx5_mkey_cache *cache = &dev->cache;
+@@ -959,7 +931,6 @@ int mlx5_mkey_cache_init(struct mlx5_ib_dev *dev)
+ mutex_init(&dev->slow_path_mutex);
+ mutex_init(&dev->cache.rb_lock);
+ dev->cache.rb_root = RB_ROOT;
+- INIT_DELAYED_WORK(&dev->cache.remove_ent_dwork, remove_ent_work_func);
+ cache->wq = alloc_ordered_workqueue("mkey_cache", WQ_MEM_RECLAIM);
+ if (!cache->wq) {
+ mlx5_ib_warn(dev, "failed to create work queue\n");
+@@ -1010,7 +981,6 @@ void mlx5_mkey_cache_cleanup(struct mlx5_ib_dev *dev)
+ return;
+
+ mutex_lock(&dev->cache.rb_lock);
+- cancel_delayed_work(&dev->cache.remove_ent_dwork);
+ for (node = rb_first(root); node; node = rb_next(node)) {
+ ent = rb_entry(node, struct mlx5_cache_ent, node);
+ spin_lock_irq(&ent->mkeys_queue.lock);
+@@ -1861,8 +1831,18 @@ static int mlx5_revoke_mr(struct mlx5_ib_mr *mr)
+ struct mlx5_ib_dev *dev = to_mdev(mr->ibmr.device);
+ struct mlx5_cache_ent *ent = mr->mmkey.cache_ent;
+
+- if (mr->mmkey.cacheable && !mlx5r_umr_revoke_mr(mr) && !cache_ent_find_and_store(dev, mr))
++ if (mr->mmkey.cacheable && !mlx5r_umr_revoke_mr(mr) && !cache_ent_find_and_store(dev, mr)) {
++ ent = mr->mmkey.cache_ent;
++ /* upon storing to a clean temp entry - schedule its cleanup */
++ spin_lock_irq(&ent->mkeys_queue.lock);
++ if (ent->is_tmp && !ent->tmp_cleanup_scheduled) {
++ mod_delayed_work(ent->dev->cache.wq, &ent->dwork,
++ msecs_to_jiffies(30 * 1000));
++ ent->tmp_cleanup_scheduled = true;
++ }
++ spin_unlock_irq(&ent->mkeys_queue.lock);
+ return 0;
++ }
+
+ if (ent) {
+ spin_lock_irq(&ent->mkeys_queue.lock);
+--
+2.43.0
+
--- /dev/null
+From a857377ec814b4ad5a8d40e5f513aa4ad0d9be37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 14:24:49 +0300
+Subject: RDMA/mlx5: Limit usage of over-sized mkeys from the MR cache
+
+From: Michael Guralnik <michaelgur@nvidia.com>
+
+[ Upstream commit ee6d57a2e13d11ce9050cfc3e3b69ef707a44a63 ]
+
+When searching the MR cache for suitable cache entries, don't use mkeys
+larger than twice the size required for the MR.
+This should ensure the usage of mkeys closer to the minimal required size
+and reduce memory waste.
+
+On driver init we create entries for mkeys with clear attributes and
+powers of 2 sizes from 4 to the max supported size.
+This solves the issue for anyone using mkeys that fit these
+requirements.
+
+In the use case where an MR is registered with different attributes,
+like an access flag we can't UMR, we'll create a new cache entry to store
+it upon dereg.
+Without this fix, any later registration with same attributes and smaller
+size will use the newly created cache entry and it's mkeys, disregarding
+the memory waste of using mkeys larger than required.
+
+For example, one worst-case scenario can be when registering and
+deregistering a 1GB mkey with ATS enabled which will cause the creation of
+a new cache entry to hold those type of mkeys. A user registering a 4k MR
+with ATS will end up using the new cache entry and an mkey that can
+support a 1GB MR, thus wasting x250k memory than actually needed in the HW.
+
+Additionally, allow all small registration to use the smallest size
+cache entry that is initialized on driver load even if size is larger
+than twice the required size.
+
+Fixes: 73d09b2fe833 ("RDMA/mlx5: Introduce mlx5r_cache_rb_key")
+Signed-off-by: Michael Guralnik <michaelgur@nvidia.com>
+Link: https://patch.msgid.link/8ba3a6e3748aace2026de8b83da03aba084f78f4.1725362530.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/mr.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c
+index f384fdcd0c740..ffe1b95ca6853 100644
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -48,6 +48,7 @@ enum {
+ MAX_PENDING_REG_MR = 8,
+ };
+
++#define MLX5_MR_CACHE_PERSISTENT_ENTRY_MIN_DESCS 4
+ #define MLX5_UMR_ALIGN 2048
+
+ static void
+@@ -659,6 +660,7 @@ mkey_cache_ent_from_rb_key(struct mlx5_ib_dev *dev,
+ {
+ struct rb_node *node = dev->cache.rb_root.rb_node;
+ struct mlx5_cache_ent *cur, *smallest = NULL;
++ u64 ndescs_limit;
+ int cmp;
+
+ /*
+@@ -677,10 +679,18 @@ mkey_cache_ent_from_rb_key(struct mlx5_ib_dev *dev,
+ return cur;
+ }
+
++ /*
++ * Limit the usage of mkeys larger than twice the required size while
++ * also allowing the usage of smallest cache entry for small MRs.
++ */
++ ndescs_limit = max_t(u64, rb_key.ndescs * 2,
++ MLX5_MR_CACHE_PERSISTENT_ENTRY_MIN_DESCS);
++
+ return (smallest &&
+ smallest->rb_key.access_mode == rb_key.access_mode &&
+ smallest->rb_key.access_flags == rb_key.access_flags &&
+- smallest->rb_key.ats == rb_key.ats) ?
++ smallest->rb_key.ats == rb_key.ats &&
++ smallest->rb_key.ndescs <= ndescs_limit) ?
+ smallest :
+ NULL;
+ }
+@@ -962,7 +972,7 @@ int mlx5_mkey_cache_init(struct mlx5_ib_dev *dev)
+ mlx5_mkey_cache_debugfs_init(dev);
+ mutex_lock(&cache->rb_lock);
+ for (i = 0; i <= mkey_cache_max_order(dev); i++) {
+- rb_key.ndescs = 1 << (i + 2);
++ rb_key.ndescs = MLX5_MR_CACHE_PERSISTENT_ENTRY_MIN_DESCS << i;
+ ent = mlx5r_cache_create_ent_locked(dev, rb_key, true);
+ if (IS_ERR(ent)) {
+ ret = PTR_ERR(ent);
+--
+2.43.0
+
--- /dev/null
+From feffbcba72c8889ef296d194f9ec409a2a901d38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 20:30:20 +0300
+Subject: RDMA/mlx5: Obtain upper net device only when needed
+
+From: Mark Bloch <mbloch@nvidia.com>
+
+[ Upstream commit 3ed7f9e239938a0cfaf3689e2f545229ecabec06 ]
+
+Report the upper device's state as the RDMA port state only in RoCE LAG or
+switchdev LAG.
+
+Fixes: 27f9e0ccb6da ("net/mlx5: Lag, Add single RDMA device in multiport mode")
+Signed-off-by: Mark Bloch <mbloch@nvidia.com>
+Signed-off-by: Michael Guralnik <michaelgur@nvidia.com>
+Link: https://patch.msgid.link/20240909173025.30422-3-michaelgur@nvidia.com
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
+index 6048b9ad13bb4..5926fd07a6021 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -550,7 +550,7 @@ static int mlx5_query_port_roce(struct ib_device *device, u32 port_num,
+ if (!ndev)
+ goto out;
+
+- if (dev->lag_active) {
++ if (mlx5_lag_is_roce(mdev) || mlx5_lag_is_sriov(mdev)) {
+ rcu_read_lock();
+ upper = netdev_master_upper_dev_get_rcu(ndev);
+ if (upper) {
+--
+2.43.0
+
--- /dev/null
+From 7471e185623c23f0d9aa1d19bc586493dd015afa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 13:22:12 +0200
+Subject: RDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds
+
+From: Md Haris Iqbal <haris.iqbal@ionos.com>
+
+[ Upstream commit 3e4289b29e216a55d08a89e126bc0b37cbad9f38 ]
+
+In the function init_conns(), after the create_con() and create_cm() for
+loop if something fails. In the cleanup for loop after the destroy tag, we
+access out of bound memory because cid is set to clt_path->s.con_num.
+
+This commits resets the cid to clt_path->s.con_num - 1, to stay in bounds
+in the cleanup loop later.
+
+Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality")
+Signed-off-by: Md Haris Iqbal <haris.iqbal@ionos.com>
+Signed-off-by: Jack Wang <jinpu.wang@ionos.com>
+Signed-off-by: Grzegorz Prajsner <grzegorz.prajsner@ionos.com>
+Link: https://patch.msgid.link/20240821112217.41827-7-haris.iqbal@ionos.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/rtrs/rtrs-clt.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+index 9936a3354b478..84d2dfcd20af6 100644
+--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c
++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+@@ -2347,6 +2347,12 @@ static int init_conns(struct rtrs_clt_path *clt_path)
+ if (err)
+ goto destroy;
+ }
++
++ /*
++ * Set the cid to con_num - 1, since if we fail later, we want to stay in bounds.
++ */
++ cid = clt_path->s.con_num - 1;
++
+ err = alloc_path_reqs(clt_path);
+ if (err)
+ goto destroy;
+--
+2.43.0
+
--- /dev/null
+From b3f72442a163a4bb019d60dd8a3d771b846e0f0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 13:22:10 +0200
+Subject: RDMA/rtrs: Reset hb_missed_cnt after receiving other traffic from
+ peer
+
+From: Jack Wang <jinpu.wang@ionos.com>
+
+[ Upstream commit 3258cbbd86deaa2675e1799bc3d18bd1ef472641 ]
+
+Reset hb_missed_cnt after receiving traffic from other peer, so
+hb is more robust again high load on host or network.
+
+Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality")
+Signed-off-by: Jack Wang <jinpu.wang@ionos.com>
+Signed-off-by: Md Haris Iqbal <haris.iqbal@ionos.com>
+Signed-off-by: Grzegorz Prajsner <grzegorz.prajsner@ionos.com>
+Link: https://patch.msgid.link/20240821112217.41827-5-haris.iqbal@ionos.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/rtrs/rtrs-clt.c | 3 ++-
+ drivers/infiniband/ulp/rtrs/rtrs-srv.c | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+index 88106cf5ce550..9936a3354b478 100644
+--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c
++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+@@ -626,6 +626,7 @@ static void rtrs_clt_rdma_done(struct ib_cq *cq, struct ib_wc *wc)
+ */
+ if (WARN_ON(wc->wr_cqe->done != rtrs_clt_rdma_done))
+ return;
++ clt_path->s.hb_missed_cnt = 0;
+ rtrs_from_imm(be32_to_cpu(wc->ex.imm_data),
+ &imm_type, &imm_payload);
+ if (imm_type == RTRS_IO_RSP_IMM ||
+@@ -643,7 +644,6 @@ static void rtrs_clt_rdma_done(struct ib_cq *cq, struct ib_wc *wc)
+ return rtrs_clt_recv_done(con, wc);
+ } else if (imm_type == RTRS_HB_ACK_IMM) {
+ WARN_ON(con->c.cid);
+- clt_path->s.hb_missed_cnt = 0;
+ clt_path->s.hb_cur_latency =
+ ktime_sub(ktime_get(), clt_path->s.hb_last_sent);
+ if (clt_path->flags & RTRS_MSG_NEW_RKEY_F)
+@@ -670,6 +670,7 @@ static void rtrs_clt_rdma_done(struct ib_cq *cq, struct ib_wc *wc)
+ /*
+ * Key invalidations from server side
+ */
++ clt_path->s.hb_missed_cnt = 0;
+ WARN_ON(!(wc->wc_flags & IB_WC_WITH_INVALIDATE ||
+ wc->wc_flags & IB_WC_WITH_IMM));
+ WARN_ON(wc->wr_cqe->done != rtrs_clt_rdma_done);
+diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv.c b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
+index 1d33efb8fb03b..94ac99a4f696e 100644
+--- a/drivers/infiniband/ulp/rtrs/rtrs-srv.c
++++ b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
+@@ -1229,6 +1229,7 @@ static void rtrs_srv_rdma_done(struct ib_cq *cq, struct ib_wc *wc)
+ */
+ if (WARN_ON(wc->wr_cqe != &io_comp_cqe))
+ return;
++ srv_path->s.hb_missed_cnt = 0;
+ err = rtrs_post_recv_empty(&con->c, &io_comp_cqe);
+ if (err) {
+ rtrs_err(s, "rtrs_post_recv(), err: %d\n", err);
+--
+2.43.0
+
--- /dev/null
+From 9493db4c968c2b3a99f226f8a13913e6d3c772f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2024 15:20:45 +0800
+Subject: regulator: Return actual error in of_regulator_bulk_get_all()
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit 395a41a1d3e377462f3eea8a205ee72be8885ff6 ]
+
+If regulator_get() in of_regulator_bulk_get_all() returns an error, that
+error gets overridden and -EINVAL is always passed out. This masks probe
+deferral requests and likely won't work properly in all cases.
+
+Fix this by letting of_regulator_bulk_get_all() return the original
+error code.
+
+Fixes: 27b9ecc7a9ba ("regulator: Add of_regulator_bulk_get_all")
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Link: https://patch.msgid.link/20240822072047.3097740-3-wenst@chromium.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/of_regulator.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/of_regulator.c b/drivers/regulator/of_regulator.c
+index 03afc160fc72c..86b680adbf01c 100644
+--- a/drivers/regulator/of_regulator.c
++++ b/drivers/regulator/of_regulator.c
+@@ -777,7 +777,7 @@ int of_regulator_bulk_get_all(struct device *dev, struct device_node *np,
+ name[i] = '\0';
+ tmp = regulator_get(dev, name);
+ if (IS_ERR(tmp)) {
+- ret = -EINVAL;
++ ret = PTR_ERR(tmp);
+ goto error;
+ }
+ (*consumers)[n].consumer = tmp;
+--
+2.43.0
+
--- /dev/null
+From 66eaa610302c3192295788ae3a961bba083fe903 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jul 2024 16:36:11 +0800
+Subject: remoteproc: imx_rproc: Correct ddr alias for i.MX8M
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit c901f817792822eda9cec23814a4621fa3e66695 ]
+
+The DDR Alias address should be 0x40000000 according to RM, so correct
+it.
+
+Fixes: 4ab8f9607aad ("remoteproc: imx_rproc: support i.MX8MQ/M")
+Reported-by: Terry Lv <terry.lv@nxp.com>
+Reviewed-by: Iuliana Prodan <iuliana.prodan@nxp.com>
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com>
+Link: https://lore.kernel.org/r/20240719-imx_rproc-v2-1-10d0268c7eb1@nxp.com
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/imx_rproc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c
+index 144c8e9a642e8..3c8b64db8823c 100644
+--- a/drivers/remoteproc/imx_rproc.c
++++ b/drivers/remoteproc/imx_rproc.c
+@@ -210,7 +210,7 @@ static const struct imx_rproc_att imx_rproc_att_imx8mq[] = {
+ /* QSPI Code - alias */
+ { 0x08000000, 0x08000000, 0x08000000, 0 },
+ /* DDR (Code) - alias */
+- { 0x10000000, 0x80000000, 0x0FFE0000, 0 },
++ { 0x10000000, 0x40000000, 0x0FFE0000, 0 },
+ /* TCML */
+ { 0x1FFE0000, 0x007E0000, 0x00020000, ATT_OWN | ATT_IOMEM},
+ /* TCMU */
+--
+2.43.0
+
--- /dev/null
+From 4e52ed790d746be4fb2a67b25e7dc626cfc29d62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jul 2024 16:36:13 +0800
+Subject: remoteproc: imx_rproc: Initialize workqueue earlier
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit 858e57c1d3dd7b92cc0fa692ba130a0a5d57e49d ]
+
+Initialize workqueue before requesting mailbox channel, otherwise if
+mailbox interrupt comes before workqueue ready, the imx_rproc_rx_callback
+will trigger issue.
+
+Fixes: 2df7062002d0 ("remoteproc: imx_proc: enable virtio/mailbox")
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com>
+Link: https://lore.kernel.org/r/20240719-imx_rproc-v2-3-10d0268c7eb1@nxp.com
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/imx_rproc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c
+index 3c8b64db8823c..448b9a5438e0b 100644
+--- a/drivers/remoteproc/imx_rproc.c
++++ b/drivers/remoteproc/imx_rproc.c
+@@ -1076,6 +1076,8 @@ static int imx_rproc_probe(struct platform_device *pdev)
+ return -ENOMEM;
+ }
+
++ INIT_WORK(&priv->rproc_work, imx_rproc_vq_work);
++
+ ret = imx_rproc_xtr_mbox_init(rproc);
+ if (ret)
+ goto err_put_wkq;
+@@ -1094,8 +1096,6 @@ static int imx_rproc_probe(struct platform_device *pdev)
+ if (ret)
+ goto err_put_scu;
+
+- INIT_WORK(&priv->rproc_work, imx_rproc_vq_work);
+-
+ if (rproc->state != RPROC_DETACHED)
+ rproc->auto_boot = of_property_read_bool(np, "fsl,auto-boot");
+
+--
+2.43.0
+
--- /dev/null
+From 9222b7566d810fa32cdb201e8aef97b51eaba91e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Aug 2024 16:14:24 +0200
+Subject: reset: berlin: fix OF node leak in probe() error path
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 5f58a88cc91075be38cec69b7cb70aaa4ba69e8b ]
+
+Driver is leaking OF node reference on memory allocation failure.
+Acquire the OF node reference after memory allocation to fix this and
+keep it simple.
+
+Fixes: aed6f3cadc86 ("reset: berlin: convert to a platform driver")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Link: https://lore.kernel.org/r/20240825-reset-cleanup-scoped-v1-1-03f6d834f8c0@linaro.org
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/reset/reset-berlin.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/reset/reset-berlin.c b/drivers/reset/reset-berlin.c
+index 2537ec05eceef..578fe867080ce 100644
+--- a/drivers/reset/reset-berlin.c
++++ b/drivers/reset/reset-berlin.c
+@@ -68,13 +68,14 @@ static int berlin_reset_xlate(struct reset_controller_dev *rcdev,
+
+ static int berlin2_reset_probe(struct platform_device *pdev)
+ {
+- struct device_node *parent_np = of_get_parent(pdev->dev.of_node);
++ struct device_node *parent_np;
+ struct berlin_reset_priv *priv;
+
+ priv = devm_kzalloc(&pdev->dev, sizeof(*priv), GFP_KERNEL);
+ if (!priv)
+ return -ENOMEM;
+
++ parent_np = of_get_parent(pdev->dev.of_node);
+ priv->regmap = syscon_node_to_regmap(parent_np);
+ of_node_put(parent_np);
+ if (IS_ERR(priv->regmap))
+--
+2.43.0
+
--- /dev/null
+From 82d4c417df9e8f9252bc5c1a4cabc73712df70ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Aug 2024 16:14:25 +0200
+Subject: reset: k210: fix OF node leak in probe() error path
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit b14e40f5dc7cd0dd7e958010e6ca9ad32ff2ddad ]
+
+Driver is leaking OF node reference on memory allocation failure.
+Acquire the OF node reference after memory allocation to fix this and
+keep it simple.
+
+Fixes: 5a2308da9f60 ("riscv: Add Canaan Kendryte K210 reset controller")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Link: https://lore.kernel.org/r/20240825-reset-cleanup-scoped-v1-2-03f6d834f8c0@linaro.org
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/reset/reset-k210.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/reset/reset-k210.c b/drivers/reset/reset-k210.c
+index b62a2fd44e4e4..e77e4cca377dc 100644
+--- a/drivers/reset/reset-k210.c
++++ b/drivers/reset/reset-k210.c
+@@ -90,7 +90,7 @@ static const struct reset_control_ops k210_rst_ops = {
+ static int k210_rst_probe(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+- struct device_node *parent_np = of_get_parent(dev->of_node);
++ struct device_node *parent_np;
+ struct k210_rst *ksr;
+
+ dev_info(dev, "K210 reset controller\n");
+@@ -99,6 +99,7 @@ static int k210_rst_probe(struct platform_device *pdev)
+ if (!ksr)
+ return -ENOMEM;
+
++ parent_np = of_get_parent(dev->of_node);
+ ksr->map = syscon_node_to_regmap(parent_np);
+ of_node_put(parent_np);
+ if (IS_ERR(ksr->map))
+--
+2.43.0
+
--- /dev/null
+From 04f0f65f25ab01a5566061ffd8f8d88d852981e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 15:05:18 +0200
+Subject: Revert "dm: requeue IO if mapping table not yet available"
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+[ Upstream commit c8691cd0fc11197515ed148de0780d927bfca38b ]
+
+This reverts commit fa247089de9936a46e290d4724cb5f0b845600f5.
+
+The following sequence of commands causes a livelock - there will be
+workqueue process looping and consuming 100% CPU:
+
+dmsetup create --notable test
+truncate -s 1MiB testdata
+losetup /dev/loop0 testdata
+dmsetup load test --table '0 2048 linear /dev/loop0 0'
+dd if=/dev/zero of=/dev/dm-0 bs=16k count=1 conv=fdatasync
+
+The livelock is caused by the commit fa247089de99. The commit claims that
+it fixes a race condition, however, it is unknown what the actual race
+condition is and what program is involved in the race condition.
+
+When the inactive table is loaded, the nodes /dev/dm-0 and
+/sys/block/dm-0 are created. /dev/dm-0 has zero size at this point. When
+the device is suspended and resumed, the nodes /dev/mapper/test and
+/dev/disk/* are created.
+
+If some program opens a block device before it is created by dmsetup or
+lvm, the program is buggy, so dm could just report an error as it used to
+do before.
+
+Reported-by: Zdenek Kabelac <zkabelac@redhat.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Fixes: fa247089de99 ("dm: requeue IO if mapping table not yet available")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-rq.c | 4 +++-
+ drivers/md/dm.c | 11 ++++++++---
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/md/dm-rq.c b/drivers/md/dm-rq.c
+index f7e9a3632eb3d..499f8cc8a39fb 100644
+--- a/drivers/md/dm-rq.c
++++ b/drivers/md/dm-rq.c
+@@ -496,8 +496,10 @@ static blk_status_t dm_mq_queue_rq(struct blk_mq_hw_ctx *hctx,
+
+ map = dm_get_live_table(md, &srcu_idx);
+ if (unlikely(!map)) {
++ DMERR_LIMIT("%s: mapping table unavailable, erroring io",
++ dm_device_name(md));
+ dm_put_live_table(md, srcu_idx);
+- return BLK_STS_RESOURCE;
++ return BLK_STS_IOERR;
+ }
+ ti = dm_table_find_target(map, 0);
+ dm_put_live_table(md, srcu_idx);
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index 87bb903034358..ff4a6b570b764 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -2030,10 +2030,15 @@ static void dm_submit_bio(struct bio *bio)
+ struct dm_table *map;
+
+ map = dm_get_live_table(md, &srcu_idx);
++ if (unlikely(!map)) {
++ DMERR_LIMIT("%s: mapping table unavailable, erroring io",
++ dm_device_name(md));
++ bio_io_error(bio);
++ goto out;
++ }
+
+- /* If suspended, or map not yet available, queue this IO for later */
+- if (unlikely(test_bit(DMF_BLOCK_IO_FOR_SUSPEND, &md->flags)) ||
+- unlikely(!map)) {
++ /* If suspended, queue this IO for later */
++ if (unlikely(test_bit(DMF_BLOCK_IO_FOR_SUSPEND, &md->flags))) {
+ if (bio->bi_opf & REQ_NOWAIT)
+ bio_wouldblock_error(bio);
+ else if (bio->bi_opf & REQ_RAHEAD)
+--
+2.43.0
+
--- /dev/null
+From a3c38ac880ecc40bca2197b5810d352ae4bf99e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 00:08:08 -0700
+Subject: RISC-V: KVM: Allow legacy PMU access from guest
+
+From: Atish Patra <atishp@rivosinc.com>
+
+[ Upstream commit 7d1ffc8b087e97dbe1985912c7a2d00e53cea169 ]
+
+Currently, KVM traps & emulates PMU counter access only if SBI PMU
+is available as the guest can only configure/read PMU counters via
+SBI only. However, if SBI PMU is not enabled in the host, the
+guest will fallback to the legacy PMU which will try to access
+cycle/instret and result in an illegal instruction trap which
+is not desired.
+
+KVM can allow dummy emulation of cycle/instret only for the guest
+if SBI PMU is not enabled in the host. The dummy emulation will
+still return zero as we don't to expose the host counter values
+from a guest using legacy PMU.
+
+Fixes: a9ac6c37521f ("RISC-V: KVM: Implement trap & emulate for hpmcounters")
+Signed-off-by: Atish Patra <atishp@rivosinc.com>
+Link: https://lore.kernel.org/r/20240816-kvm_pmu_fixes-v1-1-cdfce386dd93@rivosinc.com
+Signed-off-by: Anup Patel <anup@brainfault.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/asm/kvm_vcpu_pmu.h | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/arch/riscv/include/asm/kvm_vcpu_pmu.h b/arch/riscv/include/asm/kvm_vcpu_pmu.h
+index fa0f535bbbf02..c309daa2d75a8 100644
+--- a/arch/riscv/include/asm/kvm_vcpu_pmu.h
++++ b/arch/riscv/include/asm/kvm_vcpu_pmu.h
+@@ -10,6 +10,7 @@
+ #define __KVM_VCPU_RISCV_PMU_H
+
+ #include <linux/perf/riscv_pmu.h>
++#include <asm/kvm_vcpu_insn.h>
+ #include <asm/sbi.h>
+
+ #ifdef CONFIG_RISCV_PMU_SBI
+@@ -104,8 +105,20 @@ void kvm_riscv_vcpu_pmu_reset(struct kvm_vcpu *vcpu);
+ struct kvm_pmu {
+ };
+
++static inline int kvm_riscv_vcpu_pmu_read_legacy(struct kvm_vcpu *vcpu, unsigned int csr_num,
++ unsigned long *val, unsigned long new_val,
++ unsigned long wr_mask)
++{
++ if (csr_num == CSR_CYCLE || csr_num == CSR_INSTRET) {
++ *val = 0;
++ return KVM_INSN_CONTINUE_NEXT_SEPC;
++ } else {
++ return KVM_INSN_ILLEGAL_TRAP;
++ }
++}
++
+ #define KVM_RISCV_VCPU_HPMCOUNTER_CSR_FUNCS \
+-{.base = 0, .count = 0, .func = NULL },
++{.base = CSR_CYCLE, .count = 3, .func = kvm_riscv_vcpu_pmu_read_legacy },
+
+ static inline void kvm_riscv_vcpu_pmu_init(struct kvm_vcpu *vcpu) {}
+ static inline int kvm_riscv_vcpu_pmu_incr_fw(struct kvm_vcpu *vcpu, unsigned long fid)
+--
+2.43.0
+
--- /dev/null
+From cbe3bc6bd856d6f2a17600306562b2ad0486e420 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Aug 2024 22:39:07 +0530
+Subject: RISC-V: KVM: Don't zero-out PMU snapshot area before freeing data
+
+From: Anup Patel <apatel@ventanamicro.com>
+
+[ Upstream commit 47d40d93292d9cff8dabb735bed83d930fa03950 ]
+
+With the latest Linux-6.11-rc3, the below NULL pointer crash is observed
+when SBI PMU snapshot is enabled for the guest and the guest is forcefully
+powered-off.
+
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000508
+ Oops [#1]
+ Modules linked in: kvm
+ CPU: 0 UID: 0 PID: 61 Comm: term-poll Not tainted 6.11.0-rc3-00018-g44d7178dd77a #3
+ Hardware name: riscv-virtio,qemu (DT)
+ epc : __kvm_write_guest_page+0x94/0xa6 [kvm]
+ ra : __kvm_write_guest_page+0x54/0xa6 [kvm]
+ epc : ffffffff01590e98 ra : ffffffff01590e58 sp : ffff8f80001f39b0
+ gp : ffffffff81512a60 tp : ffffaf80024872c0 t0 : ffffaf800247e000
+ t1 : 00000000000007e0 t2 : 0000000000000000 s0 : ffff8f80001f39f0
+ s1 : 00007fff89ac4000 a0 : ffffffff015dd7e8 a1 : 0000000000000086
+ a2 : 0000000000000000 a3 : ffffaf8000000000 a4 : ffffaf80024882c0
+ a5 : 0000000000000000 a6 : ffffaf800328d780 a7 : 00000000000001cc
+ s2 : ffffaf800197bd00 s3 : 00000000000828c4 s4 : ffffaf800248c000
+ s5 : ffffaf800247d000 s6 : 0000000000001000 s7 : 0000000000001000
+ s8 : 0000000000000000 s9 : 00007fff861fd500 s10: 0000000000000001
+ s11: 0000000000800000 t3 : 00000000000004d3 t4 : 00000000000004d3
+ t5 : ffffffff814126e0 t6 : ffffffff81412700
+ status: 0000000200000120 badaddr: 0000000000000508 cause: 000000000000000d
+ [<ffffffff01590e98>] __kvm_write_guest_page+0x94/0xa6 [kvm]
+ [<ffffffff015943a6>] kvm_vcpu_write_guest+0x56/0x90 [kvm]
+ [<ffffffff015a175c>] kvm_pmu_clear_snapshot_area+0x42/0x7e [kvm]
+ [<ffffffff015a1972>] kvm_riscv_vcpu_pmu_deinit.part.0+0xe0/0x14e [kvm]
+ [<ffffffff015a2ad0>] kvm_riscv_vcpu_pmu_deinit+0x1a/0x24 [kvm]
+ [<ffffffff0159b344>] kvm_arch_vcpu_destroy+0x28/0x4c [kvm]
+ [<ffffffff0158e420>] kvm_destroy_vcpus+0x5a/0xda [kvm]
+ [<ffffffff0159930c>] kvm_arch_destroy_vm+0x14/0x28 [kvm]
+ [<ffffffff01593260>] kvm_destroy_vm+0x168/0x2a0 [kvm]
+ [<ffffffff015933d4>] kvm_put_kvm+0x3c/0x58 [kvm]
+ [<ffffffff01593412>] kvm_vm_release+0x22/0x2e [kvm]
+
+Clearly, the kvm_vcpu_write_guest() function is crashing because it is
+being called from kvm_pmu_clear_snapshot_area() upon guest tear down.
+
+To address the above issue, simplify the kvm_pmu_clear_snapshot_area() to
+not zero-out PMU snapshot area from kvm_pmu_clear_snapshot_area() because
+the guest is anyway being tore down.
+
+The kvm_pmu_clear_snapshot_area() is also called when guest changes
+PMU snapshot area of a VCPU but even in this case the previous PMU
+snaphsot area must not be zeroed-out because the guest might have
+reclaimed the pervious PMU snapshot area for some other purpose.
+
+Fixes: c2f41ddbcdd7 ("RISC-V: KVM: Implement SBI PMU Snapshot feature")
+Signed-off-by: Anup Patel <apatel@ventanamicro.com>
+Link: https://lore.kernel.org/r/20240815170907.2792229-1-apatel@ventanamicro.com
+Signed-off-by: Anup Patel <anup@brainfault.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kvm/vcpu_pmu.c | 14 ++------------
+ 1 file changed, 2 insertions(+), 12 deletions(-)
+
+diff --git a/arch/riscv/kvm/vcpu_pmu.c b/arch/riscv/kvm/vcpu_pmu.c
+index bcf41d6e0df0e..2707a51b082ca 100644
+--- a/arch/riscv/kvm/vcpu_pmu.c
++++ b/arch/riscv/kvm/vcpu_pmu.c
+@@ -391,19 +391,9 @@ int kvm_riscv_vcpu_pmu_read_hpm(struct kvm_vcpu *vcpu, unsigned int csr_num,
+ static void kvm_pmu_clear_snapshot_area(struct kvm_vcpu *vcpu)
+ {
+ struct kvm_pmu *kvpmu = vcpu_to_pmu(vcpu);
+- int snapshot_area_size = sizeof(struct riscv_pmu_snapshot_data);
+
+- if (kvpmu->sdata) {
+- if (kvpmu->snapshot_addr != INVALID_GPA) {
+- memset(kvpmu->sdata, 0, snapshot_area_size);
+- kvm_vcpu_write_guest(vcpu, kvpmu->snapshot_addr,
+- kvpmu->sdata, snapshot_area_size);
+- } else {
+- pr_warn("snapshot address invalid\n");
+- }
+- kfree(kvpmu->sdata);
+- kvpmu->sdata = NULL;
+- }
++ kfree(kvpmu->sdata);
++ kvpmu->sdata = NULL;
+ kvpmu->snapshot_addr = INVALID_GPA;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 80332834aaa8915d1d7822c0c24b42ae88ae7136 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 17:49:44 +0200
+Subject: RISC-V: KVM: Fix sbiret init before forwarding to userspace
+
+From: Andrew Jones <ajones@ventanamicro.com>
+
+[ Upstream commit 6b7b282e6baea06ba65b55ae7d38326ceb79cebf ]
+
+When forwarding SBI calls to userspace ensure sbiret.error is
+initialized to SBI_ERR_NOT_SUPPORTED first, in case userspace
+neglects to set it to anything. If userspace neglects it then we
+can't be sure it did anything else either, so we just report it
+didn't do or try anything. Just init sbiret.value to zero, which is
+the preferred value to return when nothing special is specified.
+
+KVM was already initializing both sbiret.error and sbiret.value, but
+the values used appear to come from a copy+paste of the __sbi_ecall()
+implementation, i.e. a0 and a1, which don't apply prior to the call
+being executed, nor at all when forwarding to userspace.
+
+Fixes: dea8ee31a039 ("RISC-V: KVM: Add SBI v0.1 support")
+Signed-off-by: Andrew Jones <ajones@ventanamicro.com>
+Link: https://lore.kernel.org/r/20240807154943.150540-2-ajones@ventanamicro.com
+Signed-off-by: Anup Patel <anup@brainfault.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kvm/vcpu_sbi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/riscv/kvm/vcpu_sbi.c b/arch/riscv/kvm/vcpu_sbi.c
+index 62f409d4176e4..7de128be8db9b 100644
+--- a/arch/riscv/kvm/vcpu_sbi.c
++++ b/arch/riscv/kvm/vcpu_sbi.c
+@@ -127,8 +127,8 @@ void kvm_riscv_vcpu_sbi_forward(struct kvm_vcpu *vcpu, struct kvm_run *run)
+ run->riscv_sbi.args[3] = cp->a3;
+ run->riscv_sbi.args[4] = cp->a4;
+ run->riscv_sbi.args[5] = cp->a5;
+- run->riscv_sbi.ret[0] = cp->a0;
+- run->riscv_sbi.ret[1] = cp->a1;
++ run->riscv_sbi.ret[0] = SBI_ERR_NOT_SUPPORTED;
++ run->riscv_sbi.ret[1] = 0;
+ }
+
+ void kvm_riscv_vcpu_sbi_system_reset(struct kvm_vcpu *vcpu,
+--
+2.43.0
+
--- /dev/null
+From d6029b0e67c9cfa3abb76d11c218069c248d4b04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 00:08:09 -0700
+Subject: RISC-V: KVM: Fix to allow hpmcounter31 from the guest
+
+From: Atish Patra <atishp@rivosinc.com>
+
+[ Upstream commit 5aa09297a3dcc798d038bd7436f8c90f664045a6 ]
+
+The csr_fun defines a count parameter which defines the total number
+CSRs emulated in KVM starting from the base. This value should be
+equal to total number of counters possible for trap/emulation (32).
+
+Fixes: a9ac6c37521f ("RISC-V: KVM: Implement trap & emulate for hpmcounters")
+Signed-off-by: Atish Patra <atishp@rivosinc.com>
+Link: https://lore.kernel.org/r/20240816-kvm_pmu_fixes-v1-2-cdfce386dd93@rivosinc.com
+Signed-off-by: Anup Patel <anup@brainfault.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/asm/kvm_vcpu_pmu.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/riscv/include/asm/kvm_vcpu_pmu.h b/arch/riscv/include/asm/kvm_vcpu_pmu.h
+index c309daa2d75a8..1d85b66175088 100644
+--- a/arch/riscv/include/asm/kvm_vcpu_pmu.h
++++ b/arch/riscv/include/asm/kvm_vcpu_pmu.h
+@@ -65,11 +65,11 @@ struct kvm_pmu {
+
+ #if defined(CONFIG_32BIT)
+ #define KVM_RISCV_VCPU_HPMCOUNTER_CSR_FUNCS \
+-{.base = CSR_CYCLEH, .count = 31, .func = kvm_riscv_vcpu_pmu_read_hpm }, \
+-{.base = CSR_CYCLE, .count = 31, .func = kvm_riscv_vcpu_pmu_read_hpm },
++{.base = CSR_CYCLEH, .count = 32, .func = kvm_riscv_vcpu_pmu_read_hpm }, \
++{.base = CSR_CYCLE, .count = 32, .func = kvm_riscv_vcpu_pmu_read_hpm },
+ #else
+ #define KVM_RISCV_VCPU_HPMCOUNTER_CSR_FUNCS \
+-{.base = CSR_CYCLE, .count = 31, .func = kvm_riscv_vcpu_pmu_read_hpm },
++{.base = CSR_CYCLE, .count = 32, .func = kvm_riscv_vcpu_pmu_read_hpm },
+ #endif
+
+ int kvm_riscv_vcpu_pmu_incr_fw(struct kvm_vcpu *vcpu, unsigned long fid);
+--
+2.43.0
+
--- /dev/null
+From 48e76a0bedf2f81b116a6ae84c82d976e0c3cd85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jul 2024 11:28:46 +0800
+Subject: riscv: Fix fp alignment bug in perf_callchain_user()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 22ab08955ea13be04a8efd20cc30890e0afaa49c ]
+
+The standard RISC-V calling convention said:
+ "The stack grows downward and the stack pointer is always
+ kept 16-byte aligned".
+
+So perf_callchain_user() should check whether 16-byte aligned for fp.
+
+Link: https://riscv.org/wp-content/uploads/2015/01/riscv-calling.pdf
+
+Fixes: dbeb90b0c1eb ("riscv: Add perf callchain support")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Cc: Björn Töpel <bjorn@kernel.org>
+Link: https://lore.kernel.org/r/20240708032847.2998158-2-ruanjinjie@huawei.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/perf_callchain.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/kernel/perf_callchain.c b/arch/riscv/kernel/perf_callchain.c
+index 3348a61de7d99..2932791e93882 100644
+--- a/arch/riscv/kernel/perf_callchain.c
++++ b/arch/riscv/kernel/perf_callchain.c
+@@ -62,7 +62,7 @@ void perf_callchain_user(struct perf_callchain_entry_ctx *entry,
+ perf_callchain_store(entry, regs->epc);
+
+ fp = user_backtrace(entry, fp, regs->ra);
+- while (fp && !(fp & 0x3) && entry->nr < entry->max_stack)
++ while (fp && !(fp & 0x7) && entry->nr < entry->max_stack)
+ fp = user_backtrace(entry, fp, 0);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 1424212e1a0c2d31e7f2032a0f39cd9576ff095e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Aug 2024 14:25:08 +0200
+Subject: s390/ap: Fix deadlock caused by recursive lock of the AP bus scan
+ mutex
+
+From: Harald Freudenberger <freude@linux.ibm.com>
+
+[ Upstream commit 56199bb956c3ea82e39c72d2972ebf8c18c6a8c0 ]
+
+There is a possibility to deadlock with an recursive
+lock of the AP bus scan mutex ap_scan_bus_mutex:
+
+ ... kernel: ============================================
+ ... kernel: WARNING: possible recursive locking detected
+ ... kernel: 5.14.0-496.el9.s390x #3 Not tainted
+ ... kernel: --------------------------------------------
+ ... kernel: kworker/12:1/130 is trying to acquire lock:
+ ... kernel: 0000000358bc1510 (ap_scan_bus_mutex){+.+.}-{3:3}, at: ap_bus_force_rescan+0x92/0x108
+ ... kernel:
+ but task is already holding lock:
+ ... kernel: 0000000358bc1510 (ap_scan_bus_mutex){+.+.}-{3:3}, at: ap_scan_bus_wq_callback+0x28/0x60
+ ... kernel:
+ other info that might help us debug this:
+ ... kernel: Possible unsafe locking scenario:
+ ... kernel: CPU0
+ ... kernel: ----
+ ... kernel: lock(ap_scan_bus_mutex);
+ ... kernel: lock(ap_scan_bus_mutex);
+ ... kernel:
+ *** DEADLOCK ***
+
+Here is how the callstack looks like:
+
+ ... [<00000003576fe9ce>] process_one_work+0x2a6/0x748
+ ... [<0000000358150c00>] ap_scan_bus_wq_callback+0x40/0x60 <- mutex locked
+ ... [<00000003581506e2>] ap_scan_bus+0x5a/0x3b0
+ ... [<000000035815037c>] ap_scan_adapter+0x5b4/0x8c0
+ ... [<000000035814fa34>] ap_scan_domains+0x2d4/0x668
+ ... [<0000000357d989b4>] device_add+0x4a4/0x6b8
+ ... [<0000000357d9bb54>] bus_probe_device+0xb4/0xc8
+ ... [<0000000357d9daa8>] __device_attach+0x120/0x1b0
+ ... [<0000000357d9a632>] bus_for_each_drv+0x8a/0xd0
+ ... [<0000000357d9d548>] __device_attach_driver+0xc0/0x140
+ ... [<0000000357d9d3d8>] driver_probe_device+0x40/0xf0
+ ... [<0000000357d9cec2>] really_probe+0xd2/0x460
+ ... [<000000035814d7b0>] ap_device_probe+0x150/0x208
+ ... [<000003ff802a5c46>] zcrypt_cex4_queue_probe+0xb6/0x1c0 [zcrypt_cex4]
+ ... [<000003ff7fb2d36e>] zcrypt_queue_register+0xe6/0x1b0 [zcrypt]
+ ... [<000003ff7fb2c8ac>] zcrypt_rng_device_add+0x94/0xd8 [zcrypt]
+ ... [<0000000357d7bc52>] hwrng_register+0x212/0x228
+ ... [<0000000357d7b8c2>] add_early_randomness+0x102/0x110
+ ... [<000003ff7fb29c94>] zcrypt_rng_data_read+0x94/0xb8 [zcrypt]
+ ... [<0000000358150aca>] ap_bus_force_rescan+0x92/0x108
+ ... [<0000000358177572>] mutex_lock_interruptible_nested+0x32/0x40 <- lock again
+
+Note this only happens when the very first random data providing
+crypto card appears via hot plug in the system AND is in disabled
+state ("deconfig"). Then the initial pull of random data fails and
+a re-scan of the AP bus is triggered while already in the middle
+of an AP bus scan caused by the appearing new hardware.
+
+The fix is relatively simple once the scenario us understood:
+The AP bus force rescan function will immediately return if there
+is currently an AP bus scan running with the very same thread id.
+
+Fixes: eacf5b3651c5 ("s390/ap: introduce mutex to lock the AP bus scan")
+Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/crypto/ap_bus.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/drivers/s390/crypto/ap_bus.c b/drivers/s390/crypto/ap_bus.c
+index f9f682f194154..3ba4e1c5e15df 100644
+--- a/drivers/s390/crypto/ap_bus.c
++++ b/drivers/s390/crypto/ap_bus.c
+@@ -107,6 +107,7 @@ debug_info_t *ap_dbf_info;
+ static bool ap_scan_bus(void);
+ static bool ap_scan_bus_result; /* result of last ap_scan_bus() */
+ static DEFINE_MUTEX(ap_scan_bus_mutex); /* mutex ap_scan_bus() invocations */
++static struct task_struct *ap_scan_bus_task; /* thread holding the scan mutex */
+ static atomic64_t ap_scan_bus_count; /* counter ap_scan_bus() invocations */
+ static int ap_scan_bus_time = AP_CONFIG_TIME;
+ static struct timer_list ap_scan_bus_timer;
+@@ -1006,11 +1007,25 @@ bool ap_bus_force_rescan(void)
+ if (scan_counter <= 0)
+ goto out;
+
++ /*
++ * There is one unlikely but nevertheless valid scenario where the
++ * thread holding the mutex may try to send some crypto load but
++ * all cards are offline so a rescan is triggered which causes
++ * a recursive call of ap_bus_force_rescan(). A simple return if
++ * the mutex is already locked by this thread solves this.
++ */
++ if (mutex_is_locked(&ap_scan_bus_mutex)) {
++ if (ap_scan_bus_task == current)
++ goto out;
++ }
++
+ /* Try to acquire the AP scan bus mutex */
+ if (mutex_trylock(&ap_scan_bus_mutex)) {
+ /* mutex acquired, run the AP bus scan */
++ ap_scan_bus_task = current;
+ ap_scan_bus_result = ap_scan_bus();
+ rc = ap_scan_bus_result;
++ ap_scan_bus_task = NULL;
+ mutex_unlock(&ap_scan_bus_mutex);
+ goto out;
+ }
+@@ -2284,7 +2299,9 @@ static void ap_scan_bus_wq_callback(struct work_struct *unused)
+ * system_long_wq which invokes this function here again.
+ */
+ if (mutex_trylock(&ap_scan_bus_mutex)) {
++ ap_scan_bus_task = current;
+ ap_scan_bus_result = ap_scan_bus();
++ ap_scan_bus_task = NULL;
+ mutex_unlock(&ap_scan_bus_mutex);
+ }
+ }
+--
+2.43.0
+
--- /dev/null
+From 7c78a10eadeff49df224a1975132cbc74aa3965e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jul 2024 15:26:00 +0200
+Subject: s390/entry: Make early program check handler relocated lowcore aware
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit f101b305a7b9513a8042a2cf09018de4ff371af2 ]
+
+Add the missing pieces so the early program check handler also works
+with a relocated lowcore. Right now the result of an early program
+check in case of a relocated lowcore would be a program check loop.
+
+Fixes: 8f1e70adb1a3 ("s390/boot: Add cmdline option to relocate lowcore")
+Reviewed-by: Sven Schnelle <svens@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/early.c | 7 +++++--
+ arch/s390/kernel/entry.S | 11 ++++++-----
+ 2 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/arch/s390/kernel/early.c b/arch/s390/kernel/early.c
+index 14d324865e33f..ee051ad81c711 100644
+--- a/arch/s390/kernel/early.c
++++ b/arch/s390/kernel/early.c
+@@ -183,12 +183,15 @@ void __do_early_pgm_check(struct pt_regs *regs)
+
+ static noinline __init void setup_lowcore_early(void)
+ {
++ struct lowcore *lc = get_lowcore();
+ psw_t psw;
+
+ psw.addr = (unsigned long)early_pgm_check_handler;
+ psw.mask = PSW_KERNEL_BITS;
+- get_lowcore()->program_new_psw = psw;
+- get_lowcore()->preempt_count = INIT_PREEMPT_COUNT;
++ lc->program_new_psw = psw;
++ lc->preempt_count = INIT_PREEMPT_COUNT;
++ lc->return_lpswe = gen_lpswe(__LC_RETURN_PSW);
++ lc->return_mcck_lpswe = gen_lpswe(__LC_RETURN_MCCK_PSW);
+ }
+
+ static __init void detect_diag9c(void)
+diff --git a/arch/s390/kernel/entry.S b/arch/s390/kernel/entry.S
+index b01f4ac43f729..6539ec4800cd1 100644
+--- a/arch/s390/kernel/entry.S
++++ b/arch/s390/kernel/entry.S
+@@ -600,18 +600,19 @@ SYM_CODE_START(restart_int_handler)
+ SYM_CODE_END(restart_int_handler)
+
+ SYM_CODE_START(early_pgm_check_handler)
+- stmg %r8,%r15,__LC_SAVE_AREA_SYNC
++ STMG_LC %r8,%r15,__LC_SAVE_AREA_SYNC
++ GET_LC %r13
+ aghi %r15,-(STACK_FRAME_OVERHEAD+__PT_SIZE)
+ la %r11,STACK_FRAME_OVERHEAD(%r15)
+ xc __SF_BACKCHAIN(8,%r15),__SF_BACKCHAIN(%r15)
+ stmg %r0,%r7,__PT_R0(%r11)
+- mvc __PT_PSW(16,%r11),__LC_PGM_OLD_PSW
+- mvc __PT_R8(64,%r11),__LC_SAVE_AREA_SYNC
++ mvc __PT_PSW(16,%r11),__LC_PGM_OLD_PSW(%r13)
++ mvc __PT_R8(64,%r11),__LC_SAVE_AREA_SYNC(%r13)
+ lgr %r2,%r11
+ brasl %r14,__do_early_pgm_check
+- mvc __LC_RETURN_PSW(16),STACK_FRAME_OVERHEAD+__PT_PSW(%r15)
++ mvc __LC_RETURN_PSW(16,%r13),STACK_FRAME_OVERHEAD+__PT_PSW(%r15)
+ lmg %r0,%r15,STACK_FRAME_OVERHEAD+__PT_R0(%r15)
+- lpswe __LC_RETURN_PSW
++ LPSWEY __LC_RETURN_PSW,__LC_RETURN_LPSWE
+ SYM_CODE_END(early_pgm_check_handler)
+
+ .section .kprobes.text, "ax"
+--
+2.43.0
+
--- /dev/null
+From 3cfdfd185ee9c4f512ceab31504305dea2460722 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jul 2024 15:25:59 +0200
+Subject: s390/entry: Move early program check handler to entry.S
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit f2bb5b97b51ce5425e8f59f899643ce4eadba667 ]
+
+Have all program check handlers in one file to make future changes easy.
+
+Reviewed-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Reviewed-by: Sven Schnelle <svens@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Stable-dep-of: f101b305a7b9 ("s390/entry: Make early program check handler relocated lowcore aware")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/Makefile | 2 +-
+ arch/s390/kernel/earlypgm.S | 23 -----------------------
+ arch/s390/kernel/entry.S | 15 +++++++++++++++
+ 3 files changed, 16 insertions(+), 24 deletions(-)
+ delete mode 100644 arch/s390/kernel/earlypgm.S
+
+diff --git a/arch/s390/kernel/Makefile b/arch/s390/kernel/Makefile
+index e47a4be54ff8e..a70f25e9c17da 100644
+--- a/arch/s390/kernel/Makefile
++++ b/arch/s390/kernel/Makefile
+@@ -36,7 +36,7 @@ CFLAGS_stacktrace.o += -fno-optimize-sibling-calls
+ CFLAGS_dumpstack.o += -fno-optimize-sibling-calls
+ CFLAGS_unwind_bc.o += -fno-optimize-sibling-calls
+
+-obj-y := head64.o traps.o time.o process.o earlypgm.o early.o setup.o idle.o vtime.o
++obj-y := head64.o traps.o time.o process.o early.o setup.o idle.o vtime.o
+ obj-y += processor.o syscall.o ptrace.o signal.o cpcmd.o ebcdic.o nmi.o
+ obj-y += debug.o irq.o ipl.o dis.o diag.o vdso.o cpufeature.o
+ obj-y += sysinfo.o lgr.o os_info.o ctlreg.o
+diff --git a/arch/s390/kernel/earlypgm.S b/arch/s390/kernel/earlypgm.S
+deleted file mode 100644
+index c634871f0d905..0000000000000
+--- a/arch/s390/kernel/earlypgm.S
++++ /dev/null
+@@ -1,23 +0,0 @@
+-/* SPDX-License-Identifier: GPL-2.0 */
+-/*
+- * Copyright IBM Corp. 2006, 2007
+- * Author(s): Michael Holzheu <holzheu@de.ibm.com>
+- */
+-
+-#include <linux/linkage.h>
+-#include <asm/asm-offsets.h>
+-
+-SYM_CODE_START(early_pgm_check_handler)
+- stmg %r8,%r15,__LC_SAVE_AREA_SYNC
+- aghi %r15,-(STACK_FRAME_OVERHEAD+__PT_SIZE)
+- la %r11,STACK_FRAME_OVERHEAD(%r15)
+- xc __SF_BACKCHAIN(8,%r15),__SF_BACKCHAIN(%r15)
+- stmg %r0,%r7,__PT_R0(%r11)
+- mvc __PT_PSW(16,%r11),__LC_PGM_OLD_PSW
+- mvc __PT_R8(64,%r11),__LC_SAVE_AREA_SYNC
+- lgr %r2,%r11
+- brasl %r14,__do_early_pgm_check
+- mvc __LC_RETURN_PSW(16),STACK_FRAME_OVERHEAD+__PT_PSW(%r15)
+- lmg %r0,%r15,STACK_FRAME_OVERHEAD+__PT_R0(%r15)
+- lpswe __LC_RETURN_PSW
+-SYM_CODE_END(early_pgm_check_handler)
+diff --git a/arch/s390/kernel/entry.S b/arch/s390/kernel/entry.S
+index 749410cfdbc07..b01f4ac43f729 100644
+--- a/arch/s390/kernel/entry.S
++++ b/arch/s390/kernel/entry.S
+@@ -599,6 +599,21 @@ SYM_CODE_START(restart_int_handler)
+ 3: j 3b
+ SYM_CODE_END(restart_int_handler)
+
++SYM_CODE_START(early_pgm_check_handler)
++ stmg %r8,%r15,__LC_SAVE_AREA_SYNC
++ aghi %r15,-(STACK_FRAME_OVERHEAD+__PT_SIZE)
++ la %r11,STACK_FRAME_OVERHEAD(%r15)
++ xc __SF_BACKCHAIN(8,%r15),__SF_BACKCHAIN(%r15)
++ stmg %r0,%r7,__PT_R0(%r11)
++ mvc __PT_PSW(16,%r11),__LC_PGM_OLD_PSW
++ mvc __PT_R8(64,%r11),__LC_SAVE_AREA_SYNC
++ lgr %r2,%r11
++ brasl %r14,__do_early_pgm_check
++ mvc __LC_RETURN_PSW(16),STACK_FRAME_OVERHEAD+__PT_PSW(%r15)
++ lmg %r0,%r15,STACK_FRAME_OVERHEAD+__PT_R0(%r15)
++ lpswe __LC_RETURN_PSW
++SYM_CODE_END(early_pgm_check_handler)
++
+ .section .kprobes.text, "ax"
+
+ #if defined(CONFIG_CHECK_STACK) || defined(CONFIG_VMAP_STACK)
+--
+2.43.0
+
--- /dev/null
+From 912f7776b383c5006e6ca555456ae8c8b9f202a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Aug 2024 21:55:24 +0800
+Subject: samples/bpf: Fix compilation errors with cf-protection option
+
+From: Jiangshan Yi <yijiangshan@kylinos.cn>
+
+[ Upstream commit fdf1c728fac541891ef1aa773bfd42728626769c ]
+
+Currently, compiling the bpf programs will result the compilation errors
+with the cf-protection option as follows in arm64 and loongarch64 machine
+when using gcc 12.3.1 and clang 17.0.6. This commit fixes the compilation
+errors by limited the cf-protection option only used in x86 platform.
+
+[root@localhost linux]# make M=samples/bpf
+ ......
+ CLANG-bpf samples/bpf/xdp2skb_meta_kern.o
+error: option 'cf-protection=return' cannot be specified on this target
+error: option 'cf-protection=branch' cannot be specified on this target
+2 errors generated.
+ CLANG-bpf samples/bpf/syscall_tp_kern.o
+error: option 'cf-protection=return' cannot be specified on this target
+error: option 'cf-protection=branch' cannot be specified on this target
+2 errors generated.
+ ......
+
+Fixes: 34f6e38f58db ("samples/bpf: fix warning with ignored-attributes")
+Reported-by: Jiangshan Yi <yijiangshan@kylinos.cn>
+Signed-off-by: Jiangshan Yi <yijiangshan@kylinos.cn>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Tested-by: Qiang Wang <wangqiang1@kylinos.cn>
+Link: https://lore.kernel.org/bpf/20240815135524.140675-1-13667453960@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/Makefile | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/samples/bpf/Makefile b/samples/bpf/Makefile
+index 3e003dd6bea09..dca56aa360ff3 100644
+--- a/samples/bpf/Makefile
++++ b/samples/bpf/Makefile
+@@ -169,6 +169,10 @@ BPF_EXTRA_CFLAGS += -I$(srctree)/arch/mips/include/asm/mach-generic
+ endif
+ endif
+
++ifeq ($(ARCH), x86)
++BPF_EXTRA_CFLAGS += -fcf-protection
++endif
++
+ TPROGS_CFLAGS += -Wall -O2
+ TPROGS_CFLAGS += -Wmissing-prototypes
+ TPROGS_CFLAGS += -Wstrict-prototypes
+@@ -405,7 +409,7 @@ $(obj)/%.o: $(src)/%.c
+ -Wno-gnu-variable-sized-type-not-at-end \
+ -Wno-address-of-packed-member -Wno-tautological-compare \
+ -Wno-unknown-warning-option $(CLANG_ARCH_ARGS) \
+- -fno-asynchronous-unwind-tables -fcf-protection \
++ -fno-asynchronous-unwind-tables \
+ -I$(srctree)/samples/bpf/ -include asm_goto_workaround.h \
+ -O2 -emit-llvm -Xclang -disable-llvm-passes -c $< -o - | \
+ $(OPT) -O2 -mtriple=bpf-pc-linux | $(LLVM_DIS) | \
+--
+2.43.0
+
--- /dev/null
+From 66c30d66521901154cdf08fe4518cf7940ce69fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 11:11:11 +0800
+Subject: sched/deadline: Fix schedstats vs deadline servers
+
+From: Huang Shijie <shijie@os.amperecomputing.com>
+
+[ Upstream commit 9c602adb799e72ee537c0c7ca7e828c3fe2acad6 ]
+
+In dl_server_start(), when schedstats is enabled, the following
+happens:
+
+ dl_server_start()
+ dl_se->dl_server = 1;
+ enqueue_dl_entity()
+ update_stats_enqueue_dl()
+ __schedstats_from_dl_se()
+ dl_task_of()
+ BUG_ON(dl_server(dl_se));
+
+Since only tasks have schedstats and internal entries do not, avoid
+trying to update stats in this case.
+
+Fixes: 63ba8422f876 ("sched/deadline: Introduce deadline servers")
+Signed-off-by: Huang Shijie <shijie@os.amperecomputing.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Juri Lelli <juri.lelli@redhat.com>
+Link: https://lkml.kernel.org/r/20240829031111.12142-1-shijie@os.amperecomputing.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/deadline.c | 38 ++++++++++++++++----------------------
+ 1 file changed, 16 insertions(+), 22 deletions(-)
+
+diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
+index f59e5c19d9445..c5a3691ba6cc1 100644
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -1599,46 +1599,40 @@ static inline bool __dl_less(struct rb_node *a, const struct rb_node *b)
+ return dl_time_before(__node_2_dle(a)->deadline, __node_2_dle(b)->deadline);
+ }
+
+-static inline struct sched_statistics *
++static __always_inline struct sched_statistics *
+ __schedstats_from_dl_se(struct sched_dl_entity *dl_se)
+ {
++ if (!schedstat_enabled())
++ return NULL;
++
++ if (dl_server(dl_se))
++ return NULL;
++
+ return &dl_task_of(dl_se)->stats;
+ }
+
+ static inline void
+ update_stats_wait_start_dl(struct dl_rq *dl_rq, struct sched_dl_entity *dl_se)
+ {
+- struct sched_statistics *stats;
+-
+- if (!schedstat_enabled())
+- return;
+-
+- stats = __schedstats_from_dl_se(dl_se);
+- __update_stats_wait_start(rq_of_dl_rq(dl_rq), dl_task_of(dl_se), stats);
++ struct sched_statistics *stats = __schedstats_from_dl_se(dl_se);
++ if (stats)
++ __update_stats_wait_start(rq_of_dl_rq(dl_rq), dl_task_of(dl_se), stats);
+ }
+
+ static inline void
+ update_stats_wait_end_dl(struct dl_rq *dl_rq, struct sched_dl_entity *dl_se)
+ {
+- struct sched_statistics *stats;
+-
+- if (!schedstat_enabled())
+- return;
+-
+- stats = __schedstats_from_dl_se(dl_se);
+- __update_stats_wait_end(rq_of_dl_rq(dl_rq), dl_task_of(dl_se), stats);
++ struct sched_statistics *stats = __schedstats_from_dl_se(dl_se);
++ if (stats)
++ __update_stats_wait_end(rq_of_dl_rq(dl_rq), dl_task_of(dl_se), stats);
+ }
+
+ static inline void
+ update_stats_enqueue_sleeper_dl(struct dl_rq *dl_rq, struct sched_dl_entity *dl_se)
+ {
+- struct sched_statistics *stats;
+-
+- if (!schedstat_enabled())
+- return;
+-
+- stats = __schedstats_from_dl_se(dl_se);
+- __update_stats_enqueue_sleeper(rq_of_dl_rq(dl_rq), dl_task_of(dl_se), stats);
++ struct sched_statistics *stats = __schedstats_from_dl_se(dl_se);
++ if (stats)
++ __update_stats_enqueue_sleeper(rq_of_dl_rq(dl_rq), dl_task_of(dl_se), stats);
+ }
+
+ static inline void
+--
+2.43.0
+
--- /dev/null
+From 4da4e4333dc30e0b9932550145e3018950e90464 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Jun 2024 10:35:05 +0800
+Subject: sched/fair: Make SCHED_IDLE entity be preempted in strict hierarchy
+
+From: Tianchen Ding <dtcccc@linux.alibaba.com>
+
+[ Upstream commit faa42d29419def58d3c3e5b14ad4037f0af3b496 ]
+
+Consider the following cgroup:
+
+ root
+ |
+ ------------------------
+ | |
+ normal_cgroup idle_cgroup
+ | |
+ SCHED_IDLE task_A SCHED_NORMAL task_B
+
+According to the cgroup hierarchy, A should preempt B. But current
+check_preempt_wakeup_fair() treats cgroup se and task separately, so B
+will preempt A unexpectedly.
+Unify the wakeup logic by {c,p}se_is_idle only. This makes SCHED_IDLE of
+a task a relative policy that is effective only within its own cgroup,
+similar to the behavior of NICE.
+
+Also fix se_is_idle() definition when !CONFIG_FAIR_GROUP_SCHED.
+
+Fixes: 304000390f88 ("sched: Cgroup SCHED_IDLE support")
+Signed-off-by: Tianchen Ding <dtcccc@linux.alibaba.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Josh Don <joshdon@google.com>
+Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org>
+Link: https://lkml.kernel.org/r/20240626023505.1332596-1-dtcccc@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 22 +++++++++-------------
+ 1 file changed, 9 insertions(+), 13 deletions(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 9057584ec06de..82ff874953b55 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -511,7 +511,7 @@ static int cfs_rq_is_idle(struct cfs_rq *cfs_rq)
+
+ static int se_is_idle(struct sched_entity *se)
+ {
+- return 0;
++ return task_has_idle_policy(task_of(se));
+ }
+
+ #endif /* CONFIG_FAIR_GROUP_SCHED */
+@@ -8381,16 +8381,7 @@ static void check_preempt_wakeup_fair(struct rq *rq, struct task_struct *p, int
+ if (test_tsk_need_resched(curr))
+ return;
+
+- /* Idle tasks are by definition preempted by non-idle tasks. */
+- if (unlikely(task_has_idle_policy(curr)) &&
+- likely(!task_has_idle_policy(p)))
+- goto preempt;
+-
+- /*
+- * Batch and idle tasks do not preempt non-idle tasks (their preemption
+- * is driven by the tick):
+- */
+- if (unlikely(p->policy != SCHED_NORMAL) || !sched_feat(WAKEUP_PREEMPTION))
++ if (!sched_feat(WAKEUP_PREEMPTION))
+ return;
+
+ find_matching_se(&se, &pse);
+@@ -8400,7 +8391,7 @@ static void check_preempt_wakeup_fair(struct rq *rq, struct task_struct *p, int
+ pse_is_idle = se_is_idle(pse);
+
+ /*
+- * Preempt an idle group in favor of a non-idle group (and don't preempt
++ * Preempt an idle entity in favor of a non-idle entity (and don't preempt
+ * in the inverse case).
+ */
+ if (cse_is_idle && !pse_is_idle)
+@@ -8408,9 +8399,14 @@ static void check_preempt_wakeup_fair(struct rq *rq, struct task_struct *p, int
+ if (cse_is_idle != pse_is_idle)
+ return;
+
++ /*
++ * BATCH and IDLE tasks do not preempt others.
++ */
++ if (unlikely(p->policy != SCHED_NORMAL))
++ return;
++
+ cfs_rq = cfs_rq_of(se);
+ update_curr(cfs_rq);
+-
+ /*
+ * XXX pick_eevdf(cfs_rq) != se ?
+ */
+--
+2.43.0
+
--- /dev/null
+From f04ea421b8dfc33aa9703bb4cd1927f8fe518270 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 19:29:58 +0800
+Subject: sched/numa: Fix the vma scan starving issue
+
+From: Yujie Liu <yujie.liu@intel.com>
+
+[ Upstream commit f22cde4371f3c624e947a35b075c06c771442a43 ]
+
+Problem statement:
+Since commit fc137c0ddab2 ("sched/numa: enhance vma scanning logic"), the
+Numa vma scan overhead has been reduced a lot. Meanwhile, the reducing of
+the vma scan might create less Numa page fault information. The
+insufficient information makes it harder for the Numa balancer to make
+decision. Later, commit b7a5b537c55c08 ("sched/numa: Complete scanning of
+partial VMAs regardless of PID activity") and commit 84db47ca7146d7
+("sched/numa: Fix mm numa_scan_seq based unconditional scan") are found to
+bring back part of the performance.
+
+Recently when running SPECcpu omnetpp_r on a 320 CPUs/2 Sockets system, a
+long duration of remote Numa node read was observed by PMU events: A few
+cores having ~500MB/s remote memory access for ~20 seconds. It causes
+high core-to-core variance and performance penalty. After the
+investigation, it is found that many vmas are skipped due to the active
+PID check. According to the trace events, in most cases,
+vma_is_accessed() returns false because the history access info stored in
+pids_active array has been cleared.
+
+Proposal:
+The main idea is to adjust vma_is_accessed() to let it return true easier.
+Thus compare the diff between mm->numa_scan_seq and
+vma->numab_state->prev_scan_seq. If the diff has exceeded the threshold,
+scan the vma.
+
+This patch especially helps the cases where there are small number of
+threads, like the process-based SPECcpu. Without this patch, if the
+SPECcpu process access the vma at the beginning, then sleeps for a long
+time, the pid_active array will be cleared. A a result, if this process
+is woken up again, it never has a chance to set prot_none anymore.
+Because only the first 2 times of access is granted for vma scan:
+(current->mm->numa_scan_seq) - vma->numab_state->start_scan_seq) < 2 to be
+worse, no other threads within the task can help set the prot_none. This
+causes information lost.
+
+Raghavendra helped test current patch and got the positive result
+on the AMD platform:
+
+autonumabench NUMA01
+ base patched
+Amean syst-NUMA01 194.05 ( 0.00%) 165.11 * 14.92%*
+Amean elsp-NUMA01 324.86 ( 0.00%) 315.58 * 2.86%*
+
+Duration User 380345.36 368252.04
+Duration System 1358.89 1156.23
+Duration Elapsed 2277.45 2213.25
+
+autonumabench NUMA02
+
+Amean syst-NUMA02 1.12 ( 0.00%) 1.09 * 2.93%*
+Amean elsp-NUMA02 3.50 ( 0.00%) 3.56 * -1.84%*
+
+Duration User 1513.23 1575.48
+Duration System 8.33 8.13
+Duration Elapsed 28.59 29.71
+
+kernbench
+
+Amean user-256 22935.42 ( 0.00%) 22535.19 * 1.75%*
+Amean syst-256 7284.16 ( 0.00%) 7608.72 * -4.46%*
+Amean elsp-256 159.01 ( 0.00%) 158.17 * 0.53%*
+
+Duration User 68816.41 67615.74
+Duration System 21873.94 22848.08
+Duration Elapsed 506.66 504.55
+
+Intel 256 CPUs/2 Sockets:
+autonuma benchmark also shows improvements:
+
+ v6.10-rc5 v6.10-rc5
+ +patch
+Amean syst-NUMA01 245.85 ( 0.00%) 230.84 * 6.11%*
+Amean syst-NUMA01_THREADLOCAL 205.27 ( 0.00%) 191.86 * 6.53%*
+Amean syst-NUMA02 18.57 ( 0.00%) 18.09 * 2.58%*
+Amean syst-NUMA02_SMT 2.63 ( 0.00%) 2.54 * 3.47%*
+Amean elsp-NUMA01 517.17 ( 0.00%) 526.34 * -1.77%*
+Amean elsp-NUMA01_THREADLOCAL 99.92 ( 0.00%) 100.59 * -0.67%*
+Amean elsp-NUMA02 15.81 ( 0.00%) 15.72 * 0.59%*
+Amean elsp-NUMA02_SMT 13.23 ( 0.00%) 12.89 * 2.53%*
+
+ v6.10-rc5 v6.10-rc5
+ +patch
+Duration User 1064010.16 1075416.23
+Duration System 3307.64 3104.66
+Duration Elapsed 4537.54 4604.73
+
+The SPECcpu remote node access issue disappears with the patch applied.
+
+Link: https://lkml.kernel.org/r/20240827112958.181388-1-yu.c.chen@intel.com
+Fixes: fc137c0ddab2 ("sched/numa: enhance vma scanning logic")
+Signed-off-by: Chen Yu <yu.c.chen@intel.com>
+Co-developed-by: Chen Yu <yu.c.chen@intel.com>
+Signed-off-by: Yujie Liu <yujie.liu@intel.com>
+Reported-by: Xiaoping Zhou <xiaoping.zhou@intel.com>
+Reviewed-and-tested-by: Raghavendra K T <raghavendra.kt@amd.com>
+Acked-by: Mel Gorman <mgorman@techsingularity.net>
+Cc: "Chen, Tim C" <tim.c.chen@intel.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Juri Lelli <juri.lelli@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Raghavendra K T <raghavendra.kt@amd.com>
+Cc: Vincent Guittot <vincent.guittot@linaro.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 82ff874953b55..d87e5e95f4a76 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -3188,6 +3188,15 @@ static bool vma_is_accessed(struct mm_struct *mm, struct vm_area_struct *vma)
+ return true;
+ }
+
++ /*
++ * This vma has not been accessed for a while, and if the number
++ * the threads in the same process is low, which means no other
++ * threads can help scan this vma, force a vma scan.
++ */
++ if (READ_ONCE(mm->numa_scan_seq) >
++ (vma->numab_state->prev_scan_seq + get_nr_threads(current)))
++ return true;
++
+ return false;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From e9560e6f773a84826f00d5e8f0c0385ce9e6786a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 19:26:07 +0800
+Subject: sched/pelt: Use rq_clock_task() for hw_pressure
+
+From: Chen Yu <yu.c.chen@intel.com>
+
+[ Upstream commit 84d265281d6cea65353fc24146280e0d86ac50cb ]
+
+commit 97450eb90965 ("sched/pelt: Remove shift of thermal clock")
+removed the decay_shift for hw_pressure. This commit uses the
+sched_clock_task() in sched_tick() while it replaces the
+sched_clock_task() with rq_clock_pelt() in __update_blocked_others().
+This could bring inconsistence. One possible scenario I can think of
+is in ___update_load_sum():
+
+ u64 delta = now - sa->last_update_time
+
+'now' could be calculated by rq_clock_pelt() from
+__update_blocked_others(), and last_update_time was calculated by
+rq_clock_task() previously from sched_tick(). Usually the former
+chases after the latter, it cause a very large 'delta' and brings
+unexpected behavior.
+
+Fixes: 97450eb90965 ("sched/pelt: Remove shift of thermal clock")
+Signed-off-by: Chen Yu <yu.c.chen@intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Hongyan Xia <hongyan.xia2@arm.com>
+Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org>
+Link: https://lkml.kernel.org/r/20240827112607.181206-1-yu.c.chen@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index d87e5e95f4a76..1d2cbdb162a67 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -9365,9 +9365,10 @@ static bool __update_blocked_others(struct rq *rq, bool *done)
+
+ hw_pressure = arch_scale_hw_pressure(cpu_of(rq));
+
++ /* hw_pressure doesn't care about invariance */
+ decayed = update_rt_rq_load_avg(now, rq, curr_class == &rt_sched_class) |
+ update_dl_rq_load_avg(now, rq, curr_class == &dl_sched_class) |
+- update_hw_load_avg(now, rq, hw_pressure) |
++ update_hw_load_avg(rq_clock_task(rq), rq, hw_pressure) |
+ update_irq_load_avg(rq, 0);
+
+ if (others_have_blocked(rq))
+--
+2.43.0
+
--- /dev/null
+From 2ee6f7f92ef95cb6cd79f2e4000f5e6be34c846a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Aug 2024 11:33:15 +0000
+Subject: scsi: block: Don't check REQ_ATOMIC for reads
+
+From: John Garry <john.g.garry@oracle.com>
+
+[ Upstream commit ea6787c695ab7595d851c3506f67c157f3b593c0 ]
+
+We check in submit_bio_noacct() if flag REQ_ATOMIC is set for both read and
+write operations, and then validate the atomic operation if set. Flag
+REQ_ATOMIC can only be set for writes, so don't bother checking for reads.
+
+Fixes: 9da3d1e912f3 ("block: Add core atomic write support")
+Signed-off-by: John Garry <john.g.garry@oracle.com>
+Link: https://lore.kernel.org/r/20240805113315.1048591-3-john.g.garry@oracle.com
+Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/block/blk-core.c b/block/blk-core.c
+index 1217c2cd66dd8..bc5e8c5eaac9f 100644
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -799,6 +799,7 @@ void submit_bio_noacct(struct bio *bio)
+
+ switch (bio_op(bio)) {
+ case REQ_OP_READ:
++ break;
+ case REQ_OP_WRITE:
+ if (bio->bi_opf & REQ_ATOMIC) {
+ status = blk_validate_atomic_write_op_size(q, bio);
+--
+2.43.0
+
--- /dev/null
+From 1590bbc7b62f42daed3a7cde9a699035a00380a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Aug 2024 14:29:05 +0300
+Subject: scsi: elx: libefc: Fix potential use after free in
+ efc_nport_vport_del()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 2e4b02fad094976763af08fec2c620f4f8edd9ae ]
+
+The kref_put() function will call nport->release if the refcount drops to
+zero. The nport->release release function is _efc_nport_free() which frees
+"nport". But then we dereference "nport" on the next line which is a use
+after free. Re-order these lines to avoid the use after free.
+
+Fixes: fcd427303eb9 ("scsi: elx: libefc: SLI and FC PORT state machine interfaces")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/b666ab26-6581-4213-9a3d-32a9147f0399@stanley.mountain
+Reviewed-by: Daniel Wagner <dwagner@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/elx/libefc/efc_nport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/elx/libefc/efc_nport.c b/drivers/scsi/elx/libefc/efc_nport.c
+index 2e83a667901fe..1a7437f4328e8 100644
+--- a/drivers/scsi/elx/libefc/efc_nport.c
++++ b/drivers/scsi/elx/libefc/efc_nport.c
+@@ -705,9 +705,9 @@ efc_nport_vport_del(struct efc *efc, struct efc_domain *domain,
+ spin_lock_irqsave(&efc->lock, flags);
+ list_for_each_entry(nport, &domain->nport_list, list_entry) {
+ if (nport->wwpn == wwpn && nport->wwnn == wwnn) {
+- kref_put(&nport->ref, nport->release);
+ /* Shutdown this NPORT */
+ efc_sm_post_event(&nport->sm, EFC_EVT_SHUTDOWN, NULL);
++ kref_put(&nport->ref, nport->release);
+ break;
+ }
+ }
+--
+2.43.0
+
--- /dev/null
+From 6f97c307a7db0c8811b2e554ca6b03fef55bae7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 13:36:28 +1000
+Subject: scsi: NCR5380: Check for phase match during PDMA fixup
+
+From: Finn Thain <fthain@linux-m68k.org>
+
+[ Upstream commit 5768718da9417331803fc4bc090544c2a93b88dc ]
+
+It's not an error for a target to change the bus phase during a transfer.
+Unfortunately, the FLAG_DMA_FIXUP workaround does not allow for that -- a
+phase change produces a DRQ timeout error and the device borken flag will
+be set.
+
+Check the phase match bit during FLAG_DMA_FIXUP processing. Don't forget to
+decrement the command residual. While we are here, change shost_printk()
+into scmd_printk() for better consistency with other DMA error messages.
+
+Tested-by: Stan Johnson <userm57@yahoo.com>
+Fixes: 55181be8ced1 ("ncr5380: Replace redundant flags with FLAG_NO_DMA_FIXUP")
+Signed-off-by: Finn Thain <fthain@linux-m68k.org>
+Link: https://lore.kernel.org/r/99dc7d1f4c825621b5b120963a69f6cd3e9ca659.1723001788.git.fthain@linux-m68k.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/NCR5380.c | 78 +++++++++++++++++++++---------------------
+ 1 file changed, 39 insertions(+), 39 deletions(-)
+
+diff --git a/drivers/scsi/NCR5380.c b/drivers/scsi/NCR5380.c
+index cea3a79d538e4..00e245173320c 100644
+--- a/drivers/scsi/NCR5380.c
++++ b/drivers/scsi/NCR5380.c
+@@ -1485,6 +1485,7 @@ static int NCR5380_transfer_dma(struct Scsi_Host *instance,
+ unsigned char **data)
+ {
+ struct NCR5380_hostdata *hostdata = shost_priv(instance);
++ struct NCR5380_cmd *ncmd = NCR5380_to_ncmd(hostdata->connected);
+ int c = *count;
+ unsigned char p = *phase;
+ unsigned char *d = *data;
+@@ -1496,7 +1497,7 @@ static int NCR5380_transfer_dma(struct Scsi_Host *instance,
+ return -1;
+ }
+
+- NCR5380_to_ncmd(hostdata->connected)->phase = p;
++ ncmd->phase = p;
+
+ if (p & SR_IO) {
+ if (hostdata->read_overruns)
+@@ -1608,45 +1609,44 @@ static int NCR5380_transfer_dma(struct Scsi_Host *instance,
+ * request.
+ */
+
+- if (hostdata->flags & FLAG_DMA_FIXUP) {
+- if (p & SR_IO) {
+- /*
+- * The workaround was to transfer fewer bytes than we
+- * intended to with the pseudo-DMA read function, wait for
+- * the chip to latch the last byte, read it, and then disable
+- * pseudo-DMA mode.
+- *
+- * After REQ is asserted, the NCR5380 asserts DRQ and ACK.
+- * REQ is deasserted when ACK is asserted, and not reasserted
+- * until ACK goes false. Since the NCR5380 won't lower ACK
+- * until DACK is asserted, which won't happen unless we twiddle
+- * the DMA port or we take the NCR5380 out of DMA mode, we
+- * can guarantee that we won't handshake another extra
+- * byte.
+- */
+-
+- if (NCR5380_poll_politely(hostdata, BUS_AND_STATUS_REG,
+- BASR_DRQ, BASR_DRQ, 0) < 0) {
+- result = -1;
+- shost_printk(KERN_ERR, instance, "PDMA read: DRQ timeout\n");
+- }
+- if (NCR5380_poll_politely(hostdata, STATUS_REG,
+- SR_REQ, 0, 0) < 0) {
+- result = -1;
+- shost_printk(KERN_ERR, instance, "PDMA read: !REQ timeout\n");
+- }
+- d[*count - 1] = NCR5380_read(INPUT_DATA_REG);
+- } else {
+- /*
+- * Wait for the last byte to be sent. If REQ is being asserted for
+- * the byte we're interested, we'll ACK it and it will go false.
+- */
+- if (NCR5380_poll_politely2(hostdata,
+- BUS_AND_STATUS_REG, BASR_DRQ, BASR_DRQ,
+- BUS_AND_STATUS_REG, BASR_PHASE_MATCH, 0, 0) < 0) {
+- result = -1;
+- shost_printk(KERN_ERR, instance, "PDMA write: DRQ and phase timeout\n");
++ if ((hostdata->flags & FLAG_DMA_FIXUP) &&
++ (NCR5380_read(BUS_AND_STATUS_REG) & BASR_PHASE_MATCH)) {
++ /*
++ * The workaround was to transfer fewer bytes than we
++ * intended to with the pseudo-DMA receive function, wait for
++ * the chip to latch the last byte, read it, and then disable
++ * DMA mode.
++ *
++ * After REQ is asserted, the NCR5380 asserts DRQ and ACK.
++ * REQ is deasserted when ACK is asserted, and not reasserted
++ * until ACK goes false. Since the NCR5380 won't lower ACK
++ * until DACK is asserted, which won't happen unless we twiddle
++ * the DMA port or we take the NCR5380 out of DMA mode, we
++ * can guarantee that we won't handshake another extra
++ * byte.
++ *
++ * If sending, wait for the last byte to be sent. If REQ is
++ * being asserted for the byte we're interested, we'll ACK it
++ * and it will go false.
++ */
++ if (!NCR5380_poll_politely(hostdata, BUS_AND_STATUS_REG,
++ BASR_DRQ, BASR_DRQ, 0)) {
++ if ((p & SR_IO) &&
++ (NCR5380_read(BUS_AND_STATUS_REG) & BASR_PHASE_MATCH)) {
++ if (!NCR5380_poll_politely(hostdata, STATUS_REG,
++ SR_REQ, 0, 0)) {
++ d[c] = NCR5380_read(INPUT_DATA_REG);
++ --ncmd->this_residual;
++ } else {
++ result = -1;
++ scmd_printk(KERN_ERR, hostdata->connected,
++ "PDMA fixup: !REQ timeout\n");
++ }
+ }
++ } else if (NCR5380_read(BUS_AND_STATUS_REG) & BASR_PHASE_MATCH) {
++ result = -1;
++ scmd_printk(KERN_ERR, hostdata->connected,
++ "PDMA fixup: DRQ timeout\n");
+ }
+ }
+
+--
+2.43.0
+
--- /dev/null
+From e44db0030bab4096ae518492c528f229bdc546c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Aug 2024 11:33:14 +0000
+Subject: scsi: sd: Don't check if a write for REQ_ATOMIC
+
+From: John Garry <john.g.garry@oracle.com>
+
+[ Upstream commit 0c150b30d3d51a8c2e09fadd004a640fa12985c6 ]
+
+Flag REQ_ATOMIC can only be set for writes, so don't check if the operation
+is also a write in sd_setup_read_write_cmnd().
+
+Fixes: bf4ae8f2e640 ("scsi: sd: Atomic write support")
+Signed-off-by: John Garry <john.g.garry@oracle.com>
+Link: https://lore.kernel.org/r/20240805113315.1048591-2-john.g.garry@oracle.com
+Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/sd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index 9db86943d04cf..76f488ef6a7ee 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -1382,7 +1382,7 @@ static blk_status_t sd_setup_read_write_cmnd(struct scsi_cmnd *cmd)
+ if (protect && sdkp->protection_type == T10_PI_TYPE2_PROTECTION) {
+ ret = sd_setup_rw32_cmnd(cmd, write, lba, nr_blocks,
+ protect | fua, dld);
+- } else if (rq->cmd_flags & REQ_ATOMIC && write) {
++ } else if (rq->cmd_flags & REQ_ATOMIC) {
+ ret = sd_setup_atomic_cmnd(cmd, lba, nr_blocks,
+ sdkp->use_atomic_write_boundary,
+ protect | fua);
+--
+2.43.0
+
--- /dev/null
+From be26826a65c22340728805ffa091912e02ff8eae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Jul 2024 14:47:02 -0500
+Subject: scsi: smartpqi: revert propagate-the-multipath-failure-to-SML-quickly
+
+From: Gilbert Wu <Gilbert.Wu@microchip.com>
+
+[ Upstream commit f1393d52e6cda9c20f12643cbecf1e1dc357e0e2 ]
+
+Correct a rare multipath failure issue by reverting commit 94a68c814328
+("scsi: smartpqi: Quickly propagate path failures to SCSI midlayer") [1].
+
+Reason for revert: The patch propagated the path failure to SML quickly
+when one of the path fails during IO and AIO path gets disabled for a
+multipath device.
+
+But it created a new issue: when creating a volume on an encryption-enabled
+controller, the firmware reports the AIO path is disabled, which cause the
+driver to report a path failure to SML for a multipath device.
+
+There will be a new fix to handle "Illegal request" and "Invalid field in
+parameter list" on RAID path when the AIO path is disabled on a multipath
+device.
+
+[1] https://lore.kernel.org/all/164375209313.440833.9992416628621839233.stgit@brunhilda.pdev.net/
+
+Fixes: 94a68c814328 ("scsi: smartpqi: Quickly propagate path failures to SCSI midlayer")
+Reviewed-by: Scott Benesh <scott.benesh@microchip.com>
+Reviewed-by: Scott Teel <scott.teel@microchip.com>
+Reviewed-by: Mike McGowen <mike.mcgowen@microchip.com>
+Signed-off-by: Gilbert Wu <Gilbert.Wu@microchip.com>
+Signed-off-by: Don Brace <don.brace@microchip.com>
+Link: https://lore.kernel.org/r/20240711194704.982400-4-don.brace@microchip.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/smartpqi/smartpqi_init.c | 20 ++------------------
+ 1 file changed, 2 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c
+index 24c7cb285dca0..c1524fb334eb5 100644
+--- a/drivers/scsi/smartpqi/smartpqi_init.c
++++ b/drivers/scsi/smartpqi/smartpqi_init.c
+@@ -2354,14 +2354,6 @@ static inline void pqi_mask_device(u8 *scsi3addr)
+ scsi3addr[3] |= 0xc0;
+ }
+
+-static inline bool pqi_is_multipath_device(struct pqi_scsi_dev *device)
+-{
+- if (pqi_is_logical_device(device))
+- return false;
+-
+- return (device->path_map & (device->path_map - 1)) != 0;
+-}
+-
+ static inline bool pqi_expose_device(struct pqi_scsi_dev *device)
+ {
+ return !device->is_physical_device || !pqi_skip_device(device->scsi3addr);
+@@ -3258,14 +3250,12 @@ static void pqi_process_aio_io_error(struct pqi_io_request *io_request)
+ int residual_count;
+ int xfer_count;
+ bool device_offline;
+- struct pqi_scsi_dev *device;
+
+ scmd = io_request->scmd;
+ error_info = io_request->error_info;
+ host_byte = DID_OK;
+ sense_data_length = 0;
+ device_offline = false;
+- device = scmd->device->hostdata;
+
+ switch (error_info->service_response) {
+ case PQI_AIO_SERV_RESPONSE_COMPLETE:
+@@ -3290,14 +3280,8 @@ static void pqi_process_aio_io_error(struct pqi_io_request *io_request)
+ break;
+ case PQI_AIO_STATUS_AIO_PATH_DISABLED:
+ pqi_aio_path_disabled(io_request);
+- if (pqi_is_multipath_device(device)) {
+- pqi_device_remove_start(device);
+- host_byte = DID_NO_CONNECT;
+- scsi_status = SAM_STAT_CHECK_CONDITION;
+- } else {
+- scsi_status = SAM_STAT_GOOD;
+- io_request->status = -EAGAIN;
+- }
++ scsi_status = SAM_STAT_GOOD;
++ io_request->status = -EAGAIN;
+ break;
+ case PQI_AIO_STATUS_NO_PATH_TO_DEVICE:
+ case PQI_AIO_STATUS_INVALID_DEVICE:
+--
+2.43.0
+
--- /dev/null
+From 11b12000f120261fd924c79638ee0dde281e7c52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 16:38:43 -0700
+Subject: selftests/bpf: __arch_* macro to limit test cases to specific archs
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit ee7fe84468b1732fe65c5af3836437d54ac4c419 ]
+
+Add annotations __arch_x86_64, __arch_arm64, __arch_riscv64
+to specify on which architecture the test case should be tested.
+Several __arch_* annotations could be specified at once.
+When test case is not run on current arch it is marked as skipped.
+
+For example, the following would be tested only on arm64 and riscv64:
+
+ SEC("raw_tp")
+ __arch_arm64
+ __arch_riscv64
+ __xlated("1: *(u64 *)(r10 - 16) = r1")
+ __xlated("2: call")
+ __xlated("3: r1 = *(u64 *)(r10 - 16);")
+ __success
+ __naked void canary_arm64_riscv64(void)
+ {
+ asm volatile (
+ "r1 = 1;"
+ "*(u64 *)(r10 - 16) = r1;"
+ "call %[bpf_get_smp_processor_id];"
+ "r1 = *(u64 *)(r10 - 16);"
+ "exit;"
+ :
+ : __imm(bpf_get_smp_processor_id)
+ : __clobber_all);
+ }
+
+On x86 it would be skipped:
+
+ #467/2 verifier_nocsr/canary_arm64_riscv64:SKIP
+
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20240722233844.1406874-10-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Stable-dep-of: f00bb757ed63 ("selftests/bpf: fix to avoid __msg tag de-duplication by clang")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/progs/bpf_misc.h | 8 ++++
+ tools/testing/selftests/bpf/test_loader.c | 43 ++++++++++++++++++++
+ 2 files changed, 51 insertions(+)
+
+diff --git a/tools/testing/selftests/bpf/progs/bpf_misc.h b/tools/testing/selftests/bpf/progs/bpf_misc.h
+index a70939c7bc26b..a225cd87897c4 100644
+--- a/tools/testing/selftests/bpf/progs/bpf_misc.h
++++ b/tools/testing/selftests/bpf/progs/bpf_misc.h
+@@ -63,6 +63,10 @@
+ * __auxiliary Annotated program is not a separate test, but used as auxiliary
+ * for some other test cases and should always be loaded.
+ * __auxiliary_unpriv Same, but load program in unprivileged mode.
++ *
++ * __arch_* Specify on which architecture the test case should be tested.
++ * Several __arch_* annotations could be specified at once.
++ * When test case is not run on current arch it is marked as skipped.
+ */
+ #define __msg(msg) __attribute__((btf_decl_tag("comment:test_expect_msg=" msg)))
+ #define __regex(regex) __attribute__((btf_decl_tag("comment:test_expect_regex=" regex)))
+@@ -82,6 +86,10 @@
+ #define __auxiliary __attribute__((btf_decl_tag("comment:test_auxiliary")))
+ #define __auxiliary_unpriv __attribute__((btf_decl_tag("comment:test_auxiliary_unpriv")))
+ #define __btf_path(path) __attribute__((btf_decl_tag("comment:test_btf_path=" path)))
++#define __arch(arch) __attribute__((btf_decl_tag("comment:test_arch=" arch)))
++#define __arch_x86_64 __arch("X86_64")
++#define __arch_arm64 __arch("ARM64")
++#define __arch_riscv64 __arch("RISCV64")
+
+ /* Convenience macro for use with 'asm volatile' blocks */
+ #define __naked __attribute__((naked))
+diff --git a/tools/testing/selftests/bpf/test_loader.c b/tools/testing/selftests/bpf/test_loader.c
+index b44b6a2fc82ce..12b0c41e8d64c 100644
+--- a/tools/testing/selftests/bpf/test_loader.c
++++ b/tools/testing/selftests/bpf/test_loader.c
+@@ -34,6 +34,7 @@
+ #define TEST_TAG_AUXILIARY "comment:test_auxiliary"
+ #define TEST_TAG_AUXILIARY_UNPRIV "comment:test_auxiliary_unpriv"
+ #define TEST_BTF_PATH "comment:test_btf_path="
++#define TEST_TAG_ARCH "comment:test_arch="
+
+ /* Warning: duplicated in bpf_misc.h */
+ #define POINTER_VALUE 0xcafe4all
+@@ -80,6 +81,7 @@ struct test_spec {
+ int log_level;
+ int prog_flags;
+ int mode_mask;
++ int arch_mask;
+ bool auxiliary;
+ bool valid;
+ };
+@@ -213,6 +215,12 @@ static void update_flags(int *flags, int flag, bool clear)
+ *flags |= flag;
+ }
+
++enum arch {
++ ARCH_X86_64 = 0x1,
++ ARCH_ARM64 = 0x2,
++ ARCH_RISCV64 = 0x4,
++};
++
+ /* Uses btf_decl_tag attributes to describe the expected test
+ * behavior, see bpf_misc.h for detailed description of each attribute
+ * and attribute combinations.
+@@ -226,6 +234,7 @@ static int parse_test_spec(struct test_loader *tester,
+ bool has_unpriv_result = false;
+ bool has_unpriv_retval = false;
+ int func_id, i, err = 0;
++ u32 arch_mask = 0;
+ struct btf *btf;
+
+ memset(spec, 0, sizeof(*spec));
+@@ -364,11 +373,26 @@ static int parse_test_spec(struct test_loader *tester,
+ goto cleanup;
+ update_flags(&spec->prog_flags, flags, clear);
+ }
++ } else if (str_has_pfx(s, TEST_TAG_ARCH)) {
++ val = s + sizeof(TEST_TAG_ARCH) - 1;
++ if (strcmp(val, "X86_64") == 0) {
++ arch_mask |= ARCH_X86_64;
++ } else if (strcmp(val, "ARM64") == 0) {
++ arch_mask |= ARCH_ARM64;
++ } else if (strcmp(val, "RISCV64") == 0) {
++ arch_mask |= ARCH_RISCV64;
++ } else {
++ PRINT_FAIL("bad arch spec: '%s'", val);
++ err = -EINVAL;
++ goto cleanup;
++ }
+ } else if (str_has_pfx(s, TEST_BTF_PATH)) {
+ spec->btf_custom_path = s + sizeof(TEST_BTF_PATH) - 1;
+ }
+ }
+
++ spec->arch_mask = arch_mask;
++
+ if (spec->mode_mask == 0)
+ spec->mode_mask = PRIV;
+
+@@ -677,6 +701,20 @@ static int get_xlated_program_text(int prog_fd, char *text, size_t text_sz)
+ return err;
+ }
+
++static bool run_on_current_arch(int arch_mask)
++{
++ if (arch_mask == 0)
++ return true;
++#if defined(__x86_64__)
++ return arch_mask & ARCH_X86_64;
++#elif defined(__aarch64__)
++ return arch_mask & ARCH_ARM64;
++#elif defined(__riscv) && __riscv_xlen == 64
++ return arch_mask & ARCH_RISCV64;
++#endif
++ return false;
++}
++
+ /* this function is forced noinline and has short generic name to look better
+ * in test_progs output (in case of a failure)
+ */
+@@ -701,6 +739,11 @@ void run_subtest(struct test_loader *tester,
+ if (!test__start_subtest(subspec->name))
+ return;
+
++ if (!run_on_current_arch(spec->arch_mask)) {
++ test__skip();
++ return;
++ }
++
+ if (unpriv) {
+ if (!can_execute_unpriv(tester, spec)) {
+ test__skip();
+--
+2.43.0
+
--- /dev/null
+From ba624d9c980ec730c82cfddbc7fb41d6ad8e808f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 16:38:42 -0700
+Subject: selftests/bpf: allow checking xlated programs in verifier_* tests
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit 9c9f7339131030949a8ef111080427ff1a8085b5 ]
+
+Add a macro __xlated("...") for use with test_loader tests.
+
+When such annotations are present for the test case:
+- bpf_prog_get_info_by_fd() is used to get BPF program after all
+ rewrites are applied by verifier.
+- the program is disassembled and patterns specified in __xlated are
+ searched for in the disassembly text.
+
+__xlated matching follows the same mechanics as __msg:
+each subsequent pattern is matched from the point where
+previous pattern ended.
+
+This allows to write tests like below, where the goal is to verify the
+behavior of one of the of the transformations applied by verifier:
+
+ SEC("raw_tp")
+ __xlated("1: w0 = ")
+ __xlated("2: r0 = &(void __percpu *)(r0)")
+ __xlated("3: r0 = *(u32 *)(r0 +0)")
+ __xlated("4: exit")
+ __success __naked void simple(void)
+ {
+ asm volatile (
+ "call %[bpf_get_smp_processor_id];"
+ "exit;"
+ :
+ : __imm(bpf_get_smp_processor_id)
+ : __clobber_all);
+ }
+
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20240722233844.1406874-9-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Stable-dep-of: f00bb757ed63 ("selftests/bpf: fix to avoid __msg tag de-duplication by clang")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/progs/bpf_misc.h | 5 ++
+ tools/testing/selftests/bpf/test_loader.c | 82 +++++++++++++++++++-
+ 2 files changed, 84 insertions(+), 3 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/progs/bpf_misc.h b/tools/testing/selftests/bpf/progs/bpf_misc.h
+index 81097a3f15eb5..a70939c7bc26b 100644
+--- a/tools/testing/selftests/bpf/progs/bpf_misc.h
++++ b/tools/testing/selftests/bpf/progs/bpf_misc.h
+@@ -26,6 +26,9 @@
+ *
+ * __regex Same as __msg, but using a regular expression.
+ * __regex_unpriv Same as __msg_unpriv but using a regular expression.
++ * __xlated Expect a line in a disassembly log after verifier applies rewrites.
++ * Multiple __xlated attributes could be specified.
++ * __xlated_unpriv Same as __xlated but for unprivileged mode.
+ *
+ * __success Expect program load success in privileged mode.
+ * __success_unpriv Expect program load success in unprivileged mode.
+@@ -63,11 +66,13 @@
+ */
+ #define __msg(msg) __attribute__((btf_decl_tag("comment:test_expect_msg=" msg)))
+ #define __regex(regex) __attribute__((btf_decl_tag("comment:test_expect_regex=" regex)))
++#define __xlated(msg) __attribute__((btf_decl_tag("comment:test_expect_xlated=" msg)))
+ #define __failure __attribute__((btf_decl_tag("comment:test_expect_failure")))
+ #define __success __attribute__((btf_decl_tag("comment:test_expect_success")))
+ #define __description(desc) __attribute__((btf_decl_tag("comment:test_description=" desc)))
+ #define __msg_unpriv(msg) __attribute__((btf_decl_tag("comment:test_expect_msg_unpriv=" msg)))
+ #define __regex_unpriv(regex) __attribute__((btf_decl_tag("comment:test_expect_regex_unpriv=" regex)))
++#define __xlated_unpriv(msg) __attribute__((btf_decl_tag("comment:test_expect_xlated_unpriv=" msg)))
+ #define __failure_unpriv __attribute__((btf_decl_tag("comment:test_expect_failure_unpriv")))
+ #define __success_unpriv __attribute__((btf_decl_tag("comment:test_expect_success_unpriv")))
+ #define __log_level(lvl) __attribute__((btf_decl_tag("comment:test_log_level="#lvl)))
+diff --git a/tools/testing/selftests/bpf/test_loader.c b/tools/testing/selftests/bpf/test_loader.c
+index 3f84903558dd8..b44b6a2fc82ce 100644
+--- a/tools/testing/selftests/bpf/test_loader.c
++++ b/tools/testing/selftests/bpf/test_loader.c
+@@ -7,6 +7,7 @@
+ #include <bpf/btf.h>
+
+ #include "autoconf_helper.h"
++#include "disasm_helpers.h"
+ #include "unpriv_helpers.h"
+ #include "cap_helpers.h"
+
+@@ -19,10 +20,12 @@
+ #define TEST_TAG_EXPECT_SUCCESS "comment:test_expect_success"
+ #define TEST_TAG_EXPECT_MSG_PFX "comment:test_expect_msg="
+ #define TEST_TAG_EXPECT_REGEX_PFX "comment:test_expect_regex="
++#define TEST_TAG_EXPECT_XLATED_PFX "comment:test_expect_xlated="
+ #define TEST_TAG_EXPECT_FAILURE_UNPRIV "comment:test_expect_failure_unpriv"
+ #define TEST_TAG_EXPECT_SUCCESS_UNPRIV "comment:test_expect_success_unpriv"
+ #define TEST_TAG_EXPECT_MSG_PFX_UNPRIV "comment:test_expect_msg_unpriv="
+ #define TEST_TAG_EXPECT_REGEX_PFX_UNPRIV "comment:test_expect_regex_unpriv="
++#define TEST_TAG_EXPECT_XLATED_PFX_UNPRIV "comment:test_expect_xlated_unpriv="
+ #define TEST_TAG_LOG_LEVEL_PFX "comment:test_log_level="
+ #define TEST_TAG_PROG_FLAGS_PFX "comment:test_prog_flags="
+ #define TEST_TAG_DESCRIPTION_PFX "comment:test_description="
+@@ -64,6 +67,7 @@ struct test_subspec {
+ char *name;
+ bool expect_failure;
+ struct expected_msgs expect_msgs;
++ struct expected_msgs expect_xlated;
+ int retval;
+ bool execute;
+ };
+@@ -117,6 +121,8 @@ static void free_test_spec(struct test_spec *spec)
+ /* Deallocate expect_msgs arrays. */
+ free_msgs(&spec->priv.expect_msgs);
+ free_msgs(&spec->unpriv.expect_msgs);
++ free_msgs(&spec->priv.expect_xlated);
++ free_msgs(&spec->unpriv.expect_xlated);
+
+ free(spec->priv.name);
+ free(spec->unpriv.name);
+@@ -299,6 +305,18 @@ static int parse_test_spec(struct test_loader *tester,
+ if (err)
+ goto cleanup;
+ spec->mode_mask |= UNPRIV;
++ } else if (str_has_pfx(s, TEST_TAG_EXPECT_XLATED_PFX)) {
++ msg = s + sizeof(TEST_TAG_EXPECT_XLATED_PFX) - 1;
++ err = push_msg(msg, NULL, &spec->priv.expect_xlated);
++ if (err)
++ goto cleanup;
++ spec->mode_mask |= PRIV;
++ } else if (str_has_pfx(s, TEST_TAG_EXPECT_XLATED_PFX_UNPRIV)) {
++ msg = s + sizeof(TEST_TAG_EXPECT_XLATED_PFX_UNPRIV) - 1;
++ err = push_msg(msg, NULL, &spec->unpriv.expect_xlated);
++ if (err)
++ goto cleanup;
++ spec->mode_mask |= UNPRIV;
+ } else if (str_has_pfx(s, TEST_TAG_RETVAL_PFX)) {
+ val = s + sizeof(TEST_TAG_RETVAL_PFX) - 1;
+ err = parse_retval(val, &spec->priv.retval, "__retval");
+@@ -402,6 +420,16 @@ static int parse_test_spec(struct test_loader *tester,
+ goto cleanup;
+ }
+ }
++ if (spec->unpriv.expect_xlated.cnt == 0) {
++ for (i = 0; i < spec->priv.expect_xlated.cnt; i++) {
++ struct expect_msg *msg = &spec->priv.expect_xlated.patterns[i];
++
++ err = push_msg(msg->substr, msg->regex_str,
++ &spec->unpriv.expect_xlated);
++ if (err)
++ goto cleanup;
++ }
++ }
+ }
+
+ spec->valid = true;
+@@ -449,7 +477,15 @@ static void emit_verifier_log(const char *log_buf, bool force)
+ fprintf(stdout, "VERIFIER LOG:\n=============\n%s=============\n", log_buf);
+ }
+
+-static void validate_msgs(char *log_buf, struct expected_msgs *msgs)
++static void emit_xlated(const char *xlated, bool force)
++{
++ if (!force && env.verbosity == VERBOSE_NONE)
++ return;
++ fprintf(stdout, "XLATED:\n=============\n%s=============\n", xlated);
++}
++
++static void validate_msgs(char *log_buf, struct expected_msgs *msgs,
++ void (*emit_fn)(const char *buf, bool force))
+ {
+ regmatch_t reg_match[1];
+ const char *log = log_buf;
+@@ -473,7 +509,7 @@ static void validate_msgs(char *log_buf, struct expected_msgs *msgs)
+
+ if (!ASSERT_OK_PTR(match, "expect_msg")) {
+ if (env.verbosity == VERBOSE_NONE)
+- emit_verifier_log(log_buf, true /*force*/);
++ emit_fn(log_buf, true /*force*/);
+ for (j = 0; j <= i; j++) {
+ msg = &msgs->patterns[j];
+ fprintf(stderr, "%s %s: '%s'\n",
+@@ -610,6 +646,37 @@ static bool should_do_test_run(struct test_spec *spec, struct test_subspec *subs
+ return true;
+ }
+
++/* Get a disassembly of BPF program after verifier applies all rewrites */
++static int get_xlated_program_text(int prog_fd, char *text, size_t text_sz)
++{
++ struct bpf_insn *insn_start = NULL, *insn, *insn_end;
++ __u32 insns_cnt = 0, i;
++ char buf[64];
++ FILE *out = NULL;
++ int err;
++
++ err = get_xlated_program(prog_fd, &insn_start, &insns_cnt);
++ if (!ASSERT_OK(err, "get_xlated_program"))
++ goto out;
++ out = fmemopen(text, text_sz, "w");
++ if (!ASSERT_OK_PTR(out, "open_memstream"))
++ goto out;
++ insn_end = insn_start + insns_cnt;
++ insn = insn_start;
++ while (insn < insn_end) {
++ i = insn - insn_start;
++ insn = disasm_insn(insn, buf, sizeof(buf));
++ fprintf(out, "%d: %s\n", i, buf);
++ }
++ fflush(out);
++
++out:
++ free(insn_start);
++ if (out)
++ fclose(out);
++ return err;
++}
++
+ /* this function is forced noinline and has short generic name to look better
+ * in test_progs output (in case of a failure)
+ */
+@@ -695,7 +762,16 @@ void run_subtest(struct test_loader *tester,
+ }
+ }
+ emit_verifier_log(tester->log_buf, false /*force*/);
+- validate_msgs(tester->log_buf, &subspec->expect_msgs);
++ validate_msgs(tester->log_buf, &subspec->expect_msgs, emit_verifier_log);
++
++ if (subspec->expect_xlated.cnt) {
++ err = get_xlated_program_text(bpf_program__fd(tprog),
++ tester->log_buf, tester->log_buf_sz);
++ if (err)
++ goto tobj_cleanup;
++ emit_xlated(tester->log_buf, false /*force*/);
++ validate_msgs(tester->log_buf, &subspec->expect_xlated, emit_xlated);
++ }
+
+ if (should_do_test_run(spec, subspec)) {
+ /* For some reason test_verifier executes programs
+--
+2.43.0
+
--- /dev/null
+From f1f223921160900a5a8b1214bae8bed78bfe71c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:31 -0700
+Subject: selftests/bpf: Drop unneeded error.h includes
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 69f409469c9b1515a5db40d5a36fda372376fa2d ]
+
+The addition of general support for unprivileged tests in test_loader.c
+breaks building test_verifier on non-glibc (e.g. musl) systems, due to the
+inclusion of glibc extension '<error.h>' in 'unpriv_helpers.c'. However,
+the header is actually not needed, so remove it to restore building.
+
+Similarly for sk_lookup.c and flow_dissector.c, error.h is not necessary
+and causes problems, so drop them.
+
+Fixes: 1d56ade032a4 ("selftests/bpf: Unprivileged tests for test_loader.c")
+Fixes: 0ab5539f8584 ("selftests/bpf: Tests for BPF_SK_LOOKUP attach point")
+Fixes: 0905beec9f52 ("selftests/bpf: run flow dissector tests in skb-less mode")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/5664367edf5fea4f3f4b4aec3b182bcfc6edff9c.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/flow_dissector.c | 1 -
+ tools/testing/selftests/bpf/prog_tests/sk_lookup.c | 1 -
+ tools/testing/selftests/bpf/unpriv_helpers.c | 1 -
+ 3 files changed, 3 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/flow_dissector.c b/tools/testing/selftests/bpf/prog_tests/flow_dissector.c
+index 9e5f38739104b..9625e6d217913 100644
+--- a/tools/testing/selftests/bpf/prog_tests/flow_dissector.c
++++ b/tools/testing/selftests/bpf/prog_tests/flow_dissector.c
+@@ -1,7 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0
+ #include <test_progs.h>
+ #include <network_helpers.h>
+-#include <error.h>
+ #include <linux/if_tun.h>
+ #include <sys/uio.h>
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/sk_lookup.c b/tools/testing/selftests/bpf/prog_tests/sk_lookup.c
+index ae87c00867ba4..dcb2f62cdec6c 100644
+--- a/tools/testing/selftests/bpf/prog_tests/sk_lookup.c
++++ b/tools/testing/selftests/bpf/prog_tests/sk_lookup.c
+@@ -18,7 +18,6 @@
+ #include <arpa/inet.h>
+ #include <assert.h>
+ #include <errno.h>
+-#include <error.h>
+ #include <fcntl.h>
+ #include <sched.h>
+ #include <stdio.h>
+diff --git a/tools/testing/selftests/bpf/unpriv_helpers.c b/tools/testing/selftests/bpf/unpriv_helpers.c
+index b6d016461fb02..220f6a9638134 100644
+--- a/tools/testing/selftests/bpf/unpriv_helpers.c
++++ b/tools/testing/selftests/bpf/unpriv_helpers.c
+@@ -2,7 +2,6 @@
+
+ #include <stdbool.h>
+ #include <stdlib.h>
+-#include <error.h>
+ #include <stdio.h>
+ #include <string.h>
+ #include <unistd.h>
+--
+2.43.0
+
--- /dev/null
+From a25fd4b72acfdbc02a940ce226eaf852a8de047a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 16:38:41 -0700
+Subject: selftests/bpf: extract test_loader->expect_msgs as a data structure
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit 64f01e935ddb26f48baec71883c27878ac4231dc ]
+
+Non-functional change: use a separate data structure to represented
+expected messages in test_loader.
+This would allow to use the same functionality for expected set of
+disassembled instructions in the follow-up commit.
+
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20240722233844.1406874-8-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Stable-dep-of: f00bb757ed63 ("selftests/bpf: fix to avoid __msg tag de-duplication by clang")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_loader.c | 81 ++++++++++++-----------
+ 1 file changed, 41 insertions(+), 40 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/test_loader.c b/tools/testing/selftests/bpf/test_loader.c
+index 47508cf66e896..3f84903558dd8 100644
+--- a/tools/testing/selftests/bpf/test_loader.c
++++ b/tools/testing/selftests/bpf/test_loader.c
+@@ -55,11 +55,15 @@ struct expect_msg {
+ regex_t regex;
+ };
+
++struct expected_msgs {
++ struct expect_msg *patterns;
++ size_t cnt;
++};
++
+ struct test_subspec {
+ char *name;
+ bool expect_failure;
+- struct expect_msg *expect_msgs;
+- size_t expect_msg_cnt;
++ struct expected_msgs expect_msgs;
+ int retval;
+ bool execute;
+ };
+@@ -96,44 +100,45 @@ void test_loader_fini(struct test_loader *tester)
+ free(tester->log_buf);
+ }
+
+-static void free_test_spec(struct test_spec *spec)
++static void free_msgs(struct expected_msgs *msgs)
+ {
+ int i;
+
++ for (i = 0; i < msgs->cnt; i++)
++ if (msgs->patterns[i].regex_str)
++ regfree(&msgs->patterns[i].regex);
++ free(msgs->patterns);
++ msgs->patterns = NULL;
++ msgs->cnt = 0;
++}
++
++static void free_test_spec(struct test_spec *spec)
++{
+ /* Deallocate expect_msgs arrays. */
+- for (i = 0; i < spec->priv.expect_msg_cnt; i++)
+- if (spec->priv.expect_msgs[i].regex_str)
+- regfree(&spec->priv.expect_msgs[i].regex);
+- for (i = 0; i < spec->unpriv.expect_msg_cnt; i++)
+- if (spec->unpriv.expect_msgs[i].regex_str)
+- regfree(&spec->unpriv.expect_msgs[i].regex);
++ free_msgs(&spec->priv.expect_msgs);
++ free_msgs(&spec->unpriv.expect_msgs);
+
+ free(spec->priv.name);
+ free(spec->unpriv.name);
+- free(spec->priv.expect_msgs);
+- free(spec->unpriv.expect_msgs);
+-
+ spec->priv.name = NULL;
+ spec->unpriv.name = NULL;
+- spec->priv.expect_msgs = NULL;
+- spec->unpriv.expect_msgs = NULL;
+ }
+
+-static int push_msg(const char *substr, const char *regex_str, struct test_subspec *subspec)
++static int push_msg(const char *substr, const char *regex_str, struct expected_msgs *msgs)
+ {
+ void *tmp;
+ int regcomp_res;
+ char error_msg[100];
+ struct expect_msg *msg;
+
+- tmp = realloc(subspec->expect_msgs,
+- (1 + subspec->expect_msg_cnt) * sizeof(struct expect_msg));
++ tmp = realloc(msgs->patterns,
++ (1 + msgs->cnt) * sizeof(struct expect_msg));
+ if (!tmp) {
+ ASSERT_FAIL("failed to realloc memory for messages\n");
+ return -ENOMEM;
+ }
+- subspec->expect_msgs = tmp;
+- msg = &subspec->expect_msgs[subspec->expect_msg_cnt];
++ msgs->patterns = tmp;
++ msg = &msgs->patterns[msgs->cnt];
+
+ if (substr) {
+ msg->substr = substr;
+@@ -150,7 +155,7 @@ static int push_msg(const char *substr, const char *regex_str, struct test_subsp
+ }
+ }
+
+- subspec->expect_msg_cnt += 1;
++ msgs->cnt += 1;
+ return 0;
+ }
+
+@@ -272,25 +277,25 @@ static int parse_test_spec(struct test_loader *tester,
+ spec->mode_mask |= UNPRIV;
+ } else if (str_has_pfx(s, TEST_TAG_EXPECT_MSG_PFX)) {
+ msg = s + sizeof(TEST_TAG_EXPECT_MSG_PFX) - 1;
+- err = push_msg(msg, NULL, &spec->priv);
++ err = push_msg(msg, NULL, &spec->priv.expect_msgs);
+ if (err)
+ goto cleanup;
+ spec->mode_mask |= PRIV;
+ } else if (str_has_pfx(s, TEST_TAG_EXPECT_MSG_PFX_UNPRIV)) {
+ msg = s + sizeof(TEST_TAG_EXPECT_MSG_PFX_UNPRIV) - 1;
+- err = push_msg(msg, NULL, &spec->unpriv);
++ err = push_msg(msg, NULL, &spec->unpriv.expect_msgs);
+ if (err)
+ goto cleanup;
+ spec->mode_mask |= UNPRIV;
+ } else if (str_has_pfx(s, TEST_TAG_EXPECT_REGEX_PFX)) {
+ msg = s + sizeof(TEST_TAG_EXPECT_REGEX_PFX) - 1;
+- err = push_msg(NULL, msg, &spec->priv);
++ err = push_msg(NULL, msg, &spec->priv.expect_msgs);
+ if (err)
+ goto cleanup;
+ spec->mode_mask |= PRIV;
+ } else if (str_has_pfx(s, TEST_TAG_EXPECT_REGEX_PFX_UNPRIV)) {
+ msg = s + sizeof(TEST_TAG_EXPECT_REGEX_PFX_UNPRIV) - 1;
+- err = push_msg(NULL, msg, &spec->unpriv);
++ err = push_msg(NULL, msg, &spec->unpriv.expect_msgs);
+ if (err)
+ goto cleanup;
+ spec->mode_mask |= UNPRIV;
+@@ -387,11 +392,12 @@ static int parse_test_spec(struct test_loader *tester,
+ spec->unpriv.execute = spec->priv.execute;
+ }
+
+- if (!spec->unpriv.expect_msgs) {
+- for (i = 0; i < spec->priv.expect_msg_cnt; i++) {
+- struct expect_msg *msg = &spec->priv.expect_msgs[i];
++ if (spec->unpriv.expect_msgs.cnt == 0) {
++ for (i = 0; i < spec->priv.expect_msgs.cnt; i++) {
++ struct expect_msg *msg = &spec->priv.expect_msgs.patterns[i];
+
+- err = push_msg(msg->substr, msg->regex_str, &spec->unpriv);
++ err = push_msg(msg->substr, msg->regex_str,
++ &spec->unpriv.expect_msgs);
+ if (err)
+ goto cleanup;
+ }
+@@ -443,18 +449,14 @@ static void emit_verifier_log(const char *log_buf, bool force)
+ fprintf(stdout, "VERIFIER LOG:\n=============\n%s=============\n", log_buf);
+ }
+
+-static void validate_case(struct test_loader *tester,
+- struct test_subspec *subspec,
+- struct bpf_object *obj,
+- struct bpf_program *prog,
+- int load_err)
++static void validate_msgs(char *log_buf, struct expected_msgs *msgs)
+ {
+ regmatch_t reg_match[1];
+- const char *log = tester->log_buf;
++ const char *log = log_buf;
+ int i, j, err;
+
+- for (i = 0; i < subspec->expect_msg_cnt; i++) {
+- struct expect_msg *msg = &subspec->expect_msgs[i];
++ for (i = 0; i < msgs->cnt; i++) {
++ struct expect_msg *msg = &msgs->patterns[i];
+ const char *match = NULL;
+
+ if (msg->substr) {
+@@ -471,9 +473,9 @@ static void validate_case(struct test_loader *tester,
+
+ if (!ASSERT_OK_PTR(match, "expect_msg")) {
+ if (env.verbosity == VERBOSE_NONE)
+- emit_verifier_log(tester->log_buf, true /*force*/);
++ emit_verifier_log(log_buf, true /*force*/);
+ for (j = 0; j <= i; j++) {
+- msg = &subspec->expect_msgs[j];
++ msg = &msgs->patterns[j];
+ fprintf(stderr, "%s %s: '%s'\n",
+ j < i ? "MATCHED " : "EXPECTED",
+ msg->substr ? "SUBSTR" : " REGEX",
+@@ -692,9 +694,8 @@ void run_subtest(struct test_loader *tester,
+ goto tobj_cleanup;
+ }
+ }
+-
+ emit_verifier_log(tester->log_buf, false /*force*/);
+- validate_case(tester, subspec, tobj, tprog, err);
++ validate_msgs(tester->log_buf, &subspec->expect_msgs);
+
+ if (should_do_test_run(spec, subspec)) {
+ /* For some reason test_verifier executes programs
+--
+2.43.0
+
--- /dev/null
+From 91d97c936477e71e385dd16ad4c891cdbda129e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 02:24:18 -0700
+Subject: selftests/bpf: Fix arg parsing in veristat, test_progs
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 03bfcda1fbc37ef34aa21d2b9e09138335afc6ee ]
+
+Current code parses arguments with strtok_r() using a construct like
+
+ char *state = NULL;
+ while ((next = strtok_r(state ? NULL : input, ",", &state))) {
+ ...
+ }
+
+where logic assumes the 'state' var can distinguish between first and
+subsequent strtok_r() calls, and adjusts parameters accordingly. However,
+'state' is strictly internal context for strtok_r() and no such assumptions
+are supported in the man page. Moreover, the exact behaviour of 'state'
+depends on the libc implementation, making the above code fragile.
+
+Indeed, invoking "./test_progs -t <test_name>" on mips64el/musl will hang,
+with the above code in an infinite loop.
+
+Similarly, we see strange behaviour running 'veristat' on mips64el/musl:
+
+ $ ./veristat -e file,prog,verdict,insns -C two-ok add-failure
+ Can't specify more than 9 stats
+
+Rewrite code using a counter to distinguish between strtok_r() calls.
+
+Fixes: 61ddff373ffa ("selftests/bpf: Improve by-name subtest selection logic in prog_tests")
+Fixes: 394169b079b5 ("selftests/bpf: add comparison mode to veristat")
+Fixes: c8bc5e050976 ("selftests/bpf: Add veristat tool for mass-verifying BPF object files")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/392d8bf5559f85fa37926c1494e62312ef252c3d.1722244708.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/testing_helpers.c | 4 ++--
+ tools/testing/selftests/bpf/veristat.c | 8 ++++----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/testing_helpers.c b/tools/testing/selftests/bpf/testing_helpers.c
+index d5379a0e6da80..4230420ef2940 100644
+--- a/tools/testing/selftests/bpf/testing_helpers.c
++++ b/tools/testing/selftests/bpf/testing_helpers.c
+@@ -220,13 +220,13 @@ int parse_test_list(const char *s,
+ bool is_glob_pattern)
+ {
+ char *input, *state = NULL, *test_spec;
+- int err = 0;
++ int err = 0, cnt = 0;
+
+ input = strdup(s);
+ if (!input)
+ return -ENOMEM;
+
+- while ((test_spec = strtok_r(state ? NULL : input, ",", &state))) {
++ while ((test_spec = strtok_r(cnt++ ? NULL : input, ",", &state))) {
+ err = insert_test(set, test_spec, is_glob_pattern);
+ if (err)
+ break;
+diff --git a/tools/testing/selftests/bpf/veristat.c b/tools/testing/selftests/bpf/veristat.c
+index b2854238d4a0e..fd9780082ff48 100644
+--- a/tools/testing/selftests/bpf/veristat.c
++++ b/tools/testing/selftests/bpf/veristat.c
+@@ -784,13 +784,13 @@ static int parse_stat(const char *stat_name, struct stat_specs *specs)
+ static int parse_stats(const char *stats_str, struct stat_specs *specs)
+ {
+ char *input, *state = NULL, *next;
+- int err;
++ int err, cnt = 0;
+
+ input = strdup(stats_str);
+ if (!input)
+ return -ENOMEM;
+
+- while ((next = strtok_r(state ? NULL : input, ",", &state))) {
++ while ((next = strtok_r(cnt++ ? NULL : input, ",", &state))) {
+ err = parse_stat(next, specs);
+ if (err) {
+ free(input);
+@@ -1493,7 +1493,7 @@ static int parse_stats_csv(const char *filename, struct stat_specs *specs,
+ while (fgets(line, sizeof(line), f)) {
+ char *input = line, *state = NULL, *next;
+ struct verif_stats *st = NULL;
+- int col = 0;
++ int col = 0, cnt = 0;
+
+ if (!header) {
+ void *tmp;
+@@ -1511,7 +1511,7 @@ static int parse_stats_csv(const char *filename, struct stat_specs *specs,
+ *stat_cntp += 1;
+ }
+
+- while ((next = strtok_r(state ? NULL : input, ",\n", &state))) {
++ while ((next = strtok_r(cnt++ ? NULL : input, ",\n", &state))) {
+ if (header) {
+ /* for the first line, set up spec stats */
+ err = parse_stat(next, specs);
+--
+2.43.0
+
--- /dev/null
+From fe7489139811cf607207a3d4260904a794e637be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 02:24:20 -0700
+Subject: selftests/bpf: Fix C++ compile error from missing _Bool type
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit aa95073fd290b5b3e45f067fa22bb25e59e1ff7c ]
+
+While building, bpftool makes a skeleton from test_core_extern.c, which
+itself includes <stdbool.h> and uses the 'bool' type. However, the skeleton
+test_core_extern.skel.h generated *does not* include <stdbool.h> or use the
+'bool' type, instead using the C-only '_Bool' type. Compiling test_cpp.cpp
+with g++ 12.3 for mips64el/musl-libc then fails with error:
+
+ In file included from test_cpp.cpp:9:
+ test_core_extern.skel.h:45:17: error: '_Bool' does not name a type
+ 45 | _Bool CONFIG_BOOL;
+ | ^~~~~
+
+This was likely missed previously because glibc uses a GNU extension for
+<stdbool.h> with C++ (#define _Bool bool), not supported by musl libc.
+
+Normally, a C fragment would include <stdbool.h> and use the 'bool' type,
+and thus cleanly work after import by C++. The ideal fix would be for
+'bpftool gen skeleton' to output the correct type/include supporting C++,
+but in the meantime add a conditional define as above.
+
+Fixes: 7c8dce4b1661 ("bpftool: Make skeleton C code compilable with C++ compiler")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/6fc1dd28b8bda49e51e4f610bdc9d22f4455632d.1722244708.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_cpp.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tools/testing/selftests/bpf/test_cpp.cpp b/tools/testing/selftests/bpf/test_cpp.cpp
+index dde0bb16e782e..abc2a56ab2616 100644
+--- a/tools/testing/selftests/bpf/test_cpp.cpp
++++ b/tools/testing/selftests/bpf/test_cpp.cpp
+@@ -6,6 +6,10 @@
+ #include <bpf/libbpf.h>
+ #include <bpf/bpf.h>
+ #include <bpf/btf.h>
++
++#ifndef _Bool
++#define _Bool bool
++#endif
+ #include "test_core_extern.skel.h"
+ #include "struct_ops_module.skel.h"
+
+--
+2.43.0
+
--- /dev/null
+From 1daa0369cfb92299502c20ed1863c0234c96321a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:29 -0700
+Subject: selftests/bpf: Fix compile error from rlim_t in sk_storage_map.c
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit d393f9479d4aaab0fa4c3caf513f28685e831f13 ]
+
+Cast 'rlim_t' argument to match expected type of printf() format and avoid
+compile errors seen building for mips64el/musl-libc:
+
+ In file included from map_tests/sk_storage_map.c:20:
+ map_tests/sk_storage_map.c: In function 'test_sk_storage_map_stress_free':
+ map_tests/sk_storage_map.c:414:56: error: format '%lu' expects argument of type 'long unsigned int', but argument 2 has type 'rlim_t' {aka 'long long unsigned int'} [-Werror=format=]
+ 414 | CHECK(err, "setrlimit(RLIMIT_NOFILE)", "rlim_new:%lu errno:%d",
+ | ^~~~~~~~~~~~~~~~~~~~~~~
+ 415 | rlim_new.rlim_cur, errno);
+ | ~~~~~~~~~~~~~~~~~
+ | |
+ | rlim_t {aka long long unsigned int}
+ ./test_maps.h:12:24: note: in definition of macro 'CHECK'
+ 12 | printf(format); \
+ | ^~~~~~
+ map_tests/sk_storage_map.c:414:68: note: format string is defined here
+ 414 | CHECK(err, "setrlimit(RLIMIT_NOFILE)", "rlim_new:%lu errno:%d",
+ | ~~^
+ | |
+ | long unsigned int
+ | %llu
+ cc1: all warnings being treated as errors
+
+Fixes: 51a0e301a563 ("bpf: Add BPF_MAP_TYPE_SK_STORAGE test to test_maps")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/1e00a1fa7acf91b4ca135c4102dc796d518bad86.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/map_tests/sk_storage_map.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/map_tests/sk_storage_map.c b/tools/testing/selftests/bpf/map_tests/sk_storage_map.c
+index 18405c3b7cee9..af10c309359a7 100644
+--- a/tools/testing/selftests/bpf/map_tests/sk_storage_map.c
++++ b/tools/testing/selftests/bpf/map_tests/sk_storage_map.c
+@@ -412,7 +412,7 @@ static void test_sk_storage_map_stress_free(void)
+ rlim_new.rlim_max = rlim_new.rlim_cur + 128;
+ err = setrlimit(RLIMIT_NOFILE, &rlim_new);
+ CHECK(err, "setrlimit(RLIMIT_NOFILE)", "rlim_new:%lu errno:%d",
+- rlim_new.rlim_cur, errno);
++ (unsigned long) rlim_new.rlim_cur, errno);
+ }
+
+ err = do_sk_storage_map_stress_free();
+--
+2.43.0
+
--- /dev/null
+From 26237a783e08fbb1733790dcf9f966c0798ceb07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 02:24:22 -0700
+Subject: selftests/bpf: Fix compile if backtrace support missing in libc
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit c9a83e76b5a96801a2c7ea0a79ca77c356d8b38d ]
+
+Include GNU <execinfo.h> header only with glibc and provide weak, stubbed
+backtrace functions as a fallback in test_progs.c. This allows for non-GNU
+replacements while avoiding compile errors (e.g. with musl libc) like:
+
+ test_progs.c:13:10: fatal error: execinfo.h: No such file or directory
+ 13 | #include <execinfo.h> /* backtrace */
+ | ^~~~~~~~~~~~
+ test_progs.c: In function 'crash_handler':
+ test_progs.c:1034:14: error: implicit declaration of function 'backtrace' [-Werror=implicit-function-declaration]
+ 1034 | sz = backtrace(bt, ARRAY_SIZE(bt));
+ | ^~~~~~~~~
+ test_progs.c:1045:9: error: implicit declaration of function 'backtrace_symbols_fd' [-Werror=implicit-function-declaration]
+ 1045 | backtrace_symbols_fd(bt, sz, STDERR_FILENO);
+ | ^~~~~~~~~~~~~~~~~~~~
+
+Fixes: 9fb156bb82a3 ("selftests/bpf: Print backtrace on SIGSEGV in test_progs")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/aa6dc8e23710cb457b278039d0081de7e7b4847d.1722244708.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_progs.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/test_progs.c b/tools/testing/selftests/bpf/test_progs.c
+index 60c5ec0f6abf6..d5d0cb4eb1975 100644
+--- a/tools/testing/selftests/bpf/test_progs.c
++++ b/tools/testing/selftests/bpf/test_progs.c
+@@ -10,7 +10,6 @@
+ #include <sched.h>
+ #include <signal.h>
+ #include <string.h>
+-#include <execinfo.h> /* backtrace */
+ #include <sys/sysinfo.h> /* get_nprocs */
+ #include <netinet/in.h>
+ #include <sys/select.h>
+@@ -19,6 +18,21 @@
+ #include <bpf/btf.h>
+ #include "json_writer.h"
+
++#ifdef __GLIBC__
++#include <execinfo.h> /* backtrace */
++#endif
++
++/* Default backtrace funcs if missing at link */
++__weak int backtrace(void **buffer, int size)
++{
++ return 0;
++}
++
++__weak void backtrace_symbols_fd(void *const *buffer, int size, int fd)
++{
++ dprintf(fd, "<backtrace not supported>\n");
++}
++
+ static bool verbose(void)
+ {
+ return env.verbosity > VERBOSE_NONE;
+--
+2.43.0
+
--- /dev/null
+From c1e8b94d15a42341e9a0156b5f2eb3f4028ef329 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:42 -0700
+Subject: selftests/bpf: Fix compiling core_reloc.c with musl-libc
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit debfa4f628f271f72933bf38d581cc53cfe1def5 ]
+
+The type 'loff_t' is a GNU extension and not exposed by the musl 'fcntl.h'
+header unless _GNU_SOURCE is defined. Add this definition to fix errors
+seen compiling for mips64el/musl-libc:
+
+ In file included from tools/testing/selftests/bpf/prog_tests/core_reloc.c:4:
+ ./bpf_testmod/bpf_testmod.h:10:9: error: unknown type name 'loff_t'
+ 10 | loff_t off;
+ | ^~~~~~
+ ./bpf_testmod/bpf_testmod.h:16:9: error: unknown type name 'loff_t'
+ 16 | loff_t off;
+ | ^~~~~~
+
+Fixes: 6bcd39d366b6 ("selftests/bpf: Add CO-RE relocs selftest relying on kernel module BTF")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/11c3af75a7eb6bcb7ad9acfae6a6f470c572eb82.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/core_reloc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/core_reloc.c b/tools/testing/selftests/bpf/prog_tests/core_reloc.c
+index 47f42e6801056..26019313e1fc2 100644
+--- a/tools/testing/selftests/bpf/prog_tests/core_reloc.c
++++ b/tools/testing/selftests/bpf/prog_tests/core_reloc.c
+@@ -1,4 +1,5 @@
+ // SPDX-License-Identifier: GPL-2.0
++#define _GNU_SOURCE
+ #include <test_progs.h>
+ #include "progs/core_reloc_types.h"
+ #include "bpf_testmod/bpf_testmod.h"
+--
+2.43.0
+
--- /dev/null
+From eba6916ee23c872d8273c9f8247c532b3b29d149 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:40 -0700
+Subject: selftests/bpf: Fix compiling flow_dissector.c with musl-libc
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 5e4c43bcb85973243d7274e0058b6e8f5810e4f7 ]
+
+The GNU version of 'struct tcphdr' has members 'doff', 'source' and 'dest',
+which are not exposed by musl libc headers unless _GNU_SOURCE is defined.
+
+Add this definition to fix errors seen compiling for mips64el/musl-libc:
+
+ flow_dissector.c:118:30: error: 'struct tcphdr' has no member named 'doff'
+ 118 | .tcp.doff = 5,
+ | ^~~~
+ flow_dissector.c:119:30: error: 'struct tcphdr' has no member named 'source'
+ 119 | .tcp.source = 80,
+ | ^~~~~~
+ flow_dissector.c:120:30: error: 'struct tcphdr' has no member named 'dest'
+ 120 | .tcp.dest = 8080,
+ | ^~~~
+
+Fixes: ae173a915785 ("selftests/bpf: support BPF_FLOW_DISSECTOR_F_PARSE_1ST_FRAG")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/8f7ab21a73f678f9cebd32b26c444a686e57414d.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/flow_dissector.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/flow_dissector.c b/tools/testing/selftests/bpf/prog_tests/flow_dissector.c
+index 9625e6d217913..3171047414a7d 100644
+--- a/tools/testing/selftests/bpf/prog_tests/flow_dissector.c
++++ b/tools/testing/selftests/bpf/prog_tests/flow_dissector.c
+@@ -1,4 +1,5 @@
+ // SPDX-License-Identifier: GPL-2.0
++#define _GNU_SOURCE
+ #include <test_progs.h>
+ #include <network_helpers.h>
+ #include <linux/if_tun.h>
+--
+2.43.0
+
--- /dev/null
+From 9d3a4281f6b9c9905cf135c4c73c3a5111d2cdcc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:39 -0700
+Subject: selftests/bpf: Fix compiling kfree_skb.c with musl-libc
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit bae9a5ce7d3a9b3a9e07b31ab9e9c58450e3e9fd ]
+
+The GNU version of 'struct tcphdr' with member 'doff' is not exposed by
+musl headers unless _GNU_SOURCE is defined. Add this definition to fix
+errors seen compiling for mips64el/musl-libc:
+
+ In file included from kfree_skb.c:2:
+ kfree_skb.c: In function 'on_sample':
+ kfree_skb.c:45:30: error: 'struct tcphdr' has no member named 'doff'
+ 45 | if (CHECK(pkt_v6->tcp.doff != 5, "check_tcp",
+ | ^
+
+Fixes: 580d656d80cf ("selftests/bpf: Add kfree_skb raw_tp test")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/e2d8cedc790959c10d6822a51f01a7a3616bea1b.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/kfree_skb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/kfree_skb.c b/tools/testing/selftests/bpf/prog_tests/kfree_skb.c
+index c07991544a789..34f8822fd2219 100644
+--- a/tools/testing/selftests/bpf/prog_tests/kfree_skb.c
++++ b/tools/testing/selftests/bpf/prog_tests/kfree_skb.c
+@@ -1,4 +1,5 @@
+ // SPDX-License-Identifier: GPL-2.0
++#define _GNU_SOURCE
+ #include <test_progs.h>
+ #include <network_helpers.h>
+ #include "kfree_skb.skel.h"
+--
+2.43.0
+
--- /dev/null
+From f4e8c85af28a147271b8ff46f3512f52e46620a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:38 -0700
+Subject: selftests/bpf: Fix compiling parse_tcp_hdr_opt.c with musl-libc
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 4c329b99ef9c118343379bde9f97e8ce5cac9fc9 ]
+
+The GNU version of 'struct tcphdr', with members 'doff' and 'urg_ptr', is
+not exposed by musl headers unless _GNU_SOURCE is defined.
+
+Add this definition to fix errors seen compiling for mips64el/musl-libc:
+
+ parse_tcp_hdr_opt.c:18:21: error: 'struct tcphdr' has no member named 'urg_ptr'
+ 18 | .pk6_v6.tcp.urg_ptr = 123,
+ | ^~~~~~~
+ parse_tcp_hdr_opt.c:19:21: error: 'struct tcphdr' has no member named 'doff'
+ 19 | .pk6_v6.tcp.doff = 9, /* 16 bytes of options */
+ | ^~~~
+
+Fixes: cfa7b011894d ("selftests/bpf: tests for using dynptrs to parse skb and xdp buffers")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/ac5440213c242c62cb4e0d9e0a9cd5058b6a31f6.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/parse_tcp_hdr_opt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/parse_tcp_hdr_opt.c b/tools/testing/selftests/bpf/prog_tests/parse_tcp_hdr_opt.c
+index daa952711d8fd..e9c07d561ded6 100644
+--- a/tools/testing/selftests/bpf/prog_tests/parse_tcp_hdr_opt.c
++++ b/tools/testing/selftests/bpf/prog_tests/parse_tcp_hdr_opt.c
+@@ -1,5 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0
+
++#define _GNU_SOURCE
+ #include <test_progs.h>
+ #include <network_helpers.h>
+ #include "test_parse_tcp_hdr_opt.skel.h"
+--
+2.43.0
+
--- /dev/null
+From 7c990fc940616c063ae2bff6b5b35ca400d3e247 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:41 -0700
+Subject: selftests/bpf: Fix compiling tcp_rtt.c with musl-libc
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 18826fb0b79c3c3cd1fe765d85f9c6f1a902c722 ]
+
+The GNU version of 'struct tcp_info' in 'netinet/tcp.h' is not exposed by
+musl headers unless _GNU_SOURCE is defined.
+
+Add this definition to fix errors seen compiling for mips64el/musl-libc:
+
+ tcp_rtt.c: In function 'wait_for_ack':
+ tcp_rtt.c:24:25: error: storage size of 'info' isn't known
+ 24 | struct tcp_info info;
+ | ^~~~
+ tcp_rtt.c:24:25: error: unused variable 'info' [-Werror=unused-variable]
+ cc1: all warnings being treated as errors
+
+Fixes: 1f4f80fed217 ("selftests/bpf: test_progs: convert test_tcp_rtt")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/f2329767b15df206f08a5776d35a47c37da855ae.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/tcp_rtt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/tcp_rtt.c b/tools/testing/selftests/bpf/prog_tests/tcp_rtt.c
+index f2b99d95d9160..c38784c1c066e 100644
+--- a/tools/testing/selftests/bpf/prog_tests/tcp_rtt.c
++++ b/tools/testing/selftests/bpf/prog_tests/tcp_rtt.c
+@@ -1,4 +1,5 @@
+ // SPDX-License-Identifier: GPL-2.0
++#define _GNU_SOURCE
+ #include <test_progs.h>
+ #include "cgroup_helpers.h"
+ #include "network_helpers.h"
+--
+2.43.0
+
--- /dev/null
+From b10799152112899b45d7a75f0cd2e6b49cd4730e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:30 -0700
+Subject: selftests/bpf: Fix error compiling bpf_iter_setsockopt.c with musl
+ libc
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 7b10f0c227ce3fa055d601f058dc411092a62a78 ]
+
+Existing code calls getsockname() with a 'struct sockaddr_in6 *' argument
+where a 'struct sockaddr *' argument is declared, yielding compile errors
+when building for mips64el/musl-libc:
+
+ bpf_iter_setsockopt.c: In function 'get_local_port':
+ bpf_iter_setsockopt.c:98:30: error: passing argument 2 of 'getsockname' from incompatible pointer type [-Werror=incompatible-pointer-types]
+ 98 | if (!getsockname(fd, &addr, &addrlen))
+ | ^~~~~
+ | |
+ | struct sockaddr_in6 *
+ In file included from .../netinet/in.h:10,
+ from .../arpa/inet.h:9,
+ from ./test_progs.h:17,
+ from bpf_iter_setsockopt.c:5:
+ .../sys/socket.h:391:23: note: expected 'struct sockaddr * restrict' but argument is of type 'struct sockaddr_in6 *'
+ 391 | int getsockname (int, struct sockaddr *__restrict, socklen_t *__restrict);
+ | ^
+ cc1: all warnings being treated as errors
+
+This compiled under glibc only because the argument is declared to be a
+"funky" transparent union which includes both types above. Explicitly cast
+the argument to allow compiling for both musl and glibc.
+
+Fixes: eed92afdd14c ("bpf: selftest: Test batching and bpf_(get|set)sockopt in bpf tcp iter")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Geliang Tang <geliang@kernel.org>
+Link: https://lore.kernel.org/bpf/f41def0f17b27a23b1709080e4e3f37f4cc11ca9.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/bpf_iter_setsockopt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_iter_setsockopt.c b/tools/testing/selftests/bpf/prog_tests/bpf_iter_setsockopt.c
+index b52ff8ce34db8..16bed9dd8e6a3 100644
+--- a/tools/testing/selftests/bpf/prog_tests/bpf_iter_setsockopt.c
++++ b/tools/testing/selftests/bpf/prog_tests/bpf_iter_setsockopt.c
+@@ -95,7 +95,7 @@ static unsigned short get_local_port(int fd)
+ struct sockaddr_in6 addr;
+ socklen_t addrlen = sizeof(addr);
+
+- if (!getsockname(fd, &addr, &addrlen))
++ if (!getsockname(fd, (struct sockaddr *)&addr, &addrlen))
+ return ntohs(addr.sin6_port);
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 1f36d15179ab7732c4d312f62d2196f09f5d4f2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 02:24:24 -0700
+Subject: selftests/bpf: Fix error compiling tc_redirect.c with musl libc
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 21c5f4f55da759c7444a1ef13e90b6e6f674eeeb ]
+
+Linux 5.1 implemented 64-bit time types and related syscalls to address the
+Y2038 problem generally across archs. Userspace handling of Y2038 varies
+with the libc however. While musl libc uses 64-bit time across all 32-bit
+and 64-bit platforms, GNU glibc uses 64-bit time on 64-bit platforms but
+defaults to 32-bit time on 32-bit platforms unless they "opt-in" to 64-bit
+time or explicitly use 64-bit syscalls and time structures.
+
+One specific area is the standard setsockopt() call, SO_TIMESTAMPNS option
+used for timestamping, and the related output 'struct timespec'. GNU glibc
+defaults as above, also exposing the SO_TIMESTAMPNS_NEW flag to explicitly
+use a 64-bit call and 'struct __kernel_timespec'. Since these are not
+exposed or needed with musl libc, their use in tc_redirect.c leads to
+compile errors building for mips64el/musl:
+
+ tc_redirect.c: In function 'rcv_tstamp':
+ tc_redirect.c:425:32: error: 'SO_TIMESTAMPNS_NEW' undeclared (first use in this function); did you mean 'SO_TIMESTAMPNS'?
+ 425 | cmsg->cmsg_type == SO_TIMESTAMPNS_NEW)
+ | ^~~~~~~~~~~~~~~~~~
+ | SO_TIMESTAMPNS
+ tc_redirect.c:425:32: note: each undeclared identifier is reported only once for each function it appears in
+ tc_redirect.c: In function 'test_inet_dtime':
+ tc_redirect.c:491:49: error: 'SO_TIMESTAMPNS_NEW' undeclared (first use in this function); did you mean 'SO_TIMESTAMPNS'?
+ 491 | err = setsockopt(listen_fd, SOL_SOCKET, SO_TIMESTAMPNS_NEW,
+ | ^~~~~~~~~~~~~~~~~~
+ | SO_TIMESTAMPNS
+
+However, using SO_TIMESTAMPNS_NEW isn't strictly needed, nor is Y2038 being
+explicitly tested. The timestamp checks in tc_redirect.c are simple: the
+packet receive timestamp is non-zero and processed/handled in less than 5
+seconds.
+
+Switch to using the standard setsockopt() call and SO_TIMESTAMPNS option to
+ensure compatibility across glibc and musl libc. In the worst-case, there
+is a 5-second window 14 years from now where tc_redirect tests may fail on
+32-bit systems. However, we should reasonably expect glibc to adopt a
+64-bit mandate rather than the current "opt-in" policy before the Y2038
+roll-over.
+
+Fixes: ce6f6cffaeaa ("selftests/bpf: Wait for the netstamp_needed_key static key to be turned on")
+Fixes: c803475fd8dd ("bpf: selftests: test skb->tstamp in redirect_neigh")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/031d656c058b4e55ceae56ef49c4e1729b5090f3.1722244708.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/tc_redirect.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/tc_redirect.c b/tools/testing/selftests/bpf/prog_tests/tc_redirect.c
+index 327d51f591427..53b8ffc943dce 100644
+--- a/tools/testing/selftests/bpf/prog_tests/tc_redirect.c
++++ b/tools/testing/selftests/bpf/prog_tests/tc_redirect.c
+@@ -471,7 +471,7 @@ static int set_forwarding(bool enable)
+
+ static int __rcv_tstamp(int fd, const char *expected, size_t s, __u64 *tstamp)
+ {
+- struct __kernel_timespec pkt_ts = {};
++ struct timespec pkt_ts = {};
+ char ctl[CMSG_SPACE(sizeof(pkt_ts))];
+ struct timespec now_ts;
+ struct msghdr msg = {};
+@@ -495,7 +495,7 @@ static int __rcv_tstamp(int fd, const char *expected, size_t s, __u64 *tstamp)
+
+ cmsg = CMSG_FIRSTHDR(&msg);
+ if (cmsg && cmsg->cmsg_level == SOL_SOCKET &&
+- cmsg->cmsg_type == SO_TIMESTAMPNS_NEW)
++ cmsg->cmsg_type == SO_TIMESTAMPNS)
+ memcpy(&pkt_ts, CMSG_DATA(cmsg), sizeof(pkt_ts));
+
+ pkt_ns = pkt_ts.tv_sec * NSEC_PER_SEC + pkt_ts.tv_nsec;
+@@ -537,9 +537,9 @@ static int wait_netstamp_needed_key(void)
+ if (!ASSERT_GE(srv_fd, 0, "start_server"))
+ goto done;
+
+- err = setsockopt(srv_fd, SOL_SOCKET, SO_TIMESTAMPNS_NEW,
++ err = setsockopt(srv_fd, SOL_SOCKET, SO_TIMESTAMPNS,
+ &opt, sizeof(opt));
+- if (!ASSERT_OK(err, "setsockopt(SO_TIMESTAMPNS_NEW)"))
++ if (!ASSERT_OK(err, "setsockopt(SO_TIMESTAMPNS)"))
+ goto done;
+
+ cli_fd = connect_to_fd(srv_fd, TIMEOUT_MILLIS);
+@@ -621,9 +621,9 @@ static void test_inet_dtime(int family, int type, const char *addr, __u16 port)
+ return;
+
+ /* Ensure the kernel puts the (rcv) timestamp for all skb */
+- err = setsockopt(listen_fd, SOL_SOCKET, SO_TIMESTAMPNS_NEW,
++ err = setsockopt(listen_fd, SOL_SOCKET, SO_TIMESTAMPNS,
+ &opt, sizeof(opt));
+- if (!ASSERT_OK(err, "setsockopt(SO_TIMESTAMPNS_NEW)"))
++ if (!ASSERT_OK(err, "setsockopt(SO_TIMESTAMPNS)"))
+ goto done;
+
+ if (type == SOCK_STREAM) {
+--
+2.43.0
+
--- /dev/null
+From 02d30704f688ecd661c49c7b2d344cdba99523d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 02:24:19 -0700
+Subject: selftests/bpf: Fix error compiling test_lru_map.c
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit cacf2a5a78cd1f5f616eae043ebc6f024104b721 ]
+
+Although the post-increment in macro 'CPU_SET(next++, &cpuset)' seems safe,
+the sequencing can raise compile errors, so move the increment outside the
+macro. This avoids an error seen using gcc 12.3.0 for mips64el/musl-libc:
+
+ In file included from test_lru_map.c:11:
+ test_lru_map.c: In function 'sched_next_online':
+ test_lru_map.c:129:29: error: operation on 'next' may be undefined [-Werror=sequence-point]
+ 129 | CPU_SET(next++, &cpuset);
+ | ^
+ cc1: all warnings being treated as errors
+
+Fixes: 3fbfadce6012 ("bpf: Fix test_lru_sanity5() in test_lru_map.c")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/22993dfb11ccf27925a626b32672fd3324cb76c4.1722244708.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_lru_map.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/test_lru_map.c b/tools/testing/selftests/bpf/test_lru_map.c
+index 4d0650cfb5cd8..fda7589c50236 100644
+--- a/tools/testing/selftests/bpf/test_lru_map.c
++++ b/tools/testing/selftests/bpf/test_lru_map.c
+@@ -126,7 +126,8 @@ static int sched_next_online(int pid, int *next_to_try)
+
+ while (next < nr_cpus) {
+ CPU_ZERO(&cpuset);
+- CPU_SET(next++, &cpuset);
++ CPU_SET(next, &cpuset);
++ next++;
+ if (!sched_setaffinity(pid, sizeof(cpuset), &cpuset)) {
+ ret = 0;
+ break;
+--
+2.43.0
+
--- /dev/null
+From 86b6fa08834b2f9d86bf1852ddbd5366643098cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 17:13:29 -0700
+Subject: selftests/bpf: Fix error linking uprobe_multi on mips
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit a5f40d596bff182b4b47547712f540885e8fb17b ]
+
+Linking uprobe_multi.c on mips64el fails due to relocation overflows, when
+the GOT entries required exceeds the default maximum. Add a specific CFLAGS
+(-mxgot) for uprobe_multi.c on MIPS that allows using a larger GOT and
+avoids errors such as:
+
+ /tmp/ccBTNQzv.o: in function `bench':
+ uprobe_multi.c:49:(.text+0x1d7720): relocation truncated to fit: R_MIPS_GOT_DISP against `uprobe_multi_func_08188'
+ uprobe_multi.c:49:(.text+0x1d7730): relocation truncated to fit: R_MIPS_GOT_DISP against `uprobe_multi_func_08189'
+ ...
+ collect2: error: ld returned 1 exit status
+
+Fixes: 519dfeaf5119 ("selftests/bpf: Add uprobe_multi test program")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/14eb7b70f8ccef9834874d75eb373cb9292129da.1721692479.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/Makefile | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
+index 81d4757ecd4c6..9351f37b720cf 100644
+--- a/tools/testing/selftests/bpf/Makefile
++++ b/tools/testing/selftests/bpf/Makefile
+@@ -762,6 +762,8 @@ $(OUTPUT)/veristat: $(OUTPUT)/veristat.o
+ $(call msg,BINARY,,$@)
+ $(Q)$(CC) $(CFLAGS) $(LDFLAGS) $(filter %.a %.o,$^) $(LDLIBS) -o $@
+
++# Linking uprobe_multi can fail due to relocation overflows on mips.
++$(OUTPUT)/uprobe_multi: CFLAGS += $(if $(filter mips, $(ARCH)),-mxgot)
+ $(OUTPUT)/uprobe_multi: uprobe_multi.c
+ $(call msg,BINARY,,$@)
+ $(Q)$(CC) $(CFLAGS) -O0 $(LDFLAGS) $^ $(LDLIBS) -o $@
+--
+2.43.0
+
--- /dev/null
+From 3239e104a4adefd568f98b0c37c29c219aed6f51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:46 -0700
+Subject: selftests/bpf: Fix errors compiling cg_storage_multi.h with musl libc
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 730561d3c08d4a327cceaabf11365958a1c00cec ]
+
+Remove a redundant include of '<asm/types.h>', whose needed definitions are
+already included (via '<linux/types.h>') in cg_storage_multi_egress_only.c,
+cg_storage_multi_isolated.c, and cg_storage_multi_shared.c. This avoids
+redefinition errors seen compiling for mips64el/musl-libc like:
+
+ In file included from progs/cg_storage_multi_egress_only.c:13:
+ In file included from progs/cg_storage_multi.h:6:
+ In file included from /usr/mips64el-linux-gnuabi64/include/asm/types.h:23:
+ /usr/include/asm-generic/int-l64.h:29:25: error: typedef redefinition with different types ('long' vs 'long long')
+ 29 | typedef __signed__ long __s64;
+ | ^
+ /usr/include/asm-generic/int-ll64.h:30:44: note: previous definition is here
+ 30 | __extension__ typedef __signed__ long long __s64;
+ | ^
+
+Fixes: 9e5bd1f7633b ("selftests/bpf: Test CGROUP_STORAGE map can't be used by multiple progs")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/4f4702e9f6115b7f84fea01b2326ca24c6df7ba8.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/progs/cg_storage_multi.h | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/progs/cg_storage_multi.h b/tools/testing/selftests/bpf/progs/cg_storage_multi.h
+index a0778fe7857a1..41d59f0ee606c 100644
+--- a/tools/testing/selftests/bpf/progs/cg_storage_multi.h
++++ b/tools/testing/selftests/bpf/progs/cg_storage_multi.h
+@@ -3,8 +3,6 @@
+ #ifndef __PROGS_CG_STORAGE_MULTI_H
+ #define __PROGS_CG_STORAGE_MULTI_H
+
+-#include <asm/types.h>
+-
+ struct cgroup_value {
+ __u32 egress_pkts;
+ __u32 ingress_pkts;
+--
+2.43.0
+
--- /dev/null
+From edc1f1864ba75ec074a9cf737b72b0d15e43804c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:45 -0700
+Subject: selftests/bpf: Fix errors compiling crypto_sanity.c with musl libc
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 9822be702fe6e1c3e0933ef4b68a8c56683d930d ]
+
+Remove a redundant include of '<linux/in6.h>', whose needed definitions are
+already provided by 'test_progs.h'. This avoids errors seen compiling for
+mips64el/musl-libc:
+
+ In file included from .../arpa/inet.h:9,
+ from ./test_progs.h:17,
+ from prog_tests/crypto_sanity.c:10:
+ .../netinet/in.h:23:8: error: redefinition of 'struct in6_addr'
+ 23 | struct in6_addr {
+ | ^~~~~~~~
+ In file included from crypto_sanity.c:7:
+ .../linux/in6.h:33:8: note: originally defined here
+ 33 | struct in6_addr {
+ | ^~~~~~~~
+ .../netinet/in.h:34:8: error: redefinition of 'struct sockaddr_in6'
+ 34 | struct sockaddr_in6 {
+ | ^~~~~~~~~~~~
+ .../linux/in6.h:50:8: note: originally defined here
+ 50 | struct sockaddr_in6 {
+ | ^~~~~~~~~~~~
+ .../netinet/in.h:42:8: error: redefinition of 'struct ipv6_mreq'
+ 42 | struct ipv6_mreq {
+ | ^~~~~~~~~
+ .../linux/in6.h:60:8: note: originally defined here
+ 60 | struct ipv6_mreq {
+ | ^~~~~~~~~
+
+Fixes: 91541ab192fc ("selftests: bpf: crypto skcipher algo selftests")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Link: https://lore.kernel.org/bpf/911293968f424ad7b462d8805aeb3baee8f4985b.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/crypto_sanity.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/crypto_sanity.c b/tools/testing/selftests/bpf/prog_tests/crypto_sanity.c
+index b1a3a49a822a7..42bd07f7218dc 100644
+--- a/tools/testing/selftests/bpf/prog_tests/crypto_sanity.c
++++ b/tools/testing/selftests/bpf/prog_tests/crypto_sanity.c
+@@ -4,7 +4,6 @@
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ #include <net/if.h>
+-#include <linux/in6.h>
+ #include <linux/if_alg.h>
+
+ #include "test_progs.h"
+--
+2.43.0
+
--- /dev/null
+From eb5cd2019e94b2add894d1095fe4fa6b8090c1d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:44 -0700
+Subject: selftests/bpf: Fix errors compiling decap_sanity.c with musl libc
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 1b00f355130a5dfc38a01ad02458ae2cb2ebe609 ]
+
+Remove a redundant include of '<linux/in6.h>', whose needed definitions are
+already provided by 'test_progs.h'. This avoids errors seen compiling for
+mips64el/musl-libc:
+
+ In file included from .../arpa/inet.h:9,
+ from ./test_progs.h:17,
+ from prog_tests/decap_sanity.c:9:
+ .../netinet/in.h:23:8: error: redefinition of 'struct in6_addr'
+ 23 | struct in6_addr {
+ | ^~~~~~~~
+ In file included from decap_sanity.c:7:
+ .../linux/in6.h:33:8: note: originally defined here
+ 33 | struct in6_addr {
+ | ^~~~~~~~
+ .../netinet/in.h:34:8: error: redefinition of 'struct sockaddr_in6'
+ 34 | struct sockaddr_in6 {
+ | ^~~~~~~~~~~~
+ .../linux/in6.h:50:8: note: originally defined here
+ 50 | struct sockaddr_in6 {
+ | ^~~~~~~~~~~~
+ .../netinet/in.h:42:8: error: redefinition of 'struct ipv6_mreq'
+ 42 | struct ipv6_mreq {
+ | ^~~~~~~~~
+ .../linux/in6.h:60:8: note: originally defined here
+ 60 | struct ipv6_mreq {
+ | ^~~~~~~~~
+
+Fixes: 70a00e2f1dba ("selftests/bpf: Test bpf_skb_adjust_room on CHECKSUM_PARTIAL")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/e986ba2d7edccd254b54f7cd049b98f10bafa8c3.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/decap_sanity.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/decap_sanity.c b/tools/testing/selftests/bpf/prog_tests/decap_sanity.c
+index dcb9e5070cc3d..d79f398ec6b7c 100644
+--- a/tools/testing/selftests/bpf/prog_tests/decap_sanity.c
++++ b/tools/testing/selftests/bpf/prog_tests/decap_sanity.c
+@@ -4,7 +4,6 @@
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ #include <net/if.h>
+-#include <linux/in6.h>
+
+ #include "test_progs.h"
+ #include "network_helpers.h"
+--
+2.43.0
+
--- /dev/null
+From 8568e69cfeed3b277c00e0b4baee68f987f595e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:43 -0700
+Subject: selftests/bpf: Fix errors compiling lwt_redirect.c with musl libc
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 27c4797ce51c8dd51e35e68e9024a892f62d78b2 ]
+
+Remove a redundant include of '<linux/icmp.h>' which is already provided in
+'lwt_helpers.h'. This avoids errors seen compiling for mips64el/musl-libc:
+
+ In file included from .../arpa/inet.h:9,
+ from lwt_redirect.c:51:
+ .../netinet/in.h:23:8: error: redefinition of 'struct in6_addr'
+ 23 | struct in6_addr {
+ | ^~~~~~~~
+ In file included from .../linux/icmp.h:24,
+ from lwt_redirect.c:50:
+ .../linux/in6.h:33:8: note: originally defined here
+ 33 | struct in6_addr {
+ | ^~~~~~~~
+ .../netinet/in.h:34:8: error: redefinition of 'struct sockaddr_in6'
+ 34 | struct sockaddr_in6 {
+ | ^~~~~~~~~~~~
+ .../linux/in6.h:50:8: note: originally defined here
+ 50 | struct sockaddr_in6 {
+ | ^~~~~~~~~~~~
+ .../netinet/in.h:42:8: error: redefinition of 'struct ipv6_mreq'
+ 42 | struct ipv6_mreq {
+ | ^~~~~~~~~
+ .../linux/in6.h:60:8: note: originally defined here
+ 60 | struct ipv6_mreq {
+ | ^~~~~~~~~
+
+Fixes: 43a7c3ef8a15 ("selftests/bpf: Add lwt_xmit tests for BPF_REDIRECT")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/3869dda876d5206d2f8d4dd67331c739ceb0c7f8.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/lwt_redirect.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/lwt_redirect.c b/tools/testing/selftests/bpf/prog_tests/lwt_redirect.c
+index 835a1d756c166..b6e8d822e8e95 100644
+--- a/tools/testing/selftests/bpf/prog_tests/lwt_redirect.c
++++ b/tools/testing/selftests/bpf/prog_tests/lwt_redirect.c
+@@ -47,7 +47,6 @@
+ #include <linux/if_ether.h>
+ #include <linux/if_packet.h>
+ #include <linux/if_tun.h>
+-#include <linux/icmp.h>
+ #include <arpa/inet.h>
+ #include <unistd.h>
+ #include <errno.h>
+--
+2.43.0
+
--- /dev/null
+From 865dfc329791918ae604cffb307100c429b3e2d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:37 -0700
+Subject: selftests/bpf: Fix include of <sys/fcntl.h>
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 21f0b0af977203220ad58aff95e372151288ec47 ]
+
+Update ns_current_pid_tgid.c to use '#include <fcntl.h>' and avoid compile
+error against mips64el/musl libc:
+
+ In file included from .../prog_tests/ns_current_pid_tgid.c:14:
+ .../include/sys/fcntl.h:1:2: error: #warning redirecting incorrect #include <sys/fcntl.h> to <fcntl.h> [-Werror=cpp]
+ 1 | #warning redirecting incorrect #include <sys/fcntl.h> to <fcntl.h>
+ | ^~~~~~~
+ cc1: all warnings being treated as errors
+
+Fixes: 09c02d553c49 ("bpf, selftests: Fold test_current_pid_tgid_new_ns into test_progs.")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/8bdc869749177b575025bf69600a4ce591822609.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c b/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c
+index e72d75d6baa71..c29787e092d66 100644
+--- a/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c
++++ b/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c
+@@ -11,7 +11,7 @@
+ #include <sched.h>
+ #include <sys/wait.h>
+ #include <sys/mount.h>
+-#include <sys/fcntl.h>
++#include <fcntl.h>
+ #include "network_helpers.h"
+
+ #define STACK_SIZE (1024 * 1024)
+--
+2.43.0
+
--- /dev/null
+From 7af6d20c777eb20ea6e6bd010374dfb0cb339fdf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 10:36:22 +0800
+Subject: selftests/bpf: Fix incorrect parameters in NULL pointer checking
+
+From: Hao Ge <gehao@kylinos.cn>
+
+[ Upstream commit c264487e5410e5a72db8a414566ab7d144223e6c ]
+
+Smatch reported the following warning:
+ ./tools/testing/selftests/bpf/testing_helpers.c:455 get_xlated_program()
+ warn: variable dereferenced before check 'buf' (see line 454)
+
+It seems correct,so let's modify it based on it's suggestion.
+
+Actually,commit b23ed4d74c4d ("selftests/bpf: Fix invalid pointer
+check in get_xlated_program()") fixed an issue in the test_verifier.c
+once,but it was reverted this time.
+
+Let's solve this issue with the minimal changes possible.
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/all/1eb3732f-605a-479d-ba64-cd14250cbf91@stanley.mountain/
+Fixes: b4b7a4099b8c ("selftests/bpf: Factor out get_xlated_program() helper")
+Signed-off-by: Hao Ge <gehao@kylinos.cn>
+Link: https://lore.kernel.org/r/20240820023622.29190-1-hao.ge@linux.dev
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/testing_helpers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/testing_helpers.c b/tools/testing/selftests/bpf/testing_helpers.c
+index 4230420ef2940..680e452583a78 100644
+--- a/tools/testing/selftests/bpf/testing_helpers.c
++++ b/tools/testing/selftests/bpf/testing_helpers.c
+@@ -451,7 +451,7 @@ int get_xlated_program(int fd_prog, struct bpf_insn **buf, __u32 *cnt)
+
+ *cnt = xlated_prog_len / buf_element_size;
+ *buf = calloc(*cnt, buf_element_size);
+- if (!buf) {
++ if (!*buf) {
+ perror("can't allocate xlated program buffer");
+ return -ENOMEM;
+ }
+--
+2.43.0
+
--- /dev/null
+From 4c54e5e23d7a877aa0d3e58743382835034b7469 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:34 -0700
+Subject: selftests/bpf: Fix missing ARRAY_SIZE() definition in bench.c
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit d44c93fc2f5a0c47b23fa03d374e45259abd92d2 ]
+
+Add a "bpf_util.h" include to avoid the following error seen compiling for
+mips64el with musl libc:
+
+ bench.c: In function 'find_benchmark':
+ bench.c:590:25: error: implicit declaration of function 'ARRAY_SIZE' [-Werror=implicit-function-declaration]
+ 590 | for (i = 0; i < ARRAY_SIZE(benchs); i++) {
+ | ^~~~~~~~~~
+ cc1: all warnings being treated as errors
+
+Fixes: 8e7c2a023ac0 ("selftests/bpf: Add benchmark runner infrastructure")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/bc4dde77dfcd17a825d8f28f72f3292341966810.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/bench.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/bench.c b/tools/testing/selftests/bpf/bench.c
+index 627b74ae041b5..90dc3aca32bd8 100644
+--- a/tools/testing/selftests/bpf/bench.c
++++ b/tools/testing/selftests/bpf/bench.c
+@@ -10,6 +10,7 @@
+ #include <sys/sysinfo.h>
+ #include <signal.h>
+ #include "bench.h"
++#include "bpf_util.h"
+ #include "testing_helpers.h"
+
+ struct env env = {
+--
+2.43.0
+
--- /dev/null
+From 13a7e6594c50b71654b96e814878daf0f20b8bcd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:36 -0700
+Subject: selftests/bpf: Fix missing BUILD_BUG_ON() declaration
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 6495eb79ca7d15bd87c38d77307e8f9b6b7bf4ef ]
+
+Explicitly include '<linux/build_bug.h>' to fix errors seen compiling with
+gcc targeting mips64el/musl-libc:
+
+ user_ringbuf.c: In function 'test_user_ringbuf_loop':
+ user_ringbuf.c:426:9: error: implicit declaration of function 'BUILD_BUG_ON' [-Werror=implicit-function-declaration]
+ 426 | BUILD_BUG_ON(total_samples <= c_max_entries);
+ | ^~~~~~~~~~~~
+ cc1: all warnings being treated as errors
+
+Fixes: e5a9df51c746 ("selftests/bpf: Add selftests validating the user ringbuf")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/b28575f9221ec54871c46a2e87612bb4bbf46ccd.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/user_ringbuf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/user_ringbuf.c b/tools/testing/selftests/bpf/prog_tests/user_ringbuf.c
+index e51721df14fc1..dfff6feac12c3 100644
+--- a/tools/testing/selftests/bpf/prog_tests/user_ringbuf.c
++++ b/tools/testing/selftests/bpf/prog_tests/user_ringbuf.c
+@@ -4,6 +4,7 @@
+ #define _GNU_SOURCE
+ #include <linux/compiler.h>
+ #include <linux/ring_buffer.h>
++#include <linux/build_bug.h>
+ #include <pthread.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+--
+2.43.0
+
--- /dev/null
+From a7c3fa65a5b18b4358a172b6e0819c2c85f929a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:35 -0700
+Subject: selftests/bpf: Fix missing UINT_MAX definitions in benchmarks
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit a2c155131b710959beb508ca6a54769b6b1bd488 ]
+
+Include <limits.h> in 'bench.h' to provide a UINT_MAX definition and avoid
+multiple compile errors against mips64el/musl-libc like:
+
+ benchs/bench_local_storage.c: In function 'parse_arg':
+ benchs/bench_local_storage.c:40:38: error: 'UINT_MAX' undeclared (first use in this function)
+ 40 | if (ret < 1 || ret > UINT_MAX) {
+ | ^~~~~~~~
+ benchs/bench_local_storage.c:11:1: note: 'UINT_MAX' is defined in header '<limits.h>'; did you forget to '#include <limits.h>'?
+ 10 | #include <test_btf.h>
+ +++ |+#include <limits.h>
+ 11 |
+
+seen with bench_local_storage.c, bench_local_storage_rcu_tasks_trace.c, and
+bench_bpf_hashmap_lookup.c.
+
+Fixes: 73087489250d ("selftests/bpf: Add benchmark for local_storage get")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/8f64a9d9fcff40a7fca090a65a68a9b62a468e16.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/bench.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/bench.h b/tools/testing/selftests/bpf/bench.h
+index 68180d8f8558e..005c401b3e227 100644
+--- a/tools/testing/selftests/bpf/bench.h
++++ b/tools/testing/selftests/bpf/bench.h
+@@ -10,6 +10,7 @@
+ #include <math.h>
+ #include <time.h>
+ #include <sys/syscall.h>
++#include <limits.h>
+
+ struct cpu_set {
+ bool *cpus;
+--
+2.43.0
+
--- /dev/null
+From f8b16ffd4fe591f4fb79af54019c09f1c5104853 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 02:24:21 -0700
+Subject: selftests/bpf: Fix redefinition errors compiling lwt_reroute.c
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 16b795cc59528cf280abc79af3c70bda42f715b9 ]
+
+Compiling lwt_reroute.c with GCC 12.3 for mips64el/musl-libc yields errors:
+
+In file included from .../include/arpa/inet.h:9,
+ from ./test_progs.h:18,
+ from tools/testing/selftests/bpf/prog_tests/lwt_helpers.h:11,
+ from tools/testing/selftests/bpf/prog_tests/lwt_reroute.c:52:
+.../include/netinet/in.h:23:8: error: redefinition of 'struct in6_addr'
+ 23 | struct in6_addr {
+ | ^~~~~~~~
+In file included from .../include/linux/icmp.h:24,
+ from tools/testing/selftests/bpf/prog_tests/lwt_helpers.h:9:
+.../include/linux/in6.h:33:8: note: originally defined here
+ 33 | struct in6_addr {
+ | ^~~~~~~~
+.../include/netinet/in.h:34:8: error: redefinition of 'struct sockaddr_in6'
+ 34 | struct sockaddr_in6 {
+ | ^~~~~~~~~~~~
+.../include/linux/in6.h:50:8: note: originally defined here
+ 50 | struct sockaddr_in6 {
+ | ^~~~~~~~~~~~
+.../include/netinet/in.h:42:8: error: redefinition of 'struct ipv6_mreq'
+ 42 | struct ipv6_mreq {
+ | ^~~~~~~~~
+.../include/linux/in6.h:60:8: note: originally defined here
+ 60 | struct ipv6_mreq {
+ | ^~~~~~~~~
+
+These errors occur because <linux/in6.h> is included before <netinet/in.h>,
+bypassing the Linux uapi/libc compat mechanism's partial musl support. As
+described in [1] and [2], fix these errors by including <netinet/in.h> in
+lwt_reroute.c before any uapi headers.
+
+[1]: commit c0bace798436 ("uapi libc compat: add fallback for unsupported libcs")
+[2]: https://git.musl-libc.org/cgit/musl/commit/?id=04983f227238
+
+Fixes: 6c77997bc639 ("selftests/bpf: Add lwt_xmit tests for BPF_REROUTE")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/bd2908aec0755ba8b75f5dc41848b00585f5c73e.1722244708.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/lwt_reroute.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/lwt_reroute.c b/tools/testing/selftests/bpf/prog_tests/lwt_reroute.c
+index 03825d2b45a8b..6c50c0f63f436 100644
+--- a/tools/testing/selftests/bpf/prog_tests/lwt_reroute.c
++++ b/tools/testing/selftests/bpf/prog_tests/lwt_reroute.c
+@@ -49,6 +49,7 @@
+ * is not crashed, it is considered successful.
+ */
+ #define NETNS "ns_lwt_reroute"
++#include <netinet/in.h>
+ #include "lwt_helpers.h"
+ #include "network_helpers.h"
+ #include <linux/net_tstamp.h>
+--
+2.43.0
+
--- /dev/null
+From f8a2d9589d777f3ab6f3706880b1b5b954d9a9c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 03:23:51 -0700
+Subject: selftests/bpf: fix to avoid __msg tag de-duplication by clang
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit f00bb757ed630affc951691ddaff206039cbb7ee ]
+
+__msg, __regex and __xlated tags are based on
+__attribute__((btf_decl_tag("..."))) annotations.
+
+Clang de-duplicates such annotations, e.g. the following
+two sequences of tags are identical in final BTF:
+
+ /* seq A */ /* seq B */
+ __tag("foo") __tag("foo")
+ __tag("bar") __tag("bar")
+ __tag("foo")
+
+Fix this by adding a unique suffix for each tag using __COUNTER__
+pre-processor macro. E.g. here is a new definition for __msg:
+
+ #define __msg(msg) \
+ __attribute__((btf_decl_tag("comment:test_expect_msg=" XSTR(__COUNTER__) "=" msg)))
+
+Using this definition the "seq A" from example above is translated to
+BTF as follows:
+
+ [..] DECL_TAG 'comment:test_expect_msg=0=foo' type_id=X component_idx=-1
+ [..] DECL_TAG 'comment:test_expect_msg=1=bar' type_id=X component_idx=-1
+ [..] DECL_TAG 'comment:test_expect_msg=2=foo' type_id=X component_idx=-1
+
+Surprisingly, this bug affects a single existing test:
+verifier_spill_fill/old_stack_misc_vs_cur_ctx_ptr,
+where sequence of identical messages was expected in the log.
+
+Fixes: 537c3f66eac1 ("selftests/bpf: add generic BPF program tester-loader")
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20240820102357.3372779-4-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/progs/bpf_misc.h | 15 +++---
+ .../selftests/bpf/progs/verifier_spill_fill.c | 8 ++--
+ tools/testing/selftests/bpf/test_loader.c | 47 ++++++++++++++-----
+ 3 files changed, 48 insertions(+), 22 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/progs/bpf_misc.h b/tools/testing/selftests/bpf/progs/bpf_misc.h
+index a225cd87897c4..4f10297437341 100644
+--- a/tools/testing/selftests/bpf/progs/bpf_misc.h
++++ b/tools/testing/selftests/bpf/progs/bpf_misc.h
+@@ -2,6 +2,9 @@
+ #ifndef __BPF_MISC_H__
+ #define __BPF_MISC_H__
+
++#define XSTR(s) STR(s)
++#define STR(s) #s
++
+ /* This set of attributes controls behavior of the
+ * test_loader.c:test_loader__run_subtests().
+ *
+@@ -68,15 +71,15 @@
+ * Several __arch_* annotations could be specified at once.
+ * When test case is not run on current arch it is marked as skipped.
+ */
+-#define __msg(msg) __attribute__((btf_decl_tag("comment:test_expect_msg=" msg)))
+-#define __regex(regex) __attribute__((btf_decl_tag("comment:test_expect_regex=" regex)))
+-#define __xlated(msg) __attribute__((btf_decl_tag("comment:test_expect_xlated=" msg)))
++#define __msg(msg) __attribute__((btf_decl_tag("comment:test_expect_msg=" XSTR(__COUNTER__) "=" msg)))
++#define __regex(regex) __attribute__((btf_decl_tag("comment:test_expect_regex=" XSTR(__COUNTER__) "=" regex)))
++#define __xlated(msg) __attribute__((btf_decl_tag("comment:test_expect_xlated=" XSTR(__COUNTER__) "=" msg)))
+ #define __failure __attribute__((btf_decl_tag("comment:test_expect_failure")))
+ #define __success __attribute__((btf_decl_tag("comment:test_expect_success")))
+ #define __description(desc) __attribute__((btf_decl_tag("comment:test_description=" desc)))
+-#define __msg_unpriv(msg) __attribute__((btf_decl_tag("comment:test_expect_msg_unpriv=" msg)))
+-#define __regex_unpriv(regex) __attribute__((btf_decl_tag("comment:test_expect_regex_unpriv=" regex)))
+-#define __xlated_unpriv(msg) __attribute__((btf_decl_tag("comment:test_expect_xlated_unpriv=" msg)))
++#define __msg_unpriv(msg) __attribute__((btf_decl_tag("comment:test_expect_msg_unpriv=" XSTR(__COUNTER__) "=" msg)))
++#define __regex_unpriv(regex) __attribute__((btf_decl_tag("comment:test_expect_regex_unpriv=" XSTR(__COUNTER__) "=" regex)))
++#define __xlated_unpriv(msg) __attribute__((btf_decl_tag("comment:test_expect_xlated_unpriv=" XSTR(__COUNTER__) "=" msg)))
+ #define __failure_unpriv __attribute__((btf_decl_tag("comment:test_expect_failure_unpriv")))
+ #define __success_unpriv __attribute__((btf_decl_tag("comment:test_expect_success_unpriv")))
+ #define __log_level(lvl) __attribute__((btf_decl_tag("comment:test_log_level="#lvl)))
+diff --git a/tools/testing/selftests/bpf/progs/verifier_spill_fill.c b/tools/testing/selftests/bpf/progs/verifier_spill_fill.c
+index 85e48069c9e61..d4b99c3b4719b 100644
+--- a/tools/testing/selftests/bpf/progs/verifier_spill_fill.c
++++ b/tools/testing/selftests/bpf/progs/verifier_spill_fill.c
+@@ -1213,10 +1213,10 @@ __success __log_level(2)
+ * - once for path entry - label 2;
+ * - once for path entry - label 1 - label 2.
+ */
+-__msg("r1 = *(u64 *)(r10 -8)")
+-__msg("exit")
+-__msg("r1 = *(u64 *)(r10 -8)")
+-__msg("exit")
++__msg("8: (79) r1 = *(u64 *)(r10 -8)")
++__msg("9: (95) exit")
++__msg("from 2 to 7")
++__msg("8: safe")
+ __msg("processed 11 insns")
+ __flag(BPF_F_TEST_STATE_FREQ)
+ __naked void old_stack_misc_vs_cur_ctx_ptr(void)
+diff --git a/tools/testing/selftests/bpf/test_loader.c b/tools/testing/selftests/bpf/test_loader.c
+index 12b0c41e8d64c..0f59bc33a666c 100644
+--- a/tools/testing/selftests/bpf/test_loader.c
++++ b/tools/testing/selftests/bpf/test_loader.c
+@@ -215,6 +215,35 @@ static void update_flags(int *flags, int flag, bool clear)
+ *flags |= flag;
+ }
+
++/* Matches a string of form '<pfx>[^=]=.*' and returns it's suffix.
++ * Used to parse btf_decl_tag values.
++ * Such values require unique prefix because compiler does not add
++ * same __attribute__((btf_decl_tag(...))) twice.
++ * Test suite uses two-component tags for such cases:
++ *
++ * <pfx> __COUNTER__ '='
++ *
++ * For example, two consecutive __msg tags '__msg("foo") __msg("foo")'
++ * would be encoded as:
++ *
++ * [18] DECL_TAG 'comment:test_expect_msg=0=foo' type_id=15 component_idx=-1
++ * [19] DECL_TAG 'comment:test_expect_msg=1=foo' type_id=15 component_idx=-1
++ *
++ * And the purpose of this function is to extract 'foo' from the above.
++ */
++static const char *skip_dynamic_pfx(const char *s, const char *pfx)
++{
++ const char *msg;
++
++ if (strncmp(s, pfx, strlen(pfx)) != 0)
++ return NULL;
++ msg = s + strlen(pfx);
++ msg = strchr(msg, '=');
++ if (!msg)
++ return NULL;
++ return msg + 1;
++}
++
+ enum arch {
+ ARCH_X86_64 = 0x1,
+ ARCH_ARM64 = 0x2,
+@@ -290,38 +319,32 @@ static int parse_test_spec(struct test_loader *tester,
+ } else if (strcmp(s, TEST_TAG_AUXILIARY_UNPRIV) == 0) {
+ spec->auxiliary = true;
+ spec->mode_mask |= UNPRIV;
+- } else if (str_has_pfx(s, TEST_TAG_EXPECT_MSG_PFX)) {
+- msg = s + sizeof(TEST_TAG_EXPECT_MSG_PFX) - 1;
++ } else if ((msg = skip_dynamic_pfx(s, TEST_TAG_EXPECT_MSG_PFX))) {
+ err = push_msg(msg, NULL, &spec->priv.expect_msgs);
+ if (err)
+ goto cleanup;
+ spec->mode_mask |= PRIV;
+- } else if (str_has_pfx(s, TEST_TAG_EXPECT_MSG_PFX_UNPRIV)) {
+- msg = s + sizeof(TEST_TAG_EXPECT_MSG_PFX_UNPRIV) - 1;
++ } else if ((msg = skip_dynamic_pfx(s, TEST_TAG_EXPECT_MSG_PFX_UNPRIV))) {
+ err = push_msg(msg, NULL, &spec->unpriv.expect_msgs);
+ if (err)
+ goto cleanup;
+ spec->mode_mask |= UNPRIV;
+- } else if (str_has_pfx(s, TEST_TAG_EXPECT_REGEX_PFX)) {
+- msg = s + sizeof(TEST_TAG_EXPECT_REGEX_PFX) - 1;
++ } else if ((msg = skip_dynamic_pfx(s, TEST_TAG_EXPECT_REGEX_PFX))) {
+ err = push_msg(NULL, msg, &spec->priv.expect_msgs);
+ if (err)
+ goto cleanup;
+ spec->mode_mask |= PRIV;
+- } else if (str_has_pfx(s, TEST_TAG_EXPECT_REGEX_PFX_UNPRIV)) {
+- msg = s + sizeof(TEST_TAG_EXPECT_REGEX_PFX_UNPRIV) - 1;
++ } else if ((msg = skip_dynamic_pfx(s, TEST_TAG_EXPECT_REGEX_PFX_UNPRIV))) {
+ err = push_msg(NULL, msg, &spec->unpriv.expect_msgs);
+ if (err)
+ goto cleanup;
+ spec->mode_mask |= UNPRIV;
+- } else if (str_has_pfx(s, TEST_TAG_EXPECT_XLATED_PFX)) {
+- msg = s + sizeof(TEST_TAG_EXPECT_XLATED_PFX) - 1;
++ } else if ((msg = skip_dynamic_pfx(s, TEST_TAG_EXPECT_XLATED_PFX))) {
+ err = push_msg(msg, NULL, &spec->priv.expect_xlated);
+ if (err)
+ goto cleanup;
+ spec->mode_mask |= PRIV;
+- } else if (str_has_pfx(s, TEST_TAG_EXPECT_XLATED_PFX_UNPRIV)) {
+- msg = s + sizeof(TEST_TAG_EXPECT_XLATED_PFX_UNPRIV) - 1;
++ } else if ((msg = skip_dynamic_pfx(s, TEST_TAG_EXPECT_XLATED_PFX_UNPRIV))) {
+ err = push_msg(msg, NULL, &spec->unpriv.expect_xlated);
+ if (err)
+ goto cleanup;
+--
+2.43.0
+
--- /dev/null
+From e78019ec3d2f18f501854ea715ecd833bd3effad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jul 2024 22:25:35 -0700
+Subject: selftests/bpf: Fix wrong binary in Makefile log output
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit 3ece93a4087b2db7b99ebb2412bd60cf26bbbb51 ]
+
+Make log output incorrectly shows 'test_maps' as the binary name for every
+'CLNG-BPF' build step, apparently picking up the last value defined for the
+$(TRUNNER_BINARY) variable. Update the 'CLANG_BPF_BUILD_RULE' variants to
+fix this confusing output.
+
+Current output:
+ CLNG-BPF [test_maps] access_map_in_map.bpf.o
+ GEN-SKEL [test_progs] access_map_in_map.skel.h
+ ...
+ CLNG-BPF [test_maps] access_map_in_map.bpf.o
+ GEN-SKEL [test_progs-no_alu32] access_map_in_map.skel.h
+ ...
+ CLNG-BPF [test_maps] access_map_in_map.bpf.o
+ GEN-SKEL [test_progs-cpuv4] access_map_in_map.skel.h
+
+After fix:
+ CLNG-BPF [test_progs] access_map_in_map.bpf.o
+ GEN-SKEL [test_progs] access_map_in_map.skel.h
+ ...
+ CLNG-BPF [test_progs-no_alu32] access_map_in_map.bpf.o
+ GEN-SKEL [test_progs-no_alu32] access_map_in_map.skel.h
+ ...
+ CLNG-BPF [test_progs-cpuv4] access_map_in_map.bpf.o
+ GEN-SKEL [test_progs-cpuv4] access_map_in_map.skel.h
+
+Fixes: a5d0c26a2784 ("selftests/bpf: Add a cpuv4 test runner for cpu=v4 testing")
+Fixes: 89ad7420b25c ("selftests/bpf: Drop the need for LLVM's llc")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/bpf/20240720052535.2185967-1-tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/Makefile | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
+index 9351f37b720cf..848fffa250227 100644
+--- a/tools/testing/selftests/bpf/Makefile
++++ b/tools/testing/selftests/bpf/Makefile
+@@ -427,23 +427,24 @@ $(OUTPUT)/cgroup_getset_retval_hooks.o: cgroup_getset_retval_hooks.h
+ # $1 - input .c file
+ # $2 - output .o file
+ # $3 - CFLAGS
++# $4 - binary name
+ define CLANG_BPF_BUILD_RULE
+- $(call msg,CLNG-BPF,$(TRUNNER_BINARY),$2)
++ $(call msg,CLNG-BPF,$4,$2)
+ $(Q)$(CLANG) $3 -O2 --target=bpf -c $1 -mcpu=v3 -o $2
+ endef
+ # Similar to CLANG_BPF_BUILD_RULE, but with disabled alu32
+ define CLANG_NOALU32_BPF_BUILD_RULE
+- $(call msg,CLNG-BPF,$(TRUNNER_BINARY),$2)
++ $(call msg,CLNG-BPF,$4,$2)
+ $(Q)$(CLANG) $3 -O2 --target=bpf -c $1 -mcpu=v2 -o $2
+ endef
+ # Similar to CLANG_BPF_BUILD_RULE, but with cpu-v4
+ define CLANG_CPUV4_BPF_BUILD_RULE
+- $(call msg,CLNG-BPF,$(TRUNNER_BINARY),$2)
++ $(call msg,CLNG-BPF,$4,$2)
+ $(Q)$(CLANG) $3 -O2 --target=bpf -c $1 -mcpu=v4 -o $2
+ endef
+ # Build BPF object using GCC
+ define GCC_BPF_BUILD_RULE
+- $(call msg,GCC-BPF,$(TRUNNER_BINARY),$2)
++ $(call msg,GCC-BPF,$4,$2)
+ $(Q)$(BPF_GCC) $3 -DBPF_NO_PRESERVE_ACCESS_INDEX -Wno-attributes -O2 -c $1 -o $2
+ endef
+
+@@ -535,7 +536,7 @@ $(TRUNNER_BPF_OBJS): $(TRUNNER_OUTPUT)/%.bpf.o: \
+ $$(call $(TRUNNER_BPF_BUILD_RULE),$$<,$$@, \
+ $(TRUNNER_BPF_CFLAGS) \
+ $$($$<-CFLAGS) \
+- $$($$<-$2-CFLAGS))
++ $$($$<-$2-CFLAGS),$(TRUNNER_BINARY))
+
+ $(TRUNNER_BPF_SKELS): %.skel.h: %.bpf.o $(BPFTOOL) | $(TRUNNER_OUTPUT)
+ $$(call msg,GEN-SKEL,$(TRUNNER_BINARY),$$@)
+--
+2.43.0
+
--- /dev/null
+From 7bcb849b14a400761071ac9f0a05e6f039b1e219 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 16:38:40 -0700
+Subject: selftests/bpf: no need to track next_match_pos in struct test_loader
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit 4ef5d6af493558124b7a6c13cace58b938fe27d4 ]
+
+The call stack for validate_case() function looks as follows:
+- test_loader__run_subtests()
+ - process_subtest()
+ - run_subtest()
+ - prepare_case(), which does 'tester->next_match_pos = 0';
+ - validate_case(), which increments tester->next_match_pos.
+
+Hence, each subtest is run with next_match_pos freshly set to zero.
+Meaning that there is no need to persist this variable in the
+struct test_loader, use local variable instead.
+
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20240722233844.1406874-7-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Stable-dep-of: f00bb757ed63 ("selftests/bpf: fix to avoid __msg tag de-duplication by clang")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_loader.c | 19 ++++++++-----------
+ tools/testing/selftests/bpf/test_progs.h | 1 -
+ 2 files changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/test_loader.c b/tools/testing/selftests/bpf/test_loader.c
+index f14e10b0de96e..47508cf66e896 100644
+--- a/tools/testing/selftests/bpf/test_loader.c
++++ b/tools/testing/selftests/bpf/test_loader.c
+@@ -434,7 +434,6 @@ static void prepare_case(struct test_loader *tester,
+ bpf_program__set_flags(prog, prog_flags | spec->prog_flags);
+
+ tester->log_buf[0] = '\0';
+- tester->next_match_pos = 0;
+ }
+
+ static void emit_verifier_log(const char *log_buf, bool force)
+@@ -450,25 +449,23 @@ static void validate_case(struct test_loader *tester,
+ struct bpf_program *prog,
+ int load_err)
+ {
+- int i, j, err;
+- char *match;
+ regmatch_t reg_match[1];
++ const char *log = tester->log_buf;
++ int i, j, err;
+
+ for (i = 0; i < subspec->expect_msg_cnt; i++) {
+ struct expect_msg *msg = &subspec->expect_msgs[i];
++ const char *match = NULL;
+
+ if (msg->substr) {
+- match = strstr(tester->log_buf + tester->next_match_pos, msg->substr);
++ match = strstr(log, msg->substr);
+ if (match)
+- tester->next_match_pos = match - tester->log_buf + strlen(msg->substr);
++ log += strlen(msg->substr);
+ } else {
+- err = regexec(&msg->regex,
+- tester->log_buf + tester->next_match_pos, 1, reg_match, 0);
++ err = regexec(&msg->regex, log, 1, reg_match, 0);
+ if (err == 0) {
+- match = tester->log_buf + tester->next_match_pos + reg_match[0].rm_so;
+- tester->next_match_pos += reg_match[0].rm_eo;
+- } else {
+- match = NULL;
++ match = log + reg_match[0].rm_so;
++ log += reg_match[0].rm_eo;
+ }
+ }
+
+diff --git a/tools/testing/selftests/bpf/test_progs.h b/tools/testing/selftests/bpf/test_progs.h
+index 51341d50213b9..b1e949fb16cf3 100644
+--- a/tools/testing/selftests/bpf/test_progs.h
++++ b/tools/testing/selftests/bpf/test_progs.h
+@@ -447,7 +447,6 @@ typedef int (*pre_execution_cb)(struct bpf_object *obj);
+ struct test_loader {
+ char *log_buf;
+ size_t log_buf_sz;
+- size_t next_match_pos;
+ pre_execution_cb pre_execution_cb;
+
+ struct bpf_object *obj;
+--
+2.43.0
+
--- /dev/null
+From 7283dd1a620ed88c554c873417a17719ecb22cb0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 22:54:28 -0700
+Subject: selftests/bpf: Use pid_t consistently in test_progs.c
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit ec4fe2f0fa12fd2d0115df7e58414dc26899cc5e ]
+
+Use pid_t rather than __pid_t when allocating memory for 'worker_pids' in
+'struct test_env', as this is its declared type and also avoids compile
+errors seen building against musl libc on mipsel64:
+
+ test_progs.c:1738:49: error: '__pid_t' undeclared (first use in this function); did you mean 'pid_t'?
+ 1738 | env.worker_pids = calloc(sizeof(__pid_t), env.workers);
+ | ^~~~~~~
+ | pid_t
+ test_progs.c:1738:49: note: each undeclared identifier is reported only once for each function it appears in
+
+Fixes: 91b2c0afd00c ("selftests/bpf: Add parallelism to test_progs")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Geliang Tang <geliang@kernel.org>
+Link: https://lore.kernel.org/bpf/c6447da51a94babc1931711a43e2ceecb135c93d.1721713597.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_progs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/test_progs.c b/tools/testing/selftests/bpf/test_progs.c
+index 89ff704e9dad5..60c5ec0f6abf6 100644
+--- a/tools/testing/selftests/bpf/test_progs.c
++++ b/tools/testing/selftests/bpf/test_progs.c
+@@ -1731,7 +1731,7 @@ int main(int argc, char **argv)
+ /* launch workers if requested */
+ env.worker_id = -1; /* main process */
+ if (env.workers) {
+- env.worker_pids = calloc(sizeof(__pid_t), env.workers);
++ env.worker_pids = calloc(sizeof(pid_t), env.workers);
+ env.worker_socks = calloc(sizeof(int), env.workers);
+ if (env.debug)
+ fprintf(stdout, "Launching %d workers.\n", env.workers);
+--
+2.43.0
+
--- /dev/null
+From 646f4341856cd685f39d9d14122ee589766f071e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 19:08:15 -0700
+Subject: selftests/bpf: Workaround strict bpf_lsm return value check.
+
+From: Alexei Starovoitov <ast@kernel.org>
+
+[ Upstream commit aa8ebb270c66cea1f56a25d0f938036e91ad085a ]
+
+test_progs-no_alu32 -t libbpf_get_fd_by_id_opts
+is being rejected by the verifier with the following error
+due to compiler optimization:
+
+6: (67) r0 <<= 62 ; R0_w=scalar(smax=0x4000000000000000,umax=0xc000000000000000,smin32=0,smax32=umax32=0,var_off=(0x0; 0xc000000000000000))
+7: (c7) r0 s>>= 63 ; R0_w=scalar(smin=smin32=-1,smax=smax32=0)
+; @ test_libbpf_get_fd_by_id_opts.c:0
+8: (57) r0 &= -13 ; R0_w=scalar(smax=0x7ffffffffffffff3,umax=0xfffffffffffffff3,smax32=0x7ffffff3,umax32=0xfffffff3,var_off=(0x0; 0xfffffffffffffff3))
+; int BPF_PROG(check_access, struct bpf_map *map, fmode_t fmode) @ test_libbpf_get_fd_by_id_opts.c:27
+9: (95) exit
+At program exit the register R0 has smax=9223372036854775795 should have been in [-4095, 0]
+
+Workaround by adding barrier().
+Eventually the verifier will be able to recognize it.
+
+Fixes: 5d99e198be27 ("bpf, lsm: Add check for BPF LSM return value")
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c b/tools/testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c
+index f5ac5f3e89196..568816307f712 100644
+--- a/tools/testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c
++++ b/tools/testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c
+@@ -31,6 +31,7 @@ int BPF_PROG(check_access, struct bpf_map *map, fmode_t fmode)
+
+ if (fmode & FMODE_WRITE)
+ return -EACCES;
++ barrier();
+
+ return 0;
+ }
+--
+2.43.0
+
--- /dev/null
+From f26e8c0b38fbf30131ebe8383f7a5358504fbb5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Jun 2024 07:12:10 +0900
+Subject: selftests/ftrace: Add required dependency for kprobe tests
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+[ Upstream commit 41f37c852ac3fbfd072a00281b60dc7ba056be8c ]
+
+kprobe_args_{char,string}.tc are using available_filter_functions file
+which is provided by function tracer. Thus if function tracer is disabled,
+these tests are failed on recent kernels because tracefs_create_dir is
+not raised events by adding a dynamic event.
+Add available_filter_functions to requires line.
+
+Fixes: 7c1130ea5cae ("test: ftrace: Fix kprobe test for eventfs")
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testing/selftests/ftrace/test.d/kprobe/kprobe_args_char.tc | 2 +-
+ .../selftests/ftrace/test.d/kprobe/kprobe_args_string.tc | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_char.tc b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_char.tc
+index e21c9c27ece47..77f4c07cdcb89 100644
+--- a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_char.tc
++++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_char.tc
+@@ -1,7 +1,7 @@
+ #!/bin/sh
+ # SPDX-License-Identifier: GPL-2.0
+ # description: Kprobe event char type argument
+-# requires: kprobe_events
++# requires: kprobe_events available_filter_functions
+
+ case `uname -m` in
+ x86_64)
+diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc
+index 93217d4595563..39001073f7ed5 100644
+--- a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc
++++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc
+@@ -1,7 +1,7 @@
+ #!/bin/sh
+ # SPDX-License-Identifier: GPL-2.0
+ # description: Kprobe event string type argument
+-# requires: kprobe_events
++# requires: kprobe_events available_filter_functions
+
+ case `uname -m` in
+ x86_64)
+--
+2.43.0
+
--- /dev/null
+From 163d66a42faa251a4b15a0471f2bae33748c3c5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2024 00:30:21 +0900
+Subject: selftests/ftrace: Fix eventfs ownership testcase to find mount point
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+[ Upstream commit f0a6ecebd858658df213d114b0530f8f0b96e396 ]
+
+Fix eventfs ownership testcase to find mount point if stat -c "%m" failed.
+This can happen on the system based on busybox. In this case, this will
+try to use the current working directory, which should be a tracefs top
+directory (and eventfs is mounted as a part of tracefs.)
+If it does not work, the test is skipped as UNRESOLVED because of
+the environmental problem.
+
+Fixes: ee9793be08b1 ("tracing/selftests: Add ownership modification tests for eventfs")
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ftrace/test.d/00basic/test_ownership.tc | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/tools/testing/selftests/ftrace/test.d/00basic/test_ownership.tc b/tools/testing/selftests/ftrace/test.d/00basic/test_ownership.tc
+index c45094d1e1d2d..803efd7b56c77 100644
+--- a/tools/testing/selftests/ftrace/test.d/00basic/test_ownership.tc
++++ b/tools/testing/selftests/ftrace/test.d/00basic/test_ownership.tc
+@@ -6,6 +6,18 @@ original_group=`stat -c "%g" .`
+ original_owner=`stat -c "%u" .`
+
+ mount_point=`stat -c '%m' .`
++
++# If stat -c '%m' does not work (e.g. busybox) or failed, try to use the
++# current working directory (which should be a tracefs) as the mount point.
++if [ ! -d "$mount_point" ]; then
++ if mount | grep -qw $PWD ; then
++ mount_point=$PWD
++ else
++ # If PWD doesn't work, that is an environmental problem.
++ exit_unresolved
++ fi
++fi
++
+ mount_options=`mount | grep "$mount_point" | sed -e 's/.*(\(.*\)).*/\1/'`
+
+ # find another owner and group that is not the original
+--
+2.43.0
+
--- /dev/null
+From 93b0aa60ff31589a2c438b7c2ca0a0c63881c73c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 May 2024 01:36:20 -0400
+Subject: selftests/ftrace: Fix test to handle both old and new kernels
+
+From: Steven Rostedt (Google) <rostedt@goodmis.org>
+
+[ Upstream commit c049acee3c71cfc26c739f82617a84e13e471a45 ]
+
+The function "scheduler_tick" was renamed to "sched_tick" and a selftest
+that used that function for testing function trace filtering used that
+function as part of the test.
+
+But the change causes it to fail when run on older kernels. As tests
+should not fail on older kernels, add a check to see which name is
+available before testing.
+
+Fixes: 86dd6c04ef9f ("sched/balancing: Rename scheduler_tick() => sched_tick()")
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ftrace/test.d/ftrace/func_set_ftrace_file.tc | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc
+index 073a748b9380a..263f6b798c853 100644
+--- a/tools/testing/selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc
++++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_set_ftrace_file.tc
+@@ -19,7 +19,14 @@ fail() { # mesg
+
+ FILTER=set_ftrace_filter
+ FUNC1="schedule"
+-FUNC2="sched_tick"
++if grep '^sched_tick\b' available_filter_functions; then
++ FUNC2="sched_tick"
++elif grep '^scheduler_tick\b' available_filter_functions; then
++ FUNC2="scheduler_tick"
++else
++ exit_unresolved
++fi
++
+
+ ALL_FUNCS="#### all functions enabled ####"
+
+--
+2.43.0
+
--- /dev/null
+From 29f140cd535350e56e6e8677af0b5e11ce6098d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Sep 2024 14:40:00 +0200
+Subject: selftests: netfilter: Avoid hanging ipvs.sh
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit fc786304ad9803e8bb86b8599bc64d1c1746c75f ]
+
+If the client can't reach the server, the latter remains listening
+forever. Kill it after 5s of waiting.
+
+Fixes: 867d2190799a ("selftests: netfilter: add ipvs test script")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/netfilter/ipvs.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/netfilter/ipvs.sh b/tools/testing/selftests/net/netfilter/ipvs.sh
+index 4ceee9fb39495..d3edb16cd4b3f 100755
+--- a/tools/testing/selftests/net/netfilter/ipvs.sh
++++ b/tools/testing/selftests/net/netfilter/ipvs.sh
+@@ -97,7 +97,7 @@ cleanup() {
+ }
+
+ server_listen() {
+- ip netns exec "$ns2" socat -u -4 TCP-LISTEN:8080,reuseaddr STDOUT > "${outfile}" &
++ ip netns exec "$ns2" timeout 5 socat -u -4 TCP-LISTEN:8080,reuseaddr STDOUT > "${outfile}" &
+ server_pid=$!
+ sleep 0.2
+ }
+--
+2.43.0
+
--- /dev/null
+From 125ae0e471647e68cba3b60acc8cdd283d6f33fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2024 12:02:31 -0600
+Subject: selftests:resctrl: Fix build failure on archs without __cpuid_count()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Shuah Khan <skhan@linuxfoundation.org>
+
+[ Upstream commit 7beaf1da074f7ea25454d6c11da142c3892d3c4e ]
+
+When resctrl is built on architectures without __cpuid_count()
+support, build fails. resctrl uses __cpuid_count() defined in
+kselftest.h.
+
+Even though the problem is seen while building resctrl on aarch64,
+this error can be seen on any platform that doesn't support CPUID.
+
+CPUID is a x86/x86-64 feature and code paths with CPUID asm commands
+will fail to build on all other architectures.
+
+All others tests call __cpuid_count() do so from x86/x86_64 code paths
+when _i386__ or __x86_64__ are defined. resctrl is an exception.
+
+Fix the problem by defining __cpuid_count() only when __i386__ or
+__x86_64__ are defined in kselftest.h and changing resctrl to call
+__cpuid_count() only when __i386__ or __x86_64__ are defined.
+
+In file included from resctrl.h:24,
+ from cat_test.c:11:
+In function ‘arch_supports_noncont_cat’,
+ inlined from ‘noncont_cat_run_test’ at cat_test.c:326:6:
+../kselftest.h:74:9: error: impossible constraint in ‘asm’
+ 74 | __asm__ __volatile__ ("cpuid\n\t" \
+ | ^~~~~~~
+cat_test.c:304:17: note: in expansion of macro ‘__cpuid_count’
+ 304 | __cpuid_count(0x10, 1, eax, ebx, ecx, edx);
+ | ^~~~~~~~~~~~~
+../kselftest.h:74:9: error: impossible constraint in ‘asm’
+ 74 | __asm__ __volatile__ ("cpuid\n\t" \
+ | ^~~~~~~
+cat_test.c:306:17: note: in expansion of macro ‘__cpuid_count’
+ 306 | __cpuid_count(0x10, 2, eax, ebx, ecx, edx);
+
+Fixes: ae638551ab64 ("selftests/resctrl: Add non-contiguous CBMs CAT test")
+Reported-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Closes: https://lore.kernel.org/lkml/20240809071059.265914-1-usama.anjum@collabora.com/
+Reported-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Acked-by: Reinette Chatre <reinette.chatre@intel.com>
+Reviewed-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/kselftest.h | 2 ++
+ tools/testing/selftests/resctrl/cat_test.c | 7 +++++--
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/kselftest.h b/tools/testing/selftests/kselftest.h
+index b8967b6e29d50..e195ec1568599 100644
+--- a/tools/testing/selftests/kselftest.h
++++ b/tools/testing/selftests/kselftest.h
+@@ -61,6 +61,7 @@
+ #define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))
+ #endif
+
++#if defined(__i386__) || defined(__x86_64__) /* arch */
+ /*
+ * gcc cpuid.h provides __cpuid_count() since v4.4.
+ * Clang/LLVM cpuid.h provides __cpuid_count() since v3.4.0.
+@@ -75,6 +76,7 @@
+ : "=a" (a), "=b" (b), "=c" (c), "=d" (d) \
+ : "0" (level), "2" (count))
+ #endif
++#endif /* end arch */
+
+ /* define kselftest exit codes */
+ #define KSFT_PASS 0
+diff --git a/tools/testing/selftests/resctrl/cat_test.c b/tools/testing/selftests/resctrl/cat_test.c
+index 742782438ca3b..94cfdba5308d8 100644
+--- a/tools/testing/selftests/resctrl/cat_test.c
++++ b/tools/testing/selftests/resctrl/cat_test.c
+@@ -290,12 +290,12 @@ static int cat_run_test(const struct resctrl_test *test, const struct user_param
+
+ static bool arch_supports_noncont_cat(const struct resctrl_test *test)
+ {
+- unsigned int eax, ebx, ecx, edx;
+-
+ /* AMD always supports non-contiguous CBM. */
+ if (get_vendor() == ARCH_AMD)
+ return true;
+
++#if defined(__i386__) || defined(__x86_64__) /* arch */
++ unsigned int eax, ebx, ecx, edx;
+ /* Intel support for non-contiguous CBM needs to be discovered. */
+ if (!strcmp(test->resource, "L3"))
+ __cpuid_count(0x10, 1, eax, ebx, ecx, edx);
+@@ -305,6 +305,9 @@ static bool arch_supports_noncont_cat(const struct resctrl_test *test)
+ return false;
+
+ return ((ecx >> 3) & 1);
++#endif /* end arch */
++
++ return false;
+ }
+
+ static int noncont_cat_run_test(const struct resctrl_test *test,
+--
+2.43.0
+
--- /dev/null
+From bdcb58890971ff66f676f261f20dfb19e678b071 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2024 10:50:14 +0200
+Subject: selftests: vDSO: fix ELF hash table entry size for s390x
+
+From: Jens Remus <jremus@linux.ibm.com>
+
+[ Upstream commit 14be4e6f35221c4731b004553ecf7cbc6dc1d2d8 ]
+
+The vDSO self tests fail on s390x for a vDSO linked with the GNU linker
+ld as follows:
+
+ # ./vdso_test_gettimeofday
+ Floating point exception (core dumped)
+
+On s390x the ELF hash table entries are 64 bits instead of 32 bits in
+size (see Glibc sysdeps/unix/sysv/linux/s390/bits/elfclass.h).
+
+Fixes: 40723419f407 ("kselftest: Enable vDSO test on non x86 platforms")
+Reported-by: Heiko Carstens <hca@linux.ibm.com>
+Tested-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Jens Remus <jremus@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/vDSO/parse_vdso.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/tools/testing/selftests/vDSO/parse_vdso.c b/tools/testing/selftests/vDSO/parse_vdso.c
+index d9ccc5acac182..7dd5668ea8a6e 100644
+--- a/tools/testing/selftests/vDSO/parse_vdso.c
++++ b/tools/testing/selftests/vDSO/parse_vdso.c
+@@ -36,6 +36,12 @@
+ #define ELF_BITS_XFORM(bits, x) ELF_BITS_XFORM2(bits, x)
+ #define ELF(x) ELF_BITS_XFORM(ELF_BITS, x)
+
++#ifdef __s390x__
++#define ELF_HASH_ENTRY ELF(Xword)
++#else
++#define ELF_HASH_ENTRY ELF(Word)
++#endif
++
+ static struct vdso_info
+ {
+ bool valid;
+@@ -47,8 +53,8 @@ static struct vdso_info
+ /* Symbol table */
+ ELF(Sym) *symtab;
+ const char *symstrings;
+- ELF(Word) *bucket, *chain;
+- ELF(Word) nbucket, nchain;
++ ELF_HASH_ENTRY *bucket, *chain;
++ ELF_HASH_ENTRY nbucket, nchain;
+
+ /* Version table */
+ ELF(Versym) *versym;
+@@ -115,7 +121,7 @@ void vdso_init_from_sysinfo_ehdr(uintptr_t base)
+ /*
+ * Fish out the useful bits of the dynamic table.
+ */
+- ELF(Word) *hash = 0;
++ ELF_HASH_ENTRY *hash = 0;
+ vdso_info.symstrings = 0;
+ vdso_info.symtab = 0;
+ vdso_info.versym = 0;
+@@ -133,7 +139,7 @@ void vdso_init_from_sysinfo_ehdr(uintptr_t base)
+ + vdso_info.load_offset);
+ break;
+ case DT_HASH:
+- hash = (ELF(Word) *)
++ hash = (ELF_HASH_ENTRY *)
+ ((uintptr_t)dyn[i].d_un.d_ptr
+ + vdso_info.load_offset);
+ break;
+--
+2.43.0
+
--- /dev/null
+From 768c397f50d08415807c129965abcf7d920afd1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Aug 2024 14:28:38 +0200
+Subject: selftests: vDSO: fix the way vDSO functions are called for powerpc
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 6eda706a535c3d0119eaefaad5fc119609639ed2 ]
+
+vdso_test_correctness test fails on powerpc:
+
+~ # ./vdso_test_correctness
+...
+[RUN] Testing clock_gettime for clock CLOCK_REALTIME_ALARM (8)...
+[FAIL] No such clock, but __vdso_clock_gettime returned 22
+[RUN] Testing clock_gettime for clock CLOCK_BOOTTIME_ALARM (9)...
+[FAIL] No such clock, but __vdso_clock_gettime returned 22
+[RUN] Testing clock_gettime for clock CLOCK_SGI_CYCLE (10)...
+[FAIL] No such clock, but __vdso_clock_gettime returned 22
+...
+[RUN] Testing clock_gettime for clock invalid (-1)...
+[FAIL] No such clock, but __vdso_clock_gettime returned 22
+[RUN] Testing clock_gettime for clock invalid (-2147483648)...
+[FAIL] No such clock, but __vdso_clock_gettime returned 22
+[RUN] Testing clock_gettime for clock invalid (2147483647)...
+[FAIL] No such clock, but __vdso_clock_gettime returned 22
+
+On powerpc, a call to a VDSO function is not an ordinary C function
+call. Unlike several architectures which returns a negative error code
+in case of an error, powerpc sets CR[SO] and returns the error code
+as a positive value.
+
+Define and use a macro called VDSO_CALL() which takes a pointer
+to the function to call, the number of arguments and the arguments.
+
+Also update ABI vdso documentation to reflect this subtlety.
+
+Provide a specific version of VDSO_CALL() for powerpc that negates
+the error code on return when CR[SO] is set.
+
+Fixes: c7e5789b24d3 ("kselftest: Move test_vdso to the vDSO test suite")
+Fixes: 2e9a97256616 ("selftests: vdso: Add a selftest for vDSO getcpu()")
+Fixes: 693f5ca08ca0 ("kselftest: Extend vDSO selftest")
+Fixes: b2f1c3db2887 ("kselftest: Extend vdso correctness test to clock_gettime64")
+Fixes: 4920a2590e91 ("selftests/vDSO: add tests for vgetrandom")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Acked-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/ABI/stable/vdso | 8 ++-
+ tools/testing/selftests/vDSO/vdso_call.h | 70 +++++++++++++++++++
+ tools/testing/selftests/vDSO/vdso_test_abi.c | 9 +--
+ .../selftests/vDSO/vdso_test_correctness.c | 15 ++--
+ .../testing/selftests/vDSO/vdso_test_getcpu.c | 3 +-
+ .../selftests/vDSO/vdso_test_getrandom.c | 5 +-
+ .../selftests/vDSO/vdso_test_gettimeofday.c | 3 +-
+ 7 files changed, 95 insertions(+), 18 deletions(-)
+ create mode 100644 tools/testing/selftests/vDSO/vdso_call.h
+
+diff --git a/Documentation/ABI/stable/vdso b/Documentation/ABI/stable/vdso
+index 951838d427811..85dbb6a160df8 100644
+--- a/Documentation/ABI/stable/vdso
++++ b/Documentation/ABI/stable/vdso
+@@ -9,9 +9,11 @@ maps an ELF DSO into that program's address space. This DSO is called
+ the vDSO and it often contains useful and highly-optimized alternatives
+ to real syscalls.
+
+-These functions are called just like ordinary C function according to
+-your platform's ABI. Call them from a sensible context. (For example,
+-if you set CS on x86 to something strange, the vDSO functions are
++These functions are called according to your platform's ABI. On many
++platforms they are called just like ordinary C function. On other platforms
++(ex: powerpc) they are called with the same convention as system calls which
++is different from ordinary C functions. Call them from a sensible context.
++(For example, if you set CS on x86 to something strange, the vDSO functions are
+ within their rights to crash.) In addition, if you pass a bad
+ pointer to a vDSO function, you might get SIGSEGV instead of -EFAULT.
+
+diff --git a/tools/testing/selftests/vDSO/vdso_call.h b/tools/testing/selftests/vDSO/vdso_call.h
+new file mode 100644
+index 0000000000000..bb237d771051b
+--- /dev/null
++++ b/tools/testing/selftests/vDSO/vdso_call.h
+@@ -0,0 +1,70 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++/*
++ * Macro to call vDSO functions
++ *
++ * Copyright (C) 2024 Christophe Leroy <christophe.leroy@csgroup.eu>, CS GROUP France
++ */
++#ifndef __VDSO_CALL_H__
++#define __VDSO_CALL_H__
++
++#ifdef __powerpc__
++
++#define LOADARGS_1(fn, __arg1) do { \
++ _r0 = fn; \
++ _r3 = (long)__arg1; \
++} while (0)
++
++#define LOADARGS_2(fn, __arg1, __arg2) do { \
++ _r0 = fn; \
++ _r3 = (long)__arg1; \
++ _r4 = (long)__arg2; \
++} while (0)
++
++#define LOADARGS_3(fn, __arg1, __arg2, __arg3) do { \
++ _r0 = fn; \
++ _r3 = (long)__arg1; \
++ _r4 = (long)__arg2; \
++ _r5 = (long)__arg3; \
++} while (0)
++
++#define LOADARGS_5(fn, __arg1, __arg2, __arg3, __arg4, __arg5) do { \
++ _r0 = fn; \
++ _r3 = (long)__arg1; \
++ _r4 = (long)__arg2; \
++ _r5 = (long)__arg3; \
++ _r6 = (long)__arg4; \
++ _r7 = (long)__arg5; \
++} while (0)
++
++#define VDSO_CALL(fn, nr, args...) ({ \
++ register void *_r0 asm ("r0"); \
++ register long _r3 asm ("r3"); \
++ register long _r4 asm ("r4"); \
++ register long _r5 asm ("r5"); \
++ register long _r6 asm ("r6"); \
++ register long _r7 asm ("r7"); \
++ register long _r8 asm ("r8"); \
++ register long _rval asm ("r3"); \
++ \
++ LOADARGS_##nr(fn, args); \
++ \
++ asm volatile( \
++ " mtctr %0\n" \
++ " bctrl\n" \
++ " bns+ 1f\n" \
++ " neg 3, 3\n" \
++ "1:" \
++ : "+r" (_r0), "=r" (_r3), "+r" (_r4), "+r" (_r5), \
++ "+r" (_r6), "+r" (_r7), "+r" (_r8) \
++ : "r" (_rval) \
++ : "r9", "r10", "r11", "r12", "cr0", "cr1", "cr5", \
++ "cr6", "cr7", "xer", "lr", "ctr", "memory" \
++ ); \
++ _rval; \
++})
++
++#else
++#define VDSO_CALL(fn, nr, args...) fn(args)
++#endif
++
++#endif
+diff --git a/tools/testing/selftests/vDSO/vdso_test_abi.c b/tools/testing/selftests/vDSO/vdso_test_abi.c
+index 96d32fd65b42b..00034208c4c64 100644
+--- a/tools/testing/selftests/vDSO/vdso_test_abi.c
++++ b/tools/testing/selftests/vDSO/vdso_test_abi.c
+@@ -20,6 +20,7 @@
+
+ #include "../kselftest.h"
+ #include "vdso_config.h"
++#include "vdso_call.h"
+
+ extern void *vdso_sym(const char *version, const char *name);
+ extern void vdso_init_from_sysinfo_ehdr(uintptr_t base);
+@@ -61,7 +62,7 @@ static void vdso_test_gettimeofday(void)
+ }
+
+ struct timeval tv;
+- long ret = vdso_gettimeofday(&tv, 0);
++ long ret = VDSO_CALL(vdso_gettimeofday, 2, &tv, 0);
+
+ if (ret == 0) {
+ ksft_print_msg("The time is %lld.%06lld\n",
+@@ -86,7 +87,7 @@ static void vdso_test_clock_gettime(clockid_t clk_id)
+ }
+
+ struct timespec ts;
+- long ret = vdso_clock_gettime(clk_id, &ts);
++ long ret = VDSO_CALL(vdso_clock_gettime, 2, clk_id, &ts);
+
+ if (ret == 0) {
+ ksft_print_msg("The time is %lld.%06lld\n",
+@@ -111,7 +112,7 @@ static void vdso_test_time(void)
+ return;
+ }
+
+- long ret = vdso_time(NULL);
++ long ret = VDSO_CALL(vdso_time, 1, NULL);
+
+ if (ret > 0) {
+ ksft_print_msg("The time in hours since January 1, 1970 is %lld\n",
+@@ -138,7 +139,7 @@ static void vdso_test_clock_getres(clockid_t clk_id)
+ }
+
+ struct timespec ts, sys_ts;
+- long ret = vdso_clock_getres(clk_id, &ts);
++ long ret = VDSO_CALL(vdso_clock_getres, 2, clk_id, &ts);
+
+ if (ret == 0) {
+ ksft_print_msg("The vdso resolution is %lld %lld\n",
+diff --git a/tools/testing/selftests/vDSO/vdso_test_correctness.c b/tools/testing/selftests/vDSO/vdso_test_correctness.c
+index cdb697ae8343c..5fb97ad67eeaf 100644
+--- a/tools/testing/selftests/vDSO/vdso_test_correctness.c
++++ b/tools/testing/selftests/vDSO/vdso_test_correctness.c
+@@ -20,6 +20,7 @@
+ #include <limits.h>
+
+ #include "vdso_config.h"
++#include "vdso_call.h"
+ #include "../kselftest.h"
+
+ static const char **name;
+@@ -186,7 +187,7 @@ static void test_getcpu(void)
+
+ ret_sys = sys_getcpu(&cpu_sys, &node_sys, 0);
+ if (vdso_getcpu)
+- ret_vdso = vdso_getcpu(&cpu_vdso, &node_vdso, 0);
++ ret_vdso = VDSO_CALL(vdso_getcpu, 3, &cpu_vdso, &node_vdso, 0);
+ if (vgetcpu)
+ ret_vsys = vgetcpu(&cpu_vsys, &node_vsys, 0);
+
+@@ -269,7 +270,7 @@ static void test_one_clock_gettime(int clock, const char *name)
+
+ if (sys_clock_gettime(clock, &start) < 0) {
+ if (errno == EINVAL) {
+- vdso_ret = vdso_clock_gettime(clock, &vdso);
++ vdso_ret = VDSO_CALL(vdso_clock_gettime, 2, clock, &vdso);
+ if (vdso_ret == -EINVAL) {
+ printf("[OK]\tNo such clock.\n");
+ } else {
+@@ -282,7 +283,7 @@ static void test_one_clock_gettime(int clock, const char *name)
+ return;
+ }
+
+- vdso_ret = vdso_clock_gettime(clock, &vdso);
++ vdso_ret = VDSO_CALL(vdso_clock_gettime, 2, clock, &vdso);
+ end_ret = sys_clock_gettime(clock, &end);
+
+ if (vdso_ret != 0 || end_ret != 0) {
+@@ -331,7 +332,7 @@ static void test_one_clock_gettime64(int clock, const char *name)
+
+ if (sys_clock_gettime64(clock, &start) < 0) {
+ if (errno == EINVAL) {
+- vdso_ret = vdso_clock_gettime64(clock, &vdso);
++ vdso_ret = VDSO_CALL(vdso_clock_gettime64, 2, clock, &vdso);
+ if (vdso_ret == -EINVAL) {
+ printf("[OK]\tNo such clock.\n");
+ } else {
+@@ -344,7 +345,7 @@ static void test_one_clock_gettime64(int clock, const char *name)
+ return;
+ }
+
+- vdso_ret = vdso_clock_gettime64(clock, &vdso);
++ vdso_ret = VDSO_CALL(vdso_clock_gettime64, 2, clock, &vdso);
+ end_ret = sys_clock_gettime64(clock, &end);
+
+ if (vdso_ret != 0 || end_ret != 0) {
+@@ -401,7 +402,7 @@ static void test_gettimeofday(void)
+ return;
+ }
+
+- vdso_ret = vdso_gettimeofday(&vdso, &vdso_tz);
++ vdso_ret = VDSO_CALL(vdso_gettimeofday, 2, &vdso, &vdso_tz);
+ end_ret = sys_gettimeofday(&end, NULL);
+
+ if (vdso_ret != 0 || end_ret != 0) {
+@@ -431,7 +432,7 @@ static void test_gettimeofday(void)
+ }
+
+ /* And make sure that passing NULL for tz doesn't crash. */
+- vdso_gettimeofday(&vdso, NULL);
++ VDSO_CALL(vdso_gettimeofday, 2, &vdso, NULL);
+ }
+
+ int main(int argc, char **argv)
+diff --git a/tools/testing/selftests/vDSO/vdso_test_getcpu.c b/tools/testing/selftests/vDSO/vdso_test_getcpu.c
+index b758f68c6c9c2..cdeaed45fb26c 100644
+--- a/tools/testing/selftests/vDSO/vdso_test_getcpu.c
++++ b/tools/testing/selftests/vDSO/vdso_test_getcpu.c
+@@ -14,6 +14,7 @@
+ #include "../kselftest.h"
+ #include "parse_vdso.h"
+ #include "vdso_config.h"
++#include "vdso_call.h"
+
+ struct getcpu_cache;
+ typedef long (*getcpu_t)(unsigned int *, unsigned int *,
+@@ -42,7 +43,7 @@ int main(int argc, char **argv)
+ return KSFT_SKIP;
+ }
+
+- ret = get_cpu(&cpu, &node, 0);
++ ret = VDSO_CALL(get_cpu, 3, &cpu, &node, 0);
+ if (ret == 0) {
+ printf("Running on CPU %u node %u\n", cpu, node);
+ } else {
+diff --git a/tools/testing/selftests/vDSO/vdso_test_getrandom.c b/tools/testing/selftests/vDSO/vdso_test_getrandom.c
+index 5db8ac8999cd0..351daeb649c84 100644
+--- a/tools/testing/selftests/vDSO/vdso_test_getrandom.c
++++ b/tools/testing/selftests/vDSO/vdso_test_getrandom.c
+@@ -22,6 +22,7 @@
+ #include "../kselftest.h"
+ #include "parse_vdso.h"
+ #include "vdso_config.h"
++#include "vdso_call.h"
+
+ #ifndef timespecsub
+ #define timespecsub(tsp, usp, vsp) \
+@@ -116,7 +117,7 @@ static void vgetrandom_init(void)
+ printf("%s is missing!\n", name);
+ exit(KSFT_FAIL);
+ }
+- ret = vgrnd.fn(NULL, 0, 0, &vgrnd.params, ~0UL);
++ ret = VDSO_CALL(vgrnd.fn, 5, NULL, 0, 0, &vgrnd.params, ~0UL);
+ if (ret == -ENOSYS) {
+ printf("unsupported architecture\n");
+ exit(KSFT_SKIP);
+@@ -137,7 +138,7 @@ static ssize_t vgetrandom(void *buf, size_t len, unsigned long flags)
+ exit(KSFT_FAIL);
+ }
+ }
+- return vgrnd.fn(buf, len, flags, state, vgrnd.params.size_of_opaque_state);
++ return VDSO_CALL(vgrnd.fn, 5, buf, len, flags, state, vgrnd.params.size_of_opaque_state);
+ }
+
+ enum { TRIALS = 25000000, THREADS = 256 };
+diff --git a/tools/testing/selftests/vDSO/vdso_test_gettimeofday.c b/tools/testing/selftests/vDSO/vdso_test_gettimeofday.c
+index ee4f1ca56a71a..e31b18ffae338 100644
+--- a/tools/testing/selftests/vDSO/vdso_test_gettimeofday.c
++++ b/tools/testing/selftests/vDSO/vdso_test_gettimeofday.c
+@@ -19,6 +19,7 @@
+ #include "../kselftest.h"
+ #include "parse_vdso.h"
+ #include "vdso_config.h"
++#include "vdso_call.h"
+
+ int main(int argc, char **argv)
+ {
+@@ -43,7 +44,7 @@ int main(int argc, char **argv)
+ }
+
+ struct timeval tv;
+- long ret = gtod(&tv, 0);
++ long ret = VDSO_CALL(gtod, 2, &tv, 0);
+
+ if (ret == 0) {
+ printf("The time is %lld.%06lld\n",
+--
+2.43.0
+
--- /dev/null
+From b06597d5c47cdbac1858263bb0e4facb5e8a53f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Aug 2024 14:28:35 +0200
+Subject: selftests: vDSO: fix vDSO name for powerpc
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 59eb856c3ed9b3552befd240c0c339f22eed3fa1 ]
+
+Following error occurs when running vdso_test_correctness on powerpc:
+
+~ # ./vdso_test_correctness
+[WARN] failed to find vDSO
+[SKIP] No vDSO, so skipping clock_gettime() tests
+[SKIP] No vDSO, so skipping clock_gettime64() tests
+[RUN] Testing getcpu...
+[OK] CPU 0: syscall: cpu 0, node 0
+
+On powerpc, vDSO is neither called linux-vdso.so.1 nor linux-gate.so.1
+but linux-vdso32.so.1 or linux-vdso64.so.1.
+
+Also search those two names before giving up.
+
+Fixes: c7e5789b24d3 ("kselftest: Move test_vdso to the vDSO test suite")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Acked-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/vDSO/vdso_test_correctness.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/tools/testing/selftests/vDSO/vdso_test_correctness.c b/tools/testing/selftests/vDSO/vdso_test_correctness.c
+index e691a3cf14911..cdb697ae8343c 100644
+--- a/tools/testing/selftests/vDSO/vdso_test_correctness.c
++++ b/tools/testing/selftests/vDSO/vdso_test_correctness.c
+@@ -114,6 +114,12 @@ static void fill_function_pointers()
+ if (!vdso)
+ vdso = dlopen("linux-gate.so.1",
+ RTLD_LAZY | RTLD_LOCAL | RTLD_NOLOAD);
++ if (!vdso)
++ vdso = dlopen("linux-vdso32.so.1",
++ RTLD_LAZY | RTLD_LOCAL | RTLD_NOLOAD);
++ if (!vdso)
++ vdso = dlopen("linux-vdso64.so.1",
++ RTLD_LAZY | RTLD_LOCAL | RTLD_NOLOAD);
+ if (!vdso) {
+ printf("[WARN]\tfailed to find vDSO\n");
+ return;
+--
+2.43.0
+
--- /dev/null
+From 1abf0182089b9f372b0ca10f2dc384b4b04f339b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Aug 2024 14:28:37 +0200
+Subject: selftests: vDSO: fix vDSO symbols lookup for powerpc64
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit ba83b3239e657469709d15dcea5f9b65bf9dbf34 ]
+
+On powerpc64, following tests fail locating vDSO functions:
+
+ ~ # ./vdso_test_abi
+ TAP version 13
+ 1..16
+ # [vDSO kselftest] VDSO_VERSION: LINUX_2.6.15
+ # Couldn't find __kernel_gettimeofday
+ ok 1 # SKIP __kernel_gettimeofday
+ # clock_id: CLOCK_REALTIME
+ # Couldn't find __kernel_clock_gettime
+ ok 2 # SKIP __kernel_clock_gettime CLOCK_REALTIME
+ # Couldn't find __kernel_clock_getres
+ ok 3 # SKIP __kernel_clock_getres CLOCK_REALTIME
+ ...
+ # Couldn't find __kernel_time
+ ok 16 # SKIP __kernel_time
+ # Totals: pass:0 fail:0 xfail:0 xpass:0 skip:16 error:0
+
+ ~ # ./vdso_test_getrandom
+ __kernel_getrandom is missing!
+
+ ~ # ./vdso_test_gettimeofday
+ Could not find __kernel_gettimeofday
+
+ ~ # ./vdso_test_getcpu
+ Could not find __kernel_getcpu
+
+On powerpc64, as shown below by readelf, vDSO functions symbols have
+type NOTYPE, so also accept that type when looking for symbols.
+
+$ powerpc64-linux-gnu-readelf -a arch/powerpc/kernel/vdso/vdso64.so.dbg
+ELF Header:
+ Magic: 7f 45 4c 46 02 02 01 00 00 00 00 00 00 00 00 00
+ Class: ELF64
+ Data: 2's complement, big endian
+ Version: 1 (current)
+ OS/ABI: UNIX - System V
+ ABI Version: 0
+ Type: DYN (Shared object file)
+ Machine: PowerPC64
+ Version: 0x1
+...
+
+Symbol table '.dynsym' contains 12 entries:
+ Num: Value Size Type Bind Vis Ndx Name
+ 0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
+ 1: 0000000000000524 84 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 2: 00000000000005f0 36 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 3: 0000000000000578 68 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 4: 0000000000000000 0 OBJECT GLOBAL DEFAULT ABS LINUX_2.6.15
+ 5: 00000000000006c0 48 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 6: 0000000000000614 172 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 7: 00000000000006f0 84 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 8: 000000000000047c 84 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 9: 0000000000000454 12 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 10: 00000000000004d0 84 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 11: 00000000000005bc 52 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+
+Symbol table '.symtab' contains 56 entries:
+ Num: Value Size Type Bind Vis Ndx Name
+...
+ 45: 0000000000000000 0 OBJECT GLOBAL DEFAULT ABS LINUX_2.6.15
+ 46: 00000000000006c0 48 NOTYPE GLOBAL DEFAULT 8 __kernel_getcpu
+ 47: 0000000000000524 84 NOTYPE GLOBAL DEFAULT 8 __kernel_clock_getres
+ 48: 00000000000005f0 36 NOTYPE GLOBAL DEFAULT 8 __kernel_get_tbfreq
+ 49: 000000000000047c 84 NOTYPE GLOBAL DEFAULT 8 __kernel_gettimeofday
+ 50: 0000000000000614 172 NOTYPE GLOBAL DEFAULT 8 __kernel_sync_dicache
+ 51: 00000000000006f0 84 NOTYPE GLOBAL DEFAULT 8 __kernel_getrandom
+ 52: 0000000000000454 12 NOTYPE GLOBAL DEFAULT 8 __kernel_sigtram[...]
+ 53: 0000000000000578 68 NOTYPE GLOBAL DEFAULT 8 __kernel_time
+ 54: 00000000000004d0 84 NOTYPE GLOBAL DEFAULT 8 __kernel_clock_g[...]
+ 55: 00000000000005bc 52 NOTYPE GLOBAL DEFAULT 8 __kernel_get_sys[...]
+
+Fixes: 98eedc3a9dbf ("Document the vDSO and add a reference parser")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Acked-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/vDSO/parse_vdso.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/vDSO/parse_vdso.c b/tools/testing/selftests/vDSO/parse_vdso.c
+index 4ae417372e9eb..d9ccc5acac182 100644
+--- a/tools/testing/selftests/vDSO/parse_vdso.c
++++ b/tools/testing/selftests/vDSO/parse_vdso.c
+@@ -216,7 +216,8 @@ void *vdso_sym(const char *version, const char *name)
+ ELF(Sym) *sym = &vdso_info.symtab[chain];
+
+ /* Check for a defined global or weak function w/ right name. */
+- if (ELF64_ST_TYPE(sym->st_info) != STT_FUNC)
++ if (ELF64_ST_TYPE(sym->st_info) != STT_FUNC &&
++ ELF64_ST_TYPE(sym->st_info) != STT_NOTYPE)
+ continue;
+ if (ELF64_ST_BIND(sym->st_info) != STB_GLOBAL &&
+ ELF64_ST_BIND(sym->st_info) != STB_WEAK)
+--
+2.43.0
+
--- /dev/null
+From 9d04144347dcebeaa3d46c7a849e62094938c296 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Aug 2024 14:28:36 +0200
+Subject: selftests: vDSO: fix vdso_config for powerpc
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 7d297c419b08eafa69ce27243ee9bbecab4fcaa4 ]
+
+Running vdso_test_correctness on powerpc64 gives the following warning:
+
+ ~ # ./vdso_test_correctness
+ Warning: failed to find clock_gettime64 in vDSO
+
+This is because vdso_test_correctness was built with VDSO_32BIT defined.
+
+__powerpc__ macro is defined on both powerpc32 and powerpc64 so
+__powerpc64__ needs to be checked first in vdso_config.h
+
+Fixes: 693f5ca08ca0 ("kselftest: Extend vDSO selftest")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Acked-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/vDSO/vdso_config.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tools/testing/selftests/vDSO/vdso_config.h b/tools/testing/selftests/vDSO/vdso_config.h
+index 7b543e7f04d7b..00bfed6e4922e 100644
+--- a/tools/testing/selftests/vDSO/vdso_config.h
++++ b/tools/testing/selftests/vDSO/vdso_config.h
+@@ -18,13 +18,13 @@
+ #elif defined(__aarch64__)
+ #define VDSO_VERSION 3
+ #define VDSO_NAMES 0
+-#elif defined(__powerpc__)
++#elif defined(__powerpc64__)
+ #define VDSO_VERSION 1
+ #define VDSO_NAMES 0
+-#define VDSO_32BIT 1
+-#elif defined(__powerpc64__)
++#elif defined(__powerpc__)
+ #define VDSO_VERSION 1
+ #define VDSO_NAMES 0
++#define VDSO_32BIT 1
+ #elif defined (__s390__)
+ #define VDSO_VERSION 2
+ #define VDSO_NAMES 0
+--
+2.43.0
+
--- /dev/null
+From b6f9476396bb83c400ccd96aa40bc07ee73bb61f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2024 10:50:15 +0200
+Subject: selftests: vDSO: fix vdso_config for s390
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit a6e23fb8d3c0e3904da70beaf5d7e840a983c97f ]
+
+Running vdso_test_correctness on s390x (aka s390 64 bit) emits a warning:
+
+Warning: failed to find clock_gettime64 in vDSO
+
+This is caused by the "#elif defined (__s390__)" check in vdso_config.h
+which the defines VDSO_32BIT.
+
+If __s390x__ is defined also __s390__ is defined. Therefore the correct
+check must make sure that only __s390__ is defined.
+
+Therefore add the missing !defined(__s390x__). Also use common
+__s390x__ define instead of __s390X__.
+
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Fixes: 693f5ca08ca0 ("kselftest: Extend vDSO selftest")
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/vDSO/vdso_config.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/vDSO/vdso_config.h b/tools/testing/selftests/vDSO/vdso_config.h
+index 740ce8c98d2e7..722260f975619 100644
+--- a/tools/testing/selftests/vDSO/vdso_config.h
++++ b/tools/testing/selftests/vDSO/vdso_config.h
+@@ -25,11 +25,11 @@
+ #define VDSO_VERSION 1
+ #define VDSO_NAMES 0
+ #define VDSO_32BIT 1
+-#elif defined (__s390__)
++#elif defined (__s390__) && !defined(__s390x__)
+ #define VDSO_VERSION 2
+ #define VDSO_NAMES 0
+ #define VDSO_32BIT 1
+-#elif defined (__s390X__)
++#elif defined (__s390x__)
+ #define VDSO_VERSION 2
+ #define VDSO_NAMES 0
+ #elif defined(__mips__)
+--
+2.43.0
+
--- /dev/null
+From f424ad78d98cddf6bc24eec245423c258e40c88e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2024 09:13:22 +0200
+Subject: selftests: vDSO: look for arch-specific function name in getrandom
+ test
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit e1bbcab496f745d963e43a6e0f669359e82c4934 ]
+
+Don't hard-code x86 specific names. Rather, use vdso_config definitions
+to find the correct function matching the architecture.
+
+Add random VDSO function names in names[][]. Remove the #ifdef
+CONFIG_VDSO32, as having the name there all the time is harmless and
+guaranties a steady index for following strings.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+[Jason: add [6] to variable declaration rather than each usage site.]
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Stable-dep-of: 6eda706a535c ("selftests: vDSO: fix the way vDSO functions are called for powerpc")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/vDSO/vdso_config.h | 8 +++-----
+ tools/testing/selftests/vDSO/vdso_test_getrandom.c | 8 ++++++--
+ 2 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/tools/testing/selftests/vDSO/vdso_config.h b/tools/testing/selftests/vDSO/vdso_config.h
+index 00bfed6e4922e..740ce8c98d2e7 100644
+--- a/tools/testing/selftests/vDSO/vdso_config.h
++++ b/tools/testing/selftests/vDSO/vdso_config.h
+@@ -68,16 +68,15 @@ static const char *versions[7] = {
+ "LINUX_5.10"
+ };
+
+-static const char *names[2][6] = {
++static const char *names[2][7] = {
+ {
+ "__kernel_gettimeofday",
+ "__kernel_clock_gettime",
+ "__kernel_time",
+ "__kernel_clock_getres",
+ "__kernel_getcpu",
+-#if defined(VDSO_32BIT)
+ "__kernel_clock_gettime64",
+-#endif
++ "__kernel_getrandom",
+ },
+ {
+ "__vdso_gettimeofday",
+@@ -85,9 +84,8 @@ static const char *names[2][6] = {
+ "__vdso_time",
+ "__vdso_clock_getres",
+ "__vdso_getcpu",
+-#if defined(VDSO_32BIT)
+ "__vdso_clock_gettime64",
+-#endif
++ "__vdso_getrandom",
+ },
+ };
+
+diff --git a/tools/testing/selftests/vDSO/vdso_test_getrandom.c b/tools/testing/selftests/vDSO/vdso_test_getrandom.c
+index 89c961175956d..20bbef992c486 100644
+--- a/tools/testing/selftests/vDSO/vdso_test_getrandom.c
++++ b/tools/testing/selftests/vDSO/vdso_test_getrandom.c
+@@ -21,6 +21,7 @@
+
+ #include "../kselftest.h"
+ #include "parse_vdso.h"
++#include "vdso_config.h"
+
+ #ifndef timespecsub
+ #define timespecsub(tsp, usp, vsp) \
+@@ -100,15 +101,18 @@ static void vgetrandom_put_state(void *state)
+
+ static void vgetrandom_init(void)
+ {
++ const char *version = versions[VDSO_VERSION];
++ const char *name = names[VDSO_NAMES][6];
+ unsigned long sysinfo_ehdr = getauxval(AT_SYSINFO_EHDR);
++
+ if (!sysinfo_ehdr) {
+ printf("AT_SYSINFO_EHDR is not present!\n");
+ exit(KSFT_SKIP);
+ }
+ vdso_init_from_sysinfo_ehdr(sysinfo_ehdr);
+- vgrnd.fn = (__typeof__(vgrnd.fn))vdso_sym("LINUX_2.6", "__vdso_getrandom");
++ vgrnd.fn = (__typeof__(vgrnd.fn))vdso_sym(version, name);
+ if (!vgrnd.fn) {
+- printf("__vdso_getrandom is missing!\n");
++ printf("%s is missing!\n", name);
+ exit(KSFT_FAIL);
+ }
+ if (vgrnd.fn(NULL, 0, 0, &vgrnd.params, ~0UL) != 0) {
+--
+2.43.0
+
--- /dev/null
+From c9b50796cf3a4d36922dd89158ddbf65c0d2009c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 18:02:11 +0200
+Subject: selftests: vDSO: simplify getrandom thread local storage and structs
+
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+
+[ Upstream commit 01b52f01c5a6bdc3b3e4229dccc84ed667e6867b ]
+
+Rather than using pthread_get/set_specific, just use gcc's __thread
+annotation, which is noticeably faster and makes the code more obvious.
+
+Also, just have one simplified struct called vgrnd, instead of trying to
+split things up semantically. Those divisions were useful when this code
+was split across several commit *messages*, but doesn't make as much
+sense within a single file. This should make the code more clear and
+provide a better example for implementers.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Stable-dep-of: 6eda706a535c ("selftests: vDSO: fix the way vDSO functions are called for powerpc")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/vDSO/vdso_test_getrandom.c | 67 ++++++++-----------
+ 1 file changed, 27 insertions(+), 40 deletions(-)
+
+diff --git a/tools/testing/selftests/vDSO/vdso_test_getrandom.c b/tools/testing/selftests/vDSO/vdso_test_getrandom.c
+index 05122425a873f..89c961175956d 100644
+--- a/tools/testing/selftests/vDSO/vdso_test_getrandom.c
++++ b/tools/testing/selftests/vDSO/vdso_test_getrandom.c
+@@ -38,50 +38,43 @@ static struct {
+ pthread_mutex_t lock;
+ void **states;
+ size_t len, cap;
+-} grnd_allocator = {
+- .lock = PTHREAD_MUTEX_INITIALIZER
+-};
+-
+-static struct {
+ ssize_t(*fn)(void *, size_t, unsigned long, void *, size_t);
+- pthread_key_t key;
+- pthread_once_t initialized;
+ struct vgetrandom_opaque_params params;
+-} grnd_ctx = {
+- .initialized = PTHREAD_ONCE_INIT
++} vgrnd = {
++ .lock = PTHREAD_MUTEX_INITIALIZER
+ };
+
+ static void *vgetrandom_get_state(void)
+ {
+ void *state = NULL;
+
+- pthread_mutex_lock(&grnd_allocator.lock);
+- if (!grnd_allocator.len) {
++ pthread_mutex_lock(&vgrnd.lock);
++ if (!vgrnd.len) {
+ size_t page_size = getpagesize();
+ size_t new_cap;
+ size_t alloc_size, num = sysconf(_SC_NPROCESSORS_ONLN); /* Just a decent heuristic. */
+ void *new_block, *new_states;
+
+- alloc_size = (num * grnd_ctx.params.size_of_opaque_state + page_size - 1) & (~(page_size - 1));
+- num = (page_size / grnd_ctx.params.size_of_opaque_state) * (alloc_size / page_size);
+- new_block = mmap(0, alloc_size, grnd_ctx.params.mmap_prot, grnd_ctx.params.mmap_flags, -1, 0);
++ alloc_size = (num * vgrnd.params.size_of_opaque_state + page_size - 1) & (~(page_size - 1));
++ num = (page_size / vgrnd.params.size_of_opaque_state) * (alloc_size / page_size);
++ new_block = mmap(0, alloc_size, vgrnd.params.mmap_prot, vgrnd.params.mmap_flags, -1, 0);
+ if (new_block == MAP_FAILED)
+ goto out;
+
+- new_cap = grnd_allocator.cap + num;
+- new_states = reallocarray(grnd_allocator.states, new_cap, sizeof(*grnd_allocator.states));
++ new_cap = vgrnd.cap + num;
++ new_states = reallocarray(vgrnd.states, new_cap, sizeof(*vgrnd.states));
+ if (!new_states)
+ goto unmap;
+- grnd_allocator.cap = new_cap;
+- grnd_allocator.states = new_states;
++ vgrnd.cap = new_cap;
++ vgrnd.states = new_states;
+
+ for (size_t i = 0; i < num; ++i) {
+- if (((uintptr_t)new_block & (page_size - 1)) + grnd_ctx.params.size_of_opaque_state > page_size)
++ if (((uintptr_t)new_block & (page_size - 1)) + vgrnd.params.size_of_opaque_state > page_size)
+ new_block = (void *)(((uintptr_t)new_block + page_size - 1) & (~(page_size - 1)));
+- grnd_allocator.states[i] = new_block;
+- new_block += grnd_ctx.params.size_of_opaque_state;
++ vgrnd.states[i] = new_block;
++ new_block += vgrnd.params.size_of_opaque_state;
+ }
+- grnd_allocator.len = num;
++ vgrnd.len = num;
+ goto success;
+
+ unmap:
+@@ -89,10 +82,10 @@ static void *vgetrandom_get_state(void)
+ goto out;
+ }
+ success:
+- state = grnd_allocator.states[--grnd_allocator.len];
++ state = vgrnd.states[--vgrnd.len];
+
+ out:
+- pthread_mutex_unlock(&grnd_allocator.lock);
++ pthread_mutex_unlock(&vgrnd.lock);
+ return state;
+ }
+
+@@ -100,27 +93,25 @@ static void vgetrandom_put_state(void *state)
+ {
+ if (!state)
+ return;
+- pthread_mutex_lock(&grnd_allocator.lock);
+- grnd_allocator.states[grnd_allocator.len++] = state;
+- pthread_mutex_unlock(&grnd_allocator.lock);
++ pthread_mutex_lock(&vgrnd.lock);
++ vgrnd.states[vgrnd.len++] = state;
++ pthread_mutex_unlock(&vgrnd.lock);
+ }
+
+ static void vgetrandom_init(void)
+ {
+- if (pthread_key_create(&grnd_ctx.key, vgetrandom_put_state) != 0)
+- return;
+ unsigned long sysinfo_ehdr = getauxval(AT_SYSINFO_EHDR);
+ if (!sysinfo_ehdr) {
+ printf("AT_SYSINFO_EHDR is not present!\n");
+ exit(KSFT_SKIP);
+ }
+ vdso_init_from_sysinfo_ehdr(sysinfo_ehdr);
+- grnd_ctx.fn = (__typeof__(grnd_ctx.fn))vdso_sym("LINUX_2.6", "__vdso_getrandom");
+- if (!grnd_ctx.fn) {
++ vgrnd.fn = (__typeof__(vgrnd.fn))vdso_sym("LINUX_2.6", "__vdso_getrandom");
++ if (!vgrnd.fn) {
+ printf("__vdso_getrandom is missing!\n");
+ exit(KSFT_FAIL);
+ }
+- if (grnd_ctx.fn(NULL, 0, 0, &grnd_ctx.params, ~0UL) != 0) {
++ if (vgrnd.fn(NULL, 0, 0, &vgrnd.params, ~0UL) != 0) {
+ printf("failed to fetch vgetrandom params!\n");
+ exit(KSFT_FAIL);
+ }
+@@ -128,22 +119,16 @@ static void vgetrandom_init(void)
+
+ static ssize_t vgetrandom(void *buf, size_t len, unsigned long flags)
+ {
+- void *state;
++ static __thread void *state;
+
+- pthread_once(&grnd_ctx.initialized, vgetrandom_init);
+- state = pthread_getspecific(grnd_ctx.key);
+ if (!state) {
+ state = vgetrandom_get_state();
+- if (pthread_setspecific(grnd_ctx.key, state) != 0) {
+- vgetrandom_put_state(state);
+- state = NULL;
+- }
+ if (!state) {
+ printf("vgetrandom_get_state failed!\n");
+ exit(KSFT_FAIL);
+ }
+ }
+- return grnd_ctx.fn(buf, len, flags, state, grnd_ctx.params.size_of_opaque_state);
++ return vgrnd.fn(buf, len, flags, state, vgrnd.params.size_of_opaque_state);
+ }
+
+ enum { TRIALS = 25000000, THREADS = 256 };
+@@ -265,6 +250,8 @@ static void usage(const char *argv0)
+
+ int main(int argc, char *argv[])
+ {
++ vgetrandom_init();
++
+ if (argc == 1) {
+ kselftest();
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 5b9342ad3069af81c4d7d7998a90e2066961a737 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 20:23:23 +0200
+Subject: selftests: vDSO: skip getrandom test if architecture is unsupported
+
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+
+[ Upstream commit f78280b1a3cedd9f68d5f596179675514a15bd1d ]
+
+If the getrandom test compiles for an arch, don't exit fatally if the
+actual cpu it's running on is unsupported.
+
+Suggested-by: Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Stable-dep-of: 6eda706a535c ("selftests: vDSO: fix the way vDSO functions are called for powerpc")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/vDSO/vdso_test_getrandom.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/vDSO/vdso_test_getrandom.c b/tools/testing/selftests/vDSO/vdso_test_getrandom.c
+index 20bbef992c486..5db8ac8999cd0 100644
+--- a/tools/testing/selftests/vDSO/vdso_test_getrandom.c
++++ b/tools/testing/selftests/vDSO/vdso_test_getrandom.c
+@@ -104,6 +104,7 @@ static void vgetrandom_init(void)
+ const char *version = versions[VDSO_VERSION];
+ const char *name = names[VDSO_NAMES][6];
+ unsigned long sysinfo_ehdr = getauxval(AT_SYSINFO_EHDR);
++ size_t ret;
+
+ if (!sysinfo_ehdr) {
+ printf("AT_SYSINFO_EHDR is not present!\n");
+@@ -115,7 +116,11 @@ static void vgetrandom_init(void)
+ printf("%s is missing!\n", name);
+ exit(KSFT_FAIL);
+ }
+- if (vgrnd.fn(NULL, 0, 0, &vgrnd.params, ~0UL) != 0) {
++ ret = vgrnd.fn(NULL, 0, 0, &vgrnd.params, ~0UL);
++ if (ret == -ENOSYS) {
++ printf("unsupported architecture\n");
++ exit(KSFT_SKIP);
++ } else if (ret) {
+ printf("failed to fetch vgetrandom params!\n");
+ exit(KSFT_FAIL);
+ }
+--
+2.43.0
+
--- /dev/null
+From ab1ae916ae0ae8e8241fa0297f11b7b7973d6e32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Aug 2024 14:28:39 +0200
+Subject: selftests: vDSO: use parse_vdso.h in vdso_test_abi
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit f0d0dbbc101a5ed2cd844eae0c2cc0546327ef89 ]
+
+Don't duplicate parse_vdso function prototypes, include
+the header instead.
+
+Fixes: 693f5ca08ca0 ("kselftest: Extend vDSO selftest")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Acked-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/vDSO/vdso_test_abi.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/tools/testing/selftests/vDSO/vdso_test_abi.c b/tools/testing/selftests/vDSO/vdso_test_abi.c
+index 00034208c4c64..a54424e2336f4 100644
+--- a/tools/testing/selftests/vDSO/vdso_test_abi.c
++++ b/tools/testing/selftests/vDSO/vdso_test_abi.c
+@@ -21,10 +21,7 @@
+ #include "../kselftest.h"
+ #include "vdso_config.h"
+ #include "vdso_call.h"
+-
+-extern void *vdso_sym(const char *version, const char *name);
+-extern void vdso_init_from_sysinfo_ehdr(uintptr_t base);
+-extern void vdso_init_from_auxv(void *auxv);
++#include "parse_vdso.h"
+
+ static const char *version;
+ static const char **name;
+--
+2.43.0
+
--- /dev/null
+From d96b07cf44d4c00acee324f81f733cef4face390 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 16:12:25 +0200
+Subject: serial: 8250: omap: Cleanup on error in request_irq
+
+From: Markus Schneider-Pargmann <msp@baylibre.com>
+
+[ Upstream commit 35e648a16018b747897be2ccc3ce95ff23237bb5 ]
+
+If devm_request_irq fails, the code does not cleanup many things that
+were setup before. Instead of directly returning ret we should jump to
+err.
+
+Fixes: fef4f600319e ("serial: 8250: omap: Fix life cycle issues for interrupt handlers")
+Signed-off-by: Markus Schneider-Pargmann <msp@baylibre.com>
+Reviewed-by: Kevin Hilman <khilman@baylibre.com>
+Tested-by: Kevin Hilman <khilman@baylibre.com>
+Link: https://lore.kernel.org/r/20240807141227.1093006-4-msp@baylibre.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_omap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c
+index afef1dd4ddf49..fca5f25d693a7 100644
+--- a/drivers/tty/serial/8250/8250_omap.c
++++ b/drivers/tty/serial/8250/8250_omap.c
+@@ -1581,7 +1581,7 @@ static int omap8250_probe(struct platform_device *pdev)
+ ret = devm_request_irq(&pdev->dev, up.port.irq, omap8250_irq, 0,
+ dev_name(&pdev->dev), priv);
+ if (ret < 0)
+- return ret;
++ goto err;
+
+ priv->wakeirq = irq_of_parse_and_map(np, 1);
+
+--
+2.43.0
+
--- /dev/null
+wifi-ath11k-use-work-queue-to-process-beacon-tx-even.patch
+edac-synopsys-fix-error-injection-on-zynq-ultrascale.patch
+wifi-rtw88-always-wait-for-both-firmware-loading-att.patch
+crypto-xor-fix-template-benchmarking.patch
+crypto-qat-disable-iov-in-adf_dev_stop.patch
+crypto-qat-fix-recovery-flow-for-vfs.patch
+crypto-qat-ensure-correct-order-in-vf-restarting-han.patch
+crypto-iaa-fix-potential-use-after-free-bug.patch
+acpi-pmic-remove-unneeded-check-in-tps68470_pmic_opr.patch
+eth-fbnic-select-devlink-and-page_pool.patch
+wifi-brcmfmac-introducing-fwil-query-functions.patch
+wifi-ath9k-remove-error-checks-when-creating-debugfs.patch
+wifi-ath12k-fix-bss-chan-info-request-wmi-command.patch
+wifi-ath12k-match-wmi-bss-chan-info-structure-with-f.patch
+wifi-ath12k-fix-invalid-ampdu-factor-calculation-in-.patch
+hwrng-cn10k-enable-by-default-cn10k-driver-if-thunde.patch
+crypto-x86-aes-gcm-fix-preempt_rt-issue-in-gcm_crypt.patch
+net-stmmac-dwmac-loongson-init-ref-and-ptp-clocks-ra.patch
+virtio-rename-virtio_config_enabled-to-virtio_config.patch
+virtio-allow-driver-to-disable-the-configure-change-.patch
+virtio-net-synchronize-operstate-with-admin-state-on.patch
+virtio-net-synchronize-probe-with-ndo_set_features.patch
+arm64-signal-fix-some-under-bracketed-uapi-macros.patch
+wifi-rtw89-remove-unused-c2h-event-id-rtw89_mac_c2h_.patch
+wifi-rtw88-remove-cpt-execution-branch-never-used.patch
+risc-v-kvm-fix-sbiret-init-before-forwarding-to-user.patch
+risc-v-kvm-don-t-zero-out-pmu-snapshot-area-before-f.patch
+risc-v-kvm-allow-legacy-pmu-access-from-guest.patch
+risc-v-kvm-fix-to-allow-hpmcounter31-from-the-guest.patch
+mount-handle-oom-on-mnt_warn_timestamp_expiry.patch
+autofs-fix-missing-fput-for-fsconfig_set_fd.patch
+netfilter-nf_tables-store-new-sets-in-dedicated-list.patch
+arm-9410-1-vfp-use-asm-volatile-in-fmrx-fmxr-macros.patch
+powercap-intel_rapl-fix-off-by-one-in-get_rpi.patch
+wifi-rtw89-limit-the-ppdu-length-for-vht-rate-to-0x4.patch
+kselftest-arm64-signal-fix-refactor-sve-vector-lengt.patch
+arm64-smp-smp_send_stop-and-crash_smp_send_stop-shou.patch
+thermal-core-fold-two-functions-into-their-respectiv.patch
+thermal-core-fix-rounding-of-delay-jiffies.patch
+drivers-perf-fix-ali_drw_pmu-driver-interrupt-status.patch
+perf-dwc_pcie-fix-registration-issue-in-multi-pcie-c.patch
+perf-dwc_pcie-always-register-for-pcie-bus-notifier.patch
+crypto-qat-fix-full-going-true-macro-definition.patch
+acpi-video-force-native-for-apple-macbookpro9-2.patch
+wifi-mac80211_hwsim-correct-module_parm_desc-of-mult.patch
+wifi-mac80211-don-t-use-rate-mask-for-offchannel-tx-.patch
+wifi-iwlwifi-config-label-gl-devices-as-discrete.patch
+wifi-iwlwifi-mvm-set-the-cipher-for-secured-ndp-rang.patch
+wifi-iwlwifi-mvm-increase-the-time-between-ranging-m.patch
+wifi-cfg80211-fix-bug-of-mapping-af3x-to-incorrect-u.patch
+wifi-mac80211-fix-the-comeback-long-retry-times.patch
+wifi-iwlwifi-mvm-allow-esr-when-we-the-roc-expires.patch
+wifi-mac80211-check-for-missing-vht-elements-only-fo.patch
+acpica-implement-acpi_warning_once-and-acpi_error_on.patch
+acpica-executer-exsystem-don-t-nag-user-about-every-.patch
+padata-honor-the-caller-s-alignment-in-case-of-chunk.patch
+drivers-perf-hisi_pcie-record-hardware-counts-correc.patch
+drivers-perf-hisi_pcie-fix-tlp-headers-bandwidth-cou.patch
+kselftest-arm64-actually-test-sme-vector-length-chan.patch
+can-j1939-use-correct-function-name-in-comment.patch
+wifi-rtw89-wow-fix-wait-condition-for-aoac-report-re.patch
+acpi-cppc-fix-mask_val-usage.patch
+netfilter-nf_tables-elements-with-timeout-below-conf.patch
+netfilter-nf_tables-reject-element-expiration-with-n.patch
+netfilter-nf_tables-reject-expiration-higher-than-ti.patch
+netfilter-nf_tables-remove-annotation-to-access-set-.patch
+netfilter-nft_dynset-annotate-data-races-around-set-.patch
+perf-arm-cmn-refactor-node-id-handling.-again.patch
+perf-arm-cmn-fix-ccla-register-offset.patch
+perf-arm-cmn-ensure-dtm_idx-is-big-enough.patch
+cpufreq-ti-cpufreq-introduce-quirks-to-handle-syscon.patch
+thermal-gov_bang_bang-adjust-states-of-all-uninitial.patch
+wifi-mt76-mt7915-fix-oops-on-non-dbdc-mt7986.patch
+wifi-mt76-mt7921-fix-wrong-unii-4-freq-range-check-f.patch
+wifi-mt76-mt7996-use-hweight16-to-get-correct-tx-ant.patch
+wifi-mt76-mt7996-fix-traffic-delay-when-switching-ba.patch
+wifi-mt76-mt7996-fix-wmm-set-of-station-interface-to.patch
+wifi-mt76-mt7996-fix-he-and-eht-beamforming-capabili.patch
+wifi-mt76-mt7996-fix-eht-beamforming-capability-chec.patch
+x86-sgx-fix-deadlock-in-sgx-numa-node-search.patch
+pm-cpupower-add-missing-powercap_set_enabled-stub-fu.patch
+crypto-ccp-do-not-request-interrupt-on-cmd-completio.patch
+crypto-hisilicon-hpre-mask-cluster-timeout-error.patch
+crypto-hisilicon-qm-reset-device-before-enabling-it.patch
+crypto-hisilicon-qm-inject-error-before-stopping-que.patch
+wifi-mt76-mt7996-fix-handling-mbss-enable-disable.patch
+wifi-mt76-connac-fix-checksum-offload-fields-of-conn.patch
+wifi-mt76-mt7603-fix-mixed-declarations-and-code.patch
+wifi-cfg80211-fix-ubsan-noise-in-cfg80211_wext_siwsc.patch
+wifi-mt76-mt7915-fix-rx-filter-setting-for-bfee-func.patch
+wifi-mt76-mt7996-fix-uninitialized-tlv-data.patch
+wifi-cfg80211-fix-two-more-possible-ubsan-detected-o.patch
+wifi-mac80211-use-two-phase-skb-reclamation-in-ieee8.patch
+wifi-wilc1000-fix-potential-rcu-dereference-issue-in.patch
+idpf-enable-wb_on_itr.patch
+af_unix-don-t-call-skb_get-for-oob-skb.patch
+af_unix-remove-single-nest-in-manage_oob.patch
+af_unix-rename-unlinked_skb-in-manage_oob.patch
+af_unix-move-spin_lock-in-manage_oob.patch
+af_unix-don-t-return-oob-skb-in-manage_oob.patch
+bluetooth-hci_core-fix-sending-mgmt_ev_connect_faile.patch
+bluetooth-hci_sync-ignore-errors-from-hci_op_remote_.patch
+sock_map-add-a-cond_resched-in-sock_hash_free.patch
+can-bcm-clear-bo-bcm_proc_read-after-remove_proc_ent.patch
+can-m_can-enable-napi-before-enabling-interrupts.patch
+can-m_can-m_can_close-stop-clocks-after-device-has-b.patch
+bluetooth-btusb-fix-not-handling-zpl-short-transfer.patch
+bareudp-pull-inner-ip-header-in-bareudp_udp_encap_re.patch
+bareudp-pull-inner-ip-header-on-xmit.patch
+net-enetc-use-irqf_no_autoen-flag-in-request_irq.patch
+crypto-n2-set-err-to-einval-if-snprintf-fails-for-hm.patch
+xsk-fix-batch-alloc-api-on-non-coherent-systems.patch
+netkit-assign-missing-bpf_net_context.patch
+r8169-disable-aldps-per-default-for-rtl8125.patch
+net-ipv6-rpl_iptunnel-fix-memory-leak-in-rpl_input.patch
+fbnic-set-napi-irq-value-after-calling-netif_napi_ad.patch
+net-tipc-avoid-possible-garbage-value.patch
+ipv6-avoid-possible-null-deref-in-rt6_uncached_list_.patch
+ublk-move-zone-report-data-out-of-request-pdu.patch
+nbd-fix-race-between-timeout-and-normal-completion.patch
+block-bfq-fix-possible-uaf-for-bfqq-bic-with-merge-c.patch
+block-bfq-choose-the-last-bfqq-from-merge-chain-in-b.patch
+block-bfq-don-t-break-merge-chain-in-bfq_split_bfqq.patch
+cachefiles-fix-non-taking-of-sb_writers-around-set-r.patch
+nbd-correct-the-maximum-value-for-discard-sectors.patch
+erofs-fix-incorrect-symlink-detection-in-fast-symlin.patch
+erofs-fix-error-handling-in-z_erofs_init_decompresso.patch
+erofs-handle-overlapped-pclusters-out-of-crafted-ima.patch
+block-bfq-fix-uaf-for-accessing-waker_bfqq-after-spl.patch
+block-bfq-fix-procress-reference-leakage-for-bfqq-in.patch
+io_uring-io-wq-do-not-allow-pinning-outside-of-cpuse.patch
+io_uring-io-wq-inherit-cpuset-of-cgroup-in-io-worker.patch
+block-fix-potential-invalid-pointer-dereference-in-b.patch
+spi-ppc4xx-handle-irq_of_parse_and_map-errors.patch
+arm64-dts-exynos-exynos7885-jackpotlte-correct-ram-a.patch
+arm64-dts-mediatek-mt8186-fix-supported-hw-mask-for-.patch
+firmware-arm_scmi-fix-double-free-in-optee-transport.patch
+spi-ppc4xx-avoid-returning-0-when-failed-to-parse-an.patch
+firmware-qcom-scm-disable-sdi-and-write-no-dump-to-d.patch
+regulator-return-actual-error-in-of_regulator_bulk_g.patch
+arm64-dts-renesas-r9a08g045-correct-gicd-and-gicr-si.patch
+arm64-dts-renesas-r9a07g043u-correct-gicd-and-gicr-s.patch
+arm64-dts-renesas-r9a07g054-correct-gicd-and-gicr-si.patch
+arm64-dts-renesas-r9a07g044-correct-gicd-and-gicr-si.patch
+arm-dts-microchip-sam9x60-fix-rtc-rtt-clocks.patch
+arm64-tegra-correct-location-of-power-sensors-for-ig.patch
+arm64-dts-rockchip-correct-vendor-prefix-for-hardker.patch
+arm64-dts-ti-k3-j721e-sk-fix-reversed-c6x-carveout-l.patch
+arm64-dts-ti-k3-j721e-beagleboneai64-fix-reversed-c6.patch
+spi-bcmbca-hsspi-fix-missing-pm_runtime_disable.patch
+arm64-dts-qcom-x1e80100-fix-phy-for-dp2.patch
+arm-dts-microchip-sama7g5-fix-rtt-clock.patch
+arm-dts-imx7d-zii-rmu2-fix-ethernet-phy-pinctrl-prop.patch
+arm64-dts-ti-k3-am654-idk-fix-dtbs_check-warning-in-.patch
+arm-versatile-fix-of-node-leak-in-cpus-prepare.patch
+reset-berlin-fix-of-node-leak-in-probe-error-path.patch
+reset-k210-fix-of-node-leak-in-probe-error-path.patch
+platform-cznic-turris-omnia-mcu-fix-error-check-in-o.patch
+clocksource-drivers-qcom-add-missing-iounmap-on-erro.patch
+arm64-dts-mediatek-mt8195-correct-clock-order-for-dp.patch
+x86-mm-use-ipis-to-synchronize-lam-enablement.patch
+asoc-rt5682s-return-devm_of_clk_add_hw_provider-to-t.patch
+asoc-tas2781-fix-a-compiling-warning-reported-by-rob.patch
+asoc-tas2781-i2c-drop-weird-gpio-code.patch
+asoc-tas2781-i2c-get-the-right-gpio-line.patch
+selftests-ftrace-add-required-dependency-for-kprobe-.patch
+alsa-hda-cs35l41-fix-module-autoloading.patch
+selftests-ftrace-fix-test-to-handle-both-old-and-new.patch
+x86-boot-64-strip-percpu-address-space-when-setting-.patch
+m68k-fix-kernel_clone_args.flags-in-m68k_clone.patch
+asoc-loongson-fix-error-release.patch
+selftests-ftrace-fix-eventfs-ownership-testcase-to-f.patch
+selftests-resctrl-fix-build-failure-on-archs-without.patch
+cgroup-pids-avoid-spurious-event-notification.patch
+hwmon-max16065-fix-overflows-seen-when-writing-limit.patch
+hwmon-max16065-fix-alarm-attributes.patch
+iommu-arm-smmu-un-demote-unhandled-fault-msg.patch
+iommu-arm-smmu-v3-fix-a-null-vs-is_err-check.patch
+mtd-slram-insert-break-after-errors-in-parsing-the-m.patch
+hwmon-ntc_thermistor-fix-module-autoloading.patch
+power-supply-axp20x_battery-remove-design-from-min-a.patch
+power-supply-max17042_battery-fix-soc-threshold-calc.patch
+fbdev-hpfb-fix-an-error-handling-path-in-hpfb_dio_pr.patch
+iommu-amd-handle-error-path-in-amd_iommu_probe_devic.patch
+iommu-amd-allocate-the-page-table-root-using-gfp_ker.patch
+iommu-amd-move-allocation-of-the-top-table-into-v1_a.patch
+iommu-amd-set-the-pgsize_bitmap-correctly.patch
+iommu-amd-do-not-set-the-d-bit-on-amd-v2-table-entri.patch
+mtd-powernv-add-check-devm_kasprintf-returned-value.patch
+rcu-nocb-fix-rt-throttling-hrtimer-armed-from-offlin.patch
+mtd-rawnand-mtk-use-for_each_child_of_node_scoped.patch
+mtd-rawnand-mtk-factorize-out-the-logic-cleaning-mtk.patch
+mtd-rawnand-mtk-fix-init-error-path.patch
+iommu-arm-smmu-qcom-hide-last-lpass-smmu-context-ban.patch
+iommu-arm-smmu-qcom-work-around-sdm845-adreno-smmu-w.patch
+iommu-arm-smmu-qcom-apply-num_context_bank-fixes-for.patch
+pmdomain-core-harden-inter-column-space-in-debug-sum.patch
+pmdomain-core-fix-managed-by-alignment-in-debug-summ.patch
+drm-stm-fix-an-error-handling-path-in-stm_drm_platfo.patch
+drm-stm-ltdc-check-memory-returned-by-devm_kzalloc.patch
+drm-amd-display-free-bo-used-for-dmub-bounding-box.patch
+drm-amd-display-check-link_res-hpo_dp_link_enc-befor.patch
+drm-amd-display-add-null-check-for-set_output_gamma-.patch
+drm-amdgpu-properly-handle-vbios-fake-edid-sizing.patch
+drm-radeon-properly-handle-vbios-fake-edid-sizing.patch
+drm-amd-display-reset-vrr-config-during-resume.patch
+scsi-smartpqi-revert-propagate-the-multipath-failure.patch
+scsi-sd-don-t-check-if-a-write-for-req_atomic.patch
+scsi-block-don-t-check-req_atomic-for-reads.patch
+scsi-ncr5380-check-for-phase-match-during-pdma-fixup.patch
+drm-amd-amdgpu-properly-tune-the-size-of-struct.patch
+drm-amd-display-improve-fam-control-for-dcn401.patch
+drm-rockchip-vop-allow-4096px-width-scaling.patch
+drm-rockchip-dw_hdmi-fix-reading-edid-when-using-a-f.patch
+drm-radeon-evergreen_cs-fix-int-overflow-errors-in-c.patch
+drm-xe-move-and-export-xe_hw_engine-lookup.patch
+drm-xe-use-reserved-copy-engine-for-user-binds-on-fa.patch
+drm-bridge-lontium-lt8912b-validate-mode-in-drm_brid.patch
+drm-vc4-hdmi-handle-error-case-of-pm_runtime_resume_.patch
+scsi-elx-libefc-fix-potential-use-after-free-in-efc_.patch
+jfs-fix-out-of-bounds-in-dbnextag-and-dialloc.patch
+drm-mediatek-fix-missing-configuration-flags-in-mtk_.patch
+drm-mediatek-use-spin_lock_irqsave-for-crtc-event-lo.patch
+powerpc-8xx-fix-initial-memory-mapping.patch
+powerpc-8xx-fix-kernel-vs-user-address-comparison.patch
+powerpc-vdso-inconditionally-use-cfunc-macro.patch
+selftests-vdso-fix-vdso-name-for-powerpc.patch
+selftests-vdso-fix-vdso_config-for-powerpc.patch
+selftests-vdso-fix-vdso-symbols-lookup-for-powerpc64.patch
+selftests-vdso-simplify-getrandom-thread-local-stora.patch
+selftests-vdso-look-for-arch-specific-function-name-.patch
+selftests-vdso-skip-getrandom-test-if-architecture-i.patch
+selftests-vdso-fix-the-way-vdso-functions-are-called.patch
+selftests-vdso-use-parse_vdso.h-in-vdso_test_abi.patch
+drm-msm-use-a7xx-family-directly-in-gpu_state.patch
+drm-msm-dump-correct-dbgahb-clusters-on-a750.patch
+drm-msm-fix-cp_bv_draw_state_addr-name.patch
+drm-msm-fix-incorrect-file-name-output-in-adreno_req.patch
+drm-msm-a5xx-disable-preemption-in-submits-by-defaul.patch
+drm-msm-a5xx-properly-clear-preemption-records-on-re.patch
+drm-msm-a5xx-fix-races-in-preemption-evaluation-stag.patch
+drm-msm-a5xx-workaround-early-ring-buffer-emptiness-.patch
+ipmi-docs-don-t-advertise-deprecated-sysfs-entries.patch
+drm-msm-dp-enable-widebus-on-all-relevant-chipsets.patch
+drm-msm-dsi-correct-programming-sequence-for-sm8350-.patch
+drm-msm-fix-s-null-argument-error.patch
+platform-x86-ideapad-laptop-make-the-scope_guard-cle.patch
+kselftest-dt-ignore-nodes-that-have-ancestors-disabl.patch
+drivers-drm-exynos_drm_gsc-fix-wrong-assignment-in-g.patch
+drm-amdgpu-fix-invalid-fence-handling-in-amdgpu_vm_t.patch
+xen-use-correct-end-address-of-kernel-for-conflict-c.patch
+hid-wacom-support-sequence-numbers-smaller-than-16-b.patch
+hid-wacom-do-not-warn-about-dropped-packets-for-firs.patch
+ata-libata-clear-did_time_out-for-ata-pt-commands-wi.patch
+xen-introduce-generic-helper-checking-for-memory-map.patch
+xen-move-max_pfn-in-xen_memory_setup-out-of-function.patch
+xen-add-capability-to-remap-non-ram-pages-to-differe.patch
+xen-tolerate-acpi-nvs-memory-overlapping-with-xen-al.patch
+drm-xe-fix-missing-xe_vm_put.patch
+powerpc-vdso-fix-vdso-data-access-when-running-in-a-.patch
+selftests-vdso-fix-elf-hash-table-entry-size-for-s39.patch
+selftests-vdso-fix-vdso_config-for-s390.patch
+xen-swiotlb-add-alignment-check-for-dma-buffers.patch
+xen-swiotlb-fix-allocated-size.patch
+tpm-clean-up-tpm-space-after-command-failure.patch
+sched-fair-make-sched_idle-entity-be-preempted-in-st.patch
+bpf-x64-fix-tailcall-hierarchy.patch
+bpf-arm64-fix-tailcall-hierarchy.patch
+bpf-lsm-add-check-for-bpf-lsm-return-value.patch
+bpf-fix-compare-error-in-function-retval_range_withi.patch
+selftests-bpf-workaround-strict-bpf_lsm-return-value.patch
+selftests-bpf-fix-error-linking-uprobe_multi-on-mips.patch
+selftests-bpf-fix-wrong-binary-in-makefile-log-outpu.patch
+tools-runqslower-fix-ldflags-and-add-ldlibs-support.patch
+bpf-fail-verification-for-sign-extension-of-packet-d.patch
+selftests-bpf-use-pid_t-consistently-in-test_progs.c.patch
+selftests-bpf-fix-compile-error-from-rlim_t-in-sk_st.patch
+selftests-bpf-fix-error-compiling-bpf_iter_setsockop.patch
+selftests-bpf-drop-unneeded-error.h-includes.patch
+selftests-bpf-fix-missing-array_size-definition-in-b.patch
+selftests-bpf-fix-missing-uint_max-definitions-in-be.patch
+selftests-bpf-fix-missing-build_bug_on-declaration.patch
+selftests-bpf-fix-include-of-sys-fcntl.h.patch
+selftests-bpf-fix-compiling-parse_tcp_hdr_opt.c-with.patch
+selftests-bpf-fix-compiling-kfree_skb.c-with-musl-li.patch
+selftests-bpf-fix-compiling-flow_dissector.c-with-mu.patch
+selftests-bpf-fix-compiling-tcp_rtt.c-with-musl-libc.patch
+selftests-bpf-fix-compiling-core_reloc.c-with-musl-l.patch
+selftests-bpf-fix-errors-compiling-lwt_redirect.c-wi.patch
+selftests-bpf-fix-errors-compiling-decap_sanity.c-wi.patch
+selftests-bpf-fix-errors-compiling-crypto_sanity.c-w.patch
+selftests-bpf-fix-errors-compiling-cg_storage_multi..patch
+libbpf-don-t-take-direct-pointers-into-btf-data-from.patch
+selftests-bpf-fix-arg-parsing-in-veristat-test_progs.patch
+selftests-bpf-fix-error-compiling-test_lru_map.c.patch
+selftests-bpf-fix-c-compile-error-from-missing-_bool.patch
+selftests-bpf-fix-redefinition-errors-compiling-lwt_.patch
+selftests-bpf-fix-compile-if-backtrace-support-missi.patch
+selftests-bpf-fix-error-compiling-tc_redirect.c-with.patch
+s390-entry-move-early-program-check-handler-to-entry.patch
+s390-entry-make-early-program-check-handler-relocate.patch
+libbpf-fix-license-for-btf_relocate.c.patch
+samples-bpf-fix-compilation-errors-with-cf-protectio.patch
+selftests-bpf-no-need-to-track-next_match_pos-in-str.patch
+selftests-bpf-extract-test_loader-expect_msgs-as-a-d.patch
+selftests-bpf-allow-checking-xlated-programs-in-veri.patch
+selftests-bpf-__arch_-macro-to-limit-test-cases-to-s.patch
+selftests-bpf-fix-to-avoid-__msg-tag-de-duplication-.patch
+bpf-correctly-handle-malformed-bpf_core_type_id_loca.patch
+selftests-bpf-fix-incorrect-parameters-in-null-point.patch
+libbpf-fix-bpf_object__open_skeleton-s-mishandling-o.patch
+s390-ap-fix-deadlock-caused-by-recursive-lock-of-the.patch
+libbpf-ensure-new-btf-objects-inherit-input-endianne.patch
+xz-cleanup-crc32-edits-from-2018.patch
+kthread-fix-task-state-in-kthread-worker-if-being-fr.patch
+ext4-clear-ext4_group_info_was_trimmed_bit-even-moun.patch
+bpftool-fix-handling-enum64-in-btf-dump-sorting.patch
+sched-deadline-fix-schedstats-vs-deadline-servers.patch
+smackfs-use-rcu_assign_pointer-to-ensure-safe-assign.patch
+ext4-avoid-buffer_head-leak-in-ext4_mark_inode_used.patch
+ext4-avoid-potential-buffer_head-leak-in-__ext4_new_.patch
+ext4-avoid-negative-min_clusters-in-find_group_orlov.patch
+ext4-return-error-on-ext4_find_inline_entry.patch
+ext4-avoid-oob-when-system.data-xattr-changes-undern.patch
+ext4-check-stripe-size-compatibility-on-remount-as-w.patch
+sched-numa-fix-the-vma-scan-starving-issue.patch
+nilfs2-fix-potential-null-ptr-deref-in-nilfs_btree_i.patch
+nilfs2-determine-empty-node-blocks-as-corrupted.patch
+nilfs2-fix-potential-oob-read-in-nilfs_btree_check_d.patch
+sched-pelt-use-rq_clock_task-for-hw_pressure.patch
+bpf-fix-bpf_strtol-and-bpf_strtoul-helpers-for-32bit.patch
+bpf-fix-helper-writes-to-read-only-maps.patch
+bpf-improve-check_raw_mode_ok-test-for-mem_uninit-ta.patch
+bpf-zero-former-arg_ptr_to_-long-int-args-in-case-of.patch
+perf-scripts-python-cs-etm-restore-first-sample-log-.patch
+perf-bpf-move-bpf-disassembly-routines-to-separate-f.patch
+perf-mem-free-the-allocated-sort-string-fixing-a-lea.patch
+perf-callchain-fix-stitch-lbr-memory-leaks.patch
+perf-lock-contention-change-stack_id-type-to-s32.patch
+perf-vendor-events-skx-clx-snr-uncore-cache-event-fi.patch
+perf-inject-fix-leader-sampling-inserting-additional.patch
+perf-report-fix-total-cycles-stdio-output-error.patch
+perf-build-fix-up-broken-capstone-feature-detection-.patch
+perf-sched-timehist-fix-missing-free-of-session-in-p.patch
+perf-stat-display-iostat-headers-correctly.patch
+perf-dwarf-aux-check-allowed-location-expressions-wh.patch
+perf-annotate-data-fix-off-by-one-in-location-range-.patch
+perf-dwarf-aux-handle-bitfield-members-from-pointer-.patch
+perf-hist-don-t-set-hpp_fmt_value-for-members-in-no-.patch
+perf-sched-timehist-fixed-timestamp-error-when-unabl.patch
+perf-time-utils-fix-32-bit-nsec-parsing.patch
+perf-mem-check-mem_events-for-all-eligible-pmus.patch
+perf-mem-fix-missed-p-core-mem-events-on-adl-and-rpl.patch
+clk-imx-clk-audiomix-correct-parent-clock-for-earc_p.patch
+clk-imx-imx6ul-fix-default-parent-for-enet-_ref_sel.patch
+clk-imx-composite-8m-enable-gate-clk-with-mcore_boot.patch
+clk-imx-composite-93-keep-root-clock-on-when-mcore-e.patch
+clk-imx-composite-7ulp-check-the-pcc-present-bit.patch
+clk-imx-fracn-gppll-fix-fractional-part-of-pll-getti.patch
+clk-imx-imx8mp-fix-clock-tree-update-of-tf-a-managed.patch
+clk-imx-imx8qxp-register-dc0_bypass0_clk-before-disp.patch
+clk-imx-imx8qxp-parent-should-be-initialized-earlier.patch
+quota-avoid-missing-put_quota_format-when-dquot_susp.patch
+remoteproc-imx_rproc-correct-ddr-alias-for-i.mx8m.patch
+remoteproc-imx_rproc-initialize-workqueue-earlier.patch
+clk-rockchip-set-parent-rate-for-dclk_vop-clock-on-r.patch
+clk-qcom-dispcc-sm8550-fix-several-supposed-typos.patch
+clk-qcom-dispcc-sm8550-use-rcg2_ops-for-mdss_dptx1_a.patch
+clk-qcom-dispcc-sm8650-update-the-gdsc-flags.patch
+clk-qcom-dispcc-sm8550-use-rcg2_shared_ops-for-esc-r.patch
+leds-bd2606mvv-fix-device-child-node-usage-in-bd2606.patch
+pinctrl-renesas-rzg2l-return-einval-if-the-pin-doesn.patch
+pinctrl-ti-ti-iodelay-fix-some-error-handling-paths.patch
+phy-phy-rockchip-samsung-hdptx-explicitly-include-pm.patch
+input-ilitek_ts_i2c-avoid-wrong-input-subsystem-sync.patch
+input-ilitek_ts_i2c-add-report-id-message-validation.patch
+drivers-media-dvb-frontends-rtl2832-fix-an-out-of-bo.patch
+drivers-media-dvb-frontends-rtl2830-fix-an-out-of-bo.patch
+media-raspberrypi-video_raspberrypi_pisp_be-should-d.patch
+pci-wait-for-link-before-restoring-downstream-buses.patch
+firewire-core-correct-range-of-block-for-case-of-swi.patch
+pci-keystone-fix-if-statement-expression-in-ks_pcie_.patch
+media-staging-media-starfive-camss-drop-obsolete-ret.patch
+clk-qcom-ipq5332-register-gcc_qdss_tsctr_clk_src.patch
+clk-qcom-dispcc-sm8250-use-special-function-for-luci.patch
+leds-pca995x-use-device_for_each_child_node-to-acces.patch
+leds-pca995x-fix-device-child-node-usage-in-pca995x_.patch
+x86-pci-check-pcie_find_root_port-return-for-null.patch
+nvdimm-fix-devs-leaks-in-scan_labels.patch
+pci-xilinx-nwl-fix-register-misspelling.patch
+pci-xilinx-nwl-clean-up-clock-on-probe-failure-remov.patch
+leds-gpio-set-num_leds-after-allocation.patch
+media-platform-rzg2l-cru-rzg2l-csi2-add-missing-modu.patch
+rdma-iwcm-fix-warning-at_kernel-workqueue.c-check_fl.patch
+pinctrl-single-fix-missing-error-code-in-pcs_probe.patch
+clk-at91-sama7g5-allocate-only-the-needed-amount-of-.patch
+iommufd-selftest-fix-buffer-read-overrrun-in-the-dir.patch
+rdma-bnxt_re-fix-the-table-size-for-psn-msn-entries.patch
+media-mediatek-vcodec-fix-h264-multi-stateless-decod.patch
+media-mediatek-vcodec-fix-vp8-stateless-decoder-smat.patch
+media-mediatek-vcodec-fix-h264-stateless-decoder-sma.patch
+media-imagination-video_e5010_jpeg_enc-should-depend.patch
+rdma-rtrs-reset-hb_missed_cnt-after-receiving-other-.patch
+rdma-rtrs-clt-reset-cid-to-con_num-1-to-stay-in-boun.patch
+clk-ti-dra7-atl-fix-leak-of-of_nodes.patch
+clk-starfive-use-pm_runtime_resume_and_get-to-fix-pm.patch
+clk-rockchip-rk3588-fix-32k-clock-name-for-pmu_24m_3.patch
+nfsd-remove-unneeded-eexist-error-check-in-nfsd_do_f.patch
+nfsd-fix-refcount-leak-when-file-is-unhashed-after-b.patch
+pinctrl-mvebu-fix-devinit_dove_pinctrl_probe-functio.patch
+ib-mlx5-fix-umr-pd-cleanup-on-error-flow-of-driver-i.patch
+ib-core-fix-ib_cache_setup_one-error-flow-cleanup.patch
+dt-bindings-pci-layerscape-pci-replace-fsl-lx2160a-p.patch
+iommufd-check-the-domain-owner-of-the-parent-before-.patch
+pci-kirin-fix-buffer-overflow-in-kirin_pcie_parse_po.patch
+rdma-erdma-return-qp-state-in-erdma_query_qp.patch
+rdma-mlx5-fix-counter-update-on-mr-cache-mkey-creati.patch
+rdma-mlx5-limit-usage-of-over-sized-mkeys-from-the-m.patch
+rdma-mlx5-drop-redundant-work-canceling-from-clean_k.patch
+rdma-mlx5-fix-mr-cache-temp-entries-cleanup.patch
+watchdog-imx_sc_wdt-don-t-disable-wdt-in-suspend.patch
+rdma-hns-don-t-modify-rq-next-block-addr-in-hip09-qp.patch
+rdma-hns-fix-use-after-free-of-rsv_qp-on-hip08.patch
+rdma-hns-fix-the-overflow-risk-of-hem_list_calc_ba_r.patch
+rdma-hns-fix-spin_unlock_irqrestore-called-with-irqs.patch
+rdma-hns-fix-vf-triggering-pf-reset-in-abnormal-inte.patch
+rdma-hns-fix-1bit-ecc-recovery-address-in-non-4k-os.patch
+rdma-hns-optimize-hem-allocation-performance.patch
+rdma-hns-fix-restricted-__le16-degrades-to-integer-i.patch
+input-ims-pcu-fix-calling-interruptible-mutex.patch
+rdma-mlx5-obtain-upper-net-device-only-when-needed.patch
+pci-qcom-ep-enable-controller-resources-like-phy-onl.patch
+input-ps2-gpio-use-irqf_no_autoen-flag-in-request_ir.patch
+riscv-fix-fp-alignment-bug-in-perf_callchain_user.patch
+rdma-hns-fix-ah-error-counter-in-sw-stat-not-increas.patch
+rdma-cxgb4-added-null-check-for-lookup_atid.patch
+rdma-irdma-fix-error-message-in-irdma_modify_qp_roce.patch
+ntb-intel-fix-the-null-vs-is_err-bug-for-debugfs_cre.patch
+ntb_perf-fix-printk-format.patch
+ntb-force-physically-contiguous-allocation-of-rx-rin.patch
+nfsd-call-cache_put-if-xdr_reserve_space-returns-nul.patch
+nfsd-return-einval-when-namelen-is-0.patch
+nfsd-untangle-code-in-nfsd4_deleg_getattr_conflict.patch
+nfsd-fix-initial-getattr-on-write-delegation.patch
+crypto-caam-pad-sg-length-when-allocating-hash-edesc.patch
+crypto-powerpc-p10-aes-gcm-disable-crypto_aes_gcm_p1.patch
+f2fs-atomic-fix-to-avoid-racing-w-gc.patch
+f2fs-reduce-expensive-checkpoint-trigger-frequency.patch
+f2fs-fix-to-avoid-racing-in-between-read-and-opu-dio.patch
+f2fs-create-cow-inode-from-parent-dentry-for-atomic-.patch
+f2fs-fix-to-wait-page-writeback-before-setting-gcing.patch
+f2fs-atomic-fix-to-truncate-pagecache-before-on-disk.patch
+f2fs-fix-to-avoid-use-after-free-in-f2fs_stop_gc_thr.patch
+f2fs-compress-don-t-redirty-sparse-cluster-during-de.patch
+f2fs-prevent-atomic-file-from-being-dirtied-before-c.patch
+f2fs-get-rid-of-online-repaire-on-corrupted-director.patch
+f2fs-fix-to-don-t-set-sb_rdonly-in-f2fs_handle_criti.patch
+spi-airoha-fix-dirmap_-read-write-operations.patch
+spi-airoha-fix-airoha_snand_-write-read-_data-data_l.patch
+spi-atmel-quadspi-undo-runtime-pm-changes-at-driver-.patch
+spi-spi-fsl-lpspi-undo-runtime-pm-changes-at-driver-.patch
+lib-sbitmap-define-swap_lock-as-raw_spinlock_t.patch
+spi-airoha-remove-read-cache-in-airoha_snand_dirmap_.patch
+spi-atmel-quadspi-avoid-overwriting-delay-register-s.patch
+nfsv4.2-fix-detection-of-proxying-of-times-server-su.patch
+nvme-multipath-system-fails-to-create-generic-nvme-d.patch
+iio-adc-ad7606-fix-oversampling-gpio-array.patch
+iio-adc-ad7606-fix-standby-gpio-state-to-match-the-d.patch
+usb-dwc2-skip-clock-gating-on-broadcom-socs.patch
+driver-core-fix-error-handling-in-driver-api-device_.patch
+abi-testing-fix-admv8818-attr-description.patch
+iio-chemical-bme680-fix-read-write-ops-to-device-by-.patch
+iio-magnetometer-ak8975-drop-incorrect-ak09116-compa.patch
+dt-bindings-iio-asahi-kasei-ak8975-drop-incorrect-ak.patch
+driver-core-fix-a-potential-null-ptr-deref-in-module.patch
+serial-8250-omap-cleanup-on-error-in-request_irq.patch
+coresight-set-correct-cs_mode-for-tpdm-to-fix-disabl.patch
+coresight-set-correct-cs_mode-for-dummy-source-to-fi.patch
+coresight-tmc-sg-do-not-leak-sg_table.patch
+interconnect-icc-clk-add-missed-num_nodes-initializa.patch
+interconnect-qcom-sm8250-enable-sync_state.patch
+dm-integrity-fix-gcc-5-warning.patch
+cxl-pci-fix-to-record-only-non-zero-ranges.patch
+vdpa-mlx5-fix-invalid-mr-resource-destroy.patch
+vhost_vdpa-assign-irq-bypass-producer-token-correctl.patch
+ep93xx-clock-fix-off-by-one-in-ep93xx_div_recalc_rat.patch
+um-remove-arch_no_preempt_dynamic.patch
+revert-dm-requeue-io-if-mapping-table-not-yet-availa.patch
+net-phy-aquantia-fix-etimedout-phy-probe-failure-whe.patch
+net-xilinx-axienet-schedule-napi-in-two-steps.patch
+net-xilinx-axienet-fix-packet-counting.patch
+netfilter-nf_reject_ipv6-fix-nf_reject_ip6_tcphdr_pu.patch
+net-seeq-fix-use-after-free-vulnerability-in-ether3-.patch
+net-ipv6-select-dst_cache-from-ipv6_rpl_lwtunnel.patch
+tcp-check-skb-is-non-null-in-tcp_rto_delta_us.patch
+net-qrtr-update-packets-cloning-when-broadcasting.patch
+net-phy-aquantia-fix-setting-active_low-bit.patch
+net-phy-aquantia-fix-applying-active_low-bit-after-r.patch
+net-ravb-fix-maximum-tx-frame-size-for-gbeth-devices.patch
+net-ravb-fix-r-car-rx-frame-size-limit.patch
+bonding-fix-unnecessary-warnings-and-logs-from-bond_.patch
+virtio_net-fix-mismatched-buf-address-when-unmapping.patch
+net-stmmac-set-pp_flag_dma_sync_dev-only-if-xdp-is-e.patch
+netfilter-nf_tables-keep-deleted-flowtable-hooks-unt.patch
+netfilter-ctnetlink-compile-ctnetlink_label_size-wit.patch
+netfilter-nf_tables-use-rcu-chain-hook-list-iterator.patch
+netfilter-nf_tables-missing-objects-with-no-memcg-ac.patch
+selftests-netfilter-avoid-hanging-ipvs.sh.patch
--- /dev/null
+From d625474f5816cb816d92f82e3e4efd708fe5d6c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 08:47:26 +0000
+Subject: smackfs: Use rcu_assign_pointer() to ensure safe assignment in
+ smk_set_cipso
+
+From: Jiawei Ye <jiawei.ye@foxmail.com>
+
+[ Upstream commit 2749749afa071f8a0e405605de9da615e771a7ce ]
+
+In the `smk_set_cipso` function, the `skp->smk_netlabel.attr.mls.cat`
+field is directly assigned to a new value without using the appropriate
+RCU pointer assignment functions. According to RCU usage rules, this is
+illegal and can lead to unpredictable behavior, including data
+inconsistencies and impossible-to-diagnose memory corruption issues.
+
+This possible bug was identified using a static analysis tool developed
+by myself, specifically designed to detect RCU-related issues.
+
+To address this, the assignment is now done using rcu_assign_pointer(),
+which ensures that the pointer assignment is done safely, with the
+necessary memory barriers and synchronization. This change prevents
+potential RCU dereference issues by ensuring that the `cat` field is
+safely updated while still adhering to RCU's requirements.
+
+Fixes: 0817534ff9ea ("smackfs: Fix use-after-free in netlbl_catmap_walk()")
+Signed-off-by: Jiawei Ye <jiawei.ye@foxmail.com>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/smack/smackfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
+index e22aad7604e8a..5dd1e164f9b13 100644
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -932,7 +932,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
+ }
+ if (rc >= 0) {
+ old_cat = skp->smk_netlabel.attr.mls.cat;
+- skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat;
++ rcu_assign_pointer(skp->smk_netlabel.attr.mls.cat, ncats.attr.mls.cat);
+ skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl;
+ synchronize_rcu();
+ netlbl_catmap_free(old_cat);
+--
+2.43.0
+
--- /dev/null
+From 5370906972cc3476282536248a1951160112ba3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 15:44:49 +0000
+Subject: sock_map: Add a cond_resched() in sock_hash_free()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b1339be951ad31947ae19bc25cb08769bf255100 ]
+
+Several syzbot soft lockup reports all have in common sock_hash_free()
+
+If a map with a large number of buckets is destroyed, we need to yield
+the cpu when needed.
+
+Fixes: 75e68e5bf2c7 ("bpf, sockhash: Synchronize delete from bucket list on map free")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/bpf/20240906154449.3742932-1-edumazet@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock_map.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/core/sock_map.c b/net/core/sock_map.c
+index d3dbb92153f2f..724b6856fcc3e 100644
+--- a/net/core/sock_map.c
++++ b/net/core/sock_map.c
+@@ -1183,6 +1183,7 @@ static void sock_hash_free(struct bpf_map *map)
+ sock_put(elem->sk);
+ sock_hash_free_elem(htab, elem);
+ }
++ cond_resched();
+ }
+
+ /* wait for psock readers accessing its map link */
+--
+2.43.0
+
--- /dev/null
+From 879e026b7cb70b2271a5dc746033dc200c994204 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 23:07:14 +0200
+Subject: spi: airoha: fix airoha_snand_{write,read}_data data_len estimation
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 0e58637eb968c636725dcd6c7055249b4e5326fb ]
+
+Fix data length written and read in airoha_snand_write_data and
+airoha_snand_read_data routines respectively if it is bigger than
+SPI_MAX_TRANSFER_SIZE.
+
+Fixes: a403997c1201 ("spi: airoha: add SPI-NAND Flash controller driver")
+Tested-by: Christian Marangi <ansuelsmth@gmail.com>
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Link: https://patch.msgid.link/20240913-airoha-spi-fixes-v1-2-de2e74ed4664@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-airoha-snfi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-airoha-snfi.c b/drivers/spi/spi-airoha-snfi.c
+index be3e4ac42153e..c71be702cf6f6 100644
+--- a/drivers/spi/spi-airoha-snfi.c
++++ b/drivers/spi/spi-airoha-snfi.c
+@@ -405,7 +405,7 @@ static int airoha_snand_write_data(struct airoha_snand_ctrl *as_ctrl, u8 cmd,
+ for (i = 0; i < len; i += data_len) {
+ int err;
+
+- data_len = min(len, SPI_MAX_TRANSFER_SIZE);
++ data_len = min(len - i, SPI_MAX_TRANSFER_SIZE);
+ err = airoha_snand_set_fifo_op(as_ctrl, cmd, data_len);
+ if (err)
+ return err;
+@@ -427,7 +427,7 @@ static int airoha_snand_read_data(struct airoha_snand_ctrl *as_ctrl, u8 *data,
+ for (i = 0; i < len; i += data_len) {
+ int err;
+
+- data_len = min(len, SPI_MAX_TRANSFER_SIZE);
++ data_len = min(len - i, SPI_MAX_TRANSFER_SIZE);
+ err = airoha_snand_set_fifo_op(as_ctrl, 0xc, data_len);
+ if (err)
+ return err;
+--
+2.43.0
+
--- /dev/null
+From b79a98d168e9682a3360b3221fc969fce8dca6ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 23:07:13 +0200
+Subject: spi: airoha: fix dirmap_{read,write} operations
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 2e6bbfe7b0c0607001b784082c2685b134174fac ]
+
+SPI_NFI_READ_FROM_CACHE_DONE bit must be written at the end of
+dirmap_read operation even if it is already set.
+In the same way, SPI_NFI_LOAD_TO_CACHE_DONE bit must be written at the
+end of dirmap_write operation even if it is already set.
+For this reason use regmap_write_bits() instead of regmap_set_bits().
+This patch fixes mtd_pagetest kernel module test.
+
+Fixes: a403997c1201 ("spi: airoha: add SPI-NAND Flash controller driver")
+Tested-by: Christian Marangi <ansuelsmth@gmail.com>
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Link: https://patch.msgid.link/20240913-airoha-spi-fixes-v1-1-de2e74ed4664@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-airoha-snfi.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/spi/spi-airoha-snfi.c b/drivers/spi/spi-airoha-snfi.c
+index 9d97ec98881cc..be3e4ac42153e 100644
+--- a/drivers/spi/spi-airoha-snfi.c
++++ b/drivers/spi/spi-airoha-snfi.c
+@@ -739,8 +739,13 @@ static ssize_t airoha_snand_dirmap_read(struct spi_mem_dirmap_desc *desc,
+ if (err)
+ return err;
+
+- err = regmap_set_bits(as_ctrl->regmap_nfi, REG_SPI_NFI_SNF_STA_CTL1,
+- SPI_NFI_READ_FROM_CACHE_DONE);
++ /*
++ * SPI_NFI_READ_FROM_CACHE_DONE bit must be written at the end
++ * of dirmap_read operation even if it is already set.
++ */
++ err = regmap_write_bits(as_ctrl->regmap_nfi, REG_SPI_NFI_SNF_STA_CTL1,
++ SPI_NFI_READ_FROM_CACHE_DONE,
++ SPI_NFI_READ_FROM_CACHE_DONE);
+ if (err)
+ return err;
+
+@@ -870,8 +875,13 @@ static ssize_t airoha_snand_dirmap_write(struct spi_mem_dirmap_desc *desc,
+ if (err)
+ return err;
+
+- err = regmap_set_bits(as_ctrl->regmap_nfi, REG_SPI_NFI_SNF_STA_CTL1,
+- SPI_NFI_LOAD_TO_CACHE_DONE);
++ /*
++ * SPI_NFI_LOAD_TO_CACHE_DONE bit must be written at the end
++ * of dirmap_write operation even if it is already set.
++ */
++ err = regmap_write_bits(as_ctrl->regmap_nfi, REG_SPI_NFI_SNF_STA_CTL1,
++ SPI_NFI_LOAD_TO_CACHE_DONE,
++ SPI_NFI_LOAD_TO_CACHE_DONE);
+ if (err)
+ return err;
+
+--
+2.43.0
+
--- /dev/null
+From 40f0d5cdece19ab1c8bad5d2b17c473097168a23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Sep 2024 18:57:16 +0200
+Subject: spi: airoha: remove read cache in airoha_snand_dirmap_read()
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit fffca269e4f31c3633c6d810833ba1b184407915 ]
+
+Current upstream driver reports errors running mtd_oobtest kernel module
+test:
+
+root@OpenWrt:/# insmod mtd_test.ko
+root@OpenWrt:/# insmod mtd_oobtest.ko dev=5
+[ 7023.730584] =================================================
+[ 7023.736399] mtd_oobtest: MTD device: 5
+[ 7023.740160] mtd_oobtest: MTD device size 3670016, eraseblock size 131072, page size 2048, count of eraseblocks 28, pages per eraseblock 64, OOB size 128
+[ 7023.753837] mtd_test: scanning for bad eraseblocks
+[ 7023.758636] mtd_test: scanned 28 eraseblocks, 0 are bad
+[ 7023.763861] mtd_oobtest: test 1 of 5
+[ 7024.042076] mtd_oobtest: writing OOBs of whole device
+[ 7024.682069] mtd_oobtest: written up to eraseblock 0
+[ 7041.962077] mtd_oobtest: written 28 eraseblocks
+[ 7041.966626] mtd_oobtest: verifying all eraseblocks
+[ 7041.972276] mtd_oobtest: error @addr[0x0:0x0] 0xff -> 0xe diff 0xf1
+[ 7041.978550] mtd_oobtest: error @addr[0x0:0x1] 0xff -> 0x10 diff 0xef
+[ 7041.984932] mtd_oobtest: error @addr[0x0:0x2] 0xff -> 0x82 diff 0x7d
+[ 7041.991293] mtd_oobtest: error @addr[0x0:0x3] 0xff -> 0x10 diff 0xef
+[ 7041.997659] mtd_oobtest: error @addr[0x0:0x4] 0xff -> 0x0 diff 0xff
+[ 7042.003942] mtd_oobtest: error @addr[0x0:0x5] 0xff -> 0x8a diff 0x75
+[ 7042.010294] mtd_oobtest: error @addr[0x0:0x6] 0xff -> 0x20 diff 0xdf
+[ 7042.016659] mtd_oobtest: error @addr[0x0:0x7] 0xff -> 0x1 diff 0xfe
+[ 7042.022935] mtd_oobtest: error @addr[0x0:0x8] 0xff -> 0x2e diff 0xd1
+[ 7042.029295] mtd_oobtest: error @addr[0x0:0x9] 0xff -> 0x40 diff 0xbf
+[ 7042.035661] mtd_oobtest: error @addr[0x0:0xa] 0xff -> 0x0 diff 0xff
+[ 7042.041935] mtd_oobtest: error @addr[0x0:0xb] 0xff -> 0x89 diff 0x76
+[ 7042.048300] mtd_oobtest: error @addr[0x0:0xc] 0xff -> 0x82 diff 0x7d
+[ 7042.054662] mtd_oobtest: error @addr[0x0:0xd] 0xff -> 0x15 diff 0xea
+[ 7042.061014] mtd_oobtest: error @addr[0x0:0xe] 0xff -> 0x90 diff 0x6f
+[ 7042.067380] mtd_oobtest: error @addr[0x0:0xf] 0xff -> 0x0 diff 0xff
+....
+[ 7432.421369] mtd_oobtest: error @addr[0x237800:0x36] 0xff -> 0x5f diff 0xa0
+[ 7432.428242] mtd_oobtest: error @addr[0x237800:0x37] 0xff -> 0x21 diff 0xde
+[ 7432.435118] mtd_oobtest: error: verify failed at 0x237800
+[ 7432.440510] mtd_oobtest: error: too many errors
+[ 7432.445053] mtd_oobtest: error -1 occurred
+
+The above errors are due to the buggy logic in the 'read cache' available
+in airoha_snand_dirmap_read() routine since there are some corner cases
+where we are missing data updates. Since we do not get any read/write speed
+improvement using the cache (according to the mtd_speedtest kernel
+module test), in order to fix the mtd_oobtest test, remove the 'read cache'
+in airoha_snand_dirmap_read routine. Now the driver is passing all the
+tests available in mtd_test suite.
+
+Fixes: a403997c1201 ("spi: airoha: add SPI-NAND Flash controller driver")
+Tested-by: Christian Marangi <ansuelsmth@gmail.com>
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Link: https://patch.msgid.link/20240919-airoha-spi-fixes-v2-1-cb0f0ed9920a@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-airoha-snfi.c | 21 ---------------------
+ 1 file changed, 21 deletions(-)
+
+diff --git a/drivers/spi/spi-airoha-snfi.c b/drivers/spi/spi-airoha-snfi.c
+index c71be702cf6f6..94458df53eae2 100644
+--- a/drivers/spi/spi-airoha-snfi.c
++++ b/drivers/spi/spi-airoha-snfi.c
+@@ -211,9 +211,6 @@ struct airoha_snand_dev {
+
+ u8 *txrx_buf;
+ dma_addr_t dma_addr;
+-
+- u64 cur_page_num;
+- bool data_need_update;
+ };
+
+ struct airoha_snand_ctrl {
+@@ -644,11 +641,6 @@ static ssize_t airoha_snand_dirmap_read(struct spi_mem_dirmap_desc *desc,
+ u32 val, rd_mode;
+ int err;
+
+- if (!as_dev->data_need_update)
+- return len;
+-
+- as_dev->data_need_update = false;
+-
+ switch (op->cmd.opcode) {
+ case SPI_NAND_OP_READ_FROM_CACHE_DUAL:
+ rd_mode = 1;
+@@ -895,23 +887,11 @@ static ssize_t airoha_snand_dirmap_write(struct spi_mem_dirmap_desc *desc,
+ static int airoha_snand_exec_op(struct spi_mem *mem,
+ const struct spi_mem_op *op)
+ {
+- struct airoha_snand_dev *as_dev = spi_get_ctldata(mem->spi);
+ u8 data[8], cmd, opcode = op->cmd.opcode;
+ struct airoha_snand_ctrl *as_ctrl;
+ int i, err;
+
+ as_ctrl = spi_controller_get_devdata(mem->spi->controller);
+- if (opcode == SPI_NAND_OP_PROGRAM_EXECUTE &&
+- op->addr.val == as_dev->cur_page_num) {
+- as_dev->data_need_update = true;
+- } else if (opcode == SPI_NAND_OP_PAGE_READ) {
+- if (!as_dev->data_need_update &&
+- op->addr.val == as_dev->cur_page_num)
+- return 0;
+-
+- as_dev->data_need_update = true;
+- as_dev->cur_page_num = op->addr.val;
+- }
+
+ /* switch to manual mode */
+ err = airoha_snand_set_mode(as_ctrl, SPI_MODE_MANUAL);
+@@ -996,7 +976,6 @@ static int airoha_snand_setup(struct spi_device *spi)
+ if (dma_mapping_error(as_ctrl->dev, as_dev->dma_addr))
+ return -ENOMEM;
+
+- as_dev->data_need_update = true;
+ spi_set_ctldata(spi, as_dev);
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 31c4b7ed588ee6f2619e30a845a39c1874df3f3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Sep 2024 10:27:43 +0200
+Subject: spi: atmel-quadspi: Avoid overwriting delay register settings
+
+From: Alexander Dahl <ada@thorsis.com>
+
+[ Upstream commit 329ca3eed4a9a161515a8714be6ba182321385c7 ]
+
+Previously the MR and SCR registers were just set with the supposedly
+required values, from cached register values (cached reg content
+initialized to zero).
+
+All parts fixed here did not consider the current register (cache)
+content, which would make future support of cs_setup, cs_hold, and
+cs_inactive impossible.
+
+Setting SCBR in atmel_qspi_setup() erases a possible DLYBS setting from
+atmel_qspi_set_cs_timing(). The DLYBS setting is applied by ORing over
+the current setting, without resetting the bits first. All writes to MR
+did not consider possible settings of DLYCS and DLYBCT.
+
+Signed-off-by: Alexander Dahl <ada@thorsis.com>
+Fixes: f732646d0ccd ("spi: atmel-quadspi: Add support for configuring CS timing")
+Link: https://patch.msgid.link/20240918082744.379610-2-ada@thorsis.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/atmel-quadspi.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/spi/atmel-quadspi.c b/drivers/spi/atmel-quadspi.c
+index 466c01b31123b..b557ce94da209 100644
+--- a/drivers/spi/atmel-quadspi.c
++++ b/drivers/spi/atmel-quadspi.c
+@@ -375,9 +375,9 @@ static int atmel_qspi_set_cfg(struct atmel_qspi *aq,
+ * If the QSPI controller is set in regular SPI mode, set it in
+ * Serial Memory Mode (SMM).
+ */
+- if (aq->mr != QSPI_MR_SMM) {
+- atmel_qspi_write(QSPI_MR_SMM, aq, QSPI_MR);
+- aq->mr = QSPI_MR_SMM;
++ if (!(aq->mr & QSPI_MR_SMM)) {
++ aq->mr |= QSPI_MR_SMM;
++ atmel_qspi_write(aq->scr, aq, QSPI_MR);
+ }
+
+ /* Clear pending interrupts */
+@@ -501,7 +501,8 @@ static int atmel_qspi_setup(struct spi_device *spi)
+ if (ret < 0)
+ return ret;
+
+- aq->scr = QSPI_SCR_SCBR(scbr);
++ aq->scr &= ~QSPI_SCR_SCBR_MASK;
++ aq->scr |= QSPI_SCR_SCBR(scbr);
+ atmel_qspi_write(aq->scr, aq, QSPI_SCR);
+
+ pm_runtime_mark_last_busy(ctrl->dev.parent);
+@@ -534,6 +535,7 @@ static int atmel_qspi_set_cs_timing(struct spi_device *spi)
+ if (ret < 0)
+ return ret;
+
++ aq->scr &= ~QSPI_SCR_DLYBS_MASK;
+ aq->scr |= QSPI_SCR_DLYBS(cs_setup);
+ atmel_qspi_write(aq->scr, aq, QSPI_SCR);
+
+@@ -549,8 +551,8 @@ static void atmel_qspi_init(struct atmel_qspi *aq)
+ atmel_qspi_write(QSPI_CR_SWRST, aq, QSPI_CR);
+
+ /* Set the QSPI controller by default in Serial Memory Mode */
+- atmel_qspi_write(QSPI_MR_SMM, aq, QSPI_MR);
+- aq->mr = QSPI_MR_SMM;
++ aq->mr |= QSPI_MR_SMM;
++ atmel_qspi_write(aq->mr, aq, QSPI_MR);
+
+ /* Enable the QSPI controller */
+ atmel_qspi_write(QSPI_CR_QSPIEN, aq, QSPI_CR);
+--
+2.43.0
+
--- /dev/null
+From 3ae58762f5a32933be0d13670f9fdbc234f6172b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 10:39:56 +0800
+Subject: spi: atmel-quadspi: Undo runtime PM changes at driver exit time
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 438efb23f9581659495b85f1f6c7d5946200660c ]
+
+It's important to undo pm_runtime_use_autosuspend() with
+pm_runtime_dont_use_autosuspend() at driver exit time unless driver
+initially enabled pm_runtime with devm_pm_runtime_enable()
+(which handles it for you).
+
+Hence, call pm_runtime_dont_use_autosuspend() at driver exit time
+to fix it.
+
+Fixes: 4a2f83b7f780 ("spi: atmel-quadspi: add runtime pm support")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Link: https://patch.msgid.link/20240906023956.1004440-1-ruanjinjie@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/atmel-quadspi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/atmel-quadspi.c b/drivers/spi/atmel-quadspi.c
+index 5aaff3bee1b78..466c01b31123b 100644
+--- a/drivers/spi/atmel-quadspi.c
++++ b/drivers/spi/atmel-quadspi.c
+@@ -726,6 +726,7 @@ static void atmel_qspi_remove(struct platform_device *pdev)
+ clk_unprepare(aq->pclk);
+
+ pm_runtime_disable(&pdev->dev);
++ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ pm_runtime_put_noidle(&pdev->dev);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 30ff8a7d1e8ed380a84f4c1ea303a9763d6275f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 20:49:02 +0800
+Subject: spi: bcmbca-hsspi: Fix missing pm_runtime_disable()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 4439a2e92cb89028b22c5d7ba1b99e75d7d889f6 ]
+
+The pm_runtime_disable() is missing in remove function, use
+devm_pm_runtime_enable() to fix it. So the pm_runtime_disable() in
+the probe error path can also be removed.
+
+Fixes: a38a2233f23b ("spi: bcmbca-hsspi: Add driver for newer HSSPI controller")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Reviewed-by: William Zhang <william.zhang@broadcom.com>
+Link: https://patch.msgid.link/20240826124903.3429235-2-ruanjinjie@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-bcmbca-hsspi.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/spi/spi-bcmbca-hsspi.c b/drivers/spi/spi-bcmbca-hsspi.c
+index 9f64afd8164ea..4965bc86d7f52 100644
+--- a/drivers/spi/spi-bcmbca-hsspi.c
++++ b/drivers/spi/spi-bcmbca-hsspi.c
+@@ -546,12 +546,14 @@ static int bcmbca_hsspi_probe(struct platform_device *pdev)
+ goto out_put_host;
+ }
+
+- pm_runtime_enable(&pdev->dev);
++ ret = devm_pm_runtime_enable(&pdev->dev);
++ if (ret)
++ goto out_put_host;
+
+ ret = sysfs_create_group(&pdev->dev.kobj, &bcmbca_hsspi_group);
+ if (ret) {
+ dev_err(&pdev->dev, "couldn't register sysfs group\n");
+- goto out_pm_disable;
++ goto out_put_host;
+ }
+
+ /* register and we are done */
+@@ -565,8 +567,6 @@ static int bcmbca_hsspi_probe(struct platform_device *pdev)
+
+ out_sysgroup_disable:
+ sysfs_remove_group(&pdev->dev.kobj, &bcmbca_hsspi_group);
+-out_pm_disable:
+- pm_runtime_disable(&pdev->dev);
+ out_put_host:
+ spi_controller_put(host);
+ out_disable_pll_clk:
+--
+2.43.0
+
--- /dev/null
+From a892751c37eacc70129f216ea02cece1a84c968a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Aug 2024 17:45:12 +0300
+Subject: spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 7781f1d120fec8624fc654eda900fc8748262082 ]
+
+0 is incorrect error code when failed to parse and map IRQ.
+Replace OF specific old API for IRQ retrieval with a generic
+one to fix this issue.
+
+Fixes: 0f245463b01e ("spi: ppc4xx: handle irq_of_parse_and_map() errors")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://patch.msgid.link/20240814144525.2648450-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-ppc4xx.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-ppc4xx.c b/drivers/spi/spi-ppc4xx.c
+index 01fdecbf132d6..8f6309f32de0b 100644
+--- a/drivers/spi/spi-ppc4xx.c
++++ b/drivers/spi/spi-ppc4xx.c
+@@ -27,7 +27,6 @@
+ #include <linux/wait.h>
+ #include <linux/platform_device.h>
+ #include <linux/of_address.h>
+-#include <linux/of_irq.h>
+ #include <linux/of_platform.h>
+ #include <linux/interrupt.h>
+ #include <linux/delay.h>
+@@ -412,9 +411,10 @@ static int spi_ppc4xx_of_probe(struct platform_device *op)
+ }
+
+ /* Request IRQ */
+- hw->irqnum = irq_of_parse_and_map(np, 0);
+- if (hw->irqnum <= 0)
++ ret = platform_get_irq(op, 0);
++ if (ret < 0)
+ goto free_host;
++ hw->irqnum = ret;
+
+ ret = request_irq(hw->irqnum, spi_ppc4xx_int,
+ 0, "spi_ppc4xx_of", (void *)hw);
+--
+2.43.0
+
--- /dev/null
+From c6444605bf3283fae41d6a03fac398723d6c9ad1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jul 2024 16:40:47 +0800
+Subject: spi: ppc4xx: handle irq_of_parse_and_map() errors
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+[ Upstream commit 0f245463b01ea254ae90e1d0389e90b0e7d8dc75 ]
+
+Zero and negative number is not a valid IRQ for in-kernel code and the
+irq_of_parse_and_map() function returns zero on error. So this check for
+valid IRQs should only accept values > 0.
+
+Fixes: 44dab88e7cc9 ("spi: add spi_ppc4xx driver")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Link: https://patch.msgid.link/20240724084047.1506084-1-make24@iscas.ac.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-ppc4xx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/spi/spi-ppc4xx.c b/drivers/spi/spi-ppc4xx.c
+index 942c3117ab3a9..01fdecbf132d6 100644
+--- a/drivers/spi/spi-ppc4xx.c
++++ b/drivers/spi/spi-ppc4xx.c
+@@ -413,6 +413,9 @@ static int spi_ppc4xx_of_probe(struct platform_device *op)
+
+ /* Request IRQ */
+ hw->irqnum = irq_of_parse_and_map(np, 0);
++ if (hw->irqnum <= 0)
++ goto free_host;
++
+ ret = request_irq(hw->irqnum, spi_ppc4xx_int,
+ 0, "spi_ppc4xx_of", (void *)hw);
+ if (ret) {
+--
+2.43.0
+
--- /dev/null
+From d1a2cffb55cc2a06a5638d76bd0d309038d32082 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 10:12:51 +0800
+Subject: spi: spi-fsl-lpspi: Undo runtime PM changes at driver exit time
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 3b577de206d52dbde9428664b6d823d35a803d75 ]
+
+It's important to undo pm_runtime_use_autosuspend() with
+pm_runtime_dont_use_autosuspend() at driver exit time unless driver
+initially enabled pm_runtime with devm_pm_runtime_enable()
+(which handles it for you).
+
+Hence, call pm_runtime_dont_use_autosuspend() at driver exit time
+to fix it.
+
+Fixes: 944c01a889d9 ("spi: lpspi: enable runtime pm for lpspi")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Link: https://patch.msgid.link/20240906021251.610462-1-ruanjinjie@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-fsl-lpspi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi-fsl-lpspi.c b/drivers/spi/spi-fsl-lpspi.c
+index 8ecb426be45c7..977e8b55c82b7 100644
+--- a/drivers/spi/spi-fsl-lpspi.c
++++ b/drivers/spi/spi-fsl-lpspi.c
+@@ -986,6 +986,7 @@ static void fsl_lpspi_remove(struct platform_device *pdev)
+
+ fsl_lpspi_dma_exit(controller);
+
++ pm_runtime_dont_use_autosuspend(fsl_lpspi->dev);
+ pm_runtime_disable(fsl_lpspi->dev);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 7e6d9351c006a571f9583f0a19f3f5c9c0148850 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2024 15:08:22 -0400
+Subject: tcp: check skb is non-NULL in tcp_rto_delta_us()
+
+From: Josh Hunt <johunt@akamai.com>
+
+[ Upstream commit c8770db2d54437a5f49417ae7b46f7de23d14db6 ]
+
+We have some machines running stock Ubuntu 20.04.6 which is their 5.4.0-174-generic
+kernel that are running ceph and recently hit a null ptr dereference in
+tcp_rearm_rto(). Initially hitting it from the TLP path, but then later we also
+saw it getting hit from the RACK case as well. Here are examples of the oops
+messages we saw in each of those cases:
+
+Jul 26 15:05:02 rx [11061395.780353] BUG: kernel NULL pointer dereference, address: 0000000000000020
+Jul 26 15:05:02 rx [11061395.787572] #PF: supervisor read access in kernel mode
+Jul 26 15:05:02 rx [11061395.792971] #PF: error_code(0x0000) - not-present page
+Jul 26 15:05:02 rx [11061395.798362] PGD 0 P4D 0
+Jul 26 15:05:02 rx [11061395.801164] Oops: 0000 [#1] SMP NOPTI
+Jul 26 15:05:02 rx [11061395.805091] CPU: 0 PID: 9180 Comm: msgr-worker-1 Tainted: G W 5.4.0-174-generic #193-Ubuntu
+Jul 26 15:05:02 rx [11061395.814996] Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023
+Jul 26 15:05:02 rx [11061395.825952] RIP: 0010:tcp_rearm_rto+0xe4/0x160
+Jul 26 15:05:02 rx [11061395.830656] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3
+Jul 26 15:05:02 rx [11061395.849665] RSP: 0018:ffffb75d40003e08 EFLAGS: 00010246
+Jul 26 15:05:02 rx [11061395.855149] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000
+Jul 26 15:05:02 rx [11061395.862542] RDX: 0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60
+Jul 26 15:05:02 rx [11061395.869933] RBP: ffffb75d40003e20 R08: 0000000000000000 R09: ffff987605e20aa8
+Jul 26 15:05:02 rx [11061395.877318] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12: ffff9874ad283900
+Jul 26 15:05:02 rx [11061395.884710] R13: ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30
+Jul 26 15:05:02 rx [11061395.892095] FS: 00007f1ef4a2e700(0000) GS:ffff987605e00000(0000) knlGS:0000000000000000
+Jul 26 15:05:02 rx [11061395.900438] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+Jul 26 15:05:02 rx [11061395.906435] CR2: 0000000000000020 CR3: 0000003e450ba003 CR4: 0000000000760ef0
+Jul 26 15:05:02 rx [11061395.913822] PKRU: 55555554
+Jul 26 15:05:02 rx [11061395.916786] Call Trace:
+Jul 26 15:05:02 rx [11061395.919488]
+Jul 26 15:05:02 rx [11061395.921765] ? show_regs.cold+0x1a/0x1f
+Jul 26 15:05:02 rx [11061395.925859] ? __die+0x90/0xd9
+Jul 26 15:05:02 rx [11061395.929169] ? no_context+0x196/0x380
+Jul 26 15:05:02 rx [11061395.933088] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0
+Jul 26 15:05:02 rx [11061395.938216] ? ip6_sublist_rcv_finish+0x3d/0x50
+Jul 26 15:05:02 rx [11061395.943000] ? __bad_area_nosemaphore+0x50/0x1a0
+Jul 26 15:05:02 rx [11061395.947873] ? bad_area_nosemaphore+0x16/0x20
+Jul 26 15:05:02 rx [11061395.952486] ? do_user_addr_fault+0x267/0x450
+Jul 26 15:05:02 rx [11061395.957104] ? ipv6_list_rcv+0x112/0x140
+Jul 26 15:05:02 rx [11061395.961279] ? __do_page_fault+0x58/0x90
+Jul 26 15:05:02 rx [11061395.965458] ? do_page_fault+0x2c/0xe0
+Jul 26 15:05:02 rx [11061395.969465] ? page_fault+0x34/0x40
+Jul 26 15:05:02 rx [11061395.973217] ? tcp_rearm_rto+0xe4/0x160
+Jul 26 15:05:02 rx [11061395.977313] ? tcp_rearm_rto+0xe4/0x160
+Jul 26 15:05:02 rx [11061395.981408] tcp_send_loss_probe+0x10b/0x220
+Jul 26 15:05:02 rx [11061395.985937] tcp_write_timer_handler+0x1b4/0x240
+Jul 26 15:05:02 rx [11061395.990809] tcp_write_timer+0x9e/0xe0
+Jul 26 15:05:02 rx [11061395.994814] ? tcp_write_timer_handler+0x240/0x240
+Jul 26 15:05:02 rx [11061395.999866] call_timer_fn+0x32/0x130
+Jul 26 15:05:02 rx [11061396.003782] __run_timers.part.0+0x180/0x280
+Jul 26 15:05:02 rx [11061396.008309] ? recalibrate_cpu_khz+0x10/0x10
+Jul 26 15:05:02 rx [11061396.012841] ? native_x2apic_icr_write+0x30/0x30
+Jul 26 15:05:02 rx [11061396.017718] ? lapic_next_event+0x21/0x30
+Jul 26 15:05:02 rx [11061396.021984] ? clockevents_program_event+0x8f/0xe0
+Jul 26 15:05:02 rx [11061396.027035] run_timer_softirq+0x2a/0x50
+Jul 26 15:05:02 rx [11061396.031212] __do_softirq+0xd1/0x2c1
+Jul 26 15:05:02 rx [11061396.035044] do_softirq_own_stack+0x2a/0x40
+Jul 26 15:05:02 rx [11061396.039480]
+Jul 26 15:05:02 rx [11061396.041840] do_softirq.part.0+0x46/0x50
+Jul 26 15:05:02 rx [11061396.046022] __local_bh_enable_ip+0x50/0x60
+Jul 26 15:05:02 rx [11061396.050460] _raw_spin_unlock_bh+0x1e/0x20
+Jul 26 15:05:02 rx [11061396.054817] nf_conntrack_tcp_packet+0x29e/0xbe0 [nf_conntrack]
+Jul 26 15:05:02 rx [11061396.060994] ? get_l4proto+0xe7/0x190 [nf_conntrack]
+Jul 26 15:05:02 rx [11061396.066220] nf_conntrack_in+0xe9/0x670 [nf_conntrack]
+Jul 26 15:05:02 rx [11061396.071618] ipv6_conntrack_local+0x14/0x20 [nf_conntrack]
+Jul 26 15:05:02 rx [11061396.077356] nf_hook_slow+0x45/0xb0
+Jul 26 15:05:02 rx [11061396.081098] ip6_xmit+0x3f0/0x5d0
+Jul 26 15:05:02 rx [11061396.084670] ? ipv6_anycast_cleanup+0x50/0x50
+Jul 26 15:05:02 rx [11061396.089282] ? __sk_dst_check+0x38/0x70
+Jul 26 15:05:02 rx [11061396.093381] ? inet6_csk_route_socket+0x13b/0x200
+Jul 26 15:05:02 rx [11061396.098346] inet6_csk_xmit+0xa7/0xf0
+Jul 26 15:05:02 rx [11061396.102263] __tcp_transmit_skb+0x550/0xb30
+Jul 26 15:05:02 rx [11061396.106701] tcp_write_xmit+0x3c6/0xc20
+Jul 26 15:05:02 rx [11061396.110792] ? __alloc_skb+0x98/0x1d0
+Jul 26 15:05:02 rx [11061396.114708] __tcp_push_pending_frames+0x37/0x100
+Jul 26 15:05:02 rx [11061396.119667] tcp_push+0xfd/0x100
+Jul 26 15:05:02 rx [11061396.123150] tcp_sendmsg_locked+0xc70/0xdd0
+Jul 26 15:05:02 rx [11061396.127588] tcp_sendmsg+0x2d/0x50
+Jul 26 15:05:02 rx [11061396.131245] inet6_sendmsg+0x43/0x70
+Jul 26 15:05:02 rx [11061396.135075] __sock_sendmsg+0x48/0x70
+Jul 26 15:05:02 rx [11061396.138994] ____sys_sendmsg+0x212/0x280
+Jul 26 15:05:02 rx [11061396.143172] ___sys_sendmsg+0x88/0xd0
+Jul 26 15:05:02 rx [11061396.147098] ? __seccomp_filter+0x7e/0x6b0
+Jul 26 15:05:02 rx [11061396.151446] ? __switch_to+0x39c/0x460
+Jul 26 15:05:02 rx [11061396.155453] ? __switch_to_asm+0x42/0x80
+Jul 26 15:05:02 rx [11061396.159636] ? __switch_to_asm+0x5a/0x80
+Jul 26 15:05:02 rx [11061396.163816] __sys_sendmsg+0x5c/0xa0
+Jul 26 15:05:02 rx [11061396.167647] __x64_sys_sendmsg+0x1f/0x30
+Jul 26 15:05:02 rx [11061396.171832] do_syscall_64+0x57/0x190
+Jul 26 15:05:02 rx [11061396.175748] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
+Jul 26 15:05:02 rx [11061396.181055] RIP: 0033:0x7f1ef692618d
+Jul 26 15:05:02 rx [11061396.184893] Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 ca ee ff ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 48 89 44 24 08 e8 fe ee ff ff 48
+Jul 26 15:05:02 rx [11061396.203889] RSP: 002b:00007f1ef4a26aa0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
+Jul 26 15:05:02 rx [11061396.211708] RAX: ffffffffffffffda RBX: 000000000000084b RCX: 00007f1ef692618d
+Jul 26 15:05:02 rx [11061396.219091] RDX: 0000000000004000 RSI: 00007f1ef4a26b10 RDI: 0000000000000275
+Jul 26 15:05:02 rx [11061396.226475] RBP: 0000000000004000 R08: 0000000000000000 R09: 0000000000000020
+Jul 26 15:05:02 rx [11061396.233859] R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000084b
+Jul 26 15:05:02 rx [11061396.241243] R13: 00007f1ef4a26b10 R14: 0000000000000275 R15: 000055592030f1e8
+Jul 26 15:05:02 rx [11061396.248628] Modules linked in: vrf bridge stp llc vxlan ip6_udp_tunnel udp_tunnel nls_iso8859_1 amd64_edac_mod edac_mce_amd kvm_amd kvm crct10dif_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper wmi_bmof ipmi_ssif input_leds joydev rndis_host cdc_ether usbnet mii ast drm_vram_helper ttm drm_kms_helper i2c_algo_bit fb_sys_fops syscopyarea sysfillrect sysimgblt ccp mac_hid ipmi_si ipmi_devintf ipmi_msghandler nft_ct sch_fq_codel nf_tables_set nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink ramoops reed_solomon efi_pstore drm ip_tables x_tables autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid0 multipath linear mlx5_ib ib_uverbs ib_core raid1 mlx5_core hid_generic pci_hyperv_intf crc32_pclmul tls usbhid ahci mlxfw bnxt_en libahci hid nvme i2c_piix4 nvme_core wmi
+Jul 26 15:05:02 rx [11061396.324334] CR2: 0000000000000020
+Jul 26 15:05:02 rx [11061396.327944] ---[ end trace 68a2b679d1cfb4f1 ]---
+Jul 26 15:05:02 rx [11061396.433435] RIP: 0010:tcp_rearm_rto+0xe4/0x160
+Jul 26 15:05:02 rx [11061396.438137] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3
+Jul 26 15:05:02 rx [11061396.457144] RSP: 0018:ffffb75d40003e08 EFLAGS: 00010246
+Jul 26 15:05:02 rx [11061396.462629] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000
+Jul 26 15:05:02 rx [11061396.470012] RDX: 0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60
+Jul 26 15:05:02 rx [11061396.477396] RBP: ffffb75d40003e20 R08: 0000000000000000 R09: ffff987605e20aa8
+Jul 26 15:05:02 rx [11061396.484779] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12: ffff9874ad283900
+Jul 26 15:05:02 rx [11061396.492164] R13: ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30
+Jul 26 15:05:02 rx [11061396.499547] FS: 00007f1ef4a2e700(0000) GS:ffff987605e00000(0000) knlGS:0000000000000000
+Jul 26 15:05:02 rx [11061396.507886] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+Jul 26 15:05:02 rx [11061396.513884] CR2: 0000000000000020 CR3: 0000003e450ba003 CR4: 0000000000760ef0
+Jul 26 15:05:02 rx [11061396.521267] PKRU: 55555554
+Jul 26 15:05:02 rx [11061396.524230] Kernel panic - not syncing: Fatal exception in interrupt
+Jul 26 15:05:02 rx [11061396.530885] Kernel Offset: 0x1b200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
+Jul 26 15:05:03 rx [11061396.660181] ---[ end Kernel panic - not syncing: Fatal
+ exception in interrupt ]---
+
+After we hit this we disabled TLP by setting tcp_early_retrans to 0 and then hit the crash in the RACK case:
+
+Aug 7 07:26:16 rx [1006006.265582] BUG: kernel NULL pointer dereference, address: 0000000000000020
+Aug 7 07:26:16 rx [1006006.272719] #PF: supervisor read access in kernel mode
+Aug 7 07:26:16 rx [1006006.278030] #PF: error_code(0x0000) - not-present page
+Aug 7 07:26:16 rx [1006006.283343] PGD 0 P4D 0
+Aug 7 07:26:16 rx [1006006.286057] Oops: 0000 [#1] SMP NOPTI
+Aug 7 07:26:16 rx [1006006.289896] CPU: 5 PID: 0 Comm: swapper/5 Tainted: G W 5.4.0-174-generic #193-Ubuntu
+Aug 7 07:26:16 rx [1006006.299107] Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023
+Aug 7 07:26:16 rx [1006006.309970] RIP: 0010:tcp_rearm_rto+0xe4/0x160
+Aug 7 07:26:16 rx [1006006.314584] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3
+Aug 7 07:26:16 rx [1006006.333499] RSP: 0018:ffffb42600a50960 EFLAGS: 00010246
+Aug 7 07:26:16 rx [1006006.338895] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000
+Aug 7 07:26:16 rx [1006006.346193] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff92d687ed8160
+Aug 7 07:26:16 rx [1006006.353489] RBP: ffffb42600a50978 R08: 0000000000000000 R09: 00000000cd896dcc
+Aug 7 07:26:16 rx [1006006.360786] R10: ffff92dc3404f400 R11: 0000000000000001 R12: ffff92d687ed8000
+Aug 7 07:26:16 rx [1006006.368084] R13: ffff92d687ed8160 R14: 00000000cd896dcc R15: 00000000cd8fca81
+Aug 7 07:26:16 rx [1006006.375381] FS: 0000000000000000(0000) GS:ffff93158ad40000(0000) knlGS:0000000000000000
+Aug 7 07:26:16 rx [1006006.383632] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+Aug 7 07:26:16 rx [1006006.389544] CR2: 0000000000000020 CR3: 0000003e775ce006 CR4: 0000000000760ee0
+Aug 7 07:26:16 rx [1006006.396839] PKRU: 55555554
+Aug 7 07:26:16 rx [1006006.399717] Call Trace:
+Aug 7 07:26:16 rx [1006006.402335]
+Aug 7 07:26:16 rx [1006006.404525] ? show_regs.cold+0x1a/0x1f
+Aug 7 07:26:16 rx [1006006.408532] ? __die+0x90/0xd9
+Aug 7 07:26:16 rx [1006006.411760] ? no_context+0x196/0x380
+Aug 7 07:26:16 rx [1006006.415599] ? __bad_area_nosemaphore+0x50/0x1a0
+Aug 7 07:26:16 rx [1006006.420392] ? _raw_spin_lock+0x1e/0x30
+Aug 7 07:26:16 rx [1006006.424401] ? bad_area_nosemaphore+0x16/0x20
+Aug 7 07:26:16 rx [1006006.428927] ? do_user_addr_fault+0x267/0x450
+Aug 7 07:26:16 rx [1006006.433450] ? __do_page_fault+0x58/0x90
+Aug 7 07:26:16 rx [1006006.437542] ? do_page_fault+0x2c/0xe0
+Aug 7 07:26:16 rx [1006006.441470] ? page_fault+0x34/0x40
+Aug 7 07:26:16 rx [1006006.445134] ? tcp_rearm_rto+0xe4/0x160
+Aug 7 07:26:16 rx [1006006.449145] tcp_ack+0xa32/0xb30
+Aug 7 07:26:16 rx [1006006.452542] tcp_rcv_established+0x13c/0x670
+Aug 7 07:26:16 rx [1006006.456981] ? sk_filter_trim_cap+0x48/0x220
+Aug 7 07:26:16 rx [1006006.461419] tcp_v6_do_rcv+0xdb/0x450
+Aug 7 07:26:16 rx [1006006.465257] tcp_v6_rcv+0xc2b/0xd10
+Aug 7 07:26:16 rx [1006006.468918] ip6_protocol_deliver_rcu+0xd3/0x4e0
+Aug 7 07:26:16 rx [1006006.473706] ip6_input_finish+0x15/0x20
+Aug 7 07:26:16 rx [1006006.477710] ip6_input+0xa2/0xb0
+Aug 7 07:26:16 rx [1006006.481109] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0
+Aug 7 07:26:16 rx [1006006.486151] ip6_sublist_rcv_finish+0x3d/0x50
+Aug 7 07:26:16 rx [1006006.490679] ip6_sublist_rcv+0x1aa/0x250
+Aug 7 07:26:16 rx [1006006.494779] ? ip6_rcv_finish_core.isra.0+0xa0/0xa0
+Aug 7 07:26:16 rx [1006006.499828] ipv6_list_rcv+0x112/0x140
+Aug 7 07:26:16 rx [1006006.503748] __netif_receive_skb_list_core+0x1a4/0x250
+Aug 7 07:26:16 rx [1006006.509057] netif_receive_skb_list_internal+0x1a1/0x2b0
+Aug 7 07:26:16 rx [1006006.514538] gro_normal_list.part.0+0x1e/0x40
+Aug 7 07:26:16 rx [1006006.519068] napi_complete_done+0x91/0x130
+Aug 7 07:26:16 rx [1006006.523352] mlx5e_napi_poll+0x18e/0x610 [mlx5_core]
+Aug 7 07:26:16 rx [1006006.528481] net_rx_action+0x142/0x390
+Aug 7 07:26:16 rx [1006006.532398] __do_softirq+0xd1/0x2c1
+Aug 7 07:26:16 rx [1006006.536142] irq_exit+0xae/0xb0
+Aug 7 07:26:16 rx [1006006.539452] do_IRQ+0x5a/0xf0
+Aug 7 07:26:16 rx [1006006.542590] common_interrupt+0xf/0xf
+Aug 7 07:26:16 rx [1006006.546421]
+Aug 7 07:26:16 rx [1006006.548695] RIP: 0010:native_safe_halt+0xe/0x10
+Aug 7 07:26:16 rx [1006006.553399] Code: 7b ff ff ff eb bd 90 90 90 90 90 90 e9 07 00 00 00 0f 00 2d 36 2c 50 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 26 2c 50 00 fb f4 90 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 53 e8 dd 5e 61 ff 65
+Aug 7 07:26:16 rx [1006006.572309] RSP: 0018:ffffb42600177e70 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffc2
+Aug 7 07:26:16 rx [1006006.580040] RAX: ffffffff8ed08b20 RBX: 0000000000000005 RCX: 0000000000000001
+Aug 7 07:26:16 rx [1006006.587337] RDX: 00000000f48eeca2 RSI: 0000000000000082 RDI: 0000000000000082
+Aug 7 07:26:16 rx [1006006.594635] RBP: ffffb42600177e90 R08: 0000000000000000 R09: 000000000000020f
+Aug 7 07:26:16 rx [1006006.601931] R10: 0000000000100000 R11: 0000000000000000 R12: 0000000000000005
+Aug 7 07:26:16 rx [1006006.609229] R13: ffff93157deb5f00 R14: 0000000000000000 R15: 0000000000000000
+Aug 7 07:26:16 rx [1006006.616530] ? __cpuidle_text_start+0x8/0x8
+Aug 7 07:26:16 rx [1006006.620886] ? default_idle+0x20/0x140
+Aug 7 07:26:16 rx [1006006.624804] arch_cpu_idle+0x15/0x20
+Aug 7 07:26:16 rx [1006006.628545] default_idle_call+0x23/0x30
+Aug 7 07:26:16 rx [1006006.632640] do_idle+0x1fb/0x270
+Aug 7 07:26:16 rx [1006006.636035] cpu_startup_entry+0x20/0x30
+Aug 7 07:26:16 rx [1006006.640126] start_secondary+0x178/0x1d0
+Aug 7 07:26:16 rx [1006006.644218] secondary_startup_64+0xa4/0xb0
+Aug 7 07:26:17 rx [1006006.648568] Modules linked in: vrf bridge stp llc vxlan ip6_udp_tunnel udp_tunnel nls_iso8859_1 nft_ct amd64_edac_mod edac_mce_amd kvm_amd kvm crct10dif_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper wmi_bmof ipmi_ssif input_leds joydev rndis_host cdc_ether usbnet ast mii drm_vram_helper ttm drm_kms_helper i2c_algo_bit fb_sys_fops syscopyarea sysfillrect sysimgblt ccp mac_hid ipmi_si ipmi_devintf ipmi_msghandler sch_fq_codel nf_tables_set nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink ramoops reed_solomon efi_pstore drm ip_tables x_tables autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid0 multipath linear mlx5_ib ib_uverbs ib_core raid1 hid_generic mlx5_core pci_hyperv_intf crc32_pclmul usbhid ahci tls mlxfw bnxt_en hid libahci nvme i2c_piix4 nvme_core wmi [last unloaded: cpuid]
+Aug 7 07:26:17 rx [1006006.726180] CR2: 0000000000000020
+Aug 7 07:26:17 rx [1006006.729718] ---[ end trace e0e2e37e4e612984 ]---
+
+Prior to seeing the first crash and on other machines we also see the warning in
+tcp_send_loss_probe() where packets_out is non-zero, but both transmit and retrans
+queues are empty so we know the box is seeing some accounting issue in this area:
+
+Jul 26 09:15:27 kernel: ------------[ cut here ]------------
+Jul 26 09:15:27 kernel: invalid inflight: 2 state 1 cwnd 68 mss 8988
+Jul 26 09:15:27 kernel: WARNING: CPU: 16 PID: 0 at net/ipv4/tcp_output.c:2605 tcp_send_loss_probe+0x214/0x220
+Jul 26 09:15:27 kernel: Modules linked in: vrf bridge stp llc vxlan ip6_udp_tunnel udp_tunnel nls_iso8859_1 nft_ct amd64_edac_mod edac_mce_amd kvm_amd kvm crct10dif_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper wmi_bmof ipmi_ssif joydev input_leds rndis_host cdc_ether usbnet mii ast drm_vram_helper ttm drm_kms_he>
+Jul 26 09:15:27 kernel: CPU: 16 PID: 0 Comm: swapper/16 Not tainted 5.4.0-174-generic #193-Ubuntu
+Jul 26 09:15:27 kernel: Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023
+Jul 26 09:15:27 kernel: RIP: 0010:tcp_send_loss_probe+0x214/0x220
+Jul 26 09:15:27 kernel: Code: 08 26 01 00 75 e2 41 0f b6 54 24 12 41 8b 8c 24 c0 06 00 00 45 89 f0 48 c7 c7 e0 b4 20 a7 c6 05 8d 08 26 01 01 e8 4a c0 0f 00 <0f> 0b eb ba 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41
+Jul 26 09:15:27 kernel: RSP: 0018:ffffb7838088ce00 EFLAGS: 00010286
+Jul 26 09:15:27 kernel: RAX: 0000000000000000 RBX: ffff9b84b5630430 RCX: 0000000000000006
+Jul 26 09:15:27 kernel: RDX: 0000000000000007 RSI: 0000000000000096 RDI: ffff9b8e4621c8c0
+Jul 26 09:15:27 kernel: RBP: ffffb7838088ce18 R08: 0000000000000927 R09: 0000000000000004
+Jul 26 09:15:27 kernel: R10: 0000000000000000 R11: 0000000000000001 R12: ffff9b84b5630000
+Jul 26 09:15:27 kernel: R13: 0000000000000000 R14: 000000000000231c R15: ffff9b84b5630430
+Jul 26 09:15:27 kernel: FS: 0000000000000000(0000) GS:ffff9b8e46200000(0000) knlGS:0000000000000000
+Jul 26 09:15:27 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+Jul 26 09:15:27 kernel: CR2: 000056238cec2380 CR3: 0000003e49ede005 CR4: 0000000000760ee0
+Jul 26 09:15:27 kernel: PKRU: 55555554
+Jul 26 09:15:27 kernel: Call Trace:
+Jul 26 09:15:27 kernel: <IRQ>
+Jul 26 09:15:27 kernel: ? show_regs.cold+0x1a/0x1f
+Jul 26 09:15:27 kernel: ? __warn+0x98/0xe0
+Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220
+Jul 26 09:15:27 kernel: ? report_bug+0xd1/0x100
+Jul 26 09:15:27 kernel: ? do_error_trap+0x9b/0xc0
+Jul 26 09:15:27 kernel: ? do_invalid_op+0x3c/0x50
+Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220
+Jul 26 09:15:27 kernel: ? invalid_op+0x1e/0x30
+Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220
+Jul 26 09:15:27 kernel: tcp_write_timer_handler+0x1b4/0x240
+Jul 26 09:15:27 kernel: tcp_write_timer+0x9e/0xe0
+Jul 26 09:15:27 kernel: ? tcp_write_timer_handler+0x240/0x240
+Jul 26 09:15:27 kernel: call_timer_fn+0x32/0x130
+Jul 26 09:15:27 kernel: __run_timers.part.0+0x180/0x280
+Jul 26 09:15:27 kernel: ? timerqueue_add+0x9b/0xb0
+Jul 26 09:15:27 kernel: ? enqueue_hrtimer+0x3d/0x90
+Jul 26 09:15:27 kernel: ? do_error_trap+0x9b/0xc0
+Jul 26 09:15:27 kernel: ? do_invalid_op+0x3c/0x50
+Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220
+Jul 26 09:15:27 kernel: ? invalid_op+0x1e/0x30
+Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220
+Jul 26 09:15:27 kernel: tcp_write_timer_handler+0x1b4/0x240
+Jul 26 09:15:27 kernel: tcp_write_timer+0x9e/0xe0
+Jul 26 09:15:27 kernel: ? tcp_write_timer_handler+0x240/0x240
+Jul 26 09:15:27 kernel: call_timer_fn+0x32/0x130
+Jul 26 09:15:27 kernel: __run_timers.part.0+0x180/0x280
+Jul 26 09:15:27 kernel: ? timerqueue_add+0x9b/0xb0
+Jul 26 09:15:27 kernel: ? enqueue_hrtimer+0x3d/0x90
+Jul 26 09:15:27 kernel: ? recalibrate_cpu_khz+0x10/0x10
+Jul 26 09:15:27 kernel: ? ktime_get+0x3e/0xa0
+Jul 26 09:15:27 kernel: ? native_x2apic_icr_write+0x30/0x30
+Jul 26 09:15:27 kernel: run_timer_softirq+0x2a/0x50
+Jul 26 09:15:27 kernel: __do_softirq+0xd1/0x2c1
+Jul 26 09:15:27 kernel: irq_exit+0xae/0xb0
+Jul 26 09:15:27 kernel: smp_apic_timer_interrupt+0x7b/0x140
+Jul 26 09:15:27 kernel: apic_timer_interrupt+0xf/0x20
+Jul 26 09:15:27 kernel: </IRQ>
+Jul 26 09:15:27 kernel: RIP: 0010:native_safe_halt+0xe/0x10
+Jul 26 09:15:27 kernel: Code: 7b ff ff ff eb bd 90 90 90 90 90 90 e9 07 00 00 00 0f 00 2d 36 2c 50 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 26 2c 50 00 fb f4 <c3> 90 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 53 e8 dd 5e 61 ff 65
+Jul 26 09:15:27 kernel: RSP: 0018:ffffb783801cfe70 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
+Jul 26 09:15:27 kernel: RAX: ffffffffa6908b20 RBX: 0000000000000010 RCX: 0000000000000001
+Jul 26 09:15:27 kernel: RDX: 000000006fc0c97e RSI: 0000000000000082 RDI: 0000000000000082
+Jul 26 09:15:27 kernel: RBP: ffffb783801cfe90 R08: 0000000000000000 R09: 0000000000000225
+Jul 26 09:15:27 kernel: R10: 0000000000100000 R11: 0000000000000000 R12: 0000000000000010
+Jul 26 09:15:27 kernel: R13: ffff9b8e390b0000 R14: 0000000000000000 R15: 0000000000000000
+Jul 26 09:15:27 kernel: ? __cpuidle_text_start+0x8/0x8
+Jul 26 09:15:27 kernel: ? default_idle+0x20/0x140
+Jul 26 09:15:27 kernel: arch_cpu_idle+0x15/0x20
+Jul 26 09:15:27 kernel: default_idle_call+0x23/0x30
+Jul 26 09:15:27 kernel: do_idle+0x1fb/0x270
+Jul 26 09:15:27 kernel: cpu_startup_entry+0x20/0x30
+Jul 26 09:15:27 kernel: start_secondary+0x178/0x1d0
+Jul 26 09:15:27 kernel: secondary_startup_64+0xa4/0xb0
+Jul 26 09:15:27 kernel: ---[ end trace e7ac822987e33be1 ]---
+
+The NULL ptr deref is coming from tcp_rto_delta_us() attempting to pull an skb
+off the head of the retransmit queue and then dereferencing that skb to get the
+skb_mstamp_ns value via tcp_skb_timestamp_us(skb).
+
+The crash is the same one that was reported a # of years ago here:
+https://lore.kernel.org/netdev/86c0f836-9a7c-438b-d81a-839be45f1f58@gmail.com/T/#t
+
+and the kernel we're running has the fix which was added to resolve this issue.
+
+Unfortunately we've been unsuccessful so far in reproducing this problem in the
+lab and do not have the luxury of pushing out a new kernel to try and test if
+newer kernels resolve this issue at the moment. I realize this is a report
+against both an Ubuntu kernel and also an older 5.4 kernel. I have reported this
+issue to Ubuntu here: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2077657
+however I feel like since this issue has possibly cropped up again it makes
+sense to build in some protection in this path (even on the latest kernel
+versions) since the code in question just blindly assumes there's a valid skb
+without testing if it's NULL b/f it looks at the timestamp.
+
+Given we have seen crashes in this path before and now this case it seems like
+we should protect ourselves for when packets_out accounting is incorrect.
+While we should fix that root cause we should also just make sure the skb
+is not NULL before dereferencing it. Also add a warn once here to capture
+some information if/when the problem case is hit again.
+
+Fixes: e1a10ef7fa87 ("tcp: introduce tcp_rto_delta_us() helper for xmit timer fix")
+Signed-off-by: Josh Hunt <johunt@akamai.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/tcp.h | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 2aac11e7e1cc5..196c148fce8a8 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -2434,9 +2434,26 @@ static inline s64 tcp_rto_delta_us(const struct sock *sk)
+ {
+ const struct sk_buff *skb = tcp_rtx_queue_head(sk);
+ u32 rto = inet_csk(sk)->icsk_rto;
+- u64 rto_time_stamp_us = tcp_skb_timestamp_us(skb) + jiffies_to_usecs(rto);
+
+- return rto_time_stamp_us - tcp_sk(sk)->tcp_mstamp;
++ if (likely(skb)) {
++ u64 rto_time_stamp_us = tcp_skb_timestamp_us(skb) + jiffies_to_usecs(rto);
++
++ return rto_time_stamp_us - tcp_sk(sk)->tcp_mstamp;
++ } else {
++ WARN_ONCE(1,
++ "rtx queue emtpy: "
++ "out:%u sacked:%u lost:%u retrans:%u "
++ "tlp_high_seq:%u sk_state:%u ca_state:%u "
++ "advmss:%u mss_cache:%u pmtu:%u\n",
++ tcp_sk(sk)->packets_out, tcp_sk(sk)->sacked_out,
++ tcp_sk(sk)->lost_out, tcp_sk(sk)->retrans_out,
++ tcp_sk(sk)->tlp_high_seq, sk->sk_state,
++ inet_csk(sk)->icsk_ca_state,
++ tcp_sk(sk)->advmss, tcp_sk(sk)->mss_cache,
++ inet_csk(sk)->icsk_pmtu_cookie);
++ return jiffies_to_usecs(rto);
++ }
++
+ }
+
+ /*
+--
+2.43.0
+
--- /dev/null
+From 3671f6da9f2879ba88f7a2a56564d296f85a3157 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2024 21:47:36 +0200
+Subject: thermal: core: Fix rounding of delay jiffies
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 8144dbe68c493baa412d78f41a57e90a6461f6c3 ]
+
+Using round_jiffies() in thermal_set_delay_jiffies() is invalid because
+its argument should be time in the future in absolute jiffies and it
+computes the result with respect to the current jiffies value at the
+invocation time. Fortunately, in the majority of cases it does not
+make any difference due to the time_is_after_jiffies() check in
+round_jiffies_common().
+
+While using round_jiffies_relative() instead of round_jiffies() might
+reflect the intent a bit better, it still would not be defensible
+because that function should be called when the timer is about to be
+set and it is not suitable for pre-computation of delay values.
+
+Accordingly, drop thermal_set_delay_jiffies() altogether, simply
+convert polling_delay and passive_delay to jiffies during thermal
+zone initialization and make thermal_zone_device_set_polling() call
+round_jiffies_relative() on the delay if it is greather than 1 second.
+
+Fixes: 17d399cd9c89 ("thermal/core: Precompute the delays from msecs to jiffies")
+Fixes: e5f2cda61d06 ("thermal/core: Move thermal_set_delay_jiffies to static")
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://patch.msgid.link/1994438.PYKUYFuaPT@rjwysocki.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/thermal_core.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
+index 3ba8dd804026f..93c16aff0df20 100644
+--- a/drivers/thermal/thermal_core.c
++++ b/drivers/thermal/thermal_core.c
+@@ -323,11 +323,15 @@ static void thermal_zone_broken_disable(struct thermal_zone_device *tz)
+ static void thermal_zone_device_set_polling(struct thermal_zone_device *tz,
+ unsigned long delay)
+ {
+- if (delay)
+- mod_delayed_work(system_freezable_power_efficient_wq,
+- &tz->poll_queue, delay);
+- else
++ if (!delay) {
+ cancel_delayed_work(&tz->poll_queue);
++ return;
++ }
++
++ if (delay > HZ)
++ delay = round_jiffies_relative(delay);
++
++ mod_delayed_work(system_freezable_power_efficient_wq, &tz->poll_queue, delay);
+ }
+
+ static void thermal_zone_recheck(struct thermal_zone_device *tz, int error)
+@@ -1330,13 +1334,6 @@ void thermal_cooling_device_unregister(struct thermal_cooling_device *cdev)
+ }
+ EXPORT_SYMBOL_GPL(thermal_cooling_device_unregister);
+
+-static void thermal_set_delay_jiffies(unsigned long *delay_jiffies, int delay_ms)
+-{
+- *delay_jiffies = msecs_to_jiffies(delay_ms);
+- if (delay_ms > 1000)
+- *delay_jiffies = round_jiffies(*delay_jiffies);
+-}
+-
+ int thermal_zone_get_crit_temp(struct thermal_zone_device *tz, int *temp)
+ {
+ const struct thermal_trip_desc *td;
+@@ -1482,8 +1479,8 @@ thermal_zone_device_register_with_trips(const char *type,
+ td->threshold = INT_MAX;
+ }
+
+- thermal_set_delay_jiffies(&tz->passive_delay_jiffies, passive_delay);
+- thermal_set_delay_jiffies(&tz->polling_delay_jiffies, polling_delay);
++ tz->polling_delay_jiffies = msecs_to_jiffies(polling_delay);
++ tz->passive_delay_jiffies = msecs_to_jiffies(passive_delay);
+ tz->recheck_delay_jiffies = THERMAL_RECHECK_DELAY;
+
+ /* sys I/F */
+--
+2.43.0
+
--- /dev/null
+From b18c758491feef56dde117cb3cc0498fa45b0992 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Aug 2024 17:50:30 +0200
+Subject: thermal: core: Fold two functions into their respective callers
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit a8bbe6f10f78f85243ff821432c5d798a6d99ed4 ]
+
+Fold bind_cdev() into __thermal_cooling_device_register() and bind_tz()
+into thermal_zone_device_register_with_trips() to reduce code bloat and
+make it somewhat easier to follow the code flow.
+
+No intentional functional impact.
+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Zhang Rui <rui.zhang@intel.com>
+Reviewed-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://patch.msgid.link/2962184.e9J7NaK4W3@rjwysocki.net
+Stable-dep-of: 8144dbe68c49 ("thermal: core: Fix rounding of delay jiffies")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/thermal_core.c | 55 ++++++++++++----------------------
+ 1 file changed, 19 insertions(+), 36 deletions(-)
+
+diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
+index e6669aeda1fff..3ba8dd804026f 100644
+--- a/drivers/thermal/thermal_core.c
++++ b/drivers/thermal/thermal_core.c
+@@ -991,20 +991,6 @@ void print_bind_err_msg(struct thermal_zone_device *tz,
+ tz->type, cdev->type, ret);
+ }
+
+-static void bind_cdev(struct thermal_cooling_device *cdev)
+-{
+- int ret;
+- struct thermal_zone_device *pos = NULL;
+-
+- list_for_each_entry(pos, &thermal_tz_list, node) {
+- if (pos->ops.bind) {
+- ret = pos->ops.bind(pos, cdev);
+- if (ret)
+- print_bind_err_msg(pos, cdev, ret);
+- }
+- }
+-}
+-
+ /**
+ * __thermal_cooling_device_register() - register a new thermal cooling device
+ * @np: a pointer to a device tree node.
+@@ -1100,7 +1086,13 @@ __thermal_cooling_device_register(struct device_node *np,
+ list_add(&cdev->node, &thermal_cdev_list);
+
+ /* Update binding information for 'this' new cdev */
+- bind_cdev(cdev);
++ list_for_each_entry(pos, &thermal_tz_list, node) {
++ if (pos->ops.bind) {
++ ret = pos->ops.bind(pos, cdev);
++ if (ret)
++ print_bind_err_msg(pos, cdev, ret);
++ }
++ }
+
+ list_for_each_entry(pos, &thermal_tz_list, node)
+ if (atomic_cmpxchg(&pos->need_update, 1, 0))
+@@ -1338,25 +1330,6 @@ void thermal_cooling_device_unregister(struct thermal_cooling_device *cdev)
+ }
+ EXPORT_SYMBOL_GPL(thermal_cooling_device_unregister);
+
+-static void bind_tz(struct thermal_zone_device *tz)
+-{
+- int ret;
+- struct thermal_cooling_device *pos = NULL;
+-
+- if (!tz->ops.bind)
+- return;
+-
+- mutex_lock(&thermal_list_lock);
+-
+- list_for_each_entry(pos, &thermal_cdev_list, node) {
+- ret = tz->ops.bind(tz, pos);
+- if (ret)
+- print_bind_err_msg(tz, pos, ret);
+- }
+-
+- mutex_unlock(&thermal_list_lock);
+-}
+-
+ static void thermal_set_delay_jiffies(unsigned long *delay_jiffies, int delay_ms)
+ {
+ *delay_jiffies = msecs_to_jiffies(delay_ms);
+@@ -1554,13 +1527,23 @@ thermal_zone_device_register_with_trips(const char *type,
+ }
+
+ mutex_lock(&thermal_list_lock);
++
+ mutex_lock(&tz->lock);
+ list_add_tail(&tz->node, &thermal_tz_list);
+ mutex_unlock(&tz->lock);
+- mutex_unlock(&thermal_list_lock);
+
+ /* Bind cooling devices for this zone */
+- bind_tz(tz);
++ if (tz->ops.bind) {
++ struct thermal_cooling_device *cdev;
++
++ list_for_each_entry(cdev, &thermal_cdev_list, node) {
++ result = tz->ops.bind(tz, cdev);
++ if (result)
++ print_bind_err_msg(tz, cdev, result);
++ }
++ }
++
++ mutex_unlock(&thermal_list_lock);
+
+ thermal_zone_device_init(tz);
+ /* Update the new thermal zone and mark it as already updated. */
+--
+2.43.0
+
--- /dev/null
+From 3751653990bf72433bc0fd0a6fa269b5e2d3776b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 18:23:49 +0200
+Subject: thermal: gov_bang_bang: Adjust states of all uninitialized instances
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 15cb56bd529868d9242b22812fc69bd144bfdc94 ]
+
+If a cooling device is registered after a thermal zone it should be
+bound to and the trip point it should be bound to has already been
+crossed by the zone temperature on the way up, the cooling device's
+state may need to be adjusted, but the Bang-bang governor will not
+do that because its .manage() callback only looks at thermal instances
+for trip points whose thresholds are below or at the zone temperature.
+
+Address this by updating bang_bang_manage() to look at all of the
+uninitialized thermal instances and setting their target states in
+accordance with the position of the zone temperature with respect to
+the threshold of the given trip point.
+
+Fixes: 5f64b4a1ab1b ("thermal: gov_bang_bang: Add .manage() callback")
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Lukasz Luba <lukasz.luba@arm.com>
+Link: https://patch.msgid.link/6103874.lOV4Wx5bFT@rjwysocki.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/gov_bang_bang.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/thermal/gov_bang_bang.c b/drivers/thermal/gov_bang_bang.c
+index daed67d19efb8..863e7a4272e66 100644
+--- a/drivers/thermal/gov_bang_bang.c
++++ b/drivers/thermal/gov_bang_bang.c
+@@ -92,23 +92,21 @@ static void bang_bang_manage(struct thermal_zone_device *tz)
+
+ for_each_trip_desc(tz, td) {
+ const struct thermal_trip *trip = &td->trip;
++ bool turn_on;
+
+- if (tz->temperature >= td->threshold ||
+- trip->temperature == THERMAL_TEMP_INVALID ||
++ if (trip->temperature == THERMAL_TEMP_INVALID ||
+ trip->type == THERMAL_TRIP_CRITICAL ||
+ trip->type == THERMAL_TRIP_HOT)
+ continue;
+
+ /*
+- * If the initial cooling device state is "on", but the zone
+- * temperature is not above the trip point, the core will not
+- * call bang_bang_control() until the zone temperature reaches
+- * the trip point temperature which may be never. In those
+- * cases, set the initial state of the cooling device to 0.
++ * Adjust the target states for uninitialized thermal instances
++ * to the thermal zone temperature and the trip point threshold.
+ */
++ turn_on = tz->temperature >= td->threshold;
+ list_for_each_entry(instance, &tz->thermal_instances, tz_node) {
+ if (!instance->initialized && instance->trip == trip)
+- bang_bang_set_instance_target(instance, 0);
++ bang_bang_set_instance_target(instance, turn_on);
+ }
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 3ecef4bc22b67877e74429be033649b40b14db95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 17:30:45 -0700
+Subject: tools/runqslower: Fix LDFLAGS and add LDLIBS support
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit f86601c3661946721e8f260bdd812b759854ac22 ]
+
+Actually use previously defined LDFLAGS during build and add support for
+LDLIBS to link extra standalone libraries e.g. 'argp' which is not provided
+by musl libc.
+
+Fixes: 585bf4640ebe ("tools: runqslower: Add EXTRA_CFLAGS and EXTRA_LDFLAGS support")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Link: https://lore.kernel.org/bpf/20240723003045.2273499-1-tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/runqslower/Makefile | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/bpf/runqslower/Makefile b/tools/bpf/runqslower/Makefile
+index d8288936c9120..c4f1f1735af65 100644
+--- a/tools/bpf/runqslower/Makefile
++++ b/tools/bpf/runqslower/Makefile
+@@ -15,6 +15,7 @@ INCLUDES := -I$(OUTPUT) -I$(BPF_INCLUDE) -I$(abspath ../../include/uapi)
+ CFLAGS := -g -Wall $(CLANG_CROSS_FLAGS)
+ CFLAGS += $(EXTRA_CFLAGS)
+ LDFLAGS += $(EXTRA_LDFLAGS)
++LDLIBS += -lelf -lz
+
+ # Try to detect best kernel BTF source
+ KERNEL_REL := $(shell uname -r)
+@@ -51,7 +52,7 @@ clean:
+ libbpf_hdrs: $(BPFOBJ)
+
+ $(OUTPUT)/runqslower: $(OUTPUT)/runqslower.o $(BPFOBJ)
+- $(QUIET_LINK)$(CC) $(CFLAGS) $^ -lelf -lz -o $@
++ $(QUIET_LINK)$(CC) $(CFLAGS) $(LDFLAGS) $^ $(LDLIBS) -o $@
+
+ $(OUTPUT)/runqslower.o: runqslower.h $(OUTPUT)/runqslower.skel.h \
+ $(OUTPUT)/runqslower.bpf.o | libbpf_hdrs
+--
+2.43.0
+
--- /dev/null
+From f99edf3431490795cfa6d729277f6aa1bf16c8d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 12:55:46 +0100
+Subject: tpm: Clean up TPM space after command failure
+
+From: Jonathan McDowell <noodles@meta.com>
+
+[ Upstream commit e3aaebcbb7c6b403416f442d1de70d437ce313a7 ]
+
+tpm_dev_transmit prepares the TPM space before attempting command
+transmission. However if the command fails no rollback of this
+preparation is done. This can result in transient handles being leaked
+if the device is subsequently closed with no further commands performed.
+
+Fix this by flushing the space in the event of command transmission
+failure.
+
+Fixes: 745b361e989a ("tpm: infrastructure for TPM spaces")
+Signed-off-by: Jonathan McDowell <noodles@meta.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/tpm/tpm-dev-common.c | 2 ++
+ drivers/char/tpm/tpm2-space.c | 3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c
+index 30b4c288c1bbc..c3fbbf4d3db79 100644
+--- a/drivers/char/tpm/tpm-dev-common.c
++++ b/drivers/char/tpm/tpm-dev-common.c
+@@ -47,6 +47,8 @@ static ssize_t tpm_dev_transmit(struct tpm_chip *chip, struct tpm_space *space,
+
+ if (!ret)
+ ret = tpm2_commit_space(chip, space, buf, &len);
++ else
++ tpm2_flush_space(chip);
+
+ out_rc:
+ return ret ? ret : len;
+diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c
+index 4892d491da8da..25a66870c165c 100644
+--- a/drivers/char/tpm/tpm2-space.c
++++ b/drivers/char/tpm/tpm2-space.c
+@@ -169,6 +169,9 @@ void tpm2_flush_space(struct tpm_chip *chip)
+ struct tpm_space *space = &chip->work_space;
+ int i;
+
++ if (!space)
++ return;
++
+ for (i = 0; i < ARRAY_SIZE(space->context_tbl); i++)
+ if (space->context_tbl[i] && ~space->context_tbl[i])
+ tpm2_flush_context(chip, space->context_tbl[i]);
+--
+2.43.0
+
--- /dev/null
+From 958ef3a70f089246c01aa3c7d07ac0be9549dbf2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2024 09:36:24 +0800
+Subject: ublk: move zone report data out of request pdu
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 9327b51c9a9c864f5177127e09851da9d78b4943 ]
+
+ublk zoned takes 16 bytes in each request pdu just for handling REPORT_ZONE
+operation, this way does waste memory since request pdu is allocated
+statically.
+
+Store the transient zone report data into one global xarray, and remove
+it after the report zone request is completed. This way is reasonable
+since report zone is run in slow code path.
+
+Fixes: 29802d7ca33b ("ublk: enable zoned storage support")
+Cc: Damien Le Moal <dlemoal@kernel.org>
+Cc: Andreas Hindborg <a.hindborg@samsung.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20240812013624.587587-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/ublk_drv.c | 62 +++++++++++++++++++++++++++++-----------
+ 1 file changed, 46 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
+index 1d53a3f48a0eb..bca06bfb4bc32 100644
+--- a/drivers/block/ublk_drv.c
++++ b/drivers/block/ublk_drv.c
+@@ -71,9 +71,6 @@ struct ublk_rq_data {
+ struct llist_node node;
+
+ struct kref ref;
+- __u64 sector;
+- __u32 operation;
+- __u32 nr_zones;
+ };
+
+ struct ublk_uring_cmd_pdu {
+@@ -214,6 +211,33 @@ static inline bool ublk_queue_is_zoned(struct ublk_queue *ubq)
+
+ #ifdef CONFIG_BLK_DEV_ZONED
+
++struct ublk_zoned_report_desc {
++ __u64 sector;
++ __u32 operation;
++ __u32 nr_zones;
++};
++
++static DEFINE_XARRAY(ublk_zoned_report_descs);
++
++static int ublk_zoned_insert_report_desc(const struct request *req,
++ struct ublk_zoned_report_desc *desc)
++{
++ return xa_insert(&ublk_zoned_report_descs, (unsigned long)req,
++ desc, GFP_KERNEL);
++}
++
++static struct ublk_zoned_report_desc *ublk_zoned_erase_report_desc(
++ const struct request *req)
++{
++ return xa_erase(&ublk_zoned_report_descs, (unsigned long)req);
++}
++
++static struct ublk_zoned_report_desc *ublk_zoned_get_report_desc(
++ const struct request *req)
++{
++ return xa_load(&ublk_zoned_report_descs, (unsigned long)req);
++}
++
+ static int ublk_get_nr_zones(const struct ublk_device *ub)
+ {
+ const struct ublk_param_basic *p = &ub->params.basic;
+@@ -308,7 +332,7 @@ static int ublk_report_zones(struct gendisk *disk, sector_t sector,
+ unsigned int zones_in_request =
+ min_t(unsigned int, remaining_zones, max_zones_per_request);
+ struct request *req;
+- struct ublk_rq_data *pdu;
++ struct ublk_zoned_report_desc desc;
+ blk_status_t status;
+
+ memset(buffer, 0, buffer_length);
+@@ -319,20 +343,23 @@ static int ublk_report_zones(struct gendisk *disk, sector_t sector,
+ goto out;
+ }
+
+- pdu = blk_mq_rq_to_pdu(req);
+- pdu->operation = UBLK_IO_OP_REPORT_ZONES;
+- pdu->sector = sector;
+- pdu->nr_zones = zones_in_request;
++ desc.operation = UBLK_IO_OP_REPORT_ZONES;
++ desc.sector = sector;
++ desc.nr_zones = zones_in_request;
++ ret = ublk_zoned_insert_report_desc(req, &desc);
++ if (ret)
++ goto free_req;
+
+ ret = blk_rq_map_kern(disk->queue, req, buffer, buffer_length,
+ GFP_KERNEL);
+- if (ret) {
+- blk_mq_free_request(req);
+- goto out;
+- }
++ if (ret)
++ goto erase_desc;
+
+ status = blk_execute_rq(req, 0);
+ ret = blk_status_to_errno(status);
++erase_desc:
++ ublk_zoned_erase_report_desc(req);
++free_req:
+ blk_mq_free_request(req);
+ if (ret)
+ goto out;
+@@ -366,7 +393,7 @@ static blk_status_t ublk_setup_iod_zoned(struct ublk_queue *ubq,
+ {
+ struct ublksrv_io_desc *iod = ublk_get_iod(ubq, req->tag);
+ struct ublk_io *io = &ubq->ios[req->tag];
+- struct ublk_rq_data *pdu = blk_mq_rq_to_pdu(req);
++ struct ublk_zoned_report_desc *desc;
+ u32 ublk_op;
+
+ switch (req_op(req)) {
+@@ -389,12 +416,15 @@ static blk_status_t ublk_setup_iod_zoned(struct ublk_queue *ubq,
+ ublk_op = UBLK_IO_OP_ZONE_RESET_ALL;
+ break;
+ case REQ_OP_DRV_IN:
+- ublk_op = pdu->operation;
++ desc = ublk_zoned_get_report_desc(req);
++ if (!desc)
++ return BLK_STS_IOERR;
++ ublk_op = desc->operation;
+ switch (ublk_op) {
+ case UBLK_IO_OP_REPORT_ZONES:
+ iod->op_flags = ublk_op | ublk_req_build_flags(req);
+- iod->nr_zones = pdu->nr_zones;
+- iod->start_sector = pdu->sector;
++ iod->nr_zones = desc->nr_zones;
++ iod->start_sector = desc->sector;
+ return BLK_STS_OK;
+ default:
+ return BLK_STS_IOERR;
+--
+2.43.0
+
--- /dev/null
+From a601cb80ed9ff5a4e8e1da52751d124aa9131aad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jul 2024 14:24:56 +0200
+Subject: um: remove ARCH_NO_PREEMPT_DYNAMIC
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 64dcf0b8779363ca07dfb5649a4cc71f9fdf390b ]
+
+There's no such symbol and we currently don't have any of the
+mechanisms to make boot-time selection cheap enough, so we can't
+have HAVE_PREEMPT_DYNAMIC_CALL or HAVE_PREEMPT_DYNAMIC_KEY.
+
+Remove the select statement.
+
+Reported-by: Lukas Bulwahn <lbulwahn@redhat.com>
+Fixes: cd01672d64a3 ("um: Enable preemption in UML")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/um/Kconfig b/arch/um/Kconfig
+index dca84fd6d00a5..c89575d05021f 100644
+--- a/arch/um/Kconfig
++++ b/arch/um/Kconfig
+@@ -11,7 +11,6 @@ config UML
+ select ARCH_HAS_KCOV
+ select ARCH_HAS_STRNCPY_FROM_USER
+ select ARCH_HAS_STRNLEN_USER
+- select ARCH_NO_PREEMPT_DYNAMIC
+ select HAVE_ARCH_AUDITSYSCALL
+ select HAVE_ARCH_KASAN if X86_64
+ select HAVE_ARCH_KASAN_VMALLOC if HAVE_ARCH_KASAN
+--
+2.43.0
+
--- /dev/null
+From f2e9c654eb420e15992ef1e6f5e0ceaca92aacbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Jul 2024 15:00:26 +0200
+Subject: usb: dwc2: Skip clock gating on Broadcom SoCs
+
+From: Stefan Wahren <wahrenst@gmx.net>
+
+[ Upstream commit d483f034f03261c8c8450d106aa243837122b5f0 ]
+
+On resume of the Raspberry Pi the dwc2 driver fails to enable
+HCD_FLAG_HW_ACCESSIBLE before re-enabling the interrupts.
+This causes a situation where both handler ignore a incoming port
+interrupt and force the upper layers to disable the dwc2 interrupt line.
+This leaves the USB interface in a unusable state:
+
+irq 66: nobody cared (try booting with the "irqpoll" option)
+CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 6.10.0-rc3
+Hardware name: BCM2835
+Call trace:
+unwind_backtrace from show_stack+0x10/0x14
+show_stack from dump_stack_lvl+0x50/0x64
+dump_stack_lvl from __report_bad_irq+0x38/0xc0
+__report_bad_irq from note_interrupt+0x2ac/0x2f4
+note_interrupt from handle_irq_event+0x88/0x8c
+handle_irq_event from handle_level_irq+0xb4/0x1ac
+handle_level_irq from generic_handle_domain_irq+0x24/0x34
+generic_handle_domain_irq from bcm2836_chained_handle_irq+0x24/0x28
+bcm2836_chained_handle_irq from generic_handle_domain_irq+0x24/0x34
+generic_handle_domain_irq from generic_handle_arch_irq+0x34/0x44
+generic_handle_arch_irq from __irq_svc+0x88/0xb0
+Exception stack(0xc1b01f20 to 0xc1b01f68)
+1f20: 0005c0d4 00000001 00000000 00000000 c1b09780 c1d6b32c c1b04e54 c1a5eae8
+1f40: c1b04e90 00000000 00000000 00000000 c1d6a8a0 c1b01f70 c11d2da8 c11d4160
+1f60: 60000013 ffffffff
+__irq_svc from default_idle_call+0x1c/0xb0
+default_idle_call from do_idle+0x21c/0x284
+do_idle from cpu_startup_entry+0x28/0x2c
+cpu_startup_entry from kernel_init+0x0/0x12c
+handlers:
+[<f539e0f4>] dwc2_handle_common_intr
+[<75cd278b>] usb_hcd_irq
+Disabling IRQ #66
+
+Disabling clock gating workaround this issue.
+
+Fixes: 0112b7ce68ea ("usb: dwc2: Update dwc2_handle_usb_suspend_intr function.")
+Link: https://lore.kernel.org/linux-usb/3fd0c2fb-4752-45b3-94eb-42352703e1fd@gmx.net/T/
+Link: https://lore.kernel.org/all/5e8cbce0-3260-2971-484f-fc73a3b2bd28@synopsys.com/
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Acked-by: Minas Harutyunyan <hminas@synopsys.com>
+Link: https://lore.kernel.org/r/20240728130029.78279-5-wahrenst@gmx.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc2/params.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/dwc2/params.c b/drivers/usb/dwc2/params.c
+index a937eadbc9b3e..214dca7044163 100644
+--- a/drivers/usb/dwc2/params.c
++++ b/drivers/usb/dwc2/params.c
+@@ -23,6 +23,7 @@ static void dwc2_set_bcm_params(struct dwc2_hsotg *hsotg)
+ p->max_transfer_size = 65535;
+ p->max_packet_count = 511;
+ p->ahbcfg = 0x10;
++ p->no_clock_gating = true;
+ }
+
+ static void dwc2_set_his_params(struct dwc2_hsotg *hsotg)
+--
+2.43.0
+
--- /dev/null
+From c8065ade6d1463a889fde60bec63d02075a18447 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 19:08:08 +0300
+Subject: vdpa/mlx5: Fix invalid mr resource destroy
+
+From: Dragos Tatulea <dtatulea@nvidia.com>
+
+[ Upstream commit dc12502905b7a3de9097ea6b98870470c2921e09 ]
+
+Certain error paths from mlx5_vdpa_dev_add() can end up releasing mr
+resources which never got initialized in the first place.
+
+This patch adds the missing check in mlx5_vdpa_destroy_mr_resources()
+to block releasing non-initialized mr resources.
+
+Reference trace:
+
+ mlx5_core 0000:08:00.2: mlx5_vdpa_dev_add:3274:(pid 2700) warning: No mac address provisioned?
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 140216067 P4D 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 8 PID: 2700 Comm: vdpa Kdump: loaded Not tainted 5.14.0-496.el9.x86_64 #1
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:vhost_iotlb_del_range+0xf/0xe0 [vhost_iotlb]
+ Code: [...]
+ RSP: 0018:ff1c823ac23077f0 EFLAGS: 00010246
+ RAX: ffffffffc1a21a60 RBX: ffffffff899567a0 RCX: 0000000000000000
+ RDX: ffffffffffffffff RSI: 0000000000000000 RDI: 0000000000000000
+ RBP: ff1bda1f7c21e800 R08: 0000000000000000 R09: ff1c823ac2307670
+ R10: ff1c823ac2307668 R11: ffffffff8a9e7b68 R12: 0000000000000000
+ R13: 0000000000000000 R14: ff1bda1f43e341a0 R15: 00000000ffffffea
+ FS: 00007f56eba7c740(0000) GS:ff1bda269f800000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000000 CR3: 0000000104d90001 CR4: 0000000000771ef0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ PKRU: 55555554
+ Call Trace:
+
+ ? show_trace_log_lvl+0x1c4/0x2df
+ ? show_trace_log_lvl+0x1c4/0x2df
+ ? mlx5_vdpa_free+0x3d/0x150 [mlx5_vdpa]
+ ? __die_body.cold+0x8/0xd
+ ? page_fault_oops+0x134/0x170
+ ? __irq_work_queue_local+0x2b/0xc0
+ ? irq_work_queue+0x2c/0x50
+ ? exc_page_fault+0x62/0x150
+ ? asm_exc_page_fault+0x22/0x30
+ ? __pfx_mlx5_vdpa_free+0x10/0x10 [mlx5_vdpa]
+ ? vhost_iotlb_del_range+0xf/0xe0 [vhost_iotlb]
+ mlx5_vdpa_free+0x3d/0x150 [mlx5_vdpa]
+ vdpa_release_dev+0x1e/0x50 [vdpa]
+ device_release+0x31/0x90
+ kobject_cleanup+0x37/0x130
+ mlx5_vdpa_dev_add+0x2d2/0x7a0 [mlx5_vdpa]
+ vdpa_nl_cmd_dev_add_set_doit+0x277/0x4c0 [vdpa]
+ genl_family_rcv_msg_doit+0xd9/0x130
+ genl_family_rcv_msg+0x14d/0x220
+ ? __pfx_vdpa_nl_cmd_dev_add_set_doit+0x10/0x10 [vdpa]
+ ? _copy_to_user+0x1a/0x30
+ ? move_addr_to_user+0x4b/0xe0
+ genl_rcv_msg+0x47/0xa0
+ ? __import_iovec+0x46/0x150
+ ? __pfx_genl_rcv_msg+0x10/0x10
+ netlink_rcv_skb+0x54/0x100
+ genl_rcv+0x24/0x40
+ netlink_unicast+0x245/0x370
+ netlink_sendmsg+0x206/0x440
+ __sys_sendto+0x1dc/0x1f0
+ ? do_read_fault+0x10c/0x1d0
+ ? do_pte_missing+0x10d/0x190
+ __x64_sys_sendto+0x20/0x30
+ do_syscall_64+0x5c/0xf0
+ ? __count_memcg_events+0x4f/0xb0
+ ? mm_account_fault+0x6c/0x100
+ ? handle_mm_fault+0x116/0x270
+ ? do_user_addr_fault+0x1d6/0x6a0
+ ? do_syscall_64+0x6b/0xf0
+ ? clear_bhb_loop+0x25/0x80
+ ? clear_bhb_loop+0x25/0x80
+ ? clear_bhb_loop+0x25/0x80
+ ? clear_bhb_loop+0x25/0x80
+ ? clear_bhb_loop+0x25/0x80
+ entry_SYSCALL_64_after_hwframe+0x78/0x80
+
+Fixes: 512c0cdd80c1 ("vdpa/mlx5: Decouple cvq iotlb handling from hw mapping code")
+Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
+Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
+Message-Id: <20240827160808.2448017-2-dtatulea@nvidia.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Si-Wei Liu <si-wei.liu@oracle.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Shannon Nelson <shannon.nelson@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vdpa/mlx5/core/mr.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/vdpa/mlx5/core/mr.c b/drivers/vdpa/mlx5/core/mr.c
+index 4758914ccf860..bf56f3d696253 100644
+--- a/drivers/vdpa/mlx5/core/mr.c
++++ b/drivers/vdpa/mlx5/core/mr.c
+@@ -581,6 +581,9 @@ static void mlx5_vdpa_show_mr_leaks(struct mlx5_vdpa_dev *mvdev)
+
+ void mlx5_vdpa_destroy_mr_resources(struct mlx5_vdpa_dev *mvdev)
+ {
++ if (!mvdev->res.valid)
++ return;
++
+ for (int i = 0; i < MLX5_VDPA_NUM_AS; i++)
+ mlx5_vdpa_update_mr(mvdev, NULL, i);
+
+--
+2.43.0
+
--- /dev/null
+From 7ddec9916d86641686dd2e63485680d3cec4330b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 11:19:00 +0800
+Subject: vhost_vdpa: assign irq bypass producer token correctly
+
+From: Jason Wang <jasowang@redhat.com>
+
+[ Upstream commit 02e9e9366fefe461719da5d173385b6685f70319 ]
+
+We used to call irq_bypass_unregister_producer() in
+vhost_vdpa_setup_vq_irq() which is problematic as we don't know if the
+token pointer is still valid or not.
+
+Actually, we use the eventfd_ctx as the token so the life cycle of the
+token should be bound to the VHOST_SET_VRING_CALL instead of
+vhost_vdpa_setup_vq_irq() which could be called by set_status().
+
+Fixing this by setting up irq bypass producer's token when handling
+VHOST_SET_VRING_CALL and un-registering the producer before calling
+vhost_vring_ioctl() to prevent a possible use after free as eventfd
+could have been released in vhost_vring_ioctl(). And such registering
+and unregistering will only be done if DRIVER_OK is set.
+
+Reported-by: Dragos Tatulea <dtatulea@nvidia.com>
+Tested-by: Dragos Tatulea <dtatulea@nvidia.com>
+Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
+Fixes: 2cf1ba9a4d15 ("vhost_vdpa: implement IRQ offloading in vhost_vdpa")
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Message-Id: <20240816031900.18013-1-jasowang@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/vdpa.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
+index 478cd46a49ede..5a49b5a6d4964 100644
+--- a/drivers/vhost/vdpa.c
++++ b/drivers/vhost/vdpa.c
+@@ -209,11 +209,9 @@ static void vhost_vdpa_setup_vq_irq(struct vhost_vdpa *v, u16 qid)
+ if (irq < 0)
+ return;
+
+- irq_bypass_unregister_producer(&vq->call_ctx.producer);
+ if (!vq->call_ctx.ctx)
+ return;
+
+- vq->call_ctx.producer.token = vq->call_ctx.ctx;
+ vq->call_ctx.producer.irq = irq;
+ ret = irq_bypass_register_producer(&vq->call_ctx.producer);
+ if (unlikely(ret))
+@@ -709,6 +707,14 @@ static long vhost_vdpa_vring_ioctl(struct vhost_vdpa *v, unsigned int cmd,
+ vq->last_avail_idx = vq_state.split.avail_index;
+ }
+ break;
++ case VHOST_SET_VRING_CALL:
++ if (vq->call_ctx.ctx) {
++ if (ops->get_status(vdpa) &
++ VIRTIO_CONFIG_S_DRIVER_OK)
++ vhost_vdpa_unsetup_vq_irq(v, idx);
++ vq->call_ctx.producer.token = NULL;
++ }
++ break;
+ }
+
+ r = vhost_vring_ioctl(&v->vdev, cmd, argp);
+@@ -747,13 +753,16 @@ static long vhost_vdpa_vring_ioctl(struct vhost_vdpa *v, unsigned int cmd,
+ cb.callback = vhost_vdpa_virtqueue_cb;
+ cb.private = vq;
+ cb.trigger = vq->call_ctx.ctx;
++ vq->call_ctx.producer.token = vq->call_ctx.ctx;
++ if (ops->get_status(vdpa) &
++ VIRTIO_CONFIG_S_DRIVER_OK)
++ vhost_vdpa_setup_vq_irq(v, idx);
+ } else {
+ cb.callback = NULL;
+ cb.private = NULL;
+ cb.trigger = NULL;
+ }
+ ops->set_vq_cb(vdpa, idx, &cb);
+- vhost_vdpa_setup_vq_irq(v, idx);
+ break;
+
+ case VHOST_SET_VRING_NUM:
+@@ -1419,6 +1428,7 @@ static int vhost_vdpa_open(struct inode *inode, struct file *filep)
+ for (i = 0; i < nvqs; i++) {
+ vqs[i] = &v->vqs[i];
+ vqs[i]->handle_kick = handle_vq_kick;
++ vqs[i]->call_ctx.ctx = NULL;
+ }
+ vhost_dev_init(dev, vqs, nvqs, 0, 0, 0, false,
+ vhost_vdpa_process_iotlb_msg);
+--
+2.43.0
+
--- /dev/null
+From d9911970d14285164bba60ebddf7707fb1ef5b1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Aug 2024 13:22:26 +0800
+Subject: virtio: allow driver to disable the configure change notification
+
+From: Jason Wang <jasowang@redhat.com>
+
+[ Upstream commit 224de6f886f8184fd448700a6d78f216694de948 ]
+
+Sometime, it would be useful to disable the configure change
+notification from the driver. So this patch allows this by introducing
+a variable config_change_driver_disabled and only allow the configure
+change notification callback to be triggered when it is allowed by
+both the virtio core and the driver. It is set to false by default to
+hold the current semantic so we don't need to change any drivers.
+
+The first user for this would be virtio-net.
+
+Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
+Cc: Gia-Khanh Nguyen <gia-khanh.nguyen@oracle.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Link: https://patch.msgid.link/20240814052228.4654-3-jasowang@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: c392d6019398 ("virtio-net: synchronize probe with ndo_set_features")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/virtio/virtio.c | 39 ++++++++++++++++++++++++++++++++++++---
+ include/linux/virtio.h | 7 +++++++
+ 2 files changed, 43 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/virtio/virtio.c b/drivers/virtio/virtio.c
+index 6b692b0fa578b..b9095751e43bb 100644
+--- a/drivers/virtio/virtio.c
++++ b/drivers/virtio/virtio.c
+@@ -127,10 +127,12 @@ static void __virtio_config_changed(struct virtio_device *dev)
+ {
+ struct virtio_driver *drv = drv_to_virtio(dev->dev.driver);
+
+- if (!dev->config_core_enabled)
++ if (!dev->config_core_enabled || dev->config_driver_disabled)
+ dev->config_change_pending = true;
+- else if (drv && drv->config_changed)
++ else if (drv && drv->config_changed) {
+ drv->config_changed(dev);
++ dev->config_change_pending = false;
++ }
+ }
+
+ void virtio_config_changed(struct virtio_device *dev)
+@@ -143,6 +145,38 @@ void virtio_config_changed(struct virtio_device *dev)
+ }
+ EXPORT_SYMBOL_GPL(virtio_config_changed);
+
++/**
++ * virtio_config_driver_disable - disable config change reporting by drivers
++ * @dev: the device to reset
++ *
++ * This is only allowed to be called by a driver and disabling can't
++ * be nested.
++ */
++void virtio_config_driver_disable(struct virtio_device *dev)
++{
++ spin_lock_irq(&dev->config_lock);
++ dev->config_driver_disabled = true;
++ spin_unlock_irq(&dev->config_lock);
++}
++EXPORT_SYMBOL_GPL(virtio_config_driver_disable);
++
++/**
++ * virtio_config_driver_enable - enable config change reporting by drivers
++ * @dev: the device to reset
++ *
++ * This is only allowed to be called by a driver and enabling can't
++ * be nested.
++ */
++void virtio_config_driver_enable(struct virtio_device *dev)
++{
++ spin_lock_irq(&dev->config_lock);
++ dev->config_driver_disabled = false;
++ if (dev->config_change_pending)
++ __virtio_config_changed(dev);
++ spin_unlock_irq(&dev->config_lock);
++}
++EXPORT_SYMBOL_GPL(virtio_config_driver_enable);
++
+ static void virtio_config_core_disable(struct virtio_device *dev)
+ {
+ spin_lock_irq(&dev->config_lock);
+@@ -156,7 +190,6 @@ static void virtio_config_core_enable(struct virtio_device *dev)
+ dev->config_core_enabled = true;
+ if (dev->config_change_pending)
+ __virtio_config_changed(dev);
+- dev->config_change_pending = false;
+ spin_unlock_irq(&dev->config_lock);
+ }
+
+diff --git a/include/linux/virtio.h b/include/linux/virtio.h
+index de6d3cc176d96..306137a15d075 100644
+--- a/include/linux/virtio.h
++++ b/include/linux/virtio.h
+@@ -119,6 +119,8 @@ struct virtio_admin_cmd {
+ * @index: unique position on the virtio bus
+ * @failed: saved value for VIRTIO_CONFIG_S_FAILED bit (for restore)
+ * @config_core_enabled: configuration change reporting enabled by core
++ * @config_driver_disabled: configuration change reporting disabled by
++ * a driver
+ * @config_change_pending: configuration change reported while disabled
+ * @config_lock: protects configuration change reporting
+ * @vqs_list_lock: protects @vqs.
+@@ -136,6 +138,7 @@ struct virtio_device {
+ int index;
+ bool failed;
+ bool config_core_enabled;
++ bool config_driver_disabled;
+ bool config_change_pending;
+ spinlock_t config_lock;
+ spinlock_t vqs_list_lock;
+@@ -166,6 +169,10 @@ void __virtqueue_break(struct virtqueue *_vq);
+ void __virtqueue_unbreak(struct virtqueue *_vq);
+
+ void virtio_config_changed(struct virtio_device *dev);
++
++void virtio_config_driver_disable(struct virtio_device *dev);
++void virtio_config_driver_enable(struct virtio_device *dev);
++
+ #ifdef CONFIG_PM_SLEEP
+ int virtio_device_freeze(struct virtio_device *dev);
+ int virtio_device_restore(struct virtio_device *dev);
+--
+2.43.0
+
--- /dev/null
+From c20a556f7a96557afc135ca0ab1a1fbfe2095019 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Aug 2024 13:22:27 +0800
+Subject: virtio-net: synchronize operstate with admin state on up/down
+
+From: Jason Wang <jasowang@redhat.com>
+
+[ Upstream commit df28de7b00502761eba62490f413c65c9b175ed9 ]
+
+This patch synchronizes operstate with admin state per RFC2863.
+
+This is done by trying to toggle the carrier upon open/close and
+synchronize with the config change work. This allows to propagate
+status correctly to stacked devices like:
+
+ip link add link enp0s3 macvlan0 type macvlan
+ip link set link enp0s3 down
+ip link show
+
+Before this patch:
+
+3: enp0s3: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
+ link/ether 00:00:05:00:00:09 brd ff:ff:ff:ff:ff:ff
+......
+5: macvlan0@enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
+ link/ether b2:a9:c5:04:da:53 brd ff:ff:ff:ff:ff:ff
+
+After this patch:
+
+3: enp0s3: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
+ link/ether 00:00:05:00:00:09 brd ff:ff:ff:ff:ff:ff
+...
+5: macvlan0@enp0s3: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
+ link/ether b2:a9:c5:04:da:53 brd ff:ff:ff:ff:ff:ff
+
+Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
+Cc: Gia-Khanh Nguyen <gia-khanh.nguyen@oracle.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Link: https://patch.msgid.link/20240814052228.4654-4-jasowang@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: c392d6019398 ("virtio-net: synchronize probe with ndo_set_features")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/virtio_net.c | 78 +++++++++++++++++++++++++---------------
+ 1 file changed, 50 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 5a1c1ec5a64b8..60833e7b5a935 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -2884,6 +2884,25 @@ static void virtnet_cancel_dim(struct virtnet_info *vi, struct dim *dim)
+ net_dim_work_cancel(dim);
+ }
+
++static void virtnet_update_settings(struct virtnet_info *vi)
++{
++ u32 speed;
++ u8 duplex;
++
++ if (!virtio_has_feature(vi->vdev, VIRTIO_NET_F_SPEED_DUPLEX))
++ return;
++
++ virtio_cread_le(vi->vdev, struct virtio_net_config, speed, &speed);
++
++ if (ethtool_validate_speed(speed))
++ vi->speed = speed;
++
++ virtio_cread_le(vi->vdev, struct virtio_net_config, duplex, &duplex);
++
++ if (ethtool_validate_duplex(duplex))
++ vi->duplex = duplex;
++}
++
+ static int virtnet_open(struct net_device *dev)
+ {
+ struct virtnet_info *vi = netdev_priv(dev);
+@@ -2902,6 +2921,15 @@ static int virtnet_open(struct net_device *dev)
+ goto err_enable_qp;
+ }
+
++ if (virtio_has_feature(vi->vdev, VIRTIO_NET_F_STATUS)) {
++ if (vi->status & VIRTIO_NET_S_LINK_UP)
++ netif_carrier_on(vi->dev);
++ virtio_config_driver_enable(vi->vdev);
++ } else {
++ vi->status = VIRTIO_NET_S_LINK_UP;
++ netif_carrier_on(dev);
++ }
++
+ return 0;
+
+ err_enable_qp:
+@@ -3380,12 +3408,22 @@ static int virtnet_close(struct net_device *dev)
+ disable_delayed_refill(vi);
+ /* Make sure refill_work doesn't re-enable napi! */
+ cancel_delayed_work_sync(&vi->refill);
++ /* Prevent the config change callback from changing carrier
++ * after close
++ */
++ virtio_config_driver_disable(vi->vdev);
++ /* Stop getting status/speed updates: we don't care until next
++ * open
++ */
++ cancel_work_sync(&vi->config_work);
+
+ for (i = 0; i < vi->max_queue_pairs; i++) {
+ virtnet_disable_queue_pair(vi, i);
+ virtnet_cancel_dim(vi, &vi->rq[i].dim);
+ }
+
++ netif_carrier_off(dev);
++
+ return 0;
+ }
+
+@@ -5094,25 +5132,6 @@ static void virtnet_init_settings(struct net_device *dev)
+ vi->duplex = DUPLEX_UNKNOWN;
+ }
+
+-static void virtnet_update_settings(struct virtnet_info *vi)
+-{
+- u32 speed;
+- u8 duplex;
+-
+- if (!virtio_has_feature(vi->vdev, VIRTIO_NET_F_SPEED_DUPLEX))
+- return;
+-
+- virtio_cread_le(vi->vdev, struct virtio_net_config, speed, &speed);
+-
+- if (ethtool_validate_speed(speed))
+- vi->speed = speed;
+-
+- virtio_cread_le(vi->vdev, struct virtio_net_config, duplex, &duplex);
+-
+- if (ethtool_validate_duplex(duplex))
+- vi->duplex = duplex;
+-}
+-
+ static u32 virtnet_get_rxfh_key_size(struct net_device *dev)
+ {
+ return ((struct virtnet_info *)netdev_priv(dev))->rss_key_size;
+@@ -6521,6 +6540,9 @@ static int virtnet_probe(struct virtio_device *vdev)
+ goto free_failover;
+ }
+
++ /* Disable config change notification until ndo_open. */
++ virtio_config_driver_disable(vi->vdev);
++
+ virtio_device_ready(vdev);
+
+ virtnet_set_queues(vi, vi->curr_queue_pairs);
+@@ -6570,25 +6592,25 @@ static int virtnet_probe(struct virtio_device *vdev)
+ vi->device_stats_cap = le64_to_cpu(v);
+ }
+
+- rtnl_unlock();
+-
+- err = virtnet_cpu_notif_add(vi);
+- if (err) {
+- pr_debug("virtio_net: registering cpu notifier failed\n");
+- goto free_unregister_netdev;
+- }
+-
+ /* Assume link up if device can't report link status,
+ otherwise get link status from config. */
+ netif_carrier_off(dev);
+ if (virtio_has_feature(vi->vdev, VIRTIO_NET_F_STATUS)) {
+- schedule_work(&vi->config_work);
++ virtnet_config_changed_work(&vi->config_work);
+ } else {
+ vi->status = VIRTIO_NET_S_LINK_UP;
+ virtnet_update_settings(vi);
+ netif_carrier_on(dev);
+ }
+
++ rtnl_unlock();
++
++ err = virtnet_cpu_notif_add(vi);
++ if (err) {
++ pr_debug("virtio_net: registering cpu notifier failed\n");
++ goto free_unregister_netdev;
++ }
++
+ for (i = 0; i < ARRAY_SIZE(guest_offloads); i++)
+ if (virtio_has_feature(vi->vdev, guest_offloads[i]))
+ set_bit(guest_offloads[i], &vi->guest_offloads);
+--
+2.43.0
+
--- /dev/null
+From 0b52ac2da9f6fbe77ac3572e5b916f16a54144e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Aug 2024 13:22:28 +0800
+Subject: virtio-net: synchronize probe with ndo_set_features
+
+From: Jason Wang <jasowang@redhat.com>
+
+[ Upstream commit c392d6019398315526b0b508282f87c7b2318c72 ]
+
+We calculate guest offloads during probe without the protection of
+rtnl_lock. This lead to race between probe and ndo_set_features. Fix
+this by moving the calculation under the rtnl_lock.
+
+Fixes: 3f93522ffab2 ("virtio-net: switch off offloads on demand if possible on XDP set")
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Link: https://patch.msgid.link/20240814052228.4654-5-jasowang@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/virtio_net.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 60833e7b5a935..6f4781ec2b369 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -6603,6 +6603,11 @@ static int virtnet_probe(struct virtio_device *vdev)
+ netif_carrier_on(dev);
+ }
+
++ for (i = 0; i < ARRAY_SIZE(guest_offloads); i++)
++ if (virtio_has_feature(vi->vdev, guest_offloads[i]))
++ set_bit(guest_offloads[i], &vi->guest_offloads);
++ vi->guest_offloads_capable = vi->guest_offloads;
++
+ rtnl_unlock();
+
+ err = virtnet_cpu_notif_add(vi);
+@@ -6611,11 +6616,6 @@ static int virtnet_probe(struct virtio_device *vdev)
+ goto free_unregister_netdev;
+ }
+
+- for (i = 0; i < ARRAY_SIZE(guest_offloads); i++)
+- if (virtio_has_feature(vi->vdev, guest_offloads[i]))
+- set_bit(guest_offloads[i], &vi->guest_offloads);
+- vi->guest_offloads_capable = vi->guest_offloads;
+-
+ pr_debug("virtnet: registered device %s with %d RX and TX vq's\n",
+ dev->name, max_queue_pairs);
+
+--
+2.43.0
+
--- /dev/null
+From abe05b33a2335d0d3cd0d7628f11a6384f582d59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Aug 2024 13:22:25 +0800
+Subject: virtio: rename virtio_config_enabled to virtio_config_core_enabled
+
+From: Jason Wang <jasowang@redhat.com>
+
+[ Upstream commit 0cb70ee4a6ee6b0a4b0e0f70a64a094c6fe05944 ]
+
+Following patch will allow the config interrupt to be disabled by a
+specific driver via another boolean. So this patch renames
+virtio_config_enabled and relevant helpers to
+virtio_config_core_enabled.
+
+Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
+Cc: Gia-Khanh Nguyen <gia-khanh.nguyen@oracle.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Link: https://patch.msgid.link/20240814052228.4654-2-jasowang@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: c392d6019398 ("virtio-net: synchronize probe with ndo_set_features")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/virtio/virtio.c | 22 +++++++++++-----------
+ include/linux/virtio.h | 4 ++--
+ 2 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/virtio/virtio.c b/drivers/virtio/virtio.c
+index bc1f962e483b9..6b692b0fa578b 100644
+--- a/drivers/virtio/virtio.c
++++ b/drivers/virtio/virtio.c
+@@ -127,7 +127,7 @@ static void __virtio_config_changed(struct virtio_device *dev)
+ {
+ struct virtio_driver *drv = drv_to_virtio(dev->dev.driver);
+
+- if (!dev->config_enabled)
++ if (!dev->config_core_enabled)
+ dev->config_change_pending = true;
+ else if (drv && drv->config_changed)
+ drv->config_changed(dev);
+@@ -143,17 +143,17 @@ void virtio_config_changed(struct virtio_device *dev)
+ }
+ EXPORT_SYMBOL_GPL(virtio_config_changed);
+
+-static void virtio_config_disable(struct virtio_device *dev)
++static void virtio_config_core_disable(struct virtio_device *dev)
+ {
+ spin_lock_irq(&dev->config_lock);
+- dev->config_enabled = false;
++ dev->config_core_enabled = false;
+ spin_unlock_irq(&dev->config_lock);
+ }
+
+-static void virtio_config_enable(struct virtio_device *dev)
++static void virtio_config_core_enable(struct virtio_device *dev)
+ {
+ spin_lock_irq(&dev->config_lock);
+- dev->config_enabled = true;
++ dev->config_core_enabled = true;
+ if (dev->config_change_pending)
+ __virtio_config_changed(dev);
+ dev->config_change_pending = false;
+@@ -316,7 +316,7 @@ static int virtio_dev_probe(struct device *_d)
+ if (drv->scan)
+ drv->scan(dev);
+
+- virtio_config_enable(dev);
++ virtio_config_core_enable(dev);
+
+ return 0;
+
+@@ -331,7 +331,7 @@ static void virtio_dev_remove(struct device *_d)
+ struct virtio_device *dev = dev_to_virtio(_d);
+ struct virtio_driver *drv = drv_to_virtio(dev->dev.driver);
+
+- virtio_config_disable(dev);
++ virtio_config_core_disable(dev);
+
+ drv->remove(dev);
+
+@@ -443,7 +443,7 @@ int register_virtio_device(struct virtio_device *dev)
+ goto out_ida_remove;
+
+ spin_lock_init(&dev->config_lock);
+- dev->config_enabled = false;
++ dev->config_core_enabled = false;
+ dev->config_change_pending = false;
+
+ INIT_LIST_HEAD(&dev->vqs);
+@@ -500,14 +500,14 @@ int virtio_device_freeze(struct virtio_device *dev)
+ struct virtio_driver *drv = drv_to_virtio(dev->dev.driver);
+ int ret;
+
+- virtio_config_disable(dev);
++ virtio_config_core_disable(dev);
+
+ dev->failed = dev->config->get_status(dev) & VIRTIO_CONFIG_S_FAILED;
+
+ if (drv && drv->freeze) {
+ ret = drv->freeze(dev);
+ if (ret) {
+- virtio_config_enable(dev);
++ virtio_config_core_enable(dev);
+ return ret;
+ }
+ }
+@@ -557,7 +557,7 @@ int virtio_device_restore(struct virtio_device *dev)
+ if (!(dev->config->get_status(dev) & VIRTIO_CONFIG_S_DRIVER_OK))
+ virtio_device_ready(dev);
+
+- virtio_config_enable(dev);
++ virtio_config_core_enable(dev);
+
+ return 0;
+
+diff --git a/include/linux/virtio.h b/include/linux/virtio.h
+index 4b16844c6bc29..de6d3cc176d96 100644
+--- a/include/linux/virtio.h
++++ b/include/linux/virtio.h
+@@ -118,7 +118,7 @@ struct virtio_admin_cmd {
+ * struct virtio_device - representation of a device using virtio
+ * @index: unique position on the virtio bus
+ * @failed: saved value for VIRTIO_CONFIG_S_FAILED bit (for restore)
+- * @config_enabled: configuration change reporting enabled
++ * @config_core_enabled: configuration change reporting enabled by core
+ * @config_change_pending: configuration change reported while disabled
+ * @config_lock: protects configuration change reporting
+ * @vqs_list_lock: protects @vqs.
+@@ -135,7 +135,7 @@ struct virtio_admin_cmd {
+ struct virtio_device {
+ int index;
+ bool failed;
+- bool config_enabled;
++ bool config_core_enabled;
+ bool config_change_pending;
+ spinlock_t config_lock;
+ spinlock_t vqs_list_lock;
+--
+2.43.0
+
--- /dev/null
+From cce6a1599517cae7f2a3eb8cdf521507cb336ca3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Sep 2024 16:13:51 +0800
+Subject: virtio_net: Fix mismatched buf address when unmapping for small
+ packets
+
+From: Wenbo Li <liwenbo.martin@bytedance.com>
+
+[ Upstream commit c11a49d58ad229a1be1ebe08a2b68fedf83db6c8 ]
+
+Currently, the virtio-net driver will perform a pre-dma-mapping for
+small or mergeable RX buffer. But for small packets, a mismatched address
+without VIRTNET_RX_PAD and xdp_headroom is used for unmapping.
+
+That will result in unsynchronized buffers when SWIOTLB is enabled, for
+example, when running as a TDX guest.
+
+This patch unifies the address passed to the virtio core as the address of
+the virtnet header and fixes the mismatched buffer address.
+
+Changes from v2: unify the buf that passed to the virtio core in small
+and merge mode.
+Changes from v1: Use ctx to get xdp_headroom.
+
+Fixes: 295525e29a5b ("virtio_net: merge dma operations when filling mergeable buffers")
+Signed-off-by: Wenbo Li <liwenbo.martin@bytedance.com>
+Signed-off-by: Jiahui Cen <cenjiahui@bytedance.com>
+Signed-off-by: Ying Fang <fangying.tommy@bytedance.com>
+Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Link: https://patch.msgid.link/20240919081351.51772-1-liwenbo.martin@bytedance.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/virtio_net.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 6f4781ec2b369..f8131f92a3928 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1807,6 +1807,11 @@ static struct sk_buff *receive_small(struct net_device *dev,
+ struct page *page = virt_to_head_page(buf);
+ struct sk_buff *skb;
+
++ /* We passed the address of virtnet header to virtio-core,
++ * so truncate the padding.
++ */
++ buf -= VIRTNET_RX_PAD + xdp_headroom;
++
+ len -= vi->hdr_len;
+ u64_stats_add(&stats->bytes, len);
+
+@@ -2422,8 +2427,9 @@ static int add_recvbuf_small(struct virtnet_info *vi, struct receive_queue *rq,
+ if (unlikely(!buf))
+ return -ENOMEM;
+
+- virtnet_rq_init_one_sg(rq, buf + VIRTNET_RX_PAD + xdp_headroom,
+- vi->hdr_len + GOOD_PACKET_LEN);
++ buf += VIRTNET_RX_PAD + xdp_headroom;
++
++ virtnet_rq_init_one_sg(rq, buf, vi->hdr_len + GOOD_PACKET_LEN);
+
+ err = virtqueue_add_inbuf_ctx(rq->vq, rq->sg, 1, buf, ctx, gfp);
+ if (err < 0) {
+--
+2.43.0
+
--- /dev/null
+From 7da68fd4ffbed1f8645ade1002bf66f207aed1d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Aug 2024 14:18:45 +0200
+Subject: watchdog: imx_sc_wdt: Don't disable WDT in suspend
+
+From: Jonas Blixt <jonas.blixt@actia.se>
+
+[ Upstream commit 2d9d6d300fb0a4ae4431bb308027ac9385746d42 ]
+
+Parts of the suspend and resume chain is left unprotected if we disable
+the WDT here.
+
+>From experiments we can see that the SCU disables and re-enables the WDT
+when we enter and leave suspend to ram. By not touching the WDT here we
+are protected by the WDT all the way to the SCU.
+
+Signed-off-by: Jonas Blixt <jonas.blixt@actia.se>
+CC: Anson Huang <anson.huang@nxp.com>
+Fixes: 986857acbc9a ("watchdog: imx_sc: Add i.MX system controller watchdog support")
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20240801121845.1465765-1-jonas.blixt@actia.se
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/imx_sc_wdt.c | 24 ------------------------
+ 1 file changed, 24 deletions(-)
+
+diff --git a/drivers/watchdog/imx_sc_wdt.c b/drivers/watchdog/imx_sc_wdt.c
+index e51fe1b78518f..d73076b686d8c 100644
+--- a/drivers/watchdog/imx_sc_wdt.c
++++ b/drivers/watchdog/imx_sc_wdt.c
+@@ -216,29 +216,6 @@ static int imx_sc_wdt_probe(struct platform_device *pdev)
+ return devm_watchdog_register_device(dev, wdog);
+ }
+
+-static int __maybe_unused imx_sc_wdt_suspend(struct device *dev)
+-{
+- struct imx_sc_wdt_device *imx_sc_wdd = dev_get_drvdata(dev);
+-
+- if (watchdog_active(&imx_sc_wdd->wdd))
+- imx_sc_wdt_stop(&imx_sc_wdd->wdd);
+-
+- return 0;
+-}
+-
+-static int __maybe_unused imx_sc_wdt_resume(struct device *dev)
+-{
+- struct imx_sc_wdt_device *imx_sc_wdd = dev_get_drvdata(dev);
+-
+- if (watchdog_active(&imx_sc_wdd->wdd))
+- imx_sc_wdt_start(&imx_sc_wdd->wdd);
+-
+- return 0;
+-}
+-
+-static SIMPLE_DEV_PM_OPS(imx_sc_wdt_pm_ops,
+- imx_sc_wdt_suspend, imx_sc_wdt_resume);
+-
+ static const struct of_device_id imx_sc_wdt_dt_ids[] = {
+ { .compatible = "fsl,imx-sc-wdt", },
+ { /* sentinel */ }
+@@ -250,7 +227,6 @@ static struct platform_driver imx_sc_wdt_driver = {
+ .driver = {
+ .name = "imx-sc-wdt",
+ .of_match_table = imx_sc_wdt_dt_ids,
+- .pm = &imx_sc_wdt_pm_ops,
+ },
+ };
+ module_platform_driver(imx_sc_wdt_driver);
+--
+2.43.0
+
--- /dev/null
+From fba6136d3b878195eb759c541479795301f01ddf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jul 2024 17:40:49 +0300
+Subject: wifi: ath11k: use work queue to process beacon tx event
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kang Yang <quic_kangyang@quicinc.com>
+
+[ Upstream commit 177b49dbf9c1d8f9f25a22ffafa416fc2c8aa6a3 ]
+
+Commit 3a415daa3e8b ("wifi: ath11k: add P2P IE in beacon template")
+from Feb 28, 2024 (linux-next), leads to the following Smatch static
+checker warning:
+
+drivers/net/wireless/ath/ath11k/wmi.c:1742 ath11k_wmi_p2p_go_bcn_ie()
+warn: sleeping in atomic context
+
+The reason is that ath11k_bcn_tx_status_event() will directly call might
+sleep function ath11k_wmi_cmd_send() during RCU read-side critical
+sections. The call trace is like:
+
+ath11k_bcn_tx_status_event()
+-> rcu_read_lock()
+-> ath11k_mac_bcn_tx_event()
+ -> ath11k_mac_setup_bcn_tmpl()
+ ……
+ -> ath11k_wmi_bcn_tmpl()
+ -> ath11k_wmi_cmd_send()
+-> rcu_read_unlock()
+
+Commit 886433a98425 ("ath11k: add support for BSS color change") added the
+ath11k_mac_bcn_tx_event(), commit 01e782c89108 ("ath11k: fix warning
+of RCU usage for ath11k_mac_get_arvif_by_vdev_id()") added the RCU lock
+to avoid warning but also introduced this BUG.
+
+Use work queue to avoid directly calling ath11k_mac_bcn_tx_event()
+during RCU critical sections. No need to worry about the deletion of vif
+because cancel_work_sync() will drop the work if it doesn't start or
+block vif deletion until the running work is done.
+
+Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30
+
+Fixes: 3a415daa3e8b ("wifi: ath11k: add P2P IE in beacon template")
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/all/2d277abd-5e7b-4da0-80e0-52bd96337f6e@moroto.mountain/
+Signed-off-by: Kang Yang <quic_kangyang@quicinc.com>
+Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://patch.msgid.link/20240626053543.1946-1-quic_kangyang@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/core.h | 1 +
+ drivers/net/wireless/ath/ath11k/mac.c | 12 ++++++++++++
+ drivers/net/wireless/ath/ath11k/wmi.c | 4 +++-
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h
+index b655967a465bb..76faa55fd0f3a 100644
+--- a/drivers/net/wireless/ath/ath11k/core.h
++++ b/drivers/net/wireless/ath/ath11k/core.h
+@@ -399,6 +399,7 @@ struct ath11k_vif {
+ u8 bssid[ETH_ALEN];
+ struct cfg80211_bitrate_mask bitrate_mask;
+ struct delayed_work connection_loss_work;
++ struct work_struct bcn_tx_work;
+ int num_legacy_stations;
+ int rtscts_prot_mode;
+ int txpower;
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index 7c0ef6916dd25..f8068d2e848c3 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -6599,6 +6599,16 @@ static int ath11k_mac_vdev_delete(struct ath11k *ar, struct ath11k_vif *arvif)
+ return ret;
+ }
+
++static void ath11k_mac_bcn_tx_work(struct work_struct *work)
++{
++ struct ath11k_vif *arvif = container_of(work, struct ath11k_vif,
++ bcn_tx_work);
++
++ mutex_lock(&arvif->ar->conf_mutex);
++ ath11k_mac_bcn_tx_event(arvif);
++ mutex_unlock(&arvif->ar->conf_mutex);
++}
++
+ static int ath11k_mac_op_add_interface(struct ieee80211_hw *hw,
+ struct ieee80211_vif *vif)
+ {
+@@ -6637,6 +6647,7 @@ static int ath11k_mac_op_add_interface(struct ieee80211_hw *hw,
+ arvif->vif = vif;
+
+ INIT_LIST_HEAD(&arvif->list);
++ INIT_WORK(&arvif->bcn_tx_work, ath11k_mac_bcn_tx_work);
+ INIT_DELAYED_WORK(&arvif->connection_loss_work,
+ ath11k_mac_vif_sta_connection_loss_work);
+
+@@ -6879,6 +6890,7 @@ static void ath11k_mac_op_remove_interface(struct ieee80211_hw *hw,
+ int i;
+
+ cancel_delayed_work_sync(&arvif->connection_loss_work);
++ cancel_work_sync(&arvif->bcn_tx_work);
+
+ mutex_lock(&ar->conf_mutex);
+
+diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c
+index 38f175dd15578..2662092ee00a9 100644
+--- a/drivers/net/wireless/ath/ath11k/wmi.c
++++ b/drivers/net/wireless/ath/ath11k/wmi.c
+@@ -7404,7 +7404,9 @@ static void ath11k_bcn_tx_status_event(struct ath11k_base *ab, struct sk_buff *s
+ rcu_read_unlock();
+ return;
+ }
+- ath11k_mac_bcn_tx_event(arvif);
++
++ queue_work(ab->workqueue, &arvif->bcn_tx_work);
++
+ rcu_read_unlock();
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 7debfee615a4f43ef63fe0dd1ad5aee734671fac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Apr 2024 00:02:31 +0530
+Subject: wifi: ath12k: fix BSS chan info request WMI command
+
+From: P Praneesh <quic_ppranees@quicinc.com>
+
+[ Upstream commit 59529c982f85047650fd473db903b23006a796c6 ]
+
+Currently, the firmware returns incorrect pdev_id information in
+WMI_PDEV_BSS_CHAN_INFO_EVENTID, leading to incorrect filling of
+the pdev's survey information.
+
+To prevent this issue, when requesting BSS channel information
+through WMI_PDEV_BSS_CHAN_INFO_REQUEST_CMDID, firmware expects
+pdev_id as one of the arguments in this WMI command.
+
+Add pdev_id to the struct wmi_pdev_bss_chan_info_req_cmd and fill it
+during ath12k_wmi_pdev_bss_chan_info_request(). This resolves the
+issue of sending the correct pdev_id in WMI_PDEV_BSS_CHAN_INFO_EVENTID.
+
+Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1
+
+Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
+Signed-off-by: P Praneesh <quic_ppranees@quicinc.com>
+Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
+Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://patch.msgid.link/20240331183232.2158756-2-quic_kathirve@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/wmi.c | 1 +
+ drivers/net/wireless/ath/ath12k/wmi.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
+index 9f6be557365e9..a76413320dbf2 100644
+--- a/drivers/net/wireless/ath/ath12k/wmi.c
++++ b/drivers/net/wireless/ath/ath12k/wmi.c
+@@ -1538,6 +1538,7 @@ int ath12k_wmi_pdev_bss_chan_info_request(struct ath12k *ar,
+ cmd->tlv_header = ath12k_wmi_tlv_cmd_hdr(WMI_TAG_PDEV_BSS_CHAN_INFO_REQUEST,
+ sizeof(*cmd));
+ cmd->req_type = cpu_to_le32(type);
++ cmd->pdev_id = cpu_to_le32(ar->pdev->pdev_id);
+
+ ath12k_dbg(ar->ab, ATH12K_DBG_WMI,
+ "WMI bss chan info req type %d\n", type);
+diff --git a/drivers/net/wireless/ath/ath12k/wmi.h b/drivers/net/wireless/ath/ath12k/wmi.h
+index f1f52175a52b3..9f4c2f026b4c1 100644
+--- a/drivers/net/wireless/ath/ath12k/wmi.h
++++ b/drivers/net/wireless/ath/ath12k/wmi.h
+@@ -3121,6 +3121,7 @@ struct wmi_pdev_bss_chan_info_req_cmd {
+ __le32 tlv_header;
+ /* ref wmi_bss_chan_info_req_type */
+ __le32 req_type;
++ __le32 pdev_id;
+ } __packed;
+
+ struct wmi_ap_ps_peer_cmd {
+--
+2.43.0
+
--- /dev/null
+From 85417c6704e9dae7236744e82754c13fa08356a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Jul 2024 10:18:19 +0800
+Subject: wifi: ath12k: fix invalid AMPDU factor calculation in
+ ath12k_peer_assoc_h_he()
+
+From: Baochen Qiang <quic_bqiang@quicinc.com>
+
+[ Upstream commit a66de2d0f22b1740f3f9777776ad98c4bee62dff ]
+
+Currently ampdu_factor is wrongly calculated in ath12k_peer_assoc_h_he(), fix it.
+
+This is found during code review.
+
+Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0-03427-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.15378.4
+
+Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
+Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://patch.msgid.link/20240710021819.87216-1-quic_bqiang@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/mac.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
+index ce41c8153080c..a3248d9775329 100644
+--- a/drivers/net/wireless/ath/ath12k/mac.c
++++ b/drivers/net/wireless/ath/ath12k/mac.c
+@@ -2196,9 +2196,8 @@ static void ath12k_peer_assoc_h_he(struct ath12k *ar,
+ * request, then use MAX_AMPDU_LEN_FACTOR as 16 to calculate max_ampdu
+ * length.
+ */
+- ampdu_factor = (he_cap->he_cap_elem.mac_cap_info[3] &
+- IEEE80211_HE_MAC_CAP3_MAX_AMPDU_LEN_EXP_MASK) >>
+- IEEE80211_HE_MAC_CAP3_MAX_AMPDU_LEN_EXP_MASK;
++ ampdu_factor = u8_get_bits(he_cap->he_cap_elem.mac_cap_info[3],
++ IEEE80211_HE_MAC_CAP3_MAX_AMPDU_LEN_EXP_MASK);
+
+ if (ampdu_factor) {
+ if (sta->deflink.vht_cap.vht_supported)
+--
+2.43.0
+
--- /dev/null
+From 2692bc43085054f30b9cbabf8874ca0687d33da9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Apr 2024 00:02:32 +0530
+Subject: wifi: ath12k: match WMI BSS chan info structure with firmware
+ definition
+
+From: P Praneesh <quic_ppranees@quicinc.com>
+
+[ Upstream commit dd98d54db29fb553839f43ade5f547baa93392c8 ]
+
+struct wmi_pdev_bss_chan_info_event is not similar to the firmware
+struct definition, this will cause some random failures.
+
+Fix by matching the struct wmi_pdev_bss_chan_info_event with the
+firmware structure definition.
+
+Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1
+
+Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
+Signed-off-by: P Praneesh <quic_ppranees@quicinc.com>
+Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
+Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://patch.msgid.link/20240331183232.2158756-3-quic_kathirve@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/wmi.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/wmi.h b/drivers/net/wireless/ath/ath12k/wmi.h
+index 9f4c2f026b4c1..6a913f9b83158 100644
+--- a/drivers/net/wireless/ath/ath12k/wmi.h
++++ b/drivers/net/wireless/ath/ath12k/wmi.h
+@@ -4086,7 +4086,6 @@ struct wmi_vdev_stopped_event {
+ } __packed;
+
+ struct wmi_pdev_bss_chan_info_event {
+- __le32 pdev_id;
+ __le32 freq; /* Units in MHz */
+ __le32 noise_floor; /* units are dBm */
+ /* rx clear - how often the channel was unused */
+@@ -4104,6 +4103,7 @@ struct wmi_pdev_bss_chan_info_event {
+ /*rx_cycle cnt for my bss in 64bits format */
+ __le32 rx_bss_cycle_count_low;
+ __le32 rx_bss_cycle_count_high;
++ __le32 pdev_id;
+ } __packed;
+
+ #define WMI_VDEV_INSTALL_KEY_COMPL_STATUS_SUCCESS 0
+--
+2.43.0
+
--- /dev/null
+From d02dd460c74afaaaeca37232e75a37de2b126c55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Aug 2024 13:02:22 +0200
+Subject: wifi: ath9k: Remove error checks when creating debugfs entries
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit f6ffe7f0184792c2f99aca6ae5b916683973d7d3 ]
+
+We should not be checking the return values from debugfs creation at all: the
+debugfs functions are designed to handle errors of previously called functions
+and just transparently abort the creation of debugfs entries when debugfs is
+disabled. If we check the return value and abort driver initialisation, we break
+the driver if debugfs is disabled (such as when booting with debugfs=off).
+
+Earlier versions of ath9k accidentally did the right thing by checking the
+return value, but only for NULL, not for IS_ERR(). This was "fixed" by the two
+commits referenced below, breaking ath9k with debugfs=off starting from the 6.6
+kernel (as reported in the Bugzilla linked below).
+
+Restore functionality by just getting rid of the return value check entirely.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=219122
+Fixes: 1e4134610d93 ("wifi: ath9k: use IS_ERR() with debugfs_create_dir()")
+Fixes: 6edb4ba6fb5b ("wifi: ath9k: fix parameter check in ath9k_init_debug()")
+Reported-by: Daniel Tobias <dan.g.tob@gmail.com>
+Tested-by: Daniel Tobias <dan.g.tob@gmail.com>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://patch.msgid.link/20240805110225.19690-1-toke@toke.dk
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/debug.c | 2 --
+ drivers/net/wireless/ath/ath9k/htc_drv_debug.c | 2 --
+ 2 files changed, 4 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/debug.c b/drivers/net/wireless/ath/ath9k/debug.c
+index d84e3ee7b5d90..bf3da631c69fd 100644
+--- a/drivers/net/wireless/ath/ath9k/debug.c
++++ b/drivers/net/wireless/ath/ath9k/debug.c
+@@ -1380,8 +1380,6 @@ int ath9k_init_debug(struct ath_hw *ah)
+
+ sc->debug.debugfs_phy = debugfs_create_dir("ath9k",
+ sc->hw->wiphy->debugfsdir);
+- if (IS_ERR(sc->debug.debugfs_phy))
+- return -ENOMEM;
+
+ #ifdef CONFIG_ATH_DEBUG
+ debugfs_create_file("debug", 0600, sc->debug.debugfs_phy,
+diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_debug.c b/drivers/net/wireless/ath/ath9k/htc_drv_debug.c
+index f7c6d9bc93119..9437d69877cc5 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_drv_debug.c
++++ b/drivers/net/wireless/ath/ath9k/htc_drv_debug.c
+@@ -486,8 +486,6 @@ int ath9k_htc_init_debug(struct ath_hw *ah)
+
+ priv->debug.debugfs_phy = debugfs_create_dir(KBUILD_MODNAME,
+ priv->hw->wiphy->debugfsdir);
+- if (IS_ERR(priv->debug.debugfs_phy))
+- return -ENOMEM;
+
+ ath9k_cmn_spectral_init_debug(&priv->spec_priv, priv->debug.debugfs_phy);
+
+--
+2.43.0
+
--- /dev/null
+From b1d0e2c2c4b497b2f661bbe34b65b992f970d0f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Jul 2024 20:56:17 +0200
+Subject: wifi: brcmfmac: introducing fwil query functions
+
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+
+[ Upstream commit c6002b6c05f3edfa12fd25990cc637281f200442 ]
+
+When the firmware interface layer was refactored it provided various
+"get" and "set" functions. For the "get" in some cases a parameter
+needed to be passed down to firmware as a key indicating what to
+"get" turning the output parameter of the "get" function into an
+input parameter as well. To accommodate this the "get" function blindly
+copies the parameter which in some places resulted in an uninitialized
+warnings from the compiler. These have been fixed by initializing the
+input parameter in the past. Recently another batch of similar fixes
+were submitted to address clang static checker warnings [1].
+
+Proposing another solution by introducing a "query" variant which is used
+when the (input) parameter is needed by firmware. The "get" variant will
+only fill the (output) parameter with the result received from firmware
+taking care of proper endianess conversion.
+
+[1] https://lore.kernel.org/all/20240702122450.2213833-1-suhui@nfschina.com/
+
+Fixes: 81f5dcb80830 ("brcmfmac: refactor firmware interface layer.")
+Reported-by: Su Hui <suhui@nfschina.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://patch.msgid.link/20240727185617.253210-1-arend.vanspriel@broadcom.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../broadcom/brcm80211/brcmfmac/btcoex.c | 2 +-
+ .../broadcom/brcm80211/brcmfmac/cfg80211.c | 30 +++++++-------
+ .../broadcom/brcm80211/brcmfmac/core.c | 2 +-
+ .../broadcom/brcm80211/brcmfmac/feature.c | 2 +-
+ .../broadcom/brcm80211/brcmfmac/fwil.h | 40 ++++++++++++++-----
+ 5 files changed, 48 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c
+index 0c3d119d12199..1e8495f50c16a 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c
+@@ -123,7 +123,7 @@ static s32 brcmf_btcoex_params_read(struct brcmf_if *ifp, u32 addr, u32 *data)
+ {
+ *data = addr;
+
+- return brcmf_fil_iovar_int_get(ifp, "btc_params", data);
++ return brcmf_fil_iovar_int_query(ifp, "btc_params", data);
+ }
+
+ /**
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+index d4cc5fa92341d..815f6b3c79fc0 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -663,8 +663,8 @@ static int brcmf_cfg80211_request_sta_if(struct brcmf_if *ifp, u8 *macaddr)
+ /* interface_create version 3+ */
+ /* get supported version from firmware side */
+ iface_create_ver = 0;
+- err = brcmf_fil_bsscfg_int_get(ifp, "interface_create",
+- &iface_create_ver);
++ err = brcmf_fil_bsscfg_int_query(ifp, "interface_create",
++ &iface_create_ver);
+ if (err) {
+ brcmf_err("fail to get supported version, err=%d\n", err);
+ return -EOPNOTSUPP;
+@@ -756,8 +756,8 @@ static int brcmf_cfg80211_request_ap_if(struct brcmf_if *ifp)
+ /* interface_create version 3+ */
+ /* get supported version from firmware side */
+ iface_create_ver = 0;
+- err = brcmf_fil_bsscfg_int_get(ifp, "interface_create",
+- &iface_create_ver);
++ err = brcmf_fil_bsscfg_int_query(ifp, "interface_create",
++ &iface_create_ver);
+ if (err) {
+ brcmf_err("fail to get supported version, err=%d\n", err);
+ return -EOPNOTSUPP;
+@@ -2101,7 +2101,8 @@ brcmf_set_key_mgmt(struct net_device *ndev, struct cfg80211_connect_params *sme)
+ if (!sme->crypto.n_akm_suites)
+ return 0;
+
+- err = brcmf_fil_bsscfg_int_get(netdev_priv(ndev), "wpa_auth", &val);
++ err = brcmf_fil_bsscfg_int_get(netdev_priv(ndev),
++ "wpa_auth", &val);
+ if (err) {
+ bphy_err(drvr, "could not get wpa_auth (%d)\n", err);
+ return err;
+@@ -2680,7 +2681,7 @@ brcmf_cfg80211_get_tx_power(struct wiphy *wiphy, struct wireless_dev *wdev,
+ struct brcmf_cfg80211_info *cfg = wiphy_to_cfg(wiphy);
+ struct brcmf_cfg80211_vif *vif = wdev_to_vif(wdev);
+ struct brcmf_pub *drvr = cfg->pub;
+- s32 qdbm = 0;
++ s32 qdbm;
+ s32 err;
+
+ brcmf_dbg(TRACE, "Enter\n");
+@@ -3067,7 +3068,7 @@ brcmf_cfg80211_get_station_ibss(struct brcmf_if *ifp,
+ struct brcmf_scb_val_le scbval;
+ struct brcmf_pktcnt_le pktcnt;
+ s32 err;
+- u32 rate = 0;
++ u32 rate;
+ u32 rssi;
+
+ /* Get the current tx rate */
+@@ -7046,8 +7047,8 @@ static int brcmf_construct_chaninfo(struct brcmf_cfg80211_info *cfg,
+ ch.bw = BRCMU_CHAN_BW_20;
+ cfg->d11inf.encchspec(&ch);
+ chaninfo = ch.chspec;
+- err = brcmf_fil_bsscfg_int_get(ifp, "per_chan_info",
+- &chaninfo);
++ err = brcmf_fil_bsscfg_int_query(ifp, "per_chan_info",
++ &chaninfo);
+ if (!err) {
+ if (chaninfo & WL_CHAN_RADAR)
+ channel->flags |=
+@@ -7081,7 +7082,7 @@ static int brcmf_enable_bw40_2g(struct brcmf_cfg80211_info *cfg)
+
+ /* verify support for bw_cap command */
+ val = WLC_BAND_5G;
+- err = brcmf_fil_iovar_int_get(ifp, "bw_cap", &val);
++ err = brcmf_fil_iovar_int_query(ifp, "bw_cap", &val);
+
+ if (!err) {
+ /* only set 2G bandwidth using bw_cap command */
+@@ -7157,11 +7158,11 @@ static void brcmf_get_bwcap(struct brcmf_if *ifp, u32 bw_cap[])
+ int err;
+
+ band = WLC_BAND_2G;
+- err = brcmf_fil_iovar_int_get(ifp, "bw_cap", &band);
++ err = brcmf_fil_iovar_int_query(ifp, "bw_cap", &band);
+ if (!err) {
+ bw_cap[NL80211_BAND_2GHZ] = band;
+ band = WLC_BAND_5G;
+- err = brcmf_fil_iovar_int_get(ifp, "bw_cap", &band);
++ err = brcmf_fil_iovar_int_query(ifp, "bw_cap", &band);
+ if (!err) {
+ bw_cap[NL80211_BAND_5GHZ] = band;
+ return;
+@@ -7170,7 +7171,6 @@ static void brcmf_get_bwcap(struct brcmf_if *ifp, u32 bw_cap[])
+ return;
+ }
+ brcmf_dbg(INFO, "fallback to mimo_bw_cap info\n");
+- mimo_bwcap = 0;
+ err = brcmf_fil_iovar_int_get(ifp, "mimo_bw_cap", &mimo_bwcap);
+ if (err)
+ /* assume 20MHz if firmware does not give a clue */
+@@ -7266,10 +7266,10 @@ static int brcmf_setup_wiphybands(struct brcmf_cfg80211_info *cfg)
+ struct brcmf_pub *drvr = cfg->pub;
+ struct brcmf_if *ifp = brcmf_get_ifp(drvr, 0);
+ struct wiphy *wiphy = cfg_to_wiphy(cfg);
+- u32 nmode = 0;
++ u32 nmode;
+ u32 vhtmode = 0;
+ u32 bw_cap[2] = { WLC_BW_20MHZ_BIT, WLC_BW_20MHZ_BIT };
+- u32 rxchain = 0;
++ u32 rxchain;
+ u32 nchain;
+ int err;
+ s32 i;
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+index bf91b1e1368f0..df53dd1d7e748 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -691,7 +691,7 @@ static int brcmf_net_mon_open(struct net_device *ndev)
+ {
+ struct brcmf_if *ifp = netdev_priv(ndev);
+ struct brcmf_pub *drvr = ifp->drvr;
+- u32 monitor = 0;
++ u32 monitor;
+ int err;
+
+ brcmf_dbg(TRACE, "Enter\n");
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+index f23310a77a5d1..0d9ae197fa1ec 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
+@@ -184,7 +184,7 @@ static void brcmf_feat_wlc_version_overrides(struct brcmf_pub *drv)
+ static void brcmf_feat_iovar_int_get(struct brcmf_if *ifp,
+ enum brcmf_feat_id id, char *name)
+ {
+- u32 data = 0;
++ u32 data;
+ int err;
+
+ /* we need to know firmware error */
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil.h
+index a315a7fac6a06..31e080e4da669 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil.h
+@@ -96,15 +96,22 @@ static inline
+ s32 brcmf_fil_cmd_int_get(struct brcmf_if *ifp, u32 cmd, u32 *data)
+ {
+ s32 err;
+- __le32 data_le = cpu_to_le32(*data);
+
+- err = brcmf_fil_cmd_data_get(ifp, cmd, &data_le, sizeof(data_le));
++ err = brcmf_fil_cmd_data_get(ifp, cmd, data, sizeof(*data));
+ if (err == 0)
+- *data = le32_to_cpu(data_le);
++ *data = le32_to_cpu(*(__le32 *)data);
+ brcmf_dbg(FIL, "ifidx=%d, cmd=%d, value=%d\n", ifp->ifidx, cmd, *data);
+
+ return err;
+ }
++static inline
++s32 brcmf_fil_cmd_int_query(struct brcmf_if *ifp, u32 cmd, u32 *data)
++{
++ __le32 *data_le = (__le32 *)data;
++
++ *data_le = cpu_to_le32(*data);
++ return brcmf_fil_cmd_int_get(ifp, cmd, data);
++}
+
+ s32 brcmf_fil_iovar_data_set(struct brcmf_if *ifp, const char *name,
+ const void *data, u32 len);
+@@ -120,14 +127,21 @@ s32 brcmf_fil_iovar_int_set(struct brcmf_if *ifp, const char *name, u32 data)
+ static inline
+ s32 brcmf_fil_iovar_int_get(struct brcmf_if *ifp, const char *name, u32 *data)
+ {
+- __le32 data_le = cpu_to_le32(*data);
+ s32 err;
+
+- err = brcmf_fil_iovar_data_get(ifp, name, &data_le, sizeof(data_le));
++ err = brcmf_fil_iovar_data_get(ifp, name, data, sizeof(*data));
+ if (err == 0)
+- *data = le32_to_cpu(data_le);
++ *data = le32_to_cpu(*(__le32 *)data);
+ return err;
+ }
++static inline
++s32 brcmf_fil_iovar_int_query(struct brcmf_if *ifp, const char *name, u32 *data)
++{
++ __le32 *data_le = (__le32 *)data;
++
++ *data_le = cpu_to_le32(*data);
++ return brcmf_fil_iovar_int_get(ifp, name, data);
++}
+
+
+ s32 brcmf_fil_bsscfg_data_set(struct brcmf_if *ifp, const char *name,
+@@ -145,15 +159,21 @@ s32 brcmf_fil_bsscfg_int_set(struct brcmf_if *ifp, const char *name, u32 data)
+ static inline
+ s32 brcmf_fil_bsscfg_int_get(struct brcmf_if *ifp, const char *name, u32 *data)
+ {
+- __le32 data_le = cpu_to_le32(*data);
+ s32 err;
+
+- err = brcmf_fil_bsscfg_data_get(ifp, name, &data_le,
+- sizeof(data_le));
++ err = brcmf_fil_bsscfg_data_get(ifp, name, data, sizeof(*data));
+ if (err == 0)
+- *data = le32_to_cpu(data_le);
++ *data = le32_to_cpu(*(__le32 *)data);
+ return err;
+ }
++static inline
++s32 brcmf_fil_bsscfg_int_query(struct brcmf_if *ifp, const char *name, u32 *data)
++{
++ __le32 *data_le = (__le32 *)data;
++
++ *data_le = cpu_to_le32(*data);
++ return brcmf_fil_bsscfg_int_get(ifp, name, data);
++}
+
+ s32 brcmf_fil_xtlv_data_set(struct brcmf_if *ifp, const char *name, u16 id,
+ void *data, u32 len);
+--
+2.43.0
+
--- /dev/null
+From 8931edb162a497f5546f517f6efa03e2954450ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Aug 2024 16:22:05 +0800
+Subject: wifi: cfg80211: fix bug of mapping AF3x to incorrect User Priority
+
+From: hhorace <hhoracehsu@gmail.com>
+
+[ Upstream commit a68b22e2905b04f376e2fa116be5e48b948f81c8 ]
+
+According to RFC8325 4.3, Multimedia Streaming: AF31(011010, 26),
+AF32(011100, 28), AF33(011110, 30) maps to User Priority = 4
+and AC_VI (Video).
+
+However, the original code remain the default three Most Significant
+Bits (MSBs) of the DSCP, which makes AF3x map to User Priority = 3
+and AC_BE (Best Effort).
+
+Fixes: 6fdb8b8781d5 ("wifi: cfg80211: Update the default DSCP-to-UP mapping")
+Signed-off-by: hhorace <hhoracehsu@gmail.com>
+Reviewed-by: Guillaume Nault <gnault@redhat.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20240807082205.1369-1-hhoracehsu@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/util.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/net/wireless/util.c b/net/wireless/util.c
+index 9a7c3adc8a3bf..edeeb056fe4da 100644
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -998,10 +998,10 @@ unsigned int cfg80211_classify8021d(struct sk_buff *skb,
+ * Diffserv Service Classes no update is needed:
+ * - Standard: DF
+ * - Low Priority Data: CS1
+- * - Multimedia Streaming: AF31, AF32, AF33
+ * - Multimedia Conferencing: AF41, AF42, AF43
+ * - Network Control Traffic: CS7
+ * - Real-Time Interactive: CS4
++ * - Signaling: CS5
+ */
+ switch (dscp >> 2) {
+ case 10:
+@@ -1026,9 +1026,11 @@ unsigned int cfg80211_classify8021d(struct sk_buff *skb,
+ /* Broadcasting video: CS3 */
+ ret = 4;
+ break;
+- case 40:
+- /* Signaling: CS5 */
+- ret = 5;
++ case 26:
++ case 28:
++ case 30:
++ /* Multimedia Streaming: AF31, AF32, AF33 */
++ ret = 4;
+ break;
+ case 44:
+ /* Voice Admit: VA */
+--
+2.43.0
+
--- /dev/null
+From ded681909e729097e543b86b2ecfd33b3bf9b43e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 12:08:06 +0300
+Subject: wifi: cfg80211: fix two more possible UBSAN-detected off-by-one
+ errors
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 15ea13b1b1fbf6364d4cd568e65e4c8479632999 ]
+
+Although not reproduced in practice, these two cases may be
+considered by UBSAN as off-by-one errors. So fix them in the
+same way as in commit a26a5107bc52 ("wifi: cfg80211: fix UBSAN
+noise in cfg80211_wext_siwscan()").
+
+Fixes: 807f8a8c3004 ("cfg80211/nl80211: add support for scheduled scans")
+Fixes: 5ba63533bbf6 ("cfg80211: fix alignment problem in scan request")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Link: https://patch.msgid.link/20240909090806.1091956-1-dmantipov@yandex.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 3 ++-
+ net/wireless/sme.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 7397a372c78eb..1d83bc3de5ca5 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -9778,7 +9778,8 @@ nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
+ return ERR_PTR(-ENOMEM);
+
+ if (n_ssids)
+- request->ssids = (void *)&request->channels[n_channels];
++ request->ssids = (void *)request +
++ struct_size(request, channels, n_channels);
+ request->n_ssids = n_ssids;
+ if (ie_len) {
+ if (n_ssids)
+diff --git a/net/wireless/sme.c b/net/wireless/sme.c
+index d9d7bf8bb5c1a..431da30817a6f 100644
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -115,7 +115,8 @@ static int cfg80211_conn_scan(struct wireless_dev *wdev)
+ n_channels = i;
+ }
+ request->n_channels = n_channels;
+- request->ssids = (void *)&request->channels[n_channels];
++ request->ssids = (void *)request +
++ struct_size(request, channels, n_channels);
+ request->n_ssids = 1;
+
+ memcpy(request->ssids[0].ssid, wdev->conn->params.ssid,
+--
+2.43.0
+
--- /dev/null
+From d1f0b44882e18ca69015ff4e0ca769c27dcea97a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2024 18:04:00 +0300
+Subject: wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit a26a5107bc52922cf5f67361e307ad66547b51c7 ]
+
+Looking at https://syzkaller.appspot.com/bug?extid=1a3986bbd3169c307819
+and running reproducer with CONFIG_UBSAN_BOUNDS, I've noticed the
+following:
+
+[ T4985] UBSAN: array-index-out-of-bounds in net/wireless/scan.c:3479:25
+[ T4985] index 164 is out of range for type 'struct ieee80211_channel *[]'
+<...skipped...>
+[ T4985] Call Trace:
+[ T4985] <TASK>
+[ T4985] dump_stack_lvl+0x1c2/0x2a0
+[ T4985] ? __pfx_dump_stack_lvl+0x10/0x10
+[ T4985] ? __pfx__printk+0x10/0x10
+[ T4985] __ubsan_handle_out_of_bounds+0x127/0x150
+[ T4985] cfg80211_wext_siwscan+0x11a4/0x1260
+<...the rest is not too useful...>
+
+Even if we do 'creq->n_channels = n_channels' before 'creq->ssids =
+(void *)&creq->channels[n_channels]', UBSAN treats the latter as
+off-by-one error. Fix this by using pointer arithmetic rather than
+an expression with explicit array indexing and use convenient
+'struct_size()' to simplify the math here and in 'kzalloc()' above.
+
+Fixes: 5ba63533bbf6 ("cfg80211: fix alignment problem in scan request")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Reviewed-by: Kees Cook <kees@kernel.org>
+Link: https://patch.msgid.link/20240905150400.126386-1-dmantipov@yandex.ru
+[fix coding style for multi-line calculation]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index 64eeed82d43d5..3ff818849d83a 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -3467,8 +3467,8 @@ int cfg80211_wext_siwscan(struct net_device *dev,
+ n_channels = ieee80211_get_num_supported_channels(wiphy);
+ }
+
+- creq = kzalloc(sizeof(*creq) + sizeof(struct cfg80211_ssid) +
+- n_channels * sizeof(void *),
++ creq = kzalloc(struct_size(creq, channels, n_channels) +
++ sizeof(struct cfg80211_ssid),
+ GFP_ATOMIC);
+ if (!creq)
+ return -ENOMEM;
+@@ -3476,7 +3476,7 @@ int cfg80211_wext_siwscan(struct net_device *dev,
+ creq->wiphy = wiphy;
+ creq->wdev = dev->ieee80211_ptr;
+ /* SSIDs come after channels */
+- creq->ssids = (void *)&creq->channels[n_channels];
++ creq->ssids = (void *)creq + struct_size(creq, channels, n_channels);
+ creq->n_channels = n_channels;
+ creq->n_ssids = 1;
+ creq->scan_start = jiffies;
+--
+2.43.0
+
--- /dev/null
+From d813a1c2e8155c7c74582425849d0e14c362986c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 20:20:07 +0300
+Subject: wifi: iwlwifi: config: label 'gl' devices as discrete
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 8131dd52810dfcdb49fcdc78f5e18e1538b6c441 ]
+
+The 'gl' devices are in the bz family, but they're not,
+integrated, so should have their own trans config struct.
+Fix that, also necessitating the removal of LTR config,
+and while at it remove 0x2727 and 0x272D IDs that were
+only used for test chips.
+
+Fixes: c30a2a64788b ("wifi: iwlwifi: add a new PCI device ID for BZ device")ticket=none
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20240729201718.95aed0620080.Ib9129512c95aa57acc9876bdff8b99dd41e1562c@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/cfg/bz.c | 11 +++++++++++
+ drivers/net/wireless/intel/iwlwifi/iwl-config.h | 1 +
+ drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 4 +---
+ 3 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/cfg/bz.c b/drivers/net/wireless/intel/iwlwifi/cfg/bz.c
+index 3b6b8b410be58..b230441abc16a 100644
+--- a/drivers/net/wireless/intel/iwlwifi/cfg/bz.c
++++ b/drivers/net/wireless/intel/iwlwifi/cfg/bz.c
+@@ -148,6 +148,17 @@ const struct iwl_cfg_trans_params iwl_bz_trans_cfg = {
+ .ltr_delay = IWL_CFG_TRANS_LTR_DELAY_2500US,
+ };
+
++const struct iwl_cfg_trans_params iwl_gl_trans_cfg = {
++ .device_family = IWL_DEVICE_FAMILY_BZ,
++ .base_params = &iwl_bz_base_params,
++ .mq_rx_supported = true,
++ .rf_id = true,
++ .gen2 = true,
++ .umac_prph_offset = 0x300000,
++ .xtal_latency = 12000,
++ .low_latency_xtal = true,
++};
++
+ const char iwl_bz_name[] = "Intel(R) TBD Bz device";
+ const char iwl_fm_name[] = "Intel(R) Wi-Fi 7 BE201 320MHz";
+ const char iwl_gl_name[] = "Intel(R) Wi-Fi 7 BE200 320MHz";
+diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-config.h b/drivers/net/wireless/intel/iwlwifi/iwl-config.h
+index b2abd4fd19444..34c91deca57b1 100644
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-config.h
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-config.h
+@@ -504,6 +504,7 @@ extern const struct iwl_cfg_trans_params iwl_so_long_latency_trans_cfg;
+ extern const struct iwl_cfg_trans_params iwl_so_long_latency_imr_trans_cfg;
+ extern const struct iwl_cfg_trans_params iwl_ma_trans_cfg;
+ extern const struct iwl_cfg_trans_params iwl_bz_trans_cfg;
++extern const struct iwl_cfg_trans_params iwl_gl_trans_cfg;
+ extern const struct iwl_cfg_trans_params iwl_sc_trans_cfg;
+ extern const char iwl9162_name[];
+ extern const char iwl9260_name[];
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+index 84fd93278450b..805fb249a0c6a 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+@@ -500,9 +500,7 @@ VISIBLE_IF_IWLWIFI_KUNIT const struct pci_device_id iwl_hw_card_ids[] = {
+ {IWL_PCI_DEVICE(0x7E40, PCI_ANY_ID, iwl_ma_trans_cfg)},
+
+ /* Bz devices */
+- {IWL_PCI_DEVICE(0x2727, PCI_ANY_ID, iwl_bz_trans_cfg)},
+- {IWL_PCI_DEVICE(0x272D, PCI_ANY_ID, iwl_bz_trans_cfg)},
+- {IWL_PCI_DEVICE(0x272b, PCI_ANY_ID, iwl_bz_trans_cfg)},
++ {IWL_PCI_DEVICE(0x272b, PCI_ANY_ID, iwl_gl_trans_cfg)},
+ {IWL_PCI_DEVICE(0xA840, 0x0000, iwl_bz_trans_cfg)},
+ {IWL_PCI_DEVICE(0xA840, 0x0090, iwl_bz_trans_cfg)},
+ {IWL_PCI_DEVICE(0xA840, 0x0094, iwl_bz_trans_cfg)},
+--
+2.43.0
+
--- /dev/null
+From 4dc1b13a74c4e951a0da7d4d2c0c8c8fcc5c8443 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Aug 2024 19:17:11 +0300
+Subject: wifi: iwlwifi: mvm: allow ESR when we the ROC expires
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit 76364f3edfde60aa2fa20b578ba9b96797d7bff5 ]
+
+We forgot to release the ROC reason for ESR prevention when the remain
+on channel expires.
+Add this.
+
+Fixes: a1efeb823084 ("wifi: iwlwifi: mvm: Block EMLSR when a p2p/softAP vif is active")
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20240825191257.8f8765f359cc.I16fcd6198072d422ff36dce68070aafaf011f4c1@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/intel/iwlwifi/mvm/time-event.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
+index a8c42ce3b6300..72fa7ac86516c 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
+@@ -114,16 +114,14 @@ static void iwl_mvm_cleanup_roc(struct iwl_mvm *mvm)
+ iwl_mvm_flush_sta(mvm, mvm->aux_sta.sta_id,
+ mvm->aux_sta.tfd_queue_msk);
+
+- if (mvm->mld_api_is_used) {
+- iwl_mvm_mld_rm_aux_sta(mvm);
+- mutex_unlock(&mvm->mutex);
+- return;
+- }
+-
+ /* In newer version of this command an aux station is added only
+ * in cases of dedicated tx queue and need to be removed in end
+- * of use */
+- if (iwl_mvm_has_new_station_api(mvm->fw))
++ * of use. For the even newer mld api, use the appropriate
++ * function.
++ */
++ if (mvm->mld_api_is_used)
++ iwl_mvm_mld_rm_aux_sta(mvm);
++ else if (iwl_mvm_has_new_station_api(mvm->fw))
+ iwl_mvm_rm_aux_sta(mvm);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 5bf08070ea4ccce4f088891e05d9b195f137938d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 20:20:12 +0300
+Subject: wifi: iwlwifi: mvm: increase the time between ranging measurements
+
+From: Avraham Stern <avraham.stern@intel.com>
+
+[ Upstream commit 3a7ee94559dfd640604d0265739e86dec73b64e8 ]
+
+The algo running in fw may take a little longer than 5 milliseconds,
+(e.g. measurement on 80MHz while associated). Increase the minimum
+time between measurements to 7 milliseconds.
+
+Fixes: 830aa3e7d1ca ("iwlwifi: mvm: add support for range request command version 13")
+Signed-off-by: Avraham Stern <avraham.stern@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20240729201718.d3f3c26e00d9.I09e951290e8a3d73f147b88166fd9a678d1d69ed@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/constants.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/constants.h b/drivers/net/wireless/intel/iwlwifi/mvm/constants.h
+index c4c1e67b9ac76..8f63cbe9e50da 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/constants.h
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/constants.h
+@@ -109,7 +109,7 @@
+ #define IWL_MVM_FTM_INITIATOR_SECURE_LTF false
+ #define IWL_MVM_FTM_RESP_NDP_SUPPORT true
+ #define IWL_MVM_FTM_RESP_LMR_FEEDBACK_SUPPORT true
+-#define IWL_MVM_FTM_NON_TB_MIN_TIME_BETWEEN_MSR 5
++#define IWL_MVM_FTM_NON_TB_MIN_TIME_BETWEEN_MSR 7
+ #define IWL_MVM_FTM_NON_TB_MAX_TIME_BETWEEN_MSR 1000
+ #define IWL_MVM_D3_DEBUG false
+ #define IWL_MVM_USE_TWT true
+--
+2.43.0
+
--- /dev/null
+From 54faa822ffb0088229184d214cf95124bbbf0838 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 20:20:11 +0300
+Subject: wifi: iwlwifi: mvm: set the cipher for secured NDP ranging
+
+From: Avraham Stern <avraham.stern@intel.com>
+
+[ Upstream commit a949075d4bbf1ca83ccdeaa6ef4ac2ce7526c5f4 ]
+
+The cipher pointer is not set, but is derefereced trying to set its
+content, which leads to a NULL pointer dereference.
+Fix it by pointing to the cipher parameter before dereferencing.
+
+Fixes: 626be4bf99f6 ("wifi: iwlwifi: mvm: modify iwl_mvm_ftm_set_secured_ranging() parameters")
+Signed-off-by: Avraham Stern <avraham.stern@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20240729201718.24e83369f136.I80501ddcb82920561f450d00020d860e7a3f90c6@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
+index afd90a52d4ecb..55245f913286b 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
+@@ -772,6 +772,7 @@ iwl_mvm_ftm_set_secured_ranging(struct iwl_mvm *mvm, struct ieee80211_vif *vif,
+ struct iwl_mvm_ftm_iter_data target;
+
+ target.bssid = bssid;
++ target.cipher = cipher;
+ ieee80211_iter_keys(mvm->hw, vif, iter, &target);
+ } else {
+ memcpy(tk, entry->tk, sizeof(entry->tk));
+--
+2.43.0
+
--- /dev/null
+From da518d38f6769a4a8304d609d5012708336482b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 10:39:20 +0200
+Subject: wifi: mac80211: Check for missing VHT elements only for 5 GHz
+
+From: Ilan Peer <ilan.peer@intel.com>
+
+[ Upstream commit 67bb124cd9ae38870667e4f9c876ef8e0f82ec44 ]
+
+Check for missing VHT Capabilities and VHT Operation elements in
+association response frame only for 5 GHz links.
+
+Fixes: 310c8387c638 ("wifi: mac80211: clean up connection process")
+Signed-off-by: Ilan Peer <ilan.peer@intel.com>
+Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20240827103920.dd711282d543.Iaba245cebc52209b0499d5bab7d8a8ef1df9dd65@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mlme.c | 29 ++++++++++++++++-------------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 0a4a25a10eaea..9e3d2ed9cf678 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -4715,7 +4715,7 @@ static bool ieee80211_assoc_config_link(struct ieee80211_link_data *link,
+ ((assoc_data->wmm && !elems->wmm_param) ||
+ (link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HT &&
+ (!elems->ht_cap_elem || !elems->ht_operation)) ||
+- (link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT &&
++ (is_5ghz && link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT &&
+ (!elems->vht_cap_elem || !elems->vht_operation)))) {
+ const struct cfg80211_bss_ies *ies;
+ struct ieee802_11_elems *bss_elems;
+@@ -4763,19 +4763,22 @@ static bool ieee80211_assoc_config_link(struct ieee80211_link_data *link,
+ sdata_info(sdata,
+ "AP bug: HT operation missing from AssocResp\n");
+ }
+- if (!elems->vht_cap_elem && bss_elems->vht_cap_elem &&
+- link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT) {
+- elems->vht_cap_elem = bss_elems->vht_cap_elem;
+- sdata_info(sdata,
+- "AP bug: VHT capa missing from AssocResp\n");
+- }
+- if (!elems->vht_operation && bss_elems->vht_operation &&
+- link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT) {
+- elems->vht_operation = bss_elems->vht_operation;
+- sdata_info(sdata,
+- "AP bug: VHT operation missing from AssocResp\n");
+- }
+
++ if (is_5ghz) {
++ if (!elems->vht_cap_elem && bss_elems->vht_cap_elem &&
++ link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT) {
++ elems->vht_cap_elem = bss_elems->vht_cap_elem;
++ sdata_info(sdata,
++ "AP bug: VHT capa missing from AssocResp\n");
++ }
++
++ if (!elems->vht_operation && bss_elems->vht_operation &&
++ link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT) {
++ elems->vht_operation = bss_elems->vht_operation;
++ sdata_info(sdata,
++ "AP bug: VHT operation missing from AssocResp\n");
++ }
++ }
+ kfree(bss_elems);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 70590d19f2d5e5302efc40805d1e2099882dad3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 15:48:16 +0800
+Subject: wifi: mac80211: don't use rate mask for offchannel TX either
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+[ Upstream commit e7a7ef9a0742dbd0818d5b15fba2c5313ace765b ]
+
+Like the commit ab9177d83c04 ("wifi: mac80211: don't use rate mask for
+scanning"), ignore incorrect settings to avoid no supported rate warning
+reported by syzbot.
+
+The syzbot did bisect and found cause is commit 9df66d5b9f45 ("cfg80211:
+fix default HE tx bitrate mask in 2G band"), which however corrects
+bitmask of HE MCS and recognizes correctly settings of empty legacy rate
+plus HE MCS rate instead of returning -EINVAL.
+
+As suggestions [1], follow the change of SCAN TX to consider this case of
+offchannel TX as well.
+
+[1] https://lore.kernel.org/linux-wireless/6ab2dc9c3afe753ca6fdcdd1421e7a1f47e87b84.camel@sipsolutions.net/T/#m2ac2a6d2be06a37c9c47a3d8a44b4f647ed4f024
+
+Reported-by: syzbot+8dd98a9e98ee28dc484a@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-wireless/000000000000fdef8706191a3f7b@google.com/
+Fixes: 9df66d5b9f45 ("cfg80211: fix default HE tx bitrate mask in 2G band")
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20240729074816.20323-1-pkshih@realtek.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/mac80211.h | 7 ++++---
+ net/mac80211/offchannel.c | 1 +
+ net/mac80211/rate.c | 2 +-
+ net/mac80211/scan.c | 2 +-
+ net/mac80211/tx.c | 2 +-
+ 5 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/include/net/mac80211.h b/include/net/mac80211.h
+index 0a04eaf5343c6..fae37598c1106 100644
+--- a/include/net/mac80211.h
++++ b/include/net/mac80211.h
+@@ -994,8 +994,9 @@ enum mac80211_tx_info_flags {
+ * of their QoS TID or other priority field values.
+ * @IEEE80211_TX_CTRL_MCAST_MLO_FIRST_TX: first MLO TX, used mostly internally
+ * for sequence number assignment
+- * @IEEE80211_TX_CTRL_SCAN_TX: Indicates that this frame is transmitted
+- * due to scanning, not in normal operation on the interface.
++ * @IEEE80211_TX_CTRL_DONT_USE_RATE_MASK: Don't use rate mask for this frame
++ * which is transmitted due to scanning or offchannel TX, not in normal
++ * operation on the interface.
+ * @IEEE80211_TX_CTRL_MLO_LINK: If not @IEEE80211_LINK_UNSPECIFIED, this
+ * frame should be transmitted on the specific link. This really is
+ * only relevant for frames that do not have data present, and is
+@@ -1016,7 +1017,7 @@ enum mac80211_tx_control_flags {
+ IEEE80211_TX_CTRL_NO_SEQNO = BIT(7),
+ IEEE80211_TX_CTRL_DONT_REORDER = BIT(8),
+ IEEE80211_TX_CTRL_MCAST_MLO_FIRST_TX = BIT(9),
+- IEEE80211_TX_CTRL_SCAN_TX = BIT(10),
++ IEEE80211_TX_CTRL_DONT_USE_RATE_MASK = BIT(10),
+ IEEE80211_TX_CTRL_MLO_LINK = 0xf0000000,
+ };
+
+diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
+index 28d03196ef75a..29fab7ae47b4c 100644
+--- a/net/mac80211/offchannel.c
++++ b/net/mac80211/offchannel.c
+@@ -997,6 +997,7 @@ int ieee80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
+ }
+
+ IEEE80211_SKB_CB(skb)->flags = flags;
++ IEEE80211_SKB_CB(skb)->control.flags |= IEEE80211_TX_CTRL_DONT_USE_RATE_MASK;
+
+ skb->dev = sdata->dev;
+
+diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c
+index 4dc1def695486..3dc9752188d58 100644
+--- a/net/mac80211/rate.c
++++ b/net/mac80211/rate.c
+@@ -890,7 +890,7 @@ void ieee80211_get_tx_rates(struct ieee80211_vif *vif,
+ if (ieee80211_is_tx_data(skb))
+ rate_control_apply_mask(sdata, sta, sband, dest, max_rates);
+
+- if (!(info->control.flags & IEEE80211_TX_CTRL_SCAN_TX))
++ if (!(info->control.flags & IEEE80211_TX_CTRL_DONT_USE_RATE_MASK))
+ mask = sdata->rc_rateidx_mask[info->band];
+
+ if (dest[0].idx < 0)
+diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
+index b5f2df61c7f67..1c5d99975ad04 100644
+--- a/net/mac80211/scan.c
++++ b/net/mac80211/scan.c
+@@ -649,7 +649,7 @@ static void ieee80211_send_scan_probe_req(struct ieee80211_sub_if_data *sdata,
+ cpu_to_le16(IEEE80211_SN_TO_SEQ(sn));
+ }
+ IEEE80211_SKB_CB(skb)->flags |= tx_flags;
+- IEEE80211_SKB_CB(skb)->control.flags |= IEEE80211_TX_CTRL_SCAN_TX;
++ IEEE80211_SKB_CB(skb)->control.flags |= IEEE80211_TX_CTRL_DONT_USE_RATE_MASK;
+ ieee80211_tx_skb_tid_band(sdata, skb, 7, channel->band);
+ }
+ }
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index bca7b341dd772..a9ee869822592 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -699,7 +699,7 @@ ieee80211_tx_h_rate_ctrl(struct ieee80211_tx_data *tx)
+ txrc.skb = tx->skb;
+ txrc.reported_rate.idx = -1;
+
+- if (unlikely(info->control.flags & IEEE80211_TX_CTRL_SCAN_TX)) {
++ if (unlikely(info->control.flags & IEEE80211_TX_CTRL_DONT_USE_RATE_MASK)) {
+ txrc.rate_idx_mask = ~0;
+ } else {
+ txrc.rate_idx_mask = tx->sdata->rc_rateidx_mask[info->band];
+--
+2.43.0
+
--- /dev/null
+From 79ddd80023cc223db9aeedd9b2d99bd8488b7eb2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Aug 2024 11:59:16 +0300
+Subject: wifi: mac80211: fix the comeback long retry times
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit 1524173a3745899612c71d9e83ff8fe29dbb2cfb ]
+
+When we had a comeback, we will never use the default timeout values
+again because comeback is never cleared.
+Clear comeback if we send another association request which will allow
+to start a default timer after Tx status.
+
+The problem was seen with iwlwifi where the tx_status on the association
+request is handled before the association response frame (which is the
+usual case).
+
+1) Tx assoc request 1/3
+2) Rx assoc response (comeback, timeout = 1 second)
+3) wait 1 second
+4) Tx assoc request 2/3
+5) Set timer to IEEE80211_ASSOC_TIMEOUT_LONG = 500ms (1 second after
+ round_up)
+6) tx_status on frame sent in 4) is ignored because comeback is still
+ true
+7) AP does not reply with assoc response
+8) wait 1s <= This is where the bug is felt
+9) Tx assoc request 3/3
+
+With this fix, in step 6 we will reset the timer to
+IEEE80211_ASSOC_TIMEOUT_SHORT = 100ms and we will wait only 100ms in
+step 8.
+
+Fixes: b133fdf07db8 ("wifi: mac80211: Skip association timeout update after comeback rejection")
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Link: https://patch.msgid.link/20240808085916.23519-1-emmanuel.grumbach@intel.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mlme.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index f9526bbc36337..0a4a25a10eaea 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -7660,6 +7660,7 @@ static int ieee80211_do_assoc(struct ieee80211_sub_if_data *sdata)
+ lockdep_assert_wiphy(sdata->local->hw.wiphy);
+
+ assoc_data->tries++;
++ assoc_data->comeback = false;
+ if (assoc_data->tries > IEEE80211_ASSOC_MAX_TRIES) {
+ sdata_info(sdata, "association with %pM timed out\n",
+ assoc_data->ap_addr);
+--
+2.43.0
+
--- /dev/null
+From c8d49bc2cda88e2baa31e116a644d0afd76e20ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 15:31:51 +0300
+Subject: wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 9d301de12da6e1bb069a9835c38359b8e8135121 ]
+
+Since '__dev_queue_xmit()' should be called with interrupts enabled,
+the following backtrace:
+
+ieee80211_do_stop()
+ ...
+ spin_lock_irqsave(&local->queue_stop_reason_lock, flags)
+ ...
+ ieee80211_free_txskb()
+ ieee80211_report_used_skb()
+ ieee80211_report_ack_skb()
+ cfg80211_mgmt_tx_status_ext()
+ nl80211_frame_tx_status()
+ genlmsg_multicast_netns()
+ genlmsg_multicast_netns_filtered()
+ nlmsg_multicast_filtered()
+ netlink_broadcast_filtered()
+ do_one_broadcast()
+ netlink_broadcast_deliver()
+ __netlink_sendskb()
+ netlink_deliver_tap()
+ __netlink_deliver_tap_skb()
+ dev_queue_xmit()
+ __dev_queue_xmit() ; with IRQS disabled
+ ...
+ spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags)
+
+issues the warning (as reported by syzbot reproducer):
+
+WARNING: CPU: 2 PID: 5128 at kernel/softirq.c:362 __local_bh_enable_ip+0xc3/0x120
+
+Fix this by implementing a two-phase skb reclamation in
+'ieee80211_do_stop()', where actual work is performed
+outside of a section with interrupts disabled.
+
+Fixes: 5061b0c2b906 ("mac80211: cooperate more with network namespaces")
+Reported-by: syzbot+1a3986bbd3169c307819@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=1a3986bbd3169c307819
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Link: https://patch.msgid.link/20240906123151.351647-1-dmantipov@yandex.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/iface.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
+index b4ad66af3af31..f735e41560a32 100644
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -462,6 +462,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, bool going_do
+ {
+ struct ieee80211_local *local = sdata->local;
+ unsigned long flags;
++ struct sk_buff_head freeq;
+ struct sk_buff *skb, *tmp;
+ u32 hw_reconf_flags = 0;
+ int i, flushed;
+@@ -637,18 +638,32 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, bool going_do
+ skb_queue_purge(&sdata->status_queue);
+ }
+
++ /*
++ * Since ieee80211_free_txskb() may issue __dev_queue_xmit()
++ * which should be called with interrupts enabled, reclamation
++ * is done in two phases:
++ */
++ __skb_queue_head_init(&freeq);
++
++ /* unlink from local queues... */
+ spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
+ for (i = 0; i < IEEE80211_MAX_QUEUES; i++) {
+ skb_queue_walk_safe(&local->pending[i], skb, tmp) {
+ struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+ if (info->control.vif == &sdata->vif) {
+ __skb_unlink(skb, &local->pending[i]);
+- ieee80211_free_txskb(&local->hw, skb);
++ __skb_queue_tail(&freeq, skb);
+ }
+ }
+ }
+ spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags);
+
++ /* ... and perform actual reclamation with interrupts enabled. */
++ skb_queue_walk_safe(&freeq, skb, tmp) {
++ __skb_unlink(skb, &freeq);
++ ieee80211_free_txskb(&local->hw, skb);
++ }
++
+ if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
+ ieee80211_txq_remove_vlan(local, sdata);
+
+--
+2.43.0
+
--- /dev/null
+From cec92fc06d3b244f436adcd9467a7cee6383121a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Jul 2024 15:49:38 +0800
+Subject: wifi: mac80211_hwsim: correct MODULE_PARM_DESC of multi_radio
+
+From: Zong-Zhe Yang <kevin_yang@realtek.com>
+
+[ Upstream commit 7c24c5bdf489c8f3a9c701a950126da871ebdaca ]
+
+Correct the name field in multi_radio's MODULE_PARM_DESC.
+
+Fixes: d2601e34a102 ("wifi: mac80211_hwsim: add support for multi-radio wiphy")
+Signed-off-by: Zong-Zhe Yang <kevin_yang@realtek.com>
+Acked-by: Felix Fietkau <nbd@nbd.name>
+Link: https://patch.msgid.link/20240712074938.26437-1-kevin_yang@realtek.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/virtual/mac80211_hwsim.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c
+index d86e6ff4523db..5fe9e4e261429 100644
+--- a/drivers/net/wireless/virtual/mac80211_hwsim.c
++++ b/drivers/net/wireless/virtual/mac80211_hwsim.c
+@@ -71,7 +71,7 @@ MODULE_PARM_DESC(mlo, "Support MLO");
+
+ static bool multi_radio;
+ module_param(multi_radio, bool, 0444);
+-MODULE_PARM_DESC(mlo, "Support Multiple Radios per wiphy");
++MODULE_PARM_DESC(multi_radio, "Support Multiple Radios per wiphy");
+
+ /**
+ * enum hwsim_regtest - the type of regulatory tests we offer
+--
+2.43.0
+
--- /dev/null
+From 5f8cca72abca597b7b239c253b0626a83329fa95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 17:50:40 +0800
+Subject: wifi: mt76: connac: fix checksum offload fields of connac3 RXD
+
+From: Peter Chiu <chui-hao.chiu@mediatek.com>
+
+[ Upstream commit a04b920fbc707deb699292cdae47006e8ea57d87 ]
+
+Fix incorrect RXD offset and bitfield related to RX checksum offload.
+
+Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
+Fixes: 4e9011fcdfc4 ("wifi: mt76: connac: move connac3 definitions in mt76_connac3_mac.h")
+Co-developed-by: Shayne Chen <shayne.chen@mediatek.com>
+Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
+Signed-off-by: Peter Chiu <chui-hao.chiu@mediatek.com>
+Link: https://patch.msgid.link/20240816095040.2574-1-shayne.chen@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt76_connac3_mac.h | 4 ++--
+ drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 5 ++---
+ drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 4 ++--
+ 3 files changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac3_mac.h b/drivers/net/wireless/mediatek/mt76/mt76_connac3_mac.h
+index 353e660698409..ef003d1620a5b 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76_connac3_mac.h
++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac3_mac.h
+@@ -28,8 +28,6 @@ enum {
+ #define MT_RXD0_MESH BIT(18)
+ #define MT_RXD0_MHCP BIT(19)
+ #define MT_RXD0_NORMAL_ETH_TYPE_OFS GENMASK(22, 16)
+-#define MT_RXD0_NORMAL_IP_SUM BIT(23)
+-#define MT_RXD0_NORMAL_UDP_TCP_SUM BIT(24)
+
+ #define MT_RXD0_SW_PKT_TYPE_MASK GENMASK(31, 16)
+ #define MT_RXD0_SW_PKT_TYPE_MAP 0x380F
+@@ -80,6 +78,8 @@ enum {
+ #define MT_RXD3_NORMAL_BEACON_UC BIT(21)
+ #define MT_RXD3_NORMAL_CO_ANT BIT(22)
+ #define MT_RXD3_NORMAL_FCS_ERR BIT(24)
++#define MT_RXD3_NORMAL_IP_SUM BIT(26)
++#define MT_RXD3_NORMAL_UDP_TCP_SUM BIT(27)
+ #define MT_RXD3_NORMAL_VLAN2ETH BIT(31)
+
+ /* RXD DW4 */
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
+index cf36750cf7092..634c42bbf23f6 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
+@@ -352,7 +352,7 @@ mt7925_mac_fill_rx_rate(struct mt792x_dev *dev,
+ static int
+ mt7925_mac_fill_rx(struct mt792x_dev *dev, struct sk_buff *skb)
+ {
+- u32 csum_mask = MT_RXD0_NORMAL_IP_SUM | MT_RXD0_NORMAL_UDP_TCP_SUM;
++ u32 csum_mask = MT_RXD3_NORMAL_IP_SUM | MT_RXD3_NORMAL_UDP_TCP_SUM;
+ struct mt76_rx_status *status = (struct mt76_rx_status *)skb->cb;
+ bool hdr_trans, unicast, insert_ccmp_hdr = false;
+ u8 chfreq, qos_ctl = 0, remove_pad, amsdu_info;
+@@ -362,7 +362,6 @@ mt7925_mac_fill_rx(struct mt792x_dev *dev, struct sk_buff *skb)
+ struct mt792x_phy *phy = &dev->phy;
+ struct ieee80211_supported_band *sband;
+ u32 csum_status = *(u32 *)skb->cb;
+- u32 rxd0 = le32_to_cpu(rxd[0]);
+ u32 rxd1 = le32_to_cpu(rxd[1]);
+ u32 rxd2 = le32_to_cpu(rxd[2]);
+ u32 rxd3 = le32_to_cpu(rxd[3]);
+@@ -420,7 +419,7 @@ mt7925_mac_fill_rx(struct mt792x_dev *dev, struct sk_buff *skb)
+ if (!sband->channels)
+ return -EINVAL;
+
+- if (mt76_is_mmio(&dev->mt76) && (rxd0 & csum_mask) == csum_mask &&
++ if (mt76_is_mmio(&dev->mt76) && (rxd3 & csum_mask) == csum_mask &&
+ !(csum_status & (BIT(0) | BIT(2) | BIT(3))))
+ skb->ip_summed = CHECKSUM_UNNECESSARY;
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+index bc7111a71f98c..fd5fe96c32e3d 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+@@ -435,7 +435,7 @@ mt7996_mac_fill_rx(struct mt7996_dev *dev, enum mt76_rxq_id q,
+ u32 rxd2 = le32_to_cpu(rxd[2]);
+ u32 rxd3 = le32_to_cpu(rxd[3]);
+ u32 rxd4 = le32_to_cpu(rxd[4]);
+- u32 csum_mask = MT_RXD0_NORMAL_IP_SUM | MT_RXD0_NORMAL_UDP_TCP_SUM;
++ u32 csum_mask = MT_RXD3_NORMAL_IP_SUM | MT_RXD3_NORMAL_UDP_TCP_SUM;
+ u32 csum_status = *(u32 *)skb->cb;
+ u32 mesh_mask = MT_RXD0_MESH | MT_RXD0_MHCP;
+ bool is_mesh = (rxd0 & mesh_mask) == mesh_mask;
+@@ -497,7 +497,7 @@ mt7996_mac_fill_rx(struct mt7996_dev *dev, enum mt76_rxq_id q,
+ if (!sband->channels)
+ return -EINVAL;
+
+- if ((rxd0 & csum_mask) == csum_mask &&
++ if ((rxd3 & csum_mask) == csum_mask &&
+ !(csum_status & (BIT(0) | BIT(2) | BIT(3))))
+ skb->ip_summed = CHECKSUM_UNNECESSARY;
+
+--
+2.43.0
+
--- /dev/null
+From ba0621b1beadd99713526877e4050ee264591e39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 11:29:48 +0200
+Subject: wifi: mt76: mt7603: fix mixed declarations and code
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 9b8d932053b8b45d650360b36f701cf0f9b6470e ]
+
+Move the qid variable declaration further up
+
+Fixes: b473c0e47f04 ("wifi: mt76: mt7603: fix tx queue of loopback packets")
+Link: https://patch.msgid.link/20240827093011.18621-1-nbd@nbd.name
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7603/dma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7603/dma.c b/drivers/net/wireless/mediatek/mt76/mt7603/dma.c
+index ea017f22fff22..863e5770df51d 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7603/dma.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7603/dma.c
+@@ -29,7 +29,7 @@ mt7603_rx_loopback_skb(struct mt7603_dev *dev, struct sk_buff *skb)
+ struct ieee80211_sta *sta;
+ struct mt7603_sta *msta;
+ struct mt76_wcid *wcid;
+- u8 tid = 0, hwq = 0;
++ u8 qid, tid = 0, hwq = 0;
+ void *priv;
+ int idx;
+ u32 val;
+@@ -57,7 +57,7 @@ mt7603_rx_loopback_skb(struct mt7603_dev *dev, struct sk_buff *skb)
+ if (ieee80211_is_data_qos(hdr->frame_control)) {
+ tid = *ieee80211_get_qos_ctl(hdr) &
+ IEEE80211_QOS_CTL_TAG1D_MASK;
+- u8 qid = tid_to_ac[tid];
++ qid = tid_to_ac[tid];
+ hwq = wmm_queue_map[qid];
+ skb_set_queue_mapping(skb, qid);
+ } else if (ieee80211_is_data(hdr->frame_control)) {
+--
+2.43.0
+
--- /dev/null
+From f7768d5fa0a22d46a0bba4b7067c86a0b71e66e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Jul 2024 15:00:10 +0200
+Subject: wifi: mt76: mt7915: fix oops on non-dbdc mt7986
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bjørn Mork <bjorn@mork.no>
+
+[ Upstream commit 862bf7cbd772c2bad570ef0c5b5556a1330656dd ]
+
+mt7915_band_config() sets band_idx = 1 on the main phy for mt7986
+with MT7975_ONE_ADIE or MT7976_ONE_ADIE.
+
+Commit 0335c034e726 ("wifi: mt76: fix race condition related to
+checking tx queue fill status") introduced a dereference of the
+phys array indirectly indexed by band_idx via wcid->phy_idx in
+mt76_wcid_cleanup(). This caused the following Oops on affected
+mt7986 devices:
+
+ Unable to handle kernel read from unreadable memory at virtual address 0000000000000024
+ Mem abort info:
+ ESR = 0x0000000096000005
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x05: level 1 translation fault
+ Data abort info:
+ ISV = 0, ISS = 0x00000005
+ CM = 0, WnR = 0
+ user pgtable: 4k pages, 39-bit VAs, pgdp=0000000042545000
+ [0000000000000024] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
+ Internal error: Oops: 0000000096000005 [#1] SMP
+ Modules linked in: ... mt7915e mt76_connac_lib mt76 mac80211 cfg80211 ...
+ CPU: 2 PID: 1631 Comm: hostapd Not tainted 5.15.150 #0
+ Hardware name: ZyXEL EX5700 (Telenor) (DT)
+ pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : mt76_wcid_cleanup+0x84/0x22c [mt76]
+ lr : mt76_wcid_cleanup+0x64/0x22c [mt76]
+ sp : ffffffc00a803700
+ x29: ffffffc00a803700 x28: ffffff80008f7300 x27: ffffff80003f3c00
+ x26: ffffff80000a7880 x25: ffffffc008c26e00 x24: 0000000000000001
+ x23: ffffffc000a68114 x22: 0000000000000000 x21: ffffff8004172cc8
+ x20: ffffffc00a803748 x19: ffffff8004152020 x18: 0000000000000000
+ x17: 00000000000017c0 x16: ffffffc008ef5000 x15: 0000000000000be0
+ x14: ffffff8004172e28 x13: ffffff8004172e28 x12: 0000000000000000
+ x11: 0000000000000000 x10: ffffff8004172e30 x9 : ffffff8004172e28
+ x8 : 0000000000000000 x7 : ffffff8004156020 x6 : 0000000000000000
+ x5 : 0000000000000031 x4 : 0000000000000000 x3 : 0000000000000001
+ x2 : 0000000000000000 x1 : ffffff80008f7300 x0 : 0000000000000024
+ Call trace:
+ mt76_wcid_cleanup+0x84/0x22c [mt76]
+ __mt76_sta_remove+0x70/0xbc [mt76]
+ mt76_sta_state+0x8c/0x1a4 [mt76]
+ mt7915_eeprom_get_power_delta+0x11e4/0x23a0 [mt7915e]
+ drv_sta_state+0x144/0x274 [mac80211]
+ sta_info_move_state+0x1cc/0x2a4 [mac80211]
+ sta_set_sinfo+0xaf8/0xc24 [mac80211]
+ sta_info_destroy_addr_bss+0x4c/0x6c [mac80211]
+
+ ieee80211_color_change_finish+0x1c08/0x1e70 [mac80211]
+ cfg80211_check_station_change+0x1360/0x4710 [cfg80211]
+ genl_family_rcv_msg_doit+0xb4/0x110
+ genl_rcv_msg+0xd0/0x1bc
+ netlink_rcv_skb+0x58/0x120
+ genl_rcv+0x34/0x50
+ netlink_unicast+0x1f0/0x2ec
+ netlink_sendmsg+0x198/0x3d0
+ ____sys_sendmsg+0x1b0/0x210
+ ___sys_sendmsg+0x80/0xf0
+ __sys_sendmsg+0x44/0xa0
+ __arm64_sys_sendmsg+0x20/0x30
+ invoke_syscall.constprop.0+0x4c/0xe0
+ do_el0_svc+0x40/0xd0
+ el0_svc+0x14/0x4c
+ el0t_64_sync_handler+0x100/0x110
+ el0t_64_sync+0x15c/0x160
+ Code: d2800002 910092c0 52800023 f9800011 (885f7c01)
+ ---[ end trace 7e42dd9a39ed2281 ]---
+
+Fix by using mt76_dev_phy() which will map band_idx to the correct phy
+for all hardware combinations.
+
+Fixes: 0335c034e726 ("wifi: mt76: fix race condition related to checking tx queue fill status")
+Link: https://github.com/openwrt/openwrt/issues/14548
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Link: https://patch.msgid.link/20240713130010.516037-1-bjorn@mork.no
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mac80211.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c
+index bb291fe314fb4..d96ee759828ed 100644
+--- a/drivers/net/wireless/mediatek/mt76/mac80211.c
++++ b/drivers/net/wireless/mediatek/mt76/mac80211.c
+@@ -1529,7 +1529,7 @@ EXPORT_SYMBOL_GPL(mt76_wcid_init);
+
+ void mt76_wcid_cleanup(struct mt76_dev *dev, struct mt76_wcid *wcid)
+ {
+- struct mt76_phy *phy = dev->phys[wcid->phy_idx];
++ struct mt76_phy *phy = mt76_dev_phy(dev, wcid->phy_idx);
+ struct ieee80211_hw *hw;
+ struct sk_buff_head list;
+ struct sk_buff *skb;
+--
+2.43.0
+
--- /dev/null
+From cabde716718edcbefe9cc54e5f7c51c0835b2937 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 11:30:08 +0200
+Subject: wifi: mt76: mt7915: fix rx filter setting for bfee functionality
+
+From: Howard Hsu <howard-yh.hsu@mediatek.com>
+
+[ Upstream commit 6ac80fce713e875a316a58975b830720a3e27721 ]
+
+Fix rx filter setting to prevent dropping NDPA frames. Without this
+change, bfee functionality may behave abnormally.
+
+Fixes: e57b7901469f ("mt76: add mac80211 driver for MT7915 PCIe-based chipsets")
+Signed-off-by: Howard Hsu <howard-yh.hsu@mediatek.com>
+Link: https://patch.msgid.link/20240827093011.18621-21-nbd@nbd.name
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7915/main.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/main.c b/drivers/net/wireless/mediatek/mt76/mt7915/main.c
+index 049223df9beb1..efbb8b23e4719 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/main.c
+@@ -564,8 +564,7 @@ static void mt7915_configure_filter(struct ieee80211_hw *hw,
+
+ MT76_FILTER(CONTROL, MT_WF_RFCR_DROP_CTS |
+ MT_WF_RFCR_DROP_RTS |
+- MT_WF_RFCR_DROP_CTL_RSV |
+- MT_WF_RFCR_DROP_NDPA);
++ MT_WF_RFCR_DROP_CTL_RSV);
+
+ *total_flags = flags;
+ rxfilter = phy->rxfilter;
+--
+2.43.0
+
--- /dev/null
+From 7299f8ea1d228ee61e32bfa4d97a73849e4dce2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2024 09:34:08 +0800
+Subject: wifi: mt76: mt7921: fix wrong UNII-4 freq range check for the channel
+ usage
+
+From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+
+[ Upstream commit 723762a7a7e6fdb3cc6953f127a3fe9c5162beb7 ]
+
+The check should start from 5845 to 5925, which includes
+channels 169, 173, and 177.
+
+Fixes: 09382d8f8641 ("wifi: mt76: mt7921: update the channel usage when the regd domain changed")
+Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Link: https://patch.msgid.link/20240806013408.17874-1-mingyen.hsieh@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/init.c b/drivers/net/wireless/mediatek/mt76/mt7921/init.c
+index ef0c721d26e33..57672c69150e4 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/init.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/init.c
+@@ -83,7 +83,7 @@ mt7921_regd_channel_update(struct wiphy *wiphy, struct mt792x_dev *dev)
+ }
+
+ /* UNII-4 */
+- if (IS_UNII_INVALID(0, 5850, 5925))
++ if (IS_UNII_INVALID(0, 5845, 5925))
+ ch->flags |= IEEE80211_CHAN_DISABLED;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 6018eaf5e931d54db1ebfff3149bbe81bfcd7958 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 17:46:31 +0800
+Subject: wifi: mt76: mt7996: fix EHT beamforming capability check
+
+From: Howard Hsu <howard-yh.hsu@mediatek.com>
+
+[ Upstream commit 9ca65757f0a5b393a7737d37f377d5daf91716af ]
+
+If a VIF acts as a beamformer, it should check peer's beamformee
+capability, and vice versa.
+
+Fixes: ba01944adee9 ("wifi: mt76: mt7996: add EHT beamforming support")
+Signed-off-by: Howard Hsu <howard-yh.hsu@mediatek.com>
+Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
+Link: https://patch.msgid.link/20240816094635.2391-7-shayne.chen@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+index e68724e54013c..daef014954d02 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+@@ -1429,10 +1429,10 @@ mt7996_is_ebf_supported(struct mt7996_phy *phy, struct ieee80211_vif *vif,
+
+ if (bfee)
+ return vif->bss_conf.eht_su_beamformee &&
+- EHT_PHY(CAP0_SU_BEAMFORMEE, pe->phy_cap_info[0]);
++ EHT_PHY(CAP0_SU_BEAMFORMER, pe->phy_cap_info[0]);
+ else
+ return vif->bss_conf.eht_su_beamformer &&
+- EHT_PHY(CAP0_SU_BEAMFORMER, pe->phy_cap_info[0]);
++ EHT_PHY(CAP0_SU_BEAMFORMEE, pe->phy_cap_info[0]);
+ }
+
+ if (sta->deflink.he_cap.has_he) {
+--
+2.43.0
+
--- /dev/null
+From 25979f0b1d19fb9c31367a0f867ef9d4f47272de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 17:46:33 +0800
+Subject: wifi: mt76: mt7996: fix handling mbss enable/disable
+
+From: Rex Lu <rex.lu@mediatek.com>
+
+[ Upstream commit ded1a6d9e13a32d4e8bef0c63accf49b9415ff5f ]
+
+When mbss was previously enabled, the TLV needs to be included when
+disabling it again, in order to clear the firmware state.
+
+Fixes: a7908d5b61e5 ("wifi: mt76: mt7996: fix non-main BSS no beacon issue for MBSS scenario")
+Signed-off-by: Rex Lu <rex.lu@mediatek.com>
+Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
+Link: https://patch.msgid.link/20240816094635.2391-9-shayne.chen@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+index daef014954d02..c4c60c60155d3 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+@@ -822,7 +822,7 @@ mt7996_mcu_bss_mbssid_tlv(struct sk_buff *skb, struct ieee80211_vif *vif,
+ struct bss_info_uni_mbssid *mbssid;
+ struct tlv *tlv;
+
+- if (!vif->bss_conf.bssid_indicator)
++ if (!vif->bss_conf.bssid_indicator && enable)
+ return;
+
+ tlv = mt7996_mcu_add_uni_tlv(skb, UNI_BSS_INFO_11V_MBSSID, sizeof(*mbssid));
+--
+2.43.0
+
--- /dev/null
+From 436665ec5334f7a33d55efcc88cfbd172bb17b4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 17:46:29 +0800
+Subject: wifi: mt76: mt7996: fix HE and EHT beamforming capabilities
+
+From: Howard Hsu <howard-yh.hsu@mediatek.com>
+
+[ Upstream commit e1f4847fdbdf5d44ae60e035c131920e5ab88598 ]
+
+Fix HE and EHT beamforming capabilities for different bands and
+interface types.
+
+Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
+Fixes: 348533eb968d ("wifi: mt76: mt7996: add EHT capability init")
+Signed-off-by: Howard Hsu <howard-yh.hsu@mediatek.com>
+Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
+Link: https://patch.msgid.link/20240816094635.2391-5-shayne.chen@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/mediatek/mt76/mt7996/init.c | 65 ++++++++++++-------
+ 1 file changed, 43 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/init.c b/drivers/net/wireless/mediatek/mt76/mt7996/init.c
+index 283df84f1b433..a98dcb40490bf 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/init.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/init.c
+@@ -1011,8 +1011,6 @@ mt7996_set_stream_he_txbf_caps(struct mt7996_phy *phy,
+ return;
+
+ elem->phy_cap_info[3] |= IEEE80211_HE_PHY_CAP3_SU_BEAMFORMER;
+- if (vif == NL80211_IFTYPE_AP)
+- elem->phy_cap_info[4] |= IEEE80211_HE_PHY_CAP4_MU_BEAMFORMER;
+
+ c = FIELD_PREP(IEEE80211_HE_PHY_CAP5_BEAMFORMEE_NUM_SND_DIM_UNDER_80MHZ_MASK,
+ sts - 1) |
+@@ -1020,6 +1018,11 @@ mt7996_set_stream_he_txbf_caps(struct mt7996_phy *phy,
+ sts - 1);
+ elem->phy_cap_info[5] |= c;
+
++ if (vif != NL80211_IFTYPE_AP)
++ return;
++
++ elem->phy_cap_info[4] |= IEEE80211_HE_PHY_CAP4_MU_BEAMFORMER;
++
+ c = IEEE80211_HE_PHY_CAP6_TRIG_SU_BEAMFORMING_FB |
+ IEEE80211_HE_PHY_CAP6_TRIG_MU_BEAMFORMING_PARTIAL_BW_FB;
+ elem->phy_cap_info[6] |= c;
+@@ -1179,7 +1182,6 @@ mt7996_init_eht_caps(struct mt7996_phy *phy, enum nl80211_band band,
+ IEEE80211_EHT_MAC_CAP0_OM_CONTROL;
+
+ eht_cap_elem->phy_cap_info[0] =
+- IEEE80211_EHT_PHY_CAP0_320MHZ_IN_6GHZ |
+ IEEE80211_EHT_PHY_CAP0_NDP_4_EHT_LFT_32_GI |
+ IEEE80211_EHT_PHY_CAP0_SU_BEAMFORMER |
+ IEEE80211_EHT_PHY_CAP0_SU_BEAMFORMEE;
+@@ -1193,30 +1195,36 @@ mt7996_init_eht_caps(struct mt7996_phy *phy, enum nl80211_band band,
+ u8_encode_bits(u8_get_bits(val, GENMASK(2, 1)),
+ IEEE80211_EHT_PHY_CAP1_BEAMFORMEE_SS_80MHZ_MASK) |
+ u8_encode_bits(val,
+- IEEE80211_EHT_PHY_CAP1_BEAMFORMEE_SS_160MHZ_MASK) |
+- u8_encode_bits(val,
+- IEEE80211_EHT_PHY_CAP1_BEAMFORMEE_SS_320MHZ_MASK);
++ IEEE80211_EHT_PHY_CAP1_BEAMFORMEE_SS_160MHZ_MASK);
+
+ eht_cap_elem->phy_cap_info[2] =
+ u8_encode_bits(sts - 1, IEEE80211_EHT_PHY_CAP2_SOUNDING_DIM_80MHZ_MASK) |
+- u8_encode_bits(sts - 1, IEEE80211_EHT_PHY_CAP2_SOUNDING_DIM_160MHZ_MASK) |
+- u8_encode_bits(sts - 1, IEEE80211_EHT_PHY_CAP2_SOUNDING_DIM_320MHZ_MASK);
++ u8_encode_bits(sts - 1, IEEE80211_EHT_PHY_CAP2_SOUNDING_DIM_160MHZ_MASK);
++
++ if (band == NL80211_BAND_6GHZ) {
++ eht_cap_elem->phy_cap_info[0] |=
++ IEEE80211_EHT_PHY_CAP0_320MHZ_IN_6GHZ;
++
++ eht_cap_elem->phy_cap_info[1] |=
++ u8_encode_bits(val,
++ IEEE80211_EHT_PHY_CAP1_BEAMFORMEE_SS_320MHZ_MASK);
++
++ eht_cap_elem->phy_cap_info[2] |=
++ u8_encode_bits(sts - 1,
++ IEEE80211_EHT_PHY_CAP2_SOUNDING_DIM_320MHZ_MASK);
++ }
+
+ eht_cap_elem->phy_cap_info[3] =
+ IEEE80211_EHT_PHY_CAP3_NG_16_SU_FEEDBACK |
+ IEEE80211_EHT_PHY_CAP3_NG_16_MU_FEEDBACK |
+ IEEE80211_EHT_PHY_CAP3_CODEBOOK_4_2_SU_FDBK |
+- IEEE80211_EHT_PHY_CAP3_CODEBOOK_7_5_MU_FDBK |
+- IEEE80211_EHT_PHY_CAP3_TRIG_SU_BF_FDBK |
+- IEEE80211_EHT_PHY_CAP3_TRIG_MU_BF_PART_BW_FDBK |
+- IEEE80211_EHT_PHY_CAP3_TRIG_CQI_FDBK;
++ IEEE80211_EHT_PHY_CAP3_CODEBOOK_7_5_MU_FDBK;
+
+ eht_cap_elem->phy_cap_info[4] =
+ u8_encode_bits(min_t(int, sts - 1, 2),
+ IEEE80211_EHT_PHY_CAP4_MAX_NC_MASK);
+
+ eht_cap_elem->phy_cap_info[5] =
+- IEEE80211_EHT_PHY_CAP5_NON_TRIG_CQI_FEEDBACK |
+ u8_encode_bits(IEEE80211_EHT_PHY_CAP5_COMMON_NOMINAL_PKT_PAD_16US,
+ IEEE80211_EHT_PHY_CAP5_COMMON_NOMINAL_PKT_PAD_MASK) |
+ u8_encode_bits(u8_get_bits(0x11, GENMASK(1, 0)),
+@@ -1230,14 +1238,6 @@ mt7996_init_eht_caps(struct mt7996_phy *phy, enum nl80211_band band,
+ IEEE80211_EHT_PHY_CAP6_MAX_NUM_SUPP_EHT_LTF_MASK) |
+ u8_encode_bits(val, IEEE80211_EHT_PHY_CAP6_MCS15_SUPP_MASK);
+
+- eht_cap_elem->phy_cap_info[7] =
+- IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_80MHZ |
+- IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_160MHZ |
+- IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_320MHZ |
+- IEEE80211_EHT_PHY_CAP7_MU_BEAMFORMER_80MHZ |
+- IEEE80211_EHT_PHY_CAP7_MU_BEAMFORMER_160MHZ |
+- IEEE80211_EHT_PHY_CAP7_MU_BEAMFORMER_320MHZ;
+-
+ val = u8_encode_bits(nss, IEEE80211_EHT_MCS_NSS_RX) |
+ u8_encode_bits(nss, IEEE80211_EHT_MCS_NSS_TX);
+ #define SET_EHT_MAX_NSS(_bw, _val) do { \
+@@ -1248,8 +1248,29 @@ mt7996_init_eht_caps(struct mt7996_phy *phy, enum nl80211_band band,
+
+ SET_EHT_MAX_NSS(80, val);
+ SET_EHT_MAX_NSS(160, val);
+- SET_EHT_MAX_NSS(320, val);
++ if (band == NL80211_BAND_6GHZ)
++ SET_EHT_MAX_NSS(320, val);
+ #undef SET_EHT_MAX_NSS
++
++ if (iftype != NL80211_IFTYPE_AP)
++ return;
++
++ eht_cap_elem->phy_cap_info[3] |=
++ IEEE80211_EHT_PHY_CAP3_TRIG_SU_BF_FDBK |
++ IEEE80211_EHT_PHY_CAP3_TRIG_MU_BF_PART_BW_FDBK;
++
++ eht_cap_elem->phy_cap_info[7] =
++ IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_80MHZ |
++ IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_160MHZ |
++ IEEE80211_EHT_PHY_CAP7_MU_BEAMFORMER_80MHZ |
++ IEEE80211_EHT_PHY_CAP7_MU_BEAMFORMER_160MHZ;
++
++ if (band != NL80211_BAND_6GHZ)
++ return;
++
++ eht_cap_elem->phy_cap_info[7] |=
++ IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_320MHZ |
++ IEEE80211_EHT_PHY_CAP7_MU_BEAMFORMER_320MHZ;
+ }
+
+ static void
+--
+2.43.0
+
--- /dev/null
+From cb28641082a1e1954f607ddc9de1a58e9dfa3984 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 17:46:26 +0800
+Subject: wifi: mt76: mt7996: fix traffic delay when switching back to working
+ channel
+
+From: Peter Chiu <chui-hao.chiu@mediatek.com>
+
+[ Upstream commit 376200f095d0c3a7096199b336204698d7086279 ]
+
+During scanning, UNI_CHANNEL_RX_PATH tag is necessary for the firmware to
+properly stop and resume MAC TX queue. Without this tag, HW needs more time
+to resume traffic when switching back to working channel.
+
+Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
+Signed-off-by: Peter Chiu <chui-hao.chiu@mediatek.com>
+Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
+Link: https://patch.msgid.link/20240816094635.2391-2-shayne.chen@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7996/main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+index bce0820382194..f3f78e11a65f2 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+@@ -307,6 +307,10 @@ int mt7996_set_channel(struct mt7996_phy *phy)
+ if (ret)
+ goto out;
+
++ ret = mt7996_mcu_set_chan_info(phy, UNI_CHANNEL_RX_PATH);
++ if (ret)
++ goto out;
++
+ ret = mt7996_dfs_init_radar_detector(phy);
+ mt7996_mac_cca_stats_reset(phy);
+
+--
+2.43.0
+
--- /dev/null
+From a57b07b6e5c8f96fc2b99df92e80707e9b2e6d85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 11:30:10 +0200
+Subject: wifi: mt76: mt7996: fix uninitialized TLV data
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 9e461f4a2329109571f4b10f9bcad28d07e6ebb3 ]
+
+Use skb_put_zero instead of skb_put
+
+Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
+Link: https://patch.msgid.link/20240827093011.18621-23-nbd@nbd.name
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+index c4c60c60155d3..0484caf3ed833 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+@@ -735,7 +735,7 @@ void mt7996_mcu_rx_event(struct mt7996_dev *dev, struct sk_buff *skb)
+ static struct tlv *
+ mt7996_mcu_add_uni_tlv(struct sk_buff *skb, u16 tag, u16 len)
+ {
+- struct tlv *ptlv = skb_put(skb, len);
++ struct tlv *ptlv = skb_put_zero(skb, len);
+
+ ptlv->tag = cpu_to_le16(tag);
+ ptlv->len = cpu_to_le16(len);
+--
+2.43.0
+
--- /dev/null
+From 558d2b4b327b00513611f0c62379608b7f0f3b63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 17:46:27 +0800
+Subject: wifi: mt76: mt7996: fix wmm set of station interface to 3
+
+From: Peter Chiu <chui-hao.chiu@mediatek.com>
+
+[ Upstream commit 9265397caacf5c0c2d10c40b2958a474664ebd9e ]
+
+According to connac3 HW design, the WMM index of AP and STA interface
+should be 0 and 3, respectively.
+
+Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
+Signed-off-by: Peter Chiu <chui-hao.chiu@mediatek.com>
+Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
+Link: https://patch.msgid.link/20240816094635.2391-3-shayne.chen@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7996/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+index f3f78e11a65f2..1ab2fb2922662 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+@@ -206,7 +206,7 @@ static int mt7996_add_interface(struct ieee80211_hw *hw,
+ mvif->mt76.omac_idx = idx;
+ mvif->phy = phy;
+ mvif->mt76.band_idx = band_idx;
+- mvif->mt76.wmm_idx = vif->type != NL80211_IFTYPE_AP;
++ mvif->mt76.wmm_idx = vif->type == NL80211_IFTYPE_AP ? 0 : 3;
+
+ ret = mt7996_mcu_add_dev_info(phy, vif, true);
+ if (ret)
+--
+2.43.0
+
--- /dev/null
+From 3202a42fac9b1cdb2ba07982b68452e4e01e6320 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 17:46:25 +0800
+Subject: wifi: mt76: mt7996: use hweight16 to get correct tx antenna
+
+From: Peter Chiu <chui-hao.chiu@mediatek.com>
+
+[ Upstream commit f98c3de92bb05dac4a4969df8a4595ed380b4604 ]
+
+The chainmask is u16 so using hweight8 cannot get correct tx_ant.
+Without this patch, the tx_ant of band 2 would be -1 and lead to the
+following issue:
+BUG: KASAN: stack-out-of-bounds in mt7996_mcu_add_sta+0x12e0/0x16e0 [mt7996e]
+
+Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
+Signed-off-by: Peter Chiu <chui-hao.chiu@mediatek.com>
+Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
+Link: https://patch.msgid.link/20240816094635.2391-1-shayne.chen@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+index 2e4fa9f48dfbe..e68724e54013c 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+@@ -1653,7 +1653,7 @@ mt7996_mcu_sta_bfer_tlv(struct mt7996_dev *dev, struct sk_buff *skb,
+ {
+ struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
+ struct mt7996_phy *phy = mvif->phy;
+- int tx_ant = hweight8(phy->mt76->chainmask) - 1;
++ int tx_ant = hweight16(phy->mt76->chainmask) - 1;
+ struct sta_rec_bf *bf;
+ struct tlv *tlv;
+ static const u8 matrix[4][4] = {
+--
+2.43.0
+
--- /dev/null
+From 6361d4fc8cd1cc29f520ae73d029411ec3189aec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Jul 2024 14:46:57 +0300
+Subject: wifi: rtw88: always wait for both firmware loading attempts
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 0e735a4c6137262bcefe45bb52fde7b1f5fc6c4d ]
+
+In 'rtw_wait_firmware_completion()', always wait for both (regular and
+wowlan) firmware loading attempts. Otherwise if 'rtw_usb_intf_init()'
+has failed in 'rtw_usb_probe()', 'rtw_usb_disconnect()' may issue
+'ieee80211_free_hw()' when one of 'rtw_load_firmware_cb()' (usually
+the wowlan one) is still in progress, causing UAF detected by KASAN.
+
+Fixes: c8e5695eae99 ("rtw88: load wowlan firmware if wowlan is supported")
+Reported-by: syzbot+6c6c08700f9480c41fe3@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=6c6c08700f9480c41fe3
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20240726114657.25396-1-dmantipov@yandex.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/main.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c
+index 7ab7a988b123f..33a7577557a56 100644
+--- a/drivers/net/wireless/realtek/rtw88/main.c
++++ b/drivers/net/wireless/realtek/rtw88/main.c
+@@ -1313,20 +1313,21 @@ static int rtw_wait_firmware_completion(struct rtw_dev *rtwdev)
+ {
+ const struct rtw_chip_info *chip = rtwdev->chip;
+ struct rtw_fw_state *fw;
++ int ret = 0;
+
+ fw = &rtwdev->fw;
+ wait_for_completion(&fw->completion);
+ if (!fw->firmware)
+- return -EINVAL;
++ ret = -EINVAL;
+
+ if (chip->wow_fw_name) {
+ fw = &rtwdev->wow_fw;
+ wait_for_completion(&fw->completion);
+ if (!fw->firmware)
+- return -EINVAL;
++ ret = -EINVAL;
+ }
+
+- return 0;
++ return ret;
+ }
+
+ static enum rtw_lps_deep_mode rtw_update_lps_deep_mode(struct rtw_dev *rtwdev,
+--
+2.43.0
+
--- /dev/null
+From 2f7ef26d1ba69469a64ab6f711682796c492a927 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Aug 2024 11:53:10 +0300
+Subject: wifi: rtw88: remove CPT execution branch never used
+
+From: Dmitry Kandybka <d.kandybka@gmail.com>
+
+[ Upstream commit 77c977327dfaa9ae2e154964cdb89ceb5c7b7cf1 ]
+
+In 'rtw_coex_action_bt_a2dp_pan', 'wl_cpt_test' and 'bt_cpt_test' are
+hardcoded to false, so corresponding 'table_case' and 'tdma_case'
+assignments are never met.
+Also 'rtw_coex_set_rf_para(rtwdev, chip->wl_rf_para_rx[1])' is never
+executed. Assuming that CPT was never fully implemented, remove
+lookalike leftovers. Compile tested only.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 76f631cb401f ("rtw88: coex: update the mechanism for A2DP + PAN")
+
+Signed-off-by: Dmitry Kandybka <d.kandybka@gmail.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20240809085310.10512-1-d.kandybka@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/coex.c | 38 ++++++-----------------
+ 1 file changed, 10 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/coex.c b/drivers/net/wireless/realtek/rtw88/coex.c
+index de3332eb7a227..a99776af56c27 100644
+--- a/drivers/net/wireless/realtek/rtw88/coex.c
++++ b/drivers/net/wireless/realtek/rtw88/coex.c
+@@ -2194,7 +2194,6 @@ static void rtw_coex_action_bt_a2dp_pan(struct rtw_dev *rtwdev)
+ struct rtw_coex_stat *coex_stat = &coex->stat;
+ struct rtw_efuse *efuse = &rtwdev->efuse;
+ u8 table_case, tdma_case;
+- bool wl_cpt_test = false, bt_cpt_test = false;
+
+ rtw_dbg(rtwdev, RTW_DBG_COEX, "[BTCoex], %s()\n", __func__);
+
+@@ -2202,29 +2201,16 @@ static void rtw_coex_action_bt_a2dp_pan(struct rtw_dev *rtwdev)
+ rtw_coex_set_rf_para(rtwdev, chip->wl_rf_para_rx[0]);
+ if (efuse->share_ant) {
+ /* Shared-Ant */
+- if (wl_cpt_test) {
+- if (coex_stat->wl_gl_busy) {
+- table_case = 20;
+- tdma_case = 17;
+- } else {
+- table_case = 10;
+- tdma_case = 15;
+- }
+- } else if (bt_cpt_test) {
+- table_case = 26;
+- tdma_case = 26;
+- } else {
+- if (coex_stat->wl_gl_busy &&
+- coex_stat->wl_noisy_level == 0)
+- table_case = 14;
+- else
+- table_case = 10;
++ if (coex_stat->wl_gl_busy &&
++ coex_stat->wl_noisy_level == 0)
++ table_case = 14;
++ else
++ table_case = 10;
+
+- if (coex_stat->wl_gl_busy)
+- tdma_case = 15;
+- else
+- tdma_case = 20;
+- }
++ if (coex_stat->wl_gl_busy)
++ tdma_case = 15;
++ else
++ tdma_case = 20;
+ } else {
+ /* Non-Shared-Ant */
+ table_case = 112;
+@@ -2235,11 +2221,7 @@ static void rtw_coex_action_bt_a2dp_pan(struct rtw_dev *rtwdev)
+ tdma_case = 120;
+ }
+
+- if (wl_cpt_test)
+- rtw_coex_set_rf_para(rtwdev, chip->wl_rf_para_rx[1]);
+- else
+- rtw_coex_set_rf_para(rtwdev, chip->wl_rf_para_rx[0]);
+-
++ rtw_coex_set_rf_para(rtwdev, chip->wl_rf_para_rx[0]);
+ rtw_coex_table(rtwdev, false, table_case);
+ rtw_coex_tdma(rtwdev, false, tdma_case);
+ }
+--
+2.43.0
+
--- /dev/null
+From 3979f089523887362aeecae11aaaa19c23acf323 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Aug 2024 21:40:54 +0800
+Subject: wifi: rtw89: limit the PPDU length for VHT rate to 0x40000
+
+From: Chia-Yuan Li <leo.li@realtek.com>
+
+[ Upstream commit 124410976bf807e76c45e36685ed8bf959229545 ]
+
+If the PPDU length for VHT rate exceeds 0x40000, calculating the PSDU
+length will overflow. TMAC will determine the length to be too small and
+as a result, all packets will be sent as ZLD (Zero Length Delimiter).
+
+Fixes: 5f7e92c59b8e ("wifi: rtw89: 8852b: set AMSDU limit to 5000")
+Signed-off-by: Chia-Yuan Li <leo.li@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20240815134054.44649-1-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw89/mac.c | 7 +++++++
+ drivers/net/wireless/realtek/rtw89/reg.h | 4 ++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/drivers/net/wireless/realtek/rtw89/mac.c b/drivers/net/wireless/realtek/rtw89/mac.c
+index e2399796aeb1e..facd32de37bce 100644
+--- a/drivers/net/wireless/realtek/rtw89/mac.c
++++ b/drivers/net/wireless/realtek/rtw89/mac.c
+@@ -2728,6 +2728,7 @@ bool rtw89_mac_is_qta_dbcc(struct rtw89_dev *rtwdev, enum rtw89_qta_mode mode)
+
+ static int ptcl_init_ax(struct rtw89_dev *rtwdev, u8 mac_idx)
+ {
++ enum rtw89_core_chip_id chip_id = rtwdev->chip->chip_id;
+ u32 val, reg;
+ int ret;
+
+@@ -2766,6 +2767,12 @@ static int ptcl_init_ax(struct rtw89_dev *rtwdev, u8 mac_idx)
+ B_AX_SPE_RPT_PATH_MASK, FWD_TO_WLCPU);
+ }
+
++ if (chip_id == RTL8852A || rtw89_is_rtl885xb(rtwdev)) {
++ reg = rtw89_mac_reg_by_idx(rtwdev, R_AX_AGG_LEN_VHT_0, mac_idx);
++ rtw89_write32_mask(rtwdev, reg,
++ B_AX_AMPDU_MAX_LEN_VHT_MASK, 0x3FF80);
++ }
++
+ return 0;
+ }
+
+diff --git a/drivers/net/wireless/realtek/rtw89/reg.h b/drivers/net/wireless/realtek/rtw89/reg.h
+index 7df36f3bff0b0..b1c24eedc7e08 100644
+--- a/drivers/net/wireless/realtek/rtw89/reg.h
++++ b/drivers/net/wireless/realtek/rtw89/reg.h
+@@ -2440,6 +2440,10 @@
+ #define B_AX_RTS_TXTIME_TH_MASK GENMASK(15, 8)
+ #define B_AX_RTS_LEN_TH_MASK GENMASK(7, 0)
+
++#define R_AX_AGG_LEN_VHT_0 0xC618
++#define R_AX_AGG_LEN_VHT_0_C1 0xE618
++#define B_AX_AMPDU_MAX_LEN_VHT_MASK GENMASK(19, 0)
++
+ #define S_AX_CTS2S_TH_SEC_256B 1
+ #define R_AX_SIFS_SETTING 0xC624
+ #define R_AX_SIFS_SETTING_C1 0xE624
+--
+2.43.0
+
--- /dev/null
+From bf0ad8bf884114f28893bbb1097337e86a932eab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Aug 2024 15:20:09 +0800
+Subject: wifi: rtw89: remove unused C2H event ID
+ RTW89_MAC_C2H_FUNC_READ_WOW_CAM to prevent out-of-bounds reading
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+[ Upstream commit 56310ddb50b190b3390fdc974aec455d0a516bd2 ]
+
+The handler of firmware C2H event RTW89_MAC_C2H_FUNC_READ_WOW_CAM isn't
+implemented, but driver expects number of handlers is
+NUM_OF_RTW89_MAC_C2H_FUNC_WOW causing out-of-bounds access. Fix it by
+removing ID.
+
+Addresses-Coverity-ID: 1598775 ("Out-of-bounds read")
+
+Fixes: ff53fce5c78b ("wifi: rtw89: wow: update latest PTK GTK info to mac80211 after resume")
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20240809072012.84152-4-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw89/mac.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw89/mac.h b/drivers/net/wireless/realtek/rtw89/mac.h
+index d5895516b3ed5..4c619cec602fc 100644
+--- a/drivers/net/wireless/realtek/rtw89/mac.h
++++ b/drivers/net/wireless/realtek/rtw89/mac.h
+@@ -421,7 +421,6 @@ enum rtw89_mac_c2h_mrc_func {
+
+ enum rtw89_mac_c2h_wow_func {
+ RTW89_MAC_C2H_FUNC_AOAC_REPORT,
+- RTW89_MAC_C2H_FUNC_READ_WOW_CAM,
+
+ NUM_OF_RTW89_MAC_C2H_FUNC_WOW,
+ };
+--
+2.43.0
+
--- /dev/null
+From 05861dc4c0ddf630be7746de6445403cb55c0fff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 17:04:36 +0800
+Subject: wifi: rtw89: wow: fix wait condition for AOAC report request
+
+From: Zong-Zhe Yang <kevin_yang@realtek.com>
+
+[ Upstream commit d9dd3ac77cf7cabd35732893f3aefba1daa1c2e1 ]
+
+Each condition binding to the same wait should be unique. AOAC code misused
+the wait of FW offload series and broke the above rule. It added another
+macro to generate wait condition of WoWLAN/AOAC, but the results conflict
+to the ones of FW offload series. It means that we might be completed
+wrongly in logic. We don't want things work/read like this and should
+have avoided this.
+
+Fix this by adding another wait which aims for WoWLAN functions.
+
+Fixes: ff53fce5c78b ("wifi: rtw89: wow: update latest PTK GTK info to mac80211 after resume")
+Signed-off-by: Zong-Zhe Yang <kevin_yang@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20240826090439.17242-2-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw89/core.c | 1 +
+ drivers/net/wireless/realtek/rtw89/core.h | 3 +++
+ drivers/net/wireless/realtek/rtw89/fw.c | 6 ++----
+ drivers/net/wireless/realtek/rtw89/fw.h | 7 +++++--
+ drivers/net/wireless/realtek/rtw89/mac.c | 6 ++----
+ 5 files changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c
+index 7019f7d482a88..fc172964349bd 100644
+--- a/drivers/net/wireless/realtek/rtw89/core.c
++++ b/drivers/net/wireless/realtek/rtw89/core.c
+@@ -4278,6 +4278,7 @@ int rtw89_core_init(struct rtw89_dev *rtwdev)
+
+ rtw89_init_wait(&rtwdev->mcc.wait);
+ rtw89_init_wait(&rtwdev->mac.fw_ofld_wait);
++ rtw89_init_wait(&rtwdev->wow.wait);
+
+ INIT_WORK(&rtwdev->c2h_work, rtw89_fw_c2h_work);
+ INIT_WORK(&rtwdev->ips_work, rtw89_ips_work);
+diff --git a/drivers/net/wireless/realtek/rtw89/core.h b/drivers/net/wireless/realtek/rtw89/core.h
+index 11fa003a9788c..9c282d84743b9 100644
+--- a/drivers/net/wireless/realtek/rtw89/core.h
++++ b/drivers/net/wireless/realtek/rtw89/core.h
+@@ -5293,6 +5293,9 @@ struct rtw89_wow_param {
+ u8 gtk_alg;
+ u8 ptk_keyidx;
+ u8 akm;
++
++ /* see RTW89_WOW_WAIT_COND series for wait condition */
++ struct rtw89_wait_info wait;
+ };
+
+ struct rtw89_mcc_limit {
+diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c
+index fbe08c162b93d..c322148d6daf5 100644
+--- a/drivers/net/wireless/realtek/rtw89/fw.c
++++ b/drivers/net/wireless/realtek/rtw89/fw.c
+@@ -6825,11 +6825,10 @@ int rtw89_fw_h2c_wow_gtk_ofld(struct rtw89_dev *rtwdev,
+
+ int rtw89_fw_h2c_wow_request_aoac(struct rtw89_dev *rtwdev)
+ {
+- struct rtw89_wait_info *wait = &rtwdev->mac.fw_ofld_wait;
++ struct rtw89_wait_info *wait = &rtwdev->wow.wait;
+ struct rtw89_h2c_wow_aoac *h2c;
+ u32 len = sizeof(*h2c);
+ struct sk_buff *skb;
+- unsigned int cond;
+
+ skb = rtw89_fw_h2c_alloc_skb_with_hdr(rtwdev, len);
+ if (!skb) {
+@@ -6848,8 +6847,7 @@ int rtw89_fw_h2c_wow_request_aoac(struct rtw89_dev *rtwdev)
+ H2C_FUNC_AOAC_REPORT_REQ, 1, 0,
+ len);
+
+- cond = RTW89_WOW_WAIT_COND(H2C_FUNC_AOAC_REPORT_REQ);
+- return rtw89_h2c_tx_and_wait(rtwdev, skb, wait, cond);
++ return rtw89_h2c_tx_and_wait(rtwdev, skb, wait, RTW89_WOW_WAIT_COND_AOAC);
+ }
+
+ /* Return < 0, if failures happen during waiting for the condition.
+diff --git a/drivers/net/wireless/realtek/rtw89/fw.h b/drivers/net/wireless/realtek/rtw89/fw.h
+index c3b4324c621c1..df6f2424fa911 100644
+--- a/drivers/net/wireless/realtek/rtw89/fw.h
++++ b/drivers/net/wireless/realtek/rtw89/fw.h
+@@ -3942,8 +3942,11 @@ enum rtw89_wow_h2c_func {
+ NUM_OF_RTW89_WOW_H2C_FUNC,
+ };
+
+-#define RTW89_WOW_WAIT_COND(func) \
+- (NUM_OF_RTW89_WOW_H2C_FUNC + (func))
++#define RTW89_WOW_WAIT_COND(tag, func) \
++ ((tag) * NUM_OF_RTW89_WOW_H2C_FUNC + (func))
++
++#define RTW89_WOW_WAIT_COND_AOAC \
++ RTW89_WOW_WAIT_COND(0 /* don't care */, H2C_FUNC_AOAC_REPORT_REQ)
+
+ /* CLASS 2 - PS */
+ #define H2C_CL_MAC_PS 0x2
+diff --git a/drivers/net/wireless/realtek/rtw89/mac.c b/drivers/net/wireless/realtek/rtw89/mac.c
+index facd32de37bce..9a4f23d83bf2a 100644
+--- a/drivers/net/wireless/realtek/rtw89/mac.c
++++ b/drivers/net/wireless/realtek/rtw89/mac.c
+@@ -5151,11 +5151,10 @@ rtw89_mac_c2h_wow_aoac_rpt(struct rtw89_dev *rtwdev, struct sk_buff *skb, u32 le
+ {
+ struct rtw89_wow_param *rtw_wow = &rtwdev->wow;
+ struct rtw89_wow_aoac_report *aoac_rpt = &rtw_wow->aoac_rpt;
+- struct rtw89_wait_info *wait = &rtwdev->mac.fw_ofld_wait;
++ struct rtw89_wait_info *wait = &rtw_wow->wait;
+ const struct rtw89_c2h_wow_aoac_report *c2h =
+ (const struct rtw89_c2h_wow_aoac_report *)skb->data;
+ struct rtw89_completion_data data = {};
+- unsigned int cond;
+
+ aoac_rpt->rpt_ver = c2h->rpt_ver;
+ aoac_rpt->sec_type = c2h->sec_type;
+@@ -5173,8 +5172,7 @@ rtw89_mac_c2h_wow_aoac_rpt(struct rtw89_dev *rtwdev, struct sk_buff *skb, u32 le
+ aoac_rpt->igtk_ipn = le64_to_cpu(c2h->igtk_ipn);
+ memcpy(aoac_rpt->igtk, c2h->igtk, sizeof(aoac_rpt->igtk));
+
+- cond = RTW89_WOW_WAIT_COND(H2C_FUNC_AOAC_REPORT_REQ);
+- rtw89_complete_cond(wait, cond, &data);
++ rtw89_complete_cond(wait, RTW89_WOW_WAIT_COND_AOAC, &data);
+ }
+
+ static void
+--
+2.43.0
+
--- /dev/null
+From a73c5e8900da5498d466172306daf94938a30128 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 08:17:09 +0000
+Subject: wifi: wilc1000: fix potential RCU dereference issue in
+ wilc_parse_join_bss_param
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jiawei Ye <jiawei.ye@foxmail.com>
+
+[ Upstream commit 6d7c6ae1efb1ff68bc01d79d94fdf0388f86cdd8 ]
+
+In the `wilc_parse_join_bss_param` function, the TSF field of the `ies`
+structure is accessed after the RCU read-side critical section is
+unlocked. According to RCU usage rules, this is illegal. Reusing this
+pointer can lead to unpredictable behavior, including accessing memory
+that has been updated or causing use-after-free issues.
+
+This possible bug was identified using a static analysis tool developed
+by myself, specifically designed to detect RCU-related issues.
+
+To address this, the TSF value is now stored in a local variable
+`ies_tsf` before the RCU lock is released. The `param->tsf_lo` field is
+then assigned using this local variable, ensuring that the TSF value is
+safely accessed.
+
+Fixes: 205c50306acf ("wifi: wilc1000: fix RCU usage in connect path")
+Signed-off-by: Jiawei Ye <jiawei.ye@foxmail.com>
+Reviewed-by: Alexis Lothoré <alexis.lothore@bootlin.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://patch.msgid.link/tencent_466225AA599BA49627FB26F707EE17BC5407@qq.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/microchip/wilc1000/hif.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/microchip/wilc1000/hif.c b/drivers/net/wireless/microchip/wilc1000/hif.c
+index 3c48e1a57b24c..bba53307b960d 100644
+--- a/drivers/net/wireless/microchip/wilc1000/hif.c
++++ b/drivers/net/wireless/microchip/wilc1000/hif.c
+@@ -384,6 +384,7 @@ wilc_parse_join_bss_param(struct cfg80211_bss *bss,
+ struct wilc_join_bss_param *param;
+ u8 rates_len = 0;
+ int ies_len;
++ u64 ies_tsf;
+ int ret;
+
+ param = kzalloc(sizeof(*param), GFP_KERNEL);
+@@ -399,6 +400,7 @@ wilc_parse_join_bss_param(struct cfg80211_bss *bss,
+ return NULL;
+ }
+ ies_len = ies->len;
++ ies_tsf = ies->tsf;
+ rcu_read_unlock();
+
+ param->beacon_period = cpu_to_le16(bss->beacon_interval);
+@@ -454,7 +456,7 @@ wilc_parse_join_bss_param(struct cfg80211_bss *bss,
+ IEEE80211_P2P_ATTR_ABSENCE_NOTICE,
+ (u8 *)&noa_attr, sizeof(noa_attr));
+ if (ret > 0) {
+- param->tsf_lo = cpu_to_le32(ies->tsf);
++ param->tsf_lo = cpu_to_le32(ies_tsf);
+ param->noa_enabled = 1;
+ param->idx = noa_attr.index;
+ if (noa_attr.oppps_ctwindow & IEEE80211_P2P_OPPPS_ENABLE_BIT) {
+--
+2.43.0
+
--- /dev/null
+From 2e1cfb77fb07976fe5f5cd31368c168111820ff0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Aug 2024 10:33:13 +0200
+Subject: x86/boot/64: Strip percpu address space when setting up GDT
+ descriptors
+
+From: Uros Bizjak <ubizjak@gmail.com>
+
+[ Upstream commit b51207dc02ec3aeaa849e419f79055d7334845b6 ]
+
+init_per_cpu_var() returns a pointer in the percpu address space while
+rip_rel_ptr() expects a pointer in the generic address space.
+
+When strict address space checks are enabled, GCC's named address space
+checks fail:
+
+ asm.h:124:63: error: passing argument 1 of 'rip_rel_ptr' from
+ pointer to non-enclosed address space
+
+Add a explicit cast to remove address space of the returned pointer.
+
+Fixes: 11e36b0f7c21 ("x86/boot/64: Load the final kernel GDT during early boot directly, remove startup_gdt[]")
+Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/all/20240819083334.148536-1-ubizjak@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/head64.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c
+index a817ed0724d1e..4b9d4557fc94a 100644
+--- a/arch/x86/kernel/head64.c
++++ b/arch/x86/kernel/head64.c
+@@ -559,10 +559,11 @@ void early_setup_idt(void)
+ */
+ void __head startup_64_setup_gdt_idt(void)
+ {
++ struct desc_struct *gdt = (void *)(__force unsigned long)init_per_cpu_var(gdt_page.gdt);
+ void *handler = NULL;
+
+ struct desc_ptr startup_gdt_descr = {
+- .address = (unsigned long)&RIP_REL_REF(init_per_cpu_var(gdt_page.gdt)),
++ .address = (unsigned long)&RIP_REL_REF(*gdt),
+ .size = GDT_SIZE - 1,
+ };
+
+--
+2.43.0
+
--- /dev/null
+From cc5aa61200495644dd9ff1579ca05c761eed1e75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 13:21:37 +0000
+Subject: x86/mm: Use IPIs to synchronize LAM enablement
+
+From: Yosry Ahmed <yosryahmed@google.com>
+
+[ Upstream commit 3b299b99556c1753923f8d9bbd9304bcd139282f ]
+
+LAM can only be enabled when a process is single-threaded. But _kernel_
+threads can temporarily use a single-threaded process's mm.
+
+If LAM is enabled by a userspace process while a kthread is using its
+mm, the kthread will not observe LAM enablement (i.e. LAM will be
+disabled in CR3). This could be fine for the kthread itself, as LAM only
+affects userspace addresses. However, if the kthread context switches to
+a thread in the same userspace process, CR3 may or may not be updated
+because the mm_struct doesn't change (based on pending TLB flushes). If
+CR3 is not updated, the userspace thread will run incorrectly with LAM
+disabled, which may cause page faults when using tagged addresses.
+Example scenario:
+
+CPU 1 CPU 2
+/* kthread */
+kthread_use_mm()
+ /* user thread */
+ prctl_enable_tagged_addr()
+ /* LAM enabled on CPU 2 */
+/* LAM disabled on CPU 1 */
+ context_switch() /* to CPU 1 */
+/* Switching to user thread */
+switch_mm_irqs_off()
+/* CR3 not updated */
+/* LAM is still disabled on CPU 1 */
+
+Synchronize LAM enablement by sending an IPI to all CPUs running with
+the mm_struct to enable LAM. This makes sure LAM is enabled on CPU 1
+in the above scenario before prctl_enable_tagged_addr() returns and
+userspace starts using tagged addresses, and before it's possible to
+run the userspace process on CPU 1.
+
+In switch_mm_irqs_off(), move reading the LAM mask until after
+mm_cpumask() is updated. This ensures that if an outdated LAM mask is
+written to CR3, an IPI is received to update it right after IRQs are
+re-enabled.
+
+[ dhansen: Add a LAM enabling helper and comment it ]
+
+Fixes: 82721d8b25d7 ("x86/mm: Handle LAM on context switch")
+Suggested-by: Andy Lutomirski <luto@kernel.org>
+Signed-off-by: Yosry Ahmed <yosryahmed@google.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Link: https://lore.kernel.org/all/20240702132139.3332013-2-yosryahmed%40google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/process_64.c | 29 ++++++++++++++++++++++++++---
+ arch/x86/mm/tlb.c | 7 +++----
+ 2 files changed, 29 insertions(+), 7 deletions(-)
+
+diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
+index 6d3d20e3e43a9..d8d582b750d4f 100644
+--- a/arch/x86/kernel/process_64.c
++++ b/arch/x86/kernel/process_64.c
+@@ -798,6 +798,27 @@ static long prctl_map_vdso(const struct vdso_image *image, unsigned long addr)
+
+ #define LAM_U57_BITS 6
+
++static void enable_lam_func(void *__mm)
++{
++ struct mm_struct *mm = __mm;
++
++ if (this_cpu_read(cpu_tlbstate.loaded_mm) == mm) {
++ write_cr3(__read_cr3() | mm->context.lam_cr3_mask);
++ set_tlbstate_lam_mode(mm);
++ }
++}
++
++static void mm_enable_lam(struct mm_struct *mm)
++{
++ /*
++ * Even though the process must still be single-threaded at this
++ * point, kernel threads may be using the mm. IPI those kernel
++ * threads if they exist.
++ */
++ on_each_cpu_mask(mm_cpumask(mm), enable_lam_func, mm, true);
++ set_bit(MM_CONTEXT_LOCK_LAM, &mm->context.flags);
++}
++
+ static int prctl_enable_tagged_addr(struct mm_struct *mm, unsigned long nr_bits)
+ {
+ if (!cpu_feature_enabled(X86_FEATURE_LAM))
+@@ -814,6 +835,10 @@ static int prctl_enable_tagged_addr(struct mm_struct *mm, unsigned long nr_bits)
+ if (mmap_write_lock_killable(mm))
+ return -EINTR;
+
++ /*
++ * MM_CONTEXT_LOCK_LAM is set on clone. Prevent LAM from
++ * being enabled unless the process is single threaded:
++ */
+ if (test_bit(MM_CONTEXT_LOCK_LAM, &mm->context.flags)) {
+ mmap_write_unlock(mm);
+ return -EBUSY;
+@@ -830,9 +855,7 @@ static int prctl_enable_tagged_addr(struct mm_struct *mm, unsigned long nr_bits)
+ return -EINVAL;
+ }
+
+- write_cr3(__read_cr3() | mm->context.lam_cr3_mask);
+- set_tlbstate_lam_mode(mm);
+- set_bit(MM_CONTEXT_LOCK_LAM, &mm->context.flags);
++ mm_enable_lam(mm);
+
+ mmap_write_unlock(mm);
+
+diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
+index 44ac64f3a047c..a041d2ecd8380 100644
+--- a/arch/x86/mm/tlb.c
++++ b/arch/x86/mm/tlb.c
+@@ -503,9 +503,9 @@ void switch_mm_irqs_off(struct mm_struct *unused, struct mm_struct *next,
+ {
+ struct mm_struct *prev = this_cpu_read(cpu_tlbstate.loaded_mm);
+ u16 prev_asid = this_cpu_read(cpu_tlbstate.loaded_mm_asid);
+- unsigned long new_lam = mm_lam_cr3_mask(next);
+ bool was_lazy = this_cpu_read(cpu_tlbstate_shared.is_lazy);
+ unsigned cpu = smp_processor_id();
++ unsigned long new_lam;
+ u64 next_tlb_gen;
+ bool need_flush;
+ u16 new_asid;
+@@ -619,9 +619,7 @@ void switch_mm_irqs_off(struct mm_struct *unused, struct mm_struct *next,
+ cpumask_clear_cpu(cpu, mm_cpumask(prev));
+ }
+
+- /*
+- * Start remote flushes and then read tlb_gen.
+- */
++ /* Start receiving IPIs and then read tlb_gen (and LAM below) */
+ if (next != &init_mm)
+ cpumask_set_cpu(cpu, mm_cpumask(next));
+ next_tlb_gen = atomic64_read(&next->context.tlb_gen);
+@@ -633,6 +631,7 @@ void switch_mm_irqs_off(struct mm_struct *unused, struct mm_struct *next,
+ barrier();
+ }
+
++ new_lam = mm_lam_cr3_mask(next);
+ set_tlbstate_lam_mode(next);
+ if (need_flush) {
+ this_cpu_write(cpu_tlbstate.ctxs[new_asid].ctx_id, next->context.ctx_id);
+--
+2.43.0
+
--- /dev/null
+From a06745cc646e04d2b8c31f28b20434cc6cf3c8b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2024 13:26:59 -0700
+Subject: x86/PCI: Check pcie_find_root_port() return for NULL
+
+From: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
+
+[ Upstream commit dbc3171194403d0d40e4bdeae666f6e76e428b53 ]
+
+If pcie_find_root_port() is unable to locate a Root Port, it will return
+NULL. Check the pointer for NULL before dereferencing it.
+
+This particular case is in a quirk for devices that are always below a Root
+Port, so this won't avoid a problem and doesn't need to be backported, but
+check as a matter of style and to prevent copy/paste mistakes.
+
+Link: https://lore.kernel.org/r/20240812202659.1649121-1-samasth.norway.ananda@oracle.com
+Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
+[bhelgaas: drop Fixes: and explain why there's no problem in this case]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/pci/fixup.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/pci/fixup.c b/arch/x86/pci/fixup.c
+index b33afb240601b..98a9bb92d75c8 100644
+--- a/arch/x86/pci/fixup.c
++++ b/arch/x86/pci/fixup.c
+@@ -980,7 +980,7 @@ static void amd_rp_pme_suspend(struct pci_dev *dev)
+ return;
+
+ rp = pcie_find_root_port(dev);
+- if (!rp->pm_cap)
++ if (!rp || !rp->pm_cap)
+ return;
+
+ rp->pme_support &= ~((PCI_PM_CAP_PME_D3hot|PCI_PM_CAP_PME_D3cold) >>
+@@ -994,7 +994,7 @@ static void amd_rp_pme_resume(struct pci_dev *dev)
+ u16 pmc;
+
+ rp = pcie_find_root_port(dev);
+- if (!rp->pm_cap)
++ if (!rp || !rp->pm_cap)
+ return;
+
+ pci_read_config_word(rp, rp->pm_cap + PCI_PM_PMC, &pmc);
+--
+2.43.0
+
--- /dev/null
+From b964fec73266616e06494c9ecf71082138d05b72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2024 16:08:54 +0800
+Subject: x86/sgx: Fix deadlock in SGX NUMA node search
+
+From: Aaron Lu <aaron.lu@intel.com>
+
+[ Upstream commit 9c936844010466535bd46ea4ce4656ef17653644 ]
+
+When the current node doesn't have an EPC section configured by firmware
+and all other EPC sections are used up, CPU can get stuck inside the
+while loop that looks for an available EPC page from remote nodes
+indefinitely, leading to a soft lockup. Note how nid_of_current will
+never be equal to nid in that while loop because nid_of_current is not
+set in sgx_numa_mask.
+
+Also worth mentioning is that it's perfectly fine for the firmware not
+to setup an EPC section on a node. While setting up an EPC section on
+each node can enhance performance, it is not a requirement for
+functionality.
+
+Rework the loop to start and end on *a* node that has SGX memory. This
+avoids the deadlock looking for the current SGX-lacking node to show up
+in the loop when it never will.
+
+Fixes: 901ddbb9ecf5 ("x86/sgx: Add a basic NUMA allocation scheme to sgx_alloc_epc_page()")
+Reported-by: "Molina Sabido, Gerardo" <gerardo.molina.sabido@intel.com>
+Signed-off-by: Aaron Lu <aaron.lu@intel.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: Kai Huang <kai.huang@intel.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
+Tested-by: Zhimin Luo <zhimin.luo@intel.com>
+Link: https://lore.kernel.org/all/20240905080855.1699814-2-aaron.lu%40intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/sgx/main.c | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c
+index 27892e57c4ef9..6aeeb43dd3f6a 100644
+--- a/arch/x86/kernel/cpu/sgx/main.c
++++ b/arch/x86/kernel/cpu/sgx/main.c
+@@ -475,24 +475,25 @@ struct sgx_epc_page *__sgx_alloc_epc_page(void)
+ {
+ struct sgx_epc_page *page;
+ int nid_of_current = numa_node_id();
+- int nid = nid_of_current;
++ int nid_start, nid;
+
+- if (node_isset(nid_of_current, sgx_numa_mask)) {
+- page = __sgx_alloc_epc_page_from_node(nid_of_current);
+- if (page)
+- return page;
+- }
+-
+- /* Fall back to the non-local NUMA nodes: */
+- while (true) {
+- nid = next_node_in(nid, sgx_numa_mask);
+- if (nid == nid_of_current)
+- break;
++ /*
++ * Try local node first. If it doesn't have an EPC section,
++ * fall back to the non-local NUMA nodes.
++ */
++ if (node_isset(nid_of_current, sgx_numa_mask))
++ nid_start = nid_of_current;
++ else
++ nid_start = next_node_in(nid_of_current, sgx_numa_mask);
+
++ nid = nid_start;
++ do {
+ page = __sgx_alloc_epc_page_from_node(nid);
+ if (page)
+ return page;
+- }
++
++ nid = next_node_in(nid, sgx_numa_mask);
++ } while (nid != nid_start);
+
+ return ERR_PTR(-ENOMEM);
+ }
+--
+2.43.0
+
--- /dev/null
+From 611566f563b8bf4bb8518e91c1980ac529221804 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Aug 2024 16:47:25 +0200
+Subject: xen: add capability to remap non-RAM pages to different PFNs
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit d05208cf7f05420ad10cc7f9550f91d485523659 ]
+
+When running as a Xen PV dom0 it can happen that the kernel is being
+loaded to a guest physical address conflicting with the host memory
+map.
+
+In order to be able to resolve this conflict, add the capability to
+remap non-RAM areas to different guest PFNs. A function to use this
+remapping information for other purposes than doing the remap will be
+added when needed.
+
+As the number of conflicts should be rather low (currently only
+machines with max. 1 conflict are known), save the remap data in a
+small statically allocated array.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Stable-dep-of: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/p2m.c | 63 ++++++++++++++++++++++++++++++++++++++++++
+ arch/x86/xen/xen-ops.h | 3 ++
+ 2 files changed, 66 insertions(+)
+
+diff --git a/arch/x86/xen/p2m.c b/arch/x86/xen/p2m.c
+index 7c735b730acd2..2809bded30ea3 100644
+--- a/arch/x86/xen/p2m.c
++++ b/arch/x86/xen/p2m.c
+@@ -80,6 +80,7 @@
+ #include <asm/xen/hypervisor.h>
+ #include <xen/balloon.h>
+ #include <xen/grant_table.h>
++#include <xen/hvc-console.h>
+
+ #include "xen-ops.h"
+
+@@ -792,6 +793,68 @@ int clear_foreign_p2m_mapping(struct gnttab_unmap_grant_ref *unmap_ops,
+ return ret;
+ }
+
++/* Remapped non-RAM areas */
++#define NR_NONRAM_REMAP 4
++static struct nonram_remap {
++ phys_addr_t maddr;
++ phys_addr_t paddr;
++ size_t size;
++} xen_nonram_remap[NR_NONRAM_REMAP] __ro_after_init;
++static unsigned int nr_nonram_remap __ro_after_init;
++
++/*
++ * Do the real remapping of non-RAM regions as specified in the
++ * xen_nonram_remap[] array.
++ * In case of an error just crash the system.
++ */
++void __init xen_do_remap_nonram(void)
++{
++ unsigned int i;
++ unsigned int remapped = 0;
++ const struct nonram_remap *remap = xen_nonram_remap;
++ unsigned long pfn, mfn, end_pfn;
++
++ for (i = 0; i < nr_nonram_remap; i++) {
++ end_pfn = PFN_UP(remap->paddr + remap->size);
++ pfn = PFN_DOWN(remap->paddr);
++ mfn = PFN_DOWN(remap->maddr);
++ while (pfn < end_pfn) {
++ if (!set_phys_to_machine(pfn, mfn))
++ panic("Failed to set p2m mapping for pfn=%lx mfn=%lx\n",
++ pfn, mfn);
++
++ pfn++;
++ mfn++;
++ remapped++;
++ }
++
++ remap++;
++ }
++
++ pr_info("Remapped %u non-RAM page(s)\n", remapped);
++}
++
++/*
++ * Add a new non-RAM remap entry.
++ * In case of no free entry found, just crash the system.
++ */
++void __init xen_add_remap_nonram(phys_addr_t maddr, phys_addr_t paddr,
++ unsigned long size)
++{
++ BUG_ON((maddr & ~PAGE_MASK) != (paddr & ~PAGE_MASK));
++
++ if (nr_nonram_remap == NR_NONRAM_REMAP) {
++ xen_raw_console_write("Number of required E820 entry remapping actions exceed maximum value\n");
++ BUG();
++ }
++
++ xen_nonram_remap[nr_nonram_remap].maddr = maddr;
++ xen_nonram_remap[nr_nonram_remap].paddr = paddr;
++ xen_nonram_remap[nr_nonram_remap].size = size;
++
++ nr_nonram_remap++;
++}
++
+ #ifdef CONFIG_XEN_DEBUG_FS
+ #include <linux/debugfs.h>
+ static int p2m_dump_show(struct seq_file *m, void *v)
+diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h
+index 9a27d1d653d3d..e1b782e823e6b 100644
+--- a/arch/x86/xen/xen-ops.h
++++ b/arch/x86/xen/xen-ops.h
+@@ -47,6 +47,9 @@ void xen_mm_unpin_all(void);
+ #ifdef CONFIG_X86_64
+ void __init xen_relocate_p2m(void);
+ #endif
++void __init xen_do_remap_nonram(void);
++void __init xen_add_remap_nonram(phys_addr_t maddr, phys_addr_t paddr,
++ unsigned long size);
+
+ void __init xen_chk_is_e820_usable(phys_addr_t start, phys_addr_t size,
+ const char *component);
+--
+2.43.0
+
--- /dev/null
+From d41912cb7da90a9dc94dd45616636958d4d0fb8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Aug 2024 14:11:06 +0200
+Subject: xen: introduce generic helper checking for memory map conflicts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit ba88829706e2c5b7238638fc2b0713edf596495e ]
+
+When booting as a Xen PV dom0 the memory layout of the dom0 is
+modified to match that of the host, as this requires less changes in
+the kernel for supporting Xen.
+
+There are some cases, though, which are problematic, as it is the Xen
+hypervisor selecting the kernel's load address plus some other data,
+which might conflict with the host's memory map.
+
+These conflicts are detected at boot time and result in a boot error.
+In order to support handling at least some of these conflicts in
+future, introduce a generic helper function which will later gain the
+ability to adapt the memory layout when possible.
+
+Add the missing check for the xen_start_info area.
+
+Note that possible p2m map and initrd memory conflicts are handled
+already by copying the data to memory areas not conflicting with the
+memory map. The initial stack allocated by Xen doesn't need to be
+checked, as early boot code is switching to the statically allocated
+initial kernel stack. Initial page tables and the kernel itself will
+be handled later.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Stable-dep-of: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/mmu_pv.c | 5 +----
+ arch/x86/xen/setup.c | 34 ++++++++++++++++++++++++++++------
+ arch/x86/xen/xen-ops.h | 3 ++-
+ 3 files changed, 31 insertions(+), 11 deletions(-)
+
+diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c
+index f1ce39d6d32cb..839e6613753dd 100644
+--- a/arch/x86/xen/mmu_pv.c
++++ b/arch/x86/xen/mmu_pv.c
+@@ -2018,10 +2018,7 @@ void __init xen_reserve_special_pages(void)
+
+ void __init xen_pt_check_e820(void)
+ {
+- if (xen_is_e820_reserved(xen_pt_base, xen_pt_size)) {
+- xen_raw_console_write("Xen hypervisor allocated page table memory conflicts with E820 map\n");
+- BUG();
+- }
++ xen_chk_is_e820_usable(xen_pt_base, xen_pt_size, "page table");
+ }
+
+ static unsigned char dummy_mapping[PAGE_SIZE] __page_aligned_bss;
+diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c
+index 4bcc70a71b7d4..96765180514bd 100644
+--- a/arch/x86/xen/setup.c
++++ b/arch/x86/xen/setup.c
+@@ -567,7 +567,7 @@ static void __init xen_ignore_unusable(void)
+ }
+ }
+
+-bool __init xen_is_e820_reserved(phys_addr_t start, phys_addr_t size)
++static bool __init xen_is_e820_reserved(phys_addr_t start, phys_addr_t size)
+ {
+ struct e820_entry *entry;
+ unsigned mapcnt;
+@@ -624,6 +624,23 @@ phys_addr_t __init xen_find_free_area(phys_addr_t size)
+ return 0;
+ }
+
++/*
++ * Check for an area in physical memory to be usable for non-movable purposes.
++ * An area is considered to usable if the used E820 map lists it to be RAM.
++ * In case the area is not usable, crash the system with an error message.
++ */
++void __init xen_chk_is_e820_usable(phys_addr_t start, phys_addr_t size,
++ const char *component)
++{
++ if (!xen_is_e820_reserved(start, size))
++ return;
++
++ xen_raw_console_write("Xen hypervisor allocated ");
++ xen_raw_console_write(component);
++ xen_raw_console_write(" memory conflicts with E820 map\n");
++ BUG();
++}
++
+ /*
+ * Like memcpy, but with physical addresses for dest and src.
+ */
+@@ -824,11 +841,16 @@ char * __init xen_memory_setup(void)
+ * Failing now is better than running into weird problems later due
+ * to relocating (and even reusing) pages with kernel text or data.
+ */
+- if (xen_is_e820_reserved(__pa_symbol(_text),
+- __pa_symbol(_end) - __pa_symbol(_text))) {
+- xen_raw_console_write("Xen hypervisor allocated kernel memory conflicts with E820 map\n");
+- BUG();
+- }
++ xen_chk_is_e820_usable(__pa_symbol(_text),
++ __pa_symbol(_end) - __pa_symbol(_text),
++ "kernel");
++
++ /*
++ * Check for a conflict of the xen_start_info memory with the target
++ * E820 map.
++ */
++ xen_chk_is_e820_usable(__pa(xen_start_info), sizeof(*xen_start_info),
++ "xen_start_info");
+
+ /*
+ * Check for a conflict of the hypervisor supplied page tables with
+diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h
+index 0cf16fc79e0bf..9a27d1d653d3d 100644
+--- a/arch/x86/xen/xen-ops.h
++++ b/arch/x86/xen/xen-ops.h
+@@ -48,7 +48,8 @@ void xen_mm_unpin_all(void);
+ void __init xen_relocate_p2m(void);
+ #endif
+
+-bool __init xen_is_e820_reserved(phys_addr_t start, phys_addr_t size);
++void __init xen_chk_is_e820_usable(phys_addr_t start, phys_addr_t size,
++ const char *component);
+ unsigned long __ref xen_chk_extra_mem(unsigned long pfn);
+ void __init xen_inv_extra_mem(void);
+ void __init xen_remap_memory(void);
+--
+2.43.0
+
--- /dev/null
+From d8e68bd494f621cb0fd187ce9bda05c123fa0492 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2024 10:24:41 +0200
+Subject: xen: move max_pfn in xen_memory_setup() out of function scope
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit 43dc2a0f479b9cd30f6674986d7a40517e999d31 ]
+
+Instead of having max_pfn as a local variable of xen_memory_setup(),
+make it a static variable in setup.c instead. This avoids having to
+pass it to subfunctions, which will be needed in more cases in future.
+
+Rename it to ini_nr_pages, as the value denotes the currently usable
+number of memory pages as passed from the hypervisor at boot time.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Stable-dep-of: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/setup.c | 52 ++++++++++++++++++++++----------------------
+ 1 file changed, 26 insertions(+), 26 deletions(-)
+
+diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c
+index 96765180514bd..4c18d8b1cdf10 100644
+--- a/arch/x86/xen/setup.c
++++ b/arch/x86/xen/setup.c
+@@ -46,6 +46,9 @@ bool xen_pv_pci_possible;
+ /* E820 map used during setting up memory. */
+ static struct e820_table xen_e820_table __initdata;
+
++/* Number of initially usable memory pages. */
++static unsigned long ini_nr_pages __initdata;
++
+ /*
+ * Buffer used to remap identity mapped pages. We only need the virtual space.
+ * The physical page behind this address is remapped as needed to different
+@@ -212,7 +215,7 @@ static int __init xen_free_mfn(unsigned long mfn)
+ * as a fallback if the remapping fails.
+ */
+ static void __init xen_set_identity_and_release_chunk(unsigned long start_pfn,
+- unsigned long end_pfn, unsigned long nr_pages)
++ unsigned long end_pfn)
+ {
+ unsigned long pfn, end;
+ int ret;
+@@ -220,7 +223,7 @@ static void __init xen_set_identity_and_release_chunk(unsigned long start_pfn,
+ WARN_ON(start_pfn > end_pfn);
+
+ /* Release pages first. */
+- end = min(end_pfn, nr_pages);
++ end = min(end_pfn, ini_nr_pages);
+ for (pfn = start_pfn; pfn < end; pfn++) {
+ unsigned long mfn = pfn_to_mfn(pfn);
+
+@@ -341,15 +344,14 @@ static void __init xen_do_set_identity_and_remap_chunk(
+ * to Xen and not remapped.
+ */
+ static unsigned long __init xen_set_identity_and_remap_chunk(
+- unsigned long start_pfn, unsigned long end_pfn, unsigned long nr_pages,
+- unsigned long remap_pfn)
++ unsigned long start_pfn, unsigned long end_pfn, unsigned long remap_pfn)
+ {
+ unsigned long pfn;
+ unsigned long i = 0;
+ unsigned long n = end_pfn - start_pfn;
+
+ if (remap_pfn == 0)
+- remap_pfn = nr_pages;
++ remap_pfn = ini_nr_pages;
+
+ while (i < n) {
+ unsigned long cur_pfn = start_pfn + i;
+@@ -358,19 +360,19 @@ static unsigned long __init xen_set_identity_and_remap_chunk(
+ unsigned long remap_range_size;
+
+ /* Do not remap pages beyond the current allocation */
+- if (cur_pfn >= nr_pages) {
++ if (cur_pfn >= ini_nr_pages) {
+ /* Identity map remaining pages */
+ set_phys_range_identity(cur_pfn, cur_pfn + size);
+ break;
+ }
+- if (cur_pfn + size > nr_pages)
+- size = nr_pages - cur_pfn;
++ if (cur_pfn + size > ini_nr_pages)
++ size = ini_nr_pages - cur_pfn;
+
+ remap_range_size = xen_find_pfn_range(&remap_pfn);
+ if (!remap_range_size) {
+ pr_warn("Unable to find available pfn range, not remapping identity pages\n");
+ xen_set_identity_and_release_chunk(cur_pfn,
+- cur_pfn + left, nr_pages);
++ cur_pfn + left);
+ break;
+ }
+ /* Adjust size to fit in current e820 RAM region */
+@@ -397,18 +399,18 @@ static unsigned long __init xen_set_identity_and_remap_chunk(
+ }
+
+ static unsigned long __init xen_count_remap_pages(
+- unsigned long start_pfn, unsigned long end_pfn, unsigned long nr_pages,
++ unsigned long start_pfn, unsigned long end_pfn,
+ unsigned long remap_pages)
+ {
+- if (start_pfn >= nr_pages)
++ if (start_pfn >= ini_nr_pages)
+ return remap_pages;
+
+- return remap_pages + min(end_pfn, nr_pages) - start_pfn;
++ return remap_pages + min(end_pfn, ini_nr_pages) - start_pfn;
+ }
+
+-static unsigned long __init xen_foreach_remap_area(unsigned long nr_pages,
++static unsigned long __init xen_foreach_remap_area(
+ unsigned long (*func)(unsigned long start_pfn, unsigned long end_pfn,
+- unsigned long nr_pages, unsigned long last_val))
++ unsigned long last_val))
+ {
+ phys_addr_t start = 0;
+ unsigned long ret_val = 0;
+@@ -436,8 +438,7 @@ static unsigned long __init xen_foreach_remap_area(unsigned long nr_pages,
+ end_pfn = PFN_UP(entry->addr);
+
+ if (start_pfn < end_pfn)
+- ret_val = func(start_pfn, end_pfn, nr_pages,
+- ret_val);
++ ret_val = func(start_pfn, end_pfn, ret_val);
+ start = end;
+ }
+ }
+@@ -700,7 +701,7 @@ static void __init xen_reserve_xen_mfnlist(void)
+ **/
+ char * __init xen_memory_setup(void)
+ {
+- unsigned long max_pfn, pfn_s, n_pfns;
++ unsigned long pfn_s, n_pfns;
+ phys_addr_t mem_end, addr, size, chunk_size;
+ u32 type;
+ int rc;
+@@ -712,9 +713,8 @@ char * __init xen_memory_setup(void)
+ int op;
+
+ xen_parse_512gb();
+- max_pfn = xen_get_pages_limit();
+- max_pfn = min(max_pfn, xen_start_info->nr_pages);
+- mem_end = PFN_PHYS(max_pfn);
++ ini_nr_pages = min(xen_get_pages_limit(), xen_start_info->nr_pages);
++ mem_end = PFN_PHYS(ini_nr_pages);
+
+ memmap.nr_entries = ARRAY_SIZE(xen_e820_table.entries);
+ set_xen_guest_handle(memmap.buffer, xen_e820_table.entries);
+@@ -767,10 +767,10 @@ char * __init xen_memory_setup(void)
+ max_pages = xen_get_max_pages();
+
+ /* How many extra pages do we need due to remapping? */
+- max_pages += xen_foreach_remap_area(max_pfn, xen_count_remap_pages);
++ max_pages += xen_foreach_remap_area(xen_count_remap_pages);
+
+- if (max_pages > max_pfn)
+- extra_pages += max_pages - max_pfn;
++ if (max_pages > ini_nr_pages)
++ extra_pages += max_pages - ini_nr_pages;
+
+ /*
+ * Clamp the amount of extra memory to a EXTRA_MEM_RATIO
+@@ -779,8 +779,8 @@ char * __init xen_memory_setup(void)
+ * Make sure we have no memory above max_pages, as this area
+ * isn't handled by the p2m management.
+ */
+- maxmem_pages = EXTRA_MEM_RATIO * min(max_pfn, PFN_DOWN(MAXMEM));
+- extra_pages = min3(maxmem_pages, extra_pages, max_pages - max_pfn);
++ maxmem_pages = EXTRA_MEM_RATIO * min(ini_nr_pages, PFN_DOWN(MAXMEM));
++ extra_pages = min3(maxmem_pages, extra_pages, max_pages - ini_nr_pages);
+ i = 0;
+ addr = xen_e820_table.entries[0].addr;
+ size = xen_e820_table.entries[0].size;
+@@ -885,7 +885,7 @@ char * __init xen_memory_setup(void)
+ * Set identity map on non-RAM pages and prepare remapping the
+ * underlying RAM.
+ */
+- xen_foreach_remap_area(max_pfn, xen_set_identity_and_remap_chunk);
++ xen_foreach_remap_area(xen_set_identity_and_remap_chunk);
+
+ pr_info("Released %ld page(s)\n", xen_released_pages);
+
+--
+2.43.0
+
--- /dev/null
+From 13d718121636b5d250ef87b4429c90c8746839b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 12:05:02 +0200
+Subject: xen/swiotlb: add alignment check for dma buffers
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit 9f40ec84a7976d95c34e7cc070939deb103652b0 ]
+
+When checking a memory buffer to be consecutive in machine memory,
+the alignment needs to be checked, too. Failing to do so might result
+in DMA memory not being aligned according to its requested size,
+leading to error messages like:
+
+ 4xxx 0000:2b:00.0: enabling device (0140 -> 0142)
+ 4xxx 0000:2b:00.0: Ring address not aligned
+ 4xxx 0000:2b:00.0: Failed to initialise service qat_crypto
+ 4xxx 0000:2b:00.0: Resetting device qat_dev0
+ 4xxx: probe of 0000:2b:00.0 failed with error -14
+
+Fixes: 9435cce87950 ("xen/swiotlb: Add support for 64KB page granularity")
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/swiotlb-xen.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c
+index 35155258a7e2d..d7fbba8b47003 100644
+--- a/drivers/xen/swiotlb-xen.c
++++ b/drivers/xen/swiotlb-xen.c
+@@ -78,9 +78,15 @@ static inline int range_straddles_page_boundary(phys_addr_t p, size_t size)
+ {
+ unsigned long next_bfn, xen_pfn = XEN_PFN_DOWN(p);
+ unsigned int i, nr_pages = XEN_PFN_UP(xen_offset_in_page(p) + size);
++ phys_addr_t algn = 1ULL << (get_order(size) + PAGE_SHIFT);
+
+ next_bfn = pfn_to_bfn(xen_pfn);
+
++ /* If buffer is physically aligned, ensure DMA alignment. */
++ if (IS_ALIGNED(p, algn) &&
++ !IS_ALIGNED((phys_addr_t)next_bfn << XEN_PAGE_SHIFT, algn))
++ return 1;
++
+ for (i = 1; i < nr_pages; i++)
+ if (pfn_to_bfn(++xen_pfn) != ++next_bfn)
+ return 1;
+--
+2.43.0
+
--- /dev/null
+From e862fb68679d8c031d343b85d521f640946a8078 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Sep 2024 13:06:44 +0200
+Subject: xen/swiotlb: fix allocated size
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit c3dea3d54f4d399f8044547f0f1abdccbdfb0fee ]
+
+The allocated size in xen_swiotlb_alloc_coherent() and
+xen_swiotlb_free_coherent() is calculated wrong for the case of
+XEN_PAGE_SIZE not matching PAGE_SIZE. Fix that.
+
+Fixes: 7250f422da04 ("xen-swiotlb: use actually allocated size on check physical continuous")
+Reported-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/swiotlb-xen.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c
+index d7fbba8b47003..a337edcf8faf7 100644
+--- a/drivers/xen/swiotlb-xen.c
++++ b/drivers/xen/swiotlb-xen.c
+@@ -147,7 +147,7 @@ xen_swiotlb_alloc_coherent(struct device *dev, size_t size,
+ void *ret;
+
+ /* Align the allocation to the Xen page size */
+- size = 1UL << (order + XEN_PAGE_SHIFT);
++ size = ALIGN(size, XEN_PAGE_SIZE);
+
+ ret = (void *)__get_free_pages(flags, get_order(size));
+ if (!ret)
+@@ -179,7 +179,7 @@ xen_swiotlb_free_coherent(struct device *dev, size_t size, void *vaddr,
+ int order = get_order(size);
+
+ /* Convert the size to actually allocated. */
+- size = 1UL << (order + XEN_PAGE_SHIFT);
++ size = ALIGN(size, XEN_PAGE_SIZE);
+
+ if (WARN_ON_ONCE(dma_handle + size - 1 > dev->coherent_dma_mask) ||
+ WARN_ON_ONCE(range_straddles_page_boundary(phys, size)))
+--
+2.43.0
+
--- /dev/null
+From 8302ac200e3fb2e8b669b96d7c36cdc266e47138 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Aug 2024 20:14:22 +0200
+Subject: xen: tolerate ACPI NVS memory overlapping with Xen allocated memory
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit be35d91c8880650404f3bf813573222dfb106935 ]
+
+In order to minimize required special handling for running as Xen PV
+dom0, the memory layout is modified to match that of the host. This
+requires to have only RAM at the locations where Xen allocated memory
+is living. Unfortunately there seem to be some machines, where ACPI
+NVS is located at 64 MB, resulting in a conflict with the loaded
+kernel or the initial page tables built by Xen.
+
+Avoid this conflict by swapping the ACPI NVS area in the memory map
+with unused RAM. This is possible via modification of the dom0 P2M map.
+Accesses to the ACPI NVS area are done either for saving and restoring
+it across suspend operations (this will work the same way as before),
+or by ACPI code when NVS memory is referenced from other ACPI tables.
+The latter case is handled by a Xen specific indirection of
+acpi_os_ioremap().
+
+While the E820 map can (and should) be modified right away, the P2M
+map can be updated only after memory allocation is working, as the P2M
+map might need to be extended.
+
+Fixes: 808fdb71936c ("xen: check for kernel memory conflicting with memory layout")
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/setup.c | 92 +++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 91 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c
+index 4c18d8b1cdf10..e066782972c15 100644
+--- a/arch/x86/xen/setup.c
++++ b/arch/x86/xen/setup.c
+@@ -495,6 +495,8 @@ void __init xen_remap_memory(void)
+ set_pte_mfn(buf, mfn_save, PAGE_KERNEL);
+
+ pr_info("Remapped %ld page(s)\n", remapped);
++
++ xen_do_remap_nonram();
+ }
+
+ static unsigned long __init xen_get_pages_limit(void)
+@@ -625,14 +627,102 @@ phys_addr_t __init xen_find_free_area(phys_addr_t size)
+ return 0;
+ }
+
++/*
++ * Swap a non-RAM E820 map entry with RAM above ini_nr_pages.
++ * Note that the E820 map is modified accordingly, but the P2M map isn't yet.
++ * The adaption of the P2M must be deferred until page allocation is possible.
++ */
++static void __init xen_e820_swap_entry_with_ram(struct e820_entry *swap_entry)
++{
++ struct e820_entry *entry;
++ unsigned int mapcnt;
++ phys_addr_t mem_end = PFN_PHYS(ini_nr_pages);
++ phys_addr_t swap_addr, swap_size, entry_end;
++
++ swap_addr = PAGE_ALIGN_DOWN(swap_entry->addr);
++ swap_size = PAGE_ALIGN(swap_entry->addr - swap_addr + swap_entry->size);
++ entry = xen_e820_table.entries;
++
++ for (mapcnt = 0; mapcnt < xen_e820_table.nr_entries; mapcnt++) {
++ entry_end = entry->addr + entry->size;
++ if (entry->type == E820_TYPE_RAM && entry->size >= swap_size &&
++ entry_end - swap_size >= mem_end) {
++ /* Reduce RAM entry by needed space (whole pages). */
++ entry->size -= swap_size;
++
++ /* Add new entry at the end of E820 map. */
++ entry = xen_e820_table.entries +
++ xen_e820_table.nr_entries;
++ xen_e820_table.nr_entries++;
++
++ /* Fill new entry (keep size and page offset). */
++ entry->type = swap_entry->type;
++ entry->addr = entry_end - swap_size +
++ swap_addr - swap_entry->addr;
++ entry->size = swap_entry->size;
++
++ /* Convert old entry to RAM, align to pages. */
++ swap_entry->type = E820_TYPE_RAM;
++ swap_entry->addr = swap_addr;
++ swap_entry->size = swap_size;
++
++ /* Remember PFN<->MFN relation for P2M update. */
++ xen_add_remap_nonram(swap_addr, entry_end - swap_size,
++ swap_size);
++
++ /* Order E820 table and merge entries. */
++ e820__update_table(&xen_e820_table);
++
++ return;
++ }
++
++ entry++;
++ }
++
++ xen_raw_console_write("No suitable area found for required E820 entry remapping action\n");
++ BUG();
++}
++
++/*
++ * Look for non-RAM memory types in a specific guest physical area and move
++ * those away if possible (ACPI NVS only for now).
++ */
++static void __init xen_e820_resolve_conflicts(phys_addr_t start,
++ phys_addr_t size)
++{
++ struct e820_entry *entry;
++ unsigned int mapcnt;
++ phys_addr_t end;
++
++ if (!size)
++ return;
++
++ end = start + size;
++ entry = xen_e820_table.entries;
++
++ for (mapcnt = 0; mapcnt < xen_e820_table.nr_entries; mapcnt++) {
++ if (entry->addr >= end)
++ return;
++
++ if (entry->addr + entry->size > start &&
++ entry->type == E820_TYPE_NVS)
++ xen_e820_swap_entry_with_ram(entry);
++
++ entry++;
++ }
++}
++
+ /*
+ * Check for an area in physical memory to be usable for non-movable purposes.
+- * An area is considered to usable if the used E820 map lists it to be RAM.
++ * An area is considered to usable if the used E820 map lists it to be RAM or
++ * some other type which can be moved to higher PFNs while keeping the MFNs.
+ * In case the area is not usable, crash the system with an error message.
+ */
+ void __init xen_chk_is_e820_usable(phys_addr_t start, phys_addr_t size,
+ const char *component)
+ {
++ xen_e820_resolve_conflicts(start, size);
++
+ if (!xen_is_e820_reserved(start, size))
+ return;
+
+--
+2.43.0
+
--- /dev/null
+From d5d41f3ff119f75e46fec7f87df5bf4945dbe3c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Aug 2024 08:01:22 +0200
+Subject: xen: use correct end address of kernel for conflict checking
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit fac1bceeeb04886fc2ee952672e6e6c85ce41dca ]
+
+When running as a Xen PV dom0 the kernel is loaded by the hypervisor
+using a different memory map than that of the host. In order to
+minimize the required changes in the kernel, the kernel adapts its
+memory map to that of the host. In order to do that it is checking
+for conflicts of its load address with the host memory map.
+
+Unfortunately the tested memory range does not include the .brk
+area, which might result in crashes or memory corruption when this
+area does conflict with the memory map of the host.
+
+Fix the test by using the _end label instead of __bss_stop.
+
+Fixes: 808fdb71936c ("xen: check for kernel memory conflicting with memory layout")
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/setup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c
+index 806ddb2391d9b..4bcc70a71b7d4 100644
+--- a/arch/x86/xen/setup.c
++++ b/arch/x86/xen/setup.c
+@@ -825,7 +825,7 @@ char * __init xen_memory_setup(void)
+ * to relocating (and even reusing) pages with kernel text or data.
+ */
+ if (xen_is_e820_reserved(__pa_symbol(_text),
+- __pa_symbol(__bss_stop) - __pa_symbol(_text))) {
++ __pa_symbol(_end) - __pa_symbol(_text))) {
+ xen_raw_console_write("Xen hypervisor allocated kernel memory conflicts with E820 map\n");
+ BUG();
+ }
+--
+2.43.0
+
--- /dev/null
+From 9d0643f4fcadca71bbdc2dde2816993ef1ec1b10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2024 21:10:19 +0200
+Subject: xsk: fix batch alloc API on non-coherent systems
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit 4144a1059b47e821c82c3c82eb23a4c7312dce3a ]
+
+In cases when synchronizing DMA operations is necessary,
+xsk_buff_alloc_batch() returns a single buffer instead of the requested
+count. This puts the pressure on drivers that use batch API as they have
+to check for this corner case on their side and take care of allocations
+by themselves, which feels counter productive. Let us improve the core
+by looping over xp_alloc() @max times when slow path needs to be taken.
+
+Another issue with current interface, as spotted and fixed by Dries, was
+that when driver called xsk_buff_alloc_batch() with @max == 0, for slow
+path case it still allocated and returned a single buffer, which should
+not happen. By introducing the logic from first paragraph we kill two
+birds with one stone and address this problem as well.
+
+Fixes: 47e4075df300 ("xsk: Batched buffer allocation for the pool")
+Reported-and-tested-by: Dries De Winter <ddewinter@synamedia.com>
+Co-developed-by: Dries De Winter <ddewinter@synamedia.com>
+Signed-off-by: Dries De Winter <ddewinter@synamedia.com>
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://patch.msgid.link/20240911191019.296480-1-maciej.fijalkowski@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xsk_buff_pool.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c
+index c0e0204b96304..b0f24ebd05f0b 100644
+--- a/net/xdp/xsk_buff_pool.c
++++ b/net/xdp/xsk_buff_pool.c
+@@ -623,20 +623,31 @@ static u32 xp_alloc_reused(struct xsk_buff_pool *pool, struct xdp_buff **xdp, u3
+ return nb_entries;
+ }
+
+-u32 xp_alloc_batch(struct xsk_buff_pool *pool, struct xdp_buff **xdp, u32 max)
++static u32 xp_alloc_slow(struct xsk_buff_pool *pool, struct xdp_buff **xdp,
++ u32 max)
+ {
+- u32 nb_entries1 = 0, nb_entries2;
++ int i;
+
+- if (unlikely(pool->dev && dma_dev_need_sync(pool->dev))) {
++ for (i = 0; i < max; i++) {
+ struct xdp_buff *buff;
+
+- /* Slow path */
+ buff = xp_alloc(pool);
+- if (buff)
+- *xdp = buff;
+- return !!buff;
++ if (unlikely(!buff))
++ return i;
++ *xdp = buff;
++ xdp++;
+ }
+
++ return max;
++}
++
++u32 xp_alloc_batch(struct xsk_buff_pool *pool, struct xdp_buff **xdp, u32 max)
++{
++ u32 nb_entries1 = 0, nb_entries2;
++
++ if (unlikely(pool->dev && dma_dev_need_sync(pool->dev)))
++ return xp_alloc_slow(pool, xdp, max);
++
+ if (unlikely(pool->free_list_cnt)) {
+ nb_entries1 = xp_alloc_reused(pool, xdp, max);
+ if (nb_entries1 == max)
+--
+2.43.0
+
--- /dev/null
+From 1ddf2c001a56e453163ee70c4ee7ae4ed956cc16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Jul 2024 16:36:24 +0300
+Subject: xz: cleanup CRC32 edits from 2018
+
+From: Lasse Collin <lasse.collin@tukaani.org>
+
+[ Upstream commit 2ee96abef214550d9e92f5143ee3ac1fd1323e67 ]
+
+In 2018, a dependency on <linux/crc32poly.h> was added to avoid
+duplicating the same constant in multiple files. Two months later it was
+found to be a bad idea and the definition of CRC32_POLY_LE macro was moved
+into xz_private.h to avoid including <linux/crc32poly.h>.
+
+xz_private.h is a wrong place for it too. Revert back to the upstream
+version which has the poly in xz_crc32_init() in xz_crc32.c.
+
+Link: https://lkml.kernel.org/r/20240721133633.47721-10-lasse.collin@tukaani.org
+Fixes: faa16bc404d7 ("lib: Use existing define with polynomial")
+Fixes: 242cdad873a7 ("lib/xz: Put CRC32_POLY_LE in xz_private.h")
+Signed-off-by: Lasse Collin <lasse.collin@tukaani.org>
+Reviewed-by: Sam James <sam@gentoo.org>
+Tested-by: Michael Ellerman <mpe@ellerman.id.au> (powerpc)
+Cc: Krzysztof Kozlowski <krzk@kernel.org>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: Joel Stanley <joel@jms.id.au>
+Cc: Albert Ou <aou@eecs.berkeley.edu>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Emil Renner Berthing <emil.renner.berthing@canonical.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Jubin Zhong <zhongjubin@huawei.com>
+Cc: Jules Maselbas <jmaselbas@zdiv.net>
+Cc: Palmer Dabbelt <palmer@dabbelt.com>
+Cc: Paul Walmsley <paul.walmsley@sifive.com>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Cc: Rui Li <me@lirui.org>
+Cc: Simon Glass <sjg@chromium.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/xz/xz_crc32.c | 2 +-
+ lib/xz/xz_private.h | 4 ----
+ 2 files changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/lib/xz/xz_crc32.c b/lib/xz/xz_crc32.c
+index 88a2c35e1b597..5627b00fca296 100644
+--- a/lib/xz/xz_crc32.c
++++ b/lib/xz/xz_crc32.c
+@@ -29,7 +29,7 @@ STATIC_RW_DATA uint32_t xz_crc32_table[256];
+
+ XZ_EXTERN void xz_crc32_init(void)
+ {
+- const uint32_t poly = CRC32_POLY_LE;
++ const uint32_t poly = 0xEDB88320;
+
+ uint32_t i;
+ uint32_t j;
+diff --git a/lib/xz/xz_private.h b/lib/xz/xz_private.h
+index bf1e94ec7873c..d9fd49b45fd75 100644
+--- a/lib/xz/xz_private.h
++++ b/lib/xz/xz_private.h
+@@ -105,10 +105,6 @@
+ # endif
+ #endif
+
+-#ifndef CRC32_POLY_LE
+-#define CRC32_POLY_LE 0xedb88320
+-#endif
+-
+ /*
+ * Allocate memory for LZMA2 decoder. xz_dec_lzma2_reset() must be used
+ * before calling xz_dec_lzma2_run().
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
