--- /dev/null
+From 247ca452f5b0b289a88f0a546a2e219315a731e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 13:12:39 +0300
+Subject: acpi/arm64: Adjust error handling procedure in
+ gtdt_parse_timer_block()
+
+From: Aleksandr Mishin <amishin@t-argos.ru>
+
+[ Upstream commit 1a9de2f6fda69d5f105dd8af776856a66abdaa64 ]
+
+In case of error in gtdt_parse_timer_block() invalid 'gtdt_frame'
+will be used in 'do {} while (i-- >= 0 && gtdt_frame--);' statement block
+because do{} block will be executed even if 'i == 0'.
+
+Adjust error handling procedure by replacing 'i-- >= 0' with 'i-- > 0'.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: a712c3ed9b8a ("acpi/arm64: Add memory-mapped timer support in GTDT driver")
+Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
+Acked-by: Hanjun Guo <guohanjun@huawei.com>
+Acked-by: Sudeep Holla <sudeep.holla@arm.com>
+Acked-by: Aleksandr Mishin <amishin@t-argos.ru>
+Link: https://lore.kernel.org/r/20240827101239.22020-1-amishin@t-argos.ru
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/arm64/gtdt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/arm64/gtdt.c b/drivers/acpi/arm64/gtdt.c
+index c0e77c1c8e09d..eb6c2d3603874 100644
+--- a/drivers/acpi/arm64/gtdt.c
++++ b/drivers/acpi/arm64/gtdt.c
+@@ -283,7 +283,7 @@ static int __init gtdt_parse_timer_block(struct acpi_gtdt_timer_block *block,
+ if (frame->virt_irq > 0)
+ acpi_unregister_gsi(gtdt_frame->virtual_timer_interrupt);
+ frame->virt_irq = 0;
+- } while (i-- >= 0 && gtdt_frame--);
++ } while (i-- > 0 && gtdt_frame--);
+
+ return -EINVAL;
+ }
+--
+2.43.0
+
--- /dev/null
+From c788382a7cc7aa2e9430ab9d8c980e815998f537 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Nov 2024 18:33:09 +0800
+Subject: ACPI: CPPC: Fix _CPC register setting issue
+
+From: Lifeng Zheng <zhenglifeng1@huawei.com>
+
+[ Upstream commit 2388b266c9fcc7c9169ba85c7f9ebe325b7622d7 ]
+
+Since commit 60949b7b8054 ("ACPI: CPPC: Fix MASK_VAL() usage"), _CPC
+registers cannot be changed from 1 to 0.
+
+It turns out that there is an extra OR after MASK_VAL_WRITE(), which
+has already ORed prev_val with the register mask.
+
+Remove the extra OR to fix the problem.
+
+Fixes: 60949b7b8054 ("ACPI: CPPC: Fix MASK_VAL() usage")
+Signed-off-by: Lifeng Zheng <zhenglifeng1@huawei.com>
+Link: https://patch.msgid.link/20241113103309.761031-1-zhenglifeng1@huawei.com
+[ rjw: Subject and changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/cppc_acpi.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/acpi/cppc_acpi.c b/drivers/acpi/cppc_acpi.c
+index 31ea76b6fa045..0e1fb97d5d763 100644
+--- a/drivers/acpi/cppc_acpi.c
++++ b/drivers/acpi/cppc_acpi.c
+@@ -1136,7 +1136,6 @@ static int cpc_write(int cpu, struct cpc_register_resource *reg_res, u64 val)
+ return -EFAULT;
+ }
+ val = MASK_VAL_WRITE(reg, prev_val, val);
+- val |= prev_val;
+ }
+
+ switch (size) {
+--
+2.43.0
+
--- /dev/null
+From 409b81256883768f1450a0fea98416ca008acea1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Nov 2024 12:10:39 +0100
+Subject: ALSA: 6fire: Release resources at card release
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit a0810c3d6dd2d29a9b92604d682eacd2902ce947 ]
+
+The current 6fire code tries to release the resources right after the
+call of usb6fire_chip_abort(). But at this moment, the card object
+might be still in use (as we're calling snd_card_free_when_closed()).
+
+For avoid potential UAFs, move the release of resources to the card's
+private_free instead of the manual call of usb6fire_chip_destroy() at
+the USB disconnect callback.
+
+Fixes: c6d43ba816d1 ("ALSA: usb/6fire - Driver for TerraTec DMX 6Fire USB")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://patch.msgid.link/20241113111042.15058-6-tiwai@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/6fire/chip.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/sound/usb/6fire/chip.c b/sound/usb/6fire/chip.c
+index 33e962178c936..d562a30b087f0 100644
+--- a/sound/usb/6fire/chip.c
++++ b/sound/usb/6fire/chip.c
+@@ -61,8 +61,10 @@ static void usb6fire_chip_abort(struct sfire_chip *chip)
+ }
+ }
+
+-static void usb6fire_chip_destroy(struct sfire_chip *chip)
++static void usb6fire_card_free(struct snd_card *card)
+ {
++ struct sfire_chip *chip = card->private_data;
++
+ if (chip) {
+ if (chip->pcm)
+ usb6fire_pcm_destroy(chip);
+@@ -72,8 +74,6 @@ static void usb6fire_chip_destroy(struct sfire_chip *chip)
+ usb6fire_comm_destroy(chip);
+ if (chip->control)
+ usb6fire_control_destroy(chip);
+- if (chip->card)
+- snd_card_free(chip->card);
+ }
+ }
+
+@@ -136,6 +136,7 @@ static int usb6fire_chip_probe(struct usb_interface *intf,
+ chip->regidx = regidx;
+ chip->intf_count = 1;
+ chip->card = card;
++ card->private_free = usb6fire_card_free;
+
+ ret = usb6fire_comm_init(chip);
+ if (ret < 0)
+@@ -162,7 +163,7 @@ static int usb6fire_chip_probe(struct usb_interface *intf,
+ return 0;
+
+ destroy_chip:
+- usb6fire_chip_destroy(chip);
++ snd_card_free(card);
+ return ret;
+ }
+
+@@ -181,7 +182,6 @@ static void usb6fire_chip_disconnect(struct usb_interface *intf)
+
+ chip->shutdown = true;
+ usb6fire_chip_abort(chip);
+- usb6fire_chip_destroy(chip);
+ }
+ }
+ }
+--
+2.43.0
+
--- /dev/null
+From 6e1082a3dae14374045c9fff587794f4a00ccb13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Nov 2024 12:10:38 +0100
+Subject: ALSA: caiaq: Use snd_card_free_when_closed() at disconnection
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit b04dcbb7f7b1908806b7dc22671cdbe78ff2b82c ]
+
+The USB disconnect callback is supposed to be short and not too-long
+waiting. OTOH, the current code uses snd_card_free() at
+disconnection, but this waits for the close of all used fds, hence it
+can take long. It eventually blocks the upper layer USB ioctls, which
+may trigger a soft lockup.
+
+An easy workaround is to replace snd_card_free() with
+snd_card_free_when_closed(). This variant returns immediately while
+the release of resources is done asynchronously by the card device
+release at the last close.
+
+This patch also splits the code to the disconnect and the free phases;
+the former is called immediately at the USB disconnect callback while
+the latter is called from the card destructor.
+
+Fixes: 523f1dce3743 ("[ALSA] Add Native Instrument usb audio device support")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://patch.msgid.link/20241113111042.15058-5-tiwai@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/caiaq/audio.c | 10 ++++++++--
+ sound/usb/caiaq/audio.h | 1 +
+ sound/usb/caiaq/device.c | 19 +++++++++++++++----
+ sound/usb/caiaq/input.c | 12 +++++++++---
+ sound/usb/caiaq/input.h | 1 +
+ 5 files changed, 34 insertions(+), 9 deletions(-)
+
+diff --git a/sound/usb/caiaq/audio.c b/sound/usb/caiaq/audio.c
+index 4981753652a7f..7a89872aa0cbd 100644
+--- a/sound/usb/caiaq/audio.c
++++ b/sound/usb/caiaq/audio.c
+@@ -869,14 +869,20 @@ int snd_usb_caiaq_audio_init(struct snd_usb_caiaqdev *cdev)
+ return 0;
+ }
+
+-void snd_usb_caiaq_audio_free(struct snd_usb_caiaqdev *cdev)
++void snd_usb_caiaq_audio_disconnect(struct snd_usb_caiaqdev *cdev)
+ {
+ struct device *dev = caiaqdev_to_dev(cdev);
+
+ dev_dbg(dev, "%s(%p)\n", __func__, cdev);
+ stream_stop(cdev);
++}
++
++void snd_usb_caiaq_audio_free(struct snd_usb_caiaqdev *cdev)
++{
++ struct device *dev = caiaqdev_to_dev(cdev);
++
++ dev_dbg(dev, "%s(%p)\n", __func__, cdev);
+ free_urbs(cdev->data_urbs_in);
+ free_urbs(cdev->data_urbs_out);
+ kfree(cdev->data_cb_info);
+ }
+-
+diff --git a/sound/usb/caiaq/audio.h b/sound/usb/caiaq/audio.h
+index 869bf6264d6a0..07f5d064456cf 100644
+--- a/sound/usb/caiaq/audio.h
++++ b/sound/usb/caiaq/audio.h
+@@ -3,6 +3,7 @@
+ #define CAIAQ_AUDIO_H
+
+ int snd_usb_caiaq_audio_init(struct snd_usb_caiaqdev *cdev);
++void snd_usb_caiaq_audio_disconnect(struct snd_usb_caiaqdev *cdev);
+ void snd_usb_caiaq_audio_free(struct snd_usb_caiaqdev *cdev);
+
+ #endif /* CAIAQ_AUDIO_H */
+diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c
+index 49f63f878e6fe..d5c01d3f126ee 100644
+--- a/sound/usb/caiaq/device.c
++++ b/sound/usb/caiaq/device.c
+@@ -376,6 +376,17 @@ static void setup_card(struct snd_usb_caiaqdev *cdev)
+ dev_err(dev, "Unable to set up control system (ret=%d)\n", ret);
+ }
+
++static void card_free(struct snd_card *card)
++{
++ struct snd_usb_caiaqdev *cdev = caiaqdev(card);
++
++#ifdef CONFIG_SND_USB_CAIAQ_INPUT
++ snd_usb_caiaq_input_free(cdev);
++#endif
++ snd_usb_caiaq_audio_free(cdev);
++ usb_reset_device(cdev->chip.dev);
++}
++
+ static int create_card(struct usb_device *usb_dev,
+ struct usb_interface *intf,
+ struct snd_card **cardp)
+@@ -489,6 +500,7 @@ static int init_card(struct snd_usb_caiaqdev *cdev)
+ cdev->vendor_name, cdev->product_name, usbpath);
+
+ setup_card(cdev);
++ card->private_free = card_free;
+ return 0;
+
+ err_kill_urb:
+@@ -534,15 +546,14 @@ static void snd_disconnect(struct usb_interface *intf)
+ snd_card_disconnect(card);
+
+ #ifdef CONFIG_SND_USB_CAIAQ_INPUT
+- snd_usb_caiaq_input_free(cdev);
++ snd_usb_caiaq_input_disconnect(cdev);
+ #endif
+- snd_usb_caiaq_audio_free(cdev);
++ snd_usb_caiaq_audio_disconnect(cdev);
+
+ usb_kill_urb(&cdev->ep1_in_urb);
+ usb_kill_urb(&cdev->midi_out_urb);
+
+- snd_card_free(card);
+- usb_reset_device(interface_to_usbdev(intf));
++ snd_card_free_when_closed(card);
+ }
+
+
+diff --git a/sound/usb/caiaq/input.c b/sound/usb/caiaq/input.c
+index 84f26dce7f5d0..a9130891bb696 100644
+--- a/sound/usb/caiaq/input.c
++++ b/sound/usb/caiaq/input.c
+@@ -829,15 +829,21 @@ int snd_usb_caiaq_input_init(struct snd_usb_caiaqdev *cdev)
+ return ret;
+ }
+
+-void snd_usb_caiaq_input_free(struct snd_usb_caiaqdev *cdev)
++void snd_usb_caiaq_input_disconnect(struct snd_usb_caiaqdev *cdev)
+ {
+ if (!cdev || !cdev->input_dev)
+ return;
+
+ usb_kill_urb(cdev->ep4_in_urb);
++ input_unregister_device(cdev->input_dev);
++}
++
++void snd_usb_caiaq_input_free(struct snd_usb_caiaqdev *cdev)
++{
++ if (!cdev || !cdev->input_dev)
++ return;
++
+ usb_free_urb(cdev->ep4_in_urb);
+ cdev->ep4_in_urb = NULL;
+-
+- input_unregister_device(cdev->input_dev);
+ cdev->input_dev = NULL;
+ }
+diff --git a/sound/usb/caiaq/input.h b/sound/usb/caiaq/input.h
+index c42891e7be884..fbe267f85d025 100644
+--- a/sound/usb/caiaq/input.h
++++ b/sound/usb/caiaq/input.h
+@@ -4,6 +4,7 @@
+
+ void snd_usb_caiaq_input_dispatch(struct snd_usb_caiaqdev *cdev, char *buf, unsigned int len);
+ int snd_usb_caiaq_input_init(struct snd_usb_caiaqdev *cdev);
++void snd_usb_caiaq_input_disconnect(struct snd_usb_caiaqdev *cdev);
+ void snd_usb_caiaq_input_free(struct snd_usb_caiaqdev *cdev);
+
+ #endif
+--
+2.43.0
+
--- /dev/null
+From 5ab4af7c279a37072725a084a4df7452e526fa2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2024 15:21:09 +0800
+Subject: ALSA: hda/realtek: Update ALC256 depop procedure
+
+From: Kailang Yang <kailang@realtek.com>
+
+[ Upstream commit cc3d0b5dd989d3238d456f9fd385946379a9c13d ]
+
+Old procedure has a chance to meet Headphone no output.
+
+Fixes: 4a219ef8f370 ("ALSA: hda/realtek - Add ALC256 HP depop function")
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Link: https://lore.kernel.org/463c5f93715d4714967041a0a8cec28e@realtek.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 42 ++++++++++++++++-------------------
+ 1 file changed, 19 insertions(+), 23 deletions(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index f3e368f82be9b..465d9b7befe56 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -3599,25 +3599,22 @@ static void alc256_init(struct hda_codec *codec)
+
+ hp_pin_sense = snd_hda_jack_detect(codec, hp_pin);
+
+- if (hp_pin_sense)
++ if (hp_pin_sense) {
+ msleep(2);
++ alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x1); /* Low power */
+
+- alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x1); /* Low power */
+-
+- snd_hda_codec_write(codec, hp_pin, 0,
+- AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE);
+-
+- if (hp_pin_sense || spec->ultra_low_power)
+- msleep(85);
+-
+- snd_hda_codec_write(codec, hp_pin, 0,
++ snd_hda_codec_write(codec, hp_pin, 0,
+ AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_OUT);
+
+- if (hp_pin_sense || spec->ultra_low_power)
+- msleep(100);
++ msleep(75);
++
++ snd_hda_codec_write(codec, hp_pin, 0,
++ AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_UNMUTE);
+
++ msleep(75);
++ alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x4); /* Hight power */
++ }
+ alc_update_coef_idx(codec, 0x46, 3 << 12, 0);
+- alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x4); /* Hight power */
+ alc_update_coefex_idx(codec, 0x53, 0x02, 0x8000, 1 << 15); /* Clear bit */
+ alc_update_coefex_idx(codec, 0x53, 0x02, 0x8000, 0 << 15);
+ /*
+@@ -3641,29 +3638,28 @@ static void alc256_shutup(struct hda_codec *codec)
+ alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x1); /* Low power */
+ hp_pin_sense = snd_hda_jack_detect(codec, hp_pin);
+
+- if (hp_pin_sense)
++ if (hp_pin_sense) {
+ msleep(2);
+
+- snd_hda_codec_write(codec, hp_pin, 0,
++ snd_hda_codec_write(codec, hp_pin, 0,
+ AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE);
+
+- if (hp_pin_sense || spec->ultra_low_power)
+- msleep(85);
++ msleep(75);
+
+ /* 3k pull low control for Headset jack. */
+ /* NOTE: call this before clearing the pin, otherwise codec stalls */
+ /* If disable 3k pulldown control for alc257, the Mic detection will not work correctly
+ * when booting with headset plugged. So skip setting it for the codec alc257
+ */
+- if (spec->en_3kpull_low)
+- alc_update_coef_idx(codec, 0x46, 0, 3 << 12);
++ if (spec->en_3kpull_low)
++ alc_update_coef_idx(codec, 0x46, 0, 3 << 12);
+
+- if (!spec->no_shutup_pins)
+- snd_hda_codec_write(codec, hp_pin, 0,
++ if (!spec->no_shutup_pins)
++ snd_hda_codec_write(codec, hp_pin, 0,
+ AC_VERB_SET_PIN_WIDGET_CONTROL, 0x0);
+
+- if (hp_pin_sense || spec->ultra_low_power)
+- msleep(100);
++ msleep(75);
++ }
+
+ alc_auto_setup_eapd(codec, false);
+ alc_shutup_pins(codec);
+--
+2.43.0
+
--- /dev/null
+From 85be8b6d7d5dfd31fdcedb2b6b3da8f334e4efa7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Nov 2024 12:10:36 +0100
+Subject: ALSA: us122l: Use snd_card_free_when_closed() at disconnection
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit b7df09bb348016943f56b09dcaafe221e3f73947 ]
+
+The USB disconnect callback is supposed to be short and not too-long
+waiting. OTOH, the current code uses snd_card_free() at
+disconnection, but this waits for the close of all used fds, hence it
+can take long. It eventually blocks the upper layer USB ioctls, which
+may trigger a soft lockup.
+
+An easy workaround is to replace snd_card_free() with
+snd_card_free_when_closed(). This variant returns immediately while
+the release of resources is done asynchronously by the card device
+release at the last close.
+
+The loop of us122l->mmap_count check is dropped as well. The check is
+useless for the asynchronous operation with *_when_closed().
+
+Fixes: 030a07e44129 ("ALSA: Add USB US122L driver")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://patch.msgid.link/20241113111042.15058-3-tiwai@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/usx2y/us122l.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/sound/usb/usx2y/us122l.c b/sound/usb/usx2y/us122l.c
+index e558931cce16e..23d7d542a3de6 100644
+--- a/sound/usb/usx2y/us122l.c
++++ b/sound/usb/usx2y/us122l.c
+@@ -617,10 +617,7 @@ static void snd_us122l_disconnect(struct usb_interface *intf)
+ usb_put_intf(usb_ifnum_to_if(us122l->dev, 1));
+ usb_put_dev(us122l->dev);
+
+- while (atomic_read(&us122l->mmap_count))
+- msleep(500);
+-
+- snd_card_free(card);
++ snd_card_free_when_closed(card);
+ }
+
+ static int snd_us122l_suspend(struct usb_interface *intf, pm_message_t message)
+--
+2.43.0
+
--- /dev/null
+From 08835b4f4a50108e3f102b20f87e01af5e36232b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Nov 2024 12:10:35 +0100
+Subject: ALSA: usx2y: Use snd_card_free_when_closed() at disconnection
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit dafb28f02be407e07a6f679e922a626592b481b0 ]
+
+The USB disconnect callback is supposed to be short and not too-long
+waiting. OTOH, the current code uses snd_card_free() at
+disconnection, but this waits for the close of all used fds, hence it
+can take long. It eventually blocks the upper layer USB ioctls, which
+may trigger a soft lockup.
+
+An easy workaround is to replace snd_card_free() with
+snd_card_free_when_closed(). This variant returns immediately while
+the release of resources is done asynchronously by the card device
+release at the last close.
+
+Fixes: 230cd5e24853 ("[ALSA] prevent oops & dead keyboard on usb unplugging while the device is be ing used")
+Reported-by: syzbot+73582d08864d8268b6fd@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=73582d08864d8268b6fd
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://patch.msgid.link/20241113111042.15058-2-tiwai@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/usx2y/usbusx2y.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/usb/usx2y/usbusx2y.c b/sound/usb/usx2y/usbusx2y.c
+index 52f4e6652407d..4c4ce0319d624 100644
+--- a/sound/usb/usx2y/usbusx2y.c
++++ b/sound/usb/usx2y/usbusx2y.c
+@@ -423,7 +423,7 @@ static void snd_usx2y_disconnect(struct usb_interface *intf)
+ }
+ if (usx2y->us428ctls_sharedmem)
+ wake_up(&usx2y->us428ctls_wait_queue_head);
+- snd_card_free(card);
++ snd_card_free_when_closed(card);
+ }
+
+ static int snd_usx2y_probe(struct usb_interface *intf,
+--
+2.43.0
+
--- /dev/null
+From 225d8190602b1b918d5bbd3aeb8715425c1074fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jun 2023 10:03:16 +0800
+Subject: apparmor: fix 'Do simple duplicate message elimination'
+
+From: chao liu <liuzgyid@outlook.com>
+
+[ Upstream commit 9b897132424fe76bf6c61f22f9cf12af7f1d1e6a ]
+
+Multiple profiles shared 'ent->caps', so some logs missed.
+
+Fixes: 0ed3b28ab8bf ("AppArmor: mediation of non file objects")
+Signed-off-by: chao liu <liuzgyid@outlook.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/apparmor/capability.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c
+index deccea8654ad8..1b13fd89d5a9f 100644
+--- a/security/apparmor/capability.c
++++ b/security/apparmor/capability.c
+@@ -94,6 +94,8 @@ static int audit_caps(struct common_audit_data *sa, struct aa_profile *profile,
+ return error;
+ } else {
+ aa_put_profile(ent->profile);
++ if (profile != ent->profile)
++ cap_clear(ent->caps);
+ ent->profile = aa_get_profile(profile);
+ cap_raise(ent->caps, cap);
+ }
+--
+2.43.0
+
--- /dev/null
+From 7b83afd76a062a8822ee8a45d0eb80c274c4432c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 23:29:16 +0100
+Subject: ARM: dts: cubieboard4: Fix DCDC5 regulator constraints
+
+From: Andre Przywara <andre.przywara@arm.com>
+
+[ Upstream commit dd36ad71ad65968f97630808bc8d605c929b128e ]
+
+The DCDC5 voltage rail in the X-Powers AXP809 PMIC has a resolution of
+50mV, so the currently enforced limits of 1.475 and 1.525 volts cannot
+be set, when the existing regulator value is beyond this range.
+
+This will lead to the whole regulator driver to give up and fail
+probing, which in turn will hang the system, as essential devices depend
+on the PMIC.
+In this case a bug in U-Boot set the voltage to 1.75V (meant for DCDC4),
+and the AXP driver's attempt to correct this lead to this error:
+==================
+[ 4.447653] axp20x-rsb sunxi-rsb-3a3: AXP20X driver loaded
+[ 4.450066] vcc-dram: Bringing 1750000uV into 1575000-1575000uV
+[ 4.460272] vcc-dram: failed to apply 1575000-1575000uV constraint: -EINVAL
+[ 4.474788] axp20x-regulator axp20x-regulator.0: Failed to register dcdc5
+[ 4.482276] axp20x-regulator axp20x-regulator.0: probe with driver axp20x-regulator failed with error -22
+==================
+
+Set the limits to values that can be programmed, so any correction will
+be successful.
+
+Signed-off-by: Andre Przywara <andre.przywara@arm.com>
+Fixes: 1e1dea72651b ("ARM: dts: sun9i: cubieboard4: Add AXP809 PMIC device node and regulators")
+Link: https://patch.msgid.link/20241007222916.19013-1-andre.przywara@arm.com
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/sun9i-a80-cubieboard4.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/sun9i-a80-cubieboard4.dts b/arch/arm/boot/dts/sun9i-a80-cubieboard4.dts
+index c8ca8cb7f5c94..52ad95a2063aa 100644
+--- a/arch/arm/boot/dts/sun9i-a80-cubieboard4.dts
++++ b/arch/arm/boot/dts/sun9i-a80-cubieboard4.dts
+@@ -280,8 +280,8 @@ reg_dcdc4: dcdc4 {
+
+ reg_dcdc5: dcdc5 {
+ regulator-always-on;
+- regulator-min-microvolt = <1425000>;
+- regulator-max-microvolt = <1575000>;
++ regulator-min-microvolt = <1450000>;
++ regulator-max-microvolt = <1550000>;
+ regulator-name = "vcc-dram";
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 1cf966a7fc78e51e735368afb32d3266aad09206 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Oct 2024 16:20:00 +0800
+Subject: arm64: dts: mediatek: mt8173-elm-hana: Add vdd-supply to second
+ source trackpad
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit f766fae08f6a2eaeb45d8d2c053724c91526835c ]
+
+The Hana device has a second source option trackpad, but it is missing
+its regulator supply. It only works because the regulator is marked as
+always-on.
+
+Add the regulator supply, but leave out the post-power-on delay. Instead,
+document the post-power-on delay along with the reason for not adding
+it in a comment.
+
+Fixes: 689b937bedde ("arm64: dts: mediatek: add mt8173 elm and hana board")
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20241018082001.1296963-1-wenst@chromium.org
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8173-elm-hana.dtsi | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8173-elm-hana.dtsi b/arch/arm64/boot/dts/mediatek/mt8173-elm-hana.dtsi
+index bdcd35cecad90..fd6230352f4fd 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8173-elm-hana.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8173-elm-hana.dtsi
+@@ -43,6 +43,14 @@ trackpad2: trackpad@2c {
+ interrupts = <117 IRQ_TYPE_LEVEL_LOW>;
+ reg = <0x2c>;
+ hid-descr-addr = <0x0020>;
++ /*
++ * The trackpad needs a post-power-on delay of 100ms,
++ * but at time of writing, the power supply for it on
++ * this board is always on. The delay is therefore not
++ * added to avoid impacting the readiness of the
++ * trackpad.
++ */
++ vdd-supply = <&mt6397_vgp6_reg>;
+ wakeup-source;
+ };
+ };
+--
+2.43.0
+
--- /dev/null
+From dfa259d807f62bbebe8c8ceeb492ab094cca091c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Oct 2024 15:02:22 +0800
+Subject: arm64: dts: mediatek: mt8183-kukui-jacuzzi: Add supplies for fixed
+ regulators
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit aaecb1da58a72bfbd2c35d4aadc43caa02f11862 ]
+
+When the fixed regulators for the LCD panel and DP bridge were added,
+their supplies were not modeled in. These, except for the 1.0V supply,
+are just load switches, and need and have a supply.
+
+Add the supplies for each of the fixed regulators.
+
+Fixes: cabc71b08eb5 ("arm64: dts: mt8183: Add kukui-jacuzzi-damu board")
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Link: https://lore.kernel.org/r/20241030070224.1006331-4-wenst@chromium.org
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi.dtsi | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi.dtsi b/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi.dtsi
+index beec6f0e4f274..629c4b7ecbc62 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi.dtsi
+@@ -20,6 +20,7 @@ pp1000_mipibrdg: pp1000-mipibrdg {
+ regulator-boot-on;
+
+ gpio = <&pio 54 GPIO_ACTIVE_HIGH>;
++ vin-supply = <&pp1800_alw>;
+ };
+
+ pp1800_mipibrdg: pp1800-mipibrdg {
+@@ -32,6 +33,7 @@ pp1800_mipibrdg: pp1800-mipibrdg {
+ regulator-boot-on;
+
+ gpio = <&pio 36 GPIO_ACTIVE_HIGH>;
++ vin-supply = <&pp1800_alw>;
+ };
+
+ pp3300_panel: pp3300-panel {
+@@ -46,6 +48,7 @@ pp3300_panel: pp3300-panel {
+ regulator-boot-on;
+
+ gpio = <&pio 35 GPIO_ACTIVE_HIGH>;
++ vin-supply = <&pp3300_alw>;
+ };
+
+ pp3300_mipibrdg: pp3300-mipibrdg {
+@@ -58,6 +61,7 @@ pp3300_mipibrdg: pp3300-mipibrdg {
+ regulator-boot-on;
+
+ gpio = <&pio 37 GPIO_ACTIVE_HIGH>;
++ vin-supply = <&pp3300_alw>;
+ };
+
+ volume_buttons: volume-buttons {
+--
+2.43.0
+
--- /dev/null
+From 93eafafdf3e5a3eed380a30d0d157ebd8af1cfa4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Oct 2024 15:02:21 +0800
+Subject: arm64: dts: mediatek: mt8183-kukui-jacuzzi: Fix DP bridge supply
+ names
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit c4e8cf13f1740037483565d5b802764e2426515b ]
+
+Some of the regulator supplies for the MIPI-DPI-to-DP bridge and their
+associated nodes are incorrectly named. In particular, the 1.0V supply
+was modeled as a 1.2V supply.
+
+Fix all the incorrect names, and also fix the voltage of the 1.0V
+regulator.
+
+Fixes: cabc71b08eb5 ("arm64: dts: mt8183: Add kukui-jacuzzi-damu board")
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Link: https://lore.kernel.org/r/20241030070224.1006331-3-wenst@chromium.org
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../dts/mediatek/mt8183-kukui-jacuzzi.dtsi | 26 ++++++++++---------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi.dtsi b/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi.dtsi
+index 32f6899f885ef..beec6f0e4f274 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi.dtsi
+@@ -8,11 +8,13 @@
+ #include <arm/cros-ec-keyboard.dtsi>
+
+ / {
+- pp1200_mipibrdg: pp1200-mipibrdg {
++ pp1000_mipibrdg: pp1000-mipibrdg {
+ compatible = "regulator-fixed";
+- regulator-name = "pp1200_mipibrdg";
++ regulator-name = "pp1000_mipibrdg";
++ regulator-min-microvolt = <1000000>;
++ regulator-max-microvolt = <1000000>;
+ pinctrl-names = "default";
+- pinctrl-0 = <&pp1200_mipibrdg_en>;
++ pinctrl-0 = <&pp1000_mipibrdg_en>;
+
+ enable-active-high;
+ regulator-boot-on;
+@@ -24,7 +26,7 @@ pp1800_mipibrdg: pp1800-mipibrdg {
+ compatible = "regulator-fixed";
+ regulator-name = "pp1800_mipibrdg";
+ pinctrl-names = "default";
+- pinctrl-0 = <&pp1800_lcd_en>;
++ pinctrl-0 = <&pp1800_mipibrdg_en>;
+
+ enable-active-high;
+ regulator-boot-on;
+@@ -46,11 +48,11 @@ pp3300_panel: pp3300-panel {
+ gpio = <&pio 35 GPIO_ACTIVE_HIGH>;
+ };
+
+- vddio_mipibrdg: vddio-mipibrdg {
++ pp3300_mipibrdg: pp3300-mipibrdg {
+ compatible = "regulator-fixed";
+- regulator-name = "vddio_mipibrdg";
++ regulator-name = "pp3300_mipibrdg";
+ pinctrl-names = "default";
+- pinctrl-0 = <&vddio_mipibrdg_en>;
++ pinctrl-0 = <&pp3300_mipibrdg_en>;
+
+ enable-active-high;
+ regulator-boot-on;
+@@ -152,9 +154,9 @@ anx_bridge: anx7625@58 {
+ panel_flags = <1>;
+ enable-gpios = <&pio 45 GPIO_ACTIVE_HIGH>;
+ reset-gpios = <&pio 73 GPIO_ACTIVE_HIGH>;
+- vdd10-supply = <&pp1200_mipibrdg>;
++ vdd10-supply = <&pp1000_mipibrdg>;
+ vdd18-supply = <&pp1800_mipibrdg>;
+- vdd33-supply = <&vddio_mipibrdg>;
++ vdd33-supply = <&pp3300_mipibrdg>;
+
+ ports {
+ #address-cells = <1>;
+@@ -397,14 +399,14 @@ &pio {
+ "",
+ "";
+
+- pp1200_mipibrdg_en: pp1200-mipibrdg-en {
++ pp1000_mipibrdg_en: pp1000-mipibrdg-en {
+ pins1 {
+ pinmux = <PINMUX_GPIO54__FUNC_GPIO54>;
+ output-low;
+ };
+ };
+
+- pp1800_lcd_en: pp1800-lcd-en {
++ pp1800_mipibrdg_en: pp1800-mipibrdg-en {
+ pins1 {
+ pinmux = <PINMUX_GPIO36__FUNC_GPIO36>;
+ output-low;
+@@ -466,7 +468,7 @@ trackpad-int {
+ };
+ };
+
+- vddio_mipibrdg_en: vddio-mipibrdg-en {
++ pp3300_mipibrdg_en: pp3300-mipibrdg-en {
+ pins1 {
+ pinmux = <PINMUX_GPIO37__FUNC_GPIO37>;
+ output-low;
+--
+2.43.0
+
--- /dev/null
+From 89a93e204d36197fc13c9bd4733fd63066f95b50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2024 16:03:49 +0800
+Subject: arm64: dts: mt8183: burnet: add i2c2's i2c-scl-internal-delay-ns
+
+From: Daolong Zhu <jg_daolongzhu@mediatek.corp-partner.google.com>
+
+[ Upstream commit 85af64983889c621e8868b744c8ca03bd5038c02 ]
+
+Add i2c2's i2c-scl-internal-delay-ns.
+
+Fixes: dd6e3b06214f ("arm64: dts: mt8183: Add kukui-jacuzzi-burnet board")
+Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Daolong Zhu <jg_daolongzhu@mediatek.corp-partner.google.com>
+Signed-off-by: Hsin-Te Yuan <yuanhsinte@chromium.org>
+Link: https://lore.kernel.org/r/20241025-i2c-delay-v2-2-9be1bcaf35e0@chromium.org
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-burnet.dts | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-burnet.dts b/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-burnet.dts
+index 1a2ec0787d3ca..09c5dca12fb0e 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-burnet.dts
++++ b/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-burnet.dts
+@@ -29,3 +29,6 @@ touchscreen@2c {
+ };
+ };
+
++&i2c2 {
++ i2c-scl-internal-delay-ns = <4100>;
++};
+--
+2.43.0
+
--- /dev/null
+From ba7bbbdc185160dee083baa46b4d7b7d701ff179 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2024 16:03:50 +0800
+Subject: arm64: dts: mt8183: cozmo: add i2c2's i2c-scl-internal-delay-ns
+
+From: Daolong Zhu <jg_daolongzhu@mediatek.corp-partner.google.com>
+
+[ Upstream commit bd0eb3b1f7aee698b86513edf10a50e2d0c7cb14 ]
+
+Add i2c2's i2c-scl-internal-delay-ns.
+
+Fixes: 52e84f233459 ("arm64: dts: mt8183: Add kukui-jacuzzi-cozmo board")
+Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Daolong Zhu <jg_daolongzhu@mediatek.corp-partner.google.com>
+Signed-off-by: Hsin-Te Yuan <yuanhsinte@chromium.org>
+Link: https://lore.kernel.org/r/20241025-i2c-delay-v2-3-9be1bcaf35e0@chromium.org
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-cozmo.dts | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-cozmo.dts b/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-cozmo.dts
+index 072133fb0f016..47905f84bc161 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-cozmo.dts
++++ b/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-cozmo.dts
+@@ -17,6 +17,8 @@ &i2c_tunnel {
+ };
+
+ &i2c2 {
++ i2c-scl-internal-delay-ns = <25000>;
++
+ trackpad@2c {
+ compatible = "hid-over-i2c";
+ reg = <0x2c>;
+--
+2.43.0
+
--- /dev/null
+From 7daa4e29db67dde45e45e6ac783a6c96560d2496 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2024 16:03:51 +0800
+Subject: arm64: dts: mt8183: Damu: add i2c2's i2c-scl-internal-delay-ns
+
+From: Daolong Zhu <jg_daolongzhu@mediatek.corp-partner.google.com>
+
+[ Upstream commit 6ff2d45f2121c698a57c959ae21885a048615908 ]
+
+Add i2c2's i2c-scl-internal-delay-ns.
+
+Fixes: cabc71b08eb5 ("arm64: dts: mt8183: Add kukui-jacuzzi-damu board")
+Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Daolong Zhu <jg_daolongzhu@mediatek.corp-partner.google.com>
+Signed-off-by: Hsin-Te Yuan <yuanhsinte@chromium.org>
+Link: https://lore.kernel.org/r/20241025-i2c-delay-v2-4-9be1bcaf35e0@chromium.org
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-damu.dts | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-damu.dts b/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-damu.dts
+index 0eca3ff8672a7..5cbb5a1ae3f2f 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-damu.dts
++++ b/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-damu.dts
+@@ -30,3 +30,6 @@ &qca_wifi {
+ qcom,ath10k-calibration-variant = "GO_DAMU";
+ };
+
++&i2c2 {
++ i2c-scl-internal-delay-ns = <20000>;
++};
+--
+2.43.0
+
--- /dev/null
+From 4aa625d567e82ece45693bd64aaaf593af9a20cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2024 16:03:48 +0800
+Subject: arm64: dts: mt8183: fennel: add i2c2's i2c-scl-internal-delay-ns
+
+From: Daolong Zhu <jg_daolongzhu@mediatek.corp-partner.google.com>
+
+[ Upstream commit c802db127dfb9602aaa9338e433c0553d34f1a9c ]
+
+Add i2c2's i2c-scl-internal-delay-ns.
+
+Fixes: 6cd7fdc8c530 ("arm64: dts: mt8183: Add kukui-jacuzzi-fennel board")
+Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Daolong Zhu <jg_daolongzhu@mediatek.corp-partner.google.com>
+Signed-off-by: Hsin-Te Yuan <yuanhsinte@chromium.org>
+Reviewed-by:
+Link: https://lore.kernel.org/r/20241025-i2c-delay-v2-1-9be1bcaf35e0@chromium.org
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-fennel.dtsi | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-fennel.dtsi b/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-fennel.dtsi
+index bbe6c338f465e..f9c1ec366b266 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-fennel.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-fennel.dtsi
+@@ -25,3 +25,6 @@ trackpad@2c {
+ };
+ };
+
++&i2c2 {
++ i2c-scl-internal-delay-ns = <21500>;
++};
+--
+2.43.0
+
--- /dev/null
+From c8bbdfed4f6871e52d0aa8b84a3aa835e32605ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Dec 2022 19:32:04 +0800
+Subject: arm64: dts: mt8183: jacuzzi: Move panel under aux-bus
+
+From: Hsin-Yi Wang <hsinyi@chromium.org>
+
+[ Upstream commit 474c162878ba3dbd620538d129f576f2bca7b9e1 ]
+
+Read edp panel edid through aux bus, which is a more preferred way. Also
+use a more generic compatible since each jacuzzi models use different
+panels.
+
+Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
+Link: https://lore.kernel.org/r/20221228113204.1551180-1-hsinyi@chromium.org
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Stable-dep-of: c4e8cf13f174 ("arm64: dts: mediatek: mt8183-kukui-jacuzzi: Fix DP bridge supply names")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../dts/mediatek/mt8183-kukui-jacuzzi.dtsi | 26 ++++++++++---------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi.dtsi b/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi.dtsi
+index d7fc924a9d0e3..32f6899f885ef 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi.dtsi
+@@ -8,18 +8,6 @@
+ #include <arm/cros-ec-keyboard.dtsi>
+
+ / {
+- panel: panel {
+- compatible = "auo,b116xw03";
+- power-supply = <&pp3300_panel>;
+- backlight = <&backlight_lcd0>;
+-
+- port {
+- panel_in: endpoint {
+- remote-endpoint = <&anx7625_out>;
+- };
+- };
+- };
+-
+ pp1200_mipibrdg: pp1200-mipibrdg {
+ compatible = "regulator-fixed";
+ regulator-name = "pp1200_mipibrdg";
+@@ -188,6 +176,20 @@ anx7625_out: endpoint {
+ };
+ };
+ };
++
++ aux-bus {
++ panel: panel {
++ compatible = "edp-panel";
++ power-supply = <&pp3300_panel>;
++ backlight = <&backlight_lcd0>;
++
++ port {
++ panel_in: endpoint {
++ remote-endpoint = <&anx7625_out>;
++ };
++ };
++ };
++ };
+ };
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 700f4556f2715e6f9c704d2d3c9773d2b4cb1185 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 08:33:46 +0000
+Subject: arm64: dts: mt8183: krane: Fix the address of eeprom at i2c4
+
+From: Hsin-Te Yuan <yuanhsinte@chromium.org>
+
+[ Upstream commit e9c60c34948662b5d47573490ee538439b29e462 ]
+
+The address of eeprom should be 50.
+
+Fixes: cd894e274b74 ("arm64: dts: mt8183: Add krane-sku176 board")
+Signed-off-by: Hsin-Te Yuan <yuanhsinte@chromium.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
+Link: https://lore.kernel.org/r/20240909-eeprom-v1-1-1ed2bc5064f4@chromium.org
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8183-kukui-krane.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8183-kukui-krane.dtsi b/arch/arm64/boot/dts/mediatek/mt8183-kukui-krane.dtsi
+index 181da69d18f46..b0469a95ddc43 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8183-kukui-krane.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8183-kukui-krane.dtsi
+@@ -89,9 +89,9 @@ &i2c4 {
+ clock-frequency = <400000>;
+ vbus-supply = <&mt6358_vcn18_reg>;
+
+- eeprom@54 {
++ eeprom@50 {
+ compatible = "atmel,24c32";
+- reg = <0x54>;
++ reg = <0x50>;
+ pagesize = <32>;
+ vcc-supply = <&mt6358_vcn18_reg>;
+ };
+--
+2.43.0
+
--- /dev/null
+From 14e941d4c905eeb13ffe690360f3117529fa954d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 08:33:47 +0000
+Subject: arm64: dts: mt8183: kukui: Fix the address of eeprom at i2c4
+
+From: Hsin-Te Yuan <yuanhsinte@chromium.org>
+
+[ Upstream commit edbde4923f208aa83abb48d4b2463299e5fc2586 ]
+
+The address of eeprom should be 50.
+
+Fixes: ff33d889567e ("arm64: dts: mt8183: Add kukui kodama board")
+Fixes: d1eaf77f2c66 ("arm64: dts: mt8183: Add kukui kakadu board")
+Signed-off-by: Hsin-Te Yuan <yuanhsinte@chromium.org>
+Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20240909-eeprom-v1-2-1ed2bc5064f4@chromium.org
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8183-kukui-kakadu.dtsi | 4 ++--
+ arch/arm64/boot/dts/mediatek/mt8183-kukui-kodama.dtsi | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8183-kukui-kakadu.dtsi b/arch/arm64/boot/dts/mediatek/mt8183-kukui-kakadu.dtsi
+index 0d3c7b8162ff0..9eca1c80fe010 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8183-kukui-kakadu.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8183-kukui-kakadu.dtsi
+@@ -105,9 +105,9 @@ &i2c4 {
+ clock-frequency = <400000>;
+ vbus-supply = <&mt6358_vcn18_reg>;
+
+- eeprom@54 {
++ eeprom@50 {
+ compatible = "atmel,24c32";
+- reg = <0x54>;
++ reg = <0x50>;
+ pagesize = <32>;
+ vcc-supply = <&mt6358_vcn18_reg>;
+ };
+diff --git a/arch/arm64/boot/dts/mediatek/mt8183-kukui-kodama.dtsi b/arch/arm64/boot/dts/mediatek/mt8183-kukui-kodama.dtsi
+index e73113cb51f53..29216ebe4de84 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8183-kukui-kodama.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8183-kukui-kodama.dtsi
+@@ -80,9 +80,9 @@ &i2c4 {
+ clock-frequency = <400000>;
+ vbus-supply = <&mt6358_vcn18_reg>;
+
+- eeprom@54 {
++ eeprom@50 {
+ compatible = "atmel,24c64";
+- reg = <0x54>;
++ reg = <0x50>;
+ pagesize = <32>;
+ vcc-supply = <&mt6358_vcn18_reg>;
+ };
+--
+2.43.0
+
--- /dev/null
+From 7ce64159de5ab023539b031e67807279602b2498 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2024 13:16:16 +0800
+Subject: arm64: dts: mt8195: Fix dtbs_check error for infracfg_ao node
+
+From: Macpaul Lin <macpaul.lin@mediatek.com>
+
+[ Upstream commit c14ab45f5d458073248ddc62d31045d5d616806f ]
+
+The infracfg_ao node in mt8195.dtsi was causing a dtbs_check error.
+The error message was:
+
+syscon@10001000: compatible: ['mediatek,mt8195-infracfg_ao', 'syscon',
+ 'simple-mfd'] is too long
+
+To resolve this, remove 'simple-mfd' from the 'compatible' property of the
+infracfg_ao node.
+
+Fixes: 37f2582883be ("arm64: dts: Add mediatek SoC mt8195 and evaluation board")
+Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20241002051620.2050-1-macpaul.lin@mediatek.com
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8195.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8195.dtsi b/arch/arm64/boot/dts/mediatek/mt8195.dtsi
+index bdf002e9cece1..aa8fbaf15e629 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8195.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8195.dtsi
+@@ -332,7 +332,7 @@ topckgen: syscon@10000000 {
+ };
+
+ infracfg_ao: syscon@10001000 {
+- compatible = "mediatek,mt8195-infracfg_ao", "syscon", "simple-mfd";
++ compatible = "mediatek,mt8195-infracfg_ao", "syscon";
+ reg = <0 0x10001000 0 0x1000>;
+ #clock-cells = <1>;
+ #reset-cells = <1>;
+--
+2.43.0
+
--- /dev/null
+From 6ac093f7cea2b4dd560fbe908b19bb024546f89f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2024 01:18:42 +0900
+Subject: arm64: fix .data.rel.ro size assertion when CONFIG_LTO_CLANG
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit 340fd66c856651d8c1d29f392dd26ad674d2db0e ]
+
+Commit be2881824ae9 ("arm64/build: Assert for unwanted sections")
+introduced an assertion to ensure that the .data.rel.ro section does
+not exist.
+
+However, this check does not work when CONFIG_LTO_CLANG is enabled,
+because .data.rel.ro matches the .data.[0-9a-zA-Z_]* pattern in the
+DATA_MAIN macro.
+
+Move the ASSERT() above the RW_DATA() line.
+
+Fixes: be2881824ae9 ("arm64/build: Assert for unwanted sections")
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Acked-by: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20241106161843.189927-1-masahiroy@kernel.org
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/vmlinux.lds.S | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
+index 45131e354e27f..b0226eac7bda8 100644
+--- a/arch/arm64/kernel/vmlinux.lds.S
++++ b/arch/arm64/kernel/vmlinux.lds.S
+@@ -272,6 +272,9 @@ SECTIONS
+ __initdata_end = .;
+ __init_end = .;
+
++ .data.rel.ro : { *(.data.rel.ro) }
++ ASSERT(SIZEOF(.data.rel.ro) == 0, "Unexpected RELRO detected!")
++
+ _data = .;
+ _sdata = .;
+ RW_DATA(L1_CACHE_BYTES, PAGE_SIZE, THREAD_ALIGN)
+@@ -323,9 +326,6 @@ SECTIONS
+ *(.plt) *(.plt.*) *(.iplt) *(.igot .igot.plt)
+ }
+ ASSERT(SIZEOF(.plt) == 0, "Unexpected run-time procedure linkages detected!")
+-
+- .data.rel.ro : { *(.data.rel.ro) }
+- ASSERT(SIZEOF(.data.rel.ro) == 0, "Unexpected RELRO detected!")
+ }
+
+ #include "image-vars.h"
+--
+2.43.0
+
--- /dev/null
+From bf240d4703f705cf4fd52b9780d8a7175f778fa8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Nov 2024 16:52:25 +0530
+Subject: ASoC: amd: yc: Fix for enabling DMIC on acp6x via _DSD entry
+
+From: Venkata Prasad Potturu <venkataprasad.potturu@amd.com>
+
+[ Upstream commit 4095cf872084ecfdfdb0e681f3e9ff9745acfa75 ]
+
+Add condition check to register ACP PDM sound card by reading
+_WOV acpi entry.
+
+Fixes: 5426f506b584 ("ASoC: amd: Add support for enabling DMIC on acp6x via _DSD")
+
+Signed-off-by: Venkata Prasad Potturu <venkataprasad.potturu@amd.com>
+Link: https://patch.msgid.link/20241127112227.227106-1-venkataprasad.potturu@amd.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index f46158b840a51..1ff894045718d 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -439,8 +439,14 @@ static int acp6x_probe(struct platform_device *pdev)
+ struct acp6x_pdm *machine = NULL;
+ struct snd_soc_card *card;
+ struct acpi_device *adev;
++ acpi_handle handle;
++ acpi_integer dmic_status;
+ int ret;
++ bool is_dmic_enable, wov_en;
+
++ /* IF WOV entry not found, enable dmic based on AcpDmicConnected entry*/
++ is_dmic_enable = false;
++ wov_en = true;
+ /* check the parent device's firmware node has _DSD or not */
+ adev = ACPI_COMPANION(pdev->dev.parent);
+ if (adev) {
+@@ -448,9 +454,19 @@ static int acp6x_probe(struct platform_device *pdev)
+
+ if (!acpi_dev_get_property(adev, "AcpDmicConnected", ACPI_TYPE_INTEGER, &obj) &&
+ obj->integer.value == 1)
+- platform_set_drvdata(pdev, &acp6x_card);
++ is_dmic_enable = true;
+ }
+
++ handle = ACPI_HANDLE(pdev->dev.parent);
++ ret = acpi_evaluate_integer(handle, "_WOV", NULL, &dmic_status);
++ if (!ACPI_FAILURE(ret))
++ wov_en = dmic_status;
++
++ if (is_dmic_enable && wov_en)
++ platform_set_drvdata(pdev, &acp6x_card);
++ else
++ return 0;
++
+ /* check for any DMI overrides */
+ dmi_id = dmi_first_match(yc_acp_quirk_table);
+ if (dmi_id)
+--
+2.43.0
+
--- /dev/null
+From 8bc50f511c2792437170266488477b1b91fdc360 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2024 15:54:50 +0800
+Subject: ASoC: dt-bindings: mt6359: Update generic node name and dmic-mode
+
+From: Macpaul Lin <macpaul.lin@mediatek.com>
+
+[ Upstream commit 4649cbd97fdae5069e9a71cd7669b62b90e03669 ]
+
+Some fix and updates in the following items:
+1. examples:
+ Update generic node name to 'audio-codec' to comply with the
+ coming change in 'mt6359.dtsi'. This change is necessary to fix the
+ dtbs_check error:
+ pmic: 'mt6359codec' does not match any of the regexes: 'pinctrl-[0-9]+'
+
+2. mediatek,dmic-mode:
+ After inspecting the .dts and .dtsi files using 'mt6359-codec', it was
+ discovered that the definitions of 'two wires' and 'one wire' are
+ inverted compared to the DT schema.
+ For example, the following boards using MT6359 PMIC:
+ - mt8192-asurada.dtsi
+ - mt8195-cherry.dtsi
+ These boards use the same definitions of 'dmic-mode' as other boards
+ using MT6358 PMIC. The meaning of '0' or '1' has been noted as comments
+ in the device trees.
+
+ Upon examining the code in [1] and [2], it was confirmed that the
+ definitions of 'dmic-mode' are consistent between "MT6359 PMIC" and
+ "MT6358 PMIC". Therefore, the DT Schema should be correct as is.
+
+References:
+[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/sound/soc/codecs/mt6358.c#n1875
+[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/sound/soc/codecs/mt6359.c#L1515
+
+Fixes: 539237d1c609 ("dt-bindings: mediatek: mt6359: add codec document")
+Signed-off-by: Jiaxin Yu <jiaxin.yu@mediatek.com>
+Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://patch.msgid.link/20240930075451.14196-1-macpaul.lin@mediatek.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/devicetree/bindings/sound/mt6359.yaml | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/sound/mt6359.yaml b/Documentation/devicetree/bindings/sound/mt6359.yaml
+index 23d411fc4200e..128698630c865 100644
+--- a/Documentation/devicetree/bindings/sound/mt6359.yaml
++++ b/Documentation/devicetree/bindings/sound/mt6359.yaml
+@@ -23,8 +23,8 @@ properties:
+ Indicates how many data pins are used to transmit two channels of PDM
+ signal. 0 means two wires, 1 means one wire. Default value is 0.
+ enum:
+- - 0 # one wire
+- - 1 # two wires
++ - 0 # two wires
++ - 1 # one wire
+
+ mediatek,mic-type-0:
+ $ref: /schemas/types.yaml#/definitions/uint32
+@@ -53,9 +53,9 @@ additionalProperties: false
+
+ examples:
+ - |
+- mt6359codec: mt6359codec {
+- mediatek,dmic-mode = <0>;
+- mediatek,mic-type-0 = <2>;
++ mt6359codec: audio-codec {
++ mediatek,dmic-mode = <0>;
++ mediatek,mic-type-0 = <2>;
+ };
+
+ ...
+--
+2.43.0
+
--- /dev/null
+From ac68d8792d9bdcf2ce5183ac4218a42f1d4d97c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Sep 2024 16:00:29 +0800
+Subject: ASoC: fsl_micfil: fix regmap_write_bits usage
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit 06df673d20230afb0e383e39235a4fa8b9a62464 ]
+
+The last parameter 1 means BIT(0), which should be the
+correct BIT(X).
+
+Fixes: 47a70e6fc9a8 ("ASoC: Add MICFIL SoC Digital Audio Interface driver.")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com>
+Link: https://patch.msgid.link/1727424031-19551-2-git-send-email-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_micfil.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c
+index 3a03f49452fa3..6fa900302aa82 100644
+--- a/sound/soc/fsl/fsl_micfil.c
++++ b/sound/soc/fsl/fsl_micfil.c
+@@ -563,7 +563,7 @@ static irqreturn_t micfil_isr(int irq, void *devid)
+ regmap_write_bits(micfil->regmap,
+ REG_MICFIL_STAT,
+ MICFIL_STAT_CHXF(i),
+- 1);
++ MICFIL_STAT_CHXF(i));
+ }
+
+ for (i = 0; i < MICFIL_FIFO_NUM; i++) {
+@@ -598,7 +598,7 @@ static irqreturn_t micfil_err_isr(int irq, void *devid)
+ if (stat_reg & MICFIL_STAT_LOWFREQF) {
+ dev_dbg(&pdev->dev, "isr: ipg_clk_app is too low\n");
+ regmap_write_bits(micfil->regmap, REG_MICFIL_STAT,
+- MICFIL_STAT_LOWFREQF, 1);
++ MICFIL_STAT_LOWFREQF, MICFIL_STAT_LOWFREQF);
+ }
+
+ return IRQ_HANDLED;
+--
+2.43.0
+
--- /dev/null
+From 9124de785c035dc112108f22fd2ff47304fafe27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Nov 2024 07:26:30 +0100
+Subject: block: fix bio_split_rw_at to take zone_write_granularity into
+ account
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 7ecd2cd4fae3e8410c0a6620f3a83dcdbb254f02 ]
+
+Otherwise it can create unaligned writes on zoned devices.
+
+Fixes: a805a4fa4fa3 ("block: introduce zone_write_granularity limit")
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Link: https://lore.kernel.org/r/20241104062647.91160-3-hch@lst.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-merge.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/block/blk-merge.c b/block/blk-merge.c
+index 13a47b37acb7d..b90c413c83c44 100644
+--- a/block/blk-merge.c
++++ b/block/blk-merge.c
+@@ -247,6 +247,14 @@ static bool bvec_split_segs(struct queue_limits *lim, const struct bio_vec *bv,
+ return len > 0 || bv->bv_len > max_len;
+ }
+
++static unsigned int bio_split_alignment(struct bio *bio,
++ const struct queue_limits *lim)
++{
++ if (op_is_write(bio_op(bio)) && lim->zone_write_granularity)
++ return lim->zone_write_granularity;
++ return lim->logical_block_size;
++}
++
+ /**
+ * bio_split_rw - split a bio in two bios
+ * @bio: [in] bio to be split
+@@ -317,7 +325,7 @@ static struct bio *bio_split_rw(struct bio *bio, struct queue_limits *lim,
+ * split size so that each bio is properly block size aligned, even if
+ * we do not use the full hardware limits.
+ */
+- bytes = ALIGN_DOWN(bytes, lim->logical_block_size);
++ bytes = ALIGN_DOWN(bytes, bio_split_alignment(bio, lim));
+
+ /*
+ * Bio splitting may cause subtle trouble such as hang when doing sync
+--
+2.43.0
+
--- /dev/null
+From 03455e816269a39aec30fd9150ae61c9946b7960 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Nov 2024 14:44:10 +0300
+Subject: Bluetooth: fix use-after-free in device_for_each_child()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 27aabf27fd014ae037cc179c61b0bee7cff55b3d ]
+
+Syzbot has reported the following KASAN splat:
+
+BUG: KASAN: slab-use-after-free in device_for_each_child+0x18f/0x1a0
+Read of size 8 at addr ffff88801f605308 by task kbnepd bnep0/4980
+
+CPU: 0 UID: 0 PID: 4980 Comm: kbnepd bnep0 Not tainted 6.12.0-rc4-00161-gae90f6a6170d #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x100/0x190
+ ? device_for_each_child+0x18f/0x1a0
+ print_report+0x13a/0x4cb
+ ? __virt_addr_valid+0x5e/0x590
+ ? __phys_addr+0xc6/0x150
+ ? device_for_each_child+0x18f/0x1a0
+ kasan_report+0xda/0x110
+ ? device_for_each_child+0x18f/0x1a0
+ ? __pfx_dev_memalloc_noio+0x10/0x10
+ device_for_each_child+0x18f/0x1a0
+ ? __pfx_device_for_each_child+0x10/0x10
+ pm_runtime_set_memalloc_noio+0xf2/0x180
+ netdev_unregister_kobject+0x1ed/0x270
+ unregister_netdevice_many_notify+0x123c/0x1d80
+ ? __mutex_trylock_common+0xde/0x250
+ ? __pfx_unregister_netdevice_many_notify+0x10/0x10
+ ? trace_contention_end+0xe6/0x140
+ ? __mutex_lock+0x4e7/0x8f0
+ ? __pfx_lock_acquire.part.0+0x10/0x10
+ ? rcu_is_watching+0x12/0xc0
+ ? unregister_netdev+0x12/0x30
+ unregister_netdevice_queue+0x30d/0x3f0
+ ? __pfx_unregister_netdevice_queue+0x10/0x10
+ ? __pfx_down_write+0x10/0x10
+ unregister_netdev+0x1c/0x30
+ bnep_session+0x1fb3/0x2ab0
+ ? __pfx_bnep_session+0x10/0x10
+ ? __pfx_lock_release+0x10/0x10
+ ? __pfx_woken_wake_function+0x10/0x10
+ ? __kthread_parkme+0x132/0x200
+ ? __pfx_bnep_session+0x10/0x10
+ ? kthread+0x13a/0x370
+ ? __pfx_bnep_session+0x10/0x10
+ kthread+0x2b7/0x370
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x48/0x80
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork_asm+0x1a/0x30
+ </TASK>
+
+Allocated by task 4974:
+ kasan_save_stack+0x30/0x50
+ kasan_save_track+0x14/0x30
+ __kasan_kmalloc+0xaa/0xb0
+ __kmalloc_noprof+0x1d1/0x440
+ hci_alloc_dev_priv+0x1d/0x2820
+ __vhci_create_device+0xef/0x7d0
+ vhci_write+0x2c7/0x480
+ vfs_write+0x6a0/0xfc0
+ ksys_write+0x12f/0x260
+ do_syscall_64+0xc7/0x250
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Freed by task 4979:
+ kasan_save_stack+0x30/0x50
+ kasan_save_track+0x14/0x30
+ kasan_save_free_info+0x3b/0x60
+ __kasan_slab_free+0x4f/0x70
+ kfree+0x141/0x490
+ hci_release_dev+0x4d9/0x600
+ bt_host_release+0x6a/0xb0
+ device_release+0xa4/0x240
+ kobject_put+0x1ec/0x5a0
+ put_device+0x1f/0x30
+ vhci_release+0x81/0xf0
+ __fput+0x3f6/0xb30
+ task_work_run+0x151/0x250
+ do_exit+0xa79/0x2c30
+ do_group_exit+0xd5/0x2a0
+ get_signal+0x1fcd/0x2210
+ arch_do_signal_or_restart+0x93/0x780
+ syscall_exit_to_user_mode+0x140/0x290
+ do_syscall_64+0xd4/0x250
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+In 'hci_conn_del_sysfs()', 'device_unregister()' may be called when
+an underlying (kobject) reference counter is greater than 1. This
+means that reparenting (happened when the device is actually freed)
+is delayed and, during that delay, parent controller device (hciX)
+may be deleted. Since the latter may create a dangling pointer to
+freed parent, avoid that scenario by reparenting to NULL explicitly.
+
+Reported-by: syzbot+6cf5652d3df49fae2e3f@syzkaller.appspotmail.com
+Tested-by: syzbot+6cf5652d3df49fae2e3f@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=6cf5652d3df49fae2e3f
+Fixes: a85fb91e3d72 ("Bluetooth: Fix double free in hci_conn_cleanup")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sysfs.c | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
+index 633b82d542728..cc7d4a8ed8ce2 100644
+--- a/net/bluetooth/hci_sysfs.c
++++ b/net/bluetooth/hci_sysfs.c
+@@ -19,16 +19,6 @@ static const struct device_type bt_link = {
+ .release = bt_link_release,
+ };
+
+-/*
+- * The rfcomm tty device will possibly retain even when conn
+- * is down, and sysfs doesn't support move zombie device,
+- * so we should move the device before conn device is destroyed.
+- */
+-static int __match_tty(struct device *dev, void *data)
+-{
+- return !strncmp(dev_name(dev), "rfcomm", 6);
+-}
+-
+ void hci_conn_init_sysfs(struct hci_conn *conn)
+ {
+ struct hci_dev *hdev = conn->hdev;
+@@ -71,10 +61,13 @@ void hci_conn_del_sysfs(struct hci_conn *conn)
+ return;
+ }
+
++ /* If there are devices using the connection as parent reset it to NULL
++ * before unregistering the device.
++ */
+ while (1) {
+ struct device *dev;
+
+- dev = device_find_child(&conn->dev, NULL, __match_tty);
++ dev = device_find_any_child(&conn->dev);
+ if (!dev)
+ break;
+ device_move(dev, NULL, DPM_ORDER_DEV_LAST);
+--
+2.43.0
+
--- /dev/null
+From 26bc58f40af2bf5299a796373ebe0057fe9a7f25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Nov 2024 10:45:31 -0500
+Subject: Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 0b882940665ca2849386ee459d4331aa2f8c4e7d ]
+
+This fixes the following crash:
+
+==================================================================
+BUG: KASAN: slab-use-after-free in set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353
+Read of size 8 at addr ffff888029b4dd18 by task kworker/u9:0/54
+
+CPU: 1 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-01155-gf723224742fc #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
+Workqueue: hci0 hci_cmd_sync_work
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:93 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
+ print_address_description mm/kasan/report.c:377 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:488
+q kasan_report+0x143/0x180 mm/kasan/report.c:601
+ set_powered_sync+0x3a/0xc0 net/bluetooth/mgmt.c:1353
+ hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:328
+ process_one_work kernel/workqueue.c:3231 [inline]
+ process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
+ worker_thread+0x86d/0xd10 kernel/workqueue.c:3389
+ kthread+0x2f0/0x390 kernel/kthread.c:389
+ ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+ </TASK>
+
+Allocated by task 5247:
+ kasan_save_stack mm/kasan/common.c:47 [inline]
+ kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
+ poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
+ __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
+ kasan_kmalloc include/linux/kasan.h:211 [inline]
+ __kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4193
+ kmalloc_noprof include/linux/slab.h:681 [inline]
+ kzalloc_noprof include/linux/slab.h:807 [inline]
+ mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269
+ mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296
+ set_powered+0x3cd/0x5e0 net/bluetooth/mgmt.c:1394
+ hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712
+ hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg+0x221/0x270 net/socket.c:745
+ sock_write_iter+0x2dd/0x400 net/socket.c:1160
+ new_sync_write fs/read_write.c:497 [inline]
+ vfs_write+0xa72/0xc90 fs/read_write.c:590
+ ksys_write+0x1a0/0x2c0 fs/read_write.c:643
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Freed by task 5246:
+ kasan_save_stack mm/kasan/common.c:47 [inline]
+ kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
+ kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
+ poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
+ __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
+ kasan_slab_free include/linux/kasan.h:184 [inline]
+ slab_free_hook mm/slub.c:2256 [inline]
+ slab_free mm/slub.c:4477 [inline]
+ kfree+0x149/0x360 mm/slub.c:4598
+ settings_rsp+0x2bc/0x390 net/bluetooth/mgmt.c:1443
+ mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259
+ __mgmt_power_off+0x112/0x420 net/bluetooth/mgmt.c:9455
+ hci_dev_close_sync+0x665/0x11a0 net/bluetooth/hci_sync.c:5191
+ hci_dev_do_close net/bluetooth/hci_core.c:483 [inline]
+ hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508
+ sock_do_ioctl+0x158/0x460 net/socket.c:1222
+ sock_ioctl+0x629/0x8e0 net/socket.c:1341
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:907 [inline]
+ __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83gv
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Reported-by: syzbot+03d6270b6425df1605bf@syzkaller.appspotmail.com
+Tested-by: syzbot+03d6270b6425df1605bf@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=03d6270b6425df1605bf
+Fixes: 275f3f648702 ("Bluetooth: Fix not checking MGMT cmd pending queue")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index 82edd9981ab07..2876db19b071d 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -1329,7 +1329,8 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err)
+ struct mgmt_mode *cp;
+
+ /* Make sure cmd still outstanding. */
+- if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev))
++ if (err == -ECANCELED ||
++ cmd != pending_find(MGMT_OP_SET_POWERED, hdev))
+ return;
+
+ cp = cmd->param;
+@@ -1362,7 +1363,13 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err)
+ static int set_powered_sync(struct hci_dev *hdev, void *data)
+ {
+ struct mgmt_pending_cmd *cmd = data;
+- struct mgmt_mode *cp = cmd->param;
++ struct mgmt_mode *cp;
++
++ /* Make sure cmd still outstanding. */
++ if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev))
++ return -ECANCELED;
++
++ cp = cmd->param;
+
+ BT_DBG("%s", hdev->name);
+
+--
+2.43.0
+
--- /dev/null
+From d78ef0c58b2e3df9ada76e09dbce2aabc25753c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Nov 2024 14:45:41 -0800
+Subject: bnxt_en: Reserve rings after PCIe AER recovery if NIC interface is
+ down
+
+From: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
+
+[ Upstream commit 5311598f7f3293683cdc761df71ae3469327332c ]
+
+After successful PCIe AER recovery, FW will reset all resource
+reservations. If it is IF_UP, the driver will call bnxt_open() and
+all resources will be reserved again. It it is IF_DOWN, we should
+call bnxt_reserve_rings() so that we can reserve resources including
+RoCE resources to allow RoCE to resume after AER. Without this
+patch, RoCE fails to resume in this IF_DOWN scenario.
+
+Later, if it becomes IF_UP, bnxt_open() will see that resources have
+been reserved and will not reserve again.
+
+Fixes: fb1e6e562b37 ("bnxt_en: Fix AER recovery.")
+Reviewed-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Reviewed-by: Kashyap Desai <kashyap.desai@broadcom.com>
+Signed-off-by: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 20e2fae64e67f..7d9677d0f7304 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -14113,8 +14113,12 @@ static void bnxt_io_resume(struct pci_dev *pdev)
+ rtnl_lock();
+
+ err = bnxt_hwrm_func_qcaps(bp);
+- if (!err && netif_running(netdev))
+- err = bnxt_open(netdev);
++ if (!err) {
++ if (netif_running(netdev))
++ err = bnxt_open(netdev);
++ else
++ err = bnxt_reserve_rings(bp, true);
++ }
+
+ bnxt_ulp_start(bp, err);
+ if (!err) {
+--
+2.43.0
+
--- /dev/null
+From d945cd5b9b7d3ba8d8541e6df01b9bef10c36a7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2024 16:52:20 +0800
+Subject: bpf, arm64: Remove garbage frame for struct_ops trampoline
+
+From: Xu Kuohai <xukuohai@huawei.com>
+
+[ Upstream commit 87cb58aebdf7005661a07e9fd5a900f924d48c75 ]
+
+The callsite layout for arm64 fentry is:
+
+mov x9, lr
+nop
+
+When a bpf prog is attached, the nop instruction is patched to a call
+to bpf trampoline:
+
+mov x9, lr
+bl <bpf trampoline>
+
+So two return addresses are passed to bpf trampoline: the return address
+for the traced function/prog, stored in x9, and the return address for
+the bpf trampoline itself, stored in lr. To obtain a full and accurate
+call stack, the bpf trampoline constructs two fake function frames using
+x9 and lr.
+
+However, struct_ops progs are invoked directly as function callbacks,
+meaning that x9 is not set as it is in the fentry callsite. In this case,
+the frame constructed using x9 is garbage. The following stack trace for
+struct_ops, captured by perf sampling, illustrates this issue, where
+tcp_ack+0x404 is a garbage frame:
+
+ffffffc0801a04b4 bpf_prog_50992e55a0f655a9_bpf_cubic_cong_avoid+0x98 (bpf_prog_50992e55a0f655a9_bpf_cubic_cong_avoid)
+ffffffc0801a228c [unknown] ([kernel.kallsyms]) // bpf trampoline
+ffffffd08d362590 tcp_ack+0x798 ([kernel.kallsyms]) // caller for bpf trampoline
+ffffffd08d3621fc tcp_ack+0x404 ([kernel.kallsyms]) // garbage frame
+ffffffd08d36452c tcp_rcv_established+0x4ac ([kernel.kallsyms])
+ffffffd08d375c58 tcp_v4_do_rcv+0x1f0 ([kernel.kallsyms])
+ffffffd08d378630 tcp_v4_rcv+0xeb8 ([kernel.kallsyms])
+
+To fix it, construct only one frame using lr for struct_ops.
+
+The above stack trace also indicates that there is no kernel symbol for
+struct_ops bpf trampoline. This will be addressed in a follow-up patch.
+
+Fixes: efc9909fdce0 ("bpf, arm64: Add bpf trampoline for arm64")
+Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
+Acked-by: Puranjay Mohan <puranjay@kernel.org>
+Tested-by: Puranjay Mohan <puranjay@kernel.org>
+Link: https://lore.kernel.org/r/20241025085220.533949-1-xukuohai@huaweicloud.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/net/bpf_jit_comp.c | 47 +++++++++++++++++++++++------------
+ 1 file changed, 31 insertions(+), 16 deletions(-)
+
+diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
+index afb79209d4132..c04ace8f48435 100644
+--- a/arch/arm64/net/bpf_jit_comp.c
++++ b/arch/arm64/net/bpf_jit_comp.c
+@@ -1757,6 +1757,12 @@ static void restore_args(struct jit_ctx *ctx, int args_off, int nargs)
+ }
+ }
+
++static bool is_struct_ops_tramp(const struct bpf_tramp_links *fentry_links)
++{
++ return fentry_links->nr_links == 1 &&
++ fentry_links->links[0]->link.type == BPF_LINK_TYPE_STRUCT_OPS;
++}
++
+ /* Based on the x86's implementation of arch_prepare_bpf_trampoline().
+ *
+ * bpf prog and function entry before bpf trampoline hooked:
+@@ -1786,6 +1792,7 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im,
+ struct bpf_tramp_links *fmod_ret = &tlinks[BPF_TRAMP_MODIFY_RETURN];
+ bool save_ret;
+ __le32 **branches = NULL;
++ bool is_struct_ops = is_struct_ops_tramp(fentry);
+
+ /* trampoline stack layout:
+ * [ parent ip ]
+@@ -1854,11 +1861,14 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im,
+ */
+ emit_bti(A64_BTI_JC, ctx);
+
+- /* frame for parent function */
+- emit(A64_PUSH(A64_FP, A64_R(9), A64_SP), ctx);
+- emit(A64_MOV(1, A64_FP, A64_SP), ctx);
++ /* x9 is not set for struct_ops */
++ if (!is_struct_ops) {
++ /* frame for parent function */
++ emit(A64_PUSH(A64_FP, A64_R(9), A64_SP), ctx);
++ emit(A64_MOV(1, A64_FP, A64_SP), ctx);
++ }
+
+- /* frame for patched function */
++ /* frame for patched function for tracing, or caller for struct_ops */
+ emit(A64_PUSH(A64_FP, A64_LR, A64_SP), ctx);
+ emit(A64_MOV(1, A64_FP, A64_SP), ctx);
+
+@@ -1944,19 +1954,24 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im,
+ /* reset SP */
+ emit(A64_MOV(1, A64_SP, A64_FP), ctx);
+
+- /* pop frames */
+- emit(A64_POP(A64_FP, A64_LR, A64_SP), ctx);
+- emit(A64_POP(A64_FP, A64_R(9), A64_SP), ctx);
+-
+- if (flags & BPF_TRAMP_F_SKIP_FRAME) {
+- /* skip patched function, return to parent */
+- emit(A64_MOV(1, A64_LR, A64_R(9)), ctx);
+- emit(A64_RET(A64_R(9)), ctx);
++ if (is_struct_ops) {
++ emit(A64_POP(A64_FP, A64_LR, A64_SP), ctx);
++ emit(A64_RET(A64_LR), ctx);
+ } else {
+- /* return to patched function */
+- emit(A64_MOV(1, A64_R(10), A64_LR), ctx);
+- emit(A64_MOV(1, A64_LR, A64_R(9)), ctx);
+- emit(A64_RET(A64_R(10)), ctx);
++ /* pop frames */
++ emit(A64_POP(A64_FP, A64_LR, A64_SP), ctx);
++ emit(A64_POP(A64_FP, A64_R(9), A64_SP), ctx);
++
++ if (flags & BPF_TRAMP_F_SKIP_FRAME) {
++ /* skip patched function, return to parent */
++ emit(A64_MOV(1, A64_LR, A64_R(9)), ctx);
++ emit(A64_RET(A64_R(9)), ctx);
++ } else {
++ /* return to patched function */
++ emit(A64_MOV(1, A64_R(10), A64_LR), ctx);
++ emit(A64_MOV(1, A64_LR, A64_R(9)), ctx);
++ emit(A64_RET(A64_R(10)), ctx);
++ }
+ }
+
+ if (ctx->image)
+--
+2.43.0
+
--- /dev/null
+From 198bb5884aa28e2e4189fc8f1e3ad81e95a84eec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Nov 2024 11:09:09 +0800
+Subject: bpf: fix recursive lock when verdict program return SK_PASS
+
+From: Jiayuan Chen <mrpre@163.com>
+
+[ Upstream commit 8ca2a1eeadf09862190b2810697702d803ceef2d ]
+
+When the stream_verdict program returns SK_PASS, it places the received skb
+into its own receive queue, but a recursive lock eventually occurs, leading
+to an operating system deadlock. This issue has been present since v6.9.
+
+'''
+sk_psock_strp_data_ready
+ write_lock_bh(&sk->sk_callback_lock)
+ strp_data_ready
+ strp_read_sock
+ read_sock -> tcp_read_sock
+ strp_recv
+ cb.rcv_msg -> sk_psock_strp_read
+ # now stream_verdict return SK_PASS without peer sock assign
+ __SK_PASS = sk_psock_map_verd(SK_PASS, NULL)
+ sk_psock_verdict_apply
+ sk_psock_skb_ingress_self
+ sk_psock_skb_ingress_enqueue
+ sk_psock_data_ready
+ read_lock_bh(&sk->sk_callback_lock) <= dead lock
+
+'''
+
+This topic has been discussed before, but it has not been fixed.
+Previous discussion:
+https://lore.kernel.org/all/6684a5864ec86_403d20898@john.notmuch
+
+Fixes: 6648e613226e ("bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue")
+Reported-by: Vincent Whitchurch <vincent.whitchurch@datadoghq.com>
+Signed-off-by: Jiayuan Chen <mrpre@163.com>
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://patch.msgid.link/20241118030910.36230-2-mrpre@163.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skmsg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index 746d950de0e14..584516387fdab 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -1114,9 +1114,9 @@ static void sk_psock_strp_data_ready(struct sock *sk)
+ if (tls_sw_has_ctx_rx(sk)) {
+ psock->saved_data_ready(sk);
+ } else {
+- write_lock_bh(&sk->sk_callback_lock);
++ read_lock_bh(&sk->sk_callback_lock);
+ strp_data_ready(&psock->strp);
+- write_unlock_bh(&sk->sk_callback_lock);
++ read_unlock_bh(&sk->sk_callback_lock);
+ }
+ }
+ rcu_read_unlock();
+--
+2.43.0
+
--- /dev/null
+From cd18f20514fee3b01ee34d5c0b71c3405d3acea0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2024 10:41:15 +0800
+Subject: bpf: Fix the xdp_adjust_tail sample prog issue
+
+From: Yuan Chen <chenyuan@kylinos.cn>
+
+[ Upstream commit 4236f114a3ffbbfd217436c08852e94cae372f57 ]
+
+During the xdp_adjust_tail test, probabilistic failure occurs and SKB package
+is discarded by the kernel. After checking the issues by tracking SKB package,
+it is identified that they were caused by checksum errors. Refer to checksum
+of the arch/arm64/include/asm/checksum.h for fixing.
+
+v2: Based on Alexei Starovoitov's suggestions, it is necessary to keep the code
+ implementation consistent.
+
+Fixes: c6ffd1ff7856 (bpf: add bpf_xdp_adjust_tail sample prog)
+Signed-off-by: Yuan Chen <chenyuan@kylinos.cn>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20240930024115.52841-1-chenyuan_fl@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/xdp_adjust_tail_kern.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/samples/bpf/xdp_adjust_tail_kern.c b/samples/bpf/xdp_adjust_tail_kern.c
+index ffdd548627f0a..da67bcad1c638 100644
+--- a/samples/bpf/xdp_adjust_tail_kern.c
++++ b/samples/bpf/xdp_adjust_tail_kern.c
+@@ -57,6 +57,7 @@ static __always_inline void swap_mac(void *data, struct ethhdr *orig_eth)
+
+ static __always_inline __u16 csum_fold_helper(__u32 csum)
+ {
++ csum = (csum & 0xffff) + (csum >> 16);
+ return ~((csum & 0xffff) + (csum >> 16));
+ }
+
+--
+2.43.0
+
--- /dev/null
+From d0d2093222797a15a59c0bf143541d1a38ce2114 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Nov 2024 22:25:20 +0000
+Subject: bpf, sockmap: Fix sk_msg_reset_curr
+
+From: Zijian Zhang <zijianzhang@bytedance.com>
+
+[ Upstream commit 955afd57dc4bf7e8c620a0a9e3af3c881c2c6dff ]
+
+Found in the test_txmsg_pull in test_sockmap,
+```
+txmsg_cork = 512; // corking is importrant here
+opt->iov_length = 3;
+opt->iov_count = 1;
+opt->rate = 512; // sendmsg will be invoked 512 times
+```
+The first sendmsg will send an sk_msg with size 3, and bpf_msg_pull_data
+will be invoked the first time. sk_msg_reset_curr will reset the copybreak
+from 3 to 0. In the second sendmsg, since we are in the stage of corking,
+psock->cork will be reused in func sk_msg_alloc. msg->sg.copybreak is 0
+now, the second msg will overwrite the first msg. As a result, we could
+not pass the data integrity test.
+
+The same problem happens in push and pop test. Thus, fix sk_msg_reset_curr
+to restore the correct copybreak.
+
+Fixes: bb9aefde5bba ("bpf: sockmap, updating the sg structure should also update curr")
+Signed-off-by: Zijian Zhang <zijianzhang@bytedance.com>
+Link: https://lore.kernel.org/r/20241106222520.527076-9-zijianzhang@bytedance.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 20 +++++++++-----------
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 5174f4d48647f..4a97c89c9da9a 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -2594,18 +2594,16 @@ BPF_CALL_2(bpf_msg_cork_bytes, struct sk_msg *, msg, u32, bytes)
+
+ static void sk_msg_reset_curr(struct sk_msg *msg)
+ {
+- u32 i = msg->sg.start;
+- u32 len = 0;
+-
+- do {
+- len += sk_msg_elem(msg, i)->length;
+- sk_msg_iter_var_next(i);
+- if (len >= msg->sg.size)
+- break;
+- } while (i != msg->sg.end);
++ if (!msg->sg.size) {
++ msg->sg.curr = msg->sg.start;
++ msg->sg.copybreak = 0;
++ } else {
++ u32 i = msg->sg.end;
+
+- msg->sg.curr = i;
+- msg->sg.copybreak = 0;
++ sk_msg_iter_var_prev(i);
++ msg->sg.curr = i;
++ msg->sg.copybreak = msg->sg.data[i].length;
++ }
+ }
+
+ static const struct bpf_func_proto bpf_msg_cork_bytes_proto = {
+--
+2.43.0
+
--- /dev/null
+From 6e98cb903530a9db546aeb4f73cac7c6122cfec0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Nov 2024 22:25:19 +0000
+Subject: bpf, sockmap: Several fixes to bpf_msg_pop_data
+
+From: Zijian Zhang <zijianzhang@bytedance.com>
+
+[ Upstream commit 5d609ba262475db450ba69b8e8a557bd768ac07a ]
+
+Several fixes to bpf_msg_pop_data,
+1. In sk_msg_shift_left, we should put_page
+2. if (len == 0), return early is better
+3. pop the entire sk_msg (last == msg->sg.size) should be supported
+4. Fix for the value of variable "a"
+5. In sk_msg_shift_left, after shifting, i has already pointed to the next
+element. Addtional sk_msg_iter_var_next may result in BUG.
+
+Fixes: 7246d8ed4dcc ("bpf: helper to pop data from messages")
+Signed-off-by: Zijian Zhang <zijianzhang@bytedance.com>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/r/20241106222520.527076-8-zijianzhang@bytedance.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index b4ed0d9177818..5174f4d48647f 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -2894,8 +2894,10 @@ static const struct bpf_func_proto bpf_msg_push_data_proto = {
+
+ static void sk_msg_shift_left(struct sk_msg *msg, int i)
+ {
++ struct scatterlist *sge = sk_msg_elem(msg, i);
+ int prev;
+
++ put_page(sg_page(sge));
+ do {
+ prev = i;
+ sk_msg_iter_var_next(i);
+@@ -2932,6 +2934,9 @@ BPF_CALL_4(bpf_msg_pop_data, struct sk_msg *, msg, u32, start,
+ if (unlikely(flags))
+ return -EINVAL;
+
++ if (unlikely(len == 0))
++ return 0;
++
+ /* First find the starting scatterlist element */
+ i = msg->sg.start;
+ do {
+@@ -2944,7 +2949,7 @@ BPF_CALL_4(bpf_msg_pop_data, struct sk_msg *, msg, u32, start,
+ } while (i != msg->sg.end);
+
+ /* Bounds checks: start and pop must be inside message */
+- if (start >= offset + l || last >= msg->sg.size)
++ if (start >= offset + l || last > msg->sg.size)
+ return -EINVAL;
+
+ space = MAX_MSG_FRAGS - sk_msg_elem_used(msg);
+@@ -2973,12 +2978,12 @@ BPF_CALL_4(bpf_msg_pop_data, struct sk_msg *, msg, u32, start,
+ */
+ if (start != offset) {
+ struct scatterlist *nsge, *sge = sk_msg_elem(msg, i);
+- int a = start;
++ int a = start - offset;
+ int b = sge->length - pop - a;
+
+ sk_msg_iter_var_next(i);
+
+- if (pop < sge->length - a) {
++ if (b > 0) {
+ if (space) {
+ sge->length = a;
+ sk_msg_shift_right(msg, i);
+@@ -2997,7 +3002,6 @@ BPF_CALL_4(bpf_msg_pop_data, struct sk_msg *, msg, u32, start,
+ if (unlikely(!page))
+ return -ENOMEM;
+
+- sge->length = a;
+ orig = sg_page(sge);
+ from = sg_virt(sge);
+ to = page_address(page);
+@@ -3007,7 +3011,7 @@ BPF_CALL_4(bpf_msg_pop_data, struct sk_msg *, msg, u32, start,
+ put_page(orig);
+ }
+ pop = 0;
+- } else if (pop >= sge->length - a) {
++ } else {
+ pop -= (sge->length - a);
+ sge->length = a;
+ }
+@@ -3041,7 +3045,6 @@ BPF_CALL_4(bpf_msg_pop_data, struct sk_msg *, msg, u32, start,
+ pop -= sge->length;
+ sk_msg_shift_left(msg, i);
+ }
+- sk_msg_iter_var_next(i);
+ }
+
+ sk_mem_uncharge(msg->sk, len - pop);
+--
+2.43.0
+
--- /dev/null
+From abcbe8ccd5de8ec2a8893fa0367e1184969d1734 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Nov 2024 22:25:18 +0000
+Subject: bpf, sockmap: Several fixes to bpf_msg_push_data
+
+From: Zijian Zhang <zijianzhang@bytedance.com>
+
+[ Upstream commit 15ab0548e3107665c34579ae523b2b6e7c22082a ]
+
+Several fixes to bpf_msg_push_data,
+1. test_sockmap has tests where bpf_msg_push_data is invoked to push some
+data at the end of a message, but -EINVAL is returned. In this case, in
+bpf_msg_push_data, after the first loop, i will be set to msg->sg.end, add
+the logic to handle it.
+2. In the code block of "if (start - offset)", it's possible that "i"
+points to the last of sk_msg_elem. In this case, "sk_msg_iter_next(msg,
+end)" might still be called twice, another invoking is in "if (!copy)"
+code block, but actually only one is needed. Add the logic to handle it,
+and reconstruct the code to make the logic more clear.
+
+Fixes: 6fff607e2f14 ("bpf: sk_msg program helper bpf_msg_push_data")
+Signed-off-by: Zijian Zhang <zijianzhang@bytedance.com>
+Link: https://lore.kernel.org/r/20241106222520.527076-7-zijianzhang@bytedance.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 53 +++++++++++++++++++++++++++++------------------
+ 1 file changed, 33 insertions(+), 20 deletions(-)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 2f6fef5f5864f..b4ed0d9177818 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -2768,7 +2768,7 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_msg *, msg, u32, start,
+ sk_msg_iter_var_next(i);
+ } while (i != msg->sg.end);
+
+- if (start >= offset + l)
++ if (start > offset + l)
+ return -EINVAL;
+
+ space = MAX_MSG_FRAGS - sk_msg_elem_used(msg);
+@@ -2793,6 +2793,8 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_msg *, msg, u32, start,
+
+ raw = page_address(page);
+
++ if (i == msg->sg.end)
++ sk_msg_iter_var_prev(i);
+ psge = sk_msg_elem(msg, i);
+ front = start - offset;
+ back = psge->length - front;
+@@ -2809,7 +2811,13 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_msg *, msg, u32, start,
+ }
+
+ put_page(sg_page(psge));
+- } else if (start - offset) {
++ new = i;
++ goto place_new;
++ }
++
++ if (start - offset) {
++ if (i == msg->sg.end)
++ sk_msg_iter_var_prev(i);
+ psge = sk_msg_elem(msg, i);
+ rsge = sk_msg_elem_cpy(msg, i);
+
+@@ -2820,39 +2828,44 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_msg *, msg, u32, start,
+ sk_msg_iter_var_next(i);
+ sg_unmark_end(psge);
+ sg_unmark_end(&rsge);
+- sk_msg_iter_next(msg, end);
+ }
+
+ /* Slot(s) to place newly allocated data */
++ sk_msg_iter_next(msg, end);
+ new = i;
++ sk_msg_iter_var_next(i);
++
++ if (i == msg->sg.end) {
++ if (!rsge.length)
++ goto place_new;
++ sk_msg_iter_next(msg, end);
++ goto place_new;
++ }
+
+ /* Shift one or two slots as needed */
+- if (!copy) {
+- sge = sk_msg_elem_cpy(msg, i);
++ sge = sk_msg_elem_cpy(msg, new);
++ sg_unmark_end(&sge);
+
++ nsge = sk_msg_elem_cpy(msg, i);
++ if (rsge.length) {
+ sk_msg_iter_var_next(i);
+- sg_unmark_end(&sge);
++ nnsge = sk_msg_elem_cpy(msg, i);
+ sk_msg_iter_next(msg, end);
++ }
+
+- nsge = sk_msg_elem_cpy(msg, i);
++ while (i != msg->sg.end) {
++ msg->sg.data[i] = sge;
++ sge = nsge;
++ sk_msg_iter_var_next(i);
+ if (rsge.length) {
+- sk_msg_iter_var_next(i);
++ nsge = nnsge;
+ nnsge = sk_msg_elem_cpy(msg, i);
+- }
+-
+- while (i != msg->sg.end) {
+- msg->sg.data[i] = sge;
+- sge = nsge;
+- sk_msg_iter_var_next(i);
+- if (rsge.length) {
+- nsge = nnsge;
+- nnsge = sk_msg_elem_cpy(msg, i);
+- } else {
+- nsge = sk_msg_elem_cpy(msg, i);
+- }
++ } else {
++ nsge = sk_msg_elem_cpy(msg, i);
+ }
+ }
+
++place_new:
+ /* Place newly allocated data buffer */
+ sk_mem_charge(msg->sk, len);
+ msg->sg.size += len;
+--
+2.43.0
+
--- /dev/null
+From b33887503dce3f7c390199fd6abe8ddfa398539d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Oct 2024 11:49:14 +0800
+Subject: brd: defer automatic disk creation until module initialization
+ succeeds
+
+From: Yang Erkun <yangerkun@huawei.com>
+
+[ Upstream commit 826cc42adf44930a633d11a5993676d85ddb0842 ]
+
+My colleague Wupeng found the following problems during fault injection:
+
+BUG: unable to handle page fault for address: fffffbfff809d073
+PGD 6e648067 P4D 123ec8067 PUD 123ec4067 PMD 100e38067 PTE 0
+Oops: Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
+CPU: 5 UID: 0 PID: 755 Comm: modprobe Not tainted 6.12.0-rc3+ #17
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+1.16.1-2.fc37 04/01/2014
+RIP: 0010:__asan_load8+0x4c/0xa0
+...
+Call Trace:
+ <TASK>
+ blkdev_put_whole+0x41/0x70
+ bdev_release+0x1a3/0x250
+ blkdev_release+0x11/0x20
+ __fput+0x1d7/0x4a0
+ task_work_run+0xfc/0x180
+ syscall_exit_to_user_mode+0x1de/0x1f0
+ do_syscall_64+0x6b/0x170
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+loop_init() is calling loop_add() after __register_blkdev() succeeds and
+is ignoring disk_add() failure from loop_add(), for loop_add() failure
+is not fatal and successfully created disks are already visible to
+bdev_open().
+
+brd_init() is currently calling brd_alloc() before __register_blkdev()
+succeeds and is releasing successfully created disks when brd_init()
+returns an error. This can cause UAF for the latter two case:
+
+case 1:
+ T1:
+modprobe brd
+ brd_init
+ brd_alloc(0) // success
+ add_disk
+ disk_scan_partitions
+ bdev_file_open_by_dev // alloc file
+ fput // won't free until back to userspace
+ brd_alloc(1) // failed since mem alloc error inject
+ // error path for modprobe will release code segment
+ // back to userspace
+ __fput
+ blkdev_release
+ bdev_release
+ blkdev_put_whole
+ bdev->bd_disk->fops->release // fops is freed now, UAF!
+
+case 2:
+ T1: T2:
+modprobe brd
+ brd_init
+ brd_alloc(0) // success
+ open(/dev/ram0)
+ brd_alloc(1) // fail
+ // error path for modprobe
+
+ close(/dev/ram0)
+ ...
+ /* UAF! */
+ bdev->bd_disk->fops->release
+
+Fix this problem by following what loop_init() does. Besides,
+reintroduce brd_devices_mutex to help serialize modifications to
+brd_list.
+
+Fixes: 7f9b348cb5e9 ("brd: convert to blk_alloc_disk/blk_cleanup_disk")
+Reported-by: Wupeng Ma <mawupeng1@huawei.com>
+Signed-off-by: Yang Erkun <yangerkun@huawei.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20241030034914.907829-1-yangerkun@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/brd.c | 66 ++++++++++++++++++++++++++++++---------------
+ 1 file changed, 44 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/block/brd.c b/drivers/block/brd.c
+index a8a77a1efe1e3..b2c109f08808a 100644
+--- a/drivers/block/brd.c
++++ b/drivers/block/brd.c
+@@ -368,8 +368,40 @@ __setup("ramdisk_size=", ramdisk_size);
+ * (should share code eventually).
+ */
+ static LIST_HEAD(brd_devices);
++static DEFINE_MUTEX(brd_devices_mutex);
+ static struct dentry *brd_debugfs_dir;
+
++static struct brd_device *brd_find_or_alloc_device(int i)
++{
++ struct brd_device *brd;
++
++ mutex_lock(&brd_devices_mutex);
++ list_for_each_entry(brd, &brd_devices, brd_list) {
++ if (brd->brd_number == i) {
++ mutex_unlock(&brd_devices_mutex);
++ return ERR_PTR(-EEXIST);
++ }
++ }
++
++ brd = kzalloc(sizeof(*brd), GFP_KERNEL);
++ if (!brd) {
++ mutex_unlock(&brd_devices_mutex);
++ return ERR_PTR(-ENOMEM);
++ }
++ brd->brd_number = i;
++ list_add_tail(&brd->brd_list, &brd_devices);
++ mutex_unlock(&brd_devices_mutex);
++ return brd;
++}
++
++static void brd_free_device(struct brd_device *brd)
++{
++ mutex_lock(&brd_devices_mutex);
++ list_del(&brd->brd_list);
++ mutex_unlock(&brd_devices_mutex);
++ kfree(brd);
++}
++
+ static int brd_alloc(int i)
+ {
+ struct brd_device *brd;
+@@ -377,14 +409,9 @@ static int brd_alloc(int i)
+ char buf[DISK_NAME_LEN];
+ int err = -ENOMEM;
+
+- list_for_each_entry(brd, &brd_devices, brd_list)
+- if (brd->brd_number == i)
+- return -EEXIST;
+- brd = kzalloc(sizeof(*brd), GFP_KERNEL);
+- if (!brd)
+- return -ENOMEM;
+- brd->brd_number = i;
+- list_add_tail(&brd->brd_list, &brd_devices);
++ brd = brd_find_or_alloc_device(i);
++ if (IS_ERR(brd))
++ return PTR_ERR(brd);
+
+ spin_lock_init(&brd->brd_lock);
+ INIT_RADIX_TREE(&brd->brd_pages, GFP_ATOMIC);
+@@ -428,8 +455,7 @@ static int brd_alloc(int i)
+ out_cleanup_disk:
+ put_disk(disk);
+ out_free_dev:
+- list_del(&brd->brd_list);
+- kfree(brd);
++ brd_free_device(brd);
+ return err;
+ }
+
+@@ -448,8 +474,7 @@ static void brd_cleanup(void)
+ del_gendisk(brd->brd_disk);
+ put_disk(brd->brd_disk);
+ brd_free_pages(brd);
+- list_del(&brd->brd_list);
+- kfree(brd);
++ brd_free_device(brd);
+ }
+ }
+
+@@ -476,16 +501,6 @@ static int __init brd_init(void)
+ {
+ int err, i;
+
+- brd_check_and_reset_par();
+-
+- brd_debugfs_dir = debugfs_create_dir("ramdisk_pages", NULL);
+-
+- for (i = 0; i < rd_nr; i++) {
+- err = brd_alloc(i);
+- if (err)
+- goto out_free;
+- }
+-
+ /*
+ * brd module now has a feature to instantiate underlying device
+ * structure on-demand, provided that there is an access dev node.
+@@ -501,11 +516,18 @@ static int __init brd_init(void)
+ * dynamically.
+ */
+
++ brd_check_and_reset_par();
++
++ brd_debugfs_dir = debugfs_create_dir("ramdisk_pages", NULL);
++
+ if (__register_blkdev(RAMDISK_MAJOR, "ramdisk", brd_probe)) {
+ err = -EIO;
+ goto out_free;
+ }
+
++ for (i = 0; i < rd_nr; i++)
++ brd_alloc(i);
++
+ pr_info("brd: module loaded\n");
+ return 0;
+
+--
+2.43.0
+
--- /dev/null
+From b4f4945f27f827abf0cc57c291dd42c4bad0f82d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2024 19:06:46 +0800
+Subject: cachefiles: Fix missing pos updates in
+ cachefiles_ondemand_fd_write_iter()
+
+From: Zizhi Wo <wozizhi@huawei.com>
+
+[ Upstream commit 56f4856b425a30e1d8b3e41e6cde8bfba90ba5f8 ]
+
+In the erofs on-demand loading scenario, read and write operations are
+usually delivered through "off" and "len" contained in read req in user
+mode. Naturally, pwrite is used to specify a specific offset to complete
+write operations.
+
+However, if the write(not pwrite) syscall is called multiple times in the
+read-ahead scenario, we need to manually update ki_pos after each write
+operation to update file->f_pos.
+
+This step is currently missing from the cachefiles_ondemand_fd_write_iter
+function, added to address this issue.
+
+Fixes: c8383054506c ("cachefiles: notify the user daemon when looking up cookie")
+Signed-off-by: Zizhi Wo <wozizhi@huawei.com>
+Link: https://lore.kernel.org/r/20241107110649.3980193-3-wozizhi@huawei.com
+Acked-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cachefiles/ondemand.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/cachefiles/ondemand.c b/fs/cachefiles/ondemand.c
+index 2185e2908dba8..d1a0264b08a6c 100644
+--- a/fs/cachefiles/ondemand.c
++++ b/fs/cachefiles/ondemand.c
+@@ -78,8 +78,10 @@ static ssize_t cachefiles_ondemand_fd_write_iter(struct kiocb *kiocb,
+
+ trace_cachefiles_ondemand_fd_write(object, file_inode(file), pos, len);
+ ret = __cachefiles_write(object, file, pos, iter, NULL, NULL);
+- if (!ret)
++ if (!ret) {
+ ret = len;
++ kiocb->ki_pos += ret;
++ }
+
+ return ret;
+ }
+--
+2.43.0
+
--- /dev/null
+From fedfb3cbb7a2377f8f71f3782ad502039976b11c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Oct 2024 08:15:20 +0000
+Subject: cgroup/bpf: only cgroup v2 can be attached by bpf programs
+
+From: Chen Ridong <chenridong@huawei.com>
+
+[ Upstream commit 2190df6c91373fdec6db9fc07e427084f232f57e ]
+
+Only cgroup v2 can be attached by bpf programs, so this patch introduces
+that cgroup_bpf_inherit and cgroup_bpf_offline can only be called in
+cgroup v2, and this can fix the memleak mentioned by commit 04f8ef5643bc
+("cgroup: Fix memory leak caused by missing cgroup_bpf_offline"), which
+has been reverted.
+
+Fixes: 2b0d3d3e4fcf ("percpu_ref: reduce memory footprint of percpu_ref in fast path")
+Fixes: 4bfc0bb2c60e ("bpf: decouple the lifetime of cgroup_bpf from cgroup itself")
+Link: https://lore.kernel.org/cgroups/aka2hk5jsel5zomucpwlxsej6iwnfw4qu5jkrmjhyfhesjlfdw@46zxhg5bdnr7/
+Signed-off-by: Chen Ridong <chenridong@huawei.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cgroup/cgroup.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
+index 11aa400979971..72ad4de66d10f 100644
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -2119,8 +2119,10 @@ int cgroup_setup_root(struct cgroup_root *root, u16 ss_mask)
+ if (ret)
+ goto exit_stats;
+
+- ret = cgroup_bpf_inherit(root_cgrp);
+- WARN_ON_ONCE(ret);
++ if (root == &cgrp_dfl_root) {
++ ret = cgroup_bpf_inherit(root_cgrp);
++ WARN_ON_ONCE(ret);
++ }
+
+ trace_cgroup_setup_root(root);
+
+@@ -5626,9 +5628,11 @@ static struct cgroup *cgroup_create(struct cgroup *parent, const char *name,
+ if (ret)
+ goto out_kernfs_remove;
+
+- ret = cgroup_bpf_inherit(cgrp);
+- if (ret)
+- goto out_psi_free;
++ if (cgrp->root == &cgrp_dfl_root) {
++ ret = cgroup_bpf_inherit(cgrp);
++ if (ret)
++ goto out_psi_free;
++ }
+
+ /*
+ * New cgroup inherits effective freeze counter, and
+@@ -5946,7 +5950,8 @@ static int cgroup_destroy_locked(struct cgroup *cgrp)
+
+ cgroup1_check_for_release(parent);
+
+- cgroup_bpf_offline(cgrp);
++ if (cgrp->root == &cgrp_dfl_root)
++ cgroup_bpf_offline(cgrp);
+
+ /* put the base reference */
+ percpu_ref_kill(&cgrp->self.refcnt);
+--
+2.43.0
+
--- /dev/null
+From e62b1abfe399d2220fa072c493f54ee685d3fbdc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2024 19:43:19 -0400
+Subject: checkpatch: always parse orig_commit in fixes tag
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tamir Duberstein <tamird@gmail.com>
+
+[ Upstream commit 2f07b652384969f5d0b317e1daa5f2eb967bc73d ]
+
+Do not require the presence of `$balanced_parens` to get the commit SHA;
+this allows a `Fixes: deadbeef` tag to get a correct suggestion rather
+than a suggestion containing a reference to HEAD.
+
+Given this patch:
+
+: From: Tamir Duberstein <tamird@gmail.com>
+: Subject: Test patch
+: Date: Fri, 25 Oct 2024 19:30:51 -0400
+:
+: This is a test patch.
+:
+: Fixes: bd17e036b495
+: Signed-off-by: Tamir Duberstein <tamird@gmail.com>
+: --- /dev/null
+: +++ b/new-file
+: @@ -0,0 +1 @@
+: +Test.
+
+Before:
+
+WARNING: Please use correct Fixes: style 'Fixes: <12 chars of sha1> ("<title line>")' - ie: 'Fixes: c10a7d25e68f ("Test patch")'
+
+After:
+
+WARNING: Please use correct Fixes: style 'Fixes: <12 chars of sha1> ("<title line>")' - ie: 'Fixes: bd17e036b495 ("checkpatch: warn for non-standard fixes tag style")'
+
+The prior behavior incorrectly suggested the patch's own SHA and title
+line rather than the referenced commit's. This fixes that.
+
+Ironically this:
+
+Fixes: bd17e036b495 ("checkpatch: warn for non-standard fixes tag style")
+Signed-off-by: Tamir Duberstein <tamird@gmail.com>
+Cc: Andy Whitcroft <apw@canonical.com>
+Cc: Dwaipayan Ray <dwaipayanray1@gmail.com>
+Cc: Joe Perches <joe@perches.com>
+Cc: Louis Peens <louis.peens@corigine.com>
+Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Cc: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Cc: Philippe Schenker <philippe.schenker@toradex.com>
+Cc: Simon Horman <horms@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/checkpatch.pl | 37 ++++++++++++++++---------------------
+ 1 file changed, 16 insertions(+), 21 deletions(-)
+
+diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
+index 9ec205e6d48e2..12742da6504e0 100755
+--- a/scripts/checkpatch.pl
++++ b/scripts/checkpatch.pl
+@@ -3177,36 +3177,31 @@ sub process {
+
+ # Check Fixes: styles is correct
+ if (!$in_header_lines &&
+- $line =~ /^\s*fixes:?\s*(?:commit\s*)?[0-9a-f]{5,}\b/i) {
+- my $orig_commit = "";
+- my $id = "0123456789ab";
+- my $title = "commit title";
+- my $tag_case = 1;
+- my $tag_space = 1;
+- my $id_length = 1;
+- my $id_case = 1;
++ $line =~ /^\s*(fixes:?)\s*(?:commit\s*)?([0-9a-f]{5,40})(?:\s*($balanced_parens))?/i) {
++ my $tag = $1;
++ my $orig_commit = $2;
++ my $title;
+ my $title_has_quotes = 0;
+ $fixes_tag = 1;
+-
+- if ($line =~ /(\s*fixes:?)\s+([0-9a-f]{5,})\s+($balanced_parens)/i) {
+- my $tag = $1;
+- $orig_commit = $2;
+- $title = $3;
+-
+- $tag_case = 0 if $tag eq "Fixes:";
+- $tag_space = 0 if ($line =~ /^fixes:? [0-9a-f]{5,} ($balanced_parens)/i);
+-
+- $id_length = 0 if ($orig_commit =~ /^[0-9a-f]{12}$/i);
+- $id_case = 0 if ($orig_commit !~ /[A-F]/);
+-
++ if (defined $3) {
+ # Always strip leading/trailing parens then double quotes if existing
+- $title = substr($title, 1, -1);
++ $title = substr($3, 1, -1);
+ if ($title =~ /^".*"$/) {
+ $title = substr($title, 1, -1);
+ $title_has_quotes = 1;
+ }
++ } else {
++ $title = "commit title"
+ }
+
++
++ my $tag_case = not ($tag eq "Fixes:");
++ my $tag_space = not ($line =~ /^fixes:? [0-9a-f]{5,40} ($balanced_parens)/i);
++
++ my $id_length = not ($orig_commit =~ /^[0-9a-f]{12}$/i);
++ my $id_case = not ($orig_commit !~ /[A-F]/);
++
++ my $id = "0123456789ab";
+ my ($cid, $ctitle) = git_commit_info($orig_commit, $id,
+ $title);
+
+--
+2.43.0
+
--- /dev/null
+From 96377d94dc9d87416d293a5c17ac5f9c0bc86336 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Jun 2024 16:43:29 +0300
+Subject: checkpatch: check for missing Fixes tags
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit d5d6281ae8e0c929c3ff188652f5b12c680fe8bf ]
+
+This check looks for common words that probably indicate a patch
+is a fix. For now the regex is:
+
+ (?:(?:BUG: K.|UB)SAN: |Call Trace:|stable\@|syzkaller)/)
+
+Why are stable patches encouraged to have a fixes tag? Some people mark
+their stable patches as "# 5.10" etc. This is useful but a Fixes tag is
+still a good idea. For example, the Fixes tag helps in review. It
+helps people to not cherry-pick buggy patches without also
+cherry-picking the fix.
+
+Also if a bug affects the 5.7 kernel some people will round it up to
+5.10+ because 5.7 is not supported on kernel.org. It's possible the Bad
+Binder bug was caused by this sort of gap where companies outside of
+kernel.org are supporting different kernels from kernel.org.
+
+Should it be counted as a Fix when a patch just silences harmless
+WARN_ON() stack trace. Yes. Definitely.
+
+Is silencing compiler warnings a fix? It seems unfair to the original
+authors, but we use -Werror now, and warnings break the build so let's
+just add Fixes tags. I tell people that silencing static checker
+warnings is not a fix but the rules on this vary by subsystem.
+
+Is fixing a minor LTP issue (Linux Test Project) a fix? Probably? It's
+hard to know what to do if the LTP test has technically always been
+broken.
+
+One clear false positive from this check is when someone updated their
+debug output and included before and after Call Traces. Or when crashes
+are introduced deliberately for testing. In those cases, you should
+just ignore checkpatch.
+
+Link: https://lkml.kernel.org/r/ZmhUgZBKeF_8ixA6@moroto
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Cc: Andy Whitcroft <apw@canonical.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Dwaipayan Ray <dwaipayanray1@gmail.com>
+Cc: Joe Perches <joe@perches.com>
+Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Cc: Sasha Levin <sashal@kernel.org>
+Cc: Thorsten Leemhuis <linux@leemhuis.info>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 2f07b6523849 ("checkpatch: always parse orig_commit in fixes tag")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/checkpatch.pl | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
+index 32dc82c0c7ace..9ec205e6d48e2 100755
+--- a/scripts/checkpatch.pl
++++ b/scripts/checkpatch.pl
+@@ -28,6 +28,7 @@ my %verbose_messages = ();
+ my %verbose_emitted = ();
+ my $tree = 1;
+ my $chk_signoff = 1;
++my $chk_fixes_tag = 1;
+ my $chk_patch = 1;
+ my $tst_only;
+ my $emacs = 0;
+@@ -86,6 +87,7 @@ Options:
+ -v, --verbose verbose mode
+ --no-tree run without a kernel tree
+ --no-signoff do not check for 'Signed-off-by' line
++ --no-fixes-tag do not check for 'Fixes:' tag
+ --patch treat FILE as patchfile (default)
+ --emacs emacs compile window format
+ --terse one line per report
+@@ -293,6 +295,7 @@ GetOptions(
+ 'v|verbose!' => \$verbose,
+ 'tree!' => \$tree,
+ 'signoff!' => \$chk_signoff,
++ 'fixes-tag!' => \$chk_fixes_tag,
+ 'patch!' => \$chk_patch,
+ 'emacs!' => \$emacs,
+ 'terse!' => \$terse,
+@@ -1225,6 +1228,7 @@ sub git_commit_info {
+ }
+
+ $chk_signoff = 0 if ($file);
++$chk_fixes_tag = 0 if ($file);
+
+ my @rawlines = ();
+ my @lines = ();
+@@ -2604,6 +2608,9 @@ sub process {
+
+ our $clean = 1;
+ my $signoff = 0;
++ my $fixes_tag = 0;
++ my $is_revert = 0;
++ my $needs_fixes_tag = "";
+ my $author = '';
+ my $authorsignoff = 0;
+ my $author_sob = '';
+@@ -3157,6 +3164,16 @@ sub process {
+ }
+ }
+
++# These indicate a bug fix
++ if (!$in_header_lines && !$is_patch &&
++ $line =~ /^This reverts commit/) {
++ $is_revert = 1;
++ }
++
++ if (!$in_header_lines && !$is_patch &&
++ $line =~ /((?:(?:BUG: K.|UB)SAN: |Call Trace:|stable\@|syzkaller))/) {
++ $needs_fixes_tag = $1;
++ }
+
+ # Check Fixes: styles is correct
+ if (!$in_header_lines &&
+@@ -3169,6 +3186,7 @@ sub process {
+ my $id_length = 1;
+ my $id_case = 1;
+ my $title_has_quotes = 0;
++ $fixes_tag = 1;
+
+ if ($line =~ /(\s*fixes:?)\s+([0-9a-f]{5,})\s+($balanced_parens)/i) {
+ my $tag = $1;
+@@ -7539,6 +7557,12 @@ sub process {
+ ERROR("NOT_UNIFIED_DIFF",
+ "Does not appear to be a unified-diff format patch\n");
+ }
++ if ($is_patch && $has_commit_log && $chk_fixes_tag) {
++ if ($needs_fixes_tag ne "" && !$is_revert && !$fixes_tag) {
++ WARN("MISSING_FIXES_TAG",
++ "The commit message has '$needs_fixes_tag', perhaps it also needs a 'Fixes:' tag?\n");
++ }
++ }
+ if ($is_patch && $has_commit_log && $chk_signoff) {
+ if ($signoff == 0) {
+ ERROR("MISSING_SIGN_OFF",
+--
+2.43.0
+
--- /dev/null
+From 3d244247e264a8ff5ffc3be98e47291c8abc9673 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jan 2023 13:35:19 +0100
+Subject: checkpatch: warn when Reported-by: is not followed by Link:
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kai Wasserbäch <kai@dev.carbon-project.org>
+
+[ Upstream commit d7f1d71e5ef630ab9e15b5821d297a9e1a5fa1da ]
+
+Encourage patch authors to link to reports by issuing a warning, if a
+Reported-by: is not accompanied by a link to the report. Those links are
+often extremely useful for any code archaeologist that wants to know more
+about the backstory of a change than the commit message provides. That
+includes maintainers higher up in the patch-flow hierarchy, which is why
+Linus asks developers to add such links [1, 2, 3]. To quote [1]:
+
+> Again, the commit has a link to the patch *submission*, which is
+> almost entirely useless. There's no link to the actual problem the
+> patch fixes.
+>
+> [...]
+>
+> Put another way: I can see that
+>
+> Reported-by: Zhangfei Gao <zhangfei.gao@foxmail.com>
+>
+> in the commit, but I don't have a clue what the actual report was, and
+> there really isn't enough information in the commit itself, except for
+> a fairly handwavy "Device drivers might, for instance, still need to
+> flush operations.."
+>
+> I don't want to know what device drivers _might_ do. I would want to
+> have an actual pointer to what they do and where.
+
+Another reason why these links are wanted: the ongoing regression tracking
+efforts can only scale with them, as they allow the regression tracking
+bot 'regzbot' to automatically connect tracked reports with patches that
+are posted or committed to fix tracked regressions.
+
+Link: https://lore.kernel.org/all/CAHk-=wjMmSZzMJ3Xnskdg4+GGz=5p5p+GSYyFBTh0f-DgvdBWg@mail.gmail.com/ [1]
+Link: https://lore.kernel.org/all/CAHk-=wgs38ZrfPvy=nOwVkVzjpM3VFU1zobP37Fwd_h9iAD5JQ@mail.gmail.com/ [2]
+Link: https://lore.kernel.org/all/CAHk-=wjxzafG-=J8oT30s7upn4RhBs6TX-uVFZ5rME+L5_DoJA@mail.gmail.com/ [3]
+Link: https://lkml.kernel.org/r/bb5dfd55ea2026303ab2296f4a6df3da7dd64006.1674217480.git.linux@leemhuis.info
+Signed-off-by: Kai Wasserbäch <kai@dev.carbon-project.org>
+Co-developed-by: Thorsten Leemhuis <linux@leemhuis.info>
+Signed-off-by: Thorsten Leemhuis <linux@leemhuis.info>
+Cc: Andy Whitcroft <apw@canonical.com>
+Cc: Dwaipayan Ray <dwaipayanray1@gmail.com>
+Cc: Joe Perches <joe@perches.com>
+Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 2f07b6523849 ("checkpatch: always parse orig_commit in fixes tag")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/checkpatch.pl | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
+index ecf4250b0d2d2..32dc82c0c7ace 100755
+--- a/scripts/checkpatch.pl
++++ b/scripts/checkpatch.pl
+@@ -3144,8 +3144,20 @@ sub process {
+ "Co-developed-by and Signed-off-by: name/email do not match \n" . "$here\n" . $rawline . "\n" .$rawlines[$linenr]);
+ }
+ }
++
++# check if Reported-by: is followed by a Link:
++ if ($sign_off =~ /^reported(?:|-and-tested)-by:$/i) {
++ if (!defined $lines[$linenr]) {
++ WARN("BAD_REPORTED_BY_LINK",
++ "Reported-by: should be immediately followed by Link: to the report\n" . $herecurr . $rawlines[$linenr] . "\n");
++ } elsif ($rawlines[$linenr] !~ m{^link:\s*https?://}i) {
++ WARN("BAD_REPORTED_BY_LINK",
++ "Reported-by: should be immediately followed by Link: with a URL to the report\n" . $herecurr . $rawlines[$linenr] . "\n");
++ }
++ }
+ }
+
++
+ # Check Fixes: styles is correct
+ if (!$in_header_lines &&
+ $line =~ /^\s*fixes:?\s*(?:commit\s*)?[0-9a-f]{5,}\b/i) {
+--
+2.43.0
+
--- /dev/null
+From 2651e4992a63a38d07d3c4fa53482090cfb2eb32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2024 15:28:20 +0800
+Subject: clk: clk-apple-nco: Add NULL check in applnco_probe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Charles Han <hanchunchao@inspur.com>
+
+[ Upstream commit 969c765e2b508cca9099d246c010a1e48dcfd089 ]
+
+Add NULL check in applnco_probe, to handle kernel NULL pointer
+dereference error.
+
+Fixes: 6641057d5dba ("clk: clk-apple-nco: Add driver for Apple NCO")
+Signed-off-by: Charles Han <hanchunchao@inspur.com>
+Link: https://lore.kernel.org/r/20241114072820.3071-1-hanchunchao@inspur.com
+Reviewed-by: Martin Povišer <povik+lin@cutebit.org>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk-apple-nco.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/clk/clk-apple-nco.c b/drivers/clk/clk-apple-nco.c
+index 39472a51530a3..457a48d489412 100644
+--- a/drivers/clk/clk-apple-nco.c
++++ b/drivers/clk/clk-apple-nco.c
+@@ -297,6 +297,9 @@ static int applnco_probe(struct platform_device *pdev)
+ memset(&init, 0, sizeof(init));
+ init.name = devm_kasprintf(&pdev->dev, GFP_KERNEL,
+ "%s-%d", np->name, i);
++ if (!init.name)
++ return -ENOMEM;
++
+ init.ops = &applnco_ops;
+ init.parent_data = &pdata;
+ init.num_parents = 1;
+--
+2.43.0
+
--- /dev/null
+From 87e3986ff3a0c7fdfc8f0a73b271411a48330f6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2024 14:59:42 +0100
+Subject: clk: clk-axi-clkgen: make sure to enable the AXI bus clock
+
+From: Nuno Sa <nuno.sa@analog.com>
+
+[ Upstream commit c64ef7e4851d1a9abbb7f7833e4936973ac5ba79 ]
+
+In order to access the registers of the HW, we need to make sure that
+the AXI bus clock is enabled. Hence let's increase the number of clocks
+by one.
+
+In order to keep backward compatibility and make sure old DTs still work
+we check if clock-names is available or not. If it is, then we can
+disambiguate between really having the AXI clock or a parent clock and
+so we can enable the bus clock. If not, we fallback to what was done
+before and don't explicitly enable the AXI bus clock.
+
+Note that if clock-names is given, the axi clock must be the last one in
+the phandle array (also enforced in the DT bindings) so that we can reuse
+as much code as possible.
+
+Fixes: 0e646c52cf0e ("clk: Add axi-clkgen driver")
+Signed-off-by: Nuno Sa <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20241029-axi-clkgen-fix-axiclk-v2-2-bc5e0733ad76@analog.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk-axi-clkgen.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/clk-axi-clkgen.c b/drivers/clk/clk-axi-clkgen.c
+index ac6ff736ac8f6..bb5cd9d389930 100644
+--- a/drivers/clk/clk-axi-clkgen.c
++++ b/drivers/clk/clk-axi-clkgen.c
+@@ -7,6 +7,7 @@
+ */
+
+ #include <linux/platform_device.h>
++#include <linux/clk.h>
+ #include <linux/clk-provider.h>
+ #include <linux/slab.h>
+ #include <linux/io.h>
+@@ -510,6 +511,7 @@ static int axi_clkgen_probe(struct platform_device *pdev)
+ struct clk_init_data init;
+ const char *parent_names[2];
+ const char *clk_name;
++ struct clk *axi_clk;
+ unsigned int i;
+ int ret;
+
+@@ -526,8 +528,24 @@ static int axi_clkgen_probe(struct platform_device *pdev)
+ return PTR_ERR(axi_clkgen->base);
+
+ init.num_parents = of_clk_get_parent_count(pdev->dev.of_node);
+- if (init.num_parents < 1 || init.num_parents > 2)
+- return -EINVAL;
++
++ axi_clk = devm_clk_get_enabled(&pdev->dev, "s_axi_aclk");
++ if (!IS_ERR(axi_clk)) {
++ if (init.num_parents < 2 || init.num_parents > 3)
++ return -EINVAL;
++
++ init.num_parents -= 1;
++ } else {
++ /*
++ * Legacy... So that old DTs which do not have clock-names still
++ * work. In this case we don't explicitly enable the AXI bus
++ * clock.
++ */
++ if (PTR_ERR(axi_clk) != -ENOENT)
++ return PTR_ERR(axi_clk);
++ if (init.num_parents < 1 || init.num_parents > 2)
++ return -EINVAL;
++ }
+
+ for (i = 0; i < init.num_parents; i++) {
+ parent_names[i] = of_clk_get_parent_name(pdev->dev.of_node, i);
+--
+2.43.0
+
--- /dev/null
+From 9da4dee1db2412c3afc01e0a4e602654bc9db051 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Oct 2024 20:00:10 +0800
+Subject: clk: imx: clk-scu: fix clk enable state save and restore
+
+From: Dong Aisheng <aisheng.dong@nxp.com>
+
+[ Upstream commit e81361f6cf9bf4a1848b0813bc4becb2250870b8 ]
+
+The scu clk_ops only inplements prepare() and unprepare() callback.
+Saving the clock state during suspend by checking clk_hw_is_enabled()
+is not safe as it's possible that some device drivers may only
+disable the clocks without unprepare. Then the state retention will not
+work for such clocks.
+
+Fixing it by checking clk_hw_is_prepared() which is more reasonable
+and safe.
+
+Fixes: d0409631f466 ("clk: imx: scu: add suspend/resume support")
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Tested-by: Carlos Song <carlos.song@nxp.com>
+Signed-off-by: Dong Aisheng <aisheng.dong@nxp.com>
+Link: https://lore.kernel.org/r/20241027-imx-clk-v1-v3-4-89152574d1d7@nxp.com
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-scu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/imx/clk-scu.c b/drivers/clk/imx/clk-scu.c
+index db307890e4c16..ec5afc7f2690b 100644
+--- a/drivers/clk/imx/clk-scu.c
++++ b/drivers/clk/imx/clk-scu.c
+@@ -577,7 +577,7 @@ static int __maybe_unused imx_clk_scu_suspend(struct device *dev)
+ clk->rate = clk_scu_recalc_rate(&clk->hw, 0);
+ else
+ clk->rate = clk_hw_get_rate(&clk->hw);
+- clk->is_enabled = clk_hw_is_enabled(&clk->hw);
++ clk->is_enabled = clk_hw_is_prepared(&clk->hw);
+
+ if (clk->parent)
+ dev_dbg(dev, "save parent %s idx %u\n", clk_hw_get_name(clk->parent),
+--
+2.43.0
+
--- /dev/null
+From 72d648a85bf3988c4c67bd33a9554415177db93f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Oct 2024 20:00:08 +0800
+Subject: clk: imx: fracn-gppll: correct PLL initialization flow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit 557be501c38e1864b948fc6ccdf4b035d610a2ea ]
+
+Per i.MX93 Reference Mannual 22.4 Initialization information
+1. Program appropriate value of DIV[ODIV], DIV[RDIV] and DIV[MFI]
+ as per Integer mode.
+2. Wait for 5 μs.
+3. Program the following field in CTRL register.
+ Set CTRL[POWERUP] to 1'b1 to enable PLL block.
+4. Poll PLL_STATUS[PLL_LOCK] register, and wait till PLL_STATUS[PLL_LOCK]
+ is 1'b1 and pll_lock output signal is 1'b1.
+5. Set CTRL[CLKMUX_EN] to 1'b1 to enable PLL output clock.
+
+So move the CLKMUX_EN operation after PLL locked.
+
+Fixes: 1b26cb8a77a4 ("clk: imx: support fracn gppll")
+Co-developed-by: Jacky Bai <ping.bai@nxp.com>
+Signed-off-by: Jacky Bai <ping.bai@nxp.com>
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20241027-imx-clk-v1-v3-2-89152574d1d7@nxp.com
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-fracn-gppll.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-fracn-gppll.c b/drivers/clk/imx/clk-fracn-gppll.c
+index 421a78e295ee4..281fc62ecd3d5 100644
+--- a/drivers/clk/imx/clk-fracn-gppll.c
++++ b/drivers/clk/imx/clk-fracn-gppll.c
+@@ -299,13 +299,13 @@ static int clk_fracn_gppll_prepare(struct clk_hw *hw)
+ val |= POWERUP_MASK;
+ writel_relaxed(val, pll->base + PLL_CTRL);
+
+- val |= CLKMUX_EN;
+- writel_relaxed(val, pll->base + PLL_CTRL);
+-
+ ret = clk_fracn_gppll_wait_lock(pll);
+ if (ret)
+ return ret;
+
++ val |= CLKMUX_EN;
++ writel_relaxed(val, pll->base + PLL_CTRL);
++
+ val &= ~CLKMUX_BYPASS;
+ writel_relaxed(val, pll->base + PLL_CTRL);
+
+--
+2.43.0
+
--- /dev/null
+From 030bdee3e0de6d6be772f12b375dd55ca9a19b53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Oct 2024 20:00:09 +0800
+Subject: clk: imx: fracn-gppll: fix pll power up
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit ff4279618f0aec350b0fb41b2b35841324fbd96e ]
+
+To i.MX93 which features dual Cortex-A55 cores and DSU, when using
+writel_relaxed to write value to PLL registers, the value might be
+buffered. To make sure the value has been written into the hardware,
+using readl to read back the register could achieve the goal.
+
+current PLL power up flow can be simplified as below:
+ 1. writel_relaxed to set the PLL POWERUP bit;
+ 2. readl_poll_timeout to check the PLL lock bit:
+ a). timeout = ktime_add_us(ktime_get(), timeout_us);
+ b). readl the pll the lock reg;
+ c). check if the pll lock bit ready
+ d). check if timeout
+
+But in some corner cases, both the write in step 1 and read in
+step 2 will be blocked by other bus transaction in the SoC for a
+long time, saying the value into real hardware is just before step b).
+That means the timeout counting has begins for quite sometime since
+step a), but value still not written into real hardware until bus
+released just at a point before step b).
+
+Then there maybe chances that the pll lock bit is not ready
+when readl done but the timeout happens. readl_poll_timeout will
+err return due to timeout. To avoid such unexpected failure,
+read back the reg to make sure the write has been done in HW
+reg.
+
+So use readl after writel_relaxed to fix the issue.
+
+Since we are here, to avoid udelay to run before writel_relaxed, use
+readl before udelay.
+
+Fixes: 1b26cb8a77a4 ("clk: imx: support fracn gppll")
+Co-developed-by: Jacky Bai <ping.bai@nxp.com>
+Signed-off-by: Jacky Bai <ping.bai@nxp.com>
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20241027-imx-clk-v1-v3-3-89152574d1d7@nxp.com
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-fracn-gppll.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/clk/imx/clk-fracn-gppll.c b/drivers/clk/imx/clk-fracn-gppll.c
+index 281fc62ecd3d5..5f2296bb67a65 100644
+--- a/drivers/clk/imx/clk-fracn-gppll.c
++++ b/drivers/clk/imx/clk-fracn-gppll.c
+@@ -250,9 +250,11 @@ static int clk_fracn_gppll_set_rate(struct clk_hw *hw, unsigned long drate,
+ pll_div = FIELD_PREP(PLL_RDIV_MASK, rate->rdiv) | rate->odiv |
+ FIELD_PREP(PLL_MFI_MASK, rate->mfi);
+ writel_relaxed(pll_div, pll->base + PLL_DIV);
++ readl(pll->base + PLL_DIV);
+ if (pll->flags & CLK_FRACN_GPPLL_FRACN) {
+ writel_relaxed(rate->mfd, pll->base + PLL_DENOMINATOR);
+ writel_relaxed(FIELD_PREP(PLL_MFN_MASK, rate->mfn), pll->base + PLL_NUMERATOR);
++ readl(pll->base + PLL_NUMERATOR);
+ }
+
+ /* Wait for 5us according to fracn mode pll doc */
+@@ -261,6 +263,7 @@ static int clk_fracn_gppll_set_rate(struct clk_hw *hw, unsigned long drate,
+ /* Enable Powerup */
+ tmp |= POWERUP_MASK;
+ writel_relaxed(tmp, pll->base + PLL_CTRL);
++ readl(pll->base + PLL_CTRL);
+
+ /* Wait Lock */
+ ret = clk_fracn_gppll_wait_lock(pll);
+@@ -298,6 +301,7 @@ static int clk_fracn_gppll_prepare(struct clk_hw *hw)
+
+ val |= POWERUP_MASK;
+ writel_relaxed(val, pll->base + PLL_CTRL);
++ readl(pll->base + PLL_CTRL);
+
+ ret = clk_fracn_gppll_wait_lock(pll);
+ if (ret)
+--
+2.43.0
+
--- /dev/null
+From cbc581f02664a9d0155de60974fca99ed9106751 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Oct 2024 20:00:07 +0800
+Subject: clk: imx: lpcg-scu: SW workaround for errata (e10858)
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit 5ee063fac85656bea9cfe3570af147ba1701ba18 ]
+
+Back-to-back LPCG writes can be ignored by the LPCG register due to
+a HW bug. The writes need to be separated by at least 4 cycles of
+the gated clock. See https://www.nxp.com.cn/docs/en/errata/IMX8_1N94W.pdf
+
+The workaround is implemented as follows:
+1. For clocks running greater than or equal to 24MHz, a read
+followed by the write will provide sufficient delay.
+2. For clocks running below 24MHz, add a delay of 4 clock cylces
+after the write to the LPCG register.
+
+Fixes: 2f77296d3df9 ("clk: imx: add lpcg clock support")
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20241027-imx-clk-v1-v3-1-89152574d1d7@nxp.com
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-lpcg-scu.c | 37 ++++++++++++++++++++++++++--------
+ 1 file changed, 29 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-lpcg-scu.c b/drivers/clk/imx/clk-lpcg-scu.c
+index dd5abd09f3e20..620afdf8dc03e 100644
+--- a/drivers/clk/imx/clk-lpcg-scu.c
++++ b/drivers/clk/imx/clk-lpcg-scu.c
+@@ -6,10 +6,12 @@
+
+ #include <linux/bits.h>
+ #include <linux/clk-provider.h>
++#include <linux/delay.h>
+ #include <linux/err.h>
+ #include <linux/io.h>
+ #include <linux/slab.h>
+ #include <linux/spinlock.h>
++#include <linux/units.h>
+
+ #include "clk-scu.h"
+
+@@ -41,6 +43,29 @@ struct clk_lpcg_scu {
+
+ #define to_clk_lpcg_scu(_hw) container_of(_hw, struct clk_lpcg_scu, hw)
+
++/* e10858 -LPCG clock gating register synchronization errata */
++static void lpcg_e10858_writel(unsigned long rate, void __iomem *reg, u32 val)
++{
++ writel(val, reg);
++
++ if (rate >= 24 * HZ_PER_MHZ || rate == 0) {
++ /*
++ * The time taken to access the LPCG registers from the AP core
++ * through the interconnect is longer than the minimum delay
++ * of 4 clock cycles required by the errata.
++ * Adding a readl will provide sufficient delay to prevent
++ * back-to-back writes.
++ */
++ readl(reg);
++ } else {
++ /*
++ * For clocks running below 24MHz, wait a minimum of
++ * 4 clock cycles.
++ */
++ ndelay(4 * (DIV_ROUND_UP(1000 * HZ_PER_MHZ, rate)));
++ }
++}
++
+ static int clk_lpcg_scu_enable(struct clk_hw *hw)
+ {
+ struct clk_lpcg_scu *clk = to_clk_lpcg_scu(hw);
+@@ -57,7 +82,8 @@ static int clk_lpcg_scu_enable(struct clk_hw *hw)
+ val |= CLK_GATE_SCU_LPCG_HW_SEL;
+
+ reg |= val << clk->bit_idx;
+- writel(reg, clk->reg);
++
++ lpcg_e10858_writel(clk_hw_get_rate(hw), clk->reg, reg);
+
+ spin_unlock_irqrestore(&imx_lpcg_scu_lock, flags);
+
+@@ -74,7 +100,7 @@ static void clk_lpcg_scu_disable(struct clk_hw *hw)
+
+ reg = readl_relaxed(clk->reg);
+ reg &= ~(CLK_GATE_SCU_LPCG_MASK << clk->bit_idx);
+- writel(reg, clk->reg);
++ lpcg_e10858_writel(clk_hw_get_rate(hw), clk->reg, reg);
+
+ spin_unlock_irqrestore(&imx_lpcg_scu_lock, flags);
+ }
+@@ -145,13 +171,8 @@ static int __maybe_unused imx_clk_lpcg_scu_resume(struct device *dev)
+ {
+ struct clk_lpcg_scu *clk = dev_get_drvdata(dev);
+
+- /*
+- * FIXME: Sometimes writes don't work unless the CPU issues
+- * them twice
+- */
+-
+- writel(clk->state, clk->reg);
+ writel(clk->state, clk->reg);
++ lpcg_e10858_writel(0, clk->reg, clk->state);
+ dev_dbg(dev, "restore lpcg state 0x%x\n", clk->state);
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 1c3f69ebbf2c297320544e6ddca7dc05d67026aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2024 14:42:11 +0100
+Subject: clk: renesas: rzg2l: Fix FOUTPOSTDIV clk
+
+From: Biju Das <biju.das.jz@bp.renesas.com>
+
+[ Upstream commit dabf72b85f298970e86891b5218459c17b57b26a ]
+
+While computing foutpostdiv_rate, the value of params->pl5_fracin
+is discarded, which results in the wrong refresh rate. Fix the formula
+for computing foutpostdiv_rate.
+
+Fixes: 1561380ee72f ("clk: renesas: rzg2l: Add FOUTPOSTDIV clk support")
+Signed-off-by: Hien Huynh <hien.huynh.px@renesas.com>
+Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/20241024134236.315289-1-biju.das.jz@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/renesas/rzg2l-cpg.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/clk/renesas/rzg2l-cpg.c b/drivers/clk/renesas/rzg2l-cpg.c
+index 473feb36a38f2..5617040f307c4 100644
+--- a/drivers/clk/renesas/rzg2l-cpg.c
++++ b/drivers/clk/renesas/rzg2l-cpg.c
+@@ -289,7 +289,7 @@ static unsigned long
+ rzg2l_cpg_get_foutpostdiv_rate(struct rzg2l_pll5_param *params,
+ unsigned long rate)
+ {
+- unsigned long foutpostdiv_rate;
++ unsigned long foutpostdiv_rate, foutvco_rate;
+
+ params->pl5_intin = rate / MEGA;
+ params->pl5_fracin = div_u64(((u64)rate % MEGA) << 24, MEGA);
+@@ -298,10 +298,11 @@ rzg2l_cpg_get_foutpostdiv_rate(struct rzg2l_pll5_param *params,
+ params->pl5_postdiv2 = 1;
+ params->pl5_spread = 0x16;
+
+- foutpostdiv_rate =
+- EXTAL_FREQ_IN_MEGA_HZ * MEGA / params->pl5_refdiv *
+- ((((params->pl5_intin << 24) + params->pl5_fracin)) >> 24) /
+- (params->pl5_postdiv1 * params->pl5_postdiv2);
++ foutvco_rate = div_u64(mul_u32_u32(EXTAL_FREQ_IN_MEGA_HZ * MEGA,
++ (params->pl5_intin << 24) + params->pl5_fracin),
++ params->pl5_refdiv) >> 24;
++ foutpostdiv_rate = DIV_ROUND_CLOSEST_ULL(foutvco_rate,
++ params->pl5_postdiv1 * params->pl5_postdiv2);
+
+ return foutpostdiv_rate;
+ }
+--
+2.43.0
+
--- /dev/null
+From 341545a60dd1d866992729a5d92a5d53c13a0fec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 11:50:16 +0100
+Subject: clk: sunxi-ng: d1: Fix PLL_AUDIO0 preset
+
+From: Andre Przywara <andre.przywara@arm.com>
+
+[ Upstream commit e0f253a52ccee3cf3eb987e99756e20c68a1aac9 ]
+
+To work around a limitation in our clock modelling, we try to force two
+bits in the AUDIO0 PLL to 0, in the CCU probe routine.
+However the ~ operator only applies to the first expression, and does
+not cover the second bit, so we end up clearing only bit 1.
+
+Group the bit-ORing with parentheses, to make it both clearer to read
+and actually correct.
+
+Fixes: 35b97bb94111 ("clk: sunxi-ng: Add support for the D1 SoC clocks")
+Signed-off-by: Andre Przywara <andre.przywara@arm.com>
+Link: https://patch.msgid.link/20241001105016.1068558-1-andre.przywara@arm.com
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/sunxi-ng/ccu-sun20i-d1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/sunxi-ng/ccu-sun20i-d1.c b/drivers/clk/sunxi-ng/ccu-sun20i-d1.c
+index 8ef3cdeb79625..cb4bf038e17f5 100644
+--- a/drivers/clk/sunxi-ng/ccu-sun20i-d1.c
++++ b/drivers/clk/sunxi-ng/ccu-sun20i-d1.c
+@@ -1360,7 +1360,7 @@ static int sun20i_d1_ccu_probe(struct platform_device *pdev)
+
+ /* Enforce m1 = 0, m0 = 0 for PLL_AUDIO0 */
+ val = readl(reg + SUN20I_D1_PLL_AUDIO0_REG);
+- val &= ~BIT(1) | BIT(0);
++ val &= ~(BIT(1) | BIT(0));
+ writel(val, reg + SUN20I_D1_PLL_AUDIO0_REG);
+
+ /* Force fanout-27M factor N to 0. */
+--
+2.43.0
+
--- /dev/null
+From a5039c73bac871f718809bc35e3ef8701802c09d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 12:23:56 +0100
+Subject: clocksource/drivers:sp804: Make user selectable
+
+From: Mark Brown <broonie@kernel.org>
+
+[ Upstream commit 0309f714a0908e947af1c902cf6a330cb593e75e ]
+
+The sp804 is currently only user selectable if COMPILE_TEST, this was
+done by commit dfc82faad725 ("clocksource/drivers/sp804: Add
+COMPILE_TEST to CONFIG_ARM_TIMER_SP804") in order to avoid it being
+spuriously offered on platforms that won't have the hardware since it's
+generally only seen on Arm based platforms. This config is overly
+restrictive, while platforms that rely on the SP804 do select it in
+their Kconfig there are others such as the Arm fast models which have a
+SP804 available but currently unused by Linux. Relax the dependency to
+allow it to be user selectable on arm and arm64 to avoid surprises and
+in case someone comes up with a use for extra timer hardware.
+
+Fixes: dfc82faad725 ("clocksource/drivers/sp804: Add COMPILE_TEST to CONFIG_ARM_TIMER_SP804")
+Reported-by: Ross Burton <ross.burton@arm.com>
+Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20241001-arm64-vexpress-sp804-v3-1-0a2d3f7883e4@kernel.org
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/Kconfig | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clocksource/Kconfig b/drivers/clocksource/Kconfig
+index 4469e7f555e97..c957bd470507e 100644
+--- a/drivers/clocksource/Kconfig
++++ b/drivers/clocksource/Kconfig
+@@ -390,7 +390,8 @@ config ARM_GT_INITIAL_PRESCALER_VAL
+ This affects CPU_FREQ max delta from the initial frequency.
+
+ config ARM_TIMER_SP804
+- bool "Support for Dual Timer SP804 module" if COMPILE_TEST
++ bool "Support for Dual Timer SP804 module"
++ depends on ARM || ARM64 || COMPILE_TEST
+ depends on GENERIC_SCHED_CLOCK && HAVE_CLK
+ select CLKSRC_MMIO
+ select TIMER_OF if OF
+--
+2.43.0
+
--- /dev/null
+From 88fa54af085a10c5dc78209f0e294ee756483086 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Oct 2024 13:54:23 +0100
+Subject: clocksource/drivers/timer-ti-dm: Fix child node refcount handling
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+[ Upstream commit e5cfc0989d9a2849c51c720a16b90b2c061a1aeb ]
+
+of_find_compatible_node() increments the node's refcount, and it must be
+decremented again with a call to of_node_put() when the pointer is no
+longer required to avoid leaking the resource.
+
+Instead of adding the missing calls to of_node_put() in all execution
+paths, use the cleanup attribute for 'arm_timer' by means of the
+__free() macro, which automatically calls of_node_put() when the
+variable goes out of scope.
+
+Fixes: 25de4ce5ed02 ("clocksource/drivers/timer-ti-dm: Handle dra7 timer wrap errata i940")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://lore.kernel.org/r/20241031-timer-ti-dm-systimer-of_node_put-v3-1-063ee822b73a@gmail.com
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/timer-ti-dm-systimer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clocksource/timer-ti-dm-systimer.c b/drivers/clocksource/timer-ti-dm-systimer.c
+index 632523c1232f6..734920e8c5759 100644
+--- a/drivers/clocksource/timer-ti-dm-systimer.c
++++ b/drivers/clocksource/timer-ti-dm-systimer.c
+@@ -688,9 +688,9 @@ subsys_initcall(dmtimer_percpu_timer_startup);
+
+ static int __init dmtimer_percpu_quirk_init(struct device_node *np, u32 pa)
+ {
+- struct device_node *arm_timer;
++ struct device_node *arm_timer __free(device_node) =
++ of_find_compatible_node(NULL, NULL, "arm,armv7-timer");
+
+- arm_timer = of_find_compatible_node(NULL, NULL, "arm,armv7-timer");
+ if (of_device_is_available(arm_timer)) {
+ pr_warn_once("ARM architected timer wrap issue i940 detected\n");
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From de287184094cec577a56b28781b42047c507a3c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Nov 2024 19:18:25 +0000
+Subject: counter: stm32-timer-cnt: Add check for clk_enable()
+
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+
+[ Upstream commit 842c3755a6bfbfcafa4a1438078d2485a9eb1d87 ]
+
+Add check for the return value of clk_enable() in order to catch the
+potential exception.
+
+Fixes: c5b8425514da ("counter: stm32-timer-cnt: add power management support")
+Fixes: ad29937e206f ("counter: Add STM32 Timer quadrature encoder")
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Link: https://lore.kernel.org/r/20241104191825.40155-1-jiashengjiangcool@gmail.com
+Signed-off-by: William Breathitt Gray <wbg@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/counter/stm32-timer-cnt.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/counter/stm32-timer-cnt.c b/drivers/counter/stm32-timer-cnt.c
+index 9bf20a5d6bda8..e752fc8cb190a 100644
+--- a/drivers/counter/stm32-timer-cnt.c
++++ b/drivers/counter/stm32-timer-cnt.c
+@@ -195,11 +195,17 @@ static int stm32_count_enable_write(struct counter_device *counter,
+ {
+ struct stm32_timer_cnt *const priv = counter_priv(counter);
+ u32 cr1;
++ int ret;
+
+ if (enable) {
+ regmap_read(priv->regmap, TIM_CR1, &cr1);
+- if (!(cr1 & TIM_CR1_CEN))
+- clk_enable(priv->clk);
++ if (!(cr1 & TIM_CR1_CEN)) {
++ ret = clk_enable(priv->clk);
++ if (ret) {
++ dev_err(counter->parent, "Cannot enable clock %d\n", ret);
++ return ret;
++ }
++ }
+
+ regmap_update_bits(priv->regmap, TIM_CR1, TIM_CR1_CEN,
+ TIM_CR1_CEN);
+@@ -380,7 +386,11 @@ static int __maybe_unused stm32_timer_cnt_resume(struct device *dev)
+ return ret;
+
+ if (priv->enabled) {
+- clk_enable(priv->clk);
++ ret = clk_enable(priv->clk);
++ if (ret) {
++ dev_err(dev, "Cannot enable clock %d\n", ret);
++ return ret;
++ }
+
+ /* Restore registers that may have been lost */
+ regmap_write(priv->regmap, TIM_SMCR, priv->bak.smcr);
+--
+2.43.0
+
--- /dev/null
+From feb8fa9fdb6ea1477ebb7760af2a354988524a3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Nov 2024 19:40:59 +0000
+Subject: counter: ti-ecap-capture: Add check for clk_enable()
+
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+
+[ Upstream commit 1437d9f1c56fce9c24e566508bce1d218dd5497a ]
+
+Add check for the return value of clk_enable() in order to catch the
+potential exception.
+
+Fixes: 4e2f42aa00b6 ("counter: ti-ecap-capture: capture driver support for ECAP")
+Reviewed-by: Julien Panis <jpanis@baylibre.com>
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Link: https://lore.kernel.org/r/20241104194059.47924-1-jiashengjiangcool@gmail.com
+Signed-off-by: William Breathitt Gray <wbg@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/counter/ti-ecap-capture.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/counter/ti-ecap-capture.c b/drivers/counter/ti-ecap-capture.c
+index fb1cb1774674a..b84e368a413f5 100644
+--- a/drivers/counter/ti-ecap-capture.c
++++ b/drivers/counter/ti-ecap-capture.c
+@@ -576,8 +576,13 @@ static int ecap_cnt_resume(struct device *dev)
+ {
+ struct counter_device *counter_dev = dev_get_drvdata(dev);
+ struct ecap_cnt_dev *ecap_dev = counter_priv(counter_dev);
++ int ret;
+
+- clk_enable(ecap_dev->clk);
++ ret = clk_enable(ecap_dev->clk);
++ if (ret) {
++ dev_err(dev, "Cannot enable clock %d\n", ret);
++ return ret;
++ }
+
+ ecap_cnt_capture_set_evmode(counter_dev, ecap_dev->pm_ctx.ev_mode);
+
+--
+2.43.0
+
--- /dev/null
+From d2b7b85d69c5e1a6fdb66b8e2cc7a229b4535c6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Oct 2024 16:24:49 +0800
+Subject: cpufreq: CPPC: Fix possible null-ptr-deref for cppc_get_cpu_cost()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 1a1374bb8c5926674973d849feed500bc61ad535 ]
+
+cpufreq_cpu_get_raw() may return NULL if the cpu is not in
+policy->cpus cpu mask and it will cause null pointer dereference,
+so check NULL for cppc_get_cpu_cost().
+
+Fixes: 740fcdc2c20e ("cpufreq: CPPC: Register EM based on efficiency class information")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cppc_cpufreq.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/cpufreq/cppc_cpufreq.c b/drivers/cpufreq/cppc_cpufreq.c
+index d8c8363167a78..0a2c21d5bc1c8 100644
+--- a/drivers/cpufreq/cppc_cpufreq.c
++++ b/drivers/cpufreq/cppc_cpufreq.c
+@@ -492,6 +492,9 @@ static int cppc_get_cpu_cost(struct device *cpu_dev, unsigned long KHz,
+ int step;
+
+ policy = cpufreq_cpu_get_raw(cpu_dev->id);
++ if (!policy)
++ return 0;
++
+ cpu_data = policy->driver_data;
+ perf_caps = &cpu_data->perf_caps;
+ max_cap = arch_scale_cpu_capacity(cpu_dev->id);
+--
+2.43.0
+
--- /dev/null
+From eb40bb2df732655873132cf30df879f5bab51e65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Oct 2024 09:20:19 +0800
+Subject: cpufreq: CPPC: Fix possible null-ptr-deref for cpufreq_cpu_get_raw()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit a78e7207564258db6e373e86294a85f9d646d35a ]
+
+cpufreq_cpu_get_raw() may return NULL if the cpu is not in
+policy->cpus cpu mask and it will cause null pointer dereference.
+
+Fixes: 740fcdc2c20e ("cpufreq: CPPC: Register EM based on efficiency class information")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cppc_cpufreq.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/cpufreq/cppc_cpufreq.c b/drivers/cpufreq/cppc_cpufreq.c
+index 0050242d382e7..d8c8363167a78 100644
+--- a/drivers/cpufreq/cppc_cpufreq.c
++++ b/drivers/cpufreq/cppc_cpufreq.c
+@@ -422,6 +422,9 @@ static int cppc_get_cpu_power(struct device *cpu_dev,
+ struct cppc_cpudata *cpu_data;
+
+ policy = cpufreq_cpu_get_raw(cpu_dev->id);
++ if (!policy)
++ return 0;
++
+ cpu_data = policy->driver_data;
+ perf_caps = &cpu_data->perf_caps;
+ max_cap = arch_scale_cpu_capacity(cpu_dev->id);
+--
+2.43.0
+
--- /dev/null
+From c525ce903f12d2f6dd6dc69f0d2febc7bf8bd592 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Nov 2024 09:12:38 +0800
+Subject: cpufreq: CPPC: Fix wrong return value in cppc_get_cpu_cost()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit be392aa80f1e5b0b65ccc2a540b9304fefcfe3d8 ]
+
+cppc_get_cpu_cost() return 0 if the policy is NULL. Then in
+em_compute_costs(), the later zero check for cost is not valid
+as cost is uninitialized. As Quentin pointed out, kernel energy model
+core check the return value of get_cost() first, so if the callback
+failed it should tell the core. Return -EINVAL to fix it.
+
+Fixes: 1a1374bb8c59 ("cpufreq: CPPC: Fix possible null-ptr-deref for cppc_get_cpu_cost()")
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/all/c4765377-7830-44c2-84fa-706b6e304e10@stanley.mountain/
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Suggested-by: Quentin Perret <qperret@google.com>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cppc_cpufreq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/cpufreq/cppc_cpufreq.c b/drivers/cpufreq/cppc_cpufreq.c
+index 0a2c21d5bc1c8..fd02702de504c 100644
+--- a/drivers/cpufreq/cppc_cpufreq.c
++++ b/drivers/cpufreq/cppc_cpufreq.c
+@@ -493,7 +493,7 @@ static int cppc_get_cpu_cost(struct device *cpu_dev, unsigned long KHz,
+
+ policy = cpufreq_cpu_get_raw(cpu_dev->id);
+ if (!policy)
+- return 0;
++ return -EINVAL;
+
+ cpu_data = policy->driver_data;
+ perf_caps = &cpu_data->perf_caps;
+--
+2.43.0
+
--- /dev/null
+From 34748b0e0f54721a183a8915b1b5a3de97582684 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Nov 2024 09:01:11 +0800
+Subject: cpufreq: CPPC: Fix wrong return value in cppc_get_cpu_power()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit b51eb0874d8170028434fbd259e80b78ed9b8eca ]
+
+cppc_get_cpu_power() return 0 if the policy is NULL. Then in
+em_create_perf_table(), the later zero check for power is not valid
+as power is uninitialized. As Quentin pointed out, kernel energy model
+core check the return value of active_power() first, so if the callback
+failed it should tell the core. So return -EINVAL to fix it.
+
+Fixes: a78e72075642 ("cpufreq: CPPC: Fix possible null-ptr-deref for cpufreq_cpu_get_raw()")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Suggested-by: Quentin Perret <qperret@google.com>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cppc_cpufreq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/cpufreq/cppc_cpufreq.c b/drivers/cpufreq/cppc_cpufreq.c
+index fd02702de504c..12fc07ed3502b 100644
+--- a/drivers/cpufreq/cppc_cpufreq.c
++++ b/drivers/cpufreq/cppc_cpufreq.c
+@@ -423,7 +423,7 @@ static int cppc_get_cpu_power(struct device *cpu_dev,
+
+ policy = cpufreq_cpu_get_raw(cpu_dev->id);
+ if (!policy)
+- return 0;
++ return -EINVAL;
+
+ cpu_data = policy->driver_data;
+ perf_caps = &cpu_data->perf_caps;
+--
+2.43.0
+
--- /dev/null
+From 676ab325b243206482f9b63462d667644f3472b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2024 17:06:15 +0800
+Subject: cpufreq: loongson2: Unregister platform_driver on failure
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 5f856d71ccdf89b4bac0ff70ebb0bb582e7f7f18 ]
+
+When cpufreq_register_driver() returns error, the cpufreq_init() returns
+without unregister platform_driver, fix by add missing
+platform_driver_unregister() when cpufreq_register_driver() failed.
+
+Fixes: f8ede0f700f5 ("MIPS: Loongson 2F: Add CPU frequency scaling support")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/loongson2_cpufreq.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/cpufreq/loongson2_cpufreq.c b/drivers/cpufreq/loongson2_cpufreq.c
+index afc59b292153d..63cae4037deb1 100644
+--- a/drivers/cpufreq/loongson2_cpufreq.c
++++ b/drivers/cpufreq/loongson2_cpufreq.c
+@@ -154,7 +154,9 @@ static int __init cpufreq_init(void)
+
+ ret = cpufreq_register_driver(&loongson2_cpufreq_driver);
+
+- if (!ret && !nowait) {
++ if (ret) {
++ platform_driver_unregister(&platform_driver);
++ } else if (!nowait) {
+ saved_cpu_wait = cpu_wait;
+ cpu_wait = loongson2_cpu_wait;
+ }
+--
+2.43.0
+
--- /dev/null
+From 9d3ec7eec6089d33d8c24891f2bf5a64d8a24de3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Apr 2023 14:24:17 +0800
+Subject: crypto: api - Add crypto_clone_tfm
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 3c3a24cb0ae46c9c45e4ce2272f84f0504831f59 ]
+
+This patch adds the helper crypto_clone_tfm. The purpose is to
+allocate a tfm object with GFP_ATOMIC. As we cannot sleep, the
+object has to be cloned from an existing tfm object.
+
+This allows code paths that cannot otherwise allocate a crypto_tfm
+object to do so. Once a new tfm has been obtained its key could
+then be changed without impacting other users.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Stable-dep-of: 1465036b10be ("llc: Improve setsockopt() handling of malformed user input")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/api.c | 59 +++++++++++++++++++++++++++++++++++++++--------
+ crypto/internal.h | 2 ++
+ 2 files changed, 52 insertions(+), 9 deletions(-)
+
+diff --git a/crypto/api.c b/crypto/api.c
+index c58774586d9fb..4308b1c8ca2ea 100644
+--- a/crypto/api.c
++++ b/crypto/api.c
+@@ -489,28 +489,44 @@ struct crypto_tfm *crypto_alloc_base(const char *alg_name, u32 type, u32 mask)
+ }
+ EXPORT_SYMBOL_GPL(crypto_alloc_base);
+
+-void *crypto_create_tfm_node(struct crypto_alg *alg,
+- const struct crypto_type *frontend,
+- int node)
++static void *crypto_alloc_tfmmem(struct crypto_alg *alg,
++ const struct crypto_type *frontend, int node,
++ gfp_t gfp)
+ {
+- char *mem;
+- struct crypto_tfm *tfm = NULL;
++ struct crypto_tfm *tfm;
+ unsigned int tfmsize;
+ unsigned int total;
+- int err = -ENOMEM;
++ char *mem;
+
+ tfmsize = frontend->tfmsize;
+ total = tfmsize + sizeof(*tfm) + frontend->extsize(alg);
+
+- mem = kzalloc_node(total, GFP_KERNEL, node);
++ mem = kzalloc_node(total, gfp, node);
+ if (mem == NULL)
+- goto out_err;
++ return ERR_PTR(-ENOMEM);
+
+ tfm = (struct crypto_tfm *)(mem + tfmsize);
+ tfm->__crt_alg = alg;
+ tfm->node = node;
+ refcount_set(&tfm->refcnt, 1);
+
++ return mem;
++}
++
++void *crypto_create_tfm_node(struct crypto_alg *alg,
++ const struct crypto_type *frontend,
++ int node)
++{
++ struct crypto_tfm *tfm;
++ char *mem;
++ int err;
++
++ mem = crypto_alloc_tfmmem(alg, frontend, node, GFP_KERNEL);
++ if (IS_ERR(mem))
++ goto out;
++
++ tfm = (struct crypto_tfm *)(mem + frontend->tfmsize);
++
+ err = frontend->init_tfm(tfm);
+ if (err)
+ goto out_free_tfm;
+@@ -526,13 +542,38 @@ void *crypto_create_tfm_node(struct crypto_alg *alg,
+ if (err == -EAGAIN)
+ crypto_shoot_alg(alg);
+ kfree(mem);
+-out_err:
+ mem = ERR_PTR(err);
+ out:
+ return mem;
+ }
+ EXPORT_SYMBOL_GPL(crypto_create_tfm_node);
+
++void *crypto_clone_tfm(const struct crypto_type *frontend,
++ struct crypto_tfm *otfm)
++{
++ struct crypto_alg *alg = otfm->__crt_alg;
++ struct crypto_tfm *tfm;
++ char *mem;
++
++ mem = ERR_PTR(-ESTALE);
++ if (unlikely(!crypto_mod_get(alg)))
++ goto out;
++
++ mem = crypto_alloc_tfmmem(alg, frontend, otfm->node, GFP_ATOMIC);
++ if (IS_ERR(mem)) {
++ crypto_mod_put(alg);
++ goto out;
++ }
++
++ tfm = (struct crypto_tfm *)(mem + frontend->tfmsize);
++ tfm->crt_flags = otfm->crt_flags;
++ tfm->exit = otfm->exit;
++
++out:
++ return mem;
++}
++EXPORT_SYMBOL_GPL(crypto_clone_tfm);
++
+ struct crypto_alg *crypto_find_alg(const char *alg_name,
+ const struct crypto_type *frontend,
+ u32 type, u32 mask)
+diff --git a/crypto/internal.h b/crypto/internal.h
+index 521bc021c54bc..e81cd7594b35e 100644
+--- a/crypto/internal.h
++++ b/crypto/internal.h
+@@ -86,6 +86,8 @@ struct crypto_tfm *__crypto_alloc_tfm(struct crypto_alg *alg, u32 type,
+ u32 mask);
+ void *crypto_create_tfm_node(struct crypto_alg *alg,
+ const struct crypto_type *frontend, int node);
++void *crypto_clone_tfm(const struct crypto_type *frontend,
++ struct crypto_tfm *otfm);
+
+ static inline void *crypto_create_tfm(struct crypto_alg *alg,
+ const struct crypto_type *frontend)
+--
+2.43.0
+
--- /dev/null
+From 95daf6ee243e7f34ca304d96a1423eeecaf3210f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Apr 2023 14:24:15 +0800
+Subject: crypto: api - Add crypto_tfm_get
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit ae131f4970f0778f35ed06aeb15bde2fbc1d9619 ]
+
+Add a crypto_tfm_get interface to allow tfm objects to be shared.
+They can still be freed in the usual way.
+
+This should only be done with tfm objects with no keys. You must
+also not modify the tfm flags in any way once it becomes shared.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Stable-dep-of: 1465036b10be ("llc: Improve setsockopt() handling of malformed user input")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/api.c | 4 ++++
+ crypto/internal.h | 6 ++++++
+ include/linux/crypto.h | 1 +
+ 3 files changed, 11 insertions(+)
+
+diff --git a/crypto/api.c b/crypto/api.c
+index 64f2d365a8e94..c58774586d9fb 100644
+--- a/crypto/api.c
++++ b/crypto/api.c
+@@ -409,6 +409,7 @@ struct crypto_tfm *__crypto_alloc_tfm(struct crypto_alg *alg, u32 type,
+ goto out_err;
+
+ tfm->__crt_alg = alg;
++ refcount_set(&tfm->refcnt, 1);
+
+ err = crypto_init_ops(tfm, type, mask);
+ if (err)
+@@ -508,6 +509,7 @@ void *crypto_create_tfm_node(struct crypto_alg *alg,
+ tfm = (struct crypto_tfm *)(mem + tfmsize);
+ tfm->__crt_alg = alg;
+ tfm->node = node;
++ refcount_set(&tfm->refcnt, 1);
+
+ err = frontend->init_tfm(tfm);
+ if (err)
+@@ -620,6 +622,8 @@ void crypto_destroy_tfm(void *mem, struct crypto_tfm *tfm)
+ if (IS_ERR_OR_NULL(mem))
+ return;
+
++ if (!refcount_dec_and_test(&tfm->refcnt))
++ return;
+ alg = tfm->__crt_alg;
+
+ if (!tfm->exit && alg->cra_exit)
+diff --git a/crypto/internal.h b/crypto/internal.h
+index c08385571853e..521bc021c54bc 100644
+--- a/crypto/internal.h
++++ b/crypto/internal.h
+@@ -10,6 +10,7 @@
+
+ #include <crypto/algapi.h>
+ #include <linux/completion.h>
++#include <linux/err.h>
+ #include <linux/jump_label.h>
+ #include <linux/list.h>
+ #include <linux/module.h>
+@@ -166,5 +167,10 @@ static inline int crypto_is_test_larval(struct crypto_larval *larval)
+ return larval->alg.cra_driver_name[0];
+ }
+
++static inline struct crypto_tfm *crypto_tfm_get(struct crypto_tfm *tfm)
++{
++ return refcount_inc_not_zero(&tfm->refcnt) ? tfm : ERR_PTR(-EOVERFLOW);
++}
++
+ #endif /* _CRYPTO_INTERNAL_H */
+
+diff --git a/include/linux/crypto.h b/include/linux/crypto.h
+index e3c4be29aaccb..d354a2a7ac5ff 100644
+--- a/include/linux/crypto.h
++++ b/include/linux/crypto.h
+@@ -642,6 +642,7 @@ int crypto_has_alg(const char *name, u32 type, u32 mask);
+ */
+
+ struct crypto_tfm {
++ refcount_t refcnt;
+
+ u32 crt_flags;
+
+--
+2.43.0
+
--- /dev/null
+From 296039a91884c03316ffe3d9b5d77c2b1aec5ac4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Nov 2024 12:17:45 +0000
+Subject: crypto: bcm - add error check in the ahash_hmac_init function
+
+From: Chen Ridong <chenridong@huawei.com>
+
+[ Upstream commit 19630cf57233e845b6ac57c9c969a4888925467b ]
+
+The ahash_init functions may return fails. The ahash_hmac_init should
+not return ok when ahash_init returns error. For an example, ahash_init
+will return -ENOMEM when allocation memory is error.
+
+Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver")
+Signed-off-by: Chen Ridong <chenridong@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/bcm/cipher.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/bcm/cipher.c b/drivers/crypto/bcm/cipher.c
+index c8c799428fe0b..9a3e4d76acf75 100644
+--- a/drivers/crypto/bcm/cipher.c
++++ b/drivers/crypto/bcm/cipher.c
+@@ -2415,6 +2415,7 @@ static int ahash_hmac_setkey(struct crypto_ahash *ahash, const u8 *key,
+
+ static int ahash_hmac_init(struct ahash_request *req)
+ {
++ int ret;
+ struct iproc_reqctx_s *rctx = ahash_request_ctx(req);
+ struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
+ struct iproc_ctx_s *ctx = crypto_ahash_ctx(tfm);
+@@ -2424,7 +2425,9 @@ static int ahash_hmac_init(struct ahash_request *req)
+ flow_log("ahash_hmac_init()\n");
+
+ /* init the context as a hash */
+- ahash_init(req);
++ ret = ahash_init(req);
++ if (ret)
++ return ret;
+
+ if (!spu_no_incr_hash(ctx)) {
+ /* SPU-M can do incr hashing but needs sw for outer HMAC */
+--
+2.43.0
+
--- /dev/null
+From d789764bfd86d36ed8d20bcc725602290a56f15f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Nov 2024 12:15:11 +0000
+Subject: crypto: caam - add error check to caam_rsa_set_priv_key_form
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chen Ridong <chenridong@huawei.com>
+
+[ Upstream commit b64140c74e954f1db6eae5548ca3a1f41b6fad79 ]
+
+The caam_rsa_set_priv_key_form did not check for memory allocation errors.
+Add the checks to the caam_rsa_set_priv_key_form functions.
+
+Fixes: 52e26d77b8b3 ("crypto: caam - add support for RSA key form 2")
+Signed-off-by: Chen Ridong <chenridong@huawei.com>
+Reviewed-by: Gaurav Jain <gaurav.jain@nxp.com>
+Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/caam/caampkc.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/crypto/caam/caampkc.c b/drivers/crypto/caam/caampkc.c
+index 51b48b57266a6..7881846651d12 100644
+--- a/drivers/crypto/caam/caampkc.c
++++ b/drivers/crypto/caam/caampkc.c
+@@ -979,7 +979,7 @@ static int caam_rsa_set_pub_key(struct crypto_akcipher *tfm, const void *key,
+ return -ENOMEM;
+ }
+
+-static void caam_rsa_set_priv_key_form(struct caam_rsa_ctx *ctx,
++static int caam_rsa_set_priv_key_form(struct caam_rsa_ctx *ctx,
+ struct rsa_key *raw_key)
+ {
+ struct caam_rsa_key *rsa_key = &ctx->key;
+@@ -988,7 +988,7 @@ static void caam_rsa_set_priv_key_form(struct caam_rsa_ctx *ctx,
+
+ rsa_key->p = caam_read_raw_data(raw_key->p, &p_sz);
+ if (!rsa_key->p)
+- return;
++ return -ENOMEM;
+ rsa_key->p_sz = p_sz;
+
+ rsa_key->q = caam_read_raw_data(raw_key->q, &q_sz);
+@@ -1021,7 +1021,7 @@ static void caam_rsa_set_priv_key_form(struct caam_rsa_ctx *ctx,
+
+ rsa_key->priv_form = FORM3;
+
+- return;
++ return 0;
+
+ free_dq:
+ kfree_sensitive(rsa_key->dq);
+@@ -1035,6 +1035,7 @@ static void caam_rsa_set_priv_key_form(struct caam_rsa_ctx *ctx,
+ kfree_sensitive(rsa_key->q);
+ free_p:
+ kfree_sensitive(rsa_key->p);
++ return -ENOMEM;
+ }
+
+ static int caam_rsa_set_priv_key(struct crypto_akcipher *tfm, const void *key,
+@@ -1080,7 +1081,9 @@ static int caam_rsa_set_priv_key(struct crypto_akcipher *tfm, const void *key,
+ rsa_key->e_sz = raw_key.e_sz;
+ rsa_key->n_sz = raw_key.n_sz;
+
+- caam_rsa_set_priv_key_form(ctx, &raw_key);
++ ret = caam_rsa_set_priv_key_form(ctx, &raw_key);
++ if (ret)
++ goto err;
+
+ return 0;
+
+--
+2.43.0
+
--- /dev/null
+From acc62df820a1c2b41ee3ae78bf4c1d30d2051265 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Sep 2024 12:22:12 +0200
+Subject: crypto: caam - Fix the pointer passed to caam_qi_shutdown()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit ad980b04f51f7fb503530bd1cb328ba5e75a250e ]
+
+The type of the last parameter given to devm_add_action_or_reset() is
+"struct caam_drv_private *", but in caam_qi_shutdown(), it is casted to
+"struct device *".
+
+Pass the correct parameter to devm_add_action_or_reset() so that the
+resources are released as expected.
+
+Fixes: f414de2e2fff ("crypto: caam - use devres to de-initialize QI")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/caam/qi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/caam/qi.c b/drivers/crypto/caam/qi.c
+index c36f27376d7e0..9f6db61e5c0d9 100644
+--- a/drivers/crypto/caam/qi.c
++++ b/drivers/crypto/caam/qi.c
+@@ -765,7 +765,7 @@ int caam_qi_init(struct platform_device *caam_pdev)
+
+ caam_debugfs_qi_init(ctrlpriv);
+
+- err = devm_add_action_or_reset(qidev, caam_qi_shutdown, ctrlpriv);
++ err = devm_add_action_or_reset(qidev, caam_qi_shutdown, qidev);
+ if (err)
+ return err;
+
+--
+2.43.0
+
--- /dev/null
+From 11108ec5980c6857906c503dc3ca0488a1440b70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Nov 2024 18:22:27 +0100
+Subject: crypto: cavium - Fix an error handling path in cpt_ucode_load_fw()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 572b7cf08403b6c67dfe0dc3e0f2efb42443254f ]
+
+If do_cpt_init() fails, a previous dma_alloc_coherent() call needs to be
+undone.
+
+Add the needed dma_free_coherent() before returning.
+
+Fixes: 9e2c7d99941d ("crypto: cavium - Add Support for Octeon-tx CPT Engine")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/cavium/cpt/cptpf_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/crypto/cavium/cpt/cptpf_main.c b/drivers/crypto/cavium/cpt/cptpf_main.c
+index ec17beee24c07..54de869e5374c 100644
+--- a/drivers/crypto/cavium/cpt/cptpf_main.c
++++ b/drivers/crypto/cavium/cpt/cptpf_main.c
+@@ -302,6 +302,8 @@ static int cpt_ucode_load_fw(struct cpt_device *cpt, const u8 *fw, bool is_ae)
+
+ ret = do_cpt_init(cpt, mcode);
+ if (ret) {
++ dma_free_coherent(&cpt->pdev->dev, mcode->code_size,
++ mcode->code, mcode->phys_base);
+ dev_err(dev, "do_cpt_init failed with ret: %d\n", ret);
+ goto fw_release;
+ }
+--
+2.43.0
+
--- /dev/null
+From 37efa056c9ef9be2fe753d2b765be2d0fc0381bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Oct 2024 10:23:10 -0600
+Subject: crypto: cavium - Fix the if condition to exit loop after timeout
+
+From: Everest K.C <everestkc@everestkc.com.np>
+
+[ Upstream commit 53d91ca76b6c426c546542a44c78507b42008c9e ]
+
+The while loop breaks in the first run because of incorrect
+if condition. It also causes the statements after the if to
+appear dead.
+Fix this by changing the condition from if(timeout--) to
+if(!timeout--).
+
+This bug was reported by Coverity Scan.
+Report:
+CID 1600859: (#1 of 1): Logically dead code (DEADCODE)
+dead_error_line: Execution cannot reach this statement: udelay(30UL);
+
+Fixes: 9e2c7d99941d ("crypto: cavium - Add Support for Octeon-tx CPT Engine")
+Signed-off-by: Everest K.C. <everestkc@everestkc.com.np>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/cavium/cpt/cptpf_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/cavium/cpt/cptpf_main.c b/drivers/crypto/cavium/cpt/cptpf_main.c
+index 6872ac3440010..ec17beee24c07 100644
+--- a/drivers/crypto/cavium/cpt/cptpf_main.c
++++ b/drivers/crypto/cavium/cpt/cptpf_main.c
+@@ -44,7 +44,7 @@ static void cpt_disable_cores(struct cpt_device *cpt, u64 coremask,
+ dev_err(dev, "Cores still busy %llx", coremask);
+ grp = cpt_read_csr64(cpt->reg_base,
+ CPTX_PF_EXEC_BUSY(0));
+- if (timeout--)
++ if (!timeout--)
+ break;
+
+ udelay(CSR_DELAY);
+@@ -394,7 +394,7 @@ static void cpt_disable_all_cores(struct cpt_device *cpt)
+ dev_err(dev, "Cores still busy");
+ grp = cpt_read_csr64(cpt->reg_base,
+ CPTX_PF_EXEC_BUSY(0));
+- if (timeout--)
++ if (!timeout--)
+ break;
+
+ udelay(CSR_DELAY);
+--
+2.43.0
+
--- /dev/null
+From 1fedf6e6fc00399e2a5ea81adcf0744391dfbf8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Oct 2024 19:44:29 +0800
+Subject: crypto: hisilicon/qm - disable same error report before resetting
+
+From: Weili Qian <qianweili@huawei.com>
+
+[ Upstream commit c418ba6baca3ae10ffaf47b0803d2a9e6bf1af96 ]
+
+If an error indicating that the device needs to be reset is reported,
+disable the error reporting before device reset is complete,
+enable the error reporting after the reset is complete to prevent
+the same error from being reported repeatedly.
+
+Fixes: eaebf4c3b103 ("crypto: hisilicon - Unify hardware error init/uninit into QM")
+Signed-off-by: Weili Qian <qianweili@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/hisilicon/hpre/hpre_main.c | 35 ++++++++++++++---
+ drivers/crypto/hisilicon/qm.c | 47 +++++++----------------
+ drivers/crypto/hisilicon/sec2/sec_main.c | 35 ++++++++++++++---
+ drivers/crypto/hisilicon/zip/zip_main.c | 35 ++++++++++++++---
+ include/linux/hisi_acc_qm.h | 8 +++-
+ 5 files changed, 110 insertions(+), 50 deletions(-)
+
+diff --git a/drivers/crypto/hisilicon/hpre/hpre_main.c b/drivers/crypto/hisilicon/hpre/hpre_main.c
+index e9abb66773fe9..b0596564d27d8 100644
+--- a/drivers/crypto/hisilicon/hpre/hpre_main.c
++++ b/drivers/crypto/hisilicon/hpre/hpre_main.c
+@@ -1281,11 +1281,15 @@ static u32 hpre_get_hw_err_status(struct hisi_qm *qm)
+
+ static void hpre_clear_hw_err_status(struct hisi_qm *qm, u32 err_sts)
+ {
+- u32 nfe;
+-
+ writel(err_sts, qm->io_base + HPRE_HAC_SOURCE_INT);
+- nfe = hisi_qm_get_hw_info(qm, hpre_basic_info, HPRE_NFE_MASK_CAP, qm->cap_ver);
+- writel(nfe, qm->io_base + HPRE_RAS_NFE_ENB);
++}
++
++static void hpre_disable_error_report(struct hisi_qm *qm, u32 err_type)
++{
++ u32 nfe_mask;
++
++ nfe_mask = hisi_qm_get_hw_info(qm, hpre_basic_info, HPRE_NFE_MASK_CAP, qm->cap_ver);
++ writel(nfe_mask & (~err_type), qm->io_base + HPRE_RAS_NFE_ENB);
+ }
+
+ static void hpre_open_axi_master_ooo(struct hisi_qm *qm)
+@@ -1299,6 +1303,27 @@ static void hpre_open_axi_master_ooo(struct hisi_qm *qm)
+ qm->io_base + HPRE_AM_OOO_SHUTDOWN_ENB);
+ }
+
++static enum acc_err_result hpre_get_err_result(struct hisi_qm *qm)
++{
++ u32 err_status;
++
++ err_status = hpre_get_hw_err_status(qm);
++ if (err_status) {
++ if (err_status & qm->err_info.ecc_2bits_mask)
++ qm->err_status.is_dev_ecc_mbit = true;
++ hpre_log_hw_error(qm, err_status);
++
++ if (err_status & qm->err_info.dev_reset_mask) {
++ /* Disable the same error reporting until device is recovered. */
++ hpre_disable_error_report(qm, err_status);
++ return ACC_ERR_NEED_RESET;
++ }
++ hpre_clear_hw_err_status(qm, err_status);
++ }
++
++ return ACC_ERR_RECOVERED;
++}
++
+ static void hpre_err_info_init(struct hisi_qm *qm)
+ {
+ struct hisi_qm_err_info *err_info = &qm->err_info;
+@@ -1325,12 +1350,12 @@ static const struct hisi_qm_err_ini hpre_err_ini = {
+ .hw_err_disable = hpre_hw_error_disable,
+ .get_dev_hw_err_status = hpre_get_hw_err_status,
+ .clear_dev_hw_err_status = hpre_clear_hw_err_status,
+- .log_dev_hw_err = hpre_log_hw_error,
+ .open_axi_master_ooo = hpre_open_axi_master_ooo,
+ .open_sva_prefetch = hpre_open_sva_prefetch,
+ .close_sva_prefetch = hpre_close_sva_prefetch,
+ .show_last_dfx_regs = hpre_show_last_dfx_regs,
+ .err_info_init = hpre_err_info_init,
++ .get_err_result = hpre_get_err_result,
+ };
+
+ static int hpre_pf_probe_init(struct hpre *hpre)
+diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c
+index df14727f6e714..a9bf65da30a68 100644
+--- a/drivers/crypto/hisilicon/qm.c
++++ b/drivers/crypto/hisilicon/qm.c
+@@ -281,12 +281,6 @@ enum vft_type {
+ SHAPER_VFT,
+ };
+
+-enum acc_err_result {
+- ACC_ERR_NONE,
+- ACC_ERR_NEED_RESET,
+- ACC_ERR_RECOVERED,
+-};
+-
+ enum qm_alg_type {
+ ALG_TYPE_0,
+ ALG_TYPE_1,
+@@ -1503,22 +1497,25 @@ static void qm_log_hw_error(struct hisi_qm *qm, u32 error_status)
+
+ static enum acc_err_result qm_hw_error_handle_v2(struct hisi_qm *qm)
+ {
+- u32 error_status, tmp;
+-
+- /* read err sts */
+- tmp = readl(qm->io_base + QM_ABNORMAL_INT_STATUS);
+- error_status = qm->error_mask & tmp;
++ u32 error_status;
+
+- if (error_status) {
++ error_status = qm_get_hw_error_status(qm);
++ if (error_status & qm->error_mask) {
+ if (error_status & QM_ECC_MBIT)
+ qm->err_status.is_qm_ecc_mbit = true;
+
+ qm_log_hw_error(qm, error_status);
+- if (error_status & qm->err_info.qm_reset_mask)
++ if (error_status & qm->err_info.qm_reset_mask) {
++ /* Disable the same error reporting until device is recovered. */
++ writel(qm->err_info.nfe & (~error_status),
++ qm->io_base + QM_RAS_NFE_ENABLE);
+ return ACC_ERR_NEED_RESET;
++ }
+
++ /* Clear error source if not need reset. */
+ writel(error_status, qm->io_base + QM_ABNORMAL_INT_SOURCE);
+ writel(qm->err_info.nfe, qm->io_base + QM_RAS_NFE_ENABLE);
++ writel(qm->err_info.ce, qm->io_base + QM_RAS_CE_ENABLE);
+ }
+
+ return ACC_ERR_RECOVERED;
+@@ -3868,30 +3865,12 @@ EXPORT_SYMBOL_GPL(hisi_qm_sriov_configure);
+
+ static enum acc_err_result qm_dev_err_handle(struct hisi_qm *qm)
+ {
+- u32 err_sts;
+-
+- if (!qm->err_ini->get_dev_hw_err_status) {
+- dev_err(&qm->pdev->dev, "Device doesn't support get hw error status!\n");
++ if (!qm->err_ini->get_err_result) {
++ dev_err(&qm->pdev->dev, "Device doesn't support reset!\n");
+ return ACC_ERR_NONE;
+ }
+
+- /* get device hardware error status */
+- err_sts = qm->err_ini->get_dev_hw_err_status(qm);
+- if (err_sts) {
+- if (err_sts & qm->err_info.ecc_2bits_mask)
+- qm->err_status.is_dev_ecc_mbit = true;
+-
+- if (qm->err_ini->log_dev_hw_err)
+- qm->err_ini->log_dev_hw_err(qm, err_sts);
+-
+- if (err_sts & qm->err_info.dev_reset_mask)
+- return ACC_ERR_NEED_RESET;
+-
+- if (qm->err_ini->clear_dev_hw_err_status)
+- qm->err_ini->clear_dev_hw_err_status(qm, err_sts);
+- }
+-
+- return ACC_ERR_RECOVERED;
++ return qm->err_ini->get_err_result(qm);
+ }
+
+ static enum acc_err_result qm_process_dev_error(struct hisi_qm *qm)
+diff --git a/drivers/crypto/hisilicon/sec2/sec_main.c b/drivers/crypto/hisilicon/sec2/sec_main.c
+index d2ead648767bd..8dd4c0b10a74a 100644
+--- a/drivers/crypto/hisilicon/sec2/sec_main.c
++++ b/drivers/crypto/hisilicon/sec2/sec_main.c
+@@ -1008,11 +1008,15 @@ static u32 sec_get_hw_err_status(struct hisi_qm *qm)
+
+ static void sec_clear_hw_err_status(struct hisi_qm *qm, u32 err_sts)
+ {
+- u32 nfe;
+-
+ writel(err_sts, qm->io_base + SEC_CORE_INT_SOURCE);
+- nfe = hisi_qm_get_hw_info(qm, sec_basic_info, SEC_NFE_MASK_CAP, qm->cap_ver);
+- writel(nfe, qm->io_base + SEC_RAS_NFE_REG);
++}
++
++static void sec_disable_error_report(struct hisi_qm *qm, u32 err_type)
++{
++ u32 nfe_mask;
++
++ nfe_mask = hisi_qm_get_hw_info(qm, sec_basic_info, SEC_NFE_MASK_CAP, qm->cap_ver);
++ writel(nfe_mask & (~err_type), qm->io_base + SEC_RAS_NFE_REG);
+ }
+
+ static void sec_open_axi_master_ooo(struct hisi_qm *qm)
+@@ -1024,6 +1028,27 @@ static void sec_open_axi_master_ooo(struct hisi_qm *qm)
+ writel(val | SEC_AXI_SHUTDOWN_ENABLE, qm->io_base + SEC_CONTROL_REG);
+ }
+
++static enum acc_err_result sec_get_err_result(struct hisi_qm *qm)
++{
++ u32 err_status;
++
++ err_status = sec_get_hw_err_status(qm);
++ if (err_status) {
++ if (err_status & qm->err_info.ecc_2bits_mask)
++ qm->err_status.is_dev_ecc_mbit = true;
++ sec_log_hw_error(qm, err_status);
++
++ if (err_status & qm->err_info.dev_reset_mask) {
++ /* Disable the same error reporting until device is recovered. */
++ sec_disable_error_report(qm, err_status);
++ return ACC_ERR_NEED_RESET;
++ }
++ sec_clear_hw_err_status(qm, err_status);
++ }
++
++ return ACC_ERR_RECOVERED;
++}
++
+ static void sec_err_info_init(struct hisi_qm *qm)
+ {
+ struct hisi_qm_err_info *err_info = &qm->err_info;
+@@ -1050,12 +1075,12 @@ static const struct hisi_qm_err_ini sec_err_ini = {
+ .hw_err_disable = sec_hw_error_disable,
+ .get_dev_hw_err_status = sec_get_hw_err_status,
+ .clear_dev_hw_err_status = sec_clear_hw_err_status,
+- .log_dev_hw_err = sec_log_hw_error,
+ .open_axi_master_ooo = sec_open_axi_master_ooo,
+ .open_sva_prefetch = sec_open_sva_prefetch,
+ .close_sva_prefetch = sec_close_sva_prefetch,
+ .show_last_dfx_regs = sec_show_last_dfx_regs,
+ .err_info_init = sec_err_info_init,
++ .get_err_result = sec_get_err_result,
+ };
+
+ static int sec_pf_probe_init(struct sec_dev *sec)
+diff --git a/drivers/crypto/hisilicon/zip/zip_main.c b/drivers/crypto/hisilicon/zip/zip_main.c
+index a8d5d105b3542..86e5178120936 100644
+--- a/drivers/crypto/hisilicon/zip/zip_main.c
++++ b/drivers/crypto/hisilicon/zip/zip_main.c
+@@ -1069,11 +1069,15 @@ static u32 hisi_zip_get_hw_err_status(struct hisi_qm *qm)
+
+ static void hisi_zip_clear_hw_err_status(struct hisi_qm *qm, u32 err_sts)
+ {
+- u32 nfe;
+-
+ writel(err_sts, qm->io_base + HZIP_CORE_INT_SOURCE);
+- nfe = hisi_qm_get_hw_info(qm, zip_basic_cap_info, ZIP_NFE_MASK_CAP, qm->cap_ver);
+- writel(nfe, qm->io_base + HZIP_CORE_INT_RAS_NFE_ENB);
++}
++
++static void hisi_zip_disable_error_report(struct hisi_qm *qm, u32 err_type)
++{
++ u32 nfe_mask;
++
++ nfe_mask = hisi_qm_get_hw_info(qm, zip_basic_cap_info, ZIP_NFE_MASK_CAP, qm->cap_ver);
++ writel(nfe_mask & (~err_type), qm->io_base + HZIP_CORE_INT_RAS_NFE_ENB);
+ }
+
+ static void hisi_zip_open_axi_master_ooo(struct hisi_qm *qm)
+@@ -1103,6 +1107,27 @@ static void hisi_zip_close_axi_master_ooo(struct hisi_qm *qm)
+ qm->io_base + HZIP_CORE_INT_SET);
+ }
+
++static enum acc_err_result hisi_zip_get_err_result(struct hisi_qm *qm)
++{
++ u32 err_status;
++
++ err_status = hisi_zip_get_hw_err_status(qm);
++ if (err_status) {
++ if (err_status & qm->err_info.ecc_2bits_mask)
++ qm->err_status.is_dev_ecc_mbit = true;
++ hisi_zip_log_hw_error(qm, err_status);
++
++ if (err_status & qm->err_info.dev_reset_mask) {
++ /* Disable the same error reporting until device is recovered. */
++ hisi_zip_disable_error_report(qm, err_status);
++ return ACC_ERR_NEED_RESET;
++ }
++ hisi_zip_clear_hw_err_status(qm, err_status);
++ }
++
++ return ACC_ERR_RECOVERED;
++}
++
+ static void hisi_zip_err_info_init(struct hisi_qm *qm)
+ {
+ struct hisi_qm_err_info *err_info = &qm->err_info;
+@@ -1130,13 +1155,13 @@ static const struct hisi_qm_err_ini hisi_zip_err_ini = {
+ .hw_err_disable = hisi_zip_hw_error_disable,
+ .get_dev_hw_err_status = hisi_zip_get_hw_err_status,
+ .clear_dev_hw_err_status = hisi_zip_clear_hw_err_status,
+- .log_dev_hw_err = hisi_zip_log_hw_error,
+ .open_axi_master_ooo = hisi_zip_open_axi_master_ooo,
+ .close_axi_master_ooo = hisi_zip_close_axi_master_ooo,
+ .open_sva_prefetch = hisi_zip_open_sva_prefetch,
+ .close_sva_prefetch = hisi_zip_close_sva_prefetch,
+ .show_last_dfx_regs = hisi_zip_show_last_dfx_regs,
+ .err_info_init = hisi_zip_err_info_init,
++ .get_err_result = hisi_zip_get_err_result,
+ };
+
+ static int hisi_zip_pf_probe_init(struct hisi_zip *hisi_zip)
+diff --git a/include/linux/hisi_acc_qm.h b/include/linux/hisi_acc_qm.h
+index b566ae420449c..50b6f30adf54f 100644
+--- a/include/linux/hisi_acc_qm.h
++++ b/include/linux/hisi_acc_qm.h
+@@ -226,6 +226,12 @@ struct hisi_qm_status {
+
+ struct hisi_qm;
+
++enum acc_err_result {
++ ACC_ERR_NONE,
++ ACC_ERR_NEED_RESET,
++ ACC_ERR_RECOVERED,
++};
++
+ struct hisi_qm_err_info {
+ char *acpi_rst;
+ u32 msi_wr_port;
+@@ -254,9 +260,9 @@ struct hisi_qm_err_ini {
+ void (*close_axi_master_ooo)(struct hisi_qm *qm);
+ void (*open_sva_prefetch)(struct hisi_qm *qm);
+ void (*close_sva_prefetch)(struct hisi_qm *qm);
+- void (*log_dev_hw_err)(struct hisi_qm *qm, u32 err_sts);
+ void (*show_last_dfx_regs)(struct hisi_qm *qm);
+ void (*err_info_init)(struct hisi_qm *qm);
++ enum acc_err_result (*get_err_result)(struct hisi_qm *qm);
+ };
+
+ struct hisi_qm_cap_info {
+--
+2.43.0
+
--- /dev/null
+From 89f30e277b19de22302449f9cec8c472b3e81f82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Oct 2024 19:27:55 +0800
+Subject: crypto: inside-secure - Fix the return value of
+ safexcel_xcbcmac_cra_init()
+
+From: Li Huafei <lihuafei1@huawei.com>
+
+[ Upstream commit a10549fcce2913be7dc581562ffd8ea35653853e ]
+
+The commit 320406cb60b6 ("crypto: inside-secure - Replace generic aes
+with libaes") replaced crypto_alloc_cipher() with kmalloc(), but did not
+modify the handling of the return value. When kmalloc() returns NULL,
+PTR_ERR_OR_ZERO(NULL) returns 0, but in fact, the memory allocation has
+failed, and -ENOMEM should be returned.
+
+Fixes: 320406cb60b6 ("crypto: inside-secure - Replace generic aes with libaes")
+Signed-off-by: Li Huafei <lihuafei1@huawei.com>
+Acked-by: Antoine Tenart <atenart@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/inside-secure/safexcel_hash.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/inside-secure/safexcel_hash.c b/drivers/crypto/inside-secure/safexcel_hash.c
+index 103fc551d2af9..ecf64cc35fffc 100644
+--- a/drivers/crypto/inside-secure/safexcel_hash.c
++++ b/drivers/crypto/inside-secure/safexcel_hash.c
+@@ -2119,7 +2119,7 @@ static int safexcel_xcbcmac_cra_init(struct crypto_tfm *tfm)
+
+ safexcel_ahash_cra_init(tfm);
+ ctx->aes = kmalloc(sizeof(*ctx->aes), GFP_KERNEL);
+- return PTR_ERR_OR_ZERO(ctx->aes);
++ return ctx->aes == NULL ? -ENOMEM : 0;
+ }
+
+ static void safexcel_xcbcmac_cra_exit(struct crypto_tfm *tfm)
+--
+2.43.0
+
--- /dev/null
+From 517d3e34e2410912aab1f01d0e0fc2ba20987002 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Oct 2024 02:09:35 +0000
+Subject: crypto: pcrypt - Call crypto layer directly when padata_do_parallel()
+ return -EBUSY
+
+From: Yi Yang <yiyang13@huawei.com>
+
+[ Upstream commit 662f2f13e66d3883b9238b0b96b17886179e60e2 ]
+
+Since commit 8f4f68e788c3 ("crypto: pcrypt - Fix hungtask for
+PADATA_RESET"), the pcrypt encryption and decryption operations return
+-EAGAIN when the CPU goes online or offline. In alg_test(), a WARN is
+generated when pcrypt_aead_decrypt() or pcrypt_aead_encrypt() returns
+-EAGAIN, the unnecessary panic will occur when panic_on_warn set 1.
+Fix this issue by calling crypto layer directly without parallelization
+in that case.
+
+Fixes: 8f4f68e788c3 ("crypto: pcrypt - Fix hungtask for PADATA_RESET")
+Signed-off-by: Yi Yang <yiyang13@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/pcrypt.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/pcrypt.c b/crypto/pcrypt.c
+index 005a36cb21bc4..2d7f98709e97c 100644
+--- a/crypto/pcrypt.c
++++ b/crypto/pcrypt.c
+@@ -117,8 +117,10 @@ static int pcrypt_aead_encrypt(struct aead_request *req)
+ err = padata_do_parallel(ictx->psenc, padata, &ctx->cb_cpu);
+ if (!err)
+ return -EINPROGRESS;
+- if (err == -EBUSY)
+- return -EAGAIN;
++ if (err == -EBUSY) {
++ /* try non-parallel mode */
++ return crypto_aead_encrypt(creq);
++ }
+
+ return err;
+ }
+@@ -166,8 +168,10 @@ static int pcrypt_aead_decrypt(struct aead_request *req)
+ err = padata_do_parallel(ictx->psdec, padata, &ctx->cb_cpu);
+ if (!err)
+ return -EINPROGRESS;
+- if (err == -EBUSY)
+- return -EAGAIN;
++ if (err == -EBUSY) {
++ /* try non-parallel mode */
++ return crypto_aead_decrypt(creq);
++ }
+
+ return err;
+ }
+--
+2.43.0
+
--- /dev/null
+From 00b6429d5b1b268d574685a6bf8a1277c4cb613f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 14:42:40 +0100
+Subject: crypto: qat - remove faulty arbiter config reset
+
+From: Ahsan Atta <ahsan.atta@intel.com>
+
+[ Upstream commit 70199359902f1c7187dcb28a1be679a7081de7cc ]
+
+Resetting the service arbiter config can cause potential issues
+related to response ordering and ring flow control check in the
+event of AER or device hang. This is because it results in changing
+the default response ring size from 32 bytes to 16 bytes. The service
+arbiter config reset also disables response ring flow control check.
+Thus, by removing this reset we can prevent the service arbiter from
+being configured inappropriately, which leads to undesired device
+behaviour in the event of errors.
+
+Fixes: 7afa232e76ce ("crypto: qat - Intel(R) QAT DH895xcc accelerator")
+Signed-off-by: Ahsan Atta <ahsan.atta@intel.com>
+Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/adf_hw_arbiter.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/crypto/qat/qat_common/adf_hw_arbiter.c b/drivers/crypto/qat/qat_common/adf_hw_arbiter.c
+index 64e4596a24f40..fd39cbcdec039 100644
+--- a/drivers/crypto/qat/qat_common/adf_hw_arbiter.c
++++ b/drivers/crypto/qat/qat_common/adf_hw_arbiter.c
+@@ -90,10 +90,6 @@ void adf_exit_arb(struct adf_accel_dev *accel_dev)
+
+ hw_data->get_arb_info(&info);
+
+- /* Reset arbiter configuration */
+- for (i = 0; i < ADF_ARB_NUM; i++)
+- WRITE_CSR_ARB_SARCONFIG(csr, arb_off, i, 0);
+-
+ /* Unmap worker threads to service arbiters */
+ for (i = 0; i < hw_data->num_engines; i++)
+ WRITE_CSR_ARB_WT2SAM(csr, arb_off, wt_off, i, 0);
+--
+2.43.0
+
--- /dev/null
+From af0d57ccc0a6438d422b648b3065a6e101e2b6d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Oct 2024 03:11:25 -0700
+Subject: dax: delete a stale directory pmem
+
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+
+[ Upstream commit b8e6d7ce50673c39514921ac61f7af00bbb58b87 ]
+
+After commit: 83762cb5c7c4 ("dax: Kill DEV_DAX_PMEM_COMPAT") the pmem/
+directory is not needed anymore and Makefile changes were made
+accordingly in this commit, but there is a Makefile and pmem.c in pmem/
+which are now stale and pmem.c is empty, remove them.
+
+Fixes: 83762cb5c7c4 ("dax: Kill DEV_DAX_PMEM_COMPAT")
+Suggested-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Reviewed-by: Dan Williams <dan.j.williams@intel.com>
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Link: https://patch.msgid.link/20241017101144.1654085-1-harshit.m.mogalapalli@oracle.com
+Signed-off-by: Ira Weiny <ira.weiny@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dax/pmem/Makefile | 7 -------
+ drivers/dax/pmem/pmem.c | 10 ----------
+ 2 files changed, 17 deletions(-)
+ delete mode 100644 drivers/dax/pmem/Makefile
+ delete mode 100644 drivers/dax/pmem/pmem.c
+
+diff --git a/drivers/dax/pmem/Makefile b/drivers/dax/pmem/Makefile
+deleted file mode 100644
+index 191c31f0d4f00..0000000000000
+--- a/drivers/dax/pmem/Makefile
++++ /dev/null
+@@ -1,7 +0,0 @@
+-# SPDX-License-Identifier: GPL-2.0-only
+-obj-$(CONFIG_DEV_DAX_PMEM) += dax_pmem.o
+-obj-$(CONFIG_DEV_DAX_PMEM) += dax_pmem_core.o
+-
+-dax_pmem-y := pmem.o
+-dax_pmem_core-y := core.o
+-dax_pmem_compat-y := compat.o
+diff --git a/drivers/dax/pmem/pmem.c b/drivers/dax/pmem/pmem.c
+deleted file mode 100644
+index dfe91a2990fec..0000000000000
+--- a/drivers/dax/pmem/pmem.c
++++ /dev/null
+@@ -1,10 +0,0 @@
+-// SPDX-License-Identifier: GPL-2.0
+-/* Copyright(c) 2016 - 2018 Intel Corporation. All rights reserved. */
+-#include <linux/percpu-refcount.h>
+-#include <linux/memremap.h>
+-#include <linux/module.h>
+-#include <linux/pfn_t.h>
+-#include <linux/nd.h>
+-#include "../bus.h"
+-
+-
+--
+2.43.0
+
--- /dev/null
+From 5b7c649826ba513d2a831b98598dcedddc44ac36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Aug 2024 11:18:17 +0300
+Subject: doc: rcu: update printed dynticks counter bits
+
+From: Baruch Siach <baruch@tkos.co.il>
+
+[ Upstream commit 4a09e358922381f9b258e863bcd9c910584203b9 ]
+
+The stall warning prints 16 bits since commit 171476775d32
+("context_tracking: Convert state to atomic_t").
+
+Fixes: 171476775d32 ("context_tracking: Convert state to atomic_t")
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+Reviewed-by: "Paul E. McKenney" <paulmck@kernel.org>
+Signed-off-by: Neeraj Upadhyay <neeraj.upadhyay@kernel.org>
+Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/RCU/stallwarn.rst | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Documentation/RCU/stallwarn.rst b/Documentation/RCU/stallwarn.rst
+index e38c587067fc8..397e067db566a 100644
+--- a/Documentation/RCU/stallwarn.rst
++++ b/Documentation/RCU/stallwarn.rst
+@@ -243,7 +243,7 @@ ticks this GP)" indicates that this CPU has not taken any scheduling-clock
+ interrupts during the current stalled grace period.
+
+ The "idle=" portion of the message prints the dyntick-idle state.
+-The hex number before the first "/" is the low-order 12 bits of the
++The hex number before the first "/" is the low-order 16 bits of the
+ dynticks counter, which will have an even-numbered value if the CPU
+ is in dyntick-idle mode and an odd-numbered value otherwise. The hex
+ number between the two "/"s is the value of the nesting, which will be
+--
+2.43.0
+
--- /dev/null
+From 0deca830c08bc01de11610ba1fac0f2f9784821a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Jul 2024 14:51:55 +0800
+Subject: drivers: soc: xilinx: add the missing kfree in
+ xlnx_add_cb_for_suspend()
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit 44ed4f90a97ff6f339e50ac01db71544e0990efc ]
+
+If we fail to allocate memory for cb_data by kmalloc, the memory
+allocation for eve_data is never freed, add the missing kfree()
+in the error handling path.
+
+Fixes: 05e5ba40ea7a ("driver: soc: xilinx: Add support of multiple callbacks for same event in event management driver")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Link: https://lore.kernel.org/r/20240706065155.452764-1-cuigaosheng1@huawei.com
+Signed-off-by: Michal Simek <michal.simek@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/xilinx/xlnx_event_manager.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/soc/xilinx/xlnx_event_manager.c b/drivers/soc/xilinx/xlnx_event_manager.c
+index 82e3174740238..e5476010bb3d1 100644
+--- a/drivers/soc/xilinx/xlnx_event_manager.c
++++ b/drivers/soc/xilinx/xlnx_event_manager.c
+@@ -174,8 +174,10 @@ static int xlnx_add_cb_for_suspend(event_cb_func_t cb_fun, void *data)
+ INIT_LIST_HEAD(&eve_data->cb_list_head);
+
+ cb_data = kmalloc(sizeof(*cb_data), GFP_KERNEL);
+- if (!cb_data)
++ if (!cb_data) {
++ kfree(eve_data);
+ return -ENOMEM;
++ }
+ cb_data->eve_cb = cb_fun;
+ cb_data->agent_data = data;
+
+--
+2.43.0
+
--- /dev/null
+From 6343f7f541769c72beec4530c6f9c9d3a9349073 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Nov 2024 09:35:41 +0800
+Subject: drm/amdkfd: Fix wrong usage of INIT_WORK()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 21cae8debc6a1d243f64fa82cd1b41cb612b5c61 ]
+
+In kfd_procfs_show(), the sdma_activity_work_handler is a local variable
+and the sdma_activity_work_handler.sdma_activity_work should initialize
+with INIT_WORK_ONSTACK() instead of INIT_WORK().
+
+Fixes: 32cb59f31362 ("drm/amdkfd: Track SDMA utilization per process")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Signed-off-by: Felix Kuehling <felix.kuehling@amd.com>
+Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_process.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process.c b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
+index 9582c9449fff9..99e2aef52ef26 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
+@@ -314,8 +314,8 @@ static ssize_t kfd_procfs_show(struct kobject *kobj, struct attribute *attr,
+ attr_sdma);
+ struct kfd_sdma_activity_handler_workarea sdma_activity_work_handler;
+
+- INIT_WORK(&sdma_activity_work_handler.sdma_activity_work,
+- kfd_sdma_activity_worker);
++ INIT_WORK_ONSTACK(&sdma_activity_work_handler.sdma_activity_work,
++ kfd_sdma_activity_worker);
+
+ sdma_activity_work_handler.pdd = pdd;
+ sdma_activity_work_handler.sdma_activity_counter = 0;
+@@ -323,6 +323,7 @@ static ssize_t kfd_procfs_show(struct kobject *kobj, struct attribute *attr,
+ schedule_work(&sdma_activity_work_handler.sdma_activity_work);
+
+ flush_work(&sdma_activity_work_handler.sdma_activity_work);
++ destroy_work_on_stack(&sdma_activity_work_handler.sdma_activity_work);
+
+ return snprintf(buffer, PAGE_SIZE, "%llu\n",
+ (sdma_activity_work_handler.sdma_activity_counter)/
+--
+2.43.0
+
--- /dev/null
+From b0a78da4de45840252d35f2a21d587770ce92106 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Sep 2024 17:29:08 +0800
+Subject: drm/bridge: anx7625: Drop EDID cache on bridge power off
+
+From: Pin-yen Lin <treapking@chromium.org>
+
+[ Upstream commit 00ae002116a14c2e6a342c4c9ae080cdbb9b4b21 ]
+
+The bridge might miss the display change events when it's powered off.
+This happens when a user changes the external monitor when the system
+is suspended and the embedded controller doesn't not wake AP up.
+
+It's also observed that one DP-to-HDMI bridge doesn't work correctly
+when there is no EDID read after it is powered on.
+
+Drop the cache to force an EDID read after system resume to fix this.
+
+Fixes: 8bdfc5dae4e3 ("drm/bridge: anx7625: Add anx7625 MIPI DSI/DPI to DP")
+Signed-off-by: Pin-yen Lin <treapking@chromium.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240926092931.3870342-2-treapking@chromium.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/analogix/anx7625.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/bridge/analogix/anx7625.c b/drivers/gpu/drm/bridge/analogix/anx7625.c
+index 193015c75b454..e14c9fdabe2ba 100644
+--- a/drivers/gpu/drm/bridge/analogix/anx7625.c
++++ b/drivers/gpu/drm/bridge/analogix/anx7625.c
+@@ -2567,6 +2567,8 @@ static int __maybe_unused anx7625_runtime_pm_suspend(struct device *dev)
+ mutex_lock(&ctx->lock);
+
+ anx7625_stop_dp_work(ctx);
++ if (!ctx->pdata.panel_bridge)
++ anx7625_remove_edid(ctx);
+ anx7625_power_standby(ctx);
+
+ mutex_unlock(&ctx->lock);
+--
+2.43.0
+
--- /dev/null
+From 11a04352523265bc64ef07ed44eb2900c6c892a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Nov 2023 13:27:23 +0200
+Subject: drm/bridge: tc358767: Fix link properties discovery
+
+From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+
+[ Upstream commit 2d343723c7e1f9f6d64f721f07cfdfc2993758d1 ]
+
+When a display controller driver uses DRM_BRIDGE_ATTACH_NO_CONNECTOR,
+tc358767 will behave properly and skip the creation of the connector.
+
+However, tc_get_display_props(), which is used to find out about the DP
+monitor and link, is only called from two places: .atomic_enable() and
+tc_connector_get_modes(). The latter is only used when tc358767 creates
+its own connector, i.e. when DRM_BRIDGE_ATTACH_NO_CONNECTOR is _not_
+set.
+
+Thus, the driver never finds out the link properties before get_edid()
+is called. With num_lanes of 0 and link_rate of 0 there are not many
+valid modes...
+
+Fix this by adding tc_get_display_props() call at the beginning of
+get_edid(), so that we have up to date information before looking at the
+modes.
+
+Reported-by: Jan Kiszka <jan.kiszka@siemens.com>
+Closes: https://lore.kernel.org/all/24282420-b4dd-45b3-bb1c-fc37fe4a8205@siemens.com/
+Fixes: de5e6c027ae6 ("drm/bridge: tc358767: add drm_panel_bridge support")
+Reviewed-by: Aradhya Bhatia <a-bhatia1@ti.com>
+Tested-by: Jan Kiszka <jan.kiszka@siemens.com>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231108-tc358767-v2-2-25c5f70a2159@ideasonboard.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/tc358767.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/gpu/drm/bridge/tc358767.c b/drivers/gpu/drm/bridge/tc358767.c
+index 0af2bd8706e44..a6b3af902642f 100644
+--- a/drivers/gpu/drm/bridge/tc358767.c
++++ b/drivers/gpu/drm/bridge/tc358767.c
+@@ -1579,6 +1579,13 @@ static struct edid *tc_get_edid(struct drm_bridge *bridge,
+ struct drm_connector *connector)
+ {
+ struct tc_data *tc = bridge_to_tc(bridge);
++ int ret;
++
++ ret = tc_get_display_props(tc);
++ if (ret < 0) {
++ dev_err(tc->dev, "failed to read display props: %d\n", ret);
++ return 0;
++ }
+
+ return drm_get_edid(connector, &tc->aux.ddc);
+ }
+--
+2.43.0
+
--- /dev/null
+From b7badf9d370d7218b550e12780d7b28c04c38dd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Sep 2022 13:29:39 -0700
+Subject: drm/etnaviv: fix power register offset on GC300
+
+From: Doug Brown <doug@schmorgal.com>
+
+[ Upstream commit 61a6920bb604df3a0e389a2a9479e1e233e4461d ]
+
+Older GC300 revisions have their power registers at an offset of 0x200
+rather than 0x100. Add new gpu_read_power and gpu_write_power functions
+to encapsulate accesses to the power addresses and fix the addresses.
+
+Signed-off-by: Doug Brown <doug@schmorgal.com>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Stable-dep-of: 37dc4737447a ("drm/etnaviv: hold GPU lock across perfmon sampling")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/etnaviv/etnaviv_dump.c | 7 ++++++-
+ drivers/gpu/drm/etnaviv/etnaviv_gpu.c | 20 ++++++++++----------
+ drivers/gpu/drm/etnaviv/etnaviv_gpu.h | 21 +++++++++++++++++++++
+ 3 files changed, 37 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_dump.c b/drivers/gpu/drm/etnaviv/etnaviv_dump.c
+index 0edcf8ceb4a78..898f84a0fc30c 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_dump.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_dump.c
+@@ -83,10 +83,15 @@ static void etnaviv_core_dump_registers(struct core_dump_iterator *iter,
+ {
+ struct etnaviv_dump_registers *reg = iter->data;
+ unsigned int i;
++ u32 read_addr;
+
+ for (i = 0; i < ARRAY_SIZE(etnaviv_dump_registers); i++, reg++) {
++ read_addr = etnaviv_dump_registers[i];
++ if (read_addr >= VIVS_PM_POWER_CONTROLS &&
++ read_addr <= VIVS_PM_PULSE_EATER)
++ read_addr = gpu_fix_power_address(gpu, read_addr);
+ reg->reg = cpu_to_le32(etnaviv_dump_registers[i]);
+- reg->value = cpu_to_le32(gpu_read(gpu, etnaviv_dump_registers[i]));
++ reg->value = cpu_to_le32(gpu_read(gpu, read_addr));
+ }
+
+ etnaviv_core_dump_header(iter, ETDUMP_BUF_REG, reg);
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
+index ffac685c22918..6c070411d95f0 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
+@@ -590,7 +590,7 @@ static void etnaviv_gpu_enable_mlcg(struct etnaviv_gpu *gpu)
+ u32 pmc, ppc;
+
+ /* enable clock gating */
+- ppc = gpu_read(gpu, VIVS_PM_POWER_CONTROLS);
++ ppc = gpu_read_power(gpu, VIVS_PM_POWER_CONTROLS);
+ ppc |= VIVS_PM_POWER_CONTROLS_ENABLE_MODULE_CLOCK_GATING;
+
+ /* Disable stall module clock gating for 4.3.0.1 and 4.3.0.2 revs */
+@@ -598,9 +598,9 @@ static void etnaviv_gpu_enable_mlcg(struct etnaviv_gpu *gpu)
+ gpu->identity.revision == 0x4302)
+ ppc |= VIVS_PM_POWER_CONTROLS_DISABLE_STALL_MODULE_CLOCK_GATING;
+
+- gpu_write(gpu, VIVS_PM_POWER_CONTROLS, ppc);
++ gpu_write_power(gpu, VIVS_PM_POWER_CONTROLS, ppc);
+
+- pmc = gpu_read(gpu, VIVS_PM_MODULE_CONTROLS);
++ pmc = gpu_read_power(gpu, VIVS_PM_MODULE_CONTROLS);
+
+ /* Disable PA clock gating for GC400+ without bugfix except for GC420 */
+ if (gpu->identity.model >= chipModel_GC400 &&
+@@ -635,7 +635,7 @@ static void etnaviv_gpu_enable_mlcg(struct etnaviv_gpu *gpu)
+ pmc |= VIVS_PM_MODULE_CONTROLS_DISABLE_MODULE_CLOCK_GATING_RA_HZ;
+ pmc |= VIVS_PM_MODULE_CONTROLS_DISABLE_MODULE_CLOCK_GATING_RA_EZ;
+
+- gpu_write(gpu, VIVS_PM_MODULE_CONTROLS, pmc);
++ gpu_write_power(gpu, VIVS_PM_MODULE_CONTROLS, pmc);
+ }
+
+ void etnaviv_gpu_start_fe(struct etnaviv_gpu *gpu, u32 address, u16 prefetch)
+@@ -695,11 +695,11 @@ static void etnaviv_gpu_setup_pulse_eater(struct etnaviv_gpu *gpu)
+ (gpu->identity.features & chipFeatures_PIPE_3D))
+ {
+ /* Performance fix: disable internal DFS */
+- pulse_eater = gpu_read(gpu, VIVS_PM_PULSE_EATER);
++ pulse_eater = gpu_read_power(gpu, VIVS_PM_PULSE_EATER);
+ pulse_eater |= BIT(18);
+ }
+
+- gpu_write(gpu, VIVS_PM_PULSE_EATER, pulse_eater);
++ gpu_write_power(gpu, VIVS_PM_PULSE_EATER, pulse_eater);
+ }
+
+ static void etnaviv_gpu_hw_init(struct etnaviv_gpu *gpu)
+@@ -1293,9 +1293,9 @@ static void sync_point_perfmon_sample_pre(struct etnaviv_gpu *gpu,
+ u32 val;
+
+ /* disable clock gating */
+- val = gpu_read(gpu, VIVS_PM_POWER_CONTROLS);
++ val = gpu_read_power(gpu, VIVS_PM_POWER_CONTROLS);
+ val &= ~VIVS_PM_POWER_CONTROLS_ENABLE_MODULE_CLOCK_GATING;
+- gpu_write(gpu, VIVS_PM_POWER_CONTROLS, val);
++ gpu_write_power(gpu, VIVS_PM_POWER_CONTROLS, val);
+
+ /* enable debug register */
+ val = gpu_read(gpu, VIVS_HI_CLOCK_CONTROL);
+@@ -1326,9 +1326,9 @@ static void sync_point_perfmon_sample_post(struct etnaviv_gpu *gpu,
+ gpu_write(gpu, VIVS_HI_CLOCK_CONTROL, val);
+
+ /* enable clock gating */
+- val = gpu_read(gpu, VIVS_PM_POWER_CONTROLS);
++ val = gpu_read_power(gpu, VIVS_PM_POWER_CONTROLS);
+ val |= VIVS_PM_POWER_CONTROLS_ENABLE_MODULE_CLOCK_GATING;
+- gpu_write(gpu, VIVS_PM_POWER_CONTROLS, val);
++ gpu_write_power(gpu, VIVS_PM_POWER_CONTROLS, val);
+ }
+
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gpu.h b/drivers/gpu/drm/etnaviv/etnaviv_gpu.h
+index 85eddd492774d..39f1e83d3cc7d 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_gpu.h
++++ b/drivers/gpu/drm/etnaviv/etnaviv_gpu.h
+@@ -10,6 +10,7 @@
+ #include "etnaviv_gem.h"
+ #include "etnaviv_mmu.h"
+ #include "etnaviv_drv.h"
++#include "common.xml.h"
+
+ struct etnaviv_gem_submit;
+ struct etnaviv_vram_mapping;
+@@ -159,6 +160,26 @@ static inline u32 gpu_read(struct etnaviv_gpu *gpu, u32 reg)
+ return readl(gpu->mmio + reg);
+ }
+
++static inline u32 gpu_fix_power_address(struct etnaviv_gpu *gpu, u32 reg)
++{
++ /* Power registers in GC300 < 2.0 are offset by 0x100 */
++ if (gpu->identity.model == chipModel_GC300 &&
++ gpu->identity.revision < 0x2000)
++ reg += 0x100;
++
++ return reg;
++}
++
++static inline void gpu_write_power(struct etnaviv_gpu *gpu, u32 reg, u32 data)
++{
++ writel(data, gpu->mmio + gpu_fix_power_address(gpu, reg));
++}
++
++static inline u32 gpu_read_power(struct etnaviv_gpu *gpu, u32 reg)
++{
++ return readl(gpu->mmio + gpu_fix_power_address(gpu, reg));
++}
++
+ int etnaviv_gpu_get_param(struct etnaviv_gpu *gpu, u32 param, u64 *value);
+
+ int etnaviv_gpu_init(struct etnaviv_gpu *gpu);
+--
+2.43.0
+
--- /dev/null
+From a04806f3bac9f68339dd488e8c56c156bd00b612 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jul 2024 22:00:09 +0200
+Subject: drm/etnaviv: hold GPU lock across perfmon sampling
+
+From: Lucas Stach <l.stach@pengutronix.de>
+
+[ Upstream commit 37dc4737447a7667f8e9ec790dac251da057eb27 ]
+
+The perfmon sampling mutates shared GPU state (e.g. VIVS_HI_CLOCK_CONTROL
+to select the pipe for the perf counter reads). To avoid clashing with
+other functions mutating the same state (e.g. etnaviv_gpu_update_clock)
+the perfmon sampling needs to hold the GPU lock.
+
+Fixes: 68dc0b295dcb ("drm/etnaviv: use 'sync points' for performance monitor requests")
+Reviewed-by: Christian Gmeiner <cgmeiner@igalia.com>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/etnaviv/etnaviv_gpu.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
+index 6c070411d95f0..c0410e314dfab 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
+@@ -1292,6 +1292,8 @@ static void sync_point_perfmon_sample_pre(struct etnaviv_gpu *gpu,
+ {
+ u32 val;
+
++ mutex_lock(&gpu->lock);
++
+ /* disable clock gating */
+ val = gpu_read_power(gpu, VIVS_PM_POWER_CONTROLS);
+ val &= ~VIVS_PM_POWER_CONTROLS_ENABLE_MODULE_CLOCK_GATING;
+@@ -1303,6 +1305,8 @@ static void sync_point_perfmon_sample_pre(struct etnaviv_gpu *gpu,
+ gpu_write(gpu, VIVS_HI_CLOCK_CONTROL, val);
+
+ sync_point_perfmon_sample(gpu, event, ETNA_PM_PROCESS_PRE);
++
++ mutex_unlock(&gpu->lock);
+ }
+
+ static void sync_point_perfmon_sample_post(struct etnaviv_gpu *gpu,
+@@ -1312,13 +1316,9 @@ static void sync_point_perfmon_sample_post(struct etnaviv_gpu *gpu,
+ unsigned int i;
+ u32 val;
+
+- sync_point_perfmon_sample(gpu, event, ETNA_PM_PROCESS_POST);
+-
+- for (i = 0; i < submit->nr_pmrs; i++) {
+- const struct etnaviv_perfmon_request *pmr = submit->pmrs + i;
++ mutex_lock(&gpu->lock);
+
+- *pmr->bo_vma = pmr->sequence;
+- }
++ sync_point_perfmon_sample(gpu, event, ETNA_PM_PROCESS_POST);
+
+ /* disable debug register */
+ val = gpu_read(gpu, VIVS_HI_CLOCK_CONTROL);
+@@ -1329,6 +1329,14 @@ static void sync_point_perfmon_sample_post(struct etnaviv_gpu *gpu,
+ val = gpu_read_power(gpu, VIVS_PM_POWER_CONTROLS);
+ val |= VIVS_PM_POWER_CONTROLS_ENABLE_MODULE_CLOCK_GATING;
+ gpu_write_power(gpu, VIVS_PM_POWER_CONTROLS, val);
++
++ mutex_unlock(&gpu->lock);
++
++ for (i = 0; i < submit->nr_pmrs; i++) {
++ const struct etnaviv_perfmon_request *pmr = submit->pmrs + i;
++
++ *pmr->bo_vma = pmr->sequence;
++ }
+ }
+
+
+--
+2.43.0
+
--- /dev/null
+From 3f318a061e396e71131c8f8ac85fb04fecf4d425 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2024 07:34:30 +0800
+Subject: drm/etnaviv: Request pages from DMA32 zone on addressing_limited
+
+From: Xiaolei Wang <xiaolei.wang@windriver.com>
+
+[ Upstream commit 13c96ac9a3f0f1c7ba1ff0656ea508e7fa065e7e ]
+
+Remove __GFP_HIGHMEM when requesting a page from DMA32 zone,
+and since all vivante GPUs in the system will share the same
+DMA constraints, move the check of whether to get a page from
+DMA32 to etnaviv_bind().
+
+Fixes: b72af445cd38 ("drm/etnaviv: request pages from DMA32 zone when needed")
+Suggested-by: Sui Jingfeng <sui.jingfeng@linux.dev>
+Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
+Reviewed-by: Christian Gmeiner <cgmeiner@igalia.com>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/etnaviv/etnaviv_drv.c | 10 ++++++++++
+ drivers/gpu/drm/etnaviv/etnaviv_gpu.c | 8 --------
+ 2 files changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_drv.c b/drivers/gpu/drm/etnaviv/etnaviv_drv.c
+index f29952a55c05d..b932a02efccda 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_drv.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_drv.c
+@@ -519,6 +519,16 @@ static int etnaviv_bind(struct device *dev)
+ priv->num_gpus = 0;
+ priv->shm_gfp_mask = GFP_HIGHUSER | __GFP_RETRY_MAYFAIL | __GFP_NOWARN;
+
++ /*
++ * If the GPU is part of a system with DMA addressing limitations,
++ * request pages for our SHM backend buffers from the DMA32 zone to
++ * hopefully avoid performance killing SWIOTLB bounce buffering.
++ */
++ if (dma_addressing_limited(dev)) {
++ priv->shm_gfp_mask |= GFP_DMA32;
++ priv->shm_gfp_mask &= ~__GFP_HIGHMEM;
++ }
++
+ priv->cmdbuf_suballoc = etnaviv_cmdbuf_suballoc_new(drm->dev);
+ if (IS_ERR(priv->cmdbuf_suballoc)) {
+ dev_err(drm->dev, "Failed to create cmdbuf suballocator\n");
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
+index f667e7906d1f4..ffac685c22918 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
+@@ -798,14 +798,6 @@ int etnaviv_gpu_init(struct etnaviv_gpu *gpu)
+ if (ret)
+ goto fail;
+
+- /*
+- * If the GPU is part of a system with DMA addressing limitations,
+- * request pages for our SHM backend buffers from the DMA32 zone to
+- * hopefully avoid performance killing SWIOTLB bounce buffering.
+- */
+- if (dma_addressing_limited(gpu->dev))
+- priv->shm_gfp_mask |= GFP_DMA32;
+-
+ /* Create buffer: */
+ ret = etnaviv_cmdbuf_init(priv->cmdbuf_suballoc, &gpu->buffer,
+ PAGE_SIZE);
+--
+2.43.0
+
--- /dev/null
+From b3c07074bf9adc68d94e6ec9566ee775e415e544 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Sep 2024 07:55:51 +0200
+Subject: drm: fsl-dcu: enable PIXCLK on LS1021A
+
+From: Matthias Schiffer <matthias.schiffer@tq-group.com>
+
+[ Upstream commit ffcde9e44d3e18fde3d18bfff8d9318935413bfd ]
+
+The PIXCLK needs to be enabled in SCFG before accessing certain DCU
+registers, or the access will hang. For simplicity, the PIXCLK is enabled
+unconditionally, resulting in increased power consumption.
+
+Signed-off-by: Matthias Schiffer <matthias.schiffer@tq-group.com>
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Fixes: 109eee2f2a18 ("drm/layerscape: Add Freescale DCU DRM driver")
+Acked-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240926055552.1632448-2-alexander.stein@ew.tq-group.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/fsl-dcu/Kconfig | 1 +
+ drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c | 15 +++++++++++++++
+ drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.h | 3 +++
+ 3 files changed, 19 insertions(+)
+
+diff --git a/drivers/gpu/drm/fsl-dcu/Kconfig b/drivers/gpu/drm/fsl-dcu/Kconfig
+index 5ca71ef873259..c9ee98693b48a 100644
+--- a/drivers/gpu/drm/fsl-dcu/Kconfig
++++ b/drivers/gpu/drm/fsl-dcu/Kconfig
+@@ -8,6 +8,7 @@ config DRM_FSL_DCU
+ select DRM_PANEL
+ select REGMAP_MMIO
+ select VIDEOMODE_HELPERS
++ select MFD_SYSCON if SOC_LS1021A
+ help
+ Choose this option if you have an Freescale DCU chipset.
+ If M is selected the module will be called fsl-dcu-drm.
+diff --git a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c
+index b4acc3422ba45..063a5e5bb7375 100644
+--- a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c
++++ b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c
+@@ -100,6 +100,7 @@ static void fsl_dcu_irq_uninstall(struct drm_device *dev)
+ static int fsl_dcu_load(struct drm_device *dev, unsigned long flags)
+ {
+ struct fsl_dcu_drm_device *fsl_dev = dev->dev_private;
++ struct regmap *scfg;
+ int ret;
+
+ ret = fsl_dcu_drm_modeset_init(fsl_dev);
+@@ -108,6 +109,20 @@ static int fsl_dcu_load(struct drm_device *dev, unsigned long flags)
+ return ret;
+ }
+
++ scfg = syscon_regmap_lookup_by_compatible("fsl,ls1021a-scfg");
++ if (PTR_ERR(scfg) != -ENODEV) {
++ /*
++ * For simplicity, enable the PIXCLK unconditionally,
++ * resulting in increased power consumption. Disabling
++ * the clock in PM or on unload could be implemented as
++ * a future improvement.
++ */
++ ret = regmap_update_bits(scfg, SCFG_PIXCLKCR, SCFG_PIXCLKCR_PXCEN,
++ SCFG_PIXCLKCR_PXCEN);
++ if (ret < 0)
++ return dev_err_probe(dev->dev, ret, "failed to enable pixclk\n");
++ }
++
+ ret = drm_vblank_init(dev, dev->mode_config.num_crtc);
+ if (ret < 0) {
+ dev_err(dev->dev, "failed to initialize vblank\n");
+diff --git a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.h b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.h
+index e2049a0e8a92a..566396013c04a 100644
+--- a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.h
++++ b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.h
+@@ -160,6 +160,9 @@
+ #define FSL_DCU_ARGB4444 12
+ #define FSL_DCU_YUV422 14
+
++#define SCFG_PIXCLKCR 0x28
++#define SCFG_PIXCLKCR_PXCEN BIT(31)
++
+ #define VF610_LAYER_REG_NUM 9
+ #define LS1021A_LAYER_REG_NUM 10
+
+--
+2.43.0
+
--- /dev/null
+From 592b1f27a2d73e9fa4e06d3ccc41b493c1b547fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 16:30:16 +0800
+Subject: drm/imx/dcss: Use IRQF_NO_AUTOEN flag in request_irq()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 1af01e14db7e0b45ae502d822776a58c86688763 ]
+
+disable_irq() after request_irq() still has a time gap in which
+interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will
+disable IRQ auto-enable when request IRQ.
+
+Fixes: 9021c317b770 ("drm/imx: Add initial support for DCSS on iMX8MQ")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Reviewed-by: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240912083020.3720233-2-ruanjinjie@huawei.com
+[DB: fixed the subject]
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/imx/dcss/dcss-crtc.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/imx/dcss/dcss-crtc.c b/drivers/gpu/drm/imx/dcss/dcss-crtc.c
+index 31267c00782fc..af91e45b5d13b 100644
+--- a/drivers/gpu/drm/imx/dcss/dcss-crtc.c
++++ b/drivers/gpu/drm/imx/dcss/dcss-crtc.c
+@@ -206,15 +206,13 @@ int dcss_crtc_init(struct dcss_crtc *crtc, struct drm_device *drm)
+ if (crtc->irq < 0)
+ return crtc->irq;
+
+- ret = request_irq(crtc->irq, dcss_crtc_irq_handler,
+- 0, "dcss_drm", crtc);
++ ret = request_irq(crtc->irq, dcss_crtc_irq_handler, IRQF_NO_AUTOEN,
++ "dcss_drm", crtc);
+ if (ret) {
+ dev_err(dcss->dev, "irq request failed with %d.\n", ret);
+ return ret;
+ }
+
+- disable_irq(crtc->irq);
+-
+ return 0;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 527e06136163ec596daf325292f41e9e6d77e057 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 16:30:18 +0800
+Subject: drm/imx/ipuv3: Use IRQF_NO_AUTOEN flag in request_irq()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 40004709a3d3b07041a473a163ca911ef04ab8bd ]
+
+disable_irq() after request_irq() still has a time gap in which
+interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will
+disable IRQ auto-enable when request IRQ.
+
+Fixes: 47b1be5c0f4e ("staging: imx/drm: request irq only after adding the crtc")
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240912083020.3720233-4-ruanjinjie@huawei.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/imx/ipuv3-crtc.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/imx/ipuv3-crtc.c b/drivers/gpu/drm/imx/ipuv3-crtc.c
+index 89585b31b985e..5f423a2e0ede3 100644
+--- a/drivers/gpu/drm/imx/ipuv3-crtc.c
++++ b/drivers/gpu/drm/imx/ipuv3-crtc.c
+@@ -410,14 +410,12 @@ static int ipu_drm_bind(struct device *dev, struct device *master, void *data)
+ }
+
+ ipu_crtc->irq = ipu_plane_irq(ipu_crtc->plane[0]);
+- ret = devm_request_irq(ipu_crtc->dev, ipu_crtc->irq, ipu_irq_handler, 0,
+- "imx_drm", ipu_crtc);
++ ret = devm_request_irq(ipu_crtc->dev, ipu_crtc->irq, ipu_irq_handler,
++ IRQF_NO_AUTOEN, "imx_drm", ipu_crtc);
+ if (ret < 0) {
+ dev_err(ipu_crtc->dev, "irq request failed with %d.\n", ret);
+ return ret;
+ }
+- /* Only enable IRQ when we actually need it to trigger work. */
+- disable_irq(ipu_crtc->irq);
+
+ return 0;
+ }
+--
+2.43.0
+
--- /dev/null
+From 0e2edd9193893dcc15f6cea8c0abd218d2615e6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 18:46:40 +0300
+Subject: drm/mm: Mark drm_mm_interval_tree*() functions with __maybe_unused
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 53bd7c1c0077db533472ae32799157758302ef48 ]
+
+The INTERVAL_TREE_DEFINE() uncoditionally provides a bunch of helper
+functions which in some cases may be not used. This, in particular,
+prevents kernel builds with clang, `make W=1` and CONFIG_WERROR=y:
+
+.../drm/drm_mm.c:152:1: error: unused function 'drm_mm_interval_tree_insert' [-Werror,-Wunused-function]
+ 152 | INTERVAL_TREE_DEFINE(struct drm_mm_node, rb,
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 153 | u64, __subtree_last,
+ | ~~~~~~~~~~~~~~~~~~~~
+ 154 | START, LAST, static inline, drm_mm_interval_tree)
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Fix this by marking drm_mm_interval_tree*() functions with __maybe_unused.
+
+See also commit 6863f5643dd7 ("kbuild: allow Clang to find unused static
+inline functions for W=1 build").
+
+Fixes: 202b52b7fbf7 ("drm: Track drm_mm nodes with an interval tree")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240829154640.1120050-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_mm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_mm.c b/drivers/gpu/drm/drm_mm.c
+index 8257f9d4f6190..22a373eaffefd 100644
+--- a/drivers/gpu/drm/drm_mm.c
++++ b/drivers/gpu/drm/drm_mm.c
+@@ -151,7 +151,7 @@ static void show_leaks(struct drm_mm *mm) { }
+
+ INTERVAL_TREE_DEFINE(struct drm_mm_node, rb,
+ u64, __subtree_last,
+- START, LAST, static inline, drm_mm_interval_tree)
++ START, LAST, static inline __maybe_unused, drm_mm_interval_tree)
+
+ struct drm_mm_node *
+ __drm_mm_interval_first(const struct drm_mm *mm, u64 start, u64 last)
+--
+2.43.0
+
--- /dev/null
+From 649005a0bbe10413fd8b28fe05322db20d31ca2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 16:30:20 +0800
+Subject: drm/msm/adreno: Use IRQF_NO_AUTOEN flag in request_irq()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 394679f322649d06fea3c646ba65f5a0887f52c3 ]
+
+disable_irq() after request_irq() still has a time gap in which
+interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will
+disable IRQ auto-enable when request IRQ.
+
+Fixes: 4b565ca5a2cb ("drm/msm: Add A6XX device support")
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Patchwork: https://patchwork.freedesktop.org/patch/614075/
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+index 870252bef23f3..ee9b32fbe916c 100644
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+@@ -1462,15 +1462,13 @@ static int a6xx_gmu_get_irq(struct a6xx_gmu *gmu, struct platform_device *pdev,
+
+ irq = platform_get_irq_byname(pdev, name);
+
+- ret = request_irq(irq, handler, IRQF_TRIGGER_HIGH, name, gmu);
++ ret = request_irq(irq, handler, IRQF_TRIGGER_HIGH | IRQF_NO_AUTOEN, name, gmu);
+ if (ret) {
+ DRM_DEV_ERROR(&pdev->dev, "Unable to get interrupt %s %d\n",
+ name, ret);
+ return ret;
+ }
+
+- disable_irq(irq);
+-
+ return irq;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 804ebc2eb8ae4fb04477cf3e816dbc9784bc7b33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2024 14:42:10 -0500
+Subject: drm/msm/dpu: cast crtc_clk calculation to u64 in
+ _dpu_core_perf_calc_clk()
+
+From: Zichen Xie <zichenxie0106@gmail.com>
+
+[ Upstream commit 20c7b42d9dbd048019bfe0af39229e3014007a98 ]
+
+There may be a potential integer overflow issue in
+_dpu_core_perf_calc_clk(). crtc_clk is defined as u64, while
+mode->vtotal, mode->hdisplay, and drm_mode_vrefresh(mode) are defined as
+a smaller data type. The result of the calculation will be limited to
+"int" in this case without correct casting. In screen with high
+resolution and high refresh rate, integer overflow may happen.
+So, we recommend adding an extra cast to prevent potential
+integer overflow.
+
+Fixes: c33b7c0389e1 ("drm/msm/dpu: add support for clk and bw scaling for display")
+Signed-off-by: Zichen Xie <zichenxie0106@gmail.com>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/622206/
+Link: https://lore.kernel.org/r/20241029194209.23684-1-zichenxie0106@gmail.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_core_perf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_core_perf.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_core_perf.c
+index 1d9d83d7b99ed..72f043732f939 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_core_perf.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_core_perf.c
+@@ -80,7 +80,7 @@ static u64 _dpu_core_perf_calc_clk(struct dpu_kms *kms,
+
+ mode = &state->adjusted_mode;
+
+- crtc_clk = mode->vtotal * mode->hdisplay * drm_mode_vrefresh(mode);
++ crtc_clk = (u64)mode->vtotal * mode->hdisplay * drm_mode_vrefresh(mode);
+
+ drm_atomic_crtc_for_each_plane(plane, crtc) {
+ pstate = to_dpu_plane_state(plane->state);
+--
+2.43.0
+
--- /dev/null
+From 7b070f07aaf7dcbacaae9a86fdbb3a1fc8a0d4a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jan 2023 15:14:42 -0800
+Subject: drm/msm/gpu: Add devfreq tuning debugfs
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit 6563f60f14cbb3dcbdc4e1d8469fc0fbaaa80544 ]
+
+Make the handful of tuning knobs available visible via debugfs.
+
+v2: select DEVFREQ_GOV_SIMPLE_ONDEMAND because for some reason
+ struct devfreq_simple_ondemand_data depends on this
+
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Patchwork: https://patchwork.freedesktop.org/patch/517784/
+Link: https://lore.kernel.org/r/20230110231447.1939101-2-robdclark@gmail.com
+Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
+Stable-dep-of: 8f32ddd87e49 ("drm/msm/gpu: Check the status of registration to PM QoS")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/Kconfig | 1 +
+ drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 2 +-
+ drivers/gpu/drm/msm/msm_debugfs.c | 12 ++++++++++++
+ drivers/gpu/drm/msm/msm_drv.h | 9 +++++++++
+ drivers/gpu/drm/msm/msm_gpu.h | 3 ---
+ drivers/gpu/drm/msm/msm_gpu_devfreq.c | 6 ++++--
+ 6 files changed, 27 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/Kconfig b/drivers/gpu/drm/msm/Kconfig
+index 3c9dfdb0b3283..f7abacb4b221b 100644
+--- a/drivers/gpu/drm/msm/Kconfig
++++ b/drivers/gpu/drm/msm/Kconfig
+@@ -23,6 +23,7 @@ config DRM_MSM
+ select SHMEM
+ select TMPFS
+ select QCOM_SCM
++ select DEVFREQ_GOV_SIMPLE_ONDEMAND
+ select WANT_DEV_COREDUMP
+ select SND_SOC_HDMI_CODEC if SND_SOC
+ select SYNC_FILE
+diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c
+index d6a810b7cfa2c..cdb4665b953c8 100644
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c
+@@ -2056,7 +2056,7 @@ struct msm_gpu *a6xx_gpu_init(struct drm_device *dev)
+ * to cause power supply issues:
+ */
+ if (adreno_is_a618(adreno_gpu) || adreno_is_7c3(adreno_gpu))
+- gpu->clamp_to_idle = true;
++ priv->gpu_clamp_to_idle = true;
+
+ /* Check if there is a GMU phandle and set it up */
+ node = of_parse_phandle(pdev->dev.of_node, "qcom,gmu", 0);
+diff --git a/drivers/gpu/drm/msm/msm_debugfs.c b/drivers/gpu/drm/msm/msm_debugfs.c
+index 95f4374ae21c2..d6ecff0ab6187 100644
+--- a/drivers/gpu/drm/msm/msm_debugfs.c
++++ b/drivers/gpu/drm/msm/msm_debugfs.c
+@@ -305,6 +305,7 @@ void msm_debugfs_init(struct drm_minor *minor)
+ {
+ struct drm_device *dev = minor->dev;
+ struct msm_drm_private *priv = dev->dev_private;
++ struct dentry *gpu_devfreq;
+
+ drm_debugfs_create_files(msm_debugfs_list,
+ ARRAY_SIZE(msm_debugfs_list),
+@@ -325,6 +326,17 @@ void msm_debugfs_init(struct drm_minor *minor)
+ debugfs_create_file("shrink", S_IRWXU, minor->debugfs_root,
+ dev, &shrink_fops);
+
++ gpu_devfreq = debugfs_create_dir("devfreq", minor->debugfs_root);
++
++ debugfs_create_bool("idle_clamp",0600, gpu_devfreq,
++ &priv->gpu_clamp_to_idle);
++
++ debugfs_create_u32("upthreshold",0600, gpu_devfreq,
++ &priv->gpu_devfreq_config.upthreshold);
++
++ debugfs_create_u32("downdifferential",0600, gpu_devfreq,
++ &priv->gpu_devfreq_config.downdifferential);
++
+ if (priv->kms && priv->kms->funcs->debugfs_init)
+ priv->kms->funcs->debugfs_init(priv->kms, minor);
+
+diff --git a/drivers/gpu/drm/msm/msm_drv.h b/drivers/gpu/drm/msm/msm_drv.h
+index d4e0ef608950e..81deb112ea446 100644
+--- a/drivers/gpu/drm/msm/msm_drv.h
++++ b/drivers/gpu/drm/msm/msm_drv.h
+@@ -11,6 +11,7 @@
+ #include <linux/kernel.h>
+ #include <linux/clk.h>
+ #include <linux/cpufreq.h>
++#include <linux/devfreq.h>
+ #include <linux/module.h>
+ #include <linux/component.h>
+ #include <linux/platform_device.h>
+@@ -233,6 +234,14 @@ struct msm_drm_private {
+ */
+ unsigned int hangcheck_period;
+
++ /** gpu_devfreq_config: Devfreq tuning config for the GPU. */
++ struct devfreq_simple_ondemand_data gpu_devfreq_config;
++
++ /**
++ * gpu_clamp_to_idle: Enable clamping to idle freq when inactive
++ */
++ bool gpu_clamp_to_idle;
++
+ /**
+ * disable_err_irq:
+ *
+diff --git a/drivers/gpu/drm/msm/msm_gpu.h b/drivers/gpu/drm/msm/msm_gpu.h
+index b39cd332751dc..a326b6d1adbe2 100644
+--- a/drivers/gpu/drm/msm/msm_gpu.h
++++ b/drivers/gpu/drm/msm/msm_gpu.h
+@@ -275,9 +275,6 @@ struct msm_gpu {
+
+ struct msm_gpu_state *crashstate;
+
+- /* Enable clamping to idle freq when inactive: */
+- bool clamp_to_idle;
+-
+ /* True if the hardware supports expanded apriv (a650 and newer) */
+ bool hw_apriv;
+
+diff --git a/drivers/gpu/drm/msm/msm_gpu_devfreq.c b/drivers/gpu/drm/msm/msm_gpu_devfreq.c
+index 85c443a37e4e8..1f4e2dd8e76dd 100644
+--- a/drivers/gpu/drm/msm/msm_gpu_devfreq.c
++++ b/drivers/gpu/drm/msm/msm_gpu_devfreq.c
+@@ -183,6 +183,7 @@ static bool has_devfreq(struct msm_gpu *gpu)
+ void msm_devfreq_init(struct msm_gpu *gpu)
+ {
+ struct msm_gpu_devfreq *df = &gpu->devfreq;
++ struct msm_drm_private *priv = gpu->dev->dev_private;
+
+ /* We need target support to do devfreq */
+ if (!gpu->funcs->gpu_busy)
+@@ -209,7 +210,7 @@ void msm_devfreq_init(struct msm_gpu *gpu)
+
+ df->devfreq = devm_devfreq_add_device(&gpu->pdev->dev,
+ &msm_devfreq_profile, DEVFREQ_GOV_SIMPLE_ONDEMAND,
+- NULL);
++ &priv->gpu_devfreq_config);
+
+ if (IS_ERR(df->devfreq)) {
+ DRM_DEV_ERROR(&gpu->pdev->dev, "Couldn't initialize GPU devfreq\n");
+@@ -358,10 +359,11 @@ static void msm_devfreq_idle_work(struct kthread_work *work)
+ struct msm_gpu_devfreq *df = container_of(work,
+ struct msm_gpu_devfreq, idle_work.work);
+ struct msm_gpu *gpu = container_of(df, struct msm_gpu, devfreq);
++ struct msm_drm_private *priv = gpu->dev->dev_private;
+
+ df->idle_time = ktime_get();
+
+- if (gpu->clamp_to_idle)
++ if (priv->gpu_clamp_to_idle)
+ dev_pm_qos_update_request(&df->idle_freq, 0);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 99bbf9d93d520dc183282da2f2c97dc2fd339a96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jan 2023 15:14:43 -0800
+Subject: drm/msm/gpu: Bypass PM QoS constraint for idle clamp
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit fadcc3ab1302d4e5baa32c272b658221f0066696 ]
+
+Change idle freq clamping back to the direct method, bypassing PM QoS
+requests. The problem with using PM QoS requests is they call
+(indirectly) the governors ->get_target_freq() which goes thru a
+get_dev_status() cycle. The problem comes when the GPU becomes active
+again and we remove the idle-clamp request, we go through another
+get_dev_status() cycle for the period that the GPU has been idle, which
+triggers the governor to lower the target freq excessively.
+
+This partially reverts commit 7c0ffcd40b16 ("drm/msm/gpu: Respect PM QoS
+constraints"), but preserves the use of boost QoS request, so that it
+will continue to play nicely with other QoS requests such as a cooling
+device. This also mostly undoes commit 78f815c1cf8f ("drm/msm: return the
+average load over the polling period")
+
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Patchwork: https://patchwork.freedesktop.org/patch/517785/
+Link: https://lore.kernel.org/r/20230110231447.1939101-3-robdclark@gmail.com
+Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
+Stable-dep-of: 8f32ddd87e49 ("drm/msm/gpu: Check the status of registration to PM QoS")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_gpu.h | 12 ++-
+ drivers/gpu/drm/msm/msm_gpu_devfreq.c | 135 +++++++++++---------------
+ 2 files changed, 65 insertions(+), 82 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_gpu.h b/drivers/gpu/drm/msm/msm_gpu.h
+index a326b6d1adbe2..5929ecaa1fcdc 100644
+--- a/drivers/gpu/drm/msm/msm_gpu.h
++++ b/drivers/gpu/drm/msm/msm_gpu.h
+@@ -109,11 +109,15 @@ struct msm_gpu_devfreq {
+ struct mutex lock;
+
+ /**
+- * idle_constraint:
++ * idle_freq:
+ *
+- * A PM QoS constraint to limit max freq while the GPU is idle.
++ * Shadow frequency used while the GPU is idle. From the PoV of
++ * the devfreq governor, we are continuing to sample busyness and
++ * adjust frequency while the GPU is idle, but we use this shadow
++ * value as the GPU is actually clamped to minimum frequency while
++ * it is inactive.
+ */
+- struct dev_pm_qos_request idle_freq;
++ unsigned long idle_freq;
+
+ /**
+ * boost_constraint:
+@@ -135,8 +139,6 @@ struct msm_gpu_devfreq {
+ /** idle_time: Time of last transition to idle: */
+ ktime_t idle_time;
+
+- struct devfreq_dev_status average_status;
+-
+ /**
+ * idle_work:
+ *
+diff --git a/drivers/gpu/drm/msm/msm_gpu_devfreq.c b/drivers/gpu/drm/msm/msm_gpu_devfreq.c
+index 1f4e2dd8e76dd..ae5380e2abf76 100644
+--- a/drivers/gpu/drm/msm/msm_gpu_devfreq.c
++++ b/drivers/gpu/drm/msm/msm_gpu_devfreq.c
+@@ -33,6 +33,16 @@ static int msm_devfreq_target(struct device *dev, unsigned long *freq,
+
+ trace_msm_gpu_freq_change(dev_pm_opp_get_freq(opp));
+
++ /*
++ * If the GPU is idle, devfreq is not aware, so just stash
++ * the new target freq (to use when we return to active)
++ */
++ if (df->idle_freq) {
++ df->idle_freq = *freq;
++ dev_pm_opp_put(opp);
++ return 0;
++ }
++
+ if (gpu->funcs->gpu_set_freq) {
+ mutex_lock(&df->lock);
+ gpu->funcs->gpu_set_freq(gpu, opp, df->suspended);
+@@ -48,15 +58,26 @@ static int msm_devfreq_target(struct device *dev, unsigned long *freq,
+
+ static unsigned long get_freq(struct msm_gpu *gpu)
+ {
++ struct msm_gpu_devfreq *df = &gpu->devfreq;
++
++ /*
++ * If the GPU is idle, use the shadow/saved freq to avoid
++ * confusing devfreq (which is unaware that we are switching
++ * to lowest freq until the device is active again)
++ */
++ if (df->idle_freq)
++ return df->idle_freq;
++
+ if (gpu->funcs->gpu_get_freq)
+ return gpu->funcs->gpu_get_freq(gpu);
+
+ return clk_get_rate(gpu->core_clk);
+ }
+
+-static void get_raw_dev_status(struct msm_gpu *gpu,
++static int msm_devfreq_get_dev_status(struct device *dev,
+ struct devfreq_dev_status *status)
+ {
++ struct msm_gpu *gpu = dev_to_gpu(dev);
+ struct msm_gpu_devfreq *df = &gpu->devfreq;
+ u64 busy_cycles, busy_time;
+ unsigned long sample_rate;
+@@ -72,7 +93,7 @@ static void get_raw_dev_status(struct msm_gpu *gpu,
+ if (df->suspended) {
+ mutex_unlock(&df->lock);
+ status->busy_time = 0;
+- return;
++ return 0;
+ }
+
+ busy_cycles = gpu->funcs->gpu_busy(gpu, &sample_rate);
+@@ -87,71 +108,6 @@ static void get_raw_dev_status(struct msm_gpu *gpu,
+ busy_time = ~0LU;
+
+ status->busy_time = busy_time;
+-}
+-
+-static void update_average_dev_status(struct msm_gpu *gpu,
+- const struct devfreq_dev_status *raw)
+-{
+- struct msm_gpu_devfreq *df = &gpu->devfreq;
+- const u32 polling_ms = df->devfreq->profile->polling_ms;
+- const u32 max_history_ms = polling_ms * 11 / 10;
+- struct devfreq_dev_status *avg = &df->average_status;
+- u64 avg_freq;
+-
+- /* simple_ondemand governor interacts poorly with gpu->clamp_to_idle.
+- * When we enforce the constraint on idle, it calls get_dev_status
+- * which would normally reset the stats. When we remove the
+- * constraint on active, it calls get_dev_status again where busy_time
+- * would be 0.
+- *
+- * To remedy this, we always return the average load over the past
+- * polling_ms.
+- */
+-
+- /* raw is longer than polling_ms or avg has no history */
+- if (div_u64(raw->total_time, USEC_PER_MSEC) >= polling_ms ||
+- !avg->total_time) {
+- *avg = *raw;
+- return;
+- }
+-
+- /* Truncate the oldest history first.
+- *
+- * Because we keep the history with a single devfreq_dev_status,
+- * rather than a list of devfreq_dev_status, we have to assume freq
+- * and load are the same over avg->total_time. We can scale down
+- * avg->busy_time and avg->total_time by the same factor to drop
+- * history.
+- */
+- if (div_u64(avg->total_time + raw->total_time, USEC_PER_MSEC) >=
+- max_history_ms) {
+- const u32 new_total_time = polling_ms * USEC_PER_MSEC -
+- raw->total_time;
+- avg->busy_time = div_u64(
+- mul_u32_u32(avg->busy_time, new_total_time),
+- avg->total_time);
+- avg->total_time = new_total_time;
+- }
+-
+- /* compute the average freq over avg->total_time + raw->total_time */
+- avg_freq = mul_u32_u32(avg->current_frequency, avg->total_time);
+- avg_freq += mul_u32_u32(raw->current_frequency, raw->total_time);
+- do_div(avg_freq, avg->total_time + raw->total_time);
+-
+- avg->current_frequency = avg_freq;
+- avg->busy_time += raw->busy_time;
+- avg->total_time += raw->total_time;
+-}
+-
+-static int msm_devfreq_get_dev_status(struct device *dev,
+- struct devfreq_dev_status *status)
+-{
+- struct msm_gpu *gpu = dev_to_gpu(dev);
+- struct devfreq_dev_status raw;
+-
+- get_raw_dev_status(gpu, &raw);
+- update_average_dev_status(gpu, &raw);
+- *status = gpu->devfreq.average_status;
+
+ return 0;
+ }
+@@ -191,9 +147,6 @@ void msm_devfreq_init(struct msm_gpu *gpu)
+
+ mutex_init(&df->lock);
+
+- dev_pm_qos_add_request(&gpu->pdev->dev, &df->idle_freq,
+- DEV_PM_QOS_MAX_FREQUENCY,
+- PM_QOS_MAX_FREQUENCY_DEFAULT_VALUE);
+ dev_pm_qos_add_request(&gpu->pdev->dev, &df->boost_freq,
+ DEV_PM_QOS_MIN_FREQUENCY, 0);
+
+@@ -214,7 +167,6 @@ void msm_devfreq_init(struct msm_gpu *gpu)
+
+ if (IS_ERR(df->devfreq)) {
+ DRM_DEV_ERROR(&gpu->pdev->dev, "Couldn't initialize GPU devfreq\n");
+- dev_pm_qos_remove_request(&df->idle_freq);
+ dev_pm_qos_remove_request(&df->boost_freq);
+ df->devfreq = NULL;
+ return;
+@@ -256,7 +208,6 @@ void msm_devfreq_cleanup(struct msm_gpu *gpu)
+
+ devfreq_cooling_unregister(gpu->cooling);
+ dev_pm_qos_remove_request(&df->boost_freq);
+- dev_pm_qos_remove_request(&df->idle_freq);
+ }
+
+ void msm_devfreq_resume(struct msm_gpu *gpu)
+@@ -329,6 +280,7 @@ void msm_devfreq_active(struct msm_gpu *gpu)
+ {
+ struct msm_gpu_devfreq *df = &gpu->devfreq;
+ unsigned int idle_time;
++ unsigned long target_freq;
+
+ if (!has_devfreq(gpu))
+ return;
+@@ -338,8 +290,28 @@ void msm_devfreq_active(struct msm_gpu *gpu)
+ */
+ cancel_idle_work(df);
+
++ /*
++ * Hold devfreq lock to synchronize with get_dev_status()/
++ * target() callbacks
++ */
++ mutex_lock(&df->devfreq->lock);
++
++ target_freq = df->idle_freq;
++
+ idle_time = ktime_to_ms(ktime_sub(ktime_get(), df->idle_time));
+
++ df->idle_freq = 0;
++
++ /*
++ * We could have become active again before the idle work had a
++ * chance to run, in which case the df->idle_freq would have
++ * still been zero. In this case, no need to change freq.
++ */
++ if (target_freq)
++ msm_devfreq_target(&gpu->pdev->dev, &target_freq, 0);
++
++ mutex_unlock(&df->devfreq->lock);
++
+ /*
+ * If we've been idle for a significant fraction of a polling
+ * interval, then we won't meet the threshold of busyness for
+@@ -348,9 +320,6 @@ void msm_devfreq_active(struct msm_gpu *gpu)
+ if (idle_time > msm_devfreq_profile.polling_ms) {
+ msm_devfreq_boost(gpu, 2);
+ }
+-
+- dev_pm_qos_update_request(&df->idle_freq,
+- PM_QOS_MAX_FREQUENCY_DEFAULT_VALUE);
+ }
+
+
+@@ -360,11 +329,23 @@ static void msm_devfreq_idle_work(struct kthread_work *work)
+ struct msm_gpu_devfreq, idle_work.work);
+ struct msm_gpu *gpu = container_of(df, struct msm_gpu, devfreq);
+ struct msm_drm_private *priv = gpu->dev->dev_private;
++ unsigned long idle_freq, target_freq = 0;
+
+- df->idle_time = ktime_get();
++ /*
++ * Hold devfreq lock to synchronize with get_dev_status()/
++ * target() callbacks
++ */
++ mutex_lock(&df->devfreq->lock);
++
++ idle_freq = get_freq(gpu);
+
+ if (priv->gpu_clamp_to_idle)
+- dev_pm_qos_update_request(&df->idle_freq, 0);
++ msm_devfreq_target(&gpu->pdev->dev, &target_freq, 0);
++
++ df->idle_time = ktime_get();
++ df->idle_freq = idle_freq;
++
++ mutex_unlock(&df->devfreq->lock);
+ }
+
+ void msm_devfreq_idle(struct msm_gpu *gpu)
+--
+2.43.0
+
--- /dev/null
+From 9652b5c72d941bad5aff38ca181c67ba7b76e998 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Oct 2024 12:18:11 +0100
+Subject: drm/msm/gpu: Check the status of registration to PM QoS
+
+From: Lukasz Luba <lukasz.luba@arm.com>
+
+[ Upstream commit 8f32ddd87e499ba6d2dc74ce30b6932baf1e1fc3 ]
+
+There is a need to check the returned value of the registration function.
+In case of returned error, print that and stop the init process.
+
+Fixes: 7c0ffcd40b16 ("drm/msm/gpu: Respect PM QoS constraints")
+Signed-off-by: Lukasz Luba <lukasz.luba@arm.com>
+Patchwork: https://patchwork.freedesktop.org/patch/620336/
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_gpu_devfreq.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_gpu_devfreq.c b/drivers/gpu/drm/msm/msm_gpu_devfreq.c
+index ae5380e2abf76..4e73b915fe1a2 100644
+--- a/drivers/gpu/drm/msm/msm_gpu_devfreq.c
++++ b/drivers/gpu/drm/msm/msm_gpu_devfreq.c
+@@ -140,6 +140,7 @@ void msm_devfreq_init(struct msm_gpu *gpu)
+ {
+ struct msm_gpu_devfreq *df = &gpu->devfreq;
+ struct msm_drm_private *priv = gpu->dev->dev_private;
++ int ret;
+
+ /* We need target support to do devfreq */
+ if (!gpu->funcs->gpu_busy)
+@@ -147,8 +148,12 @@ void msm_devfreq_init(struct msm_gpu *gpu)
+
+ mutex_init(&df->lock);
+
+- dev_pm_qos_add_request(&gpu->pdev->dev, &df->boost_freq,
+- DEV_PM_QOS_MIN_FREQUENCY, 0);
++ ret = dev_pm_qos_add_request(&gpu->pdev->dev, &df->boost_freq,
++ DEV_PM_QOS_MIN_FREQUENCY, 0);
++ if (ret < 0) {
++ DRM_DEV_ERROR(&gpu->pdev->dev, "Couldn't initialize QoS\n");
++ return;
++ }
+
+ msm_devfreq_profile.initial_freq = gpu->fast_rate;
+
+--
+2.43.0
+
--- /dev/null
+From 7b50452d05ee61c0d1d836a5ca567175757780ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2024 16:50:29 +0300
+Subject: drm/omap: Fix locking in omap_gem_new_dmabuf()
+
+From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+
+[ Upstream commit e6a1c4037227539373c8cf484ace83833e2ad6a2 ]
+
+omap_gem_new_dmabuf() creates the new gem object, and then takes and
+holds the omap_obj->lock for the rest of the function. This has two
+issues:
+
+- omap_gem_free_object(), which is called in the error paths, also takes
+ the same lock, leading to deadlock
+- Even if the above wouldn't happen, in the error cases
+ omap_gem_new_dmabuf() still unlocks omap_obj->lock, even after the
+ omap_obj has already been freed.
+
+Furthermore, I don't think there's any reason to take the lock at all,
+as the object was just created and not yet shared with anyone else.
+
+To fix all this, drop taking the lock.
+
+Fixes: 3cbd0c587b12 ("drm/omap: gem: Replace struct_mutex usage with omap_obj private lock")
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/all/511b99d7-aade-4f92-bd3e-63163a13d617@stanley.mountain/
+Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240806-omapdrm-misc-fixes-v1-3-15d31aea0831@ideasonboard.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/omapdrm/omap_gem.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/omapdrm/omap_gem.c b/drivers/gpu/drm/omapdrm/omap_gem.c
+index cf571796fd26e..8fdb12ce2f884 100644
+--- a/drivers/gpu/drm/omapdrm/omap_gem.c
++++ b/drivers/gpu/drm/omapdrm/omap_gem.c
+@@ -1408,8 +1408,6 @@ struct drm_gem_object *omap_gem_new_dmabuf(struct drm_device *dev, size_t size,
+
+ omap_obj = to_omap_bo(obj);
+
+- mutex_lock(&omap_obj->lock);
+-
+ omap_obj->sgt = sgt;
+
+ if (sgt->orig_nents == 1) {
+@@ -1424,21 +1422,17 @@ struct drm_gem_object *omap_gem_new_dmabuf(struct drm_device *dev, size_t size,
+ pages = kcalloc(npages, sizeof(*pages), GFP_KERNEL);
+ if (!pages) {
+ omap_gem_free_object(obj);
+- obj = ERR_PTR(-ENOMEM);
+- goto done;
++ return ERR_PTR(-ENOMEM);
+ }
+
+ omap_obj->pages = pages;
+ ret = drm_prime_sg_to_page_array(sgt, pages, npages);
+ if (ret) {
+ omap_gem_free_object(obj);
+- obj = ERR_PTR(-ENOMEM);
+- goto done;
++ return ERR_PTR(-ENOMEM);
+ }
+ }
+
+-done:
+- mutex_unlock(&omap_obj->lock);
+ return obj;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 5c8505d4ed0346e5e0fd0dedc8e7917f9df369d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2024 16:50:27 +0300
+Subject: drm/omap: Fix possible NULL dereference
+
+From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+
+[ Upstream commit a88fee2d67d9b78c24630a987a88ccf886b2498b ]
+
+smatch reports:
+
+drivers/gpu/drm/omapdrm/dss/base.c:176 omapdss_device_disconnect() error: we previously assumed 'src' could be null (see line 169)
+
+This code is mostly from a time when omapdrm had its own display device
+model. I can't honestly remember the details, and I don't think it's
+worth digging in deeply into that for a legacy driver.
+
+However, it looks like we only call omapdss_device_disconnect() and
+omapdss_device_connect() with NULL as the src parameter. We can thus
+drop the src parameter from both functions, and fix the smatch warning.
+
+I don't think omapdss_device_disconnect() ever gets NULL for the dst
+parameter (if it did, we'd crash soon after returning from the
+function), but I have kept the !dst check, just in case, but I added a
+WARN_ON() there.
+
+Also, if the dst parameter can be NULL, we can't always get the struct
+dss_device pointer from dst->dss (which is only used for a debug print).
+To make sure we can't hit that issue, do it similarly to the
+omapdss_device_connect() function: add 'struct dss_device *dss' as the
+first parameter, so that we always have it regardless of the dst.
+
+Fixes: 79107f274b2f ("drm/omap: Add support for drm_bridge")
+Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240806-omapdrm-misc-fixes-v1-1-15d31aea0831@ideasonboard.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/omapdrm/dss/base.c | 25 ++++++-------------------
+ drivers/gpu/drm/omapdrm/dss/omapdss.h | 3 +--
+ drivers/gpu/drm/omapdrm/omap_drv.c | 4 ++--
+ 3 files changed, 9 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/gpu/drm/omapdrm/dss/base.c b/drivers/gpu/drm/omapdrm/dss/base.c
+index 050ca7eafac58..556e0f9026bed 100644
+--- a/drivers/gpu/drm/omapdrm/dss/base.c
++++ b/drivers/gpu/drm/omapdrm/dss/base.c
+@@ -139,21 +139,13 @@ static bool omapdss_device_is_connected(struct omap_dss_device *dssdev)
+ }
+
+ int omapdss_device_connect(struct dss_device *dss,
+- struct omap_dss_device *src,
+ struct omap_dss_device *dst)
+ {
+- dev_dbg(&dss->pdev->dev, "connect(%s, %s)\n",
+- src ? dev_name(src->dev) : "NULL",
++ dev_dbg(&dss->pdev->dev, "connect(%s)\n",
+ dst ? dev_name(dst->dev) : "NULL");
+
+- if (!dst) {
+- /*
+- * The destination is NULL when the source is connected to a
+- * bridge instead of a DSS device. Stop here, we will attach
+- * the bridge later when we will have a DRM encoder.
+- */
+- return src && src->bridge ? 0 : -EINVAL;
+- }
++ if (!dst)
++ return -EINVAL;
+
+ if (omapdss_device_is_connected(dst))
+ return -EBUSY;
+@@ -163,19 +155,14 @@ int omapdss_device_connect(struct dss_device *dss,
+ return 0;
+ }
+
+-void omapdss_device_disconnect(struct omap_dss_device *src,
++void omapdss_device_disconnect(struct dss_device *dss,
+ struct omap_dss_device *dst)
+ {
+- struct dss_device *dss = src ? src->dss : dst->dss;
+-
+- dev_dbg(&dss->pdev->dev, "disconnect(%s, %s)\n",
+- src ? dev_name(src->dev) : "NULL",
++ dev_dbg(&dss->pdev->dev, "disconnect(%s)\n",
+ dst ? dev_name(dst->dev) : "NULL");
+
+- if (!dst) {
+- WARN_ON(!src->bridge);
++ if (WARN_ON(!dst))
+ return;
+- }
+
+ if (!dst->id && !omapdss_device_is_connected(dst)) {
+ WARN_ON(1);
+diff --git a/drivers/gpu/drm/omapdrm/dss/omapdss.h b/drivers/gpu/drm/omapdrm/dss/omapdss.h
+index 040d5a3e33d68..4c22c09c93d52 100644
+--- a/drivers/gpu/drm/omapdrm/dss/omapdss.h
++++ b/drivers/gpu/drm/omapdrm/dss/omapdss.h
+@@ -242,9 +242,8 @@ struct omap_dss_device *omapdss_device_get(struct omap_dss_device *dssdev);
+ void omapdss_device_put(struct omap_dss_device *dssdev);
+ struct omap_dss_device *omapdss_find_device_by_node(struct device_node *node);
+ int omapdss_device_connect(struct dss_device *dss,
+- struct omap_dss_device *src,
+ struct omap_dss_device *dst);
+-void omapdss_device_disconnect(struct omap_dss_device *src,
++void omapdss_device_disconnect(struct dss_device *dss,
+ struct omap_dss_device *dst);
+
+ int omap_dss_get_num_overlay_managers(void);
+diff --git a/drivers/gpu/drm/omapdrm/omap_drv.c b/drivers/gpu/drm/omapdrm/omap_drv.c
+index cc3bb0f6435b8..b6e461a3f7a2f 100644
+--- a/drivers/gpu/drm/omapdrm/omap_drv.c
++++ b/drivers/gpu/drm/omapdrm/omap_drv.c
+@@ -307,7 +307,7 @@ static void omap_disconnect_pipelines(struct drm_device *ddev)
+ for (i = 0; i < priv->num_pipes; i++) {
+ struct omap_drm_pipeline *pipe = &priv->pipes[i];
+
+- omapdss_device_disconnect(NULL, pipe->output);
++ omapdss_device_disconnect(priv->dss, pipe->output);
+
+ omapdss_device_put(pipe->output);
+ pipe->output = NULL;
+@@ -325,7 +325,7 @@ static int omap_connect_pipelines(struct drm_device *ddev)
+ int r;
+
+ for_each_dss_output(output) {
+- r = omapdss_device_connect(priv->dss, NULL, output);
++ r = omapdss_device_connect(priv->dss, output);
+ if (r == -EPROBE_DEFER) {
+ omapdss_device_put(output);
+ return r;
+--
+2.43.0
+
--- /dev/null
+From c3dfa80646d4ccf5b924eb95a47fd9011a8dd4c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2024 15:00:07 +0100
+Subject: drm/panfrost: Remove unused id_mask from struct panfrost_model
+
+From: Steven Price <steven.price@arm.com>
+
+[ Upstream commit 581d1f8248550f2b67847e6d84f29fbe3751ea0a ]
+
+The id_mask field of struct panfrost_model has never been used.
+
+Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver")
+Signed-off-by: Steven Price <steven.price@arm.com>
+Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241025140008.385081-1-steven.price@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panfrost/panfrost_gpu.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/panfrost/panfrost_gpu.c b/drivers/gpu/drm/panfrost/panfrost_gpu.c
+index 40b6314459926..62722d9ff8eb5 100644
+--- a/drivers/gpu/drm/panfrost/panfrost_gpu.c
++++ b/drivers/gpu/drm/panfrost/panfrost_gpu.c
+@@ -157,7 +157,6 @@ static void panfrost_gpu_init_quirks(struct panfrost_device *pfdev)
+ struct panfrost_model {
+ const char *name;
+ u32 id;
+- u32 id_mask;
+ u64 features;
+ u64 issues;
+ struct {
+--
+2.43.0
+
--- /dev/null
+From a27ae17b4281f2a6842ded3abdf5fa100d6bf9a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Sep 2024 10:55:05 -0300
+Subject: drm/v3d: Address race-condition in MMU flush
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit cf1becb7f996a0a23ea2c270cf6bb0911ec3ca1a ]
+
+We must first flush the MMU cache and then, flush the TLB, not the other
+way around. Currently, we can see a race condition between the MMU cache
+and the TLB when running multiple rendering processes at the same time.
+This is evidenced by MMU errors triggered by the IRQ.
+
+Fix the MMU flush order by flushing the MMU cache and then the TLB.
+Also, in order to address the race condition, wait for the MMU cache flush
+to finish before starting the TLB flush.
+
+Fixes: 57692c94dcbe ("drm/v3d: Introduce a new DRM driver for Broadcom V3D V3.x+")
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Reviewed-by: Iago Toral Quiroga <itoral@igalia.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240923141348.2422499-2-mcanal@igalia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/v3d/v3d_mmu.c | 29 ++++++++++-------------------
+ 1 file changed, 10 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/gpu/drm/v3d/v3d_mmu.c b/drivers/gpu/drm/v3d/v3d_mmu.c
+index 5a453532901f1..166d4a88daee5 100644
+--- a/drivers/gpu/drm/v3d/v3d_mmu.c
++++ b/drivers/gpu/drm/v3d/v3d_mmu.c
+@@ -34,32 +34,23 @@ static int v3d_mmu_flush_all(struct v3d_dev *v3d)
+ {
+ int ret;
+
+- /* Make sure that another flush isn't already running when we
+- * start this one.
+- */
+- ret = wait_for(!(V3D_READ(V3D_MMU_CTL) &
+- V3D_MMU_CTL_TLB_CLEARING), 100);
+- if (ret)
+- dev_err(v3d->drm.dev, "TLB clear wait idle pre-wait failed\n");
+-
+- V3D_WRITE(V3D_MMU_CTL, V3D_READ(V3D_MMU_CTL) |
+- V3D_MMU_CTL_TLB_CLEAR);
+-
+- V3D_WRITE(V3D_MMUC_CONTROL,
+- V3D_MMUC_CONTROL_FLUSH |
++ V3D_WRITE(V3D_MMUC_CONTROL, V3D_MMUC_CONTROL_FLUSH |
+ V3D_MMUC_CONTROL_ENABLE);
+
+- ret = wait_for(!(V3D_READ(V3D_MMU_CTL) &
+- V3D_MMU_CTL_TLB_CLEARING), 100);
++ ret = wait_for(!(V3D_READ(V3D_MMUC_CONTROL) &
++ V3D_MMUC_CONTROL_FLUSHING), 100);
+ if (ret) {
+- dev_err(v3d->drm.dev, "TLB clear wait idle failed\n");
++ dev_err(v3d->drm.dev, "MMUC flush wait idle failed\n");
+ return ret;
+ }
+
+- ret = wait_for(!(V3D_READ(V3D_MMUC_CONTROL) &
+- V3D_MMUC_CONTROL_FLUSHING), 100);
++ V3D_WRITE(V3D_MMU_CTL, V3D_READ(V3D_MMU_CTL) |
++ V3D_MMU_CTL_TLB_CLEAR);
++
++ ret = wait_for(!(V3D_READ(V3D_MMU_CTL) &
++ V3D_MMU_CTL_TLB_CLEARING), 100);
+ if (ret)
+- dev_err(v3d->drm.dev, "MMUC flush wait idle failed\n");
++ dev_err(v3d->drm.dev, "MMU TLB clear wait idle failed\n");
+
+ return ret;
+ }
+--
+2.43.0
+
--- /dev/null
+From d8277ece1978f7891d8dda9cdffa7d6cdcb2a054 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Jun 2024 16:20:40 +0100
+Subject: drm/vc4: hdmi: Avoid hang with debug registers when suspended
+
+From: Dom Cobley <popcornmix@gmail.com>
+
+[ Upstream commit 223ee2567a55e4f80315c768d2969e6a3b9fb23d ]
+
+Trying to read /sys/kernel/debug/dri/1/hdmi1_regs
+when the hdmi is disconnected results in a fatal system hang.
+
+This is due to the pm suspend code disabling the dvp clock.
+That is just a gate of the 108MHz clock in DVP_HT_RPI_MISC_CONFIG,
+which results in accesses hanging AXI bus.
+
+Protect against this.
+
+Fixes: 25eb441d55d4 ("drm/vc4: hdmi: Add all the vc5 HDMI registers into the debugfs dumps")
+Signed-off-by: Dom Cobley <popcornmix@gmail.com>
+Reviewed-by: Maxime Ripard <mripard@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240621152055.4180873-17-dave.stevenson@raspberrypi.com
+Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_hdmi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c
+index 971801acbde60..649fd5c03f21d 100644
+--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
+@@ -170,6 +170,8 @@ static int vc4_hdmi_debugfs_regs(struct seq_file *m, void *unused)
+ if (!drm_dev_enter(drm, &idx))
+ return -ENODEV;
+
++ WARN_ON(pm_runtime_resume_and_get(&vc4_hdmi->pdev->dev));
++
+ drm_print_regset32(&p, &vc4_hdmi->hdmi_regset);
+ drm_print_regset32(&p, &vc4_hdmi->hd_regset);
+ drm_print_regset32(&p, &vc4_hdmi->cec_regset);
+@@ -179,6 +181,8 @@ static int vc4_hdmi_debugfs_regs(struct seq_file *m, void *unused)
+ drm_print_regset32(&p, &vc4_hdmi->ram_regset);
+ drm_print_regset32(&p, &vc4_hdmi->rm_regset);
+
++ pm_runtime_put(&vc4_hdmi->pdev->dev);
++
+ drm_dev_exit(idx);
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 4fe05a4e4f80b5777c078921033beb873056714e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Jun 2024 16:20:55 +0100
+Subject: drm/vc4: hvs: Correct logic on stopping an HVS channel
+
+From: Dave Stevenson <dave.stevenson@raspberrypi.com>
+
+[ Upstream commit 7ab6512e7942889c0962588355cb92424a690be6 ]
+
+When factoring out __vc4_hvs_stop_channel, the logic got inverted from
+ if (condition)
+ // stop channel
+to
+ if (condition)
+ goto out
+ //stop channel
+ out:
+and also changed the exact register writes used to stop the channel.
+
+Correct the logic so that the channel is actually stopped, and revert
+to the original register writes.
+
+Fixes: 6d01a106b4c8 ("drm/vc4: crtc: Move HVS init and close to a function")
+Reviewed-by: Maxime Ripard <mripard@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240621152055.4180873-32-dave.stevenson@raspberrypi.com
+Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_hvs.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_hvs.c b/drivers/gpu/drm/vc4/vc4_hvs.c
+index 44b31d02c8eef..82c8eda2d4358 100644
+--- a/drivers/gpu/drm/vc4/vc4_hvs.c
++++ b/drivers/gpu/drm/vc4/vc4_hvs.c
+@@ -418,13 +418,11 @@ void vc4_hvs_stop_channel(struct vc4_hvs *hvs, unsigned int chan)
+ if (!drm_dev_enter(drm, &idx))
+ return;
+
+- if (HVS_READ(SCALER_DISPCTRLX(chan)) & SCALER_DISPCTRLX_ENABLE)
++ if (!(HVS_READ(SCALER_DISPCTRLX(chan)) & SCALER_DISPCTRLX_ENABLE))
+ goto out;
+
+- HVS_WRITE(SCALER_DISPCTRLX(chan),
+- HVS_READ(SCALER_DISPCTRLX(chan)) | SCALER_DISPCTRLX_RESET);
+- HVS_WRITE(SCALER_DISPCTRLX(chan),
+- HVS_READ(SCALER_DISPCTRLX(chan)) & ~SCALER_DISPCTRLX_ENABLE);
++ HVS_WRITE(SCALER_DISPCTRLX(chan), SCALER_DISPCTRLX_RESET);
++ HVS_WRITE(SCALER_DISPCTRLX(chan), 0);
+
+ /* Once we leave, the scaler should be disabled and its fifo empty. */
+ WARN_ON_ONCE(HVS_READ(SCALER_DISPCTRLX(chan)) & SCALER_DISPCTRLX_RESET);
+--
+2.43.0
+
--- /dev/null
+From 513af2ef94b9bee54d936d7e5c0c8267254b6c93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Jun 2024 16:20:38 +0100
+Subject: drm/vc4: hvs: Don't write gamma luts on 2711
+
+From: Dave Stevenson <dave.stevenson@raspberrypi.com>
+
+[ Upstream commit 52efe364d1968ee3e3ed45eb44eb924b63635315 ]
+
+The gamma block has changed in 2711, therefore writing the lut
+in vc4_hvs_lut_load is incorrect.
+
+Whilst the gamma property isn't created for 2711, it is called
+from vc4_hvs_init_channel, so abort if attempted.
+
+Fixes: c54619b0bfb3 ("drm/vc4: Add support for the BCM2711 HVS5")
+Reviewed-by: Maxime Ripard <mripard@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240621152055.4180873-15-dave.stevenson@raspberrypi.com
+Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_hvs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_hvs.c b/drivers/gpu/drm/vc4/vc4_hvs.c
+index 47990ecbfc4df..cf017b59114e9 100644
+--- a/drivers/gpu/drm/vc4/vc4_hvs.c
++++ b/drivers/gpu/drm/vc4/vc4_hvs.c
+@@ -220,6 +220,9 @@ static void vc4_hvs_lut_load(struct vc4_hvs *hvs,
+ if (!drm_dev_enter(drm, &idx))
+ return;
+
++ if (hvs->vc4->is_vc5)
++ return;
++
+ /* The LUT memory is laid out with each HVS channel in order,
+ * each of which takes 256 writes for R, 256 for G, then 256
+ * for B.
+--
+2.43.0
+
--- /dev/null
+From 92381f1d72410a632f32b9d0147ec16639ca2fd3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Jun 2024 16:20:41 +0100
+Subject: drm/vc4: hvs: Fix dlist debug not resetting the next entry pointer
+
+From: Dave Stevenson <dave.stevenson@raspberrypi.com>
+
+[ Upstream commit 6d5f76e0544b04ec5bdd2a09c19d90aeeb2cd479 ]
+
+The debug function to display the dlists didn't reset next_entry_start
+when starting each display, so resulting in not stopping the
+list at the correct place.
+
+Fixes: c6dac00340fc ("drm/vc4: hvs: Add debugfs node that dumps the current display lists")
+Reviewed-by: Maxime Ripard <mripard@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240621152055.4180873-18-dave.stevenson@raspberrypi.com
+Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_hvs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_hvs.c b/drivers/gpu/drm/vc4/vc4_hvs.c
+index cf017b59114e9..a049899a17636 100644
+--- a/drivers/gpu/drm/vc4/vc4_hvs.c
++++ b/drivers/gpu/drm/vc4/vc4_hvs.c
+@@ -108,7 +108,7 @@ static int vc4_hvs_debugfs_dlist(struct seq_file *m, void *data)
+ struct vc4_dev *vc4 = to_vc4_dev(dev);
+ struct vc4_hvs *hvs = vc4->hvs;
+ struct drm_printer p = drm_seq_file_printer(m);
+- unsigned int next_entry_start = 0;
++ unsigned int next_entry_start;
+ unsigned int i, j;
+ u32 dlist_word, dispstat;
+
+@@ -122,6 +122,7 @@ static int vc4_hvs_debugfs_dlist(struct seq_file *m, void *data)
+ }
+
+ drm_printf(&p, "HVS chan %u:\n", i);
++ next_entry_start = 0;
+
+ for (j = HVS_READ(SCALER_DISPLISTX(i)); j < 256; j++) {
+ dlist_word = readl((u32 __iomem *)vc4->hvs->dlist + j);
+--
+2.43.0
+
--- /dev/null
+From 5453c9c33cc3eb95aac67c062294b12740408bc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Jun 2024 16:20:42 +0100
+Subject: drm/vc4: hvs: Remove incorrect limit from hvs_dlist debugfs function
+
+From: Dave Stevenson <dave.stevenson@raspberrypi.com>
+
+[ Upstream commit d285bb622ebdfaa84f51df3a1abccb87036157ea ]
+
+The debugfs function to dump dlists aborted at 256 bytes,
+when actually the dlist memory is generally significantly
+larger but varies based on SoC.
+
+We already have the correct limit in __vc4_hvs_alloc, so
+store it for use in the debugfs dlist function.
+
+Fixes: c6dac00340fc ("drm/vc4: hvs: Add debugfs node that dumps the current display lists")
+Reviewed-by: Maxime Ripard <mripard@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240621152055.4180873-19-dave.stevenson@raspberrypi.com
+Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_drv.h | 1 +
+ drivers/gpu/drm/vc4/vc4_hvs.c | 6 ++++--
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_drv.h b/drivers/gpu/drm/vc4/vc4_drv.h
+index 418a8242691f2..7700e8dfd5f26 100644
+--- a/drivers/gpu/drm/vc4/vc4_drv.h
++++ b/drivers/gpu/drm/vc4/vc4_drv.h
+@@ -323,6 +323,7 @@ struct vc4_hvs {
+ struct platform_device *pdev;
+ void __iomem *regs;
+ u32 __iomem *dlist;
++ unsigned int dlist_mem_size;
+
+ struct clk *core_clk;
+
+diff --git a/drivers/gpu/drm/vc4/vc4_hvs.c b/drivers/gpu/drm/vc4/vc4_hvs.c
+index a049899a17636..44b31d02c8eef 100644
+--- a/drivers/gpu/drm/vc4/vc4_hvs.c
++++ b/drivers/gpu/drm/vc4/vc4_hvs.c
+@@ -108,6 +108,7 @@ static int vc4_hvs_debugfs_dlist(struct seq_file *m, void *data)
+ struct vc4_dev *vc4 = to_vc4_dev(dev);
+ struct vc4_hvs *hvs = vc4->hvs;
+ struct drm_printer p = drm_seq_file_printer(m);
++ unsigned int dlist_mem_size = hvs->dlist_mem_size;
+ unsigned int next_entry_start;
+ unsigned int i, j;
+ u32 dlist_word, dispstat;
+@@ -124,7 +125,7 @@ static int vc4_hvs_debugfs_dlist(struct seq_file *m, void *data)
+ drm_printf(&p, "HVS chan %u:\n", i);
+ next_entry_start = 0;
+
+- for (j = HVS_READ(SCALER_DISPLISTX(i)); j < 256; j++) {
++ for (j = HVS_READ(SCALER_DISPLISTX(i)); j < dlist_mem_size; j++) {
+ dlist_word = readl((u32 __iomem *)vc4->hvs->dlist + j);
+ drm_printf(&p, "dlist: %02d: 0x%08x\n", j,
+ dlist_word);
+@@ -827,9 +828,10 @@ static int vc4_hvs_bind(struct device *dev, struct device *master, void *data)
+ * our 16K), since we don't want to scramble the screen when
+ * transitioning from the firmware's boot setup to runtime.
+ */
++ hvs->dlist_mem_size = (SCALER_DLIST_SIZE >> 2) - HVS_BOOTLOADER_DLIST_END;
+ drm_mm_init(&hvs->dlist_mm,
+ HVS_BOOTLOADER_DLIST_END,
+- (SCALER_DLIST_SIZE >> 2) - HVS_BOOTLOADER_DLIST_END);
++ hvs->dlist_mem_size);
+
+ /* Set up the HVS LBM memory manager. We could have some more
+ * complicated data structure that allowed reuse of LBM areas
+--
+2.43.0
+
--- /dev/null
+From 3ad08c1dbd87908132313868bd503ab023f51014 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2024 14:59:41 +0100
+Subject: dt-bindings: clock: axi-clkgen: include AXI clk
+
+From: Nuno Sa <nuno.sa@analog.com>
+
+[ Upstream commit 47f3f5a82a31527e027929c5cec3dd1ef5ef30f5 ]
+
+In order to access the registers of the HW, we need to make sure that
+the AXI bus clock is enabled. Hence let's increase the number of clocks
+by one and add clock-names to differentiate between parent clocks and
+the bus clock.
+
+Fixes: 0e646c52cf0e ("clk: Add axi-clkgen driver")
+Signed-off-by: Nuno Sa <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20241029-axi-clkgen-fix-axiclk-v2-1-bc5e0733ad76@analog.com
+Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../bindings/clock/adi,axi-clkgen.yaml | 22 +++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/clock/adi,axi-clkgen.yaml b/Documentation/devicetree/bindings/clock/adi,axi-clkgen.yaml
+index 983033fe5b177..592285f616f57 100644
+--- a/Documentation/devicetree/bindings/clock/adi,axi-clkgen.yaml
++++ b/Documentation/devicetree/bindings/clock/adi,axi-clkgen.yaml
+@@ -26,9 +26,21 @@ properties:
+ description:
+ Specifies the reference clock(s) from which the output frequency is
+ derived. This must either reference one clock if only the first clock
+- input is connected or two if both clock inputs are connected.
+- minItems: 1
+- maxItems: 2
++ input is connected or two if both clock inputs are connected. The last
++ clock is the AXI bus clock that needs to be enabled so we can access the
++ core registers.
++ minItems: 2
++ maxItems: 3
++
++ clock-names:
++ oneOf:
++ - items:
++ - const: clkin1
++ - const: s_axi_aclk
++ - items:
++ - const: clkin1
++ - const: clkin2
++ - const: s_axi_aclk
+
+ '#clock-cells':
+ const: 0
+@@ -40,6 +52,7 @@ required:
+ - compatible
+ - reg
+ - clocks
++ - clock-names
+ - '#clock-cells'
+
+ additionalProperties: false
+@@ -50,5 +63,6 @@ examples:
+ compatible = "adi,axi-clkgen-2.00.a";
+ #clock-cells = <0>;
+ reg = <0xff000000 0x1000>;
+- clocks = <&osc 1>;
++ clocks = <&osc 1>, <&clkc 15>;
++ clock-names = "clkin1", "s_axi_aclk";
+ };
+--
+2.43.0
+
--- /dev/null
+From b6465375133b54250144c22edbd21155c7d01190 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Sep 2024 17:52:39 +0300
+Subject: dt-bindings: vendor-prefixes: Add NeoFidelity, Inc
+
+From: Igor Prusov <ivprusov@salutedevices.com>
+
+[ Upstream commit 5d9e6d6fc1b98c8c22d110ee931b3b233d43cd13 ]
+
+Add vendor prefix for NeoFidelity, Inc
+
+Signed-off-by: Igor Prusov <ivprusov@salutedevices.com>
+Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://patch.msgid.link/20240925-ntp-amps-8918-8835-v3-1-e2459a8191a6@salutedevices.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/devicetree/bindings/vendor-prefixes.yaml | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Documentation/devicetree/bindings/vendor-prefixes.yaml b/Documentation/devicetree/bindings/vendor-prefixes.yaml
+index 6e323a380294a..77e9413cdee07 100644
+--- a/Documentation/devicetree/bindings/vendor-prefixes.yaml
++++ b/Documentation/devicetree/bindings/vendor-prefixes.yaml
+@@ -869,6 +869,8 @@ patternProperties:
+ description: National Semiconductor
+ "^nec,.*":
+ description: NEC LCD Technologies, Ltd.
++ "^neofidelity,.*":
++ description: Neofidelity Inc.
+ "^neonode,.*":
+ description: Neonode Inc.
+ "^netgear,.*":
+--
+2.43.0
+
--- /dev/null
+From 4a8d6a0fc21d294f2a6fb2e62f3bd1ef2b8272e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2024 11:10:56 -0400
+Subject: EDAC/bluefield: Fix potential integer overflow
+
+From: David Thompson <davthompson@nvidia.com>
+
+[ Upstream commit 1fe774a93b46bb029b8f6fa9d1f25affa53f06c6 ]
+
+The 64-bit argument for the "get DIMM info" SMC call consists of mem_ctrl_idx
+left-shifted 16 bits and OR-ed with DIMM index. With mem_ctrl_idx defined as
+32-bits wide the left-shift operation truncates the upper 16 bits of
+information during the calculation of the SMC argument.
+
+The mem_ctrl_idx stack variable must be defined as 64-bits wide to prevent any
+potential integer overflow, i.e. loss of data from upper 16 bits.
+
+Fixes: 82413e562ea6 ("EDAC, mellanox: Add ECC support for BlueField DDR4")
+Signed-off-by: David Thompson <davthompson@nvidia.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Shravan Kumar Ramani <shravankr@nvidia.com>
+Link: https://lore.kernel.org/r/20240930151056.10158-1-davthompson@nvidia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/bluefield_edac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/edac/bluefield_edac.c b/drivers/edac/bluefield_edac.c
+index e4736eb37bfb3..0ef0489827682 100644
+--- a/drivers/edac/bluefield_edac.c
++++ b/drivers/edac/bluefield_edac.c
+@@ -180,7 +180,7 @@ static void bluefield_edac_check(struct mem_ctl_info *mci)
+ static void bluefield_edac_init_dimms(struct mem_ctl_info *mci)
+ {
+ struct bluefield_edac_priv *priv = mci->pvt_info;
+- int mem_ctrl_idx = mci->mc_idx;
++ u64 mem_ctrl_idx = mci->mc_idx;
+ struct dimm_info *dimm;
+ u64 smc_info, smc_arg;
+ int is_empty = 1, i;
+--
+2.43.0
+
--- /dev/null
+From b4bb9664b8e9b58c799a42af21b74f62b45feb07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2024 16:31:11 -0400
+Subject: EDAC/fsl_ddr: Fix bad bit shift operations
+
+From: Priyanka Singh <priyanka.singh@nxp.com>
+
+[ Upstream commit 9ec22ac4fe766c6abba845290d5139a3fbe0153b ]
+
+Fix undefined behavior caused by left-shifting a negative value in the
+expression:
+
+ cap_high ^ (1 << (bad_data_bit - 32))
+
+The variable bad_data_bit ranges from 0 to 63. When it is less than 32,
+bad_data_bit - 32 becomes negative, and left-shifting by a negative
+value in C is undefined behavior.
+
+Fix this by combining cap_high and cap_low into a 64-bit variable.
+
+ [ bp: Massage commit message, simplify error bits handling. ]
+
+Fixes: ea2eb9a8b620 ("EDAC, fsl-ddr: Separate FSL DDR driver from MPC85xx")
+Signed-off-by: Priyanka Singh <priyanka.singh@nxp.com>
+Signed-off-by: Li Yang <leoyang.li@nxp.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/r/20241016-imx95_edac-v3-3-86ae6fc2756a@nxp.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/fsl_ddr_edac.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/edac/fsl_ddr_edac.c b/drivers/edac/fsl_ddr_edac.c
+index ac2102b257062..2fea9569927b2 100644
+--- a/drivers/edac/fsl_ddr_edac.c
++++ b/drivers/edac/fsl_ddr_edac.c
+@@ -329,21 +329,25 @@ static void fsl_mc_check(struct mem_ctl_info *mci)
+ * TODO: Add support for 32-bit wide buses
+ */
+ if ((err_detect & DDR_EDE_SBE) && (bus_width == 64)) {
++ u64 cap = (u64)cap_high << 32 | cap_low;
++ u32 s = syndrome;
++
+ sbe_ecc_decode(cap_high, cap_low, syndrome,
+ &bad_data_bit, &bad_ecc_bit);
+
+- if (bad_data_bit != -1)
+- fsl_mc_printk(mci, KERN_ERR,
+- "Faulty Data bit: %d\n", bad_data_bit);
+- if (bad_ecc_bit != -1)
+- fsl_mc_printk(mci, KERN_ERR,
+- "Faulty ECC bit: %d\n", bad_ecc_bit);
++ if (bad_data_bit >= 0) {
++ fsl_mc_printk(mci, KERN_ERR, "Faulty Data bit: %d\n", bad_data_bit);
++ cap ^= 1ULL << bad_data_bit;
++ }
++
++ if (bad_ecc_bit >= 0) {
++ fsl_mc_printk(mci, KERN_ERR, "Faulty ECC bit: %d\n", bad_ecc_bit);
++ s ^= 1 << bad_ecc_bit;
++ }
+
+ fsl_mc_printk(mci, KERN_ERR,
+ "Expected Data / ECC:\t%#8.8x_%08x / %#2.2x\n",
+- cap_high ^ (1 << (bad_data_bit - 32)),
+- cap_low ^ (1 << bad_data_bit),
+- syndrome ^ (1 << bad_ecc_bit));
++ upper_32_bits(cap), lower_32_bits(cap), s);
+ }
+
+ fsl_mc_printk(mci, KERN_ERR,
+--
+2.43.0
+
--- /dev/null
+From a773b1bc988e4ae70a5cd3013fd5934247a9feb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Nov 2024 12:40:52 +0000
+Subject: EDAC/igen6: Avoid segmentation fault on module unload
+
+From: Orange Kao <orange@aiven.io>
+
+[ Upstream commit fefaae90398d38a1100ccd73b46ab55ff4610fba ]
+
+The segmentation fault happens because:
+
+During modprobe:
+1. In igen6_probe(), igen6_pvt will be allocated with kzalloc()
+2. In igen6_register_mci(), mci->pvt_info will point to
+ &igen6_pvt->imc[mc]
+
+During rmmod:
+1. In mci_release() in edac_mc.c, it will kfree(mci->pvt_info)
+2. In igen6_remove(), it will kfree(igen6_pvt);
+
+Fix this issue by setting mci->pvt_info to NULL to avoid the double
+kfree.
+
+Fixes: 10590a9d4f23 ("EDAC/igen6: Add EDAC driver for Intel client SoCs using IBECC")
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219360
+Signed-off-by: Orange Kao <orange@aiven.io>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Link: https://lore.kernel.org/r/20241104124237.124109-2-orange@aiven.io
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/igen6_edac.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/edac/igen6_edac.c b/drivers/edac/igen6_edac.c
+index 74c5aad1f6081..0ab8642c4e55a 100644
+--- a/drivers/edac/igen6_edac.c
++++ b/drivers/edac/igen6_edac.c
+@@ -1075,6 +1075,7 @@ static int igen6_register_mci(int mc, u64 mchbar, struct pci_dev *pdev)
+ imc->mci = mci;
+ return 0;
+ fail3:
++ mci->pvt_info = NULL;
+ kfree(mci->ctl_name);
+ fail2:
+ edac_mc_free(mci);
+@@ -1099,6 +1100,7 @@ static void igen6_unregister_mcis(void)
+
+ edac_mc_del_mc(mci->pdev);
+ kfree(mci->ctl_name);
++ mci->pvt_info = NULL;
+ edac_mc_free(mci);
+ iounmap(imc->window);
+ }
+--
+2.43.0
+
--- /dev/null
+From fdf0089b7a7c7564618686438a8a7a5365c56ad2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Oct 2024 00:15:56 +0200
+Subject: ext4: avoid remount errors with 'abort' mount option
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 76486b104168ae59703190566e372badf433314b ]
+
+When we remount filesystem with 'abort' mount option while changing
+other mount options as well (as is LTP test doing), we can return error
+from the system call after commit d3476f3dad4a ("ext4: don't set
+SB_RDONLY after filesystem errors") because the application of mount
+option changes detects shutdown filesystem and refuses to do anything.
+The behavior of application of other mount options in presence of
+'abort' mount option is currently rather arbitary as some mount option
+changes are handled before 'abort' and some after it.
+
+Move aborting of the filesystem to the end of remount handling so all
+requested changes are properly applied before the filesystem is shutdown
+to have a reasonably consistent behavior.
+
+Fixes: d3476f3dad4a ("ext4: don't set SB_RDONLY after filesystem errors")
+Reported-by: Jan Stancek <jstancek@redhat.com>
+Link: https://lore.kernel.org/all/Zvp6L+oFnfASaoHl@t14s
+Signed-off-by: Jan Kara <jack@suse.cz>
+Tested-by: Jan Stancek <jstancek@redhat.com>
+Link: https://patch.msgid.link/20241004221556.19222-1-jack@suse.cz
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/super.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index 6df7735744ac3..54f2ea2a8c9fc 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -6433,9 +6433,6 @@ static int __ext4_remount(struct fs_context *fc, struct super_block *sb)
+ goto restore_opts;
+ }
+
+- if (test_opt2(sb, ABORT))
+- ext4_abort(sb, ESHUTDOWN, "Abort forced by user");
+-
+ sb->s_flags = (sb->s_flags & ~SB_POSIXACL) |
+ (test_opt(sb, POSIX_ACL) ? SB_POSIXACL : 0);
+
+@@ -6604,6 +6601,14 @@ static int __ext4_remount(struct fs_context *fc, struct super_block *sb)
+ if (!ext4_has_feature_mmp(sb) || sb_rdonly(sb))
+ ext4_stop_mmpd(sbi);
+
++ /*
++ * Handle aborting the filesystem as the last thing during remount to
++ * avoid obsure errors during remount when some option changes fail to
++ * apply due to shutdown filesystem.
++ */
++ if (test_opt2(sb, ABORT))
++ ext4_abort(sb, ESHUTDOWN, "Abort forced by user");
++
+ return 0;
+
+ restore_opts:
+--
+2.43.0
+
--- /dev/null
+From 2f071998c251f2f5eeeca6848b3e44962fc78fb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jun 2023 18:50:50 +0200
+Subject: ext4: make 'abort' mount option handling standard
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 22b8d707b07e6e06f50fe1d9ca8756e1f894eb0d ]
+
+'abort' mount option is the only mount option that has special handling
+and sets a bit in sbi->s_mount_flags. There is not strong reason for
+that so just simplify the code and make 'abort' set a bit in
+sbi->s_mount_opt2 as any other mount option. This simplifies the code
+and will allow us to drop EXT4_MF_FS_ABORTED completely in the following
+patch.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20230616165109.21695-4-jack@suse.cz
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Stable-dep-of: 76486b104168 ("ext4: avoid remount errors with 'abort' mount option")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/ext4.h | 1 +
+ fs/ext4/super.c | 16 ++--------------
+ 2 files changed, 3 insertions(+), 14 deletions(-)
+
+diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
+index 72abb8d6caf75..faa889882e552 100644
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -1269,6 +1269,7 @@ struct ext4_inode_info {
+ #define EXT4_MOUNT2_MB_OPTIMIZE_SCAN 0x00000080 /* Optimize group
+ * scanning in mballoc
+ */
++#define EXT4_MOUNT2_ABORT 0x00000100 /* Abort filesystem */
+
+ #define clear_opt(sb, opt) EXT4_SB(sb)->s_mount_opt &= \
+ ~EXT4_MOUNT_##opt
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index 987d49e18dbe8..6df7735744ac3 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -1833,6 +1833,7 @@ static const struct mount_opts {
+ {Opt_fc_debug_force, EXT4_MOUNT2_JOURNAL_FAST_COMMIT,
+ MOPT_SET | MOPT_2 | MOPT_EXT4_ONLY},
+ #endif
++ {Opt_abort, EXT4_MOUNT2_ABORT, MOPT_SET | MOPT_2},
+ {Opt_err, 0, 0}
+ };
+
+@@ -1901,8 +1902,6 @@ struct ext4_fs_context {
+ unsigned int mask_s_mount_opt;
+ unsigned int vals_s_mount_opt2;
+ unsigned int mask_s_mount_opt2;
+- unsigned long vals_s_mount_flags;
+- unsigned long mask_s_mount_flags;
+ unsigned int opt_flags; /* MOPT flags */
+ unsigned int spec;
+ u32 s_max_batch_time;
+@@ -2053,12 +2052,6 @@ EXT4_SET_CTX(mount_opt2);
+ EXT4_CLEAR_CTX(mount_opt2);
+ EXT4_TEST_CTX(mount_opt2);
+
+-static inline void ctx_set_mount_flag(struct ext4_fs_context *ctx, int bit)
+-{
+- set_bit(bit, &ctx->mask_s_mount_flags);
+- set_bit(bit, &ctx->vals_s_mount_flags);
+-}
+-
+ static int ext4_parse_param(struct fs_context *fc, struct fs_parameter *param)
+ {
+ struct ext4_fs_context *ctx = fc->fs_private;
+@@ -2122,9 +2115,6 @@ static int ext4_parse_param(struct fs_context *fc, struct fs_parameter *param)
+ ext4_msg(NULL, KERN_WARNING, "Ignoring removed %s option",
+ param->key);
+ return 0;
+- case Opt_abort:
+- ctx_set_mount_flag(ctx, EXT4_MF_FS_ABORTED);
+- return 0;
+ case Opt_inlinecrypt:
+ #ifdef CONFIG_FS_ENCRYPTION_INLINE_CRYPT
+ ctx_set_flags(ctx, SB_INLINECRYPT);
+@@ -2789,8 +2779,6 @@ static void ext4_apply_options(struct fs_context *fc, struct super_block *sb)
+ sbi->s_mount_opt |= ctx->vals_s_mount_opt;
+ sbi->s_mount_opt2 &= ~ctx->mask_s_mount_opt2;
+ sbi->s_mount_opt2 |= ctx->vals_s_mount_opt2;
+- sbi->s_mount_flags &= ~ctx->mask_s_mount_flags;
+- sbi->s_mount_flags |= ctx->vals_s_mount_flags;
+ sb->s_flags &= ~ctx->mask_s_flags;
+ sb->s_flags |= ctx->vals_s_flags;
+
+@@ -6445,7 +6433,7 @@ static int __ext4_remount(struct fs_context *fc, struct super_block *sb)
+ goto restore_opts;
+ }
+
+- if (ext4_test_mount_flag(sb, EXT4_MF_FS_ABORTED))
++ if (test_opt2(sb, ABORT))
+ ext4_abort(sb, ESHUTDOWN, "Abort forced by user");
+
+ sb->s_flags = (sb->s_flags & ~SB_POSIXACL) |
+--
+2.43.0
+
--- /dev/null
+From 478450c601e6daf71db5e3e5e1be875fac1aa368 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Oct 2024 12:48:01 +0800
+Subject: f2fs: check curseg->inited before write_sum_page in change_curseg
+
+From: Yongpeng Yang <yangyongpeng1@oppo.com>
+
+[ Upstream commit 43563069e1c1df417d2eed6eca8a22fc6b04691d ]
+
+In the __f2fs_init_atgc_curseg->get_atssr_segment calling,
+curseg->segno is NULL_SEGNO, indicating that there is no summary
+block that needs to be written.
+
+Fixes: 093749e296e2 ("f2fs: support age threshold based garbage collection")
+Signed-off-by: Yongpeng Yang <yangyongpeng1@oppo.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/segment.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index 884b3d9d1de62..72bbdb29e8381 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -2674,7 +2674,8 @@ static void change_curseg(struct f2fs_sb_info *sbi, int type)
+ struct f2fs_summary_block *sum_node;
+ struct page *sum_page;
+
+- write_sum_page(sbi, curseg->sum_blk, GET_SUM_BLOCK(sbi, curseg->segno));
++ if (curseg->inited)
++ write_sum_page(sbi, curseg->sum_blk, GET_SUM_BLOCK(sbi, curseg->segno));
+
+ __set_test_and_inuse(sbi, new_segno);
+
+--
+2.43.0
+
--- /dev/null
+From a9ed85929f200e5fadeca39739dacc61d789fa87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Sep 2024 02:00:10 -0600
+Subject: f2fs: compress: fix inconsistent update of i_blocks in
+ release_compress_blocks and reserve_compress_blocks
+
+From: Qi Han <hanqi@vivo.com>
+
+[ Upstream commit 26413ce18e85de3dda2cd3d72c3c3e8ab8f4f996 ]
+
+After release a file and subsequently reserve it, the FSCK flag is set
+when the file is deleted, as shown in the following backtrace:
+
+F2FS-fs (dm-48): Inconsistent i_blocks, ino:401231, iblocks:1448, sectors:1472
+fs_rec_info_write_type+0x58/0x274
+f2fs_rec_info_write+0x1c/0x2c
+set_sbi_flag+0x74/0x98
+dec_valid_block_count+0x150/0x190
+f2fs_truncate_data_blocks_range+0x2d4/0x3cc
+f2fs_do_truncate_blocks+0x2fc/0x5f0
+f2fs_truncate_blocks+0x68/0x100
+f2fs_truncate+0x80/0x128
+f2fs_evict_inode+0x1a4/0x794
+evict+0xd4/0x280
+iput+0x238/0x284
+do_unlinkat+0x1ac/0x298
+__arm64_sys_unlinkat+0x48/0x68
+invoke_syscall+0x58/0x11c
+
+For clusters of the following type, i_blocks are decremented by 1 and
+i_compr_blocks are incremented by 7 in release_compress_blocks, while
+updates to i_blocks and i_compr_blocks are skipped in reserve_compress_blocks.
+
+raw node:
+D D D D D D D D
+after compress:
+C D D D D D D D
+after reserve:
+C D D D D D D D
+
+Let's update i_blocks and i_compr_blocks properly in reserve_compress_blocks.
+
+Fixes: eb8fbaa53374 ("f2fs: compress: fix to check unreleased compressed cluster")
+Signed-off-by: Qi Han <hanqi@vivo.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index 6a2b5fcbe6799..a25b9bff76ffc 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -3703,7 +3703,7 @@ static int reserve_compress_blocks(struct dnode_of_data *dn, pgoff_t count,
+ to_reserved = cluster_size - compr_blocks - reserved;
+
+ /* for the case all blocks in cluster were reserved */
+- if (to_reserved == 1) {
++ if (reserved && to_reserved == 1) {
+ dn->ofs_in_node += cluster_size;
+ goto next;
+ }
+--
+2.43.0
+
--- /dev/null
+From ddc6aefe7996e38140d902626bb43fee19253e9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Oct 2024 10:31:47 +0800
+Subject: f2fs: fix the wrong f2fs_bug_on condition in f2fs_do_replace_block
+
+From: LongPing Wei <weilongping@oppo.com>
+
+[ Upstream commit c3af1f13476ec23fd99c98d060a89be28c1e8871 ]
+
+This f2fs_bug_on was introduced by commit 2c1905042c8c ("f2fs: check
+segment type in __f2fs_replace_block") when there were only 6 curseg types.
+After commit d0b9e42ab615 ("f2fs: introduce inmem curseg") was introduced,
+the condition should be changed to checking curseg->seg_type.
+
+Fixes: d0b9e42ab615 ("f2fs: introduce inmem curseg")
+Signed-off-by: LongPing Wei <weilongping@oppo.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/segment.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index 947849e66b0a7..64609b6e47617 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -3543,8 +3543,8 @@ void f2fs_do_replace_block(struct f2fs_sb_info *sbi, struct f2fs_summary *sum,
+ }
+ }
+
+- f2fs_bug_on(sbi, !IS_DATASEG(type));
+ curseg = CURSEG_I(sbi, type);
++ f2fs_bug_on(sbi, !IS_DATASEG(curseg->seg_type));
+
+ mutex_lock(&curseg->curseg_mutex);
+ down_write(&sit_i->sentry_lock);
+--
+2.43.0
+
--- /dev/null
+From d219e1b15b540c0dbc37f851b0f241359e8f33b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Oct 2024 11:43:39 +0800
+Subject: f2fs: fix to account dirty data in __get_secs_required()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 1acd73edbbfef2c3c5b43cba4006a7797eca7050 ]
+
+It will trigger system panic w/ testcase in [1]:
+
+------------[ cut here ]------------
+kernel BUG at fs/f2fs/segment.c:2752!
+RIP: 0010:new_curseg+0xc81/0x2110
+Call Trace:
+ f2fs_allocate_data_block+0x1c91/0x4540
+ do_write_page+0x163/0xdf0
+ f2fs_outplace_write_data+0x1aa/0x340
+ f2fs_do_write_data_page+0x797/0x2280
+ f2fs_write_single_data_page+0x16cd/0x2190
+ f2fs_write_cache_pages+0x994/0x1c80
+ f2fs_write_data_pages+0x9cc/0xea0
+ do_writepages+0x194/0x7a0
+ filemap_fdatawrite_wbc+0x12b/0x1a0
+ __filemap_fdatawrite_range+0xbb/0xf0
+ file_write_and_wait_range+0xa1/0x110
+ f2fs_do_sync_file+0x26f/0x1c50
+ f2fs_sync_file+0x12b/0x1d0
+ vfs_fsync_range+0xfa/0x230
+ do_fsync+0x3d/0x80
+ __x64_sys_fsync+0x37/0x50
+ x64_sys_call+0x1e88/0x20d0
+ do_syscall_64+0x4b/0x110
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+The root cause is if checkpoint_disabling and lfs_mode are both on,
+it will trigger OPU for all overwritten data, it may cost more free
+segment than expected, so f2fs must account those data correctly to
+calculate cosumed free segments later, and return ENOSPC earlier to
+avoid run out of free segment during block allocation.
+
+[1] https://lore.kernel.org/fstests/20241015025106.3203676-1-chao@kernel.org/
+
+Fixes: 4354994f097d ("f2fs: checkpoint disabling")
+Cc: Daniel Rosenberg <drosen@google.com>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/segment.h | 35 +++++++++++++++++++++++++----------
+ 1 file changed, 25 insertions(+), 10 deletions(-)
+
+diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h
+index 17d1723d98a0b..dde79842d14d1 100644
+--- a/fs/f2fs/segment.h
++++ b/fs/f2fs/segment.h
+@@ -584,18 +584,21 @@ static inline int reserved_sections(struct f2fs_sb_info *sbi)
+ }
+
+ static inline bool has_curseg_enough_space(struct f2fs_sb_info *sbi,
+- unsigned int node_blocks, unsigned int dent_blocks)
++ unsigned int node_blocks, unsigned int data_blocks,
++ unsigned int dent_blocks)
+ {
+
+- unsigned segno, left_blocks;
++ unsigned int segno, left_blocks, blocks;
+ int i;
+
+- /* check current node sections in the worst case. */
+- for (i = CURSEG_HOT_NODE; i <= CURSEG_COLD_NODE; i++) {
++ /* check current data/node sections in the worst case. */
++ for (i = CURSEG_HOT_DATA; i < NR_PERSISTENT_LOG; i++) {
+ segno = CURSEG_I(sbi, i)->segno;
+ left_blocks = CAP_BLKS_PER_SEC(sbi) -
+ get_ckpt_valid_blocks(sbi, segno, true);
+- if (node_blocks > left_blocks)
++
++ blocks = i <= CURSEG_COLD_DATA ? data_blocks : node_blocks;
++ if (blocks > left_blocks)
+ return false;
+ }
+
+@@ -609,8 +612,9 @@ static inline bool has_curseg_enough_space(struct f2fs_sb_info *sbi,
+ }
+
+ /*
+- * calculate needed sections for dirty node/dentry
+- * and call has_curseg_enough_space
++ * calculate needed sections for dirty node/dentry and call
++ * has_curseg_enough_space, please note that, it needs to account
++ * dirty data as well in lfs mode when checkpoint is disabled.
+ */
+ static inline void __get_secs_required(struct f2fs_sb_info *sbi,
+ unsigned int *lower_p, unsigned int *upper_p, bool *curseg_p)
+@@ -619,19 +623,30 @@ static inline void __get_secs_required(struct f2fs_sb_info *sbi,
+ get_pages(sbi, F2FS_DIRTY_DENTS) +
+ get_pages(sbi, F2FS_DIRTY_IMETA);
+ unsigned int total_dent_blocks = get_pages(sbi, F2FS_DIRTY_DENTS);
++ unsigned int total_data_blocks = 0;
+ unsigned int node_secs = total_node_blocks / CAP_BLKS_PER_SEC(sbi);
+ unsigned int dent_secs = total_dent_blocks / CAP_BLKS_PER_SEC(sbi);
++ unsigned int data_secs = 0;
+ unsigned int node_blocks = total_node_blocks % CAP_BLKS_PER_SEC(sbi);
+ unsigned int dent_blocks = total_dent_blocks % CAP_BLKS_PER_SEC(sbi);
++ unsigned int data_blocks = 0;
++
++ if (f2fs_lfs_mode(sbi) &&
++ unlikely(is_sbi_flag_set(sbi, SBI_CP_DISABLED))) {
++ total_data_blocks = get_pages(sbi, F2FS_DIRTY_DATA);
++ data_secs = total_data_blocks / CAP_BLKS_PER_SEC(sbi);
++ data_blocks = total_data_blocks % CAP_BLKS_PER_SEC(sbi);
++ }
+
+ if (lower_p)
+- *lower_p = node_secs + dent_secs;
++ *lower_p = node_secs + dent_secs + data_secs;
+ if (upper_p)
+ *upper_p = node_secs + dent_secs +
+- (node_blocks ? 1 : 0) + (dent_blocks ? 1 : 0);
++ (node_blocks ? 1 : 0) + (dent_blocks ? 1 : 0) +
++ (data_blocks ? 1 : 0);
+ if (curseg_p)
+ *curseg_p = has_curseg_enough_space(sbi,
+- node_blocks, dent_blocks);
++ node_blocks, data_blocks, dent_blocks);
+ }
+
+ static inline bool has_not_enough_free_secs(struct f2fs_sb_info *sbi,
+--
+2.43.0
+
--- /dev/null
+From 1d965333207244d412f05079e2d2547bc0cdf4c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Nov 2024 09:50:16 +0800
+Subject: f2fs: fix to avoid forcing direct write to use buffered IO on
+ inline_data inode
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 26e6f59d0bbaac76fa3413462d780bd2b5f9f653 ]
+
+Jinsu Lee reported a performance regression issue, after commit
+5c8764f8679e ("f2fs: fix to force buffered IO on inline_data
+inode"), we forced direct write to use buffered IO on inline_data
+inode, it will cause performace regression due to memory copy
+and data flush.
+
+It's fine to not force direct write to use buffered IO, as it
+can convert inline inode before committing direct write IO.
+
+Fixes: 5c8764f8679e ("f2fs: fix to force buffered IO on inline_data inode")
+Reported-by: Jinsu Lee <jinsu1.lee@samsung.com>
+Closes: https://lore.kernel.org/linux-f2fs-devel/af03dd2c-e361-4f80-b2fd-39440766cf6e@kernel.org
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/file.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index a25b9bff76ffc..3bab52d33e806 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -855,7 +855,11 @@ static bool f2fs_force_buffered_io(struct inode *inode, int rw)
+ return true;
+ if (f2fs_compressed_file(inode))
+ return true;
+- if (f2fs_has_inline_data(inode))
++ /*
++ * only force direct read to use buffered IO, for direct write,
++ * it expects inline data conversion before committing IO.
++ */
++ if (f2fs_has_inline_data(inode) && rw == READ)
+ return true;
+
+ /* disallow direct IO if any of devices has unaligned blksize */
+--
+2.43.0
+
--- /dev/null
+From b0a54cca3e05cf302e88b569eb82ca34ce1509b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2024 11:12:49 +0800
+Subject: f2fs: fix to avoid use GC_AT when setting gc_mode as GC_URGENT_LOW or
+ GC_URGENT_MID
+
+From: Zhiguo Niu <zhiguo.niu@unisoc.com>
+
+[ Upstream commit 296b8cb34e65fa93382cf919be5a056f719c9a26 ]
+
+If gc_mode is set to GC_URGENT_LOW or GC_URGENT_MID, cost benefit GC
+approach should be used, but if ATGC is enabled at the same time,
+Age-threshold approach will be selected, which can only do amount of
+GC and it is much less than the numbers of CB approach.
+
+some traces:
+ f2fs_gc-254:48-396 [007] ..... 2311600.684028: f2fs_gc_begin: dev = (254,48), gc_type = Background GC, no_background_GC = 0, nr_free_secs = 0, nodes = 1053, dents = 2, imeta = 18, free_sec:44898, free_seg:44898, rsv_seg:239, prefree_seg:0
+ f2fs_gc-254:48-396 [007] ..... 2311600.684527: f2fs_get_victim: dev = (254,48), type = No TYPE, policy = (Background GC, LFS-mode, Age-threshold), victim = 10, cost = 4294364975, ofs_unit = 1, pre_victim_secno = -1, prefree = 0, free = 44898
+ f2fs_gc-254:48-396 [007] ..... 2311600.714835: f2fs_gc_end: dev = (254,48), ret = 0, seg_freed = 0, sec_freed = 0, nodes = 1562, dents = 2, imeta = 18, free_sec:44898, free_seg:44898, rsv_seg:239, prefree_seg:0
+ f2fs_gc-254:48-396 [007] ..... 2311600.714843: f2fs_background_gc: dev = (254,48), wait_ms = 50, prefree = 0, free = 44898
+ f2fs_gc-254:48-396 [007] ..... 2311600.771785: f2fs_gc_begin: dev = (254,48), gc_type = Background GC, no_background_GC = 0, nr_free_secs = 0, nodes = 1562, dents = 2, imeta = 18, free_sec:44898, free_seg:44898, rsv_seg:239, prefree_seg:
+ f2fs_gc-254:48-396 [007] ..... 2311600.772275: f2fs_gc_end: dev = (254,48), ret = -61, seg_freed = 0, sec_freed = 0, nodes = 1562, dents = 2, imeta = 18, free_sec:44898, free_seg:44898, rsv_seg:239, prefree_seg:0
+
+Fixes: 0e5e81114de1 ("f2fs: add GC_URGENT_LOW mode in gc_urgent")
+Fixes: d98af5f45520 ("f2fs: introduce gc_urgent_mid mode")
+Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/ABI/testing/sysfs-fs-f2fs | 7 +++++--
+ fs/f2fs/gc.c | 2 ++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/ABI/testing/sysfs-fs-f2fs b/Documentation/ABI/testing/sysfs-fs-f2fs
+index 483639fb727b2..a411ce2c75016 100644
+--- a/Documentation/ABI/testing/sysfs-fs-f2fs
++++ b/Documentation/ABI/testing/sysfs-fs-f2fs
+@@ -303,10 +303,13 @@ Description: Do background GC aggressively when set. Set to 0 by default.
+ GC approach and turns SSR mode on.
+ gc urgent low(2): lowers the bar of checking I/O idling in
+ order to process outstanding discard commands and GC a
+- little bit aggressively. uses cost benefit GC approach.
++ little bit aggressively. always uses cost benefit GC approach,
++ and will override age-threshold GC approach if ATGC is enabled
++ at the same time.
+ gc urgent mid(3): does GC forcibly in a period of given
+ gc_urgent_sleep_time and executes a mid level of I/O idling check.
+- uses cost benefit GC approach.
++ always uses cost benefit GC approach, and will override
++ age-threshold GC approach if ATGC is enabled at the same time.
+
+ What: /sys/fs/f2fs/<disk>/gc_urgent_sleep_time
+ Date: August 2017
+diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
+index 5a661a0e76632..687b2ce82c854 100644
+--- a/fs/f2fs/gc.c
++++ b/fs/f2fs/gc.c
+@@ -227,6 +227,8 @@ static int select_gc_type(struct f2fs_sb_info *sbi, int gc_type)
+
+ switch (sbi->gc_mode) {
+ case GC_IDLE_CB:
++ case GC_URGENT_LOW:
++ case GC_URGENT_MID:
+ gc_mode = GC_CB;
+ break;
+ case GC_IDLE_GREEDY:
+--
+2.43.0
+
--- /dev/null
+From 4538d3ae6cbaf41e8eef8a9772b10a0a846da966 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 10:43:45 +0100
+Subject: f2fs: open code allocate_segment_by_default
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 8442d94b8ac8d5d8300725a9ffa9def526b71170 ]
+
+allocate_segment_by_default has just two callers, which use very
+different code pathes inside it based on the force paramter. Just
+open code the logic in the two callers using a new helper to decided
+if a new segment should be allocated.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Stable-dep-of: 43563069e1c1 ("f2fs: check curseg->inited before write_sum_page in change_curseg")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/segment.c | 50 +++++++++++++++++++++++------------------------
+ 1 file changed, 24 insertions(+), 26 deletions(-)
+
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index bfc3c9ba6ef40..a40322964c1e0 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -2859,31 +2859,20 @@ static int get_ssr_segment(struct f2fs_sb_info *sbi, int type,
+ return 0;
+ }
+
+-/*
+- * flush out current segment and replace it with new segment
+- * This function should be returned with success, otherwise BUG
+- */
+-static void allocate_segment_by_default(struct f2fs_sb_info *sbi,
+- int type, bool force)
++static bool need_new_seg(struct f2fs_sb_info *sbi, int type)
+ {
+ struct curseg_info *curseg = CURSEG_I(sbi, type);
+
+- if (force)
+- new_curseg(sbi, type, true);
+- else if (!is_set_ckpt_flags(sbi, CP_CRC_RECOVERY_FLAG) &&
+- curseg->seg_type == CURSEG_WARM_NODE)
+- new_curseg(sbi, type, false);
+- else if (curseg->alloc_type == LFS &&
+- is_next_segment_free(sbi, curseg, type) &&
+- likely(!is_sbi_flag_set(sbi, SBI_CP_DISABLED)))
+- new_curseg(sbi, type, false);
+- else if (f2fs_need_SSR(sbi) &&
+- get_ssr_segment(sbi, type, SSR, 0))
+- change_curseg(sbi, type, true);
+- else
+- new_curseg(sbi, type, false);
+-
+- stat_inc_seg_type(sbi, curseg);
++ if (!is_set_ckpt_flags(sbi, CP_CRC_RECOVERY_FLAG) &&
++ curseg->seg_type == CURSEG_WARM_NODE)
++ return true;
++ if (curseg->alloc_type == LFS &&
++ is_next_segment_free(sbi, curseg, type) &&
++ likely(!is_sbi_flag_set(sbi, SBI_CP_DISABLED)))
++ return true;
++ if (!f2fs_need_SSR(sbi) || !get_ssr_segment(sbi, type, SSR, 0))
++ return true;
++ return false;
+ }
+
+ void f2fs_allocate_segment_for_resize(struct f2fs_sb_info *sbi, int type,
+@@ -2936,7 +2925,8 @@ static void __allocate_new_segment(struct f2fs_sb_info *sbi, int type,
+ return;
+ alloc:
+ old_segno = curseg->segno;
+- allocate_segment_by_default(sbi, type, true);
++ new_curseg(sbi, type, true);
++ stat_inc_seg_type(sbi, curseg);
+ locate_dirty_segment(sbi, old_segno);
+ }
+
+@@ -3287,11 +3277,19 @@ void f2fs_allocate_data_block(struct f2fs_sb_info *sbi, struct page *page,
+ update_sit_entry(sbi, old_blkaddr, -1);
+
+ if (!__has_curseg_space(sbi, curseg)) {
+- if (from_gc)
++ /*
++ * Flush out current segment and replace it with new segment.
++ */
++ if (from_gc) {
+ get_atssr_segment(sbi, type, se->type,
+ AT_SSR, se->mtime);
+- else
+- allocate_segment_by_default(sbi, type, false);
++ } else {
++ if (need_new_seg(sbi, type))
++ new_curseg(sbi, type, false);
++ else
++ change_curseg(sbi, type, true);
++ stat_inc_seg_type(sbi, curseg);
++ }
+ }
+ /*
+ * segment dirty status should be updated after segment allocation,
+--
+2.43.0
+
--- /dev/null
+From 0bc970e4600602eb429401ddb306d29f21a2f934 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 10:43:44 +0100
+Subject: f2fs: remove struct segment_allocation default_salloc_ops
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 1c8a8ec0a0e9a1176022a35c4daf04fe1594d270 ]
+
+There is only single instance of these ops, so remove the indirection
+and call allocate_segment_by_default directly.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Stable-dep-of: 43563069e1c1 ("f2fs: check curseg->inited before write_sum_page in change_curseg")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/segment.c | 11 ++---------
+ fs/f2fs/segment.h | 6 ------
+ 2 files changed, 2 insertions(+), 15 deletions(-)
+
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index 64609b6e47617..bfc3c9ba6ef40 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -2936,7 +2936,7 @@ static void __allocate_new_segment(struct f2fs_sb_info *sbi, int type,
+ return;
+ alloc:
+ old_segno = curseg->segno;
+- SIT_I(sbi)->s_ops->allocate_segment(sbi, type, true);
++ allocate_segment_by_default(sbi, type, true);
+ locate_dirty_segment(sbi, old_segno);
+ }
+
+@@ -2967,10 +2967,6 @@ void f2fs_allocate_new_segments(struct f2fs_sb_info *sbi)
+ f2fs_up_read(&SM_I(sbi)->curseg_lock);
+ }
+
+-static const struct segment_allocation default_salloc_ops = {
+- .allocate_segment = allocate_segment_by_default,
+-};
+-
+ bool f2fs_exist_trim_candidates(struct f2fs_sb_info *sbi,
+ struct cp_control *cpc)
+ {
+@@ -3295,7 +3291,7 @@ void f2fs_allocate_data_block(struct f2fs_sb_info *sbi, struct page *page,
+ get_atssr_segment(sbi, type, se->type,
+ AT_SSR, se->mtime);
+ else
+- sit_i->s_ops->allocate_segment(sbi, type, false);
++ allocate_segment_by_default(sbi, type, false);
+ }
+ /*
+ * segment dirty status should be updated after segment allocation,
+@@ -4281,9 +4277,6 @@ static int build_sit_info(struct f2fs_sb_info *sbi)
+ return -ENOMEM;
+ #endif
+
+- /* init SIT information */
+- sit_i->s_ops = &default_salloc_ops;
+-
+ sit_i->sit_base_addr = le32_to_cpu(raw_super->sit_blkaddr);
+ sit_i->sit_blocks = sit_segs << sbi->log_blocks_per_seg;
+ sit_i->written_valid_blocks = 0;
+diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h
+index dde79842d14d1..5ef5a88f47a0a 100644
+--- a/fs/f2fs/segment.h
++++ b/fs/f2fs/segment.h
+@@ -225,10 +225,6 @@ struct sec_entry {
+ unsigned int valid_blocks; /* # of valid blocks in a section */
+ };
+
+-struct segment_allocation {
+- void (*allocate_segment)(struct f2fs_sb_info *, int, bool);
+-};
+-
+ #define MAX_SKIP_GC_COUNT 16
+
+ struct revoke_entry {
+@@ -238,8 +234,6 @@ struct revoke_entry {
+ };
+
+ struct sit_info {
+- const struct segment_allocation *s_ops;
+-
+ block_t sit_base_addr; /* start block address of SIT area */
+ block_t sit_blocks; /* # of blocks used by SIT area */
+ block_t written_valid_blocks; /* # of valid blocks in main area */
+--
+2.43.0
+
--- /dev/null
+From 682862e8538d5be24acdf6d6ce62eceab6cbcf8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 10:43:46 +0100
+Subject: f2fs: remove the unused flush argument to change_curseg
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 5bcd655fffaec24e849bda1207446f5cc821713e ]
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Stable-dep-of: 43563069e1c1 ("f2fs: check curseg->inited before write_sum_page in change_curseg")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/segment.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index a40322964c1e0..884b3d9d1de62 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -2666,7 +2666,7 @@ bool f2fs_segment_has_free_slot(struct f2fs_sb_info *sbi, int segno)
+ * This function always allocates a used segment(from dirty seglist) by SSR
+ * manner, so it should recover the existing segment information of valid blocks
+ */
+-static void change_curseg(struct f2fs_sb_info *sbi, int type, bool flush)
++static void change_curseg(struct f2fs_sb_info *sbi, int type)
+ {
+ struct dirty_seglist_info *dirty_i = DIRTY_I(sbi);
+ struct curseg_info *curseg = CURSEG_I(sbi, type);
+@@ -2674,9 +2674,7 @@ static void change_curseg(struct f2fs_sb_info *sbi, int type, bool flush)
+ struct f2fs_summary_block *sum_node;
+ struct page *sum_page;
+
+- if (flush)
+- write_sum_page(sbi, curseg->sum_blk,
+- GET_SUM_BLOCK(sbi, curseg->segno));
++ write_sum_page(sbi, curseg->sum_blk, GET_SUM_BLOCK(sbi, curseg->segno));
+
+ __set_test_and_inuse(sbi, new_segno);
+
+@@ -2715,7 +2713,7 @@ static void get_atssr_segment(struct f2fs_sb_info *sbi, int type,
+ struct seg_entry *se = get_seg_entry(sbi, curseg->next_segno);
+
+ curseg->seg_type = se->type;
+- change_curseg(sbi, type, true);
++ change_curseg(sbi, type);
+ } else {
+ /* allocate cold segment by default */
+ curseg->seg_type = CURSEG_COLD_DATA;
+@@ -2890,7 +2888,7 @@ void f2fs_allocate_segment_for_resize(struct f2fs_sb_info *sbi, int type,
+ goto unlock;
+
+ if (f2fs_need_SSR(sbi) && get_ssr_segment(sbi, type, SSR, 0))
+- change_curseg(sbi, type, true);
++ change_curseg(sbi, type);
+ else
+ new_curseg(sbi, type, true);
+
+@@ -3287,7 +3285,7 @@ void f2fs_allocate_data_block(struct f2fs_sb_info *sbi, struct page *page,
+ if (need_new_seg(sbi, type))
+ new_curseg(sbi, type, false);
+ else
+- change_curseg(sbi, type, true);
++ change_curseg(sbi, type);
+ stat_inc_seg_type(sbi, curseg);
+ }
+ }
+@@ -3550,7 +3548,7 @@ void f2fs_do_replace_block(struct f2fs_sb_info *sbi, struct f2fs_summary *sum,
+ /* change the current segment */
+ if (segno != curseg->segno) {
+ curseg->next_segno = segno;
+- change_curseg(sbi, type, true);
++ change_curseg(sbi, type);
+ }
+
+ curseg->next_blkoff = GET_BLKOFF_FROM_SEG0(sbi, new_blkaddr);
+@@ -3578,7 +3576,7 @@ void f2fs_do_replace_block(struct f2fs_sb_info *sbi, struct f2fs_summary *sum,
+ if (recover_curseg) {
+ if (old_cursegno != curseg->segno) {
+ curseg->next_segno = old_cursegno;
+- change_curseg(sbi, type, true);
++ change_curseg(sbi, type);
+ }
+ curseg->next_blkoff = old_blkoff;
+ curseg->alloc_type = old_alloc_type;
+--
+2.43.0
+
--- /dev/null
+From b150145d227ef18df096e576b87269046932d347 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jun 2023 13:07:02 +0200
+Subject: fbdev/sh7760fb: Alloc DMA memory from hardware device
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+[ Upstream commit 8404e56f4bc1d1a65bfc98450ba3dae5e653dda1 ]
+
+Pass the hardware device to the DMA helpers dma_alloc_coherent() and
+dma_free_coherent(). The fbdev device that is currently being used is
+a software device and does not provide DMA memory. Also update the
+related dev_*() output statements similarly.
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230613110953.24176-28-tzimmermann@suse.de
+Stable-dep-of: f89d17ae2ac4 ("fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/sh7760fb.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/video/fbdev/sh7760fb.c b/drivers/video/fbdev/sh7760fb.c
+index 5978a89212322..6adf048c1bae8 100644
+--- a/drivers/video/fbdev/sh7760fb.c
++++ b/drivers/video/fbdev/sh7760fb.c
+@@ -359,7 +359,7 @@ static void sh7760fb_free_mem(struct fb_info *info)
+ if (!info->screen_base)
+ return;
+
+- dma_free_coherent(info->dev, info->screen_size,
++ dma_free_coherent(info->device, info->screen_size,
+ info->screen_base, par->fbdma);
+
+ par->fbdma = 0;
+@@ -408,14 +408,14 @@ static int sh7760fb_alloc_mem(struct fb_info *info)
+ if (vram < PAGE_SIZE)
+ vram = PAGE_SIZE;
+
+- fbmem = dma_alloc_coherent(info->dev, vram, &par->fbdma, GFP_KERNEL);
++ fbmem = dma_alloc_coherent(info->device, vram, &par->fbdma, GFP_KERNEL);
+
+ if (!fbmem)
+ return -ENOMEM;
+
+ if ((par->fbdma & SH7760FB_DMA_MASK) != SH7760FB_DMA_MASK) {
+ sh7760fb_free_mem(info);
+- dev_err(info->dev, "kernel gave me memory at 0x%08lx, which is"
++ dev_err(info->device, "kernel gave me memory at 0x%08lx, which is"
+ "unusable for the LCDC\n", (unsigned long)par->fbdma);
+ return -ENOMEM;
+ }
+@@ -486,7 +486,7 @@ static int sh7760fb_probe(struct platform_device *pdev)
+
+ ret = sh7760fb_alloc_mem(info);
+ if (ret) {
+- dev_dbg(info->dev, "framebuffer memory allocation failed!\n");
++ dev_dbg(info->device, "framebuffer memory allocation failed!\n");
+ goto out_unmap;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 6fe1b741148016f24732e9d31b1558df194dd0f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Oct 2024 11:56:34 +0800
+Subject: fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit f89d17ae2ac42931be2a0153fecbf8533280c927 ]
+
+When information such as info->screen_base is not ready, calling
+sh7760fb_free_mem() does not release memory correctly. Call
+dma_free_coherent() instead.
+
+Fixes: 4a25e41831ee ("video: sh7760fb: SH7760/SH7763 LCDC framebuffer driver")
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/sh7760fb.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/sh7760fb.c b/drivers/video/fbdev/sh7760fb.c
+index 6adf048c1bae8..62e28d315d815 100644
+--- a/drivers/video/fbdev/sh7760fb.c
++++ b/drivers/video/fbdev/sh7760fb.c
+@@ -409,12 +409,11 @@ static int sh7760fb_alloc_mem(struct fb_info *info)
+ vram = PAGE_SIZE;
+
+ fbmem = dma_alloc_coherent(info->device, vram, &par->fbdma, GFP_KERNEL);
+-
+ if (!fbmem)
+ return -ENOMEM;
+
+ if ((par->fbdma & SH7760FB_DMA_MASK) != SH7760FB_DMA_MASK) {
+- sh7760fb_free_mem(info);
++ dma_free_coherent(info->device, vram, fbmem, par->fbdma);
+ dev_err(info->device, "kernel gave me memory at 0x%08lx, which is"
+ "unusable for the LCDC\n", (unsigned long)par->fbdma);
+ return -ENOMEM;
+--
+2.43.0
+
--- /dev/null
+From 04aa63a96a3fd0acc4d0e5586e11764a20da5353 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Nov 2024 11:21:15 +0800
+Subject: firmware: arm_scpi: Check the DVFS OPP count returned by the firmware
+
+From: Luo Qiu <luoqiu@kylinsec.com.cn>
+
+[ Upstream commit 109aa654f85c5141e813b2cd1bd36d90be678407 ]
+
+Fix a kernel crash with the below call trace when the SCPI firmware
+returns OPP count of zero.
+
+dvfs_info.opp_count may be zero on some platforms during the reboot
+test, and the kernel will crash after dereferencing the pointer to
+kcalloc(info->count, sizeof(*opp), GFP_KERNEL).
+
+ | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028
+ | Mem abort info:
+ | ESR = 0x96000004
+ | Exception class = DABT (current EL), IL = 32 bits
+ | SET = 0, FnV = 0
+ | EA = 0, S1PTW = 0
+ | Data abort info:
+ | ISV = 0, ISS = 0x00000004
+ | CM = 0, WnR = 0
+ | user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000faefa08c
+ | [0000000000000028] pgd=0000000000000000
+ | Internal error: Oops: 96000004 [#1] SMP
+ | scpi-hwmon: probe of PHYT000D:00 failed with error -110
+ | Process systemd-udevd (pid: 1701, stack limit = 0x00000000aaede86c)
+ | CPU: 2 PID: 1701 Comm: systemd-udevd Not tainted 4.19.90+ #1
+ | Hardware name: PHYTIUM LTD Phytium FT2000/4/Phytium FT2000/4, BIOS
+ | pstate: 60000005 (nZCv daif -PAN -UAO)
+ | pc : scpi_dvfs_recalc_rate+0x40/0x58 [clk_scpi]
+ | lr : clk_register+0x438/0x720
+ | Call trace:
+ | scpi_dvfs_recalc_rate+0x40/0x58 [clk_scpi]
+ | devm_clk_hw_register+0x50/0xa0
+ | scpi_clk_ops_init.isra.2+0xa0/0x138 [clk_scpi]
+ | scpi_clocks_probe+0x528/0x70c [clk_scpi]
+ | platform_drv_probe+0x58/0xa8
+ | really_probe+0x260/0x3d0
+ | driver_probe_device+0x12c/0x148
+ | device_driver_attach+0x74/0x98
+ | __driver_attach+0xb4/0xe8
+ | bus_for_each_dev+0x88/0xe0
+ | driver_attach+0x30/0x40
+ | bus_add_driver+0x178/0x2b0
+ | driver_register+0x64/0x118
+ | __platform_driver_register+0x54/0x60
+ | scpi_clocks_driver_init+0x24/0x1000 [clk_scpi]
+ | do_one_initcall+0x54/0x220
+ | do_init_module+0x54/0x1c8
+ | load_module+0x14a4/0x1668
+ | __se_sys_finit_module+0xf8/0x110
+ | __arm64_sys_finit_module+0x24/0x30
+ | el0_svc_common+0x78/0x170
+ | el0_svc_handler+0x38/0x78
+ | el0_svc+0x8/0x340
+ | Code: 937d7c00 a94153f3 a8c27bfd f9400421 (b8606820)
+ | ---[ end trace 06feb22469d89fa8 ]---
+ | Kernel panic - not syncing: Fatal exception
+ | SMP: stopping secondary CPUs
+ | Kernel Offset: disabled
+ | CPU features: 0x10,a0002008
+ | Memory Limit: none
+
+Fixes: 8cb7cf56c9fe ("firmware: add support for ARM System Control and Power Interface(SCPI) protocol")
+Signed-off-by: Luo Qiu <luoqiu@kylinsec.com.cn>
+Message-Id: <55A2F7A784391686+20241101032115.275977-1-luoqiu@kylinsec.com.cn>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_scpi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/firmware/arm_scpi.c b/drivers/firmware/arm_scpi.c
+index 435d0e2658a42..3de25e9d18ef8 100644
+--- a/drivers/firmware/arm_scpi.c
++++ b/drivers/firmware/arm_scpi.c
+@@ -627,6 +627,9 @@ static struct scpi_dvfs_info *scpi_dvfs_get_info(u8 domain)
+ if (ret)
+ return ERR_PTR(ret);
+
++ if (!buf.opp_count)
++ return ERR_PTR(-ENOENT);
++
+ info = kmalloc(sizeof(*info), GFP_KERNEL);
+ if (!info)
+ return ERR_PTR(-ENOMEM);
+--
+2.43.0
+
--- /dev/null
+From ffed88e0e47af99c57bdf3cf0536b1fc89904523 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Oct 2024 21:13:44 +0800
+Subject: firmware: google: Unregister driver_info on failure
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 32b0901e141f6d4cf49d820b53eb09b88b1f72f7 ]
+
+When platform_device_register_full() returns error, the gsmi_init() returns
+without unregister gsmi_driver_info, fix by add missing
+platform_driver_unregister() when platform_device_register_full() failed.
+
+Fixes: 8942b2d5094b ("gsmi: Add GSMI commands to log S0ix info")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Acked-by: Brian Norris <briannorris@chromium.org>
+Link: https://lore.kernel.org/r/20241015131344.20272-1-yuancan@huawei.com
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/google/gsmi.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/firmware/google/gsmi.c b/drivers/firmware/google/gsmi.c
+index 871bedf533a80..8c75308b01d5d 100644
+--- a/drivers/firmware/google/gsmi.c
++++ b/drivers/firmware/google/gsmi.c
+@@ -918,7 +918,8 @@ static __init int gsmi_init(void)
+ gsmi_dev.pdev = platform_device_register_full(&gsmi_dev_info);
+ if (IS_ERR(gsmi_dev.pdev)) {
+ printk(KERN_ERR "gsmi: unable to register platform device\n");
+- return PTR_ERR(gsmi_dev.pdev);
++ ret = PTR_ERR(gsmi_dev.pdev);
++ goto out_unregister;
+ }
+
+ /* SMI access needs to be serialized */
+@@ -1056,10 +1057,11 @@ static __init int gsmi_init(void)
+ gsmi_buf_free(gsmi_dev.name_buf);
+ kmem_cache_destroy(gsmi_dev.mem_pool);
+ platform_device_unregister(gsmi_dev.pdev);
+- pr_info("gsmi: failed to load: %d\n", ret);
++out_unregister:
+ #ifdef CONFIG_PM
+ platform_driver_unregister(&gsmi_driver_info);
+ #endif
++ pr_info("gsmi: failed to load: %d\n", ret);
+ return ret;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From a720299f1fdcab5a4dee7e1c979838d11332f791 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2024 06:46:52 +0100
+Subject: fs/proc/kcore.c: fix coccinelle reported ERROR instances
+
+From: Mirsad Todorovac <mtodorovac69@gmail.com>
+
+[ Upstream commit 82e33f249f1126cf3c5f39a31b850d485ac33bc3 ]
+
+Coccinelle complains about the nested reuse of the pointer `iter' with
+different pointer type:
+
+./fs/proc/kcore.c:515:26-30: ERROR: invalid reference to the index variable of the iterator on line 499
+./fs/proc/kcore.c:534:23-27: ERROR: invalid reference to the index variable of the iterator on line 499
+./fs/proc/kcore.c:550:40-44: ERROR: invalid reference to the index variable of the iterator on line 499
+./fs/proc/kcore.c:568:27-31: ERROR: invalid reference to the index variable of the iterator on line 499
+./fs/proc/kcore.c:581:28-32: ERROR: invalid reference to the index variable of the iterator on line 499
+./fs/proc/kcore.c:599:27-31: ERROR: invalid reference to the index variable of the iterator on line 499
+./fs/proc/kcore.c:607:38-42: ERROR: invalid reference to the index variable of the iterator on line 499
+./fs/proc/kcore.c:614:26-30: ERROR: invalid reference to the index variable of the iterator on line 499
+
+Replacing `struct kcore_list *iter' with `struct kcore_list *tmp' doesn't change the
+scope and the functionality is the same and coccinelle seems happy.
+
+NOTE: There was an issue with using `struct kcore_list *pos' as the nested iterator.
+ The build did not work!
+
+[akpm@linux-foundation.org: s/tmp/pos/]
+Link: https://lkml.kernel.org/r/20241029054651.86356-2-mtodorovac69@gmail.com
+Link: https://lore.kernel.org/all/CAHk-=wgRr_D8CB-D9Kg-c=EHreAsk5SqXPwr9Y7k9sA6cWXJ6w@mail.gmail.com/ [1]
+Link: https://lkml.kernel.org/r/20220331223700.902556-1-jakobkoschel@gmail.com
+Fixes: 04d168c6d42d ("fs/proc/kcore.c: remove check of list iterator against head past the loop body")
+Signed-off-by: Jakob Koschel <jakobkoschel@gmail.com>
+Signed-off-by: Mirsad Todorovac <mtodorovac69@gmail.com>
+Cc: Mike Rapoport <rppt@kernel.org>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: "Brian Johannesmeyer" <bjohannesmeyer@gmail.com>
+Cc: Cristiano Giuffrida <c.giuffrida@vu.nl>
+Cc: "Bos, H.J." <h.j.bos@vu.nl>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Yang Li <yang.lee@linux.alibaba.com>
+Cc: Baoquan He <bhe@redhat.com>
+Cc: Hari Bathini <hbathini@linux.ibm.com>
+Cc: Yan Zhen <yanzhen@vivo.com>
+Cc: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/proc/kcore.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
+index a2d430549012f..92c7259adfd98 100644
+--- a/fs/proc/kcore.c
++++ b/fs/proc/kcore.c
+@@ -496,13 +496,13 @@ read_kcore_iter(struct kiocb *iocb, struct iov_iter *iter)
+ * the previous entry, search for a matching entry.
+ */
+ if (!m || start < m->addr || start >= m->addr + m->size) {
+- struct kcore_list *iter;
++ struct kcore_list *pos;
+
+ m = NULL;
+- list_for_each_entry(iter, &kclist_head, list) {
+- if (start >= iter->addr &&
+- start < iter->addr + iter->size) {
+- m = iter;
++ list_for_each_entry(pos, &kclist_head, list) {
++ if (start >= pos->addr &&
++ start < pos->addr + pos->size) {
++ m = pos;
+ break;
+ }
+ }
+--
+2.43.0
+
--- /dev/null
+From 7622a07fb7b1393bff1d33a30b5d9d9ba561c927 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2024 13:50:21 -0800
+Subject: fs_parser: update mount_api doc to match function signature
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit c66f759832a83cb273ba5a55c66dcc99384efa74 ]
+
+Add the missing 'name' parameter to the mount_api documentation for
+fs_validate_description().
+
+Fixes: 96cafb9ccb15 ("fs_parser: remove fs_parameter_description name field")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Link: https://lore.kernel.org/r/20241125215021.231758-1-rdunlap@infradead.org
+Cc: Eric Sandeen <sandeen@redhat.com>
+Cc: David Howells <dhowells@redhat.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: linux-doc@vger.kernel.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/filesystems/mount_api.rst | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/filesystems/mount_api.rst b/Documentation/filesystems/mount_api.rst
+index 1d16787a00e95..253078b997990 100644
+--- a/Documentation/filesystems/mount_api.rst
++++ b/Documentation/filesystems/mount_api.rst
+@@ -778,7 +778,8 @@ process the parameters it is given.
+
+ * ::
+
+- bool fs_validate_description(const struct fs_parameter_description *desc);
++ bool fs_validate_description(const char *name,
++ const struct fs_parameter_description *desc);
+
+ This performs some validation checks on a parameter description. It
+ returns true if the description is good and false if it is not. It will
+--
+2.43.0
+
--- /dev/null
+From a530e0f8cca6971dcd8ede76834d65a4a36a2079 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2024 08:41:09 -0300
+Subject: hfsplus: don't query the device logical block size multiple times
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+[ Upstream commit 1c82587cb57687de3f18ab4b98a8850c789bedcf ]
+
+Devices block sizes may change. One of these cases is a loop device by
+using ioctl LOOP_SET_BLOCK_SIZE.
+
+While this may cause other issues like IO being rejected, in the case of
+hfsplus, it will allocate a block by using that size and potentially write
+out-of-bounds when hfsplus_read_wrapper calls hfsplus_submit_bio and the
+latter function reads a different io_size.
+
+Using a new min_io_size initally set to sb_min_blocksize works for the
+purposes of the original fix, since it will be set to the max between
+HFSPLUS_SECTOR_SIZE and the first seen logical block size. We still use the
+max between HFSPLUS_SECTOR_SIZE and min_io_size in case the latter is not
+initialized.
+
+Tested by mounting an hfsplus filesystem with loop block sizes 512, 1024
+and 4096.
+
+The produced KASAN report before the fix looks like this:
+
+[ 419.944641] ==================================================================
+[ 419.945655] BUG: KASAN: slab-use-after-free in hfsplus_read_wrapper+0x659/0xa0a
+[ 419.946703] Read of size 2 at addr ffff88800721fc00 by task repro/10678
+[ 419.947612]
+[ 419.947846] CPU: 0 UID: 0 PID: 10678 Comm: repro Not tainted 6.12.0-rc5-00008-gdf56e0f2f3ca #84
+[ 419.949007] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
+[ 419.950035] Call Trace:
+[ 419.950384] <TASK>
+[ 419.950676] dump_stack_lvl+0x57/0x78
+[ 419.951212] ? hfsplus_read_wrapper+0x659/0xa0a
+[ 419.951830] print_report+0x14c/0x49e
+[ 419.952361] ? __virt_addr_valid+0x267/0x278
+[ 419.952979] ? kmem_cache_debug_flags+0xc/0x1d
+[ 419.953561] ? hfsplus_read_wrapper+0x659/0xa0a
+[ 419.954231] kasan_report+0x89/0xb0
+[ 419.954748] ? hfsplus_read_wrapper+0x659/0xa0a
+[ 419.955367] hfsplus_read_wrapper+0x659/0xa0a
+[ 419.955948] ? __pfx_hfsplus_read_wrapper+0x10/0x10
+[ 419.956618] ? do_raw_spin_unlock+0x59/0x1a9
+[ 419.957214] ? _raw_spin_unlock+0x1a/0x2e
+[ 419.957772] hfsplus_fill_super+0x348/0x1590
+[ 419.958355] ? hlock_class+0x4c/0x109
+[ 419.958867] ? __pfx_hfsplus_fill_super+0x10/0x10
+[ 419.959499] ? __pfx_string+0x10/0x10
+[ 419.960006] ? lock_acquire+0x3e2/0x454
+[ 419.960532] ? bdev_name.constprop.0+0xce/0x243
+[ 419.961129] ? __pfx_bdev_name.constprop.0+0x10/0x10
+[ 419.961799] ? pointer+0x3f0/0x62f
+[ 419.962277] ? __pfx_pointer+0x10/0x10
+[ 419.962761] ? vsnprintf+0x6c4/0xfba
+[ 419.963178] ? __pfx_vsnprintf+0x10/0x10
+[ 419.963621] ? setup_bdev_super+0x376/0x3b3
+[ 419.964029] ? snprintf+0x9d/0xd2
+[ 419.964344] ? __pfx_snprintf+0x10/0x10
+[ 419.964675] ? lock_acquired+0x45c/0x5e9
+[ 419.965016] ? set_blocksize+0x139/0x1c1
+[ 419.965381] ? sb_set_blocksize+0x6d/0xae
+[ 419.965742] ? __pfx_hfsplus_fill_super+0x10/0x10
+[ 419.966179] mount_bdev+0x12f/0x1bf
+[ 419.966512] ? __pfx_mount_bdev+0x10/0x10
+[ 419.966886] ? vfs_parse_fs_string+0xce/0x111
+[ 419.967293] ? __pfx_vfs_parse_fs_string+0x10/0x10
+[ 419.967702] ? __pfx_hfsplus_mount+0x10/0x10
+[ 419.968073] legacy_get_tree+0x104/0x178
+[ 419.968414] vfs_get_tree+0x86/0x296
+[ 419.968751] path_mount+0xba3/0xd0b
+[ 419.969157] ? __pfx_path_mount+0x10/0x10
+[ 419.969594] ? kmem_cache_free+0x1e2/0x260
+[ 419.970311] do_mount+0x99/0xe0
+[ 419.970630] ? __pfx_do_mount+0x10/0x10
+[ 419.971008] __do_sys_mount+0x199/0x1c9
+[ 419.971397] do_syscall_64+0xd0/0x135
+[ 419.971761] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[ 419.972233] RIP: 0033:0x7c3cb812972e
+[ 419.972564] Code: 48 8b 0d f5 46 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c2 46 0d 00 f7 d8 64 89 01 48
+[ 419.974371] RSP: 002b:00007ffe30632548 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
+[ 419.975048] RAX: ffffffffffffffda RBX: 00007ffe306328d8 RCX: 00007c3cb812972e
+[ 419.975701] RDX: 0000000020000000 RSI: 0000000020000c80 RDI: 00007ffe306325d0
+[ 419.976363] RBP: 00007ffe30632720 R08: 00007ffe30632610 R09: 0000000000000000
+[ 419.977034] R10: 0000000000200008 R11: 0000000000000286 R12: 0000000000000000
+[ 419.977713] R13: 00007ffe306328e8 R14: 00005a0eb298bc68 R15: 00007c3cb8356000
+[ 419.978375] </TASK>
+[ 419.978589]
+
+Fixes: 6596528e391a ("hfsplus: ensure bio requests are not smaller than the hardware sectors")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Link: https://lore.kernel.org/r/20241107114109.839253-1-cascardo@igalia.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/hfsplus_fs.h | 3 ++-
+ fs/hfsplus/wrapper.c | 2 ++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h
+index 7db213cd1eea8..3227436f3a4a6 100644
+--- a/fs/hfsplus/hfsplus_fs.h
++++ b/fs/hfsplus/hfsplus_fs.h
+@@ -156,6 +156,7 @@ struct hfsplus_sb_info {
+
+ /* Runtime variables */
+ u32 blockoffset;
++ u32 min_io_size;
+ sector_t part_start;
+ sector_t sect_count;
+ int fs_shift;
+@@ -306,7 +307,7 @@ struct hfsplus_readdir_data {
+ */
+ static inline unsigned short hfsplus_min_io_size(struct super_block *sb)
+ {
+- return max_t(unsigned short, bdev_logical_block_size(sb->s_bdev),
++ return max_t(unsigned short, HFSPLUS_SB(sb)->min_io_size,
+ HFSPLUS_SECTOR_SIZE);
+ }
+
+diff --git a/fs/hfsplus/wrapper.c b/fs/hfsplus/wrapper.c
+index 0b791adf02e53..a51a58db3fef0 100644
+--- a/fs/hfsplus/wrapper.c
++++ b/fs/hfsplus/wrapper.c
+@@ -171,6 +171,8 @@ int hfsplus_read_wrapper(struct super_block *sb)
+ if (!blocksize)
+ goto out;
+
++ sbi->min_io_size = blocksize;
++
+ if (hfsplus_get_last_session(sb, &part_start, &part_size))
+ goto out;
+
+--
+2.43.0
+
--- /dev/null
+From 33a22d4c3d38d52f4688415c18af0be71aaeff42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Nov 2024 09:39:51 +0800
+Subject: hwmon: (nct6775-core) Fix overflows seen when writing limit
+ attributes
+
+From: Pei Xiao <xiaopei01@kylinos.cn>
+
+[ Upstream commit 57ee12b6c514146c19b6a159013b48727a012960 ]
+
+DIV_ROUND_CLOSEST() after kstrtoul() results in an overflow if a large
+number such as 18446744073709551615 is provided by the user.
+Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.
+
+Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
+Fixes: c3963bc0a0cf ("hwmon: (nct6775) Split core and platform driver")
+Message-ID: <7d5084cea33f7c0fd0578c59adfff71f93de94d9.1731375425.git.xiaopei01@kylinos.cn>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/nct6775-core.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/hwmon/nct6775-core.c b/drivers/hwmon/nct6775-core.c
+index 83e424945b598..9de3ad2713f1d 100644
+--- a/drivers/hwmon/nct6775-core.c
++++ b/drivers/hwmon/nct6775-core.c
+@@ -2787,8 +2787,7 @@ store_target_temp(struct device *dev, struct device_attribute *attr,
+ if (err < 0)
+ return err;
+
+- val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0,
+- data->target_temp_mask);
++ val = DIV_ROUND_CLOSEST(clamp_val(val, 0, data->target_temp_mask * 1000), 1000);
+
+ mutex_lock(&data->update_lock);
+ data->target_temp[nr] = val;
+@@ -2868,7 +2867,7 @@ store_temp_tolerance(struct device *dev, struct device_attribute *attr,
+ return err;
+
+ /* Limit tolerance as needed */
+- val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, data->tolerance_mask);
++ val = DIV_ROUND_CLOSEST(clamp_val(val, 0, data->tolerance_mask * 1000), 1000);
+
+ mutex_lock(&data->update_lock);
+ data->temp_tolerance[index][nr] = val;
+@@ -2994,7 +2993,7 @@ store_weight_temp(struct device *dev, struct device_attribute *attr,
+ if (err < 0)
+ return err;
+
+- val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 255);
++ val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 255000), 1000);
+
+ mutex_lock(&data->update_lock);
+ data->weight_temp[index][nr] = val;
+--
+2.43.0
+
--- /dev/null
+From 127a4b8619e03ff61d57cb968cd6bc41d89d32cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Nov 2024 20:36:03 +0300
+Subject: hwmon: (tps23861) Fix reporting of negative temperatures
+
+From: Murad Masimov <m.masimov@maxima.ru>
+
+[ Upstream commit de2bf507fabba9c0c678cf5ed54beb546f5ca29a ]
+
+Negative temperatures are reported as large positive temperatures
+due to missing sign extension from unsigned int to long. Cast unsigned
+raw register values to signed before performing the calculations
+to fix the problem.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: fff7b8ab2255 ("hwmon: add Texas Instruments TPS23861 driver")
+Signed-off-by: Murad Masimov <m.masimov@maxima.ru>
+Message-ID: <20241121173604.2021-1-m.masimov@maxima.ru>
+[groeck: Updated subject and description]
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/tps23861.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/tps23861.c b/drivers/hwmon/tps23861.c
+index 68c77c4932700..152e3c1c5c5fa 100644
+--- a/drivers/hwmon/tps23861.c
++++ b/drivers/hwmon/tps23861.c
+@@ -132,7 +132,7 @@ static int tps23861_read_temp(struct tps23861_data *data, long *val)
+ if (err < 0)
+ return err;
+
+- *val = (regval * TEMPERATURE_LSB) - 20000;
++ *val = ((long)regval * TEMPERATURE_LSB) - 20000;
+
+ return 0;
+ }
+--
+2.43.0
+
--- /dev/null
+From cd2d60611cb839808b64f802720070e013278a20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2024 20:36:06 +0200
+Subject: iio: light: al3010: Fix an error handling path in al3010_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit a4b7064d34186cf4970fe0333c3b27346cf8f819 ]
+
+If i2c_smbus_write_byte_data() fails in al3010_init(),
+al3010_set_pwr(false) is not called.
+
+In order to avoid such a situation, move the devm_add_action_or_reset()
+witch calls al3010_set_pwr(false) right after a successful
+al3010_set_pwr(true).
+
+Fixes: c36b5195ab70 ("iio: light: add Dyna-Image AL3010 driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://patch.msgid.link/ee5d10a2dd2b70f29772d5df33774d3974a80f30.1725993353.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/light/al3010.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/iio/light/al3010.c b/drivers/iio/light/al3010.c
+index ce5363845b225..c1c37e5a85159 100644
+--- a/drivers/iio/light/al3010.c
++++ b/drivers/iio/light/al3010.c
+@@ -87,7 +87,12 @@ static int al3010_init(struct al3010_data *data)
+ int ret;
+
+ ret = al3010_set_pwr(data->client, true);
++ if (ret < 0)
++ return ret;
+
++ ret = devm_add_action_or_reset(&data->client->dev,
++ al3010_set_pwr_off,
++ data);
+ if (ret < 0)
+ return ret;
+
+@@ -191,12 +196,6 @@ static int al3010_probe(struct i2c_client *client,
+ return ret;
+ }
+
+- ret = devm_add_action_or_reset(&client->dev,
+- al3010_set_pwr_off,
+- data);
+- if (ret < 0)
+- return ret;
+-
+ return devm_iio_device_register(&client->dev, indio_dev);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 2eb4a3a9e43b8b0346f13cd57cd382432cdad2ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Oct 2024 03:55:10 +0000
+Subject: initramfs: avoid filename buffer overrun
+
+From: David Disseldorp <ddiss@suse.de>
+
+[ Upstream commit e017671f534dd3f568db9e47b0583e853d2da9b5 ]
+
+The initramfs filename field is defined in
+Documentation/driver-api/early-userspace/buffer-format.rst as:
+
+ 37 cpio_file := ALGN(4) + cpio_header + filename + "\0" + ALGN(4) + data
+...
+ 55 ============= ================== =========================
+ 56 Field name Field size Meaning
+ 57 ============= ================== =========================
+...
+ 70 c_namesize 8 bytes Length of filename, including final \0
+
+When extracting an initramfs cpio archive, the kernel's do_name() path
+handler assumes a zero-terminated path at @collected, passing it
+directly to filp_open() / init_mkdir() / init_mknod().
+
+If a specially crafted cpio entry carries a non-zero-terminated filename
+and is followed by uninitialized memory, then a file may be created with
+trailing characters that represent the uninitialized memory. The ability
+to create an initramfs entry would imply already having full control of
+the system, so the buffer overrun shouldn't be considered a security
+vulnerability.
+
+Append the output of the following bash script to an existing initramfs
+and observe any created /initramfs_test_fname_overrunAA* path. E.g.
+ ./reproducer.sh | gzip >> /myinitramfs
+
+It's easiest to observe non-zero uninitialized memory when the output is
+gzipped, as it'll overflow the heap allocated @out_buf in __gunzip(),
+rather than the initrd_start+initrd_size block.
+
+---- reproducer.sh ----
+nilchar="A" # change to "\0" to properly zero terminate / pad
+magic="070701"
+ino=1
+mode=$(( 0100777 ))
+uid=0
+gid=0
+nlink=1
+mtime=1
+filesize=0
+devmajor=0
+devminor=1
+rdevmajor=0
+rdevminor=0
+csum=0
+fname="initramfs_test_fname_overrun"
+namelen=$(( ${#fname} + 1 )) # plus one to account for terminator
+
+printf "%s%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%s" \
+ $magic $ino $mode $uid $gid $nlink $mtime $filesize \
+ $devmajor $devminor $rdevmajor $rdevminor $namelen $csum $fname
+
+termpadlen=$(( 1 + ((4 - ((110 + $namelen) & 3)) % 4) ))
+printf "%.s${nilchar}" $(seq 1 $termpadlen)
+---- reproducer.sh ----
+
+Symlink filename fields handled in do_symlink() won't overrun past the
+data segment, due to the explicit zero-termination of the symlink
+target.
+
+Fix filename buffer overrun by aborting the initramfs FSM if any cpio
+entry doesn't carry a zero-terminator at the expected (name_len - 1)
+offset.
+
+Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
+Signed-off-by: David Disseldorp <ddiss@suse.de>
+Link: https://lore.kernel.org/r/20241030035509.20194-2-ddiss@suse.de
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ init/initramfs.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/init/initramfs.c b/init/initramfs.c
+index 7b915170789da..3eab7fccb106f 100644
+--- a/init/initramfs.c
++++ b/init/initramfs.c
+@@ -364,6 +364,15 @@ static int __init do_name(void)
+ {
+ state = SkipIt;
+ next_state = Reset;
++
++ /* name_len > 0 && name_len <= PATH_MAX checked in do_header */
++ if (collected[name_len - 1] != '\0') {
++ pr_err("initramfs name without nulterm: %.*s\n",
++ (int)name_len, collected);
++ error("malformed archive");
++ return 1;
++ }
++
+ if (strcmp(collected, "TRAILER!!!") == 0) {
+ free_hash();
+ return 0;
+@@ -428,6 +437,12 @@ static int __init do_copy(void)
+
+ static int __init do_symlink(void)
+ {
++ if (collected[name_len - 1] != '\0') {
++ pr_err("initramfs symlink without nulterm: %.*s\n",
++ (int)name_len, collected);
++ error("malformed archive");
++ return 1;
++ }
+ collected[N_ALIGN(name_len) + body_len] = '\0';
+ clean_path(collected, 0);
+ init_symlink(collected + N_ALIGN(name_len), collected);
+--
+2.43.0
+
--- /dev/null
+From 441974465bf4fa0e7ee3f345599f8841c7c192db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Nov 2024 09:40:32 +0800
+Subject: iommu/vt-d: Fix checks and print in dmar_fault_dump_ptes()
+
+From: Zhenzhong Duan <zhenzhong.duan@intel.com>
+
+[ Upstream commit 6ceb93f952f6ca34823ce3650c902c31b8385b40 ]
+
+There are some issues in dmar_fault_dump_ptes():
+
+1. return value of phys_to_virt() is used for checking if an entry is
+ present.
+2. dump is confusing, e.g., "pasid table entry is not present", confusing
+ by unpresent pasid table vs. unpresent pasid table entry. Current code
+ means the former.
+3. pgtable_walk() is called without checking if page table is present.
+
+Fix 1 by checking present bit of an entry before dump a lower level entry.
+Fix 2 by removing "entry" string, e.g., "pasid table is not present".
+Fix 3 by checking page table present before walk.
+
+Take issue 3 for example, before fix:
+
+[ 442.240357] DMAR: pasid dir entry: 0x000000012c83e001
+[ 442.246661] DMAR: pasid table entry[0]: 0x0000000000000000
+[ 442.253429] DMAR: pasid table entry[1]: 0x0000000000000000
+[ 442.260203] DMAR: pasid table entry[2]: 0x0000000000000000
+[ 442.266969] DMAR: pasid table entry[3]: 0x0000000000000000
+[ 442.273733] DMAR: pasid table entry[4]: 0x0000000000000000
+[ 442.280479] DMAR: pasid table entry[5]: 0x0000000000000000
+[ 442.287234] DMAR: pasid table entry[6]: 0x0000000000000000
+[ 442.293989] DMAR: pasid table entry[7]: 0x0000000000000000
+[ 442.300742] DMAR: PTE not present at level 2
+
+After fix:
+...
+[ 357.241214] DMAR: pasid table entry[6]: 0x0000000000000000
+[ 357.248022] DMAR: pasid table entry[7]: 0x0000000000000000
+[ 357.254824] DMAR: scalable mode page table is not present
+
+Fixes: 914ff7719e8a ("iommu/vt-d: Dump DMAR translation structure when DMA fault occurs")
+Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
+Link: https://lore.kernel.org/r/20241024092146.715063-2-zhenzhong.duan@intel.com
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/intel/iommu.c | 29 ++++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
+index f118c89911303..2bf9157256c55 100644
+--- a/drivers/iommu/intel/iommu.c
++++ b/drivers/iommu/intel/iommu.c
+@@ -861,11 +861,11 @@ void dmar_fault_dump_ptes(struct intel_iommu *iommu, u16 source_id,
+ pr_info("Dump %s table entries for IOVA 0x%llx\n", iommu->name, addr);
+
+ /* root entry dump */
+- rt_entry = &iommu->root_entry[bus];
+- if (!rt_entry) {
+- pr_info("root table entry is not present\n");
++ if (!iommu->root_entry) {
++ pr_info("root table is not present\n");
+ return;
+ }
++ rt_entry = &iommu->root_entry[bus];
+
+ if (sm_supported(iommu))
+ pr_info("scalable mode root entry: hi 0x%016llx, low 0x%016llx\n",
+@@ -876,7 +876,7 @@ void dmar_fault_dump_ptes(struct intel_iommu *iommu, u16 source_id,
+ /* context entry dump */
+ ctx_entry = iommu_context_addr(iommu, bus, devfn, 0);
+ if (!ctx_entry) {
+- pr_info("context table entry is not present\n");
++ pr_info("context table is not present\n");
+ return;
+ }
+
+@@ -885,17 +885,23 @@ void dmar_fault_dump_ptes(struct intel_iommu *iommu, u16 source_id,
+
+ /* legacy mode does not require PASID entries */
+ if (!sm_supported(iommu)) {
++ if (!context_present(ctx_entry)) {
++ pr_info("legacy mode page table is not present\n");
++ return;
++ }
+ level = agaw_to_level(ctx_entry->hi & 7);
+ pgtable = phys_to_virt(ctx_entry->lo & VTD_PAGE_MASK);
+ goto pgtable_walk;
+ }
+
+- /* get the pointer to pasid directory entry */
+- dir = phys_to_virt(ctx_entry->lo & VTD_PAGE_MASK);
+- if (!dir) {
+- pr_info("pasid directory entry is not present\n");
++ if (!context_present(ctx_entry)) {
++ pr_info("pasid directory table is not present\n");
+ return;
+ }
++
++ /* get the pointer to pasid directory entry */
++ dir = phys_to_virt(ctx_entry->lo & VTD_PAGE_MASK);
++
+ /* For request-without-pasid, get the pasid from context entry */
+ if (intel_iommu_sm && pasid == INVALID_IOASID)
+ pasid = PASID_RID2PASID;
+@@ -907,7 +913,7 @@ void dmar_fault_dump_ptes(struct intel_iommu *iommu, u16 source_id,
+ /* get the pointer to the pasid table entry */
+ entries = get_pasid_table_from_pde(pde);
+ if (!entries) {
+- pr_info("pasid table entry is not present\n");
++ pr_info("pasid table is not present\n");
+ return;
+ }
+ index = pasid & PASID_PTE_MASK;
+@@ -915,6 +921,11 @@ void dmar_fault_dump_ptes(struct intel_iommu *iommu, u16 source_id,
+ for (i = 0; i < ARRAY_SIZE(pte->val); i++)
+ pr_info("pasid table entry[%d]: 0x%016llx\n", i, pte->val[i]);
+
++ if (!pasid_pte_is_present(pte)) {
++ pr_info("scalable mode page table is not present\n");
++ return;
++ }
++
+ if (pasid_pte_get_pgtt(pte) == PASID_ENTRY_PGTT_FL_ONLY) {
+ level = pte->val[2] & BIT_ULL(2) ? 5 : 4;
+ pgtable = phys_to_virt(pte->val[2] & VTD_PAGE_MASK);
+--
+2.43.0
+
--- /dev/null
+From 41be070c85da74599794cbb9d7c6ab3b01e424cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Nov 2024 09:40:33 +0800
+Subject: iommu/vt-d: Fix checks and print in pgtable_walk()
+
+From: Zhenzhong Duan <zhenzhong.duan@intel.com>
+
+[ Upstream commit f1645676f25d2c846798f0233c3a953efd62aafb ]
+
+There are some issues in pgtable_walk():
+
+1. Super page is dumped as non-present page
+2. dma_pte_superpage() should not check against leaf page table entries
+3. Pointer pte is never NULL so checking it is meaningless
+4. When an entry is not present, it still makes sense to dump the entry
+ content.
+
+Fix 1,2 by checking dma_pte_superpage()'s returned value after level check.
+Fix 3 by removing pte check.
+Fix 4 by checking present bit after printing.
+
+By this chance, change to print "page table not present" instead of "PTE
+not present" to be clearer.
+
+Fixes: 914ff7719e8a ("iommu/vt-d: Dump DMAR translation structure when DMA fault occurs")
+Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
+Link: https://lore.kernel.org/r/20241024092146.715063-3-zhenzhong.duan@intel.com
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/intel/iommu.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
+index 2bf9157256c55..9a1bdfda9a9af 100644
+--- a/drivers/iommu/intel/iommu.c
++++ b/drivers/iommu/intel/iommu.c
+@@ -831,14 +831,15 @@ static void pgtable_walk(struct intel_iommu *iommu, unsigned long pfn,
+ while (1) {
+ offset = pfn_level_offset(pfn, level);
+ pte = &parent[offset];
+- if (!pte || (dma_pte_superpage(pte) || !dma_pte_present(pte))) {
+- pr_info("PTE not present at level %d\n", level);
+- break;
+- }
+
+ pr_info("pte level: %d, pte value: 0x%016llx\n", level, pte->val);
+
+- if (level == 1)
++ if (!dma_pte_present(pte)) {
++ pr_info("page table not present at level %d\n", level - 1);
++ break;
++ }
++
++ if (level == 1 || dma_pte_superpage(pte))
+ break;
+
+ parent = phys_to_virt(dma_pte_addr(pte));
+--
+2.43.0
+
--- /dev/null
+From 462f99142cd8da870a1b23a7cd2cdf14e56a0d87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Nov 2024 16:40:57 +0100
+Subject: ip6mr: fix tables suspicious RCU usage
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit f1553c9894b4dbeb10a2ab15ab1aa113b3b4047c ]
+
+Several places call ip6mr_get_table() with no RCU nor RTNL lock.
+Add RCU protection inside such helper and provide a lockless variant
+for the few callers that already acquired the relevant lock.
+
+Note that some users additionally reference the table outside the RCU
+lock. That is actually safe as the table deletion can happen only
+after all table accesses are completed.
+
+Fixes: e2d57766e674 ("net: Provide compat support for SIOCGETMIFCNT_IN6 and SIOCGETSGCNT_IN6.")
+Fixes: d7c31cbde4bc ("net: ip6mr: add RTM_GETROUTE netlink op")
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6mr.c | 38 +++++++++++++++++++++++++++-----------
+ 1 file changed, 27 insertions(+), 11 deletions(-)
+
+diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
+index 27fb5479988af..138f6aee70afc 100644
+--- a/net/ipv6/ip6mr.c
++++ b/net/ipv6/ip6mr.c
+@@ -125,7 +125,7 @@ static struct mr_table *ip6mr_mr_table_iter(struct net *net,
+ return ret;
+ }
+
+-static struct mr_table *ip6mr_get_table(struct net *net, u32 id)
++static struct mr_table *__ip6mr_get_table(struct net *net, u32 id)
+ {
+ struct mr_table *mrt;
+
+@@ -136,6 +136,16 @@ static struct mr_table *ip6mr_get_table(struct net *net, u32 id)
+ return NULL;
+ }
+
++static struct mr_table *ip6mr_get_table(struct net *net, u32 id)
++{
++ struct mr_table *mrt;
++
++ rcu_read_lock();
++ mrt = __ip6mr_get_table(net, id);
++ rcu_read_unlock();
++ return mrt;
++}
++
+ static int ip6mr_fib_lookup(struct net *net, struct flowi6 *flp6,
+ struct mr_table **mrt)
+ {
+@@ -177,7 +187,7 @@ static int ip6mr_rule_action(struct fib_rule *rule, struct flowi *flp,
+
+ arg->table = fib_rule_get_table(rule, arg);
+
+- mrt = ip6mr_get_table(rule->fr_net, arg->table);
++ mrt = __ip6mr_get_table(rule->fr_net, arg->table);
+ if (!mrt)
+ return -EAGAIN;
+ res->mrt = mrt;
+@@ -304,6 +314,8 @@ static struct mr_table *ip6mr_get_table(struct net *net, u32 id)
+ return net->ipv6.mrt6;
+ }
+
++#define __ip6mr_get_table ip6mr_get_table
++
+ static int ip6mr_fib_lookup(struct net *net, struct flowi6 *flp6,
+ struct mr_table **mrt)
+ {
+@@ -382,7 +394,7 @@ static struct mr_table *ip6mr_new_table(struct net *net, u32 id)
+ {
+ struct mr_table *mrt;
+
+- mrt = ip6mr_get_table(net, id);
++ mrt = __ip6mr_get_table(net, id);
+ if (mrt)
+ return mrt;
+
+@@ -411,13 +423,15 @@ static void *ip6mr_vif_seq_start(struct seq_file *seq, loff_t *pos)
+ struct net *net = seq_file_net(seq);
+ struct mr_table *mrt;
+
+- mrt = ip6mr_get_table(net, RT6_TABLE_DFLT);
+- if (!mrt)
++ rcu_read_lock();
++ mrt = __ip6mr_get_table(net, RT6_TABLE_DFLT);
++ if (!mrt) {
++ rcu_read_unlock();
+ return ERR_PTR(-ENOENT);
++ }
+
+ iter->mrt = mrt;
+
+- rcu_read_lock();
+ return mr_vif_seq_start(seq, pos);
+ }
+
+@@ -2288,11 +2302,13 @@ int ip6mr_get_route(struct net *net, struct sk_buff *skb, struct rtmsg *rtm,
+ struct mfc6_cache *cache;
+ struct rt6_info *rt = (struct rt6_info *)skb_dst(skb);
+
+- mrt = ip6mr_get_table(net, RT6_TABLE_DFLT);
+- if (!mrt)
++ rcu_read_lock();
++ mrt = __ip6mr_get_table(net, RT6_TABLE_DFLT);
++ if (!mrt) {
++ rcu_read_unlock();
+ return -ENOENT;
++ }
+
+- rcu_read_lock();
+ cache = ip6mr_cache_find(mrt, &rt->rt6i_src.addr, &rt->rt6i_dst.addr);
+ if (!cache && skb->dev) {
+ int vif = ip6mr_find_vif(mrt, skb->dev);
+@@ -2573,7 +2589,7 @@ static int ip6mr_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh,
+ grp = nla_get_in6_addr(tb[RTA_DST]);
+ tableid = tb[RTA_TABLE] ? nla_get_u32(tb[RTA_TABLE]) : 0;
+
+- mrt = ip6mr_get_table(net, tableid ?: RT_TABLE_DEFAULT);
++ mrt = __ip6mr_get_table(net, tableid ?: RT_TABLE_DEFAULT);
+ if (!mrt) {
+ NL_SET_ERR_MSG_MOD(extack, "MR table does not exist");
+ return -ENOENT;
+@@ -2618,7 +2634,7 @@ static int ip6mr_rtm_dumproute(struct sk_buff *skb, struct netlink_callback *cb)
+ if (filter.table_id) {
+ struct mr_table *mrt;
+
+- mrt = ip6mr_get_table(sock_net(skb->sk), filter.table_id);
++ mrt = __ip6mr_get_table(sock_net(skb->sk), filter.table_id);
+ if (!mrt) {
+ if (rtnl_msg_family(cb->nlh) != RTNL_FAMILY_IP6MR)
+ return skb->len;
+--
+2.43.0
+
--- /dev/null
+From 1a6823c364771f1b6dff98ddfe77b65b220516c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Nov 2024 16:40:58 +0100
+Subject: ipmr: fix tables suspicious RCU usage
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit fc9c273d6daaa9866f349bbe8cae25c67764c456 ]
+
+Similar to the previous patch, plumb the RCU lock inside
+the ipmr_get_table(), provided a lockless variant and apply
+the latter in the few spots were the lock is already held.
+
+Fixes: 709b46e8d90b ("net: Add compat ioctl support for the ipv4 multicast ioctl SIOCGETSGCNT")
+Fixes: f0ad0860d01e ("ipv4: ipmr: support multiple tables")
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ipmr.c | 42 +++++++++++++++++++++++++++++-------------
+ 1 file changed, 29 insertions(+), 13 deletions(-)
+
+diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
+index 3ed9ed2bffd29..f64651c0dea6c 100644
+--- a/net/ipv4/ipmr.c
++++ b/net/ipv4/ipmr.c
+@@ -136,7 +136,7 @@ static struct mr_table *ipmr_mr_table_iter(struct net *net,
+ return ret;
+ }
+
+-static struct mr_table *ipmr_get_table(struct net *net, u32 id)
++static struct mr_table *__ipmr_get_table(struct net *net, u32 id)
+ {
+ struct mr_table *mrt;
+
+@@ -147,6 +147,16 @@ static struct mr_table *ipmr_get_table(struct net *net, u32 id)
+ return NULL;
+ }
+
++static struct mr_table *ipmr_get_table(struct net *net, u32 id)
++{
++ struct mr_table *mrt;
++
++ rcu_read_lock();
++ mrt = __ipmr_get_table(net, id);
++ rcu_read_unlock();
++ return mrt;
++}
++
+ static int ipmr_fib_lookup(struct net *net, struct flowi4 *flp4,
+ struct mr_table **mrt)
+ {
+@@ -188,7 +198,7 @@ static int ipmr_rule_action(struct fib_rule *rule, struct flowi *flp,
+
+ arg->table = fib_rule_get_table(rule, arg);
+
+- mrt = ipmr_get_table(rule->fr_net, arg->table);
++ mrt = __ipmr_get_table(rule->fr_net, arg->table);
+ if (!mrt)
+ return -EAGAIN;
+ res->mrt = mrt;
+@@ -314,6 +324,8 @@ static struct mr_table *ipmr_get_table(struct net *net, u32 id)
+ return net->ipv4.mrt;
+ }
+
++#define __ipmr_get_table ipmr_get_table
++
+ static int ipmr_fib_lookup(struct net *net, struct flowi4 *flp4,
+ struct mr_table **mrt)
+ {
+@@ -402,7 +414,7 @@ static struct mr_table *ipmr_new_table(struct net *net, u32 id)
+ if (id != RT_TABLE_DEFAULT && id >= 1000000000)
+ return ERR_PTR(-EINVAL);
+
+- mrt = ipmr_get_table(net, id);
++ mrt = __ipmr_get_table(net, id);
+ if (mrt)
+ return mrt;
+
+@@ -1373,7 +1385,7 @@ int ip_mroute_setsockopt(struct sock *sk, int optname, sockptr_t optval,
+ goto out_unlock;
+ }
+
+- mrt = ipmr_get_table(net, raw_sk(sk)->ipmr_table ? : RT_TABLE_DEFAULT);
++ mrt = __ipmr_get_table(net, raw_sk(sk)->ipmr_table ? : RT_TABLE_DEFAULT);
+ if (!mrt) {
+ ret = -ENOENT;
+ goto out_unlock;
+@@ -2247,11 +2259,13 @@ int ipmr_get_route(struct net *net, struct sk_buff *skb,
+ struct mr_table *mrt;
+ int err;
+
+- mrt = ipmr_get_table(net, RT_TABLE_DEFAULT);
+- if (!mrt)
++ rcu_read_lock();
++ mrt = __ipmr_get_table(net, RT_TABLE_DEFAULT);
++ if (!mrt) {
++ rcu_read_unlock();
+ return -ENOENT;
++ }
+
+- rcu_read_lock();
+ cache = ipmr_cache_find(mrt, saddr, daddr);
+ if (!cache && skb->dev) {
+ int vif = ipmr_find_vif(mrt, skb->dev);
+@@ -2536,7 +2550,7 @@ static int ipmr_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh,
+ grp = tb[RTA_DST] ? nla_get_in_addr(tb[RTA_DST]) : 0;
+ tableid = tb[RTA_TABLE] ? nla_get_u32(tb[RTA_TABLE]) : 0;
+
+- mrt = ipmr_get_table(net, tableid ? tableid : RT_TABLE_DEFAULT);
++ mrt = __ipmr_get_table(net, tableid ? tableid : RT_TABLE_DEFAULT);
+ if (!mrt) {
+ err = -ENOENT;
+ goto errout_free;
+@@ -2588,7 +2602,7 @@ static int ipmr_rtm_dumproute(struct sk_buff *skb, struct netlink_callback *cb)
+ if (filter.table_id) {
+ struct mr_table *mrt;
+
+- mrt = ipmr_get_table(sock_net(skb->sk), filter.table_id);
++ mrt = __ipmr_get_table(sock_net(skb->sk), filter.table_id);
+ if (!mrt) {
+ if (rtnl_msg_family(cb->nlh) != RTNL_FAMILY_IPMR)
+ return skb->len;
+@@ -2696,7 +2710,7 @@ static int rtm_to_ipmr_mfcc(struct net *net, struct nlmsghdr *nlh,
+ break;
+ }
+ }
+- mrt = ipmr_get_table(net, tblid);
++ mrt = __ipmr_get_table(net, tblid);
+ if (!mrt) {
+ ret = -ENOENT;
+ goto out;
+@@ -2904,13 +2918,15 @@ static void *ipmr_vif_seq_start(struct seq_file *seq, loff_t *pos)
+ struct net *net = seq_file_net(seq);
+ struct mr_table *mrt;
+
+- mrt = ipmr_get_table(net, RT_TABLE_DEFAULT);
+- if (!mrt)
++ rcu_read_lock();
++ mrt = __ipmr_get_table(net, RT_TABLE_DEFAULT);
++ if (!mrt) {
++ rcu_read_unlock();
+ return ERR_PTR(-ENOENT);
++ }
+
+ iter->mrt = mrt;
+
+- rcu_read_lock();
+ return mr_vif_seq_start(seq, pos);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From e3abbf4d2061eb533413e017c706af2065889519 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Nov 2024 19:23:50 +0100
+Subject: ipv6: release nexthop on device removal
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit eb02688c5c45c3e7af7e71f036a7144f5639cbfe ]
+
+The CI is hitting some aperiodic hangup at device removal time in the
+pmtu.sh self-test:
+
+unregister_netdevice: waiting for veth_A-R1 to become free. Usage count = 6
+ref_tracker: veth_A-R1@ffff888013df15d8 has 1/5 users at
+ dst_init+0x84/0x4a0
+ dst_alloc+0x97/0x150
+ ip6_dst_alloc+0x23/0x90
+ ip6_rt_pcpu_alloc+0x1e6/0x520
+ ip6_pol_route+0x56f/0x840
+ fib6_rule_lookup+0x334/0x630
+ ip6_route_output_flags+0x259/0x480
+ ip6_dst_lookup_tail.constprop.0+0x5c2/0x940
+ ip6_dst_lookup_flow+0x88/0x190
+ udp_tunnel6_dst_lookup+0x2a7/0x4c0
+ vxlan_xmit_one+0xbde/0x4a50 [vxlan]
+ vxlan_xmit+0x9ad/0xf20 [vxlan]
+ dev_hard_start_xmit+0x10e/0x360
+ __dev_queue_xmit+0xf95/0x18c0
+ arp_solicit+0x4a2/0xe00
+ neigh_probe+0xaa/0xf0
+
+While the first suspect is the dst_cache, explicitly tracking the dst
+owing the last device reference via probes proved such dst is held by
+the nexthop in the originating fib6_info.
+
+Similar to commit f5b51fe804ec ("ipv6: route: purge exception on
+removal"), we need to explicitly release the originating fib info when
+disconnecting a to-be-removed device from a live ipv6 dst: move the
+fib6_info cleanup into ip6_dst_ifdown().
+
+Tested running:
+
+./pmtu.sh cleanup_ipv6_exception
+
+in a tight loop for more than 400 iterations with no spat, running an
+unpatched kernel I observed a splat every ~10 iterations.
+
+Fixes: f88d8ea67fbd ("ipv6: Plumb support for nexthop object in a fib6_info")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://patch.msgid.link/604c45c188c609b732286b47ac2a451a40f6cf6d.1730828007.git.pabeni@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/route.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 10e7517d126d9..5da0c83a3ee8f 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -378,6 +378,7 @@ static void ip6_dst_ifdown(struct dst_entry *dst, struct net_device *dev,
+ {
+ struct rt6_info *rt = (struct rt6_info *)dst;
+ struct inet6_dev *idev = rt->rt6i_idev;
++ struct fib6_info *from;
+
+ if (idev && idev->dev != blackhole_netdev) {
+ struct inet6_dev *blackhole_idev = in6_dev_get(blackhole_netdev);
+@@ -387,6 +388,8 @@ static void ip6_dst_ifdown(struct dst_entry *dst, struct net_device *dev,
+ in6_dev_put(idev);
+ }
+ }
++ from = unrcu_pointer(xchg(&rt->from, NULL));
++ fib6_info_release(from);
+ }
+
+ static bool __rt6_check_expired(const struct rt6_info *rt)
+@@ -1449,7 +1452,6 @@ static DEFINE_SPINLOCK(rt6_exception_lock);
+ static void rt6_remove_exception(struct rt6_exception_bucket *bucket,
+ struct rt6_exception *rt6_ex)
+ {
+- struct fib6_info *from;
+ struct net *net;
+
+ if (!bucket || !rt6_ex)
+@@ -1461,8 +1463,6 @@ static void rt6_remove_exception(struct rt6_exception_bucket *bucket,
+ /* purge completely the exception to allow releasing the held resources:
+ * some [sk] cache may keep the dst around for unlimited time
+ */
+- from = unrcu_pointer(xchg(&rt6_ex->rt6i->from, NULL));
+- fib6_info_release(from);
+ dst_dev_put(&rt6_ex->rt6i->dst);
+
+ hlist_del_rcu(&rt6_ex->hlist);
+--
+2.43.0
+
--- /dev/null
+From 381b1c44cd2c3dc9ed2a79c0e7abe221951f645a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Nov 2024 16:43:09 +0100
+Subject: kcsan, seqlock: Fix incorrect assumption in read_seqbegin()
+
+From: Marco Elver <elver@google.com>
+
+[ Upstream commit 183ec5f26b2fc97a4a9871865bfe9b33c41fddb2 ]
+
+During testing of the preceding changes, I noticed that in some cases,
+current->kcsan_ctx.in_flat_atomic remained true until task exit. This is
+obviously wrong, because _all_ accesses for the given task will be
+treated as atomic, resulting in false negatives i.e. missed data races.
+
+Debugging led to fs/dcache.c, where we can see this usage of seqlock:
+
+ struct dentry *d_lookup(const struct dentry *parent, const struct qstr *name)
+ {
+ struct dentry *dentry;
+ unsigned seq;
+
+ do {
+ seq = read_seqbegin(&rename_lock);
+ dentry = __d_lookup(parent, name);
+ if (dentry)
+ break;
+ } while (read_seqretry(&rename_lock, seq));
+ [...]
+
+As can be seen, read_seqretry() is never called if dentry != NULL;
+consequently, current->kcsan_ctx.in_flat_atomic will never be reset to
+false by read_seqretry().
+
+Give up on the wrong assumption of "assume closing read_seqretry()", and
+rely on the already-present annotations in read_seqcount_begin/retry().
+
+Fixes: 88ecd153be95 ("seqlock, kcsan: Add annotations for KCSAN")
+Signed-off-by: Marco Elver <elver@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20241104161910.780003-6-elver@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/seqlock.h | 12 +-----------
+ 1 file changed, 1 insertion(+), 11 deletions(-)
+
+diff --git a/include/linux/seqlock.h b/include/linux/seqlock.h
+index 484f9a179fc12..b4b4ce9a4151e 100644
+--- a/include/linux/seqlock.h
++++ b/include/linux/seqlock.h
+@@ -890,11 +890,7 @@ typedef struct {
+ */
+ static inline unsigned read_seqbegin(const seqlock_t *sl)
+ {
+- unsigned ret = read_seqcount_begin(&sl->seqcount);
+-
+- kcsan_atomic_next(0); /* non-raw usage, assume closing read_seqretry() */
+- kcsan_flat_atomic_begin();
+- return ret;
++ return read_seqcount_begin(&sl->seqcount);
+ }
+
+ /**
+@@ -910,12 +906,6 @@ static inline unsigned read_seqbegin(const seqlock_t *sl)
+ */
+ static inline unsigned read_seqretry(const seqlock_t *sl, unsigned start)
+ {
+- /*
+- * Assume not nested: read_seqretry() may be called multiple times when
+- * completing read critical section.
+- */
+- kcsan_flat_atomic_end();
+-
+ return read_seqcount_retry(&sl->seqcount, start);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From be19b2dd9d6c65a48ca6f191410ece4d48b2135c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Nov 2024 16:43:07 +0100
+Subject: kcsan, seqlock: Support seqcount_latch_t
+
+From: Marco Elver <elver@google.com>
+
+[ Upstream commit 5c1806c41ce0a0110db5dd4c483cf2dc28b3ddf0 ]
+
+While fuzzing an arm64 kernel, Alexander Potapenko reported:
+
+| BUG: KCSAN: data-race in ktime_get_mono_fast_ns / timekeeping_update
+|
+| write to 0xffffffc082e74248 of 56 bytes by interrupt on cpu 0:
+| update_fast_timekeeper kernel/time/timekeeping.c:430 [inline]
+| timekeeping_update+0x1d8/0x2d8 kernel/time/timekeeping.c:768
+| timekeeping_advance+0x9e8/0xb78 kernel/time/timekeeping.c:2344
+| update_wall_time+0x18/0x38 kernel/time/timekeeping.c:2360
+| [...]
+|
+| read to 0xffffffc082e74258 of 8 bytes by task 5260 on cpu 1:
+| __ktime_get_fast_ns kernel/time/timekeeping.c:372 [inline]
+| ktime_get_mono_fast_ns+0x88/0x174 kernel/time/timekeeping.c:489
+| init_srcu_struct_fields+0x40c/0x530 kernel/rcu/srcutree.c:263
+| init_srcu_struct+0x14/0x20 kernel/rcu/srcutree.c:311
+| [...]
+|
+| value changed: 0x000002f875d33266 -> 0x000002f877416866
+|
+| Reported by Kernel Concurrency Sanitizer on:
+| CPU: 1 UID: 0 PID: 5260 Comm: syz.2.7483 Not tainted 6.12.0-rc3-dirty #78
+
+This is a false positive data race between a seqcount latch writer and a reader
+accessing stale data. Since its introduction, KCSAN has never understood the
+seqcount_latch interface (due to being unannotated).
+
+Unlike the regular seqlock interface, the seqcount_latch interface for latch
+writers never has had a well-defined critical section, making it difficult to
+teach tooling where the critical section starts and ends.
+
+Introduce an instrumentable (non-raw) seqcount_latch interface, with
+which we can clearly denote writer critical sections. This both helps
+readability and tooling like KCSAN to understand when the writer is done
+updating all latch copies.
+
+Fixes: 88ecd153be95 ("seqlock, kcsan: Add annotations for KCSAN")
+Reported-by: Alexander Potapenko <glider@google.com>
+Co-developed-by: "Peter Zijlstra (Intel)" <peterz@infradead.org>
+Signed-off-by: "Peter Zijlstra (Intel)" <peterz@infradead.org>
+Signed-off-by: Marco Elver <elver@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20241104161910.780003-4-elver@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/locking/seqlock.rst | 2 +-
+ include/linux/seqlock.h | 86 +++++++++++++++++++++++++------
+ 2 files changed, 72 insertions(+), 16 deletions(-)
+
+diff --git a/Documentation/locking/seqlock.rst b/Documentation/locking/seqlock.rst
+index bfda1a5fecadc..ec6411d02ac8f 100644
+--- a/Documentation/locking/seqlock.rst
++++ b/Documentation/locking/seqlock.rst
+@@ -153,7 +153,7 @@ Use seqcount_latch_t when the write side sections cannot be protected
+ from interruption by readers. This is typically the case when the read
+ side can be invoked from NMI handlers.
+
+-Check `raw_write_seqcount_latch()` for more information.
++Check `write_seqcount_latch()` for more information.
+
+
+ .. _seqlock_t:
+diff --git a/include/linux/seqlock.h b/include/linux/seqlock.h
+index e9bd2f65d7f4e..484f9a179fc12 100644
+--- a/include/linux/seqlock.h
++++ b/include/linux/seqlock.h
+@@ -682,6 +682,23 @@ static __always_inline unsigned raw_read_seqcount_latch(const seqcount_latch_t *
+ return READ_ONCE(s->seqcount.sequence);
+ }
+
++/**
++ * read_seqcount_latch() - pick even/odd latch data copy
++ * @s: Pointer to seqcount_latch_t
++ *
++ * See write_seqcount_latch() for details and a full reader/writer usage
++ * example.
++ *
++ * Return: sequence counter raw value. Use the lowest bit as an index for
++ * picking which data copy to read. The full counter must then be checked
++ * with read_seqcount_latch_retry().
++ */
++static __always_inline unsigned read_seqcount_latch(const seqcount_latch_t *s)
++{
++ kcsan_atomic_next(KCSAN_SEQLOCK_REGION_MAX);
++ return raw_read_seqcount_latch(s);
++}
++
+ /**
+ * raw_read_seqcount_latch_retry() - end a seqcount_latch_t read section
+ * @s: Pointer to seqcount_latch_t
+@@ -696,9 +713,34 @@ raw_read_seqcount_latch_retry(const seqcount_latch_t *s, unsigned start)
+ return unlikely(READ_ONCE(s->seqcount.sequence) != start);
+ }
+
++/**
++ * read_seqcount_latch_retry() - end a seqcount_latch_t read section
++ * @s: Pointer to seqcount_latch_t
++ * @start: count, from read_seqcount_latch()
++ *
++ * Return: true if a read section retry is required, else false
++ */
++static __always_inline int
++read_seqcount_latch_retry(const seqcount_latch_t *s, unsigned start)
++{
++ kcsan_atomic_next(0);
++ return raw_read_seqcount_latch_retry(s, start);
++}
++
+ /**
+ * raw_write_seqcount_latch() - redirect latch readers to even/odd copy
+ * @s: Pointer to seqcount_latch_t
++ */
++static __always_inline void raw_write_seqcount_latch(seqcount_latch_t *s)
++{
++ smp_wmb(); /* prior stores before incrementing "sequence" */
++ s->seqcount.sequence++;
++ smp_wmb(); /* increment "sequence" before following stores */
++}
++
++/**
++ * write_seqcount_latch_begin() - redirect latch readers to odd copy
++ * @s: Pointer to seqcount_latch_t
+ *
+ * The latch technique is a multiversion concurrency control method that allows
+ * queries during non-atomic modifications. If you can guarantee queries never
+@@ -726,17 +768,11 @@ raw_read_seqcount_latch_retry(const seqcount_latch_t *s, unsigned start)
+ *
+ * void latch_modify(struct latch_struct *latch, ...)
+ * {
+- * smp_wmb(); // Ensure that the last data[1] update is visible
+- * latch->seq.sequence++;
+- * smp_wmb(); // Ensure that the seqcount update is visible
+- *
++ * write_seqcount_latch_begin(&latch->seq);
+ * modify(latch->data[0], ...);
+- *
+- * smp_wmb(); // Ensure that the data[0] update is visible
+- * latch->seq.sequence++;
+- * smp_wmb(); // Ensure that the seqcount update is visible
+- *
++ * write_seqcount_latch(&latch->seq);
+ * modify(latch->data[1], ...);
++ * write_seqcount_latch_end(&latch->seq);
+ * }
+ *
+ * The query will have a form like::
+@@ -747,13 +783,13 @@ raw_read_seqcount_latch_retry(const seqcount_latch_t *s, unsigned start)
+ * unsigned seq, idx;
+ *
+ * do {
+- * seq = raw_read_seqcount_latch(&latch->seq);
++ * seq = read_seqcount_latch(&latch->seq);
+ *
+ * idx = seq & 0x01;
+ * entry = data_query(latch->data[idx], ...);
+ *
+ * // This includes needed smp_rmb()
+- * } while (raw_read_seqcount_latch_retry(&latch->seq, seq));
++ * } while (read_seqcount_latch_retry(&latch->seq, seq));
+ *
+ * return entry;
+ * }
+@@ -777,11 +813,31 @@ raw_read_seqcount_latch_retry(const seqcount_latch_t *s, unsigned start)
+ * When data is a dynamic data structure; one should use regular RCU
+ * patterns to manage the lifetimes of the objects within.
+ */
+-static inline void raw_write_seqcount_latch(seqcount_latch_t *s)
++static __always_inline void write_seqcount_latch_begin(seqcount_latch_t *s)
+ {
+- smp_wmb(); /* prior stores before incrementing "sequence" */
+- s->seqcount.sequence++;
+- smp_wmb(); /* increment "sequence" before following stores */
++ kcsan_nestable_atomic_begin();
++ raw_write_seqcount_latch(s);
++}
++
++/**
++ * write_seqcount_latch() - redirect latch readers to even copy
++ * @s: Pointer to seqcount_latch_t
++ */
++static __always_inline void write_seqcount_latch(seqcount_latch_t *s)
++{
++ raw_write_seqcount_latch(s);
++}
++
++/**
++ * write_seqcount_latch_end() - end a seqcount_latch_t write section
++ * @s: Pointer to seqcount_latch_t
++ *
++ * Marks the end of a seqcount_latch_t writer section, after all copies of the
++ * latch-protected data have been updated.
++ */
++static __always_inline void write_seqcount_latch_end(seqcount_latch_t *s)
++{
++ kcsan_nestable_atomic_end();
+ }
+
+ /*
+--
+2.43.0
+
--- /dev/null
+From e5f0b9947e569ea1e4c0f198d7a9140dd6260ad0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 16:32:49 +0100
+Subject: kselftest/arm64: mte: fix printf type warnings about __u64
+
+From: Andre Przywara <andre.przywara@arm.com>
+
+[ Upstream commit 7e893dc81de3e342156389ea0b83ec7d07f25281 ]
+
+When printing the signal context's PC, we use a "%lx" format specifier,
+which matches the common userland (glibc's) definition of uint64_t as an
+"unsigned long". However the structure in question is defined in a
+kernel uapi header, which uses a self defined __u64 type, and the arm64
+kernel headers define this using "int-ll64.h", so it becomes an
+"unsigned long long". This mismatch leads to the usual compiler warning.
+
+The common fix would be to use "PRIx64", but because this is defined by
+the userland's toolchain libc headers, it wouldn't match as well. Since
+we know the exact type of __u64, just use "%llx" here instead, to silence
+this warning.
+
+This also fixes a more severe typo: "$lx" is not a valid format
+specifier.
+
+Fixes: 191e678bdc9b ("kselftest/arm64: Log unexpected asynchronous MTE faults")
+Signed-off-by: Andre Przywara <andre.przywara@arm.com>
+Reviewed-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20240816153251.2833702-7-andre.przywara@arm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/arm64/mte/mte_common_util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/arm64/mte/mte_common_util.c b/tools/testing/selftests/arm64/mte/mte_common_util.c
+index 00ffd34c66d30..1120f5aa76550 100644
+--- a/tools/testing/selftests/arm64/mte/mte_common_util.c
++++ b/tools/testing/selftests/arm64/mte/mte_common_util.c
+@@ -38,7 +38,7 @@ void mte_default_handler(int signum, siginfo_t *si, void *uc)
+ if (cur_mte_cxt.trig_si_code == si->si_code)
+ cur_mte_cxt.fault_valid = true;
+ else
+- ksft_print_msg("Got unexpected SEGV_MTEAERR at pc=$lx, fault addr=%lx\n",
++ ksft_print_msg("Got unexpected SEGV_MTEAERR at pc=%llx, fault addr=%lx\n",
+ ((ucontext_t *)uc)->uc_mcontext.pc,
+ addr);
+ return;
+@@ -64,7 +64,7 @@ void mte_default_handler(int signum, siginfo_t *si, void *uc)
+ exit(1);
+ }
+ } else if (signum == SIGBUS) {
+- ksft_print_msg("INFO: SIGBUS signal at pc=%lx, fault addr=%lx, si_code=%lx\n",
++ ksft_print_msg("INFO: SIGBUS signal at pc=%llx, fault addr=%lx, si_code=%x\n",
+ ((ucontext_t *)uc)->uc_mcontext.pc, addr, si->si_code);
+ if ((cur_mte_cxt.trig_range >= 0 &&
+ addr >= MT_CLEAR_TAG(cur_mte_cxt.trig_addr) &&
+--
+2.43.0
+
--- /dev/null
+From 667a5f6cae123fe2eb6dffe3c5016d2b429929f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2024 16:32:51 +0100
+Subject: kselftest/arm64: mte: fix printf type warnings about longs
+
+From: Andre Przywara <andre.przywara@arm.com>
+
+[ Upstream commit 96dddb7b9406259baace9a1831e8da155311be6f ]
+
+When checking MTE tags, we print some diagnostic messages when the tests
+fail. Some variables uses there are "longs", however we only use "%x"
+for the format specifier.
+
+Update the format specifiers to "%lx", to match the variable types they
+are supposed to print.
+
+Fixes: f3b2a26ca78d ("kselftest/arm64: Verify mte tag inclusion via prctl")
+Signed-off-by: Andre Przywara <andre.przywara@arm.com>
+Reviewed-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20240816153251.2833702-9-andre.przywara@arm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/arm64/mte/check_tags_inclusion.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/arm64/mte/check_tags_inclusion.c b/tools/testing/selftests/arm64/mte/check_tags_inclusion.c
+index 2b1425b92b699..a3d1e23fe02af 100644
+--- a/tools/testing/selftests/arm64/mte/check_tags_inclusion.c
++++ b/tools/testing/selftests/arm64/mte/check_tags_inclusion.c
+@@ -65,7 +65,7 @@ static int check_single_included_tags(int mem_type, int mode)
+ ptr = mte_insert_tags(ptr, BUFFER_SIZE);
+ /* Check tag value */
+ if (MT_FETCH_TAG((uintptr_t)ptr) == tag) {
+- ksft_print_msg("FAIL: wrong tag = 0x%x with include mask=0x%x\n",
++ ksft_print_msg("FAIL: wrong tag = 0x%lx with include mask=0x%x\n",
+ MT_FETCH_TAG((uintptr_t)ptr),
+ MT_INCLUDE_VALID_TAG(tag));
+ result = KSFT_FAIL;
+@@ -97,7 +97,7 @@ static int check_multiple_included_tags(int mem_type, int mode)
+ ptr = mte_insert_tags(ptr, BUFFER_SIZE);
+ /* Check tag value */
+ if (MT_FETCH_TAG((uintptr_t)ptr) < tag) {
+- ksft_print_msg("FAIL: wrong tag = 0x%x with include mask=0x%x\n",
++ ksft_print_msg("FAIL: wrong tag = 0x%lx with include mask=0x%lx\n",
+ MT_FETCH_TAG((uintptr_t)ptr),
+ MT_INCLUDE_VALID_TAGS(excl_mask));
+ result = KSFT_FAIL;
+--
+2.43.0
+
--- /dev/null
+From 18faaf580c5ba5d372b124e721811bbb3be28adf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 9 Nov 2024 12:02:57 +0530
+Subject: KVM: PPC: Book3S HV: Avoid returning to nested hypervisor on pending
+ doorbells
+
+From: Gautam Menghani <gautam@linux.ibm.com>
+
+[ Upstream commit 26686db69917399fa30e3b3135360771e90f83ec ]
+
+Commit 6398326b9ba1 ("KVM: PPC: Book3S HV P9: Stop using vc->dpdes")
+dropped the use of vcore->dpdes for msgsndp / SMT emulation. Prior to that
+commit, the below code at L1 level (see [1] for terminology) was
+responsible for setting vc->dpdes for the respective L2 vCPU:
+
+if (!nested) {
+ kvmppc_core_prepare_to_enter(vcpu);
+ if (vcpu->arch.doorbell_request) {
+ vc->dpdes = 1;
+ smp_wmb();
+ vcpu->arch.doorbell_request = 0;
+ }
+
+L1 then sent vc->dpdes to L0 via kvmhv_save_hv_regs(), and while
+servicing H_ENTER_NESTED at L0, the below condition at L0 level made sure
+to abort and go back to L1 if vcpu->arch.doorbell_request = 1 so that L1
+sets vc->dpdes as per above if condition:
+
+} else if (vcpu->arch.pending_exceptions ||
+ vcpu->arch.doorbell_request ||
+ xive_interrupt_pending(vcpu)) {
+ vcpu->arch.ret = RESUME_HOST;
+ goto out;
+}
+
+This worked fine since vcpu->arch.doorbell_request was used more like a
+flag and vc->dpdes was used to pass around the doorbell state. But after
+Commit 6398326b9ba1 ("KVM: PPC: Book3S HV P9: Stop using vc->dpdes"),
+vcpu->arch.doorbell_request is the only variable used to pass around
+doorbell state.
+With the plumbing for handling doorbells for nested guests updated to use
+vcpu->arch.doorbell_request over vc->dpdes, the above "else if" stops
+doorbells from working correctly as L0 aborts execution of L2 and
+instead goes back to L1.
+
+Remove vcpu->arch.doorbell_request from the above "else if" condition as
+it is no longer needed for L0 to correctly handle the doorbell status
+while running L2.
+
+[1] Terminology
+1. L0 : PowerNV linux running with HV privileges
+2. L1 : Pseries KVM guest running on top of L0
+2. L2 : Nested KVM guest running on top of L1
+
+Fixes: 6398326b9ba1 ("KVM: PPC: Book3S HV P9: Stop using vc->dpdes")
+Signed-off-by: Gautam Menghani <gautam@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://patch.msgid.link/20241109063301.105289-4-gautam@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kvm/book3s_hv.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
+index 479218389e7cd..45708ac55e90e 100644
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -4653,7 +4653,6 @@ int kvmhv_run_single_vcpu(struct kvm_vcpu *vcpu, u64 time_limit,
+ lpcr |= LPCR_MER;
+ }
+ } else if (vcpu->arch.pending_exceptions ||
+- vcpu->arch.doorbell_request ||
+ xive_interrupt_pending(vcpu)) {
+ vcpu->arch.ret = RESUME_HOST;
+ goto out;
+--
+2.43.0
+
--- /dev/null
+From e65b5968f57c4e7534aa334ed8cca2b7de573db1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 9 Nov 2024 12:02:56 +0530
+Subject: KVM: PPC: Book3S HV: Stop using vc->dpdes for nested KVM guests
+
+From: Gautam Menghani <gautam@linux.ibm.com>
+
+[ Upstream commit 0d3c6b28896f9889c8864dab469e0343a0ad1c0c ]
+
+commit 6398326b9ba1 ("KVM: PPC: Book3S HV P9: Stop using vc->dpdes")
+introduced an optimization to use only vcpu->doorbell_request for SMT
+emulation for Power9 and above guests, but the code for nested guests
+still relies on the old way of handling doorbells, due to which an L2
+guest (see [1]) cannot be booted with XICS with SMT>1. The command to
+repro this issue is:
+
+// To be run in L1
+
+qemu-system-ppc64 \
+ -drive file=rhel.qcow2,format=qcow2 \
+ -m 20G \
+ -smp 8,cores=1,threads=8 \
+ -cpu host \
+ -nographic \
+ -machine pseries,ic-mode=xics -accel kvm
+
+Fix the plumbing to utilize vcpu->doorbell_request instead of vcore->dpdes
+for nested KVM guests on P9 and above.
+
+[1] Terminology
+1. L0 : PowerNV linux running with HV privileges
+2. L1 : Pseries KVM guest running on top of L0
+2. L2 : Nested KVM guest running on top of L1
+
+Fixes: 6398326b9ba1 ("KVM: PPC: Book3S HV P9: Stop using vc->dpdes")
+Signed-off-by: Gautam Menghani <gautam@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://patch.msgid.link/20241109063301.105289-3-gautam@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kvm/book3s_hv.c | 9 +++++++++
+ arch/powerpc/kvm/book3s_hv_nested.c | 14 ++++++++++----
+ 2 files changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
+index 6ba68dd6190bd..479218389e7cd 100644
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -4062,6 +4062,15 @@ static int kvmhv_vcpu_entry_p9_nested(struct kvm_vcpu *vcpu, u64 time_limit, uns
+ }
+ hvregs.hdec_expiry = time_limit;
+
++ /*
++ * hvregs has the doorbell status, so zero it here which
++ * enables us to receive doorbells when H_ENTER_NESTED is
++ * in progress for this vCPU
++ */
++
++ if (vcpu->arch.doorbell_request)
++ vcpu->arch.doorbell_request = 0;
++
+ /*
+ * When setting DEC, we must always deal with irq_work_raise
+ * via NMI vs setting DEC. The problem occurs right as we
+diff --git a/arch/powerpc/kvm/book3s_hv_nested.c b/arch/powerpc/kvm/book3s_hv_nested.c
+index 5a64a1341e6f1..bc71a90c7cc76 100644
+--- a/arch/powerpc/kvm/book3s_hv_nested.c
++++ b/arch/powerpc/kvm/book3s_hv_nested.c
+@@ -32,7 +32,7 @@ void kvmhv_save_hv_regs(struct kvm_vcpu *vcpu, struct hv_guest_state *hr)
+ struct kvmppc_vcore *vc = vcpu->arch.vcore;
+
+ hr->pcr = vc->pcr | PCR_MASK;
+- hr->dpdes = vc->dpdes;
++ hr->dpdes = vcpu->arch.doorbell_request;
+ hr->hfscr = vcpu->arch.hfscr;
+ hr->tb_offset = vc->tb_offset;
+ hr->dawr0 = vcpu->arch.dawr0;
+@@ -105,7 +105,7 @@ static void save_hv_return_state(struct kvm_vcpu *vcpu,
+ {
+ struct kvmppc_vcore *vc = vcpu->arch.vcore;
+
+- hr->dpdes = vc->dpdes;
++ hr->dpdes = vcpu->arch.doorbell_request;
+ hr->purr = vcpu->arch.purr;
+ hr->spurr = vcpu->arch.spurr;
+ hr->ic = vcpu->arch.ic;
+@@ -143,7 +143,7 @@ static void restore_hv_regs(struct kvm_vcpu *vcpu, const struct hv_guest_state *
+ struct kvmppc_vcore *vc = vcpu->arch.vcore;
+
+ vc->pcr = hr->pcr | PCR_MASK;
+- vc->dpdes = hr->dpdes;
++ vcpu->arch.doorbell_request = hr->dpdes;
+ vcpu->arch.hfscr = hr->hfscr;
+ vcpu->arch.dawr0 = hr->dawr0;
+ vcpu->arch.dawrx0 = hr->dawrx0;
+@@ -170,7 +170,13 @@ void kvmhv_restore_hv_return_state(struct kvm_vcpu *vcpu,
+ {
+ struct kvmppc_vcore *vc = vcpu->arch.vcore;
+
+- vc->dpdes = hr->dpdes;
++ /*
++ * This L2 vCPU might have received a doorbell while H_ENTER_NESTED was being handled.
++ * Make sure we preserve the doorbell if it was either:
++ * a) Sent after H_ENTER_NESTED was called on this vCPU (arch.doorbell_request would be 1)
++ * b) Doorbell was not handled and L2 exited for some other reason (hr->dpdes would be 1)
++ */
++ vcpu->arch.doorbell_request = vcpu->arch.doorbell_request | hr->dpdes;
+ vcpu->arch.hfscr = hr->hfscr;
+ vcpu->arch.purr = hr->purr;
+ vcpu->arch.spurr = hr->spurr;
+--
+2.43.0
+
--- /dev/null
+From 0d441a075a844454f19358604cb4e0a6f60abda2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Sep 2024 01:37:42 -0700
+Subject: libbpf: Fix output .symtab byte-order during linking
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit f896b4a5399e97af0b451fcf04754ed316935674 ]
+
+Object linking output data uses the default ELF_T_BYTE type for '.symtab'
+section data, which disables any libelf-based translation. Explicitly set
+the ELF_T_SYM type for output to restore libelf's byte-order conversion,
+noting that input '.symtab' data is already correctly translated.
+
+Fixes: faf6ed321cf6 ("libbpf: Add BPF static linker APIs")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/87868bfeccf3f51aec61260073f8778e9077050a.1726475448.git.tony.ambardar@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/linker.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/lib/bpf/linker.c b/tools/lib/bpf/linker.c
+index 8a7cb830bff14..7d28f21b007fc 100644
+--- a/tools/lib/bpf/linker.c
++++ b/tools/lib/bpf/linker.c
+@@ -396,6 +396,8 @@ static int init_output_elf(struct bpf_linker *linker, const char *file)
+ pr_warn_elf("failed to create SYMTAB data");
+ return -EINVAL;
+ }
++ /* Ensure libelf translates byte-order of symbol records */
++ sec->data->d_type = ELF_T_SYM;
+
+ str_off = strset__add_str(linker->strtab_strs, sec->sec_name);
+ if (str_off < 0)
+--
+2.43.0
+
--- /dev/null
+From 021b53d7eeaa1d66d9f270b15a6a56ea54d70a6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 18:15:54 -0700
+Subject: libbpf: fix sym_is_subprog() logic for weak global subprogs
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 4073213488be542f563eb4b2457ab4cbcfc2b738 ]
+
+sym_is_subprog() is incorrectly rejecting relocations against *weak*
+global subprogs. Fix that by realizing that STB_WEAK is also a global
+function.
+
+While it seems like verifier doesn't support taking an address of
+non-static subprog right now, it's still best to fix support for it on
+libbpf side, otherwise users will get a very confusing error during BPF
+skeleton generation or static linking due to misinterpreted relocation:
+
+ libbpf: prog 'handle_tp': bad map relo against 'foo' in section '.text'
+ Error: failed to open BPF object file: Relocation failed
+
+It's clearly not a map relocation, but is treated and reported as such
+without this fix.
+
+Fixes: 53eddb5e04ac ("libbpf: Support subprog address relocation")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/r/20241009011554.880168-1-andrii@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 878f05a424218..d8b5304eac8cd 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -3501,7 +3501,7 @@ static bool sym_is_subprog(const Elf64_Sym *sym, int text_shndx)
+ return true;
+
+ /* global function */
+- return bind == STB_GLOBAL && type == STT_FUNC;
++ return (bind == STB_GLOBAL || bind == STB_WEAK) && type == STT_FUNC;
+ }
+
+ static int find_extern_btf_id(const struct btf *btf, const char *ext_name)
+--
+2.43.0
+
--- /dev/null
+From f720197e0bd0cd087091fd97b0c21b8ab1ec0a0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2024 14:17:30 -0700
+Subject: libbpf: never interpret subprogs in .text as entry programs
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit db089c9158c1d535a36dfc010e5db37fccea2561 ]
+
+Libbpf pre-1.0 had a legacy logic of allowing singular non-annotated
+(i.e., not having explicit SEC() annotation) function to be treated as
+sole entry BPF program (unless there were other explicit entry
+programs).
+
+This behavior was dropped during libbpf 1.0 transition period (unless
+LIBBPF_STRICT_SEC_NAME flag was unset in libbpf_mode). When 1.0 was
+released and all the legacy behavior was removed, the bug slipped
+through leaving this legacy behavior around.
+
+Fix this for good, as it actually causes very confusing behavior if BPF
+object file only has subprograms, but no entry programs.
+
+Fixes: bd054102a8c7 ("libbpf: enforce strict libbpf 1.0 behaviors")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/r/20241010211731.4121837-1-andrii@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index d8b5304eac8cd..a0fb50718daef 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -3896,7 +3896,7 @@ static int bpf_object__collect_externs(struct bpf_object *obj)
+
+ static bool prog_is_subprog(const struct bpf_object *obj, const struct bpf_program *prog)
+ {
+- return prog->sec_idx == obj->efile.text_shndx && obj->nr_programs > 1;
++ return prog->sec_idx == obj->efile.text_shndx;
+ }
+
+ struct bpf_program *
+--
+2.43.0
+
--- /dev/null
+From 344d7d1a2481bc384e5cb26b9f7ae0309ec5e4de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Nov 2024 14:31:41 +0100
+Subject: llc: Improve setsockopt() handling of malformed user input
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 1465036b10be4b8b00eb31c879e86de633ad74c1 ]
+
+copy_from_sockptr() is used incorrectly: return value is the number of
+bytes that could not be copied. Since it's deprecated, switch to
+copy_safe_from_sockptr().
+
+Note: Keeping the `optlen != sizeof(int)` check as copy_safe_from_sockptr()
+by itself would also accept optlen > sizeof(int). Which would allow a more
+lenient handling of inputs.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Suggested-by: David Wei <dw@davidwei.uk>
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/llc/af_llc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
+index 8e3be0009f609..447031c5eac4d 100644
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -1099,7 +1099,7 @@ static int llc_ui_setsockopt(struct socket *sock, int level, int optname,
+ lock_sock(sk);
+ if (unlikely(level != SOL_LLC || optlen != sizeof(int)))
+ goto out;
+- rc = copy_from_sockptr(&opt, optval, sizeof(opt));
++ rc = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
+ if (rc)
+ goto out;
+ rc = -EINVAL;
+--
+2.43.0
+
--- /dev/null
+From b247ccce3f8d6ebffe6b7c666c888f1e7636f10c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Nov 2024 15:47:48 +0800
+Subject: LoongArch: BPF: Sign-extend return values
+
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+
+[ Upstream commit 73c359d1d356cf10236ccd358bd55edab33e9424 ]
+
+(1) Description of Problem:
+
+When testing BPF JIT with the latest compiler toolchains on LoongArch,
+there exist some strange failed test cases, dmesg shows something like
+this:
+
+ # dmesg -t | grep FAIL | head -1
+ ... ret -3 != -3 (0xfffffffd != 0xfffffffd)FAIL ...
+
+(2) Steps to Reproduce:
+
+ # echo 1 > /proc/sys/net/core/bpf_jit_enable
+ # modprobe test_bpf
+
+(3) Additional Info:
+
+There are no failed test cases compiled with the lower version of GCC
+such as 13.3.0, while the problems only appear with higher version of
+GCC such as 14.2.0.
+
+This is because the problems were hidden by the lower version of GCC due
+to redundant sign extension instructions generated by compiler, but with
+optimization of higher version of GCC, the sign extension instructions
+have been removed.
+
+(4) Root Cause Analysis:
+
+The LoongArch architecture does not expose sub-registers, and hold all
+32-bit values in a sign-extended format. While BPF, on the other hand,
+exposes sub-registers, and use zero-extension (similar to arm64/x86).
+
+This has led to some subtle bugs, where a BPF JITted program has not
+sign-extended the a0 register (return value in LoongArch land), passed
+the return value up the kernel, for example:
+
+ | int from_bpf(void);
+ |
+ | long foo(void)
+ | {
+ | return from_bpf();
+ | }
+
+Here, a0 would be 0xffffffff instead of the expected 0xffffffffffffffff.
+
+Internally, the LoongArch JIT uses a5 as a dedicated register for BPF
+return values. That is to say, the LoongArch BPF uses a5 for BPF return
+values, which are zero-extended, whereas the LoongArch ABI uses a0 which
+is sign-extended.
+
+(5) Final Solution:
+
+Keep a5 zero-extended, but explicitly sign-extend a0 (which is used
+outside BPF land). Because libbpf currently defines the return value
+of an ebpf program as a 32-bit unsigned integer, just use addi.w to
+extend bit 31 into bits 63 through 32 of a5 to a0. This is similar to
+commit 2f1b0d3d7331 ("riscv, bpf: Sign-extend return values").
+
+Fixes: 5dc615520c4d ("LoongArch: Add BPF JIT support")
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/loongarch/net/bpf_jit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/loongarch/net/bpf_jit.c b/arch/loongarch/net/bpf_jit.c
+index 4e86441e63196..2567916370b4e 100644
+--- a/arch/loongarch/net/bpf_jit.c
++++ b/arch/loongarch/net/bpf_jit.c
+@@ -179,7 +179,7 @@ static void __build_epilogue(struct jit_ctx *ctx, bool is_tail_call)
+
+ if (!is_tail_call) {
+ /* Set return value */
+- move_reg(ctx, LOONGARCH_GPR_A0, regmap[BPF_REG_0]);
++ emit_insn(ctx, addiw, LOONGARCH_GPR_A0, regmap[BPF_REG_0], 0);
+ /* Return to the caller */
+ emit_insn(ctx, jirl, LOONGARCH_GPR_RA, LOONGARCH_GPR_ZERO, 0);
+ } else {
+--
+2.43.0
+
--- /dev/null
+From b840280c9223d4712761a9fda8b28a3084f9bcc5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Nov 2024 15:47:47 +0800
+Subject: LoongArch: Fix build failure with GCC 15 (-std=gnu23)
+
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+
+[ Upstream commit 947d5d036c788156f09e83e7f16322ffe8124384 ]
+
+Whenever I try to build the kernel with upcoming GCC 15 which defaults
+to -std=gnu23 I get a build failure:
+
+ CC arch/loongarch/vdso/vgetcpu.o
+In file included from ./include/uapi/linux/posix_types.h:5,
+ from ./include/uapi/linux/types.h:14,
+ from ./include/linux/types.h:6,
+ from ./include/linux/kasan-checks.h:5,
+ from ./include/asm-generic/rwonce.h:26,
+ from ./arch/loongarch/include/generated/asm/rwonce.h:1,
+ from ./include/linux/compiler.h:317,
+ from ./include/asm-generic/bug.h:5,
+ from ./arch/loongarch/include/asm/bug.h:60,
+ from ./include/linux/bug.h:5,
+ from ./include/linux/mmdebug.h:5,
+ from ./include/linux/mm.h:6,
+ from ./arch/loongarch/include/asm/vdso.h:10,
+ from arch/loongarch/vdso/vgetcpu.c:6:
+./include/linux/stddef.h:11:9: error: expected identifier before 'false'
+ 11 | false = 0,
+ | ^~~~~
+./include/linux/types.h:35:33: error: two or more data types in declaration specifiers
+ 35 | typedef _Bool bool;
+ | ^~~~
+./include/linux/types.h:35:1: warning: useless type name in empty declaration
+ 35 | typedef _Bool bool;
+ | ^~~~~~~
+
+The kernel builds explicitly with -std=gnu11 in top Makefile, but
+arch/loongarch/vdso does not use KBUILD_CFLAGS from the rest of the
+kernel, just add -std=gnu11 flag to arch/loongarch/vdso/Makefile.
+
+By the way, commit e8c07082a810 ("Kbuild: move to -std=gnu11") did a
+similar change for arch/arm64/kernel/vdso32/Makefile.
+
+Fixes: c6b99bed6b8f ("LoongArch: Add VDSO and VSYSCALL support")
+Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/loongarch/vdso/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/loongarch/vdso/Makefile b/arch/loongarch/vdso/Makefile
+index 67cfb4934bcf8..ed196e42972c7 100644
+--- a/arch/loongarch/vdso/Makefile
++++ b/arch/loongarch/vdso/Makefile
+@@ -23,7 +23,7 @@ endif
+ cflags-vdso := $(ccflags-vdso) \
+ -isystem $(shell $(CC) -print-file-name=include) \
+ $(filter -W%,$(filter-out -Wa$(comma)%,$(KBUILD_CFLAGS))) \
+- -O2 -g -fno-strict-aliasing -fno-common -fno-builtin \
++ -std=gnu11 -O2 -g -fno-strict-aliasing -fno-common -fno-builtin \
+ -fno-stack-protector -fno-jump-tables -DDISABLE_BRANCH_PROFILING \
+ $(call cc-option, -fno-asynchronous-unwind-tables) \
+ $(call cc-option, -fno-stack-protector)
+--
+2.43.0
+
--- /dev/null
+From e35a8518565350ab66cfc5ea0829255d6e7e9bb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jun 2023 20:58:43 +0800
+Subject: LoongArch: Tweak CFLAGS for Clang compatibility
+
+From: WANG Xuerui <git@xen0n.name>
+
+[ Upstream commit 38b10b269d04540aee05c34a059dcf304cfce0a8 ]
+
+Now the arch code is mostly ready for LLVM/Clang consumption, it is time
+to re-organize the CFLAGS a little to actually enable the LLVM build.
+Namely, all -G0 switches from CFLAGS are removed, and -mexplicit-relocs
+and -mdirect-extern-access are now wrapped with cc-option (with the
+related asm/percpu.h definition guarded against toolchain combos that
+are known to not work).
+
+A build with !RELOCATABLE && !MODULE is confirmed working within a QEMU
+environment; support for the two features are currently blocked on
+LLVM/Clang, and will come later.
+
+Why -G0 can be removed:
+
+In GCC, -G stands for "small data threshold", that instructs the
+compiler to put data smaller than the specified threshold in a dedicated
+"small data" section (called .sdata on LoongArch and several other
+arches).
+
+However, benefiting from this would require ABI cooperation, which is
+not the case for LoongArch; and current GCC behave the same whether -G0
+(equal to disabling this optimization) is given or not. So, remove -G0
+from CFLAGS altogether for one less thing to care about. This also
+benefits LLVM/Clang compatibility where the -G switch is not supported.
+
+Why -mexplicit-relocs can now be conditionally applied without
+regressions:
+
+Originally -mexplicit-relocs is unconditionally added to CFLAGS in case
+of CONFIG_AS_HAS_EXPLICIT_RELOCS, because not having it (i.e. old GCC +
+new binutils) would not work: modules will have R_LARCH_ABS_* relocs
+inside, but given the rarity of such toolchain combo in the wild, it may
+not be worthwhile to support it, so support for such relocs in modules
+were not added back when explicit relocs support was upstreamed, and
+-mexplicit-relocs is unconditionally added to fail the build early.
+
+Now that Clang compatibility is desired, given Clang is behaving like
+-mexplicit-relocs from day one but without support for the CLI flag, we
+must ensure the flag is not passed in case of Clang. However, explicit
+compiler flavor checks can be more brittle than feature detection: in
+this case what actually matters is support for __attribute__((model))
+when building modules. Given neither older GCC nor current Clang support
+this attribute, probing for the attribute support and #error'ing out
+would allow proper UX without checking for Clang, and also automatically
+work when Clang support for the attribute is to be added in the future.
+
+Why -mdirect-extern-access is now conditionally applied:
+
+This is actually a nice-to-have optimization that can reduce GOT
+accesses, but not having it is harmless either. Because Clang does not
+support the option currently, but might do so in the future, conditional
+application via cc-option ensures compatibility with both current and
+future Clang versions.
+
+Suggested-by: Xi Ruoyao <xry111@xry111.site> # cc-option changes
+Signed-off-by: WANG Xuerui <git@xen0n.name>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Stable-dep-of: 947d5d036c78 ("LoongArch: Fix build failure with GCC 15 (-std=gnu23)")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/loongarch/Makefile | 21 +++++++++++++--------
+ arch/loongarch/include/asm/percpu.h | 6 +++++-
+ arch/loongarch/vdso/Makefile | 2 +-
+ 3 files changed, 19 insertions(+), 10 deletions(-)
+
+diff --git a/arch/loongarch/Makefile b/arch/loongarch/Makefile
+index ed47a3a87768e..275d4d5260c72 100644
+--- a/arch/loongarch/Makefile
++++ b/arch/loongarch/Makefile
+@@ -41,8 +41,8 @@ ld-emul = $(64bit-emul)
+ cflags-y += -mabi=lp64s
+ endif
+
+-cflags-y += -G0 -pipe -msoft-float
+-LDFLAGS_vmlinux += -G0 -static -n -nostdlib
++cflags-y += -pipe -msoft-float
++LDFLAGS_vmlinux += -static -n -nostdlib
+
+ # When the assembler supports explicit relocation hint, we must use it.
+ # GCC may have -mexplicit-relocs off by default if it was built with an old
+@@ -51,13 +51,18 @@ LDFLAGS_vmlinux += -G0 -static -n -nostdlib
+ # When the assembler does not supports explicit relocation hint, we can't use
+ # it. Disable it if the compiler supports it.
+ #
+-# If you've seen "unknown reloc hint" message building the kernel and you are
+-# now wondering why "-mexplicit-relocs" is not wrapped with cc-option: the
+-# combination of a "new" assembler and "old" compiler is not supported. Either
+-# upgrade the compiler or downgrade the assembler.
++# The combination of a "new" assembler and "old" GCC is not supported, given
++# the rarity of this combo and the extra complexity needed to make it work.
++# Either upgrade the compiler or downgrade the assembler; the build will error
++# out if it is the case (by probing for the model attribute; all supported
++# compilers in this case would have support).
++#
++# Also, -mdirect-extern-access is useful in case of building with explicit
++# relocs, for avoiding unnecessary GOT accesses. It is harmless to not have
++# support though.
+ ifdef CONFIG_AS_HAS_EXPLICIT_RELOCS
+-cflags-y += -mexplicit-relocs
+-KBUILD_CFLAGS_KERNEL += -mdirect-extern-access
++cflags-y += $(call cc-option,-mexplicit-relocs)
++KBUILD_CFLAGS_KERNEL += $(call cc-option,-mdirect-extern-access)
+ else
+ cflags-y += $(call cc-option,-mno-explicit-relocs)
+ KBUILD_AFLAGS_KERNEL += -Wa,-mla-global-with-pcrel
+diff --git a/arch/loongarch/include/asm/percpu.h b/arch/loongarch/include/asm/percpu.h
+index c90c560941685..7e804140500f1 100644
+--- a/arch/loongarch/include/asm/percpu.h
++++ b/arch/loongarch/include/asm/percpu.h
+@@ -14,7 +14,11 @@
+ * loaded. Tell the compiler this fact when using explicit relocs.
+ */
+ #if defined(MODULE) && defined(CONFIG_AS_HAS_EXPLICIT_RELOCS)
+-#define PER_CPU_ATTRIBUTES __attribute__((model("extreme")))
++# if __has_attribute(model)
++# define PER_CPU_ATTRIBUTES __attribute__((model("extreme")))
++# else
++# error compiler support for the model attribute is necessary when a recent assembler is used
++# endif
+ #endif
+
+ /* Use r21 for fast access */
+diff --git a/arch/loongarch/vdso/Makefile b/arch/loongarch/vdso/Makefile
+index d89e2ac75f7b8..67cfb4934bcf8 100644
+--- a/arch/loongarch/vdso/Makefile
++++ b/arch/loongarch/vdso/Makefile
+@@ -23,7 +23,7 @@ endif
+ cflags-vdso := $(ccflags-vdso) \
+ -isystem $(shell $(CC) -print-file-name=include) \
+ $(filter -W%,$(filter-out -Wa$(comma)%,$(KBUILD_CFLAGS))) \
+- -O2 -g -fno-strict-aliasing -fno-common -fno-builtin -G0 \
++ -O2 -g -fno-strict-aliasing -fno-common -fno-builtin \
+ -fno-stack-protector -fno-jump-tables -DDISABLE_BRANCH_PROFILING \
+ $(call cc-option, -fno-asynchronous-unwind-tables) \
+ $(call cc-option, -fno-stack-protector)
+--
+2.43.0
+
--- /dev/null
+From 496bbfb4e36aab6c6ebca703fcef0dacc32e53cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2024 22:43:15 +0100
+Subject: m68k: coldfire/device.c: only build FEC when HW macros are defined
+
+From: Antonio Quartulli <antonio@mandelbit.com>
+
+[ Upstream commit 63a24cf8cc330e5a68ebd2e20ae200096974c475 ]
+
+When CONFIG_FEC is set (due to COMPILE_TEST) along with
+CONFIG_M54xx, coldfire/device.c has compile errors due to
+missing MCFEC_* and MCF_IRQ_FEC_* symbols.
+
+Make the whole FEC blocks dependent on having the HW macros
+defined, rather than on CONFIG_FEC itself.
+
+This fix is very similar to commit e6e1e7b19fa1 ("m68k: coldfire/device.c: only build for MCF_EDMA when h/w macros are defined")
+
+Fixes: b7ce7f0d0efc ("m68knommu: merge common ColdFire FEC platform setup code")
+To: Greg Ungerer <gerg@linux-m68k.org>
+To: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: linux-m68k@lists.linux-m68k.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
+Signed-off-by: Greg Ungerer <gerg@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/coldfire/device.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/m68k/coldfire/device.c b/arch/m68k/coldfire/device.c
+index 7dab46728aeda..b6958ec2a220c 100644
+--- a/arch/m68k/coldfire/device.c
++++ b/arch/m68k/coldfire/device.c
+@@ -93,7 +93,7 @@ static struct platform_device mcf_uart = {
+ .dev.platform_data = mcf_uart_platform_data,
+ };
+
+-#if IS_ENABLED(CONFIG_FEC)
++#ifdef MCFFEC_BASE0
+
+ #ifdef CONFIG_M5441x
+ #define FEC_NAME "enet-fec"
+@@ -145,6 +145,7 @@ static struct platform_device mcf_fec0 = {
+ .platform_data = FEC_PDATA,
+ }
+ };
++#endif /* MCFFEC_BASE0 */
+
+ #ifdef MCFFEC_BASE1
+ static struct resource mcf_fec1_resources[] = {
+@@ -182,7 +183,6 @@ static struct platform_device mcf_fec1 = {
+ }
+ };
+ #endif /* MCFFEC_BASE1 */
+-#endif /* CONFIG_FEC */
+
+ #if IS_ENABLED(CONFIG_SPI_COLDFIRE_QSPI)
+ /*
+@@ -624,12 +624,12 @@ static struct platform_device mcf_flexcan0 = {
+
+ static struct platform_device *mcf_devices[] __initdata = {
+ &mcf_uart,
+-#if IS_ENABLED(CONFIG_FEC)
++#ifdef MCFFEC_BASE0
+ &mcf_fec0,
++#endif
+ #ifdef MCFFEC_BASE1
+ &mcf_fec1,
+ #endif
+-#endif
+ #if IS_ENABLED(CONFIG_SPI_COLDFIRE_QSPI)
+ &mcf_qspi,
+ #endif
+--
+2.43.0
+
--- /dev/null
+From 0424033ad2376215f812fd6fc1c4caf58151af60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2024 09:24:35 +0200
+Subject: m68k: mcfgpio: Fix incorrect register offset for CONFIG_M5441x
+
+From: Jean-Michel Hautbois <jeanmichel.hautbois@yoseli.org>
+
+[ Upstream commit f212140962c93cd5da43283a18e31681540fc23d ]
+
+Fix a typo in the CONFIG_M5441x preprocessor condition, where the GPIO
+register offset was incorrectly set to 8 instead of 0. This prevented
+proper GPIO configuration for m5441x targets.
+
+Fixes: bea8bcb12da0 ("m68knommu: Add support for the Coldfire m5441x.")
+Signed-off-by: Jean-Michel Hautbois <jeanmichel.hautbois@yoseli.org>
+Signed-off-by: Greg Ungerer <gerg@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/include/asm/mcfgpio.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/m68k/include/asm/mcfgpio.h b/arch/m68k/include/asm/mcfgpio.h
+index 27f32cc81da6b..02049568198c9 100644
+--- a/arch/m68k/include/asm/mcfgpio.h
++++ b/arch/m68k/include/asm/mcfgpio.h
+@@ -144,7 +144,7 @@ static inline void gpio_free(unsigned gpio)
+ * read-modify-write as well as those controlled by the EPORT and GPIO modules.
+ */
+ #define MCFGPIO_SCR_START 40
+-#elif defined(CONFIGM5441x)
++#elif defined(CONFIG_M5441x)
+ /* The m5441x EPORT doesn't have its own GPIO port, uses PORT C */
+ #define MCFGPIO_SCR_START 0
+ #else
+--
+2.43.0
+
--- /dev/null
+From eaf3226eabd6cefdb60f9f030ae9d0428ba66be1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Oct 2024 13:29:47 +1000
+Subject: m68k: mvme147: Fix SCSI controller IRQ numbers
+
+From: Daniel Palmer <daniel@0x0f.com>
+
+[ Upstream commit 47bc874427382018fa2e3e982480e156271eee70 ]
+
+Sometime long ago the m68k IRQ code was refactored and the interrupt
+numbers for SCSI controller on this board ended up wrong, and it hasn't
+worked since.
+
+The PCC adds 0x40 to the vector for its interrupts so they end up in
+the user interrupt range. Hence, the kernel number should be the kernel
+offset for user interrupt range + the PCC interrupt number.
+
+Fixes: 200a3d352cd5 ("[PATCH] m68k: convert VME irq code")
+Signed-off-by: Daniel Palmer <daniel@0x0f.com>
+Reviewed-by: Finn Thain <fthain@linux-m68k.org>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/0e7636a21a0274eea35bfd5d874459d5078e97cc.1727926187.git.fthain@linux-m68k.org
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/include/asm/mvme147hw.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/m68k/include/asm/mvme147hw.h b/arch/m68k/include/asm/mvme147hw.h
+index e28eb1c0e0bfb..dbf88059e47a4 100644
+--- a/arch/m68k/include/asm/mvme147hw.h
++++ b/arch/m68k/include/asm/mvme147hw.h
+@@ -93,8 +93,8 @@ struct pcc_regs {
+ #define M147_SCC_B_ADDR 0xfffe3000
+ #define M147_SCC_PCLK 5000000
+
+-#define MVME147_IRQ_SCSI_PORT (IRQ_USER+0x45)
+-#define MVME147_IRQ_SCSI_DMA (IRQ_USER+0x46)
++#define MVME147_IRQ_SCSI_PORT (IRQ_USER + 5)
++#define MVME147_IRQ_SCSI_DMA (IRQ_USER + 6)
+
+ /* SCC interrupts, for MVME147 */
+
+--
+2.43.0
+
--- /dev/null
+From b09520325f6573151146f486aee682b42b469a9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Nov 2024 10:51:24 +1100
+Subject: m68k: mvme147: Reinstate early console
+
+From: Daniel Palmer <daniel@0x0f.com>
+
+[ Upstream commit 077b33b9e2833ff25050d986178a2c4c4036cbac ]
+
+Commit a38eaa07a0ce ("m68k/mvme147: config.c - Remove unused
+functions"), removed the console functionality for the mvme147 instead
+of wiring it up to an early console. Put the console write function
+back and wire it up like mvme16x does so it's possible to see Linux boot
+on this fine hardware once more.
+
+Fixes: a38eaa07a0ce ("m68k/mvme147: config.c - Remove unused functions")
+Signed-off-by: Daniel Palmer <daniel@0x0f.com>
+Co-developed-by: Finn Thain <fthain@linux-m68k.org>
+Signed-off-by: Finn Thain <fthain@linux-m68k.org>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/a82e8f0068a8722996a0ccfe666abb5e0a5c120d.1730850684.git.fthain@linux-m68k.org
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/kernel/early_printk.c | 5 ++++-
+ arch/m68k/mvme147/config.c | 30 ++++++++++++++++++++++++++++++
+ arch/m68k/mvme147/mvme147.h | 6 ++++++
+ 3 files changed, 40 insertions(+), 1 deletion(-)
+ create mode 100644 arch/m68k/mvme147/mvme147.h
+
+diff --git a/arch/m68k/kernel/early_printk.c b/arch/m68k/kernel/early_printk.c
+index 3cc944df04f65..f11ef9f1f56fc 100644
+--- a/arch/m68k/kernel/early_printk.c
++++ b/arch/m68k/kernel/early_printk.c
+@@ -13,6 +13,7 @@
+ #include <asm/setup.h>
+
+
++#include "../mvme147/mvme147.h"
+ #include "../mvme16x/mvme16x.h"
+
+ asmlinkage void __init debug_cons_nputs(const char *s, unsigned n);
+@@ -22,7 +23,9 @@ static void __ref debug_cons_write(struct console *c,
+ {
+ #if !(defined(CONFIG_SUN3) || defined(CONFIG_M68000) || \
+ defined(CONFIG_COLDFIRE))
+- if (MACH_IS_MVME16x)
++ if (MACH_IS_MVME147)
++ mvme147_scc_write(c, s, n);
++ else if (MACH_IS_MVME16x)
+ mvme16x_cons_write(c, s, n);
+ else
+ debug_cons_nputs(s, n);
+diff --git a/arch/m68k/mvme147/config.c b/arch/m68k/mvme147/config.c
+index 4e6218115f43c..95d4a7e13b33d 100644
+--- a/arch/m68k/mvme147/config.c
++++ b/arch/m68k/mvme147/config.c
+@@ -35,6 +35,7 @@
+ #include <asm/mvme147hw.h>
+ #include <asm/config.h>
+
++#include "mvme147.h"
+
+ static void mvme147_get_model(char *model);
+ extern void mvme147_sched_init(void);
+@@ -188,3 +189,32 @@ int mvme147_hwclk(int op, struct rtc_time *t)
+ }
+ return 0;
+ }
++
++static void scc_delay(void)
++{
++ __asm__ __volatile__ ("nop; nop;");
++}
++
++static void scc_write(char ch)
++{
++ do {
++ scc_delay();
++ } while (!(in_8(M147_SCC_A_ADDR) & BIT(2)));
++ scc_delay();
++ out_8(M147_SCC_A_ADDR, 8);
++ scc_delay();
++ out_8(M147_SCC_A_ADDR, ch);
++}
++
++void mvme147_scc_write(struct console *co, const char *str, unsigned int count)
++{
++ unsigned long flags;
++
++ local_irq_save(flags);
++ while (count--) {
++ if (*str == '\n')
++ scc_write('\r');
++ scc_write(*str++);
++ }
++ local_irq_restore(flags);
++}
+diff --git a/arch/m68k/mvme147/mvme147.h b/arch/m68k/mvme147/mvme147.h
+new file mode 100644
+index 0000000000000..140bc98b0102a
+--- /dev/null
++++ b/arch/m68k/mvme147/mvme147.h
+@@ -0,0 +1,6 @@
++/* SPDX-License-Identifier: GPL-2.0-only */
++
++struct console;
++
++/* config.c */
++void mvme147_scc_write(struct console *co, const char *str, unsigned int count);
+--
+2.43.0
+
--- /dev/null
+From b5edcefa101bea297abde8f29b00d30de1d31bd6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Sep 2023 16:08:25 +0200
+Subject: m68k: mvme16x: Add and use "mvme16x.h"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+[ Upstream commit dcec33c1fc4ab63983d93ffb0d82b68fc5775b88 ]
+
+When building with W=1:
+
+ arch/m68k/mvme16x/config.c:208:6: warning: no previous prototype for ‘mvme16x_cons_write’ [-Wmissing-prototypes]
+ 208 | void mvme16x_cons_write(struct console *co, const char *str, unsigned count)
+ | ^~~~~~~~~~~~~~~~~~
+
+Fix this by introducing a new header file "mvme16x.h" for holding the
+prototypes of functions implemented in arch/m68k/mvme16x/.
+
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/6200cc3b26fad215c4524748af04692e38c5ecd2.1694613528.git.geert@linux-m68k.org
+Stable-dep-of: 077b33b9e283 ("m68k: mvme147: Reinstate early console")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/kernel/early_printk.c | 4 ++--
+ arch/m68k/mvme16x/config.c | 2 ++
+ arch/m68k/mvme16x/mvme16x.h | 6 ++++++
+ 3 files changed, 10 insertions(+), 2 deletions(-)
+ create mode 100644 arch/m68k/mvme16x/mvme16x.h
+
+diff --git a/arch/m68k/kernel/early_printk.c b/arch/m68k/kernel/early_printk.c
+index 7d3fe08a48eb0..3cc944df04f65 100644
+--- a/arch/m68k/kernel/early_printk.c
++++ b/arch/m68k/kernel/early_printk.c
+@@ -12,8 +12,8 @@
+ #include <linux/string.h>
+ #include <asm/setup.h>
+
+-extern void mvme16x_cons_write(struct console *co,
+- const char *str, unsigned count);
++
++#include "../mvme16x/mvme16x.h"
+
+ asmlinkage void __init debug_cons_nputs(const char *s, unsigned n);
+
+diff --git a/arch/m68k/mvme16x/config.c b/arch/m68k/mvme16x/config.c
+index f00c7aa058dec..2b7eac224138e 100644
+--- a/arch/m68k/mvme16x/config.c
++++ b/arch/m68k/mvme16x/config.c
+@@ -38,6 +38,8 @@
+ #include <asm/mvme16xhw.h>
+ #include <asm/config.h>
+
++#include "mvme16x.h"
++
+ extern t_bdid mvme_bdid;
+
+ static MK48T08ptr_t volatile rtc = (MK48T08ptr_t)MVME_RTC_BASE;
+diff --git a/arch/m68k/mvme16x/mvme16x.h b/arch/m68k/mvme16x/mvme16x.h
+new file mode 100644
+index 0000000000000..159c34b700394
+--- /dev/null
++++ b/arch/m68k/mvme16x/mvme16x.h
+@@ -0,0 +1,6 @@
++/* SPDX-License-Identifier: GPL-2.0-only */
++
++struct console;
++
++/* config.c */
++void mvme16x_cons_write(struct console *co, const char *str, unsigned count);
+--
+2.43.0
+
--- /dev/null
+From 0ce1b9417c4c1181c0befcc570d4be8e60fdbb21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2024 12:00:12 +0300
+Subject: mailbox: arm_mhuv2: clean up loop in get_irq_chan_comb()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 192a16a3430ca459c4e986f3d10758c4d6b1aa29 ]
+
+Both the inner and outer loops in this code use the "i" iterator.
+The inner loop should really use a different iterator.
+
+It doesn't affect things in practice because the data comes from the
+device tree. The "protocol" and "windows" variables are going to be
+zero. That means we're always going to hit the "return &chans[channel];"
+statement and we're not going to want to iterate through the outer
+loop again.
+
+Still it's worth fixing this for future use cases.
+
+Fixes: 5a6338cce9f4 ("mailbox: arm_mhuv2: Add driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/arm_mhuv2.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mailbox/arm_mhuv2.c b/drivers/mailbox/arm_mhuv2.c
+index 0ec21dcdbde72..cff7c343ee082 100644
+--- a/drivers/mailbox/arm_mhuv2.c
++++ b/drivers/mailbox/arm_mhuv2.c
+@@ -500,7 +500,7 @@ static const struct mhuv2_protocol_ops mhuv2_data_transfer_ops = {
+ static struct mbox_chan *get_irq_chan_comb(struct mhuv2 *mhu, u32 __iomem *reg)
+ {
+ struct mbox_chan *chans = mhu->mbox.chans;
+- int channel = 0, i, offset = 0, windows, protocol, ch_wn;
++ int channel = 0, i, j, offset = 0, windows, protocol, ch_wn;
+ u32 stat;
+
+ for (i = 0; i < MHUV2_CMB_INT_ST_REG_CNT; i++) {
+@@ -510,9 +510,9 @@ static struct mbox_chan *get_irq_chan_comb(struct mhuv2 *mhu, u32 __iomem *reg)
+
+ ch_wn = i * MHUV2_STAT_BITS + __builtin_ctz(stat);
+
+- for (i = 0; i < mhu->length; i += 2) {
+- protocol = mhu->protocols[i];
+- windows = mhu->protocols[i + 1];
++ for (j = 0; j < mhu->length; j += 2) {
++ protocol = mhu->protocols[j];
++ windows = mhu->protocols[j + 1];
+
+ if (ch_wn >= offset + windows) {
+ if (protocol == DOORBELL)
+--
+2.43.0
+
--- /dev/null
+From 34a310f5d5949eb6f305cd53ee2a011a3f03cc8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Nov 2024 23:06:58 +0300
+Subject: marvell: pxa168_eth: fix call balance of pep->clk handling routines
+
+From: Vitalii Mordan <mordan@ispras.ru>
+
+[ Upstream commit b032ae57d4fe2b2445e3bc190db6fcaa8c102f68 ]
+
+If the clock pep->clk was not enabled in pxa168_eth_probe,
+it should not be disabled in any path.
+
+Conversely, if it was enabled in pxa168_eth_probe, it must be disabled
+in all error paths to ensure proper cleanup.
+
+Use the devm_clk_get_enabled helper function to ensure proper call balance
+for pep->clk.
+
+Found by Linux Verification Center (linuxtesting.org) with Klever.
+
+Fixes: a49f37eed22b ("net: add Fast Ethernet driver for PXA168.")
+Signed-off-by: Vitalii Mordan <mordan@ispras.ru>
+Link: https://patch.msgid.link/20241121200658.2203871-1-mordan@ispras.ru
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/pxa168_eth.c | 14 ++++----------
+ 1 file changed, 4 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/pxa168_eth.c b/drivers/net/ethernet/marvell/pxa168_eth.c
+index cf456d62677fe..1e8568a96443d 100644
+--- a/drivers/net/ethernet/marvell/pxa168_eth.c
++++ b/drivers/net/ethernet/marvell/pxa168_eth.c
+@@ -1394,18 +1394,15 @@ static int pxa168_eth_probe(struct platform_device *pdev)
+
+ printk(KERN_NOTICE "PXA168 10/100 Ethernet Driver\n");
+
+- clk = devm_clk_get(&pdev->dev, NULL);
++ clk = devm_clk_get_enabled(&pdev->dev, NULL);
+ if (IS_ERR(clk)) {
+- dev_err(&pdev->dev, "Fast Ethernet failed to get clock\n");
++ dev_err(&pdev->dev, "Fast Ethernet failed to get and enable clock\n");
+ return -ENODEV;
+ }
+- clk_prepare_enable(clk);
+
+ dev = alloc_etherdev(sizeof(struct pxa168_eth_private));
+- if (!dev) {
+- err = -ENOMEM;
+- goto err_clk;
+- }
++ if (!dev)
++ return -ENOMEM;
+
+ platform_set_drvdata(pdev, dev);
+ pep = netdev_priv(dev);
+@@ -1523,8 +1520,6 @@ static int pxa168_eth_probe(struct platform_device *pdev)
+ mdiobus_free(pep->smi_bus);
+ err_netdev:
+ free_netdev(dev);
+-err_clk:
+- clk_disable_unprepare(clk);
+ return err;
+ }
+
+@@ -1542,7 +1537,6 @@ static int pxa168_eth_remove(struct platform_device *pdev)
+ if (dev->phydev)
+ phy_disconnect(dev->phydev);
+
+- clk_disable_unprepare(pep->clk);
+ mdiobus_unregister(pep->smi_bus);
+ mdiobus_free(pep->smi_bus);
+ unregister_netdev(dev);
+--
+2.43.0
+
--- /dev/null
+From 1223b7844b53c9c8fd322e853b132e17ee7d3c9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Nov 2024 22:50:51 +0800
+Subject: media: atomisp: Add check for rgby_data memory allocation failure
+
+From: Li Huafei <lihuafei1@huawei.com>
+
+[ Upstream commit ed61c59139509f76d3592683c90dc3fdc6e23cd6 ]
+
+In ia_css_3a_statistics_allocate(), there is no check on the allocation
+result of the rgby_data memory. If rgby_data is not successfully
+allocated, it may trigger the assert(host_stats->rgby_data) assertion in
+ia_css_s3a_hmem_decode(). Adding a check to fix this potential issue.
+
+Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
+Signed-off-by: Li Huafei <lihuafei1@huawei.com>
+Reviewed-by: Andy Shevchenko <andy@kernel.org>
+Link: https://lore.kernel.org/r/20241104145051.3088231-1-lihuafei1@huawei.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/atomisp/pci/sh_css_params.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/staging/media/atomisp/pci/sh_css_params.c b/drivers/staging/media/atomisp/pci/sh_css_params.c
+index 67915d76a87f2..34113bea31d58 100644
+--- a/drivers/staging/media/atomisp/pci/sh_css_params.c
++++ b/drivers/staging/media/atomisp/pci/sh_css_params.c
+@@ -4137,6 +4137,8 @@ ia_css_3a_statistics_allocate(const struct ia_css_3a_grid_info *grid)
+ goto err;
+ /* No weighted histogram, no structure, treat the histogram data as a byte dump in a byte array */
+ me->rgby_data = kvmalloc(sizeof_hmem(HMEM0_ID), GFP_KERNEL);
++ if (!me->rgby_data)
++ goto err;
+
+ IA_CSS_LEAVE("return=%p", me);
+ return me;
+--
+2.43.0
+
--- /dev/null
+From 77f32e5eca6ecb78c6945e7e6884b588109d83e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Oct 2024 01:56:41 +0900
+Subject: media: venus: fix enc/dec destruction order
+
+From: Sergey Senozhatsky <senozhatsky@chromium.org>
+
+[ Upstream commit 6c9934c5a00ae722a98d1a06ed44b673514407b5 ]
+
+We destroy mutex-es too early as they are still taken in
+v4l2_fh_exit()->v4l2_event_unsubscribe()->v4l2_ctrl_find().
+
+We should destroy mutex-es right before kfree(). Also
+do not vdec_ctrl_deinit() before v4l2_fh_exit().
+
+Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files")
+Suggested-by: Tomasz Figa <tfiga@google.com>
+Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/qcom/venus/vdec.c | 7 ++++---
+ drivers/media/platform/qcom/venus/venc.c | 6 +++---
+ 2 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/platform/qcom/venus/vdec.c b/drivers/media/platform/qcom/venus/vdec.c
+index 3b51d603605ee..f2fc57b8938ba 100644
+--- a/drivers/media/platform/qcom/venus/vdec.c
++++ b/drivers/media/platform/qcom/venus/vdec.c
+@@ -1711,13 +1711,14 @@ static int vdec_close(struct file *file)
+ cancel_work_sync(&inst->delayed_process_work);
+ v4l2_m2m_ctx_release(inst->m2m_ctx);
+ v4l2_m2m_release(inst->m2m_dev);
+- vdec_ctrl_deinit(inst);
+ ida_destroy(&inst->dpb_ids);
+ hfi_session_destroy(inst);
+- mutex_destroy(&inst->lock);
+- mutex_destroy(&inst->ctx_q_lock);
+ v4l2_fh_del(&inst->fh);
+ v4l2_fh_exit(&inst->fh);
++ vdec_ctrl_deinit(inst);
++
++ mutex_destroy(&inst->lock);
++ mutex_destroy(&inst->ctx_q_lock);
+
+ vdec_pm_put(inst, false);
+
+diff --git a/drivers/media/platform/qcom/venus/venc.c b/drivers/media/platform/qcom/venus/venc.c
+index abd25720b96bc..9a23c1b1de8c2 100644
+--- a/drivers/media/platform/qcom/venus/venc.c
++++ b/drivers/media/platform/qcom/venus/venc.c
+@@ -1487,14 +1487,14 @@ static int venc_close(struct file *file)
+
+ v4l2_m2m_ctx_release(inst->m2m_ctx);
+ v4l2_m2m_release(inst->m2m_dev);
+- venc_ctrl_deinit(inst);
+ hfi_session_destroy(inst);
+- mutex_destroy(&inst->lock);
+- mutex_destroy(&inst->ctx_q_lock);
+ v4l2_fh_del(&inst->fh);
+ v4l2_fh_exit(&inst->fh);
++ venc_ctrl_deinit(inst);
+
+ inst->enc_state = VENUS_ENC_STATE_DEINIT;
++ mutex_destroy(&inst->lock);
++ mutex_destroy(&inst->ctx_q_lock);
+
+ venc_pm_put(inst, false);
+
+--
+2.43.0
+
--- /dev/null
+From 096d46964ad4e9b1a31db0d8e27dda7925fd2ab5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 May 2023 07:29:34 +0100
+Subject: media: venus: provide ctx queue lock for ioctl synchronization
+
+From: Sergey Senozhatsky <senozhatsky@chromium.org>
+
+[ Upstream commit 34318b808ef20cdddd4e187ea2df0455936cf61b ]
+
+Video device has to provide a lock so that __video_do_ioctl()
+can serialize IOCTL calls. Introduce a dedicated venus_inst
+mutex for the purpose of vb2 operations synchronization.
+
+Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com>
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Stable-dep-of: 6c9934c5a00a ("media: venus: fix enc/dec destruction order")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/qcom/venus/core.h | 2 ++
+ drivers/media/platform/qcom/venus/vdec.c | 4 ++++
+ drivers/media/platform/qcom/venus/venc.c | 4 ++++
+ 3 files changed, 10 insertions(+)
+
+diff --git a/drivers/media/platform/qcom/venus/core.h b/drivers/media/platform/qcom/venus/core.h
+index d147154c01ea5..83a97288319ba 100644
+--- a/drivers/media/platform/qcom/venus/core.h
++++ b/drivers/media/platform/qcom/venus/core.h
+@@ -390,6 +390,7 @@ enum venus_inst_modes {
+ * @sequence_out: a sequence counter for output queue
+ * @m2m_dev: a reference to m2m device structure
+ * @m2m_ctx: a reference to m2m context structure
++ * @ctx_q_lock: a lock to serialize video device ioctl calls
+ * @state: current state of the instance
+ * @done: a completion for sync HFI operation
+ * @error: an error returned during last HFI sync operation
+@@ -461,6 +462,7 @@ struct venus_inst {
+ u32 sequence_out;
+ struct v4l2_m2m_dev *m2m_dev;
+ struct v4l2_m2m_ctx *m2m_ctx;
++ struct mutex ctx_q_lock;
+ unsigned int state;
+ struct completion done;
+ unsigned int error;
+diff --git a/drivers/media/platform/qcom/venus/vdec.c b/drivers/media/platform/qcom/venus/vdec.c
+index 7ea976efc0242..3b51d603605ee 100644
+--- a/drivers/media/platform/qcom/venus/vdec.c
++++ b/drivers/media/platform/qcom/venus/vdec.c
+@@ -1604,6 +1604,7 @@ static int m2m_queue_init(void *priv, struct vb2_queue *src_vq,
+ src_vq->allow_zero_bytesused = 1;
+ src_vq->min_buffers_needed = 0;
+ src_vq->dev = inst->core->dev;
++ src_vq->lock = &inst->ctx_q_lock;
+ ret = vb2_queue_init(src_vq);
+ if (ret)
+ return ret;
+@@ -1618,6 +1619,7 @@ static int m2m_queue_init(void *priv, struct vb2_queue *src_vq,
+ dst_vq->allow_zero_bytesused = 1;
+ dst_vq->min_buffers_needed = 0;
+ dst_vq->dev = inst->core->dev;
++ dst_vq->lock = &inst->ctx_q_lock;
+ return vb2_queue_init(dst_vq);
+ }
+
+@@ -1636,6 +1638,7 @@ static int vdec_open(struct file *file)
+ INIT_LIST_HEAD(&inst->internalbufs);
+ INIT_LIST_HEAD(&inst->list);
+ mutex_init(&inst->lock);
++ mutex_init(&inst->ctx_q_lock);
+
+ inst->core = core;
+ inst->session_type = VIDC_SESSION_TYPE_DEC;
+@@ -1712,6 +1715,7 @@ static int vdec_close(struct file *file)
+ ida_destroy(&inst->dpb_ids);
+ hfi_session_destroy(inst);
+ mutex_destroy(&inst->lock);
++ mutex_destroy(&inst->ctx_q_lock);
+ v4l2_fh_del(&inst->fh);
+ v4l2_fh_exit(&inst->fh);
+
+diff --git a/drivers/media/platform/qcom/venus/venc.c b/drivers/media/platform/qcom/venus/venc.c
+index f4921dbe6b7ec..abd25720b96bc 100644
+--- a/drivers/media/platform/qcom/venus/venc.c
++++ b/drivers/media/platform/qcom/venus/venc.c
+@@ -1370,6 +1370,7 @@ static int m2m_queue_init(void *priv, struct vb2_queue *src_vq,
+ src_vq->allow_zero_bytesused = 1;
+ src_vq->min_buffers_needed = 1;
+ src_vq->dev = inst->core->dev;
++ src_vq->lock = &inst->ctx_q_lock;
+ if (inst->core->res->hfi_version == HFI_VERSION_1XX)
+ src_vq->bidirectional = 1;
+ ret = vb2_queue_init(src_vq);
+@@ -1386,6 +1387,7 @@ static int m2m_queue_init(void *priv, struct vb2_queue *src_vq,
+ dst_vq->allow_zero_bytesused = 1;
+ dst_vq->min_buffers_needed = 1;
+ dst_vq->dev = inst->core->dev;
++ dst_vq->lock = &inst->ctx_q_lock;
+ return vb2_queue_init(dst_vq);
+ }
+
+@@ -1418,6 +1420,7 @@ static int venc_open(struct file *file)
+ INIT_LIST_HEAD(&inst->internalbufs);
+ INIT_LIST_HEAD(&inst->list);
+ mutex_init(&inst->lock);
++ mutex_init(&inst->ctx_q_lock);
+
+ inst->core = core;
+ inst->session_type = VIDC_SESSION_TYPE_ENC;
+@@ -1487,6 +1490,7 @@ static int venc_close(struct file *file)
+ venc_ctrl_deinit(inst);
+ hfi_session_destroy(inst);
+ mutex_destroy(&inst->lock);
++ mutex_destroy(&inst->ctx_q_lock);
+ v4l2_fh_del(&inst->fh);
+ v4l2_fh_exit(&inst->fh);
+
+--
+2.43.0
+
--- /dev/null
+From 554be8e0e4a2ed5fc65eb171ae96089ce9ca06fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Oct 2024 01:56:42 +0900
+Subject: media: venus: sync with threaded IRQ during inst destruction
+
+From: Sergey Senozhatsky <senozhatsky@chromium.org>
+
+[ Upstream commit 45b1a1b348ec178a599323f1ce7d7932aea8c6d4 ]
+
+When destroying an inst we should make sure that we don't race
+against threaded IRQ (or pending IRQ), otherwise we can concurrently
+kfree() inst context and inst itself.
+
+BUG: KASAN: slab-use-after-free in vb2_queue_error+0x80/0x90
+Call trace:
+dump_backtrace+0x1c4/0x1f8
+show_stack+0x38/0x60
+dump_stack_lvl+0x168/0x1f0
+print_report+0x170/0x4c8
+kasan_report+0x94/0xd0
+__asan_report_load2_noabort+0x20/0x30
+vb2_queue_error+0x80/0x90
+venus_helper_vb2_queue_error+0x54/0x78
+venc_event_notify+0xec/0x158
+hfi_event_notify+0x878/0xd20
+hfi_process_msg_packet+0x27c/0x4e0
+venus_isr_thread+0x258/0x6e8
+hfi_isr_thread+0x70/0x90
+venus_isr_thread+0x34/0x50
+irq_thread_fn+0x88/0x130
+irq_thread+0x160/0x2c0
+kthread+0x294/0x328
+ret_from_fork+0x10/0x20
+
+Allocated by task 20291:
+kasan_set_track+0x4c/0x80
+kasan_save_alloc_info+0x28/0x38
+__kasan_kmalloc+0x84/0xa0
+kmalloc_trace+0x7c/0x98
+v4l2_m2m_ctx_init+0x74/0x280
+venc_open+0x444/0x6d0
+v4l2_open+0x19c/0x2a0
+chrdev_open+0x374/0x3f0
+do_dentry_open+0x710/0x10a8
+vfs_open+0x88/0xa8
+path_openat+0x1e6c/0x2700
+do_filp_open+0x1a4/0x2e0
+do_sys_openat2+0xe8/0x508
+do_sys_open+0x15c/0x1a0
+__arm64_sys_openat+0xa8/0xc8
+invoke_syscall+0xdc/0x270
+el0_svc_common+0x1ec/0x250
+do_el0_svc+0x54/0x70
+el0_svc+0x50/0xe8
+el0t_64_sync_handler+0x48/0x120
+el0t_64_sync+0x1a8/0x1b0
+
+Freed by task 20291:
+ kasan_set_track+0x4c/0x80
+ kasan_save_free_info+0x3c/0x60
+ ____kasan_slab_free+0x124/0x1a0
+ __kasan_slab_free+0x18/0x28
+ __kmem_cache_free+0x134/0x300
+ kfree+0xc8/0x1a8
+ v4l2_m2m_ctx_release+0x44/0x60
+ venc_close+0x78/0x130 [venus_enc]
+ v4l2_release+0x20c/0x2f8
+ __fput+0x328/0x7f0
+ ____fput+0x2c/0x48
+ task_work_run+0x1e0/0x280
+ get_signal+0xfb8/0x1190
+ do_notify_resume+0x34c/0x16a8
+ el0_svc+0x9c/0xe8
+ el0t_64_sync_handler+0x48/0x120
+ el0t_64_sync+0x1a8/0x1b0
+
+Rearrange inst destruction. First remove the inst from the
+core->instances list, second synchronize IRQ/IRQ-thread to
+make sure that nothing else would see the inst while we take
+it down.
+
+Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files")
+Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/qcom/venus/vdec.c | 12 +++++++++++-
+ drivers/media/platform/qcom/venus/venc.c | 12 +++++++++++-
+ 2 files changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/qcom/venus/vdec.c b/drivers/media/platform/qcom/venus/vdec.c
+index f2fc57b8938ba..924891a4b5a7b 100644
+--- a/drivers/media/platform/qcom/venus/vdec.c
++++ b/drivers/media/platform/qcom/venus/vdec.c
+@@ -1709,10 +1709,20 @@ static int vdec_close(struct file *file)
+ vdec_pm_get(inst);
+
+ cancel_work_sync(&inst->delayed_process_work);
++ /*
++ * First, remove the inst from the ->instances list, so that
++ * to_instance() will return NULL.
++ */
++ hfi_session_destroy(inst);
++ /*
++ * Second, make sure we don't have IRQ/IRQ-thread currently running
++ * or pending execution, which would race with the inst destruction.
++ */
++ synchronize_irq(inst->core->irq);
++
+ v4l2_m2m_ctx_release(inst->m2m_ctx);
+ v4l2_m2m_release(inst->m2m_dev);
+ ida_destroy(&inst->dpb_ids);
+- hfi_session_destroy(inst);
+ v4l2_fh_del(&inst->fh);
+ v4l2_fh_exit(&inst->fh);
+ vdec_ctrl_deinit(inst);
+diff --git a/drivers/media/platform/qcom/venus/venc.c b/drivers/media/platform/qcom/venus/venc.c
+index 9a23c1b1de8c2..45914237c9dc7 100644
+--- a/drivers/media/platform/qcom/venus/venc.c
++++ b/drivers/media/platform/qcom/venus/venc.c
+@@ -1485,9 +1485,19 @@ static int venc_close(struct file *file)
+
+ venc_pm_get(inst);
+
++ /*
++ * First, remove the inst from the ->instances list, so that
++ * to_instance() will return NULL.
++ */
++ hfi_session_destroy(inst);
++ /*
++ * Second, make sure we don't have IRQ/IRQ-thread currently running
++ * or pending execution, which would race with the inst destruction.
++ */
++ synchronize_irq(inst->core->irq);
++
+ v4l2_m2m_ctx_release(inst->m2m_ctx);
+ v4l2_m2m_release(inst->m2m_dev);
+- hfi_session_destroy(inst);
+ v4l2_fh_del(&inst->fh);
+ v4l2_fh_exit(&inst->fh);
+ venc_ctrl_deinit(inst);
+--
+2.43.0
+
--- /dev/null
+From 6e46957a94fc1be1e8d086ab42603cf3f072073e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 15:41:20 +0100
+Subject: memory: renesas-rpc-if: Improve Runtime PM handling
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit bb0b025d72d22b8617df920b61f5ae1e23d1b593 ]
+
+Convert from the deprecated pm_runtime_get_sync() to the new
+pm_runtime_resume_and_get(), and add error checking.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Acked-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Link: https://lore.kernel.org/r/6f2bd3b2b3d98c5bed541d969900b2ad04f93943.1669213027.git.geert+renesas@glider.be
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Stable-dep-of: 7d189579a287 ("mtd: hyperbus: rpc-if: Add missing MODULE_DEVICE_TABLE")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/renesas-rpc-if.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/memory/renesas-rpc-if.c b/drivers/memory/renesas-rpc-if.c
+index 7343dbb79c9f7..6991185caa7bb 100644
+--- a/drivers/memory/renesas-rpc-if.c
++++ b/drivers/memory/renesas-rpc-if.c
+@@ -303,12 +303,13 @@ int rpcif_hw_init(struct rpcif *rpcif, bool hyperflash)
+ {
+ struct rpcif_priv *rpc = dev_get_drvdata(rpcif->dev);
+ u32 dummy;
++ int ret;
+
+- pm_runtime_get_sync(rpc->dev);
++ ret = pm_runtime_resume_and_get(rpc->dev);
++ if (ret)
++ return ret;
+
+ if (rpc->type == RPCIF_RZ_G2L) {
+- int ret;
+-
+ ret = reset_control_reset(rpc->rstc);
+ if (ret)
+ return ret;
+@@ -478,7 +479,9 @@ int rpcif_manual_xfer(struct rpcif *rpcif)
+ u32 smenr, smcr, pos = 0, max = rpc->bus_size == 2 ? 8 : 4;
+ int ret = 0;
+
+- pm_runtime_get_sync(rpc->dev);
++ ret = pm_runtime_resume_and_get(rpc->dev);
++ if (ret < 0)
++ return ret;
+
+ regmap_update_bits(rpc->regmap, RPCIF_PHYCNT,
+ RPCIF_PHYCNT_CAL, RPCIF_PHYCNT_CAL);
+@@ -646,11 +649,14 @@ ssize_t rpcif_dirmap_read(struct rpcif *rpcif, u64 offs, size_t len, void *buf)
+ struct rpcif_priv *rpc = dev_get_drvdata(rpcif->dev);
+ loff_t from = offs & (rpc->size - 1);
+ size_t size = rpc->size - from;
++ int ret;
+
+ if (len > size)
+ len = size;
+
+- pm_runtime_get_sync(rpc->dev);
++ ret = pm_runtime_resume_and_get(rpc->dev);
++ if (ret < 0)
++ return ret;
+
+ regmap_update_bits(rpc->regmap, RPCIF_CMNCR, RPCIF_CMNCR_MD, 0);
+ regmap_write(rpc->regmap, RPCIF_DRCR, 0);
+--
+2.43.0
+
--- /dev/null
+From 4cd2e4906126a5542bfe12fe98c5b9b03061d728 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 15:41:21 +0100
+Subject: memory: renesas-rpc-if: Pass device instead of rpcif to rpcif_*()
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit a198fcd1d53cbaf616d94822921c77910b94edb7 ]
+
+Most rpcif_*() API functions do not need access to any other fields in
+the rpcif structure than the device pointer. Simplify dependencies by
+passing the device pointer instead.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Acked-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Acked-by: Mark Brown <broonie@kernel.org>
+Acked-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Link: https://lore.kernel.org/r/0460fe82ba348cedec7a9a75a8eff762c50e817b.1669213027.git.geert+renesas@glider.be
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Stable-dep-of: 7d189579a287 ("mtd: hyperbus: rpc-if: Add missing MODULE_DEVICE_TABLE")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/renesas-rpc-if.c | 32 ++++++++++++++++----------------
+ drivers/mtd/hyperbus/rpc-if.c | 18 +++++++++---------
+ drivers/spi/spi-rpc-if.c | 14 +++++++-------
+ include/memory/renesas-rpc-if.h | 16 ++++++++--------
+ 4 files changed, 40 insertions(+), 40 deletions(-)
+
+diff --git a/drivers/memory/renesas-rpc-if.c b/drivers/memory/renesas-rpc-if.c
+index 6991185caa7bb..6a2b3c2565996 100644
+--- a/drivers/memory/renesas-rpc-if.c
++++ b/drivers/memory/renesas-rpc-if.c
+@@ -299,13 +299,13 @@ static void rpcif_rzg2l_timing_adjust_sdr(struct rpcif_priv *rpc)
+ regmap_write(rpc->regmap, RPCIF_PHYADD, 0x80000032);
+ }
+
+-int rpcif_hw_init(struct rpcif *rpcif, bool hyperflash)
++int rpcif_hw_init(struct device *dev, bool hyperflash)
+ {
+- struct rpcif_priv *rpc = dev_get_drvdata(rpcif->dev);
++ struct rpcif_priv *rpc = dev_get_drvdata(dev);
+ u32 dummy;
+ int ret;
+
+- ret = pm_runtime_resume_and_get(rpc->dev);
++ ret = pm_runtime_resume_and_get(dev);
+ if (ret)
+ return ret;
+
+@@ -355,7 +355,7 @@ int rpcif_hw_init(struct rpcif *rpcif, bool hyperflash)
+ regmap_write(rpc->regmap, RPCIF_SSLDR, RPCIF_SSLDR_SPNDL(7) |
+ RPCIF_SSLDR_SLNDL(7) | RPCIF_SSLDR_SCKDL(7));
+
+- pm_runtime_put(rpc->dev);
++ pm_runtime_put(dev);
+
+ rpc->bus_size = hyperflash ? 2 : 1;
+
+@@ -385,10 +385,10 @@ static u8 rpcif_bit_size(u8 buswidth)
+ return buswidth > 4 ? 2 : ilog2(buswidth);
+ }
+
+-void rpcif_prepare(struct rpcif *rpcif, const struct rpcif_op *op, u64 *offs,
++void rpcif_prepare(struct device *dev, const struct rpcif_op *op, u64 *offs,
+ size_t *len)
+ {
+- struct rpcif_priv *rpc = dev_get_drvdata(rpcif->dev);
++ struct rpcif_priv *rpc = dev_get_drvdata(dev);
+
+ rpc->smcr = 0;
+ rpc->smadr = 0;
+@@ -473,13 +473,13 @@ void rpcif_prepare(struct rpcif *rpcif, const struct rpcif_op *op, u64 *offs,
+ }
+ EXPORT_SYMBOL(rpcif_prepare);
+
+-int rpcif_manual_xfer(struct rpcif *rpcif)
++int rpcif_manual_xfer(struct device *dev)
+ {
+- struct rpcif_priv *rpc = dev_get_drvdata(rpcif->dev);
++ struct rpcif_priv *rpc = dev_get_drvdata(dev);
+ u32 smenr, smcr, pos = 0, max = rpc->bus_size == 2 ? 8 : 4;
+ int ret = 0;
+
+- ret = pm_runtime_resume_and_get(rpc->dev);
++ ret = pm_runtime_resume_and_get(dev);
+ if (ret < 0)
+ return ret;
+
+@@ -591,13 +591,13 @@ int rpcif_manual_xfer(struct rpcif *rpcif)
+ }
+
+ exit:
+- pm_runtime_put(rpc->dev);
++ pm_runtime_put(dev);
+ return ret;
+
+ err_out:
+ if (reset_control_reset(rpc->rstc))
+- dev_err(rpc->dev, "Failed to reset HW\n");
+- rpcif_hw_init(rpcif, rpc->bus_size == 2);
++ dev_err(dev, "Failed to reset HW\n");
++ rpcif_hw_init(dev, rpc->bus_size == 2);
+ goto exit;
+ }
+ EXPORT_SYMBOL(rpcif_manual_xfer);
+@@ -644,9 +644,9 @@ static void memcpy_fromio_readw(void *to,
+ }
+ }
+
+-ssize_t rpcif_dirmap_read(struct rpcif *rpcif, u64 offs, size_t len, void *buf)
++ssize_t rpcif_dirmap_read(struct device *dev, u64 offs, size_t len, void *buf)
+ {
+- struct rpcif_priv *rpc = dev_get_drvdata(rpcif->dev);
++ struct rpcif_priv *rpc = dev_get_drvdata(dev);
+ loff_t from = offs & (rpc->size - 1);
+ size_t size = rpc->size - from;
+ int ret;
+@@ -654,7 +654,7 @@ ssize_t rpcif_dirmap_read(struct rpcif *rpcif, u64 offs, size_t len, void *buf)
+ if (len > size)
+ len = size;
+
+- ret = pm_runtime_resume_and_get(rpc->dev);
++ ret = pm_runtime_resume_and_get(dev);
+ if (ret < 0)
+ return ret;
+
+@@ -674,7 +674,7 @@ ssize_t rpcif_dirmap_read(struct rpcif *rpcif, u64 offs, size_t len, void *buf)
+ else
+ memcpy_fromio(buf, rpc->dirmap + from, len);
+
+- pm_runtime_put(rpc->dev);
++ pm_runtime_put(dev);
+
+ return len;
+ }
+diff --git a/drivers/mtd/hyperbus/rpc-if.c b/drivers/mtd/hyperbus/rpc-if.c
+index d00d302434030..41734e337ac00 100644
+--- a/drivers/mtd/hyperbus/rpc-if.c
++++ b/drivers/mtd/hyperbus/rpc-if.c
+@@ -56,7 +56,7 @@ static void rpcif_hb_prepare_read(struct rpcif *rpc, void *to,
+ op.data.nbytes = len;
+ op.data.buf.in = to;
+
+- rpcif_prepare(rpc, &op, NULL, NULL);
++ rpcif_prepare(rpc->dev, &op, NULL, NULL);
+ }
+
+ static void rpcif_hb_prepare_write(struct rpcif *rpc, unsigned long to,
+@@ -70,7 +70,7 @@ static void rpcif_hb_prepare_write(struct rpcif *rpc, unsigned long to,
+ op.data.nbytes = len;
+ op.data.buf.out = from;
+
+- rpcif_prepare(rpc, &op, NULL, NULL);
++ rpcif_prepare(rpc->dev, &op, NULL, NULL);
+ }
+
+ static u16 rpcif_hb_read16(struct hyperbus_device *hbdev, unsigned long addr)
+@@ -81,7 +81,7 @@ static u16 rpcif_hb_read16(struct hyperbus_device *hbdev, unsigned long addr)
+
+ rpcif_hb_prepare_read(&hyperbus->rpc, &data, addr, 2);
+
+- rpcif_manual_xfer(&hyperbus->rpc);
++ rpcif_manual_xfer(hyperbus->rpc.dev);
+
+ return data.x[0];
+ }
+@@ -94,7 +94,7 @@ static void rpcif_hb_write16(struct hyperbus_device *hbdev, unsigned long addr,
+
+ rpcif_hb_prepare_write(&hyperbus->rpc, addr, &data, 2);
+
+- rpcif_manual_xfer(&hyperbus->rpc);
++ rpcif_manual_xfer(hyperbus->rpc.dev);
+ }
+
+ static void rpcif_hb_copy_from(struct hyperbus_device *hbdev, void *to,
+@@ -105,7 +105,7 @@ static void rpcif_hb_copy_from(struct hyperbus_device *hbdev, void *to,
+
+ rpcif_hb_prepare_read(&hyperbus->rpc, to, from, len);
+
+- rpcif_dirmap_read(&hyperbus->rpc, from, len, to);
++ rpcif_dirmap_read(hyperbus->rpc.dev, from, len, to);
+ }
+
+ static const struct hyperbus_ops rpcif_hb_ops = {
+@@ -130,9 +130,9 @@ static int rpcif_hb_probe(struct platform_device *pdev)
+
+ platform_set_drvdata(pdev, hyperbus);
+
+- rpcif_enable_rpm(&hyperbus->rpc);
++ rpcif_enable_rpm(hyperbus->rpc.dev);
+
+- error = rpcif_hw_init(&hyperbus->rpc, true);
++ error = rpcif_hw_init(hyperbus->rpc.dev, true);
+ if (error)
+ goto out_disable_rpm;
+
+@@ -150,7 +150,7 @@ static int rpcif_hb_probe(struct platform_device *pdev)
+ return 0;
+
+ out_disable_rpm:
+- rpcif_disable_rpm(&hyperbus->rpc);
++ rpcif_disable_rpm(hyperbus->rpc.dev);
+ return error;
+ }
+
+@@ -160,7 +160,7 @@ static int rpcif_hb_remove(struct platform_device *pdev)
+
+ hyperbus_unregister_device(&hyperbus->hbdev);
+
+- rpcif_disable_rpm(&hyperbus->rpc);
++ rpcif_disable_rpm(hyperbus->rpc.dev);
+
+ return 0;
+ }
+diff --git a/drivers/spi/spi-rpc-if.c b/drivers/spi/spi-rpc-if.c
+index 24ec1c83f379c..5063587d2c724 100644
+--- a/drivers/spi/spi-rpc-if.c
++++ b/drivers/spi/spi-rpc-if.c
+@@ -58,7 +58,7 @@ static void rpcif_spi_mem_prepare(struct spi_device *spi_dev,
+ rpc_op.data.dir = RPCIF_NO_DATA;
+ }
+
+- rpcif_prepare(rpc, &rpc_op, offs, len);
++ rpcif_prepare(rpc->dev, &rpc_op, offs, len);
+ }
+
+ static bool rpcif_spi_mem_supports_op(struct spi_mem *mem,
+@@ -86,7 +86,7 @@ static ssize_t rpcif_spi_mem_dirmap_read(struct spi_mem_dirmap_desc *desc,
+
+ rpcif_spi_mem_prepare(desc->mem->spi, &desc->info.op_tmpl, &offs, &len);
+
+- return rpcif_dirmap_read(rpc, offs, len, buf);
++ return rpcif_dirmap_read(rpc->dev, offs, len, buf);
+ }
+
+ static int rpcif_spi_mem_dirmap_create(struct spi_mem_dirmap_desc *desc)
+@@ -117,7 +117,7 @@ static int rpcif_spi_mem_exec_op(struct spi_mem *mem,
+
+ rpcif_spi_mem_prepare(mem->spi, op, NULL, NULL);
+
+- return rpcif_manual_xfer(rpc);
++ return rpcif_manual_xfer(rpc->dev);
+ }
+
+ static const struct spi_controller_mem_ops rpcif_spi_mem_ops = {
+@@ -147,7 +147,7 @@ static int rpcif_spi_probe(struct platform_device *pdev)
+
+ ctlr->dev.of_node = parent->of_node;
+
+- rpcif_enable_rpm(rpc);
++ rpcif_enable_rpm(rpc->dev);
+
+ ctlr->num_chipselect = 1;
+ ctlr->mem_ops = &rpcif_spi_mem_ops;
+@@ -156,7 +156,7 @@ static int rpcif_spi_probe(struct platform_device *pdev)
+ ctlr->mode_bits = SPI_CPOL | SPI_CPHA | SPI_TX_QUAD | SPI_RX_QUAD;
+ ctlr->flags = SPI_CONTROLLER_HALF_DUPLEX;
+
+- error = rpcif_hw_init(rpc, false);
++ error = rpcif_hw_init(rpc->dev, false);
+ if (error)
+ goto out_disable_rpm;
+
+@@ -169,7 +169,7 @@ static int rpcif_spi_probe(struct platform_device *pdev)
+ return 0;
+
+ out_disable_rpm:
+- rpcif_disable_rpm(rpc);
++ rpcif_disable_rpm(rpc->dev);
+ return error;
+ }
+
+@@ -179,7 +179,7 @@ static int rpcif_spi_remove(struct platform_device *pdev)
+ struct rpcif *rpc = spi_controller_get_devdata(ctlr);
+
+ spi_unregister_controller(ctlr);
+- rpcif_disable_rpm(rpc);
++ rpcif_disable_rpm(rpc->dev);
+
+ return 0;
+ }
+diff --git a/include/memory/renesas-rpc-if.h b/include/memory/renesas-rpc-if.h
+index ddf94356752d3..d2130c2c8c82f 100644
+--- a/include/memory/renesas-rpc-if.h
++++ b/include/memory/renesas-rpc-if.h
+@@ -69,20 +69,20 @@ struct rpcif {
+ };
+
+ int rpcif_sw_init(struct rpcif *rpc, struct device *dev);
+-int rpcif_hw_init(struct rpcif *rpc, bool hyperflash);
+-void rpcif_prepare(struct rpcif *rpc, const struct rpcif_op *op, u64 *offs,
++int rpcif_hw_init(struct device *dev, bool hyperflash);
++void rpcif_prepare(struct device *dev, const struct rpcif_op *op, u64 *offs,
+ size_t *len);
+-int rpcif_manual_xfer(struct rpcif *rpc);
+-ssize_t rpcif_dirmap_read(struct rpcif *rpc, u64 offs, size_t len, void *buf);
++int rpcif_manual_xfer(struct device *dev);
++ssize_t rpcif_dirmap_read(struct device *dev, u64 offs, size_t len, void *buf);
+
+-static inline void rpcif_enable_rpm(struct rpcif *rpc)
++static inline void rpcif_enable_rpm(struct device *dev)
+ {
+- pm_runtime_enable(rpc->dev);
++ pm_runtime_enable(dev);
+ }
+
+-static inline void rpcif_disable_rpm(struct rpcif *rpc)
++static inline void rpcif_disable_rpm(struct device *dev)
+ {
+- pm_runtime_disable(rpc->dev);
++ pm_runtime_disable(dev);
+ }
+
+ #endif // __RENESAS_RPC_IF_H
+--
+2.43.0
+
--- /dev/null
+From 55c2f64a57954f97bda0426d5f1c28da8321062f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 15:41:22 +0100
+Subject: memory: renesas-rpc-if: Remove Runtime PM wrappers
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 27e5f98c30d73cdb8c8baeaf7d0af19af5266d3a ]
+
+Now the rpcif_{en,dis}able_rpm() wrappers just take a pointer to a
+device structure, there is no point in keeping them. Remove them, and
+update the callers to call Runtime PM directly.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Acked-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Link: https://lore.kernel.org/r/d87aa5d7e4a39b18f7e2e0649fee0a45b45d371f.1669213027.git.geert+renesas@glider.be
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Stable-dep-of: 7d189579a287 ("mtd: hyperbus: rpc-if: Add missing MODULE_DEVICE_TABLE")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/hyperbus/rpc-if.c | 6 +++---
+ drivers/spi/spi-rpc-if.c | 6 +++---
+ include/memory/renesas-rpc-if.h | 10 ----------
+ 3 files changed, 6 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/mtd/hyperbus/rpc-if.c b/drivers/mtd/hyperbus/rpc-if.c
+index 41734e337ac00..ef32fca5f785e 100644
+--- a/drivers/mtd/hyperbus/rpc-if.c
++++ b/drivers/mtd/hyperbus/rpc-if.c
+@@ -130,7 +130,7 @@ static int rpcif_hb_probe(struct platform_device *pdev)
+
+ platform_set_drvdata(pdev, hyperbus);
+
+- rpcif_enable_rpm(hyperbus->rpc.dev);
++ pm_runtime_enable(hyperbus->rpc.dev);
+
+ error = rpcif_hw_init(hyperbus->rpc.dev, true);
+ if (error)
+@@ -150,7 +150,7 @@ static int rpcif_hb_probe(struct platform_device *pdev)
+ return 0;
+
+ out_disable_rpm:
+- rpcif_disable_rpm(hyperbus->rpc.dev);
++ pm_runtime_disable(hyperbus->rpc.dev);
+ return error;
+ }
+
+@@ -160,7 +160,7 @@ static int rpcif_hb_remove(struct platform_device *pdev)
+
+ hyperbus_unregister_device(&hyperbus->hbdev);
+
+- rpcif_disable_rpm(hyperbus->rpc.dev);
++ pm_runtime_disable(hyperbus->rpc.dev);
+
+ return 0;
+ }
+diff --git a/drivers/spi/spi-rpc-if.c b/drivers/spi/spi-rpc-if.c
+index 5063587d2c724..ec0904faf3a10 100644
+--- a/drivers/spi/spi-rpc-if.c
++++ b/drivers/spi/spi-rpc-if.c
+@@ -147,7 +147,7 @@ static int rpcif_spi_probe(struct platform_device *pdev)
+
+ ctlr->dev.of_node = parent->of_node;
+
+- rpcif_enable_rpm(rpc->dev);
++ pm_runtime_enable(rpc->dev);
+
+ ctlr->num_chipselect = 1;
+ ctlr->mem_ops = &rpcif_spi_mem_ops;
+@@ -169,7 +169,7 @@ static int rpcif_spi_probe(struct platform_device *pdev)
+ return 0;
+
+ out_disable_rpm:
+- rpcif_disable_rpm(rpc->dev);
++ pm_runtime_disable(rpc->dev);
+ return error;
+ }
+
+@@ -179,7 +179,7 @@ static int rpcif_spi_remove(struct platform_device *pdev)
+ struct rpcif *rpc = spi_controller_get_devdata(ctlr);
+
+ spi_unregister_controller(ctlr);
+- rpcif_disable_rpm(rpc->dev);
++ pm_runtime_disable(rpc->dev);
+
+ return 0;
+ }
+diff --git a/include/memory/renesas-rpc-if.h b/include/memory/renesas-rpc-if.h
+index d2130c2c8c82f..b1b6d9126b038 100644
+--- a/include/memory/renesas-rpc-if.h
++++ b/include/memory/renesas-rpc-if.h
+@@ -75,14 +75,4 @@ void rpcif_prepare(struct device *dev, const struct rpcif_op *op, u64 *offs,
+ int rpcif_manual_xfer(struct device *dev);
+ ssize_t rpcif_dirmap_read(struct device *dev, u64 offs, size_t len, void *buf);
+
+-static inline void rpcif_enable_rpm(struct device *dev)
+-{
+- pm_runtime_enable(dev);
+-}
+-
+-static inline void rpcif_disable_rpm(struct device *dev)
+-{
+- pm_runtime_disable(dev);
+-}
+-
+ #endif // __RENESAS_RPC_IF_H
+--
+2.43.0
+
--- /dev/null
+From 5aa4050421b774a9a848607a328e44f2ec2c3612 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Sep 2024 12:19:53 +0200
+Subject: mfd: da9052-spi: Change read-mask to write-mask
+
+From: Marcus Folkesson <marcus.folkesson@gmail.com>
+
+[ Upstream commit 2e3378f6c79a1b3f7855ded1ef306ea4406352ed ]
+
+Driver has mixed up the R/W bit.
+The LSB bit is set on write rather than read.
+Change it to avoid nasty things to happen.
+
+Fixes: e9e9d3973594 ("mfd: da9052: Avoid setting read_flag_mask for da9052-i2c driver")
+Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
+Link: https://lore.kernel.org/r/20240925-da9052-v2-1-f243e4505b07@gmail.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/da9052-spi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/da9052-spi.c b/drivers/mfd/da9052-spi.c
+index b79a57b45c1e8..458f919de4cb4 100644
+--- a/drivers/mfd/da9052-spi.c
++++ b/drivers/mfd/da9052-spi.c
+@@ -37,7 +37,7 @@ static int da9052_spi_probe(struct spi_device *spi)
+ spi_set_drvdata(spi, da9052);
+
+ config = da9052_regmap_config;
+- config.read_flag_mask = 1;
++ config.write_flag_mask = 1;
+ config.reg_bits = 7;
+ config.pad_bits = 1;
+ config.val_bits = 8;
+--
+2.43.0
+
--- /dev/null
+From d85cde97d799ccff40f2b4880b33481470dd43de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Oct 2024 22:27:06 +0300
+Subject: mfd: intel_soc_pmic_bxtwc: Use IRQ domain for PMIC devices
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 0350d783ab888cb1cb48ced36cc28b372723f1a4 ]
+
+While design wise the idea of converting the driver to use
+the hierarchy of the IRQ chips is correct, the implementation
+has (inherited) flaws. This was unveiled when platform_get_irq()
+had started WARN() on IRQ 0 that is supposed to be a Linux
+IRQ number (also known as vIRQ).
+
+Rework the driver to respect IRQ domain when creating each MFD
+device separately, as the domain is not the same for all of them.
+
+Fixes: 57129044f504 ("mfd: intel_soc_pmic_bxtwc: Use chained IRQs for second level IRQ chips")
+Tested-by: Zhang Ning <zhangn1985@outlook.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20241005193029.1929139-4-andriy.shevchenko@linux.intel.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/intel_soc_pmic_bxtwc.c | 54 +++++++++++++++++-------------
+ 1 file changed, 30 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/mfd/intel_soc_pmic_bxtwc.c b/drivers/mfd/intel_soc_pmic_bxtwc.c
+index 5fc9d3aa61428..3aa7857271dad 100644
+--- a/drivers/mfd/intel_soc_pmic_bxtwc.c
++++ b/drivers/mfd/intel_soc_pmic_bxtwc.c
+@@ -231,21 +231,11 @@ static const struct resource tmu_resources[] = {
+ };
+
+ static struct mfd_cell bxt_wc_dev[] = {
+- {
+- .name = "bxt_wcove_gpadc",
+- .num_resources = ARRAY_SIZE(adc_resources),
+- .resources = adc_resources,
+- },
+ {
+ .name = "bxt_wcove_thermal",
+ .num_resources = ARRAY_SIZE(thermal_resources),
+ .resources = thermal_resources,
+ },
+- {
+- .name = "bxt_wcove_bcu",
+- .num_resources = ARRAY_SIZE(bcu_resources),
+- .resources = bcu_resources,
+- },
+ {
+ .name = "bxt_wcove_gpio",
+ .num_resources = ARRAY_SIZE(gpio_resources),
+@@ -264,6 +254,22 @@ static const struct mfd_cell bxt_wc_tmu_dev[] = {
+ },
+ };
+
++static const struct mfd_cell bxt_wc_bcu_dev[] = {
++ {
++ .name = "bxt_wcove_bcu",
++ .num_resources = ARRAY_SIZE(bcu_resources),
++ .resources = bcu_resources,
++ },
++};
++
++static const struct mfd_cell bxt_wc_adc_dev[] = {
++ {
++ .name = "bxt_wcove_gpadc",
++ .num_resources = ARRAY_SIZE(adc_resources),
++ .resources = adc_resources,
++ },
++};
++
+ static struct mfd_cell bxt_wc_chgr_dev[] = {
+ {
+ .name = "bxt_wcove_usbc",
+@@ -509,23 +515,23 @@ static int bxtwc_probe(struct platform_device *pdev)
+ if (ret)
+ return dev_err_probe(dev, ret, "Failed to add PWRBTN IRQ chip\n");
+
+- /* Add chained IRQ handler for BCU IRQs */
+- ret = bxtwc_add_chained_irq_chip(pmic, pmic->irq_chip_data,
+- BXTWC_BCU_LVL1_IRQ,
+- IRQF_ONESHOT,
+- &bxtwc_regmap_irq_chip_bcu,
+- &pmic->irq_chip_data_bcu);
++ ret = bxtwc_add_chained_devices(pmic, bxt_wc_bcu_dev, ARRAY_SIZE(bxt_wc_bcu_dev),
++ pmic->irq_chip_data,
++ BXTWC_BCU_LVL1_IRQ,
++ IRQF_ONESHOT,
++ &bxtwc_regmap_irq_chip_bcu,
++ &pmic->irq_chip_data_bcu);
+ if (ret)
+- return dev_err_probe(dev, ret, "Failed to add BUC IRQ chip\n");
++ return ret;
+
+- /* Add chained IRQ handler for ADC IRQs */
+- ret = bxtwc_add_chained_irq_chip(pmic, pmic->irq_chip_data,
+- BXTWC_ADC_LVL1_IRQ,
+- IRQF_ONESHOT,
+- &bxtwc_regmap_irq_chip_adc,
+- &pmic->irq_chip_data_adc);
++ ret = bxtwc_add_chained_devices(pmic, bxt_wc_adc_dev, ARRAY_SIZE(bxt_wc_adc_dev),
++ pmic->irq_chip_data,
++ BXTWC_ADC_LVL1_IRQ,
++ IRQF_ONESHOT,
++ &bxtwc_regmap_irq_chip_adc,
++ &pmic->irq_chip_data_adc);
+ if (ret)
+- return dev_err_probe(dev, ret, "Failed to add ADC IRQ chip\n");
++ return ret;
+
+ ret = bxtwc_add_chained_devices(pmic, bxt_wc_chgr_dev, ARRAY_SIZE(bxt_wc_chgr_dev),
+ pmic->irq_chip_data,
+--
+2.43.0
+
--- /dev/null
+From 9934f09e4a3b316fd6be97be43da4d84d5af80c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Oct 2024 22:27:05 +0300
+Subject: mfd: intel_soc_pmic_bxtwc: Use IRQ domain for TMU device
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 9b79d59e6b2b515eb9a22bc469ef7b8f0904fc73 ]
+
+While design wise the idea of converting the driver to use
+the hierarchy of the IRQ chips is correct, the implementation
+has (inherited) flaws. This was unveiled when platform_get_irq()
+had started WARN() on IRQ 0 that is supposed to be a Linux
+IRQ number (also known as vIRQ).
+
+Rework the driver to respect IRQ domain when creating each MFD
+device separately, as the domain is not the same for all of them.
+
+Fixes: 957ae5098185 ("platform/x86: Add Whiskey Cove PMIC TMU support")
+Fixes: 57129044f504 ("mfd: intel_soc_pmic_bxtwc: Use chained IRQs for second level IRQ chips")
+Reported-by: Zhang Ning <zhangn1985@outlook.com>
+Closes: https://lore.kernel.org/r/TY2PR01MB3322FEDCDC048B7D3794F922CDBA2@TY2PR01MB3322.jpnprd01.prod.outlook.com
+Tested-by: Zhang Ning <zhangn1985@outlook.com>
+Acked-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20241005193029.1929139-3-andriy.shevchenko@linux.intel.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/intel_soc_pmic_bxtwc.c | 31 ++++++++++++++------------
+ drivers/platform/x86/intel/bxtwc_tmu.c | 22 +++++-------------
+ 2 files changed, 23 insertions(+), 30 deletions(-)
+
+diff --git a/drivers/mfd/intel_soc_pmic_bxtwc.c b/drivers/mfd/intel_soc_pmic_bxtwc.c
+index 6ea98321bbf20..5fc9d3aa61428 100644
+--- a/drivers/mfd/intel_soc_pmic_bxtwc.c
++++ b/drivers/mfd/intel_soc_pmic_bxtwc.c
+@@ -246,12 +246,6 @@ static struct mfd_cell bxt_wc_dev[] = {
+ .num_resources = ARRAY_SIZE(bcu_resources),
+ .resources = bcu_resources,
+ },
+- {
+- .name = "bxt_wcove_tmu",
+- .num_resources = ARRAY_SIZE(tmu_resources),
+- .resources = tmu_resources,
+- },
+-
+ {
+ .name = "bxt_wcove_gpio",
+ .num_resources = ARRAY_SIZE(gpio_resources),
+@@ -262,6 +256,14 @@ static struct mfd_cell bxt_wc_dev[] = {
+ },
+ };
+
++static const struct mfd_cell bxt_wc_tmu_dev[] = {
++ {
++ .name = "bxt_wcove_tmu",
++ .num_resources = ARRAY_SIZE(tmu_resources),
++ .resources = tmu_resources,
++ },
++};
++
+ static struct mfd_cell bxt_wc_chgr_dev[] = {
+ {
+ .name = "bxt_wcove_usbc",
+@@ -490,6 +492,15 @@ static int bxtwc_probe(struct platform_device *pdev)
+ if (ret)
+ return dev_err_probe(dev, ret, "Failed to add IRQ chip\n");
+
++ ret = bxtwc_add_chained_devices(pmic, bxt_wc_tmu_dev, ARRAY_SIZE(bxt_wc_tmu_dev),
++ pmic->irq_chip_data,
++ BXTWC_TMU_LVL1_IRQ,
++ IRQF_ONESHOT,
++ &bxtwc_regmap_irq_chip_tmu,
++ &pmic->irq_chip_data_tmu);
++ if (ret)
++ return ret;
++
+ ret = bxtwc_add_chained_irq_chip(pmic, pmic->irq_chip_data,
+ BXTWC_PWRBTN_LVL1_IRQ,
+ IRQF_ONESHOT,
+@@ -498,14 +509,6 @@ static int bxtwc_probe(struct platform_device *pdev)
+ if (ret)
+ return dev_err_probe(dev, ret, "Failed to add PWRBTN IRQ chip\n");
+
+- ret = bxtwc_add_chained_irq_chip(pmic, pmic->irq_chip_data,
+- BXTWC_TMU_LVL1_IRQ,
+- IRQF_ONESHOT,
+- &bxtwc_regmap_irq_chip_tmu,
+- &pmic->irq_chip_data_tmu);
+- if (ret)
+- return dev_err_probe(dev, ret, "Failed to add TMU IRQ chip\n");
+-
+ /* Add chained IRQ handler for BCU IRQs */
+ ret = bxtwc_add_chained_irq_chip(pmic, pmic->irq_chip_data,
+ BXTWC_BCU_LVL1_IRQ,
+diff --git a/drivers/platform/x86/intel/bxtwc_tmu.c b/drivers/platform/x86/intel/bxtwc_tmu.c
+index 7ccf583649e6b..3c9778366d930 100644
+--- a/drivers/platform/x86/intel/bxtwc_tmu.c
++++ b/drivers/platform/x86/intel/bxtwc_tmu.c
+@@ -48,9 +48,8 @@ static irqreturn_t bxt_wcove_tmu_irq_handler(int irq, void *data)
+ static int bxt_wcove_tmu_probe(struct platform_device *pdev)
+ {
+ struct intel_soc_pmic *pmic = dev_get_drvdata(pdev->dev.parent);
+- struct regmap_irq_chip_data *regmap_irq_chip;
+ struct wcove_tmu *wctmu;
+- int ret, virq, irq;
++ int ret;
+
+ wctmu = devm_kzalloc(&pdev->dev, sizeof(*wctmu), GFP_KERNEL);
+ if (!wctmu)
+@@ -59,27 +58,18 @@ static int bxt_wcove_tmu_probe(struct platform_device *pdev)
+ wctmu->dev = &pdev->dev;
+ wctmu->regmap = pmic->regmap;
+
+- irq = platform_get_irq(pdev, 0);
+- if (irq < 0)
+- return irq;
++ wctmu->irq = platform_get_irq(pdev, 0);
++ if (wctmu->irq < 0)
++ return wctmu->irq;
+
+- regmap_irq_chip = pmic->irq_chip_data_tmu;
+- virq = regmap_irq_get_virq(regmap_irq_chip, irq);
+- if (virq < 0) {
+- dev_err(&pdev->dev,
+- "failed to get virtual interrupt=%d\n", irq);
+- return virq;
+- }
+-
+- ret = devm_request_threaded_irq(&pdev->dev, virq,
++ ret = devm_request_threaded_irq(&pdev->dev, wctmu->irq,
+ NULL, bxt_wcove_tmu_irq_handler,
+ IRQF_ONESHOT, "bxt_wcove_tmu", wctmu);
+ if (ret) {
+ dev_err(&pdev->dev, "request irq failed: %d,virq: %d\n",
+- ret, virq);
++ ret, wctmu->irq);
+ return ret;
+ }
+- wctmu->irq = virq;
+
+ /* Unmask TMU second level Wake & System alarm */
+ regmap_update_bits(wctmu->regmap, BXTWC_MTMUIRQ_REG,
+--
+2.43.0
+
--- /dev/null
+From 2f2d634adb197494651130969d2bd7110ec57862 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Oct 2024 22:27:04 +0300
+Subject: mfd: intel_soc_pmic_bxtwc: Use IRQ domain for USB Type-C device
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 686fb77712a4bc94b76a0c5ae74c60118b7a0d79 ]
+
+While design wise the idea of converting the driver to use
+the hierarchy of the IRQ chips is correct, the implementation
+has (inherited) flaws. This was unveiled when platform_get_irq()
+had started WARN() on IRQ 0 that is supposed to be a Linux
+IRQ number (also known as vIRQ).
+
+Rework the driver to respect IRQ domain when creating each MFD
+device separately, as the domain is not the same for all of them.
+
+Fixes: 9c6235c86332 ("mfd: intel_soc_pmic_bxtwc: Add bxt_wcove_usbc device")
+Fixes: d2061f9cc32d ("usb: typec: add driver for Intel Whiskey Cove PMIC USB Type-C PHY")
+Fixes: 57129044f504 ("mfd: intel_soc_pmic_bxtwc: Use chained IRQs for second level IRQ chips")
+Reported-by: Zhang Ning <zhangn1985@outlook.com>
+Closes: https://lore.kernel.org/r/TY2PR01MB3322FEDCDC048B7D3794F922CDBA2@TY2PR01MB3322.jpnprd01.prod.outlook.com
+Tested-by: Zhang Ning <zhangn1985@outlook.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20241005193029.1929139-2-andriy.shevchenko@linux.intel.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/intel_soc_pmic_bxtwc.c | 57 +++++++++++++++++++++---------
+ drivers/usb/typec/tcpm/wcove.c | 4 ---
+ 2 files changed, 40 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/mfd/intel_soc_pmic_bxtwc.c b/drivers/mfd/intel_soc_pmic_bxtwc.c
+index 8dac0d41f64f3..6ea98321bbf20 100644
+--- a/drivers/mfd/intel_soc_pmic_bxtwc.c
++++ b/drivers/mfd/intel_soc_pmic_bxtwc.c
+@@ -241,16 +241,6 @@ static struct mfd_cell bxt_wc_dev[] = {
+ .num_resources = ARRAY_SIZE(thermal_resources),
+ .resources = thermal_resources,
+ },
+- {
+- .name = "bxt_wcove_usbc",
+- .num_resources = ARRAY_SIZE(usbc_resources),
+- .resources = usbc_resources,
+- },
+- {
+- .name = "bxt_wcove_ext_charger",
+- .num_resources = ARRAY_SIZE(charger_resources),
+- .resources = charger_resources,
+- },
+ {
+ .name = "bxt_wcove_bcu",
+ .num_resources = ARRAY_SIZE(bcu_resources),
+@@ -272,6 +262,19 @@ static struct mfd_cell bxt_wc_dev[] = {
+ },
+ };
+
++static struct mfd_cell bxt_wc_chgr_dev[] = {
++ {
++ .name = "bxt_wcove_usbc",
++ .num_resources = ARRAY_SIZE(usbc_resources),
++ .resources = usbc_resources,
++ },
++ {
++ .name = "bxt_wcove_ext_charger",
++ .num_resources = ARRAY_SIZE(charger_resources),
++ .resources = charger_resources,
++ },
++};
++
+ static int regmap_ipc_byte_reg_read(void *context, unsigned int reg,
+ unsigned int *val)
+ {
+@@ -426,6 +429,26 @@ static int bxtwc_add_chained_irq_chip(struct intel_soc_pmic *pmic,
+ 0, chip, data);
+ }
+
++static int bxtwc_add_chained_devices(struct intel_soc_pmic *pmic,
++ const struct mfd_cell *cells, int n_devs,
++ struct regmap_irq_chip_data *pdata,
++ int pirq, int irq_flags,
++ const struct regmap_irq_chip *chip,
++ struct regmap_irq_chip_data **data)
++{
++ struct device *dev = pmic->dev;
++ struct irq_domain *domain;
++ int ret;
++
++ ret = bxtwc_add_chained_irq_chip(pmic, pdata, pirq, irq_flags, chip, data);
++ if (ret)
++ return dev_err_probe(dev, ret, "Failed to add %s IRQ chip\n", chip->name);
++
++ domain = regmap_irq_get_domain(*data);
++
++ return devm_mfd_add_devices(dev, PLATFORM_DEVID_NONE, cells, n_devs, NULL, 0, domain);
++}
++
+ static int bxtwc_probe(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+@@ -501,14 +524,14 @@ static int bxtwc_probe(struct platform_device *pdev)
+ if (ret)
+ return dev_err_probe(dev, ret, "Failed to add ADC IRQ chip\n");
+
+- /* Add chained IRQ handler for CHGR IRQs */
+- ret = bxtwc_add_chained_irq_chip(pmic, pmic->irq_chip_data,
+- BXTWC_CHGR_LVL1_IRQ,
+- IRQF_ONESHOT,
+- &bxtwc_regmap_irq_chip_chgr,
+- &pmic->irq_chip_data_chgr);
++ ret = bxtwc_add_chained_devices(pmic, bxt_wc_chgr_dev, ARRAY_SIZE(bxt_wc_chgr_dev),
++ pmic->irq_chip_data,
++ BXTWC_CHGR_LVL1_IRQ,
++ IRQF_ONESHOT,
++ &bxtwc_regmap_irq_chip_chgr,
++ &pmic->irq_chip_data_chgr);
+ if (ret)
+- return dev_err_probe(dev, ret, "Failed to add CHGR IRQ chip\n");
++ return ret;
+
+ /* Add chained IRQ handler for CRIT IRQs */
+ ret = bxtwc_add_chained_irq_chip(pmic, pmic->irq_chip_data,
+diff --git a/drivers/usb/typec/tcpm/wcove.c b/drivers/usb/typec/tcpm/wcove.c
+index 20917d85d6f4c..5d34466a0abf2 100644
+--- a/drivers/usb/typec/tcpm/wcove.c
++++ b/drivers/usb/typec/tcpm/wcove.c
+@@ -621,10 +621,6 @@ static int wcove_typec_probe(struct platform_device *pdev)
+ if (irq < 0)
+ return irq;
+
+- irq = regmap_irq_get_virq(pmic->irq_chip_data_chgr, irq);
+- if (irq < 0)
+- return irq;
+-
+ ret = guid_parse(WCOVE_DSM_UUID, &wcove->guid);
+ if (ret)
+ return ret;
+--
+2.43.0
+
--- /dev/null
+From 183ce0191c218843796cb87fca3154bb0e1d6fcb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Oct 2024 23:41:06 +0800
+Subject: mfd: rt5033: Fix missing regmap_del_irq_chip()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit d256d612f47529ed0b332298e2d5ea981a4dd5b8 ]
+
+Fix missing call to regmap_del_irq_chip() in error handling path by
+using devm_regmap_add_irq_chip().
+
+Fixes: 0b271258544b ("mfd: rt5033: Add Richtek RT5033 driver core.")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/r/1730302867-8391-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/rt5033.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mfd/rt5033.c b/drivers/mfd/rt5033.c
+index df095e91e2666..78bafeda5e470 100644
+--- a/drivers/mfd/rt5033.c
++++ b/drivers/mfd/rt5033.c
+@@ -82,8 +82,8 @@ static int rt5033_i2c_probe(struct i2c_client *i2c,
+ }
+ dev_info(&i2c->dev, "Device found Device ID: %04x\n", dev_id);
+
+- ret = regmap_add_irq_chip(rt5033->regmap, rt5033->irq,
+- IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
++ ret = devm_regmap_add_irq_chip(rt5033->dev, rt5033->regmap,
++ rt5033->irq, IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
+ 0, &rt5033_irq_chip, &rt5033->irq_data);
+ if (ret) {
+ dev_err(&i2c->dev, "Failed to request IRQ %d: %d\n",
+--
+2.43.0
+
--- /dev/null
+From 2b300478d3c214805c73fbf70e0d1165a5a17268 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 11:15:30 +0800
+Subject: mfd: tps65010: Use IRQF_NO_AUTOEN flag in request_irq() to fix race
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 2174f9a8c9db50f74df769edd5a4ab822c73b6d2 ]
+
+As the comment said, disable_irq() after request_irq() still has a
+time gap in which interrupts can come. request_irq() with IRQF_NO_AUTOEN
+flag will disable IRQ auto-enable when request IRQ.
+
+Fixes: 72cd799544f2 ("[PATCH] I2C: add i2c driver for TPS6501x")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Link: https://lore.kernel.org/r/20240912031530.2211654-1-ruanjinjie@huawei.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/tps65010.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/mfd/tps65010.c b/drivers/mfd/tps65010.c
+index c2afa2e69f42f..35ddffb96ba1a 100644
+--- a/drivers/mfd/tps65010.c
++++ b/drivers/mfd/tps65010.c
+@@ -548,17 +548,13 @@ static int tps65010_probe(struct i2c_client *client,
+ */
+ if (client->irq > 0) {
+ status = request_irq(client->irq, tps65010_irq,
+- IRQF_TRIGGER_FALLING, DRIVER_NAME, tps);
++ IRQF_TRIGGER_FALLING | IRQF_NO_AUTOEN,
++ DRIVER_NAME, tps);
+ if (status < 0) {
+ dev_dbg(&client->dev, "can't get IRQ %d, err %d\n",
+ client->irq, status);
+ return status;
+ }
+- /* annoying race here, ideally we'd have an option
+- * to claim the irq now and enable it later.
+- * FIXME genirq IRQF_NOAUTOEN now solves that ...
+- */
+- disable_irq(client->irq);
+ set_bit(FLAG_IRQ_ENABLE, &tps->flags);
+ } else
+ dev_warn(&client->dev, "IRQ not configured!\n");
+--
+2.43.0
+
--- /dev/null
+From 4360f74b1e8676260be0a960598bdf39b5803f78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Jun 2024 14:11:32 +0200
+Subject: microblaze: Export xmb_manager functions
+
+From: Michal Simek <michal.simek@amd.com>
+
+[ Upstream commit badf752b5e4b17d281f93f409d4718388ff912e6 ]
+
+When TMR_MANAGER is enabled as module there is a need to export functions
+which are present in architecture code.
+
+It has been found by running:
+make W=1 C=1 allmodconfig
+sed -i -e 's/WERROR=y/WERROR=n/g' .config
+make C=1 W=1
+
+which errors out like this:
+ERROR: modpost: "xmb_manager_register" [drivers/misc/xilinx_tmr_manager.ko] undefined!
+ERROR: modpost: "xmb_inject_err" [drivers/misc/xilinx_tmr_inject.ko] undefined!
+
+Fixes: a5e3aaa654c1 ("microblaze: Add xmb_manager_register function")
+Reported-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Michal Simek <michal.simek@amd.com>
+Link: https://lore.kernel.org/r/e322dbbbde0feef83f44304ea13249d365d1dc5f.1718799090.git.michal.simek@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/microblaze/kernel/microblaze_ksyms.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/arch/microblaze/kernel/microblaze_ksyms.c b/arch/microblaze/kernel/microblaze_ksyms.c
+index c892e173ec990..a8553f54152b7 100644
+--- a/arch/microblaze/kernel/microblaze_ksyms.c
++++ b/arch/microblaze/kernel/microblaze_ksyms.c
+@@ -16,6 +16,7 @@
+ #include <asm/page.h>
+ #include <linux/ftrace.h>
+ #include <linux/uaccess.h>
++#include <asm/xilinx_mb_manager.h>
+
+ #ifdef CONFIG_FUNCTION_TRACER
+ extern void _mcount(void);
+@@ -46,3 +47,12 @@ extern void __udivsi3(void);
+ EXPORT_SYMBOL(__udivsi3);
+ extern void __umodsi3(void);
+ EXPORT_SYMBOL(__umodsi3);
++
++#ifdef CONFIG_MB_MANAGER
++extern void xmb_manager_register(uintptr_t phys_baseaddr, u32 cr_val,
++ void (*callback)(void *data),
++ void *priv, void (*reset_callback)(void *data));
++EXPORT_SYMBOL(xmb_manager_register);
++extern asmlinkage void xmb_inject_err(void);
++EXPORT_SYMBOL(xmb_inject_err);
++#endif
+--
+2.43.0
+
--- /dev/null
+From 46f3de044748f641d261a785e66aef42492cf817 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Oct 2024 12:12:14 +0200
+Subject: mips: asm: fix warning when disabling MIPS_FP_SUPPORT
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+[ Upstream commit da09935975c8f8c90d6f57be2422dee5557206cd ]
+
+When MIPS_FP_SUPPORT is disabled, __sanitize_fcr31() is defined as
+nothing, which triggers a gcc warning:
+
+ In file included from kernel/sched/core.c:79:
+ kernel/sched/core.c: In function 'context_switch':
+ ./arch/mips/include/asm/switch_to.h:114:39: warning: suggest braces around empty body in an 'if' statement [-Wempty-body]
+ 114 | __sanitize_fcr31(next); \
+ | ^
+ kernel/sched/core.c:5316:9: note: in expansion of macro 'switch_to'
+ 5316 | switch_to(prev, next, prev);
+ | ^~~~~~~~~
+
+Fix this by providing an empty body for __sanitize_fcr31() like one is
+defined for __mips_mt_fpaff_switch_to().
+
+Fixes: 36a498035bd2 ("MIPS: Avoid FCSR sanitization when CONFIG_MIPS_FP_SUPPORT=n")
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Reviewed-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/switch_to.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/include/asm/switch_to.h b/arch/mips/include/asm/switch_to.h
+index a4374b4cb88fd..d6ccd53440213 100644
+--- a/arch/mips/include/asm/switch_to.h
++++ b/arch/mips/include/asm/switch_to.h
+@@ -97,7 +97,7 @@ do { \
+ } \
+ } while (0)
+ #else
+-# define __sanitize_fcr31(next)
++# define __sanitize_fcr31(next) do { (void) (next); } while (0)
+ #endif
+
+ /*
+--
+2.43.0
+
--- /dev/null
+From 80fe47ca95d098c47e053516abeef666c9e6b44e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Sep 2024 11:55:56 +0800
+Subject: misc: apds990x: Fix missing pm_runtime_disable()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 3c5d8b819d27012264edd17e6ae7fffda382fe44 ]
+
+The pm_runtime_disable() is missing in probe error path,
+so add it to fix it.
+
+Fixes: 92b1f84d46b2 ("drivers/misc: driver for APDS990X ALS and proximity sensors")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Link: https://lore.kernel.org/r/20240923035556.3009105-1-ruanjinjie@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/apds990x.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/misc/apds990x.c b/drivers/misc/apds990x.c
+index e2100cc42ce86..668609d22fe18 100644
+--- a/drivers/misc/apds990x.c
++++ b/drivers/misc/apds990x.c
+@@ -1148,7 +1148,7 @@ static int apds990x_probe(struct i2c_client *client,
+ err = chip->pdata->setup_resources();
+ if (err) {
+ err = -EINVAL;
+- goto fail3;
++ goto fail4;
+ }
+ }
+
+@@ -1156,7 +1156,7 @@ static int apds990x_probe(struct i2c_client *client,
+ apds990x_attribute_group);
+ if (err < 0) {
+ dev_err(&chip->client->dev, "Sysfs registration failed\n");
+- goto fail4;
++ goto fail5;
+ }
+
+ err = request_threaded_irq(client->irq, NULL,
+@@ -1167,15 +1167,17 @@ static int apds990x_probe(struct i2c_client *client,
+ if (err) {
+ dev_err(&client->dev, "could not get IRQ %d\n",
+ client->irq);
+- goto fail5;
++ goto fail6;
+ }
+ return err;
+-fail5:
++fail6:
+ sysfs_remove_group(&chip->client->dev.kobj,
+ &apds990x_attribute_group[0]);
+-fail4:
++fail5:
+ if (chip->pdata && chip->pdata->release_resources)
+ chip->pdata->release_resources();
++fail4:
++ pm_runtime_disable(&client->dev);
+ fail3:
+ regulator_bulk_disable(ARRAY_SIZE(chip->regs), chip->regs);
+ fail2:
+--
+2.43.0
+
--- /dev/null
+From 4b859f4e16202f7da9f41c6c538fac256d508476 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 18:01:34 +0200
+Subject: mmc: mmc_spi: drop buggy snprintf()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+[ Upstream commit 328bda09cc91b3d93bc64f4a4dadc44313dd8140 ]
+
+GCC 13 complains about the truncated output of snprintf():
+
+drivers/mmc/host/mmc_spi.c: In function ‘mmc_spi_response_get’:
+drivers/mmc/host/mmc_spi.c:227:64: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=]
+ 227 | snprintf(tag, sizeof(tag), " ... CMD%d response SPI_%s",
+ | ^
+drivers/mmc/host/mmc_spi.c:227:9: note: ‘snprintf’ output between 26 and 43 bytes into a destination of size 32
+ 227 | snprintf(tag, sizeof(tag), " ... CMD%d response SPI_%s",
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 228 | cmd->opcode, maptype(cmd));
+
+Drop it and fold the string it generates into the only place where it's
+emitted - the dev_dbg() call at the end of the function.
+
+Fixes: 15a0580ced08 ("mmc_spi host driver")
+Suggested-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Link: https://lore.kernel.org/r/20241008160134.69934-1-brgl@bgdev.pl
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/mmc_spi.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/mmc/host/mmc_spi.c b/drivers/mmc/host/mmc_spi.c
+index 2a99ffb61f8c0..30b93dc938f1a 100644
+--- a/drivers/mmc/host/mmc_spi.c
++++ b/drivers/mmc/host/mmc_spi.c
+@@ -223,10 +223,6 @@ static int mmc_spi_response_get(struct mmc_spi_host *host,
+ u8 leftover = 0;
+ unsigned short rotator;
+ int i;
+- char tag[32];
+-
+- snprintf(tag, sizeof(tag), " ... CMD%d response SPI_%s",
+- cmd->opcode, maptype(cmd));
+
+ /* Except for data block reads, the whole response will already
+ * be stored in the scratch buffer. It's somewhere after the
+@@ -379,8 +375,9 @@ static int mmc_spi_response_get(struct mmc_spi_host *host,
+ }
+
+ if (value < 0)
+- dev_dbg(&host->spi->dev, "%s: resp %04x %08x\n",
+- tag, cmd->resp[0], cmd->resp[1]);
++ dev_dbg(&host->spi->dev,
++ " ... CMD%d response SPI_%s: resp %04x %08x\n",
++ cmd->opcode, maptype(cmd), cmd->resp[0], cmd->resp[1]);
+
+ /* disable chipselect on errors and some success cases */
+ if (value >= 0 && cs_on)
+--
+2.43.0
+
--- /dev/null
+From 553c446226cb366195fbd3df61e1dd24906873c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jul 2024 09:08:40 +0100
+Subject: mtd: hyperbus: rpc-if: Add missing MODULE_DEVICE_TABLE
+
+From: Biju Das <biju.das.jz@bp.renesas.com>
+
+[ Upstream commit 7d189579a287d5c568db623c5fc2344cce98a887 ]
+
+The rpc-if-hyperflash driver can be compiled as a module, but lacks
+MODULE_DEVICE_TABLE() and will therefore not be loaded automatically.
+Fix this.
+
+Fixes: 5de15b610f78 ("mtd: hyperbus: add Renesas RPC-IF driver")
+Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Vignesh Raghavendra <vigneshr@ti.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20240731080846.257139-1-biju.das.jz@bp.renesas.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/hyperbus/rpc-if.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/mtd/hyperbus/rpc-if.c b/drivers/mtd/hyperbus/rpc-if.c
+index b22aa57119f23..e7a28f3316c3f 100644
+--- a/drivers/mtd/hyperbus/rpc-if.c
++++ b/drivers/mtd/hyperbus/rpc-if.c
+@@ -163,9 +163,16 @@ static void rpcif_hb_remove(struct platform_device *pdev)
+ pm_runtime_disable(hyperbus->rpc.dev);
+ }
+
++static const struct platform_device_id rpc_if_hyperflash_id_table[] = {
++ { .name = "rpc-if-hyperflash" },
++ { /* sentinel */ }
++};
++MODULE_DEVICE_TABLE(platform, rpc_if_hyperflash_id_table);
++
+ static struct platform_driver rpcif_platform_driver = {
+ .probe = rpcif_hb_probe,
+ .remove_new = rpcif_hb_remove,
++ .id_table = rpc_if_hyperflash_id_table,
+ .driver = {
+ .name = "rpc-if-hyperflash",
+ },
+--
+2.43.0
+
--- /dev/null
+From 167ce86135a63ca797ad8bd8dc71f2b583f1d4dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Oct 2023 22:01:33 +0200
+Subject: mtd: hyperbus: rpc-if: Convert to platform remove callback returning
+ void
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit baaa90c1c923ff2412fae0162eb66d036fd3be6b ]
+
+The .remove() callback for a platform driver returns an int which makes
+many driver authors wrongly assume it's possible to do error handling by
+returning an error code. However the value returned is ignored (apart
+from emitting a warning) and this typically results in resource leaks.
+
+To improve here there is a quest to make the remove callback return
+void. In the first step of this quest all drivers are converted to
+.remove_new(), which already returns void. Eventually after all drivers
+are converted, .remove_new() will be renamed to .remove().
+
+Trivially convert this driver from always returning zero in the remove
+callback to the void returning variant.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Acked-by: Tudor Ambarus <tudor.ambarus@linaro.org>
+Link: https://lore.kernel.org/linux-mtd/20231008200143.196369-11-u.kleine-koenig@pengutronix.de
+Stable-dep-of: 7d189579a287 ("mtd: hyperbus: rpc-if: Add missing MODULE_DEVICE_TABLE")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/hyperbus/rpc-if.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mtd/hyperbus/rpc-if.c b/drivers/mtd/hyperbus/rpc-if.c
+index ef32fca5f785e..b22aa57119f23 100644
+--- a/drivers/mtd/hyperbus/rpc-if.c
++++ b/drivers/mtd/hyperbus/rpc-if.c
+@@ -154,20 +154,18 @@ static int rpcif_hb_probe(struct platform_device *pdev)
+ return error;
+ }
+
+-static int rpcif_hb_remove(struct platform_device *pdev)
++static void rpcif_hb_remove(struct platform_device *pdev)
+ {
+ struct rpcif_hyperbus *hyperbus = platform_get_drvdata(pdev);
+
+ hyperbus_unregister_device(&hyperbus->hbdev);
+
+ pm_runtime_disable(hyperbus->rpc.dev);
+-
+- return 0;
+ }
+
+ static struct platform_driver rpcif_platform_driver = {
+ .probe = rpcif_hb_probe,
+- .remove = rpcif_hb_remove,
++ .remove_new = rpcif_hb_remove,
+ .driver = {
+ .name = "rpc-if-hyperflash",
+ },
+--
+2.43.0
+
--- /dev/null
+From e1f397688f89d191a31e1573df70d6136d60f93b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 22:31:49 +0200
+Subject: mtd: rawnand: atmel: Fix possible memory leak
+
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+
+[ Upstream commit 6d734f1bfc336aaea91313a5632f2f197608fadd ]
+
+The pmecc "user" structure is allocated in atmel_pmecc_create_user() and
+was supposed to be freed with atmel_pmecc_destroy_user(), but this other
+helper is never called. One solution would be to find the proper
+location to call the destructor, but the trend today is to switch to
+device managed allocations, which in this case fits pretty well.
+
+Replace kzalloc() by devm_kzalloc() and drop the destructor entirely.
+
+Reported-by: "Dr. David Alan Gilbert" <linux@treblig.org>
+Closes: https://lore.kernel.org/all/ZvmIvRJCf6VhHvpo@gallifrey/
+Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20241001203149.387655-1-miquel.raynal@bootlin.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/atmel/pmecc.c | 8 +-------
+ drivers/mtd/nand/raw/atmel/pmecc.h | 2 --
+ 2 files changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/atmel/pmecc.c b/drivers/mtd/nand/raw/atmel/pmecc.c
+index 4d7dc8a9c3738..a22aab4ed4e8a 100644
+--- a/drivers/mtd/nand/raw/atmel/pmecc.c
++++ b/drivers/mtd/nand/raw/atmel/pmecc.c
+@@ -362,7 +362,7 @@ atmel_pmecc_create_user(struct atmel_pmecc *pmecc,
+ size = ALIGN(size, sizeof(s32));
+ size += (req->ecc.strength + 1) * sizeof(s32) * 3;
+
+- user = kzalloc(size, GFP_KERNEL);
++ user = devm_kzalloc(pmecc->dev, size, GFP_KERNEL);
+ if (!user)
+ return ERR_PTR(-ENOMEM);
+
+@@ -408,12 +408,6 @@ atmel_pmecc_create_user(struct atmel_pmecc *pmecc,
+ }
+ EXPORT_SYMBOL_GPL(atmel_pmecc_create_user);
+
+-void atmel_pmecc_destroy_user(struct atmel_pmecc_user *user)
+-{
+- kfree(user);
+-}
+-EXPORT_SYMBOL_GPL(atmel_pmecc_destroy_user);
+-
+ static int get_strength(struct atmel_pmecc_user *user)
+ {
+ const int *strengths = user->pmecc->caps->strengths;
+diff --git a/drivers/mtd/nand/raw/atmel/pmecc.h b/drivers/mtd/nand/raw/atmel/pmecc.h
+index 7851c05126cf1..cc0c5af1f4f1a 100644
+--- a/drivers/mtd/nand/raw/atmel/pmecc.h
++++ b/drivers/mtd/nand/raw/atmel/pmecc.h
+@@ -55,8 +55,6 @@ struct atmel_pmecc *devm_atmel_pmecc_get(struct device *dev);
+ struct atmel_pmecc_user *
+ atmel_pmecc_create_user(struct atmel_pmecc *pmecc,
+ struct atmel_pmecc_user_req *req);
+-void atmel_pmecc_destroy_user(struct atmel_pmecc_user *user);
+-
+ void atmel_pmecc_reset(struct atmel_pmecc *pmecc);
+ int atmel_pmecc_enable(struct atmel_pmecc_user *user, int op);
+ void atmel_pmecc_disable(struct atmel_pmecc_user *user);
+--
+2.43.0
+
--- /dev/null
+From f4adb82150884382816fec149634bfcc54c4907c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Nov 2024 17:13:43 +0000
+Subject: net: hsr: fix hsr_init_sk() vs network/transport headers.
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 9cfb5e7f0ded2bfaabc270ceb5f91d13f0e805b9 ]
+
+Following sequence in hsr_init_sk() is invalid :
+
+ skb_reset_mac_header(skb);
+ skb_reset_mac_len(skb);
+ skb_reset_network_header(skb);
+ skb_reset_transport_header(skb);
+
+It is invalid because skb_reset_mac_len() needs the correct
+network header, which should be after the mac header.
+
+This patch moves the skb_reset_network_header()
+and skb_reset_transport_header() before
+the call to dev_hard_header().
+
+As a result skb->mac_len is no longer set to a value
+close to 65535.
+
+Fixes: 48b491a5cc74 ("net: hsr: fix mac_len checks")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: George McCollister <george.mccollister@gmail.com>
+Link: https://patch.msgid.link/20241122171343.897551-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/hsr/hsr_device.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/hsr/hsr_device.c b/net/hsr/hsr_device.c
+index ad75724b69adf..6e434af189bc0 100644
+--- a/net/hsr/hsr_device.c
++++ b/net/hsr/hsr_device.c
+@@ -253,6 +253,8 @@ static struct sk_buff *hsr_init_skb(struct hsr_port *master)
+ skb->dev = master->dev;
+ skb->priority = TC_PRIO_CONTROL;
+
++ skb_reset_network_header(skb);
++ skb_reset_transport_header(skb);
+ if (dev_hard_header(skb, skb->dev, ETH_P_PRP,
+ hsr->sup_multicast_addr,
+ skb->dev->dev_addr, skb->len) <= 0)
+@@ -260,8 +262,6 @@ static struct sk_buff *hsr_init_skb(struct hsr_port *master)
+
+ skb_reset_mac_header(skb);
+ skb_reset_mac_len(skb);
+- skb_reset_network_header(skb);
+- skb_reset_transport_header(skb);
+
+ return skb;
+ out:
+--
+2.43.0
+
--- /dev/null
+From bd319984792bf985452d9b913a741227fcce5129 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Nov 2024 09:51:07 +0000
+Subject: net/ipv6: delete temporary address if mngtmpaddr is removed or
+ unmanaged
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 00b5b7aab9e422d00d5a9d03d7e0760a76b5d57f ]
+
+RFC8981 section 3.4 says that existing temporary addresses must have their
+lifetimes adjusted so that no temporary addresses should ever remain "valid"
+or "preferred" longer than the incoming SLAAC Prefix Information. This would
+strongly imply in Linux's case that if the "mngtmpaddr" address is deleted or
+un-flagged as such, its corresponding temporary addresses must be cleared out
+right away.
+
+But now the temporary address is renewed even after ‘mngtmpaddr’ is removed
+or becomes unmanaged as manage_tempaddrs() set temporary addresses
+prefered/valid time to 0, and later in addrconf_verify_rtnl() all checkings
+failed to remove the addresses. Fix this by deleting the temporary address
+directly for these situations.
+
+Fixes: 778964f2fdf0 ("ipv6/addrconf: fix timing bug in tempaddr regen")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/addrconf.c | 41 +++++++++++++++++++++++++++++------------
+ 1 file changed, 29 insertions(+), 12 deletions(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 4e1e6ef72464c..f52527c86e71c 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -2527,6 +2527,24 @@ static struct inet6_dev *addrconf_add_dev(struct net_device *dev)
+ return idev;
+ }
+
++static void delete_tempaddrs(struct inet6_dev *idev,
++ struct inet6_ifaddr *ifp)
++{
++ struct inet6_ifaddr *ift, *tmp;
++
++ write_lock_bh(&idev->lock);
++ list_for_each_entry_safe(ift, tmp, &idev->tempaddr_list, tmp_list) {
++ if (ift->ifpub != ifp)
++ continue;
++
++ in6_ifa_hold(ift);
++ write_unlock_bh(&idev->lock);
++ ipv6_del_addr(ift);
++ write_lock_bh(&idev->lock);
++ }
++ write_unlock_bh(&idev->lock);
++}
++
+ static void manage_tempaddrs(struct inet6_dev *idev,
+ struct inet6_ifaddr *ifp,
+ __u32 valid_lft, __u32 prefered_lft,
+@@ -3051,11 +3069,12 @@ static int inet6_addr_del(struct net *net, int ifindex, u32 ifa_flags,
+ in6_ifa_hold(ifp);
+ read_unlock_bh(&idev->lock);
+
+- if (!(ifp->flags & IFA_F_TEMPORARY) &&
+- (ifa_flags & IFA_F_MANAGETEMPADDR))
+- manage_tempaddrs(idev, ifp, 0, 0, false,
+- jiffies);
+ ipv6_del_addr(ifp);
++
++ if (!(ifp->flags & IFA_F_TEMPORARY) &&
++ (ifp->flags & IFA_F_MANAGETEMPADDR))
++ delete_tempaddrs(idev, ifp);
++
+ addrconf_verify_rtnl(net);
+ if (ipv6_addr_is_multicast(pfx)) {
+ ipv6_mc_config(net->ipv6.mc_autojoin_sk,
+@@ -4863,14 +4882,12 @@ static int inet6_addr_modify(struct net *net, struct inet6_ifaddr *ifp,
+ }
+
+ if (was_managetempaddr || ifp->flags & IFA_F_MANAGETEMPADDR) {
+- if (was_managetempaddr &&
+- !(ifp->flags & IFA_F_MANAGETEMPADDR)) {
+- cfg->valid_lft = 0;
+- cfg->preferred_lft = 0;
+- }
+- manage_tempaddrs(ifp->idev, ifp, cfg->valid_lft,
+- cfg->preferred_lft, !was_managetempaddr,
+- jiffies);
++ if (was_managetempaddr && !(ifp->flags & IFA_F_MANAGETEMPADDR))
++ delete_tempaddrs(ifp->idev, ifp);
++ else
++ manage_tempaddrs(ifp->idev, ifp, cfg->valid_lft,
++ cfg->preferred_lft, !was_managetempaddr,
++ jiffies);
+ }
+
+ addrconf_verify_rtnl(net);
+--
+2.43.0
+
--- /dev/null
+From a175dc58452468454829340c879e01130b2871c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Nov 2024 11:31:52 -0800
+Subject: net: mdio-ipq4019: add missing error check
+
+From: Rosen Penev <rosenp@gmail.com>
+
+[ Upstream commit 9cc8d0ecdd2aad42e377e971e3bb114339df609e ]
+
+If an optional resource is found but fails to remap, return on failure.
+Avoids any potential problems when using the iomapped resource as the
+assumption is that it's available.
+
+Fixes: 23a890d493e3 ("net: mdio: Add the reset function for IPQ MDIO driver")
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20241121193152.8966-1-rosenp@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mdio/mdio-ipq4019.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/mdio/mdio-ipq4019.c b/drivers/net/mdio/mdio-ipq4019.c
+index 4eba5a91075c0..da5dc854b6ca6 100644
+--- a/drivers/net/mdio/mdio-ipq4019.c
++++ b/drivers/net/mdio/mdio-ipq4019.c
+@@ -231,8 +231,11 @@ static int ipq4019_mdio_probe(struct platform_device *pdev)
+ /* The platform resource is provided on the chipset IPQ5018 */
+ /* This resource is optional */
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 1);
+- if (res)
++ if (res) {
+ priv->eth_ldo_rdy = devm_ioremap_resource(&pdev->dev, res);
++ if (IS_ERR(priv->eth_ldo_rdy))
++ return PTR_ERR(priv->eth_ldo_rdy);
++ }
+
+ bus->name = "ipq4019_mdio";
+ bus->read = ipq4019_mdio_read;
+--
+2.43.0
+
--- /dev/null
+From 50caf8c07d92a63960701f9f5edc16a3b30a4264 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Nov 2024 14:53:41 -0500
+Subject: net: rfkill: gpio: Add check for clk_enable()
+
+From: Mingwei Zheng <zmw12306@gmail.com>
+
+[ Upstream commit 8251e7621b25ccdb689f1dd9553b8789e3745ea1 ]
+
+Add check for the return value of clk_enable() to catch the potential
+error.
+
+Fixes: 7176ba23f8b5 ("net: rfkill: add generic gpio rfkill driver")
+Signed-off-by: Mingwei Zheng <zmw12306@gmail.com>
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Link: https://patch.msgid.link/20241108195341.1853080-1-zmw12306@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rfkill/rfkill-gpio.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/rfkill/rfkill-gpio.c b/net/rfkill/rfkill-gpio.c
+index f74baefd855d3..2df5bf240b64a 100644
+--- a/net/rfkill/rfkill-gpio.c
++++ b/net/rfkill/rfkill-gpio.c
+@@ -30,8 +30,12 @@ static int rfkill_gpio_set_power(void *data, bool blocked)
+ {
+ struct rfkill_gpio_data *rfkill = data;
+
+- if (!blocked && !IS_ERR(rfkill->clk) && !rfkill->clk_enabled)
+- clk_enable(rfkill->clk);
++ if (!blocked && !IS_ERR(rfkill->clk) && !rfkill->clk_enabled) {
++ int ret = clk_enable(rfkill->clk);
++
++ if (ret)
++ return ret;
++ }
+
+ gpiod_set_value_cansleep(rfkill->shutdown_gpio, !blocked);
+ gpiod_set_value_cansleep(rfkill->reset_gpio, !blocked);
+--
+2.43.0
+
--- /dev/null
+From 589706519c1a3f2d1ac1bfacaad26e300782458b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Nov 2024 15:12:55 +0100
+Subject: net: stmmac: dwmac-socfpga: Set RX watchdog interrupt as broken
+
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+
+[ Upstream commit 407618d66dba55e7db1278872e8be106808bbe91 ]
+
+On DWMAC3 and later, there's a RX Watchdog interrupt that's used for
+interrupt coalescing. It's known to be buggy on some platforms, and
+dwmac-socfpga appears to be one of them. Changing the interrupt
+coalescing from ethtool doesn't appear to have any effect here.
+
+Without disabling RIWT (Received Interrupt Watchdog Timer, I
+believe...), we observe latencies while receiving traffic that amount to
+around ~0.4ms. This was discovered with NTP but can be easily reproduced
+with a simple ping. Without this patch :
+
+64 bytes from 192.168.5.2: icmp_seq=1 ttl=64 time=0.657 ms
+
+With this patch :
+
+64 bytes from 192.168.5.2: icmp_seq=1 ttl=64 time=0.254 ms
+
+Fixes: 801d233b7302 ("net: stmmac: Add SOCFPGA glue driver")
+Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Link: https://patch.msgid.link/20241122141256.764578-1-maxime.chevallier@bootlin.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c
+index 6b447d8f0bd8a..9c726fe40acdf 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c
+@@ -426,6 +426,8 @@ static int socfpga_dwmac_probe(struct platform_device *pdev)
+ plat_dat->bsp_priv = dwmac;
+ plat_dat->fix_mac_speed = socfpga_dwmac_fix_mac_speed;
+
++ plat_dat->riwt_off = 1;
++
+ ret = stmmac_dvr_probe(&pdev->dev, plat_dat, &stmmac_res);
+ if (ret)
+ goto err_remove_config_dt;
+--
+2.43.0
+
--- /dev/null
+From 9491c4c822a7e11205e05a7501d08b5fe9f5a2f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Nov 2024 14:05:57 +0100
+Subject: net: usb: lan78xx: Fix double free issue with interrupt buffer
+ allocation
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit 03819abbeb11117dcbba40bfe322b88c0c88a6b6 ]
+
+In lan78xx_probe(), the buffer `buf` was being freed twice: once
+implicitly through `usb_free_urb(dev->urb_intr)` with the
+`URB_FREE_BUFFER` flag and again explicitly by `kfree(buf)`. This caused
+a double free issue.
+
+To resolve this, reordered `kmalloc()` and `usb_alloc_urb()` calls to
+simplify the initialization sequence and removed the redundant
+`kfree(buf)`. Now, `buf` is allocated after `usb_alloc_urb()`, ensuring
+it is correctly managed by `usb_fill_int_urb()` and freed by
+`usb_free_urb()` as intended.
+
+Fixes: a6df95cae40b ("lan78xx: Fix memory allocation bug")
+Cc: John Efstathiades <john.efstathiades@pebblebay.com>
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://patch.msgid.link/20241116130558.1352230-1-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/lan78xx.c | 29 ++++++++++++++---------------
+ 1 file changed, 14 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index 366e83ed0a973..b18afd2c7aeed 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -4417,29 +4417,30 @@ static int lan78xx_probe(struct usb_interface *intf,
+
+ period = ep_intr->desc.bInterval;
+ maxp = usb_maxpacket(dev->udev, dev->pipe_intr);
+- buf = kmalloc(maxp, GFP_KERNEL);
+- if (!buf) {
++
++ dev->urb_intr = usb_alloc_urb(0, GFP_KERNEL);
++ if (!dev->urb_intr) {
+ ret = -ENOMEM;
+ goto out5;
+ }
+
+- dev->urb_intr = usb_alloc_urb(0, GFP_KERNEL);
+- if (!dev->urb_intr) {
++ buf = kmalloc(maxp, GFP_KERNEL);
++ if (!buf) {
+ ret = -ENOMEM;
+- goto out6;
+- } else {
+- usb_fill_int_urb(dev->urb_intr, dev->udev,
+- dev->pipe_intr, buf, maxp,
+- intr_complete, dev, period);
+- dev->urb_intr->transfer_flags |= URB_FREE_BUFFER;
++ goto free_urbs;
+ }
+
++ usb_fill_int_urb(dev->urb_intr, dev->udev,
++ dev->pipe_intr, buf, maxp,
++ intr_complete, dev, period);
++ dev->urb_intr->transfer_flags |= URB_FREE_BUFFER;
++
+ dev->maxpacket = usb_maxpacket(dev->udev, dev->pipe_out);
+
+ /* Reject broken descriptors. */
+ if (dev->maxpacket == 0) {
+ ret = -ENODEV;
+- goto out6;
++ goto free_urbs;
+ }
+
+ /* driver requires remote-wakeup capability during autosuspend. */
+@@ -4447,7 +4448,7 @@ static int lan78xx_probe(struct usb_interface *intf,
+
+ ret = lan78xx_phy_init(dev);
+ if (ret < 0)
+- goto out7;
++ goto free_urbs;
+
+ ret = register_netdev(netdev);
+ if (ret != 0) {
+@@ -4469,10 +4470,8 @@ static int lan78xx_probe(struct usb_interface *intf,
+
+ out8:
+ phy_disconnect(netdev->phydev);
+-out7:
++free_urbs:
+ usb_free_urb(dev->urb_intr);
+-out6:
+- kfree(buf);
+ out5:
+ lan78xx_unbind(dev, intf);
+ out4:
+--
+2.43.0
+
--- /dev/null
+From 50c6c621073e44d4a0ec259457801800e1c96c9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Nov 2024 14:05:58 +0100
+Subject: net: usb: lan78xx: Fix memory leak on device unplug by freeing PHY
+ device
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit ae7370e61c5d8f5bcefc2d4fca724bd4e9bbf789 ]
+
+Add calls to `phy_device_free` after `fixed_phy_unregister` to fix a
+memory leak that occurs when the device is unplugged. This ensures
+proper cleanup of pseudo fixed-link PHYs.
+
+Fixes: 89b36fb5e532 ("lan78xx: Lan7801 Support for Fixed PHY")
+Cc: Raghuram Chary J <raghuramchary.jallipalli@microchip.com>
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://patch.msgid.link/20241116130558.1352230-2-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/lan78xx.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index b18afd2c7aeed..ee3c13bbf6c02 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -2387,6 +2387,7 @@ static int lan78xx_phy_init(struct lan78xx_net *dev)
+ if (dev->chipid == ID_REV_CHIP_ID_7801_) {
+ if (phy_is_pseudo_fixed_link(phydev)) {
+ fixed_phy_unregister(phydev);
++ phy_device_free(phydev);
+ } else {
+ phy_unregister_fixup_for_uid(PHY_KSZ9031RNX,
+ 0xfffffff0);
+@@ -4246,8 +4247,10 @@ static void lan78xx_disconnect(struct usb_interface *intf)
+
+ phy_disconnect(net->phydev);
+
+- if (phy_is_pseudo_fixed_link(phydev))
++ if (phy_is_pseudo_fixed_link(phydev)) {
+ fixed_phy_unregister(phydev);
++ phy_device_free(phydev);
++ }
+
+ usb_scuttle_anchored_urbs(&dev->deferred);
+
+--
+2.43.0
+
--- /dev/null
+From 278df873a85eb3e4440aa378fea99658ddbf8201 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Nov 2024 15:03:51 +0100
+Subject: net: usb: lan78xx: Fix refcounting and autosuspend on invalid WoL
+ configuration
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit e863ff806f72098bccaf8fa89c80d9ad6187c3b0 ]
+
+Validate Wake-on-LAN (WoL) options in `lan78xx_set_wol` before calling
+`usb_autopm_get_interface`. This prevents USB autopm refcounting issues
+and ensures the adapter can properly enter autosuspend when invalid WoL
+options are provided.
+
+Fixes: eb9ad088f966 ("lan78xx: Check for supported Wake-on-LAN modes")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://patch.msgid.link/20241118140351.2398166-1-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/lan78xx.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index ee3c13bbf6c02..feff1265cad6f 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -1657,13 +1657,13 @@ static int lan78xx_set_wol(struct net_device *netdev,
+ struct lan78xx_priv *pdata = (struct lan78xx_priv *)(dev->data[0]);
+ int ret;
+
++ if (wol->wolopts & ~WAKE_ALL)
++ return -EINVAL;
++
+ ret = usb_autopm_get_interface(dev->intf);
+ if (ret < 0)
+ return ret;
+
+- if (wol->wolopts & ~WAKE_ALL)
+- return -EINVAL;
+-
+ pdata->wol = wol->wolopts;
+
+ device_set_wakeup_enable(&dev->udev->dev, (bool)wol->wolopts);
+--
+2.43.0
+
--- /dev/null
+From 5f441cdfd55a7c569562f1dfd753b4b1f5343166 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jun 2024 11:16:03 +0000
+Subject: net: use unrcu_pointer() helper
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b4cb4a1391dcdc640c4ade003aaf0ee19cc8d509 ]
+
+Toke mentioned unrcu_pointer() existence, allowing
+to remove some of the ugly casts we have when using
+xchg() for rcu protected pointers.
+
+Also make inet_rcv_compat const.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Toke Høiland-Jørgensen <toke@redhat.com>
+Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Link: https://lore.kernel.org/r/20240604111603.45871-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: eb02688c5c45 ("ipv6: release nexthop on device removal")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h | 2 +-
+ net/core/gen_estimator.c | 2 +-
+ net/core/sock_diag.c | 8 +++-----
+ net/ipv4/cipso_ipv4.c | 2 +-
+ net/ipv4/tcp.c | 2 +-
+ net/ipv4/tcp_fastopen.c | 7 ++++---
+ net/ipv4/udp.c | 2 +-
+ net/ipv6/af_inet6.c | 2 +-
+ net/ipv6/ip6_fib.c | 2 +-
+ net/ipv6/ipv6_sockglue.c | 3 +--
+ net/ipv6/route.c | 6 +++---
+ net/sched/act_api.c | 2 +-
+ 12 files changed, 19 insertions(+), 21 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 1b39b62d44e24..0a06c997b45be 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -2246,7 +2246,7 @@ sk_dst_set(struct sock *sk, struct dst_entry *dst)
+
+ sk_tx_queue_clear(sk);
+ WRITE_ONCE(sk->sk_dst_pending_confirm, 0);
+- old_dst = xchg((__force struct dst_entry **)&sk->sk_dst_cache, dst);
++ old_dst = unrcu_pointer(xchg(&sk->sk_dst_cache, RCU_INITIALIZER(dst)));
+ dst_release(old_dst);
+ }
+
+diff --git a/net/core/gen_estimator.c b/net/core/gen_estimator.c
+index 4fcbdd71c59fa..e0654e3a92861 100644
+--- a/net/core/gen_estimator.c
++++ b/net/core/gen_estimator.c
+@@ -206,7 +206,7 @@ void gen_kill_estimator(struct net_rate_estimator __rcu **rate_est)
+ {
+ struct net_rate_estimator *est;
+
+- est = xchg((__force struct net_rate_estimator **)rate_est, NULL);
++ est = unrcu_pointer(xchg(rate_est, NULL));
+ if (est) {
+ del_timer_sync(&est->timer);
+ kfree_rcu(est, rcu);
+diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
+index d36beb9a9a928..17972558f54a0 100644
+--- a/net/core/sock_diag.c
++++ b/net/core/sock_diag.c
+@@ -18,7 +18,7 @@
+
+ static const struct sock_diag_handler __rcu *sock_diag_handlers[AF_MAX];
+
+-static struct sock_diag_inet_compat __rcu *inet_rcv_compat;
++static const struct sock_diag_inet_compat __rcu *inet_rcv_compat;
+
+ static struct workqueue_struct *broadcast_wq;
+
+@@ -184,8 +184,7 @@ void sock_diag_broadcast_destroy(struct sock *sk)
+
+ void sock_diag_register_inet_compat(const struct sock_diag_inet_compat *ptr)
+ {
+- xchg((__force const struct sock_diag_inet_compat **)&inet_rcv_compat,
+- ptr);
++ xchg(&inet_rcv_compat, RCU_INITIALIZER(ptr));
+ }
+ EXPORT_SYMBOL_GPL(sock_diag_register_inet_compat);
+
+@@ -193,8 +192,7 @@ void sock_diag_unregister_inet_compat(const struct sock_diag_inet_compat *ptr)
+ {
+ const struct sock_diag_inet_compat *old;
+
+- old = xchg((__force const struct sock_diag_inet_compat **)&inet_rcv_compat,
+- NULL);
++ old = unrcu_pointer(xchg(&inet_rcv_compat, NULL));
+ WARN_ON_ONCE(old != ptr);
+ }
+ EXPORT_SYMBOL_GPL(sock_diag_unregister_inet_compat);
+diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
+index 2b56cabe4da98..fd139daf9dfb3 100644
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -1955,7 +1955,7 @@ int cipso_v4_req_setattr(struct request_sock *req,
+ buf = NULL;
+
+ req_inet = inet_rsk(req);
+- opt = xchg((__force struct ip_options_rcu **)&req_inet->ireq_opt, opt);
++ opt = unrcu_pointer(xchg(&req_inet->ireq_opt, RCU_INITIALIZER(opt)));
+ if (opt)
+ kfree_rcu(opt, rcu);
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index cb79919323a62..e27a9a9bb1623 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3184,7 +3184,7 @@ int tcp_disconnect(struct sock *sk, int flags)
+ icsk->icsk_ack.rcv_mss = TCP_MIN_MSS;
+ memset(&tp->rx_opt, 0, sizeof(tp->rx_opt));
+ __sk_dst_reset(sk);
+- dst_release(xchg((__force struct dst_entry **)&sk->sk_rx_dst, NULL));
++ dst_release(unrcu_pointer(xchg(&sk->sk_rx_dst, NULL)));
+ tcp_saved_syn_free(tp);
+ tp->compressed_ack = 0;
+ tp->segs_in = 0;
+diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
+index 85e4953f11821..d0b7ded591bd4 100644
+--- a/net/ipv4/tcp_fastopen.c
++++ b/net/ipv4/tcp_fastopen.c
+@@ -49,7 +49,7 @@ void tcp_fastopen_ctx_destroy(struct net *net)
+ {
+ struct tcp_fastopen_context *ctxt;
+
+- ctxt = xchg((__force struct tcp_fastopen_context **)&net->ipv4.tcp_fastopen_ctx, NULL);
++ ctxt = unrcu_pointer(xchg(&net->ipv4.tcp_fastopen_ctx, NULL));
+
+ if (ctxt)
+ call_rcu(&ctxt->rcu, tcp_fastopen_ctx_free);
+@@ -80,9 +80,10 @@ int tcp_fastopen_reset_cipher(struct net *net, struct sock *sk,
+
+ if (sk) {
+ q = &inet_csk(sk)->icsk_accept_queue.fastopenq;
+- octx = xchg((__force struct tcp_fastopen_context **)&q->ctx, ctx);
++ octx = unrcu_pointer(xchg(&q->ctx, RCU_INITIALIZER(ctx)));
+ } else {
+- octx = xchg((__force struct tcp_fastopen_context **)&net->ipv4.tcp_fastopen_ctx, ctx);
++ octx = unrcu_pointer(xchg(&net->ipv4.tcp_fastopen_ctx,
++ RCU_INITIALIZER(ctx)));
+ }
+
+ if (octx)
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 53267566808c1..3f9c4b74fdc0c 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -2252,7 +2252,7 @@ bool udp_sk_rx_dst_set(struct sock *sk, struct dst_entry *dst)
+ struct dst_entry *old;
+
+ if (dst_hold_safe(dst)) {
+- old = xchg((__force struct dst_entry **)&sk->sk_rx_dst, dst);
++ old = unrcu_pointer(xchg(&sk->sk_rx_dst, RCU_INITIALIZER(dst)));
+ dst_release(old);
+ return old != dst;
+ }
+diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
+index 62247621cea52..ea16c40cfb211 100644
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -513,7 +513,7 @@ void inet6_destroy_sock(struct sock *sk)
+
+ /* Free tx options */
+
+- opt = xchg((__force struct ipv6_txoptions **)&np->opt, NULL);
++ opt = unrcu_pointer(xchg(&np->opt, NULL));
+ if (opt) {
+ atomic_sub(opt->tot_len, &sk->sk_omem_alloc);
+ txopt_put(opt);
+diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
+index 1123594ad2be7..0b45ef8b7ee21 100644
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -983,7 +983,7 @@ static void __fib6_drop_pcpu_from(struct fib6_nh *fib6_nh,
+ if (pcpu_rt && rcu_access_pointer(pcpu_rt->from) == match) {
+ struct fib6_info *from;
+
+- from = xchg((__force struct fib6_info **)&pcpu_rt->from, NULL);
++ from = unrcu_pointer(xchg(&pcpu_rt->from, NULL));
+ fib6_info_release(from);
+ }
+ }
+diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
+index 532f4478c8840..2924aa45adbc5 100644
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -111,8 +111,7 @@ struct ipv6_txoptions *ipv6_update_options(struct sock *sk,
+ icsk->icsk_sync_mss(sk, icsk->icsk_pmtu_cookie);
+ }
+ }
+- opt = xchg((__force struct ipv6_txoptions **)&inet6_sk(sk)->opt,
+- opt);
++ opt = unrcu_pointer(xchg(&inet6_sk(sk)->opt, RCU_INITIALIZER(opt)));
+ sk_dst_reset(sk);
+
+ return opt;
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 6a227edf8a8aa..10e7517d126d9 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -369,7 +369,7 @@ static void ip6_dst_destroy(struct dst_entry *dst)
+ in6_dev_put(idev);
+ }
+
+- from = xchg((__force struct fib6_info **)&rt->from, NULL);
++ from = unrcu_pointer(xchg(&rt->from, NULL));
+ fib6_info_release(from);
+ }
+
+@@ -1432,7 +1432,7 @@ static struct rt6_info *rt6_make_pcpu_route(struct net *net,
+ if (res->f6i->fib6_destroying) {
+ struct fib6_info *from;
+
+- from = xchg((__force struct fib6_info **)&pcpu_rt->from, NULL);
++ from = unrcu_pointer(xchg(&pcpu_rt->from, NULL));
+ fib6_info_release(from);
+ }
+
+@@ -1461,7 +1461,7 @@ static void rt6_remove_exception(struct rt6_exception_bucket *bucket,
+ /* purge completely the exception to allow releasing the held resources:
+ * some [sk] cache may keep the dst around for unlimited time
+ */
+- from = xchg((__force struct fib6_info **)&rt6_ex->rt6i->from, NULL);
++ from = unrcu_pointer(xchg(&rt6_ex->rt6i->from, NULL));
+ fib6_info_release(from);
+ dst_dev_put(&rt6_ex->rt6i->dst);
+
+diff --git a/net/sched/act_api.c b/net/sched/act_api.c
+index 05bd1e9bca36a..b75e22756c4b0 100644
+--- a/net/sched/act_api.c
++++ b/net/sched/act_api.c
+@@ -61,7 +61,7 @@ static void tcf_set_action_cookie(struct tc_cookie __rcu **old_cookie,
+ {
+ struct tc_cookie *old;
+
+- old = xchg((__force struct tc_cookie **)old_cookie, new_cookie);
++ old = unrcu_pointer(xchg(old_cookie, RCU_INITIALIZER(new_cookie)));
+ if (old)
+ call_rcu(&old->rcu, tcf_free_cookie_rcu);
+ }
+--
+2.43.0
+
--- /dev/null
+From f5a1a58d7e661a92e0e3c86d1c5b0ba1a8947a9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2024 04:00:26 +0000
+Subject: netdevsim: copy addresses for both in and out paths
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 2cf567f421dbfe7e53b7e5ddee9400da10efb75d ]
+
+The current code only copies the address for the in path, leaving the out
+path address set to 0. This patch corrects the issue by copying the addresses
+for both the in and out paths. Before this patch:
+
+ # cat /sys/kernel/debug/netdevsim/netdevsim0/ports/0/ipsec
+ SA count=2 tx=20
+ sa[0] tx ipaddr=0.0.0.0
+ sa[0] spi=0x00000100 proto=0x32 salt=0x0adecc3a crypt=1
+ sa[0] key=0x3167608a ca4f1397 43565909 941fa627
+ sa[1] rx ipaddr=192.168.0.1
+ sa[1] spi=0x00000101 proto=0x32 salt=0x0adecc3a crypt=1
+ sa[1] key=0x3167608a ca4f1397 43565909 941fa627
+
+After this patch:
+
+ = cat /sys/kernel/debug/netdevsim/netdevsim0/ports/0/ipsec
+ SA count=2 tx=20
+ sa[0] tx ipaddr=192.168.0.2
+ sa[0] spi=0x00000100 proto=0x32 salt=0x0adecc3a crypt=1
+ sa[0] key=0x3167608a ca4f1397 43565909 941fa627
+ sa[1] rx ipaddr=192.168.0.1
+ sa[1] spi=0x00000101 proto=0x32 salt=0x0adecc3a crypt=1
+ sa[1] key=0x3167608a ca4f1397 43565909 941fa627
+
+Fixes: 7699353da875 ("netdevsim: add ipsec offload testing")
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Link: https://patch.msgid.link/20241010040027.21440-3-liuhangbin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/netdevsim/ipsec.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/netdevsim/ipsec.c b/drivers/net/netdevsim/ipsec.c
+index 386336a38f349..feca55eef9938 100644
+--- a/drivers/net/netdevsim/ipsec.c
++++ b/drivers/net/netdevsim/ipsec.c
+@@ -171,14 +171,13 @@ static int nsim_ipsec_add_sa(struct xfrm_state *xs)
+ return ret;
+ }
+
+- if (xs->xso.dir == XFRM_DEV_OFFLOAD_IN) {
++ if (xs->xso.dir == XFRM_DEV_OFFLOAD_IN)
+ sa.rx = true;
+
+- if (xs->props.family == AF_INET6)
+- memcpy(sa.ipaddr, &xs->id.daddr.a6, 16);
+- else
+- memcpy(&sa.ipaddr[3], &xs->id.daddr.a4, 4);
+- }
++ if (xs->props.family == AF_INET6)
++ memcpy(sa.ipaddr, &xs->id.daddr.a6, 16);
++ else
++ memcpy(&sa.ipaddr[3], &xs->id.daddr.a4, 4);
+
+ /* the preparations worked, so save the info */
+ memcpy(&ipsec->sa[sa_idx], &sa, sizeof(sa));
+--
+2.43.0
+
--- /dev/null
+From 6b4ea35750fd809e661bf4b719d78846f1f89f1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Nov 2024 10:41:19 +0100
+Subject: netfilter: nf_tables: must hold rcu read lock while iterating object
+ type list
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit cddc04275f95ca3b18da5c0fb111705ac173af89 ]
+
+Update of stateful object triggers:
+WARNING: suspicious RCU usage
+net/netfilter/nf_tables_api.c:7759 RCU-list traversed in non-reader section!!
+
+other info that might help us debug this:
+rcu_scheduler_active = 2, debug_locks = 1
+1 lock held by nft/3060:
+ #0: ffff88810f0578c8 (&nft_net->commit_mutex){+.+.}-{4:4}, [..]
+
+... but this list is not protected by the transaction mutex but the
+nfnl nftables subsystem mutex.
+
+Switch to nft_obj_type_get which will acquire rcu read lock,
+bump refcount, and returns the result.
+
+v3: Dan Carpenter points out nft_obj_type_get returns error pointer, not
+NULL, on error.
+
+Fixes: dad3bdeef45f ("netfilter: nf_tables: fix memory leak during stateful obj update").
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index d7a628e2c2493..07bcf9b7d779b 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -7239,9 +7239,7 @@ static int nf_tables_updobj(const struct nft_ctx *ctx,
+ struct nft_trans *trans;
+ int err = -ENOMEM;
+
+- if (!try_module_get(type->owner))
+- return -ENOENT;
+-
++ /* caller must have obtained type->owner reference. */
+ trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
+ sizeof(struct nft_trans_obj));
+ if (!trans)
+@@ -7309,15 +7307,16 @@ static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
+ if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
+ return -EOPNOTSUPP;
+
+- type = __nft_obj_type_get(objtype, family);
+- if (WARN_ON_ONCE(!type))
+- return -ENOENT;
+-
+ if (!obj->ops->update)
+ return 0;
+
++ type = nft_obj_type_get(net, objtype, family);
++ if (WARN_ON_ONCE(IS_ERR(type)))
++ return PTR_ERR(type);
++
+ nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
+
++ /* type->owner reference is put when transaction object is released. */
+ return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 38e31d93b938dfc127e156e73e06ebebc05e8ac9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Mar 2024 09:35:48 +0100
+Subject: netfilter: nf_tables: skip transaction if update object is not
+ implemented
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 84b1a0c0140a9a92ea108576c0002210f224ce59 ]
+
+Turn update into noop as a follow up for:
+
+ 9fedd894b4e1 ("netfilter: nf_tables: fix unexpected EOPNOTSUPP error")
+
+instead of adding a transaction object which is simply discarded at a
+later stage of the commit protocol.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Stable-dep-of: cddc04275f95 ("netfilter: nf_tables: must hold rcu read lock while iterating object type list")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index ed09b1fdda16e..d7a628e2c2493 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -7313,6 +7313,9 @@ static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
+ if (WARN_ON_ONCE(!type))
+ return -ENOENT;
+
++ if (!obj->ops->update)
++ return 0;
++
+ nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
+
+ return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
+@@ -8972,9 +8975,10 @@ static void nft_obj_commit_update(struct nft_trans *trans)
+ obj = nft_trans_obj(trans);
+ newobj = nft_trans_obj_newobj(trans);
+
+- if (obj->ops->update)
+- obj->ops->update(obj, newobj);
++ if (WARN_ON_ONCE(!obj->ops->update))
++ return;
+
++ obj->ops->update(obj, newobj);
+ nft_obj_destroy(&trans->ctx, newobj);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From d9bc1908cefc8a7ab534af8c3ad95be52671e4ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2024 19:06:49 +0800
+Subject: netfs/fscache: Add a memory barrier for FSCACHE_VOLUME_CREATING
+
+From: Zizhi Wo <wozizhi@huawei.com>
+
+[ Upstream commit 22f9400a6f3560629478e0a64247b8fcc811a24d ]
+
+In fscache_create_volume(), there is a missing memory barrier between the
+bit-clearing operation and the wake-up operation. This may cause a
+situation where, after a wake-up, the bit-clearing operation hasn't been
+detected yet, leading to an indefinite wait. The triggering process is as
+follows:
+
+ [cookie1] [cookie2] [volume_work]
+fscache_perform_lookup
+ fscache_create_volume
+ fscache_perform_lookup
+ fscache_create_volume
+ fscache_create_volume_work
+ cachefiles_acquire_volume
+ clear_and_wake_up_bit
+ test_and_set_bit
+ test_and_set_bit
+ goto maybe_wait
+ goto no_wait
+
+In the above process, cookie1 and cookie2 has the same volume. When cookie1
+enters the -no_wait- process, it will clear the bit and wake up the waiting
+process. If a barrier is missing, it may cause cookie2 to remain in the
+-wait- process indefinitely.
+
+In commit 3288666c7256 ("fscache: Use clear_and_wake_up_bit() in
+fscache_create_volume_work()"), barriers were added to similar operations
+in fscache_create_volume_work(), but fscache_create_volume() was missed.
+
+By combining the clear and wake operations into clear_and_wake_up_bit() to
+fix this issue.
+
+Fixes: bfa22da3ed65 ("fscache: Provide and use cache methods to lookup/create/free a volume")
+Signed-off-by: Zizhi Wo <wozizhi@huawei.com>
+Link: https://lore.kernel.org/r/20241107110649.3980193-6-wozizhi@huawei.com
+Acked-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fscache/volume.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/fscache/volume.c b/fs/fscache/volume.c
+index cb75c07b5281a..ced14ac78cc1c 100644
+--- a/fs/fscache/volume.c
++++ b/fs/fscache/volume.c
+@@ -322,8 +322,7 @@ void fscache_create_volume(struct fscache_volume *volume, bool wait)
+ }
+ return;
+ no_wait:
+- clear_bit_unlock(FSCACHE_VOLUME_CREATING, &volume->flags);
+- wake_up_bit(&volume->flags, FSCACHE_VOLUME_CREATING);
++ clear_and_wake_up_bit(FSCACHE_VOLUME_CREATING, &volume->flags);
+ }
+
+ /*
+--
+2.43.0
+
--- /dev/null
+From ab1dbcc2310f9a729c3b872641ac0e926487b521 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Nov 2024 23:39:50 +0100
+Subject: netlink: typographical error in nlmsg_type constants definition
+
+From: Maurice Lambert <mauricelambert434@gmail.com>
+
+[ Upstream commit 84bfbfbbd32aee136afea4b6bf82581dce79c305 ]
+
+This commit fix a typographical error in netlink nlmsg_type constants definition in the include/uapi/linux/rtnetlink.h at line 177. The definition is RTM_NEWNVLAN RTM_NEWVLAN instead of RTM_NEWVLAN RTM_NEWVLAN.
+
+Signed-off-by: Maurice Lambert <mauricelambert434@gmail.com>
+Fixes: 8dcea187088b ("net: bridge: vlan: add rtm definitions and dump support")
+Link: https://patch.msgid.link/20241103223950.230300-1-mauricelambert434@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/rtnetlink.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/rtnetlink.h b/include/uapi/linux/rtnetlink.h
+index 51c13cf9c5aee..63a0922937e72 100644
+--- a/include/uapi/linux/rtnetlink.h
++++ b/include/uapi/linux/rtnetlink.h
+@@ -174,7 +174,7 @@ enum {
+ #define RTM_GETLINKPROP RTM_GETLINKPROP
+
+ RTM_NEWVLAN = 112,
+-#define RTM_NEWNVLAN RTM_NEWVLAN
++#define RTM_NEWVLAN RTM_NEWVLAN
+ RTM_DELVLAN,
+ #define RTM_DELVLAN RTM_DELVLAN
+ RTM_GETVLAN,
+--
+2.43.0
+
--- /dev/null
+From efe683565d473c97f54576afba3ed6a37efe5d1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Nov 2024 03:15:18 -0800
+Subject: netpoll: Use rcu_access_pointer() in netpoll_poll_lock
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit a57d5a72f8dec7db8a79d0016fb0a3bdecc82b56 ]
+
+The ndev->npinfo pointer in netpoll_poll_lock() is RCU-protected but is
+being accessed directly for a NULL check. While no RCU read lock is held
+in this context, we should still use proper RCU primitives for
+consistency and correctness.
+
+Replace the direct NULL check with rcu_access_pointer(), which is the
+appropriate primitive when only checking for NULL without dereferencing
+the pointer. This function provides the necessary ordering guarantees
+without requiring RCU read-side protection.
+
+Fixes: bea3348eef27 ("[NET]: Make NAPI polling independent of struct net_device objects.")
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
+Link: https://patch.msgid.link/20241118-netpoll_rcu-v1-2-a1888dcb4a02@debian.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/netpoll.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/netpoll.h b/include/linux/netpoll.h
+index bd19c4b91e312..3ddf205b7e2c3 100644
+--- a/include/linux/netpoll.h
++++ b/include/linux/netpoll.h
+@@ -71,7 +71,7 @@ static inline void *netpoll_poll_lock(struct napi_struct *napi)
+ {
+ struct net_device *dev = napi->dev;
+
+- if (dev && dev->npinfo) {
++ if (dev && rcu_access_pointer(dev->npinfo)) {
+ int owner = smp_processor_id();
+
+ while (cmpxchg(&napi->poll_owner, -1, owner) != -1)
+--
+2.43.0
+
--- /dev/null
+From 7e4260eb996ec8702c0bcb527d8f99f70215c4bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Oct 2024 11:03:56 -0400
+Subject: NFSD: Cap the number of bytes copied by nfs4_reset_recoverydir()
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit f64ea4af43161bb86ffc77e6aeb5bcf5c3229df0 ]
+
+It's only current caller already length-checks the string, but let's
+be safe.
+
+Fixes: 0964a3d3f1aa ("[PATCH] knfsd: nfsd4 reboot dirname fix")
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4recover.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c
+index 7d5d794e2e320..6596989718106 100644
+--- a/fs/nfsd/nfs4recover.c
++++ b/fs/nfsd/nfs4recover.c
+@@ -658,7 +658,8 @@ nfs4_reset_recoverydir(char *recdir)
+ return status;
+ status = -ENOTDIR;
+ if (d_is_dir(path.dentry)) {
+- strcpy(user_recovery_dirname, recdir);
++ strscpy(user_recovery_dirname, recdir,
++ sizeof(user_recovery_dirname));
+ status = 0;
+ }
+ path_put(&path);
+--
+2.43.0
+
--- /dev/null
+From 76124e397afca2130b8463ed4b6c78e6a57f24df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Oct 2024 09:40:03 -0400
+Subject: NFSD: Fix nfsd4_shutdown_copy()
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 62a8642ba00aa8ceb0a02ade942f5ec52e877c95 ]
+
+nfsd4_shutdown_copy() is just this:
+
+ while ((copy = nfsd4_get_copy(clp)) != NULL)
+ nfsd4_stop_copy(copy);
+
+nfsd4_get_copy() bumps @copy's reference count, preventing
+nfsd4_stop_copy() from releasing @copy.
+
+A while loop like this usually works by removing the first element
+of the list, but neither nfsd4_get_copy() nor nfsd4_stop_copy()
+alters the async_copies list.
+
+Best I can tell, then, is that nfsd4_shutdown_copy() continues to
+loop until other threads manage to remove all the items from this
+list. The spinning loop blocks shutdown until these items are gone.
+
+Possibly the reason we haven't seen this issue in the field is
+because client_has_state() prevents __destroy_client() from calling
+nfsd4_shutdown_copy() if there are any items on this list. In a
+subsequent patch I plan to remove that restriction.
+
+Fixes: e0639dc5805a ("NFSD introduce async copy feature")
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4proc.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
+index 0aebb2dc57761..6eb02390bd427 100644
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1255,7 +1255,7 @@ static void nfsd4_stop_copy(struct nfsd4_copy *copy)
+ nfs4_put_copy(copy);
+ }
+
+-static struct nfsd4_copy *nfsd4_get_copy(struct nfs4_client *clp)
++static struct nfsd4_copy *nfsd4_unhash_copy(struct nfs4_client *clp)
+ {
+ struct nfsd4_copy *copy = NULL;
+
+@@ -1264,6 +1264,9 @@ static struct nfsd4_copy *nfsd4_get_copy(struct nfs4_client *clp)
+ copy = list_first_entry(&clp->async_copies, struct nfsd4_copy,
+ copies);
+ refcount_inc(©->refcount);
++ copy->cp_clp = NULL;
++ if (!list_empty(©->copies))
++ list_del_init(©->copies);
+ }
+ spin_unlock(&clp->async_lock);
+ return copy;
+@@ -1273,7 +1276,7 @@ void nfsd4_shutdown_copy(struct nfs4_client *clp)
+ {
+ struct nfsd4_copy *copy;
+
+- while ((copy = nfsd4_get_copy(clp)) != NULL)
++ while ((copy = nfsd4_unhash_copy(clp)) != NULL)
+ nfsd4_stop_copy(copy);
+ }
+ #ifdef CONFIG_NFSD_V4_2_INTER_SSC
+--
+2.43.0
+
--- /dev/null
+From 8fe72646c7abe75f8cf0038560b75722fa2b3d29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Oct 2024 11:03:53 -0400
+Subject: NFSD: Prevent NULL dereference in nfsd4_process_cb_update()
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 1e02c641c3a43c88cecc08402000418e15578d38 ]
+
+@ses is initialized to NULL. If __nfsd4_find_backchannel() finds no
+available backchannel session, setup_callback_client() will try to
+dereference @ses and segfault.
+
+Fixes: dcbeaa68dbbd ("nfsd4: allow backchannel recovery")
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4callback.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c
+index 4eae2c5af2edf..18d62d3424c1a 100644
+--- a/fs/nfsd/nfs4callback.c
++++ b/fs/nfsd/nfs4callback.c
+@@ -1379,6 +1379,8 @@ static void nfsd4_process_cb_update(struct nfsd4_callback *cb)
+ ses = c->cn_session;
+ }
+ spin_unlock(&clp->cl_lock);
++ if (!c)
++ return;
+
+ err = setup_callback_client(clp, &conn, ses);
+ if (err) {
+--
+2.43.0
+
--- /dev/null
+From b325af044012a4d5d4edcb43537ae40e466b39bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Nov 2024 05:40:04 +0100
+Subject: nvme-pci: fix freeing of the HMB descriptor table
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 3c2fb1ca8086eb139b2a551358137525ae8e0d7a ]
+
+The HMB descriptor table is sized to the maximum number of descriptors
+that could be used for a given device, but __nvme_alloc_host_mem could
+break out of the loop earlier on memory allocation failure and end up
+using less descriptors than planned for, which leads to an incorrect
+size passed to dma_free_coherent.
+
+In practice this was not showing up because the number of descriptors
+tends to be low and the dma coherent allocator always allocates and
+frees at least a page.
+
+Fixes: 87ad72a59a38 ("nvme-pci: implement host memory buffer support")
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index f0063962c2c87..e09df396eb14c 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -153,6 +153,7 @@ struct nvme_dev {
+ /* host memory buffer support: */
+ u64 host_mem_size;
+ u32 nr_host_mem_descs;
++ u32 host_mem_descs_size;
+ dma_addr_t host_mem_descs_dma;
+ struct nvme_host_mem_buf_desc *host_mem_descs;
+ void **host_mem_desc_bufs;
+@@ -2007,10 +2008,10 @@ static void nvme_free_host_mem(struct nvme_dev *dev)
+
+ kfree(dev->host_mem_desc_bufs);
+ dev->host_mem_desc_bufs = NULL;
+- dma_free_coherent(dev->dev,
+- dev->nr_host_mem_descs * sizeof(*dev->host_mem_descs),
++ dma_free_coherent(dev->dev, dev->host_mem_descs_size,
+ dev->host_mem_descs, dev->host_mem_descs_dma);
+ dev->host_mem_descs = NULL;
++ dev->host_mem_descs_size = 0;
+ dev->nr_host_mem_descs = 0;
+ }
+
+@@ -2018,7 +2019,7 @@ static int __nvme_alloc_host_mem(struct nvme_dev *dev, u64 preferred,
+ u32 chunk_size)
+ {
+ struct nvme_host_mem_buf_desc *descs;
+- u32 max_entries, len;
++ u32 max_entries, len, descs_size;
+ dma_addr_t descs_dma;
+ int i = 0;
+ void **bufs;
+@@ -2031,8 +2032,9 @@ static int __nvme_alloc_host_mem(struct nvme_dev *dev, u64 preferred,
+ if (dev->ctrl.hmmaxd && dev->ctrl.hmmaxd < max_entries)
+ max_entries = dev->ctrl.hmmaxd;
+
+- descs = dma_alloc_coherent(dev->dev, max_entries * sizeof(*descs),
+- &descs_dma, GFP_KERNEL);
++ descs_size = max_entries * sizeof(*descs);
++ descs = dma_alloc_coherent(dev->dev, descs_size, &descs_dma,
++ GFP_KERNEL);
+ if (!descs)
+ goto out;
+
+@@ -2061,6 +2063,7 @@ static int __nvme_alloc_host_mem(struct nvme_dev *dev, u64 preferred,
+ dev->host_mem_size = size;
+ dev->host_mem_descs = descs;
+ dev->host_mem_descs_dma = descs_dma;
++ dev->host_mem_descs_size = descs_size;
+ dev->host_mem_desc_bufs = bufs;
+ return 0;
+
+@@ -2075,8 +2078,7 @@ static int __nvme_alloc_host_mem(struct nvme_dev *dev, u64 preferred,
+
+ kfree(bufs);
+ out_free_descs:
+- dma_free_coherent(dev->dev, max_entries * sizeof(*descs), descs,
+- descs_dma);
++ dma_free_coherent(dev->dev, descs_size, descs, descs_dma);
+ out:
+ dev->host_mem_descs = NULL;
+ return -ENOMEM;
+--
+2.43.0
+
--- /dev/null
+From 41acc6d612353957f089d35b13512ace0d53ddc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Nov 2024 16:20:41 +0100
+Subject: nvme-pci: reverse request order in nvme_queue_rqs
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit beadf0088501d9dcf2454b05d90d5d31ea3ba55f ]
+
+blk_mq_flush_plug_list submits requests in the reverse order that they
+were submitted, which leads to a rather suboptimal I/O pattern especially
+in rotational devices. Fix this by rewriting nvme_queue_rqs so that it
+always pops the requests from the passed in request list, and then adds
+them to the head of a local submit list. This actually simplifies the
+code a bit as it removes the complicated list splicing, at the cost of
+extra updates of the rq_next pointer. As that should be cache hot
+anyway it should be an easy price to pay.
+
+Fixes: d62cbcf62f2f ("nvme: add support for mq_ops->queue_rqs()")
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20241113152050.157179-2-hch@lst.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 39 +++++++++++++++++----------------------
+ 1 file changed, 17 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index e09df396eb14c..fbc45b58099f9 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -952,9 +952,10 @@ static blk_status_t nvme_queue_rq(struct blk_mq_hw_ctx *hctx,
+
+ static void nvme_submit_cmds(struct nvme_queue *nvmeq, struct request **rqlist)
+ {
++ struct request *req;
++
+ spin_lock(&nvmeq->sq_lock);
+- while (!rq_list_empty(*rqlist)) {
+- struct request *req = rq_list_pop(rqlist);
++ while ((req = rq_list_pop(rqlist))) {
+ struct nvme_iod *iod = blk_mq_rq_to_pdu(req);
+
+ nvme_sq_copy_cmd(nvmeq, &iod->cmd);
+@@ -980,31 +981,25 @@ static bool nvme_prep_rq_batch(struct nvme_queue *nvmeq, struct request *req)
+
+ static void nvme_queue_rqs(struct request **rqlist)
+ {
+- struct request *req, *next, *prev = NULL;
++ struct request *submit_list = NULL;
+ struct request *requeue_list = NULL;
++ struct request **requeue_lastp = &requeue_list;
++ struct nvme_queue *nvmeq = NULL;
++ struct request *req;
+
+- rq_list_for_each_safe(rqlist, req, next) {
+- struct nvme_queue *nvmeq = req->mq_hctx->driver_data;
+-
+- if (!nvme_prep_rq_batch(nvmeq, req)) {
+- /* detach 'req' and add to remainder list */
+- rq_list_move(rqlist, &requeue_list, req, prev);
+-
+- req = prev;
+- if (!req)
+- continue;
+- }
++ while ((req = rq_list_pop(rqlist))) {
++ if (nvmeq && nvmeq != req->mq_hctx->driver_data)
++ nvme_submit_cmds(nvmeq, &submit_list);
++ nvmeq = req->mq_hctx->driver_data;
+
+- if (!next || req->mq_hctx != next->mq_hctx) {
+- /* detach rest of list, and submit */
+- req->rq_next = NULL;
+- nvme_submit_cmds(nvmeq, rqlist);
+- *rqlist = next;
+- prev = NULL;
+- } else
+- prev = req;
++ if (nvme_prep_rq_batch(nvmeq, req))
++ rq_list_add(&submit_list, req); /* reverse order */
++ else
++ rq_list_add_tail(&requeue_lastp, req);
+ }
+
++ if (nvmeq)
++ nvme_submit_cmds(nvmeq, &submit_list);
+ *rqlist = requeue_list;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From fd1a782ded941d784ee86a929bf0213c5dd001ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2024 12:17:36 +0300
+Subject: ocfs2: fix uninitialized value in ocfs2_file_read_iter()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit adc77b19f62d7e80f98400b2fca9d700d2afdd6f ]
+
+Syzbot has reported the following KMSAN splat:
+
+BUG: KMSAN: uninit-value in ocfs2_file_read_iter+0x9a4/0xf80
+ ocfs2_file_read_iter+0x9a4/0xf80
+ __io_read+0x8d4/0x20f0
+ io_read+0x3e/0xf0
+ io_issue_sqe+0x42b/0x22c0
+ io_wq_submit_work+0xaf9/0xdc0
+ io_worker_handle_work+0xd13/0x2110
+ io_wq_worker+0x447/0x1410
+ ret_from_fork+0x6f/0x90
+ ret_from_fork_asm+0x1a/0x30
+
+Uninit was created at:
+ __alloc_pages_noprof+0x9a7/0xe00
+ alloc_pages_mpol_noprof+0x299/0x990
+ alloc_pages_noprof+0x1bf/0x1e0
+ allocate_slab+0x33a/0x1250
+ ___slab_alloc+0x12ef/0x35e0
+ kmem_cache_alloc_bulk_noprof+0x486/0x1330
+ __io_alloc_req_refill+0x84/0x560
+ io_submit_sqes+0x172f/0x2f30
+ __se_sys_io_uring_enter+0x406/0x41c0
+ __x64_sys_io_uring_enter+0x11f/0x1a0
+ x64_sys_call+0x2b54/0x3ba0
+ do_syscall_64+0xcd/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Since an instance of 'struct kiocb' may be passed from the block layer
+with 'private' field uninitialized, introduce 'ocfs2_iocb_init_rw_locked()'
+and use it from where 'ocfs2_dio_end_io()' might take care, i.e. in
+'ocfs2_file_read_iter()' and 'ocfs2_file_write_iter()'.
+
+Link: https://lkml.kernel.org/r/20241029091736.1501946-1-dmantipov@yandex.ru
+Fixes: 7cdfc3a1c397 ("ocfs2: Remember rw lock level during direct io")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Reported-by: syzbot+a73e253cca4f0230a5a5@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=a73e253cca4f0230a5a5
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/aops.h | 2 ++
+ fs/ocfs2/file.c | 4 ++++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/fs/ocfs2/aops.h b/fs/ocfs2/aops.h
+index 3a520117fa59f..a9ce7947228c8 100644
+--- a/fs/ocfs2/aops.h
++++ b/fs/ocfs2/aops.h
+@@ -70,6 +70,8 @@ enum ocfs2_iocb_lock_bits {
+ OCFS2_IOCB_NUM_LOCKS
+ };
+
++#define ocfs2_iocb_init_rw_locked(iocb) \
++ (iocb->private = NULL)
+ #define ocfs2_iocb_clear_rw_locked(iocb) \
+ clear_bit(OCFS2_IOCB_RW_LOCK, (unsigned long *)&iocb->private)
+ #define ocfs2_iocb_rw_locked_level(iocb) \
+diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
+index e96b947c3f5dd..e29e267472bf8 100644
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -2398,6 +2398,8 @@ static ssize_t ocfs2_file_write_iter(struct kiocb *iocb,
+ } else
+ inode_lock(inode);
+
++ ocfs2_iocb_init_rw_locked(iocb);
++
+ /*
+ * Concurrent O_DIRECT writes are allowed with
+ * mount_option "coherency=buffered".
+@@ -2544,6 +2546,8 @@ static ssize_t ocfs2_file_read_iter(struct kiocb *iocb,
+ if (!direct_io && nowait)
+ return -EOPNOTSUPP;
+
++ ocfs2_iocb_init_rw_locked(iocb);
++
+ /*
+ * buffered reads protect themselves in ->read_folio(). O_DIRECT reads
+ * need locks to protect pending reads from racing with truncate.
+--
+2.43.0
+
--- /dev/null
+From f88033febe844fbd7e262ae9c2a3f24d1218991d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Nov 2024 21:50:31 +0530
+Subject: octeontx2-af: RPM: Fix mismatch in lmac type
+
+From: Hariprasad Kelam <hkelam@marvell.com>
+
+[ Upstream commit 7ebbbb23ea5b6d051509cb11399afac5042c9266 ]
+
+Due to a bug in the previous patch, there is a mismatch
+between the lmac type reported by the driver and the actual
+hardware configuration.
+
+Fixes: 3ad3f8f93c81 ("octeontx2-af: cn10k: MAC internal loopback support")
+Signed-off-by: Hariprasad Kelam <hkelam@marvell.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/af/rpm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rpm.c b/drivers/net/ethernet/marvell/octeontx2/af/rpm.c
+index 6b4792a942d84..d8001bfd39a15 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rpm.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rpm.c
+@@ -350,7 +350,7 @@ u8 rpm_get_lmac_type(void *rpmd, int lmac_id)
+ int err;
+
+ req = FIELD_SET(CMDREG_ID, CGX_CMD_GET_LINK_STS, req);
+- err = cgx_fwi_cmd_generic(req, &resp, rpm, 0);
++ err = cgx_fwi_cmd_generic(req, &resp, rpm, lmac_id);
+ if (!err)
+ return FIELD_GET(RESP_LINKSTAT_LMAC_TYPE, resp);
+ return err;
+--
+2.43.0
+
--- /dev/null
+From 404f140c17c9e5b5ba8fe184912cbd9222fd907c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Oct 2024 19:10:36 +0000
+Subject: octeontx2-pf: handle otx2_mbox_get_rsp errors in cn10k.c
+
+From: Dipendra Khadka <kdipendra88@gmail.com>
+
+[ Upstream commit ac9183023b6a9c09467516abd8aab04f9a2f9564 ]
+
+Add error pointer check after calling otx2_mbox_get_rsp().
+
+Fixes: 2ca89a2c3752 ("octeontx2-pf: TC_MATCHALL ingress ratelimiting offload")
+Signed-off-by: Dipendra Khadka <kdipendra88@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c
+index 59d8d1ba15c28..8663bdf014d85 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c
+@@ -201,6 +201,11 @@ int cn10k_alloc_leaf_profile(struct otx2_nic *pfvf, u16 *leaf)
+
+ rsp = (struct nix_bandprof_alloc_rsp *)
+ otx2_mbox_get_rsp(&pfvf->mbox.mbox, 0, &req->hdr);
++ if (IS_ERR(rsp)) {
++ rc = PTR_ERR(rsp);
++ goto out;
++ }
++
+ if (!rsp->prof_count[BAND_PROF_LEAF_LAYER]) {
+ rc = -EIO;
+ goto out;
+--
+2.43.0
+
--- /dev/null
+From c5ad0591cbbc59697fdd465c0abd8d20f4968d5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Oct 2024 18:56:33 +0000
+Subject: octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_common.c
+
+From: Dipendra Khadka <kdipendra88@gmail.com>
+
+[ Upstream commit 0fbc7a5027c6f7f2c785adae3dcec22b2f2b69b3 ]
+
+Add error pointer check after calling otx2_mbox_get_rsp().
+
+Fixes: ab58a416c93f ("octeontx2-pf: cn10k: Get max mtu supported from admin function")
+Signed-off-by: Dipendra Khadka <kdipendra88@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
+index c00d6d67db518..d05f91f97a9af 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
+@@ -1786,6 +1786,10 @@ u16 otx2_get_max_mtu(struct otx2_nic *pfvf)
+ if (!rc) {
+ rsp = (struct nix_hw_info *)
+ otx2_mbox_get_rsp(&pfvf->mbox.mbox, 0, &req->hdr);
++ if (IS_ERR(rsp)) {
++ rc = PTR_ERR(rsp);
++ goto out;
++ }
+
+ /* HW counts VLAN insertion bytes (8 for double tag)
+ * irrespective of whether SQE is requesting to insert VLAN
+--
+2.43.0
+
--- /dev/null
+From aafe011d00d7a9cef2f1ad99edbfc19f92d19569 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Oct 2024 19:02:29 +0000
+Subject: octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_ethtool.c
+
+From: Dipendra Khadka <kdipendra88@gmail.com>
+
+[ Upstream commit e26f8eac6bb20b20fdb8f7dc695711ebce4c7c5c ]
+
+Add error pointer check after calling otx2_mbox_get_rsp().
+
+Fixes: 75f36270990c ("octeontx2-pf: Support to enable/disable pause frames via ethtool")
+Fixes: d0cf9503e908 ("octeontx2-pf: ethtool fec mode support")
+Signed-off-by: Dipendra Khadka <kdipendra88@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
+index af779ae40d3c2..2d6f6edb15106 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
+@@ -333,6 +333,11 @@ static void otx2_get_pauseparam(struct net_device *netdev,
+ if (!otx2_sync_mbox_msg(&pfvf->mbox)) {
+ rsp = (struct cgx_pause_frm_cfg *)
+ otx2_mbox_get_rsp(&pfvf->mbox.mbox, 0, &req->hdr);
++ if (IS_ERR(rsp)) {
++ mutex_unlock(&pfvf->mbox.lock);
++ return;
++ }
++
+ pause->rx_pause = rsp->rx_pause;
+ pause->tx_pause = rsp->tx_pause;
+ }
+@@ -1072,6 +1077,11 @@ static int otx2_set_fecparam(struct net_device *netdev,
+
+ rsp = (struct fec_mode *)otx2_mbox_get_rsp(&pfvf->mbox.mbox,
+ 0, &req->hdr);
++ if (IS_ERR(rsp)) {
++ err = PTR_ERR(rsp);
++ goto end;
++ }
++
+ if (rsp->fec >= 0)
+ pfvf->linfo.fec = rsp->fec;
+ else
+--
+2.43.0
+
--- /dev/null
+From 3ce8be24013934c77662df2f10e29639e3e9fd39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Oct 2024 19:08:44 +0000
+Subject: octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_flows.c
+
+From: Dipendra Khadka <kdipendra88@gmail.com>
+
+[ Upstream commit bd3110bc102ab6292656b8118be819faa0de8dd0 ]
+
+Adding error pointer check after calling otx2_mbox_get_rsp().
+
+Fixes: 9917060fc30a ("octeontx2-pf: Cleanup flow rule management")
+Fixes: f0a1913f8a6f ("octeontx2-pf: Add support for ethtool ntuple filters")
+Fixes: 674b3e164238 ("octeontx2-pf: Add additional checks while configuring ucast/bcast/mcast rules")
+Signed-off-by: Dipendra Khadka <kdipendra88@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/marvell/octeontx2/nic/otx2_flows.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c
+index 5c757508322b9..7c7f8814fb3f9 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c
+@@ -121,6 +121,8 @@ int otx2_alloc_mcam_entries(struct otx2_nic *pfvf, u16 count)
+
+ rsp = (struct npc_mcam_alloc_entry_rsp *)otx2_mbox_get_rsp
+ (&pfvf->mbox.mbox, 0, &req->hdr);
++ if (IS_ERR(rsp))
++ goto exit;
+
+ for (ent = 0; ent < rsp->count; ent++)
+ flow_cfg->flow_ent[ent + allocated] = rsp->entry_list[ent];
+@@ -199,6 +201,10 @@ static int otx2_mcam_entry_init(struct otx2_nic *pfvf)
+
+ rsp = (struct npc_mcam_alloc_entry_rsp *)otx2_mbox_get_rsp
+ (&pfvf->mbox.mbox, 0, &req->hdr);
++ if (IS_ERR(rsp)) {
++ mutex_unlock(&pfvf->mbox.lock);
++ return PTR_ERR(rsp);
++ }
+
+ if (rsp->count != req->count) {
+ netdev_info(pfvf->netdev,
+@@ -234,6 +240,10 @@ static int otx2_mcam_entry_init(struct otx2_nic *pfvf)
+
+ frsp = (struct npc_get_field_status_rsp *)otx2_mbox_get_rsp
+ (&pfvf->mbox.mbox, 0, &freq->hdr);
++ if (IS_ERR(frsp)) {
++ mutex_unlock(&pfvf->mbox.lock);
++ return PTR_ERR(frsp);
++ }
+
+ if (frsp->enable) {
+ pfvf->flags |= OTX2_FLAG_RX_VLAN_SUPPORT;
+--
+2.43.0
+
--- /dev/null
+From 89f0165adae23de826d588724ac7b0c73f0540c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Oct 2024 19:13:54 +0000
+Subject: octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_dmac_flt.c
+
+From: Dipendra Khadka <kdipendra88@gmail.com>
+
+[ Upstream commit f5b942e6c54b13246ee49d42dcfb71b7f29e3c64 ]
+
+Add error pointer checks after calling otx2_mbox_get_rsp().
+
+Fixes: 79d2be385e9e ("octeontx2-pf: offload DMAC filters to CGX/RPM block")
+Fixes: fa5e0ccb8f3a ("octeontx2-pf: Add support for exact match table.")
+Signed-off-by: Dipendra Khadka <kdipendra88@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/marvell/octeontx2/nic/otx2_dmac_flt.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dmac_flt.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dmac_flt.c
+index 80d853b343f98..2046dd0da00d8 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dmac_flt.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dmac_flt.c
+@@ -28,6 +28,11 @@ static int otx2_dmacflt_do_add(struct otx2_nic *pf, const u8 *mac,
+ if (!err) {
+ rsp = (struct cgx_mac_addr_add_rsp *)
+ otx2_mbox_get_rsp(&pf->mbox.mbox, 0, &req->hdr);
++ if (IS_ERR(rsp)) {
++ mutex_unlock(&pf->mbox.lock);
++ return PTR_ERR(rsp);
++ }
++
+ *dmac_index = rsp->index;
+ }
+
+@@ -200,6 +205,10 @@ int otx2_dmacflt_update(struct otx2_nic *pf, u8 *mac, u32 bit_pos)
+
+ rsp = (struct cgx_mac_addr_update_rsp *)
+ otx2_mbox_get_rsp(&pf->mbox.mbox, 0, &req->hdr);
++ if (IS_ERR(rsp)) {
++ rc = PTR_ERR(rsp);
++ goto out;
++ }
+
+ pf->flow_cfg->bmap_to_dmacindex[bit_pos] = rsp->index;
+
+--
+2.43.0
+
--- /dev/null
+From 38a78c75ab4f1faf2e8f5c4549756445716c0a55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Oct 2024 19:16:16 +0000
+Subject: octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_dcbnl.c
+
+From: Dipendra Khadka <kdipendra88@gmail.com>
+
+[ Upstream commit 69297b0d3369488af259e3a7cf53d69157938ea1 ]
+
+Add error pointer check after calling otx2_mbox_get_rsp().
+
+Fixes: 8e67558177f8 ("octeontx2-pf: PFC config support with DCBx")
+Signed-off-by: Dipendra Khadka <kdipendra88@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c
+index 28fb643d2917f..1a13f003f3dbd 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c
+@@ -311,6 +311,11 @@ int otx2_config_priority_flow_ctrl(struct otx2_nic *pfvf)
+ if (!otx2_sync_mbox_msg(&pfvf->mbox)) {
+ rsp = (struct cgx_pfc_rsp *)
+ otx2_mbox_get_rsp(&pfvf->mbox.mbox, 0, &req->hdr);
++ if (IS_ERR(rsp)) {
++ err = PTR_ERR(rsp);
++ goto unlock;
++ }
++
+ if (req->rx_pause != rsp->rx_pause || req->tx_pause != rsp->tx_pause) {
+ dev_warn(pfvf->dev,
+ "Failed to config PFC\n");
+--
+2.43.0
+
--- /dev/null
+From 5e4809e7908abdc49afa3f0ae5734975f618b7a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Oct 2024 12:11:37 +0300
+Subject: PCI: cpqphp: Fix PCIBIOS_* return value confusion
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+[ Upstream commit e2226dbc4a4919d9c8bd9293299b532090bdf020 ]
+
+Code in and related to PCI_RefinedAccessConfig() has three types of return
+type confusion:
+
+ - PCI_RefinedAccessConfig() tests pci_bus_read_config_dword() return value
+ against -1.
+
+ - PCI_RefinedAccessConfig() returns both -1 and PCIBIOS_* return codes.
+
+ - Callers of PCI_RefinedAccessConfig() only test for -1.
+
+Make PCI_RefinedAccessConfig() return PCIBIOS_* codes consistently and
+adapt callers accordingly.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Link: https://lore.kernel.org/r/20241022091140.3504-2-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/hotplug/cpqphp_pci.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pci/hotplug/cpqphp_pci.c b/drivers/pci/hotplug/cpqphp_pci.c
+index ae95307e6ece3..a35af42d6a3d8 100644
+--- a/drivers/pci/hotplug/cpqphp_pci.c
++++ b/drivers/pci/hotplug/cpqphp_pci.c
+@@ -135,11 +135,13 @@ int cpqhp_unconfigure_device(struct pci_func *func)
+ static int PCI_RefinedAccessConfig(struct pci_bus *bus, unsigned int devfn, u8 offset, u32 *value)
+ {
+ u32 vendID = 0;
++ int ret;
+
+- if (pci_bus_read_config_dword(bus, devfn, PCI_VENDOR_ID, &vendID) == -1)
+- return -1;
++ ret = pci_bus_read_config_dword(bus, devfn, PCI_VENDOR_ID, &vendID);
++ if (ret != PCIBIOS_SUCCESSFUL)
++ return PCIBIOS_DEVICE_NOT_FOUND;
+ if (PCI_POSSIBLE_ERROR(vendID))
+- return -1;
++ return PCIBIOS_DEVICE_NOT_FOUND;
+ return pci_bus_read_config_dword(bus, devfn, offset, value);
+ }
+
+@@ -202,13 +204,15 @@ static int PCI_ScanBusForNonBridge(struct controller *ctrl, u8 bus_num, u8 *dev_
+ {
+ u16 tdevice;
+ u32 work;
++ int ret;
+ u8 tbus;
+
+ ctrl->pci_bus->number = bus_num;
+
+ for (tdevice = 0; tdevice < 0xFF; tdevice++) {
+ /* Scan for access first */
+- if (PCI_RefinedAccessConfig(ctrl->pci_bus, tdevice, 0x08, &work) == -1)
++ ret = PCI_RefinedAccessConfig(ctrl->pci_bus, tdevice, 0x08, &work);
++ if (ret)
+ continue;
+ dbg("Looking for nonbridge bus_num %d dev_num %d\n", bus_num, tdevice);
+ /* Yep we got one. Not a bridge ? */
+@@ -220,7 +224,8 @@ static int PCI_ScanBusForNonBridge(struct controller *ctrl, u8 bus_num, u8 *dev_
+ }
+ for (tdevice = 0; tdevice < 0xFF; tdevice++) {
+ /* Scan for access first */
+- if (PCI_RefinedAccessConfig(ctrl->pci_bus, tdevice, 0x08, &work) == -1)
++ ret = PCI_RefinedAccessConfig(ctrl->pci_bus, tdevice, 0x08, &work);
++ if (ret)
+ continue;
+ dbg("Looking for bridge bus_num %d dev_num %d\n", bus_num, tdevice);
+ /* Yep we got one. bridge ? */
+--
+2.43.0
+
--- /dev/null
+From c28a02b9531aedd3a3fe2b7c929bb386b92193ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2024 14:50:50 +0800
+Subject: PCI: cpqphp: Use PCI_POSSIBLE_ERROR() to check config reads
+
+From: weiyufeng <weiyufeng@kylinos.cn>
+
+[ Upstream commit 87d5403378cccc557af9e02a8a2c8587ad8b7e9a ]
+
+Use PCI_POSSIBLE_ERROR() to check the response we get when we read data
+from hardware. This unifies PCI error response checking and makes error
+checks consistent and easier to find.
+
+Link: https://lore.kernel.org/r/20240806065050.28725-1-412574090@163.com
+Signed-off-by: weiyufeng <weiyufeng@kylinos.cn>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Stable-dep-of: e2226dbc4a49 ("PCI: cpqphp: Fix PCIBIOS_* return value confusion")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/hotplug/cpqphp_pci.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pci/hotplug/cpqphp_pci.c b/drivers/pci/hotplug/cpqphp_pci.c
+index 3b248426a9f42..ae95307e6ece3 100644
+--- a/drivers/pci/hotplug/cpqphp_pci.c
++++ b/drivers/pci/hotplug/cpqphp_pci.c
+@@ -138,7 +138,7 @@ static int PCI_RefinedAccessConfig(struct pci_bus *bus, unsigned int devfn, u8 o
+
+ if (pci_bus_read_config_dword(bus, devfn, PCI_VENDOR_ID, &vendID) == -1)
+ return -1;
+- if (vendID == 0xffffffff)
++ if (PCI_POSSIBLE_ERROR(vendID))
+ return -1;
+ return pci_bus_read_config_dword(bus, devfn, offset, value);
+ }
+@@ -253,7 +253,7 @@ static int PCI_GetBusDevHelper(struct controller *ctrl, u8 *bus_num, u8 *dev_num
+ *dev_num = tdevice;
+ ctrl->pci_bus->number = tbus;
+ pci_bus_read_config_dword(ctrl->pci_bus, *dev_num, PCI_VENDOR_ID, &work);
+- if (!nobridge || (work == 0xffffffff))
++ if (!nobridge || PCI_POSSIBLE_ERROR(work))
+ return 0;
+
+ dbg("bus_num %d devfn %d\n", *bus_num, *dev_num);
+--
+2.43.0
+
--- /dev/null
+From d167029b0bf9cc293abb1d5eaa6689cedf8e2557 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 23:11:47 +0000
+Subject: PCI: Fix reset_method_store() memory leak
+
+From: Todd Kjos <tkjos@google.com>
+
+[ Upstream commit 2985b1844f3f3447f2d938eff1ef6762592065a5 ]
+
+In reset_method_store(), a string is allocated via kstrndup() and assigned
+to the local "options". options is then used in with strsep() to find
+spaces:
+
+ while ((name = strsep(&options, " ")) != NULL) {
+
+If there are no remaining spaces, then options is set to NULL by strsep(),
+so the subsequent kfree(options) doesn't free the memory allocated via
+kstrndup().
+
+Fix by using a separate tmp_options to iterate with strsep() so options is
+preserved.
+
+Link: https://lore.kernel.org/r/20241001231147.3583649-1-tkjos@google.com
+Fixes: d88f521da3ef ("PCI: Allow userspace to query and set device reset mechanism")
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index 0baf5c03ef4cb..e08354b811073 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -5308,7 +5308,7 @@ static ssize_t reset_method_store(struct device *dev,
+ const char *buf, size_t count)
+ {
+ struct pci_dev *pdev = to_pci_dev(dev);
+- char *options, *name;
++ char *options, *tmp_options, *name;
+ int m, n;
+ u8 reset_methods[PCI_NUM_RESET_METHODS] = { 0 };
+
+@@ -5328,7 +5328,8 @@ static ssize_t reset_method_store(struct device *dev,
+ return -ENOMEM;
+
+ n = 0;
+- while ((name = strsep(&options, " ")) != NULL) {
++ tmp_options = options;
++ while ((name = strsep(&tmp_options, " ")) != NULL) {
+ if (sysfs_streq(name, ""))
+ continue;
+
+--
+2.43.0
+
--- /dev/null
+From 2f3b1068448b44caebb986fc4ca32c7f341858d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Sep 2024 14:57:32 +0100
+Subject: perf cs-etm: Don't flush when packet_queue fills up
+
+From: James Clark <james.clark@linaro.org>
+
+[ Upstream commit 5afd032961e8465808c4bc385c06e7676fbe1951 ]
+
+cs_etm__flush(), like cs_etm__sample() is an operation that generates a
+sample and then swaps the current with the previous packet. Calling
+flush after processing the queues results in two swaps which corrupts
+the next sample. Therefore it wasn't appropriate to call flush here so
+remove it.
+
+Flushing is still done on a discontinuity to explicitly clear the last
+branch buffer, but when the packet_queue fills up before reaching a
+timestamp, that's not a discontinuity and the call to
+cs_etm__process_traceid_queue() already generated samples and drained
+the buffers correctly.
+
+This is visible by looking for a branch that has the same target as the
+previous branch and the following source is before the address of the
+last target, which is impossible as execution would have had to have
+gone backwards:
+
+ ffff800080849d40 _find_next_and_bit+0x78 => ffff80008011cadc update_sg_lb_stats+0x94
+ (packet_queue fills here before a timestamp, resulting in a flush and
+ branch target ffff80008011cadc is duplicated.)
+ ffff80008011cb1c update_sg_lb_stats+0xd4 => ffff80008011cadc update_sg_lb_stats+0x94
+ ffff8000801117c4 cpu_util+0x24 => ffff8000801117d4 cpu_util+0x34
+
+After removing the flush the correct branch target is used for the
+second sample, and ffff8000801117c4 is no longer before the previous
+address:
+
+ ffff800080849d40 _find_next_and_bit+0x78 => ffff80008011cadc update_sg_lb_stats+0x94
+ ffff80008011cb1c update_sg_lb_stats+0xd4 => ffff8000801117a0 cpu_util+0x0
+ ffff8000801117c4 cpu_util+0x24 => ffff8000801117d4 cpu_util+0x34
+
+Make sure that a final branch stack is output at the end of the trace
+by calling cs_etm__end_block(). This is already done for both the
+timeless decode paths.
+
+Fixes: 21fe8dc1191a ("perf cs-etm: Add support for CPU-wide trace scenarios")
+Reported-by: Ganapatrao Kulkarni <gankulkarni@os.amperecomputing.com>
+Closes: https://lore.kernel.org/all/20240719092619.274730-1-gankulkarni@os.amperecomputing.com/
+Reviewed-by: Leo Yan <leo.yan@arm.com>
+Signed-off-by: James Clark <james.clark@linaro.org>
+Tested-by: Ganapatrao Kulkarni <gankulkarni@os.amperecomputing.com>
+Cc: Ben Gainey <ben.gainey@arm.com>
+Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Cc: Mike Leach <mike.leach@linaro.org>
+Cc: Ruidong Tian <tianruidong@linux.alibaba.com>
+Cc: Benjamin Gray <bgray@linux.ibm.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: coresight@lists.linaro.org
+Cc: John Garry <john.g.garry@oracle.com>
+Cc: scclevenger@os.amperecomputing.com
+Link: https://lore.kernel.org/r/20240916135743.1490403-2-james.clark@linaro.org
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/cs-etm.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/tools/perf/util/cs-etm.c b/tools/perf/util/cs-etm.c
+index 09e240e4477d0..3b54baf79bd4a 100644
+--- a/tools/perf/util/cs-etm.c
++++ b/tools/perf/util/cs-etm.c
+@@ -2124,12 +2124,6 @@ static void cs_etm__clear_all_traceid_queues(struct cs_etm_queue *etmq)
+
+ /* Ignore return value */
+ cs_etm__process_traceid_queue(etmq, tidq);
+-
+- /*
+- * Generate an instruction sample with the remaining
+- * branchstack entries.
+- */
+- cs_etm__flush(etmq, tidq);
+ }
+ }
+
+@@ -2226,7 +2220,7 @@ static int cs_etm__process_queues(struct cs_etm_auxtrace *etm)
+
+ while (1) {
+ if (!etm->heap.heap_cnt)
+- goto out;
++ break;
+
+ /* Take the entry at the top of the min heap */
+ cs_queue_nr = etm->heap.heap_array[0].queue_nr;
+@@ -2309,6 +2303,23 @@ static int cs_etm__process_queues(struct cs_etm_auxtrace *etm)
+ ret = auxtrace_heap__add(&etm->heap, cs_queue_nr, cs_timestamp);
+ }
+
++ for (i = 0; i < etm->queues.nr_queues; i++) {
++ struct int_node *inode;
++
++ etmq = etm->queues.queue_array[i].priv;
++ if (!etmq)
++ continue;
++
++ intlist__for_each_entry(inode, etmq->traceid_queues_list) {
++ int idx = (int)(intptr_t)inode->priv;
++
++ /* Flush any remaining branch stack entries */
++ tidq = etmq->traceid_queues[idx];
++ ret = cs_etm__end_block(etmq, tidq);
++ if (ret)
++ return ret;
++ }
++ }
+ out:
+ return ret;
+ }
+--
+2.43.0
+
--- /dev/null
+From d2a515c02837d3f30029b09eef1dd3273e21ea60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2024 16:29:02 -0300
+Subject: perf ftrace latency: Fix unit on histogram first entry when using
+ --use-nsec
+
+From: Arnaldo Carvalho de Melo <acme@kernel.org>
+
+[ Upstream commit 064d569e20e82c065b1dec9d20c29c7087bb1a00 ]
+
+The use_nsec arg wasn't being taken into account when printing the first
+histogram entry, fix it:
+
+ root@number:~# perf ftrace latency --use-nsec -T switch_mm_irqs_off -a sleep 2
+ # DURATION | COUNT | GRAPH |
+ 0 - 1 us | 0 | |
+ 1 - 2 ns | 0 | |
+ 2 - 4 ns | 0 | |
+ 4 - 8 ns | 0 | |
+ 8 - 16 ns | 0 | |
+ 16 - 32 ns | 0 | |
+ 32 - 64 ns | 125 | |
+ 64 - 128 ns | 335 | |
+ 128 - 256 ns | 2155 | #### |
+ 256 - 512 ns | 9996 | ################### |
+ 512 - 1024 ns | 4958 | ######### |
+ 1 - 2 us | 4636 | ######### |
+ 2 - 4 us | 1053 | ## |
+ 4 - 8 us | 15 | |
+ 8 - 16 us | 1 | |
+ 16 - 32 us | 0 | |
+ 32 - 64 us | 0 | |
+ 64 - 128 us | 0 | |
+ 128 - 256 us | 0 | |
+ 256 - 512 us | 0 | |
+ 512 - 1024 us | 0 | |
+ 1 - ... ms | 0 | |
+ root@number:~#
+
+After:
+
+ root@number:~# perf ftrace latency --use-nsec -T switch_mm_irqs_off -a sleep 2
+ # DURATION | COUNT | GRAPH |
+ 0 - 1 ns | 0 | |
+ 1 - 2 ns | 0 | |
+ 2 - 4 ns | 0 | |
+ 4 - 8 ns | 0 | |
+ 8 - 16 ns | 0 | |
+ 16 - 32 ns | 0 | |
+ 32 - 64 ns | 19 | |
+ 64 - 128 ns | 94 | |
+ 128 - 256 ns | 2191 | #### |
+ 256 - 512 ns | 9719 | #################### |
+ 512 - 1024 ns | 5330 | ########### |
+ 1 - 2 us | 4104 | ######## |
+ 2 - 4 us | 807 | # |
+ 4 - 8 us | 9 | |
+ 8 - 16 us | 0 | |
+ 16 - 32 us | 0 | |
+ 32 - 64 us | 0 | |
+ 64 - 128 us | 0 | |
+ 128 - 256 us | 0 | |
+ 256 - 512 us | 0 | |
+ 512 - 1024 us | 0 | |
+ 1 - ... ms | 0 | |
+ root@number:~#
+
+Fixes: 84005bb6148618cc ("perf ftrace latency: Add -n/--use-nsec option")
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Gabriele Monaco <gmonaco@redhat.com>
+Link: https://lore.kernel.org/r/ZyE3frB-hMXHCnMO@x1
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-ftrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-ftrace.c b/tools/perf/builtin-ftrace.c
+index 1d40f9bcb63bc..86597f6119003 100644
+--- a/tools/perf/builtin-ftrace.c
++++ b/tools/perf/builtin-ftrace.c
+@@ -769,7 +769,7 @@ static void display_histogram(int buckets[], bool use_nsec)
+
+ bar_len = buckets[0] * bar_total / total;
+ printf(" %4d - %-4d %s | %10d | %.*s%*s |\n",
+- 0, 1, "us", buckets[0], bar_len, bar, bar_total - bar_len, "");
++ 0, 1, use_nsec ? "ns" : "us", buckets[0], bar_len, bar, bar_total - bar_len, "");
+
+ for (i = 1; i < NUM_BUCKET - 1; i++) {
+ int start = (1 << (i - 1));
+--
+2.43.0
+
--- /dev/null
+From ff42f22b3685a1b60b5afd6f37b48be82c1c85f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Oct 2024 15:14:32 +0100
+Subject: perf probe: Correct demangled symbols in C++ program
+
+From: Leo Yan <leo.yan@arm.com>
+
+[ Upstream commit 314909f13cc12d47c468602c37dace512d225eeb ]
+
+An issue can be observed when probe C++ demangled symbol with steps:
+
+ # nm test_cpp_mangle | grep print_data
+ 0000000000000c94 t _GLOBAL__sub_I__Z10print_datai
+ 0000000000000afc T _Z10print_datai
+ 0000000000000b38 T _Z10print_dataR5Point
+
+ # perf probe -x /home/niayan01/test_cpp_mangle -F --demangle
+ ...
+ print_data(Point&)
+ print_data(int)
+ ...
+
+ # perf --debug verbose=3 probe -x test_cpp_mangle --add "test=print_data(int)"
+ probe-definition(0): test=print_data(int)
+ symbol:print_data(int) file:(null) line:0 offset:0 return:0 lazy:(null)
+ 0 arguments
+ Open Debuginfo file: /home/niayan01/test_cpp_mangle
+ Try to find probe point from debuginfo.
+ Symbol print_data(int) address found : afc
+ Matched function: print_data [2ccf]
+ Probe point found: print_data+0
+ Found 1 probe_trace_events.
+ Opening /sys/kernel/tracing//uprobe_events write=1
+ Opening /sys/kernel/tracing//README write=0
+ Writing event: p:probe_test_cpp_mangle/test /home/niayan01/test_cpp_mangle:0xb38
+ ...
+
+When tried to probe symbol "print_data(int)", the log shows:
+
+ Symbol print_data(int) address found : afc
+
+The found address is 0xafc - which is right with verifying the output
+result from nm. Afterwards when write event, the command uses offset
+0xb38 in the last log, which is a wrong address.
+
+The dwarf_diename() gets a common function name, in above case, it
+returns string "print_data". As a result, the tool parses the offset
+based on the common name. This leads to probe at the wrong symbol
+"print_data(Point&)".
+
+To fix the issue, use the die_get_linkage_name() function to retrieve
+the distinct linkage name - this is the mangled name for the C++ case.
+Based on this unique name, the tool can get a correct offset for
+probing. Based on DWARF doc, it is possible the linkage name is missed
+in the DIE, it rolls back to use dwarf_diename().
+
+After:
+
+ # perf --debug verbose=3 probe -x test_cpp_mangle --add "test=print_data(int)"
+ probe-definition(0): test=print_data(int)
+ symbol:print_data(int) file:(null) line:0 offset:0 return:0 lazy:(null)
+ 0 arguments
+ Open Debuginfo file: /home/niayan01/test_cpp_mangle
+ Try to find probe point from debuginfo.
+ Symbol print_data(int) address found : afc
+ Matched function: print_data [2d06]
+ Probe point found: print_data+0
+ Found 1 probe_trace_events.
+ Opening /sys/kernel/tracing//uprobe_events write=1
+ Opening /sys/kernel/tracing//README write=0
+ Writing event: p:probe_test_cpp_mangle/test /home/niayan01/test_cpp_mangle:0xafc
+ Added new event:
+ probe_test_cpp_mangle:test (on print_data(int) in /home/niayan01/test_cpp_mangle)
+
+ You can now use it in all perf tools, such as:
+
+ perf record -e probe_test_cpp_mangle:test -aR sleep 1
+
+ # perf --debug verbose=3 probe -x test_cpp_mangle --add "test2=print_data(Point&)"
+ probe-definition(0): test2=print_data(Point&)
+ symbol:print_data(Point&) file:(null) line:0 offset:0 return:0 lazy:(null)
+ 0 arguments
+ Open Debuginfo file: /home/niayan01/test_cpp_mangle
+ Try to find probe point from debuginfo.
+ Symbol print_data(Point&) address found : b38
+ Matched function: print_data [2ccf]
+ Probe point found: print_data+0
+ Found 1 probe_trace_events.
+ Opening /sys/kernel/tracing//uprobe_events write=1
+ Parsing probe_events: p:probe_test_cpp_mangle/test /home/niayan01/test_cpp_mangle:0x0000000000000afc
+ Group:probe_test_cpp_mangle Event:test probe:p
+ Opening /sys/kernel/tracing//README write=0
+ Writing event: p:probe_test_cpp_mangle/test2 /home/niayan01/test_cpp_mangle:0xb38
+ Added new event:
+ probe_test_cpp_mangle:test2 (on print_data(Point&) in /home/niayan01/test_cpp_mangle)
+
+ You can now use it in all perf tools, such as:
+
+ perf record -e probe_test_cpp_mangle:test2 -aR sleep 1
+
+Fixes: fb1587d869a3 ("perf probe: List probes with line number and file name")
+Signed-off-by: Leo Yan <leo.yan@arm.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Link: https://lore.kernel.org/r/20241012141432.877894-1-leo.yan@arm.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/probe-finder.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/probe-finder.c b/tools/perf/util/probe-finder.c
+index 2f86103761ab2..3c13597d0a0db 100644
+--- a/tools/perf/util/probe-finder.c
++++ b/tools/perf/util/probe-finder.c
+@@ -1736,8 +1736,21 @@ int debuginfo__find_probe_point(struct debuginfo *dbg, u64 addr,
+
+ /* Find a corresponding function (name, baseline and baseaddr) */
+ if (die_find_realfunc(&cudie, (Dwarf_Addr)addr, &spdie)) {
+- /* Get function entry information */
+- func = basefunc = dwarf_diename(&spdie);
++ /*
++ * Get function entry information.
++ *
++ * As described in the document DWARF Debugging Information
++ * Format Version 5, section 2.22 Linkage Names, "mangled names,
++ * are used in various ways, ... to distinguish multiple
++ * entities that have the same name".
++ *
++ * Firstly try to get distinct linkage name, if fail then
++ * rollback to get associated name in DIE.
++ */
++ func = basefunc = die_get_linkage_name(&spdie);
++ if (!func)
++ func = basefunc = dwarf_diename(&spdie);
++
+ if (!func ||
+ die_entrypc(&spdie, &baseaddr) != 0 ||
+ dwarf_decl_line(&spdie, &baseline) != 0) {
+--
+2.43.0
+
--- /dev/null
+From eeaf89dea6be85cf0b002fe4d2ab7efe50768100 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2024 16:56:22 -0700
+Subject: perf probe: Fix libdw memory leak
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 4585038b8e186252141ef86e9f0d8e97f11dce8d ]
+
+Add missing dwarf_cfi_end to free memory associated with probe_finder
+cfi_eh which is allocated and owned via a call to
+dwarf_getcfi_elf. Confusingly cfi_dbg shouldn't be freed as its memory
+is owned by the passed in debuginfo struct. Add comments to highlight
+this.
+
+This addresses leak sanitizer issues seen in:
+tools/perf/tests/shell/test_uprobe_from_different_cu.sh
+
+Fixes: 270bde1e76f4 ("perf probe: Search both .eh_frame and .debug_frame sections for probe location")
+Signed-off-by: Ian Rogers <irogers@google.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Steinar H. Gunderson <sesse@google.com>
+Cc: Alexander Lobakin <aleksander.lobakin@intel.com>
+Cc: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Cc: Kajol Jain <kjain@linux.ibm.com>
+Cc: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Cc: Hemant Kumar <hemant@linux.vnet.ibm.com>
+Link: https://lore.kernel.org/r/20241016235622.52166-3-irogers@google.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/probe-finder.c | 4 ++++
+ tools/perf/util/probe-finder.h | 4 ++--
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/probe-finder.c b/tools/perf/util/probe-finder.c
+index 50d861a80f572..2f86103761ab2 100644
+--- a/tools/perf/util/probe-finder.c
++++ b/tools/perf/util/probe-finder.c
+@@ -1490,6 +1490,10 @@ int debuginfo__find_trace_events(struct debuginfo *dbg,
+ if (ret >= 0 && tf.pf.skip_empty_arg)
+ ret = fill_empty_trace_arg(pev, tf.tevs, tf.ntevs);
+
++#if _ELFUTILS_PREREQ(0, 142)
++ dwarf_cfi_end(tf.pf.cfi_eh);
++#endif
++
+ if (ret < 0 || tf.ntevs == 0) {
+ for (i = 0; i < tf.ntevs; i++)
+ clear_probe_trace_event(&tf.tevs[i]);
+diff --git a/tools/perf/util/probe-finder.h b/tools/perf/util/probe-finder.h
+index 8bc1c80d3c1c0..1f4650b955094 100644
+--- a/tools/perf/util/probe-finder.h
++++ b/tools/perf/util/probe-finder.h
+@@ -81,9 +81,9 @@ struct probe_finder {
+
+ /* For variable searching */
+ #if _ELFUTILS_PREREQ(0, 142)
+- /* Call Frame Information from .eh_frame */
++ /* Call Frame Information from .eh_frame. Owned by this struct. */
+ Dwarf_CFI *cfi_eh;
+- /* Call Frame Information from .debug_frame */
++ /* Call Frame Information from .debug_frame. Not owned. */
+ Dwarf_CFI *cfi_dbg;
+ #endif
+ Dwarf_Op *fb_ops; /* Frame base attribute */
+--
+2.43.0
+
--- /dev/null
+From 8187b5438e5ba50e1bfc49347228c13ce382193e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Sep 2024 14:20:21 +0100
+Subject: perf stat: Close cork_fd when create_perf_stat_counter() failed
+
+From: Levi Yun <yeoreum.yun@arm.com>
+
+[ Upstream commit e880a70f8046df0dd9089fa60dcb866a2cc69194 ]
+
+When create_perf_stat_counter() failed, it doesn't close workload.cork_fd
+open in evlist__prepare_workload(). This could make too many open file
+error while __run_perf_stat() repeats.
+
+Introduce evlist__cancel_workload to close workload.cork_fd and
+wait workload.child_pid until exit to clear child process
+when create_perf_stat_counter() is failed.
+
+Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
+Reviewed-by: James Clark <james.clark@linaro.org>
+Reviewed-by: Andi Kleen <ak@linux.intel.com>
+Cc: nd@arm.com
+Cc: howardchu95@gmail.com
+Link: https://lore.kernel.org/r/20240925132022.2650180-2-yeoreum.yun@arm.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Stable-dep-of: 7f6ccb70e465 ("perf stat: Fix affinity memory leaks on error path")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-stat.c | 50 +++++++++++++++++++++++++++------------
+ tools/perf/util/evlist.c | 19 +++++++++++++--
+ tools/perf/util/evlist.h | 1 +
+ 3 files changed, 53 insertions(+), 17 deletions(-)
+
+diff --git a/tools/perf/builtin-stat.c b/tools/perf/builtin-stat.c
+index bdd8dd54fdb63..79e058ff8a33a 100644
+--- a/tools/perf/builtin-stat.c
++++ b/tools/perf/builtin-stat.c
+@@ -756,15 +756,19 @@ static int __run_perf_stat(int argc, const char **argv, int run_idx)
+ evlist__set_leader(evsel_list);
+
+ if (!cpu_map__is_dummy(evsel_list->core.user_requested_cpus)) {
+- if (affinity__setup(&saved_affinity) < 0)
+- return -1;
++ if (affinity__setup(&saved_affinity) < 0) {
++ err = -1;
++ goto err_out;
++ }
+ affinity = &saved_affinity;
+ }
+
+ evlist__for_each_entry(evsel_list, counter) {
+ counter->reset_group = false;
+- if (bpf_counter__load(counter, &target))
+- return -1;
++ if (bpf_counter__load(counter, &target)) {
++ err = -1;
++ goto err_out;
++ }
+ if (!(evsel__is_bperf(counter)))
+ all_counters_use_bpf = false;
+ }
+@@ -805,7 +809,8 @@ static int __run_perf_stat(int argc, const char **argv, int run_idx)
+
+ switch (stat_handle_error(counter)) {
+ case COUNTER_FATAL:
+- return -1;
++ err = -1;
++ goto err_out;
+ case COUNTER_RETRY:
+ goto try_again;
+ case COUNTER_SKIP:
+@@ -846,7 +851,8 @@ static int __run_perf_stat(int argc, const char **argv, int run_idx)
+
+ switch (stat_handle_error(counter)) {
+ case COUNTER_FATAL:
+- return -1;
++ err = -1;
++ goto err_out;
+ case COUNTER_RETRY:
+ goto try_again_reset;
+ case COUNTER_SKIP:
+@@ -871,8 +877,10 @@ static int __run_perf_stat(int argc, const char **argv, int run_idx)
+ stat_config.unit_width = l;
+
+ if (evsel__should_store_id(counter) &&
+- evsel__store_ids(counter, evsel_list))
+- return -1;
++ evsel__store_ids(counter, evsel_list)) {
++ err = -1;
++ goto err_out;
++ }
+ }
+
+ if (evlist__apply_filters(evsel_list, &counter)) {
+@@ -893,20 +901,23 @@ static int __run_perf_stat(int argc, const char **argv, int run_idx)
+ }
+
+ if (err < 0)
+- return err;
++ goto err_out;
+
+ err = perf_event__synthesize_stat_events(&stat_config, NULL, evsel_list,
+ process_synthesized_event, is_pipe);
+ if (err < 0)
+- return err;
++ goto err_out;
++
+ }
+
+ if (target.initial_delay) {
+ pr_info(EVLIST_DISABLED_MSG);
+ } else {
+ err = enable_counters();
+- if (err)
+- return -1;
++ if (err) {
++ err = -1;
++ goto err_out;
++ }
+ }
+
+ /* Exec the command, if any */
+@@ -916,8 +927,10 @@ static int __run_perf_stat(int argc, const char **argv, int run_idx)
+ if (target.initial_delay > 0) {
+ usleep(target.initial_delay * USEC_PER_MSEC);
+ err = enable_counters();
+- if (err)
+- return -1;
++ if (err) {
++ err = -1;
++ goto err_out;
++ }
+
+ pr_info(EVLIST_ENABLED_MSG);
+ }
+@@ -937,7 +950,8 @@ static int __run_perf_stat(int argc, const char **argv, int run_idx)
+ if (workload_exec_errno) {
+ const char *emsg = str_error_r(workload_exec_errno, msg, sizeof(msg));
+ pr_err("Workload failed: %s\n", emsg);
+- return -1;
++ err = -1;
++ goto err_out;
+ }
+
+ if (WIFSIGNALED(status))
+@@ -986,6 +1000,12 @@ static int __run_perf_stat(int argc, const char **argv, int run_idx)
+ evlist__close(evsel_list);
+
+ return WEXITSTATUS(status);
++
++err_out:
++ if (forks)
++ evlist__cancel_workload(evsel_list);
++
++ return err;
+ }
+
+ static int run_perf_stat(int argc, const char **argv, int run_idx)
+diff --git a/tools/perf/util/evlist.c b/tools/perf/util/evlist.c
+index ca08e6dc8b232..dca6843ea3225 100644
+--- a/tools/perf/util/evlist.c
++++ b/tools/perf/util/evlist.c
+@@ -42,6 +42,7 @@
+ #include <sys/mman.h>
+ #include <sys/prctl.h>
+ #include <sys/timerfd.h>
++#include <sys/wait.h>
+
+ #include <linux/bitops.h>
+ #include <linux/hash.h>
+@@ -1392,6 +1393,8 @@ int evlist__prepare_workload(struct evlist *evlist, struct target *target, const
+ int child_ready_pipe[2], go_pipe[2];
+ char bf;
+
++ evlist->workload.cork_fd = -1;
++
+ if (pipe(child_ready_pipe) < 0) {
+ perror("failed to create 'ready' pipe");
+ return -1;
+@@ -1444,7 +1447,7 @@ int evlist__prepare_workload(struct evlist *evlist, struct target *target, const
+ * For cancelling the workload without actually running it,
+ * the parent will just close workload.cork_fd, without writing
+ * anything, i.e. read will return zero and we just exit()
+- * here.
++ * here (See evlist__cancel_workload()).
+ */
+ if (ret != 1) {
+ if (ret == -1)
+@@ -1508,7 +1511,7 @@ int evlist__prepare_workload(struct evlist *evlist, struct target *target, const
+
+ int evlist__start_workload(struct evlist *evlist)
+ {
+- if (evlist->workload.cork_fd > 0) {
++ if (evlist->workload.cork_fd >= 0) {
+ char bf = 0;
+ int ret;
+ /*
+@@ -1519,12 +1522,24 @@ int evlist__start_workload(struct evlist *evlist)
+ perror("unable to write to pipe");
+
+ close(evlist->workload.cork_fd);
++ evlist->workload.cork_fd = -1;
+ return ret;
+ }
+
+ return 0;
+ }
+
++void evlist__cancel_workload(struct evlist *evlist)
++{
++ int status;
++
++ if (evlist->workload.cork_fd >= 0) {
++ close(evlist->workload.cork_fd);
++ evlist->workload.cork_fd = -1;
++ waitpid(evlist->workload.pid, &status, WNOHANG);
++ }
++}
++
+ int evlist__parse_sample(struct evlist *evlist, union perf_event *event, struct perf_sample *sample)
+ {
+ struct evsel *evsel = evlist__event2evsel(evlist, event);
+diff --git a/tools/perf/util/evlist.h b/tools/perf/util/evlist.h
+index 16734c6756b3c..dc2197069cdc6 100644
+--- a/tools/perf/util/evlist.h
++++ b/tools/perf/util/evlist.h
+@@ -187,6 +187,7 @@ int evlist__prepare_workload(struct evlist *evlist, struct target *target,
+ const char *argv[], bool pipe_output,
+ void (*exec_error)(int signo, siginfo_t *info, void *ucontext));
+ int evlist__start_workload(struct evlist *evlist);
++void evlist__cancel_workload(struct evlist *evlist);
+
+ struct option;
+
+--
+2.43.0
+
--- /dev/null
+From 96f061d992d20e6483c8d2f34e5ac48a187fbf04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2024 22:23:24 -0700
+Subject: perf stat: Fix affinity memory leaks on error path
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 7f6ccb70e465bd8c9cf8973aee1c01224e4bdb3c ]
+
+Missed cleanup when an error occurs.
+
+Fixes: 49de179577e7 ("perf stat: No need to setup affinities when starting a workload")
+Signed-off-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20241001052327.7052-2-irogers@google.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-stat.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/perf/builtin-stat.c b/tools/perf/builtin-stat.c
+index 79e058ff8a33a..b243027bc22d8 100644
+--- a/tools/perf/builtin-stat.c
++++ b/tools/perf/builtin-stat.c
+@@ -865,6 +865,7 @@ static int __run_perf_stat(int argc, const char **argv, int run_idx)
+ }
+ }
+ affinity__cleanup(affinity);
++ affinity = NULL;
+
+ evlist__for_each_entry(evsel_list, counter) {
+ if (!counter->supported) {
+@@ -1005,6 +1006,7 @@ static int __run_perf_stat(int argc, const char **argv, int run_idx)
+ if (forks)
+ evlist__cancel_workload(evsel_list);
+
++ affinity__cleanup(affinity);
+ return err;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 98ac508714b118c0ffa5136ce03e07cacae81ce0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2024 23:21:27 +0000
+Subject: perf trace: Avoid garbage when not printing a syscall's arguments
+
+From: Benjamin Peterson <benjamin@engflow.com>
+
+[ Upstream commit 1302e352b26f34991b619b5d0b621b76d20a3883 ]
+
+syscall__scnprintf_args may not place anything in the output buffer
+(e.g., because the arguments are all zero). If that happened in
+trace__fprintf_sys_enter, its fprintf would receive an unitialized
+buffer leading to garbage output.
+
+Fix the problem by passing the (possibly zero) bounds of the argument
+buffer to the output fprintf.
+
+Fixes: a98392bb1e169a04 ("perf trace: Use beautifiers on syscalls:sys_enter_ handlers")
+Signed-off-by: Benjamin Peterson <benjamin@engflow.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Tested-by: Howard Chu <howardchu95@gmail.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20241107232128.108981-2-benjamin@engflow.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-trace.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
+index 48e101ad13924..441655e659c2b 100644
+--- a/tools/perf/builtin-trace.c
++++ b/tools/perf/builtin-trace.c
+@@ -2385,6 +2385,7 @@ static int trace__fprintf_sys_enter(struct trace *trace, struct evsel *evsel,
+ char msg[1024];
+ void *args, *augmented_args = NULL;
+ int augmented_args_size;
++ size_t printed = 0;
+
+ if (sc == NULL)
+ return -1;
+@@ -2400,8 +2401,8 @@ static int trace__fprintf_sys_enter(struct trace *trace, struct evsel *evsel,
+
+ args = perf_evsel__sc_tp_ptr(evsel, args, sample);
+ augmented_args = syscall__augmented_args(sc, sample, &augmented_args_size, trace->raw_augmented_syscalls_args_size);
+- syscall__scnprintf_args(sc, msg, sizeof(msg), args, augmented_args, augmented_args_size, trace, thread);
+- fprintf(trace->output, "%s", msg);
++ printed += syscall__scnprintf_args(sc, msg, sizeof(msg), args, augmented_args, augmented_args_size, trace, thread);
++ fprintf(trace->output, "%.*s", (int)printed, msg);
+ err = 0;
+ out_put:
+ thread__put(thread);
+--
+2.43.0
+
--- /dev/null
+From a6ab5a59d7393b95098521efad924aac6cef78ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Nov 2024 20:48:16 +0000
+Subject: perf trace: avoid garbage when not printing a trace event's arguments
+
+From: Benjamin Peterson <benjamin@engflow.com>
+
+[ Upstream commit 5fb8e56542a3cf469fdf25d77f50e21cbff3ae7e ]
+
+trace__fprintf_tp_fields may not print any tracepoint arguments. E.g., if the
+argument values are all zero. Previously, this would result in a totally
+uninitialized buffer being passed to fprintf, which could lead to garbage on the
+console. Fix the problem by passing the number of initialized bytes fprintf.
+
+Fixes: f11b2803bb88 ("perf trace: Allow choosing how to augment the tracepoint arguments")
+Signed-off-by: Benjamin Peterson <benjamin@engflow.com>
+Tested-by: Howard Chu <howardchu95@gmail.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Link: https://lore.kernel.org/r/20241103204816.7834-1-benjamin@engflow.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-trace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
+index 93dab6423a048..9aafa332828f8 100644
+--- a/tools/perf/builtin-trace.c
++++ b/tools/perf/builtin-trace.c
+@@ -2770,7 +2770,7 @@ static size_t trace__fprintf_tp_fields(struct trace *trace, struct evsel *evsel,
+ printed += syscall_arg_fmt__scnprintf_val(arg, bf + printed, size - printed, &syscall_arg, val);
+ }
+
+- return printed + fprintf(trace->output, "%s", bf);
++ return printed + fprintf(trace->output, "%.*s", (int)printed, bf);
+ }
+
+ static int trace__event_handler(struct trace *trace, struct evsel *evsel,
+--
+2.43.0
+
--- /dev/null
+From 5d153c0ebecfed1e8b89708c62a8564be68ca57b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2024 23:21:26 +0000
+Subject: perf trace: Do not lose last events in a race
+
+From: Benjamin Peterson <benjamin@engflow.com>
+
+[ Upstream commit 3fd7c36973a250e17a4ee305a31545a9426021f4 ]
+
+If a perf trace event selector specifies a maximum number of events to output
+(i.e., "/nr=N/" syntax), the event printing handler, trace__event_handler,
+disables the event selector after the maximum number events are
+printed.
+
+Furthermore, trace__event_handler checked if the event selector was
+disabled before doing any work. This avoided exceeding the maximum
+number of events to print if more events were in the buffer before the
+selector was disabled.
+
+However, the event selector can be disabled for reasons other than
+exceeding the maximum number of events. In particular, when the traced
+subprocess exits, the main loop disables all event selectors. This meant
+the last events of a traced subprocess might be lost to the printing
+handler's short-circuiting logic.
+
+This nondeterministic problem could be seen by running the following many times:
+
+ $ perf trace -e syscalls:sys_enter_exit_group true
+
+trace__event_handler should simply check for exceeding the maximum number of
+events to print rather than the state of the event selector.
+
+Fixes: a9c5e6c1e9bff42c ("perf trace: Introduce per-event maximum number of events property")
+Signed-off-by: Benjamin Peterson <benjamin@engflow.com>
+Tested-by: Howard Chu <howardchu95@gmail.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20241107232128.108981-1-benjamin@engflow.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-trace.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
+index 9aafa332828f8..48e101ad13924 100644
+--- a/tools/perf/builtin-trace.c
++++ b/tools/perf/builtin-trace.c
+@@ -2779,13 +2779,8 @@ static int trace__event_handler(struct trace *trace, struct evsel *evsel,
+ {
+ struct thread *thread;
+ int callchain_ret = 0;
+- /*
+- * Check if we called perf_evsel__disable(evsel) due to, for instance,
+- * this event's max_events having been hit and this is an entry coming
+- * from the ring buffer that we should discard, since the max events
+- * have already been considered/printed.
+- */
+- if (evsel->disabled)
++
++ if (evsel->nr_events_printed >= evsel->max_events)
+ return 0;
+
+ thread = machine__findnew_thread(trace->host, sample->pid, sample->tid);
+--
+2.43.0
+
--- /dev/null
+From bd6b8baaec489d5c804c9b204f89f7643149ca26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Nov 2024 15:12:01 +0800
+Subject: pinctrl: k210: Undef K210_PC_DEFAULT
+
+From: zhang jiao <zhangjiao2@cmss.chinamobile.com>
+
+[ Upstream commit 7e86490c5dee5c41a55f32d0dc34269e200e6909 ]
+
+When the temporary macro K210_PC_DEFAULT is not needed anymore,
+use its name in the #undef statement instead of
+the incorrect "DEFAULT" name.
+
+Fixes: d4c34d09ab03 ("pinctrl: Add RISC-V Canaan Kendryte K210 FPIOA driver")
+Signed-off-by: zhang jiao <zhangjiao2@cmss.chinamobile.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Link: https://lore.kernel.org/20241113071201.5440-1-zhangjiao2@cmss.chinamobile.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-k210.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/pinctrl-k210.c b/drivers/pinctrl/pinctrl-k210.c
+index ad4db99094a79..e75c96c6b3daf 100644
+--- a/drivers/pinctrl/pinctrl-k210.c
++++ b/drivers/pinctrl/pinctrl-k210.c
+@@ -181,7 +181,7 @@ static const u32 k210_pinconf_mode_id_to_mode[] = {
+ [K210_PC_DEFAULT_INT13] = K210_PC_MODE_IN | K210_PC_PU,
+ };
+
+-#undef DEFAULT
++#undef K210_PC_DEFAULT
+
+ /*
+ * Pin functions configuration information.
+--
+2.43.0
+
--- /dev/null
+From 157297295214c60e2a9d79f9d9e0d0cb73cfeaf4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2024 10:04:32 +0200
+Subject: pinctrl: zynqmp: drop excess struct member description
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+[ Upstream commit 2a85fc7044987d751f27d7f1e4423eebbcecc2c6 ]
+
+The 'node' member has never been part of this structure so drop its
+description.
+
+Fixes: 8b242ca700f8 ("pinctrl: Add Xilinx ZynqMP pinctrl driver support")
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Link: https://lore.kernel.org/20241010080432.7781-1-brgl@bgdev.pl
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-zynqmp.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/pinctrl/pinctrl-zynqmp.c b/drivers/pinctrl/pinctrl-zynqmp.c
+index c98f35ad89217..5a6be66c1a0b5 100644
+--- a/drivers/pinctrl/pinctrl-zynqmp.c
++++ b/drivers/pinctrl/pinctrl-zynqmp.c
+@@ -45,7 +45,6 @@
+ * @name: Name of the pin mux function
+ * @groups: List of pin groups for this function
+ * @ngroups: Number of entries in @groups
+- * @node: Firmware node matching with the function
+ *
+ * This structure holds information about pin control function
+ * and function group names supporting that function.
+--
+2.43.0
+
--- /dev/null
+From 319d9f081ce64521c4030a5eff5cf3d3d97ae62e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Nov 2024 06:46:39 +0000
+Subject: platform/x86: panasonic-laptop: Return errno correctly in show
+ callback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yao Zi <ziyao@disroot.org>
+
+[ Upstream commit 5c7bebc1a3f0661db558d60e14dde27fc216d9dc ]
+
+When an error occurs in sysfs show callback, we should return the errno
+directly instead of formatting it as the result, which produces
+meaningless output and doesn't inform the userspace of the error.
+
+Fixes: 468f96bfa3a0 ("platform/x86: panasonic-laptop: Add support for battery charging threshold (eco mode)")
+Fixes: d5a81d8e864b ("platform/x86: panasonic-laptop: Add support for optical driver power in Y and W series")
+Signed-off-by: Yao Zi <ziyao@disroot.org>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20241118064637.61832-3-ziyao@disroot.org
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/panasonic-laptop.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/platform/x86/panasonic-laptop.c b/drivers/platform/x86/panasonic-laptop.c
+index ac7fb7a8fd592..e9bee5f6ec8d0 100644
+--- a/drivers/platform/x86/panasonic-laptop.c
++++ b/drivers/platform/x86/panasonic-laptop.c
+@@ -602,8 +602,7 @@ static ssize_t eco_mode_show(struct device *dev, struct device_attribute *attr,
+ result = 1;
+ break;
+ default:
+- result = -EIO;
+- break;
++ return -EIO;
+ }
+ return sysfs_emit(buf, "%u\n", result);
+ }
+@@ -749,7 +748,12 @@ static ssize_t current_brightness_store(struct device *dev, struct device_attrib
+ static ssize_t cdpower_show(struct device *dev, struct device_attribute *attr,
+ char *buf)
+ {
+- return sysfs_emit(buf, "%d\n", get_optd_power_state());
++ int state = get_optd_power_state();
++
++ if (state < 0)
++ return state;
++
++ return sysfs_emit(buf, "%d\n", state);
+ }
+
+ static ssize_t cdpower_store(struct device *dev, struct device_attribute *attr,
+--
+2.43.0
+
--- /dev/null
+From 3eccc8b71b0a3c09e7e09655bf036013e062a033 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2024 11:04:41 +0800
+Subject: pmdomain: ti-sci: Add missing of_node_put() for args.np
+
+From: Zhang Zekun <zhangzekun11@huawei.com>
+
+[ Upstream commit afc2331ef81657493c074592c409dac7c3cb8ccc ]
+
+of_parse_phandle_with_args() needs to call of_node_put() to decrement
+the refcount of args.np. So, Add the missing of_node_put() in the loop.
+
+Fixes: efa5c01cd7ee ("soc: ti: ti_sci_pm_domains: switch to use multiple genpds instead of one")
+Signed-off-by: Zhang Zekun <zhangzekun11@huawei.com>
+Reviewed-by: Dhruva Gole <d-gole@ti.com>
+Message-ID: <20241024030442.119506-2-zhangzekun11@huawei.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/ti/ti_sci_pm_domains.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/soc/ti/ti_sci_pm_domains.c b/drivers/soc/ti/ti_sci_pm_domains.c
+index 17984a7bffba5..b21b152ed5d0f 100644
+--- a/drivers/soc/ti/ti_sci_pm_domains.c
++++ b/drivers/soc/ti/ti_sci_pm_domains.c
+@@ -165,6 +165,7 @@ static int ti_sci_pm_domain_probe(struct platform_device *pdev)
+ break;
+
+ if (args.args_count >= 1 && args.np == dev->of_node) {
++ of_node_put(args.np);
+ if (args.args[0] > max_id) {
+ max_id = args.args[0];
+ } else {
+@@ -192,7 +193,10 @@ static int ti_sci_pm_domain_probe(struct platform_device *pdev)
+ pm_genpd_init(&pd->pd, NULL, true);
+
+ list_add(&pd->node, &pd_provider->pd_list);
++ } else {
++ of_node_put(args.np);
+ }
++
+ index++;
+ }
+ }
+--
+2.43.0
+
--- /dev/null
+From d097ec2de80844a245f37fbe076d013d1f5a2f90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2024 20:54:05 +0200
+Subject: power: supply: bq27xxx: Fix registers of bq27426
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Barnabás Czémán <barnabas.czeman@mainlining.org>
+
+[ Upstream commit 34f99d3b706a519e556841f405c224ca708b1f54 ]
+
+Correct bq27426 registers, according to technical reference manual
+it does not have Design Capacity register so it is not register
+compatible with bq27421.
+
+Fixes: 5ef6a16033b47 ("power: supply: bq27xxx: Add support for BQ27426")
+Signed-off-by: Barnabás Czémán <barnabas.czeman@mainlining.org>
+Link: https://lore.kernel.org/r/20241016-fix_bq27426-v2-1-aa6c0f51a9f6@mainlining.org
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/bq27xxx_battery.c | 37 ++++++++++++++++++++++++--
+ 1 file changed, 35 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/power/supply/bq27xxx_battery.c b/drivers/power/supply/bq27xxx_battery.c
+index 4a5371a3a5313..2868dcf3f96dc 100644
+--- a/drivers/power/supply/bq27xxx_battery.c
++++ b/drivers/power/supply/bq27xxx_battery.c
+@@ -449,9 +449,29 @@ static u8
+ [BQ27XXX_REG_AP] = 0x18,
+ BQ27XXX_DM_REG_ROWS,
+ },
++ bq27426_regs[BQ27XXX_REG_MAX] = {
++ [BQ27XXX_REG_CTRL] = 0x00,
++ [BQ27XXX_REG_TEMP] = 0x02,
++ [BQ27XXX_REG_INT_TEMP] = 0x1e,
++ [BQ27XXX_REG_VOLT] = 0x04,
++ [BQ27XXX_REG_AI] = 0x10,
++ [BQ27XXX_REG_FLAGS] = 0x06,
++ [BQ27XXX_REG_TTE] = INVALID_REG_ADDR,
++ [BQ27XXX_REG_TTF] = INVALID_REG_ADDR,
++ [BQ27XXX_REG_TTES] = INVALID_REG_ADDR,
++ [BQ27XXX_REG_TTECP] = INVALID_REG_ADDR,
++ [BQ27XXX_REG_NAC] = 0x08,
++ [BQ27XXX_REG_RC] = 0x0c,
++ [BQ27XXX_REG_FCC] = 0x0e,
++ [BQ27XXX_REG_CYCT] = INVALID_REG_ADDR,
++ [BQ27XXX_REG_AE] = INVALID_REG_ADDR,
++ [BQ27XXX_REG_SOC] = 0x1c,
++ [BQ27XXX_REG_DCAP] = INVALID_REG_ADDR,
++ [BQ27XXX_REG_AP] = 0x18,
++ BQ27XXX_DM_REG_ROWS,
++ },
+ #define bq27411_regs bq27421_regs
+ #define bq27425_regs bq27421_regs
+-#define bq27426_regs bq27421_regs
+ #define bq27441_regs bq27421_regs
+ #define bq27621_regs bq27421_regs
+ bq27z561_regs[BQ27XXX_REG_MAX] = {
+@@ -769,10 +789,23 @@ static enum power_supply_property bq27421_props[] = {
+ };
+ #define bq27411_props bq27421_props
+ #define bq27425_props bq27421_props
+-#define bq27426_props bq27421_props
+ #define bq27441_props bq27421_props
+ #define bq27621_props bq27421_props
+
++static enum power_supply_property bq27426_props[] = {
++ POWER_SUPPLY_PROP_STATUS,
++ POWER_SUPPLY_PROP_PRESENT,
++ POWER_SUPPLY_PROP_VOLTAGE_NOW,
++ POWER_SUPPLY_PROP_CURRENT_NOW,
++ POWER_SUPPLY_PROP_CAPACITY,
++ POWER_SUPPLY_PROP_CAPACITY_LEVEL,
++ POWER_SUPPLY_PROP_TEMP,
++ POWER_SUPPLY_PROP_TECHNOLOGY,
++ POWER_SUPPLY_PROP_CHARGE_FULL,
++ POWER_SUPPLY_PROP_CHARGE_NOW,
++ POWER_SUPPLY_PROP_MANUFACTURER,
++};
++
+ static enum power_supply_property bq27z561_props[] = {
+ POWER_SUPPLY_PROP_STATUS,
+ POWER_SUPPLY_PROP_PRESENT,
+--
+2.43.0
+
--- /dev/null
+From ae1f41c867c583d352e170ab52f0ffe5c5dc9169 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Sep 2024 12:39:14 -0700
+Subject: power: supply: core: Remove might_sleep() from power_supply_put()
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit f6da4553ff24a5d1c959c9627c965323adc3d307 ]
+
+The put_device() call in power_supply_put() may call
+power_supply_dev_release(). The latter function does not sleep so
+power_supply_put() doesn't sleep either. Hence, remove the might_sleep()
+call from power_supply_put(). This patch suppresses false positive
+complaints about calling a sleeping function from atomic context if
+power_supply_put() is called from atomic context.
+
+Cc: Kyle Tso <kyletso@google.com>
+Cc: Krzysztof Kozlowski <krzk@kernel.org>
+Fixes: 1a352462b537 ("power_supply: Add power_supply_put for decrementing device reference counter")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20240917193914.47566-1-bvanassche@acm.org
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/power_supply_core.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/power/supply/power_supply_core.c b/drivers/power/supply/power_supply_core.c
+index ac88c9636b663..13801dfa5c385 100644
+--- a/drivers/power/supply/power_supply_core.c
++++ b/drivers/power/supply/power_supply_core.c
+@@ -480,8 +480,6 @@ EXPORT_SYMBOL_GPL(power_supply_get_by_name);
+ */
+ void power_supply_put(struct power_supply *psy)
+ {
+- might_sleep();
+-
+ atomic_dec(&psy->use_cnt);
+ put_device(&psy->dev);
+ }
+--
+2.43.0
+
--- /dev/null
+From 9b83778a364ae9c46483b89bbb852d0b6eebc0f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Oct 2024 21:47:57 +0530
+Subject: powerpc/fadump: Move fadump_cma_init to setup_arch() after
+ initmem_init()
+
+From: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
+
+[ Upstream commit 05b94cae1c47f94588c3e7096963c1007c4d9c1d ]
+
+During early init CMA_MIN_ALIGNMENT_BYTES can be PAGE_SIZE,
+since pageblock_order is still zero and it gets initialized
+later during initmem_init() e.g.
+setup_arch() -> initmem_init() -> sparse_init() -> set_pageblock_order()
+
+One such use case where this causes issue is -
+early_setup() -> early_init_devtree() -> fadump_reserve_mem() -> fadump_cma_init()
+
+This causes CMA memory alignment check to be bypassed in
+cma_init_reserved_mem(). Then later cma_activate_area() can hit
+a VM_BUG_ON_PAGE(pfn & ((1 << order) - 1)) if the reserved memory
+area was not pageblock_order aligned.
+
+Fix it by moving the fadump_cma_init() after initmem_init(),
+where other such cma reservations also gets called.
+
+<stack trace>
+==============
+page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10010
+flags: 0x13ffff800000000(node=1|zone=0|lastcpupid=0x7ffff) CMA
+raw: 013ffff800000000 5deadbeef0000100 5deadbeef0000122 0000000000000000
+raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
+page dumped because: VM_BUG_ON_PAGE(pfn & ((1 << order) - 1))
+------------[ cut here ]------------
+kernel BUG at mm/page_alloc.c:778!
+
+Call Trace:
+__free_one_page+0x57c/0x7b0 (unreliable)
+free_pcppages_bulk+0x1a8/0x2c8
+free_unref_page_commit+0x3d4/0x4e4
+free_unref_page+0x458/0x6d0
+init_cma_reserved_pageblock+0x114/0x198
+cma_init_reserved_areas+0x270/0x3e0
+do_one_initcall+0x80/0x2f8
+kernel_init_freeable+0x33c/0x530
+kernel_init+0x34/0x26c
+ret_from_kernel_user_thread+0x14/0x1c
+
+Fixes: 11ac3e87ce09 ("mm: cma: use pageblock_order as the single alignment")
+Suggested-by: David Hildenbrand <david@redhat.com>
+Reported-by: Sachin P Bappalige <sachinpb@linux.ibm.com>
+Acked-by: Hari Bathini <hbathini@linux.ibm.com>
+Reviewed-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Signed-off-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://patch.msgid.link/3ae208e48c0d9cefe53d2dc4f593388067405b7d.1729146153.git.ritesh.list@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/fadump.h | 7 +++++++
+ arch/powerpc/kernel/fadump.c | 6 +-----
+ arch/powerpc/kernel/setup-common.c | 6 ++++--
+ 3 files changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/fadump.h b/arch/powerpc/include/asm/fadump.h
+index 526a6a6473128..daa44b2ef35ad 100644
+--- a/arch/powerpc/include/asm/fadump.h
++++ b/arch/powerpc/include/asm/fadump.h
+@@ -32,4 +32,11 @@ extern int early_init_dt_scan_fw_dump(unsigned long node, const char *uname,
+ int depth, void *data);
+ extern int fadump_reserve_mem(void);
+ #endif
++
++#if defined(CONFIG_FA_DUMP) && defined(CONFIG_CMA)
++void fadump_cma_init(void);
++#else
++static inline void fadump_cma_init(void) { }
++#endif
++
+ #endif /* _ASM_POWERPC_FADUMP_H */
+diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c
+index 4722a9e606e61..1866bac234000 100644
+--- a/arch/powerpc/kernel/fadump.c
++++ b/arch/powerpc/kernel/fadump.c
+@@ -80,7 +80,7 @@ static struct cma *fadump_cma;
+ * But for some reason even if it fails we still have the memory reservation
+ * with us and we can still continue doing fadump.
+ */
+-static void __init fadump_cma_init(void)
++void __init fadump_cma_init(void)
+ {
+ unsigned long long base, size;
+ int rc;
+@@ -124,8 +124,6 @@ static void __init fadump_cma_init(void)
+ (unsigned long)cma_get_base(fadump_cma) >> 20,
+ fw_dump.reserve_dump_area_size);
+ }
+-#else
+-static void __init fadump_cma_init(void) { }
+ #endif /* CONFIG_CMA */
+
+ /* Scan the Firmware Assisted dump configuration details. */
+@@ -642,8 +640,6 @@ int __init fadump_reserve_mem(void)
+
+ pr_info("Reserved %lldMB of memory at %#016llx (System RAM: %lldMB)\n",
+ (size >> 20), base, (memblock_phys_mem_size() >> 20));
+-
+- fadump_cma_init();
+ }
+
+ return ret;
+diff --git a/arch/powerpc/kernel/setup-common.c b/arch/powerpc/kernel/setup-common.c
+index 56f6b958926d7..41c03c8e41b41 100644
+--- a/arch/powerpc/kernel/setup-common.c
++++ b/arch/powerpc/kernel/setup-common.c
+@@ -982,9 +982,11 @@ void __init setup_arch(char **cmdline_p)
+ initmem_init();
+
+ /*
+- * Reserve large chunks of memory for use by CMA for KVM and hugetlb. These must
+- * be called after initmem_init(), so that pageblock_order is initialised.
++ * Reserve large chunks of memory for use by CMA for fadump, KVM and
++ * hugetlb. These must be called after initmem_init(), so that
++ * pageblock_order is initialised.
+ */
++ fadump_cma_init();
+ kvm_cma_reserve();
+ gigantic_hugetlb_cma_reserve();
+
+--
+2.43.0
+
--- /dev/null
+From d48d1e1f1062d7962f3d951047c4b2be900c0232 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Oct 2024 21:47:55 +0530
+Subject: powerpc/fadump: Refactor and prepare fadump_cma_init for late init
+
+From: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
+
+[ Upstream commit adfaec30ffaceecd565e06adae367aa944acc3c9 ]
+
+We anyway don't use any return values from fadump_cma_init(). Since
+fadump_reserve_mem() from where fadump_cma_init() gets called today,
+already has the required checks.
+This patch makes this function return type as void. Let's also handle
+extra cases like return if fadump_supported is false or dump_active, so
+that in later patches we can call fadump_cma_init() separately from
+setup_arch().
+
+Acked-by: Hari Bathini <hbathini@linux.ibm.com>
+Reviewed-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Signed-off-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://patch.msgid.link/a2afc3d6481a87a305e89cfc4a3f3d2a0b8ceab3.1729146153.git.ritesh.list@gmail.com
+Stable-dep-of: 05b94cae1c47 ("powerpc/fadump: Move fadump_cma_init to setup_arch() after initmem_init()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/fadump.c | 23 +++++++++--------------
+ 1 file changed, 9 insertions(+), 14 deletions(-)
+
+diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c
+index 3ff2da7b120b5..4722a9e606e61 100644
+--- a/arch/powerpc/kernel/fadump.c
++++ b/arch/powerpc/kernel/fadump.c
+@@ -80,27 +80,23 @@ static struct cma *fadump_cma;
+ * But for some reason even if it fails we still have the memory reservation
+ * with us and we can still continue doing fadump.
+ */
+-static int __init fadump_cma_init(void)
++static void __init fadump_cma_init(void)
+ {
+ unsigned long long base, size;
+ int rc;
+
+- if (!fw_dump.fadump_enabled)
+- return 0;
+-
++ if (!fw_dump.fadump_supported || !fw_dump.fadump_enabled ||
++ fw_dump.dump_active)
++ return;
+ /*
+ * Do not use CMA if user has provided fadump=nocma kernel parameter.
+- * Return 1 to continue with fadump old behaviour.
+ */
+- if (fw_dump.nocma)
+- return 1;
++ if (fw_dump.nocma || !fw_dump.boot_memory_size)
++ return;
+
+ base = fw_dump.reserve_dump_area_start;
+ size = fw_dump.boot_memory_size;
+
+- if (!size)
+- return 0;
+-
+ rc = cma_init_reserved_mem(base, size, 0, "fadump_cma", &fadump_cma);
+ if (rc) {
+ pr_err("Failed to init cma area for firmware-assisted dump,%d\n", rc);
+@@ -110,7 +106,7 @@ static int __init fadump_cma_init(void)
+ * blocked from production system usage. Hence return 1,
+ * so that we can continue with fadump.
+ */
+- return 1;
++ return;
+ }
+
+ /*
+@@ -127,10 +123,9 @@ static int __init fadump_cma_init(void)
+ cma_get_size(fadump_cma),
+ (unsigned long)cma_get_base(fadump_cma) >> 20,
+ fw_dump.reserve_dump_area_size);
+- return 1;
+ }
+ #else
+-static int __init fadump_cma_init(void) { return 1; }
++static void __init fadump_cma_init(void) { }
+ #endif /* CONFIG_CMA */
+
+ /* Scan the Firmware Assisted dump configuration details. */
+@@ -648,7 +643,7 @@ int __init fadump_reserve_mem(void)
+ pr_info("Reserved %lldMB of memory at %#016llx (System RAM: %lldMB)\n",
+ (size >> 20), base, (memblock_phys_mem_size() >> 20));
+
+- ret = fadump_cma_init();
++ fadump_cma_init();
+ }
+
+ return ret;
+--
+2.43.0
+
--- /dev/null
+From 2fbd2b16bae4b83c2a3b6bab7e4a0e3fc701ac50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2024 15:56:28 +0800
+Subject: powerpc/kexec: Fix return of uninitialized variable
+
+From: Zhang Zekun <zhangzekun11@huawei.com>
+
+[ Upstream commit 83b5a407fbb73e6965adfb4bd0a803724bf87f96 ]
+
+of_property_read_u64() can fail and leave the variable uninitialized,
+which will then be used. Return error if reading the property failed.
+
+Fixes: 2e6bd221d96f ("powerpc/kexec_file: Enable early kernel OPAL calls")
+Signed-off-by: Zhang Zekun <zhangzekun11@huawei.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://patch.msgid.link/20240930075628.125138-1-zhangzekun11@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kexec/file_load_64.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/kexec/file_load_64.c b/arch/powerpc/kexec/file_load_64.c
+index 180c1dfe4aa77..04d100ca18b86 100644
+--- a/arch/powerpc/kexec/file_load_64.c
++++ b/arch/powerpc/kexec/file_load_64.c
+@@ -911,13 +911,18 @@ int setup_purgatory_ppc64(struct kimage *image, const void *slave_code,
+ if (dn) {
+ u64 val;
+
+- of_property_read_u64(dn, "opal-base-address", &val);
++ ret = of_property_read_u64(dn, "opal-base-address", &val);
++ if (ret)
++ goto out;
++
+ ret = kexec_purgatory_get_set_symbol(image, "opal_base", &val,
+ sizeof(val), false);
+ if (ret)
+ goto out;
+
+- of_property_read_u64(dn, "opal-entry-address", &val);
++ ret = of_property_read_u64(dn, "opal-entry-address", &val);
++ if (ret)
++ goto out;
+ ret = kexec_purgatory_get_set_symbol(image, "opal_entry", &val,
+ sizeof(val), false);
+ }
+--
+2.43.0
+
--- /dev/null
+From aace37315ad09222c6c35db12bc33941f0673534 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Oct 2024 22:59:42 +0530
+Subject: powerpc/mm/fault: Fix kfence page fault reporting
+
+From: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
+
+[ Upstream commit 06dbbb4d5f7126b6307ab807cbf04ecfc459b933 ]
+
+copy_from_kernel_nofault() can be called when doing read of /proc/kcore.
+/proc/kcore can have some unmapped kfence objects which when read via
+copy_from_kernel_nofault() can cause page faults. Since *_nofault()
+functions define their own fixup table for handling fault, use that
+instead of asking kfence to handle such faults.
+
+Hence we search the exception tables for the nip which generated the
+fault. If there is an entry then we let the fixup table handler handle the
+page fault by returning an error from within ___do_page_fault().
+
+This can be easily triggered if someone tries to do dd from /proc/kcore.
+eg. dd if=/proc/kcore of=/dev/null bs=1M
+
+Some example false negatives:
+
+ ===============================
+ BUG: KFENCE: invalid read in copy_from_kernel_nofault+0x9c/0x1a0
+ Invalid read at 0xc0000000fdff0000:
+ copy_from_kernel_nofault+0x9c/0x1a0
+ 0xc00000000665f950
+ read_kcore_iter+0x57c/0xa04
+ proc_reg_read_iter+0xe4/0x16c
+ vfs_read+0x320/0x3ec
+ ksys_read+0x90/0x154
+ system_call_exception+0x120/0x310
+ system_call_vectored_common+0x15c/0x2ec
+
+ BUG: KFENCE: use-after-free read in copy_from_kernel_nofault+0x9c/0x1a0
+ Use-after-free read at 0xc0000000fe050000 (in kfence-#2):
+ copy_from_kernel_nofault+0x9c/0x1a0
+ 0xc00000000665f950
+ read_kcore_iter+0x57c/0xa04
+ proc_reg_read_iter+0xe4/0x16c
+ vfs_read+0x320/0x3ec
+ ksys_read+0x90/0x154
+ system_call_exception+0x120/0x310
+ system_call_vectored_common+0x15c/0x2ec
+
+Fixes: 90cbac0e995d ("powerpc: Enable KFENCE for PPC32")
+Suggested-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Reported-by: Disha Goel <disgoel@linux.ibm.com>
+Signed-off-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
+Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://patch.msgid.link/a411788081d50e3b136c6270471e35aba3dfafa3.1729271995.git.ritesh.list@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/mm/fault.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c
+index 644e4ec6ce99d..4b59315cb820a 100644
+--- a/arch/powerpc/mm/fault.c
++++ b/arch/powerpc/mm/fault.c
+@@ -431,10 +431,16 @@ static int ___do_page_fault(struct pt_regs *regs, unsigned long address,
+ /*
+ * The kernel should never take an execute fault nor should it
+ * take a page fault to a kernel address or a page fault to a user
+- * address outside of dedicated places
++ * address outside of dedicated places.
++ *
++ * Rather than kfence directly reporting false negatives, search whether
++ * the NIP belongs to the fixup table for cases where fault could come
++ * from functions like copy_from_kernel_nofault().
+ */
+ if (unlikely(!is_user && bad_kernel_fault(regs, error_code, address, is_write))) {
+- if (kfence_handle_page_fault(address, is_write, regs))
++ if (is_kfence_address((void *)address) &&
++ !search_exception_tables(instruction_pointer(regs)) &&
++ kfence_handle_page_fault(address, is_write, regs))
+ return 0;
+
+ return SIGSEGV;
+--
+2.43.0
+
--- /dev/null
+From 18b0e676360220cb521c87295027776a6842a277 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Aug 2024 22:24:01 +1000
+Subject: powerpc/pseries: Fix dtl_access_lock to be a rw_semaphore
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit cadae3a45d23aa4f6485938a67cbc47aaaa25e38 ]
+
+The dtl_access_lock needs to be a rw_sempahore, a sleeping lock, because
+the code calls kmalloc() while holding it, which can sleep:
+
+ # echo 1 > /proc/powerpc/vcpudispatch_stats
+ BUG: sleeping function called from invalid context at include/linux/sched/mm.h:337
+ in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 199, name: sh
+ preempt_count: 1, expected: 0
+ 3 locks held by sh/199:
+ #0: c00000000a0743f8 (sb_writers#3){.+.+}-{0:0}, at: vfs_write+0x324/0x438
+ #1: c0000000028c7058 (dtl_enable_mutex){+.+.}-{3:3}, at: vcpudispatch_stats_write+0xd4/0x5f4
+ #2: c0000000028c70b8 (dtl_access_lock){+.+.}-{2:2}, at: vcpudispatch_stats_write+0x220/0x5f4
+ CPU: 0 PID: 199 Comm: sh Not tainted 6.10.0-rc4 #152
+ Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1202 0xf000005 of:SLOF,HEAD hv:linux,kvm pSeries
+ Call Trace:
+ dump_stack_lvl+0x130/0x148 (unreliable)
+ __might_resched+0x174/0x410
+ kmem_cache_alloc_noprof+0x340/0x3d0
+ alloc_dtl_buffers+0x124/0x1ac
+ vcpudispatch_stats_write+0x2a8/0x5f4
+ proc_reg_write+0xf4/0x150
+ vfs_write+0xfc/0x438
+ ksys_write+0x88/0x148
+ system_call_exception+0x1c4/0x5a0
+ system_call_common+0xf4/0x258
+
+Fixes: 06220d78f24a ("powerpc/pseries: Introduce rwlock to gatekeep DTLB usage")
+Tested-by: Kajol Jain <kjain@linux.ibm.com>
+Reviewed-by: Nysal Jan K.A <nysal@linux.ibm.com>
+Reviewed-by: Kajol Jain <kjain@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://patch.msgid.link/20240819122401.513203-1-mpe@ellerman.id.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/dtl.h | 4 ++--
+ arch/powerpc/platforms/pseries/dtl.c | 8 ++++----
+ arch/powerpc/platforms/pseries/lpar.c | 8 ++++----
+ 3 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/dtl.h b/arch/powerpc/include/asm/dtl.h
+index 4bcb9f9ac7649..859af5de3c2f9 100644
+--- a/arch/powerpc/include/asm/dtl.h
++++ b/arch/powerpc/include/asm/dtl.h
+@@ -1,8 +1,8 @@
+ #ifndef _ASM_POWERPC_DTL_H
+ #define _ASM_POWERPC_DTL_H
+
++#include <linux/rwsem.h>
+ #include <asm/lppaca.h>
+-#include <linux/spinlock_types.h>
+
+ /*
+ * Layout of entries in the hypervisor's dispatch trace log buffer.
+@@ -35,7 +35,7 @@ struct dtl_entry {
+ #define DTL_LOG_ALL (DTL_LOG_CEDE | DTL_LOG_PREEMPT | DTL_LOG_FAULT)
+
+ extern struct kmem_cache *dtl_cache;
+-extern rwlock_t dtl_access_lock;
++extern struct rw_semaphore dtl_access_lock;
+
+ extern void register_dtl_buffer(int cpu);
+ extern void alloc_dtl_buffers(unsigned long *time_limit);
+diff --git a/arch/powerpc/platforms/pseries/dtl.c b/arch/powerpc/platforms/pseries/dtl.c
+index 3f1cdccebc9c1..ecc04ef8c53e3 100644
+--- a/arch/powerpc/platforms/pseries/dtl.c
++++ b/arch/powerpc/platforms/pseries/dtl.c
+@@ -191,7 +191,7 @@ static int dtl_enable(struct dtl *dtl)
+ return -EBUSY;
+
+ /* ensure there are no other conflicting dtl users */
+- if (!read_trylock(&dtl_access_lock))
++ if (!down_read_trylock(&dtl_access_lock))
+ return -EBUSY;
+
+ n_entries = dtl_buf_entries;
+@@ -199,7 +199,7 @@ static int dtl_enable(struct dtl *dtl)
+ if (!buf) {
+ printk(KERN_WARNING "%s: buffer alloc failed for cpu %d\n",
+ __func__, dtl->cpu);
+- read_unlock(&dtl_access_lock);
++ up_read(&dtl_access_lock);
+ return -ENOMEM;
+ }
+
+@@ -217,7 +217,7 @@ static int dtl_enable(struct dtl *dtl)
+ spin_unlock(&dtl->lock);
+
+ if (rc) {
+- read_unlock(&dtl_access_lock);
++ up_read(&dtl_access_lock);
+ kmem_cache_free(dtl_cache, buf);
+ }
+
+@@ -232,7 +232,7 @@ static void dtl_disable(struct dtl *dtl)
+ dtl->buf = NULL;
+ dtl->buf_entries = 0;
+ spin_unlock(&dtl->lock);
+- read_unlock(&dtl_access_lock);
++ up_read(&dtl_access_lock);
+ }
+
+ /* file interface */
+diff --git a/arch/powerpc/platforms/pseries/lpar.c b/arch/powerpc/platforms/pseries/lpar.c
+index 29d235b02f062..98f8e0a39eb2f 100644
+--- a/arch/powerpc/platforms/pseries/lpar.c
++++ b/arch/powerpc/platforms/pseries/lpar.c
+@@ -167,7 +167,7 @@ struct vcpu_dispatch_data {
+ */
+ #define NR_CPUS_H NR_CPUS
+
+-DEFINE_RWLOCK(dtl_access_lock);
++DECLARE_RWSEM(dtl_access_lock);
+ static DEFINE_PER_CPU(struct vcpu_dispatch_data, vcpu_disp_data);
+ static DEFINE_PER_CPU(u64, dtl_entry_ridx);
+ static DEFINE_PER_CPU(struct dtl_worker, dtl_workers);
+@@ -461,7 +461,7 @@ static int dtl_worker_enable(unsigned long *time_limit)
+ {
+ int rc = 0, state;
+
+- if (!write_trylock(&dtl_access_lock)) {
++ if (!down_write_trylock(&dtl_access_lock)) {
+ rc = -EBUSY;
+ goto out;
+ }
+@@ -477,7 +477,7 @@ static int dtl_worker_enable(unsigned long *time_limit)
+ pr_err("vcpudispatch_stats: unable to setup workqueue for DTL processing\n");
+ free_dtl_buffers(time_limit);
+ reset_global_dtl_mask();
+- write_unlock(&dtl_access_lock);
++ up_write(&dtl_access_lock);
+ rc = -EINVAL;
+ goto out;
+ }
+@@ -492,7 +492,7 @@ static void dtl_worker_disable(unsigned long *time_limit)
+ cpuhp_remove_state(dtl_worker_state);
+ free_dtl_buffers(time_limit);
+ reset_global_dtl_mask();
+- write_unlock(&dtl_access_lock);
++ up_write(&dtl_access_lock);
+ }
+
+ static ssize_t vcpudispatch_stats_write(struct file *file, const char __user *p,
+--
+2.43.0
+
--- /dev/null
+From 42a63dbe2cec833d30132de004a5150d59d6b695 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 15:03:49 +0200
+Subject: powerpc/sstep: make emulate_vsx_load and emulate_vsx_store static
+
+From: Michal Suchanek <msuchanek@suse.de>
+
+[ Upstream commit a26c4dbb3d9c1821cb0fc11cb2dbc32d5bf3463b ]
+
+These functions are not used outside of sstep.c
+
+Fixes: 350779a29f11 ("powerpc: Handle most loads and stores in instruction emulation code")
+Signed-off-by: Michal Suchanek <msuchanek@suse.de>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://patch.msgid.link/20241001130356.14664-1-msuchanek@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/sstep.h | 5 -----
+ arch/powerpc/lib/sstep.c | 12 ++++--------
+ 2 files changed, 4 insertions(+), 13 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/sstep.h b/arch/powerpc/include/asm/sstep.h
+index 50950deedb873..e3d0e714ff280 100644
+--- a/arch/powerpc/include/asm/sstep.h
++++ b/arch/powerpc/include/asm/sstep.h
+@@ -173,9 +173,4 @@ int emulate_step(struct pt_regs *regs, ppc_inst_t instr);
+ */
+ extern int emulate_loadstore(struct pt_regs *regs, struct instruction_op *op);
+
+-extern void emulate_vsx_load(struct instruction_op *op, union vsx_reg *reg,
+- const void *mem, bool cross_endian);
+-extern void emulate_vsx_store(struct instruction_op *op,
+- const union vsx_reg *reg, void *mem,
+- bool cross_endian);
+ extern int emulate_dcbz(unsigned long ea, struct pt_regs *regs);
+diff --git a/arch/powerpc/lib/sstep.c b/arch/powerpc/lib/sstep.c
+index ec30af8eadb7d..289690814ad40 100644
+--- a/arch/powerpc/lib/sstep.c
++++ b/arch/powerpc/lib/sstep.c
+@@ -780,8 +780,8 @@ static nokprobe_inline int emulate_stq(struct pt_regs *regs, unsigned long ea,
+ #endif /* __powerpc64 */
+
+ #ifdef CONFIG_VSX
+-void emulate_vsx_load(struct instruction_op *op, union vsx_reg *reg,
+- const void *mem, bool rev)
++static nokprobe_inline void emulate_vsx_load(struct instruction_op *op, union vsx_reg *reg,
++ const void *mem, bool rev)
+ {
+ int size, read_size;
+ int i, j;
+@@ -863,11 +863,9 @@ void emulate_vsx_load(struct instruction_op *op, union vsx_reg *reg,
+ break;
+ }
+ }
+-EXPORT_SYMBOL_GPL(emulate_vsx_load);
+-NOKPROBE_SYMBOL(emulate_vsx_load);
+
+-void emulate_vsx_store(struct instruction_op *op, const union vsx_reg *reg,
+- void *mem, bool rev)
++static nokprobe_inline void emulate_vsx_store(struct instruction_op *op, const union vsx_reg *reg,
++ void *mem, bool rev)
+ {
+ int size, write_size;
+ int i, j;
+@@ -955,8 +953,6 @@ void emulate_vsx_store(struct instruction_op *op, const union vsx_reg *reg,
+ break;
+ }
+ }
+-EXPORT_SYMBOL_GPL(emulate_vsx_store);
+-NOKPROBE_SYMBOL(emulate_vsx_store);
+
+ static nokprobe_inline int do_vsx_load(struct instruction_op *op,
+ unsigned long ea, struct pt_regs *regs,
+--
+2.43.0
+
--- /dev/null
+From e096f6a034bae5c76860e554906a926866045555 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2024 00:17:57 +0200
+Subject: powerpc/vdso: Flag VDSO64 entry points as functions
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 0161bd38c24312853ed5ae9a425a1c41c4ac674a ]
+
+On powerpc64 as shown below by readelf, vDSO functions symbols have
+type NOTYPE.
+
+$ powerpc64-linux-gnu-readelf -a arch/powerpc/kernel/vdso/vdso64.so.dbg
+ELF Header:
+ Magic: 7f 45 4c 46 02 02 01 00 00 00 00 00 00 00 00 00
+ Class: ELF64
+ Data: 2's complement, big endian
+ Version: 1 (current)
+ OS/ABI: UNIX - System V
+ ABI Version: 0
+ Type: DYN (Shared object file)
+ Machine: PowerPC64
+ Version: 0x1
+...
+
+Symbol table '.dynsym' contains 12 entries:
+ Num: Value Size Type Bind Vis Ndx Name
+...
+ 1: 0000000000000524 84 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+...
+ 4: 0000000000000000 0 OBJECT GLOBAL DEFAULT ABS LINUX_2.6.15
+ 5: 00000000000006c0 48 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+
+Symbol table '.symtab' contains 56 entries:
+ Num: Value Size Type Bind Vis Ndx Name
+...
+ 45: 0000000000000000 0 OBJECT GLOBAL DEFAULT ABS LINUX_2.6.15
+ 46: 00000000000006c0 48 NOTYPE GLOBAL DEFAULT 8 __kernel_getcpu
+ 47: 0000000000000524 84 NOTYPE GLOBAL DEFAULT 8 __kernel_clock_getres
+
+To overcome that, commit ba83b3239e65 ("selftests: vDSO: fix vDSO
+symbols lookup for powerpc64") was applied to have selftests also
+look for NOTYPE symbols, but the correct fix should be to flag VDSO
+entry points as functions.
+
+The original commit that brought VDSO support into powerpc/64 has the
+following explanation:
+
+ Note that the symbols exposed by the vDSO aren't "normal" function symbols, apps
+ can't be expected to link against them directly, the vDSO's are both seen
+ as if they were linked at 0 and the symbols just contain offsets to the
+ various functions. This is done on purpose to avoid a relocation step
+ (ppc64 functions normally have descriptors with abs addresses in them).
+ When glibc uses those functions, it's expected to use it's own trampolines
+ that know how to reach them.
+
+The descriptors it's talking about are the OPD function descriptors
+used on ABI v1 (big endian). But it would be more correct for a text
+symbol to have type function, even if there's no function descriptor
+for it.
+
+glibc has a special case already for handling the VDSO symbols which
+creates a fake opd pointing at the kernel symbol. So changing the VDSO
+symbol type to function shouldn't affect that.
+
+For ABI v2, there is no function descriptors and VDSO functions can
+safely have function type.
+
+So lets flag VDSO entry points as functions and revert the
+selftest change.
+
+Link: https://github.com/mpe/linux-fullhistory/commit/5f2dd691b62da9d9cc54b938f8b29c22c93cb805
+Fixes: ba83b3239e65 ("selftests: vDSO: fix vDSO symbols lookup for powerpc64")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Reviewed-By: Segher Boessenkool <segher@kernel.crashing.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://patch.msgid.link/b6ad2f1ee9887af3ca5ecade2a56f4acda517a85.1728512263.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/vdso.h | 1 +
+ tools/testing/selftests/vDSO/parse_vdso.c | 3 +--
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/vdso.h b/arch/powerpc/include/asm/vdso.h
+index 7650b6ce14c85..8d972bc98b55f 100644
+--- a/arch/powerpc/include/asm/vdso.h
++++ b/arch/powerpc/include/asm/vdso.h
+@@ -25,6 +25,7 @@ int vdso_getcpu_init(void);
+ #ifdef __VDSO64__
+ #define V_FUNCTION_BEGIN(name) \
+ .globl name; \
++ .type name,@function; \
+ name: \
+
+ #define V_FUNCTION_END(name) \
+diff --git a/tools/testing/selftests/vDSO/parse_vdso.c b/tools/testing/selftests/vDSO/parse_vdso.c
+index 7dd5668ea8a6e..28f35620c4991 100644
+--- a/tools/testing/selftests/vDSO/parse_vdso.c
++++ b/tools/testing/selftests/vDSO/parse_vdso.c
+@@ -222,8 +222,7 @@ void *vdso_sym(const char *version, const char *name)
+ ELF(Sym) *sym = &vdso_info.symtab[chain];
+
+ /* Check for a defined global or weak function w/ right name. */
+- if (ELF64_ST_TYPE(sym->st_info) != STT_FUNC &&
+- ELF64_ST_TYPE(sym->st_info) != STT_NOTYPE)
++ if (ELF64_ST_TYPE(sym->st_info) != STT_FUNC)
+ continue;
+ if (ELF64_ST_BIND(sym->st_info) != STB_GLOBAL &&
+ ELF64_ST_BIND(sym->st_info) != STB_WEAK)
+--
+2.43.0
+
--- /dev/null
+From b67ebfbfa9f951e694ce495c76717a53dfb3a430 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 15:41:23 -0400
+Subject: pwm: imx27: Workaround of the pwm output bug when decrease the duty
+ cycle
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Clark Wang <xiaoning.wang@nxp.com>
+
+[ Upstream commit a25351e4c7740eb22561a3ee4ef17611c6f410b0 ]
+
+Implement workaround for ERR051198
+(https://www.nxp.com/docs/en/errata/IMX8MN_0N14Y.pdf)
+
+PWM output may not function correctly if the FIFO is empty when a new SAR
+value is programmed.
+
+Description:
+ When the PWM FIFO is empty, a new value programmed to the PWM Sample
+ register (PWM_PWMSAR) will be directly applied even if the current timer
+ period has not expired. If the new SAMPLE value programmed in the
+ PWM_PWMSAR register is less than the previous value, and the PWM counter
+ register (PWM_PWMCNR) that contains the current COUNT value is greater
+ than the new programmed SAMPLE value, the current period will not flip
+ the level. This may result in an output pulse with a duty cycle of 100%.
+
+Workaround:
+ Program the current SAMPLE value in the PWM_PWMSAR register before
+ updating the new duty cycle to the SAMPLE value in the PWM_PWMSAR
+ register. This will ensure that the new SAMPLE value is modified during
+ a non-empty FIFO, and can be successfully updated after the period
+ expires.
+
+Write the old SAR value before updating the new duty cycle to SAR. This
+avoids writing the new value into an empty FIFO.
+
+This only resolves the issue when the PWM period is longer than 2us
+(or <500kHz) because write register is not quick enough when PWM period is
+very short.
+
+Reproduce steps:
+ cd /sys/class/pwm/pwmchip1/pwm0
+ echo 2000000000 > period # It is easy to observe by using long period
+ echo 1000000000 > duty_cycle
+ echo 1 > enable
+ echo 8000 > duty_cycle # One full high pulse will be seen by scope
+
+Fixes: 166091b1894d ("[ARM] MXC: add pwm driver for i.MX SoCs")
+Reviewed-by: Jun Li <jun.li@nxp.com>
+Signed-off-by: Clark Wang <xiaoning.wang@nxp.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Link: https://lore.kernel.org/r/20241008194123.1943141-1-Frank.Li@nxp.com
+Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-imx27.c | 98 ++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 96 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pwm/pwm-imx27.c b/drivers/pwm/pwm-imx27.c
+index 3a22c2fddc452..0cd42ae5c0a4c 100644
+--- a/drivers/pwm/pwm-imx27.c
++++ b/drivers/pwm/pwm-imx27.c
+@@ -26,6 +26,7 @@
+ #define MX3_PWMSR 0x04 /* PWM Status Register */
+ #define MX3_PWMSAR 0x0C /* PWM Sample Register */
+ #define MX3_PWMPR 0x10 /* PWM Period Register */
++#define MX3_PWMCNR 0x14 /* PWM Counter Register */
+
+ #define MX3_PWMCR_FWM GENMASK(27, 26)
+ #define MX3_PWMCR_STOPEN BIT(25)
+@@ -217,11 +218,13 @@ static void pwm_imx27_wait_fifo_slot(struct pwm_chip *chip,
+ static int pwm_imx27_apply(struct pwm_chip *chip, struct pwm_device *pwm,
+ const struct pwm_state *state)
+ {
+- unsigned long period_cycles, duty_cycles, prescale;
++ unsigned long period_cycles, duty_cycles, prescale, period_us, tmp;
+ struct pwm_imx27_chip *imx = to_pwm_imx27_chip(chip);
+ struct pwm_state cstate;
+ unsigned long long c;
+ unsigned long long clkrate;
++ unsigned long flags;
++ int val;
+ int ret;
+ u32 cr;
+
+@@ -264,7 +267,98 @@ static int pwm_imx27_apply(struct pwm_chip *chip, struct pwm_device *pwm,
+ pwm_imx27_sw_reset(chip);
+ }
+
+- writel(duty_cycles, imx->mmio_base + MX3_PWMSAR);
++ val = readl(imx->mmio_base + MX3_PWMPR);
++ val = val >= MX3_PWMPR_MAX ? MX3_PWMPR_MAX : val;
++ cr = readl(imx->mmio_base + MX3_PWMCR);
++ tmp = NSEC_PER_SEC * (u64)(val + 2) * MX3_PWMCR_PRESCALER_GET(cr);
++ tmp = DIV_ROUND_UP_ULL(tmp, clkrate);
++ period_us = DIV_ROUND_UP_ULL(tmp, 1000);
++
++ /*
++ * ERR051198:
++ * PWM: PWM output may not function correctly if the FIFO is empty when
++ * a new SAR value is programmed
++ *
++ * Description:
++ * When the PWM FIFO is empty, a new value programmed to the PWM Sample
++ * register (PWM_PWMSAR) will be directly applied even if the current
++ * timer period has not expired.
++ *
++ * If the new SAMPLE value programmed in the PWM_PWMSAR register is
++ * less than the previous value, and the PWM counter register
++ * (PWM_PWMCNR) that contains the current COUNT value is greater than
++ * the new programmed SAMPLE value, the current period will not flip
++ * the level. This may result in an output pulse with a duty cycle of
++ * 100%.
++ *
++ * Consider a change from
++ * ________
++ * / \______/
++ * ^ * ^
++ * to
++ * ____
++ * / \__________/
++ * ^ ^
++ * At the time marked by *, the new write value will be directly applied
++ * to SAR even the current period is not over if FIFO is empty.
++ *
++ * ________ ____________________
++ * / \______/ \__________/
++ * ^ ^ * ^ ^
++ * |<-- old SAR -->| |<-- new SAR -->|
++ *
++ * That is the output is active for a whole period.
++ *
++ * Workaround:
++ * Check new SAR less than old SAR and current counter is in errata
++ * windows, write extra old SAR into FIFO and new SAR will effect at
++ * next period.
++ *
++ * Sometime period is quite long, such as over 1 second. If add old SAR
++ * into FIFO unconditional, new SAR have to wait for next period. It
++ * may be too long.
++ *
++ * Turn off the interrupt to ensure that not IRQ and schedule happen
++ * during above operations. If any irq and schedule happen, counter
++ * in PWM will be out of data and take wrong action.
++ *
++ * Add a safety margin 1.5us because it needs some time to complete
++ * IO write.
++ *
++ * Use writel_relaxed() to minimize the interval between two writes to
++ * the SAR register to increase the fastest PWM frequency supported.
++ *
++ * When the PWM period is longer than 2us(or <500kHz), this workaround
++ * can solve this problem. No software workaround is available if PWM
++ * period is shorter than IO write. Just try best to fill old data
++ * into FIFO.
++ */
++ c = clkrate * 1500;
++ do_div(c, NSEC_PER_SEC);
++
++ local_irq_save(flags);
++ val = FIELD_GET(MX3_PWMSR_FIFOAV, readl_relaxed(imx->mmio_base + MX3_PWMSR));
++
++ if (duty_cycles < imx->duty_cycle && (cr & MX3_PWMCR_EN)) {
++ if (period_us < 2) { /* 2us = 500 kHz */
++ /* Best effort attempt to fix up >500 kHz case */
++ udelay(3 * period_us);
++ writel_relaxed(imx->duty_cycle, imx->mmio_base + MX3_PWMSAR);
++ writel_relaxed(imx->duty_cycle, imx->mmio_base + MX3_PWMSAR);
++ } else if (val < MX3_PWMSR_FIFOAV_2WORDS) {
++ val = readl_relaxed(imx->mmio_base + MX3_PWMCNR);
++ /*
++ * If counter is close to period, controller may roll over when
++ * next IO write.
++ */
++ if ((val + c >= duty_cycles && val < imx->duty_cycle) ||
++ val + c >= period_cycles)
++ writel_relaxed(imx->duty_cycle, imx->mmio_base + MX3_PWMSAR);
++ }
++ }
++ writel_relaxed(duty_cycles, imx->mmio_base + MX3_PWMSAR);
++ local_irq_restore(flags);
++
+ writel(period_cycles, imx->mmio_base + MX3_PWMPR);
+
+ /*
+--
+2.43.0
+
--- /dev/null
+From 3fafbbecc46fc23f1705cc2b6ed92046b13d536b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Oct 2024 03:06:54 -0700
+Subject: RDMA/bnxt_re: Check cqe flags to know imm_data vs inv_irkey
+
+From: Kashyap Desai <kashyap.desai@broadcom.com>
+
+[ Upstream commit 808ca6de989c598bc5af1ae0ad971a66077efac0 ]
+
+Invalidate rkey is cpu endian and immediate data is in big endian format.
+Both immediate data and invalidate the remote key returned by
+HW is in little endian format.
+
+While handling the commit in fixes tag, the difference between
+immediate data and invalidate rkey endianness was not considered.
+
+Without changes of this patch, Kernel ULP was failing while processing
+inv_rkey.
+
+dmesg log snippet -
+nvme nvme0: Bogus remote invalidation for rkey 0x2000019Fix in this patch
+
+Do endianness conversion based on completion queue entry flag.
+Also, the HW completions are already converted to host endianness in
+bnxt_qplib_cq_process_res_rc and bnxt_qplib_cq_process_res_ud and there
+is no need to convert it again in bnxt_re_poll_cq. Modified the union to
+hold the correct data type.
+
+Fixes: 95b087f87b78 ("bnxt_re: Fix imm_data endianness")
+Signed-off-by: Kashyap Desai <kashyap.desai@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Link: https://patch.msgid.link/1730110014-20755-1-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c | 7 +++++--
+ drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 +-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+index 4c34cb1cb7866..13102ba93847a 100644
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -3340,7 +3340,7 @@ static void bnxt_re_process_res_shadow_qp_wc(struct bnxt_re_qp *gsi_sqp,
+ wc->byte_len = orig_cqe->length;
+ wc->qp = &gsi_qp->ib_qp;
+
+- wc->ex.imm_data = cpu_to_be32(le32_to_cpu(orig_cqe->immdata));
++ wc->ex.imm_data = cpu_to_be32(orig_cqe->immdata);
+ wc->src_qp = orig_cqe->src_qp;
+ memcpy(wc->smac, orig_cqe->smac, ETH_ALEN);
+ if (bnxt_re_is_vlan_pkt(orig_cqe, &vlan_id, &sl)) {
+@@ -3476,7 +3476,10 @@ int bnxt_re_poll_cq(struct ib_cq *ib_cq, int num_entries, struct ib_wc *wc)
+ (unsigned long)(cqe->qp_handle),
+ struct bnxt_re_qp, qplib_qp);
+ wc->qp = &qp->ib_qp;
+- wc->ex.imm_data = cpu_to_be32(le32_to_cpu(cqe->immdata));
++ if (cqe->flags & CQ_RES_RC_FLAGS_IMM)
++ wc->ex.imm_data = cpu_to_be32(cqe->immdata);
++ else
++ wc->ex.invalidate_rkey = cqe->invrkey;
+ wc->src_qp = cqe->src_qp;
+ memcpy(wc->smac, cqe->smac, ETH_ALEN);
+ wc->port_num = 1;
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.h b/drivers/infiniband/hw/bnxt_re/qplib_fp.h
+index 57a3dae87f659..13263ce2309d7 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.h
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.h
+@@ -374,7 +374,7 @@ struct bnxt_qplib_cqe {
+ u16 cfa_meta;
+ u64 wr_id;
+ union {
+- __le32 immdata;
++ u32 immdata;
+ u32 invrkey;
+ };
+ u64 qp_handle;
+--
+2.43.0
+
--- /dev/null
+From 6c681855b3318803902e2f3b6aadee605cb06e29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 May 2023 20:16:41 +0800
+Subject: RDMA/hns: Add clear_hem return value to log
+
+From: Chengchang Tang <tangchengchang@huawei.com>
+
+[ Upstream commit a519a612a71848b69b70b18b4d14d165b2d8aaf7 ]
+
+Log return value of clear_hem() to help diagnose.
+
+Link: https://lore.kernel.org/r/20230523121641.3132102-4-huangjunxian6@hisilicon.com
+Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Stable-dep-of: d81fb6511abf ("RDMA/hns: Use dev_* printings in hem code instead of ibdev_*")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hem.c | 44 ++++++++++++++++--------
+ 1 file changed, 30 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c
+index 2c8f0fd9557d1..d0f338ff78df5 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hem.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hem.c
+@@ -619,6 +619,7 @@ static void clear_mhop_hem(struct hns_roce_dev *hr_dev,
+ u32 hop_num = mhop->hop_num;
+ u32 chunk_ba_num;
+ u32 step_idx;
++ int ret;
+
+ index->inited = HEM_INDEX_BUF;
+ chunk_ba_num = mhop->bt_chunk_size / BA_BYTE_LEN;
+@@ -642,16 +643,24 @@ static void clear_mhop_hem(struct hns_roce_dev *hr_dev,
+ else
+ step_idx = hop_num;
+
+- if (hr_dev->hw->clear_hem(hr_dev, table, obj, step_idx))
+- ibdev_warn(ibdev, "failed to clear hop%u HEM.\n", hop_num);
+-
+- if (index->inited & HEM_INDEX_L1)
+- if (hr_dev->hw->clear_hem(hr_dev, table, obj, 1))
+- ibdev_warn(ibdev, "failed to clear HEM step 1.\n");
++ ret = hr_dev->hw->clear_hem(hr_dev, table, obj, step_idx);
++ if (ret)
++ ibdev_warn(ibdev, "failed to clear hop%u HEM, ret = %d.\n",
++ hop_num, ret);
++
++ if (index->inited & HEM_INDEX_L1) {
++ ret = hr_dev->hw->clear_hem(hr_dev, table, obj, 1);
++ if (ret)
++ ibdev_warn(ibdev, "failed to clear HEM step 1, ret = %d.\n",
++ ret);
++ }
+
+- if (index->inited & HEM_INDEX_L0)
+- if (hr_dev->hw->clear_hem(hr_dev, table, obj, 0))
+- ibdev_warn(ibdev, "failed to clear HEM step 0.\n");
++ if (index->inited & HEM_INDEX_L0) {
++ ret = hr_dev->hw->clear_hem(hr_dev, table, obj, 0);
++ if (ret)
++ ibdev_warn(ibdev, "failed to clear HEM step 0, ret = %d.\n",
++ ret);
++ }
+ }
+ }
+
+@@ -688,6 +697,7 @@ void hns_roce_table_put(struct hns_roce_dev *hr_dev,
+ {
+ struct device *dev = hr_dev->dev;
+ unsigned long i;
++ int ret;
+
+ if (hns_roce_check_whether_mhop(hr_dev, table->type)) {
+ hns_roce_table_mhop_put(hr_dev, table, obj, 1);
+@@ -700,8 +710,10 @@ void hns_roce_table_put(struct hns_roce_dev *hr_dev,
+ &table->mutex))
+ return;
+
+- if (hr_dev->hw->clear_hem(hr_dev, table, obj, HEM_HOP_STEP_DIRECT))
+- dev_warn(dev, "failed to clear HEM base address.\n");
++ ret = hr_dev->hw->clear_hem(hr_dev, table, obj, HEM_HOP_STEP_DIRECT);
++ if (ret)
++ dev_warn(dev, "failed to clear HEM base address, ret = %d.\n",
++ ret);
+
+ hns_roce_free_hem(hr_dev, table->hem[i]);
+ table->hem[i] = NULL;
+@@ -917,6 +929,8 @@ void hns_roce_cleanup_hem_table(struct hns_roce_dev *hr_dev,
+ {
+ struct device *dev = hr_dev->dev;
+ unsigned long i;
++ int obj;
++ int ret;
+
+ if (hns_roce_check_whether_mhop(hr_dev, table->type)) {
+ hns_roce_cleanup_mhop_hem_table(hr_dev, table);
+@@ -925,9 +939,11 @@ void hns_roce_cleanup_hem_table(struct hns_roce_dev *hr_dev,
+
+ for (i = 0; i < table->num_hem; ++i)
+ if (table->hem[i]) {
+- if (hr_dev->hw->clear_hem(hr_dev, table,
+- i * table->table_chunk_size / table->obj_size, 0))
+- dev_err(dev, "clear HEM base address failed.\n");
++ obj = i * table->table_chunk_size / table->obj_size;
++ ret = hr_dev->hw->clear_hem(hr_dev, table, obj, 0);
++ if (ret)
++ dev_err(dev, "clear HEM base address failed, ret = %d.\n",
++ ret);
+
+ hns_roce_free_hem(hr_dev, table->hem[i]);
+ }
+--
+2.43.0
+
--- /dev/null
+From 0ad1eb3b6ebe2e0707f9891a40a0e837f70a699d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2024 20:39:56 +0800
+Subject: RDMA/hns: Fix an AEQE overflow error caused by untimely update of
+ eq_db_ci
+
+From: wenglianfa <wenglianfa@huawei.com>
+
+[ Upstream commit 571e4ab8a45e530623ab129803f090a844dd3fe9 ]
+
+eq_db_ci is updated only after all AEQEs are processed in the AEQ
+interrupt handler, which is not timely enough and may result in
+AEQ overflow. Two optimization methods are proposed:
+1. Set an upper limit for AEQE processing.
+2. Move time-consuming operations such as printings to the bottom
+half of the interrupt.
+
+cmd events and flush_cqe events are still fully processed in the top half
+to ensure timely handling.
+
+Fixes: a5073d6054f7 ("RDMA/hns: Add eq support of hip08")
+Signed-off-by: wenglianfa <wenglianfa@huawei.com>
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20241024124000.2931869-2-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_device.h | 1 +
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 75 ++++++++++++++-------
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 5 ++
+ drivers/infiniband/hw/hns/hns_roce_qp.c | 54 +++++++++------
+ 4 files changed, 91 insertions(+), 44 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_device.h b/drivers/infiniband/hw/hns/hns_roce_device.h
+index a2bdfa026c560..5b8b68b2d69cf 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_device.h
++++ b/drivers/infiniband/hw/hns/hns_roce_device.h
+@@ -1228,6 +1228,7 @@ void hns_roce_cq_completion(struct hns_roce_dev *hr_dev, u32 cqn);
+ void hns_roce_cq_event(struct hns_roce_dev *hr_dev, u32 cqn, int event_type);
+ void flush_cqe(struct hns_roce_dev *dev, struct hns_roce_qp *qp);
+ void hns_roce_qp_event(struct hns_roce_dev *hr_dev, u32 qpn, int event_type);
++void hns_roce_flush_cqe(struct hns_roce_dev *hr_dev, u32 qpn);
+ void hns_roce_srq_event(struct hns_roce_dev *hr_dev, u32 srqn, int event_type);
+ u8 hns_get_gid_index(struct hns_roce_dev *hr_dev, u32 port, int gid_index);
+ void hns_roce_handle_device_err(struct hns_roce_dev *hr_dev);
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 56c0e87c494ec..8b371d6ecbac9 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -5977,11 +5977,10 @@ static int hns_roce_v2_query_mpt(struct hns_roce_dev *hr_dev, u32 key,
+ return ret;
+ }
+
+-static void hns_roce_irq_work_handle(struct work_struct *work)
++static void dump_aeqe_log(struct hns_roce_work *irq_work)
+ {
+- struct hns_roce_work *irq_work =
+- container_of(work, struct hns_roce_work, work);
+- struct ib_device *ibdev = &irq_work->hr_dev->ib_dev;
++ struct hns_roce_dev *hr_dev = irq_work->hr_dev;
++ struct ib_device *ibdev = &hr_dev->ib_dev;
+
+ switch (irq_work->event_type) {
+ case HNS_ROCE_EVENT_TYPE_PATH_MIG:
+@@ -6025,6 +6024,8 @@ static void hns_roce_irq_work_handle(struct work_struct *work)
+ case HNS_ROCE_EVENT_TYPE_DB_OVERFLOW:
+ ibdev_warn(ibdev, "DB overflow.\n");
+ break;
++ case HNS_ROCE_EVENT_TYPE_MB:
++ break;
+ case HNS_ROCE_EVENT_TYPE_FLR:
+ ibdev_warn(ibdev, "function level reset.\n");
+ break;
+@@ -6035,8 +6036,46 @@ static void hns_roce_irq_work_handle(struct work_struct *work)
+ ibdev_err(ibdev, "invalid xrceth error.\n");
+ break;
+ default:
++ ibdev_info(ibdev, "Undefined event %d.\n",
++ irq_work->event_type);
+ break;
+ }
++}
++
++static void hns_roce_irq_work_handle(struct work_struct *work)
++{
++ struct hns_roce_work *irq_work =
++ container_of(work, struct hns_roce_work, work);
++ struct hns_roce_dev *hr_dev = irq_work->hr_dev;
++ int event_type = irq_work->event_type;
++ u32 queue_num = irq_work->queue_num;
++
++ switch (event_type) {
++ case HNS_ROCE_EVENT_TYPE_PATH_MIG:
++ case HNS_ROCE_EVENT_TYPE_PATH_MIG_FAILED:
++ case HNS_ROCE_EVENT_TYPE_COMM_EST:
++ case HNS_ROCE_EVENT_TYPE_SQ_DRAINED:
++ case HNS_ROCE_EVENT_TYPE_WQ_CATAS_ERROR:
++ case HNS_ROCE_EVENT_TYPE_SRQ_LAST_WQE_REACH:
++ case HNS_ROCE_EVENT_TYPE_INV_REQ_LOCAL_WQ_ERROR:
++ case HNS_ROCE_EVENT_TYPE_LOCAL_WQ_ACCESS_ERROR:
++ case HNS_ROCE_EVENT_TYPE_XRCD_VIOLATION:
++ case HNS_ROCE_EVENT_TYPE_INVALID_XRCETH:
++ hns_roce_qp_event(hr_dev, queue_num, event_type);
++ break;
++ case HNS_ROCE_EVENT_TYPE_SRQ_LIMIT_REACH:
++ case HNS_ROCE_EVENT_TYPE_SRQ_CATAS_ERROR:
++ hns_roce_srq_event(hr_dev, queue_num, event_type);
++ break;
++ case HNS_ROCE_EVENT_TYPE_CQ_ACCESS_ERROR:
++ case HNS_ROCE_EVENT_TYPE_CQ_OVERFLOW:
++ hns_roce_cq_event(hr_dev, queue_num, event_type);
++ break;
++ default:
++ break;
++ }
++
++ dump_aeqe_log(irq_work);
+
+ kfree(irq_work);
+ }
+@@ -6097,14 +6136,14 @@ static struct hns_roce_aeqe *next_aeqe_sw_v2(struct hns_roce_eq *eq)
+ static irqreturn_t hns_roce_v2_aeq_int(struct hns_roce_dev *hr_dev,
+ struct hns_roce_eq *eq)
+ {
+- struct device *dev = hr_dev->dev;
+ struct hns_roce_aeqe *aeqe = next_aeqe_sw_v2(eq);
+ irqreturn_t aeqe_found = IRQ_NONE;
++ int num_aeqes = 0;
+ int event_type;
+ u32 queue_num;
+ int sub_type;
+
+- while (aeqe) {
++ while (aeqe && num_aeqes < HNS_AEQ_POLLING_BUDGET) {
+ /* Make sure we read AEQ entry after we have checked the
+ * ownership bit
+ */
+@@ -6115,25 +6154,12 @@ static irqreturn_t hns_roce_v2_aeq_int(struct hns_roce_dev *hr_dev,
+ queue_num = hr_reg_read(aeqe, AEQE_EVENT_QUEUE_NUM);
+
+ switch (event_type) {
+- case HNS_ROCE_EVENT_TYPE_PATH_MIG:
+- case HNS_ROCE_EVENT_TYPE_PATH_MIG_FAILED:
+- case HNS_ROCE_EVENT_TYPE_COMM_EST:
+- case HNS_ROCE_EVENT_TYPE_SQ_DRAINED:
+ case HNS_ROCE_EVENT_TYPE_WQ_CATAS_ERROR:
+- case HNS_ROCE_EVENT_TYPE_SRQ_LAST_WQE_REACH:
+ case HNS_ROCE_EVENT_TYPE_INV_REQ_LOCAL_WQ_ERROR:
+ case HNS_ROCE_EVENT_TYPE_LOCAL_WQ_ACCESS_ERROR:
+ case HNS_ROCE_EVENT_TYPE_XRCD_VIOLATION:
+ case HNS_ROCE_EVENT_TYPE_INVALID_XRCETH:
+- hns_roce_qp_event(hr_dev, queue_num, event_type);
+- break;
+- case HNS_ROCE_EVENT_TYPE_SRQ_LIMIT_REACH:
+- case HNS_ROCE_EVENT_TYPE_SRQ_CATAS_ERROR:
+- hns_roce_srq_event(hr_dev, queue_num, event_type);
+- break;
+- case HNS_ROCE_EVENT_TYPE_CQ_ACCESS_ERROR:
+- case HNS_ROCE_EVENT_TYPE_CQ_OVERFLOW:
+- hns_roce_cq_event(hr_dev, queue_num, event_type);
++ hns_roce_flush_cqe(hr_dev, queue_num);
+ break;
+ case HNS_ROCE_EVENT_TYPE_MB:
+ hns_roce_cmd_event(hr_dev,
+@@ -6141,12 +6167,7 @@ static irqreturn_t hns_roce_v2_aeq_int(struct hns_roce_dev *hr_dev,
+ aeqe->event.cmd.status,
+ le64_to_cpu(aeqe->event.cmd.out_param));
+ break;
+- case HNS_ROCE_EVENT_TYPE_DB_OVERFLOW:
+- case HNS_ROCE_EVENT_TYPE_FLR:
+- break;
+ default:
+- dev_err(dev, "unhandled event %d on EQ %d at idx %u.\n",
+- event_type, eq->eqn, eq->cons_index);
+ break;
+ }
+
+@@ -6158,6 +6179,7 @@ static irqreturn_t hns_roce_v2_aeq_int(struct hns_roce_dev *hr_dev,
+ hns_roce_v2_init_irq_work(hr_dev, eq, queue_num);
+
+ aeqe = next_aeqe_sw_v2(eq);
++ ++num_aeqes;
+ }
+
+ update_eq_db(eq);
+@@ -6687,6 +6709,9 @@ static int hns_roce_v2_init_eq_table(struct hns_roce_dev *hr_dev)
+ int ret;
+ int i;
+
++ if (hr_dev->caps.aeqe_depth < HNS_AEQ_POLLING_BUDGET)
++ return -EINVAL;
++
+ other_num = hr_dev->caps.num_other_vectors;
+ comp_num = hr_dev->caps.num_comp_vectors;
+ aeq_num = hr_dev->caps.num_aeq_vectors;
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+index 2b4dbbb06eb56..e24ddbcafe0fc 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+@@ -114,6 +114,11 @@
+
+ #define HNS_ROCE_V2_TABLE_CHUNK_SIZE (1 << 18)
+
++/* budget must be smaller than aeqe_depth to guarantee that we update
++ * the ci before we polled all the entries in the EQ.
++ */
++#define HNS_AEQ_POLLING_BUDGET 64
++
+ enum {
+ HNS_ROCE_CMD_FLAG_IN = BIT(0),
+ HNS_ROCE_CMD_FLAG_OUT = BIT(1),
+diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c b/drivers/infiniband/hw/hns/hns_roce_qp.c
+index e158ed9e6c83c..7af6631761044 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_qp.c
++++ b/drivers/infiniband/hw/hns/hns_roce_qp.c
+@@ -39,6 +39,25 @@
+ #include "hns_roce_device.h"
+ #include "hns_roce_hem.h"
+
++static struct hns_roce_qp *hns_roce_qp_lookup(struct hns_roce_dev *hr_dev,
++ u32 qpn)
++{
++ struct device *dev = hr_dev->dev;
++ struct hns_roce_qp *qp;
++ unsigned long flags;
++
++ xa_lock_irqsave(&hr_dev->qp_table_xa, flags);
++ qp = __hns_roce_qp_lookup(hr_dev, qpn);
++ if (qp)
++ refcount_inc(&qp->refcount);
++ xa_unlock_irqrestore(&hr_dev->qp_table_xa, flags);
++
++ if (!qp)
++ dev_warn(dev, "async event for bogus QP %08x\n", qpn);
++
++ return qp;
++}
++
+ static void flush_work_handle(struct work_struct *work)
+ {
+ struct hns_roce_work *flush_work = container_of(work,
+@@ -95,31 +114,28 @@ void flush_cqe(struct hns_roce_dev *dev, struct hns_roce_qp *qp)
+
+ void hns_roce_qp_event(struct hns_roce_dev *hr_dev, u32 qpn, int event_type)
+ {
+- struct device *dev = hr_dev->dev;
+ struct hns_roce_qp *qp;
+
+- xa_lock(&hr_dev->qp_table_xa);
+- qp = __hns_roce_qp_lookup(hr_dev, qpn);
+- if (qp)
+- refcount_inc(&qp->refcount);
+- xa_unlock(&hr_dev->qp_table_xa);
+-
+- if (!qp) {
+- dev_warn(dev, "async event for bogus QP %08x\n", qpn);
++ qp = hns_roce_qp_lookup(hr_dev, qpn);
++ if (!qp)
+ return;
+- }
+
+- if (event_type == HNS_ROCE_EVENT_TYPE_WQ_CATAS_ERROR ||
+- event_type == HNS_ROCE_EVENT_TYPE_INV_REQ_LOCAL_WQ_ERROR ||
+- event_type == HNS_ROCE_EVENT_TYPE_LOCAL_WQ_ACCESS_ERROR ||
+- event_type == HNS_ROCE_EVENT_TYPE_XRCD_VIOLATION ||
+- event_type == HNS_ROCE_EVENT_TYPE_INVALID_XRCETH) {
+- qp->state = IB_QPS_ERR;
++ qp->event(qp, (enum hns_roce_event)event_type);
+
+- flush_cqe(hr_dev, qp);
+- }
++ if (refcount_dec_and_test(&qp->refcount))
++ complete(&qp->free);
++}
+
+- qp->event(qp, (enum hns_roce_event)event_type);
++void hns_roce_flush_cqe(struct hns_roce_dev *hr_dev, u32 qpn)
++{
++ struct hns_roce_qp *qp;
++
++ qp = hns_roce_qp_lookup(hr_dev, qpn);
++ if (!qp)
++ return;
++
++ qp->state = IB_QPS_ERR;
++ flush_cqe(hr_dev, qp);
+
+ if (refcount_dec_and_test(&qp->refcount))
+ complete(&qp->free);
+--
+2.43.0
+
--- /dev/null
+From fffedc3136d7e7779cab7d16427bf22fcb0f1c44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2024 20:40:00 +0800
+Subject: RDMA/hns: Fix cpu stuck caused by printings during reset
+
+From: wenglianfa <wenglianfa@huawei.com>
+
+[ Upstream commit 323275ac2ff15b2b7b3eac391ae5d8c5a3c3a999 ]
+
+During reset, cmd to destroy resources such as qp, cq, and mr may fail,
+and error logs will be printed. When a large number of resources are
+destroyed, there will be lots of printings, and it may lead to a cpu
+stuck.
+
+Delete some unnecessary printings and replace other printing functions
+in these paths with the ratelimited version.
+
+Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver")
+Fixes: c7bcb13442e1 ("RDMA/hns: Add SRQ support for hip08 kernel mode")
+Fixes: 70f92521584f ("RDMA/hns: Use the reserved loopback QPs to free MR before destroying MPT")
+Fixes: 926a01dc000d ("RDMA/hns: Add QP operations support for hip08 SoC")
+Signed-off-by: wenglianfa <wenglianfa@huawei.com>
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20241024124000.2931869-6-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_cq.c | 4 +-
+ drivers/infiniband/hw/hns/hns_roce_hem.c | 4 +-
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 73 ++++++++++------------
+ drivers/infiniband/hw/hns/hns_roce_mr.c | 4 +-
+ drivers/infiniband/hw/hns/hns_roce_srq.c | 4 +-
+ 5 files changed, 41 insertions(+), 48 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_cq.c b/drivers/infiniband/hw/hns/hns_roce_cq.c
+index ff177466de9b4..9b91731a62079 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_cq.c
++++ b/drivers/infiniband/hw/hns/hns_roce_cq.c
+@@ -180,8 +180,8 @@ static void free_cqc(struct hns_roce_dev *hr_dev, struct hns_roce_cq *hr_cq)
+ ret = hns_roce_destroy_hw_ctx(hr_dev, HNS_ROCE_CMD_DESTROY_CQC,
+ hr_cq->cqn);
+ if (ret)
+- dev_err(dev, "DESTROY_CQ failed (%d) for CQN %06lx\n", ret,
+- hr_cq->cqn);
++ dev_err_ratelimited(dev, "DESTROY_CQ failed (%d) for CQN %06lx\n",
++ ret, hr_cq->cqn);
+
+ xa_erase_irq(&cq_table->array, hr_cq->cqn);
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c
+index d1b00bb389d9f..f605eb8fd13a2 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hem.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hem.c
+@@ -712,8 +712,8 @@ void hns_roce_table_put(struct hns_roce_dev *hr_dev,
+
+ ret = hr_dev->hw->clear_hem(hr_dev, table, obj, HEM_HOP_STEP_DIRECT);
+ if (ret)
+- dev_warn(dev, "failed to clear HEM base address, ret = %d.\n",
+- ret);
++ dev_warn_ratelimited(dev, "failed to clear HEM base address, ret = %d.\n",
++ ret);
+
+ hns_roce_free_hem(hr_dev, table->hem[i]);
+ table->hem[i] = NULL;
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index b190e0cd86b45..d0846d2c97ccf 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -372,19 +372,12 @@ static int set_rwqe_data_seg(struct ib_qp *ibqp, const struct ib_send_wr *wr,
+ static int check_send_valid(struct hns_roce_dev *hr_dev,
+ struct hns_roce_qp *hr_qp)
+ {
+- struct ib_device *ibdev = &hr_dev->ib_dev;
+-
+ if (unlikely(hr_qp->state == IB_QPS_RESET ||
+ hr_qp->state == IB_QPS_INIT ||
+- hr_qp->state == IB_QPS_RTR)) {
+- ibdev_err(ibdev, "failed to post WQE, QP state %u!\n",
+- hr_qp->state);
++ hr_qp->state == IB_QPS_RTR))
+ return -EINVAL;
+- } else if (unlikely(hr_dev->state >= HNS_ROCE_DEVICE_STATE_RST_DOWN)) {
+- ibdev_err(ibdev, "failed to post WQE, dev state %d!\n",
+- hr_dev->state);
++ else if (unlikely(hr_dev->state >= HNS_ROCE_DEVICE_STATE_RST_DOWN))
+ return -EIO;
+- }
+
+ return 0;
+ }
+@@ -2845,8 +2838,8 @@ static int free_mr_modify_rsv_qp(struct hns_roce_dev *hr_dev,
+ ret = hr_dev->hw->modify_qp(&hr_qp->ibqp, attr, mask, IB_QPS_INIT,
+ IB_QPS_INIT);
+ if (ret) {
+- ibdev_err(ibdev, "failed to modify qp to init, ret = %d.\n",
+- ret);
++ ibdev_err_ratelimited(ibdev, "failed to modify qp to init, ret = %d.\n",
++ ret);
+ return ret;
+ }
+
+@@ -3492,8 +3485,8 @@ static int free_mr_post_send_lp_wqe(struct hns_roce_qp *hr_qp)
+
+ ret = hns_roce_v2_post_send(&hr_qp->ibqp, send_wr, &bad_wr);
+ if (ret) {
+- ibdev_err(ibdev, "failed to post wqe for free mr, ret = %d.\n",
+- ret);
++ ibdev_err_ratelimited(ibdev, "failed to post wqe for free mr, ret = %d.\n",
++ ret);
+ return ret;
+ }
+
+@@ -3532,9 +3525,9 @@ static void free_mr_send_cmd_to_hw(struct hns_roce_dev *hr_dev)
+
+ ret = free_mr_post_send_lp_wqe(hr_qp);
+ if (ret) {
+- ibdev_err(ibdev,
+- "failed to send wqe (qp:0x%lx) for free mr, ret = %d.\n",
+- hr_qp->qpn, ret);
++ ibdev_err_ratelimited(ibdev,
++ "failed to send wqe (qp:0x%lx) for free mr, ret = %d.\n",
++ hr_qp->qpn, ret);
+ break;
+ }
+
+@@ -3545,16 +3538,16 @@ static void free_mr_send_cmd_to_hw(struct hns_roce_dev *hr_dev)
+ while (cqe_cnt) {
+ npolled = hns_roce_v2_poll_cq(&free_mr->rsv_cq->ib_cq, cqe_cnt, wc);
+ if (npolled < 0) {
+- ibdev_err(ibdev,
+- "failed to poll cqe for free mr, remain %d cqe.\n",
+- cqe_cnt);
++ ibdev_err_ratelimited(ibdev,
++ "failed to poll cqe for free mr, remain %d cqe.\n",
++ cqe_cnt);
+ goto out;
+ }
+
+ if (time_after(jiffies, end)) {
+- ibdev_err(ibdev,
+- "failed to poll cqe for free mr and timeout, remain %d cqe.\n",
+- cqe_cnt);
++ ibdev_err_ratelimited(ibdev,
++ "failed to poll cqe for free mr and timeout, remain %d cqe.\n",
++ cqe_cnt);
+ goto out;
+ }
+ cqe_cnt -= npolled;
+@@ -5125,10 +5118,8 @@ static int hns_roce_v2_set_abs_fields(struct ib_qp *ibqp,
+ struct hns_roce_dev *hr_dev = to_hr_dev(ibqp->device);
+ int ret = 0;
+
+- if (!check_qp_state(cur_state, new_state)) {
+- ibdev_err(&hr_dev->ib_dev, "Illegal state for QP!\n");
++ if (!check_qp_state(cur_state, new_state))
+ return -EINVAL;
+- }
+
+ if (cur_state == IB_QPS_RESET && new_state == IB_QPS_INIT) {
+ memset(qpc_mask, 0, hr_dev->caps.qpc_sz);
+@@ -5390,7 +5381,7 @@ static int hns_roce_v2_modify_qp(struct ib_qp *ibqp,
+ /* SW pass context to HW */
+ ret = hns_roce_v2_qp_modify(hr_dev, context, qpc_mask, hr_qp);
+ if (ret) {
+- ibdev_err(ibdev, "failed to modify QP, ret = %d.\n", ret);
++ ibdev_err_ratelimited(ibdev, "failed to modify QP, ret = %d.\n", ret);
+ goto out;
+ }
+
+@@ -5480,7 +5471,9 @@ static int hns_roce_v2_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *qp_attr,
+
+ ret = hns_roce_v2_query_qpc(hr_dev, hr_qp->qpn, &context);
+ if (ret) {
+- ibdev_err(ibdev, "failed to query QPC, ret = %d.\n", ret);
++ ibdev_err_ratelimited(ibdev,
++ "failed to query QPC, ret = %d.\n",
++ ret);
+ ret = -EINVAL;
+ goto out;
+ }
+@@ -5488,7 +5481,7 @@ static int hns_roce_v2_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *qp_attr,
+ state = hr_reg_read(&context, QPC_QP_ST);
+ tmp_qp_state = to_ib_qp_st((enum hns_roce_v2_qp_state)state);
+ if (tmp_qp_state == -1) {
+- ibdev_err(ibdev, "Illegal ib_qp_state\n");
++ ibdev_err_ratelimited(ibdev, "Illegal ib_qp_state\n");
+ ret = -EINVAL;
+ goto out;
+ }
+@@ -5581,9 +5574,9 @@ static int hns_roce_v2_destroy_qp_common(struct hns_roce_dev *hr_dev,
+ ret = hns_roce_v2_modify_qp(&hr_qp->ibqp, NULL, 0,
+ hr_qp->state, IB_QPS_RESET);
+ if (ret)
+- ibdev_err(ibdev,
+- "failed to modify QP to RST, ret = %d.\n",
+- ret);
++ ibdev_err_ratelimited(ibdev,
++ "failed to modify QP to RST, ret = %d.\n",
++ ret);
+ }
+
+ send_cq = hr_qp->ibqp.send_cq ? to_hr_cq(hr_qp->ibqp.send_cq) : NULL;
+@@ -5619,9 +5612,9 @@ int hns_roce_v2_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata)
+
+ ret = hns_roce_v2_destroy_qp_common(hr_dev, hr_qp, udata);
+ if (ret)
+- ibdev_err(&hr_dev->ib_dev,
+- "failed to destroy QP, QPN = 0x%06lx, ret = %d.\n",
+- hr_qp->qpn, ret);
++ ibdev_err_ratelimited(&hr_dev->ib_dev,
++ "failed to destroy QP, QPN = 0x%06lx, ret = %d.\n",
++ hr_qp->qpn, ret);
+
+ hns_roce_qp_destroy(hr_dev, hr_qp, udata);
+
+@@ -5894,9 +5887,9 @@ static int hns_roce_v2_modify_cq(struct ib_cq *cq, u16 cq_count, u16 cq_period)
+ HNS_ROCE_CMD_MODIFY_CQC, hr_cq->cqn);
+ hns_roce_free_cmd_mailbox(hr_dev, mailbox);
+ if (ret)
+- ibdev_err(&hr_dev->ib_dev,
+- "failed to process cmd when modifying CQ, ret = %d.\n",
+- ret);
++ ibdev_err_ratelimited(&hr_dev->ib_dev,
++ "failed to process cmd when modifying CQ, ret = %d.\n",
++ ret);
+
+ return ret;
+ }
+@@ -5916,9 +5909,9 @@ static int hns_roce_v2_query_cqc(struct hns_roce_dev *hr_dev, u32 cqn,
+ ret = hns_roce_cmd_mbox(hr_dev, 0, mailbox->dma,
+ HNS_ROCE_CMD_QUERY_CQC, cqn);
+ if (ret) {
+- ibdev_err(&hr_dev->ib_dev,
+- "failed to process cmd when querying CQ, ret = %d.\n",
+- ret);
++ ibdev_err_ratelimited(&hr_dev->ib_dev,
++ "failed to process cmd when querying CQ, ret = %d.\n",
++ ret);
+ goto err_mailbox;
+ }
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_mr.c b/drivers/infiniband/hw/hns/hns_roce_mr.c
+index 980261969b0c0..b053f2f43dacd 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_mr.c
++++ b/drivers/infiniband/hw/hns/hns_roce_mr.c
+@@ -130,8 +130,8 @@ static void hns_roce_mr_free(struct hns_roce_dev *hr_dev, struct hns_roce_mr *mr
+ key_to_hw_index(mr->key) &
+ (hr_dev->caps.num_mtpts - 1));
+ if (ret)
+- ibdev_warn(ibdev, "failed to destroy mpt, ret = %d.\n",
+- ret);
++ ibdev_warn_ratelimited(ibdev, "failed to destroy mpt, ret = %d.\n",
++ ret);
+ }
+
+ free_mr_pbl(hr_dev, mr);
+diff --git a/drivers/infiniband/hw/hns/hns_roce_srq.c b/drivers/infiniband/hw/hns/hns_roce_srq.c
+index 727f926500712..652508b660a06 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_srq.c
++++ b/drivers/infiniband/hw/hns/hns_roce_srq.c
+@@ -150,8 +150,8 @@ static void free_srqc(struct hns_roce_dev *hr_dev, struct hns_roce_srq *srq)
+ ret = hns_roce_destroy_hw_ctx(hr_dev, HNS_ROCE_CMD_DESTROY_SRQ,
+ srq->srqn);
+ if (ret)
+- dev_err(hr_dev->dev, "DESTROY_SRQ failed (%d) for SRQN %06lx\n",
+- ret, srq->srqn);
++ dev_err_ratelimited(hr_dev->dev, "DESTROY_SRQ failed (%d) for SRQN %06lx\n",
++ ret, srq->srqn);
+
+ xa_erase_irq(&srq_table->xa, srq->srqn);
+
+--
+2.43.0
+
--- /dev/null
+From 7ef6ef293a0eb662e0a76fece4bb64d0182a9d4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Nov 2024 15:57:43 +0800
+Subject: RDMA/hns: Fix NULL pointer derefernce in hns_roce_map_mr_sg()
+
+From: Junxian Huang <huangjunxian6@hisilicon.com>
+
+[ Upstream commit 6b526d17eed850352d880b93b9bf20b93006bd92 ]
+
+ib_map_mr_sg() allows ULPs to specify NULL as the sg_offset argument.
+The driver needs to check whether it is a NULL pointer before
+dereferencing it.
+
+Fixes: d387d4b54eb8 ("RDMA/hns: Fix missing pagesize and alignment check in FRMR")
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20241108075743.2652258-3-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_mr.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_mr.c b/drivers/infiniband/hw/hns/hns_roce_mr.c
+index b053f2f43dacd..7f29a55d378f0 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_mr.c
++++ b/drivers/infiniband/hw/hns/hns_roce_mr.c
+@@ -415,15 +415,16 @@ static int hns_roce_set_page(struct ib_mr *ibmr, u64 addr)
+ }
+
+ int hns_roce_map_mr_sg(struct ib_mr *ibmr, struct scatterlist *sg, int sg_nents,
+- unsigned int *sg_offset)
++ unsigned int *sg_offset_p)
+ {
++ unsigned int sg_offset = sg_offset_p ? *sg_offset_p : 0;
+ struct hns_roce_dev *hr_dev = to_hr_dev(ibmr->device);
+ struct ib_device *ibdev = &hr_dev->ib_dev;
+ struct hns_roce_mr *mr = to_hr_mr(ibmr);
+ struct hns_roce_mtr *mtr = &mr->pbl_mtr;
+ int ret, sg_num = 0;
+
+- if (!IS_ALIGNED(*sg_offset, HNS_ROCE_FRMR_ALIGN_SIZE) ||
++ if (!IS_ALIGNED(sg_offset, HNS_ROCE_FRMR_ALIGN_SIZE) ||
+ ibmr->page_size < HNS_HW_PAGE_SIZE ||
+ ibmr->page_size > HNS_HW_MAX_PAGE_SIZE)
+ return sg_num;
+@@ -434,7 +435,7 @@ int hns_roce_map_mr_sg(struct ib_mr *ibmr, struct scatterlist *sg, int sg_nents,
+ if (!mr->page_list)
+ return sg_num;
+
+- sg_num = ib_sg_to_pages(ibmr, sg, sg_nents, sg_offset, hns_roce_set_page);
++ sg_num = ib_sg_to_pages(ibmr, sg, sg_nents, sg_offset_p, hns_roce_set_page);
+ if (sg_num < 1) {
+ ibdev_err(ibdev, "failed to store sg pages %u %u, cnt = %d.\n",
+ mr->npages, mr->pbl_mtr.hem_cfg.buf_pg_count, sg_num);
+--
+2.43.0
+
--- /dev/null
+From 5386b51bec6659f03bfb3819fc3a774f266f2942 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Nov 2024 15:57:42 +0800
+Subject: RDMA/hns: Fix out-of-order issue of requester when setting FENCE
+
+From: Junxian Huang <huangjunxian6@hisilicon.com>
+
+[ Upstream commit 5dbcb1c1900f45182b5651c89257c272f1f3ead7 ]
+
+The FENCE indicator in hns WQE doesn't ensure that response data from
+a previous Read/Atomic operation has been written to the requester's
+memory before the subsequent Send/Write operation is processed. This
+may result in the subsequent Send/Write operation accessing the original
+data in memory instead of the expected response data.
+
+Unlike FENCE, the SO (Strong Order) indicator blocks the subsequent
+operation until the previous response data is written to memory and a
+bresp is returned. Set the SO indicator instead of FENCE to maintain
+strict order.
+
+Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver")
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20241108075743.2652258-2-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 2 +-
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index d0846d2c97ccf..54df6c6e4cacb 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -578,7 +578,7 @@ static inline int set_rc_wqe(struct hns_roce_qp *qp,
+ if (WARN_ON(ret))
+ return ret;
+
+- hr_reg_write(rc_sq_wqe, RC_SEND_WQE_FENCE,
++ hr_reg_write(rc_sq_wqe, RC_SEND_WQE_SO,
+ (wr->send_flags & IB_SEND_FENCE) ? 1 : 0);
+
+ hr_reg_write(rc_sq_wqe, RC_SEND_WQE_SE,
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+index e24ddbcafe0fc..a9eff72f10c62 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+@@ -926,6 +926,7 @@ struct hns_roce_v2_rc_send_wqe {
+ #define RC_SEND_WQE_OWNER RC_SEND_WQE_FIELD_LOC(7, 7)
+ #define RC_SEND_WQE_CQE RC_SEND_WQE_FIELD_LOC(8, 8)
+ #define RC_SEND_WQE_FENCE RC_SEND_WQE_FIELD_LOC(9, 9)
++#define RC_SEND_WQE_SO RC_SEND_WQE_FIELD_LOC(10, 10)
+ #define RC_SEND_WQE_SE RC_SEND_WQE_FIELD_LOC(11, 11)
+ #define RC_SEND_WQE_INLINE RC_SEND_WQE_FIELD_LOC(12, 12)
+ #define RC_SEND_WQE_WQE_INDEX RC_SEND_WQE_FIELD_LOC(30, 15)
+--
+2.43.0
+
--- /dev/null
+From 2034a3202243cae7e929139120e23e8a327a2b4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 May 2023 20:16:39 +0800
+Subject: RDMA/hns: Remove unnecessary QP type checks
+
+From: Junxian Huang <huangjunxian6@hisilicon.com>
+
+[ Upstream commit b9989ab3f61ec459cbaf0a492fea3168bbfa4c7a ]
+
+It is not necessary to check the type of the queue on IO path because
+unsupported QP type cannot be created.
+
+Link: https://lore.kernel.org/r/20230523121641.3132102-2-huangjunxian6@hisilicon.com
+Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Stable-dep-of: 323275ac2ff1 ("RDMA/hns: Fix cpu stuck caused by printings during reset")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 24 +++-------------------
+ 1 file changed, 3 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 8b371d6ecbac9..b190e0cd86b45 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -373,17 +373,10 @@ static int check_send_valid(struct hns_roce_dev *hr_dev,
+ struct hns_roce_qp *hr_qp)
+ {
+ struct ib_device *ibdev = &hr_dev->ib_dev;
+- struct ib_qp *ibqp = &hr_qp->ibqp;
+
+- if (unlikely(ibqp->qp_type != IB_QPT_RC &&
+- ibqp->qp_type != IB_QPT_GSI &&
+- ibqp->qp_type != IB_QPT_UD)) {
+- ibdev_err(ibdev, "not supported QP(0x%x)type!\n",
+- ibqp->qp_type);
+- return -EOPNOTSUPP;
+- } else if (unlikely(hr_qp->state == IB_QPS_RESET ||
+- hr_qp->state == IB_QPS_INIT ||
+- hr_qp->state == IB_QPS_RTR)) {
++ if (unlikely(hr_qp->state == IB_QPS_RESET ||
++ hr_qp->state == IB_QPS_INIT ||
++ hr_qp->state == IB_QPS_RTR)) {
+ ibdev_err(ibdev, "failed to post WQE, QP state %u!\n",
+ hr_qp->state);
+ return -EINVAL;
+@@ -777,17 +770,6 @@ static int hns_roce_v2_post_send(struct ib_qp *ibqp,
+ static int check_recv_valid(struct hns_roce_dev *hr_dev,
+ struct hns_roce_qp *hr_qp)
+ {
+- struct ib_device *ibdev = &hr_dev->ib_dev;
+- struct ib_qp *ibqp = &hr_qp->ibqp;
+-
+- if (unlikely(ibqp->qp_type != IB_QPT_RC &&
+- ibqp->qp_type != IB_QPT_GSI &&
+- ibqp->qp_type != IB_QPT_UD)) {
+- ibdev_err(ibdev, "unsupported qp type, qp_type = %d.\n",
+- ibqp->qp_type);
+- return -EOPNOTSUPP;
+- }
+-
+ if (unlikely(hr_dev->state >= HNS_ROCE_DEVICE_STATE_RST_DOWN))
+ return -EIO;
+
+--
+2.43.0
+
--- /dev/null
+From 87de57c68fd612df12bce1276df12a23f35d59ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2024 20:39:59 +0800
+Subject: RDMA/hns: Use dev_* printings in hem code instead of ibdev_*
+
+From: Junxian Huang <huangjunxian6@hisilicon.com>
+
+[ Upstream commit d81fb6511abf18591befaa5f4a972ffc838690ec ]
+
+The hem code is executed before ib_dev is registered, so use dev_*
+printing instead of ibdev_* to avoid log like this:
+
+(null): set HEM address to HW failed!
+
+Fixes: 2f49de21f3e9 ("RDMA/hns: Optimize mhop get flow for multi-hop addressing")
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20241024124000.2931869-5-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hem.c | 44 ++++++++++++------------
+ 1 file changed, 22 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c
+index d0f338ff78df5..d1b00bb389d9f 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hem.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hem.c
+@@ -337,7 +337,7 @@ static int calc_hem_config(struct hns_roce_dev *hr_dev,
+ struct hns_roce_hem_mhop *mhop,
+ struct hns_roce_hem_index *index)
+ {
+- struct ib_device *ibdev = &hr_dev->ib_dev;
++ struct device *dev = hr_dev->dev;
+ unsigned long mhop_obj = obj;
+ u32 l0_idx, l1_idx, l2_idx;
+ u32 chunk_ba_num;
+@@ -368,14 +368,14 @@ static int calc_hem_config(struct hns_roce_dev *hr_dev,
+ index->buf = l0_idx;
+ break;
+ default:
+- ibdev_err(ibdev, "table %u not support mhop.hop_num = %u!\n",
+- table->type, mhop->hop_num);
++ dev_err(dev, "table %u not support mhop.hop_num = %u!\n",
++ table->type, mhop->hop_num);
+ return -EINVAL;
+ }
+
+ if (unlikely(index->buf >= table->num_hem)) {
+- ibdev_err(ibdev, "table %u exceed hem limt idx %llu, max %lu!\n",
+- table->type, index->buf, table->num_hem);
++ dev_err(dev, "table %u exceed hem limt idx %llu, max %lu!\n",
++ table->type, index->buf, table->num_hem);
+ return -EINVAL;
+ }
+
+@@ -487,14 +487,14 @@ static int set_mhop_hem(struct hns_roce_dev *hr_dev,
+ struct hns_roce_hem_mhop *mhop,
+ struct hns_roce_hem_index *index)
+ {
+- struct ib_device *ibdev = &hr_dev->ib_dev;
++ struct device *dev = hr_dev->dev;
+ u32 step_idx;
+ int ret = 0;
+
+ if (index->inited & HEM_INDEX_L0) {
+ ret = hr_dev->hw->set_hem(hr_dev, table, obj, 0);
+ if (ret) {
+- ibdev_err(ibdev, "set HEM step 0 failed!\n");
++ dev_err(dev, "set HEM step 0 failed!\n");
+ goto out;
+ }
+ }
+@@ -502,7 +502,7 @@ static int set_mhop_hem(struct hns_roce_dev *hr_dev,
+ if (index->inited & HEM_INDEX_L1) {
+ ret = hr_dev->hw->set_hem(hr_dev, table, obj, 1);
+ if (ret) {
+- ibdev_err(ibdev, "set HEM step 1 failed!\n");
++ dev_err(dev, "set HEM step 1 failed!\n");
+ goto out;
+ }
+ }
+@@ -514,7 +514,7 @@ static int set_mhop_hem(struct hns_roce_dev *hr_dev,
+ step_idx = mhop->hop_num;
+ ret = hr_dev->hw->set_hem(hr_dev, table, obj, step_idx);
+ if (ret)
+- ibdev_err(ibdev, "set HEM step last failed!\n");
++ dev_err(dev, "set HEM step last failed!\n");
+ }
+ out:
+ return ret;
+@@ -524,14 +524,14 @@ static int hns_roce_table_mhop_get(struct hns_roce_dev *hr_dev,
+ struct hns_roce_hem_table *table,
+ unsigned long obj)
+ {
+- struct ib_device *ibdev = &hr_dev->ib_dev;
+ struct hns_roce_hem_index index = {};
+ struct hns_roce_hem_mhop mhop = {};
++ struct device *dev = hr_dev->dev;
+ int ret;
+
+ ret = calc_hem_config(hr_dev, table, obj, &mhop, &index);
+ if (ret) {
+- ibdev_err(ibdev, "calc hem config failed!\n");
++ dev_err(dev, "calc hem config failed!\n");
+ return ret;
+ }
+
+@@ -543,7 +543,7 @@ static int hns_roce_table_mhop_get(struct hns_roce_dev *hr_dev,
+
+ ret = alloc_mhop_hem(hr_dev, table, &mhop, &index);
+ if (ret) {
+- ibdev_err(ibdev, "alloc mhop hem failed!\n");
++ dev_err(dev, "alloc mhop hem failed!\n");
+ goto out;
+ }
+
+@@ -551,7 +551,7 @@ static int hns_roce_table_mhop_get(struct hns_roce_dev *hr_dev,
+ if (table->type < HEM_TYPE_MTT) {
+ ret = set_mhop_hem(hr_dev, table, obj, &mhop, &index);
+ if (ret) {
+- ibdev_err(ibdev, "set HEM address to HW failed!\n");
++ dev_err(dev, "set HEM address to HW failed!\n");
+ goto err_alloc;
+ }
+ }
+@@ -615,7 +615,7 @@ static void clear_mhop_hem(struct hns_roce_dev *hr_dev,
+ struct hns_roce_hem_mhop *mhop,
+ struct hns_roce_hem_index *index)
+ {
+- struct ib_device *ibdev = &hr_dev->ib_dev;
++ struct device *dev = hr_dev->dev;
+ u32 hop_num = mhop->hop_num;
+ u32 chunk_ba_num;
+ u32 step_idx;
+@@ -645,21 +645,21 @@ static void clear_mhop_hem(struct hns_roce_dev *hr_dev,
+
+ ret = hr_dev->hw->clear_hem(hr_dev, table, obj, step_idx);
+ if (ret)
+- ibdev_warn(ibdev, "failed to clear hop%u HEM, ret = %d.\n",
+- hop_num, ret);
++ dev_warn(dev, "failed to clear hop%u HEM, ret = %d.\n",
++ hop_num, ret);
+
+ if (index->inited & HEM_INDEX_L1) {
+ ret = hr_dev->hw->clear_hem(hr_dev, table, obj, 1);
+ if (ret)
+- ibdev_warn(ibdev, "failed to clear HEM step 1, ret = %d.\n",
+- ret);
++ dev_warn(dev, "failed to clear HEM step 1, ret = %d.\n",
++ ret);
+ }
+
+ if (index->inited & HEM_INDEX_L0) {
+ ret = hr_dev->hw->clear_hem(hr_dev, table, obj, 0);
+ if (ret)
+- ibdev_warn(ibdev, "failed to clear HEM step 0, ret = %d.\n",
+- ret);
++ dev_warn(dev, "failed to clear HEM step 0, ret = %d.\n",
++ ret);
+ }
+ }
+ }
+@@ -669,14 +669,14 @@ static void hns_roce_table_mhop_put(struct hns_roce_dev *hr_dev,
+ unsigned long obj,
+ int check_refcount)
+ {
+- struct ib_device *ibdev = &hr_dev->ib_dev;
+ struct hns_roce_hem_index index = {};
+ struct hns_roce_hem_mhop mhop = {};
++ struct device *dev = hr_dev->dev;
+ int ret;
+
+ ret = calc_hem_config(hr_dev, table, obj, &mhop, &index);
+ if (ret) {
+- ibdev_err(ibdev, "calc hem config failed!\n");
++ dev_err(dev, "calc hem config failed!\n");
+ return;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From cfa206aeefd2c2f878d0c61717050910f93caadf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Nov 2024 18:55:53 +0200
+Subject: regmap: irq: Set lockdep class for hierarchical IRQ domains
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 953e549471cabc9d4980f1da2e9fa79f4c23da06 ]
+
+Lockdep gives a false positive splat as it can't distinguish the lock
+which is taken by different IRQ descriptors from different IRQ chips
+that are organized in a way of a hierarchy:
+
+ ======================================================
+ WARNING: possible circular locking dependency detected
+ 6.12.0-rc5-next-20241101-00148-g9fabf8160b53 #562 Tainted: G W
+ ------------------------------------------------------
+ modprobe/141 is trying to acquire lock:
+ ffff899446947868 (intel_soc_pmic_bxtwc:502:(&bxtwc_regmap_config)->lock){+.+.}-{4:4}, at: regmap_update_bits_base+0x33/0x90
+
+ but task is already holding lock:
+ ffff899446947c68 (&d->lock){+.+.}-{4:4}, at: __setup_irq+0x682/0x790
+
+ which lock already depends on the new lock.
+
+ -> #3 (&d->lock){+.+.}-{4:4}:
+ -> #2 (&desc->request_mutex){+.+.}-{4:4}:
+ -> #1 (ipclock){+.+.}-{4:4}:
+ -> #0 (intel_soc_pmic_bxtwc:502:(&bxtwc_regmap_config)->lock){+.+.}-{4:4}:
+
+ Chain exists of:
+ intel_soc_pmic_bxtwc:502:(&bxtwc_regmap_config)->lock --> &desc->request_mutex --> &d->lock
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&d->lock);
+ lock(&desc->request_mutex);
+ lock(&d->lock);
+ lock(intel_soc_pmic_bxtwc:502:(&bxtwc_regmap_config)->lock);
+
+ *** DEADLOCK ***
+
+ 3 locks held by modprobe/141:
+ #0: ffff8994419368f8 (&dev->mutex){....}-{4:4}, at: __driver_attach+0xf6/0x250
+ #1: ffff89944690b250 (&desc->request_mutex){+.+.}-{4:4}, at: __setup_irq+0x1a2/0x790
+ #2: ffff899446947c68 (&d->lock){+.+.}-{4:4}, at: __setup_irq+0x682/0x790
+
+Set a lockdep class when we map the IRQ so that it doesn't warn about
+a lockdep bug that doesn't exist.
+
+Fixes: 4af8be67fd99 ("regmap: Convert regmap_irq to use irq_domain")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://patch.msgid.link/20241101165553.4055617-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/regmap/regmap-irq.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/base/regmap/regmap-irq.c b/drivers/base/regmap/regmap-irq.c
+index 18fc1c4360817..db19e9c76e4f1 100644
+--- a/drivers/base/regmap/regmap-irq.c
++++ b/drivers/base/regmap/regmap-irq.c
+@@ -591,12 +591,16 @@ static irqreturn_t regmap_irq_thread(int irq, void *d)
+ return IRQ_NONE;
+ }
+
++static struct lock_class_key regmap_irq_lock_class;
++static struct lock_class_key regmap_irq_request_class;
++
+ static int regmap_irq_map(struct irq_domain *h, unsigned int virq,
+ irq_hw_number_t hw)
+ {
+ struct regmap_irq_chip_data *data = h->host_data;
+
+ irq_set_chip_data(virq, data);
++ irq_set_lockdep_class(virq, ®map_irq_lock_class, ®map_irq_request_class);
+ irq_set_chip(virq, &data->irq_chip);
+ irq_set_nested_thread(virq, 1);
+ irq_set_parent(virq, data->irq);
+--
+2.43.0
+
--- /dev/null
+From 8d442d3a82600da93b5f34a1b7350de931ecc2eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Oct 2024 01:09:44 +0300
+Subject: remoteproc: qcom: pas: add minidump_id to SM8350 resources
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit e8983156d54f59f57e648ecd44f01c16572da842 ]
+
+Specify minidump_id for the SM8350 DSPs. It was omitted for in the
+original commit e8b4e9a21af7 ("remoteproc: qcom: pas: Add SM8350 PAS
+remoteprocs").
+
+Fixes: e8b4e9a21af7 ("remoteproc: qcom: pas: Add SM8350 PAS remoteprocs")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20241027-sar2130p-adsp-v1-2-bd204e39d24e@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/qcom_q6v5_pas.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/remoteproc/qcom_q6v5_pas.c b/drivers/remoteproc/qcom_q6v5_pas.c
+index 533cee25b18e5..631c90afb5bc5 100644
+--- a/drivers/remoteproc/qcom_q6v5_pas.c
++++ b/drivers/remoteproc/qcom_q6v5_pas.c
+@@ -632,6 +632,7 @@ static const struct adsp_data sm8250_adsp_resource = {
+ .crash_reason_smem = 423,
+ .firmware_name = "adsp.mdt",
+ .pas_id = 1,
++ .minidump_id = 5,
+ .auto_boot = true,
+ .proxy_pd_names = (char*[]){
+ "lcx",
+@@ -773,6 +774,7 @@ static const struct adsp_data sm8350_cdsp_resource = {
+ .crash_reason_smem = 601,
+ .firmware_name = "cdsp.mdt",
+ .pas_id = 18,
++ .minidump_id = 7,
+ .auto_boot = true,
+ .proxy_pd_names = (char*[]){
+ "cx",
+--
+2.43.0
+
--- /dev/null
+From 640b2891aaed7711178c69464bb91a8bf4a25483 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Jul 2022 15:15:14 +0300
+Subject: remoteproc: qcom: q6v5: Use _clk_get_optional for aggre2_clk
+
+From: Abel Vesa <abel.vesa@linaro.org>
+
+[ Upstream commit 6d967a5a49e8d08d8e4430aadba8d3c903b794a5 ]
+
+Only msm8996 and msm8998 SLPIs need the RPM_SMD_AGGR2_NOC_CLK
+(as aggre2 clock). None of the other platforms do. Back when the support
+for the mentioned platforms was added to the q6v5 pass driver, the
+devm_clk_get_optional was not available, so the has_aggre2_clk was
+necessary in order to differentiate between plaforms that need this
+clock and those which do not. Now that devm_clk_get_optional is available,
+we can drop the has_aggre2_clk. This makes the adsp_data more cleaner
+and removes the check within adsp_init_clocks.
+
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220718121514.2451590-1-abel.vesa@linaro.org
+Stable-dep-of: e8983156d54f ("remoteproc: qcom: pas: add minidump_id to SM8350 resources")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/qcom_q6v5_pas.c | 42 +++++-------------------------
+ 1 file changed, 7 insertions(+), 35 deletions(-)
+
+diff --git a/drivers/remoteproc/qcom_q6v5_pas.c b/drivers/remoteproc/qcom_q6v5_pas.c
+index dc6f07ca83410..533cee25b18e5 100644
+--- a/drivers/remoteproc/qcom_q6v5_pas.c
++++ b/drivers/remoteproc/qcom_q6v5_pas.c
+@@ -37,7 +37,6 @@ struct adsp_data {
+ const char *firmware_name;
+ int pas_id;
+ unsigned int minidump_id;
+- bool has_aggre2_clk;
+ bool auto_boot;
+ bool decrypt_shutdown;
+
+@@ -68,7 +67,6 @@ struct qcom_adsp {
+ int pas_id;
+ unsigned int minidump_id;
+ int crash_reason_smem;
+- bool has_aggre2_clk;
+ bool decrypt_shutdown;
+ const char *info_name;
+
+@@ -345,15 +343,13 @@ static int adsp_init_clock(struct qcom_adsp *adsp)
+ return ret;
+ }
+
+- if (adsp->has_aggre2_clk) {
+- adsp->aggre2_clk = devm_clk_get(adsp->dev, "aggre2");
+- if (IS_ERR(adsp->aggre2_clk)) {
+- ret = PTR_ERR(adsp->aggre2_clk);
+- if (ret != -EPROBE_DEFER)
+- dev_err(adsp->dev,
+- "failed to get aggre2 clock");
+- return ret;
+- }
++ adsp->aggre2_clk = devm_clk_get_optional(adsp->dev, "aggre2");
++ if (IS_ERR(adsp->aggre2_clk)) {
++ ret = PTR_ERR(adsp->aggre2_clk);
++ if (ret != -EPROBE_DEFER)
++ dev_err(adsp->dev,
++ "failed to get aggre2 clock");
++ return ret;
+ }
+
+ return 0;
+@@ -505,7 +501,6 @@ static int adsp_probe(struct platform_device *pdev)
+ adsp->rproc = rproc;
+ adsp->minidump_id = desc->minidump_id;
+ adsp->pas_id = desc->pas_id;
+- adsp->has_aggre2_clk = desc->has_aggre2_clk;
+ adsp->info_name = desc->sysmon_name;
+ adsp->decrypt_shutdown = desc->decrypt_shutdown;
+ platform_set_drvdata(pdev, adsp);
+@@ -585,7 +580,6 @@ static const struct adsp_data adsp_resource_init = {
+ .crash_reason_smem = 423,
+ .firmware_name = "adsp.mdt",
+ .pas_id = 1,
+- .has_aggre2_clk = false,
+ .auto_boot = true,
+ .ssr_name = "lpass",
+ .sysmon_name = "adsp",
+@@ -596,7 +590,6 @@ static const struct adsp_data sdm845_adsp_resource_init = {
+ .crash_reason_smem = 423,
+ .firmware_name = "adsp.mdt",
+ .pas_id = 1,
+- .has_aggre2_clk = false,
+ .auto_boot = true,
+ .load_state = "adsp",
+ .ssr_name = "lpass",
+@@ -608,7 +601,6 @@ static const struct adsp_data sm6350_adsp_resource = {
+ .crash_reason_smem = 423,
+ .firmware_name = "adsp.mdt",
+ .pas_id = 1,
+- .has_aggre2_clk = false,
+ .auto_boot = true,
+ .proxy_pd_names = (char*[]){
+ "lcx",
+@@ -625,7 +617,6 @@ static const struct adsp_data sm8150_adsp_resource = {
+ .crash_reason_smem = 423,
+ .firmware_name = "adsp.mdt",
+ .pas_id = 1,
+- .has_aggre2_clk = false,
+ .auto_boot = true,
+ .proxy_pd_names = (char*[]){
+ "cx",
+@@ -641,7 +632,6 @@ static const struct adsp_data sm8250_adsp_resource = {
+ .crash_reason_smem = 423,
+ .firmware_name = "adsp.mdt",
+ .pas_id = 1,
+- .has_aggre2_clk = false,
+ .auto_boot = true,
+ .proxy_pd_names = (char*[]){
+ "lcx",
+@@ -658,7 +648,6 @@ static const struct adsp_data sm8350_adsp_resource = {
+ .crash_reason_smem = 423,
+ .firmware_name = "adsp.mdt",
+ .pas_id = 1,
+- .has_aggre2_clk = false,
+ .auto_boot = true,
+ .proxy_pd_names = (char*[]){
+ "lcx",
+@@ -675,7 +664,6 @@ static const struct adsp_data msm8996_adsp_resource = {
+ .crash_reason_smem = 423,
+ .firmware_name = "adsp.mdt",
+ .pas_id = 1,
+- .has_aggre2_clk = false,
+ .auto_boot = true,
+ .proxy_pd_names = (char*[]){
+ "cx",
+@@ -690,7 +678,6 @@ static const struct adsp_data cdsp_resource_init = {
+ .crash_reason_smem = 601,
+ .firmware_name = "cdsp.mdt",
+ .pas_id = 18,
+- .has_aggre2_clk = false,
+ .auto_boot = true,
+ .ssr_name = "cdsp",
+ .sysmon_name = "cdsp",
+@@ -701,7 +688,6 @@ static const struct adsp_data sdm845_cdsp_resource_init = {
+ .crash_reason_smem = 601,
+ .firmware_name = "cdsp.mdt",
+ .pas_id = 18,
+- .has_aggre2_clk = false,
+ .auto_boot = true,
+ .load_state = "cdsp",
+ .ssr_name = "cdsp",
+@@ -713,7 +699,6 @@ static const struct adsp_data sm6350_cdsp_resource = {
+ .crash_reason_smem = 601,
+ .firmware_name = "cdsp.mdt",
+ .pas_id = 18,
+- .has_aggre2_clk = false,
+ .auto_boot = true,
+ .proxy_pd_names = (char*[]){
+ "cx",
+@@ -730,7 +715,6 @@ static const struct adsp_data sm8150_cdsp_resource = {
+ .crash_reason_smem = 601,
+ .firmware_name = "cdsp.mdt",
+ .pas_id = 18,
+- .has_aggre2_clk = false,
+ .auto_boot = true,
+ .proxy_pd_names = (char*[]){
+ "cx",
+@@ -746,7 +730,6 @@ static const struct adsp_data sm8250_cdsp_resource = {
+ .crash_reason_smem = 601,
+ .firmware_name = "cdsp.mdt",
+ .pas_id = 18,
+- .has_aggre2_clk = false,
+ .auto_boot = true,
+ .proxy_pd_names = (char*[]){
+ "cx",
+@@ -762,7 +745,6 @@ static const struct adsp_data sc8280xp_nsp0_resource = {
+ .crash_reason_smem = 601,
+ .firmware_name = "cdsp.mdt",
+ .pas_id = 18,
+- .has_aggre2_clk = false,
+ .auto_boot = true,
+ .proxy_pd_names = (char*[]){
+ "nsp",
+@@ -777,7 +759,6 @@ static const struct adsp_data sc8280xp_nsp1_resource = {
+ .crash_reason_smem = 633,
+ .firmware_name = "cdsp.mdt",
+ .pas_id = 30,
+- .has_aggre2_clk = false,
+ .auto_boot = true,
+ .proxy_pd_names = (char*[]){
+ "nsp",
+@@ -792,7 +773,6 @@ static const struct adsp_data sm8350_cdsp_resource = {
+ .crash_reason_smem = 601,
+ .firmware_name = "cdsp.mdt",
+ .pas_id = 18,
+- .has_aggre2_clk = false,
+ .auto_boot = true,
+ .proxy_pd_names = (char*[]){
+ "cx",
+@@ -810,7 +790,6 @@ static const struct adsp_data mpss_resource_init = {
+ .firmware_name = "modem.mdt",
+ .pas_id = 4,
+ .minidump_id = 3,
+- .has_aggre2_clk = false,
+ .auto_boot = false,
+ .proxy_pd_names = (char*[]){
+ "cx",
+@@ -827,7 +806,6 @@ static const struct adsp_data sc8180x_mpss_resource = {
+ .crash_reason_smem = 421,
+ .firmware_name = "modem.mdt",
+ .pas_id = 4,
+- .has_aggre2_clk = false,
+ .auto_boot = false,
+ .proxy_pd_names = (char*[]){
+ "cx",
+@@ -843,7 +821,6 @@ static const struct adsp_data slpi_resource_init = {
+ .crash_reason_smem = 424,
+ .firmware_name = "slpi.mdt",
+ .pas_id = 12,
+- .has_aggre2_clk = true,
+ .auto_boot = true,
+ .proxy_pd_names = (char*[]){
+ "ssc_cx",
+@@ -858,7 +835,6 @@ static const struct adsp_data sm8150_slpi_resource = {
+ .crash_reason_smem = 424,
+ .firmware_name = "slpi.mdt",
+ .pas_id = 12,
+- .has_aggre2_clk = false,
+ .auto_boot = true,
+ .proxy_pd_names = (char*[]){
+ "lcx",
+@@ -875,7 +851,6 @@ static const struct adsp_data sm8250_slpi_resource = {
+ .crash_reason_smem = 424,
+ .firmware_name = "slpi.mdt",
+ .pas_id = 12,
+- .has_aggre2_clk = false,
+ .auto_boot = true,
+ .proxy_pd_names = (char*[]){
+ "lcx",
+@@ -892,7 +867,6 @@ static const struct adsp_data sm8350_slpi_resource = {
+ .crash_reason_smem = 424,
+ .firmware_name = "slpi.mdt",
+ .pas_id = 12,
+- .has_aggre2_clk = false,
+ .auto_boot = true,
+ .proxy_pd_names = (char*[]){
+ "lcx",
+@@ -919,7 +893,6 @@ static const struct adsp_data sdx55_mpss_resource = {
+ .crash_reason_smem = 421,
+ .firmware_name = "modem.mdt",
+ .pas_id = 4,
+- .has_aggre2_clk = false,
+ .auto_boot = true,
+ .proxy_pd_names = (char*[]){
+ "cx",
+@@ -936,7 +909,6 @@ static const struct adsp_data sm8450_mpss_resource = {
+ .firmware_name = "modem.mdt",
+ .pas_id = 4,
+ .minidump_id = 3,
+- .has_aggre2_clk = false,
+ .auto_boot = false,
+ .decrypt_shutdown = true,
+ .proxy_pd_names = (char*[]){
+--
+2.43.0
+
--- /dev/null
+From 8e5d59b2ddb87a984c19def47f865b27ae2c6043 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Aug 2024 13:00:20 +0530
+Subject: remoteproc: qcom_q6v5_mss: Re-order writes to the IMEM region
+
+From: Sibi Sankar <quic_sibis@quicinc.com>
+
+[ Upstream commit 7b22b7719fc17d5979a991c918c868ab041be5c8 ]
+
+Any write access to the IMEM region when the Q6 is setting up XPU
+protection on it will result in a XPU violation. Fix this by ensuring
+IMEM writes related to the MBA post-mortem logs happen before the Q6
+is brought out of reset.
+
+Fixes: 318130cc9362 ("remoteproc: qcom_q6v5_mss: Add MBA log extraction support")
+Signed-off-by: Sibi Sankar <quic_sibis@quicinc.com>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Tested-by: Douglas Anderson <dianders@chromium.org>
+Link: https://lore.kernel.org/r/20240819073020.3291287-1-quic_sibis@quicinc.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/qcom_q6v5_mss.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/remoteproc/qcom_q6v5_mss.c b/drivers/remoteproc/qcom_q6v5_mss.c
+index 7dbab5fcbe1e7..e4ef8e6ed8aaa 100644
+--- a/drivers/remoteproc/qcom_q6v5_mss.c
++++ b/drivers/remoteproc/qcom_q6v5_mss.c
+@@ -1118,6 +1118,9 @@ static int q6v5_mba_load(struct q6v5 *qproc)
+ goto disable_active_clks;
+ }
+
++ if (qproc->has_mba_logs)
++ qcom_pil_info_store("mba", qproc->mba_phys, MBA_LOG_SIZE);
++
+ writel(qproc->mba_phys, qproc->rmb_base + RMB_MBA_IMAGE_REG);
+ if (qproc->dp_size) {
+ writel(qproc->mba_phys + SZ_1M, qproc->rmb_base + RMB_PMI_CODE_START_REG);
+@@ -1128,9 +1131,6 @@ static int q6v5_mba_load(struct q6v5 *qproc)
+ if (ret)
+ goto reclaim_mba;
+
+- if (qproc->has_mba_logs)
+- qcom_pil_info_store("mba", qproc->mba_phys, MBA_LOG_SIZE);
+-
+ ret = q6v5_rmb_mba_wait(qproc, 0, 5000);
+ if (ret == -ETIMEDOUT) {
+ dev_err(qproc->dev, "MBA boot timed out\n");
+--
+2.43.0
+
--- /dev/null
+From 5615bf4e5d5c26146356369b034de09c762a8d19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Oct 2024 08:15:19 +0000
+Subject: Revert "cgroup: Fix memory leak caused by missing cgroup_bpf_offline"
+
+From: Chen Ridong <chenridong@huawei.com>
+
+[ Upstream commit feb301c60970bd2a1310a53ce2d6e4375397a51b ]
+
+This reverts commit 04f8ef5643bcd8bcde25dfdebef998aea480b2ba.
+
+Only cgroup v2 can be attached by cgroup by BPF programs. Revert this
+commit and cgroup_bpf_inherit and cgroup_bpf_offline won't be called in
+cgroup v1. The memory leak issue will be fixed with next patch.
+
+Fixes: 04f8ef5643bc ("cgroup: Fix memory leak caused by missing cgroup_bpf_offline")
+Link: https://lore.kernel.org/cgroups/aka2hk5jsel5zomucpwlxsej6iwnfw4qu5jkrmjhyfhesjlfdw@46zxhg5bdnr7/
+Signed-off-by: Chen Ridong <chenridong@huawei.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cgroup/cgroup.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
+index 2ca4aeb21a440..11aa400979971 100644
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -2293,10 +2293,8 @@ static void cgroup_kill_sb(struct super_block *sb)
+ * And don't kill the default root.
+ */
+ if (list_empty(&root->cgrp.self.children) && root != &cgrp_dfl_root &&
+- !percpu_ref_is_dying(&root->cgrp.self.refcnt)) {
+- cgroup_bpf_offline(&root->cgrp);
++ !percpu_ref_is_dying(&root->cgrp.self.refcnt))
+ percpu_ref_kill(&root->cgrp.self.refcnt);
+- }
+ cgroup_put(&root->cgrp);
+ kernfs_kill_sb(sb);
+ }
+--
+2.43.0
+
--- /dev/null
+From 9d496b635038273765e5072de568edecbca603b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Feb 2023 14:59:33 -0800
+Subject: rpmsg: glink: Fix GLINK command prefix
+
+From: Bjorn Andersson <quic_bjorande@quicinc.com>
+
+[ Upstream commit 4e816d0318fdfe8932da80dbf04ba318b13e4b3a ]
+
+The upstream GLINK driver was first introduced to communicate with the
+RPM on MSM8996, presumably as an artifact from that era the command
+defines was prefixed RPM_CMD, while they actually are GLINK_CMDs.
+
+Let's rename these, to keep things tidy. No functional change.
+
+Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com>
+Reviewed-by: Chris Lew <quic_clew@quicinc.com>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20230214225933.2025595-1-quic_bjorande@quicinc.com
+Stable-dep-of: 06c59d97f63c ("rpmsg: glink: use only lower 16-bits of param2 for CMD_OPEN name length")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rpmsg/qcom_glink_native.c | 98 +++++++++++++++----------------
+ 1 file changed, 49 insertions(+), 49 deletions(-)
+
+diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
+index cb8f65c1d4e3b..2c388426e4019 100644
+--- a/drivers/rpmsg/qcom_glink_native.c
++++ b/drivers/rpmsg/qcom_glink_native.c
+@@ -189,20 +189,20 @@ struct glink_channel {
+
+ static const struct rpmsg_endpoint_ops glink_endpoint_ops;
+
+-#define RPM_CMD_VERSION 0
+-#define RPM_CMD_VERSION_ACK 1
+-#define RPM_CMD_OPEN 2
+-#define RPM_CMD_CLOSE 3
+-#define RPM_CMD_OPEN_ACK 4
+-#define RPM_CMD_INTENT 5
+-#define RPM_CMD_RX_DONE 6
+-#define RPM_CMD_RX_INTENT_REQ 7
+-#define RPM_CMD_RX_INTENT_REQ_ACK 8
+-#define RPM_CMD_TX_DATA 9
+-#define RPM_CMD_CLOSE_ACK 11
+-#define RPM_CMD_TX_DATA_CONT 12
+-#define RPM_CMD_READ_NOTIF 13
+-#define RPM_CMD_RX_DONE_W_REUSE 14
++#define GLINK_CMD_VERSION 0
++#define GLINK_CMD_VERSION_ACK 1
++#define GLINK_CMD_OPEN 2
++#define GLINK_CMD_CLOSE 3
++#define GLINK_CMD_OPEN_ACK 4
++#define GLINK_CMD_INTENT 5
++#define GLINK_CMD_RX_DONE 6
++#define GLINK_CMD_RX_INTENT_REQ 7
++#define GLINK_CMD_RX_INTENT_REQ_ACK 8
++#define GLINK_CMD_TX_DATA 9
++#define GLINK_CMD_CLOSE_ACK 11
++#define GLINK_CMD_TX_DATA_CONT 12
++#define GLINK_CMD_READ_NOTIF 13
++#define GLINK_CMD_RX_DONE_W_REUSE 14
+
+ #define GLINK_FEATURE_INTENTLESS BIT(1)
+
+@@ -311,7 +311,7 @@ static void qcom_glink_send_read_notify(struct qcom_glink *glink)
+ {
+ struct glink_msg msg;
+
+- msg.cmd = cpu_to_le16(RPM_CMD_READ_NOTIF);
++ msg.cmd = cpu_to_le16(GLINK_CMD_READ_NOTIF);
+ msg.param1 = 0;
+ msg.param2 = 0;
+
+@@ -373,7 +373,7 @@ static int qcom_glink_send_version(struct qcom_glink *glink)
+ {
+ struct glink_msg msg;
+
+- msg.cmd = cpu_to_le16(RPM_CMD_VERSION);
++ msg.cmd = cpu_to_le16(GLINK_CMD_VERSION);
+ msg.param1 = cpu_to_le16(GLINK_VERSION_1);
+ msg.param2 = cpu_to_le32(glink->features);
+
+@@ -384,7 +384,7 @@ static void qcom_glink_send_version_ack(struct qcom_glink *glink)
+ {
+ struct glink_msg msg;
+
+- msg.cmd = cpu_to_le16(RPM_CMD_VERSION_ACK);
++ msg.cmd = cpu_to_le16(GLINK_CMD_VERSION_ACK);
+ msg.param1 = cpu_to_le16(GLINK_VERSION_1);
+ msg.param2 = cpu_to_le32(glink->features);
+
+@@ -396,7 +396,7 @@ static void qcom_glink_send_open_ack(struct qcom_glink *glink,
+ {
+ struct glink_msg msg;
+
+- msg.cmd = cpu_to_le16(RPM_CMD_OPEN_ACK);
++ msg.cmd = cpu_to_le16(GLINK_CMD_OPEN_ACK);
+ msg.param1 = cpu_to_le16(channel->rcid);
+ msg.param2 = cpu_to_le32(0);
+
+@@ -422,11 +422,11 @@ static void qcom_glink_handle_intent_req_ack(struct qcom_glink *glink,
+ }
+
+ /**
+- * qcom_glink_send_open_req() - send a RPM_CMD_OPEN request to the remote
++ * qcom_glink_send_open_req() - send a GLINK_CMD_OPEN request to the remote
+ * @glink: Ptr to the glink edge
+ * @channel: Ptr to the channel that the open req is sent
+ *
+- * Allocates a local channel id and sends a RPM_CMD_OPEN message to the remote.
++ * Allocates a local channel id and sends a GLINK_CMD_OPEN message to the remote.
+ * Will return with refcount held, regardless of outcome.
+ *
+ * Return: 0 on success, negative errno otherwise.
+@@ -455,7 +455,7 @@ static int qcom_glink_send_open_req(struct qcom_glink *glink,
+
+ channel->lcid = ret;
+
+- req.msg.cmd = cpu_to_le16(RPM_CMD_OPEN);
++ req.msg.cmd = cpu_to_le16(GLINK_CMD_OPEN);
+ req.msg.param1 = cpu_to_le16(channel->lcid);
+ req.msg.param2 = cpu_to_le32(name_len);
+ strcpy(req.name, channel->name);
+@@ -480,7 +480,7 @@ static void qcom_glink_send_close_req(struct qcom_glink *glink,
+ {
+ struct glink_msg req;
+
+- req.cmd = cpu_to_le16(RPM_CMD_CLOSE);
++ req.cmd = cpu_to_le16(GLINK_CMD_CLOSE);
+ req.param1 = cpu_to_le16(channel->lcid);
+ req.param2 = 0;
+
+@@ -492,7 +492,7 @@ static void qcom_glink_send_close_ack(struct qcom_glink *glink,
+ {
+ struct glink_msg req;
+
+- req.cmd = cpu_to_le16(RPM_CMD_CLOSE_ACK);
++ req.cmd = cpu_to_le16(GLINK_CMD_CLOSE_ACK);
+ req.param1 = cpu_to_le16(rcid);
+ req.param2 = 0;
+
+@@ -523,7 +523,7 @@ static void qcom_glink_rx_done_work(struct work_struct *work)
+ iid = intent->id;
+ reuse = intent->reuse;
+
+- cmd.id = reuse ? RPM_CMD_RX_DONE_W_REUSE : RPM_CMD_RX_DONE;
++ cmd.id = reuse ? GLINK_CMD_RX_DONE_W_REUSE : GLINK_CMD_RX_DONE;
+ cmd.lcid = cid;
+ cmd.liid = iid;
+
+@@ -635,7 +635,7 @@ static int qcom_glink_send_intent_req_ack(struct qcom_glink *glink,
+ {
+ struct glink_msg msg;
+
+- msg.cmd = cpu_to_le16(RPM_CMD_RX_INTENT_REQ_ACK);
++ msg.cmd = cpu_to_le16(GLINK_CMD_RX_INTENT_REQ_ACK);
+ msg.param1 = cpu_to_le16(channel->lcid);
+ msg.param2 = cpu_to_le32(granted);
+
+@@ -666,7 +666,7 @@ static int qcom_glink_advertise_intent(struct qcom_glink *glink,
+ } __packed;
+ struct command cmd;
+
+- cmd.id = cpu_to_le16(RPM_CMD_INTENT);
++ cmd.id = cpu_to_le16(GLINK_CMD_INTENT);
+ cmd.lcid = cpu_to_le16(channel->lcid);
+ cmd.count = cpu_to_le32(1);
+ cmd.size = cpu_to_le32(intent->size);
+@@ -1031,42 +1031,42 @@ static irqreturn_t qcom_glink_native_intr(int irq, void *data)
+ param2 = le32_to_cpu(msg.param2);
+
+ switch (cmd) {
+- case RPM_CMD_VERSION:
+- case RPM_CMD_VERSION_ACK:
+- case RPM_CMD_CLOSE:
+- case RPM_CMD_CLOSE_ACK:
+- case RPM_CMD_RX_INTENT_REQ:
++ case GLINK_CMD_VERSION:
++ case GLINK_CMD_VERSION_ACK:
++ case GLINK_CMD_CLOSE:
++ case GLINK_CMD_CLOSE_ACK:
++ case GLINK_CMD_RX_INTENT_REQ:
+ ret = qcom_glink_rx_defer(glink, 0);
+ break;
+- case RPM_CMD_OPEN_ACK:
++ case GLINK_CMD_OPEN_ACK:
+ ret = qcom_glink_rx_open_ack(glink, param1);
+ qcom_glink_rx_advance(glink, ALIGN(sizeof(msg), 8));
+ break;
+- case RPM_CMD_OPEN:
++ case GLINK_CMD_OPEN:
+ ret = qcom_glink_rx_defer(glink, param2);
+ break;
+- case RPM_CMD_TX_DATA:
+- case RPM_CMD_TX_DATA_CONT:
++ case GLINK_CMD_TX_DATA:
++ case GLINK_CMD_TX_DATA_CONT:
+ ret = qcom_glink_rx_data(glink, avail);
+ break;
+- case RPM_CMD_READ_NOTIF:
++ case GLINK_CMD_READ_NOTIF:
+ qcom_glink_rx_advance(glink, ALIGN(sizeof(msg), 8));
+
+ mbox_send_message(glink->mbox_chan, NULL);
+ mbox_client_txdone(glink->mbox_chan, 0);
+ break;
+- case RPM_CMD_INTENT:
++ case GLINK_CMD_INTENT:
+ qcom_glink_handle_intent(glink, param1, param2, avail);
+ break;
+- case RPM_CMD_RX_DONE:
++ case GLINK_CMD_RX_DONE:
+ qcom_glink_handle_rx_done(glink, param1, param2, false);
+ qcom_glink_rx_advance(glink, ALIGN(sizeof(msg), 8));
+ break;
+- case RPM_CMD_RX_DONE_W_REUSE:
++ case GLINK_CMD_RX_DONE_W_REUSE:
+ qcom_glink_handle_rx_done(glink, param1, param2, true);
+ qcom_glink_rx_advance(glink, ALIGN(sizeof(msg), 8));
+ break;
+- case RPM_CMD_RX_INTENT_REQ_ACK:
++ case GLINK_CMD_RX_INTENT_REQ_ACK:
+ qcom_glink_handle_intent_req_ack(glink, param1, param2);
+ qcom_glink_rx_advance(glink, ALIGN(sizeof(msg), 8));
+ break;
+@@ -1269,7 +1269,7 @@ static int qcom_glink_request_intent(struct qcom_glink *glink,
+
+ reinit_completion(&channel->intent_req_comp);
+
+- cmd.id = RPM_CMD_RX_INTENT_REQ;
++ cmd.id = GLINK_CMD_RX_INTENT_REQ;
+ cmd.cid = channel->lcid;
+ cmd.size = size;
+
+@@ -1343,7 +1343,7 @@ static int __qcom_glink_send(struct glink_channel *channel,
+ chunk_size = SZ_8K;
+ left_size = len - chunk_size;
+ }
+- req.msg.cmd = cpu_to_le16(RPM_CMD_TX_DATA);
++ req.msg.cmd = cpu_to_le16(GLINK_CMD_TX_DATA);
+ req.msg.param1 = cpu_to_le16(channel->lcid);
+ req.msg.param2 = cpu_to_le32(iid);
+ req.chunk_size = cpu_to_le32(chunk_size);
+@@ -1365,7 +1365,7 @@ static int __qcom_glink_send(struct glink_channel *channel,
+ chunk_size = SZ_8K;
+ left_size -= chunk_size;
+
+- req.msg.cmd = cpu_to_le16(RPM_CMD_TX_DATA_CONT);
++ req.msg.cmd = cpu_to_le16(GLINK_CMD_TX_DATA_CONT);
+ req.msg.param1 = cpu_to_le16(channel->lcid);
+ req.msg.param2 = cpu_to_le32(iid);
+ req.chunk_size = cpu_to_le32(chunk_size);
+@@ -1631,22 +1631,22 @@ static void qcom_glink_work(struct work_struct *work)
+ param2 = le32_to_cpu(msg->param2);
+
+ switch (cmd) {
+- case RPM_CMD_VERSION:
++ case GLINK_CMD_VERSION:
+ qcom_glink_receive_version(glink, param1, param2);
+ break;
+- case RPM_CMD_VERSION_ACK:
++ case GLINK_CMD_VERSION_ACK:
+ qcom_glink_receive_version_ack(glink, param1, param2);
+ break;
+- case RPM_CMD_OPEN:
++ case GLINK_CMD_OPEN:
+ qcom_glink_rx_open(glink, param1, msg->data);
+ break;
+- case RPM_CMD_CLOSE:
++ case GLINK_CMD_CLOSE:
+ qcom_glink_rx_close(glink, param1);
+ break;
+- case RPM_CMD_CLOSE_ACK:
++ case GLINK_CMD_CLOSE_ACK:
+ qcom_glink_rx_close_ack(glink, param1);
+ break;
+- case RPM_CMD_RX_INTENT_REQ:
++ case GLINK_CMD_RX_INTENT_REQ:
+ qcom_glink_handle_intent_req(glink, param1, param2);
+ break;
+ default:
+--
+2.43.0
+
--- /dev/null
+From 80368ae81fd3869a6d7db2bda856ab52a058f2e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 19:59:35 -0400
+Subject: rpmsg: glink: use only lower 16-bits of param2 for CMD_OPEN name
+ length
+
+From: Jonathan Marek <jonathan@marek.ca>
+
+[ Upstream commit 06c59d97f63c1b8af521fa5aef8a716fb988b285 ]
+
+The name len field of the CMD_OPEN packet is only 16-bits and the upper
+16-bits of "param2" are a different "prio" field, which can be nonzero in
+certain situations, and CMD_OPEN packets can be unexpectedly dropped
+because of this.
+
+Fix this by masking out the upper 16 bits of param2.
+
+Fixes: b4f8e52b89f6 ("rpmsg: Introduce Qualcomm RPM glink driver")
+Signed-off-by: Jonathan Marek <jonathan@marek.ca>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20241007235935.6216-1-jonathan@marek.ca
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rpmsg/qcom_glink_native.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
+index 2c388426e4019..c838be098e865 100644
+--- a/drivers/rpmsg/qcom_glink_native.c
++++ b/drivers/rpmsg/qcom_glink_native.c
+@@ -1043,7 +1043,8 @@ static irqreturn_t qcom_glink_native_intr(int irq, void *data)
+ qcom_glink_rx_advance(glink, ALIGN(sizeof(msg), 8));
+ break;
+ case GLINK_CMD_OPEN:
+- ret = qcom_glink_rx_defer(glink, param2);
++ /* upper 16 bits of param2 are the "prio" field */
++ ret = qcom_glink_rx_defer(glink, param2 & 0xffff);
+ break;
+ case GLINK_CMD_TX_DATA:
+ case GLINK_CMD_TX_DATA_CONT:
+--
+2.43.0
+
--- /dev/null
+From bdd21d14e9b70490ba831bde4975694f8751e197 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Nov 2024 14:31:42 +0100
+Subject: rxrpc: Improve setsockopt() handling of malformed user input
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 02020056647017e70509bb58c3096448117099e1 ]
+
+copy_from_sockptr() does not return negative value on error; instead, it
+reports the number of bytes that failed to copy. Since it's deprecated,
+switch to copy_safe_from_sockptr().
+
+Note: Keeping the `optlen != sizeof(unsigned int)` check as
+copy_safe_from_sockptr() by itself would also accept
+optlen > sizeof(unsigned int). Which would allow a more lenient handling
+of inputs.
+
+Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/af_rxrpc.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c
+index ceba28e9dce62..9b3efe6d580fe 100644
+--- a/net/rxrpc/af_rxrpc.c
++++ b/net/rxrpc/af_rxrpc.c
+@@ -641,9 +641,10 @@ static int rxrpc_setsockopt(struct socket *sock, int level, int optname,
+ ret = -EISCONN;
+ if (rx->sk.sk_state != RXRPC_UNBOUND)
+ goto error;
+- ret = copy_from_sockptr(&min_sec_level, optval,
+- sizeof(unsigned int));
+- if (ret < 0)
++ ret = copy_safe_from_sockptr(&min_sec_level,
++ sizeof(min_sec_level),
++ optval, optlen);
++ if (ret)
+ goto error;
+ ret = -EINVAL;
+ if (min_sec_level > RXRPC_SECURITY_MAX)
+--
+2.43.0
+
--- /dev/null
+From 75630e3fc7a1902e65d5967d0c43f665c1e0d390 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Sep 2024 22:16:43 +0200
+Subject: s390/cio: Do not unregister the subchannel based on DNV
+
+From: Vineeth Vijayan <vneethv@linux.ibm.com>
+
+[ Upstream commit 8c58a229688ce3a097b3b1a2efe1b4f5508c2123 ]
+
+Starting with commit 2297791c92d0 ("s390/cio: dont unregister
+subchannel from child-drivers"), CIO does not unregister subchannels
+when the attached device is invalid or unavailable. Instead, it
+allows subchannels to exist without a connected device. However, if
+the DNV value is 0, such as, when all the CHPIDs of a subchannel are
+configured in standby state, the subchannel is unregistered, which
+contradicts the current subchannel specification.
+
+Update the logic so that subchannels are not unregistered based
+on the DNV value. Also update the SCHIB information even if the
+DNV bit is zero.
+
+Suggested-by: Peter Oberparleiter <oberpar@linux.ibm.com>
+Signed-off-by: Vineeth Vijayan <vneethv@linux.ibm.com>
+Fixes: 2297791c92d0 ("s390/cio: dont unregister subchannel from child-drivers")
+Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/cio.c | 6 +++++-
+ drivers/s390/cio/device.c | 18 +++++++++++++++++-
+ 2 files changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/s390/cio/cio.c b/drivers/s390/cio/cio.c
+index 923f5ca4f5e6b..54bfa9fe3031b 100644
+--- a/drivers/s390/cio/cio.c
++++ b/drivers/s390/cio/cio.c
+@@ -459,10 +459,14 @@ int cio_update_schib(struct subchannel *sch)
+ {
+ struct schib schib;
+
+- if (stsch(sch->schid, &schib) || !css_sch_is_valid(&schib))
++ if (stsch(sch->schid, &schib))
+ return -ENODEV;
+
+ memcpy(&sch->schib, &schib, sizeof(schib));
++
++ if (!css_sch_is_valid(&schib))
++ return -EACCES;
++
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(cio_update_schib);
+diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c
+index 5666b9cc5d296..bdf5a50bd931d 100644
+--- a/drivers/s390/cio/device.c
++++ b/drivers/s390/cio/device.c
+@@ -1378,14 +1378,18 @@ enum io_sch_action {
+ IO_SCH_VERIFY,
+ IO_SCH_DISC,
+ IO_SCH_NOP,
++ IO_SCH_ORPH_CDEV,
+ };
+
+ static enum io_sch_action sch_get_action(struct subchannel *sch)
+ {
+ struct ccw_device *cdev;
++ int rc;
+
+ cdev = sch_get_cdev(sch);
+- if (cio_update_schib(sch)) {
++ rc = cio_update_schib(sch);
++
++ if (rc == -ENODEV) {
+ /* Not operational. */
+ if (!cdev)
+ return IO_SCH_UNREG;
+@@ -1393,6 +1397,16 @@ static enum io_sch_action sch_get_action(struct subchannel *sch)
+ return IO_SCH_UNREG;
+ return IO_SCH_ORPH_UNREG;
+ }
++
++ /* Avoid unregistering subchannels without working device. */
++ if (rc == -EACCES) {
++ if (!cdev)
++ return IO_SCH_NOP;
++ if (ccw_device_notify(cdev, CIO_GONE) != NOTIFY_OK)
++ return IO_SCH_UNREG_CDEV;
++ return IO_SCH_ORPH_CDEV;
++ }
++
+ /* Operational. */
+ if (!cdev)
+ return IO_SCH_ATTACH;
+@@ -1462,6 +1476,7 @@ static int io_subchannel_sch_event(struct subchannel *sch, int process)
+ rc = 0;
+ goto out_unlock;
+ case IO_SCH_ORPH_UNREG:
++ case IO_SCH_ORPH_CDEV:
+ case IO_SCH_ORPH_ATTACH:
+ ccw_device_set_disconnected(cdev);
+ break;
+@@ -1493,6 +1508,7 @@ static int io_subchannel_sch_event(struct subchannel *sch, int process)
+ /* Handle attached ccw device. */
+ switch (action) {
+ case IO_SCH_ORPH_UNREG:
++ case IO_SCH_ORPH_CDEV:
+ case IO_SCH_ORPH_ATTACH:
+ /* Move ccw device to orphanage. */
+ rc = ccw_device_move_to_orph(cdev);
+--
+2.43.0
+
--- /dev/null
+From 7ba289438b6e59ea9fbdc47e4f10819d8dfd1775 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Nov 2024 16:22:19 +0100
+Subject: s390/iucv: MSG_PEEK causes memory leak in iucv_sock_destruct()
+
+From: Sidraya Jayagond <sidraya@linux.ibm.com>
+
+[ Upstream commit ebaf81317e42aa990ad20b113cfe3a7b20d4e937 ]
+
+Passing MSG_PEEK flag to skb_recv_datagram() increments skb refcount
+(skb->users) and iucv_sock_recvmsg() does not decrement skb refcount
+at exit.
+This results in skb memory leak in skb_queue_purge() and WARN_ON in
+iucv_sock_destruct() during socket close. To fix this decrease
+skb refcount by one if MSG_PEEK is set in order to prevent memory
+leak and WARN_ON.
+
+WARNING: CPU: 2 PID: 6292 at net/iucv/af_iucv.c:286 iucv_sock_destruct+0x144/0x1a0 [af_iucv]
+CPU: 2 PID: 6292 Comm: afiucv_test_msg Kdump: loaded Tainted: G W 6.10.0-rc7 #1
+Hardware name: IBM 3931 A01 704 (z/VM 7.3.0)
+Call Trace:
+ [<001587c682c4aa98>] iucv_sock_destruct+0x148/0x1a0 [af_iucv]
+ [<001587c682c4a9d0>] iucv_sock_destruct+0x80/0x1a0 [af_iucv]
+ [<001587c704117a32>] __sk_destruct+0x52/0x550
+ [<001587c704104a54>] __sock_release+0xa4/0x230
+ [<001587c704104c0c>] sock_close+0x2c/0x40
+ [<001587c702c5f5a8>] __fput+0x2e8/0x970
+ [<001587c7024148c4>] task_work_run+0x1c4/0x2c0
+ [<001587c7023b0716>] do_exit+0x996/0x1050
+ [<001587c7023b13aa>] do_group_exit+0x13a/0x360
+ [<001587c7023b1626>] __s390x_sys_exit_group+0x56/0x60
+ [<001587c7022bccca>] do_syscall+0x27a/0x380
+ [<001587c7049a6a0c>] __do_syscall+0x9c/0x160
+ [<001587c7049ce8a8>] system_call+0x70/0x98
+ Last Breaking-Event-Address:
+ [<001587c682c4a9d4>] iucv_sock_destruct+0x84/0x1a0 [af_iucv]
+
+Fixes: eac3731bd04c ("[S390]: Add AF_IUCV socket support")
+Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
+Reviewed-by: Thorsten Winkler <twinkler@linux.ibm.com>
+Signed-off-by: Sidraya Jayagond <sidraya@linux.ibm.com>
+Signed-off-by: Alexandra Winter <wintera@linux.ibm.com>
+Reviewed-by: David Wei <dw@davidwei.uk>
+Link: https://patch.msgid.link/20241119152219.3712168-1-wintera@linux.ibm.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/iucv/af_iucv.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
+index 815b1df0b2d19..0f660b1d3bd51 100644
+--- a/net/iucv/af_iucv.c
++++ b/net/iucv/af_iucv.c
+@@ -1238,7 +1238,9 @@ static int iucv_sock_recvmsg(struct socket *sock, struct msghdr *msg,
+ return -EOPNOTSUPP;
+
+ /* receive/dequeue next skb:
+- * the function understands MSG_PEEK and, thus, does not dequeue skb */
++ * the function understands MSG_PEEK and, thus, does not dequeue skb
++ * only refcount is increased.
++ */
+ skb = skb_recv_datagram(sk, flags, &err);
+ if (!skb) {
+ if (sk->sk_shutdown & RCV_SHUTDOWN)
+@@ -1254,9 +1256,8 @@ static int iucv_sock_recvmsg(struct socket *sock, struct msghdr *msg,
+
+ cskb = skb;
+ if (skb_copy_datagram_msg(cskb, offset, msg, copied)) {
+- if (!(flags & MSG_PEEK))
+- skb_queue_head(&sk->sk_receive_queue, skb);
+- return -EFAULT;
++ err = -EFAULT;
++ goto err_out;
+ }
+
+ /* SOCK_SEQPACKET: set MSG_TRUNC if recv buf size is too small */
+@@ -1273,11 +1274,8 @@ static int iucv_sock_recvmsg(struct socket *sock, struct msghdr *msg,
+ err = put_cmsg(msg, SOL_IUCV, SCM_IUCV_TRGCLS,
+ sizeof(IUCV_SKB_CB(skb)->class),
+ (void *)&IUCV_SKB_CB(skb)->class);
+- if (err) {
+- if (!(flags & MSG_PEEK))
+- skb_queue_head(&sk->sk_receive_queue, skb);
+- return err;
+- }
++ if (err)
++ goto err_out;
+
+ /* Mark read part of skb as used */
+ if (!(flags & MSG_PEEK)) {
+@@ -1333,8 +1331,18 @@ static int iucv_sock_recvmsg(struct socket *sock, struct msghdr *msg,
+ /* SOCK_SEQPACKET: return real length if MSG_TRUNC is set */
+ if (sk->sk_type == SOCK_SEQPACKET && (flags & MSG_TRUNC))
+ copied = rlen;
++ if (flags & MSG_PEEK)
++ skb_unref(skb);
+
+ return copied;
++
++err_out:
++ if (!(flags & MSG_PEEK))
++ skb_queue_head(&sk->sk_receive_queue, skb);
++ else
++ skb_unref(skb);
++
++ return err;
+ }
+
+ static inline __poll_t iucv_accept_poll(struct sock *parent)
+--
+2.43.0
+
--- /dev/null
+From 472da0e026c0ba22b44375669214bcf651a7740c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Nov 2024 22:45:52 +0900
+Subject: s390/syscalls: Avoid creation of arch/arch/ directory
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit 0708967e2d56e370231fd07defa0d69f9ad125e8 ]
+
+Building the kernel with ARCH=s390 creates a weird arch/arch/ directory.
+
+ $ find arch/arch
+ arch/arch
+ arch/arch/s390
+ arch/arch/s390/include
+ arch/arch/s390/include/generated
+ arch/arch/s390/include/generated/asm
+ arch/arch/s390/include/generated/uapi
+ arch/arch/s390/include/generated/uapi/asm
+
+The root cause is 'targets' in arch/s390/kernel/syscalls/Makefile,
+where the relative path is incorrect.
+
+Strictly speaking, 'targets' was not necessary in the first place
+because this Makefile uses 'filechk' instead of 'if_changed'.
+
+However, this commit keeps it, as it will be useful when converting
+'filechk' to 'if_changed' later.
+
+Fixes: 5c75824d915e ("s390/syscalls: add Makefile to generate system call header files")
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Link: https://lore.kernel.org/r/20241111134603.2063226-1-masahiroy@kernel.org
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/syscalls/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/kernel/syscalls/Makefile b/arch/s390/kernel/syscalls/Makefile
+index fb85e797946db..2bd7756288df6 100644
+--- a/arch/s390/kernel/syscalls/Makefile
++++ b/arch/s390/kernel/syscalls/Makefile
+@@ -12,7 +12,7 @@ kapi-hdrs-y := $(kapi)/unistd_nr.h
+ uapi-hdrs-y := $(uapi)/unistd_32.h
+ uapi-hdrs-y += $(uapi)/unistd_64.h
+
+-targets += $(addprefix ../../../,$(gen-y) $(kapi-hdrs-y) $(uapi-hdrs-y))
++targets += $(addprefix ../../../../,$(gen-y) $(kapi-hdrs-y) $(uapi-hdrs-y))
+
+ PHONY += kapi uapi
+
+--
+2.43.0
+
--- /dev/null
+From 70fc2625634b8bc96f6927f440cc1a3c4804252b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Oct 2024 09:18:09 +0800
+Subject: scsi: bfa: Fix use-after-free in bfad_im_module_exit()
+
+From: Ye Bin <yebin10@huawei.com>
+
+[ Upstream commit 178b8f38932d635e90f5f0e9af1986c6f4a89271 ]
+
+BUG: KASAN: slab-use-after-free in __lock_acquire+0x2aca/0x3a20
+Read of size 8 at addr ffff8881082d80c8 by task modprobe/25303
+
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x95/0xe0
+ print_report+0xcb/0x620
+ kasan_report+0xbd/0xf0
+ __lock_acquire+0x2aca/0x3a20
+ lock_acquire+0x19b/0x520
+ _raw_spin_lock+0x2b/0x40
+ attribute_container_unregister+0x30/0x160
+ fc_release_transport+0x19/0x90 [scsi_transport_fc]
+ bfad_im_module_exit+0x23/0x60 [bfa]
+ bfad_init+0xdb/0xff0 [bfa]
+ do_one_initcall+0xdc/0x550
+ do_init_module+0x22d/0x6b0
+ load_module+0x4e96/0x5ff0
+ init_module_from_file+0xcd/0x130
+ idempotent_init_module+0x330/0x620
+ __x64_sys_finit_module+0xb3/0x110
+ do_syscall_64+0xc1/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+
+Allocated by task 25303:
+ kasan_save_stack+0x24/0x50
+ kasan_save_track+0x14/0x30
+ __kasan_kmalloc+0x7f/0x90
+ fc_attach_transport+0x4f/0x4740 [scsi_transport_fc]
+ bfad_im_module_init+0x17/0x80 [bfa]
+ bfad_init+0x23/0xff0 [bfa]
+ do_one_initcall+0xdc/0x550
+ do_init_module+0x22d/0x6b0
+ load_module+0x4e96/0x5ff0
+ init_module_from_file+0xcd/0x130
+ idempotent_init_module+0x330/0x620
+ __x64_sys_finit_module+0xb3/0x110
+ do_syscall_64+0xc1/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Freed by task 25303:
+ kasan_save_stack+0x24/0x50
+ kasan_save_track+0x14/0x30
+ kasan_save_free_info+0x3b/0x60
+ __kasan_slab_free+0x38/0x50
+ kfree+0x212/0x480
+ bfad_im_module_init+0x7e/0x80 [bfa]
+ bfad_init+0x23/0xff0 [bfa]
+ do_one_initcall+0xdc/0x550
+ do_init_module+0x22d/0x6b0
+ load_module+0x4e96/0x5ff0
+ init_module_from_file+0xcd/0x130
+ idempotent_init_module+0x330/0x620
+ __x64_sys_finit_module+0xb3/0x110
+ do_syscall_64+0xc1/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Above issue happens as follows:
+
+bfad_init
+ error = bfad_im_module_init()
+ fc_release_transport(bfad_im_scsi_transport_template);
+ if (error)
+ goto ext;
+
+ext:
+ bfad_im_module_exit();
+ fc_release_transport(bfad_im_scsi_transport_template);
+ --> Trigger double release
+
+Don't call bfad_im_module_exit() if bfad_im_module_init() failed.
+
+Fixes: 7725ccfda597 ("[SCSI] bfa: Brocade BFA FC SCSI driver")
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Link: https://lore.kernel.org/r/20241023011809.63466-1-yebin@huaweicloud.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/bfa/bfad.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/bfa/bfad.c b/drivers/scsi/bfa/bfad.c
+index e5aa982ffedc3..d4455ca3a7dd2 100644
+--- a/drivers/scsi/bfa/bfad.c
++++ b/drivers/scsi/bfa/bfad.c
+@@ -1699,9 +1699,8 @@ bfad_init(void)
+
+ error = bfad_im_module_init();
+ if (error) {
+- error = -ENOMEM;
+ printk(KERN_WARNING "bfad_im_module_init failure\n");
+- goto ext;
++ return -ENOMEM;
+ }
+
+ if (strcmp(FCPI_NAME, " fcpim") == 0)
+--
+2.43.0
+
--- /dev/null
+From 4e209019c71e168ac154f89f48912b402189112a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2024 16:44:17 +0800
+Subject: scsi: fusion: Remove unused variable 'rc'
+
+From: Zeng Heng <zengheng4@huawei.com>
+
+[ Upstream commit bd65694223f7ad11c790ab63ad1af87a771192ee ]
+
+The return value of scsi_device_reprobe() is currently ignored in
+_scsih_reprobe_lun(). Fixing the calling code to deal with the potential
+error is non-trivial, so for now just WARN_ON().
+
+The handling of scsi_device_reprobe()'s return value refers to
+_scsih_reprobe_lun() and the following link:
+
+https://lore.kernel.org/all/094fdbf57487af4f395238c0525b2a560c8f68f0.1469766027.git.calvinowens@fb.com/
+
+Fixes: f99be43b3024 ("[SCSI] fusion: power pc and miscellaneous bug fixs")
+Signed-off-by: Zeng Heng <zengheng4@huawei.com>
+Link: https://lore.kernel.org/r/20241024084417.154655-1-zengheng4@huawei.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/message/fusion/mptsas.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/message/fusion/mptsas.c b/drivers/message/fusion/mptsas.c
+index 34901bcd1ce81..452774cf40cb6 100644
+--- a/drivers/message/fusion/mptsas.c
++++ b/drivers/message/fusion/mptsas.c
+@@ -4234,10 +4234,8 @@ mptsas_find_phyinfo_by_phys_disk_num(MPT_ADAPTER *ioc, u8 phys_disk_num,
+ static void
+ mptsas_reprobe_lun(struct scsi_device *sdev, void *data)
+ {
+- int rc;
+-
+ sdev->no_uld_attach = data ? 1 : 0;
+- rc = scsi_device_reprobe(sdev);
++ WARN_ON(scsi_device_reprobe(sdev));
+ }
+
+ static void
+--
+2.43.0
+
--- /dev/null
+From 5213e0ce17f8dfa59379e2ee4a3282b4463ceb66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Oct 2024 20:57:10 +0800
+Subject: scsi: qedf: Fix a possible memory leak in qedf_alloc_and_init_sb()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit c62c30429db3eb4ced35c7fcf6f04a61ce3a01bb ]
+
+Hook "qed_ops->common->sb_init = qed_sb_init" does not release the DMA
+memory sb_virt when it fails. Add dma_free_coherent() to free it. This
+is the same way as qedr_alloc_mem_sb() and qede_alloc_mem_sb().
+
+Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.")
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Link: https://lore.kernel.org/r/20241026125711.484-2-thunder.leizhen@huawei.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedf/qedf_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
+index 179967774cc8c..288c96e7bc39f 100644
+--- a/drivers/scsi/qedf/qedf_main.c
++++ b/drivers/scsi/qedf/qedf_main.c
+@@ -2739,6 +2739,7 @@ static int qedf_alloc_and_init_sb(struct qedf_ctx *qedf,
+ sb_id, QED_SB_TYPE_STORAGE);
+
+ if (ret) {
++ dma_free_coherent(&qedf->pdev->dev, sizeof(*sb_virt), sb_virt, sb_phys);
+ QEDF_ERR(&qedf->dbg_ctx,
+ "Status block initialization failed (0x%x) for id = %d.\n",
+ ret, sb_id);
+--
+2.43.0
+
--- /dev/null
+From ff091019ecd4804d45a6f4ecf81067c77675943e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Oct 2024 20:57:11 +0800
+Subject: scsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit 95bbdca4999bc59a72ebab01663d421d6ce5775d ]
+
+Hook "qedi_ops->common->sb_init = qed_sb_init" does not release the DMA
+memory sb_virt when it fails. Add dma_free_coherent() to free it. This
+is the same way as qedr_alloc_mem_sb() and qede_alloc_mem_sb().
+
+Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.")
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Link: https://lore.kernel.org/r/20241026125711.484-3-thunder.leizhen@huawei.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedi/qedi_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/qedi/qedi_main.c b/drivers/scsi/qedi/qedi_main.c
+index 2ee109fb65616..825606c845e1a 100644
+--- a/drivers/scsi/qedi/qedi_main.c
++++ b/drivers/scsi/qedi/qedi_main.c
+@@ -369,6 +369,7 @@ static int qedi_alloc_and_init_sb(struct qedi_ctx *qedi,
+ ret = qedi_ops->common->sb_init(qedi->cdev, sb_info, sb_virt, sb_phys,
+ sb_id, QED_SB_TYPE_STORAGE);
+ if (ret) {
++ dma_free_coherent(&qedi->pdev->dev, sizeof(*sb_virt), sb_virt, sb_phys);
+ QEDI_ERR(&qedi->dbg_ctx,
+ "Status block initialization failed for id = %d.\n",
+ sb_id);
+--
+2.43.0
+
--- /dev/null
+From 82a866d3d3ef6a1ca47386c588c62a72fac0f083 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Nov 2023 11:03:16 -0800
+Subject: selftests/bpf: Add csum helpers
+
+From: Stanislav Fomichev <sdf@google.com>
+
+[ Upstream commit f6642de0c3e94d3ef6f44e127d11fcf4138873f7 ]
+
+Checksum helpers will be used to calculate pseudo-header checksum in
+AF_XDP metadata selftests.
+
+The helpers are mirroring existing kernel ones:
+- csum_tcpudp_magic : IPv4 pseudo header csum
+- csum_ipv6_magic : IPv6 pseudo header csum
+- csum_fold : fold csum and do one's complement
+
+Signed-off-by: Stanislav Fomichev <sdf@google.com>
+Link: https://lore.kernel.org/r/20231127190319.1190813-11-sdf@google.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Stable-dep-of: 5bf1557e3d6a ("selftests/bpf: Fix backtrace printing for selftests crashes")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/network_helpers.h | 43 +++++++++++++++++++
+ 1 file changed, 43 insertions(+)
+
+diff --git a/tools/testing/selftests/bpf/network_helpers.h b/tools/testing/selftests/bpf/network_helpers.h
+index f882c691b7909..2582ec56dcc50 100644
+--- a/tools/testing/selftests/bpf/network_helpers.h
++++ b/tools/testing/selftests/bpf/network_helpers.h
+@@ -66,4 +66,47 @@ struct nstoken;
+ */
+ struct nstoken *open_netns(const char *name);
+ void close_netns(struct nstoken *token);
++
++static __u16 csum_fold(__u32 csum)
++{
++ csum = (csum & 0xffff) + (csum >> 16);
++ csum = (csum & 0xffff) + (csum >> 16);
++
++ return (__u16)~csum;
++}
++
++static inline __sum16 csum_tcpudp_magic(__be32 saddr, __be32 daddr,
++ __u32 len, __u8 proto,
++ __wsum csum)
++{
++ __u64 s = csum;
++
++ s += (__u32)saddr;
++ s += (__u32)daddr;
++ s += htons(proto + len);
++ s = (s & 0xffffffff) + (s >> 32);
++ s = (s & 0xffffffff) + (s >> 32);
++
++ return csum_fold((__u32)s);
++}
++
++static inline __sum16 csum_ipv6_magic(const struct in6_addr *saddr,
++ const struct in6_addr *daddr,
++ __u32 len, __u8 proto,
++ __wsum csum)
++{
++ __u64 s = csum;
++ int i;
++
++ for (i = 0; i < 4; i++)
++ s += (__u32)saddr->s6_addr32[i];
++ for (i = 0; i < 4; i++)
++ s += (__u32)daddr->s6_addr32[i];
++ s += htons(proto + len);
++ s = (s & 0xffffffff) + (s >> 32);
++ s = (s & 0xffffffff) + (s >> 32);
++
++ return csum_fold((__u32)s);
++}
++
+ #endif
+--
+2.43.0
+
--- /dev/null
+From f0758ed8a9ee5fe00e1e53910fb34e02444fb591 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 16:50:57 +0200
+Subject: selftests/bpf: add missing header include for htons
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>
+
+[ Upstream commit bc9b3fb827fceec4e05564d6e668280f4470ab5b ]
+
+Including the network_helpers.h header in tests can lead to the following
+build error:
+
+./network_helpers.h: In function ‘csum_tcpudp_magic’:
+./network_helpers.h:116:14: error: implicit declaration of function \
+ ‘htons’ [-Werror=implicit-function-declaration]
+ 116 | s += htons(proto + len);
+
+The error is avoided in many cases thanks to some other headers included
+earlier and bringing in arpa/inet.h (ie: test_progs.h).
+
+Make sure that test_progs build success does not depend on header ordering
+by adding the missing header include in network_helpers.h
+
+Fixes: f6642de0c3e9 ("selftests/bpf: Add csum helpers")
+Signed-off-by: Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>
+Link: https://lore.kernel.org/r/20241008-network_helpers_fix-v1-1-2c2ae03df7ef@bootlin.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/network_helpers.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/network_helpers.h b/tools/testing/selftests/bpf/network_helpers.h
+index 2582ec56dcc50..535b72623dd4b 100644
+--- a/tools/testing/selftests/bpf/network_helpers.h
++++ b/tools/testing/selftests/bpf/network_helpers.h
+@@ -1,6 +1,7 @@
+ /* SPDX-License-Identifier: GPL-2.0 */
+ #ifndef __NETWORK_HELPERS_H
+ #define __NETWORK_HELPERS_H
++#include <arpa/inet.h>
+ #include <sys/socket.h>
+ #include <sys/types.h>
+ #include <linux/types.h>
+--
+2.43.0
+
--- /dev/null
+From bada27b2b99eacd85266af59c69f64fd57c2154e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Nov 2024 22:25:16 +0000
+Subject: selftests/bpf: Add push/pop checking for msg_verify_data in
+ test_sockmap
+
+From: Zijian Zhang <zijianzhang@bytedance.com>
+
+[ Upstream commit 862087c3d36219ed44569666eb263efc97f00c9a ]
+
+Add push/pop checking for msg_verify_data in test_sockmap, except for
+pop/push with cork tests, in these tests the logic will be different.
+1. With corking, pop/push might not be invoked in each sendmsg, it makes
+the layout of the received data difficult
+2. It makes it hard to calculate the total_bytes in the recvmsg
+Temporarily skip the data integrity test for these cases now, added a TODO
+
+Fixes: ee9b352ce465 ("selftests/bpf: Fix msg_verify_data in test_sockmap")
+Signed-off-by: Zijian Zhang <zijianzhang@bytedance.com>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/r/20241106222520.527076-5-zijianzhang@bytedance.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_sockmap.c | 106 ++++++++++++++++++++-
+ 1 file changed, 101 insertions(+), 5 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/test_sockmap.c b/tools/testing/selftests/bpf/test_sockmap.c
+index 0d21c6c752dae..d0284ef699bb2 100644
+--- a/tools/testing/selftests/bpf/test_sockmap.c
++++ b/tools/testing/selftests/bpf/test_sockmap.c
+@@ -87,6 +87,10 @@ int ktls;
+ int peek_flag;
+ int skb_use_parser;
+ int txmsg_omit_skb_parser;
++int verify_push_start;
++int verify_push_len;
++int verify_pop_start;
++int verify_pop_len;
+
+ static const struct option long_options[] = {
+ {"help", no_argument, NULL, 'h' },
+@@ -513,12 +517,41 @@ static int msg_alloc_iov(struct msghdr *msg,
+ return -ENOMEM;
+ }
+
+-/* TODO: Add verification logic for push, pull and pop data */
++/* In push or pop test, we need to do some calculations for msg_verify_data */
++static void msg_verify_date_prep(void)
++{
++ int push_range_end = txmsg_start_push + txmsg_end_push - 1;
++ int pop_range_end = txmsg_start_pop + txmsg_pop - 1;
++
++ if (txmsg_end_push && txmsg_pop &&
++ txmsg_start_push <= pop_range_end && txmsg_start_pop <= push_range_end) {
++ /* The push range and the pop range overlap */
++ int overlap_len;
++
++ verify_push_start = txmsg_start_push;
++ verify_pop_start = txmsg_start_pop;
++ if (txmsg_start_push < txmsg_start_pop)
++ overlap_len = min(push_range_end - txmsg_start_pop + 1, txmsg_pop);
++ else
++ overlap_len = min(pop_range_end - txmsg_start_push + 1, txmsg_end_push);
++ verify_push_len = max(txmsg_end_push - overlap_len, 0);
++ verify_pop_len = max(txmsg_pop - overlap_len, 0);
++ } else {
++ /* Otherwise */
++ verify_push_start = txmsg_start_push;
++ verify_pop_start = txmsg_start_pop;
++ verify_push_len = txmsg_end_push;
++ verify_pop_len = txmsg_pop;
++ }
++}
++
+ static int msg_verify_data(struct msghdr *msg, int size, int chunk_sz,
+- unsigned char *k_p, int *bytes_cnt_p)
++ unsigned char *k_p, int *bytes_cnt_p,
++ int *check_cnt_p, int *push_p)
+ {
+- int i, j, bytes_cnt = *bytes_cnt_p;
++ int bytes_cnt = *bytes_cnt_p, check_cnt = *check_cnt_p, push = *push_p;
+ unsigned char k = *k_p;
++ int i, j;
+
+ for (i = 0, j = 0; i < msg->msg_iovlen && size; i++, j = 0) {
+ unsigned char *d = msg->msg_iov[i].iov_base;
+@@ -537,6 +570,37 @@ static int msg_verify_data(struct msghdr *msg, int size, int chunk_sz,
+ }
+
+ for (; j < msg->msg_iov[i].iov_len && size; j++) {
++ if (push > 0 &&
++ check_cnt == verify_push_start + verify_push_len - push) {
++ int skipped;
++revisit_push:
++ skipped = push;
++ if (j + push >= msg->msg_iov[i].iov_len)
++ skipped = msg->msg_iov[i].iov_len - j;
++ push -= skipped;
++ size -= skipped;
++ j += skipped - 1;
++ check_cnt += skipped;
++ continue;
++ }
++
++ if (verify_pop_len > 0 && check_cnt == verify_pop_start) {
++ bytes_cnt += verify_pop_len;
++ check_cnt += verify_pop_len;
++ k += verify_pop_len;
++
++ if (bytes_cnt == chunk_sz) {
++ k = 0;
++ bytes_cnt = 0;
++ check_cnt = 0;
++ push = verify_push_len;
++ }
++
++ if (push > 0 &&
++ check_cnt == verify_push_start + verify_push_len - push)
++ goto revisit_push;
++ }
++
+ if (d[j] != k++) {
+ fprintf(stderr,
+ "detected data corruption @iov[%i]:%i %02x != %02x, %02x ?= %02x\n",
+@@ -544,15 +608,20 @@ static int msg_verify_data(struct msghdr *msg, int size, int chunk_sz,
+ return -EDATAINTEGRITY;
+ }
+ bytes_cnt++;
++ check_cnt++;
+ if (bytes_cnt == chunk_sz) {
+ k = 0;
+ bytes_cnt = 0;
++ check_cnt = 0;
++ push = verify_push_len;
+ }
+ size--;
+ }
+ }
+ *k_p = k;
+ *bytes_cnt_p = bytes_cnt;
++ *check_cnt_p = check_cnt;
++ *push_p = push;
+ return 0;
+ }
+
+@@ -611,6 +680,8 @@ static int msg_loop(int fd, int iov_count, int iov_length, int cnt,
+ struct timeval timeout;
+ unsigned char k = 0;
+ int bytes_cnt = 0;
++ int check_cnt = 0;
++ int push = 0;
+ fd_set w;
+
+ fcntl(fd, fd_flags);
+@@ -636,6 +707,10 @@ static int msg_loop(int fd, int iov_count, int iov_length, int cnt,
+ }
+ total_bytes += txmsg_push_total;
+ total_bytes -= txmsg_pop_total;
++ if (data) {
++ msg_verify_date_prep();
++ push = verify_push_len;
++ }
+ err = clock_gettime(CLOCK_MONOTONIC, &s->start);
+ if (err < 0)
+ perror("recv start time");
+@@ -711,7 +786,8 @@ static int msg_loop(int fd, int iov_count, int iov_length, int cnt,
+ iov_length :
+ iov_length * iov_count;
+
+- errno = msg_verify_data(&msg, recv, chunk_sz, &k, &bytes_cnt);
++ errno = msg_verify_data(&msg, recv, chunk_sz, &k, &bytes_cnt,
++ &check_cnt, &push);
+ if (errno) {
+ perror("data verify msg failed");
+ goto out_errno;
+@@ -721,7 +797,9 @@ static int msg_loop(int fd, int iov_count, int iov_length, int cnt,
+ recvp,
+ chunk_sz,
+ &k,
+- &bytes_cnt);
++ &bytes_cnt,
++ &check_cnt,
++ &push);
+ if (errno) {
+ perror("data verify msg_peek failed");
+ goto out_errno;
+@@ -1639,6 +1717,8 @@ static void test_txmsg_pull(int cgrp, struct sockmap_options *opt)
+
+ static void test_txmsg_pop(int cgrp, struct sockmap_options *opt)
+ {
++ bool data = opt->data_test;
++
+ /* Test basic pop */
+ txmsg_pass = 1;
+ txmsg_start_pop = 1;
+@@ -1657,6 +1737,12 @@ static void test_txmsg_pop(int cgrp, struct sockmap_options *opt)
+ txmsg_pop = 2;
+ test_send_many(opt, cgrp);
+
++ /* TODO: Test for pop + cork should be different,
++ * - It makes the layout of the received data difficult
++ * - It makes it hard to calculate the total_bytes in the recvmsg
++ * Temporarily skip the data integrity test for this case now.
++ */
++ opt->data_test = false;
+ /* Test pop + cork */
+ txmsg_redir = 0;
+ txmsg_cork = 512;
+@@ -1670,10 +1756,13 @@ static void test_txmsg_pop(int cgrp, struct sockmap_options *opt)
+ txmsg_start_pop = 1;
+ txmsg_pop = 2;
+ test_send_many(opt, cgrp);
++ opt->data_test = data;
+ }
+
+ static void test_txmsg_push(int cgrp, struct sockmap_options *opt)
+ {
++ bool data = opt->data_test;
++
+ /* Test basic push */
+ txmsg_pass = 1;
+ txmsg_start_push = 1;
+@@ -1692,12 +1781,19 @@ static void test_txmsg_push(int cgrp, struct sockmap_options *opt)
+ txmsg_end_push = 2;
+ test_send_many(opt, cgrp);
+
++ /* TODO: Test for push + cork should be different,
++ * - It makes the layout of the received data difficult
++ * - It makes it hard to calculate the total_bytes in the recvmsg
++ * Temporarily skip the data integrity test for this case now.
++ */
++ opt->data_test = false;
+ /* Test push + cork */
+ txmsg_redir = 0;
+ txmsg_cork = 512;
+ txmsg_start_push = 1;
+ txmsg_end_push = 2;
+ test_send_many(opt, cgrp);
++ opt->data_test = data;
+ }
+
+ static void test_txmsg_push_pop(int cgrp, struct sockmap_options *opt)
+--
+2.43.0
+
--- /dev/null
+From 952693cbb1b25bbf1ed930329733c38f68ba3d1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Nov 2024 22:25:13 +0000
+Subject: selftests/bpf: Add txmsg_pass to pull/push/pop in test_sockmap
+
+From: Zijian Zhang <zijianzhang@bytedance.com>
+
+[ Upstream commit 66c54c20408d994be34be2c070fba08472f69eee ]
+
+Add txmsg_pass to test_txmsg_pull/push/pop. If txmsg_pass is missing,
+tx_prog will be NULL, and no program will be attached to the sockmap.
+As a result, pull/push/pop are never invoked.
+
+Fixes: 328aa08a081b ("bpf: Selftests, break down test_sockmap into subtests")
+Signed-off-by: Zijian Zhang <zijianzhang@bytedance.com>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/r/20241106222520.527076-2-zijianzhang@bytedance.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_sockmap.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/testing/selftests/bpf/test_sockmap.c b/tools/testing/selftests/bpf/test_sockmap.c
+index 1954c2aeb7a9c..102a9bafbe6bc 100644
+--- a/tools/testing/selftests/bpf/test_sockmap.c
++++ b/tools/testing/selftests/bpf/test_sockmap.c
+@@ -1599,11 +1599,13 @@ static void test_txmsg_cork_hangs(int cgrp, struct sockmap_options *opt)
+ static void test_txmsg_pull(int cgrp, struct sockmap_options *opt)
+ {
+ /* Test basic start/end */
++ txmsg_pass = 1;
+ txmsg_start = 1;
+ txmsg_end = 2;
+ test_send(opt, cgrp);
+
+ /* Test >4k pull */
++ txmsg_pass = 1;
+ txmsg_start = 4096;
+ txmsg_end = 9182;
+ test_send_large(opt, cgrp);
+@@ -1632,11 +1634,13 @@ static void test_txmsg_pull(int cgrp, struct sockmap_options *opt)
+ static void test_txmsg_pop(int cgrp, struct sockmap_options *opt)
+ {
+ /* Test basic pop */
++ txmsg_pass = 1;
+ txmsg_start_pop = 1;
+ txmsg_pop = 2;
+ test_send_many(opt, cgrp);
+
+ /* Test pop with >4k */
++ txmsg_pass = 1;
+ txmsg_start_pop = 4096;
+ txmsg_pop = 4096;
+ test_send_large(opt, cgrp);
+@@ -1665,11 +1669,13 @@ static void test_txmsg_pop(int cgrp, struct sockmap_options *opt)
+ static void test_txmsg_push(int cgrp, struct sockmap_options *opt)
+ {
+ /* Test basic push */
++ txmsg_pass = 1;
+ txmsg_start_push = 1;
+ txmsg_end_push = 1;
+ test_send(opt, cgrp);
+
+ /* Test push 4kB >4k */
++ txmsg_pass = 1;
+ txmsg_start_push = 4096;
+ txmsg_end_push = 4096;
+ test_send_large(opt, cgrp);
+@@ -1690,6 +1696,7 @@ static void test_txmsg_push(int cgrp, struct sockmap_options *opt)
+
+ static void test_txmsg_push_pop(int cgrp, struct sockmap_options *opt)
+ {
++ txmsg_pass = 1;
+ txmsg_start_push = 1;
+ txmsg_end_push = 10;
+ txmsg_start_pop = 5;
+--
+2.43.0
+
--- /dev/null
+From a9b9832b126b15a85f9160887f4027a8c5e2b6a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Oct 2024 14:03:07 -0700
+Subject: selftests/bpf: Fix backtrace printing for selftests crashes
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit 5bf1557e3d6a69113649d831276ea2f97585fc33 ]
+
+test_progs uses glibc specific functions backtrace() and
+backtrace_symbols_fd() to print backtrace in case of SIGSEGV.
+
+Recent commit (see fixes) updated test_progs.c to define stub versions
+of the same functions with attriubte "weak" in order to allow linking
+test_progs against musl libc. Unfortunately this broke the backtrace
+handling for glibc builds.
+
+As it turns out, glibc defines backtrace() and backtrace_symbols_fd()
+as weak:
+
+ $ llvm-readelf --symbols /lib64/libc.so.6 \
+ | grep -P '( backtrace_symbols_fd| backtrace)$'
+ 4910: 0000000000126b40 161 FUNC WEAK DEFAULT 16 backtrace
+ 6843: 0000000000126f90 852 FUNC WEAK DEFAULT 16 backtrace_symbols_fd
+
+So does test_progs:
+
+ $ llvm-readelf --symbols test_progs \
+ | grep -P '( backtrace_symbols_fd| backtrace)$'
+ 2891: 00000000006ad190 15 FUNC WEAK DEFAULT 13 backtrace
+ 11215: 00000000006ad1a0 41 FUNC WEAK DEFAULT 13 backtrace_symbols_fd
+
+In such situation dynamic linker is not obliged to favour glibc
+implementation over the one defined in test_progs.
+
+Compiling with the following simple modification to test_progs.c
+demonstrates the issue:
+
+ $ git diff
+ ...
+ \--- a/tools/testing/selftests/bpf/test_progs.c
+ \+++ b/tools/testing/selftests/bpf/test_progs.c
+ \@@ -1817,6 +1817,7 @@ int main(int argc, char **argv)
+ if (err)
+ return err;
+
+ + *(int *)0xdeadbeef = 42;
+ err = cd_flavor_subdir(argv[0]);
+ if (err)
+ return err;
+
+ $ ./test_progs
+ [0]: Caught signal #11!
+ Stack trace:
+ <backtrace not supported>
+ Segmentation fault (core dumped)
+
+Resolve this by hiding stub definitions behind __GLIBC__ macro check
+instead of using "weak" attribute.
+
+Fixes: c9a83e76b5a9 ("selftests/bpf: Fix compile if backtrace support missing in libc")
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Tested-by: Tony Ambardar <tony.ambardar@gmail.com>
+Reviewed-by: Tony Ambardar <tony.ambardar@gmail.com>
+Acked-by: Daniel Xu <dxu@dxuuu.xyz>
+Link: https://lore.kernel.org/bpf/20241003210307.3847907-1-eddyz87@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_progs.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/test_progs.c b/tools/testing/selftests/bpf/test_progs.c
+index 11d4c51c7d211..6068f5bde8fd5 100644
+--- a/tools/testing/selftests/bpf/test_progs.c
++++ b/tools/testing/selftests/bpf/test_progs.c
+@@ -16,11 +16,13 @@
+ #include <sys/socket.h>
+ #include <sys/un.h>
+
++/* backtrace() and backtrace_symbols_fd() are glibc specific,
++ * use header file when glibc is available and provide stub
++ * implementations when another libc implementation is used.
++ */
+ #ifdef __GLIBC__
+ #include <execinfo.h> /* backtrace */
+-#endif
+-
+-/* Default backtrace funcs if missing at link */
++#else
+ __weak int backtrace(void **buffer, int size)
+ {
+ return 0;
+@@ -30,6 +32,7 @@ __weak void backtrace_symbols_fd(void *const *buffer, int size, int fd)
+ {
+ dprintf(fd, "<backtrace not supported>\n");
+ }
++#endif /*__GLIBC__ */
+
+ static bool verbose(void)
+ {
+--
+2.43.0
+
--- /dev/null
+From 5a19187b6079c0a987f5f741e7c3b798182edd57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Oct 2024 20:37:30 +0000
+Subject: selftests/bpf: Fix msg_verify_data in test_sockmap
+
+From: Zijian Zhang <zijianzhang@bytedance.com>
+
+[ Upstream commit ee9b352ce4650ffc0d8ca0ac373d7c009c7e561e ]
+
+Function msg_verify_data should have context of bytes_cnt and k instead of
+assuming they are zero. Otherwise, test_sockmap with data integrity test
+will report some errors. I also fix the logic related to size and index j
+
+1/ 6 sockmap::txmsg test passthrough:FAIL
+2/ 6 sockmap::txmsg test redirect:FAIL
+7/12 sockmap::txmsg test apply:FAIL
+10/11 sockmap::txmsg test push_data:FAIL
+11/17 sockmap::txmsg test pull-data:FAIL
+12/ 9 sockmap::txmsg test pop-data:FAIL
+13/ 1 sockmap::txmsg test push/pop data:FAIL
+...
+Pass: 24 Fail: 52
+
+After applying this patch, some of the errors are solved, but for push,
+pull and pop, we may need more fixes to msg_verify_data, added a TODO
+
+10/11 sockmap::txmsg test push_data:FAIL
+11/17 sockmap::txmsg test pull-data:FAIL
+12/ 9 sockmap::txmsg test pop-data:FAIL
+...
+Pass: 37 Fail: 15
+
+Besides, added a custom errno EDATAINTEGRITY for msg_verify_data, we
+shall not ignore the error in txmsg_cork case.
+
+Fixes: 753fb2ee0934 ("bpf: sockmap, add msg_peek tests to test_sockmap")
+Fixes: 16edddfe3c5d ("selftests/bpf: test_sockmap, check test failure")
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Zijian Zhang <zijianzhang@bytedance.com>
+Link: https://lore.kernel.org/r/20241012203731.1248619-2-zijianzhang@bytedance.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_sockmap.c | 30 ++++++++++++++--------
+ 1 file changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/test_sockmap.c b/tools/testing/selftests/bpf/test_sockmap.c
+index 25da05cad8f61..72023e1b894db 100644
+--- a/tools/testing/selftests/bpf/test_sockmap.c
++++ b/tools/testing/selftests/bpf/test_sockmap.c
+@@ -56,6 +56,8 @@ static void running_handler(int a);
+ #define BPF_SOCKHASH_FILENAME "test_sockhash_kern.bpf.o"
+ #define CG_PATH "/sockmap"
+
++#define EDATAINTEGRITY 2001
++
+ /* global sockets */
+ int s1, s2, c1, c2, p1, p2;
+ int test_cnt;
+@@ -509,23 +511,25 @@ static int msg_alloc_iov(struct msghdr *msg,
+ return -ENOMEM;
+ }
+
+-static int msg_verify_data(struct msghdr *msg, int size, int chunk_sz)
++/* TODO: Add verification logic for push, pull and pop data */
++static int msg_verify_data(struct msghdr *msg, int size, int chunk_sz,
++ unsigned char *k_p, int *bytes_cnt_p)
+ {
+- int i, j = 0, bytes_cnt = 0;
+- unsigned char k = 0;
++ int i, j, bytes_cnt = *bytes_cnt_p;
++ unsigned char k = *k_p;
+
+- for (i = 0; i < msg->msg_iovlen; i++) {
++ for (i = 0, j = 0; i < msg->msg_iovlen && size; i++, j = 0) {
+ unsigned char *d = msg->msg_iov[i].iov_base;
+
+ /* Special case test for skb ingress + ktls */
+ if (i == 0 && txmsg_ktls_skb) {
+ if (msg->msg_iov[i].iov_len < 4)
+- return -EIO;
++ return -EDATAINTEGRITY;
+ if (memcmp(d, "PASS", 4) != 0) {
+ fprintf(stderr,
+ "detected skb data error with skb ingress update @iov[%i]:%i \"%02x %02x %02x %02x\" != \"PASS\"\n",
+ i, 0, d[0], d[1], d[2], d[3]);
+- return -EIO;
++ return -EDATAINTEGRITY;
+ }
+ j = 4; /* advance index past PASS header */
+ }
+@@ -535,7 +539,7 @@ static int msg_verify_data(struct msghdr *msg, int size, int chunk_sz)
+ fprintf(stderr,
+ "detected data corruption @iov[%i]:%i %02x != %02x, %02x ?= %02x\n",
+ i, j, d[j], k - 1, d[j+1], k);
+- return -EIO;
++ return -EDATAINTEGRITY;
+ }
+ bytes_cnt++;
+ if (bytes_cnt == chunk_sz) {
+@@ -545,6 +549,8 @@ static int msg_verify_data(struct msghdr *msg, int size, int chunk_sz)
+ size--;
+ }
+ }
++ *k_p = k;
++ *bytes_cnt_p = bytes_cnt;
+ return 0;
+ }
+
+@@ -601,6 +607,8 @@ static int msg_loop(int fd, int iov_count, int iov_length, int cnt,
+ float total_bytes, txmsg_pop_total;
+ int fd_flags = O_NONBLOCK;
+ struct timeval timeout;
++ unsigned char k = 0;
++ int bytes_cnt = 0;
+ fd_set w;
+
+ fcntl(fd, fd_flags);
+@@ -695,7 +703,7 @@ static int msg_loop(int fd, int iov_count, int iov_length, int cnt,
+ iov_length * cnt :
+ iov_length * iov_count;
+
+- errno = msg_verify_data(&msg, recv, chunk_sz);
++ errno = msg_verify_data(&msg, recv, chunk_sz, &k, &bytes_cnt);
+ if (errno) {
+ perror("data verify msg failed");
+ goto out_errno;
+@@ -703,7 +711,9 @@ static int msg_loop(int fd, int iov_count, int iov_length, int cnt,
+ if (recvp) {
+ errno = msg_verify_data(&msg_peek,
+ recvp,
+- chunk_sz);
++ chunk_sz,
++ &k,
++ &bytes_cnt);
+ if (errno) {
+ perror("data verify msg_peek failed");
+ goto out_errno;
+@@ -811,7 +821,7 @@ static int sendmsg_test(struct sockmap_options *opt)
+ s.bytes_sent, sent_Bps, sent_Bps/giga,
+ s.bytes_recvd, recvd_Bps, recvd_Bps/giga,
+ peek_flag ? "(peek_msg)" : "");
+- if (err && txmsg_cork)
++ if (err && err != -EDATAINTEGRITY && txmsg_cork)
+ err = 0;
+ exit(err ? 1 : 0);
+ } else if (rxpid == -1) {
+--
+2.43.0
+
--- /dev/null
+From a143cea53d19031478c7de2562d71dc0f37eb037 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Nov 2024 22:25:14 +0000
+Subject: selftests/bpf: Fix SENDPAGE data logic in test_sockmap
+
+From: Zijian Zhang <zijianzhang@bytedance.com>
+
+[ Upstream commit 4095031463d4e99b534d2cd82035a417295764ae ]
+
+In the SENDPAGE test, "opt->iov_length * cnt" size of data will be sent
+cnt times by sendfile.
+1. In push/pop tests, they will be invoked cnt times, for the simplicity of
+msg_verify_data, change chunk_sz to iov_length
+2. Change iov_length in test_send_large from 1024 to 8192. We have pop test
+where txmsg_start_pop is 4096. 4096 > 1024, an error will be returned.
+
+Fixes: 328aa08a081b ("bpf: Selftests, break down test_sockmap into subtests")
+Signed-off-by: Zijian Zhang <zijianzhang@bytedance.com>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/r/20241106222520.527076-3-zijianzhang@bytedance.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_sockmap.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/test_sockmap.c b/tools/testing/selftests/bpf/test_sockmap.c
+index 102a9bafbe6bc..07edc88fa9cba 100644
+--- a/tools/testing/selftests/bpf/test_sockmap.c
++++ b/tools/testing/selftests/bpf/test_sockmap.c
+@@ -419,16 +419,18 @@ static int msg_loop_sendpage(int fd, int iov_length, int cnt,
+ {
+ bool drop = opt->drop_expected;
+ unsigned char k = 0;
++ int i, j, fp;
+ FILE *file;
+- int i, fp;
+
+ file = tmpfile();
+ if (!file) {
+ perror("create file for sendpage");
+ return 1;
+ }
+- for (i = 0; i < iov_length * cnt; i++, k++)
+- fwrite(&k, sizeof(char), 1, file);
++ for (i = 0; i < cnt; i++, k = 0) {
++ for (j = 0; j < iov_length; j++, k++)
++ fwrite(&k, sizeof(char), 1, file);
++ }
+ fflush(file);
+ fseek(file, 0, SEEK_SET);
+
+@@ -622,7 +624,9 @@ static int msg_loop(int fd, int iov_count, int iov_length, int cnt,
+ * This is really only useful for testing edge cases in code
+ * paths.
+ */
+- total_bytes = (float)iov_count * (float)iov_length * (float)cnt;
++ total_bytes = (float)iov_length * (float)cnt;
++ if (!opt->sendpage)
++ total_bytes *= (float)iov_count;
+ if (txmsg_apply)
+ txmsg_pop_total = txmsg_pop * (total_bytes / txmsg_apply);
+ else
+@@ -700,7 +704,7 @@ static int msg_loop(int fd, int iov_count, int iov_length, int cnt,
+
+ if (data) {
+ int chunk_sz = opt->sendpage ?
+- iov_length * cnt :
++ iov_length :
+ iov_length * iov_count;
+
+ errno = msg_verify_data(&msg, recv, chunk_sz, &k, &bytes_cnt);
+@@ -1469,8 +1473,8 @@ static void test_send_many(struct sockmap_options *opt, int cgrp)
+
+ static void test_send_large(struct sockmap_options *opt, int cgrp)
+ {
+- opt->iov_length = 256;
+- opt->iov_count = 1024;
++ opt->iov_length = 8192;
++ opt->iov_count = 32;
+ opt->rate = 2;
+ test_exec(cgrp, opt);
+ }
+--
+2.43.0
+
--- /dev/null
+From 8e422d73659b95e7e96d46f9edb75d276e2e0638 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Nov 2024 22:25:15 +0000
+Subject: selftests/bpf: Fix total_bytes in msg_loop_rx in test_sockmap
+
+From: Zijian Zhang <zijianzhang@bytedance.com>
+
+[ Upstream commit 523dffccbadea0cfd65f1ff04944b864c558c4a8 ]
+
+total_bytes in msg_loop_rx should also take push into account, otherwise
+total_bytes will be a smaller value, which makes the msg_loop_rx end early.
+
+Besides, total_bytes has already taken pop into account, so we don't need
+to subtract some bytes from iov_buf in sendmsg_test. The additional
+subtraction may make total_bytes a negative number, and msg_loop_rx will
+just end without checking anything.
+
+Fixes: 18d4e900a450 ("bpf: Selftests, improve test_sockmap total bytes counter")
+Fixes: d69672147faa ("selftests, bpf: Add one test for sockmap with strparser")
+Signed-off-by: Zijian Zhang <zijianzhang@bytedance.com>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/r/20241106222520.527076-4-zijianzhang@bytedance.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_sockmap.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/test_sockmap.c b/tools/testing/selftests/bpf/test_sockmap.c
+index 07edc88fa9cba..0d21c6c752dae 100644
+--- a/tools/testing/selftests/bpf/test_sockmap.c
++++ b/tools/testing/selftests/bpf/test_sockmap.c
+@@ -605,8 +605,8 @@ static int msg_loop(int fd, int iov_count, int iov_length, int cnt,
+ }
+ clock_gettime(CLOCK_MONOTONIC, &s->end);
+ } else {
++ float total_bytes, txmsg_pop_total, txmsg_push_total;
+ int slct, recvp = 0, recv, max_fd = fd;
+- float total_bytes, txmsg_pop_total;
+ int fd_flags = O_NONBLOCK;
+ struct timeval timeout;
+ unsigned char k = 0;
+@@ -627,10 +627,14 @@ static int msg_loop(int fd, int iov_count, int iov_length, int cnt,
+ total_bytes = (float)iov_length * (float)cnt;
+ if (!opt->sendpage)
+ total_bytes *= (float)iov_count;
+- if (txmsg_apply)
++ if (txmsg_apply) {
++ txmsg_push_total = txmsg_end_push * (total_bytes / txmsg_apply);
+ txmsg_pop_total = txmsg_pop * (total_bytes / txmsg_apply);
+- else
++ } else {
++ txmsg_push_total = txmsg_end_push * cnt;
+ txmsg_pop_total = txmsg_pop * cnt;
++ }
++ total_bytes += txmsg_push_total;
+ total_bytes -= txmsg_pop_total;
+ err = clock_gettime(CLOCK_MONOTONIC, &s->start);
+ if (err < 0)
+@@ -799,8 +803,6 @@ static int sendmsg_test(struct sockmap_options *opt)
+
+ rxpid = fork();
+ if (rxpid == 0) {
+- if (txmsg_pop || txmsg_start_pop)
+- iov_buf -= (txmsg_pop - txmsg_start_pop + 1);
+ if (opt->drop_expected || txmsg_ktls_skb_drop)
+ _exit(0);
+
+--
+2.43.0
+
--- /dev/null
+From 74969423c387528fab78ef8a36e17fcea9df0d94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Oct 2024 20:37:31 +0000
+Subject: selftests/bpf: Fix txmsg_redir of test_txmsg_pull in test_sockmap
+
+From: Zijian Zhang <zijianzhang@bytedance.com>
+
+[ Upstream commit b29e231d66303c12b7b8ac3ac2a057df06b161e8 ]
+
+txmsg_redir in "Test pull + redirect" case of test_txmsg_pull should be
+1 instead of 0.
+
+Fixes: 328aa08a081b ("bpf: Selftests, break down test_sockmap into subtests")
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Zijian Zhang <zijianzhang@bytedance.com>
+Link: https://lore.kernel.org/r/20241012203731.1248619-3-zijianzhang@bytedance.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_sockmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/test_sockmap.c b/tools/testing/selftests/bpf/test_sockmap.c
+index 72023e1b894db..1954c2aeb7a9c 100644
+--- a/tools/testing/selftests/bpf/test_sockmap.c
++++ b/tools/testing/selftests/bpf/test_sockmap.c
+@@ -1609,7 +1609,7 @@ static void test_txmsg_pull(int cgrp, struct sockmap_options *opt)
+ test_send_large(opt, cgrp);
+
+ /* Test pull + redirect */
+- txmsg_redir = 0;
++ txmsg_redir = 1;
+ txmsg_start = 1;
+ txmsg_end = 2;
+ test_send(opt, cgrp);
+--
+2.43.0
+
--- /dev/null
+From ea5af68aa289babbf70d39afd1d7699fe8a24dfe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Nov 2024 00:41:14 +1100
+Subject: selftests/mount_setattr: Fix failures on 64K PAGE_SIZE kernels
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit f13242a46438e690067a4bf47068fde4d5719947 ]
+
+Currently the mount_setattr_test fails on machines with a 64K PAGE_SIZE,
+with errors such as:
+
+ # RUN mount_setattr_idmapped.invalid_fd_negative ...
+ mkfs.ext4: No space left on device while writing out and closing file system
+ # mount_setattr_test.c:1055:invalid_fd_negative:Expected system("mkfs.ext4 -q /mnt/C/ext4.img") (256) == 0 (0)
+ # invalid_fd_negative: Test terminated by assertion
+ # FAIL mount_setattr_idmapped.invalid_fd_negative
+ not ok 12 mount_setattr_idmapped.invalid_fd_negative
+
+The code creates a 100,000 byte tmpfs:
+
+ ASSERT_EQ(mount("testing", "/mnt", "tmpfs", MS_NOATIME | MS_NODEV,
+ "size=100000,mode=700"), 0);
+
+And then a little later creates a 2MB ext4 filesystem in that tmpfs:
+
+ ASSERT_EQ(ftruncate(img_fd, 1024 * 2048), 0);
+ ASSERT_EQ(system("mkfs.ext4 -q /mnt/C/ext4.img"), 0);
+
+At first glance it seems like that should never work, after all 2MB is
+larger than 100,000 bytes. However the filesystem image doesn't actually
+occupy 2MB on "disk" (actually RAM, due to tmpfs). On 4K kernels the
+ext4.img uses ~84KB of actual space (according to du), which just fits.
+
+However on 64K PAGE_SIZE kernels the ext4.img takes at least 256KB,
+which is too large to fit in the tmpfs, hence the errors.
+
+It seems fraught to rely on the ext4.img taking less space on disk than
+the allocated size, so instead create the tmpfs with a size of 2MB. With
+that all 21 tests pass on 64K PAGE_SIZE kernels.
+
+Fixes: 01eadc8dd96d ("tests: add mount_setattr() selftests")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20241115134114.1219555-1-mpe@ellerman.id.au
+Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/mount_setattr/mount_setattr_test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/mount_setattr/mount_setattr_test.c b/tools/testing/selftests/mount_setattr/mount_setattr_test.c
+index c6a8c732b8021..304e6422a1f1c 100644
+--- a/tools/testing/selftests/mount_setattr/mount_setattr_test.c
++++ b/tools/testing/selftests/mount_setattr/mount_setattr_test.c
+@@ -1026,7 +1026,7 @@ FIXTURE_SETUP(mount_setattr_idmapped)
+ "size=100000,mode=700"), 0);
+
+ ASSERT_EQ(mount("testing", "/mnt", "tmpfs", MS_NOATIME | MS_NODEV,
+- "size=100000,mode=700"), 0);
++ "size=2m,mode=700"), 0);
+
+ ASSERT_EQ(mkdir("/mnt/A", 0777), 0);
+
+--
+2.43.0
+
--- /dev/null
+From 63f0e0c28f19430b4b9f6d35776609f92ddab23c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Nov 2024 19:23:51 +0100
+Subject: selftests: net: really check for bg process completion
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 52ed077aa6336dbef83a2d6d21c52d1706fb7f16 ]
+
+A recent refactor transformed the check for process completion
+in a true statement, due to a typo.
+
+As a result, the relevant test-case is unable to catch the
+regression it was supposed to detect.
+
+Restore the correct condition.
+
+Fixes: 691bb4e49c98 ("selftests: net: avoid just another constant wait")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://patch.msgid.link/0e6f213811f8e93a235307e683af8225cc6277ae.1730828007.git.pabeni@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/pmtu.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/pmtu.sh b/tools/testing/selftests/net/pmtu.sh
+index 00ab4c6e40446..dbfa56173d291 100755
+--- a/tools/testing/selftests/net/pmtu.sh
++++ b/tools/testing/selftests/net/pmtu.sh
+@@ -1932,7 +1932,7 @@ check_running() {
+ pid=${1}
+ cmd=${2}
+
+- [ "$(cat /proc/${pid}/cmdline 2>/dev/null | tr -d '\0')" = "{cmd}" ]
++ [ "$(cat /proc/${pid}/cmdline 2>/dev/null | tr -d '\0')" = "${cmd}" ]
+ }
+
+ test_cleanup_vxlanX_exception() {
+--
+2.43.0
+
--- /dev/null
+From c77fb7cfc8dde3f9098f2b430e60a30069a3e8c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2024 14:18:41 -0700
+Subject: selftests/resctrl: Protect against array overrun during iMC config
+ parsing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Reinette Chatre <reinette.chatre@intel.com>
+
+[ Upstream commit 48ed4e799e8fbebae838dca404a8527763d41191 ]
+
+The MBM and MBA tests need to discover the event and umask with which to
+configure the performance event used to measure read memory bandwidth.
+This is done by parsing the
+/sys/bus/event_source/devices/uncore_imc_<imc instance>/events/cas_count_read
+file for each iMC instance that contains the formatted
+output: "event=<event>,umask=<umask>"
+
+Parsing of cas_count_read contents is done by initializing an array of
+MAX_TOKENS elements with tokens (deliminated by "=,") from this file.
+Remove the unnecessary append of a delimiter to the string needing to be
+parsed. Per the strtok() man page: "delimiter bytes at the start or end of
+the string are ignored". This has no impact on the token placement within
+the array.
+
+After initialization, the actual event and umask is determined by
+parsing the tokens directly following the "event" and "umask" tokens
+respectively.
+
+Iterating through the array up to index "i < MAX_TOKENS" but then
+accessing index "i + 1" risks array overrun during the final iteration.
+Avoid array overrun by ensuring that the index used within for
+loop will always be valid.
+
+Fixes: 1d3f08687d76 ("selftests/resctrl: Read memory bandwidth from perf IMC counter and from resctrl file system")
+Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/resctrl/resctrl_val.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/resctrl/resctrl_val.c b/tools/testing/selftests/resctrl/resctrl_val.c
+index 00864242d76c6..d2ee8ac8dd8e8 100644
+--- a/tools/testing/selftests/resctrl/resctrl_val.c
++++ b/tools/testing/selftests/resctrl/resctrl_val.c
+@@ -102,13 +102,12 @@ void get_event_and_umask(char *cas_count_cfg, int count, bool op)
+ char *token[MAX_TOKENS];
+ int i = 0;
+
+- strcat(cas_count_cfg, ",");
+ token[0] = strtok(cas_count_cfg, "=,");
+
+ for (i = 1; i < MAX_TOKENS; i++)
+ token[i] = strtok(NULL, "=,");
+
+- for (i = 0; i < MAX_TOKENS; i++) {
++ for (i = 0; i < MAX_TOKENS - 1; i++) {
+ if (!token[i])
+ break;
+ if (strcmp(token[i], "event") == 0) {
+--
+2.43.0
+
--- /dev/null
+From 75baf6712a0cde00c58c457d22c47011c6c0a240 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 May 2023 12:20:59 +0200
+Subject: seqlock/latch: Provide raw_read_seqcount_latch_retry()
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit d16317de9b412aa7bd3598c607112298e36b4352 ]
+
+The read side of seqcount_latch consists of:
+
+ do {
+ seq = raw_read_seqcount_latch(&latch->seq);
+ ...
+ } while (read_seqcount_latch_retry(&latch->seq, seq));
+
+which is asymmetric in the raw_ department, and sure enough,
+read_seqcount_latch_retry() includes (explicit) instrumentation where
+raw_read_seqcount_latch() does not.
+
+This inconsistency becomes a problem when trying to use it from
+noinstr code. As such, fix it by renaming and re-implementing
+raw_read_seqcount_latch_retry() without the instrumentation.
+
+Specifically the instrumentation in question is kcsan_atomic_next(0)
+in do___read_seqcount_retry(). Loosing this annotation is not a
+problem because raw_read_seqcount_latch() does not pass through
+kcsan_atomic_next(KCSAN_SEQLOCK_REGION_MAX).
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Tested-by: Michael Kelley <mikelley@microsoft.com> # Hyper-V
+Link: https://lore.kernel.org/r/20230519102715.233598176@infradead.org
+Stable-dep-of: 5c1806c41ce0 ("kcsan, seqlock: Support seqcount_latch_t")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/rbtree_latch.h | 2 +-
+ include/linux/seqlock.h | 15 ++++++++-------
+ kernel/printk/printk.c | 2 +-
+ kernel/time/sched_clock.c | 2 +-
+ kernel/time/timekeeping.c | 4 ++--
+ 5 files changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/include/linux/rbtree_latch.h b/include/linux/rbtree_latch.h
+index 3d1a9e716b803..6a0999c26c7cf 100644
+--- a/include/linux/rbtree_latch.h
++++ b/include/linux/rbtree_latch.h
+@@ -206,7 +206,7 @@ latch_tree_find(void *key, struct latch_tree_root *root,
+ do {
+ seq = raw_read_seqcount_latch(&root->seq);
+ node = __lt_find(key, root, seq & 1, ops->comp);
+- } while (read_seqcount_latch_retry(&root->seq, seq));
++ } while (raw_read_seqcount_latch_retry(&root->seq, seq));
+
+ return node;
+ }
+diff --git a/include/linux/seqlock.h b/include/linux/seqlock.h
+index d778af83c8f36..e9bd2f65d7f4e 100644
+--- a/include/linux/seqlock.h
++++ b/include/linux/seqlock.h
+@@ -671,9 +671,9 @@ typedef struct {
+ *
+ * Return: sequence counter raw value. Use the lowest bit as an index for
+ * picking which data copy to read. The full counter must then be checked
+- * with read_seqcount_latch_retry().
++ * with raw_read_seqcount_latch_retry().
+ */
+-static inline unsigned raw_read_seqcount_latch(const seqcount_latch_t *s)
++static __always_inline unsigned raw_read_seqcount_latch(const seqcount_latch_t *s)
+ {
+ /*
+ * Pairs with the first smp_wmb() in raw_write_seqcount_latch().
+@@ -683,16 +683,17 @@ static inline unsigned raw_read_seqcount_latch(const seqcount_latch_t *s)
+ }
+
+ /**
+- * read_seqcount_latch_retry() - end a seqcount_latch_t read section
++ * raw_read_seqcount_latch_retry() - end a seqcount_latch_t read section
+ * @s: Pointer to seqcount_latch_t
+ * @start: count, from raw_read_seqcount_latch()
+ *
+ * Return: true if a read section retry is required, else false
+ */
+-static inline int
+-read_seqcount_latch_retry(const seqcount_latch_t *s, unsigned start)
++static __always_inline int
++raw_read_seqcount_latch_retry(const seqcount_latch_t *s, unsigned start)
+ {
+- return read_seqcount_retry(&s->seqcount, start);
++ smp_rmb();
++ return unlikely(READ_ONCE(s->seqcount.sequence) != start);
+ }
+
+ /**
+@@ -752,7 +753,7 @@ read_seqcount_latch_retry(const seqcount_latch_t *s, unsigned start)
+ * entry = data_query(latch->data[idx], ...);
+ *
+ * // This includes needed smp_rmb()
+- * } while (read_seqcount_latch_retry(&latch->seq, seq));
++ * } while (raw_read_seqcount_latch_retry(&latch->seq, seq));
+ *
+ * return entry;
+ * }
+diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
+index 0ae06d5046bb0..5a88134fba79f 100644
+--- a/kernel/printk/printk.c
++++ b/kernel/printk/printk.c
+@@ -457,7 +457,7 @@ static u64 latched_seq_read_nolock(struct latched_seq *ls)
+ seq = raw_read_seqcount_latch(&ls->latch);
+ idx = seq & 0x1;
+ val = ls->val[idx];
+- } while (read_seqcount_latch_retry(&ls->latch, seq));
++ } while (raw_read_seqcount_latch_retry(&ls->latch, seq));
+
+ return val;
+ }
+diff --git a/kernel/time/sched_clock.c b/kernel/time/sched_clock.c
+index 8464c5acc9133..e8f2fb09a214d 100644
+--- a/kernel/time/sched_clock.c
++++ b/kernel/time/sched_clock.c
+@@ -77,7 +77,7 @@ notrace struct clock_read_data *sched_clock_read_begin(unsigned int *seq)
+
+ notrace int sched_clock_read_retry(unsigned int seq)
+ {
+- return read_seqcount_latch_retry(&cd.seq, seq);
++ return raw_read_seqcount_latch_retry(&cd.seq, seq);
+ }
+
+ unsigned long long notrace sched_clock(void)
+diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
+index 8ac43afc11f96..dd294e96193be 100644
+--- a/kernel/time/timekeeping.c
++++ b/kernel/time/timekeeping.c
+@@ -450,7 +450,7 @@ static __always_inline u64 __ktime_get_fast_ns(struct tk_fast *tkf)
+ tkr = tkf->base + (seq & 0x01);
+ now = ktime_to_ns(tkr->base);
+ now += fast_tk_get_delta_ns(tkr);
+- } while (read_seqcount_latch_retry(&tkf->seq, seq));
++ } while (raw_read_seqcount_latch_retry(&tkf->seq, seq));
+
+ return now;
+ }
+@@ -566,7 +566,7 @@ static __always_inline u64 __ktime_get_real_fast(struct tk_fast *tkf, u64 *mono)
+ basem = ktime_to_ns(tkr->base);
+ baser = ktime_to_ns(tkr->base_real);
+ delta = fast_tk_get_delta_ns(tkr);
+- } while (read_seqcount_latch_retry(&tkf->seq, seq));
++ } while (raw_read_seqcount_latch_retry(&tkf->seq, seq));
+
+ if (mono)
+ *mono = basem + delta;
+--
+2.43.0
+
wifi-rtw89-avoid-to-add-interface-to-list-twice-when.patch
drm-amd-display-initialize-denominators-default-to-1.patch
fs-inode-prevent-dump_mapping-accessing-invalid-dent.patch
+x86-barrier-do-not-serialize-msr-accesses-on-amd.patch
+kselftest-arm64-mte-fix-printf-type-warnings-about-_.patch
+kselftest-arm64-mte-fix-printf-type-warnings-about-l.patch
+s390-cio-do-not-unregister-the-subchannel-based-on-d.patch
+x86-pvh-set-phys_base-when-calling-xen_prepare_pvh.patch
+x86-pvh-call-c-code-via-the-kernel-virtual-mapping.patch
+brd-defer-automatic-disk-creation-until-module-initi.patch
+ext4-make-abort-mount-option-handling-standard.patch
+ext4-avoid-remount-errors-with-abort-mount-option.patch
+mips-asm-fix-warning-when-disabling-mips_fp_support.patch
+initramfs-avoid-filename-buffer-overrun.patch
+nvme-pci-fix-freeing-of-the-hmb-descriptor-table.patch
+m68k-mvme147-fix-scsi-controller-irq-numbers.patch
+m68k-mvme16x-add-and-use-mvme16x.h.patch
+m68k-mvme147-reinstate-early-console.patch
+arm64-fix-.data.rel.ro-size-assertion-when-config_lt.patch
+acpi-arm64-adjust-error-handling-procedure-in-gtdt_p.patch
+cachefiles-fix-missing-pos-updates-in-cachefiles_ond.patch
+netfs-fscache-add-a-memory-barrier-for-fscache_volum.patch
+block-fix-bio_split_rw_at-to-take-zone_write_granula.patch
+s390-syscalls-avoid-creation-of-arch-arch-directory.patch
+hfsplus-don-t-query-the-device-logical-block-size-mu.patch
+nvme-pci-reverse-request-order-in-nvme_queue_rqs.patch
+virtio_blk-reverse-request-order-in-virtio_queue_rqs.patch
+crypto-caam-fix-the-pointer-passed-to-caam_qi_shutdo.patch
+firmware-google-unregister-driver_info-on-failure.patch
+edac-bluefield-fix-potential-integer-overflow.patch
+crypto-qat-remove-faulty-arbiter-config-reset.patch
+thermal-core-initialize-thermal-zones-before-registe.patch
+edac-fsl_ddr-fix-bad-bit-shift-operations.patch
+crypto-pcrypt-call-crypto-layer-directly-when-padata.patch
+crypto-cavium-fix-the-if-condition-to-exit-loop-afte.patch
+crypto-hisilicon-qm-disable-same-error-report-before.patch
+edac-igen6-avoid-segmentation-fault-on-module-unload.patch
+crypto-inside-secure-fix-the-return-value-of-safexce.patch
+doc-rcu-update-printed-dynticks-counter-bits.patch
+hwmon-nct6775-core-fix-overflows-seen-when-writing-l.patch
+acpi-cppc-fix-_cpc-register-setting-issue.patch
+crypto-caam-add-error-check-to-caam_rsa_set_priv_key.patch
+crypto-bcm-add-error-check-in-the-ahash_hmac_init-fu.patch
+crypto-cavium-fix-an-error-handling-path-in-cpt_ucod.patch
+tools-lib-thermal-make-more-generic-the-command-enco.patch
+thermal-lib-fix-memory-leak-on-error-in-thermal_genl.patch
+time-fix-references-to-_msecs_to_jiffies-handling-of.patch
+seqlock-latch-provide-raw_read_seqcount_latch_retry.patch
+kcsan-seqlock-support-seqcount_latch_t.patch
+kcsan-seqlock-fix-incorrect-assumption-in-read_seqbe.patch
+clocksource-drivers-sp804-make-user-selectable.patch
+clocksource-drivers-timer-ti-dm-fix-child-node-refco.patch
+spi-spi-fsl-lpspi-downgrade-log-level-for-pio-mode.patch
+spi-spi-fsl-lpspi-use-irqf_no_autoen-flag-in-request.patch
+drivers-soc-xilinx-add-the-missing-kfree-in-xlnx_add.patch
+microblaze-export-xmb_manager-functions.patch
+arm64-dts-mt8195-fix-dtbs_check-error-for-infracfg_a.patch
+soc-ti-smartreflex-use-irqf_no_autoen-flag-in-reques.patch
+soc-qcom-geni-se-fix-array-underflow-in-geni_se_clk_.patch
+mmc-mmc_spi-drop-buggy-snprintf.patch
+tpm-fix-signed-unsigned-bug-when-checking-event-logs.patch
+arm64-dts-mt8183-krane-fix-the-address-of-eeprom-at-.patch
+arm64-dts-mt8183-kukui-fix-the-address-of-eeprom-at-.patch
+arm64-dts-mediatek-mt8173-elm-hana-add-vdd-supply-to.patch
+revert-cgroup-fix-memory-leak-caused-by-missing-cgro.patch
+cgroup-bpf-only-cgroup-v2-can-be-attached-by-bpf-pro.patch
+arm64-dts-mt8183-fennel-add-i2c2-s-i2c-scl-internal-.patch
+arm64-dts-mt8183-burnet-add-i2c2-s-i2c-scl-internal-.patch
+arm64-dts-mt8183-cozmo-add-i2c2-s-i2c-scl-internal-d.patch
+arm64-dts-mt8183-damu-add-i2c2-s-i2c-scl-internal-de.patch
+pwm-imx27-workaround-of-the-pwm-output-bug-when-decr.patch
+arm-dts-cubieboard4-fix-dcdc5-regulator-constraints.patch
+pmdomain-ti-sci-add-missing-of_node_put-for-args.np.patch
+spi-tegra210-quad-avoid-shift-out-of-bounds.patch
+spi-zynqmp-gqspi-undo-runtime-pm-changes-at-driver-e.patch
+regmap-irq-set-lockdep-class-for-hierarchical-irq-do.patch
+arm64-dts-mt8183-jacuzzi-move-panel-under-aux-bus.patch
+arm64-dts-mediatek-mt8183-kukui-jacuzzi-fix-dp-bridg.patch
+arm64-dts-mediatek-mt8183-kukui-jacuzzi-add-supplies.patch
+selftests-resctrl-protect-against-array-overrun-duri.patch
+firmware-arm_scpi-check-the-dvfs-opp-count-returned-.patch
+venus-venc-add-handling-for-vidioc_encoder_cmd.patch
+media-venus-provide-ctx-queue-lock-for-ioctl-synchro.patch
+media-venus-fix-enc-dec-destruction-order.patch
+media-venus-sync-with-threaded-irq-during-inst-destr.patch
+media-atomisp-add-check-for-rgby_data-memory-allocat.patch
+platform-x86-panasonic-laptop-return-errno-correctly.patch
+drm-mm-mark-drm_mm_interval_tree-functions-with-__ma.patch
+drm-vc4-hvs-don-t-write-gamma-luts-on-2711.patch
+drm-vc4-hdmi-avoid-hang-with-debug-registers-when-su.patch
+drm-vc4-hvs-fix-dlist-debug-not-resetting-the-next-e.patch
+drm-vc4-hvs-remove-incorrect-limit-from-hvs_dlist-de.patch
+drm-vc4-hvs-correct-logic-on-stopping-an-hvs-channel.patch
+wifi-ath9k-add-range-check-for-conn_rsp_epid-in-htc_.patch
+drm-omap-fix-possible-null-dereference.patch
+drm-omap-fix-locking-in-omap_gem_new_dmabuf.patch
+wifi-p54-use-irqf_no_autoen-flag-in-request_irq.patch
+wifi-mwifiex-use-irqf_no_autoen-flag-in-request_irq.patch
+drm-imx-dcss-use-irqf_no_autoen-flag-in-request_irq.patch
+drm-imx-ipuv3-use-irqf_no_autoen-flag-in-request_irq.patch
+drm-v3d-address-race-condition-in-mmu-flush.patch
+wifi-ath10k-fix-invalid-vht-parameters-in-supported_.patch
+wifi-ath10k-fix-invalid-vht-parameters-in-supported_.patch-23756
+dt-bindings-vendor-prefixes-add-neofidelity-inc.patch
+asoc-fsl_micfil-fix-regmap_write_bits-usage.patch
+asoc-dt-bindings-mt6359-update-generic-node-name-and.patch
+drm-bridge-anx7625-drop-edid-cache-on-bridge-power-o.patch
+libbpf-fix-output-.symtab-byte-order-during-linking.patch
+bpf-fix-the-xdp_adjust_tail-sample-prog-issue.patch
+selftests-bpf-add-csum-helpers.patch
+selftests-bpf-fix-backtrace-printing-for-selftests-c.patch
+selftests-bpf-add-missing-header-include-for-htons.patch
+libbpf-fix-sym_is_subprog-logic-for-weak-global-subp.patch
+libbpf-never-interpret-subprogs-in-.text-as-entry-pr.patch
+netdevsim-copy-addresses-for-both-in-and-out-paths.patch
+drm-bridge-tc358767-fix-link-properties-discovery.patch
+selftests-bpf-fix-msg_verify_data-in-test_sockmap.patch
+selftests-bpf-fix-txmsg_redir-of-test_txmsg_pull-in-.patch
+wifi-mwifiex-fix-memcpy-field-spanning-write-warning.patch
+drm-fsl-dcu-enable-pixclk-on-ls1021a.patch
+octeontx2-pf-handle-otx2_mbox_get_rsp-errors-in-otx2.patch
+octeontx2-pf-handle-otx2_mbox_get_rsp-errors-in-otx2.patch-16434
+octeontx2-pf-handle-otx2_mbox_get_rsp-errors-in-otx2.patch-29601
+octeontx2-pf-handle-otx2_mbox_get_rsp-errors-in-cn10.patch
+octeontx2-pf-handle-otx2_mbox_get_rsp-errors-in-otx2.patch-32595
+octeontx2-pf-handle-otx2_mbox_get_rsp-errors-in-otx2.patch-5884
+drm-panfrost-remove-unused-id_mask-from-struct-panfr.patch
+bpf-arm64-remove-garbage-frame-for-struct_ops-trampo.patch
+drm-msm-adreno-use-irqf_no_autoen-flag-in-request_ir.patch
+drm-msm-gpu-add-devfreq-tuning-debugfs.patch
+drm-msm-gpu-bypass-pm-qos-constraint-for-idle-clamp.patch
+drm-msm-gpu-check-the-status-of-registration-to-pm-q.patch
+drm-etnaviv-request-pages-from-dma32-zone-on-address.patch
+drm-etnaviv-fix-power-register-offset-on-gc300.patch
+drm-etnaviv-hold-gpu-lock-across-perfmon-sampling.patch
+wifi-wfx-fix-error-handling-in-wfx_core_init.patch
+drm-msm-dpu-cast-crtc_clk-calculation-to-u64-in-_dpu.patch
+netfilter-nf_tables-skip-transaction-if-update-objec.patch
+netfilter-nf_tables-must-hold-rcu-read-lock-while-it.patch
+netlink-typographical-error-in-nlmsg_type-constants-.patch
+selftests-bpf-add-txmsg_pass-to-pull-push-pop-in-tes.patch
+selftests-bpf-fix-sendpage-data-logic-in-test_sockma.patch
+selftests-bpf-fix-total_bytes-in-msg_loop_rx-in-test.patch
+selftests-bpf-add-push-pop-checking-for-msg_verify_d.patch
+bpf-sockmap-several-fixes-to-bpf_msg_push_data.patch
+bpf-sockmap-several-fixes-to-bpf_msg_pop_data.patch
+bpf-sockmap-fix-sk_msg_reset_curr.patch
+sock_diag-add-module-pointer-to-struct-sock_diag_han.patch
+sock_diag-allow-concurrent-operations.patch
+sock_diag-allow-concurrent-operation-in-sock_diag_rc.patch
+net-use-unrcu_pointer-helper.patch
+ipv6-release-nexthop-on-device-removal.patch
+selftests-net-really-check-for-bg-process-completion.patch
+drm-amdkfd-fix-wrong-usage-of-init_work.patch
+net-rfkill-gpio-add-check-for-clk_enable.patch
+alsa-usx2y-use-snd_card_free_when_closed-at-disconne.patch
+alsa-us122l-use-snd_card_free_when_closed-at-disconn.patch
+alsa-caiaq-use-snd_card_free_when_closed-at-disconne.patch
+alsa-6fire-release-resources-at-card-release.patch
+bluetooth-fix-use-after-free-in-device_for_each_chil.patch
+netpoll-use-rcu_access_pointer-in-netpoll_poll_lock.patch
+wireguard-selftests-load-nf_conntrack-if-not-present.patch
+bpf-fix-recursive-lock-when-verdict-program-return-s.patch
+unicode-fix-utf8_load-error-path.patch
+trace-trace_event_perf-remove-duplicate-samples-on-t.patch
+pinctrl-zynqmp-drop-excess-struct-member-description.patch
+powerpc-vdso-flag-vdso64-entry-points-as-functions.patch
+mfd-tps65010-use-irqf_no_autoen-flag-in-request_irq-.patch
+mfd-da9052-spi-change-read-mask-to-write-mask.patch
+mfd-intel_soc_pmic_bxtwc-use-irq-domain-for-usb-type.patch
+mfd-intel_soc_pmic_bxtwc-use-irq-domain-for-tmu-devi.patch
+mfd-intel_soc_pmic_bxtwc-use-irq-domain-for-pmic-dev.patch
+cpufreq-loongson2-unregister-platform_driver-on-fail.patch
+powerpc-fadump-refactor-and-prepare-fadump_cma_init-.patch
+powerpc-fadump-move-fadump_cma_init-to-setup_arch-af.patch
+memory-renesas-rpc-if-improve-runtime-pm-handling.patch
+memory-renesas-rpc-if-pass-device-instead-of-rpcif-t.patch
+memory-renesas-rpc-if-remove-runtime-pm-wrappers.patch
+mtd-hyperbus-rpc-if-convert-to-platform-remove-callb.patch
+mtd-hyperbus-rpc-if-add-missing-module_device_table.patch
+mtd-rawnand-atmel-fix-possible-memory-leak.patch
+powerpc-mm-fault-fix-kfence-page-fault-reporting.patch
+powerpc-pseries-fix-dtl_access_lock-to-be-a-rw_semap.patch
+cpufreq-cppc-fix-possible-null-ptr-deref-for-cpufreq.patch
+cpufreq-cppc-fix-possible-null-ptr-deref-for-cppc_ge.patch
+rdma-hns-fix-an-aeqe-overflow-error-caused-by-untime.patch
+rdma-hns-add-clear_hem-return-value-to-log.patch
+rdma-hns-use-dev_-printings-in-hem-code-instead-of-i.patch
+rdma-hns-remove-unnecessary-qp-type-checks.patch
+rdma-hns-fix-cpu-stuck-caused-by-printings-during-re.patch
+rdma-bnxt_re-check-cqe-flags-to-know-imm_data-vs-inv.patch
+clk-sunxi-ng-d1-fix-pll_audio0-preset.patch
+clk-renesas-rzg2l-fix-foutpostdiv-clk.patch
+clk-imx-lpcg-scu-sw-workaround-for-errata-e10858.patch
+clk-imx-fracn-gppll-correct-pll-initialization-flow.patch
+clk-imx-fracn-gppll-fix-pll-power-up.patch
+clk-imx-clk-scu-fix-clk-enable-state-save-and-restor.patch
+iommu-vt-d-fix-checks-and-print-in-dmar_fault_dump_p.patch
+iommu-vt-d-fix-checks-and-print-in-pgtable_walk.patch
+checkpatch-warn-when-reported-by-is-not-followed-by-.patch
+checkpatch-check-for-missing-fixes-tags.patch
+checkpatch-always-parse-orig_commit-in-fixes-tag.patch
+mfd-rt5033-fix-missing-regmap_del_irq_chip.patch
+fs-proc-kcore.c-fix-coccinelle-reported-error-instan.patch
+scsi-bfa-fix-use-after-free-in-bfad_im_module_exit.patch
+scsi-fusion-remove-unused-variable-rc.patch
+scsi-qedf-fix-a-possible-memory-leak-in-qedf_alloc_a.patch
+scsi-qedi-fix-a-possible-memory-leak-in-qedi_alloc_a.patch
+rdma-hns-fix-out-of-order-issue-of-requester-when-se.patch
+rdma-hns-fix-null-pointer-derefernce-in-hns_roce_map.patch
+cpufreq-cppc-fix-wrong-return-value-in-cppc_get_cpu_.patch
+cpufreq-cppc-fix-wrong-return-value-in-cppc_get_cpu_.patch-30306
+ocfs2-fix-uninitialized-value-in-ocfs2_file_read_ite.patch
+dax-delete-a-stale-directory-pmem.patch
+kvm-ppc-book3s-hv-stop-using-vc-dpdes-for-nested-kvm.patch
+kvm-ppc-book3s-hv-avoid-returning-to-nested-hypervis.patch
+powerpc-sstep-make-emulate_vsx_load-and-emulate_vsx_.patch
+powerpc-kexec-fix-return-of-uninitialized-variable.patch
+fbdev-sh7760fb-alloc-dma-memory-from-hardware-device.patch
+fbdev-sh7760fb-fix-a-possible-memory-leak-in-sh7760f.patch
+clk-clk-apple-nco-add-null-check-in-applnco_probe.patch
+dt-bindings-clock-axi-clkgen-include-axi-clk.patch
+clk-clk-axi-clkgen-make-sure-to-enable-the-axi-bus-c.patch
+pinctrl-k210-undef-k210_pc_default.patch
+smb-cached-directories-can-be-more-than-root-file-ha.patch
+mailbox-arm_mhuv2-clean-up-loop-in-get_irq_chan_comb.patch
+perf-cs-etm-don-t-flush-when-packet_queue-fills-up.patch
+pci-fix-reset_method_store-memory-leak.patch
+perf-stat-close-cork_fd-when-create_perf_stat_counte.patch
+perf-stat-fix-affinity-memory-leaks-on-error-path.patch
+f2fs-compress-fix-inconsistent-update-of-i_blocks-in.patch
+f2fs-fix-to-account-dirty-data-in-__get_secs_require.patch
+perf-probe-fix-libdw-memory-leak.patch
+perf-probe-correct-demangled-symbols-in-c-program.patch
+pci-cpqphp-use-pci_possible_error-to-check-config-re.patch
+pci-cpqphp-fix-pcibios_-return-value-confusion.patch
+perf-ftrace-latency-fix-unit-on-histogram-first-entr.patch
+f2fs-fix-the-wrong-f2fs_bug_on-condition-in-f2fs_do_.patch
+f2fs-remove-struct-segment_allocation-default_salloc.patch
+f2fs-open-code-allocate_segment_by_default.patch
+f2fs-remove-the-unused-flush-argument-to-change_curs.patch
+f2fs-check-curseg-inited-before-write_sum_page-in-ch.patch
+f2fs-fix-to-avoid-use-gc_at-when-setting-gc_mode-as-.patch
+f2fs-fix-to-avoid-forcing-direct-write-to-use-buffer.patch
+perf-trace-avoid-garbage-when-not-printing-a-trace-e.patch
+m68k-mcfgpio-fix-incorrect-register-offset-for-confi.patch
+m68k-coldfire-device.c-only-build-fec-when-hw-macros.patch
+svcrdma-address-an-integer-overflow.patch
+perf-trace-do-not-lose-last-events-in-a-race.patch
+perf-trace-avoid-garbage-when-not-printing-a-syscall.patch
+remoteproc-qcom-q6v5-use-_clk_get_optional-for-aggre.patch
+remoteproc-qcom-pas-add-minidump_id-to-sm8350-resour.patch
+rpmsg-glink-fix-glink-command-prefix.patch
+rpmsg-glink-use-only-lower-16-bits-of-param2-for-cmd.patch
+remoteproc-qcom_q6v5_mss-re-order-writes-to-the-imem.patch
+nfsd-prevent-null-dereference-in-nfsd4_process_cb_up.patch
+nfsd-cap-the-number-of-bytes-copied-by-nfs4_reset_re.patch
+sunrpc-simplify-two-level-sysctl-registration-for-sv.patch
+svcrdma-fix-miss-destroy-percpu_counter-in-svc_rdma_.patch
+nfsd-fix-nfsd4_shutdown_copy.patch
+hwmon-tps23861-fix-reporting-of-negative-temperature.patch
+vdpa-mlx5-fix-suboptimal-range-on-iotlb-iteration.patch
+selftests-mount_setattr-fix-failures-on-64k-page_siz.patch
+vfio-pci-properly-hide-first-in-list-pcie-extended-c.patch
+fs_parser-update-mount_api-doc-to-match-function-sig.patch
+loongarch-tweak-cflags-for-clang-compatibility.patch
+loongarch-fix-build-failure-with-gcc-15-std-gnu23.patch
+loongarch-bpf-sign-extend-return-values.patch
+power-supply-core-remove-might_sleep-from-power_supp.patch
+power-supply-bq27xxx-fix-registers-of-bq27426.patch
+net-usb-lan78xx-fix-double-free-issue-with-interrupt.patch
+net-usb-lan78xx-fix-memory-leak-on-device-unplug-by-.patch
+tg3-set-coherent-dma-mask-bits-to-31-for-bcm57766-ch.patch
+net-usb-lan78xx-fix-refcounting-and-autosuspend-on-i.patch
+s390-iucv-msg_peek-causes-memory-leak-in-iucv_sock_d.patch
+net-ipv6-delete-temporary-address-if-mngtmpaddr-is-r.patch
+net-mdio-ipq4019-add-missing-error-check.patch
+marvell-pxa168_eth-fix-call-balance-of-pep-clk-handl.patch
+net-stmmac-dwmac-socfpga-set-rx-watchdog-interrupt-a.patch
+octeontx2-af-rpm-fix-mismatch-in-lmac-type.patch
+spi-atmel-quadspi-fix-register-name-in-verbose-loggi.patch
+net-hsr-fix-hsr_init_sk-vs-network-transport-headers.patch
+bnxt_en-reserve-rings-after-pcie-aer-recovery-if-nic.patch
+bluetooth-mgmt-fix-slab-use-after-free-read-in-set_p.patch
+crypto-api-add-crypto_tfm_get.patch
+crypto-api-add-crypto_clone_tfm.patch
+llc-improve-setsockopt-handling-of-malformed-user-in.patch
+rxrpc-improve-setsockopt-handling-of-malformed-user-.patch
+tcp-fix-use-after-free-of-nreq-in-reqsk_timer_handle.patch
+ip6mr-fix-tables-suspicious-rcu-usage.patch
+ipmr-fix-tables-suspicious-rcu-usage.patch
+iio-light-al3010-fix-an-error-handling-path-in-al301.patch
+usb-using-mutex-lock-and-supporting-o_nonblock-flag-.patch
+usb-yurex-make-waiting-on-yurex_write-interruptible.patch
+usb-chaoskey-fail-open-after-removal.patch
+usb-chaoskey-fix-possible-deadlock-chaoskey_list_loc.patch
+misc-apds990x-fix-missing-pm_runtime_disable.patch
+counter-stm32-timer-cnt-add-check-for-clk_enable.patch
+counter-ti-ecap-capture-add-check-for-clk_enable.patch
+staging-greybus-uart-fix-atomicity-violation-in-get_.patch
+alsa-hda-realtek-update-alc256-depop-procedure.patch
+apparmor-fix-do-simple-duplicate-message-elimination.patch
+asoc-amd-yc-fix-for-enabling-dmic-on-acp6x-via-_dsd-.patch
--- /dev/null
+From cd83a5df3511b003ffb590ae19d10d8b3863d992 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Nov 2024 14:29:02 -0800
+Subject: smb: cached directories can be more than root file handle
+
+From: Paul Aurich <paul@darkrain42.org>
+
+[ Upstream commit 128630e1dbec8074c7707aad107299169047e68f ]
+
+Update this log message since cached fids may represent things other
+than the root of a mount.
+
+Fixes: e4029e072673 ("cifs: find and use the dentry for cached non-root directories also")
+Signed-off-by: Paul Aurich <paul@darkrain42.org>
+Reviewed-by: Bharath SM <bharathsm@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/cached_dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/smb/client/cached_dir.c b/fs/smb/client/cached_dir.c
+index 2ca1881919c7b..d09226c1ac902 100644
+--- a/fs/smb/client/cached_dir.c
++++ b/fs/smb/client/cached_dir.c
+@@ -354,7 +354,7 @@ int open_cached_dir_by_dentry(struct cifs_tcon *tcon,
+ spin_lock(&cfids->cfid_list_lock);
+ list_for_each_entry(cfid, &cfids->entries, entry) {
+ if (dentry && cfid->dentry == dentry) {
+- cifs_dbg(FYI, "found a cached root file handle by dentry\n");
++ cifs_dbg(FYI, "found a cached file handle by dentry\n");
+ kref_get(&cfid->refcount);
+ *ret_cfid = cfid;
+ spin_unlock(&cfids->cfid_list_lock);
+--
+2.43.0
+
--- /dev/null
+From 6d5b29dfe5482f1c2d32d6df69b6bf7ff5faed96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2024 10:51:31 +0300
+Subject: soc: qcom: geni-se: fix array underflow in geni_se_clk_tbl_get()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 78261cb08f06c93d362cab5c5034bf5899bc7552 ]
+
+This loop is supposed to break if the frequency returned from
+clk_round_rate() is the same as on the previous iteration. However,
+that check doesn't make sense on the first iteration through the loop.
+It leads to reading before the start of these->clk_perf_tbl[] array.
+
+Fixes: eddac5af0654 ("soc: qcom: Add GENI based QUP Wrapper driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/8cd12678-f44a-4b16-a579-c8f11175ee8c@stanley.mountain
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/qcom-geni-se.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/soc/qcom/qcom-geni-se.c b/drivers/soc/qcom/qcom-geni-se.c
+index a0ceeede450f1..d18309d3d0401 100644
+--- a/drivers/soc/qcom/qcom-geni-se.c
++++ b/drivers/soc/qcom/qcom-geni-se.c
+@@ -597,7 +597,8 @@ int geni_se_clk_tbl_get(struct geni_se *se, unsigned long **tbl)
+
+ for (i = 0; i < MAX_CLK_PERF_LEVEL; i++) {
+ freq = clk_round_rate(se->clk, freq + 1);
+- if (freq <= 0 || freq == se->clk_perf_tbl[i - 1])
++ if (freq <= 0 ||
++ (i > 0 && freq == se->clk_perf_tbl[i - 1]))
+ break;
+ se->clk_perf_tbl[i] = freq;
+ }
+--
+2.43.0
+
--- /dev/null
+From d30ffc9d0a4173b77e88780643d3cfd2bb3a796a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 11:41:47 +0800
+Subject: soc: ti: smartreflex: Use IRQF_NO_AUTOEN flag in request_irq()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 16a0a69244240cfa32c525c021c40f85e090557a ]
+
+If request_irq() fails in sr_late_init(), there is no need to enable
+the irq, and if it succeeds, disable_irq() after request_irq() still has
+a time gap in which interrupts can come.
+
+request_irq() with IRQF_NO_AUTOEN flag will disable IRQ auto-enable when
+request IRQ.
+
+Fixes: 1279ba5916f6 ("OMAP3+: SR: disable interrupt by default")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Link: https://lore.kernel.org/r/20240912034147.3014213-1-ruanjinjie@huawei.com
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/ti/smartreflex.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/ti/smartreflex.c b/drivers/soc/ti/smartreflex.c
+index 6a389a6444f36..e2e06b8488227 100644
+--- a/drivers/soc/ti/smartreflex.c
++++ b/drivers/soc/ti/smartreflex.c
+@@ -203,10 +203,10 @@ static int sr_late_init(struct omap_sr *sr_info)
+
+ if (sr_class->notify && sr_class->notify_flags && sr_info->irq) {
+ ret = devm_request_irq(&sr_info->pdev->dev, sr_info->irq,
+- sr_interrupt, 0, sr_info->name, sr_info);
++ sr_interrupt, IRQF_NO_AUTOEN,
++ sr_info->name, sr_info);
+ if (ret)
+ goto error;
+- disable_irq(sr_info->irq);
+ }
+
+ if (pdata && pdata->enable_on_init)
+--
+2.43.0
+
--- /dev/null
+From 6747c6aaee7407018f7e327365cf03ad0b252f26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jan 2024 11:25:59 +0000
+Subject: sock_diag: add module pointer to "struct sock_diag_handler"
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 114b4bb1cc19239b272d52ebbe156053483fe2f8 ]
+
+Following patch is going to use RCU instead of
+sock_diag_table_mutex acquisition.
+
+This patch is a preparation, no change of behavior yet.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Guillaume Nault <gnault@redhat.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: eb02688c5c45 ("ipv6: release nexthop on device removal")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sock_diag.h | 1 +
+ net/ipv4/inet_diag.c | 2 ++
+ net/netlink/diag.c | 1 +
+ net/packet/diag.c | 1 +
+ net/smc/smc_diag.c | 1 +
+ net/tipc/diag.c | 1 +
+ net/unix/diag.c | 1 +
+ net/vmw_vsock/diag.c | 1 +
+ net/xdp/xsk_diag.c | 1 +
+ 9 files changed, 10 insertions(+)
+
+diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h
+index 0b9ecd8cf9793..7c07754d711b9 100644
+--- a/include/linux/sock_diag.h
++++ b/include/linux/sock_diag.h
+@@ -13,6 +13,7 @@ struct nlmsghdr;
+ struct sock;
+
+ struct sock_diag_handler {
++ struct module *owner;
+ __u8 family;
+ int (*dump)(struct sk_buff *skb, struct nlmsghdr *nlh);
+ int (*get_info)(struct sk_buff *skb, struct sock *sk);
+diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
+index e4e1999d93f50..a3d0e18885f59 100644
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -1397,6 +1397,7 @@ int inet_diag_handler_get_info(struct sk_buff *skb, struct sock *sk)
+ }
+
+ static const struct sock_diag_handler inet_diag_handler = {
++ .owner = THIS_MODULE,
+ .family = AF_INET,
+ .dump = inet_diag_handler_cmd,
+ .get_info = inet_diag_handler_get_info,
+@@ -1404,6 +1405,7 @@ static const struct sock_diag_handler inet_diag_handler = {
+ };
+
+ static const struct sock_diag_handler inet6_diag_handler = {
++ .owner = THIS_MODULE,
+ .family = AF_INET6,
+ .dump = inet_diag_handler_cmd,
+ .get_info = inet_diag_handler_get_info,
+diff --git a/net/netlink/diag.c b/net/netlink/diag.c
+index 9c4f231be2757..7b15aa5f7bc20 100644
+--- a/net/netlink/diag.c
++++ b/net/netlink/diag.c
+@@ -241,6 +241,7 @@ static int netlink_diag_handler_dump(struct sk_buff *skb, struct nlmsghdr *h)
+ }
+
+ static const struct sock_diag_handler netlink_diag_handler = {
++ .owner = THIS_MODULE,
+ .family = AF_NETLINK,
+ .dump = netlink_diag_handler_dump,
+ };
+diff --git a/net/packet/diag.c b/net/packet/diag.c
+index a68a84574c739..057ee37bd0766 100644
+--- a/net/packet/diag.c
++++ b/net/packet/diag.c
+@@ -245,6 +245,7 @@ static int packet_diag_handler_dump(struct sk_buff *skb, struct nlmsghdr *h)
+ }
+
+ static const struct sock_diag_handler packet_diag_handler = {
++ .owner = THIS_MODULE,
+ .family = AF_PACKET,
+ .dump = packet_diag_handler_dump,
+ };
+diff --git a/net/smc/smc_diag.c b/net/smc/smc_diag.c
+index 7a907186a33ae..2d1cd033398b6 100644
+--- a/net/smc/smc_diag.c
++++ b/net/smc/smc_diag.c
+@@ -249,6 +249,7 @@ static int smc_diag_handler_dump(struct sk_buff *skb, struct nlmsghdr *h)
+ }
+
+ static const struct sock_diag_handler smc_diag_handler = {
++ .owner = THIS_MODULE,
+ .family = AF_SMC,
+ .dump = smc_diag_handler_dump,
+ };
+diff --git a/net/tipc/diag.c b/net/tipc/diag.c
+index 73137f4aeb68f..11da9d2ebbf69 100644
+--- a/net/tipc/diag.c
++++ b/net/tipc/diag.c
+@@ -95,6 +95,7 @@ static int tipc_sock_diag_handler_dump(struct sk_buff *skb,
+ }
+
+ static const struct sock_diag_handler tipc_sock_diag_handler = {
++ .owner = THIS_MODULE,
+ .family = AF_TIPC,
+ .dump = tipc_sock_diag_handler_dump,
+ };
+diff --git a/net/unix/diag.c b/net/unix/diag.c
+index 1de7500b41b61..a6bd861314df0 100644
+--- a/net/unix/diag.c
++++ b/net/unix/diag.c
+@@ -322,6 +322,7 @@ static int unix_diag_handler_dump(struct sk_buff *skb, struct nlmsghdr *h)
+ }
+
+ static const struct sock_diag_handler unix_diag_handler = {
++ .owner = THIS_MODULE,
+ .family = AF_UNIX,
+ .dump = unix_diag_handler_dump,
+ };
+diff --git a/net/vmw_vsock/diag.c b/net/vmw_vsock/diag.c
+index a2823b1c5e28b..6efa9eb93336f 100644
+--- a/net/vmw_vsock/diag.c
++++ b/net/vmw_vsock/diag.c
+@@ -157,6 +157,7 @@ static int vsock_diag_handler_dump(struct sk_buff *skb, struct nlmsghdr *h)
+ }
+
+ static const struct sock_diag_handler vsock_diag_handler = {
++ .owner = THIS_MODULE,
+ .family = AF_VSOCK,
+ .dump = vsock_diag_handler_dump,
+ };
+diff --git a/net/xdp/xsk_diag.c b/net/xdp/xsk_diag.c
+index 22b36c8143cfd..e1012bfec7207 100644
+--- a/net/xdp/xsk_diag.c
++++ b/net/xdp/xsk_diag.c
+@@ -194,6 +194,7 @@ static int xsk_diag_handler_dump(struct sk_buff *nlskb, struct nlmsghdr *hdr)
+ }
+
+ static const struct sock_diag_handler xsk_diag_handler = {
++ .owner = THIS_MODULE,
+ .family = AF_XDP,
+ .dump = xsk_diag_handler_dump,
+ };
+--
+2.43.0
+
--- /dev/null
+From 3823d0f51476b4d1821415cca86b4fb1df9192ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jan 2024 11:26:01 +0000
+Subject: sock_diag: allow concurrent operation in sock_diag_rcv_msg()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 86e8921df05c6e9423ab74ab8d41022775d8b83a ]
+
+TCPDIAG_GETSOCK and DCCPDIAG_GETSOCK diag are serialized
+on sock_diag_table_mutex.
+
+This is to make sure inet_diag module is not unloaded
+while diag was ongoing.
+
+It is time to get rid of this mutex and use RCU protection,
+allowing full parallelism.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Guillaume Nault <gnault@redhat.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: eb02688c5c45 ("ipv6: release nexthop on device removal")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sock_diag.h | 9 ++++++--
+ net/core/sock_diag.c | 43 +++++++++++++++++++++++----------------
+ net/ipv4/inet_diag.c | 9 ++++++--
+ 3 files changed, 40 insertions(+), 21 deletions(-)
+
+diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h
+index 7c07754d711b9..110978dc9af1b 100644
+--- a/include/linux/sock_diag.h
++++ b/include/linux/sock_diag.h
+@@ -23,8 +23,13 @@ struct sock_diag_handler {
+ int sock_diag_register(const struct sock_diag_handler *h);
+ void sock_diag_unregister(const struct sock_diag_handler *h);
+
+-void sock_diag_register_inet_compat(int (*fn)(struct sk_buff *skb, struct nlmsghdr *nlh));
+-void sock_diag_unregister_inet_compat(int (*fn)(struct sk_buff *skb, struct nlmsghdr *nlh));
++struct sock_diag_inet_compat {
++ struct module *owner;
++ int (*fn)(struct sk_buff *skb, struct nlmsghdr *nlh);
++};
++
++void sock_diag_register_inet_compat(const struct sock_diag_inet_compat *ptr);
++void sock_diag_unregister_inet_compat(const struct sock_diag_inet_compat *ptr);
+
+ u64 __sock_gen_cookie(struct sock *sk);
+
+diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
+index 73b2e36032b3e..d36beb9a9a928 100644
+--- a/net/core/sock_diag.c
++++ b/net/core/sock_diag.c
+@@ -17,8 +17,9 @@
+ #include <linux/sock_diag.h>
+
+ static const struct sock_diag_handler __rcu *sock_diag_handlers[AF_MAX];
+-static int (*inet_rcv_compat)(struct sk_buff *skb, struct nlmsghdr *nlh);
+-static DEFINE_MUTEX(sock_diag_table_mutex);
++
++static struct sock_diag_inet_compat __rcu *inet_rcv_compat;
++
+ static struct workqueue_struct *broadcast_wq;
+
+ DEFINE_COOKIE(sock_cookie);
+@@ -181,19 +182,20 @@ void sock_diag_broadcast_destroy(struct sock *sk)
+ queue_work(broadcast_wq, &bsk->work);
+ }
+
+-void sock_diag_register_inet_compat(int (*fn)(struct sk_buff *skb, struct nlmsghdr *nlh))
++void sock_diag_register_inet_compat(const struct sock_diag_inet_compat *ptr)
+ {
+- mutex_lock(&sock_diag_table_mutex);
+- inet_rcv_compat = fn;
+- mutex_unlock(&sock_diag_table_mutex);
++ xchg((__force const struct sock_diag_inet_compat **)&inet_rcv_compat,
++ ptr);
+ }
+ EXPORT_SYMBOL_GPL(sock_diag_register_inet_compat);
+
+-void sock_diag_unregister_inet_compat(int (*fn)(struct sk_buff *skb, struct nlmsghdr *nlh))
++void sock_diag_unregister_inet_compat(const struct sock_diag_inet_compat *ptr)
+ {
+- mutex_lock(&sock_diag_table_mutex);
+- inet_rcv_compat = NULL;
+- mutex_unlock(&sock_diag_table_mutex);
++ const struct sock_diag_inet_compat *old;
++
++ old = xchg((__force const struct sock_diag_inet_compat **)&inet_rcv_compat,
++ NULL);
++ WARN_ON_ONCE(old != ptr);
+ }
+ EXPORT_SYMBOL_GPL(sock_diag_unregister_inet_compat);
+
+@@ -256,20 +258,27 @@ static int __sock_diag_cmd(struct sk_buff *skb, struct nlmsghdr *nlh)
+ static int sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
+ struct netlink_ext_ack *extack)
+ {
++ const struct sock_diag_inet_compat *ptr;
+ int ret;
+
+ switch (nlh->nlmsg_type) {
+ case TCPDIAG_GETSOCK:
+ case DCCPDIAG_GETSOCK:
+- if (inet_rcv_compat == NULL)
++
++ if (!rcu_access_pointer(inet_rcv_compat))
+ sock_load_diag_module(AF_INET, 0);
+
+- mutex_lock(&sock_diag_table_mutex);
+- if (inet_rcv_compat != NULL)
+- ret = inet_rcv_compat(skb, nlh);
+- else
+- ret = -EOPNOTSUPP;
+- mutex_unlock(&sock_diag_table_mutex);
++ rcu_read_lock();
++ ptr = rcu_dereference(inet_rcv_compat);
++ if (ptr && !try_module_get(ptr->owner))
++ ptr = NULL;
++ rcu_read_unlock();
++
++ ret = -EOPNOTSUPP;
++ if (ptr) {
++ ret = ptr->fn(skb, nlh);
++ module_put(ptr->owner);
++ }
+
+ return ret;
+ case SOCK_DIAG_BY_FAMILY:
+diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
+index a3d0e18885f59..2bd5d0ed7a6fc 100644
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -1445,6 +1445,11 @@ void inet_diag_unregister(const struct inet_diag_handler *h)
+ }
+ EXPORT_SYMBOL_GPL(inet_diag_unregister);
+
++static const struct sock_diag_inet_compat inet_diag_compat = {
++ .owner = THIS_MODULE,
++ .fn = inet_diag_rcv_msg_compat,
++};
++
+ static int __init inet_diag_init(void)
+ {
+ const int inet_diag_table_size = (IPPROTO_MAX *
+@@ -1463,7 +1468,7 @@ static int __init inet_diag_init(void)
+ if (err)
+ goto out_free_inet;
+
+- sock_diag_register_inet_compat(inet_diag_rcv_msg_compat);
++ sock_diag_register_inet_compat(&inet_diag_compat);
+ out:
+ return err;
+
+@@ -1478,7 +1483,7 @@ static void __exit inet_diag_exit(void)
+ {
+ sock_diag_unregister(&inet6_diag_handler);
+ sock_diag_unregister(&inet_diag_handler);
+- sock_diag_unregister_inet_compat(inet_diag_rcv_msg_compat);
++ sock_diag_unregister_inet_compat(&inet_diag_compat);
+ kfree(inet_diag_table);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 880820a4f2099292b87319dd0e6a25a26ad779de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jan 2024 11:26:00 +0000
+Subject: sock_diag: allow concurrent operations
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 1d55a6974756cf3979efd2cc68bcece611a44053 ]
+
+sock_diag_broadcast_destroy_work() and __sock_diag_cmd()
+are currently using sock_diag_table_mutex to protect
+against concurrent sock_diag_handlers[] changes.
+
+This makes inet_diag dump serialized, thus less scalable
+than legacy /proc files.
+
+It is time to switch to full RCU protection.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Guillaume Nault <gnault@redhat.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: eb02688c5c45 ("ipv6: release nexthop on device removal")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock_diag.c | 73 +++++++++++++++++++++++++-------------------
+ 1 file changed, 42 insertions(+), 31 deletions(-)
+
+diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
+index e6ea6764d10ab..73b2e36032b3e 100644
+--- a/net/core/sock_diag.c
++++ b/net/core/sock_diag.c
+@@ -16,7 +16,7 @@
+ #include <linux/inet_diag.h>
+ #include <linux/sock_diag.h>
+
+-static const struct sock_diag_handler *sock_diag_handlers[AF_MAX];
++static const struct sock_diag_handler __rcu *sock_diag_handlers[AF_MAX];
+ static int (*inet_rcv_compat)(struct sk_buff *skb, struct nlmsghdr *nlh);
+ static DEFINE_MUTEX(sock_diag_table_mutex);
+ static struct workqueue_struct *broadcast_wq;
+@@ -119,6 +119,24 @@ static size_t sock_diag_nlmsg_size(void)
+ + nla_total_size_64bit(sizeof(struct tcp_info))); /* INET_DIAG_INFO */
+ }
+
++static const struct sock_diag_handler *sock_diag_lock_handler(int family)
++{
++ const struct sock_diag_handler *handler;
++
++ rcu_read_lock();
++ handler = rcu_dereference(sock_diag_handlers[family]);
++ if (handler && !try_module_get(handler->owner))
++ handler = NULL;
++ rcu_read_unlock();
++
++ return handler;
++}
++
++static void sock_diag_unlock_handler(const struct sock_diag_handler *handler)
++{
++ module_put(handler->owner);
++}
++
+ static void sock_diag_broadcast_destroy_work(struct work_struct *work)
+ {
+ struct broadcast_sk *bsk =
+@@ -135,12 +153,12 @@ static void sock_diag_broadcast_destroy_work(struct work_struct *work)
+ if (!skb)
+ goto out;
+
+- mutex_lock(&sock_diag_table_mutex);
+- hndl = sock_diag_handlers[sk->sk_family];
+- if (hndl && hndl->get_info)
+- err = hndl->get_info(skb, sk);
+- mutex_unlock(&sock_diag_table_mutex);
+-
++ hndl = sock_diag_lock_handler(sk->sk_family);
++ if (hndl) {
++ if (hndl->get_info)
++ err = hndl->get_info(skb, sk);
++ sock_diag_unlock_handler(hndl);
++ }
+ if (!err)
+ nlmsg_multicast(sock_net(sk)->diag_nlsk, skb, 0, group,
+ GFP_KERNEL);
+@@ -181,33 +199,26 @@ EXPORT_SYMBOL_GPL(sock_diag_unregister_inet_compat);
+
+ int sock_diag_register(const struct sock_diag_handler *hndl)
+ {
+- int err = 0;
++ int family = hndl->family;
+
+- if (hndl->family >= AF_MAX)
++ if (family >= AF_MAX)
+ return -EINVAL;
+
+- mutex_lock(&sock_diag_table_mutex);
+- if (sock_diag_handlers[hndl->family])
+- err = -EBUSY;
+- else
+- WRITE_ONCE(sock_diag_handlers[hndl->family], hndl);
+- mutex_unlock(&sock_diag_table_mutex);
+-
+- return err;
++ return !cmpxchg((const struct sock_diag_handler **)
++ &sock_diag_handlers[family],
++ NULL, hndl) ? 0 : -EBUSY;
+ }
+ EXPORT_SYMBOL_GPL(sock_diag_register);
+
+-void sock_diag_unregister(const struct sock_diag_handler *hnld)
++void sock_diag_unregister(const struct sock_diag_handler *hndl)
+ {
+- int family = hnld->family;
++ int family = hndl->family;
+
+ if (family >= AF_MAX)
+ return;
+
+- mutex_lock(&sock_diag_table_mutex);
+- BUG_ON(sock_diag_handlers[family] != hnld);
+- WRITE_ONCE(sock_diag_handlers[family], NULL);
+- mutex_unlock(&sock_diag_table_mutex);
++ xchg((const struct sock_diag_handler **)&sock_diag_handlers[family],
++ NULL);
+ }
+ EXPORT_SYMBOL_GPL(sock_diag_unregister);
+
+@@ -224,20 +235,20 @@ static int __sock_diag_cmd(struct sk_buff *skb, struct nlmsghdr *nlh)
+ return -EINVAL;
+ req->sdiag_family = array_index_nospec(req->sdiag_family, AF_MAX);
+
+- if (READ_ONCE(sock_diag_handlers[req->sdiag_family]) == NULL)
++ if (!rcu_access_pointer(sock_diag_handlers[req->sdiag_family]))
+ sock_load_diag_module(req->sdiag_family, 0);
+
+- mutex_lock(&sock_diag_table_mutex);
+- hndl = sock_diag_handlers[req->sdiag_family];
++ hndl = sock_diag_lock_handler(req->sdiag_family);
+ if (hndl == NULL)
+- err = -ENOENT;
+- else if (nlh->nlmsg_type == SOCK_DIAG_BY_FAMILY)
++ return -ENOENT;
++
++ if (nlh->nlmsg_type == SOCK_DIAG_BY_FAMILY)
+ err = hndl->dump(skb, nlh);
+ else if (nlh->nlmsg_type == SOCK_DESTROY && hndl->destroy)
+ err = hndl->destroy(skb, nlh);
+ else
+ err = -EOPNOTSUPP;
+- mutex_unlock(&sock_diag_table_mutex);
++ sock_diag_unlock_handler(hndl);
+
+ return err;
+ }
+@@ -283,12 +294,12 @@ static int sock_diag_bind(struct net *net, int group)
+ switch (group) {
+ case SKNLGRP_INET_TCP_DESTROY:
+ case SKNLGRP_INET_UDP_DESTROY:
+- if (!READ_ONCE(sock_diag_handlers[AF_INET]))
++ if (!rcu_access_pointer(sock_diag_handlers[AF_INET]))
+ sock_load_diag_module(AF_INET, 0);
+ break;
+ case SKNLGRP_INET6_TCP_DESTROY:
+ case SKNLGRP_INET6_UDP_DESTROY:
+- if (!READ_ONCE(sock_diag_handlers[AF_INET6]))
++ if (!rcu_access_pointer(sock_diag_handlers[AF_INET6]))
+ sock_load_diag_module(AF_INET6, 0);
+ break;
+ }
+--
+2.43.0
+
--- /dev/null
+From 751fe7f6715ef1d8743d64c679f2b2bc6c3a8cb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Nov 2024 15:13:02 +0100
+Subject: spi: atmel-quadspi: Fix register name in verbose logging function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Csókás, Bence <csokas.bence@prolan.hu>
+
+[ Upstream commit 2ac40e6d0ccdd93031f8b1af61b0fe5cdd704923 ]
+
+`atmel_qspi_reg_name()` is used for pretty-printing register offsets
+for verbose logging of register accesses. However, due to a typo
+(likely a copy-paste error), QSPI_RD's offset prints as "MR", the
+name of the previous register. Fix this typo.
+
+Fixes: c528ecfbef04 ("spi: atmel-quadspi: Add verbose debug facilities to monitor register accesses")
+Signed-off-by: Csókás, Bence <csokas.bence@prolan.hu>
+Reviewed-by: Alexander Dahl <ada@thorsis.com>
+Link: https://patch.msgid.link/20241122141302.2599636-1-csokas.bence@prolan.hu
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/atmel-quadspi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/atmel-quadspi.c b/drivers/spi/atmel-quadspi.c
+index d96c40e7c8123..b5afe5790b1d2 100644
+--- a/drivers/spi/atmel-quadspi.c
++++ b/drivers/spi/atmel-quadspi.c
+@@ -183,7 +183,7 @@ static const char *atmel_qspi_reg_name(u32 offset, char *tmp, size_t sz)
+ case QSPI_MR:
+ return "MR";
+ case QSPI_RD:
+- return "MR";
++ return "RD";
+ case QSPI_TD:
+ return "TD";
+ case QSPI_SR:
+--
+2.43.0
+
--- /dev/null
+From 86a97dfdbe415693122d223f3d720f1a77490d3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 May 2023 09:28:49 +0200
+Subject: spi: spi-fsl-lpspi: downgrade log level for pio mode
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+[ Upstream commit d5786c88cacbb859f465e8e93c26154585c1008d ]
+
+Having no DMA is not an error. The simplest reason is not having it
+configured. SPI will still be usable, so raise a warning instead to
+get still some attention.
+
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Link: https://lore.kernel.org/r/20230531072850.739021-1-alexander.stein@ew.tq-group.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Stable-dep-of: 003c7e01916c ("spi: spi-fsl-lpspi: Use IRQF_NO_AUTOEN flag in request_irq()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-fsl-lpspi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-fsl-lpspi.c b/drivers/spi/spi-fsl-lpspi.c
+index 7d016464037c3..b9e602447eca5 100644
+--- a/drivers/spi/spi-fsl-lpspi.c
++++ b/drivers/spi/spi-fsl-lpspi.c
+@@ -908,7 +908,7 @@ static int fsl_lpspi_probe(struct platform_device *pdev)
+ if (ret == -EPROBE_DEFER)
+ goto out_pm_get;
+ if (ret < 0)
+- dev_err(&pdev->dev, "dma setup error %d, use pio\n", ret);
++ dev_warn(&pdev->dev, "dma setup error %d, use pio\n", ret);
+ else
+ /*
+ * disable LPSPI module IRQ when enable DMA mode successfully,
+--
+2.43.0
+
--- /dev/null
+From 211e5590137762263d9e5cb77c57c458b010e53d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 10:28:28 +0800
+Subject: spi: spi-fsl-lpspi: Use IRQF_NO_AUTOEN flag in request_irq()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 003c7e01916c5e2af95add9b0cbda2e6163873e8 ]
+
+disable_irq() after request_irq() still has a time gap in which
+interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will
+disable IRQ auto-enable when request IRQ.
+
+Fixes: 9728fb3ce117 ("spi: lpspi: disable lpspi module irq in DMA mode")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Link: https://patch.msgid.link/20240906022828.891812-1-ruanjinjie@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-fsl-lpspi.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/spi/spi-fsl-lpspi.c b/drivers/spi/spi-fsl-lpspi.c
+index b9e602447eca5..246d133238822 100644
+--- a/drivers/spi/spi-fsl-lpspi.c
++++ b/drivers/spi/spi-fsl-lpspi.c
+@@ -870,7 +870,7 @@ static int fsl_lpspi_probe(struct platform_device *pdev)
+ goto out_controller_put;
+ }
+
+- ret = devm_request_irq(&pdev->dev, irq, fsl_lpspi_isr, 0,
++ ret = devm_request_irq(&pdev->dev, irq, fsl_lpspi_isr, IRQF_NO_AUTOEN,
+ dev_name(&pdev->dev), fsl_lpspi);
+ if (ret) {
+ dev_err(&pdev->dev, "can't get irq%d: %d\n", irq, ret);
+@@ -907,14 +907,10 @@ static int fsl_lpspi_probe(struct platform_device *pdev)
+ ret = fsl_lpspi_dma_init(&pdev->dev, fsl_lpspi, controller);
+ if (ret == -EPROBE_DEFER)
+ goto out_pm_get;
+- if (ret < 0)
++ if (ret < 0) {
+ dev_warn(&pdev->dev, "dma setup error %d, use pio\n", ret);
+- else
+- /*
+- * disable LPSPI module IRQ when enable DMA mode successfully,
+- * to prevent the unexpected LPSPI module IRQ events.
+- */
+- disable_irq(irq);
++ enable_irq(irq);
++ }
+
+ ret = devm_spi_register_controller(&pdev->dev, controller);
+ if (ret < 0) {
+--
+2.43.0
+
--- /dev/null
+From 068d5e8bd42ec02dee831a9622f290431fb8ef4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2024 05:53:59 -0700
+Subject: spi: tegra210-quad: Avoid shift-out-of-bounds
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit f399051ec1ff02e74ae5c2517aed2cc486fd005b ]
+
+A shift-out-of-bounds issue was identified by UBSAN in the
+tegra_qspi_fill_tx_fifo_from_client_txbuf() function.
+
+ UBSAN: shift-out-of-bounds in drivers/spi/spi-tegra210-quad.c:345:27
+ shift exponent 32 is too large for 32-bit type 'u32' (aka 'unsigned int')
+ Call trace:
+ tegra_qspi_start_cpu_based_transfer
+
+The problem arises when shifting the contents of tx_buf left by 8 times
+the value of i, which can exceed 4 and result in an exponent larger than
+32 bits.
+
+Resolve this by restrict the value of i to be less than 4, preventing
+the shift operation from overflowing.
+
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Fixes: 921fc1838fb0 ("spi: tegra210-quad: Add support for Tegra210 QSPI controller")
+Link: https://patch.msgid.link/20241004125400.1791089-1-leitao@debian.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-tegra210-quad.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c
+index 06c54d49076ae..5ac5cb885552b 100644
+--- a/drivers/spi/spi-tegra210-quad.c
++++ b/drivers/spi/spi-tegra210-quad.c
+@@ -340,7 +340,7 @@ tegra_qspi_fill_tx_fifo_from_client_txbuf(struct tegra_qspi *tqspi, struct spi_t
+ for (count = 0; count < max_n_32bit; count++) {
+ u32 x = 0;
+
+- for (i = 0; len && (i < bytes_per_word); i++, len--)
++ for (i = 0; len && (i < min(4, bytes_per_word)); i++, len--)
+ x |= (u32)(*tx_buf++) << (i * 8);
+ tegra_qspi_writel(tqspi, x, QSPI_TX_FIFO);
+ }
+--
+2.43.0
+
--- /dev/null
+From e50124fa4901c0f31c8c07547e64b3707aac2964 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Sep 2024 17:11:35 +0800
+Subject: =?UTF-8?q?spi:=20zynqmp-gqspi:=20Undo=20runtime=20PM=20changes=20?=
+ =?UTF-8?q?at=20driver=20exit=20time=E2=80=8B?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 2219576883e709737f3100aa9ded84976be49bd7 ]
+
+It's important to undo pm_runtime_use_autosuspend() with
+pm_runtime_dont_use_autosuspend() at driver exit time.
+
+So, call pm_runtime_dont_use_autosuspend() at driver exit time
+to fix it.
+
+Fixes: 9e3a000362ae ("spi: zynqmp: Add pm runtime support")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Link: https://patch.msgid.link/20240920091135.2741574-1-ruanjinjie@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-zynqmp-gqspi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/spi/spi-zynqmp-gqspi.c b/drivers/spi/spi-zynqmp-gqspi.c
+index 3b56d5e7080e1..c89544ae5ed91 100644
+--- a/drivers/spi/spi-zynqmp-gqspi.c
++++ b/drivers/spi/spi-zynqmp-gqspi.c
+@@ -1219,6 +1219,7 @@ static int zynqmp_qspi_probe(struct platform_device *pdev)
+
+ clk_dis_all:
+ pm_runtime_disable(&pdev->dev);
++ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ pm_runtime_put_noidle(&pdev->dev);
+ pm_runtime_set_suspended(&pdev->dev);
+ clk_disable_unprepare(xqspi->refclk);
+@@ -1249,6 +1250,7 @@ static int zynqmp_qspi_remove(struct platform_device *pdev)
+ zynqmp_gqspi_write(xqspi, GQSPI_EN_OFST, 0x0);
+
+ pm_runtime_disable(&pdev->dev);
++ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ pm_runtime_put_noidle(&pdev->dev);
+ pm_runtime_set_suspended(&pdev->dev);
+ clk_disable_unprepare(xqspi->refclk);
+--
+2.43.0
+
--- /dev/null
+From 4006fbd05de7a109badd548ef342d6342a260f7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2024 19:33:37 +0800
+Subject: staging: greybus: uart: Fix atomicity violation in get_serial_info()
+
+From: Qiu-ji Chen <chenqiuji666@gmail.com>
+
+[ Upstream commit fe0ebeafc3b723b2f8edf27ecec6d353b08397df ]
+
+Our static checker found a bug where set_serial_info() uses a mutex, but
+get_serial_info() does not. Fortunately, the impact of this is relatively
+minor. It doesn't cause a crash or any other serious issues. However, if a
+race condition occurs between set_serial_info() and get_serial_info(),
+there is a chance that the data returned by get_serial_info() will be
+meaningless.
+
+Signed-off-by: Qiu-ji Chen <chenqiuji666@gmail.com>
+Fixes: 0aad5ad563c8 ("greybus/uart: switch to ->[sg]et_serial()")
+Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Alex Elder <elder@riscstar.com>
+Link: https://lore.kernel.org/r/20241107113337.402042-1-chenqiuji666@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/greybus/uart.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/staging/greybus/uart.c b/drivers/staging/greybus/uart.c
+index 90ff07f2cbf76..2d6c4ae8482d1 100644
+--- a/drivers/staging/greybus/uart.c
++++ b/drivers/staging/greybus/uart.c
+@@ -597,11 +597,13 @@ static int get_serial_info(struct tty_struct *tty,
+ struct gb_tty *gb_tty = tty->driver_data;
+
+ ss->line = gb_tty->minor;
++ mutex_lock(&gb_tty->port.mutex);
+ ss->close_delay = jiffies_to_msecs(gb_tty->port.close_delay) / 10;
+ ss->closing_wait =
+ gb_tty->port.closing_wait == ASYNC_CLOSING_WAIT_NONE ?
+ ASYNC_CLOSING_WAIT_NONE :
+ jiffies_to_msecs(gb_tty->port.closing_wait) / 10;
++ mutex_unlock(&gb_tty->port.mutex);
+
+ return 0;
+ }
+--
+2.43.0
+
--- /dev/null
+From b1bd19714bdba2cc0b7045cbccc790dcf7b7c781 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Mar 2023 15:39:40 -0800
+Subject: sunrpc: simplify two-level sysctl registration for svcrdma_parm_table
+
+From: Luis Chamberlain <mcgrof@kernel.org>
+
+[ Upstream commit 376bcd9b37632cf191711a68aa25ab42f0048c2e ]
+
+There is no need to declare two tables to just create directories,
+this can be easily be done with a prefix path with register_sysctl().
+
+Simplify this registration.
+
+Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Stable-dep-of: ce89e742a4c1 ("svcrdma: fix miss destroy percpu_counter in svc_rdma_proc_init()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/xprtrdma/svc_rdma.c | 21 ++-------------------
+ 1 file changed, 2 insertions(+), 19 deletions(-)
+
+diff --git a/net/sunrpc/xprtrdma/svc_rdma.c b/net/sunrpc/xprtrdma/svc_rdma.c
+index 5bc20e9d09cd8..f0d5eeed4c886 100644
+--- a/net/sunrpc/xprtrdma/svc_rdma.c
++++ b/net/sunrpc/xprtrdma/svc_rdma.c
+@@ -212,24 +212,6 @@ static struct ctl_table svcrdma_parm_table[] = {
+ { },
+ };
+
+-static struct ctl_table svcrdma_table[] = {
+- {
+- .procname = "svc_rdma",
+- .mode = 0555,
+- .child = svcrdma_parm_table
+- },
+- { },
+-};
+-
+-static struct ctl_table svcrdma_root_table[] = {
+- {
+- .procname = "sunrpc",
+- .mode = 0555,
+- .child = svcrdma_table
+- },
+- { },
+-};
+-
+ static void svc_rdma_proc_cleanup(void)
+ {
+ if (!svcrdma_table_header)
+@@ -263,7 +245,8 @@ static int svc_rdma_proc_init(void)
+ if (rc)
+ goto out_err;
+
+- svcrdma_table_header = register_sysctl_table(svcrdma_root_table);
++ svcrdma_table_header = register_sysctl("sunrpc/svc_rdma",
++ svcrdma_parm_table);
+ return 0;
+
+ out_err:
+--
+2.43.0
+
--- /dev/null
+From 8715ab8a347bf90730c7f09c92abac634a4a1b7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Sep 2024 12:15:29 -0400
+Subject: svcrdma: Address an integer overflow
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 3c63d8946e578663b868cb9912dac616ea68bfd0 ]
+
+Dan Carpenter reports:
+> Commit 78147ca8b4a9 ("svcrdma: Add a "parsed chunk list" data
+> structure") from Jun 22, 2020 (linux-next), leads to the following
+> Smatch static checker warning:
+>
+> net/sunrpc/xprtrdma/svc_rdma_recvfrom.c:498 xdr_check_write_chunk()
+> warn: potential user controlled sizeof overflow 'segcount * 4 * 4'
+>
+> net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
+> 488 static bool xdr_check_write_chunk(struct svc_rdma_recv_ctxt *rctxt)
+> 489 {
+> 490 u32 segcount;
+> 491 __be32 *p;
+> 492
+> 493 if (xdr_stream_decode_u32(&rctxt->rc_stream, &segcount))
+> ^^^^^^^^
+>
+> 494 return false;
+> 495
+> 496 /* A bogus segcount causes this buffer overflow check to fail. */
+> 497 p = xdr_inline_decode(&rctxt->rc_stream,
+> --> 498 segcount * rpcrdma_segment_maxsz * sizeof(*p));
+>
+>
+> segcount is an untrusted u32. On 32bit systems anything >= SIZE_MAX / 16 will
+> have an integer overflow and some those values will be accepted by
+> xdr_inline_decode().
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Fixes: 78147ca8b4a9 ("svcrdma: Add a "parsed chunk list" data structure")
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
+index b2dd01e5274e9..186c9c12432b1 100644
+--- a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
++++ b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
+@@ -482,7 +482,13 @@ static bool xdr_check_write_chunk(struct svc_rdma_recv_ctxt *rctxt)
+ if (xdr_stream_decode_u32(&rctxt->rc_stream, &segcount))
+ return false;
+
+- /* A bogus segcount causes this buffer overflow check to fail. */
++ /* Before trusting the segcount value enough to use it in
++ * a computation, perform a simple range check. This is an
++ * arbitrary but sensible limit (ie, not architectural).
++ */
++ if (unlikely(segcount > RPCSVC_MAXPAGES))
++ return false;
++
+ p = xdr_inline_decode(&rctxt->rc_stream,
+ segcount * rpcrdma_segment_maxsz * sizeof(*p));
+ return p != NULL;
+--
+2.43.0
+
--- /dev/null
+From b2474cc80102072b20605e247ee9542c66b2bf07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2024 09:55:20 +0800
+Subject: svcrdma: fix miss destroy percpu_counter in svc_rdma_proc_init()
+
+From: Ye Bin <yebin10@huawei.com>
+
+[ Upstream commit ce89e742a4c12b20f09a43fec1b21db33f2166cd ]
+
+There's issue as follows:
+RPC: Registered rdma transport module.
+RPC: Registered rdma backchannel transport module.
+RPC: Unregistered rdma transport module.
+RPC: Unregistered rdma backchannel transport module.
+BUG: unable to handle page fault for address: fffffbfff80c609a
+PGD 123fee067 P4D 123fee067 PUD 123fea067 PMD 10c624067 PTE 0
+Oops: Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
+RIP: 0010:percpu_counter_destroy_many+0xf7/0x2a0
+Call Trace:
+ <TASK>
+ __die+0x1f/0x70
+ page_fault_oops+0x2cd/0x860
+ spurious_kernel_fault+0x36/0x450
+ do_kern_addr_fault+0xca/0x100
+ exc_page_fault+0x128/0x150
+ asm_exc_page_fault+0x26/0x30
+ percpu_counter_destroy_many+0xf7/0x2a0
+ mmdrop+0x209/0x350
+ finish_task_switch.isra.0+0x481/0x840
+ schedule_tail+0xe/0xd0
+ ret_from_fork+0x23/0x80
+ ret_from_fork_asm+0x1a/0x30
+ </TASK>
+
+If register_sysctl() return NULL, then svc_rdma_proc_cleanup() will not
+destroy the percpu counters which init in svc_rdma_proc_init().
+If CONFIG_HOTPLUG_CPU is enabled, residual nodes may be in the
+'percpu_counters' list. The above issue may occur once the module is
+removed. If the CONFIG_HOTPLUG_CPU configuration is not enabled, memory
+leakage occurs.
+To solve above issue just destroy all percpu counters when
+register_sysctl() return NULL.
+
+Fixes: 1e7e55731628 ("svcrdma: Restore read and write stats")
+Fixes: 22df5a22462e ("svcrdma: Convert rdma_stat_sq_starve to a per-CPU counter")
+Fixes: df971cd853c0 ("svcrdma: Convert rdma_stat_recv to a per-CPU counter")
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/xprtrdma/svc_rdma.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/net/sunrpc/xprtrdma/svc_rdma.c b/net/sunrpc/xprtrdma/svc_rdma.c
+index f0d5eeed4c886..e1d4e426b21fa 100644
+--- a/net/sunrpc/xprtrdma/svc_rdma.c
++++ b/net/sunrpc/xprtrdma/svc_rdma.c
+@@ -234,25 +234,34 @@ static int svc_rdma_proc_init(void)
+
+ rc = percpu_counter_init(&svcrdma_stat_read, 0, GFP_KERNEL);
+ if (rc)
+- goto out_err;
++ goto err;
+ rc = percpu_counter_init(&svcrdma_stat_recv, 0, GFP_KERNEL);
+ if (rc)
+- goto out_err;
++ goto err_read;
+ rc = percpu_counter_init(&svcrdma_stat_sq_starve, 0, GFP_KERNEL);
+ if (rc)
+- goto out_err;
++ goto err_recv;
+ rc = percpu_counter_init(&svcrdma_stat_write, 0, GFP_KERNEL);
+ if (rc)
+- goto out_err;
++ goto err_sq;
+
+ svcrdma_table_header = register_sysctl("sunrpc/svc_rdma",
+ svcrdma_parm_table);
++ if (!svcrdma_table_header)
++ goto err_write;
++
+ return 0;
+
+-out_err:
++err_write:
++ rc = -ENOMEM;
++ percpu_counter_destroy(&svcrdma_stat_write);
++err_sq:
+ percpu_counter_destroy(&svcrdma_stat_sq_starve);
++err_recv:
+ percpu_counter_destroy(&svcrdma_stat_recv);
++err_read:
+ percpu_counter_destroy(&svcrdma_stat_read);
++err:
+ return rc;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 2736ec7d6fa314c6b5de202986bfc6bbd9b1e113 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Nov 2024 09:42:36 -0800
+Subject: tcp: Fix use-after-free of nreq in reqsk_timer_handler().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit c31e72d021db2714df03df6c42855a1db592716c ]
+
+The cited commit replaced inet_csk_reqsk_queue_drop_and_put() with
+__inet_csk_reqsk_queue_drop() and reqsk_put() in reqsk_timer_handler().
+
+Then, oreq should be passed to reqsk_put() instead of req; otherwise
+use-after-free of nreq could happen when reqsk is migrated but the
+retry attempt failed (e.g. due to timeout).
+
+Let's pass oreq to reqsk_put().
+
+Fixes: e8c526f2bdf1 ("tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().")
+Reported-by: Liu Jian <liujian56@huawei.com>
+Closes: https://lore.kernel.org/netdev/1284490f-9525-42ee-b7b8-ccadf6606f6d@huawei.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Reviewed-by: Liu Jian <liujian56@huawei.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://patch.msgid.link/20241123174236.62438-1-kuniyu@amazon.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/inet_connection_sock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
+index 569186f741fb2..8fa56a17f03a6 100644
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -1121,7 +1121,7 @@ static void reqsk_timer_handler(struct timer_list *t)
+
+ drop:
+ __inet_csk_reqsk_queue_drop(sk_listener, oreq, true);
+- reqsk_put(req);
++ reqsk_put(oreq);
+ }
+
+ static bool reqsk_queue_hash_req(struct request_sock *req,
+--
+2.43.0
+
--- /dev/null
+From 599a1033243e6b15539e7234a90c326961f35d25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Nov 2024 21:57:41 -0800
+Subject: tg3: Set coherent DMA mask bits to 31 for BCM57766 chipsets
+
+From: Pavan Chebbi <pavan.chebbi@broadcom.com>
+
+[ Upstream commit 614f4d166eeeb9bd709b0ad29552f691c0f45776 ]
+
+The hardware on Broadcom 1G chipsets have a known limitation
+where they cannot handle DMA addresses that cross over 4GB.
+When such an address is encountered, the hardware sets the
+address overflow error bit in the DMA status register and
+triggers a reset.
+
+However, BCM57766 hardware is setting the overflow bit and
+triggering a reset in some cases when there is no actual
+underlying address overflow. The hardware team analyzed the
+issue and concluded that it is happening when the status
+block update has an address with higher (b16 to b31) bits
+as 0xffff following a previous update that had lowest bits
+as 0xffff.
+
+To work around this bug in the BCM57766 hardware, set the
+coherent dma mask from the current 64b to 31b. This will
+ensure that upper bits of the status block DMA address are
+always at most 0x7fff, thus avoiding the improper overflow
+check described above. This work around is intended for only
+status block and ring memories and has no effect on TX and
+RX buffers as they do not require coherent memory.
+
+Fixes: 72f2afb8a685 ("[TG3]: Add DMA address workaround")
+Reported-by: Salam Noureddine <noureddine@arista.com>
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Reviewed-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Signed-off-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
+Link: https://patch.msgid.link/20241119055741.147144-1-pavan.chebbi@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/tg3.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
+index 0c694ab3c110c..dab0ab10d111a 100644
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -17736,6 +17736,9 @@ static int tg3_init_one(struct pci_dev *pdev,
+ } else
+ persist_dma_mask = dma_mask = DMA_BIT_MASK(64);
+
++ if (tg3_asic_rev(tp) == ASIC_REV_57766)
++ persist_dma_mask = DMA_BIT_MASK(31);
++
+ /* Configure DMA attributes. */
+ if (dma_mask > DMA_BIT_MASK(32)) {
+ err = dma_set_mask(&pdev->dev, dma_mask);
+--
+2.43.0
+
--- /dev/null
+From 24d6278e84099cec0bc1a4a06ec7a621c7bbf33f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2024 21:05:49 +0200
+Subject: thermal: core: Initialize thermal zones before registering them
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 662f920f7e390db5d1a6792a2b0ffa59b6c962fc ]
+
+Since user space can start interacting with a new thermal zone as soon
+as device_register() called by thermal_zone_device_register_with_trips()
+returns, it is better to initialize the thermal zone before calling
+device_register() on it.
+
+Fixes: d0df264fbd3c ("thermal/core: Remove pointless thermal_zone_device_reset() function")
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Link: https://patch.msgid.link/3336146.44csPzL39Z@rjwysocki.net
+Reviewed-by: Lukasz Luba <lukasz.luba@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/thermal_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
+index ebb36b2c72d5d..ba6f44f8b2623 100644
+--- a/drivers/thermal/thermal_core.c
++++ b/drivers/thermal/thermal_core.c
+@@ -1271,6 +1271,7 @@ thermal_zone_device_register_with_trips(const char *type, struct thermal_trip *t
+ thermal_zone_destroy_device_groups(tz);
+ goto remove_id;
+ }
++ thermal_zone_device_init(tz);
+ result = device_register(&tz->device);
+ if (result)
+ goto release_device;
+@@ -1313,7 +1314,6 @@ thermal_zone_device_register_with_trips(const char *type, struct thermal_trip *t
+
+ INIT_DELAYED_WORK(&tz->poll_queue, thermal_zone_device_check);
+
+- thermal_zone_device_init(tz);
+ /* Update the new thermal zone and mark it as already updated. */
+ if (atomic_cmpxchg(&tz->need_update, 1, 0))
+ thermal_zone_device_update(tz, THERMAL_EVENT_UNSPECIFIED);
+--
+2.43.0
+
--- /dev/null
+From 489151ee22d66c3efc61a398d54966ebbd5eeff0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2024 12:59:38 +0200
+Subject: thermal/lib: Fix memory leak on error in thermal_genl_auto()
+
+From: Daniel Lezcano <daniel.lezcano@linaro.org>
+
+[ Upstream commit 7569406e95f2353070d88ebc88e8c13698542317 ]
+
+The function thermal_genl_auto() does not free the allocated message
+in the error path. Fix that by putting a out label and jump to it
+which will free the message instead of directly returning an error.
+
+Fixes: 47c4b0de080a ("tools/lib/thermal: Add a thermal library")
+Reported-by: Lukasz Luba <lukasz.luba@arm.com>\a
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Reviewed-by: Lukasz Luba <lukasz.luba@arm.com>
+Link: https://patch.msgid.link/20241024105938.1095358-1-daniel.lezcano@linaro.org
+[ rjw: Fixed up the !msg error path, added Fixes tag ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/thermal/commands.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/tools/lib/thermal/commands.c b/tools/lib/thermal/commands.c
+index a9223df91dcf5..27b4442f0e347 100644
+--- a/tools/lib/thermal/commands.c
++++ b/tools/lib/thermal/commands.c
+@@ -279,6 +279,7 @@ static thermal_error_t thermal_genl_auto(struct thermal_handler *th, cmd_cb_t cm
+ struct cmd_param *param,
+ int cmd, int flags, void *arg)
+ {
++ thermal_error_t ret = THERMAL_ERROR;
+ struct nl_msg *msg;
+ void *hdr;
+
+@@ -289,17 +290,19 @@ static thermal_error_t thermal_genl_auto(struct thermal_handler *th, cmd_cb_t cm
+ hdr = genlmsg_put(msg, NL_AUTO_PORT, NL_AUTO_SEQ, thermal_cmd_ops.o_id,
+ 0, flags, cmd, THERMAL_GENL_VERSION);
+ if (!hdr)
+- return THERMAL_ERROR;
++ goto out;
+
+ if (cmd_cb && cmd_cb(msg, param))
+- return THERMAL_ERROR;
++ goto out;
+
+ if (nl_send_msg(th->sk_cmd, th->cb_cmd, msg, genl_handle_msg, arg))
+- return THERMAL_ERROR;
++ goto out;
+
++ ret = THERMAL_SUCCESS;
++out:
+ nlmsg_free(msg);
+
+- return THERMAL_SUCCESS;
++ return ret;
+ }
+
+ thermal_error_t thermal_cmd_get_tz(struct thermal_handler *th, struct thermal_zone **tz)
+--
+2.43.0
+
--- /dev/null
+From 36315077f4ed5f3b06e88ed85aef845646a96d7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2024 13:01:41 +0200
+Subject: time: Fix references to _msecs_to_jiffies() handling of values
+
+From: Miguel Ojeda <ojeda@kernel.org>
+
+[ Upstream commit 92b043fd995a63a57aae29ff85a39b6f30cd440c ]
+
+The details about the handling of the "normal" values were moved
+to the _msecs_to_jiffies() helpers in commit ca42aaf0c861 ("time:
+Refactor msecs_to_jiffies"). However, the same commit still mentioned
+__msecs_to_jiffies() in the added documentation.
+
+Thus point to _msecs_to_jiffies() instead.
+
+Fixes: ca42aaf0c861 ("time: Refactor msecs_to_jiffies")
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/all/20241025110141.157205-2-ojeda@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/jiffies.h | 2 +-
+ kernel/time/time.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/jiffies.h b/include/linux/jiffies.h
+index 5e13f801c9021..3778e26f7b14c 100644
+--- a/include/linux/jiffies.h
++++ b/include/linux/jiffies.h
+@@ -349,7 +349,7 @@ static inline unsigned long _msecs_to_jiffies(const unsigned int m)
+ * - all other values are converted to jiffies by either multiplying
+ * the input value by a factor or dividing it with a factor and
+ * handling any 32-bit overflows.
+- * for the details see __msecs_to_jiffies()
++ * for the details see _msecs_to_jiffies()
+ *
+ * msecs_to_jiffies() checks for the passed in value being a constant
+ * via __builtin_constant_p() allowing gcc to eliminate most of the
+diff --git a/kernel/time/time.c b/kernel/time/time.c
+index 526257b3727ca..a92c7f3277ad6 100644
+--- a/kernel/time/time.c
++++ b/kernel/time/time.c
+@@ -539,7 +539,7 @@ EXPORT_SYMBOL(ns_to_timespec64);
+ * - all other values are converted to jiffies by either multiplying
+ * the input value by a factor or dividing it with a factor and
+ * handling any 32-bit overflows.
+- * for the details see __msecs_to_jiffies()
++ * for the details see _msecs_to_jiffies()
+ *
+ * msecs_to_jiffies() checks for the passed in value being a constant
+ * via __builtin_constant_p() allowing gcc to eliminate most of the
+--
+2.43.0
+
--- /dev/null
+From cac5a0657199d172265f9c89748642fe98e207a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Oct 2024 17:51:43 +0200
+Subject: tools/lib/thermal: Make more generic the command encoding function
+
+From: Daniel Lezcano <daniel.lezcano@linaro.org>
+
+[ Upstream commit 24b216b2d13568c703a76137ef54a2a9531a71d8 ]
+
+The thermal netlink has been extended with more commands which require
+an encoding with more information. The generic encoding function puts
+the thermal zone id with the command name. It is the unique
+parameters.
+
+The next changes will provide more parameters to the command. Set the
+scene for those new parameters by making the encoding function more
+generic.
+
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Reviewed-by: Lukasz Luba <lukasz.luba@arm.com>
+Link: https://patch.msgid.link/20241022155147.463475-4-daniel.lezcano@linaro.org
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Stable-dep-of: 7569406e95f2 ("thermal/lib: Fix memory leak on error in thermal_genl_auto()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/thermal/commands.c | 41 ++++++++++++++++++++++++++++--------
+ 1 file changed, 32 insertions(+), 9 deletions(-)
+
+diff --git a/tools/lib/thermal/commands.c b/tools/lib/thermal/commands.c
+index 73d4d4e8d6ec0..a9223df91dcf5 100644
+--- a/tools/lib/thermal/commands.c
++++ b/tools/lib/thermal/commands.c
+@@ -261,8 +261,23 @@ static struct genl_ops thermal_cmd_ops = {
+ .o_ncmds = ARRAY_SIZE(thermal_cmds),
+ };
+
+-static thermal_error_t thermal_genl_auto(struct thermal_handler *th, int id, int cmd,
+- int flags, void *arg)
++struct cmd_param {
++ int tz_id;
++};
++
++typedef int (*cmd_cb_t)(struct nl_msg *, struct cmd_param *);
++
++static int thermal_genl_tz_id_encode(struct nl_msg *msg, struct cmd_param *p)
++{
++ if (p->tz_id >= 0 && nla_put_u32(msg, THERMAL_GENL_ATTR_TZ_ID, p->tz_id))
++ return -1;
++
++ return 0;
++}
++
++static thermal_error_t thermal_genl_auto(struct thermal_handler *th, cmd_cb_t cmd_cb,
++ struct cmd_param *param,
++ int cmd, int flags, void *arg)
+ {
+ struct nl_msg *msg;
+ void *hdr;
+@@ -276,7 +291,7 @@ static thermal_error_t thermal_genl_auto(struct thermal_handler *th, int id, int
+ if (!hdr)
+ return THERMAL_ERROR;
+
+- if (id >= 0 && nla_put_u32(msg, THERMAL_GENL_ATTR_TZ_ID, id))
++ if (cmd_cb && cmd_cb(msg, param))
+ return THERMAL_ERROR;
+
+ if (nl_send_msg(th->sk_cmd, th->cb_cmd, msg, genl_handle_msg, arg))
+@@ -289,30 +304,38 @@ static thermal_error_t thermal_genl_auto(struct thermal_handler *th, int id, int
+
+ thermal_error_t thermal_cmd_get_tz(struct thermal_handler *th, struct thermal_zone **tz)
+ {
+- return thermal_genl_auto(th, -1, THERMAL_GENL_CMD_TZ_GET_ID,
++ return thermal_genl_auto(th, NULL, NULL, THERMAL_GENL_CMD_TZ_GET_ID,
+ NLM_F_DUMP | NLM_F_ACK, tz);
+ }
+
+ thermal_error_t thermal_cmd_get_cdev(struct thermal_handler *th, struct thermal_cdev **tc)
+ {
+- return thermal_genl_auto(th, -1, THERMAL_GENL_CMD_CDEV_GET,
++ return thermal_genl_auto(th, NULL, NULL, THERMAL_GENL_CMD_CDEV_GET,
+ NLM_F_DUMP | NLM_F_ACK, tc);
+ }
+
+ thermal_error_t thermal_cmd_get_trip(struct thermal_handler *th, struct thermal_zone *tz)
+ {
+- return thermal_genl_auto(th, tz->id, THERMAL_GENL_CMD_TZ_GET_TRIP,
+- 0, tz);
++ struct cmd_param p = { .tz_id = tz->id };
++
++ return thermal_genl_auto(th, thermal_genl_tz_id_encode, &p,
++ THERMAL_GENL_CMD_TZ_GET_TRIP, 0, tz);
+ }
+
+ thermal_error_t thermal_cmd_get_governor(struct thermal_handler *th, struct thermal_zone *tz)
+ {
+- return thermal_genl_auto(th, tz->id, THERMAL_GENL_CMD_TZ_GET_GOV, 0, tz);
++ struct cmd_param p = { .tz_id = tz->id };
++
++ return thermal_genl_auto(th, thermal_genl_tz_id_encode, &p,
++ THERMAL_GENL_CMD_TZ_GET_GOV, 0, tz);
+ }
+
+ thermal_error_t thermal_cmd_get_temp(struct thermal_handler *th, struct thermal_zone *tz)
+ {
+- return thermal_genl_auto(th, tz->id, THERMAL_GENL_CMD_TZ_GET_TEMP, 0, tz);
++ struct cmd_param p = { .tz_id = tz->id };
++
++ return thermal_genl_auto(th, thermal_genl_tz_id_encode, &p,
++ THERMAL_GENL_CMD_TZ_GET_TEMP, 0, tz);
+ }
+
+ thermal_error_t thermal_cmd_exit(struct thermal_handler *th)
+--
+2.43.0
+
--- /dev/null
+From 3bf83c9d8b04669047feefe9cc95cb120dc4e91a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 19:19:51 -0400
+Subject: tpm: fix signed/unsigned bug when checking event logs
+
+From: Gregory Price <gourry@gourry.net>
+
+[ Upstream commit e6d654e9f5a97742cfe794b1c4bb5d3fb2d25e98 ]
+
+A prior bugfix that fixes a signed/unsigned error causes
+another signed unsigned error.
+
+A situation where log_tbl->size is invalid can cause the
+size passed to memblock_reserve to become negative.
+
+log_size from the main event log is an unsigned int, and
+the code reduces to the following
+
+u64 value = (int)unsigned_value;
+
+This results in sign extension, and the value sent to
+memblock_reserve becomes effectively negative.
+
+Fixes: be59d57f9806 ("efi/tpm: Fix sanity check of unsigned tbl_size being less than zero")
+Signed-off-by: Gregory Price <gourry@gourry.net>
+Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/tpm.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c
+index e8d69bd548f3f..9c3613e6af158 100644
+--- a/drivers/firmware/efi/tpm.c
++++ b/drivers/firmware/efi/tpm.c
+@@ -40,7 +40,8 @@ int __init efi_tpm_eventlog_init(void)
+ {
+ struct linux_efi_tpm_eventlog *log_tbl;
+ struct efi_tcg2_final_events_table *final_tbl;
+- int tbl_size;
++ unsigned int tbl_size;
++ int final_tbl_size;
+ int ret = 0;
+
+ if (efi.tpm_log == EFI_INVALID_TABLE_ADDR) {
+@@ -80,26 +81,26 @@ int __init efi_tpm_eventlog_init(void)
+ goto out;
+ }
+
+- tbl_size = 0;
++ final_tbl_size = 0;
+ if (final_tbl->nr_events != 0) {
+ void *events = (void *)efi.tpm_final_log
+ + sizeof(final_tbl->version)
+ + sizeof(final_tbl->nr_events);
+
+- tbl_size = tpm2_calc_event_log_size(events,
+- final_tbl->nr_events,
+- log_tbl->log);
++ final_tbl_size = tpm2_calc_event_log_size(events,
++ final_tbl->nr_events,
++ log_tbl->log);
+ }
+
+- if (tbl_size < 0) {
++ if (final_tbl_size < 0) {
+ pr_err(FW_BUG "Failed to parse event in TPM Final Events Log\n");
+ ret = -EINVAL;
+ goto out_calc;
+ }
+
+ memblock_reserve(efi.tpm_final_log,
+- tbl_size + sizeof(*final_tbl));
+- efi_tpm_final_log_size = tbl_size;
++ final_tbl_size + sizeof(*final_tbl));
++ efi_tpm_final_log_size = final_tbl_size;
+
+ out_calc:
+ early_memunmap(final_tbl, sizeof(*final_tbl));
+--
+2.43.0
+
--- /dev/null
+From 76696347db1f94f6572911446e0ecdbc2c620ef1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 03:13:47 +0100
+Subject: trace/trace_event_perf: remove duplicate samples on the first
+ tracepoint event
+
+From: Levi Yun <yeoreum.yun@arm.com>
+
+[ Upstream commit afe5960dc208fe069ddaaeb0994d857b24ac19d1 ]
+
+When a tracepoint event is created with attr.freq = 1,
+'hwc->period_left' is not initialized correctly. As a result,
+in the perf_swevent_overflow() function, when the first time the event occurs,
+it calculates the event overflow and the perf_swevent_set_period() returns 3,
+this leads to the event are recorded for three duplicate times.
+
+Step to reproduce:
+ 1. Enable the tracepoint event & starting tracing
+ $ echo 1 > /sys/kernel/tracing/events/module/module_free
+ $ echo 1 > /sys/kernel/tracing/tracing_on
+
+ 2. Record with perf
+ $ perf record -a --strict-freq -F 1 -e "module:module_free"
+
+ 3. Trigger module_free event.
+ $ modprobe -i sunrpc
+ $ modprobe -r sunrpc
+
+Result:
+ - Trace pipe result:
+ $ cat trace_pipe
+ modprobe-174509 [003] ..... 6504.868896: module_free: sunrpc
+
+ - perf sample:
+ modprobe 174509 [003] 6504.868980: module:module_free: sunrpc
+ modprobe 174509 [003] 6504.868980: module:module_free: sunrpc
+ modprobe 174509 [003] 6504.868980: module:module_free: sunrpc
+
+By setting period_left via perf_swevent_set_period() as other sw_event did,
+This problem could be solved.
+
+After patch:
+ - Trace pipe result:
+ $ cat trace_pipe
+ modprobe 1153096 [068] 613468.867774: module:module_free: xfs
+
+ - perf sample
+ modprobe 1153096 [068] 613468.867794: module:module_free: xfs
+
+Link: https://lore.kernel.org/20240913021347.595330-1-yeoreum.yun@arm.com
+Fixes: bd2b5b12849a ("perf_counter: More aggressive frequency adjustment")
+Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_event_perf.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/kernel/trace/trace_event_perf.c b/kernel/trace/trace_event_perf.c
+index 61e3a2620fa3c..f2000cf2b3bba 100644
+--- a/kernel/trace/trace_event_perf.c
++++ b/kernel/trace/trace_event_perf.c
+@@ -356,10 +356,16 @@ void perf_uprobe_destroy(struct perf_event *p_event)
+ int perf_trace_add(struct perf_event *p_event, int flags)
+ {
+ struct trace_event_call *tp_event = p_event->tp_event;
++ struct hw_perf_event *hwc = &p_event->hw;
+
+ if (!(flags & PERF_EF_START))
+ p_event->hw.state = PERF_HES_STOPPED;
+
++ if (is_sampling_event(p_event)) {
++ hwc->last_period = hwc->sample_period;
++ perf_swevent_set_period(p_event);
++ }
++
+ /*
+ * If TRACE_REG_PERF_ADD returns false; no custom action was performed
+ * and we need to take the default action of enqueueing our event on
+--
+2.43.0
+
--- /dev/null
+From c470bb8590e7273028373d078cc8571166caa475 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 19:55:03 -0300
+Subject: unicode: Fix utf8_load() error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: André Almeida <andrealmeid@igalia.com>
+
+[ Upstream commit 156bb2c569cd869583c593d27a5bd69e7b2a4264 ]
+
+utf8_load() requests the symbol "utf8_data_table" and then checks if the
+requested UTF-8 version is supported. If it's unsupported, it tries to
+put the data table using symbol_put(). If an unsupported version is
+requested, symbol_put() fails like this:
+
+ kernel BUG at kernel/module/main.c:786!
+ RIP: 0010:__symbol_put+0x93/0xb0
+ Call Trace:
+ <TASK>
+ ? __die_body.cold+0x19/0x27
+ ? die+0x2e/0x50
+ ? do_trap+0xca/0x110
+ ? do_error_trap+0x65/0x80
+ ? __symbol_put+0x93/0xb0
+ ? exc_invalid_op+0x51/0x70
+ ? __symbol_put+0x93/0xb0
+ ? asm_exc_invalid_op+0x1a/0x20
+ ? __pfx_cmp_name+0x10/0x10
+ ? __symbol_put+0x93/0xb0
+ ? __symbol_put+0x62/0xb0
+ utf8_load+0xf8/0x150
+
+That happens because symbol_put() expects the unique string that
+identify the symbol, instead of a pointer to the loaded symbol. Fix that
+by using such string.
+
+Fixes: 2b3d04787012 ("unicode: Add utf8-data module")
+Signed-off-by: André Almeida <andrealmeid@igalia.com>
+Reviewed-by: Theodore Ts'o <tytso@mit.edu>
+Link: https://lore.kernel.org/r/20240902225511.757831-2-andrealmeid@igalia.com
+Signed-off-by: Gabriel Krisman Bertazi <krisman@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/unicode/utf8-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/unicode/utf8-core.c b/fs/unicode/utf8-core.c
+index 67aaadc3ab072..c887edc4f527c 100644
+--- a/fs/unicode/utf8-core.c
++++ b/fs/unicode/utf8-core.c
+@@ -198,7 +198,7 @@ struct unicode_map *utf8_load(unsigned int version)
+ return um;
+
+ out_symbol_put:
+- symbol_put(um->tables);
++ symbol_put(utf8_data_table);
+ out_free_um:
+ kfree(um);
+ return ERR_PTR(-EINVAL);
+--
+2.43.0
+
--- /dev/null
+From 0e28ef45684455cd58a3e885690f00ec16fece45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2024 15:21:41 +0200
+Subject: USB: chaoskey: fail open after removal
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit 422dc0a4d12d0b80dd3aab3fe5943f665ba8f041 ]
+
+chaoskey_open() takes the lock only to increase the
+counter of openings. That means that the mutual exclusion
+with chaoskey_disconnect() cannot prevent an increase
+of the counter and chaoskey_open() returning a success.
+
+If that race is hit, chaoskey_disconnect() will happily
+free all resources associated with the device after
+it has dropped the lock, as it has read the counter
+as zero.
+
+To prevent this race chaoskey_open() has to check
+the presence of the device under the lock.
+However, the current per device lock cannot be used,
+because it is a part of the data structure to be
+freed. Hence an additional global mutex is needed.
+The issue is as old as the driver.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reported-by: syzbot+422188bce66e76020e55@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=422188bce66e76020e55
+Fixes: 66e3e591891da ("usb: Add driver for Altus Metrum ChaosKey device (v2)")
+Rule: add
+Link: https://lore.kernel.org/stable/20241002132201.552578-1-oneukum%40suse.com
+Link: https://lore.kernel.org/r/20241002132201.552578-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/misc/chaoskey.c | 35 ++++++++++++++++++++++++-----------
+ 1 file changed, 24 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/usb/misc/chaoskey.c b/drivers/usb/misc/chaoskey.c
+index 87067c3d6109b..32fa7fd50c380 100644
+--- a/drivers/usb/misc/chaoskey.c
++++ b/drivers/usb/misc/chaoskey.c
+@@ -27,6 +27,8 @@ static struct usb_class_driver chaoskey_class;
+ static int chaoskey_rng_read(struct hwrng *rng, void *data,
+ size_t max, bool wait);
+
++static DEFINE_MUTEX(chaoskey_list_lock);
++
+ #define usb_dbg(usb_if, format, arg...) \
+ dev_dbg(&(usb_if)->dev, format, ## arg)
+
+@@ -231,6 +233,7 @@ static void chaoskey_disconnect(struct usb_interface *interface)
+ if (dev->hwrng_registered)
+ hwrng_unregister(&dev->hwrng);
+
++ mutex_lock(&chaoskey_list_lock);
+ usb_deregister_dev(interface, &chaoskey_class);
+
+ usb_set_intfdata(interface, NULL);
+@@ -245,6 +248,7 @@ static void chaoskey_disconnect(struct usb_interface *interface)
+ } else
+ mutex_unlock(&dev->lock);
+
++ mutex_unlock(&chaoskey_list_lock);
+ usb_dbg(interface, "disconnect done");
+ }
+
+@@ -252,6 +256,7 @@ static int chaoskey_open(struct inode *inode, struct file *file)
+ {
+ struct chaoskey *dev;
+ struct usb_interface *interface;
++ int rv = 0;
+
+ /* get the interface from minor number and driver information */
+ interface = usb_find_interface(&chaoskey_driver, iminor(inode));
+@@ -267,18 +272,23 @@ static int chaoskey_open(struct inode *inode, struct file *file)
+ }
+
+ file->private_data = dev;
++ mutex_lock(&chaoskey_list_lock);
+ mutex_lock(&dev->lock);
+- ++dev->open;
++ if (dev->present)
++ ++dev->open;
++ else
++ rv = -ENODEV;
+ mutex_unlock(&dev->lock);
++ mutex_unlock(&chaoskey_list_lock);
+
+- usb_dbg(interface, "open success");
+- return 0;
++ return rv;
+ }
+
+ static int chaoskey_release(struct inode *inode, struct file *file)
+ {
+ struct chaoskey *dev = file->private_data;
+ struct usb_interface *interface;
++ int rv = 0;
+
+ if (dev == NULL)
+ return -ENODEV;
+@@ -287,14 +297,15 @@ static int chaoskey_release(struct inode *inode, struct file *file)
+
+ usb_dbg(interface, "release");
+
++ mutex_lock(&chaoskey_list_lock);
+ mutex_lock(&dev->lock);
+
+ usb_dbg(interface, "open count at release is %d", dev->open);
+
+ if (dev->open <= 0) {
+ usb_dbg(interface, "invalid open count (%d)", dev->open);
+- mutex_unlock(&dev->lock);
+- return -ENODEV;
++ rv = -ENODEV;
++ goto bail;
+ }
+
+ --dev->open;
+@@ -303,13 +314,15 @@ static int chaoskey_release(struct inode *inode, struct file *file)
+ if (dev->open == 0) {
+ mutex_unlock(&dev->lock);
+ chaoskey_free(dev);
+- } else
+- mutex_unlock(&dev->lock);
+- } else
+- mutex_unlock(&dev->lock);
+-
++ goto destruction;
++ }
++ }
++bail:
++ mutex_unlock(&dev->lock);
++destruction:
++ mutex_lock(&chaoskey_list_lock);
+ usb_dbg(interface, "release success");
+- return 0;
++ return rv;
+ }
+
+ static void chaos_read_callback(struct urb *urb)
+--
+2.43.0
+
--- /dev/null
+From 0974fabaa32d85e3ccfb17a2fce0e2fc50e13e68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 22:52:07 +0800
+Subject: USB: chaoskey: Fix possible deadlock chaoskey_list_lock
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+[ Upstream commit d73dc7b182be4238b75278bfae16afb4c5564a58 ]
+
+[Syzbot reported two possible deadlocks]
+The first possible deadlock is:
+WARNING: possible recursive locking detected
+6.12.0-rc1-syzkaller-00027-g4a9fe2a8ac53 #0 Not tainted
+--------------------------------------------
+syz-executor363/2651 is trying to acquire lock:
+ffffffff89b120e8 (chaoskey_list_lock){+.+.}-{3:3}, at: chaoskey_release+0x15d/0x2c0 drivers/usb/misc/chaoskey.c:322
+
+but task is already holding lock:
+ffffffff89b120e8 (chaoskey_list_lock){+.+.}-{3:3}, at: chaoskey_release+0x7f/0x2c0 drivers/usb/misc/chaoskey.c:299
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(chaoskey_list_lock);
+ lock(chaoskey_list_lock);
+
+ *** DEADLOCK ***
+
+The second possible deadlock is:
+WARNING: possible circular locking dependency detected
+6.12.0-rc1-syzkaller-00027-g4a9fe2a8ac53 #0 Not tainted
+------------------------------------------------------
+kworker/0:2/804 is trying to acquire lock:
+ffffffff899dadb0 (minor_rwsem){++++}-{3:3}, at: usb_deregister_dev+0x7c/0x1e0 drivers/usb/core/file.c:186
+
+but task is already holding lock:
+ffffffff89b120e8 (chaoskey_list_lock){+.+.}-{3:3}, at: chaoskey_disconnect+0xa8/0x2a0 drivers/usb/misc/chaoskey.c:235
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #1 (chaoskey_list_lock){+.+.}-{3:3}:
+ __mutex_lock_common kernel/locking/mutex.c:608 [inline]
+ __mutex_lock+0x175/0x9c0 kernel/locking/mutex.c:752
+ chaoskey_open+0xdd/0x220 drivers/usb/misc/chaoskey.c:274
+ usb_open+0x186/0x220 drivers/usb/core/file.c:47
+ chrdev_open+0x237/0x6a0 fs/char_dev.c:414
+ do_dentry_open+0x6cb/0x1390 fs/open.c:958
+ vfs_open+0x82/0x3f0 fs/open.c:1088
+ do_open fs/namei.c:3774 [inline]
+ path_openat+0x1e6a/0x2d60 fs/namei.c:3933
+ do_filp_open+0x1dc/0x430 fs/namei.c:3960
+ do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
+ do_sys_open fs/open.c:1430 [inline]
+ __do_sys_openat fs/open.c:1446 [inline]
+ __se_sys_openat fs/open.c:1441 [inline]
+ __x64_sys_openat+0x175/0x210 fs/open.c:1441
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+-> #0 (minor_rwsem){++++}-{3:3}:
+ check_prev_add kernel/locking/lockdep.c:3161 [inline]
+ check_prevs_add kernel/locking/lockdep.c:3280 [inline]
+ validate_chain kernel/locking/lockdep.c:3904 [inline]
+ __lock_acquire+0x250b/0x3ce0 kernel/locking/lockdep.c:5202
+ lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5825
+ down_write+0x93/0x200 kernel/locking/rwsem.c:1577
+ usb_deregister_dev+0x7c/0x1e0 drivers/usb/core/file.c:186
+ chaoskey_disconnect+0xb7/0x2a0 drivers/usb/misc/chaoskey.c:236
+ usb_unbind_interface+0x1e8/0x970 drivers/usb/core/driver.c:461
+ device_remove drivers/base/dd.c:569 [inline]
+ device_remove+0x122/0x170 drivers/base/dd.c:561
+ __device_release_driver drivers/base/dd.c:1273 [inline]
+ device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
+ bus_remove_device+0x22f/0x420 drivers/base/bus.c:576
+ device_del+0x396/0x9f0 drivers/base/core.c:3864
+ usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418
+ usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2304
+ hub_port_connect drivers/usb/core/hub.c:5361 [inline]
+ hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
+ port_event drivers/usb/core/hub.c:5821 [inline]
+ hub_event+0x1bed/0x4f40 drivers/usb/core/hub.c:5903
+ process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
+ process_scheduled_works kernel/workqueue.c:3310 [inline]
+ worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
+ kthread+0x2c1/0x3a0 kernel/kthread.c:389
+ ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+
+other info that might help us debug this:
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(chaoskey_list_lock);
+ lock(minor_rwsem);
+ lock(chaoskey_list_lock);
+ lock(minor_rwsem);
+
+ *** DEADLOCK ***
+[Analysis]
+The first is AA lock, it because wrong logic, it need a unlock.
+The second is AB lock, it needs to rearrange the order of lock usage.
+
+Fixes: 422dc0a4d12d ("USB: chaoskey: fail open after removal")
+Reported-by: syzbot+685e14d04fe35692d3bc@syzkaller.appspotmail.com
+Reported-by: syzbot+1f8ca5ee82576ec01f12@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=685e14d04fe35692d3bc
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Tested-by: syzbot+685e14d04fe35692d3bc@syzkaller.appspotmail.com
+Reported-by: syzbot+5f1ce62e956b7b19610e@syzkaller.appspotmail.com
+Tested-by: syzbot+5f1ce62e956b7b19610e@syzkaller.appspotmail.com
+Tested-by: syzbot+1f8ca5ee82576ec01f12@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/tencent_84EB865C89862EC22EE94CB3A7C706C59206@qq.com
+Cc: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/misc/chaoskey.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/misc/chaoskey.c b/drivers/usb/misc/chaoskey.c
+index 32fa7fd50c380..d99d424c05a7a 100644
+--- a/drivers/usb/misc/chaoskey.c
++++ b/drivers/usb/misc/chaoskey.c
+@@ -233,10 +233,10 @@ static void chaoskey_disconnect(struct usb_interface *interface)
+ if (dev->hwrng_registered)
+ hwrng_unregister(&dev->hwrng);
+
+- mutex_lock(&chaoskey_list_lock);
+ usb_deregister_dev(interface, &chaoskey_class);
+
+ usb_set_intfdata(interface, NULL);
++ mutex_lock(&chaoskey_list_lock);
+ mutex_lock(&dev->lock);
+
+ dev->present = false;
+@@ -320,7 +320,7 @@ static int chaoskey_release(struct inode *inode, struct file *file)
+ bail:
+ mutex_unlock(&dev->lock);
+ destruction:
+- mutex_lock(&chaoskey_list_lock);
++ mutex_unlock(&chaoskey_list_lock);
+ usb_dbg(interface, "release success");
+ return rv;
+ }
+--
+2.43.0
+
--- /dev/null
+From 4b065b2c04e2c532582dc886bf65d920df6e1250 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Sep 2024 19:34:03 +0900
+Subject: usb: using mutex lock and supporting O_NONBLOCK flag in
+ iowarrior_read()
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+[ Upstream commit 44feafbaa66ec86232b123bb8437a6a262442025 ]
+
+iowarrior_read() uses the iowarrior dev structure, but does not use any
+lock on the structure. This can cause various bugs including data-races,
+so it is more appropriate to use a mutex lock to safely protect the
+iowarrior dev structure. When using a mutex lock, you should split the
+branch to prevent blocking when the O_NONBLOCK flag is set.
+
+In addition, it is unnecessary to check for NULL on the iowarrior dev
+structure obtained by reading file->private_data. Therefore, it is
+better to remove the check.
+
+Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Link: https://lore.kernel.org/r/20240919103403.3986-1-aha310510@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/misc/iowarrior.c | 46 ++++++++++++++++++++++++++++--------
+ 1 file changed, 36 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
+index b421f13260875..2fde8dd0b3e21 100644
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -277,28 +277,45 @@ static ssize_t iowarrior_read(struct file *file, char __user *buffer,
+ struct iowarrior *dev;
+ int read_idx;
+ int offset;
++ int retval;
+
+ dev = file->private_data;
+
++ if (file->f_flags & O_NONBLOCK) {
++ retval = mutex_trylock(&dev->mutex);
++ if (!retval)
++ return -EAGAIN;
++ } else {
++ retval = mutex_lock_interruptible(&dev->mutex);
++ if (retval)
++ return -ERESTARTSYS;
++ }
++
+ /* verify that the device wasn't unplugged */
+- if (!dev || !dev->present)
+- return -ENODEV;
++ if (!dev->present) {
++ retval = -ENODEV;
++ goto exit;
++ }
+
+ dev_dbg(&dev->interface->dev, "minor %d, count = %zd\n",
+ dev->minor, count);
+
+ /* read count must be packet size (+ time stamp) */
+ if ((count != dev->report_size)
+- && (count != (dev->report_size + 1)))
+- return -EINVAL;
++ && (count != (dev->report_size + 1))) {
++ retval = -EINVAL;
++ goto exit;
++ }
+
+ /* repeat until no buffer overrun in callback handler occur */
+ do {
+ atomic_set(&dev->overflow_flag, 0);
+ if ((read_idx = read_index(dev)) == -1) {
+ /* queue empty */
+- if (file->f_flags & O_NONBLOCK)
+- return -EAGAIN;
++ if (file->f_flags & O_NONBLOCK) {
++ retval = -EAGAIN;
++ goto exit;
++ }
+ else {
+ //next line will return when there is either new data, or the device is unplugged
+ int r = wait_event_interruptible(dev->read_wait,
+@@ -309,28 +326,37 @@ static ssize_t iowarrior_read(struct file *file, char __user *buffer,
+ -1));
+ if (r) {
+ //we were interrupted by a signal
+- return -ERESTART;
++ retval = -ERESTART;
++ goto exit;
+ }
+ if (!dev->present) {
+ //The device was unplugged
+- return -ENODEV;
++ retval = -ENODEV;
++ goto exit;
+ }
+ if (read_idx == -1) {
+ // Can this happen ???
+- return 0;
++ retval = 0;
++ goto exit;
+ }
+ }
+ }
+
+ offset = read_idx * (dev->report_size + 1);
+ if (copy_to_user(buffer, dev->read_queue + offset, count)) {
+- return -EFAULT;
++ retval = -EFAULT;
++ goto exit;
+ }
+ } while (atomic_read(&dev->overflow_flag));
+
+ read_idx = ++read_idx == MAX_INTERRUPT_BUFFER ? 0 : read_idx;
+ atomic_set(&dev->read_idx, read_idx);
++ mutex_unlock(&dev->mutex);
+ return count;
++
++exit:
++ mutex_unlock(&dev->mutex);
++ return retval;
+ }
+
+ /*
+--
+2.43.0
+
--- /dev/null
+From 3d43204e5539bf4f4569c8d00cfb7a38c1c82e4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Sep 2024 10:43:45 +0200
+Subject: usb: yurex: make waiting on yurex_write interruptible
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit e0aa9614ab0fd35b404e4b16ebe879f9fc152591 ]
+
+The IO yurex_write() needs to wait for in order to have a device
+ready for writing again can take a long time time.
+Consequently the sleep is done in an interruptible state.
+Therefore others waiting for yurex_write() itself to finish should
+use mutex_lock_interruptible.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Fixes: 6bc235a2e24a5 ("USB: add driver for Meywa-Denki & Kayac YUREX")
+Rule: add
+Link: https://lore.kernel.org/stable/20240924084415.300557-1-oneukum%40suse.com
+Link: https://lore.kernel.org/r/20240924084415.300557-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/misc/iowarrior.c | 4 ----
+ drivers/usb/misc/yurex.c | 5 ++++-
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
+index 2fde8dd0b3e21..5606c5a2624a7 100644
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -912,7 +912,6 @@ static int iowarrior_probe(struct usb_interface *interface,
+ static void iowarrior_disconnect(struct usb_interface *interface)
+ {
+ struct iowarrior *dev = usb_get_intfdata(interface);
+- int minor = dev->minor;
+
+ usb_deregister_dev(interface, &iowarrior_class);
+
+@@ -936,9 +935,6 @@ static void iowarrior_disconnect(struct usb_interface *interface)
+ mutex_unlock(&dev->mutex);
+ iowarrior_delete(dev);
+ }
+-
+- dev_info(&interface->dev, "I/O-Warror #%d now disconnected\n",
+- minor - IOWARRIOR_MINOR_BASE);
+ }
+
+ /* usb specific object needed to register this driver with the usb subsystem */
+diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c
+index c313cd41f7a5a..0eed614ac1273 100644
+--- a/drivers/usb/misc/yurex.c
++++ b/drivers/usb/misc/yurex.c
+@@ -441,7 +441,10 @@ static ssize_t yurex_write(struct file *file, const char __user *user_buffer,
+ if (count == 0)
+ goto error;
+
+- mutex_lock(&dev->io_mutex);
++ retval = mutex_lock_interruptible(&dev->io_mutex);
++ if (retval < 0)
++ return -EINTR;
++
+ if (dev->disconnected) { /* already disconnected */
+ mutex_unlock(&dev->io_mutex);
+ retval = -ENODEV;
+--
+2.43.0
+
--- /dev/null
+From f384c38a5b90433278ed1502a79d04fa50c171da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Oct 2024 16:40:40 +0300
+Subject: vdpa/mlx5: Fix suboptimal range on iotlb iteration
+
+From: Si-Wei Liu <si-wei.liu@oracle.com>
+
+[ Upstream commit 35025963326e44d8bced3eecd42d2f040f4f0024 ]
+
+The starting iova address to iterate iotlb map entry within a range
+was set to an irrelevant value when passing to the itree_next()
+iterator, although luckily it doesn't affect the outcome of finding
+out the granule of the smallest iotlb map size. Fix the code to make
+it consistent with the following for-loop.
+
+Fixes: 94abbccdf291 ("vdpa/mlx5: Add shared memory registration code")
+Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
+Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
+Message-Id: <20241021134040.975221-3-dtatulea@nvidia.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vdpa/mlx5/core/mr.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/vdpa/mlx5/core/mr.c b/drivers/vdpa/mlx5/core/mr.c
+index 4f0a2edc2333d..b6ac21b0322d7 100644
+--- a/drivers/vdpa/mlx5/core/mr.c
++++ b/drivers/vdpa/mlx5/core/mr.c
+@@ -227,7 +227,6 @@ static int map_direct_mr(struct mlx5_vdpa_dev *mvdev, struct mlx5_vdpa_direct_mr
+ unsigned long lgcd = 0;
+ int log_entity_size;
+ unsigned long size;
+- u64 start = 0;
+ int err;
+ struct page *pg;
+ unsigned int nsg;
+@@ -238,10 +237,9 @@ static int map_direct_mr(struct mlx5_vdpa_dev *mvdev, struct mlx5_vdpa_direct_mr
+ struct device *dma = mvdev->vdev.dma_dev;
+
+ for (map = vhost_iotlb_itree_first(iotlb, mr->start, mr->end - 1);
+- map; map = vhost_iotlb_itree_next(map, start, mr->end - 1)) {
++ map; map = vhost_iotlb_itree_next(map, mr->start, mr->end - 1)) {
+ size = maplen(map, mr);
+ lgcd = gcd(lgcd, size);
+- start += size;
+ }
+ log_entity_size = ilog2(lgcd);
+
+--
+2.43.0
+
--- /dev/null
+From 1850f8122cf15bb3f4340d4a78fc4e471fc11c64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Apr 2023 12:45:23 +0530
+Subject: venus: venc: add handling for VIDIOC_ENCODER_CMD
+
+From: Dikshita Agarwal <quic_dikshita@quicinc.com>
+
+[ Upstream commit 7493db46e4c4aa5126dd32f8eae12a4cdcf7a401 ]
+
+Add handling for below commands in encoder:
+1. V4L2_ENC_CMD_STOP
+2. V4L2_ENC_CMD_START
+
+Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
+Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Stable-dep-of: 6c9934c5a00a ("media: venus: fix enc/dec destruction order")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/qcom/venus/core.h | 9 ++++
+ drivers/media/platform/qcom/venus/venc.c | 68 ++++++++++++++++++++++++
+ 2 files changed, 77 insertions(+)
+
+diff --git a/drivers/media/platform/qcom/venus/core.h b/drivers/media/platform/qcom/venus/core.h
+index 32551c2602a98..d147154c01ea5 100644
+--- a/drivers/media/platform/qcom/venus/core.h
++++ b/drivers/media/platform/qcom/venus/core.h
+@@ -317,6 +317,14 @@ enum venus_dec_state {
+ VENUS_DEC_STATE_DRC = 7,
+ };
+
++enum venus_enc_state {
++ VENUS_ENC_STATE_DEINIT = 0,
++ VENUS_ENC_STATE_INIT = 1,
++ VENUS_ENC_STATE_ENCODING = 2,
++ VENUS_ENC_STATE_STOPPED = 3,
++ VENUS_ENC_STATE_DRAIN = 4,
++};
++
+ struct venus_ts_metadata {
+ bool used;
+ u64 ts_ns;
+@@ -428,6 +436,7 @@ struct venus_inst {
+ u8 quantization;
+ u8 xfer_func;
+ enum venus_dec_state codec_state;
++ enum venus_enc_state enc_state;
+ wait_queue_head_t reconf_wait;
+ unsigned int subscriptions;
+ int buf_count;
+diff --git a/drivers/media/platform/qcom/venus/venc.c b/drivers/media/platform/qcom/venus/venc.c
+index cdb12546c4fa6..f4921dbe6b7ec 100644
+--- a/drivers/media/platform/qcom/venus/venc.c
++++ b/drivers/media/platform/qcom/venus/venc.c
+@@ -520,6 +520,51 @@ static int venc_subscribe_event(struct v4l2_fh *fh,
+ }
+ }
+
++static int
++venc_encoder_cmd(struct file *file, void *fh, struct v4l2_encoder_cmd *cmd)
++{
++ struct venus_inst *inst = to_inst(file);
++ struct hfi_frame_data fdata = {0};
++ int ret = 0;
++
++ ret = v4l2_m2m_ioctl_try_encoder_cmd(file, fh, cmd);
++ if (ret)
++ return ret;
++
++ mutex_lock(&inst->lock);
++
++ if (cmd->cmd == V4L2_ENC_CMD_STOP &&
++ inst->enc_state == VENUS_ENC_STATE_ENCODING) {
++ /*
++ * Implement V4L2_ENC_CMD_STOP by enqueue an empty buffer on
++ * encoder input to signal EOS.
++ */
++ if (!(inst->streamon_out && inst->streamon_cap))
++ goto unlock;
++
++ fdata.buffer_type = HFI_BUFFER_INPUT;
++ fdata.flags |= HFI_BUFFERFLAG_EOS;
++ fdata.device_addr = 0xdeadb000;
++
++ ret = hfi_session_process_buf(inst, &fdata);
++
++ inst->enc_state = VENUS_ENC_STATE_DRAIN;
++ } else if (cmd->cmd == V4L2_ENC_CMD_START) {
++ if (inst->enc_state == VENUS_ENC_STATE_DRAIN) {
++ ret = -EBUSY;
++ goto unlock;
++ }
++ if (inst->enc_state == VENUS_ENC_STATE_STOPPED) {
++ vb2_clear_last_buffer_dequeued(&inst->fh.m2m_ctx->cap_q_ctx.q);
++ inst->enc_state = VENUS_ENC_STATE_ENCODING;
++ }
++ }
++
++unlock:
++ mutex_unlock(&inst->lock);
++ return ret;
++}
++
+ static const struct v4l2_ioctl_ops venc_ioctl_ops = {
+ .vidioc_querycap = venc_querycap,
+ .vidioc_enum_fmt_vid_cap = venc_enum_fmt,
+@@ -548,6 +593,7 @@ static const struct v4l2_ioctl_ops venc_ioctl_ops = {
+ .vidioc_subscribe_event = venc_subscribe_event,
+ .vidioc_unsubscribe_event = v4l2_event_unsubscribe,
+ .vidioc_try_encoder_cmd = v4l2_m2m_ioctl_try_encoder_cmd,
++ .vidioc_encoder_cmd = venc_encoder_cmd,
+ };
+
+ static int venc_pm_get(struct venus_inst *inst)
+@@ -1196,6 +1242,8 @@ static int venc_start_streaming(struct vb2_queue *q, unsigned int count)
+ if (ret)
+ goto error;
+
++ inst->enc_state = VENUS_ENC_STATE_ENCODING;
++
+ mutex_unlock(&inst->lock);
+
+ return 0;
+@@ -1215,10 +1263,21 @@ static int venc_start_streaming(struct vb2_queue *q, unsigned int count)
+ static void venc_vb2_buf_queue(struct vb2_buffer *vb)
+ {
+ struct venus_inst *inst = vb2_get_drv_priv(vb->vb2_queue);
++ struct vb2_v4l2_buffer *vbuf = to_vb2_v4l2_buffer(vb);
+
+ venc_pm_get_put(inst);
+
+ mutex_lock(&inst->lock);
++
++ if (inst->enc_state == VENUS_ENC_STATE_STOPPED) {
++ vbuf->sequence = inst->sequence_cap++;
++ vbuf->field = V4L2_FIELD_NONE;
++ vb2_set_plane_payload(vb, 0, 0);
++ v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_DONE);
++ mutex_unlock(&inst->lock);
++ return;
++ }
++
+ venus_helper_vb2_buf_queue(vb);
+ mutex_unlock(&inst->lock);
+ }
+@@ -1260,6 +1319,10 @@ static void venc_buf_done(struct venus_inst *inst, unsigned int buf_type,
+ vb->planes[0].data_offset = data_offset;
+ vb->timestamp = timestamp_us * NSEC_PER_USEC;
+ vbuf->sequence = inst->sequence_cap++;
++ if ((vbuf->flags & V4L2_BUF_FLAG_LAST) &&
++ inst->enc_state == VENUS_ENC_STATE_DRAIN) {
++ inst->enc_state = VENUS_ENC_STATE_STOPPED;
++ }
+ } else {
+ vbuf->sequence = inst->sequence_out++;
+ }
+@@ -1362,6 +1425,9 @@ static int venc_open(struct file *file)
+ inst->core_acquired = false;
+ inst->nonblock = file->f_flags & O_NONBLOCK;
+
++ if (inst->enc_state == VENUS_ENC_STATE_DEINIT)
++ inst->enc_state = VENUS_ENC_STATE_INIT;
++
+ venus_helper_init_instance(inst);
+
+ ret = venc_ctrl_init(inst);
+@@ -1424,6 +1490,8 @@ static int venc_close(struct file *file)
+ v4l2_fh_del(&inst->fh);
+ v4l2_fh_exit(&inst->fh);
+
++ inst->enc_state = VENUS_ENC_STATE_DEINIT;
++
+ venc_pm_put(inst, false);
+
+ kfree(inst);
+--
+2.43.0
+
--- /dev/null
+From 62d6a21e149524eebcaada2e0be4bdc909b5bf60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Nov 2024 16:27:39 +0200
+Subject: vfio/pci: Properly hide first-in-list PCIe extended capability
+
+From: Avihai Horon <avihaih@nvidia.com>
+
+[ Upstream commit fe4bf8d0b6716a423b16495d55b35d3fe515905d ]
+
+There are cases where a PCIe extended capability should be hidden from
+the user. For example, an unknown capability (i.e., capability with ID
+greater than PCI_EXT_CAP_ID_MAX) or a capability that is intentionally
+chosen to be hidden from the user.
+
+Hiding a capability is done by virtualizing and modifying the 'Next
+Capability Offset' field of the previous capability so it points to the
+capability after the one that should be hidden.
+
+The special case where the first capability in the list should be hidden
+is handled differently because there is no previous capability that can
+be modified. In this case, the capability ID and version are zeroed
+while leaving the next pointer intact. This hides the capability and
+leaves an anchor for the rest of the capability list.
+
+However, today, hiding the first capability in the list is not done
+properly if the capability is unknown, as struct
+vfio_pci_core_device->pci_config_map is set to the capability ID during
+initialization but the capability ID is not properly checked later when
+used in vfio_config_do_rw(). This leads to the following warning [1] and
+to an out-of-bounds access to ecap_perms array.
+
+Fix it by checking cap_id in vfio_config_do_rw(), and if it is greater
+than PCI_EXT_CAP_ID_MAX, use an alternative struct perm_bits for direct
+read only access instead of the ecap_perms array.
+
+Note that this is safe since the above is the only case where cap_id can
+exceed PCI_EXT_CAP_ID_MAX (except for the special capabilities, which
+are already checked before).
+
+[1]
+
+WARNING: CPU: 118 PID: 5329 at drivers/vfio/pci/vfio_pci_config.c:1900 vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]
+CPU: 118 UID: 0 PID: 5329 Comm: simx-qemu-syste Not tainted 6.12.0+ #1
+(snip)
+Call Trace:
+ <TASK>
+ ? show_regs+0x69/0x80
+ ? __warn+0x8d/0x140
+ ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]
+ ? report_bug+0x18f/0x1a0
+ ? handle_bug+0x63/0xa0
+ ? exc_invalid_op+0x19/0x70
+ ? asm_exc_invalid_op+0x1b/0x20
+ ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]
+ ? vfio_pci_config_rw+0x244/0x430 [vfio_pci_core]
+ vfio_pci_rw+0x101/0x1b0 [vfio_pci_core]
+ vfio_pci_core_read+0x1d/0x30 [vfio_pci_core]
+ vfio_device_fops_read+0x27/0x40 [vfio]
+ vfs_read+0xbd/0x340
+ ? vfio_device_fops_unl_ioctl+0xbb/0x740 [vfio]
+ ? __rseq_handle_notify_resume+0xa4/0x4b0
+ __x64_sys_pread64+0x96/0xc0
+ x64_sys_call+0x1c3d/0x20d0
+ do_syscall_64+0x4d/0x120
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Fixes: 89e1f7d4c66d ("vfio: Add PCI device driver")
+Signed-off-by: Avihai Horon <avihaih@nvidia.com>
+Reviewed-by: Yi Liu <yi.l.liu@intel.com>
+Tested-by: Yi Liu <yi.l.liu@intel.com>
+Link: https://lore.kernel.org/r/20241124142739.21698-1-avihaih@nvidia.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/vfio_pci_config.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
+index 523e0144c86fa..7902e1ec0fef2 100644
+--- a/drivers/vfio/pci/vfio_pci_config.c
++++ b/drivers/vfio/pci/vfio_pci_config.c
+@@ -312,6 +312,10 @@ static int vfio_virt_config_read(struct vfio_pci_core_device *vdev, int pos,
+ return count;
+ }
+
++static struct perm_bits direct_ro_perms = {
++ .readfn = vfio_direct_config_read,
++};
++
+ /* Default capability regions to read-only, no-virtualization */
+ static struct perm_bits cap_perms[PCI_CAP_ID_MAX + 1] = {
+ [0 ... PCI_CAP_ID_MAX] = { .readfn = vfio_direct_config_read }
+@@ -1890,9 +1894,17 @@ static ssize_t vfio_config_do_rw(struct vfio_pci_core_device *vdev, char __user
+ cap_start = *ppos;
+ } else {
+ if (*ppos >= PCI_CFG_SPACE_SIZE) {
+- WARN_ON(cap_id > PCI_EXT_CAP_ID_MAX);
++ /*
++ * We can get a cap_id that exceeds PCI_EXT_CAP_ID_MAX
++ * if we're hiding an unknown capability at the start
++ * of the extended capability list. Use default, ro
++ * access, which will virtualize the id and next values.
++ */
++ if (cap_id > PCI_EXT_CAP_ID_MAX)
++ perm = &direct_ro_perms;
++ else
++ perm = &ecap_perms[cap_id];
+
+- perm = &ecap_perms[cap_id];
+ cap_start = vfio_find_cap_start(vdev, *ppos);
+ } else {
+ WARN_ON(cap_id > PCI_CAP_ID_MAX);
+--
+2.43.0
+
--- /dev/null
+From 7e9d6332b01b4e79b45a6a79d47d0d27b9b99d10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Nov 2024 16:20:42 +0100
+Subject: virtio_blk: reverse request order in virtio_queue_rqs
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 7f212e997edbb7a2cb85cef2ac14265dfaf88717 ]
+
+blk_mq_flush_plug_list submits requests in the reverse order that they
+were submitted, which leads to a rather suboptimal I/O pattern
+especially in rotational devices. Fix this by rewriting virtio_queue_rqs
+so that it always pops the requests from the passed in request list, and
+then adds them to the head of a local submit list. This actually
+simplifies the code a bit as it removes the complicated list splicing,
+at the cost of extra updates of the rq_next pointer. As that should be
+cache hot anyway it should be an easy price to pay.
+
+Fixes: 0e9911fa768f ("virtio-blk: support mq_ops->queue_rqs()")
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20241113152050.157179-3-hch@lst.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/virtio_blk.c | 46 +++++++++++++++++---------------------
+ 1 file changed, 21 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c
+index 505026f0025c7..28644729dc976 100644
+--- a/drivers/block/virtio_blk.c
++++ b/drivers/block/virtio_blk.c
+@@ -399,18 +399,18 @@ static bool virtblk_prep_rq_batch(struct request *req)
+ return virtblk_prep_rq(req->mq_hctx, vblk, req, vbr) == BLK_STS_OK;
+ }
+
+-static bool virtblk_add_req_batch(struct virtio_blk_vq *vq,
++static void virtblk_add_req_batch(struct virtio_blk_vq *vq,
+ struct request **rqlist)
+ {
++ struct request *req;
+ unsigned long flags;
+- int err;
+ bool kick;
+
+ spin_lock_irqsave(&vq->lock, flags);
+
+- while (!rq_list_empty(*rqlist)) {
+- struct request *req = rq_list_pop(rqlist);
++ while ((req = rq_list_pop(rqlist))) {
+ struct virtblk_req *vbr = blk_mq_rq_to_pdu(req);
++ int err;
+
+ err = virtblk_add_req(vq->vq, vbr);
+ if (err) {
+@@ -423,37 +423,33 @@ static bool virtblk_add_req_batch(struct virtio_blk_vq *vq,
+ kick = virtqueue_kick_prepare(vq->vq);
+ spin_unlock_irqrestore(&vq->lock, flags);
+
+- return kick;
++ if (kick)
++ virtqueue_notify(vq->vq);
+ }
+
+ static void virtio_queue_rqs(struct request **rqlist)
+ {
+- struct request *req, *next, *prev = NULL;
++ struct request *submit_list = NULL;
+ struct request *requeue_list = NULL;
++ struct request **requeue_lastp = &requeue_list;
++ struct virtio_blk_vq *vq = NULL;
++ struct request *req;
+
+- rq_list_for_each_safe(rqlist, req, next) {
+- struct virtio_blk_vq *vq = get_virtio_blk_vq(req->mq_hctx);
+- bool kick;
+-
+- if (!virtblk_prep_rq_batch(req)) {
+- rq_list_move(rqlist, &requeue_list, req, prev);
+- req = prev;
+- if (!req)
+- continue;
+- }
++ while ((req = rq_list_pop(rqlist))) {
++ struct virtio_blk_vq *this_vq = get_virtio_blk_vq(req->mq_hctx);
+
+- if (!next || req->mq_hctx != next->mq_hctx) {
+- req->rq_next = NULL;
+- kick = virtblk_add_req_batch(vq, rqlist);
+- if (kick)
+- virtqueue_notify(vq->vq);
++ if (vq && vq != this_vq)
++ virtblk_add_req_batch(vq, &submit_list);
++ vq = this_vq;
+
+- *rqlist = next;
+- prev = NULL;
+- } else
+- prev = req;
++ if (virtblk_prep_rq_batch(req))
++ rq_list_add(&submit_list, req); /* reverse order */
++ else
++ rq_list_add_tail(&requeue_lastp, req);
+ }
+
++ if (vq)
++ virtblk_add_req_batch(vq, &submit_list);
+ *rqlist = requeue_list;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 7d1ee9ad40206f28c5b98edfb53bfcd85a249b94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Jul 2024 10:03:43 +0800
+Subject: wifi: ath10k: fix invalid VHT parameters in
+ supported_vht_mcs_rate_nss1
+
+From: Baochen Qiang <quic_bqiang@quicinc.com>
+
+[ Upstream commit d50886b27850447d90c0cd40c725238097909d1e ]
+
+In supported_vht_mcs_rate_nss1, the rate for MCS9 & VHT20 is defined as
+{780, 867}, this does not align with firmware's definition and therefore
+fails the verification in ath10k_mac_get_rate_flags_vht():
+
+ invalid vht params rate 960 100kbps nss 1 mcs 9
+
+Change it to {865, 960} to align with firmware, so this issue could be
+fixed.
+
+Since ath10k_hw_params::supports_peer_stats_info is enabled only for
+QCA6174, this change does not affect other chips.
+
+Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00309-QCARMSWPZ-1
+
+Fixes: 3344b99d69ab ("ath10k: add bitrate parse for peer stats info")
+Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Closes: https://lore.kernel.org/lkml/fba24cd3-4a1e-4072-8585-8402272788ff@molgen.mpg.de/
+Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>
+Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://patch.msgid.link/20240711020344.98040-2-quic_bqiang@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index ec5c54672dfee..7e2700c0df1c7 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -9120,7 +9120,7 @@ static const struct ath10k_index_vht_data_rate_type supported_vht_mcs_rate_nss1[
+ {6, {2633, 2925}, {1215, 1350}, {585, 650} },
+ {7, {2925, 3250}, {1350, 1500}, {650, 722} },
+ {8, {3510, 3900}, {1620, 1800}, {780, 867} },
+- {9, {3900, 4333}, {1800, 2000}, {780, 867} }
++ {9, {3900, 4333}, {1800, 2000}, {865, 960} }
+ };
+
+ /*MCS parameters with Nss = 2 */
+--
+2.43.0
+
--- /dev/null
+From cd124ab5103909f4155e64df8b6af154f5e0ee6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Jul 2024 10:03:44 +0800
+Subject: wifi: ath10k: fix invalid VHT parameters in
+ supported_vht_mcs_rate_nss2
+
+From: Baochen Qiang <quic_bqiang@quicinc.com>
+
+[ Upstream commit 52db16ec5bae7bd027804265b968259d1a6c3970 ]
+
+In supported_vht_mcs_rate_nss2, the rate for MCS9 & VHT20 is defined as
+{1560, 1733}, this does not align with firmware's definition and therefore
+fails the verification in ath10k_mac_get_rate_flags_vht():
+
+ invalid vht params rate 1730 100kbps nss 2 mcs 9
+
+and:
+
+ invalid vht params rate 1920 100kbps nss 2 mcs 9
+
+Change it to {1730, 1920} to align with firmware to fix the issue.
+
+Since ath10k_hw_params::supports_peer_stats_info is enabled only for
+QCA6174, this change does not affect other chips.
+
+Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00309-QCARMSWPZ-1
+
+Fixes: 3344b99d69ab ("ath10k: add bitrate parse for peer stats info")
+Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Closes: https://lore.kernel.org/lkml/fba24cd3-4a1e-4072-8585-8402272788ff@molgen.mpg.de/
+Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>
+Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Tested-by: Paul Menzel <pmenzel@molgen.mpg.de> # Dell XPS 13 9360
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://patch.msgid.link/20240711020344.98040-3-quic_bqiang@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index 7e2700c0df1c7..184c722255c65 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -9135,7 +9135,7 @@ static const struct ath10k_index_vht_data_rate_type supported_vht_mcs_rate_nss2[
+ {6, {5265, 5850}, {2430, 2700}, {1170, 1300} },
+ {7, {5850, 6500}, {2700, 3000}, {1300, 1444} },
+ {8, {7020, 7800}, {3240, 3600}, {1560, 1733} },
+- {9, {7800, 8667}, {3600, 4000}, {1560, 1733} }
++ {9, {7800, 8667}, {3600, 4000}, {1730, 1920} }
+ };
+
+ static void ath10k_mac_get_rate_flags_ht(struct ath10k *ar, u32 rate, u8 nss, u8 mcs,
+--
+2.43.0
+
--- /dev/null
+From f9dca2366558256e07efa15a61e05ba527c45406 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Sep 2024 12:06:03 +0300
+Subject: wifi: ath9k: add range check for conn_rsp_epid in
+ htc_connect_service()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+[ Upstream commit 8619593634cbdf5abf43f5714df49b04e4ef09ab ]
+
+I found the following bug in my fuzzer:
+
+ UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51
+ index 255 is out of range for type 'htc_endpoint [22]'
+ CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.11.0-rc6-dirty #14
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+ Workqueue: events request_firmware_work_func
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x180/0x1b0
+ __ubsan_handle_out_of_bounds+0xd4/0x130
+ htc_issue_send.constprop.0+0x20c/0x230
+ ? _raw_spin_unlock_irqrestore+0x3c/0x70
+ ath9k_wmi_cmd+0x41d/0x610
+ ? mark_held_locks+0x9f/0xe0
+ ...
+
+Since this bug has been confirmed to be caused by insufficient verification
+of conn_rsp_epid, I think it would be appropriate to add a range check for
+conn_rsp_epid to htc_connect_service() to prevent the bug from occurring.
+
+Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://patch.msgid.link/20240909103855.68006-1-aha310510@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/htc_hst.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
+index 99667aba289df..00dc97ac53b9d 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
+@@ -294,6 +294,9 @@ int htc_connect_service(struct htc_target *target,
+ return -ETIMEDOUT;
+ }
+
++ if (target->conn_rsp_epid < 0 || target->conn_rsp_epid >= ENDPOINT_MAX)
++ return -EINVAL;
++
+ *conn_rsp_epid = target->conn_rsp_epid;
+ return 0;
+ err:
+--
+2.43.0
+
--- /dev/null
+From a62f2605baff8e64b5370467dcb0a4830eaea179 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 01:20:54 +0300
+Subject: wifi: mwifiex: Fix memcpy() field-spanning write warning in
+ mwifiex_config_scan()
+
+From: Alper Nebi Yasak <alpernebiyasak@gmail.com>
+
+[ Upstream commit d241a139c2e9f8a479f25c75ebd5391e6a448500 ]
+
+Replace one-element array with a flexible-array member in `struct
+mwifiex_ie_types_wildcard_ssid_params` to fix the following warning
+on a MT8173 Chromebook (mt8173-elm-hana):
+
+[ 356.775250] ------------[ cut here ]------------
+[ 356.784543] memcpy: detected field-spanning write (size 6) of single field "wildcard_ssid_tlv->ssid" at drivers/net/wireless/marvell/mwifiex/scan.c:904 (size 1)
+[ 356.813403] WARNING: CPU: 3 PID: 742 at drivers/net/wireless/marvell/mwifiex/scan.c:904 mwifiex_scan_networks+0x4fc/0xf28 [mwifiex]
+
+The "(size 6)" above is exactly the length of the SSID of the network
+this device was connected to. The source of the warning looks like:
+
+ ssid_len = user_scan_in->ssid_list[i].ssid_len;
+ [...]
+ memcpy(wildcard_ssid_tlv->ssid,
+ user_scan_in->ssid_list[i].ssid, ssid_len);
+
+There is a #define WILDCARD_SSID_TLV_MAX_SIZE that uses sizeof() on this
+struct, but it already didn't account for the size of the one-element
+array, so it doesn't need to be changed.
+
+Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
+Signed-off-by: Alper Nebi Yasak <alpernebiyasak@gmail.com>
+Acked-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://patch.msgid.link/20241007222301.24154-1-alpernebiyasak@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/fw.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/fw.h b/drivers/net/wireless/marvell/mwifiex/fw.h
+index 26979013ca52d..9c9fe5757b295 100644
+--- a/drivers/net/wireless/marvell/mwifiex/fw.h
++++ b/drivers/net/wireless/marvell/mwifiex/fw.h
+@@ -842,7 +842,7 @@ struct mwifiex_ietypes_chanstats {
+ struct mwifiex_ie_types_wildcard_ssid_params {
+ struct mwifiex_ie_types_header header;
+ u8 max_ssid_length;
+- u8 ssid[1];
++ u8 ssid[];
+ } __packed;
+
+ #define TSF_DATA_SIZE 8
+--
+2.43.0
+
--- /dev/null
+From bb49c58fb69f60b4cb711c24957d48708c720e58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2024 20:43:13 +0800
+Subject: wifi: mwifiex: Use IRQF_NO_AUTOEN flag in request_irq()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 9a98dd48b6d834d7a3fe5e8e7b8c3a1d006f9685 ]
+
+disable_irq() after request_irq() still has a time gap in which
+interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will
+disable IRQ auto-enable when request IRQ.
+
+Fixes: 853402a00823 ("mwifiex: Enable WoWLAN for both sdio and pcie")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Acked-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://patch.msgid.link/20240910124314.698896-3-ruanjinjie@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/main.c b/drivers/net/wireless/marvell/mwifiex/main.c
+index da2e6557e6841..59225fcacd59a 100644
+--- a/drivers/net/wireless/marvell/mwifiex/main.c
++++ b/drivers/net/wireless/marvell/mwifiex/main.c
+@@ -1638,7 +1638,8 @@ static void mwifiex_probe_of(struct mwifiex_adapter *adapter)
+ }
+
+ ret = devm_request_irq(dev, adapter->irq_wakeup,
+- mwifiex_irq_wakeup_handler, IRQF_TRIGGER_LOW,
++ mwifiex_irq_wakeup_handler,
++ IRQF_TRIGGER_LOW | IRQF_NO_AUTOEN,
+ "wifi_wake", adapter);
+ if (ret) {
+ dev_err(dev, "Failed to request irq_wakeup %d (%d)\n",
+@@ -1646,7 +1647,6 @@ static void mwifiex_probe_of(struct mwifiex_adapter *adapter)
+ goto err_exit;
+ }
+
+- disable_irq(adapter->irq_wakeup);
+ if (device_init_wakeup(dev, true)) {
+ dev_err(dev, "fail to init wakeup for mwifiex\n");
+ goto err_exit;
+--
+2.43.0
+
--- /dev/null
+From c745dbf00c99023420040795ecc6a57d4075b49a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2024 20:43:12 +0800
+Subject: wifi: p54: Use IRQF_NO_AUTOEN flag in request_irq()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit bcd1371bd85e560ccc9159b7747f94bfe43b77a6 ]
+
+disable_irq() after request_irq() still has a time gap in which
+interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will
+disable IRQ auto-enable when request IRQ.
+
+Fixes: cd8d3d321285 ("p54spi: p54spi driver")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://patch.msgid.link/20240910124314.698896-2-ruanjinjie@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intersil/p54/p54spi.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/intersil/p54/p54spi.c b/drivers/net/wireless/intersil/p54/p54spi.c
+index 19152fd449ba7..6fc694e8b7f80 100644
+--- a/drivers/net/wireless/intersil/p54/p54spi.c
++++ b/drivers/net/wireless/intersil/p54/p54spi.c
+@@ -623,7 +623,7 @@ static int p54spi_probe(struct spi_device *spi)
+ gpio_direction_input(p54spi_gpio_irq);
+
+ ret = request_irq(gpio_to_irq(p54spi_gpio_irq),
+- p54spi_interrupt, 0, "p54spi",
++ p54spi_interrupt, IRQF_NO_AUTOEN, "p54spi",
+ priv->spi);
+ if (ret < 0) {
+ dev_err(&priv->spi->dev, "request_irq() failed");
+@@ -632,8 +632,6 @@ static int p54spi_probe(struct spi_device *spi)
+
+ irq_set_irq_type(gpio_to_irq(p54spi_gpio_irq), IRQ_TYPE_EDGE_RISING);
+
+- disable_irq(gpio_to_irq(p54spi_gpio_irq));
+-
+ INIT_WORK(&priv->work, p54spi_work);
+ init_completion(&priv->fw_comp);
+ INIT_LIST_HEAD(&priv->tx_pending);
+--
+2.43.0
+
--- /dev/null
+From 4e704a052ac03b28f89c38794bc7bc0bba51d721 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Oct 2024 17:04:53 +0800
+Subject: wifi: wfx: Fix error handling in wfx_core_init()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 3b88a9876779b55478a4dde867e73f7a100ffa23 ]
+
+The wfx_core_init() returns without checking the retval from
+sdio_register_driver().
+If the sdio_register_driver() failed, the module failed to install,
+leaving the wfx_spi_driver not unregistered.
+
+Fixes: a7a91ca5a23d ("staging: wfx: add infrastructure for new driver")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Reviewed-by: Jérôme Pouiller <jerome.pouiller@silabs.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://patch.msgid.link/20241022090453.84679-1-yuancan@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/silabs/wfx/main.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/silabs/wfx/main.c b/drivers/net/wireless/silabs/wfx/main.c
+index 84d82ddded567..2a3dc7d961edc 100644
+--- a/drivers/net/wireless/silabs/wfx/main.c
++++ b/drivers/net/wireless/silabs/wfx/main.c
+@@ -479,10 +479,23 @@ static int __init wfx_core_init(void)
+ {
+ int ret = 0;
+
+- if (IS_ENABLED(CONFIG_SPI))
++ if (IS_ENABLED(CONFIG_SPI)) {
+ ret = spi_register_driver(&wfx_spi_driver);
+- if (IS_ENABLED(CONFIG_MMC) && !ret)
++ if (ret)
++ goto out;
++ }
++ if (IS_ENABLED(CONFIG_MMC)) {
+ ret = sdio_register_driver(&wfx_sdio_driver);
++ if (ret)
++ goto unregister_spi;
++ }
++
++ return 0;
++
++unregister_spi:
++ if (IS_ENABLED(CONFIG_SPI))
++ spi_unregister_driver(&wfx_spi_driver);
++out:
+ return ret;
+ }
+ module_init(wfx_core_init);
+--
+2.43.0
+
--- /dev/null
+From 870b69a5dddfb5b6add50ed8825b0b0ca4b70db5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 Nov 2024 22:20:29 +0100
+Subject: wireguard: selftests: load nf_conntrack if not present
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 0290abc9860917f1ee8b58309c2bbd740a39ee8e ]
+
+Some distros may not load nf_conntrack by default, which will cause
+subsequent nf_conntrack sets to fail. Load this module if it is not
+already loaded.
+
+Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+[ Jason: add [[ -e ... ]] check so this works in the qemu harness. ]
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Link: https://patch.msgid.link/20241117212030.629159-4-Jason@zx2c4.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/wireguard/netns.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/wireguard/netns.sh b/tools/testing/selftests/wireguard/netns.sh
+index 405ff262ca93d..55500f901fbc3 100755
+--- a/tools/testing/selftests/wireguard/netns.sh
++++ b/tools/testing/selftests/wireguard/netns.sh
+@@ -332,6 +332,7 @@ waitiface $netns1 vethc
+ waitiface $netns2 veths
+
+ n0 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
++[[ -e /proc/sys/net/netfilter/nf_conntrack_udp_timeout ]] || modprobe nf_conntrack
+ n0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout'
+ n0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream'
+ n0 iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.0.0.0/24 -j SNAT --to 10.0.0.1
+--
+2.43.0
+
--- /dev/null
+From 3b9bf263c82ba7035a55d6859aed2247a4637c78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Oct 2023 14:24:16 +0200
+Subject: x86/barrier: Do not serialize MSR accesses on AMD
+
+From: Borislav Petkov (AMD) <bp@alien8.de>
+
+commit 04c3024560d3a14acd18d0a51a1d0a89d29b7eb5 upstream.
+
+AMD does not have the requirement for a synchronization barrier when
+acccessing a certain group of MSRs. Do not incur that unnecessary
+penalty there.
+
+There will be a CPUID bit which explicitly states that a MFENCE is not
+needed. Once that bit is added to the APM, this will be extended with
+it.
+
+While at it, move to processor.h to avoid include hell. Untangling that
+file properly is a matter for another day.
+
+Some notes on the performance aspect of why this is relevant, courtesy
+of Kishon VijayAbraham <Kishon.VijayAbraham@amd.com>:
+
+On a AMD Zen4 system with 96 cores, a modified ipi-bench[1] on a VM
+shows x2AVIC IPI rate is 3% to 4% lower than AVIC IPI rate. The
+ipi-bench is modified so that the IPIs are sent between two vCPUs in the
+same CCX. This also requires to pin the vCPU to a physical core to
+prevent any latencies. This simulates the use case of pinning vCPUs to
+the thread of a single CCX to avoid interrupt IPI latency.
+
+In order to avoid run-to-run variance (for both x2AVIC and AVIC), the
+below configurations are done:
+
+ 1) Disable Power States in BIOS (to prevent the system from going to
+ lower power state)
+
+ 2) Run the system at fixed frequency 2500MHz (to prevent the system
+ from increasing the frequency when the load is more)
+
+With the above configuration:
+
+*) Performance measured using ipi-bench for AVIC:
+ Average Latency: 1124.98ns [Time to send IPI from one vCPU to another vCPU]
+
+ Cumulative throughput: 42.6759M/s [Total number of IPIs sent in a second from
+ 48 vCPUs simultaneously]
+
+*) Performance measured using ipi-bench for x2AVIC:
+ Average Latency: 1172.42ns [Time to send IPI from one vCPU to another vCPU]
+
+ Cumulative throughput: 40.9432M/s [Total number of IPIs sent in a second from
+ 48 vCPUs simultaneously]
+
+From above, x2AVIC latency is ~4% more than AVIC. However, the expectation is
+x2AVIC performance to be better or equivalent to AVIC. Upon analyzing
+the perf captures, it is observed significant time is spent in
+weak_wrmsr_fence() invoked by x2apic_send_IPI().
+
+With the fix to skip weak_wrmsr_fence()
+
+*) Performance measured using ipi-bench for x2AVIC:
+ Average Latency: 1117.44ns [Time to send IPI from one vCPU to another vCPU]
+
+ Cumulative throughput: 42.9608M/s [Total number of IPIs sent in a second from
+ 48 vCPUs simultaneously]
+
+Comparing the performance of x2AVIC with and without the fix, it can be seen
+the performance improves by ~4%.
+
+Performance captured using an unmodified ipi-bench using the 'mesh-ipi' option
+with and without weak_wrmsr_fence() on a Zen4 system also showed significant
+performance improvement without weak_wrmsr_fence(). The 'mesh-ipi' option ignores
+CCX or CCD and just picks random vCPU.
+
+ Average throughput (10 iterations) with weak_wrmsr_fence(),
+ Cumulative throughput: 4933374 IPI/s
+
+ Average throughput (10 iterations) without weak_wrmsr_fence(),
+ Cumulative throughput: 6355156 IPI/s
+
+[1] https://github.com/bytedance/kvm-utils/tree/master/microbenchmark/ipi-bench
+
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/r/20230622095212.20940-1-bp@alien8.de
+Signed-off-by: Kishon Vijay Abraham I <kvijayab@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/barrier.h | 18 ------------------
+ arch/x86/include/asm/cpufeatures.h | 1 +
+ arch/x86/include/asm/processor.h | 18 ++++++++++++++++++
+ arch/x86/kernel/cpu/amd.c | 3 +++
+ arch/x86/kernel/cpu/common.c | 7 +++++++
+ arch/x86/kernel/cpu/hygon.c | 3 +++
+ 6 files changed, 32 insertions(+), 18 deletions(-)
+
+diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h
+index 35389b2af88ee..0216f63a366b5 100644
+--- a/arch/x86/include/asm/barrier.h
++++ b/arch/x86/include/asm/barrier.h
+@@ -81,22 +81,4 @@ do { \
+
+ #include <asm-generic/barrier.h>
+
+-/*
+- * Make previous memory operations globally visible before
+- * a WRMSR.
+- *
+- * MFENCE makes writes visible, but only affects load/store
+- * instructions. WRMSR is unfortunately not a load/store
+- * instruction and is unaffected by MFENCE. The LFENCE ensures
+- * that the WRMSR is not reordered.
+- *
+- * Most WRMSRs are full serializing instructions themselves and
+- * do not require this barrier. This is only required for the
+- * IA32_TSC_DEADLINE and X2APIC MSRs.
+- */
+-static inline void weak_wrmsr_fence(void)
+-{
+- asm volatile("mfence; lfence" : : : "memory");
+-}
+-
+ #endif /* _ASM_X86_BARRIER_H */
+diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
+index 91224a9261377..5709cbba28e7a 100644
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -311,6 +311,7 @@
+ #define X86_FEATURE_SRSO (11*32+24) /* "" AMD BTB untrain RETs */
+ #define X86_FEATURE_SRSO_ALIAS (11*32+25) /* "" AMD BTB untrain RETs through aliasing */
+ #define X86_FEATURE_IBPB_ON_VMEXIT (11*32+26) /* "" Issue an IBPB only on VMEXIT */
++#define X86_FEATURE_APIC_MSRS_FENCE (11*32+27) /* "" IA32_TSC_DEADLINE and X2APIC MSRs need fencing */
+
+ /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */
+ #define X86_FEATURE_AVX_VNNI (12*32+ 4) /* AVX VNNI instructions */
+diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
+index 3ed6cc7785037..d2b93b68fe563 100644
+--- a/arch/x86/include/asm/processor.h
++++ b/arch/x86/include/asm/processor.h
+@@ -868,4 +868,22 @@ bool arch_is_platform_page(u64 paddr);
+
+ extern bool gds_ucode_mitigated(void);
+
++/*
++ * Make previous memory operations globally visible before
++ * a WRMSR.
++ *
++ * MFENCE makes writes visible, but only affects load/store
++ * instructions. WRMSR is unfortunately not a load/store
++ * instruction and is unaffected by MFENCE. The LFENCE ensures
++ * that the WRMSR is not reordered.
++ *
++ * Most WRMSRs are full serializing instructions themselves and
++ * do not require this barrier. This is only required for the
++ * IA32_TSC_DEADLINE and X2APIC MSRs.
++ */
++static inline void weak_wrmsr_fence(void)
++{
++ alternative("mfence; lfence", "", ALT_NOT(X86_FEATURE_APIC_MSRS_FENCE));
++}
++
+ #endif /* _ASM_X86_PROCESSOR_H */
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
+index 425092806f8fe..37796a1d0715f 100644
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -1133,6 +1133,9 @@ static void init_amd(struct cpuinfo_x86 *c)
+ if (!cpu_has(c, X86_FEATURE_HYPERVISOR) &&
+ cpu_has_amd_erratum(c, amd_erratum_1485))
+ msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT);
++
++ /* AMD CPUs don't need fencing after x2APIC/TSC_DEADLINE MSR writes. */
++ clear_cpu_cap(c, X86_FEATURE_APIC_MSRS_FENCE);
+ }
+
+ #ifdef CONFIG_X86_32
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index b4e999048e9a4..e8daf4093eb8c 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -1883,6 +1883,13 @@ static void identify_cpu(struct cpuinfo_x86 *c)
+ c->apicid = apic->phys_pkg_id(c->initial_apicid, 0);
+ #endif
+
++
++ /*
++ * Set default APIC and TSC_DEADLINE MSR fencing flag. AMD and
++ * Hygon will clear it in ->c_init() below.
++ */
++ set_cpu_cap(c, X86_FEATURE_APIC_MSRS_FENCE);
++
+ /*
+ * Vendor-specific initialization. In this section we
+ * canonicalize the feature flags, meaning if there are
+diff --git a/arch/x86/kernel/cpu/hygon.c b/arch/x86/kernel/cpu/hygon.c
+index 9e8380bd4fb9f..8a80d5343f3a1 100644
+--- a/arch/x86/kernel/cpu/hygon.c
++++ b/arch/x86/kernel/cpu/hygon.c
+@@ -347,6 +347,9 @@ static void init_hygon(struct cpuinfo_x86 *c)
+ set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS);
+
+ check_null_seg_clears_base(c);
++
++ /* Hygon CPUs don't need fencing after x2APIC/TSC_DEADLINE MSR writes. */
++ clear_cpu_cap(c, X86_FEATURE_APIC_MSRS_FENCE);
+ }
+
+ static void cpu_detect_tlb_hygon(struct cpuinfo_x86 *c)
+--
+2.43.0
+
--- /dev/null
+From af77177b5a707a01ecb5db0af3c4d4d28cf1e277 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 18:04:40 +0200
+Subject: x86/pvh: Call C code via the kernel virtual mapping
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+[ Upstream commit e8fbc0d9cab6c1ee6403f42c0991b0c1d5dbc092 ]
+
+Calling C code via a different mapping than it was linked at is
+problematic, because the compiler assumes that RIP-relative and absolute
+symbol references are interchangeable. GCC in particular may use
+RIP-relative per-CPU variable references even when not using -fpic.
+
+So call xen_prepare_pvh() via its kernel virtual mapping on x86_64, so
+that those RIP-relative references produce the correct values. This
+matches the pre-existing behavior for i386, which also invokes
+xen_prepare_pvh() via the kernel virtual mapping before invoking
+startup_32 with paging disabled again.
+
+Fixes: 7243b93345f7 ("xen/pvh: Bootstrap PVH guest")
+Tested-by: Jason Andryuk <jason.andryuk@amd.com>
+Reviewed-by: Jason Andryuk <jason.andryuk@amd.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Message-ID: <20241009160438.3884381-8-ardb+git@google.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/platform/pvh/head.S | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/platform/pvh/head.S b/arch/x86/platform/pvh/head.S
+index 82efba4022ac0..7fe6526b30769 100644
+--- a/arch/x86/platform/pvh/head.S
++++ b/arch/x86/platform/pvh/head.S
+@@ -107,7 +107,14 @@ SYM_CODE_START_LOCAL(pvh_start_xen)
+ movq %rbp, %rbx
+ subq $_pa(pvh_start_xen), %rbx
+ movq %rbx, phys_base(%rip)
+- call xen_prepare_pvh
++
++ /* Call xen_prepare_pvh() via the kernel virtual mapping */
++ leaq xen_prepare_pvh(%rip), %rax
++ subq phys_base(%rip), %rax
++ addq $__START_KERNEL_map, %rax
++ ANNOTATE_RETPOLINE_SAFE
++ call *%rax
++
+ /*
+ * Clear phys_base. __startup_64 will *add* to its value,
+ * so reset to 0.
+--
+2.43.0
+
--- /dev/null
+From fee61b0f456c6aff64b22290f06d12b78ce420da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Aug 2024 15:36:28 -0400
+Subject: x86/pvh: Set phys_base when calling xen_prepare_pvh()
+
+From: Jason Andryuk <jason.andryuk@amd.com>
+
+[ Upstream commit b464b461d27d564125db760938643374864c1b1f ]
+
+phys_base needs to be set for __pa() to work in xen_pvh_init() when
+finding the hypercall page. Set it before calling into
+xen_prepare_pvh(), which calls xen_pvh_init(). Clear it afterward to
+avoid __startup_64() adding to it and creating an incorrect value.
+
+Signed-off-by: Jason Andryuk <jason.andryuk@amd.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Message-ID: <20240823193630.2583107-4-jason.andryuk@amd.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Stable-dep-of: e8fbc0d9cab6 ("x86/pvh: Call C code via the kernel virtual mapping")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/platform/pvh/head.S | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/arch/x86/platform/pvh/head.S b/arch/x86/platform/pvh/head.S
+index 7fe564eaf228a..82efba4022ac0 100644
+--- a/arch/x86/platform/pvh/head.S
++++ b/arch/x86/platform/pvh/head.S
+@@ -100,7 +100,20 @@ SYM_CODE_START_LOCAL(pvh_start_xen)
+ xor %edx, %edx
+ wrmsr
+
++ /*
++ * Calculate load offset and store in phys_base. __pa() needs
++ * phys_base set to calculate the hypercall page in xen_pvh_init().
++ */
++ movq %rbp, %rbx
++ subq $_pa(pvh_start_xen), %rbx
++ movq %rbx, phys_base(%rip)
+ call xen_prepare_pvh
++ /*
++ * Clear phys_base. __startup_64 will *add* to its value,
++ * so reset to 0.
++ */
++ xor %rbx, %rbx
++ movq %rbx, phys_base(%rip)
+
+ /* startup_64 expects boot_params in %rsi. */
+ mov $_pa(pvh_bootparams), %rsi
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
