Fixes for 5.15
authorSasha Levin <sashal@kernel.org>
Sat, 9 Nov 2024 02:46:09 +0000 (21:46 -0500)
committerSasha Levin <sashal@kernel.org>
Sat, 9 Nov 2024 02:46:09 +0000 (21:46 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
25 files changed:
queue-5.15/arm-dts-rockchip-drop-grf-reference-from-rk3036-hdmi.patch [new file with mode: 0644]
queue-5.15/arm-dts-rockchip-fix-rk3036-acodec-node.patch [new file with mode: 0644]
queue-5.15/arm-dts-rockchip-fix-the-realtek-audio-codec-on-rk30.patch [new file with mode: 0644]
queue-5.15/arm-dts-rockchip-fix-the-spi-controller-on-rk3036.patch [new file with mode: 0644]
queue-5.15/arm64-dts-imx8mp-correct-sdhc-ipg-clk.patch [new file with mode: 0644]
queue-5.15/arm64-dts-rockchip-fix-bluetooth-properties-on-rock9.patch [new file with mode: 0644]
queue-5.15/arm64-dts-rockchip-fix-led-triggers-on-rk3308-roc-cc.patch [new file with mode: 0644]
queue-5.15/arm64-dts-rockchip-fix-rt5651-compatible-value-on-rk.patch [new file with mode: 0644]
queue-5.15/arm64-dts-rockchip-remove-cooling-cells-from-fan-on-.patch [new file with mode: 0644]
queue-5.15/arm64-dts-rockchip-remove-hdmi-s-2nd-interrupt-on-rk.patch [new file with mode: 0644]
queue-5.15/can-c_can-fix-rx-tx-_errors-statistics.patch [new file with mode: 0644]
queue-5.15/hid-core-zero-initialize-the-report-buffer.patch [new file with mode: 0644]
queue-5.15/i40e-fix-race-condition-by-adding-filter-s-intermedi.patch [new file with mode: 0644]
queue-5.15/net-arc-fix-the-device-for-dma_map_single-dma_unmap_.patch [new file with mode: 0644]
queue-5.15/net-enetc-set-mac-address-to-the-vf-net_device.patch [new file with mode: 0644]
queue-5.15/net-hns3-fix-kernel-crash-when-uninstalling-driver.patch [new file with mode: 0644]
queue-5.15/net-phy-ti-add-phy_rst_after_clk_en-flag.patch [new file with mode: 0644]
queue-5.15/net-stmmac-fix-unbalanced-irq-wake-disable-warning-o.patch [new file with mode: 0644]
queue-5.15/nfs-add-a-tracepoint-to-show-the-results-of-nfs_set_.patch [new file with mode: 0644]
queue-5.15/nfs-avoid-i_lock-contention-in-nfs_clear_invalid_map.patch [new file with mode: 0644]
queue-5.15/nfsv3-handle-out-of-order-write-replies.patch [new file with mode: 0644]
queue-5.15/nfsv3-only-use-nfs-timeout-for-mount-when-protocols-.patch [new file with mode: 0644]
queue-5.15/sctp-properly-validate-chunk-size-in-sctp_sf_ootb.patch [new file with mode: 0644]
queue-5.15/security-keys-fix-slab-out-of-bounds-in-key_task_per.patch [new file with mode: 0644]
queue-5.15/series

diff --git a/queue-5.15/arm-dts-rockchip-drop-grf-reference-from-rk3036-hdmi.patch b/queue-5.15/arm-dts-rockchip-drop-grf-reference-from-rk3036-hdmi.patch
new file mode 100644 (file)
index 0000000..a8a29a7
--- /dev/null
@@ -0,0 +1,39 @@
+From c9c8555da3d5f79c512e19934b6e7139974ee272 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 22:39:38 +0200
+Subject: ARM: dts: rockchip: drop grf reference from rk3036 hdmi
+
+From: Heiko Stuebner <heiko@sntech.de>
+
+[ Upstream commit 1580ccb6ed9dc76b8ff3e2d8912e8215c8b0fa6d ]
+
+Neither the binding nor the driver implementation specify/use the grf
+reference provided in the rk3036. And neither does the newer rk3128
+user of the hdmi controller. So drop the rockchip,grf property.
+
+Fixes: b7217cf19c63 ("ARM: dts: rockchip: add hdmi device node for rk3036")
+Cc: Caesar Wang <wxt@rock-chips.com>
+Reviewed-by: Dragan Simic <dsimic@manjaro.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://lore.kernel.org/r/20241008203940.2573684-13-heiko@sntech.de
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/rk3036.dtsi | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/rk3036.dtsi b/arch/arm/boot/dts/rk3036.dtsi
+index 4db4e19b22a1e..e0d4c71f109a7 100644
+--- a/arch/arm/boot/dts/rk3036.dtsi
++++ b/arch/arm/boot/dts/rk3036.dtsi
+@@ -398,7 +398,6 @@
+               interrupts = <GIC_SPI 45 IRQ_TYPE_LEVEL_HIGH>;
+               clocks = <&cru  PCLK_HDMI>;
+               clock-names = "pclk";
+-              rockchip,grf = <&grf>;
+               pinctrl-names = "default";
+               pinctrl-0 = <&hdmi_ctl>;
+               status = "disabled";
+-- 
+2.43.0
+
diff --git a/queue-5.15/arm-dts-rockchip-fix-rk3036-acodec-node.patch b/queue-5.15/arm-dts-rockchip-fix-rk3036-acodec-node.patch
new file mode 100644 (file)
index 0000000..3ac1836
--- /dev/null
@@ -0,0 +1,49 @@
+From 7bfdecabcbc755ceec2c427a1d0a46589e26f4bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 22:39:37 +0200
+Subject: ARM: dts: rockchip: fix rk3036 acodec node
+
+From: Heiko Stuebner <heiko@sntech.de>
+
+[ Upstream commit c7206853cd7d31c52575fb1dc7616b4398f3bc8f ]
+
+The acodec node is not conformant to the binding.
+
+Set the correct nodename, use the correct compatible, add the needed
+#sound-dai-cells and sort the rockchip,grf below clocks properties
+as expected.
+
+Fixes: faea098e1808 ("ARM: dts: rockchip: add core rk3036 dtsi")
+Reviewed-by: Dragan Simic <dsimic@manjaro.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://lore.kernel.org/r/20241008203940.2573684-12-heiko@sntech.de
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/rk3036.dtsi | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/boot/dts/rk3036.dtsi b/arch/arm/boot/dts/rk3036.dtsi
+index 0af1a86f9dc45..4db4e19b22a1e 100644
+--- a/arch/arm/boot/dts/rk3036.dtsi
++++ b/arch/arm/boot/dts/rk3036.dtsi
+@@ -382,12 +382,13 @@
+               };
+       };
+-      acodec: acodec-ana@20030000 {
+-              compatible = "rk3036-codec";
++      acodec: audio-codec@20030000 {
++              compatible = "rockchip,rk3036-codec";
+               reg = <0x20030000 0x4000>;
+-              rockchip,grf = <&grf>;
+               clock-names = "acodec_pclk";
+               clocks = <&cru PCLK_ACODEC>;
++              rockchip,grf = <&grf>;
++              #sound-dai-cells = <0>;
+               status = "disabled";
+       };
+-- 
+2.43.0
+
diff --git a/queue-5.15/arm-dts-rockchip-fix-the-realtek-audio-codec-on-rk30.patch b/queue-5.15/arm-dts-rockchip-fix-the-realtek-audio-codec-on-rk30.patch
new file mode 100644 (file)
index 0000000..bd295c3
--- /dev/null
@@ -0,0 +1,41 @@
+From 86a3ec6bff49f84a3247921a8aa1b0e063561fb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 22:39:40 +0200
+Subject: ARM: dts: rockchip: Fix the realtek audio codec on rk3036-kylin
+
+From: Heiko Stuebner <heiko@sntech.de>
+
+[ Upstream commit 77a9a7f2d3b94d29d13d71b851114d593a2147cf ]
+
+Both the node name as well as the compatible were not named
+according to the binding expectations, fix that.
+
+Fixes: 47bf3a5c9e2a ("ARM: dts: rockchip: add the sound setup for rk3036-kylin board")
+Cc: Caesar Wang <wxt@rock-chips.com>
+Reviewed-by: Dragan Simic <dsimic@manjaro.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://lore.kernel.org/r/20241008203940.2573684-15-heiko@sntech.de
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/rk3036-kylin.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/rk3036-kylin.dts b/arch/arm/boot/dts/rk3036-kylin.dts
+index e817eba8c622b..0c8cd25d0ba5c 100644
+--- a/arch/arm/boot/dts/rk3036-kylin.dts
++++ b/arch/arm/boot/dts/rk3036-kylin.dts
+@@ -300,8 +300,8 @@
+ &i2c2 {
+       status = "okay";
+-      rt5616: rt5616@1b {
+-              compatible = "rt5616";
++      rt5616: audio-codec@1b {
++              compatible = "realtek,rt5616";
+               reg = <0x1b>;
+               clocks = <&cru SCLK_I2S_OUT>;
+               clock-names = "mclk";
+-- 
+2.43.0
+
diff --git a/queue-5.15/arm-dts-rockchip-fix-the-spi-controller-on-rk3036.patch b/queue-5.15/arm-dts-rockchip-fix-the-spi-controller-on-rk3036.patch
new file mode 100644 (file)
index 0000000..9113164
--- /dev/null
@@ -0,0 +1,48 @@
+From 50b270c466d26687e03b1659642e033438698545 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 22:39:39 +0200
+Subject: ARM: dts: rockchip: Fix the spi controller on rk3036
+
+From: Heiko Stuebner <heiko@sntech.de>
+
+[ Upstream commit 8bade1ad1f0821aef31f6a8fb1027ae292566d85 ]
+
+Compatible and clock names did not match the existing binding.
+So set the correct values and re-order+rename the clocks.
+
+It looks like no rk3036 board did use the spi controller so far,
+so this was never detected on a running device yet.
+
+Fixes: f629fcfab2cd ("ARM: dts: rockchip: support the spi for rk3036")
+Cc: Caesar Wang <wxt@rock-chips.com>
+Reviewed-by: Dragan Simic <dsimic@manjaro.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://lore.kernel.org/r/20241008203940.2573684-14-heiko@sntech.de
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/rk3036.dtsi | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/boot/dts/rk3036.dtsi b/arch/arm/boot/dts/rk3036.dtsi
+index e0d4c71f109a7..d7a86f21cf23f 100644
+--- a/arch/arm/boot/dts/rk3036.dtsi
++++ b/arch/arm/boot/dts/rk3036.dtsi
+@@ -550,11 +550,11 @@
+       };
+       spi: spi@20074000 {
+-              compatible = "rockchip,rockchip-spi";
++              compatible = "rockchip,rk3036-spi";
+               reg = <0x20074000 0x1000>;
+               interrupts = <GIC_SPI 23 IRQ_TYPE_LEVEL_HIGH>;
+-              clocks = <&cru PCLK_SPI>, <&cru SCLK_SPI>;
+-              clock-names = "apb-pclk","spi_pclk";
++              clocks = <&cru SCLK_SPI>, <&cru PCLK_SPI>;
++              clock-names = "spiclk", "apb_pclk";
+               dmas = <&pdma 8>, <&pdma 9>;
+               dma-names = "tx", "rx";
+               pinctrl-names = "default";
+-- 
+2.43.0
+
diff --git a/queue-5.15/arm64-dts-imx8mp-correct-sdhc-ipg-clk.patch b/queue-5.15/arm64-dts-imx8mp-correct-sdhc-ipg-clk.patch
new file mode 100644 (file)
index 0000000..2c47df8
--- /dev/null
@@ -0,0 +1,55 @@
+From 2cb7440332eb941684378c4539971064dd75e5d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Oct 2024 10:52:21 +0800
+Subject: arm64: dts: imx8mp: correct sdhc ipg clk
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit eab6ba2aa3bbaf598a66e31f709bf84b7bb7dc8a ]
+
+The ipg clk for sdhc sources from IPG_CLK_ROOT per i.MX 8M Plus
+Applications Processor Reference Manual, Table 5-2. System Clocks.
+
+Fixes: 6d9b8d20431f ("arm64: dts: freescale: Add i.MX8MP dtsi support")
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mp.dtsi | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mp.dtsi b/arch/arm64/boot/dts/freescale/imx8mp.dtsi
+index 4e8cde8972e82..b5130e7be8263 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mp.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mp.dtsi
+@@ -740,7 +740,7 @@
+                               compatible = "fsl,imx8mp-usdhc", "fsl,imx7d-usdhc";
+                               reg = <0x30b40000 0x10000>;
+                               interrupts = <GIC_SPI 22 IRQ_TYPE_LEVEL_HIGH>;
+-                              clocks = <&clk IMX8MP_CLK_DUMMY>,
++                              clocks = <&clk IMX8MP_CLK_IPG_ROOT>,
+                                        <&clk IMX8MP_CLK_NAND_USDHC_BUS>,
+                                        <&clk IMX8MP_CLK_USDHC1_ROOT>;
+                               clock-names = "ipg", "ahb", "per";
+@@ -754,7 +754,7 @@
+                               compatible = "fsl,imx8mp-usdhc", "fsl,imx7d-usdhc";
+                               reg = <0x30b50000 0x10000>;
+                               interrupts = <GIC_SPI 23 IRQ_TYPE_LEVEL_HIGH>;
+-                              clocks = <&clk IMX8MP_CLK_DUMMY>,
++                              clocks = <&clk IMX8MP_CLK_IPG_ROOT>,
+                                        <&clk IMX8MP_CLK_NAND_USDHC_BUS>,
+                                        <&clk IMX8MP_CLK_USDHC2_ROOT>;
+                               clock-names = "ipg", "ahb", "per";
+@@ -768,7 +768,7 @@
+                               compatible = "fsl,imx8mp-usdhc", "fsl,imx7d-usdhc";
+                               reg = <0x30b60000 0x10000>;
+                               interrupts = <GIC_SPI 24 IRQ_TYPE_LEVEL_HIGH>;
+-                              clocks = <&clk IMX8MP_CLK_DUMMY>,
++                              clocks = <&clk IMX8MP_CLK_IPG_ROOT>,
+                                        <&clk IMX8MP_CLK_NAND_USDHC_BUS>,
+                                        <&clk IMX8MP_CLK_USDHC3_ROOT>;
+                               clock-names = "ipg", "ahb", "per";
+-- 
+2.43.0
+
diff --git a/queue-5.15/arm64-dts-rockchip-fix-bluetooth-properties-on-rock9.patch b/queue-5.15/arm64-dts-rockchip-fix-bluetooth-properties-on-rock9.patch
new file mode 100644 (file)
index 0000000..f83057e
--- /dev/null
@@ -0,0 +1,41 @@
+From f62f60069ad46682722bc372c80e5c6b5cf0643b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 22:39:30 +0200
+Subject: arm64: dts: rockchip: Fix bluetooth properties on Rock960 boards
+
+From: Heiko Stuebner <heiko@sntech.de>
+
+[ Upstream commit ea74528aaea5a1dfc8e3de09ef2af37530eca526 ]
+
+The expected clock-name is different, and extclk also is deprecated
+in favor of txco for clocks that are not crystals.
+
+So fix it to match the binding.
+
+Fixes: c72235c288c8 ("arm64: dts: rockchip: Add on-board WiFi/BT support for Rock960 boards")
+Cc: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Reviewed-by: Dragan Simic <dsimic@manjaro.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://lore.kernel.org/r/20241008203940.2573684-5-heiko@sntech.de
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-rock960.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-rock960.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-rock960.dtsi
+index 25dc61c26a943..68d59394a9304 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-rock960.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399-rock960.dtsi
+@@ -574,7 +574,7 @@
+       bluetooth {
+               compatible = "brcm,bcm43438-bt";
+               clocks = <&rk808 1>;
+-              clock-names = "ext_clock";
++              clock-names = "txco";
+               device-wakeup-gpios = <&gpio2 RK_PD3 GPIO_ACTIVE_HIGH>;
+               host-wakeup-gpios = <&gpio0 RK_PA4 GPIO_ACTIVE_HIGH>;
+               shutdown-gpios = <&gpio0 RK_PB1 GPIO_ACTIVE_HIGH>;
+-- 
+2.43.0
+
diff --git a/queue-5.15/arm64-dts-rockchip-fix-led-triggers-on-rk3308-roc-cc.patch b/queue-5.15/arm64-dts-rockchip-fix-led-triggers-on-rk3308-roc-cc.patch
new file mode 100644 (file)
index 0000000..b0cbc1a
--- /dev/null
@@ -0,0 +1,52 @@
+From 4cbb92432d152273ee5061400d742d13a9503b1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 22:39:33 +0200
+Subject: arm64: dts: rockchip: Fix LED triggers on rk3308-roc-cc
+
+From: Heiko Stuebner <heiko@sntech.de>
+
+[ Upstream commit 3a53a7187f41ec3db12cf4c2cb0db4ba87c2f3a1 ]
+
+There are two LEDs on the board, power and user events.
+Currently both are assigned undocumented IR(-remote)
+triggers that are probably only part of the vendor-kernel.
+
+To make dtbs check happier, assign the power-led to a generic
+default-on trigger and the user led to the documented rc-feedback
+trigger that should mostly match its current usage.
+
+Fixes: 4403e1237be3 ("arm64: dts: rockchip: Add devicetree for board roc-rk3308-cc")
+Cc: Andy Yan <andy.yan@rock-chips.com>
+Reviewed-by: Dragan Simic <dsimic@manjaro.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://lore.kernel.org/r/20241008203940.2573684-8-heiko@sntech.de
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3308-roc-cc.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3308-roc-cc.dts b/arch/arm64/boot/dts/rockchip/rk3308-roc-cc.dts
+index 7ea48167747c6..70aeca428b380 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3308-roc-cc.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3308-roc-cc.dts
+@@ -36,14 +36,14 @@
+               power_led: led-0 {
+                       label = "firefly:red:power";
+-                      linux,default-trigger = "ir-power-click";
++                      linux,default-trigger = "default-on";
+                       default-state = "on";
+                       gpios = <&gpio0 RK_PA6 GPIO_ACTIVE_HIGH>;
+               };
+               user_led: led-1 {
+                       label = "firefly:blue:user";
+-                      linux,default-trigger = "ir-user-click";
++                      linux,default-trigger = "rc-feedback";
+                       default-state = "off";
+                       gpios = <&gpio0 RK_PB2 GPIO_ACTIVE_HIGH>;
+               };
+-- 
+2.43.0
+
diff --git a/queue-5.15/arm64-dts-rockchip-fix-rt5651-compatible-value-on-rk.patch b/queue-5.15/arm64-dts-rockchip-fix-rt5651-compatible-value-on-rk.patch
new file mode 100644 (file)
index 0000000..10de51a
--- /dev/null
@@ -0,0 +1,39 @@
+From 5a92060877ec567f76783ba31a99a47e11c710cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Sep 2024 15:48:41 +0200
+Subject: arm64: dts: rockchip: Fix rt5651 compatible value on
+ rk3399-sapphire-excavator
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 577b5761679da90e691acc939ebbe7879fff5f31 ]
+
+There are no DT bindings and driver support for a "rockchip,rt5651"
+codec.  Replace "rockchip,rt5651" by "realtek,rt5651", which matches the
+"simple-audio-card,name" property in the "rt5651-sound" node.
+
+Fixes: 0a3c78e251b3a266 ("arm64: dts: rockchip: Add support for rk3399 excavator main board")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/abc6c89811b3911785601d6d590483eacb145102.1727358193.git.geert+renesas@glider.be
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-sapphire-excavator.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-sapphire-excavator.dts b/arch/arm64/boot/dts/rockchip/rk3399-sapphire-excavator.dts
+index f6b2199a42bda..3b168da34617b 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-sapphire-excavator.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3399-sapphire-excavator.dts
+@@ -163,7 +163,7 @@
+       status = "okay";
+       rt5651: rt5651@1a {
+-              compatible = "rockchip,rt5651";
++              compatible = "realtek,rt5651";
+               reg = <0x1a>;
+               clocks = <&cru SCLK_I2S_8CH_OUT>;
+               clock-names = "mclk";
+-- 
+2.43.0
+
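Review bot: The codec node keeps the device-specific name `rt5651@1a`; only the compatible string is corrected. The rk3036-kylin patch in this same queue renames its codec node to the generic `audio-codec@1b`. For consistency the line could read `rt5651: audio-codec@1a {`, keeping the `rt5651:` label so existing phandle references still resolve. This is a naming point only and is better raised upstream than changed in the backport. The node body continues outside the hunk.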
diff --git a/queue-5.15/arm64-dts-rockchip-remove-cooling-cells-from-fan-on-.patch b/queue-5.15/arm64-dts-rockchip-remove-cooling-cells-from-fan-on-.patch
new file mode 100644 (file)
index 0000000..00ed383
--- /dev/null
@@ -0,0 +1,52 @@
+From 65c79fd115f4abb4909c64f8b1790307fb99a2c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 22:39:32 +0200
+Subject: arm64: dts: rockchip: Remove #cooling-cells from fan on Theobroma
+ lion
+
+From: Heiko Stuebner <heiko@sntech.de>
+
+[ Upstream commit 5ed96580568c4f79a0aff11a67f10b3e9229ba86 ]
+
+All Theobroma boards use a ti,amc6821 as fan controller.
+It normally runs in an automatically controlled way and while it may be
+possible to use it as part of a dt-based thermal management, this is
+not yet specified in the binding, nor implemented in any kernel.
+
+Newer boards already don't contain that #cooling-cells property, but
+older ones do. So remove them for now, they can be re-added if thermal
+integration gets implemented in the future.
+
+There are two further occurences in v6.12-rc in px30-ringneck and
+rk3399-puma, but those already get removed by the i2c-mux conversion
+scheduled for 6.13 . As the undocumented property is in the kernel so
+long, I opted for not causing extra merge conflicts between 6.12 and 6.13
+
+Fixes: d99a02bcfa81 ("arm64: dts: rockchip: add RK3368-uQ7 (Lion) SoM")
+Cc: Quentin Schulz <quentin.schulz@theobroma-systems.com>
+Cc: Klaus Goger <klaus.goger@theobroma-systems.com>
+Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
+Reviewed-by: Dragan Simic <dsimic@manjaro.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://lore.kernel.org/r/20241008203940.2573684-7-heiko@sntech.de
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3368-lion.dtsi | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3368-lion.dtsi b/arch/arm64/boot/dts/rockchip/rk3368-lion.dtsi
+index bcd7977fb0f8e..6b28bfec8b4b6 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3368-lion.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3368-lion.dtsi
+@@ -60,7 +60,6 @@
+                       fan: fan@18 {
+                               compatible = "ti,amc6821";
+                               reg = <0x18>;
+-                              #cooling-cells = <2>;
+                       };
+                       rtc_twi: rtc@6f {
+-- 
+2.43.0
+
diff --git a/queue-5.15/arm64-dts-rockchip-remove-hdmi-s-2nd-interrupt-on-rk.patch b/queue-5.15/arm64-dts-rockchip-remove-hdmi-s-2nd-interrupt-on-rk.patch
new file mode 100644 (file)
index 0000000..89467be
--- /dev/null
@@ -0,0 +1,53 @@
+From 54bb4dd6cd9ed87b518119f4ce553fd93369c209 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 13:15:37 +0200
+Subject: arm64: dts: rockchip: Remove hdmi's 2nd interrupt on rk3328
+
+From: Diederik de Haas <didi.debian@cknow.org>
+
+[ Upstream commit de50a7e3681771c6b990238af82bf1dea9b11b21 ]
+
+The "synopsys,dw-hdmi.yaml" binding specifies that the interrupts
+property of the hdmi node has 'maxItems: 1', so the hdmi node in
+rk3328.dtsi having 2 is incorrect.
+
+Paragraph 1.3 ("System Interrupt connection") of the RK3328 TRM v1.1
+page 16 and 17 define the following hdmi related interrupts:
+-  67 hdmi_intr
+- 103 hdmi_intr_wakeup
+
+The difference of 32 is due to a different base used in the TRM.
+
+The RK3399 (which uses the same binding) has '23: hdmi_irq' and
+'24: hdmi_wakeup_irq' according to its TRM (page 19).
+The RK3568 (also same binding) has '76: hdmi_wakeup' and '77: hdmi'
+according to page 17 of its TRM.
+In both cases the non-wakeup IRQ was used, so use that too for rk3328.
+
+Helped-by: Heiko Stuebner <heiko@sntech.de>
+Fixes: 725e351c265a ("arm64: dts: rockchip: add rk3328 display nodes")
+Signed-off-by: Diederik de Haas <didi.debian@cknow.org>
+Link: https://lore.kernel.org/r/20241008113344.23957-3-didi.debian@cknow.org
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3328.dtsi | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3328.dtsi b/arch/arm64/boot/dts/rockchip/rk3328.dtsi
+index 21755dd5b4c45..f73cb7667baba 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3328.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3328.dtsi
+@@ -711,8 +711,7 @@
+               compatible = "rockchip,rk3328-dw-hdmi";
+               reg = <0x0 0xff3c0000 0x0 0x20000>;
+               reg-io-width = <4>;
+-              interrupts = <GIC_SPI 35 IRQ_TYPE_LEVEL_HIGH>,
+-                           <GIC_SPI 71 IRQ_TYPE_LEVEL_HIGH>;
++              interrupts = <GIC_SPI 35 IRQ_TYPE_LEVEL_HIGH>;
+               clocks = <&cru PCLK_HDMI>,
+                        <&cru SCLK_HDMI_SFC>,
+                        <&cru SCLK_RTC32K>;
+-- 
+2.43.0
+
diff --git a/queue-5.15/can-c_can-fix-rx-tx-_errors-statistics.patch b/queue-5.15/can-c_can-fix-rx-tx-_errors-statistics.patch
new file mode 100644 (file)
index 0000000..8503e1d
--- /dev/null
@@ -0,0 +1,71 @@
+From 4927858aafe593deb15a745da572d01e68eee844 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 15:53:13 +0200
+Subject: can: c_can: fix {rx,tx}_errors statistics
+
+From: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+
+[ Upstream commit 4d6d26537940f3b3e17138987ed9e4a334780bf7 ]
+
+The c_can_handle_bus_err() function was incorrectly incrementing only the
+receive error counter, even in cases of bit or acknowledgment errors that
+occur during transmission. The patch fixes the issue by incrementing the
+appropriate counter based on the type of error.
+
+Fixes: 881ff67ad450 ("can: c_can: Added support for Bosch C_CAN controller")
+Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+Link: https://patch.msgid.link/20241014135319.2009782-1-dario.binacchi@amarulasolutions.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/c_can/c_can_main.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/c_can/c_can_main.c b/drivers/net/can/c_can/c_can_main.c
+index e04d4e7cc8683..8ab43f1272bd9 100644
+--- a/drivers/net/can/c_can/c_can_main.c
++++ b/drivers/net/can/c_can/c_can_main.c
+@@ -1022,7 +1022,6 @@ static int c_can_handle_bus_err(struct net_device *dev,
+       /* common for all type of bus errors */
+       priv->can.can_stats.bus_error++;
+-      stats->rx_errors++;
+       /* propagate the error condition to the CAN stack */
+       skb = alloc_can_err_skb(dev, &cf);
+@@ -1038,26 +1037,32 @@ static int c_can_handle_bus_err(struct net_device *dev,
+       case LEC_STUFF_ERROR:
+               netdev_dbg(dev, "stuff error\n");
+               cf->data[2] |= CAN_ERR_PROT_STUFF;
++              stats->rx_errors++;
+               break;
+       case LEC_FORM_ERROR:
+               netdev_dbg(dev, "form error\n");
+               cf->data[2] |= CAN_ERR_PROT_FORM;
++              stats->rx_errors++;
+               break;
+       case LEC_ACK_ERROR:
+               netdev_dbg(dev, "ack error\n");
+               cf->data[3] = CAN_ERR_PROT_LOC_ACK;
++              stats->tx_errors++;
+               break;
+       case LEC_BIT1_ERROR:
+               netdev_dbg(dev, "bit1 error\n");
+               cf->data[2] |= CAN_ERR_PROT_BIT1;
++              stats->tx_errors++;
+               break;
+       case LEC_BIT0_ERROR:
+               netdev_dbg(dev, "bit0 error\n");
+               cf->data[2] |= CAN_ERR_PROT_BIT0;
++              stats->tx_errors++;
+               break;
+       case LEC_CRC_ERROR:
+               netdev_dbg(dev, "CRC error\n");
+               cf->data[3] = CAN_ERR_PROT_LOC_CRC_SEQ;
++              stats->rx_errors++;
+               break;
+       default:
+               break;
+-- 
+2.43.0
+
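Review bot: Now that `stats->rx_errors++` has moved from the common path into the individual `case` arms of the second hunk, a bus error that lands in `default:` increments neither `rx_errors` nor `tx_errors`. Before this change it was always counted. The code between the two hunks is not shown; if it returns early when `alloc_can_err_skb()` fails, the per-direction counters are also skipped under memory pressure, because they now sit after that allocation. Consider keeping the switch reachable without an skb and guarding only the frame writes, e.g. `if (likely(skb)) cf->data[2] |= CAN_ERR_PROT_STUFF;`, so that monitoring of the interface statistics stays accurate. c_can_handle_bus_err() starts and ends outside both hunks.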
diff --git a/queue-5.15/hid-core-zero-initialize-the-report-buffer.patch b/queue-5.15/hid-core-zero-initialize-the-report-buffer.patch
new file mode 100644 (file)
index 0000000..2b2dd2a
--- /dev/null
@@ -0,0 +1,41 @@
+From 22955e1e2d7cfd0629d38e1b12885c8842c3210e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2024 15:44:35 +0100
+Subject: HID: core: zero-initialize the report buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jiri Kosina <jkosina@suse.com>
+
+[ Upstream commit 177f25d1292c7e16e1199b39c85480f7f8815552 ]
+
+Since the report buffer is used by all kinds of drivers in various ways, let's
+zero-initialize it during allocation to make sure that it can't be ever used
+to leak kernel memory via specially-crafted report.
+
+Fixes: 27ce405039bf ("HID: fix data access in implement()")
+Reported-by: Benoît Sevens <bsevens@google.com>
+Acked-by: Benjamin Tissoires <bentiss@kernel.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index 15f4a80477974..07c2e5e38fcba 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1664,7 +1664,7 @@ u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags)
+       u32 len = hid_report_len(report) + 7;
+-      return kmalloc(len, flags);
++      return kzalloc(len, flags);
+ }
+ EXPORT_SYMBOL_GPL(hid_alloc_report_buf);
+-- 
+2.43.0
+
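Review bot: The switch to `kzalloc()` in hid_alloc_report_buf() has no comment marking the zeroing as a security property, so a later cleanup could turn it back into `kmalloc()` as a micro-optimisation. I would add above the return: `/* Must be zeroed: bytes a driver never writes would otherwise expose stale heap data through the report. */`. The function's opening lines are outside the hunk, so an existing comment there may already explain the `+ 7` padding; judging from the commit message, it does not explain the zeroing. Report buffers that drivers allocate without this helper are not covered by the change, which cannot be checked from this page.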
diff --git a/queue-5.15/i40e-fix-race-condition-by-adding-filter-s-intermedi.patch b/queue-5.15/i40e-fix-race-condition-by-adding-filter-s-intermedi.patch
new file mode 100644 (file)
index 0000000..e7730a7
--- /dev/null
@@ -0,0 +1,134 @@
+From fcdd92095533afcb85f23bc3125d18eaf51e6601 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2024 11:30:11 +0200
+Subject: i40e: fix race condition by adding filter's intermediate sync state
+
+From: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+
+[ Upstream commit f30490e9695ef7da3d0899c6a0293cc7cd373567 ]
+
+Fix a race condition in the i40e driver that leads to MAC/VLAN filters
+becoming corrupted and leaking. Address the issue that occurs under
+heavy load when multiple threads are concurrently modifying MAC/VLAN
+filters by setting mac and port VLAN.
+
+1. Thread T0 allocates a filter in i40e_add_filter() within
+        i40e_ndo_set_vf_port_vlan().
+2. Thread T1 concurrently frees the filter in __i40e_del_filter() within
+        i40e_ndo_set_vf_mac().
+3. Subsequently, i40e_service_task() calls i40e_sync_vsi_filters(), which
+        refers to the already freed filter memory, causing corruption.
+
+Reproduction steps:
+1. Spawn multiple VFs.
+2. Apply a concurrent heavy load by running parallel operations to change
+        MAC addresses on the VFs and change port VLANs on the host.
+3. Observe errors in dmesg:
+"Error I40E_AQ_RC_ENOSPC adding RX filters on VF XX,
+       please set promiscuous on manually for VF XX".
+
+Exact code for stable reproduction Intel can't open-source now.
+
+The fix involves implementing a new intermediate filter state,
+I40E_FILTER_NEW_SYNC, for the time when a filter is on a tmp_add_list.
+These filters cannot be deleted from the hash list directly but
+must be removed using the full process.
+
+Fixes: 278e7d0b9d68 ("i40e: store MAC/VLAN filters in a hash with the MAC Address as key")
+Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Reviewed-by: Michal Schmidt <mschmidt@redhat.com>
+Tested-by: Michal Schmidt <mschmidt@redhat.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e.h         |  1 +
+ drivers/net/ethernet/intel/i40e/i40e_debugfs.c |  1 +
+ drivers/net/ethernet/intel/i40e/i40e_main.c    | 12 ++++++++++--
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h
+index a05103e2fb522..a143440f3db62 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e.h
++++ b/drivers/net/ethernet/intel/i40e/i40e.h
+@@ -776,6 +776,7 @@ enum i40e_filter_state {
+       I40E_FILTER_ACTIVE,             /* Added to switch by FW */
+       I40E_FILTER_FAILED,             /* Rejected by FW */
+       I40E_FILTER_REMOVE,             /* To be removed */
++      I40E_FILTER_NEW_SYNC,           /* New, not sent yet, is in i40e_sync_vsi_filters() */
+ /* There is no 'removed' state; the filter struct is freed */
+ };
+ struct i40e_mac_filter {
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c
+index 7c5f874ef335a..503818f0714d4 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c
+@@ -105,6 +105,7 @@ static char *i40e_filter_state_string[] = {
+       "ACTIVE",
+       "FAILED",
+       "REMOVE",
++      "NEW_SYNC",
+ };
+ /**
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index c1f21713ab8d1..bc5da0b8648c1 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -1233,6 +1233,7 @@ int i40e_count_filters(struct i40e_vsi *vsi)
+       hash_for_each_safe(vsi->mac_filter_hash, bkt, h, f, hlist) {
+               if (f->state == I40E_FILTER_NEW ||
++                  f->state == I40E_FILTER_NEW_SYNC ||
+                   f->state == I40E_FILTER_ACTIVE)
+                       ++cnt;
+       }
+@@ -1419,6 +1420,8 @@ static int i40e_correct_mac_vlan_filters(struct i40e_vsi *vsi,
+                       new->f = add_head;
+                       new->state = add_head->state;
++                      if (add_head->state == I40E_FILTER_NEW)
++                              add_head->state = I40E_FILTER_NEW_SYNC;
+                       /* Add the new filter to the tmp list */
+                       hlist_add_head(&new->hlist, tmp_add_list);
+@@ -1528,6 +1531,8 @@ static int i40e_correct_vf_mac_vlan_filters(struct i40e_vsi *vsi,
+                               return -ENOMEM;
+                       new_mac->f = add_head;
+                       new_mac->state = add_head->state;
++                      if (add_head->state == I40E_FILTER_NEW)
++                              add_head->state = I40E_FILTER_NEW_SYNC;
+                       /* Add the new filter to the tmp list */
+                       hlist_add_head(&new_mac->hlist, tmp_add_list);
+@@ -2417,7 +2422,8 @@ static int
+ i40e_aqc_broadcast_filter(struct i40e_vsi *vsi, const char *vsi_name,
+                         struct i40e_mac_filter *f)
+ {
+-      bool enable = f->state == I40E_FILTER_NEW;
++      bool enable = f->state == I40E_FILTER_NEW ||
++                    f->state == I40E_FILTER_NEW_SYNC;
+       struct i40e_hw *hw = &vsi->back->hw;
+       int aq_ret;
+@@ -2591,6 +2597,7 @@ int i40e_sync_vsi_filters(struct i40e_vsi *vsi)
+                               /* Add it to the hash list */
+                               hlist_add_head(&new->hlist, &tmp_add_list);
++                              f->state = I40E_FILTER_NEW_SYNC;
+                       }
+                       /* Count the number of active (current and new) VLAN
+@@ -2742,7 +2749,8 @@ int i40e_sync_vsi_filters(struct i40e_vsi *vsi)
+               spin_lock_bh(&vsi->mac_filter_hash_lock);
+               hlist_for_each_entry_safe(new, h, &tmp_add_list, hlist) {
+                       /* Only update the state if we're still NEW */
+-                      if (new->f->state == I40E_FILTER_NEW)
++                      if (new->f->state == I40E_FILTER_NEW ||
++                          new->f->state == I40E_FILTER_NEW_SYNC)
+                               new->f->state = new->state;
+                       hlist_del(&new->hlist);
+                       netdev_hw_addr_refcnt(new->f, vsi->netdev, -1);
+-- 
+2.43.0
+
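Review bot: The context comment `/* Only update the state if we're still NEW */` in the last i40e_sync_vsi_filters() hunk no longer matches the condition under it, which now also accepts `I40E_FILTER_NEW_SYNC`; it should read `/* Only update the state if we're still NEW or NEW_SYNC */`. The enum comment on `I40E_FILTER_NEW_SYNC` would be more useful if it stated the invariant from the commit message, e.g. `/* New, on tmp_add_list of i40e_sync_vsi_filters(); must not be freed directly */`. The delete path that has to honour that invariant is not touched by this patch, so the protection appears to rely on that path not matching the new state, which is worth a comment there as well. All touched functions begin and end outside their hunks.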
diff --git a/queue-5.15/net-arc-fix-the-device-for-dma_map_single-dma_unmap_.patch b/queue-5.15/net-arc-fix-the-device-for-dma_map_single-dma_unmap_.patch
new file mode 100644 (file)
index 0000000..159d705
--- /dev/null
@@ -0,0 +1,154 @@
+From 7e2a5f21cda42173332e14514a36b33f1462de38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Nov 2024 21:01:38 +0800
+Subject: net: arc: fix the device for dma_map_single/dma_unmap_single
+
+From: Johan Jonker <jbx6244@gmail.com>
+
+[ Upstream commit 71803c1dfa29e0d13b99e48fda11107cc8caebc7 ]
+
+The ndev->dev and pdev->dev aren't the same device, use ndev->dev.parent
+which has dma_mask, ndev->dev.parent is just pdev->dev.
+Or it would cause the following issue:
+
+[   39.933526] ------------[ cut here ]------------
+[   39.938414] WARNING: CPU: 1 PID: 501 at kernel/dma/mapping.c:149 dma_map_page_attrs+0x90/0x1f8
+
+Fixes: f959dcd6ddfd ("dma-direct: Fix potential NULL pointer dereference")
+Signed-off-by: David Wu <david.wu@rock-chips.com>
+Signed-off-by: Johan Jonker <jbx6244@gmail.com>
+Signed-off-by: Andy Yan <andy.yan@rock-chips.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/arc/emac_main.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/arc/emac_main.c b/drivers/net/ethernet/arc/emac_main.c
+index 333333692caa5..bafa63e5ce252 100644
+--- a/drivers/net/ethernet/arc/emac_main.c
++++ b/drivers/net/ethernet/arc/emac_main.c
+@@ -111,6 +111,7 @@ static void arc_emac_tx_clean(struct net_device *ndev)
+ {
+       struct arc_emac_priv *priv = netdev_priv(ndev);
+       struct net_device_stats *stats = &ndev->stats;
++      struct device *dev = ndev->dev.parent;
+       unsigned int i;
+       for (i = 0; i < TX_BD_NUM; i++) {
+@@ -140,7 +141,7 @@ static void arc_emac_tx_clean(struct net_device *ndev)
+                       stats->tx_bytes += skb->len;
+               }
+-              dma_unmap_single(&ndev->dev, dma_unmap_addr(tx_buff, addr),
++              dma_unmap_single(dev, dma_unmap_addr(tx_buff, addr),
+                                dma_unmap_len(tx_buff, len), DMA_TO_DEVICE);
+               /* return the sk_buff to system */
+@@ -174,6 +175,7 @@ static void arc_emac_tx_clean(struct net_device *ndev)
+ static int arc_emac_rx(struct net_device *ndev, int budget)
+ {
+       struct arc_emac_priv *priv = netdev_priv(ndev);
++      struct device *dev = ndev->dev.parent;
+       unsigned int work_done;
+       for (work_done = 0; work_done < budget; work_done++) {
+@@ -223,9 +225,9 @@ static int arc_emac_rx(struct net_device *ndev, int budget)
+                       continue;
+               }
+-              addr = dma_map_single(&ndev->dev, (void *)skb->data,
++              addr = dma_map_single(dev, (void *)skb->data,
+                                     EMAC_BUFFER_SIZE, DMA_FROM_DEVICE);
+-              if (dma_mapping_error(&ndev->dev, addr)) {
++              if (dma_mapping_error(dev, addr)) {
+                       if (net_ratelimit())
+                               netdev_err(ndev, "cannot map dma buffer\n");
+                       dev_kfree_skb(skb);
+@@ -237,7 +239,7 @@ static int arc_emac_rx(struct net_device *ndev, int budget)
+               }
+               /* unmap previosly mapped skb */
+-              dma_unmap_single(&ndev->dev, dma_unmap_addr(rx_buff, addr),
++              dma_unmap_single(dev, dma_unmap_addr(rx_buff, addr),
+                                dma_unmap_len(rx_buff, len), DMA_FROM_DEVICE);
+               pktlen = info & LEN_MASK;
+@@ -423,6 +425,7 @@ static int arc_emac_open(struct net_device *ndev)
+ {
+       struct arc_emac_priv *priv = netdev_priv(ndev);
+       struct phy_device *phy_dev = ndev->phydev;
++      struct device *dev = ndev->dev.parent;
+       int i;
+       phy_dev->autoneg = AUTONEG_ENABLE;
+@@ -445,9 +448,9 @@ static int arc_emac_open(struct net_device *ndev)
+               if (unlikely(!rx_buff->skb))
+                       return -ENOMEM;
+-              addr = dma_map_single(&ndev->dev, (void *)rx_buff->skb->data,
++              addr = dma_map_single(dev, (void *)rx_buff->skb->data,
+                                     EMAC_BUFFER_SIZE, DMA_FROM_DEVICE);
+-              if (dma_mapping_error(&ndev->dev, addr)) {
++              if (dma_mapping_error(dev, addr)) {
+                       netdev_err(ndev, "cannot dma map\n");
+                       dev_kfree_skb(rx_buff->skb);
+                       return -ENOMEM;
+@@ -548,6 +551,7 @@ static void arc_emac_set_rx_mode(struct net_device *ndev)
+ static void arc_free_tx_queue(struct net_device *ndev)
+ {
+       struct arc_emac_priv *priv = netdev_priv(ndev);
++      struct device *dev = ndev->dev.parent;
+       unsigned int i;
+       for (i = 0; i < TX_BD_NUM; i++) {
+@@ -555,7 +559,7 @@ static void arc_free_tx_queue(struct net_device *ndev)
+               struct buffer_state *tx_buff = &priv->tx_buff[i];
+               if (tx_buff->skb) {
+-                      dma_unmap_single(&ndev->dev,
++                      dma_unmap_single(dev,
+                                        dma_unmap_addr(tx_buff, addr),
+                                        dma_unmap_len(tx_buff, len),
+                                        DMA_TO_DEVICE);
+@@ -579,6 +583,7 @@ static void arc_free_tx_queue(struct net_device *ndev)
+ static void arc_free_rx_queue(struct net_device *ndev)
+ {
+       struct arc_emac_priv *priv = netdev_priv(ndev);
++      struct device *dev = ndev->dev.parent;
+       unsigned int i;
+       for (i = 0; i < RX_BD_NUM; i++) {
+@@ -586,7 +591,7 @@ static void arc_free_rx_queue(struct net_device *ndev)
+               struct buffer_state *rx_buff = &priv->rx_buff[i];
+               if (rx_buff->skb) {
+-                      dma_unmap_single(&ndev->dev,
++                      dma_unmap_single(dev,
+                                        dma_unmap_addr(rx_buff, addr),
+                                        dma_unmap_len(rx_buff, len),
+                                        DMA_FROM_DEVICE);
+@@ -679,6 +684,7 @@ static netdev_tx_t arc_emac_tx(struct sk_buff *skb, struct net_device *ndev)
+       unsigned int len, *txbd_curr = &priv->txbd_curr;
+       struct net_device_stats *stats = &ndev->stats;
+       __le32 *info = &priv->txbd[*txbd_curr].info;
++      struct device *dev = ndev->dev.parent;
+       dma_addr_t addr;
+       if (skb_padto(skb, ETH_ZLEN))
+@@ -692,10 +698,9 @@ static netdev_tx_t arc_emac_tx(struct sk_buff *skb, struct net_device *ndev)
+               return NETDEV_TX_BUSY;
+       }
+-      addr = dma_map_single(&ndev->dev, (void *)skb->data, len,
+-                            DMA_TO_DEVICE);
++      addr = dma_map_single(dev, (void *)skb->data, len, DMA_TO_DEVICE);
+-      if (unlikely(dma_mapping_error(&ndev->dev, addr))) {
++      if (unlikely(dma_mapping_error(dev, addr))) {
+               stats->tx_dropped++;
+               stats->tx_errors++;
+               dev_kfree_skb_any(skb);
+-- 
+2.43.0
+
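Review bot: None of the six new `struct device *dev = ndev->dev.parent;` declarations says why the parent is used, and the reason given in the commit message (the parent is the device that has the dma_mask) is easy to lose in a later refactor. A comment at the first one, in arc_emac_tx_clean(), would do: `/* DMA API calls must use the parent (platform) device, which has the dma_mask */`. The dereference also assumes the parent was set before any of these paths run. That assignment is not visible in these hunks, so it is worth confirming against the probe code. Each function body continues outside its hunk.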
diff --git a/queue-5.15/net-enetc-set-mac-address-to-the-vf-net_device.patch b/queue-5.15/net-enetc-set-mac-address-to-the-vf-net_device.patch
new file mode 100644 (file)
index 0000000..7f4bb7e
--- /dev/null
@@ -0,0 +1,66 @@
+From 8ace62f3cec58ace817ac9448d58d4b11e546514 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2024 17:04:06 +0800
+Subject: net: enetc: set MAC address to the VF net_device
+
+From: Wei Fang <wei.fang@nxp.com>
+
+[ Upstream commit badccd49b93bb945bf4e5cc8707db67cdc5e27e5 ]
+
+The MAC address of VF can be configured through the mailbox mechanism of
+ENETC, but the previous implementation forgot to set the MAC address in
+net_device, resulting in the SMAC of the sent frames still being the old
+MAC address. Since the MAC address in the hardware has been changed, Rx
+cannot receive frames with the DMAC address as the new MAC address. The
+most obvious phenomenon is that after changing the MAC address, we can
+see that the MAC address of eno0vf0 has not changed through the "ifconfig
+eno0vf0" command and the IP address cannot be obtained .
+
+root@ls1028ardb:~# ifconfig eno0vf0 down
+root@ls1028ardb:~# ifconfig eno0vf0 hw ether 00:04:9f:3a:4d:56 up
+root@ls1028ardb:~# ifconfig eno0vf0
+eno0vf0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
+        ether 66:36:2c:3b:87:76  txqueuelen 1000  (Ethernet)
+        RX packets 794  bytes 69239 (69.2 KB)
+        RX errors 0  dropped 0  overruns 0  frame 0
+        TX packets 11  bytes 2226 (2.2 KB)
+        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+
+Fixes: beb74ac878c8 ("enetc: Add vf to pf messaging support")
+Signed-off-by: Wei Fang <wei.fang@nxp.com>
+Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Claudiu Manoil <claudiu.manoil@nxp.com>
+Link: https://patch.msgid.link/20241029090406.841836-1-wei.fang@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/enetc/enetc_vf.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/freescale/enetc/enetc_vf.c b/drivers/net/ethernet/freescale/enetc/enetc_vf.c
+index acd4a3167ed6a..88dfcebf2b873 100644
+--- a/drivers/net/ethernet/freescale/enetc/enetc_vf.c
++++ b/drivers/net/ethernet/freescale/enetc/enetc_vf.c
+@@ -78,11 +78,18 @@ static int enetc_vf_set_mac_addr(struct net_device *ndev, void *addr)
+ {
+       struct enetc_ndev_priv *priv = netdev_priv(ndev);
+       struct sockaddr *saddr = addr;
++      int err;
+       if (!is_valid_ether_addr(saddr->sa_data))
+               return -EADDRNOTAVAIL;
+-      return enetc_msg_vsi_set_primary_mac_addr(priv, saddr);
++      err = enetc_msg_vsi_set_primary_mac_addr(priv, saddr);
++      if (err)
++              return err;
++
++      eth_hw_addr_set(ndev, saddr->sa_data);
++
++      return 0;
+ }
+ static int enetc_vf_set_features(struct net_device *ndev,
+-- 
+2.43.0
+
diff --git a/queue-5.15/net-hns3-fix-kernel-crash-when-uninstalling-driver.patch b/queue-5.15/net-hns3-fix-kernel-crash-when-uninstalling-driver.patch
new file mode 100644 (file)
index 0000000..6897619
--- /dev/null
@@ -0,0 +1,89 @@
+From 69fdacbc21aafd60232e43fc5e72ac65a2290ebf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Nov 2024 17:15:07 +0800
+Subject: net: hns3: fix kernel crash when uninstalling driver
+
+From: Peiyang Wang <wangpeiyang1@huawei.com>
+
+[ Upstream commit df3dff8ab6d79edc942464999d06fbaedf8cdd18 ]
+
+When the driver is uninstalled and the VF is disabled concurrently, a
+kernel crash occurs. The reason is that the two actions call function
+pci_disable_sriov(). The num_VFs is checked to determine whether to
+release the corresponding resources. During the second calling, num_VFs
+is not 0 and the resource release function is called. However, the
+corresponding resource has been released during the first invoking.
+Therefore, the problem occurs:
+
+[15277.839633][T50670] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
+...
+[15278.131557][T50670] Call trace:
+[15278.134686][T50670]  klist_put+0x28/0x12c
+[15278.138682][T50670]  klist_del+0x14/0x20
+[15278.142592][T50670]  device_del+0xbc/0x3c0
+[15278.146676][T50670]  pci_remove_bus_device+0x84/0x120
+[15278.151714][T50670]  pci_stop_and_remove_bus_device+0x6c/0x80
+[15278.157447][T50670]  pci_iov_remove_virtfn+0xb4/0x12c
+[15278.162485][T50670]  sriov_disable+0x50/0x11c
+[15278.166829][T50670]  pci_disable_sriov+0x24/0x30
+[15278.171433][T50670]  hnae3_unregister_ae_algo_prepare+0x60/0x90 [hnae3]
+[15278.178039][T50670]  hclge_exit+0x28/0xd0 [hclge]
+[15278.182730][T50670]  __se_sys_delete_module.isra.0+0x164/0x230
+[15278.188550][T50670]  __arm64_sys_delete_module+0x1c/0x30
+[15278.193848][T50670]  invoke_syscall+0x50/0x11c
+[15278.198278][T50670]  el0_svc_common.constprop.0+0x158/0x164
+[15278.203837][T50670]  do_el0_svc+0x34/0xcc
+[15278.207834][T50670]  el0_svc+0x20/0x30
+
+For details, see the following figure.
+
+     rmmod hclge              disable VFs
+----------------------------------------------------
+hclge_exit()            sriov_numvfs_store()
+  ...                     device_lock()
+  pci_disable_sriov()     hns3_pci_sriov_configure()
+                            pci_disable_sriov()
+                              sriov_disable()
+    sriov_disable()             if !num_VFs :
+      if !num_VFs :               return;
+        return;                 sriov_del_vfs()
+      sriov_del_vfs()             ...
+        ...                       klist_put()
+        klist_put()               ...
+        ...                     num_VFs = 0;
+      num_VFs = 0;        device_unlock();
+
+In this patch, when driver is removing, we get the device_lock()
+to protect num_VFs, just like sriov_numvfs_store().
+
+Fixes: 0dd8a25f355b ("net: hns3: disable sriov before unload hclge layer")
+Signed-off-by: Peiyang Wang <wangpeiyang1@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20241101091507.3644584-1-shaojijie@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hnae3.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hnae3.c b/drivers/net/ethernet/hisilicon/hns3/hnae3.c
+index 67b0bf310daaa..9a63fbc694083 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hnae3.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hnae3.c
+@@ -25,8 +25,11 @@ void hnae3_unregister_ae_algo_prepare(struct hnae3_ae_algo *ae_algo)
+               pci_id = pci_match_id(ae_algo->pdev_id_table, ae_dev->pdev);
+               if (!pci_id)
+                       continue;
+-              if (IS_ENABLED(CONFIG_PCI_IOV))
++              if (IS_ENABLED(CONFIG_PCI_IOV)) {
++                      device_lock(&ae_dev->pdev->dev);
+                       pci_disable_sriov(ae_dev->pdev);
++                      device_unlock(&ae_dev->pdev->dev);
++              }
+       }
+ }
+ EXPORT_SYMBOL(hnae3_unregister_ae_algo_prepare);
+-- 
+2.43.0
+
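Review bot: The new `device_lock(&ae_dev->pdev->dev)` in hnae3_unregister_ae_algo_prepare() is taken inside a loop whose start is outside the hunk, so any lock already held around that loop now nests outside the device lock. The sysfs path in the commit message's figure takes device_lock() first and then calls into the driver. If that path can reach the same outer lock, the two orders would conflict; this cannot be confirmed from the visible lines. A comment on the new lines stating the intended order would make that checkable, e.g. `/* serialise with sriov_numvfs_store(); device_lock nests inside the lock held around this loop */`, adjusted to whatever lock the loop actually runs under.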
diff --git a/queue-5.15/net-phy-ti-add-phy_rst_after_clk_en-flag.patch b/queue-5.15/net-phy-ti-add-phy_rst_after_clk_en-flag.patch
new file mode 100644 (file)
index 0000000..a8d6c64
--- /dev/null
@@ -0,0 +1,43 @@
+From e0a04e20a489d02e469549f3a941fcc76739fc3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 Nov 2024 16:15:05 +0100
+Subject: net: phy: ti: add PHY_RST_AFTER_CLK_EN flag
+
+From: Diogo Silva <diogompaissilva@gmail.com>
+
+[ Upstream commit 256748d5480bb3c4b731236c6d6fc86a8e2815d8 ]
+
+DP83848        datasheet (section 4.7.2) indicates that the reset pin should be
+toggled after the clocks are running. Add the PHY_RST_AFTER_CLK_EN to
+make sure that this indication is respected.
+
+In my experience not having this flag enabled would lead to, on some
+boots, the wrong MII mode being selected if the PHY was initialized on
+the bootloader and was receiving data during Linux boot.
+
+Signed-off-by: Diogo Silva <diogompaissilva@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Fixes: 34e45ad9378c ("net: phy: dp83848: Add TI DP83848 Ethernet PHY")
+Link: https://patch.msgid.link/20241102151504.811306-1-paissilva@ld-100007.ds1.internal
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/dp83848.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/phy/dp83848.c b/drivers/net/phy/dp83848.c
+index 937061acfc613..351411f0aa6f4 100644
+--- a/drivers/net/phy/dp83848.c
++++ b/drivers/net/phy/dp83848.c
+@@ -147,6 +147,8 @@ MODULE_DEVICE_TABLE(mdio, dp83848_tbl);
+               /* IRQ related */                               \
+               .config_intr    = dp83848_config_intr,          \
+               .handle_interrupt = dp83848_handle_interrupt,   \
++                                                              \
++              .flags          = PHY_RST_AFTER_CLK_EN,         \
+       }
+ static struct phy_driver dp83848_driver[] = {
+-- 
+2.43.0
+
diff --git a/queue-5.15/net-stmmac-fix-unbalanced-irq-wake-disable-warning-o.patch b/queue-5.15/net-stmmac-fix-unbalanced-irq-wake-disable-warning-o.patch
new file mode 100644 (file)
index 0000000..9af3cc8
--- /dev/null
@@ -0,0 +1,50 @@
+From fa99a99680e54814ba505b7de3d359524ca73d29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Nov 2024 17:17:29 -0400
+Subject: net: stmmac: Fix unbalanced IRQ wake disable warning on single irq
+ case
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+
+[ Upstream commit 25d70702142ac2115e75e01a0a985c6ea1d78033 ]
+
+Commit a23aa0404218 ("net: stmmac: ethtool: Fixed calltrace caused by
+unbalanced disable_irq_wake calls") introduced checks to prevent
+unbalanced enable and disable IRQ wake calls. However it only
+initialized the auxiliary variable on one of the paths,
+stmmac_request_irq_multi_msi(), missing the other,
+stmmac_request_irq_single().
+
+Add the same initialization on stmmac_request_irq_single() to prevent
+"Unbalanced IRQ <x> wake disable" warnings from being printed the first
+time disable_irq_wake() is called on platforms that run on that code
+path.
+
+Fixes: a23aa0404218 ("net: stmmac: ethtool: Fixed calltrace caused by unbalanced disable_irq_wake calls")
+Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20241101-stmmac-unbalanced-wake-single-fix-v1-1-5952524c97f0@collabora.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 4a194f30f4a83..2478caeec763f 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -3650,6 +3650,7 @@ static int stmmac_request_irq_single(struct net_device *dev)
+       /* Request the Wake IRQ in case of another line
+        * is used for WoL
+        */
++      priv->wol_irq_disabled = true;
+       if (priv->wol_irq > 0 && priv->wol_irq != dev->irq) {
+               ret = request_irq(priv->wol_irq, stmmac_interrupt,
+                                 IRQF_SHARED, dev->name, dev);
+-- 
+2.43.0
+
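Review bot: The added `priv->wol_irq_disabled = true;` in stmmac_request_irq_single() sits between the comment that begins `/* Request the Wake IRQ in case of another line` and the `if` that comment describes, so the comment now appears to document the flag assignment. Moving the assignment above the comment would keep both readable. It could carry its own comment, such as `/* wake IRQ starts out disabled; keeps enable/disable_irq_wake() calls balanced */`. The function starts and ends outside the hunk.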
diff --git a/queue-5.15/nfs-add-a-tracepoint-to-show-the-results-of-nfs_set_.patch b/queue-5.15/nfs-add-a-tracepoint-to-show-the-results-of-nfs_set_.patch
new file mode 100644 (file)
index 0000000..097cbea
--- /dev/null
@@ -0,0 +1,49 @@
+From e9ff8000e2e63571ec40b2ab8fb6b54679412784 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Nov 2021 08:49:24 -0500
+Subject: NFS: Add a tracepoint to show the results of nfs_set_cache_invalid()
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+[ Upstream commit 93c2e5e0a9ecfc183ab1204e1ecaa7ee7eb2a61a ]
+
+This provides some insight into the client's invalidation behavior to show
+both when the client uses the helper, and the results of calling the
+helper which can vary depending on how the helper is called.
+
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Stable-dep-of: 867da60d463b ("nfs: avoid i_lock contention in nfs_clear_invalid_mapping")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/inode.c    | 1 +
+ fs/nfs/nfstrace.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
+index 48ade92d4ce8c..3861cd056cec3 100644
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -219,6 +219,7 @@ void nfs_set_cache_invalid(struct inode *inode, unsigned long flags)
+                                         NFS_INO_DATA_INVAL_DEFER);
+       else if (nfsi->cache_validity & NFS_INO_INVALID_DATA)
+               nfsi->cache_validity &= ~NFS_INO_DATA_INVAL_DEFER;
++      trace_nfs_set_cache_invalid(inode, 0);
+ }
+ EXPORT_SYMBOL_GPL(nfs_set_cache_invalid);
+diff --git a/fs/nfs/nfstrace.h b/fs/nfs/nfstrace.h
+index 6804ca2efbf99..cbdfe091f56a6 100644
+--- a/fs/nfs/nfstrace.h
++++ b/fs/nfs/nfstrace.h
+@@ -162,6 +162,7 @@ DEFINE_NFS_INODE_EVENT_DONE(nfs_writeback_inode_exit);
+ DEFINE_NFS_INODE_EVENT(nfs_fsync_enter);
+ DEFINE_NFS_INODE_EVENT_DONE(nfs_fsync_exit);
+ DEFINE_NFS_INODE_EVENT(nfs_access_enter);
++DEFINE_NFS_INODE_EVENT_DONE(nfs_set_cache_invalid);
+ TRACE_EVENT(nfs_access_exit,
+               TP_PROTO(
+-- 
+2.43.0
+
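Review bot: `trace_nfs_set_cache_invalid(inode, 0)` in nfs_set_cache_invalid() passes a constant 0 to an event declared with `DEFINE_NFS_INODE_EVENT_DONE`, and nothing says what that argument means here. Judging by the macro name it is a completion status, which a void helper does not have. A short comment such as `/* no status to report; the event records the inode's resulting state */` would stop readers from looking for an error path. The call is placed as the last statement of the function, so any earlier return in the part outside the hunk would go untraced, which is worth checking.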
diff --git a/queue-5.15/nfs-avoid-i_lock-contention-in-nfs_clear_invalid_map.patch b/queue-5.15/nfs-avoid-i_lock-contention-in-nfs_clear_invalid_map.patch
new file mode 100644 (file)
index 0000000..c70e474
--- /dev/null
@@ -0,0 +1,79 @@
+From bd9f1d8ce0ec67bf275ff05fcf75ba714a8f2c66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Oct 2024 17:15:41 -0400
+Subject: nfs: avoid i_lock contention in nfs_clear_invalid_mapping
+
+From: Mike Snitzer <snitzer@kernel.org>
+
+[ Upstream commit 867da60d463bb2a3e28c9235c487e56e96cffa00 ]
+
+Multi-threaded buffered reads to the same file exposed significant
+inode spinlock contention in nfs_clear_invalid_mapping().
+
+Eliminate this spinlock contention by checking flags without locking,
+instead using smp_rmb and smp_load_acquire accordingly, but then take
+spinlock and double-check these inode flags.
+
+Also refactor nfs_set_cache_invalid() slightly to use
+smp_store_release() to pair with nfs_clear_invalid_mapping()'s
+smp_load_acquire().
+
+While this fix is beneficial for all multi-threaded buffered reads
+issued by an NFS client, this issue was identified in the context of
+surprisingly low LOCALIO performance with 4K multi-threaded buffered
+read IO.  This fix dramatically speeds up LOCALIO performance:
+
+before: read: IOPS=1583k, BW=6182MiB/s (6482MB/s)(121GiB/20002msec)
+after:  read: IOPS=3046k, BW=11.6GiB/s (12.5GB/s)(232GiB/20001msec)
+
+Fixes: 17dfeb911339 ("NFS: Fix races in nfs_revalidate_mapping")
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/inode.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
+index edf59f809ded9..eb549a66a748e 100644
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -212,12 +212,15 @@ void nfs_set_cache_invalid(struct inode *inode, unsigned long flags)
+               nfs_fscache_invalidate(inode);
+       flags &= ~(NFS_INO_REVAL_PAGECACHE | NFS_INO_REVAL_FORCED);
+-      nfsi->cache_validity |= flags;
++      flags |= nfsi->cache_validity;
++      if (inode->i_mapping->nrpages == 0)
++              flags &= ~NFS_INO_INVALID_DATA;
+-      if (inode->i_mapping->nrpages == 0) {
+-              nfsi->cache_validity &= ~NFS_INO_INVALID_DATA;
+-              nfs_ooo_clear(nfsi);
+-      } else if (nfsi->cache_validity & NFS_INO_INVALID_DATA) {
++      /* pairs with nfs_clear_invalid_mapping()'s smp_load_acquire() */
++      smp_store_release(&nfsi->cache_validity, flags);
++
++      if (inode->i_mapping->nrpages == 0 ||
++          nfsi->cache_validity & NFS_INO_INVALID_DATA) {
+               nfs_ooo_clear(nfsi);
+       }
+       trace_nfs_set_cache_invalid(inode, 0);
+@@ -1350,6 +1353,13 @@ int nfs_clear_invalid_mapping(struct address_space *mapping)
+                                        nfs_wait_bit_killable, TASK_KILLABLE);
+               if (ret)
+                       goto out;
++              smp_rmb(); /* pairs with smp_wmb() below */
++              if (test_bit(NFS_INO_INVALIDATING, bitlock))
++                      continue;
++              /* pairs with nfs_set_cache_invalid()'s smp_store_release() */
++              if (!(smp_load_acquire(&nfsi->cache_validity) & NFS_INO_INVALID_DATA))
++                      goto out;
++              /* Slow-path that double-checks with spinlock held */
+               spin_lock(&inode->i_lock);
+               if (test_bit(NFS_INO_INVALIDATING, bitlock)) {
+                       spin_unlock(&inode->i_lock);
+-- 
+2.43.0
+
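Review bot: After `smp_store_release(&nfsi->cache_validity, flags)` the next condition reads `nfsi->cache_validity` again instead of testing the value that was just computed and published. Using the local copy keeps the nfs_ooo_clear() decision tied to exactly what was stored: `if (inode->i_mapping->nrpages == 0 || (flags & NFS_INO_INVALID_DATA))`. Separately, `flags |= nfsi->cache_validity;` is a plain read-modify-write that is only safe if every caller holds the inode lock, which is not visible in this hunk. A `lockdep_assert_held(&inode->i_lock);` or a comment would document that. In nfs_clear_invalid_mapping() the `smp_rmb()` comment points at an `smp_wmb()` that lies outside the hunk.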
diff --git a/queue-5.15/nfsv3-handle-out-of-order-write-replies.patch b/queue-5.15/nfsv3-handle-out-of-order-write-replies.patch
new file mode 100644 (file)
index 0000000..5eca12a
--- /dev/null
@@ -0,0 +1,341 @@
+From 00c3662ebe3607e45391637669aca3a934bf06f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Mar 2023 09:27:04 +1100
+Subject: NFSv3: handle out-of-order write replies.
+
+From: NeilBrown <neilb@suse.de>
+
+[ Upstream commit 3db63daabe210af32a09533fe7d8d47c711a103c ]
+
+NFSv3 includes pre/post wcc attributes which allow the client to
+determine if all changes to the file have been made by the client
+itself, or if any might have been made by some other client.
+
+If there are gaps in the pre/post ctime sequence it must be assumed that
+some other client changed the file in that gap and the local cache must
+be suspect.  The next time the file is opened the cache should be
+invalidated.
+
+Since Commit 1c341b777501 ("NFS: Add deferred cache invalidation for
+close-to-open consistency violations") in linux 5.3 the Linux client has
+been triggering this invalidation.  The chunk in nfs_update_inode() in
+particularly triggers.
+
+Unfortunately Linux NFS assumes that all replies will be processed in
+the order sent, and will arrive in the order processed.  This is not
+true in general.  Consequently Linux NFS might ignore the wcc info in a
+WRITE reply because the reply is in response to a WRITE that was sent
+before some other request for which a reply has already been seen.  This
+is detected by Linux using the gencount tests in nfs_inode_attr_cmp().
+
+Also, when the gencount tests pass it is still possible that the request
+were processed on the server in a different order, and a gap seen in
+the ctime sequence might be filled in by a subsequent reply, so gaps
+should not immediately trigger delayed invalidation.
+
+The net result is that writing to a server and then reading the file
+back can result in going to the server for the read rather than serving
+it from cache - all because a couple of replies arrived out-of-order.
+This is a performance regression over kernels before 5.3, though the
+change in 5.3 is a correctness improvement.
+
+This has been seen with Linux writing to a Netapp server which
+occasionally re-orders requests.  In testing the majority of requests
+were in-order, but a few (maybe 2 or three at a time) could be
+re-ordered.
+
+This patch addresses the problem by recording any gaps seen in the
+pre/post ctime sequence and not triggering invalidation until either
+there are too many gaps to fit in the table, or until there are no more
+active writes and the remaining gaps cannot be resolved.
+
+We allocate a table of 16 gaps on demand.  If the allocation fails we
+revert to current behaviour which is of little cost as we are unlikely
+to be able to cache the writes anyway.
+
+In the table we store "start->end" pair when iversion is updated and
+"end<-start" pairs pre/post pairs reported by the server.  Usually these
+exactly cancel out and so nothing is stored.  When there are
+out-of-order replies we do store gaps and these will eventually be
+cancelled against later replies when this client is the only writer.
+
+If the final write is out-of-order there may be one gap remaining when
+the file is closed.  This will be noticed and if there is precisely on
+gap and if the iversion can be advanced to match it, then we do so.
+
+This patch makes no attempt to handle directories correctly.  The same
+problem potentially exists in the out-of-order replies to create/unlink
+requests can cause future lookup requires to be sent to the server
+unnecessarily.  A similar scheme using the same primitives could be used
+to notice and handle out-of-order replies.
+
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Stable-dep-of: 867da60d463b ("nfs: avoid i_lock contention in nfs_clear_invalid_mapping")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/inode.c         | 112 +++++++++++++++++++++++++++++++++++------
+ include/linux/nfs_fs.h |  47 +++++++++++++++++
+ 2 files changed, 144 insertions(+), 15 deletions(-)
+
+diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
+index 3861cd056cec3..edf59f809ded9 100644
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -214,11 +214,12 @@ void nfs_set_cache_invalid(struct inode *inode, unsigned long flags)
+       nfsi->cache_validity |= flags;
+-      if (inode->i_mapping->nrpages == 0)
+-              nfsi->cache_validity &= ~(NFS_INO_INVALID_DATA |
+-                                        NFS_INO_DATA_INVAL_DEFER);
+-      else if (nfsi->cache_validity & NFS_INO_INVALID_DATA)
+-              nfsi->cache_validity &= ~NFS_INO_DATA_INVAL_DEFER;
++      if (inode->i_mapping->nrpages == 0) {
++              nfsi->cache_validity &= ~NFS_INO_INVALID_DATA;
++              nfs_ooo_clear(nfsi);
++      } else if (nfsi->cache_validity & NFS_INO_INVALID_DATA) {
++              nfs_ooo_clear(nfsi);
++      }
+       trace_nfs_set_cache_invalid(inode, 0);
+ }
+ EXPORT_SYMBOL_GPL(nfs_set_cache_invalid);
+@@ -692,9 +693,10 @@ static int nfs_vmtruncate(struct inode * inode, loff_t offset)
+       i_size_write(inode, offset);
+       /* Optimisation */
+-      if (offset == 0)
+-              NFS_I(inode)->cache_validity &= ~(NFS_INO_INVALID_DATA |
+-                              NFS_INO_DATA_INVAL_DEFER);
++      if (offset == 0) {
++              NFS_I(inode)->cache_validity &= ~NFS_INO_INVALID_DATA;
++              nfs_ooo_clear(NFS_I(inode));
++      }
+       NFS_I(inode)->cache_validity &= ~NFS_INO_INVALID_SIZE;
+       spin_unlock(&inode->i_lock);
+@@ -1109,7 +1111,7 @@ void nfs_inode_attach_open_context(struct nfs_open_context *ctx)
+       spin_lock(&inode->i_lock);
+       if (list_empty(&nfsi->open_files) &&
+-          (nfsi->cache_validity & NFS_INO_DATA_INVAL_DEFER))
++          nfs_ooo_test(nfsi))
+               nfs_set_cache_invalid(inode, NFS_INO_INVALID_DATA |
+                                                    NFS_INO_REVAL_FORCED);
+       list_add_tail_rcu(&ctx->list, &nfsi->open_files);
+@@ -1361,8 +1363,8 @@ int nfs_clear_invalid_mapping(struct address_space *mapping)
+       set_bit(NFS_INO_INVALIDATING, bitlock);
+       smp_wmb();
+-      nfsi->cache_validity &=
+-              ~(NFS_INO_INVALID_DATA | NFS_INO_DATA_INVAL_DEFER);
++      nfsi->cache_validity &= ~NFS_INO_INVALID_DATA;
++      nfs_ooo_clear(nfsi);
+       spin_unlock(&inode->i_lock);
+       trace_nfs_invalidate_mapping_enter(inode);
+       ret = nfs_invalidate_mapping(inode, mapping);
+@@ -1825,6 +1827,66 @@ static int nfs_inode_finish_partial_attr_update(const struct nfs_fattr *fattr,
+       return 0;
+ }
++static void nfs_ooo_merge(struct nfs_inode *nfsi,
++                        u64 start, u64 end)
++{
++      int i, cnt;
++
++      if (nfsi->cache_validity & NFS_INO_DATA_INVAL_DEFER)
++              /* No point merging anything */
++              return;
++
++      if (!nfsi->ooo) {
++              nfsi->ooo = kmalloc(sizeof(*nfsi->ooo), GFP_ATOMIC);
++              if (!nfsi->ooo) {
++                      nfsi->cache_validity |= NFS_INO_DATA_INVAL_DEFER;
++                      return;
++              }
++              nfsi->ooo->cnt = 0;
++      }
++
++      /* add this range, merging if possible */
++      cnt = nfsi->ooo->cnt;
++      for (i = 0; i < cnt; i++) {
++              if (end == nfsi->ooo->gap[i].start)
++                      end = nfsi->ooo->gap[i].end;
++              else if (start == nfsi->ooo->gap[i].end)
++                      start = nfsi->ooo->gap[i].start;
++              else
++                      continue;
++              /* Remove 'i' from table and loop to insert the new range */
++              cnt -= 1;
++              nfsi->ooo->gap[i] = nfsi->ooo->gap[cnt];
++              i = -1;
++      }
++      if (start != end) {
++              if (cnt >= ARRAY_SIZE(nfsi->ooo->gap)) {
++                      nfsi->cache_validity |= NFS_INO_DATA_INVAL_DEFER;
++                      kfree(nfsi->ooo);
++                      nfsi->ooo = NULL;
++                      return;
++              }
++              nfsi->ooo->gap[cnt].start = start;
++              nfsi->ooo->gap[cnt].end = end;
++              cnt += 1;
++      }
++      nfsi->ooo->cnt = cnt;
++}
++
++static void nfs_ooo_record(struct nfs_inode *nfsi,
++                         struct nfs_fattr *fattr)
++{
++      /* This reply was out-of-order, so record in the
++       * pre/post change id, possibly cancelling
++       * gaps created when iversion was jumpped forward.
++       */
++      if ((fattr->valid & NFS_ATTR_FATTR_CHANGE) &&
++          (fattr->valid & NFS_ATTR_FATTR_PRECHANGE))
++              nfs_ooo_merge(nfsi,
++                            fattr->change_attr,
++                            fattr->pre_change_attr);
++}
++
+ static int nfs_refresh_inode_locked(struct inode *inode,
+                                   struct nfs_fattr *fattr)
+ {
+@@ -1835,8 +1897,12 @@ static int nfs_refresh_inode_locked(struct inode *inode,
+       if (attr_cmp > 0 || nfs_inode_finish_partial_attr_update(fattr, inode))
+               ret = nfs_update_inode(inode, fattr);
+-      else if (attr_cmp == 0)
+-              ret = nfs_check_inode_attributes(inode, fattr);
++      else {
++              nfs_ooo_record(NFS_I(inode), fattr);
++
++              if (attr_cmp == 0)
++                      ret = nfs_check_inode_attributes(inode, fattr);
++      }
+       trace_nfs_refresh_inode_exit(inode, ret);
+       return ret;
+@@ -1927,6 +1993,8 @@ int nfs_post_op_update_inode_force_wcc_locked(struct inode *inode, struct nfs_fa
+       if (attr_cmp < 0)
+               return 0;
+       if ((fattr->valid & NFS_ATTR_FATTR) == 0 || !attr_cmp) {
++              /* Record the pre/post change info before clearing PRECHANGE */
++              nfs_ooo_record(NFS_I(inode), fattr);
+               fattr->valid &= ~(NFS_ATTR_FATTR_PRECHANGE
+                               | NFS_ATTR_FATTR_PRESIZE
+                               | NFS_ATTR_FATTR_PREMTIME
+@@ -2081,6 +2149,15 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
+       /* More cache consistency checks */
+       if (fattr->valid & NFS_ATTR_FATTR_CHANGE) {
++              if (!have_writers && nfsi->ooo && nfsi->ooo->cnt == 1 &&
++                  nfsi->ooo->gap[0].end == inode_peek_iversion_raw(inode)) {
++                      /* There is one remaining gap that hasn't been
++                       * merged into iversion - do that now.
++                       */
++                      inode_set_iversion_raw(inode, nfsi->ooo->gap[0].start);
++                      kfree(nfsi->ooo);
++                      nfsi->ooo = NULL;
++              }
+               if (!inode_eq_iversion_raw(inode, fattr->change_attr)) {
+                       /* Could it be a race with writeback? */
+                       if (!(have_writers || have_delegation)) {
+@@ -2102,8 +2179,11 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
+                               dprintk("NFS: change_attr change on server for file %s/%ld\n",
+                                               inode->i_sb->s_id,
+                                               inode->i_ino);
+-                      } else if (!have_delegation)
+-                              nfsi->cache_validity |= NFS_INO_DATA_INVAL_DEFER;
++                      } else if (!have_delegation) {
++                              nfs_ooo_record(nfsi, fattr);
++                              nfs_ooo_merge(nfsi, inode_peek_iversion_raw(inode),
++                                            fattr->change_attr);
++                      }
+                       inode_set_iversion_raw(inode, fattr->change_attr);
+               }
+       } else {
+@@ -2265,6 +2345,7 @@ struct inode *nfs_alloc_inode(struct super_block *sb)
+               return NULL;
+       nfsi->flags = 0UL;
+       nfsi->cache_validity = 0UL;
++      nfsi->ooo = NULL;
+ #if IS_ENABLED(CONFIG_NFS_V4)
+       nfsi->nfs4_acl = NULL;
+ #endif /* CONFIG_NFS_V4 */
+@@ -2277,6 +2358,7 @@ EXPORT_SYMBOL_GPL(nfs_alloc_inode);
+ void nfs_free_inode(struct inode *inode)
+ {
++      kfree(NFS_I(inode)->ooo);
+       kmem_cache_free(nfs_inode_cachep, NFS_I(inode));
+ }
+ EXPORT_SYMBOL_GPL(nfs_free_inode);
+diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h
+index 886bfa99a6af4..218e79ba263b2 100644
+--- a/include/linux/nfs_fs.h
++++ b/include/linux/nfs_fs.h
+@@ -189,6 +189,39 @@ struct nfs_inode {
+       /* Open contexts for shared mmap writes */
+       struct list_head        open_files;
++      /* Keep track of out-of-order replies.
++       * The ooo array contains start/end pairs of
++       * numbers from the changeid sequence when
++       * the inode's iversion has been updated.
++       * It also contains end/start pair (i.e. reverse order)
++       * of sections of the changeid sequence that have
++       * been seen in replies from the server.
++       * Normally these should match and when both
++       * A:B and B:A are found in ooo, they are both removed.
++       * And if a reply with A:B causes an iversion update
++       * of A:B, then neither are added.
++       * When a reply has pre_change that doesn't match
++       * iversion, then the changeid pair and any consequent
++       * change in iversion ARE added.  Later replies
++       * might fill in the gaps, or possibly a gap is caused
++       * by a change from another client.
++       * When a file or directory is opened, if the ooo table
++       * is not empty, then we assume the gaps were due to
++       * another client and we invalidate the cached data.
++       *
++       * We can only track a limited number of concurrent gaps.
++       * Currently that limit is 16.
++       * We allocate the table on demand.  If there is insufficient
++       * memory, then we probably cannot cache the file anyway
++       * so there is no loss.
++       */
++      struct {
++              int cnt;
++              struct {
++                      u64 start, end;
++              } gap[16];
++      } *ooo;
++
+ #if IS_ENABLED(CONFIG_NFS_V4)
+       struct nfs4_cached_acl  *nfs4_acl;
+         /* NFSv4 state */
+@@ -624,6 +657,20 @@ nfs_fileid_to_ino_t(u64 fileid)
+       return ino;
+ }
++static inline void nfs_ooo_clear(struct nfs_inode *nfsi)
++{
++      nfsi->cache_validity &= ~NFS_INO_DATA_INVAL_DEFER;
++      kfree(nfsi->ooo);
++      nfsi->ooo = NULL;
++}
++
++static inline bool nfs_ooo_test(struct nfs_inode *nfsi)
++{
++      return (nfsi->cache_validity & NFS_INO_DATA_INVAL_DEFER) ||
++              (nfsi->ooo && nfsi->ooo->cnt > 0);
++
++}
++
+ #define NFS_JUKEBOX_RETRY_TIME (5 * HZ)
+-- 
+2.43.0
+
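Review bot: `nfs_ooo_merge()` in fs/nfs/inode.c updates `nfsi->ooo` and `nfsi->cache_validity` without stating or asserting its locking contract. The `GFP_ATOMIC` allocation suggests callers hold `inode->i_lock`, but that is inferred rather than shown here. Because `start` and `end` come from server replies (`fattr->change_attr`, `fattr->pre_change_attr`), the cap at `ARRAY_SIZE(nfsi->ooo->gap)` with fallback to `NFS_INO_DATA_INVAL_DEFER` is what bounds per-inode state against a misbehaving server, and that deserves a comment. I would add `/* Caller holds inode->i_lock (TODO confirm); start/end are server-supplied, so the table is capped and overflow degrades to NFS_INO_DATA_INVAL_DEFER. */` above the function and, if the lock assumption holds, `lockdep_assert_held(&nfsi->vfs_inode.i_lock);` as its first statement. The literal `16` in `gap[16]` and in its comment in include/linux/nfs_fs.h would also be better as one named constant.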
diff --git a/queue-5.15/nfsv3-only-use-nfs-timeout-for-mount-when-protocols-.patch b/queue-5.15/nfsv3-only-use-nfs-timeout-for-mount-when-protocols-.patch
new file mode 100644 (file)
index 0000000..7b1067d
--- /dev/null
@@ -0,0 +1,61 @@
+From e4d6916c0bf90aa5efd2360e3ad36c7a6919745a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2024 11:07:23 +1000
+Subject: NFSv3: only use NFS timeout for MOUNT when protocols are compatible
+
+From: NeilBrown <neilb@suse.de>
+
+[ Upstream commit 6e2a10343ecb71c4457bc16be05758f9c7aae7d9 ]
+
+If a timeout is specified in the mount options, it currently applies to
+both the NFS protocol and (with v3) the MOUNT protocol.  This is
+sensible when they both use the same underlying protocol, or those
+protocols are compatible w.r.t timeouts as RDMA and TCP are.
+
+However if, for example, NFS is using TCP and MOUNT is using UDP then
+using the same timeout doesn't make much sense.
+
+If you
+   mount -o vers=3,proto=tcp,mountproto=udp,timeo=600,retrans=5 \
+      server:/path /mountpoint
+
+then the timeo=600 which was intended for the NFS/TCP request will
+apply to the MOUNT/UDP requests with the result that there will only be
+one request sent (because UDP has a maximum timeout of 60 seconds).
+This is not what a reasonable person might expect.
+
+This patch disables the sharing of timeout information in cases where
+the underlying protocols are not compatible.
+
+Fixes: c9301cb35b59 ("nfs: hornor timeo and retrans option when mounting NFSv3")
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/super.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index 9e672aed35901..f91cb1267b44e 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -867,7 +867,15 @@ static int nfs_request_mount(struct fs_context *fc,
+        * Now ask the mount server to map our export path
+        * to a file handle.
+        */
+-      status = nfs_mount(&request, ctx->timeo, ctx->retrans);
++      if ((request.protocol == XPRT_TRANSPORT_UDP) ==
++          !(ctx->flags & NFS_MOUNT_TCP))
++              /*
++               * NFS protocol and mount protocol are both UDP or neither UDP
++               * so timeouts are compatible.  Use NFS timeouts for MOUNT
++               */
++              status = nfs_mount(&request, ctx->timeo, ctx->retrans);
++      else
++              status = nfs_mount(&request, NFS_UNSPEC_TIMEO, NFS_UNSPEC_RETRANS);
+       if (status != 0) {
+               dfprintk(MOUNT, "NFS: unable to mount server %s, error %d\n",
+                               request.hostname, status);
+-- 
+2.43.0
+
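Review bot: The new test in `nfs_request_mount()` compares a boolean with a negated flag mask, `(request.protocol == XPRT_TRANSPORT_UDP) == !(ctx->flags & NFS_MOUNT_TCP)`, which is hard to read. It also silently depends on `NFS_MOUNT_TCP` being set for every non-UDP NFS transport; the commit message treats RDMA as TCP-compatible, but the flag handling is not in this hunk. Naming both sides makes the intent checkable: `bool mnt_udp = request.protocol == XPRT_TRANSPORT_UDP;`, `bool nfs_udp = !(ctx->flags & NFS_MOUNT_TCP);`, then `if (mnt_udp == nfs_udp)`. The multi-line comment sits inside an unbraced `if`/`else`, so braces on both branches would guard against a later dangling-statement edit. The function body continues outside the hunk.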
diff --git a/queue-5.15/sctp-properly-validate-chunk-size-in-sctp_sf_ootb.patch b/queue-5.15/sctp-properly-validate-chunk-size-in-sctp_sf_ootb.patch
new file mode 100644 (file)
index 0000000..92acaa0
--- /dev/null
@@ -0,0 +1,49 @@
+From 4fc1b692869091054e78c8a4b2a23c673f6d2386 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2024 13:46:21 -0400
+Subject: sctp: properly validate chunk size in sctp_sf_ootb()
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 0ead60804b64f5bd6999eec88e503c6a1a242d41 ]
+
+A size validation fix similar to that in Commit 50619dbf8db7 ("sctp: add
+size validation when walking chunks") is also required in sctp_sf_ootb()
+to address a crash reported by syzbot:
+
+  BUG: KMSAN: uninit-value in sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
+  sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
+  sctp_do_sm+0x181/0x93d0 net/sctp/sm_sideeffect.c:1166
+  sctp_endpoint_bh_rcv+0xc38/0xf90 net/sctp/endpointola.c:407
+  sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88
+  sctp_rcv+0x3831/0x3b20 net/sctp/input.c:243
+  sctp4_rcv+0x42/0x50 net/sctp/protocol.c:1159
+  ip_protocol_deliver_rcu+0xb51/0x13d0 net/ipv4/ip_input.c:205
+  ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233
+
+Reported-by: syzbot+f0cbb34d39392f2746ca@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Link: https://patch.msgid.link/a29ebb6d8b9f8affd0f9abb296faafafe10c17d8.1730223981.git.lucien.xin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/sm_statefuns.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index 13acb84b00c2b..b5f5ee233b59d 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -3736,7 +3736,7 @@ enum sctp_disposition sctp_sf_ootb(struct net *net,
+               }
+               ch = (struct sctp_chunkhdr *)ch_end;
+-      } while (ch_end < skb_tail_pointer(skb));
++      } while (ch_end + sizeof(*ch) < skb_tail_pointer(skb));
+       if (ootb_shut_ack)
+               return sctp_sf_shut_8_4_5(net, ep, asoc, type, arg, commands);
+-- 
+2.43.0
+
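Review bot: The new loop bound in `sctp_sf_ootb()` uses a strict `<`, so a trailing chunk that is only a header and ends exactly at `skb_tail_pointer(skb)` is no longer walked, although reading its header would still be in bounds. If skipping it is intended, a comment on the `while` should say so. If not, `} while (ch_end + sizeof(*ch) <= skb_tail_pointer(skb));` is the tight bound and still rules out the uninitialised read KMSAN reported. The loop body and the length checks it relies on are outside the hunk, so this needs confirming against the full function.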
diff --git a/queue-5.15/security-keys-fix-slab-out-of-bounds-in-key_task_per.patch b/queue-5.15/security-keys-fix-slab-out-of-bounds-in-key_task_per.patch
new file mode 100644 (file)
index 0000000..bf8b33c
--- /dev/null
@@ -0,0 +1,110 @@
+From 6dcbeb0da2926af6f247663c1b659f9ff099a75c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 12:46:39 +0000
+Subject: security/keys: fix slab-out-of-bounds in key_task_permission
+
+From: Chen Ridong <chenridong@huawei.com>
+
+[ Upstream commit 4a74da044ec9ec8679e6beccc4306b936b62873f ]
+
+KASAN reports an out of bounds read:
+BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36
+BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline]
+BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410
+security/keys/permission.c:54
+Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362
+
+CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15
+Call Trace:
+ __dump_stack lib/dump_stack.c:82 [inline]
+ dump_stack+0x107/0x167 lib/dump_stack.c:123
+ print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400
+ __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560
+ kasan_report+0x3a/0x50 mm/kasan/report.c:585
+ __kuid_val include/linux/uidgid.h:36 [inline]
+ uid_eq include/linux/uidgid.h:63 [inline]
+ key_task_permission+0x394/0x410 security/keys/permission.c:54
+ search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793
+
+This issue was also reported by syzbot.
+
+It can be reproduced by following these steps(more details [1]):
+1. Obtain more than 32 inputs that have similar hashes, which ends with the
+   pattern '0xxxxxxxe6'.
+2. Reboot and add the keys obtained in step 1.
+
+The reproducer demonstrates how this issue happened:
+1. In the search_nested_keyrings function, when it iterates through the
+   slots in a node(below tag ascend_to_node), if the slot pointer is meta
+   and node->back_pointer != NULL(it means a root), it will proceed to
+   descend_to_node. However, there is an exception. If node is the root,
+   and one of the slots points to a shortcut, it will be treated as a
+   keyring.
+2. Whether the ptr is keyring decided by keyring_ptr_is_keyring function.
+   However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as
+   ASSOC_ARRAY_PTR_SUBTYPE_MASK.
+3. When 32 keys with the similar hashes are added to the tree, the ROOT
+   has keys with hashes that are not similar (e.g. slot 0) and it splits
+   NODE A without using a shortcut. When NODE A is filled with keys that
+   all hashes are xxe6, the keys are similar, NODE A will split with a
+   shortcut. Finally, it forms the tree as shown below, where slot 6 points
+   to a shortcut.
+
+                      NODE A
+              +------>+---+
+      ROOT    |       | 0 | xxe6
+      +---+   |       +---+
+ xxxx | 0 | shortcut  :   : xxe6
+      +---+   |       +---+
+ xxe6 :   :   |       |   | xxe6
+      +---+   |       +---+
+      | 6 |---+       :   : xxe6
+      +---+           +---+
+ xxe6 :   :           | f | xxe6
+      +---+           +---+
+ xxe6 | f |
+      +---+
+
+4. As mentioned above, If a slot(slot 6) of the root points to a shortcut,
+   it may be mistakenly transferred to a key*, leading to a read
+   out-of-bounds read.
+
+To fix this issue, one should jump to descend_to_node if the ptr is a
+shortcut, regardless of whether the node is root or not.
+
+[1] https://lore.kernel.org/linux-kernel/1cfa878e-8c7b-4570-8606-21daf5e13ce7@huaweicloud.com/
+
+[jarkko: tweaked the commit message a bit to have an appropriate closes
+ tag.]
+Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring")
+Reported-by: syzbot+5b415c07907a2990d1a3@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/000000000000cbb7860611f61147@google.com/T/
+Signed-off-by: Chen Ridong <chenridong@huawei.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/keys/keyring.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/security/keys/keyring.c b/security/keys/keyring.c
+index 5e6a907607530..1febc2a8abcf6 100644
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -772,8 +772,11 @@ static bool search_nested_keyrings(struct key *keyring,
+       for (; slot < ASSOC_ARRAY_FAN_OUT; slot++) {
+               ptr = READ_ONCE(node->slots[slot]);
+-              if (assoc_array_ptr_is_meta(ptr) && node->back_pointer)
+-                      goto descend_to_node;
++              if (assoc_array_ptr_is_meta(ptr)) {
++                      if (node->back_pointer ||
++                          assoc_array_ptr_is_shortcut(ptr))
++                              goto descend_to_node;
++              }
+               if (!keyring_ptr_is_keyring(ptr))
+                       continue;
+-- 
+2.43.0
+
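Review bot: The added branch in `search_nested_keyrings()` has no comment explaining why a shortcut must descend even when `node->back_pointer` is NULL, so the reason lives only in the commit message. I would add above the inner test `/* A shortcut carries the same subtype bit as KEYRING_PTR_SUBTYPE, so it must never reach keyring_ptr_is_keyring(); always descend. */`. The nested `if` could also be one condition, `if (assoc_array_ptr_is_meta(ptr) && (node->back_pointer || assoc_array_ptr_is_shortcut(ptr)))`, which keeps the guard and the `goto` together. The rest of the slot loop is outside the hunk.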
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..704a3ee00f39c091ef5fad05e3acaeac1f3218f1 100644 (file)
@@ -0,0 +1,24 @@
+arm64-dts-rockchip-fix-rt5651-compatible-value-on-rk.patch
+arm64-dts-rockchip-remove-hdmi-s-2nd-interrupt-on-rk.patch
+arm64-dts-rockchip-fix-bluetooth-properties-on-rock9.patch
+arm64-dts-rockchip-remove-cooling-cells-from-fan-on-.patch
+arm64-dts-rockchip-fix-led-triggers-on-rk3308-roc-cc.patch
+arm64-dts-imx8mp-correct-sdhc-ipg-clk.patch
+arm-dts-rockchip-fix-rk3036-acodec-node.patch
+arm-dts-rockchip-drop-grf-reference-from-rk3036-hdmi.patch
+arm-dts-rockchip-fix-the-spi-controller-on-rk3036.patch
+arm-dts-rockchip-fix-the-realtek-audio-codec-on-rk30.patch
+hid-core-zero-initialize-the-report-buffer.patch
+nfsv3-only-use-nfs-timeout-for-mount-when-protocols-.patch
+nfs-add-a-tracepoint-to-show-the-results-of-nfs_set_.patch
+nfsv3-handle-out-of-order-write-replies.patch
+nfs-avoid-i_lock-contention-in-nfs_clear_invalid_map.patch
+security-keys-fix-slab-out-of-bounds-in-key_task_per.patch
+net-enetc-set-mac-address-to-the-vf-net_device.patch
+sctp-properly-validate-chunk-size-in-sctp_sf_ootb.patch
+can-c_can-fix-rx-tx-_errors-statistics.patch
+i40e-fix-race-condition-by-adding-filter-s-intermedi.patch
+net-hns3-fix-kernel-crash-when-uninstalling-driver.patch
+net-phy-ti-add-phy_rst_after_clk_en-flag.patch
+net-stmmac-fix-unbalanced-irq-wake-disable-warning-o.patch
+net-arc-fix-the-device-for-dma_map_single-dma_unmap_.patch