6.8-stable patches

added patches:
	ethernet-add-helper-for-assigning-packet-type-when-dest-address-does-not-match-device-address.patch
	fbdev-fix-incorrect-address-computation-in-deferred-io.patch
	firmware-qcom-uefisecapp-fix-memory-related-io-errors-and-crashes.patch
	macsec-detect-if-rx-skb-is-macsec-related-for-offloading-devices-that-update-md_dst.patch
	macsec-enable-devices-to-advertise-whether-they-update-sk_buff-md_dst-during-offloads.patch
	mtd-diskonchip-work-around-ubsan-link-failure.patch
	mtd-limit-otp-nvmem-cell-parse-to-non-nand-devices.patch
	net-b44-set-pause-params-only-when-interface-is-up.patch
	net-mlx5e-advertise-mlx5-ethernet-driver-updates-sk_buff-md_dst-for-macsec.patch
	phy-qcom-qmp-combo-fix-register-base-for-qserdes_dp_phy_mode.patch
	phy-qcom-qmp-combo-fix-vco-div-offset-on-v3.patch
	stackdepot-respect-__gfp_nolockdep-allocation-flag.patch
	udp-preserve-the-connected-status-if-only-udp-cmsg.patch
	wifi-nl80211-don-t-free-null-coalescing-rule.patch

15 files changed, 1379 insertions, 0 deletions

diff --git a/queue-6.8/ethernet-add-helper-for-assigning-packet-type-when-dest-address-does-not-match-device-address.patch b/queue-6.8/ethernet-add-helper-for-assigning-packet-type-when-dest-address-does-not-match-device-address.patch
new file mode 100644
index 0000000000..7b6bc94120
--- /dev/null
+++ b/queue-6.8/ethernet-add-helper-for-assigning-packet-type-when-dest-address-does-not-match-device-address.patch
@@ -0,0 +1,78 @@
+From 6e159fd653d7ebf6290358e0330a0cb8a75cf73b Mon Sep 17 00:00:00 2001
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Date: Tue, 23 Apr 2024 11:13:03 -0700
+Subject: ethernet: Add helper for assigning packet type when dest address does not match device address
+
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+
+commit 6e159fd653d7ebf6290358e0330a0cb8a75cf73b upstream.
+
+Enable reuse of logic in eth_type_trans for determining packet type.
+
+Suggested-by: Sabrina Dubroca <sd@queasysnail.net>
+Cc: stable@vger.kernel.org
+Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://lore.kernel.org/r/20240423181319.115860-3-rrameshbabu@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/etherdevice.h |   25 +++++++++++++++++++++++++
+ net/ethernet/eth.c          |   12 +-----------
+ 2 files changed, 26 insertions(+), 11 deletions(-)
+
+--- a/include/linux/etherdevice.h
++++ b/include/linux/etherdevice.h
+@@ -608,6 +608,31 @@ static inline void eth_hw_addr_gen(struc
+ }
+ 
+ /**
++ * eth_skb_pkt_type - Assign packet type if destination address does not match
++ * @skb: Assigned a packet type if address does not match @dev address
++ * @dev: Network device used to compare packet address against
++ *
++ * If the destination MAC address of the packet does not match the network
++ * device address, assign an appropriate packet type.
++ */
++static inline void eth_skb_pkt_type(struct sk_buff *skb,
++				    const struct net_device *dev)
++{
++	const struct ethhdr *eth = eth_hdr(skb);
++
++	if (unlikely(!ether_addr_equal_64bits(eth->h_dest, dev->dev_addr))) {
++		if (unlikely(is_multicast_ether_addr_64bits(eth->h_dest))) {
++			if (ether_addr_equal_64bits(eth->h_dest, dev->broadcast))
++				skb->pkt_type = PACKET_BROADCAST;
++			else
++				skb->pkt_type = PACKET_MULTICAST;
++		} else {
++			skb->pkt_type = PACKET_OTHERHOST;
++		}
++	}
++}
++
++/**
+  * eth_skb_pad - Pad buffer to mininum number of octets for Ethernet frame
+  * @skb: Buffer to pad
+  *
+--- a/net/ethernet/eth.c
++++ b/net/ethernet/eth.c
+@@ -164,17 +164,7 @@ __be16 eth_type_trans(struct sk_buff *sk
+ 	eth = (struct ethhdr *)skb->data;
+ 	skb_pull_inline(skb, ETH_HLEN);
+ 
+-	if (unlikely(!ether_addr_equal_64bits(eth->h_dest,
+-					      dev->dev_addr))) {
+-		if (unlikely(is_multicast_ether_addr_64bits(eth->h_dest))) {
+-			if (ether_addr_equal_64bits(eth->h_dest, dev->broadcast))
+-				skb->pkt_type = PACKET_BROADCAST;
+-			else
+-				skb->pkt_type = PACKET_MULTICAST;
+-		} else {
+-			skb->pkt_type = PACKET_OTHERHOST;
+-		}
+-	}
++	eth_skb_pkt_type(skb, dev);
+ 
+ 	/*
+ 	 * Some variants of DSA tagging don't have an ethertype field
diff --git a/queue-6.8/fbdev-fix-incorrect-address-computation-in-deferred-io.patch b/queue-6.8/fbdev-fix-incorrect-address-computation-in-deferred-io.patch
new file mode 100644
index 0000000000..a7e0bbf190
--- /dev/null
+++ b/queue-6.8/fbdev-fix-incorrect-address-computation-in-deferred-io.patch
@@ -0,0 +1,55 @@
+From 78d9161d2bcd442d93d917339297ffa057dbee8c Mon Sep 17 00:00:00 2001
+From: Nam Cao <namcao@linutronix.de>
+Date: Tue, 23 Apr 2024 13:50:53 +0200
+Subject: fbdev: fix incorrect address computation in deferred IO
+
+From: Nam Cao <namcao@linutronix.de>
+
+commit 78d9161d2bcd442d93d917339297ffa057dbee8c upstream.
+
+With deferred IO enabled, a page fault happens when data is written to the
+framebuffer device. Then driver determines which page is being updated by
+calculating the offset of the written virtual address within the virtual
+memory area, and uses this offset to get the updated page within the
+internal buffer. This page is later copied to hardware (thus the name
+"deferred IO").
+
+This offset calculation is only correct if the virtual memory area is
+mapped to the beginning of the internal buffer. Otherwise this is wrong.
+For example, if users do:
+    mmap(ptr, 4096, PROT_WRITE, MAP_FIXED | MAP_SHARED, fd, 0xff000);
+
+Then the virtual memory area will mapped at offset 0xff000 within the
+internal buffer. This offset 0xff000 is not accounted for, and wrong page
+is updated.
+
+Correct the calculation by using vmf->pgoff instead. With this change, the
+variable "offset" will no longer hold the exact offset value, but it is
+rounded down to multiples of PAGE_SIZE. But this is still correct, because
+this variable is only used to calculate the page offset.
+
+Reported-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Closes: https://lore.kernel.org/linux-fbdev/271372d6-e665-4e7f-b088-dee5f4ab341a@oracle.com
+Fixes: 56c134f7f1b5 ("fbdev: Track deferred-I/O pages in pageref struct")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Nam Cao <namcao@linutronix.de>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Tested-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240423115053.4490-1-namcao@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/core/fb_defio.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/core/fb_defio.c
++++ b/drivers/video/fbdev/core/fb_defio.c
+@@ -196,7 +196,7 @@ err_mutex_unlock:
+  */
+ static vm_fault_t fb_deferred_io_page_mkwrite(struct fb_info *info, struct vm_fault *vmf)
+ {
+-	unsigned long offset = vmf->address - vmf->vma->vm_start;
++	unsigned long offset = vmf->pgoff << PAGE_SHIFT;
+ 	struct page *page = vmf->page;
+ 
+ 	file_update_time(vmf->vma->vm_file);
diff --git a/queue-6.8/firmware-qcom-uefisecapp-fix-memory-related-io-errors-and-crashes.patch b/queue-6.8/firmware-qcom-uefisecapp-fix-memory-related-io-errors-and-crashes.patch
new file mode 100644
index 0000000000..1756d9f716
--- /dev/null
+++ b/queue-6.8/firmware-qcom-uefisecapp-fix-memory-related-io-errors-and-crashes.patch
@@ -0,0 +1,522 @@
+From ed09f81eeaa8f9265e1787282cb283f10285c259 Mon Sep 17 00:00:00 2001
+From: Maximilian Luz <luzmaximilian@gmail.com>
+Date: Sat, 6 Apr 2024 15:01:09 +0200
+Subject: firmware: qcom: uefisecapp: Fix memory related IO errors and crashes
+
+From: Maximilian Luz <luzmaximilian@gmail.com>
+
+commit ed09f81eeaa8f9265e1787282cb283f10285c259 upstream.
+
+It turns out that while the QSEECOM APP_SEND command has specific fields
+for request and response buffers, uefisecapp expects them both to be in
+a single memory region. Failure to adhere to this has (so far) resulted
+in either no response being written to the response buffer (causing an
+EIO to be emitted down the line), the SCM call to fail with EINVAL
+(i.e., directly from TZ/firmware), or the device to be hard-reset.
+
+While this issue can be triggered deterministically, in the current form
+it seems to happen rather sporadically (which is why it has gone
+unnoticed during earlier testing). This is likely due to the two
+kzalloc() calls (for request and response) being directly after each
+other. Which means that those likely return consecutive regions most of
+the time, especially when not much else is going on in the system.
+
+Fix this by allocating a single memory region for both request and
+response buffers, properly aligning both structs inside it. This
+unfortunately also means that the qcom_scm_qseecom_app_send() interface
+needs to be restructured, as it should no longer map the DMA regions
+separately. Therefore, move the responsibility of DMA allocation (or
+mapping) to the caller.
+
+Fixes: 759e7a2b62eb ("firmware: Add support for Qualcomm UEFI Secure Application")
+Cc: stable@vger.kernel.org  # 6.7
+Tested-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
+Tested-by: Konrad Dybcio <konrad.dybcio@linaro.org> # X13s
+Link: https://lore.kernel.org/r/20240406130125.1047436-1-luzmaximilian@gmail.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ .../firmware/qcom/qcom_qseecom_uefisecapp.c   | 137 ++++++++++++------
+ drivers/firmware/qcom/qcom_scm.c              |  37 +----
+ include/linux/firmware/qcom/qcom_qseecom.h    |  55 ++++++-
+ include/linux/firmware/qcom/qcom_scm.h        |  10 +-
+ 4 files changed, 153 insertions(+), 86 deletions(-)
+
+diff --git a/drivers/firmware/qcom/qcom_qseecom_uefisecapp.c b/drivers/firmware/qcom/qcom_qseecom_uefisecapp.c
+index 32188f098ef3..bc550ad0dbe0 100644
+--- a/drivers/firmware/qcom/qcom_qseecom_uefisecapp.c
++++ b/drivers/firmware/qcom/qcom_qseecom_uefisecapp.c
+@@ -221,6 +221,19 @@ struct qsee_rsp_uefi_query_variable_info {
+  * alignment of 8 bytes (64 bits) for GUIDs. Our definition of efi_guid_t,
+  * however, has an alignment of 4 byte (32 bits). So far, this seems to work
+  * fine here. See also the comment on the typedef of efi_guid_t.
++ *
++ * Note: It looks like uefisecapp is quite picky about how the memory passed to
++ * it is structured and aligned. In particular the request/response setup used
++ * for QSEE_CMD_UEFI_GET_VARIABLE. While qcom_qseecom_app_send(), in theory,
++ * accepts separate buffers/addresses for the request and response parts, in
++ * practice, however, it seems to expect them to be both part of a larger
++ * contiguous block. We initially allocated separate buffers for the request
++ * and response but this caused the QSEE_CMD_UEFI_GET_VARIABLE command to
++ * either not write any response to the response buffer or outright crash the
++ * device. Therefore, we now allocate a single contiguous block of DMA memory
++ * for both and properly align the data using the macros below. In particular,
++ * request and response structs are aligned at 8 byte (via __reqdata_offs()),
++ * following the driver that this has been reverse-engineered from.
+  */
+ #define qcuefi_buf_align_fields(fields...)					\
+ 	({									\
+@@ -244,6 +257,12 @@ struct qsee_rsp_uefi_query_variable_info {
+ #define __array_offs(type, count, offset)					\
+ 	__field_impl(sizeof(type) * (count), __alignof__(type), offset)
+ 
++#define __array_offs_aligned(type, count, align, offset)			\
++	__field_impl(sizeof(type) * (count), align, offset)
++
++#define __reqdata_offs(size, offset)						\
++	__array_offs_aligned(u8, size, 8, offset)
++
+ #define __array(type, count)		__array_offs(type, count, NULL)
+ #define __field_offs(type, offset)	__array_offs(type, 1, offset)
+ #define __field(type)			__array_offs(type, 1, NULL)
+@@ -277,10 +296,15 @@ static efi_status_t qsee_uefi_get_variable(struct qcuefi_client *qcuefi, const e
+ 	unsigned long buffer_size = *data_size;
+ 	efi_status_t efi_status = EFI_SUCCESS;
+ 	unsigned long name_length;
++	dma_addr_t cmd_buf_dma;
++	size_t cmd_buf_size;
++	void *cmd_buf;
+ 	size_t guid_offs;
+ 	size_t name_offs;
+ 	size_t req_size;
+ 	size_t rsp_size;
++	size_t req_offs;
++	size_t rsp_offs;
+ 	ssize_t status;
+ 
+ 	if (!name || !guid)
+@@ -304,17 +328,19 @@ static efi_status_t qsee_uefi_get_variable(struct qcuefi_client *qcuefi, const e
+ 		__array(u8, buffer_size)
+ 	);
+ 
+-	req_data = kzalloc(req_size, GFP_KERNEL);
+-	if (!req_data) {
++	cmd_buf_size = qcuefi_buf_align_fields(
++		__reqdata_offs(req_size, &req_offs)
++		__reqdata_offs(rsp_size, &rsp_offs)
++	);
++
++	cmd_buf = qseecom_dma_alloc(qcuefi->client, cmd_buf_size, &cmd_buf_dma, GFP_KERNEL);
++	if (!cmd_buf) {
+ 		efi_status = EFI_OUT_OF_RESOURCES;
+ 		goto out;
+ 	}
+ 
+-	rsp_data = kzalloc(rsp_size, GFP_KERNEL);
+-	if (!rsp_data) {
+-		efi_status = EFI_OUT_OF_RESOURCES;
+-		goto out_free_req;
+-	}
++	req_data = cmd_buf + req_offs;
++	rsp_data = cmd_buf + rsp_offs;
+ 
+ 	req_data->command_id = QSEE_CMD_UEFI_GET_VARIABLE;
+ 	req_data->data_size = buffer_size;
+@@ -332,7 +358,9 @@ static efi_status_t qsee_uefi_get_variable(struct qcuefi_client *qcuefi, const e
+ 
+ 	memcpy(((void *)req_data) + req_data->guid_offset, guid, req_data->guid_size);
+ 
+-	status = qcom_qseecom_app_send(qcuefi->client, req_data, req_size, rsp_data, rsp_size);
++	status = qcom_qseecom_app_send(qcuefi->client,
++				       cmd_buf_dma + req_offs, req_size,
++				       cmd_buf_dma + rsp_offs, rsp_size);
+ 	if (status) {
+ 		efi_status = EFI_DEVICE_ERROR;
+ 		goto out_free;
+@@ -407,9 +435,7 @@ static efi_status_t qsee_uefi_get_variable(struct qcuefi_client *qcuefi, const e
+ 	memcpy(data, ((void *)rsp_data) + rsp_data->data_offset, rsp_data->data_size);
+ 
+ out_free:
+-	kfree(rsp_data);
+-out_free_req:
+-	kfree(req_data);
++	qseecom_dma_free(qcuefi->client, cmd_buf_size, cmd_buf, cmd_buf_dma);
+ out:
+ 	return efi_status;
+ }
+@@ -422,10 +448,15 @@ static efi_status_t qsee_uefi_set_variable(struct qcuefi_client *qcuefi, const e
+ 	struct qsee_rsp_uefi_set_variable *rsp_data;
+ 	efi_status_t efi_status = EFI_SUCCESS;
+ 	unsigned long name_length;
++	dma_addr_t cmd_buf_dma;
++	size_t cmd_buf_size;
++	void *cmd_buf;
+ 	size_t name_offs;
+ 	size_t guid_offs;
+ 	size_t data_offs;
+ 	size_t req_size;
++	size_t req_offs;
++	size_t rsp_offs;
+ 	ssize_t status;
+ 
+ 	if (!name || !guid)
+@@ -450,17 +481,19 @@ static efi_status_t qsee_uefi_set_variable(struct qcuefi_client *qcuefi, const e
+ 		__array_offs(u8, data_size, &data_offs)
+ 	);
+ 
+-	req_data = kzalloc(req_size, GFP_KERNEL);
+-	if (!req_data) {
++	cmd_buf_size = qcuefi_buf_align_fields(
++		__reqdata_offs(req_size, &req_offs)
++		__reqdata_offs(sizeof(*rsp_data), &rsp_offs)
++	);
++
++	cmd_buf = qseecom_dma_alloc(qcuefi->client, cmd_buf_size, &cmd_buf_dma, GFP_KERNEL);
++	if (!cmd_buf) {
+ 		efi_status = EFI_OUT_OF_RESOURCES;
+ 		goto out;
+ 	}
+ 
+-	rsp_data = kzalloc(sizeof(*rsp_data), GFP_KERNEL);
+-	if (!rsp_data) {
+-		efi_status = EFI_OUT_OF_RESOURCES;
+-		goto out_free_req;
+-	}
++	req_data = cmd_buf + req_offs;
++	rsp_data = cmd_buf + rsp_offs;
+ 
+ 	req_data->command_id = QSEE_CMD_UEFI_SET_VARIABLE;
+ 	req_data->attributes = attributes;
+@@ -483,8 +516,9 @@ static efi_status_t qsee_uefi_set_variable(struct qcuefi_client *qcuefi, const e
+ 	if (data_size)
+ 		memcpy(((void *)req_data) + req_data->data_offset, data, req_data->data_size);
+ 
+-	status = qcom_qseecom_app_send(qcuefi->client, req_data, req_size, rsp_data,
+-				       sizeof(*rsp_data));
++	status = qcom_qseecom_app_send(qcuefi->client,
++				       cmd_buf_dma + req_offs, req_size,
++				       cmd_buf_dma + rsp_offs, sizeof(*rsp_data));
+ 	if (status) {
+ 		efi_status = EFI_DEVICE_ERROR;
+ 		goto out_free;
+@@ -507,9 +541,7 @@ static efi_status_t qsee_uefi_set_variable(struct qcuefi_client *qcuefi, const e
+ 	}
+ 
+ out_free:
+-	kfree(rsp_data);
+-out_free_req:
+-	kfree(req_data);
++	qseecom_dma_free(qcuefi->client, cmd_buf_size, cmd_buf, cmd_buf_dma);
+ out:
+ 	return efi_status;
+ }
+@@ -521,10 +553,15 @@ static efi_status_t qsee_uefi_get_next_variable(struct qcuefi_client *qcuefi,
+ 	struct qsee_req_uefi_get_next_variable *req_data;
+ 	struct qsee_rsp_uefi_get_next_variable *rsp_data;
+ 	efi_status_t efi_status = EFI_SUCCESS;
++	dma_addr_t cmd_buf_dma;
++	size_t cmd_buf_size;
++	void *cmd_buf;
+ 	size_t guid_offs;
+ 	size_t name_offs;
+ 	size_t req_size;
+ 	size_t rsp_size;
++	size_t req_offs;
++	size_t rsp_offs;
+ 	ssize_t status;
+ 
+ 	if (!name_size || !name || !guid)
+@@ -545,17 +582,19 @@ static efi_status_t qsee_uefi_get_next_variable(struct qcuefi_client *qcuefi,
+ 		__array(*name, *name_size / sizeof(*name))
+ 	);
+ 
+-	req_data = kzalloc(req_size, GFP_KERNEL);
+-	if (!req_data) {
++	cmd_buf_size = qcuefi_buf_align_fields(
++		__reqdata_offs(req_size, &req_offs)
++		__reqdata_offs(rsp_size, &rsp_offs)
++	);
++
++	cmd_buf = qseecom_dma_alloc(qcuefi->client, cmd_buf_size, &cmd_buf_dma, GFP_KERNEL);
++	if (!cmd_buf) {
+ 		efi_status = EFI_OUT_OF_RESOURCES;
+ 		goto out;
+ 	}
+ 
+-	rsp_data = kzalloc(rsp_size, GFP_KERNEL);
+-	if (!rsp_data) {
+-		efi_status = EFI_OUT_OF_RESOURCES;
+-		goto out_free_req;
+-	}
++	req_data = cmd_buf + req_offs;
++	rsp_data = cmd_buf + rsp_offs;
+ 
+ 	req_data->command_id = QSEE_CMD_UEFI_GET_NEXT_VARIABLE;
+ 	req_data->guid_offset = guid_offs;
+@@ -572,7 +611,9 @@ static efi_status_t qsee_uefi_get_next_variable(struct qcuefi_client *qcuefi,
+ 		goto out_free;
+ 	}
+ 
+-	status = qcom_qseecom_app_send(qcuefi->client, req_data, req_size, rsp_data, rsp_size);
++	status = qcom_qseecom_app_send(qcuefi->client,
++				       cmd_buf_dma + req_offs, req_size,
++				       cmd_buf_dma + rsp_offs, rsp_size);
+ 	if (status) {
+ 		efi_status = EFI_DEVICE_ERROR;
+ 		goto out_free;
+@@ -645,9 +686,7 @@ static efi_status_t qsee_uefi_get_next_variable(struct qcuefi_client *qcuefi,
+ 	}
+ 
+ out_free:
+-	kfree(rsp_data);
+-out_free_req:
+-	kfree(req_data);
++	qseecom_dma_free(qcuefi->client, cmd_buf_size, cmd_buf, cmd_buf_dma);
+ out:
+ 	return efi_status;
+ }
+@@ -659,26 +698,34 @@ static efi_status_t qsee_uefi_query_variable_info(struct qcuefi_client *qcuefi,
+ 	struct qsee_req_uefi_query_variable_info *req_data;
+ 	struct qsee_rsp_uefi_query_variable_info *rsp_data;
+ 	efi_status_t efi_status = EFI_SUCCESS;
++	dma_addr_t cmd_buf_dma;
++	size_t cmd_buf_size;
++	void *cmd_buf;
++	size_t req_offs;
++	size_t rsp_offs;
+ 	int status;
+ 
+-	req_data = kzalloc(sizeof(*req_data), GFP_KERNEL);
+-	if (!req_data) {
++	cmd_buf_size = qcuefi_buf_align_fields(
++		__reqdata_offs(sizeof(*req_data), &req_offs)
++		__reqdata_offs(sizeof(*rsp_data), &rsp_offs)
++	);
++
++	cmd_buf = qseecom_dma_alloc(qcuefi->client, cmd_buf_size, &cmd_buf_dma, GFP_KERNEL);
++	if (!cmd_buf) {
+ 		efi_status = EFI_OUT_OF_RESOURCES;
+ 		goto out;
+ 	}
+ 
+-	rsp_data = kzalloc(sizeof(*rsp_data), GFP_KERNEL);
+-	if (!rsp_data) {
+-		efi_status = EFI_OUT_OF_RESOURCES;
+-		goto out_free_req;
+-	}
++	req_data = cmd_buf + req_offs;
++	rsp_data = cmd_buf + rsp_offs;
+ 
+ 	req_data->command_id = QSEE_CMD_UEFI_QUERY_VARIABLE_INFO;
+ 	req_data->attributes = attr;
+ 	req_data->length = sizeof(*req_data);
+ 
+-	status = qcom_qseecom_app_send(qcuefi->client, req_data, sizeof(*req_data), rsp_data,
+-				       sizeof(*rsp_data));
++	status = qcom_qseecom_app_send(qcuefi->client,
++				       cmd_buf_dma + req_offs, sizeof(*req_data),
++				       cmd_buf_dma + rsp_offs, sizeof(*rsp_data));
+ 	if (status) {
+ 		efi_status = EFI_DEVICE_ERROR;
+ 		goto out_free;
+@@ -711,9 +758,7 @@ static efi_status_t qsee_uefi_query_variable_info(struct qcuefi_client *qcuefi,
+ 		*max_variable_size = rsp_data->max_variable_size;
+ 
+ out_free:
+-	kfree(rsp_data);
+-out_free_req:
+-	kfree(req_data);
++	qseecom_dma_free(qcuefi->client, cmd_buf_size, cmd_buf, cmd_buf_dma);
+ out:
+ 	return efi_status;
+ }
+diff --git a/drivers/firmware/qcom/qcom_scm.c b/drivers/firmware/qcom/qcom_scm.c
+index 520de9b5633a..90283f160a22 100644
+--- a/drivers/firmware/qcom/qcom_scm.c
++++ b/drivers/firmware/qcom/qcom_scm.c
+@@ -1576,9 +1576,9 @@ EXPORT_SYMBOL_GPL(qcom_scm_qseecom_app_get_id);
+ /**
+  * qcom_scm_qseecom_app_send() - Send to and receive data from a given QSEE app.
+  * @app_id:   The ID of the target app.
+- * @req:      Request buffer sent to the app (must be DMA-mappable).
++ * @req:      DMA address of the request buffer sent to the app.
+  * @req_size: Size of the request buffer.
+- * @rsp:      Response buffer, written to by the app (must be DMA-mappable).
++ * @rsp:      DMA address of the response buffer, written to by the app.
+  * @rsp_size: Size of the response buffer.
+  *
+  * Sends a request to the QSEE app associated with the given ID and read back
+@@ -1589,33 +1589,13 @@ EXPORT_SYMBOL_GPL(qcom_scm_qseecom_app_get_id);
+  *
+  * Return: Zero on success, nonzero on failure.
+  */
+-int qcom_scm_qseecom_app_send(u32 app_id, void *req, size_t req_size, void *rsp,
+-			      size_t rsp_size)
++int qcom_scm_qseecom_app_send(u32 app_id, dma_addr_t req, size_t req_size,
++			      dma_addr_t rsp, size_t rsp_size)
+ {
+ 	struct qcom_scm_qseecom_resp res = {};
+ 	struct qcom_scm_desc desc = {};
+-	dma_addr_t req_phys;
+-	dma_addr_t rsp_phys;
+ 	int status;
+ 
+-	/* Map request buffer */
+-	req_phys = dma_map_single(__scm->dev, req, req_size, DMA_TO_DEVICE);
+-	status = dma_mapping_error(__scm->dev, req_phys);
+-	if (status) {
+-		dev_err(__scm->dev, "qseecom: failed to map request buffer\n");
+-		return status;
+-	}
+-
+-	/* Map response buffer */
+-	rsp_phys = dma_map_single(__scm->dev, rsp, rsp_size, DMA_FROM_DEVICE);
+-	status = dma_mapping_error(__scm->dev, rsp_phys);
+-	if (status) {
+-		dma_unmap_single(__scm->dev, req_phys, req_size, DMA_TO_DEVICE);
+-		dev_err(__scm->dev, "qseecom: failed to map response buffer\n");
+-		return status;
+-	}
+-
+-	/* Set up SCM call data */
+ 	desc.owner = QSEECOM_TZ_OWNER_TZ_APPS;
+ 	desc.svc = QSEECOM_TZ_SVC_APP_ID_PLACEHOLDER;
+ 	desc.cmd = QSEECOM_TZ_CMD_APP_SEND;
+@@ -1623,18 +1603,13 @@ int qcom_scm_qseecom_app_send(u32 app_id, void *req, size_t req_size, void *rsp,
+ 				     QCOM_SCM_RW, QCOM_SCM_VAL,
+ 				     QCOM_SCM_RW, QCOM_SCM_VAL);
+ 	desc.args[0] = app_id;
+-	desc.args[1] = req_phys;
++	desc.args[1] = req;
+ 	desc.args[2] = req_size;
+-	desc.args[3] = rsp_phys;
++	desc.args[3] = rsp;
+ 	desc.args[4] = rsp_size;
+ 
+-	/* Perform call */
+ 	status = qcom_scm_qseecom_call(&desc, &res);
+ 
+-	/* Unmap buffers */
+-	dma_unmap_single(__scm->dev, rsp_phys, rsp_size, DMA_FROM_DEVICE);
+-	dma_unmap_single(__scm->dev, req_phys, req_size, DMA_TO_DEVICE);
+-
+ 	if (status)
+ 		return status;
+ 
+diff --git a/include/linux/firmware/qcom/qcom_qseecom.h b/include/linux/firmware/qcom/qcom_qseecom.h
+index 5c28298a98be..366243ee9609 100644
+--- a/include/linux/firmware/qcom/qcom_qseecom.h
++++ b/include/linux/firmware/qcom/qcom_qseecom.h
+@@ -10,6 +10,7 @@
+ #define __QCOM_QSEECOM_H
+ 
+ #include <linux/auxiliary_bus.h>
++#include <linux/dma-mapping.h>
+ #include <linux/types.h>
+ 
+ #include <linux/firmware/qcom/qcom_scm.h>
+@@ -24,12 +25,57 @@ struct qseecom_client {
+ 	u32 app_id;
+ };
+ 
++/**
++ * qseecom_scm_dev() - Get the SCM device associated with the QSEECOM client.
++ * @client: The QSEECOM client device.
++ *
++ * Returns the SCM device under which the provided QSEECOM client device
++ * operates. This function is intended to be used for DMA allocations.
++ */
++static inline struct device *qseecom_scm_dev(struct qseecom_client *client)
++{
++	return client->aux_dev.dev.parent->parent;
++}
++
++/**
++ * qseecom_dma_alloc() - Allocate DMA memory for a QSEECOM client.
++ * @client:     The QSEECOM client to allocate the memory for.
++ * @size:       The number of bytes to allocate.
++ * @dma_handle: Pointer to where the DMA address should be stored.
++ * @gfp:        Allocation flags.
++ *
++ * Wrapper function for dma_alloc_coherent(), allocating DMA memory usable for
++ * TZ/QSEECOM communication. Refer to dma_alloc_coherent() for details.
++ */
++static inline void *qseecom_dma_alloc(struct qseecom_client *client, size_t size,
++				      dma_addr_t *dma_handle, gfp_t gfp)
++{
++	return dma_alloc_coherent(qseecom_scm_dev(client), size, dma_handle, gfp);
++}
++
++/**
++ * dma_free_coherent() - Free QSEECOM DMA memory.
++ * @client:     The QSEECOM client for which the memory has been allocated.
++ * @size:       The number of bytes allocated.
++ * @cpu_addr:   Virtual memory address to free.
++ * @dma_handle: DMA memory address to free.
++ *
++ * Wrapper function for dma_free_coherent(), freeing memory previously
++ * allocated with qseecom_dma_alloc(). Refer to dma_free_coherent() for
++ * details.
++ */
++static inline void qseecom_dma_free(struct qseecom_client *client, size_t size,
++				    void *cpu_addr, dma_addr_t dma_handle)
++{
++	return dma_free_coherent(qseecom_scm_dev(client), size, cpu_addr, dma_handle);
++}
++
+ /**
+  * qcom_qseecom_app_send() - Send to and receive data from a given QSEE app.
+  * @client:   The QSEECOM client associated with the target app.
+- * @req:      Request buffer sent to the app (must be DMA-mappable).
++ * @req:      DMA address of the request buffer sent to the app.
+  * @req_size: Size of the request buffer.
+- * @rsp:      Response buffer, written to by the app (must be DMA-mappable).
++ * @rsp:      DMA address of the response buffer, written to by the app.
+  * @rsp_size: Size of the response buffer.
+  *
+  * Sends a request to the QSEE app associated with the given client and read
+@@ -43,8 +89,9 @@ struct qseecom_client {
+  *
+  * Return: Zero on success, nonzero on failure.
+  */
+-static inline int qcom_qseecom_app_send(struct qseecom_client *client, void *req, size_t req_size,
+-					void *rsp, size_t rsp_size)
++static inline int qcom_qseecom_app_send(struct qseecom_client *client,
++					dma_addr_t req, size_t req_size,
++					dma_addr_t rsp, size_t rsp_size)
+ {
+ 	return qcom_scm_qseecom_app_send(client->app_id, req, req_size, rsp, rsp_size);
+ }
+diff --git a/include/linux/firmware/qcom/qcom_scm.h b/include/linux/firmware/qcom/qcom_scm.h
+index ccaf28846054..aaa19f93ac43 100644
+--- a/include/linux/firmware/qcom/qcom_scm.h
++++ b/include/linux/firmware/qcom/qcom_scm.h
+@@ -118,8 +118,8 @@ bool qcom_scm_lmh_dcvsh_available(void);
+ #ifdef CONFIG_QCOM_QSEECOM
+ 
+ int qcom_scm_qseecom_app_get_id(const char *app_name, u32 *app_id);
+-int qcom_scm_qseecom_app_send(u32 app_id, void *req, size_t req_size, void *rsp,
+-			      size_t rsp_size);
++int qcom_scm_qseecom_app_send(u32 app_id, dma_addr_t req, size_t req_size,
++			      dma_addr_t rsp, size_t rsp_size);
+ 
+ #else /* CONFIG_QCOM_QSEECOM */
+ 
+@@ -128,9 +128,9 @@ static inline int qcom_scm_qseecom_app_get_id(const char *app_name, u32 *app_id)
+ 	return -EINVAL;
+ }
+ 
+-static inline int qcom_scm_qseecom_app_send(u32 app_id, void *req,
+-					    size_t req_size, void *rsp,
+-					    size_t rsp_size)
++static inline int qcom_scm_qseecom_app_send(u32 app_id,
++					    dma_addr_t req, size_t req_size,
++					    dma_addr_t rsp, size_t rsp_size)
+ {
+ 	return -EINVAL;
+ }
+-- 
+2.44.0
+
diff --git a/queue-6.8/macsec-detect-if-rx-skb-is-macsec-related-for-offloading-devices-that-update-md_dst.patch b/queue-6.8/macsec-detect-if-rx-skb-is-macsec-related-for-offloading-devices-that-update-md_dst.patch
new file mode 100644
index 0000000000..51e62783c9
--- /dev/null
+++ b/queue-6.8/macsec-detect-if-rx-skb-is-macsec-related-for-offloading-devices-that-update-md_dst.patch
@@ -0,0 +1,113 @@
+From 642c984dd0e37dbaec9f87bd1211e5fac1f142bf Mon Sep 17 00:00:00 2001
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Date: Tue, 23 Apr 2024 11:13:04 -0700
+Subject: macsec: Detect if Rx skb is macsec-related for offloading devices that update md_dst
+
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+
+commit 642c984dd0e37dbaec9f87bd1211e5fac1f142bf upstream.
+
+Can now correctly identify where the packets should be delivered by using
+md_dst or its absence on devices that provide it.
+
+This detection is not possible without device drivers that update md_dst. A
+fallback pattern should be used for supporting such device drivers. This
+fallback mode causes multicast messages to be cloned to both the non-macsec
+and macsec ports, independent of whether the multicast message received was
+encrypted over MACsec or not. Other non-macsec traffic may also fail to be
+handled correctly for devices in promiscuous mode.
+
+Link: https://lore.kernel.org/netdev/ZULRxX9eIbFiVi7v@hog/
+Cc: Sabrina Dubroca <sd@queasysnail.net>
+Cc: stable@vger.kernel.org
+Fixes: 860ead89b851 ("net/macsec: Add MACsec skb_metadata_dst Rx Data path support")
+Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Reviewed-by: Benjamin Poirier <bpoirier@nvidia.com>
+Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://lore.kernel.org/r/20240423181319.115860-4-rrameshbabu@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c |   46 ++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 36 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -999,10 +999,12 @@ static enum rx_handler_result handle_not
+ 	struct metadata_dst *md_dst;
+ 	struct macsec_rxh_data *rxd;
+ 	struct macsec_dev *macsec;
++	bool is_macsec_md_dst;
+ 
+ 	rcu_read_lock();
+ 	rxd = macsec_data_rcu(skb->dev);
+ 	md_dst = skb_metadata_dst(skb);
++	is_macsec_md_dst = md_dst && md_dst->type == METADATA_MACSEC;
+ 
+ 	list_for_each_entry_rcu(macsec, &rxd->secys, secys) {
+ 		struct sk_buff *nskb;
+@@ -1013,14 +1015,42 @@ static enum rx_handler_result handle_not
+ 		 * the SecTAG, so we have to deduce which port to deliver to.
+ 		 */
+ 		if (macsec_is_offloaded(macsec) && netif_running(ndev)) {
+-			struct macsec_rx_sc *rx_sc = NULL;
++			const struct macsec_ops *ops;
+ 
+-			if (md_dst && md_dst->type == METADATA_MACSEC)
+-				rx_sc = find_rx_sc(&macsec->secy, md_dst->u.macsec_info.sci);
++			ops = macsec_get_ops(macsec, NULL);
+ 
+-			if (md_dst && md_dst->type == METADATA_MACSEC && !rx_sc)
++			if (ops->rx_uses_md_dst && !is_macsec_md_dst)
+ 				continue;
+ 
++			if (is_macsec_md_dst) {
++				struct macsec_rx_sc *rx_sc;
++
++				/* All drivers that implement MACsec offload
++				 * support using skb metadata destinations must
++				 * indicate that they do so.
++				 */
++				DEBUG_NET_WARN_ON_ONCE(!ops->rx_uses_md_dst);
++				rx_sc = find_rx_sc(&macsec->secy,
++						   md_dst->u.macsec_info.sci);
++				if (!rx_sc)
++					continue;
++				/* device indicated macsec offload occurred */
++				skb->dev = ndev;
++				skb->pkt_type = PACKET_HOST;
++				eth_skb_pkt_type(skb, ndev);
++				ret = RX_HANDLER_ANOTHER;
++				goto out;
++			}
++
++			/* This datapath is insecure because it is unable to
++			 * enforce isolation of broadcast/multicast traffic and
++			 * unicast traffic with promiscuous mode on the macsec
++			 * netdev. Since the core stack has no mechanism to
++			 * check that the hardware did indeed receive MACsec
++			 * traffic, it is possible that the response handling
++			 * done by the MACsec port was to a plaintext packet.
++			 * This violates the MACsec protocol standard.
++			 */
+ 			if (ether_addr_equal_64bits(hdr->h_dest,
+ 						    ndev->dev_addr)) {
+ 				/* exact match, divert skb to this port */
+@@ -1036,14 +1066,10 @@ static enum rx_handler_result handle_not
+ 					break;
+ 
+ 				nskb->dev = ndev;
+-				if (ether_addr_equal_64bits(hdr->h_dest,
+-							    ndev->broadcast))
+-					nskb->pkt_type = PACKET_BROADCAST;
+-				else
+-					nskb->pkt_type = PACKET_MULTICAST;
++				eth_skb_pkt_type(nskb, ndev);
+ 
+ 				__netif_rx(nskb);
+-			} else if (rx_sc || ndev->flags & IFF_PROMISC) {
++			} else if (ndev->flags & IFF_PROMISC) {
+ 				skb->dev = ndev;
+ 				skb->pkt_type = PACKET_HOST;
+ 				ret = RX_HANDLER_ANOTHER;
diff --git a/queue-6.8/macsec-enable-devices-to-advertise-whether-they-update-sk_buff-md_dst-during-offloads.patch b/queue-6.8/macsec-enable-devices-to-advertise-whether-they-update-sk_buff-md_dst-during-offloads.patch
new file mode 100644
index 0000000000..7d8d596d38
--- /dev/null
+++ b/queue-6.8/macsec-enable-devices-to-advertise-whether-they-update-sk_buff-md_dst-during-offloads.patch
@@ -0,0 +1,47 @@
+From 475747a19316b08e856c666a20503e73d7ed67ed Mon Sep 17 00:00:00 2001
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Date: Tue, 23 Apr 2024 11:13:02 -0700
+Subject: macsec: Enable devices to advertise whether they update sk_buff md_dst during offloads
+
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+
+commit 475747a19316b08e856c666a20503e73d7ed67ed upstream.
+
+Cannot know whether a Rx skb missing md_dst is intended for MACsec or not
+without knowing whether the device is able to update this field during an
+offload. Assume that an offload to a MACsec device cannot support updating
+md_dst by default. Capable devices can advertise that they do indicate that
+an skb is related to a MACsec offloaded packet using the md_dst.
+
+Cc: Sabrina Dubroca <sd@queasysnail.net>
+Cc: stable@vger.kernel.org
+Fixes: 860ead89b851 ("net/macsec: Add MACsec skb_metadata_dst Rx Data path support")
+Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Reviewed-by: Benjamin Poirier <bpoirier@nvidia.com>
+Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://lore.kernel.org/r/20240423181319.115860-2-rrameshbabu@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/macsec.h |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/include/net/macsec.h
++++ b/include/net/macsec.h
+@@ -321,6 +321,7 @@ struct macsec_context {
+  *	for the TX tag
+  * @needed_tailroom: number of bytes reserved at the end of the sk_buff for the
+  *	TX tag
++ * @rx_uses_md_dst: whether MACsec device offload supports sk_buff md_dst
+  */
+ struct macsec_ops {
+ 	/* Device wide */
+@@ -352,6 +353,7 @@ struct macsec_ops {
+ 				 struct sk_buff *skb);
+ 	unsigned int needed_headroom;
+ 	unsigned int needed_tailroom;
++	bool rx_uses_md_dst;
+ };
+ 
+ void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa);
diff --git a/queue-6.8/mtd-diskonchip-work-around-ubsan-link-failure.patch b/queue-6.8/mtd-diskonchip-work-around-ubsan-link-failure.patch
new file mode 100644
index 0000000000..78d89fe896
--- /dev/null
+++ b/queue-6.8/mtd-diskonchip-work-around-ubsan-link-failure.patch
@@ -0,0 +1,56 @@
+From 21c9fb611c25d5cd038f6fe485232e7884bb0b3d Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 5 Apr 2024 16:30:04 +0200
+Subject: mtd: diskonchip: work around ubsan link failure
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 21c9fb611c25d5cd038f6fe485232e7884bb0b3d upstream.
+
+I ran into a randconfig build failure with UBSAN using gcc-13.2:
+
+arm-linux-gnueabi-ld: error: unplaced orphan section `.bss..Lubsan_data31' from `drivers/mtd/nand/raw/diskonchip.o'
+
+I'm not entirely sure what is going on here, but I suspect this has something
+to do with the check for the end of the doc_locations[] array that contains
+an (unsigned long)0xffffffff element, which is compared against the signed
+(int)0xffffffff. If this is the case, we should get a runtime check for
+undefined behavior, but we instead get an unexpected build-time error.
+
+I would have expected this to work fine on 32-bit architectures despite the
+signed integer overflow, though on 64-bit architectures this likely won't
+ever work.
+
+Changing the contition to instead check for the size of the array makes the
+code safe everywhere and avoids the ubsan check that leads to the link
+error. The loop code goes back to before 2.6.12.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20240405143015.717429-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/diskonchip.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/nand/raw/diskonchip.c
++++ b/drivers/mtd/nand/raw/diskonchip.c
+@@ -53,7 +53,7 @@ static unsigned long doc_locations[] __i
+ 	0xe8000, 0xea000, 0xec000, 0xee000,
+ #endif
+ #endif
+-	0xffffffff };
++};
+ 
+ static struct mtd_info *doclist = NULL;
+ 
+@@ -1554,7 +1554,7 @@ static int __init init_nanddoc(void)
+ 		if (ret < 0)
+ 			return ret;
+ 	} else {
+-		for (i = 0; (doc_locations[i] != 0xffffffff); i++) {
++		for (i = 0; i < ARRAY_SIZE(doc_locations); i++) {
+ 			doc_probe(doc_locations[i]);
+ 		}
+ 	}
diff --git a/queue-6.8/mtd-limit-otp-nvmem-cell-parse-to-non-nand-devices.patch b/queue-6.8/mtd-limit-otp-nvmem-cell-parse-to-non-nand-devices.patch
new file mode 100644
index 0000000000..55a4419f10
--- /dev/null
+++ b/queue-6.8/mtd-limit-otp-nvmem-cell-parse-to-non-nand-devices.patch
@@ -0,0 +1,57 @@
+From d2d73a6dd17365c43e109263841f7c26da55cfb0 Mon Sep 17 00:00:00 2001
+From: Christian Marangi <ansuelsmth@gmail.com>
+Date: Fri, 12 Apr 2024 12:50:26 +0200
+Subject: mtd: limit OTP NVMEM cell parse to non-NAND devices
+
+From: Christian Marangi <ansuelsmth@gmail.com>
+
+commit d2d73a6dd17365c43e109263841f7c26da55cfb0 upstream.
+
+MTD OTP logic is very fragile on parsing NVMEM cell and can be
+problematic with some specific kind of devices.
+
+The problem was discovered by e87161321a40 ("mtd: rawnand: macronix:
+OTP access for MX30LFxG18AC") where OTP support was added to a NAND
+device. With the case of NAND devices, it does require a node where ECC
+info are declared and all the fixed partitions, and this cause the OTP
+codepath to parse this node as OTP NVMEM cells, making probe fail and
+the NAND device registration fail.
+
+MTD OTP parsing should have been limited to always using compatible to
+prevent this error by using node with compatible "otp-user" or
+"otp-factory".
+
+NVMEM across the years had various iteration on how cells could be
+declared in DT, in some old implementation, no_of_node should have been
+enabled but now add_legacy_fixed_of_cells should be used to disable
+NVMEM to parse child node as NVMEM cell.
+
+To fix this and limit any regression with other MTD that makes use of
+declaring OTP as direct child of the dev node, disable
+add_legacy_fixed_of_cells if we detect the MTD type is Nand.
+
+With the following logic, the OTP NVMEM entry is correctly created with
+no cells and the MTD Nand is correctly probed and partitions are
+correctly exposed.
+
+Fixes: 4b361cfa8624 ("mtd: core: add OTP nvmem provider support")
+Cc: <stable@vger.kernel.org> # v6.7+
+Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20240412105030.1598-1-ansuelsmth@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/mtdcore.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/mtdcore.c
++++ b/drivers/mtd/mtdcore.c
+@@ -900,7 +900,7 @@ static struct nvmem_device *mtd_otp_nvme
+ 	config.name = compatible;
+ 	config.id = NVMEM_DEVID_AUTO;
+ 	config.owner = THIS_MODULE;
+-	config.add_legacy_fixed_of_cells = true;
++	config.add_legacy_fixed_of_cells = !mtd_type_is_nand(mtd);
+ 	config.type = NVMEM_TYPE_OTP;
+ 	config.root_only = true;
+ 	config.ignore_wp = true;
diff --git a/queue-6.8/net-b44-set-pause-params-only-when-interface-is-up.patch b/queue-6.8/net-b44-set-pause-params-only-when-interface-is-up.patch
new file mode 100644
index 0000000000..01e9da9b65
--- /dev/null
+++ b/queue-6.8/net-b44-set-pause-params-only-when-interface-is-up.patch
@@ -0,0 +1,61 @@
+From e3eb7dd47bd4806f00e104eb6da092c435f9fb21 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Peter=20M=C3=BCnster?= <pm@a16n.net>
+Date: Wed, 24 Apr 2024 15:51:52 +0200
+Subject: net: b44: set pause params only when interface is up
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Peter Münster <pm@a16n.net>
+
+commit e3eb7dd47bd4806f00e104eb6da092c435f9fb21 upstream.
+
+b44_free_rings() accesses b44::rx_buffers (and ::tx_buffers)
+unconditionally, but b44::rx_buffers is only valid when the
+device is up (they get allocated in b44_open(), and deallocated
+again in b44_close()), any other time these are just a NULL pointers.
+
+So if you try to change the pause params while the network interface
+is disabled/administratively down, everything explodes (which likely
+netifd tries to do).
+
+Link: https://github.com/openwrt/openwrt/issues/13789
+Fixes: 1da177e4c3f4 (Linux-2.6.12-rc2)
+Cc: stable@vger.kernel.org
+Reported-by: Peter Münster <pm@a16n.net>
+Suggested-by: Jonas Gorski <jonas.gorski@gmail.com>
+Signed-off-by: Vaclav Svoboda <svoboda@neng.cz>
+Tested-by: Peter Münster <pm@a16n.net>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Peter Münster <pm@a16n.net>
+Reviewed-by: Michael Chan <michael.chan@broadcom.com>
+Link: https://lore.kernel.org/r/87y192oolj.fsf@a16n.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/b44.c |   14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/b44.c
++++ b/drivers/net/ethernet/broadcom/b44.c
+@@ -2009,12 +2009,14 @@ static int b44_set_pauseparam(struct net
+ 		bp->flags |= B44_FLAG_TX_PAUSE;
+ 	else
+ 		bp->flags &= ~B44_FLAG_TX_PAUSE;
+-	if (bp->flags & B44_FLAG_PAUSE_AUTO) {
+-		b44_halt(bp);
+-		b44_init_rings(bp);
+-		b44_init_hw(bp, B44_FULL_RESET);
+-	} else {
+-		__b44_set_flow_ctrl(bp, bp->flags);
++	if (netif_running(dev)) {
++		if (bp->flags & B44_FLAG_PAUSE_AUTO) {
++			b44_halt(bp);
++			b44_init_rings(bp);
++			b44_init_hw(bp, B44_FULL_RESET);
++		} else {
++			__b44_set_flow_ctrl(bp, bp->flags);
++		}
+ 	}
+ 	spin_unlock_irq(&bp->lock);
+ 
diff --git a/queue-6.8/net-mlx5e-advertise-mlx5-ethernet-driver-updates-sk_buff-md_dst-for-macsec.patch b/queue-6.8/net-mlx5e-advertise-mlx5-ethernet-driver-updates-sk_buff-md_dst-for-macsec.patch
new file mode 100644
index 0000000000..e00db17130
--- /dev/null
+++ b/queue-6.8/net-mlx5e-advertise-mlx5-ethernet-driver-updates-sk_buff-md_dst-for-macsec.patch
@@ -0,0 +1,37 @@
+From 39d26a8f2efcb8b5665fe7d54a7dba306a8f1dff Mon Sep 17 00:00:00 2001
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Date: Tue, 23 Apr 2024 11:13:05 -0700
+Subject: net/mlx5e: Advertise mlx5 ethernet driver updates sk_buff md_dst for MACsec
+
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+
+commit 39d26a8f2efcb8b5665fe7d54a7dba306a8f1dff upstream.
+
+mlx5 Rx flow steering and CQE handling enable the driver to be able to
+update an skb's md_dst attribute as MACsec when MACsec traffic arrives when
+a device is configured for offloading. Advertise this to the core stack to
+take advantage of this capability.
+
+Cc: stable@vger.kernel.org
+Fixes: b7c9400cbc48 ("net/mlx5e: Implement MACsec Rx data path using MACsec skb_metadata_dst")
+Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Reviewed-by: Benjamin Poirier <bpoirier@nvidia.com>
+Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://lore.kernel.org/r/20240423181319.115860-5-rrameshbabu@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
+@@ -1640,6 +1640,7 @@ static const struct macsec_ops macsec_of
+ 	.mdo_add_secy = mlx5e_macsec_add_secy,
+ 	.mdo_upd_secy = mlx5e_macsec_upd_secy,
+ 	.mdo_del_secy = mlx5e_macsec_del_secy,
++	.rx_uses_md_dst = true,
+ };
+ 
+ bool mlx5e_macsec_handle_tx_skb(struct mlx5e_macsec *macsec, struct sk_buff *skb)
diff --git a/queue-6.8/phy-qcom-qmp-combo-fix-register-base-for-qserdes_dp_phy_mode.patch b/queue-6.8/phy-qcom-qmp-combo-fix-register-base-for-qserdes_dp_phy_mode.patch
new file mode 100644
index 0000000000..e7a59e4239
--- /dev/null
+++ b/queue-6.8/phy-qcom-qmp-combo-fix-register-base-for-qserdes_dp_phy_mode.patch
@@ -0,0 +1,55 @@
+From ee13e1f3c72b9464a4d73017c060ab503eed653a Mon Sep 17 00:00:00 2001
+From: Stephen Boyd <swboyd@chromium.org>
+Date: Thu, 4 Apr 2024 17:01:03 -0700
+Subject: phy: qcom: qmp-combo: Fix register base for QSERDES_DP_PHY_MODE
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+commit ee13e1f3c72b9464a4d73017c060ab503eed653a upstream.
+
+The register base that was used to write to the QSERDES_DP_PHY_MODE
+register was 'dp_dp_phy' before commit 815891eee668 ("phy:
+qcom-qmp-combo: Introduce orientation variable"). There isn't any
+explanation in the commit why this is changed, so I suspect it was an
+oversight or happened while being extracted from some other series.
+Oddly the value being 0x4c or 0x5c doesn't seem to matter for me, so I
+suspect this is dead code, but that can be fixed in another patch. It's
+not good to write to the wrong register space, and maybe some other
+version of this phy relies on this.
+
+Cc: Douglas Anderson <dianders@chromium.org>
+Cc: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Cc: Neil Armstrong <neil.armstrong@linaro.org>
+Cc: Abel Vesa <abel.vesa@linaro.org>
+Cc: Steev Klimaszewski <steev@kali.org>
+Cc: Johan Hovold <johan+linaro@kernel.org>
+Cc: Bjorn Andersson <quic_bjorande@quicinc.com>
+Cc: stable@vger.kernel.org      # 6.5
+Fixes: 815891eee668 ("phy: qcom-qmp-combo: Introduce orientation variable")
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Bjorn Andersson <quic_bjorande@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20240405000111.1450598-1-swboyd@chromium.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-combo.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
+@@ -2211,9 +2211,9 @@ static bool qmp_combo_configure_dp_mode(
+ 	writel(val, qmp->dp_dp_phy + QSERDES_DP_PHY_PD_CTL);
+ 
+ 	if (reverse)
+-		writel(0x4c, qmp->pcs + QSERDES_DP_PHY_MODE);
++		writel(0x4c, qmp->dp_dp_phy + QSERDES_DP_PHY_MODE);
+ 	else
+-		writel(0x5c, qmp->pcs + QSERDES_DP_PHY_MODE);
++		writel(0x5c, qmp->dp_dp_phy + QSERDES_DP_PHY_MODE);
+ 
+ 	return reverse;
+ }
diff --git a/queue-6.8/phy-qcom-qmp-combo-fix-vco-div-offset-on-v3.patch b/queue-6.8/phy-qcom-qmp-combo-fix-vco-div-offset-on-v3.patch
new file mode 100644
index 0000000000..e60377639f
--- /dev/null
+++ b/queue-6.8/phy-qcom-qmp-combo-fix-vco-div-offset-on-v3.patch
@@ -0,0 +1,87 @@
+From 5abed58a8bde6d349bde364a160510b5bb904d18 Mon Sep 17 00:00:00 2001
+From: Stephen Boyd <swboyd@chromium.org>
+Date: Thu, 4 Apr 2024 16:43:44 -0700
+Subject: phy: qcom: qmp-combo: Fix VCO div offset on v3
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+commit 5abed58a8bde6d349bde364a160510b5bb904d18 upstream.
+
+Commit ec17373aebd0 ("phy: qcom: qmp-combo: extract common function to
+setup clocks") changed the offset that is used to write to
+DP_PHY_VCO_DIV from QSERDES_V3_DP_PHY_VCO_DIV to
+QSERDES_V4_DP_PHY_VCO_DIV. Unfortunately, this offset is different
+between v3 and v4 phys:
+
+ #define QSERDES_V3_DP_PHY_VCO_DIV                 0x064
+ #define QSERDES_V4_DP_PHY_VCO_DIV                 0x070
+
+meaning that we write the wrong register on v3 phys now. Add another
+generic register to 'regs' and use it here instead of a version specific
+define to fix this.
+
+This was discovered after Abhinav looked over register dumps with me
+from sc7180 Trogdor devices that started failing to light up the
+external display with v6.6 based kernels. It turns out that some
+monitors are very specific about their link clk frequency and if the
+default power on reset value is still there the monitor will show a
+blank screen or a garbled display. Other monitors are perfectly happy to
+get a bad clock signal.
+
+Cc: Douglas Anderson <dianders@chromium.org>
+Cc: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Fixes: ec17373aebd0 ("phy: qcom: qmp-combo: extract common function to setup clocks")
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20240404234345.1446300-1-swboyd@chromium.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-combo.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
+@@ -112,6 +112,7 @@ enum qphy_reg_layout {
+ 	QPHY_COM_BIAS_EN_CLKBUFLR_EN,
+ 
+ 	QPHY_DP_PHY_STATUS,
++	QPHY_DP_PHY_VCO_DIV,
+ 
+ 	QPHY_TX_TX_POL_INV,
+ 	QPHY_TX_TX_DRV_LVL,
+@@ -137,6 +138,7 @@ static const unsigned int qmp_v3_usb3phy
+ 	[QPHY_COM_BIAS_EN_CLKBUFLR_EN]	= QSERDES_V3_COM_BIAS_EN_CLKBUFLR_EN,
+ 
+ 	[QPHY_DP_PHY_STATUS]		= QSERDES_V3_DP_PHY_STATUS,
++	[QPHY_DP_PHY_VCO_DIV]		= QSERDES_V3_DP_PHY_VCO_DIV,
+ 
+ 	[QPHY_TX_TX_POL_INV]		= QSERDES_V3_TX_TX_POL_INV,
+ 	[QPHY_TX_TX_DRV_LVL]		= QSERDES_V3_TX_TX_DRV_LVL,
+@@ -161,6 +163,7 @@ static const unsigned int qmp_v45_usb3ph
+ 	[QPHY_COM_BIAS_EN_CLKBUFLR_EN]	= QSERDES_V4_COM_BIAS_EN_CLKBUFLR_EN,
+ 
+ 	[QPHY_DP_PHY_STATUS]		= QSERDES_V4_DP_PHY_STATUS,
++	[QPHY_DP_PHY_VCO_DIV]		= QSERDES_V4_DP_PHY_VCO_DIV,
+ 
+ 	[QPHY_TX_TX_POL_INV]		= QSERDES_V4_TX_TX_POL_INV,
+ 	[QPHY_TX_TX_DRV_LVL]		= QSERDES_V4_TX_TX_DRV_LVL,
+@@ -2223,6 +2226,7 @@ static int qmp_combo_configure_dp_clocks
+ 	const struct phy_configure_opts_dp *dp_opts = &qmp->dp_opts;
+ 	u32 phy_vco_div;
+ 	unsigned long pixel_freq;
++	const struct qmp_phy_cfg *cfg = qmp->cfg;
+ 
+ 	switch (dp_opts->link_rate) {
+ 	case 1620:
+@@ -2245,7 +2249,7 @@ static int qmp_combo_configure_dp_clocks
+ 		/* Other link rates aren't supported */
+ 		return -EINVAL;
+ 	}
+-	writel(phy_vco_div, qmp->dp_dp_phy + QSERDES_V4_DP_PHY_VCO_DIV);
++	writel(phy_vco_div, qmp->dp_dp_phy + cfg->regs[QPHY_DP_PHY_VCO_DIV]);
+ 
+ 	clk_set_rate(qmp->dp_link_hw.clk, dp_opts->link_rate * 100000);
+ 	clk_set_rate(qmp->dp_pixel_hw.clk, pixel_freq);
diff --git a/queue-6.8/series b/queue-6.8/series
index a8d533f769..ee9a5060ce 100644
--- a/queue-6.8/series
+++ b/queue-6.8/series
@@ -182,3 +182,17 @@ irqchip-gic-v3-its-prevent-double-free-on-error.patch
 acpi-cppc-use-access_width-over-bit_width-for-system-memory-accesses.patch
 acpi-cppc-fix-bit_offset-shift-in-mask_val-macro.patch
 acpi-cppc-fix-access-width-used-for-pcc-registers.patch
+net-mlx5e-advertise-mlx5-ethernet-driver-updates-sk_buff-md_dst-for-macsec.patch
+ethernet-add-helper-for-assigning-packet-type-when-dest-address-does-not-match-device-address.patch
+net-b44-set-pause-params-only-when-interface-is-up.patch
+macsec-enable-devices-to-advertise-whether-they-update-sk_buff-md_dst-during-offloads.patch
+macsec-detect-if-rx-skb-is-macsec-related-for-offloading-devices-that-update-md_dst.patch
+stackdepot-respect-__gfp_nolockdep-allocation-flag.patch
+fbdev-fix-incorrect-address-computation-in-deferred-io.patch
+udp-preserve-the-connected-status-if-only-udp-cmsg.patch
+wifi-nl80211-don-t-free-null-coalescing-rule.patch
+mtd-limit-otp-nvmem-cell-parse-to-non-nand-devices.patch
+mtd-diskonchip-work-around-ubsan-link-failure.patch
+firmware-qcom-uefisecapp-fix-memory-related-io-errors-and-crashes.patch
+phy-qcom-qmp-combo-fix-register-base-for-qserdes_dp_phy_mode.patch
+phy-qcom-qmp-combo-fix-vco-div-offset-on-v3.patch
diff --git a/queue-6.8/stackdepot-respect-__gfp_nolockdep-allocation-flag.patch b/queue-6.8/stackdepot-respect-__gfp_nolockdep-allocation-flag.patch
new file mode 100644
index 0000000000..39312d2fe8
--- /dev/null
+++ b/queue-6.8/stackdepot-respect-__gfp_nolockdep-allocation-flag.patch
@@ -0,0 +1,95 @@
+From 6fe60465e1d53ea321ee909be26d97529e8f746c Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <ryabinin.a.a@gmail.com>
+Date: Thu, 18 Apr 2024 16:11:33 +0200
+Subject: stackdepot: respect __GFP_NOLOCKDEP allocation flag
+
+From: Andrey Ryabinin <ryabinin.a.a@gmail.com>
+
+commit 6fe60465e1d53ea321ee909be26d97529e8f746c upstream.
+
+If stack_depot_save_flags() allocates memory it always drops
+__GFP_NOLOCKDEP flag.  So when KASAN tries to track __GFP_NOLOCKDEP
+allocation we may end up with lockdep splat like bellow:
+
+======================================================
+ WARNING: possible circular locking dependency detected
+ 6.9.0-rc3+ #49 Not tainted
+ ------------------------------------------------------
+ kswapd0/149 is trying to acquire lock:
+ ffff88811346a920
+(&xfs_nondir_ilock_class){++++}-{4:4}, at: xfs_reclaim_inode+0x3ac/0x590
+[xfs]
+
+ but task is already holding lock:
+ ffffffff8bb33100 (fs_reclaim){+.+.}-{0:0}, at:
+balance_pgdat+0x5d9/0xad0
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+ -> #1 (fs_reclaim){+.+.}-{0:0}:
+        __lock_acquire+0x7da/0x1030
+        lock_acquire+0x15d/0x400
+        fs_reclaim_acquire+0xb5/0x100
+ prepare_alloc_pages.constprop.0+0xc5/0x230
+        __alloc_pages+0x12a/0x3f0
+        alloc_pages_mpol+0x175/0x340
+        stack_depot_save_flags+0x4c5/0x510
+        kasan_save_stack+0x30/0x40
+        kasan_save_track+0x10/0x30
+        __kasan_slab_alloc+0x83/0x90
+        kmem_cache_alloc+0x15e/0x4a0
+        __alloc_object+0x35/0x370
+        __create_object+0x22/0x90
+ __kmalloc_node_track_caller+0x477/0x5b0
+        krealloc+0x5f/0x110
+        xfs_iext_insert_raw+0x4b2/0x6e0 [xfs]
+        xfs_iext_insert+0x2e/0x130 [xfs]
+        xfs_iread_bmbt_block+0x1a9/0x4d0 [xfs]
+        xfs_btree_visit_block+0xfb/0x290 [xfs]
+        xfs_btree_visit_blocks+0x215/0x2c0 [xfs]
+        xfs_iread_extents+0x1a2/0x2e0 [xfs]
+ xfs_buffered_write_iomap_begin+0x376/0x10a0 [xfs]
+        iomap_iter+0x1d1/0x2d0
+ iomap_file_buffered_write+0x120/0x1a0
+        xfs_file_buffered_write+0x128/0x4b0 [xfs]
+        vfs_write+0x675/0x890
+        ksys_write+0xc3/0x160
+        do_syscall_64+0x94/0x170
+ entry_SYSCALL_64_after_hwframe+0x71/0x79
+
+Always preserve __GFP_NOLOCKDEP to fix this.
+
+Link: https://lkml.kernel.org/r/20240418141133.22950-1-ryabinin.a.a@gmail.com
+Fixes: cd11016e5f52 ("mm, kasan: stackdepot implementation. Enable stackdepot for SLAB")
+Signed-off-by: Andrey Ryabinin <ryabinin.a.a@gmail.com>
+Reported-by: Xiubo Li <xiubli@redhat.com>
+Closes: https://lore.kernel.org/all/a0caa289-ca02-48eb-9bf2-d86fd47b71f4@redhat.com/
+Reported-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Closes: https://lore.kernel.org/all/f9ff999a-e170-b66b-7caf-293f2b147ac2@opensource.wdc.com/
+Suggested-by: Dave Chinner <david@fromorbit.com>
+Tested-by: Xiubo Li <xiubli@redhat.com>
+Cc: Christoph Hellwig <hch@infradead.org>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/stackdepot.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/lib/stackdepot.c
++++ b/lib/stackdepot.c
+@@ -627,10 +627,10 @@ depot_stack_handle_t stack_depot_save_fl
+ 		/*
+ 		 * Zero out zone modifiers, as we don't have specific zone
+ 		 * requirements. Keep the flags related to allocation in atomic
+-		 * contexts and I/O.
++		 * contexts, I/O, nolockdep.
+ 		 */
+ 		alloc_flags &= ~GFP_ZONEMASK;
+-		alloc_flags &= (GFP_ATOMIC | GFP_KERNEL);
++		alloc_flags &= (GFP_ATOMIC | GFP_KERNEL | __GFP_NOLOCKDEP);
+ 		alloc_flags |= __GFP_NOWARN;
+ 		page = alloc_pages(alloc_flags, DEPOT_POOL_ORDER);
+ 		if (page)
diff --git a/queue-6.8/udp-preserve-the-connected-status-if-only-udp-cmsg.patch b/queue-6.8/udp-preserve-the-connected-status-if-only-udp-cmsg.patch
new file mode 100644
index 0000000000..b35b4fddb6
--- /dev/null
+++ b/queue-6.8/udp-preserve-the-connected-status-if-only-udp-cmsg.patch
@@ -0,0 +1,70 @@
+From 680d11f6e5427b6af1321932286722d24a8b16c1 Mon Sep 17 00:00:00 2001
+From: Yick Xie <yick.xie@gmail.com>
+Date: Fri, 19 Apr 2024 01:06:10 +0800
+Subject: udp: preserve the connected status if only UDP cmsg
+
+From: Yick Xie <yick.xie@gmail.com>
+
+commit 680d11f6e5427b6af1321932286722d24a8b16c1 upstream.
+
+If "udp_cmsg_send()" returned 0 (i.e. only UDP cmsg),
+"connected" should not be set to 0. Otherwise it stops
+the connected socket from using the cached route.
+
+Fixes: 2e8de8576343 ("udp: add gso segment cmsg")
+Signed-off-by: Yick Xie <yick.xie@gmail.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20240418170610.867084-1-yick.xie@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/udp.c |    5 +++--
+ net/ipv6/udp.c |    5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1125,16 +1125,17 @@ int udp_sendmsg(struct sock *sk, struct
+ 
+ 	if (msg->msg_controllen) {
+ 		err = udp_cmsg_send(sk, msg, &ipc.gso_size);
+-		if (err > 0)
++		if (err > 0) {
+ 			err = ip_cmsg_send(sk, msg, &ipc,
+ 					   sk->sk_family == AF_INET6);
++			connected = 0;
++		}
+ 		if (unlikely(err < 0)) {
+ 			kfree(ipc.opt);
+ 			return err;
+ 		}
+ 		if (ipc.opt)
+ 			free = 1;
+-		connected = 0;
+ 	}
+ 	if (!ipc.opt) {
+ 		struct ip_options_rcu *inet_opt;
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -1476,9 +1476,11 @@ do_udp_sendmsg:
+ 		ipc6.opt = opt;
+ 
+ 		err = udp_cmsg_send(sk, msg, &ipc6.gso_size);
+-		if (err > 0)
++		if (err > 0) {
+ 			err = ip6_datagram_send_ctl(sock_net(sk), sk, msg, fl6,
+ 						    &ipc6);
++			connected = false;
++		}
+ 		if (err < 0) {
+ 			fl6_sock_release(flowlabel);
+ 			return err;
+@@ -1490,7 +1492,6 @@ do_udp_sendmsg:
+ 		}
+ 		if (!(opt->opt_nflen|opt->opt_flen))
+ 			opt = NULL;
+-		connected = false;
+ 	}
+ 	if (!opt) {
+ 		opt = txopt_get(np);
diff --git a/queue-6.8/wifi-nl80211-don-t-free-null-coalescing-rule.patch b/queue-6.8/wifi-nl80211-don-t-free-null-coalescing-rule.patch
new file mode 100644
index 0000000000..57f394cc14
--- /dev/null
+++ b/queue-6.8/wifi-nl80211-don-t-free-null-coalescing-rule.patch
@@ -0,0 +1,32 @@
+From 801ea33ae82d6a9d954074fbcf8ea9d18f1543a7 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 18 Apr 2024 10:52:23 +0200
+Subject: wifi: nl80211: don't free NULL coalescing rule
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 801ea33ae82d6a9d954074fbcf8ea9d18f1543a7 upstream.
+
+If the parsing fails, we can dereference a NULL pointer here.
+
+Cc: stable@vger.kernel.org
+Fixes: be29b99a9b51 ("cfg80211/nl80211: Add packet coalesce support")
+Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20240418105220.b328f80406e7.Id75d961050deb05b3e4e354e024866f350c68103@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/nl80211.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -14092,6 +14092,8 @@ static int nl80211_set_coalesce(struct s
+ error:
+ 	for (i = 0; i < new_coalesce.n_rules; i++) {
+ 		tmp_rule = &new_coalesce.rules[i];
++		if (!tmp_rule)
++			continue;
+ 		for (j = 0; j < tmp_rule->n_patterns; j++)
+ 			kfree(tmp_rule->patterns[j].mask);
+ 		kfree(tmp_rule->patterns);