6.6-stable patches

added patches:
	bounds-use-the-right-number-of-bits-for-power-of-two-config_nr_cpus.patch
	macsec-detect-if-rx-skb-is-macsec-related-for-offloading-devices-that-update-md_dst.patch
	macsec-enable-devices-to-advertise-whether-they-update-sk_buff-md_dst-during-offloads.patch
	net-mlx5e-advertise-mlx5-ethernet-driver-updates-sk_buff-md_dst-for-macsec.patch
	ovl-fix-memory-leak-in-ovl_parse_param.patch
	phy-qcom-qmp-combo-fix-vco-div-offset-on-v5_5nm-and-v6.patch
	revert-riscv-kdump-fix-crashkernel-reserving-problem-on-risc-v.patch

8 files changed, 450 insertions, 0 deletions

diff --git a/queue-6.6/bounds-use-the-right-number-of-bits-for-power-of-two-config_nr_cpus.patch b/queue-6.6/bounds-use-the-right-number-of-bits-for-power-of-two-config_nr_cpus.patch
new file mode 100644
index 0000000000..62b5b57775
--- /dev/null
+++ b/queue-6.6/bounds-use-the-right-number-of-bits-for-power-of-two-config_nr_cpus.patch
@@ -0,0 +1,44 @@
+From 5af385f5f4cddf908f663974847a4083b2ff2c79 Mon Sep 17 00:00:00 2001
+From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
+Date: Mon, 29 Apr 2024 15:47:51 +0100
+Subject: bounds: Use the right number of bits for power-of-two CONFIG_NR_CPUS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+commit 5af385f5f4cddf908f663974847a4083b2ff2c79 upstream.
+
+bits_per() rounds up to the next power of two when passed a power of
+two.  This causes crashes on some machines and configurations.
+
+Reported-by: Михаил Новоселов <m.novosyolov@rosalinux.ru>
+Tested-by: Ильфат Гаптрахманов <i.gaptrakhmanov@rosalinux.ru>
+Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3347
+Link: https://lore.kernel.org/all/1c978cf1-2934-4e66-e4b3-e81b04cb3571@rosalinux.ru/
+Fixes: f2d5dcb48f7b (bounds: support non-power-of-two CONFIG_NR_CPUS)
+Cc:  <stable@vger.kernel.org>
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Rik van Riel <riel@surriel.com>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bounds.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/bounds.c
++++ b/kernel/bounds.c
+@@ -19,7 +19,7 @@ int main(void)
+ 	DEFINE(NR_PAGEFLAGS, __NR_PAGEFLAGS);
+ 	DEFINE(MAX_NR_ZONES, __MAX_NR_ZONES);
+ #ifdef CONFIG_SMP
+-	DEFINE(NR_CPUS_BITS, bits_per(CONFIG_NR_CPUS));
++	DEFINE(NR_CPUS_BITS, order_base_2(CONFIG_NR_CPUS));
+ #endif
+ 	DEFINE(SPINLOCK_SIZE, sizeof(spinlock_t));
+ #ifdef CONFIG_LRU_GEN
diff --git a/queue-6.6/macsec-detect-if-rx-skb-is-macsec-related-for-offloading-devices-that-update-md_dst.patch b/queue-6.6/macsec-detect-if-rx-skb-is-macsec-related-for-offloading-devices-that-update-md_dst.patch
new file mode 100644
index 0000000000..df4b5ad324
--- /dev/null
+++ b/queue-6.6/macsec-detect-if-rx-skb-is-macsec-related-for-offloading-devices-that-update-md_dst.patch
@@ -0,0 +1,116 @@
+From stable+bounces-41778-greg=kroah.com@vger.kernel.org Tue Apr 30 02:44:05 2024
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Date: Mon, 29 Apr 2024 17:43:04 -0700
+Subject: macsec: Detect if Rx skb is macsec-related for offloading devices that update md_dst
+To: stable@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, bpoirier@nvidia.com, cratiu@nvidia.com, kuba@kernel.org, sd@queasysnail.net, Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Message-ID: <20240430004312.299070-4-rrameshbabu@nvidia.com>
+
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+
+commit 642c984dd0e37dbaec9f87bd1211e5fac1f142bf upstream.
+
+Can now correctly identify where the packets should be delivered by using
+md_dst or its absence on devices that provide it.
+
+This detection is not possible without device drivers that update md_dst. A
+fallback pattern should be used for supporting such device drivers. This
+fallback mode causes multicast messages to be cloned to both the non-macsec
+and macsec ports, independent of whether the multicast message received was
+encrypted over MACsec or not. Other non-macsec traffic may also fail to be
+handled correctly for devices in promiscuous mode.
+
+Link: https://lore.kernel.org/netdev/ZULRxX9eIbFiVi7v@hog/
+Cc: Sabrina Dubroca <sd@queasysnail.net>
+Cc: stable@vger.kernel.org
+Fixes: 860ead89b851 ("net/macsec: Add MACsec skb_metadata_dst Rx Data path support")
+Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Reviewed-by: Benjamin Poirier <bpoirier@nvidia.com>
+Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://lore.kernel.org/r/20240423181319.115860-4-rrameshbabu@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c |   46 ++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 36 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -996,10 +996,12 @@ static enum rx_handler_result handle_not
+ 	struct metadata_dst *md_dst;
+ 	struct macsec_rxh_data *rxd;
+ 	struct macsec_dev *macsec;
++	bool is_macsec_md_dst;
+ 
+ 	rcu_read_lock();
+ 	rxd = macsec_data_rcu(skb->dev);
+ 	md_dst = skb_metadata_dst(skb);
++	is_macsec_md_dst = md_dst && md_dst->type == METADATA_MACSEC;
+ 
+ 	list_for_each_entry_rcu(macsec, &rxd->secys, secys) {
+ 		struct sk_buff *nskb;
+@@ -1010,14 +1012,42 @@ static enum rx_handler_result handle_not
+ 		 * the SecTAG, so we have to deduce which port to deliver to.
+ 		 */
+ 		if (macsec_is_offloaded(macsec) && netif_running(ndev)) {
+-			struct macsec_rx_sc *rx_sc = NULL;
++			const struct macsec_ops *ops;
+ 
+-			if (md_dst && md_dst->type == METADATA_MACSEC)
+-				rx_sc = find_rx_sc(&macsec->secy, md_dst->u.macsec_info.sci);
++			ops = macsec_get_ops(macsec, NULL);
+ 
+-			if (md_dst && md_dst->type == METADATA_MACSEC && !rx_sc)
++			if (ops->rx_uses_md_dst && !is_macsec_md_dst)
+ 				continue;
+ 
++			if (is_macsec_md_dst) {
++				struct macsec_rx_sc *rx_sc;
++
++				/* All drivers that implement MACsec offload
++				 * support using skb metadata destinations must
++				 * indicate that they do so.
++				 */
++				DEBUG_NET_WARN_ON_ONCE(!ops->rx_uses_md_dst);
++				rx_sc = find_rx_sc(&macsec->secy,
++						   md_dst->u.macsec_info.sci);
++				if (!rx_sc)
++					continue;
++				/* device indicated macsec offload occurred */
++				skb->dev = ndev;
++				skb->pkt_type = PACKET_HOST;
++				eth_skb_pkt_type(skb, ndev);
++				ret = RX_HANDLER_ANOTHER;
++				goto out;
++			}
++
++			/* This datapath is insecure because it is unable to
++			 * enforce isolation of broadcast/multicast traffic and
++			 * unicast traffic with promiscuous mode on the macsec
++			 * netdev. Since the core stack has no mechanism to
++			 * check that the hardware did indeed receive MACsec
++			 * traffic, it is possible that the response handling
++			 * done by the MACsec port was to a plaintext packet.
++			 * This violates the MACsec protocol standard.
++			 */
+ 			if (ether_addr_equal_64bits(hdr->h_dest,
+ 						    ndev->dev_addr)) {
+ 				/* exact match, divert skb to this port */
+@@ -1033,14 +1063,10 @@ static enum rx_handler_result handle_not
+ 					break;
+ 
+ 				nskb->dev = ndev;
+-				if (ether_addr_equal_64bits(hdr->h_dest,
+-							    ndev->broadcast))
+-					nskb->pkt_type = PACKET_BROADCAST;
+-				else
+-					nskb->pkt_type = PACKET_MULTICAST;
++				eth_skb_pkt_type(nskb, ndev);
+ 
+ 				__netif_rx(nskb);
+-			} else if (rx_sc || ndev->flags & IFF_PROMISC) {
++			} else if (ndev->flags & IFF_PROMISC) {
+ 				skb->dev = ndev;
+ 				skb->pkt_type = PACKET_HOST;
+ 				ret = RX_HANDLER_ANOTHER;
diff --git a/queue-6.6/macsec-enable-devices-to-advertise-whether-they-update-sk_buff-md_dst-during-offloads.patch b/queue-6.6/macsec-enable-devices-to-advertise-whether-they-update-sk_buff-md_dst-during-offloads.patch
new file mode 100644
index 0000000000..e5fdea4dc7
--- /dev/null
+++ b/queue-6.6/macsec-enable-devices-to-advertise-whether-they-update-sk_buff-md_dst-during-offloads.patch
@@ -0,0 +1,45 @@
+From stable+bounces-41776-greg=kroah.com@vger.kernel.org Tue Apr 30 02:44:03 2024
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Date: Mon, 29 Apr 2024 17:43:02 -0700
+Subject: macsec: Enable devices to advertise whether they update sk_buff md_dst during offloads
+To: stable@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, bpoirier@nvidia.com, cratiu@nvidia.com, kuba@kernel.org, sd@queasysnail.net, Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Message-ID: <20240430004312.299070-2-rrameshbabu@nvidia.com>
+
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+
+commit 475747a19316b08e856c666a20503e73d7ed67ed upstream.
+
+Omit rx_use_md_dst comment in upstream commit since macsec_ops is not
+documented.
+
+Cannot know whether a Rx skb missing md_dst is intended for MACsec or not
+without knowing whether the device is able to update this field during an
+offload. Assume that an offload to a MACsec device cannot support updating
+md_dst by default. Capable devices can advertise that they do indicate that
+an skb is related to a MACsec offloaded packet using the md_dst.
+
+Cc: Sabrina Dubroca <sd@queasysnail.net>
+Cc: stable@vger.kernel.org
+Fixes: 860ead89b851 ("net/macsec: Add MACsec skb_metadata_dst Rx Data path support")
+Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Reviewed-by: Benjamin Poirier <bpoirier@nvidia.com>
+Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://lore.kernel.org/r/20240423181319.115860-2-rrameshbabu@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/macsec.h |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/net/macsec.h
++++ b/include/net/macsec.h
+@@ -303,6 +303,7 @@ struct macsec_ops {
+ 	int (*mdo_get_tx_sa_stats)(struct macsec_context *ctx);
+ 	int (*mdo_get_rx_sc_stats)(struct macsec_context *ctx);
+ 	int (*mdo_get_rx_sa_stats)(struct macsec_context *ctx);
++	bool rx_uses_md_dst;
+ };
+ 
+ void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa);
diff --git a/queue-6.6/net-mlx5e-advertise-mlx5-ethernet-driver-updates-sk_buff-md_dst-for-macsec.patch b/queue-6.6/net-mlx5e-advertise-mlx5-ethernet-driver-updates-sk_buff-md_dst-for-macsec.patch
new file mode 100644
index 0000000000..45b085ad2c
--- /dev/null
+++ b/queue-6.6/net-mlx5e-advertise-mlx5-ethernet-driver-updates-sk_buff-md_dst-for-macsec.patch
@@ -0,0 +1,40 @@
+From stable+bounces-41777-greg=kroah.com@vger.kernel.org Tue Apr 30 02:44:04 2024
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Date: Mon, 29 Apr 2024 17:43:05 -0700
+Subject: net/mlx5e: Advertise mlx5 ethernet driver updates sk_buff md_dst for MACsec
+To: stable@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, bpoirier@nvidia.com, cratiu@nvidia.com, kuba@kernel.org, sd@queasysnail.net, Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Message-ID: <20240430004312.299070-5-rrameshbabu@nvidia.com>
+
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+
+commit 39d26a8f2efcb8b5665fe7d54a7dba306a8f1dff upstream.
+
+mlx5 Rx flow steering and CQE handling enable the driver to be able to
+update an skb's md_dst attribute as MACsec when MACsec traffic arrives when
+a device is configured for offloading. Advertise this to the core stack to
+take advantage of this capability.
+
+Cc: stable@vger.kernel.org
+Fixes: b7c9400cbc48 ("net/mlx5e: Implement MACsec Rx data path using MACsec skb_metadata_dst")
+Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Reviewed-by: Benjamin Poirier <bpoirier@nvidia.com>
+Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://lore.kernel.org/r/20240423181319.115860-5-rrameshbabu@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
+@@ -1640,6 +1640,7 @@ static const struct macsec_ops macsec_of
+ 	.mdo_add_secy = mlx5e_macsec_add_secy,
+ 	.mdo_upd_secy = mlx5e_macsec_upd_secy,
+ 	.mdo_del_secy = mlx5e_macsec_del_secy,
++	.rx_uses_md_dst = true,
+ };
+ 
+ bool mlx5e_macsec_handle_tx_skb(struct mlx5e_macsec *macsec, struct sk_buff *skb)
diff --git a/queue-6.6/ovl-fix-memory-leak-in-ovl_parse_param.patch b/queue-6.6/ovl-fix-memory-leak-in-ovl_parse_param.patch
new file mode 100644
index 0000000000..f76e065588
--- /dev/null
+++ b/queue-6.6/ovl-fix-memory-leak-in-ovl_parse_param.patch
@@ -0,0 +1,73 @@
+From 37f32f52643869131ec01bb69bdf9f404f6109fb Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Sun, 12 Nov 2023 10:11:25 +0200
+Subject: ovl: fix memory leak in ovl_parse_param()
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 37f32f52643869131ec01bb69bdf9f404f6109fb upstream.
+
+On failure to parse parameters in ovl_parse_param_lowerdir(), it is
+necessary to update ctx->nr with the correct nr before using
+ovl_reset_lowerdirs() to release l->name.
+
+Reported-and-tested-by: syzbot+26eedf3631650972f17c@syzkaller.appspotmail.com
+Fixes: c835110b588a ("ovl: remove unused code in lowerdir param parsing")
+Co-authored-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/overlayfs/params.c |   11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/fs/overlayfs/params.c
++++ b/fs/overlayfs/params.c
+@@ -438,7 +438,7 @@ static int ovl_parse_param_lowerdir(cons
+ 	struct ovl_fs_context *ctx = fc->fs_private;
+ 	struct ovl_fs_context_layer *l;
+ 	char *dup = NULL, *iter;
+-	ssize_t nr_lower = 0, nr = 0, nr_data = 0;
++	ssize_t nr_lower, nr;
+ 	bool data_layer = false;
+ 
+ 	/*
+@@ -490,6 +490,7 @@ static int ovl_parse_param_lowerdir(cons
+ 	iter = dup;
+ 	l = ctx->lower;
+ 	for (nr = 0; nr < nr_lower; nr++, l++) {
++		ctx->nr++;
+ 		memset(l, 0, sizeof(*l));
+ 
+ 		err = ovl_mount_dir(iter, &l->path);
+@@ -506,10 +507,10 @@ static int ovl_parse_param_lowerdir(cons
+ 			goto out_put;
+ 
+ 		if (data_layer)
+-			nr_data++;
++			ctx->nr_data++;
+ 
+ 		/* Calling strchr() again would overrun. */
+-		if ((nr + 1) == nr_lower)
++		if (ctx->nr == nr_lower)
+ 			break;
+ 
+ 		err = -EINVAL;
+@@ -519,7 +520,7 @@ static int ovl_parse_param_lowerdir(cons
+ 			 * This is a regular layer so we require that
+ 			 * there are no data layers.
+ 			 */
+-			if ((ctx->nr_data + nr_data) > 0) {
++			if (ctx->nr_data > 0) {
+ 				pr_err("regular lower layers cannot follow data lower layers");
+ 				goto out_put;
+ 			}
+@@ -532,8 +533,6 @@ static int ovl_parse_param_lowerdir(cons
+ 		data_layer = true;
+ 		iter++;
+ 	}
+-	ctx->nr = nr_lower;
+-	ctx->nr_data += nr_data;
+ 	kfree(dup);
+ 	return 0;
+ 
diff --git a/queue-6.6/phy-qcom-qmp-combo-fix-vco-div-offset-on-v5_5nm-and-v6.patch b/queue-6.6/phy-qcom-qmp-combo-fix-vco-div-offset-on-v5_5nm-and-v6.patch
new file mode 100644
index 0000000000..6042eb3722
--- /dev/null
+++ b/queue-6.6/phy-qcom-qmp-combo-fix-vco-div-offset-on-v5_5nm-and-v6.patch
@@ -0,0 +1,68 @@
+From 025a6f7448f7bb5f4fceb62498ee33d89ae266bb Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Mon, 8 Apr 2024 11:30:23 +0200
+Subject: phy: qcom: qmp-combo: fix VCO div offset on v5_5nm and v6
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 025a6f7448f7bb5f4fceb62498ee33d89ae266bb upstream.
+
+Commit 5abed58a8bde ("phy: qcom: qmp-combo: Fix VCO div offset on v3")
+fixed a regression introduced in 6.5 by making sure that the correct
+offset is used for the DP_PHY_VCO_DIV register on v3 hardware.
+
+Unfortunately, that fix instead broke DisplayPort on v5_5nm and v6
+hardware as it failed to add the corresponding offsets also to those
+register tables.
+
+Fixes: 815891eee668 ("phy: qcom-qmp-combo: Introduce orientation variable")
+Fixes: 5abed58a8bde ("phy: qcom: qmp-combo: Fix VCO div offset on v3")
+Cc: stable@vger.kernel.org	# 6.5: 5abed58a8bde
+Cc: Stephen Boyd <swboyd@chromium.org>
+Cc: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Link: https://lore.kernel.org/r/20240408093023.506-1-johan+linaro@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-combo.c |    2 ++
+ drivers/phy/qualcomm/phy-qcom-qmp.h       |    2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
+@@ -188,6 +188,7 @@ static const unsigned int qmp_v5_5nm_usb
+ 	[QPHY_COM_BIAS_EN_CLKBUFLR_EN]	= QSERDES_V5_COM_BIAS_EN_CLKBUFLR_EN,
+ 
+ 	[QPHY_DP_PHY_STATUS]		= QSERDES_V5_DP_PHY_STATUS,
++	[QPHY_DP_PHY_VCO_DIV]		= QSERDES_V5_DP_PHY_VCO_DIV,
+ 
+ 	[QPHY_TX_TX_POL_INV]		= QSERDES_V5_5NM_TX_TX_POL_INV,
+ 	[QPHY_TX_TX_DRV_LVL]		= QSERDES_V5_5NM_TX_TX_DRV_LVL,
+@@ -212,6 +213,7 @@ static const unsigned int qmp_v6_usb3phy
+ 	[QPHY_COM_BIAS_EN_CLKBUFLR_EN]	= QSERDES_V6_COM_PLL_BIAS_EN_CLK_BUFLR_EN,
+ 
+ 	[QPHY_DP_PHY_STATUS]		= QSERDES_V6_DP_PHY_STATUS,
++	[QPHY_DP_PHY_VCO_DIV]		= QSERDES_V6_DP_PHY_VCO_DIV,
+ 
+ 	[QPHY_TX_TX_POL_INV]		= QSERDES_V6_TX_TX_POL_INV,
+ 	[QPHY_TX_TX_DRV_LVL]		= QSERDES_V6_TX_TX_DRV_LVL,
+--- a/drivers/phy/qualcomm/phy-qcom-qmp.h
++++ b/drivers/phy/qualcomm/phy-qcom-qmp.h
+@@ -134,9 +134,11 @@
+ #define QPHY_V4_PCS_MISC_TYPEC_STATUS			0x10
+ #define QPHY_V4_PCS_MISC_PLACEHOLDER_STATUS		0x14
+ 
++#define QSERDES_V5_DP_PHY_VCO_DIV			0x070
+ #define QSERDES_V5_DP_PHY_STATUS			0x0dc
+ 
+ /* Only for QMP V6 PHY - DP PHY registers */
++#define QSERDES_V6_DP_PHY_VCO_DIV			0x070
+ #define QSERDES_V6_DP_PHY_AUX_INTERRUPT_STATUS		0x0e0
+ #define QSERDES_V6_DP_PHY_STATUS			0x0e4
+ 
diff --git a/queue-6.6/revert-riscv-kdump-fix-crashkernel-reserving-problem-on-risc-v.patch b/queue-6.6/revert-riscv-kdump-fix-crashkernel-reserving-problem-on-risc-v.patch
new file mode 100644
index 0000000000..cdcd418b17
--- /dev/null
+++ b/queue-6.6/revert-riscv-kdump-fix-crashkernel-reserving-problem-on-risc-v.patch
@@ -0,0 +1,57 @@
+From xingmingzheng@iscas.ac.cn  Tue Apr 30 09:53:50 2024
+From: Mingzheng Xing <xingmingzheng@iscas.ac.cn>
+Date: Tue, 30 Apr 2024 11:24:03 +0800
+Subject: Revert "riscv: kdump: fix crashkernel reserving problem on RISC-V"
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org
+Cc: Baoquan He <bhe@redhat.com>, Mingzheng Xing <xingmingzheng@iscas.ac.cn>, Chen Jiahao <chenjiahao16@huawei.com>
+Message-ID: <20240430032403.19562-1-xingmingzheng@iscas.ac.cn>
+
+From: Mingzheng Xing <xingmingzheng@iscas.ac.cn>
+
+This reverts commit 1d6cd2146c2b58bc91266db1d5d6a5f9632e14c0 which was
+mistakenly added into v6.6.y and the commit corresponding to the 'Fixes:'
+tag is invalid. For more information, see link [1].
+
+This will result in the loss of Crashkernel data in /proc/iomem, and kdump
+failed:
+
+```
+Memory for crashkernel is not reserved
+Please reserve memory by passing"crashkernel=Y@X" parameter to kernel
+Then try to loading kdump kernel
+```
+
+After revert, kdump works fine. Tested on QEMU riscv.
+
+Link: https://lore.kernel.org/linux-riscv/ZSiQRDGLZk7lpakE@MiWiFi-R3L-srv [1]
+Cc: Baoquan He <bhe@redhat.com>
+Cc: Chen Jiahao <chenjiahao16@huawei.com>
+Signed-off-by: Mingzheng Xing <xingmingzheng@iscas.ac.cn>
+Acked-by: Baoquan He <bhe@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kernel/setup.c |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/arch/riscv/kernel/setup.c
++++ b/arch/riscv/kernel/setup.c
+@@ -173,6 +173,19 @@ static void __init init_resources(void)
+ 	if (ret < 0)
+ 		goto error;
+ 
++#ifdef CONFIG_KEXEC_CORE
++	if (crashk_res.start != crashk_res.end) {
++		ret = add_resource(&iomem_resource, &crashk_res);
++		if (ret < 0)
++			goto error;
++	}
++	if (crashk_low_res.start != crashk_low_res.end) {
++		ret = add_resource(&iomem_resource, &crashk_low_res);
++		if (ret < 0)
++			goto error;
++	}
++#endif
++
+ #ifdef CONFIG_CRASH_DUMP
+ 	if (elfcorehdr_size > 0) {
+ 		elfcorehdr_res.start = elfcorehdr_addr;
diff --git a/queue-6.6/series b/queue-6.6/series
index da02179439..e6be43675e 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -177,3 +177,10 @@ sched-eevdf-always-update-v-if-se-on_rq-when-reweigh.patch
 sched-eevdf-fix-miscalculation-in-reweight_entity-wh.patch
 sched-eevdf-prevent-vlag-from-going-out-of-bounds-in.patch
 i2c-smbus-fix-null-function-pointer-dereference.patch
+phy-qcom-qmp-combo-fix-vco-div-offset-on-v5_5nm-and-v6.patch
+ovl-fix-memory-leak-in-ovl_parse_param.patch
+revert-riscv-kdump-fix-crashkernel-reserving-problem-on-risc-v.patch
+macsec-enable-devices-to-advertise-whether-they-update-sk_buff-md_dst-during-offloads.patch
+macsec-detect-if-rx-skb-is-macsec-related-for-offloading-devices-that-update-md_dst.patch
+net-mlx5e-advertise-mlx5-ethernet-driver-updates-sk_buff-md_dst-for-macsec.patch
+bounds-use-the-right-number-of-bits-for-power-of-two-config_nr_cpus.patch