Fixes for 5.4

Signed-off-by: Sasha Levin <sashal@kernel.org>

8 files changed, 715 insertions, 0 deletions

diff --git a/queue-5.4/dm-integrity-fix-out-of-range-warning.patch b/queue-5.4/dm-integrity-fix-out-of-range-warning.patch
new file mode 100644
index 0000000000..ba62749ea7
--- /dev/null
+++ b/queue-5.4/dm-integrity-fix-out-of-range-warning.patch
@@ -0,0 +1,47 @@
+From c95a4bcb7b39f8b05318780bc0df962bece964ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Mar 2024 15:30:39 +0100
+Subject: dm integrity: fix out-of-range warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 8e91c2342351e0f5ef6c0a704384a7f6fc70c3b2 ]
+
+Depending on the value of CONFIG_HZ, clang complains about a pointless
+comparison:
+
+drivers/md/dm-integrity.c:4085:12: error: result of comparison of
+                        constant 42949672950 with expression of type
+                        'unsigned int' is always false
+                        [-Werror,-Wtautological-constant-out-of-range-compare]
+                        if (val >= (uint64_t)UINT_MAX * 1000 / HZ) {
+
+As the check remains useful for other configurations, shut up the
+warning by adding a second type cast to uint64_t.
+
+Fixes: 468dfca38b1a ("dm integrity: add a bitmap mode")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Mikulas Patocka <mpatocka@redhat.com>
+Reviewed-by: Justin Stitt <justinstitt@google.com>
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-integrity.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c
+index f3246f7407d61..4b634633b4a5e 100644
+--- a/drivers/md/dm-integrity.c
++++ b/drivers/md/dm-integrity.c
+@@ -3755,7 +3755,7 @@ static int dm_integrity_ctr(struct dm_target *ti, unsigned argc, char **argv)
+ 		} else if (sscanf(opt_string, "sectors_per_bit:%llu%c", &llval, &dummy) == 1) {
+ 			log2_sectors_per_bitmap_bit = !llval ? 0 : __ilog2_u64(llval);
+ 		} else if (sscanf(opt_string, "bitmap_flush_interval:%u%c", &val, &dummy) == 1) {
+-			if (val >= (uint64_t)UINT_MAX * 1000 / HZ) {
++			if ((uint64_t)val >= (uint64_t)UINT_MAX * 1000 / HZ) {
+ 				r = -EINVAL;
+ 				ti->error = "Invalid bitmap_flush_interval argument";
+ 				goto bad;
+-- 
+2.43.0
+
diff --git a/queue-5.4/ixgbe-avoid-sleeping-allocation-in-ixgbe_ipsec_vf_ad.patch b/queue-5.4/ixgbe-avoid-sleeping-allocation-in-ixgbe_ipsec_vf_ad.patch
new file mode 100644
index 0000000000..8a0fa24b7d
--- /dev/null
+++ b/queue-5.4/ixgbe-avoid-sleeping-allocation-in-ixgbe_ipsec_vf_ad.patch
@@ -0,0 +1,75 @@
+From af643bae0299f8f1c1f9eea36caf788a0bfea3ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Mar 2024 17:02:02 +0100
+Subject: ixgbe: avoid sleeping allocation in ixgbe_ipsec_vf_add_sa()
+
+From: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+
+[ Upstream commit aec806fb4afba5fe80b09e29351379a4292baa43 ]
+
+Change kzalloc() flags used in ixgbe_ipsec_vf_add_sa() to GFP_ATOMIC, to
+avoid sleeping in IRQ context.
+
+Dan Carpenter, with the help of Smatch, has found following issue:
+The patch eda0333ac293: "ixgbe: add VF IPsec management" from Aug 13,
+2018 (linux-next), leads to the following Smatch static checker
+warning: drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c:917 ixgbe_ipsec_vf_add_sa()
+	warn: sleeping in IRQ context
+
+The call tree that Smatch is worried about is:
+ixgbe_msix_other() <- IRQ handler
+-> ixgbe_msg_task()
+   -> ixgbe_rcv_msg_from_vf()
+      -> ixgbe_ipsec_vf_add_sa()
+
+Fixes: eda0333ac293 ("ixgbe: add VF IPsec management")
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/intel-wired-lan/db31a0b0-4d9f-4e6b-aed8-88266eb5665c@moroto.mountain
+Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
+Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Shannon Nelson <shannon.nelson@amd.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
+index 5799b434165e0..bd2b0f4466c64 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
+@@ -909,7 +909,13 @@ int ixgbe_ipsec_vf_add_sa(struct ixgbe_adapter *adapter, u32 *msgbuf, u32 vf)
+ 		goto err_out;
+ 	}
+ 
+-	xs = kzalloc(sizeof(*xs), GFP_KERNEL);
++	algo = xfrm_aead_get_byname(aes_gcm_name, IXGBE_IPSEC_AUTH_BITS, 1);
++	if (unlikely(!algo)) {
++		err = -ENOENT;
++		goto err_out;
++	}
++
++	xs = kzalloc(sizeof(*xs), GFP_ATOMIC);
+ 	if (unlikely(!xs)) {
+ 		err = -ENOMEM;
+ 		goto err_out;
+@@ -925,14 +931,8 @@ int ixgbe_ipsec_vf_add_sa(struct ixgbe_adapter *adapter, u32 *msgbuf, u32 vf)
+ 		memcpy(&xs->id.daddr.a4, sam->addr, sizeof(xs->id.daddr.a4));
+ 	xs->xso.dev = adapter->netdev;
+ 
+-	algo = xfrm_aead_get_byname(aes_gcm_name, IXGBE_IPSEC_AUTH_BITS, 1);
+-	if (unlikely(!algo)) {
+-		err = -ENOENT;
+-		goto err_xs;
+-	}
+-
+ 	aead_len = sizeof(*xs->aead) + IXGBE_IPSEC_KEY_BITS / 8;
+-	xs->aead = kzalloc(aead_len, GFP_KERNEL);
++	xs->aead = kzalloc(aead_len, GFP_ATOMIC);
+ 	if (unlikely(!xs->aead)) {
+ 		err = -ENOMEM;
+ 		goto err_xs;
+-- 
+2.43.0
+
diff --git a/queue-5.4/nfc-nci-fix-uninit-value-in-nci_dev_up-and-nci_ntf_p.patch b/queue-5.4/nfc-nci-fix-uninit-value-in-nci_dev_up-and-nci_ntf_p.patch
new file mode 100644
index 0000000000..75d522663f
--- /dev/null
+++ b/queue-5.4/nfc-nci-fix-uninit-value-in-nci_dev_up-and-nci_ntf_p.patch
@@ -0,0 +1,53 @@
+From a41e9545fd4c784af0767cd6dfe6996a548d32d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Mar 2024 09:54:10 +0900
+Subject: nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet
+
+From: Ryosuke Yasuoka <ryasuoka@redhat.com>
+
+[ Upstream commit d24b03535e5eb82e025219c2f632b485409c898f ]
+
+syzbot reported the following uninit-value access issue [1][2]:
+
+nci_rx_work() parses and processes received packet. When the payload
+length is zero, each message type handler reads uninitialized payload
+and KMSAN detects this issue. The receipt of a packet with a zero-size
+payload is considered unexpected, and therefore, such packets should be
+silently discarded.
+
+This patch resolved this issue by checking payload size before calling
+each message type handler codes.
+
+Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
+Reported-and-tested-by: syzbot+7ea9413ea6749baf5574@syzkaller.appspotmail.com
+Reported-and-tested-by: syzbot+29b5ca705d2e0f4a44d2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=7ea9413ea6749baf5574 [1]
+Closes: https://syzkaller.appspot.com/bug?extid=29b5ca705d2e0f4a44d2 [2]
+Signed-off-by: Ryosuke Yasuoka <ryasuoka@redhat.com>
+Reviewed-by: Jeremy Cline <jeremy@jcline.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/nci/core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
+index cb2193dec7129..701c3752bda09 100644
+--- a/net/nfc/nci/core.c
++++ b/net/nfc/nci/core.c
+@@ -1499,6 +1499,11 @@ static void nci_rx_work(struct work_struct *work)
+ 		nfc_send_to_raw_sock(ndev->nfc_dev, skb,
+ 				     RAW_PAYLOAD_NCI, NFC_DIRECTION_RX);
+ 
++		if (!nci_plen(skb->data)) {
++			kfree_skb(skb);
++			break;
++		}
++
+ 		/* Process frame */
+ 		switch (nci_mt(skb->data)) {
+ 		case NCI_MT_RSP_PKT:
+-- 
+2.43.0
+
diff --git a/queue-5.4/scsi-libsas-add-a-helper-sas_get_sas_addr_and_dev_ty.patch b/queue-5.4/scsi-libsas-add-a-helper-sas_get_sas_addr_and_dev_ty.patch
new file mode 100644
index 0000000000..cd53ae1825
--- /dev/null
+++ b/queue-5.4/scsi-libsas-add-a-helper-sas_get_sas_addr_and_dev_ty.patch
@@ -0,0 +1,62 @@
+From ef0d8f9db4d00b22a968c7a95002183fccb8728e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Mar 2024 14:14:12 +0000
+Subject: scsi: libsas: Add a helper sas_get_sas_addr_and_dev_type()
+
+From: Xingui Yang <yangxingui@huawei.com>
+
+[ Upstream commit a57345279fd311ba679b8083feb0eec5272c7729 ]
+
+Add a helper to get attached_sas_addr and device type from disc_resp.
+
+Suggested-by: John Garry <john.g.garry@oracle.com>
+Signed-off-by: Xingui Yang <yangxingui@huawei.com>
+Link: https://lore.kernel.org/r/20240307141413.48049-2-yangxingui@huawei.com
+Reviewed-by: John Garry <john.g.garry@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Stable-dep-of: 8e68a458bcf5 ("scsi: libsas: Fix disk not being scanned in after being removed")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libsas/sas_expander.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
+index 09a78db60ac55..91902799b7352 100644
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -1672,6 +1672,16 @@ int sas_discover_root_expander(struct domain_device *dev)
+ 
+ /* ---------- Domain revalidation ---------- */
+ 
++static void sas_get_sas_addr_and_dev_type(struct smp_disc_resp *disc_resp,
++					  u8 *sas_addr,
++					  enum sas_device_type *type)
++{
++	memcpy(sas_addr, disc_resp->disc.attached_sas_addr, SAS_ADDR_SIZE);
++	*type = to_dev_type(&disc_resp->disc);
++	if (*type == SAS_PHY_UNUSED)
++		memset(sas_addr, 0, SAS_ADDR_SIZE);
++}
++
+ static int sas_get_phy_discover(struct domain_device *dev,
+ 				int phy_id, struct smp_disc_resp *disc_resp)
+ {
+@@ -1725,13 +1735,8 @@ static int sas_get_phy_attached_dev(struct domain_device *dev, int phy_id,
+ 		return -ENOMEM;
+ 
+ 	res = sas_get_phy_discover(dev, phy_id, disc_resp);
+-	if (res == 0) {
+-		memcpy(sas_addr, disc_resp->disc.attached_sas_addr,
+-		       SAS_ADDR_SIZE);
+-		*type = to_dev_type(&disc_resp->disc);
+-		if (*type == 0)
+-			memset(sas_addr, 0, SAS_ADDR_SIZE);
+-	}
++	if (res == 0)
++		sas_get_sas_addr_and_dev_type(disc_resp, sas_addr, type);
+ 	kfree(disc_resp);
+ 	return res;
+ }
+-- 
+2.43.0
+
diff --git a/queue-5.4/scsi-libsas-fix-disk-not-being-scanned-in-after-bein.patch b/queue-5.4/scsi-libsas-fix-disk-not-being-scanned-in-after-bein.patch
new file mode 100644
index 0000000000..727198440c
--- /dev/null
+++ b/queue-5.4/scsi-libsas-fix-disk-not-being-scanned-in-after-bein.patch
@@ -0,0 +1,116 @@
+From 4f65b7d8406529393017ab6273d143b5aee829ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Mar 2024 14:14:13 +0000
+Subject: scsi: libsas: Fix disk not being scanned in after being removed
+
+From: Xingui Yang <yangxingui@huawei.com>
+
+[ Upstream commit 8e68a458bcf5b5cb9c3624598bae28f08251601f ]
+
+As of commit d8649fc1c5e4 ("scsi: libsas: Do discovery on empty PHY to
+update PHY info"), do discovery will send a new SMP_DISCOVER and update
+phy->phy_change_count. We found that if the disk is reconnected and phy
+change_count changes at this time, the disk scanning process will not be
+triggered.
+
+Therefore, call sas_set_ex_phy() to update the PHY info with the results of
+the last query. And because the previous phy info will be used when calling
+sas_unregister_devs_sas_addr(), sas_unregister_devs_sas_addr() should be
+called before sas_set_ex_phy().
+
+Fixes: d8649fc1c5e4 ("scsi: libsas: Do discovery on empty PHY to update PHY info")
+Signed-off-by: Xingui Yang <yangxingui@huawei.com>
+Link: https://lore.kernel.org/r/20240307141413.48049-3-yangxingui@huawei.com
+Reviewed-by: John Garry <john.g.garry@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libsas/sas_expander.c | 32 ++++++++++++++++++++----------
+ 1 file changed, 22 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
+index 91902799b7352..cf1df38a189c5 100644
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -1998,6 +1998,7 @@ static int sas_rediscover_dev(struct domain_device *dev, int phy_id,
+ 	struct expander_device *ex = &dev->ex_dev;
+ 	struct ex_phy *phy = &ex->ex_phy[phy_id];
+ 	enum sas_device_type type = SAS_PHY_UNUSED;
++	struct smp_disc_resp *disc_resp;
+ 	u8 sas_addr[SAS_ADDR_SIZE];
+ 	char msg[80] = "";
+ 	int res;
+@@ -2009,33 +2010,41 @@ static int sas_rediscover_dev(struct domain_device *dev, int phy_id,
+ 		 SAS_ADDR(dev->sas_addr), phy_id, msg);
+ 
+ 	memset(sas_addr, 0, SAS_ADDR_SIZE);
+-	res = sas_get_phy_attached_dev(dev, phy_id, sas_addr, &type);
++	disc_resp = alloc_smp_resp(DISCOVER_RESP_SIZE);
++	if (!disc_resp)
++		return -ENOMEM;
++
++	res = sas_get_phy_discover(dev, phy_id, disc_resp);
+ 	switch (res) {
+ 	case SMP_RESP_NO_PHY:
+ 		phy->phy_state = PHY_NOT_PRESENT;
+ 		sas_unregister_devs_sas_addr(dev, phy_id, last);
+-		return res;
++		goto out_free_resp;
+ 	case SMP_RESP_PHY_VACANT:
+ 		phy->phy_state = PHY_VACANT;
+ 		sas_unregister_devs_sas_addr(dev, phy_id, last);
+-		return res;
++		goto out_free_resp;
+ 	case SMP_RESP_FUNC_ACC:
+ 		break;
+ 	case -ECOMM:
+ 		break;
+ 	default:
+-		return res;
++		goto out_free_resp;
+ 	}
+ 
++	if (res == 0)
++		sas_get_sas_addr_and_dev_type(disc_resp, sas_addr, &type);
++
+ 	if ((SAS_ADDR(sas_addr) == 0) || (res == -ECOMM)) {
+ 		phy->phy_state = PHY_EMPTY;
+ 		sas_unregister_devs_sas_addr(dev, phy_id, last);
+ 		/*
+-		 * Even though the PHY is empty, for convenience we discover
+-		 * the PHY to update the PHY info, like negotiated linkrate.
++		 * Even though the PHY is empty, for convenience we update
++		 * the PHY info, like negotiated linkrate.
+ 		 */
+-		sas_ex_phy_discover(dev, phy_id);
+-		return res;
++		if (res == 0)
++			sas_set_ex_phy(dev, phy_id, disc_resp);
++		goto out_free_resp;
+ 	} else if (SAS_ADDR(sas_addr) == SAS_ADDR(phy->attached_sas_addr) &&
+ 		   dev_type_flutter(type, phy->attached_dev_type)) {
+ 		struct domain_device *ata_dev = sas_ex_to_ata(dev, phy_id);
+@@ -2047,7 +2056,7 @@ static int sas_rediscover_dev(struct domain_device *dev, int phy_id,
+ 			action = ", needs recovery";
+ 		pr_debug("ex %016llx phy%02d broadcast flutter%s\n",
+ 			 SAS_ADDR(dev->sas_addr), phy_id, action);
+-		return res;
++		goto out_free_resp;
+ 	}
+ 
+ 	/* we always have to delete the old device when we went here */
+@@ -2056,7 +2065,10 @@ static int sas_rediscover_dev(struct domain_device *dev, int phy_id,
+ 		SAS_ADDR(phy->attached_sas_addr));
+ 	sas_unregister_devs_sas_addr(dev, phy_id, last);
+ 
+-	return sas_discover_new(dev, phy_id);
++	res = sas_discover_new(dev, phy_id);
++out_free_resp:
++	kfree(disc_resp);
++	return res;
+ }
+ 
+ /**
+-- 
+2.43.0
+
diff --git a/queue-5.4/scsi-libsas-introduce-struct-smp_disc_resp.patch b/queue-5.4/scsi-libsas-introduce-struct-smp_disc_resp.patch
new file mode 100644
index 0000000000..43c0d748f0
--- /dev/null
+++ b/queue-5.4/scsi-libsas-introduce-struct-smp_disc_resp.patch
@@ -0,0 +1,217 @@
+From 7d999ec184189bfbd157a086f5e863bc7cff1439 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Jun 2022 11:24:54 +0900
+Subject: scsi: libsas: Introduce struct smp_disc_resp
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+
+[ Upstream commit c3752f44604f3bc4f3ce6e169fa32d16943ff70b ]
+
+When compiling with gcc 12, several warnings are thrown by gcc when
+compiling drivers/scsi/libsas/sas_expander.c, e.g.:
+
+In function ‘sas_get_phy_change_count’,
+    inlined from ‘sas_find_bcast_phy.constprop’ at
+drivers/scsi/libsas/sas_expander.c:1737:9:
+drivers/scsi/libsas/sas_expander.c:1697:39: warning: array subscript
+‘struct smp_resp[0]’ is partly outside array bounds of ‘unsigned
+char[56]’ [-Warray-bounds]
+ 1697 |                 *pcc = disc_resp->disc.change_count;
+      |                        ~~~~~~~~~~~~~~~^~~~~~~~~~~~~
+
+This is due to the use of the struct smp_resp to aggregate all possible
+response types using a union but allocating a response buffer with a size
+exactly equal to the size of the response type needed. This leads to access
+to fields of struct smp_resp from an allocated memory area that is smaller
+than the size of struct smp_resp.
+
+Fix this by defining struct smp_disc_resp for sas discovery operations.
+Since this structure and the generic struct smp_resp are identical for
+the little endian and big endian archs, move the definition of these
+structures at the end of include/scsi/sas.h to avoid repeating their
+definition.
+
+Link: https://lore.kernel.org/r/20220609022456.409087-2-damien.lemoal@opensource.wdc.com
+Reviewed-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Stable-dep-of: 8e68a458bcf5 ("scsi: libsas: Fix disk not being scanned in after being removed")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libsas/sas_expander.c | 32 +++++++++++++-----------------
+ include/scsi/sas.h                 | 28 +++++++++++---------------
+ 2 files changed, 26 insertions(+), 34 deletions(-)
+
+diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
+index 173f91ae38f02..09a78db60ac55 100644
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -192,13 +192,13 @@ static enum sas_device_type to_dev_type(struct discover_resp *dr)
+ 		return dr->attached_dev_type;
+ }
+ 
+-static void sas_set_ex_phy(struct domain_device *dev, int phy_id, void *rsp)
++static void sas_set_ex_phy(struct domain_device *dev, int phy_id,
++			   struct smp_disc_resp *disc_resp)
+ {
+ 	enum sas_device_type dev_type;
+ 	enum sas_linkrate linkrate;
+ 	u8 sas_addr[SAS_ADDR_SIZE];
+-	struct smp_resp *resp = rsp;
+-	struct discover_resp *dr = &resp->disc;
++	struct discover_resp *dr = &disc_resp->disc;
+ 	struct sas_ha_struct *ha = dev->port->ha;
+ 	struct expander_device *ex = &dev->ex_dev;
+ 	struct ex_phy *phy = &ex->ex_phy[phy_id];
+@@ -215,7 +215,7 @@ static void sas_set_ex_phy(struct domain_device *dev, int phy_id, void *rsp)
+ 		BUG_ON(!phy->phy);
+ 	}
+ 
+-	switch (resp->result) {
++	switch (disc_resp->result) {
+ 	case SMP_RESP_PHY_VACANT:
+ 		phy->phy_state = PHY_VACANT;
+ 		break;
+@@ -364,12 +364,13 @@ struct domain_device *sas_ex_to_ata(struct domain_device *ex_dev, int phy_id)
+ }
+ 
+ #define DISCOVER_REQ_SIZE  16
+-#define DISCOVER_RESP_SIZE 56
++#define DISCOVER_RESP_SIZE sizeof(struct smp_disc_resp)
+ 
+ static int sas_ex_phy_discover_helper(struct domain_device *dev, u8 *disc_req,
+-				      u8 *disc_resp, int single)
++				      struct smp_disc_resp *disc_resp,
++				      int single)
+ {
+-	struct discover_resp *dr;
++	struct discover_resp *dr = &disc_resp->disc;
+ 	int res;
+ 
+ 	disc_req[9] = single;
+@@ -378,7 +379,6 @@ static int sas_ex_phy_discover_helper(struct domain_device *dev, u8 *disc_req,
+ 			       disc_resp, DISCOVER_RESP_SIZE);
+ 	if (res)
+ 		return res;
+-	dr = &((struct smp_resp *)disc_resp)->disc;
+ 	if (memcmp(dev->sas_addr, dr->attached_sas_addr, SAS_ADDR_SIZE) == 0) {
+ 		pr_notice("Found loopback topology, just ignore it!\n");
+ 		return 0;
+@@ -392,7 +392,7 @@ int sas_ex_phy_discover(struct domain_device *dev, int single)
+ 	struct expander_device *ex = &dev->ex_dev;
+ 	int  res = 0;
+ 	u8   *disc_req;
+-	u8   *disc_resp;
++	struct smp_disc_resp *disc_resp;
+ 
+ 	disc_req = alloc_smp_req(DISCOVER_REQ_SIZE);
+ 	if (!disc_req)
+@@ -1673,7 +1673,7 @@ int sas_discover_root_expander(struct domain_device *dev)
+ /* ---------- Domain revalidation ---------- */
+ 
+ static int sas_get_phy_discover(struct domain_device *dev,
+-				int phy_id, struct smp_resp *disc_resp)
++				int phy_id, struct smp_disc_resp *disc_resp)
+ {
+ 	int res;
+ 	u8 *disc_req;
+@@ -1689,10 +1689,8 @@ static int sas_get_phy_discover(struct domain_device *dev,
+ 			       disc_resp, DISCOVER_RESP_SIZE);
+ 	if (res)
+ 		goto out;
+-	else if (disc_resp->result != SMP_RESP_FUNC_ACC) {
++	if (disc_resp->result != SMP_RESP_FUNC_ACC)
+ 		res = disc_resp->result;
+-		goto out;
+-	}
+ out:
+ 	kfree(disc_req);
+ 	return res;
+@@ -1702,7 +1700,7 @@ static int sas_get_phy_change_count(struct domain_device *dev,
+ 				    int phy_id, int *pcc)
+ {
+ 	int res;
+-	struct smp_resp *disc_resp;
++	struct smp_disc_resp *disc_resp;
+ 
+ 	disc_resp = alloc_smp_resp(DISCOVER_RESP_SIZE);
+ 	if (!disc_resp)
+@@ -1720,19 +1718,17 @@ static int sas_get_phy_attached_dev(struct domain_device *dev, int phy_id,
+ 				    u8 *sas_addr, enum sas_device_type *type)
+ {
+ 	int res;
+-	struct smp_resp *disc_resp;
+-	struct discover_resp *dr;
++	struct smp_disc_resp *disc_resp;
+ 
+ 	disc_resp = alloc_smp_resp(DISCOVER_RESP_SIZE);
+ 	if (!disc_resp)
+ 		return -ENOMEM;
+-	dr = &disc_resp->disc;
+ 
+ 	res = sas_get_phy_discover(dev, phy_id, disc_resp);
+ 	if (res == 0) {
+ 		memcpy(sas_addr, disc_resp->disc.attached_sas_addr,
+ 		       SAS_ADDR_SIZE);
+-		*type = to_dev_type(dr);
++		*type = to_dev_type(&disc_resp->disc);
+ 		if (*type == 0)
+ 			memset(sas_addr, 0, SAS_ADDR_SIZE);
+ 	}
+diff --git a/include/scsi/sas.h b/include/scsi/sas.h
+index a5d8ae49198cb..d9a09ca957594 100644
+--- a/include/scsi/sas.h
++++ b/include/scsi/sas.h
+@@ -460,18 +460,6 @@ struct report_phy_sata_resp {
+ 	__be32 crc;
+ } __attribute__ ((packed));
+ 
+-struct smp_resp {
+-	u8    frame_type;
+-	u8    function;
+-	u8    result;
+-	u8    reserved;
+-	union {
+-		struct report_general_resp  rg;
+-		struct discover_resp        disc;
+-		struct report_phy_sata_resp rps;
+-	};
+-} __attribute__ ((packed));
+-
+ #elif defined(__BIG_ENDIAN_BITFIELD)
+ struct sas_identify_frame {
+ 	/* Byte 0 */
+@@ -691,6 +679,18 @@ struct report_phy_sata_resp {
+ 	__be32 crc;
+ } __attribute__ ((packed));
+ 
++#else
++#error "Bitfield order not defined!"
++#endif
++
++struct smp_disc_resp {
++	u8    frame_type;
++	u8    function;
++	u8    result;
++	u8    reserved;
++	struct discover_resp disc;
++} __attribute__ ((packed));
++
+ struct smp_resp {
+ 	u8    frame_type;
+ 	u8    function;
+@@ -703,8 +703,4 @@ struct smp_resp {
+ 	};
+ } __attribute__ ((packed));
+ 
+-#else
+-#error "Bitfield order not defined!"
+-#endif
+-
+ #endif /* _SAS_H_ */
+-- 
+2.43.0
+
diff --git a/queue-5.4/series b/queue-5.4/series
index f3c6022f54..fcd14c0326 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -126,3 +126,10 @@ scsi-qla2xxx-fix-command-flush-on-cable-pull.patch
 x86-cpu-enable-stibp-on-amd-if-automatic-ibrs-is-enabled.patch
 scsi-lpfc-correct-size-for-wqe-for-memset.patch
 usb-core-fix-deadlock-in-usb_deauthorize_interface.patch
+scsi-libsas-introduce-struct-smp_disc_resp.patch
+scsi-libsas-add-a-helper-sas_get_sas_addr_and_dev_ty.patch
+scsi-libsas-fix-disk-not-being-scanned-in-after-bein.patch
+nfc-nci-fix-uninit-value-in-nci_dev_up-and-nci_ntf_p.patch
+ixgbe-avoid-sleeping-allocation-in-ixgbe_ipsec_vf_ad.patch
+tcp-properly-terminate-timers-for-kernel-sockets.patch
+dm-integrity-fix-out-of-range-warning.patch
diff --git a/queue-5.4/tcp-properly-terminate-timers-for-kernel-sockets.patch b/queue-5.4/tcp-properly-terminate-timers-for-kernel-sockets.patch
new file mode 100644
index 0000000000..2a6fc69669
--- /dev/null
+++ b/queue-5.4/tcp-properly-terminate-timers-for-kernel-sockets.patch
@@ -0,0 +1,138 @@
+From 73d3fdae1c00ffcdda8e12c222100df6f5980d83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Mar 2024 13:57:32 +0000
+Subject: tcp: properly terminate timers for kernel sockets
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada ]
+
+We had various syzbot reports about tcp timers firing after
+the corresponding netns has been dismantled.
+
+Fortunately Josef Bacik could trigger the issue more often,
+and could test a patch I wrote two years ago.
+
+When TCP sockets are closed, we call inet_csk_clear_xmit_timers()
+to 'stop' the timers.
+
+inet_csk_clear_xmit_timers() can be called from any context,
+including when socket lock is held.
+This is the reason it uses sk_stop_timer(), aka del_timer().
+This means that ongoing timers might finish much later.
+
+For user sockets, this is fine because each running timer
+holds a reference on the socket, and the user socket holds
+a reference on the netns.
+
+For kernel sockets, we risk that the netns is freed before
+timer can complete, because kernel sockets do not hold
+reference on the netns.
+
+This patch adds inet_csk_clear_xmit_timers_sync() function
+that using sk_stop_timer_sync() to make sure all timers
+are terminated before the kernel socket is released.
+Modules using kernel sockets close them in their netns exit()
+handler.
+
+Also add sock_not_owned_by_me() helper to get LOCKDEP
+support : inet_csk_clear_xmit_timers_sync() must not be called
+while socket lock is held.
+
+It is very possible we can revert in the future commit
+3a58f13a881e ("net: rds: acquire refcount on TCP sockets")
+which attempted to solve the issue in rds only.
+(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)
+
+We probably can remove the check_net() tests from
+tcp_out_of_resources() and __tcp_close() in the future.
+
+Reported-by: Josef Bacik <josef@toxicpanda.com>
+Closes: https://lore.kernel.org/netdev/20240314210740.GA2823176@perftesting/
+Fixes: 26abe14379f8 ("net: Modify sk_alloc to not reference count the netns of kernel sockets.")
+Fixes: 8a68173691f0 ("net: sk_clone_lock() should only do get_net() if the parent is not a kernel socket")
+Link: https://lore.kernel.org/bpf/CANn89i+484ffqb93aQm1N-tjxxvb3WDKX0EbD7318RwRgsatjw@mail.gmail.com/
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Tested-by: Josef Bacik <josef@toxicpanda.com>
+Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Link: https://lore.kernel.org/r/20240322135732.1535772-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/inet_connection_sock.h |  1 +
+ include/net/sock.h                 |  7 +++++++
+ net/ipv4/inet_connection_sock.c    | 14 ++++++++++++++
+ net/ipv4/tcp.c                     |  2 ++
+ 4 files changed, 24 insertions(+)
+
+diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h
+index 13792c0ef46e3..180ff3ca823a9 100644
+--- a/include/net/inet_connection_sock.h
++++ b/include/net/inet_connection_sock.h
+@@ -176,6 +176,7 @@ void inet_csk_init_xmit_timers(struct sock *sk,
+ 			       void (*delack_handler)(struct timer_list *),
+ 			       void (*keepalive_handler)(struct timer_list *));
+ void inet_csk_clear_xmit_timers(struct sock *sk);
++void inet_csk_clear_xmit_timers_sync(struct sock *sk);
+ 
+ static inline void inet_csk_schedule_ack(struct sock *sk)
+ {
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 5293f2b65fb55..8d592df7251f8 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1605,6 +1605,13 @@ static inline void sock_owned_by_me(const struct sock *sk)
+ #endif
+ }
+ 
++static inline void sock_not_owned_by_me(const struct sock *sk)
++{
++#ifdef CONFIG_LOCKDEP
++	WARN_ON_ONCE(lockdep_sock_is_held(sk) && debug_locks);
++#endif
++}
++
+ static inline bool sock_owned_by_user(const struct sock *sk)
+ {
+ 	sock_owned_by_me(sk);
+diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
+index 374a0c3f39cc1..091999dbef335 100644
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -560,6 +560,20 @@ void inet_csk_clear_xmit_timers(struct sock *sk)
+ }
+ EXPORT_SYMBOL(inet_csk_clear_xmit_timers);
+ 
++void inet_csk_clear_xmit_timers_sync(struct sock *sk)
++{
++	struct inet_connection_sock *icsk = inet_csk(sk);
++
++	/* ongoing timer handlers need to acquire socket lock. */
++	sock_not_owned_by_me(sk);
++
++	icsk->icsk_pending = icsk->icsk_ack.pending = 0;
++
++	sk_stop_timer_sync(sk, &icsk->icsk_retransmit_timer);
++	sk_stop_timer_sync(sk, &icsk->icsk_delack_timer);
++	sk_stop_timer_sync(sk, &sk->sk_timer);
++}
++
+ void inet_csk_delete_keepalive_timer(struct sock *sk)
+ {
+ 	sk_stop_timer(sk, &sk->sk_timer);
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 8ebcff40bc5ac..ca7863f722187 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2529,6 +2529,8 @@ void tcp_close(struct sock *sk, long timeout)
+ 	lock_sock(sk);
+ 	__tcp_close(sk, timeout);
+ 	release_sock(sk);
++	if (!sk->sk_net_refcnt)
++		inet_csk_clear_xmit_timers_sync(sk);
+ 	sock_put(sk);
+ }
+ EXPORT_SYMBOL(tcp_close);
+-- 
+2.43.0
+