--- /dev/null
+From 3bdeb8eb5228f50e8e5be24e2be561bc62e92ff0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Nov 2020 18:49:04 +0100
+Subject: ASoC: Fix 7/8 spaces indentation in Kconfig
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+[ Upstream commit 5268e0bf7123c422892fec362f5be2bcae9bbb95 ]
+
+Some entries used 7 or 8 spaces instead if a single TAB.
+
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/r/20201110174904.3413846-1-geert@linux-m68k.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Stable-dep-of: 6db26f9ea4ed ("ASoC: meson: cards: select SND_DYNAMIC_MINORS")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/Kconfig | 18 +++++++++---------
+ sound/soc/generic/Kconfig | 2 +-
+ sound/soc/intel/boards/Kconfig | 2 +-
+ sound/soc/meson/Kconfig | 2 +-
+ sound/soc/pxa/Kconfig | 14 +++++++-------
+ 5 files changed, 19 insertions(+), 19 deletions(-)
+
+diff --git a/sound/soc/codecs/Kconfig b/sound/soc/codecs/Kconfig
+index 04a7070c78e28..a8b9eb6ce2ea8 100644
+--- a/sound/soc/codecs/Kconfig
++++ b/sound/soc/codecs/Kconfig
+@@ -517,7 +517,7 @@ config SND_SOC_AK5558
+ select REGMAP_I2C
+
+ config SND_SOC_ALC5623
+- tristate "Realtek ALC5623 CODEC"
++ tristate "Realtek ALC5623 CODEC"
+ depends on I2C
+
+ config SND_SOC_ALC5632
+@@ -733,7 +733,7 @@ config SND_SOC_JZ4770_CODEC
+ will be called snd-soc-jz4770-codec.
+
+ config SND_SOC_L3
+- tristate
++ tristate
+
+ config SND_SOC_DA7210
+ tristate
+@@ -773,10 +773,10 @@ config SND_SOC_HDMI_CODEC
+ select HDMI
+
+ config SND_SOC_ES7134
+- tristate "Everest Semi ES7134 CODEC"
++ tristate "Everest Semi ES7134 CODEC"
+
+ config SND_SOC_ES7241
+- tristate "Everest Semi ES7241 CODEC"
++ tristate "Everest Semi ES7241 CODEC"
+
+ config SND_SOC_ES8316
+ tristate "Everest Semi ES8316 CODEC"
+@@ -974,10 +974,10 @@ config SND_SOC_PCM186X_SPI
+ select REGMAP_SPI
+
+ config SND_SOC_PCM3008
+- tristate
++ tristate
+
+ config SND_SOC_PCM3060
+- tristate
++ tristate
+
+ config SND_SOC_PCM3060_I2C
+ tristate "Texas Instruments PCM3060 CODEC - I2C"
+@@ -1440,7 +1440,7 @@ config SND_SOC_UDA1334
+ rate) and mute.
+
+ config SND_SOC_UDA134X
+- tristate
++ tristate
+
+ config SND_SOC_UDA1380
+ tristate
+@@ -1765,8 +1765,8 @@ config SND_SOC_MT6660
+ Select M to build this as module.
+
+ config SND_SOC_NAU8540
+- tristate "Nuvoton Technology Corporation NAU85L40 CODEC"
+- depends on I2C
++ tristate "Nuvoton Technology Corporation NAU85L40 CODEC"
++ depends on I2C
+
+ config SND_SOC_NAU8810
+ tristate "Nuvoton Technology Corporation NAU88C10 CODEC"
+diff --git a/sound/soc/generic/Kconfig b/sound/soc/generic/Kconfig
+index a90c3b28bce5f..4cafcf0e2bbfd 100644
+--- a/sound/soc/generic/Kconfig
++++ b/sound/soc/generic/Kconfig
+@@ -1,6 +1,6 @@
+ # SPDX-License-Identifier: GPL-2.0-only
+ config SND_SIMPLE_CARD_UTILS
+- tristate
++ tristate
+
+ config SND_SIMPLE_CARD
+ tristate "ASoC Simple sound card support"
+diff --git a/sound/soc/intel/boards/Kconfig b/sound/soc/intel/boards/Kconfig
+index c10c37803c670..dddb672a6d553 100644
+--- a/sound/soc/intel/boards/Kconfig
++++ b/sound/soc/intel/boards/Kconfig
+@@ -552,7 +552,7 @@ config SND_SOC_INTEL_SOUNDWIRE_SOF_MACH
+ select SND_SOC_RT715_SDCA_SDW
+ select SND_SOC_RT5682_SDW
+ select SND_SOC_DMIC
+- help
++ help
+ Add support for Intel SoundWire-based platforms connected to
+ MAX98373, RT700, RT711, RT1308 and RT715
+ If unsure select "N".
+diff --git a/sound/soc/meson/Kconfig b/sound/soc/meson/Kconfig
+index ce0cbdc69b2ec..b93ea33739f29 100644
+--- a/sound/soc/meson/Kconfig
++++ b/sound/soc/meson/Kconfig
+@@ -98,7 +98,7 @@ config SND_MESON_AXG_PDM
+ in the Amlogic AXG SoC family
+
+ config SND_MESON_CARD_UTILS
+- tristate
++ tristate
+
+ config SND_MESON_CODEC_GLUE
+ tristate
+diff --git a/sound/soc/pxa/Kconfig b/sound/soc/pxa/Kconfig
+index 0ac85eada75cb..9d40e8a206d10 100644
+--- a/sound/soc/pxa/Kconfig
++++ b/sound/soc/pxa/Kconfig
+@@ -221,13 +221,13 @@ config SND_PXA2XX_SOC_MIOA701
+ MIO A701.
+
+ config SND_PXA2XX_SOC_IMOTE2
+- tristate "SoC Audio support for IMote 2"
+- depends on SND_PXA2XX_SOC && MACH_INTELMOTE2 && I2C
+- select SND_PXA2XX_SOC_I2S
+- select SND_SOC_WM8940
+- help
+- Say Y if you want to add support for SoC audio on the
+- IMote 2.
++ tristate "SoC Audio support for IMote 2"
++ depends on SND_PXA2XX_SOC && MACH_INTELMOTE2 && I2C
++ select SND_PXA2XX_SOC_I2S
++ select SND_SOC_WM8940
++ help
++ Say Y if you want to add support for SoC audio on the
++ IMote 2.
+
+ config SND_MMP_SOC_BROWNSTONE
+ tristate "SoC Audio support for Marvell Brownstone"
+--
+2.43.0
+
--- /dev/null
+From bad1b472293169ece1716e3a5b2630945e6331ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 13:42:16 +0200
+Subject: ASoC: meson: axg-card: make links nonatomic
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit e138233e56e9829e65b6293887063a1a3ccb2d68 ]
+
+Non atomic operations need to be performed in the trigger callback
+of the TDM interfaces. Those are BEs but what matters is the nonatomic
+flag of the FE in the DPCM context. Just set nonatomic for everything so,
+at least, it is clear.
+
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Link: https://lore.kernel.org/r/20211020114217.133153-2-jbrunet@baylibre.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/meson/axg-card.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/meson/axg-card.c b/sound/soc/meson/axg-card.c
+index 2b77010c2c5ce..cbbaa55d92a66 100644
+--- a/sound/soc/meson/axg-card.c
++++ b/sound/soc/meson/axg-card.c
+@@ -320,6 +320,7 @@ static int axg_card_add_link(struct snd_soc_card *card, struct device_node *np,
+
+ dai_link->cpus = cpu;
+ dai_link->num_cpus = 1;
++ dai_link->nonatomic = true;
+
+ ret = meson_card_parse_dai(card, np, &dai_link->cpus->of_node,
+ &dai_link->cpus->dai_name);
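Review bot: The added `dai_link->nonatomic = true;` has no comment, and nothing in axg_card_add_link() explains why every link, front end and back end alike, is marked nonatomic. The commit message gives the reason: the TDM back-end trigger performs non-atomic operations, and in DPCM it is the front end's flag that matters. I would record that next to the assignment, for example `/* TDM BE trigger may sleep; DPCM honours the FE flag, so mark every link */`. The function body starts and ends outside this hunk.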
+--
+2.43.0
+
--- /dev/null
+From aedbfd21870fe60f3f71ae3a248934913763512d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 13:42:17 +0200
+Subject: ASoC: meson: axg-tdm-interface: manage formatters in trigger
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit bf5e4887eeddb48480568466536aa08ec7f179a5 ]
+
+So far, the formatters have been reset/enabled using the .prepare()
+callback. This was done in this callback because walking the formatters use
+a mutex so it could not be done in .trigger(), which is atomic by default.
+
+It turns out there is a problem on capture path of the AXG series.
+The FIFO may get out of sync with the TDM decoder if the IP are not enabled
+in a specific order. The FIFO must be enabled before the formatter starts
+producing data. IOW, we must deal with FE before the BE. The .prepare()
+callback is called on the BEs before the FE so it is not OK for the AXG.
+
+The .trigger() callback order can be configured, and it deals with the FE
+before the BEs by default. To solve our problem, we just need to start and
+stop the formatters from the .trigger() callback. It is OK do so now that
+the links have been made 'nonatomic' in the card driver.
+
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Link: https://lore.kernel.org/r/20211020114217.133153-3-jbrunet@baylibre.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/meson/axg-tdm-interface.c | 26 +++++++++++++++++++++-----
+ 1 file changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/sound/soc/meson/axg-tdm-interface.c b/sound/soc/meson/axg-tdm-interface.c
+index 60d132ab1ab78..f5145902360de 100644
+--- a/sound/soc/meson/axg-tdm-interface.c
++++ b/sound/soc/meson/axg-tdm-interface.c
+@@ -362,13 +362,29 @@ static int axg_tdm_iface_hw_free(struct snd_pcm_substream *substream,
+ return 0;
+ }
+
+-static int axg_tdm_iface_prepare(struct snd_pcm_substream *substream,
++static int axg_tdm_iface_trigger(struct snd_pcm_substream *substream,
++ int cmd,
+ struct snd_soc_dai *dai)
+ {
+- struct axg_tdm_stream *ts = snd_soc_dai_get_dma_data(dai, substream);
++ struct axg_tdm_stream *ts =
++ snd_soc_dai_get_dma_data(dai, substream);
++
++ switch (cmd) {
++ case SNDRV_PCM_TRIGGER_START:
++ case SNDRV_PCM_TRIGGER_RESUME:
++ case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
++ axg_tdm_stream_start(ts);
++ break;
++ case SNDRV_PCM_TRIGGER_SUSPEND:
++ case SNDRV_PCM_TRIGGER_PAUSE_PUSH:
++ case SNDRV_PCM_TRIGGER_STOP:
++ axg_tdm_stream_stop(ts);
++ break;
++ default:
++ return -EINVAL;
++ }
+
+- /* Force all attached formatters to update */
+- return axg_tdm_stream_reset(ts);
++ return 0;
+ }
+
+ static int axg_tdm_iface_remove_dai(struct snd_soc_dai *dai)
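Review bot: The new trigger callback discards the result of `axg_tdm_stream_start(ts)` and returns 0 for START/RESUME/PAUSE_RELEASE, whereas the removed prepare callback returned the result of `axg_tdm_stream_reset(ts)`. If axg_tdm_stream_start() can return an error (its prototype is outside this hunk), a formatter that fails to start would no longer be reported to the PCM core; in that case the start cases should propagate it, e.g. `return axg_tdm_stream_start(ts);`. A one-line comment above the function saying that it depends on the card links being nonatomic, because walking the formatters takes a mutex, would also keep that dependency visible in the code rather than only in the commit message.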
+@@ -408,8 +424,8 @@ static const struct snd_soc_dai_ops axg_tdm_iface_ops = {
+ .set_fmt = axg_tdm_iface_set_fmt,
+ .startup = axg_tdm_iface_startup,
+ .hw_params = axg_tdm_iface_hw_params,
+- .prepare = axg_tdm_iface_prepare,
+ .hw_free = axg_tdm_iface_hw_free,
++ .trigger = axg_tdm_iface_trigger,
+ };
+
+ /* TDM Backend DAIs */
+--
+2.43.0
+
--- /dev/null
+From 89b15d2aadef489da78a39570366d4f9c84591e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Apr 2024 15:41:47 +0200
+Subject: ASoC: meson: cards: select SND_DYNAMIC_MINORS
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit 6db26f9ea4edd8a17d39ab3c20111e3ccd704aef ]
+
+Amlogic sound cards do create a lot of pcm interfaces, possibly more than
+8. Some pcm interfaces are internal (like DPCM backends and c2c) and not
+exposed to userspace.
+
+Those interfaces still increase the number passed to snd_find_free_minor(),
+which eventually exceeds 8 causing -EBUSY error on card registration if
+CONFIG_SND_DYNAMIC_MINORS=n and the interface is exposed to userspace.
+
+select CONFIG_SND_DYNAMIC_MINORS for Amlogic cards to avoid the problem.
+
+Fixes: 7864a79f37b5 ("ASoC: meson: add axg sound card support")
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Link: https://lore.kernel.org/r/20240426134150.3053741-1-jbrunet@baylibre.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/meson/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/meson/Kconfig b/sound/soc/meson/Kconfig
+index b93ea33739f29..6458d5dc4902f 100644
+--- a/sound/soc/meson/Kconfig
++++ b/sound/soc/meson/Kconfig
+@@ -99,6 +99,7 @@ config SND_MESON_AXG_PDM
+
+ config SND_MESON_CARD_UTILS
+ tristate
++ select SND_DYNAMIC_MINORS
+
+ config SND_MESON_CODEC_GLUE
+ tristate
+--
+2.43.0
+
--- /dev/null
+From 78cebeaefb5dd483bb3a462d7c1b1453613843fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Apr 2024 21:44:19 +0700
+Subject: bna: ensure the copied buf is NUL terminated
+
+From: Bui Quang Minh <minhquangbui99@gmail.com>
+
+[ Upstream commit 8c34096c7fdf272fd4c0c37fe411cd2e3ed0ee9f ]
+
+Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from
+userspace to that buffer. Later, we use sscanf on this buffer but we don't
+ensure that the string is terminated inside the buffer, this can lead to
+OOB read when using sscanf. Fix this issue by using memdup_user_nul
+instead of memdup_user.
+
+Fixes: 7afc5dbde091 ("bna: Add debugfs interface.")
+Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com>
+Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-2-f1f1b53a10f4@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c
+index 04ad0f2b9677e..777f0d7e48192 100644
+--- a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c
++++ b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c
+@@ -312,7 +312,7 @@ bnad_debugfs_write_regrd(struct file *file, const char __user *buf,
+ void *kern_buf;
+
+ /* Copy the user space buf */
+- kern_buf = memdup_user(buf, nbytes);
++ kern_buf = memdup_user_nul(buf, nbytes);
+ if (IS_ERR(kern_buf))
+ return PTR_ERR(kern_buf);
+
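Review bot: `nbytes` reaches `memdup_user_nul(buf, nbytes)` without any upper bound in the visible lines, so the allocation size is whatever the writer passes; the same holds for the second hunk in bnad_debugfs_write_regwr(). Since, per the commit message, the buffer is only parsed with sscanf, a small cap before the copy would be reasonable if none is applied earlier in the function, which starts outside the hunk. The comment `/* Copy the user space buf */` is also now incomplete: the terminator is what bounds the later sscanf, so I would change it to `/* Copy the user space buf, NUL-terminated for sscanf() */` at both sites.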
+@@ -372,7 +372,7 @@ bnad_debugfs_write_regwr(struct file *file, const char __user *buf,
+ void *kern_buf;
+
+ /* Copy the user space buf */
+- kern_buf = memdup_user(buf, nbytes);
++ kern_buf = memdup_user_nul(buf, nbytes);
+ if (IS_ERR(kern_buf))
+ return PTR_ERR(kern_buf);
+
+--
+2.43.0
+
--- /dev/null
+From 6868cc2fb737e61ca99d894b7684617296ef36f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Apr 2024 11:11:47 +0200
+Subject: cxgb4: Properly lock TX queue for the selftest.
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 9067eccdd7849dd120d5495dbd5a686fa6ed2c1a ]
+
+The selftest for the driver sends a dummy packet and checks if the
+packet will be received properly as it should be. The regular TX path
+and the selftest can use the same network queue so locking is required
+and was missing in the selftest path. This was addressed in the commit
+cited below.
+Unfortunately locking the TX queue requires BH to be disabled which is
+not the case in selftest path which is invoked in process context.
+Lockdep should be complaining about this.
+
+Use __netif_tx_lock_bh() for TX queue locking.
+
+Fixes: c650e04898072 ("cxgb4: Fix race between loopback and normal Tx path")
+Reported-by: "John B. Wyatt IV" <jwyatt@redhat.com>
+Closes: https://lore.kernel.org/all/Zic0ot5aGgR-V4Ks@thinkpad2021/
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Link: https://lore.kernel.org/r/20240429091147.YWAaal4v@linutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/sge.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/sge.c b/drivers/net/ethernet/chelsio/cxgb4/sge.c
+index ccb6bd002b20d..89917dde0e223 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/sge.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/sge.c
+@@ -2678,12 +2678,12 @@ int cxgb4_selftest_lb_pkt(struct net_device *netdev)
+ lb->loopback = 1;
+
+ q = &adap->sge.ethtxq[pi->first_qset];
+- __netif_tx_lock(q->txq, smp_processor_id());
++ __netif_tx_lock_bh(q->txq);
+
+ reclaim_completed_tx(adap, &q->q, -1, true);
+ credits = txq_avail(&q->q) - ndesc;
+ if (unlikely(credits < 0)) {
+- __netif_tx_unlock(q->txq);
++ __netif_tx_unlock_bh(q->txq);
+ return -ENOMEM;
+ }
+
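Review bot: The switch to `__netif_tx_lock_bh(q->txq)` is not explained in the code, so a later cleanup could revert it to the plain variant without noticing why it matters. The commit message says the selftest runs in process context, where BH is not disabled; I would state that at the lock site, e.g. `/* process context: BH must be disabled while holding the TX queue lock */`. The function unlocks in two places, here on the credits failure path and in the next hunk before the completion wait. Any other return between the hunks lies outside the visible lines and would need the `_bh` unlock as well.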
+@@ -2718,7 +2718,7 @@ int cxgb4_selftest_lb_pkt(struct net_device *netdev)
+ init_completion(&lb->completion);
+ txq_advance(&q->q, ndesc);
+ cxgb4_ring_tx_db(adap, &q->q, ndesc);
+- __netif_tx_unlock(q->txq);
++ __netif_tx_unlock_bh(q->txq);
+
+ /* wait for the pkt to return */
+ ret = wait_for_completion_timeout(&lb->completion, 10 * HZ);
+--
+2.43.0
+
--- /dev/null
+From d69df43cbc38c78ee2a493005315e7ad1603172c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Apr 2024 20:24:18 +0200
+Subject: net: bridge: fix multicast-to-unicast with fraglist GSO
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 59c878cbcdd80ed39315573b3511d0acfd3501b5 ]
+
+Calling skb_copy on a SKB_GSO_FRAGLIST skb is not valid, since it returns
+an invalid linearized skb. This code only needs to change the ethernet
+header, so pskb_copy is the right function to call here.
+
+Fixes: 6db6f0eae605 ("bridge: multicast to unicast")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_forward.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
+index f2ef75c7ccc68..3a70682e63524 100644
+--- a/net/bridge/br_forward.c
++++ b/net/bridge/br_forward.c
+@@ -253,7 +253,7 @@ static void maybe_deliver_addr(struct net_bridge_port *p, struct sk_buff *skb,
+ if (skb->dev == p->dev && ether_addr_equal(src, addr))
+ return;
+
+- skb = skb_copy(skb, GFP_ATOMIC);
++ skb = pskb_copy(skb, GFP_ATOMIC);
+ if (!skb) {
+ DEV_STATS_INC(dev, tx_dropped);
+ return;
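Review bot: The `pskb_copy(skb, GFP_ATOMIC)` call leaves the non-header data shared with the original skb, so it is only correct while the code after the copy touches nothing beyond the Ethernet header. The commit message states that this is the case, but the code following the copy is outside the hunk and nothing at the call site records the constraint. I would add a comment above the call, for example `/* only the Ethernet header is rewritten below; a header-only copy keeps fraglist GSO skbs valid */`.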
+--
+2.43.0
+
--- /dev/null
+From f99dc00b5934c90c2b22d275254ca777025d3e44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Apr 2024 20:24:19 +0200
+Subject: net: core: reject skb_copy(_expand) for fraglist GSO skbs
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit d091e579b864fa790dd6a0cd537a22c383126681 ]
+
+SKB_GSO_FRAGLIST skbs must not be linearized, otherwise they become
+invalid. Return NULL if such an skb is passed to skb_copy or
+skb_copy_expand, in order to prevent a crash on a potential later
+call to skb_gso_segment.
+
+Fixes: 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skbuff.c | 27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index 50261f3aec82b..fd53b66f2ca1d 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -1516,11 +1516,17 @@ static inline int skb_alloc_rx_flag(const struct sk_buff *skb)
+
+ struct sk_buff *skb_copy(const struct sk_buff *skb, gfp_t gfp_mask)
+ {
+- int headerlen = skb_headroom(skb);
+- unsigned int size = skb_end_offset(skb) + skb->data_len;
+- struct sk_buff *n = __alloc_skb(size, gfp_mask,
+- skb_alloc_rx_flag(skb), NUMA_NO_NODE);
++ struct sk_buff *n;
++ unsigned int size;
++ int headerlen;
++
++ if (WARN_ON_ONCE(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST))
++ return NULL;
+
++ headerlen = skb_headroom(skb);
++ size = skb_end_offset(skb) + skb->data_len;
++ n = __alloc_skb(size, gfp_mask,
++ skb_alloc_rx_flag(skb), NUMA_NO_NODE);
+ if (!n)
+ return NULL;
+
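Review bot: The new early `return NULL` for `SKB_GSO_FRAGLIST` gives callers no way to tell this rejection from an allocation failure, and because the check uses `WARN_ON_ONCE` every occurrence after the first is silent. Callers that treat NULL as memory pressure would then drop packets with no further trace. The same applies to the identical check added to skb_copy_expand() in the next hunk. I would document the new failure mode in both functions' header comments (outside the hunks) and put a short comment above each check, e.g. `/* fraglist GSO skbs must not be linearized; use pskb_copy() */`. On systems that set panic_on_warn, any remaining caller reachable from received traffic would turn this warning into a panic, so the existing skb_copy()/skb_copy_expand() callers are worth auditing.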
+@@ -1750,12 +1756,17 @@ struct sk_buff *skb_copy_expand(const struct sk_buff *skb,
+ /*
+ * Allocate the copy buffer
+ */
+- struct sk_buff *n = __alloc_skb(newheadroom + skb->len + newtailroom,
+- gfp_mask, skb_alloc_rx_flag(skb),
+- NUMA_NO_NODE);
+- int oldheadroom = skb_headroom(skb);
+ int head_copy_len, head_copy_off;
++ struct sk_buff *n;
++ int oldheadroom;
++
++ if (WARN_ON_ONCE(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST))
++ return NULL;
+
++ oldheadroom = skb_headroom(skb);
++ n = __alloc_skb(newheadroom + skb->len + newtailroom,
++ gfp_mask, skb_alloc_rx_flag(skb),
++ NUMA_NO_NODE);
+ if (!n)
+ return NULL;
+
+--
+2.43.0
+
--- /dev/null
+From 3f2e33009d344f1904dc4f7fade9e99725b92851 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Apr 2024 15:38:32 +0200
+Subject: net: dsa: mv88e6xxx: Fix number of databases for 88E6141 / 88E6341
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún <kabel@kernel.org>
+
+[ Upstream commit b9a61c20179fda7bdfe2c1210aa72451991ab81a ]
+
+The Topaz family (88E6141 and 88E6341) only support 256 Forwarding
+Information Tables.
+
+Fixes: a75961d0ebfd ("net: dsa: mv88e6xxx: Add support for ethernet switch 88E6341")
+Fixes: 1558727a1c1b ("net: dsa: mv88e6xxx: Add support for ethernet switch 88E6141")
+Signed-off-by: Marek Behún <kabel@kernel.org>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://lore.kernel.org/r/20240429133832.9547-1-kabel@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
+index 53fbef9f4ce54..ac56bc175b51b 100644
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -4650,7 +4650,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .prod_num = MV88E6XXX_PORT_SWITCH_ID_PROD_6141,
+ .family = MV88E6XXX_FAMILY_6341,
+ .name = "Marvell 88E6141",
+- .num_databases = 4096,
++ .num_databases = 256,
+ .num_macs = 2048,
+ .num_ports = 6,
+ .num_internal_phys = 5,
+@@ -5056,7 +5056,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .prod_num = MV88E6XXX_PORT_SWITCH_ID_PROD_6341,
+ .family = MV88E6XXX_FAMILY_6341,
+ .name = "Marvell 88E6341",
+- .num_databases = 4096,
++ .num_databases = 256,
+ .num_macs = 2048,
+ .num_internal_phys = 5,
+ .num_ports = 6,
+--
+2.43.0
+
--- /dev/null
+From 773623faf202b0cfa0262308fe01d63cbb715b3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Apr 2024 16:35:55 +0200
+Subject: net: gro: add flush check in udp_gro_receive_segment
+
+From: Richard Gobert <richardbgobert@gmail.com>
+
+[ Upstream commit 5babae777c61aa8a8679d59d3cdc54165ad96d42 ]
+
+GRO-GSO path is supposed to be transparent and as such L3 flush checks are
+relevant to all UDP flows merging in GRO. This patch uses the same logic
+and code from tcp_gro_receive, terminating merge if flush is non zero.
+
+Fixes: e20cf8d3f1f7 ("udp: implement GRO for plain UDP sockets.")
+Signed-off-by: Richard Gobert <richardbgobert@gmail.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/udp_offload.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
+index 445d8bc30fdd1..a0b569d0085bc 100644
+--- a/net/ipv4/udp_offload.c
++++ b/net/ipv4/udp_offload.c
+@@ -431,6 +431,7 @@ static struct sk_buff *udp_gro_receive_segment(struct list_head *head,
+ struct sk_buff *p;
+ unsigned int ulen;
+ int ret = 0;
++ int flush;
+
+ /* requires non zero csum, for symmetry with GSO */
+ if (!uh->check) {
+@@ -464,13 +465,22 @@ static struct sk_buff *udp_gro_receive_segment(struct list_head *head,
+ return p;
+ }
+
++ flush = NAPI_GRO_CB(p)->flush;
++
++ if (NAPI_GRO_CB(p)->flush_id != 1 ||
++ NAPI_GRO_CB(p)->count != 1 ||
++ !NAPI_GRO_CB(p)->is_atomic)
++ flush |= NAPI_GRO_CB(p)->flush_id;
++ else
++ NAPI_GRO_CB(p)->is_atomic = false;
++
+ /* Terminate the flow on len mismatch or if it grow "too much".
+ * Under small packet flood GRO count could elsewhere grow a lot
+ * leading to excessive truesize values.
+ * On len mismatch merge the first packet shorter than gso_size,
+ * otherwise complete the GRO packet.
+ */
+- if (ulen > ntohs(uh2->len)) {
++ if (ulen > ntohs(uh2->len) || flush) {
+ pp = p;
+ } else {
+ if (NAPI_GRO_CB(skb)->is_flist) {
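Review bot: The block that computes `flush` from `NAPI_GRO_CB(p)->flush`, `flush_id`, `count` and `is_atomic` is, per the commit message, taken from tcp_gro_receive, but it carries no comment and now exists in two places that must be kept in step. I would either move it into a small shared helper or at least mark it, e.g. `/* same L3 flush rule as tcp_gro_receive() */`. The existing comment above the length test also no longer covers the whole condition now that it reads `ulen > ntohs(uh2->len) || flush`; it should mention that a non-zero flush also terminates the flow. The enclosing function starts and ends outside the hunk.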
+--
+2.43.0
+
--- /dev/null
+From 5d1fc842c9951e86b6e543202e70e8cf42441d8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Apr 2024 19:11:10 +0200
+Subject: net l2tp: drop flow hash on forward
+
+From: David Bauer <mail@david-bauer.net>
+
+[ Upstream commit 42f853b42899d9b445763b55c3c8adc72be0f0e1 ]
+
+Drop the flow-hash of the skb when forwarding to the L2TP netdev.
+
+This avoids the L2TP qdisc from using the flow-hash from the outer
+packet, which is identical for every flow within the tunnel.
+
+This does not affect every platform but is specific for the ethernet
+driver. It depends on the platform including L4 information in the
+flow-hash.
+
+One such example is the Mediatek Filogic MT798x family of networking
+processors.
+
+Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
+Acked-by: James Chapman <jchapman@katalix.com>
+Signed-off-by: David Bauer <mail@david-bauer.net>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20240424171110.13701-1-mail@david-bauer.net
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_eth.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
+index 6cd97c75445c8..9a36e174984cf 100644
+--- a/net/l2tp/l2tp_eth.c
++++ b/net/l2tp/l2tp_eth.c
+@@ -136,6 +136,9 @@ static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb,
+ /* checksums verified by L2TP */
+ skb->ip_summed = CHECKSUM_NONE;
+
++ /* drop outer flow-hash */
++ skb_clear_hash(skb);
++
+ skb_dst_drop(skb);
+ nf_reset_ct(skb);
+
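Review bot: The added comment `/* drop outer flow-hash */` restates the call below it and does not say why the hash is cleared. The reason is in the commit message: the hash inherited from the outer packet is identical for every flow inside the tunnel. I would put that in the comment, e.g. `/* outer flow-hash is the same for every flow in the tunnel; clear it so it is not reused for the inner packet */`.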
+--
+2.43.0
+
--- /dev/null
+From bd3e569604c2d5ce5d1b5d20c12b6c98ae1a31b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Apr 2024 09:12:23 +0000
+Subject: net: qede: sanitize 'rc' in qede_add_tc_flower_fltr()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Asbjørn Sloth Tønnesen <ast@fiberby.net>
+
+[ Upstream commit e25714466abd9d96901b15efddf82c60a38abd86 ]
+
+Explicitly set 'rc' (return code), before jumping to the
+unlock and return path.
+
+By not having any code depend on that 'rc' remains at
+it's initial value of -EINVAL, then we can re-use 'rc' for
+the return code of function calls in subsequent patches.
+
+Only compile tested.
+
+Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.net>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: fcee2065a178 ("net: qede: use return from qede_parse_flow_attr() for flower")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qede/qede_filter.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qede/qede_filter.c b/drivers/net/ethernet/qlogic/qede/qede_filter.c
+index a2e4dfb5cb44e..ba28381c26bbf 100644
+--- a/drivers/net/ethernet/qlogic/qede/qede_filter.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_filter.c
+@@ -1877,8 +1877,8 @@ int qede_add_tc_flower_fltr(struct qede_dev *edev, __be16 proto,
+ struct flow_cls_offload *f)
+ {
+ struct qede_arfs_fltr_node *n;
+- int min_hlen, rc = -EINVAL;
+ struct qede_arfs_tuple t;
++ int min_hlen, rc;
+
+ __qede_lock(edev);
+
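Review bot: `rc` loses its `-EINVAL` initializer in `int min_hlen, rc;`, so every path that reaches the `unlock` label now has to assign it first. The later hunks add the assignment to the three gotos that relied on the default. The block that closes at the top of the next hunk and the rest of the body are outside the visible lines, so full coverage cannot be confirmed from the patch alone. It is worth checking each `goto unlock` in the complete function, since a missed one would return an indeterminate value to the caller.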
+@@ -1888,8 +1888,10 @@ int qede_add_tc_flower_fltr(struct qede_dev *edev, __be16 proto,
+ }
+
+ /* parse flower attribute and prepare filter */
+- if (qede_parse_flow_attr(edev, proto, f->rule, &t))
++ if (qede_parse_flow_attr(edev, proto, f->rule, &t)) {
++ rc = -EINVAL;
+ goto unlock;
++ }
+
+ /* Validate profile mode and number of filters */
+ if ((edev->arfs->filter_count && edev->arfs->mode != t.mode) ||
+@@ -1897,12 +1899,15 @@ int qede_add_tc_flower_fltr(struct qede_dev *edev, __be16 proto,
+ DP_NOTICE(edev,
+ "Filter configuration invalidated, filter mode=0x%x, configured mode=0x%x, filter count=0x%x\n",
+ t.mode, edev->arfs->mode, edev->arfs->filter_count);
++ rc = -EINVAL;
+ goto unlock;
+ }
+
+ /* parse tc actions and get the vf_id */
+- if (qede_parse_actions(edev, &f->rule->action, f->common.extack))
++ if (qede_parse_actions(edev, &f->rule->action, f->common.extack)) {
++ rc = -EINVAL;
+ goto unlock;
++ }
+
+ if (qede_flow_find_fltr(edev, &t)) {
+ rc = -EEXIST;
+--
+2.43.0
+
--- /dev/null
+From 30c579f7d8728dc59b2c775ba18a14e562e72f6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Apr 2024 09:12:26 +0000
+Subject: net: qede: use return from qede_parse_actions()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Asbjørn Sloth Tønnesen <ast@fiberby.net>
+
+[ Upstream commit f26f719a36e56381a1f4230e5364e7ad4d485888 ]
+
+When calling qede_parse_actions() then the
+return code was only used for a non-zero check,
+and then -EINVAL was returned.
+
+qede_parse_actions() can currently fail with:
+* -EINVAL
+* -EOPNOTSUPP
+
+This patch changes the code to use the actual
+return code, not just return -EINVAL.
+
+The blaimed commit broke the implicit assumption
+that only -EINVAL would ever be returned.
+
+Only compile tested.
+
+Fixes: 319a1d19471e ("flow_offload: check for basic action hw stats type")
+Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.net>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qede/qede_filter.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qede/qede_filter.c b/drivers/net/ethernet/qlogic/qede/qede_filter.c
+index 6e2913f2a791a..5f4962d90022e 100644
+--- a/drivers/net/ethernet/qlogic/qede/qede_filter.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_filter.c
+@@ -1903,10 +1903,9 @@ int qede_add_tc_flower_fltr(struct qede_dev *edev, __be16 proto,
+ }
+
+ /* parse tc actions and get the vf_id */
+- if (qede_parse_actions(edev, &f->rule->action, f->common.extack)) {
+- rc = -EINVAL;
++ rc = qede_parse_actions(edev, &f->rule->action, f->common.extack);
++ if (rc)
+ goto unlock;
+- }
+
+ if (qede_flow_find_fltr(edev, &t)) {
+ rc = -EEXIST;
+--
+2.43.0
+
--- /dev/null
+From 1cfe0b1b0c0c329838a808f514f0e539918a4038 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Apr 2024 09:12:24 +0000
+Subject: net: qede: use return from qede_parse_flow_attr() for flower
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Asbjørn Sloth Tønnesen <ast@fiberby.net>
+
+[ Upstream commit fcee2065a178f78be6fd516302830378b17dba3d ]
+
+In qede_add_tc_flower_fltr(), when calling
+qede_parse_flow_attr() then the return code
+was only used for a non-zero check, and then
+-EINVAL was returned.
+
+qede_parse_flow_attr() can currently fail with:
+* -EINVAL
+* -EOPNOTSUPP
+* -EPROTONOSUPPORT
+
+This patch changes the code to use the actual
+return code, not just return -EINVAL.
+
+The blaimed commit introduced these functions.
+
+Only compile tested.
+
+Fixes: 2ce9c93eaca6 ("qede: Ingress tc flower offload (drop action) support.")
+Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.net>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qede/qede_filter.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qede/qede_filter.c b/drivers/net/ethernet/qlogic/qede/qede_filter.c
+index ba28381c26bbf..413e8331a0ce6 100644
+--- a/drivers/net/ethernet/qlogic/qede/qede_filter.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_filter.c
+@@ -1888,10 +1888,9 @@ int qede_add_tc_flower_fltr(struct qede_dev *edev, __be16 proto,
+ }
+
+ /* parse flower attribute and prepare filter */
+- if (qede_parse_flow_attr(edev, proto, f->rule, &t)) {
+- rc = -EINVAL;
++ rc = qede_parse_flow_attr(edev, proto, f->rule, &t);
++ if (rc)
+ goto unlock;
+- }
+
+ /* Validate profile mode and number of filters */
+ if ((edev->arfs->filter_count && edev->arfs->mode != t.mode) ||
+--
+2.43.0
+
--- /dev/null
+From f12f6b15beb68c227fdca77ca9584edfd01f64d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Apr 2024 09:12:25 +0000
+Subject: net: qede: use return from qede_parse_flow_attr() for flow_spec
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Asbjørn Sloth Tønnesen <ast@fiberby.net>
+
+[ Upstream commit 27b44414a34b108c5a37cd5b4894f606061d86e7 ]
+
+In qede_flow_spec_to_rule(), when calling
+qede_parse_flow_attr() then the return code
+was only used for a non-zero check, and then
+-EINVAL was returned.
+
+qede_parse_flow_attr() can currently fail with:
+* -EINVAL
+* -EOPNOTSUPP
+* -EPROTONOSUPPORT
+
+This patch changes the code to use the actual
+return code, not just return -EINVAL.
+
+The blaimed commit introduced qede_flow_spec_to_rule(),
+and this call to qede_parse_flow_attr(), it looks
+like it just duplicated how it was already used.
+
+Only compile tested.
+
+Fixes: 37c5d3efd7f8 ("qede: use ethtool_rx_flow_rule() to remove duplicated parser code")
+Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.net>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qede/qede_filter.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qede/qede_filter.c b/drivers/net/ethernet/qlogic/qede/qede_filter.c
+index 413e8331a0ce6..6e2913f2a791a 100644
+--- a/drivers/net/ethernet/qlogic/qede/qede_filter.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_filter.c
+@@ -2011,10 +2011,9 @@ static int qede_flow_spec_to_rule(struct qede_dev *edev,
+ if (IS_ERR(flow))
+ return PTR_ERR(flow);
+
+- if (qede_parse_flow_attr(edev, proto, flow->rule, t)) {
+- err = -EINVAL;
++ err = qede_parse_flow_attr(edev, proto, flow->rule, t);
++ if (err)
+ goto err_out;
+- }
+
+ /* Make sure location is valid and filter isn't already set */
+ err = qede_flow_spec_validate(edev, &flow->rule->action, t,
+--
+2.43.0
+
--- /dev/null
+From cacff426b1c220b1afa46d96cf3f42e1a0925f70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Apr 2024 19:35:49 -0700
+Subject: nsh: Restore skb->{protocol,data,mac_header} for outer header in
+ nsh_gso_segment().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 4b911a9690d72641879ea6d13cce1de31d346d79 ]
+
+syzbot triggered various splats (see [0] and links) by a crafted GSO
+packet of VIRTIO_NET_HDR_GSO_UDP layering the following protocols:
+
+ ETH_P_8021AD + ETH_P_NSH + ETH_P_IPV6 + IPPROTO_UDP
+
+NSH can encapsulate IPv4, IPv6, Ethernet, NSH, and MPLS. As the inner
+protocol can be Ethernet, NSH GSO handler, nsh_gso_segment(), calls
+skb_mac_gso_segment() to invoke inner protocol GSO handlers.
+
+nsh_gso_segment() does the following for the original skb before
+calling skb_mac_gso_segment()
+
+ 1. reset skb->network_header
+ 2. save the original skb->{mac_header,mac_len} in a local variable
+ 3. pull the NSH header
+ 4. resets skb->mac_header
+ 5. set up skb->mac_len and skb->protocol for the inner protocol.
+
+and does the following for the segmented skb
+
+ 6. set ntohs(ETH_P_NSH) to skb->protocol
+ 7. push the NSH header
+ 8. restore skb->mac_header
+ 9. set skb->mac_header + mac_len to skb->network_header
+ 10. restore skb->mac_len
+
+There are two problems in 6-7 and 8-9.
+
+ (a)
+ After 6 & 7, skb->data points to the NSH header, so the outer header
+ (ETH_P_8021AD in this case) is stripped when skb is sent out of netdev.
+
+ Also, if NSH is encapsulated by NSH + Ethernet (so NSH-Ethernet-NSH),
+ skb_pull() in the first nsh_gso_segment() will make skb->data point
+ to the middle of the outer NSH or Ethernet header because the Ethernet
+ header is not pulled by the second nsh_gso_segment().
+
+ (b)
+ While restoring skb->{mac_header,network_header} in 8 & 9,
+ nsh_gso_segment() does not assume that the data in the linear
+ buffer is shifted.
+
+ However, udp6_ufo_fragment() could shift the data and change
+ skb->mac_header accordingly as demonstrated by syzbot.
+
+ If this happens, even the restored skb->mac_header points to
+ the middle of the outer header.
+
+It seems nsh_gso_segment() has never worked with outer headers so far.
+
+At the end of nsh_gso_segment(), the outer header must be restored for
+the segmented skb, instead of the NSH header.
+
+To do that, let's calculate the outer header position relatively from
+the inner header and set skb->{data,mac_header,protocol} properly.
+
+[0]:
+BUG: KMSAN: uninit-value in ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]
+BUG: KMSAN: uninit-value in ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
+BUG: KMSAN: uninit-value in ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668
+ ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]
+ ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
+ ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668
+ ipvlan_start_xmit+0x5c/0x1a0 drivers/net/ipvlan/ipvlan_main.c:222
+ __netdev_start_xmit include/linux/netdevice.h:4989 [inline]
+ netdev_start_xmit include/linux/netdevice.h:5003 [inline]
+ xmit_one net/core/dev.c:3547 [inline]
+ dev_hard_start_xmit+0x244/0xa10 net/core/dev.c:3563
+ __dev_queue_xmit+0x33ed/0x51c0 net/core/dev.c:4351
+ dev_queue_xmit include/linux/netdevice.h:3171 [inline]
+ packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
+ packet_snd net/packet/af_packet.c:3081 [inline]
+ packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg net/socket.c:745 [inline]
+ __sys_sendto+0x735/0xa10 net/socket.c:2191
+ __do_sys_sendto net/socket.c:2203 [inline]
+ __se_sys_sendto net/socket.c:2199 [inline]
+ __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:3819 [inline]
+ slab_alloc_node mm/slub.c:3860 [inline]
+ __do_kmalloc_node mm/slub.c:3980 [inline]
+ __kmalloc_node_track_caller+0x705/0x1000 mm/slub.c:4001
+ kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582
+ __alloc_skb+0x352/0x790 net/core/skbuff.c:651
+ skb_segment+0x20aa/0x7080 net/core/skbuff.c:4647
+ udp6_ufo_fragment+0xcab/0x1150 net/ipv6/udp_offload.c:109
+ ipv6_gso_segment+0x14be/0x2ca0 net/ipv6/ip6_offload.c:152
+ skb_mac_gso_segment+0x3e8/0x760 net/core/gso.c:53
+ nsh_gso_segment+0x6f4/0xf70 net/nsh/nsh.c:108
+ skb_mac_gso_segment+0x3e8/0x760 net/core/gso.c:53
+ __skb_gso_segment+0x4b0/0x730 net/core/gso.c:124
+ skb_gso_segment include/net/gso.h:83 [inline]
+ validate_xmit_skb+0x107f/0x1930 net/core/dev.c:3628
+ __dev_queue_xmit+0x1f28/0x51c0 net/core/dev.c:4343
+ dev_queue_xmit include/linux/netdevice.h:3171 [inline]
+ packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
+ packet_snd net/packet/af_packet.c:3081 [inline]
+ packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg net/socket.c:745 [inline]
+ __sys_sendto+0x735/0xa10 net/socket.c:2191
+ __do_sys_sendto net/socket.c:2203 [inline]
+ __se_sys_sendto net/socket.c:2199 [inline]
+ __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+CPU: 1 PID: 5101 Comm: syz-executor421 Not tainted 6.8.0-rc5-syzkaller-00297-gf2e367d6ad3b #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
+
+Fixes: c411ed854584 ("nsh: add GSO support")
+Reported-and-tested-by: syzbot+42a0dc856239de4de60e@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=42a0dc856239de4de60e
+Reported-and-tested-by: syzbot+c298c9f0e46a3c86332b@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c298c9f0e46a3c86332b
+Link: https://lore.kernel.org/netdev/20240415222041.18537-1-kuniyu@amazon.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://lore.kernel.org/r/20240424023549.21862-1-kuniyu@amazon.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nsh/nsh.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/net/nsh/nsh.c b/net/nsh/nsh.c
+index 0f23e5e8e03eb..3e0fc71d95a14 100644
+--- a/net/nsh/nsh.c
++++ b/net/nsh/nsh.c
+@@ -76,13 +76,15 @@ EXPORT_SYMBOL_GPL(nsh_pop);
+ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb,
+ netdev_features_t features)
+ {
++ unsigned int outer_hlen, mac_len, nsh_len;
+ struct sk_buff *segs = ERR_PTR(-EINVAL);
+ u16 mac_offset = skb->mac_header;
+- unsigned int nsh_len, mac_len;
+- __be16 proto;
++ __be16 outer_proto, proto;
+
+ skb_reset_network_header(skb);
+
++ outer_proto = skb->protocol;
++ outer_hlen = skb_mac_header_len(skb);
+ mac_len = skb->mac_len;
+
+ if (unlikely(!pskb_may_pull(skb, NSH_BASE_HDR_LEN)))
+@@ -112,10 +114,10 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb,
+ }
+
+ for (skb = segs; skb; skb = skb->next) {
+- skb->protocol = htons(ETH_P_NSH);
+- __skb_push(skb, nsh_len);
+- skb->mac_header = mac_offset;
+- skb->network_header = skb->mac_header + mac_len;
++ skb->protocol = outer_proto;
++ __skb_push(skb, nsh_len + outer_hlen);
++ skb_reset_mac_header(skb);
++ skb_set_network_header(skb, outer_hlen);
+ skb->mac_len = mac_len;
+ }
+
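Review bot: The rewritten loop moves skb->data back by `nsh_len + outer_hlen` with the unchecked `__skb_push()`, and nothing in the hunk says why every segment returned by the inner handler still has that many header bytes in front of skb->data. The commit message itself notes that an inner handler such as udp6_ufo_fragment() can shift the linear data, so the assumption deserves a comment above the push, along the lines of `/* relies on each segment keeping the NSH and outer headers right before skb->data */`. `outer_hlen` comes from `skb_mac_header_len(skb)` in the first hunk, which presumably assumes skb->mac_header was set before this GSO callback runs; a short remark next to that assignment would help too. `mac_offset` is still declared but no longer used in this loop, and any remaining use lies outside the visible hunks.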
+--
+2.43.0
+
--- /dev/null
+From 549db89f02b86f78fa5175822540f9c9a6883e5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Apr 2024 21:44:23 +0700
+Subject: octeontx2-af: avoid off-by-one read from userspace
+
+From: Bui Quang Minh <minhquangbui99@gmail.com>
+
+[ Upstream commit f299ee709fb45036454ca11e90cb2810fe771878 ]
+
+We try to access count + 1 byte from userspace with memdup_user(buffer,
+count + 1). However, the userspace only provides buffer of count bytes and
+only these count bytes are verified to be okay to access. To ensure the
+copied buffer is NUL terminated, we use memdup_user_nul instead.
+
+Fixes: 3a2eb515d136 ("octeontx2-af: Fix an off by one in rvu_dbg_qsize_write()")
+Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com>
+Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-6-f1f1b53a10f4@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
+index 5205796859f6c..d212bab3ddbae 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
+@@ -420,12 +420,10 @@ static ssize_t rvu_dbg_qsize_write(struct file *filp,
+ u16 pcifunc;
+ int ret, lf;
+
+- cmd_buf = memdup_user(buffer, count + 1);
++ cmd_buf = memdup_user_nul(buffer, count);
+ if (IS_ERR(cmd_buf))
+ return -ENOMEM;
+
+- cmd_buf[count] = '\0';
+-
+ cmd_buf_tmp = strchr(cmd_buf, '\n');
+ if (cmd_buf_tmp) {
+ *cmd_buf_tmp = '\0';
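Review bot: The error branch right after the new `memdup_user_nul(buffer, count)` call still returns a fixed `-ENOMEM`, so a failed copy from the user buffer is reported to the writer as an allocation failure. `memdup_user_nul()` returns an ERR_PTR that can also carry `-EFAULT`; `return PTR_ERR(cmd_buf);` would pass the real cause through. `count` sizes the allocation and, per the commit message, is supplied by userspace, so the code appears to rely on the allocator to refuse oversized writes; a comment saying so would make that explicit. rvu_dbg_qsize_write() starts before and continues past this hunk.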
+--
+2.43.0
+
--- /dev/null
+From 1f3af9390bb0fe8e6cc6021f8aa594356a77b7ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Apr 2024 13:42:20 +0200
+Subject: s390/mm: Fix clearing storage keys for huge pages
+
+From: Claudio Imbrenda <imbrenda@linux.ibm.com>
+
+[ Upstream commit 412050af2ea39407fe43324b0be4ab641530ce88 ]
+
+The function __storage_key_init_range() expects the end address to be
+the first byte outside the range to be initialized. I.e. end - start
+should be the size of the area to be initialized.
+
+The current code works because __storage_key_init_range() will still loop
+over every page in the range, but it is slower than using sske_frame().
+
+Fixes: 3afdfca69870 ("s390/mm: Clear skeys for newly mapped huge guest pmds")
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Link: https://lore.kernel.org/r/20240416114220.28489-3-imbrenda@linux.ibm.com
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/mm/hugetlbpage.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/mm/hugetlbpage.c b/arch/s390/mm/hugetlbpage.c
+index 3b5a4d25ca9b5..0ca46f5d9438f 100644
+--- a/arch/s390/mm/hugetlbpage.c
++++ b/arch/s390/mm/hugetlbpage.c
+@@ -146,7 +146,7 @@ static void clear_huge_pte_skeys(struct mm_struct *mm, unsigned long rste)
+ }
+
+ if (!test_and_set_bit(PG_arch_1, &page->flags))
+- __storage_key_init_range(paddr, paddr + size - 1);
++ __storage_key_init_range(paddr, paddr + size);
+ }
+
+ void set_huge_pte_at(struct mm_struct *mm, unsigned long addr,
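Review bot: Neither call site records that the second argument of `__storage_key_init_range()` is exclusive, which is the convention the earlier `- 1` got wrong. A comment on the new line, e.g. `/* end is exclusive: first byte after the huge page */`, would make that visible here. The same applies to `end = start + HPAGE_SIZE;` in the arch/s390/mm/gmap.c patch further down the page. Per the commit message the old bound still initialised every page and only missed the faster path, so this is a documentation point rather than a correctness concern.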
+--
+2.43.0
+
--- /dev/null
+From ec1ab8ad743645858313a6c6edf9a89c21302364 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Apr 2024 13:42:19 +0200
+Subject: s390/mm: Fix storage key clearing for guest huge pages
+
+From: Claudio Imbrenda <imbrenda@linux.ibm.com>
+
+[ Upstream commit 843c3280686fc1a83d89ee1e0b5599c9f6b09d0c ]
+
+The function __storage_key_init_range() expects the end address to be
+the first byte outside the range to be initialized. I.e. end - start
+should be the size of the area to be initialized.
+
+The current code works because __storage_key_init_range() will still loop
+over every page in the range, but it is slower than using sske_frame().
+
+Fixes: 964c2c05c9f3 ("s390/mm: Clear huge page storage keys on enable_skey")
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Link: https://lore.kernel.org/r/20240416114220.28489-2-imbrenda@linux.ibm.com
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/mm/gmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c
+index b5a60fbb96644..ad4bae2465b19 100644
+--- a/arch/s390/mm/gmap.c
++++ b/arch/s390/mm/gmap.c
+@@ -2627,7 +2627,7 @@ static int __s390_enable_skey_hugetlb(pte_t *pte, unsigned long addr,
+ return 0;
+
+ start = pmd_val(*pmd) & HPAGE_MASK;
+- end = start + HPAGE_SIZE - 1;
++ end = start + HPAGE_SIZE;
+ __storage_key_init_range(start, end);
+ set_bit(PG_arch_1, &page->flags);
+ cond_resched();
+--
+2.43.0
+
--- /dev/null
+From 849655f898735334e1af4cc90c3522a555f0ff73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Apr 2024 17:35:52 +0200
+Subject: s390/vdso: Add CFI for RA register to asm macro vdso_func
+
+From: Jens Remus <jremus@linux.ibm.com>
+
+[ Upstream commit b961ec10b9f9719987470236feb50c967db5a652 ]
+
+The return-address (RA) register r14 is specified as volatile in the
+s390x ELF ABI [1]. Nevertheless proper CFI directives must be provided
+for an unwinder to restore the return address, if the RA register
+value is changed from its value at function entry, as it is the case.
+
+[1]: s390x ELF ABI, https://github.com/IBM/s390x-abi/releases
+
+Fixes: 4bff8cb54502 ("s390: convert to GENERIC_VDSO")
+Signed-off-by: Jens Remus <jremus@linux.ibm.com>
+Acked-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/include/asm/dwarf.h | 1 +
+ arch/s390/kernel/vdso64/vdso_user_wrapper.S | 2 ++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/arch/s390/include/asm/dwarf.h b/arch/s390/include/asm/dwarf.h
+index 4f21ae561e4dd..390906b8e386e 100644
+--- a/arch/s390/include/asm/dwarf.h
++++ b/arch/s390/include/asm/dwarf.h
+@@ -9,6 +9,7 @@
+ #define CFI_DEF_CFA_OFFSET .cfi_def_cfa_offset
+ #define CFI_ADJUST_CFA_OFFSET .cfi_adjust_cfa_offset
+ #define CFI_RESTORE .cfi_restore
++#define CFI_REL_OFFSET .cfi_rel_offset
+
+ #ifdef CONFIG_AS_CFI_VAL_OFFSET
+ #define CFI_VAL_OFFSET .cfi_val_offset
+diff --git a/arch/s390/kernel/vdso64/vdso_user_wrapper.S b/arch/s390/kernel/vdso64/vdso_user_wrapper.S
+index a775d7e528728..2183b8f64d574 100644
+--- a/arch/s390/kernel/vdso64/vdso_user_wrapper.S
++++ b/arch/s390/kernel/vdso64/vdso_user_wrapper.S
+@@ -23,8 +23,10 @@ __kernel_\func:
+ CFI_DEF_CFA_OFFSET (STACK_FRAME_OVERHEAD + WRAPPER_FRAME_SIZE)
+ CFI_VAL_OFFSET 15, -STACK_FRAME_OVERHEAD
+ stg %r14,STACK_FRAME_OVERHEAD(%r15)
++ CFI_REL_OFFSET 14, STACK_FRAME_OVERHEAD
+ brasl %r14,__s390_vdso_\func
+ lg %r14,STACK_FRAME_OVERHEAD(%r15)
++ CFI_RESTORE 14
+ aghi %r15,WRAPPER_FRAME_SIZE
+ CFI_DEF_CFA_OFFSET STACK_FRAME_OVERHEAD
+ CFI_RESTORE 15
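Review bot: The two added CFI directives carry no comment tying them to the instructions they describe, and for unwind annotations the placement is the contract. `CFI_REL_OFFSET 14, STACK_FRAME_OVERHEAD` has to stay directly after the `stg` that saves %r14, and `CFI_RESTORE 14` directly after the `lg` that reloads it. A short comment such as `/* r14 is overwritten by brasl; the unwinder reads the caller's RA from the save slot */` would guard against later reordering. `CFI_REL_OFFSET` is defined unconditionally in dwarf.h while `CFI_VAL_OFFSET` sits under `CONFIG_AS_CFI_VAL_OFFSET`; that looks intentional but is worth confirming against the oldest assembler this branch supports.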
+--
+2.43.0
+
power-rt9455-hide-unused-rt9455_boost_voltage_values.patch
pinctrl-devicetree-fix-refcount-leak-in-pinctrl_dt_t.patch
regulator-mt6360-de-capitalize-devicetree-regulator-.patch
+s390-mm-fix-storage-key-clearing-for-guest-huge-page.patch
+s390-mm-fix-clearing-storage-keys-for-huge-pages.patch
+bna-ensure-the-copied-buf-is-nul-terminated.patch
+octeontx2-af-avoid-off-by-one-read-from-userspace.patch
+nsh-restore-skb-protocol-data-mac_header-for-outer-h.patch
+net-l2tp-drop-flow-hash-on-forward.patch
+s390-vdso-add-cfi-for-ra-register-to-asm-macro-vdso_.patch
+net-qede-sanitize-rc-in-qede_add_tc_flower_fltr.patch
+net-qede-use-return-from-qede_parse_flow_attr-for-fl.patch
+net-qede-use-return-from-qede_parse_flow_attr-for-fl.patch-32632
+net-qede-use-return-from-qede_parse_actions.patch
+asoc-meson-axg-card-make-links-nonatomic.patch
+asoc-meson-axg-tdm-interface-manage-formatters-in-tr.patch
+asoc-fix-7-8-spaces-indentation-in-kconfig.patch
+asoc-meson-cards-select-snd_dynamic_minors.patch
+cxgb4-properly-lock-tx-queue-for-the-selftest.patch
+net-dsa-mv88e6xxx-fix-number-of-databases-for-88e614.patch
+net-bridge-fix-multicast-to-unicast-with-fraglist-gs.patch
+net-core-reject-skb_copy-_expand-for-fraglist-gso-sk.patch
+tipc-fix-a-possible-memleak-in-tipc_buf_append.patch
+net-gro-add-flush-check-in-udp_gro_receive_segment.patch
--- /dev/null
+From b9618fc4167a4c68313578ebe1ca9ca361388825 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Apr 2024 10:03:38 -0400
+Subject: tipc: fix a possible memleak in tipc_buf_append
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 97bf6f81b29a8efaf5d0983251a7450e5794370d ]
+
+__skb_linearize() doesn't free the skb when it fails, so move
+'*buf = NULL' after __skb_linearize(), so that the skb can be
+freed on the err path.
+
+Fixes: b7df21cf1b79 ("tipc: skb_linearize the head skb when reassembling msgs")
+Reported-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
+Link: https://lore.kernel.org/r/90710748c29a1521efac4f75ea01b3b7e61414cf.1714485818.git.lucien.xin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/msg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tipc/msg.c b/net/tipc/msg.c
+index 91dcf648d32bb..b2b102d6f5819 100644
+--- a/net/tipc/msg.c
++++ b/net/tipc/msg.c
+@@ -148,9 +148,9 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf)
+ if (fragid == FIRST_FRAGMENT) {
+ if (unlikely(head))
+ goto err;
+- *buf = NULL;
+ if (skb_has_frag_list(frag) && __skb_linearize(frag))
+ goto err;
++ *buf = NULL;
+ frag = skb_unshare(frag, GFP_ATOMIC);
+ if (unlikely(!frag))
+ goto err;
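Review bot: The position of `*buf = NULL` is now constrained from both sides, and the hunk has no comment saying so. It has to follow `__skb_linearize()`, which leaves the skb allocated on failure, and it has to precede `skb_unshare()`, which releases the original skb itself when its copy fails. Moving the assignment below `skb_unshare()` would let the error path, which per the commit message frees the skb, release `frag` a second time. A one-line comment above the assignment, such as `/* clear *buf after linearize (no free on failure) but before unshare (frees on failure) */`, would keep a later cleanup from reintroducing the leak or a double free. The `err` label and its cleanup are outside this hunk.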
+--
+2.43.0
+