Fixes for 5.10
authorSasha Levin <sashal@kernel.org>
Mon, 17 Jul 2023 01:01:19 +0000 (21:01 -0400)
committerSasha Levin <sashal@kernel.org>
Mon, 17 Jul 2023 01:01:19 +0000 (21:01 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
40 files changed:
queue-5.10/bpf-riscv-support-riscv-jit-to-provide-bpf_line_info.patch [new file with mode: 0644]
queue-5.10/drm-panel-simple-add-connector_type-for-innolux_at04.patch [new file with mode: 0644]
queue-5.10/drm-panel-simple-add-powertip-ph800480t013-drm_displ.patch [new file with mode: 0644]
queue-5.10/erofs-avoid-infinite-loop-in-z_erofs_do_read_page-wh.patch [new file with mode: 0644]
queue-5.10/gve-set-default-duplex-configuration-to-full.patch [new file with mode: 0644]
queue-5.10/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch [new file with mode: 0644]
queue-5.10/igc-fix-inserting-of-empty-frame-for-launchtime.patch [new file with mode: 0644]
queue-5.10/igc-fix-launchtime-before-start-of-cycle.patch [new file with mode: 0644]
queue-5.10/igc-remove-delay-during-tx-ring-configuration.patch [new file with mode: 0644]
queue-5.10/igc-set-tp-bit-in-supported-and-advertising-fields-o.patch [new file with mode: 0644]
queue-5.10/ionic-remove-warn_on-to-prevent-panic_on_warn.patch [new file with mode: 0644]
queue-5.10/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch [new file with mode: 0644]
queue-5.10/net-bgmac-postpone-turning-irqs-off-to-avoid-soc-han.patch [new file with mode: 0644]
queue-5.10/net-mlx5e-check-for-not_ready-flag-state-after-locki.patch [new file with mode: 0644]
queue-5.10/net-mlx5e-fix-double-free-in-mlx5e_destroy_flow_tabl.patch [new file with mode: 0644]
queue-5.10/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch [new file with mode: 0644]
queue-5.10/net-prevent-skb-corruption-on-frag-list-segmentation.patch [new file with mode: 0644]
queue-5.10/net-sched-cls_fw-fix-improper-refcount-update-leads-.patch [new file with mode: 0644]
queue-5.10/net-sched-flower-ensure-both-minimum-and-maximum-por.patch [new file with mode: 0644]
queue-5.10/net-sched-make-psched_mtu-rtnl-less-safe.patch [new file with mode: 0644]
queue-5.10/net-sched-sch_qfq-account-for-stab-overhead-in-qfq_e.patch [new file with mode: 0644]
queue-5.10/net-sched-sch_qfq-refactor-parsing-of-netlink-parame.patch [new file with mode: 0644]
queue-5.10/netdevsim-fix-uninitialized-data-in-nsim_dev_trap_fa.patch [new file with mode: 0644]
queue-5.10/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch [new file with mode: 0644]
queue-5.10/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch [new file with mode: 0644]
queue-5.10/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch [new file with mode: 0644]
queue-5.10/ntb-ntb_tool-add-check-for-devm_kcalloc.patch [new file with mode: 0644]
queue-5.10/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch [new file with mode: 0644]
queue-5.10/nvme-pci-fix-dma-direction-of-unmapping-integrity-da.patch [new file with mode: 0644]
queue-5.10/platform-x86-wmi-break-possible-infinite-loop-when-p.patch [new file with mode: 0644]
queue-5.10/platform-x86-wmi-move-variables.patch [new file with mode: 0644]
queue-5.10/platform-x86-wmi-remove-unnecessary-argument.patch [new file with mode: 0644]
queue-5.10/platform-x86-wmi-use-guid_t-and-guid_equal.patch [new file with mode: 0644]
queue-5.10/riscv-bpf-avoid-breaking-w-x.patch [new file with mode: 0644]
queue-5.10/riscv-bpf-fix-inconsistent-jit-image-generation.patch [new file with mode: 0644]
queue-5.10/riscv-bpf-move-bpf_jit_alloc_exec-and-bpf_jit_free_e.patch [new file with mode: 0644]
queue-5.10/scsi-qla2xxx-fix-error-code-in-qla2x00_start_sp.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/udp6-fix-udp6_ehashfn-typo.patch [new file with mode: 0644]
queue-5.10/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch [new file with mode: 0644]

diff --git a/queue-5.10/bpf-riscv-support-riscv-jit-to-provide-bpf_line_info.patch b/queue-5.10/bpf-riscv-support-riscv-jit-to-provide-bpf_line_info.patch
new file mode 100644 (file)
index 0000000..dfa0414
--- /dev/null
@@ -0,0 +1,75 @@
+From 08e94dd671f1cf66d7c8791d504ecf41c85a776f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 May 2022 17:28:11 +0800
+Subject: bpf, riscv: Support riscv jit to provide bpf_line_info
+
+From: Pu Lehui <pulehui@huawei.com>
+
+[ Upstream commit 3cb70413041fdf028fa1ba3986fd0c6aec9e3dcb ]
+
+Add support for riscv jit to provide bpf_line_info. We need to
+consider the prologue offset in ctx->offset, but unlike x86 and
+arm64, ctx->offset of riscv does not provide an extra slot for
+the prologue, so here we just calculate the len of prologue and
+add it to ctx->offset at the end. Both RV64 and RV32 have been
+tested.
+
+Signed-off-by: Pu Lehui <pulehui@huawei.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20220530092815.1112406-3-pulehui@huawei.com
+Stable-dep-of: c56fb2aab235 ("riscv, bpf: Fix inconsistent JIT image generation")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/net/bpf_jit.h      | 1 +
+ arch/riscv/net/bpf_jit_core.c | 8 +++++++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/arch/riscv/net/bpf_jit.h b/arch/riscv/net/bpf_jit.h
+index 75c1e99968675..ab0cd6d10ccf3 100644
+--- a/arch/riscv/net/bpf_jit.h
++++ b/arch/riscv/net/bpf_jit.h
+@@ -69,6 +69,7 @@ struct rv_jit_context {
+       struct bpf_prog *prog;
+       u16 *insns;             /* RV insns */
+       int ninsns;
++      int body_len;
+       int epilogue_offset;
+       int *offset;            /* BPF to RV */
+       unsigned long flags;
+diff --git a/arch/riscv/net/bpf_jit_core.c b/arch/riscv/net/bpf_jit_core.c
+index 5d247198c30d3..750b15c319d5d 100644
+--- a/arch/riscv/net/bpf_jit_core.c
++++ b/arch/riscv/net/bpf_jit_core.c
+@@ -43,7 +43,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+ {
+       bool tmp_blinded = false, extra_pass = false;
+       struct bpf_prog *tmp, *orig_prog = prog;
+-      int pass = 0, prev_ninsns = 0, i;
++      int pass = 0, prev_ninsns = 0, prologue_len, i;
+       struct rv_jit_data *jit_data;
+       struct rv_jit_context *ctx;
+       unsigned int image_size = 0;
+@@ -95,6 +95,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+                       prog = orig_prog;
+                       goto out_offset;
+               }
++              ctx->body_len = ctx->ninsns;
+               bpf_jit_build_prologue(ctx);
+               ctx->epilogue_offset = ctx->ninsns;
+               bpf_jit_build_epilogue(ctx);
+@@ -154,6 +155,11 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+       if (!prog->is_func || extra_pass) {
+               bpf_jit_binary_lock_ro(jit_data->header);
++              prologue_len = ctx->epilogue_offset - ctx->body_len;
++              for (i = 0; i < prog->len; i++)
++                      ctx->offset[i] = ninsns_rvoff(prologue_len +
++                                                    ctx->offset[i]);
++              bpf_prog_fill_jited_linfo(prog, ctx->offset);
+ out_offset:
+               kfree(ctx->offset);
+               kfree(jit_data);
+-- 
+2.39.2
+
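Review bot: The new `body_len` member of struct rv_jit_context is added without a comment, and `prologue_len = ctx->epilogue_offset - ctx->body_len` only reads correctly once you know that body_len is sampled immediately before bpf_jit_build_prologue() and epilogue_offset immediately after it. A trailing comment such as `int body_len; /* ninsns once the body is emitted, before the prologue */` would record that. The loop also rewrites ctx->offset[] in place through ninsns_rvoff(), which by its name converts instruction counts to byte offsets. That looks safe because kfree(ctx->offset) follows at out_offset, but a one-line comment saying the array is not read again after the conversion would guard against a later change that does. bpf_int_jit_compile() starts and ends outside the hunks.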
diff --git a/queue-5.10/drm-panel-simple-add-connector_type-for-innolux_at04.patch b/queue-5.10/drm-panel-simple-add-connector_type-for-innolux_at04.patch
new file mode 100644 (file)
index 0000000..5ac1deb
--- /dev/null
@@ -0,0 +1,39 @@
+From 31d7ebc306aee8cd050979655f24bf30429400b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jun 2023 08:22:02 -0300
+Subject: drm/panel: simple: Add connector_type for innolux_at043tn24
+
+From: Fabio Estevam <festevam@denx.de>
+
+[ Upstream commit 2c56a751845ddfd3078ebe79981aaaa182629163 ]
+
+The innolux at043tn24 display is a parallel LCD. Pass the 'connector_type'
+information to avoid the following warning:
+
+panel-simple panel: Specify missing connector_type
+
+Signed-off-by: Fabio Estevam <festevam@denx.de>
+Fixes: 41bcceb4de9c ("drm/panel: simple: Add support for Innolux AT043TN24")
+Reviewed-by: Sam Ravnborg <sam@ravnborg.org>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230620112202.654981-1-festevam@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-simple.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
+index b0b92f436879a..ffda99c204356 100644
+--- a/drivers/gpu/drm/panel/panel-simple.c
++++ b/drivers/gpu/drm/panel/panel-simple.c
+@@ -2091,6 +2091,7 @@ static const struct panel_desc innolux_at043tn24 = {
+               .height = 54,
+       },
+       .bus_format = MEDIA_BUS_FMT_RGB888_1X24,
++      .connector_type = DRM_MODE_CONNECTOR_DPI,
+       .bus_flags = DRM_BUS_FLAG_DE_HIGH | DRM_BUS_FLAG_PIXDATA_DRIVE_POSEDGE,
+ };
+-- 
+2.39.2
+
diff --git a/queue-5.10/drm-panel-simple-add-powertip-ph800480t013-drm_displ.patch b/queue-5.10/drm-panel-simple-add-powertip-ph800480t013-drm_displ.patch
new file mode 100644 (file)
index 0000000..6adae45
--- /dev/null
@@ -0,0 +1,38 @@
+From 0b1bddd8f52eb2d2c5215e3046b6c2ca1b3442f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jun 2023 22:16:02 +0200
+Subject: drm/panel: simple: Add Powertip PH800480T013 drm_display_mode flags
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 1c519980aced3da1fae37c1339cf43b24eccdee7 ]
+
+Add missing drm_display_mode DRM_MODE_FLAG_NVSYNC | DRM_MODE_FLAG_NHSYNC
+flags. Those are used by various bridges in the pipeline to correctly
+configure its sync signals polarity.
+
+Fixes: d69de69f2be1 ("drm/panel: simple: Add Powertip PH800480T013 panel")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Reviewed-by: Sam Ravnborg <sam@ravnborg.org>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230615201602.565948-1-marex@denx.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-simple.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
+index ffda99c204356..7b69f81444ebd 100644
+--- a/drivers/gpu/drm/panel/panel-simple.c
++++ b/drivers/gpu/drm/panel/panel-simple.c
+@@ -3153,6 +3153,7 @@ static const struct drm_display_mode powertip_ph800480t013_idf02_mode = {
+       .vsync_start = 480 + 49,
+       .vsync_end = 480 + 49 + 2,
+       .vtotal = 480 + 49 + 2 + 22,
++      .flags = DRM_MODE_FLAG_NVSYNC | DRM_MODE_FLAG_NHSYNC,
+ };
+ static const struct panel_desc powertip_ph800480t013_idf02  = {
+-- 
+2.39.2
+
diff --git a/queue-5.10/erofs-avoid-infinite-loop-in-z_erofs_do_read_page-wh.patch b/queue-5.10/erofs-avoid-infinite-loop-in-z_erofs_do_read_page-wh.patch
new file mode 100644 (file)
index 0000000..5b52f7c
--- /dev/null
@@ -0,0 +1,54 @@
+From ab418c2e4ce893c2f6c065ff11c691b4fa2419ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Jul 2023 17:34:10 +0800
+Subject: erofs: avoid infinite loop in z_erofs_do_read_page() when reading
+ beyond EOF
+
+From: Chunhai Guo <guochunhai@vivo.com>
+
+[ Upstream commit 8191213a5835b0317c5e4d0d337ae1ae00c75253 ]
+
+z_erofs_do_read_page() may loop infinitely due to the inappropriate
+truncation in the below statement. Since the offset is 64 bits and min_t()
+truncates the result to 32 bits. The solution is to replace unsigned int
+with a 64-bit type, such as erofs_off_t.
+    cur = end - min_t(unsigned int, offset + end - map->m_la, end);
+
+    - For example:
+        - offset = 0x400160000
+        - end = 0x370
+        - map->m_la = 0x160370
+        - offset + end - map->m_la = 0x400000000
+        - offset + end - map->m_la = 0x00000000 (truncated as unsigned int)
+    - Expected result:
+        - cur = 0
+    - Actual result:
+        - cur = 0x370
+
+Signed-off-by: Chunhai Guo <guochunhai@vivo.com>
+Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
+Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Link: https://lore.kernel.org/r/20230710093410.44071-1-guochunhai@vivo.com
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/zdata.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
+index 8cb2cf612e49b..9cff927382599 100644
+--- a/fs/erofs/zdata.c
++++ b/fs/erofs/zdata.c
+@@ -629,7 +629,7 @@ static int z_erofs_do_read_page(struct z_erofs_decompress_frontend *fe,
+       tight &= (clt->mode >= COLLECT_PRIMARY_HOOKED &&
+                 clt->mode != COLLECT_PRIMARY_FOLLOWED_NOINPLACE);
+-      cur = end - min_t(unsigned int, offset + end - map->m_la, end);
++      cur = end - min_t(erofs_off_t, offset + end - map->m_la, end);
+       if (!(map->m_flags & EROFS_MAP_MAPPED)) {
+               zero_user_segment(page, cur, end);
+               goto next_part;
+-- 
+2.39.2
+
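Review bot: Nothing at the changed min_t() line records why the comparison must be done in a 64-bit type, so a later cleanup could narrow it again and reintroduce the truncation (and the resulting endless loop) described in the commit message. A short comment above it, for example `/* compare as erofs_off_t: offset + end - map->m_la may not fit in 32 bits */`, would keep the reason next to the code. z_erofs_do_read_page() starts and ends outside the hunk.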
diff --git a/queue-5.10/gve-set-default-duplex-configuration-to-full.patch b/queue-5.10/gve-set-default-duplex-configuration-to-full.patch
new file mode 100644 (file)
index 0000000..e2ab8b6
--- /dev/null
@@ -0,0 +1,43 @@
+From 16788fe6a3213dc782c2135f0e2e7ba48ec48d54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jul 2023 12:41:28 +0800
+Subject: gve: Set default duplex configuration to full
+
+From: Junfeng Guo <junfeng.guo@intel.com>
+
+[ Upstream commit 0503efeadbf6bb8bf24397613a73b67e665eac5f ]
+
+Current duplex mode was unset in the driver, resulting in the default
+parameter being set to 0, which corresponds to half duplex. It might
+mislead users to have incorrect expectation about the driver's
+transmission capabilities.
+Set the default duplex configuration to full, as the driver runs in
+full duplex mode at this point.
+
+Fixes: 7e074d5a76ca ("gve: Enable Link Speed Reporting in the driver.")
+Signed-off-by: Junfeng Guo <junfeng.guo@intel.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Message-ID: <20230706044128.2726747-1-junfeng.guo@intel.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/google/gve/gve_ethtool.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/google/gve/gve_ethtool.c b/drivers/net/ethernet/google/gve/gve_ethtool.c
+index e0449cc24fbdb..cbfd007449351 100644
+--- a/drivers/net/ethernet/google/gve/gve_ethtool.c
++++ b/drivers/net/ethernet/google/gve/gve_ethtool.c
+@@ -516,6 +516,9 @@ static int gve_get_link_ksettings(struct net_device *netdev,
+               err = gve_adminq_report_link_speed(priv);
+       cmd->base.speed = priv->link_speed;
++
++      cmd->base.duplex = DUPLEX_FULL;
++
+       return err;
+ }
+-- 
+2.39.2
+
diff --git a/queue-5.10/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch b/queue-5.10/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch
new file mode 100644 (file)
index 0000000..aa2256c
--- /dev/null
@@ -0,0 +1,145 @@
+From fd4812e25f97d7173396b96409ed2a2b0b4ed5df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jul 2023 18:43:27 -0700
+Subject: icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in
+ icmp6_dev().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 2aaa8a15de73874847d62eb595c6683bface80fd ]
+
+With some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that
+has the link-local address as src and dst IP and will be forwarded to
+an external IP in the IPv6 Ext Hdr.
+
+For example, the script below generates a packet whose src IP is the
+link-local address and dst is updated to 11::.
+
+  # for f in $(find /proc/sys/net/ -name *seg6_enabled*); do echo 1 > $f; done
+  # python3
+  >>> from socket import *
+  >>> from scapy.all import *
+  >>>
+  >>> SRC_ADDR = DST_ADDR = "fe80::5054:ff:fe12:3456"
+  >>>
+  >>> pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR)
+  >>> pkt /= IPv6ExtHdrSegmentRouting(type=4, addresses=["11::", "22::"], segleft=1)
+  >>>
+  >>> sk = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW)
+  >>> sk.sendto(bytes(pkt), (DST_ADDR, 0))
+
+For such a packet, we call ip6_route_input() to look up a route for the
+next destination in these three functions depending on the header type.
+
+  * ipv6_rthdr_rcv()
+  * ipv6_rpl_srh_rcv()
+  * ipv6_srh_rcv()
+
+If no route is found, ip6_null_entry is set to skb, and the following
+dst_input(skb) calls ip6_pkt_drop().
+
+Finally, in icmp6_dev(), we dereference skb_rt6_info(skb)->rt6i_idev->dev
+as the input device is the loopback interface.  Then, we have to check if
+skb_rt6_info(skb)->rt6i_idev is NULL or not to avoid NULL pointer deref
+for ip6_null_entry.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+ PF: supervisor read access in kernel mode
+ PF: error_code(0x0000) - not-present page
+PGD 0 P4D 0
+Oops: 0000 [#1] PREEMPT SMP PTI
+CPU: 0 PID: 157 Comm: python3 Not tainted 6.4.0-11996-gb121d614371c #35
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503)
+Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01
+RSP: 0018:ffffc90000003c70 EFLAGS: 00000286
+RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0
+RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18
+RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001
+R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10
+R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0
+FS:  00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0
+PKRU: 55555554
+Call Trace:
+ <IRQ>
+ ip6_pkt_drop (net/ipv6/route.c:4513)
+ ipv6_rthdr_rcv (net/ipv6/exthdrs.c:640 net/ipv6/exthdrs.c:686)
+ ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5))
+ ip6_input_finish (./include/linux/rcupdate.h:781 net/ipv6/ip6_input.c:483)
+ __netif_receive_skb_one_core (net/core/dev.c:5455)
+ process_backlog (./include/linux/rcupdate.h:781 net/core/dev.c:5895)
+ __napi_poll (net/core/dev.c:6460)
+ net_rx_action (net/core/dev.c:6529 net/core/dev.c:6660)
+ __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)
+ do_softirq (kernel/softirq.c:454 kernel/softirq.c:441)
+ </IRQ>
+ <TASK>
+ __local_bh_enable_ip (kernel/softirq.c:381)
+ __dev_queue_xmit (net/core/dev.c:4231)
+ ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:135)
+ rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914)
+ sock_sendmsg (net/socket.c:725 net/socket.c:748)
+ __sys_sendto (net/socket.c:2134)
+ __x64_sys_sendto (net/socket.c:2146 net/socket.c:2142 net/socket.c:2142)
+ do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
+RIP: 0033:0x7f9dc751baea
+Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
+RSP: 002b:00007ffe98712c38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 00007ffe98712cf8 RCX: 00007f9dc751baea
+RDX: 0000000000000060 RSI: 00007f9dc6460b90 RDI: 0000000000000003
+RBP: 00007f9dc56e8be0 R08: 00007ffe98712d70 R09: 000000000000001c
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: ffffffffc4653600 R14: 0000000000000001 R15: 00007f9dc6af5d1b
+ </TASK>
+Modules linked in:
+CR2: 0000000000000000
+ ---[ end trace 0000000000000000 ]---
+RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503)
+Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01
+RSP: 0018:ffffc90000003c70 EFLAGS: 00000286
+RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0
+RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18
+RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001
+R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10
+R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0
+FS:  00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0
+PKRU: 55555554
+Kernel panic - not syncing: Fatal exception in interrupt
+Kernel Offset: disabled
+
+Fixes: 4832c30d5458 ("net: ipv6: put host and anycast routes on device with address")
+Reported-by: Wang Yufen <wangyufen@huawei.com>
+Closes: https://lore.kernel.org/netdev/c41403a9-c2f6-3b7e-0c96-e1901e605cd0@huawei.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/icmp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
+index fd1f896115c1e..d01165bb6a32b 100644
+--- a/net/ipv6/icmp.c
++++ b/net/ipv6/icmp.c
+@@ -429,7 +429,10 @@ static struct net_device *icmp6_dev(const struct sk_buff *skb)
+       if (unlikely(dev->ifindex == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) {
+               const struct rt6_info *rt6 = skb_rt6_info(skb);
+-              if (rt6)
++              /* The destination could be an external IP in Ext Hdr (SRv6, RPL, etc.),
++               * and ip6_null_entry could be set to skb if no route is found.
++               */
++              if (rt6 && rt6->rt6i_idev)
+                       dev = rt6->rt6i_idev->dev;
+       }
+-- 
+2.39.2
+
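Review bot: The added comment explains why rt6->rt6i_idev can be NULL but not what icmp6_dev() does in that case: when the new `rt6 && rt6->rt6i_idev` test fails, dev simply keeps the value it was given before this hunk. Extending the comment with a line such as `* In that case dev is left unchanged.` would document the fallback. The commit message shows the dereference being reached from packet input in softirq context, so it is also worth confirming, outside this hunk, that no other user of skb_rt6_info(skb)->rt6i_idev lacks the same check. icmp6_dev() starts and ends outside the hunk.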
diff --git a/queue-5.10/igc-fix-inserting-of-empty-frame-for-launchtime.patch b/queue-5.10/igc-fix-inserting-of-empty-frame-for-launchtime.patch
new file mode 100644 (file)
index 0000000..ea7234f
--- /dev/null
@@ -0,0 +1,128 @@
+From 28e19afbca0fa1e531bf500dfb1772f86514af4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jun 2023 16:07:14 +0200
+Subject: igc: Fix inserting of empty frame for launchtime
+
+From: Florian Kauer <florian.kauer@linutronix.de>
+
+[ Upstream commit 0bcc62858d6ba62cbade957d69745e6adeed5f3d ]
+
+The insertion of an empty frame was introduced with
+commit db0b124f02ba ("igc: Enhance Qbv scheduling by using first flag bit")
+in order to ensure that the current cycle has at least one packet if
+there is some packet to be scheduled for the next cycle.
+
+However, the current implementation does not properly check if
+a packet is already scheduled for the current cycle. Currently,
+an empty packet is always inserted if and only if
+txtime >= end_of_cycle && txtime > last_tx_cycle
+but since last_tx_cycle is always either the end of the current
+cycle (end_of_cycle) or the end of a previous cycle, the
+second part (txtime > last_tx_cycle) is always true unless
+txtime == last_tx_cycle.
+
+What actually needs to be checked here is if the last_tx_cycle
+was already written within the current cycle, so an empty frame
+should only be inserted if and only if
+txtime >= end_of_cycle && end_of_cycle > last_tx_cycle.
+
+This patch does not only avoid an unnecessary insertion, but it
+can actually be harmful to insert an empty packet if packets
+are already scheduled in the current cycle, because it can lead
+to a situation where the empty packet is actually processed
+as the first packet in the upcoming cycle shifting the packet
+with the first_flag even one cycle into the future, finally leading
+to a TX hang.
+
+The TX hang can be reproduced on a i225 with:
+
+    sudo tc qdisc replace dev enp1s0 parent root handle 100 taprio \
+           num_tc 1 \
+           map 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 \
+           queues 1@0 \
+           base-time 0 \
+           sched-entry S 01 300000 \
+           flags 0x1 \
+           txtime-delay 500000 \
+           clockid CLOCK_TAI
+    sudo tc qdisc replace dev enp1s0 parent 100:1 etf \
+           clockid CLOCK_TAI \
+           delta 500000 \
+           offload \
+           skip_sock_check
+
+and traffic generator
+
+    sudo trafgen -i traffic.cfg -o enp1s0 --cpp -n0 -q -t1400ns
+
+with traffic.cfg
+
+    #define ETH_P_IP        0x0800
+
+    {
+      /* Ethernet Header */
+      0x30, 0x1f, 0x9a, 0xd0, 0xf0, 0x0e,  # MAC Dest - adapt as needed
+      0x24, 0x5e, 0xbe, 0x57, 0x2e, 0x36,  # MAC Src  - adapt as needed
+      const16(ETH_P_IP),
+
+      /* IPv4 Header */
+      0b01000101, 0,   # IPv4 version, IHL, TOS
+      const16(1028),   # IPv4 total length (UDP length + 20 bytes (IP header))
+      const16(2),      # IPv4 ident
+      0b01000000, 0,   # IPv4 flags, fragmentation off
+      64,              # IPv4 TTL
+      17,              # Protocol UDP
+      csumip(14, 33),  # IPv4 checksum
+
+      /* UDP Header */
+      10,  0, 48, 1,   # IP Src - adapt as needed
+      10,  0, 48, 10,  # IP Dest - adapt as needed
+      const16(5555),   # UDP Src Port
+      const16(6666),   # UDP Dest Port
+      const16(1008),   # UDP length (UDP header 8 bytes + payload length)
+      csumudp(14, 34), # UDP checksum
+
+      /* Payload */
+      fill('W', 1000),
+    }
+
+and the observed message with that is for example
+
+ igc 0000:01:00.0 enp1s0: Detected Tx Unit Hang
+   Tx Queue             <0>
+   TDH                  <32>
+   TDT                  <3c>
+   next_to_use          <3c>
+   next_to_clean        <32>
+ buffer_info[next_to_clean]
+   time_stamp           <ffff26a8>
+   next_to_watch        <00000000632a1828>
+   jiffies              <ffff27f8>
+   desc.status          <1048000>
+
+Fixes: db0b124f02ba ("igc: Enhance Qbv scheduling by using first flag bit")
+Signed-off-by: Florian Kauer <florian.kauer@linutronix.de>
+Reviewed-by: Kurt Kanzenbach <kurt@linutronix.de>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 051b1048eb41b..631ce793fb2ec 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -918,7 +918,7 @@ static __le32 igc_tx_launchtime(struct igc_ring *ring, ktime_t txtime,
+                       *first_flag = true;
+                       ring->last_ff_cycle = baset_est;
+-                      if (ktime_compare(txtime, ring->last_tx_cycle) > 0)
++                      if (ktime_compare(end_of_cycle, ring->last_tx_cycle) > 0)
+                               *insert_empty = true;
+               }
+       }
+-- 
+2.39.2
+
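Review bot: The corrected condition `ktime_compare(end_of_cycle, ring->last_tx_cycle) > 0` carries no comment, although the reasoning behind it takes several paragraphs of the commit message and the previous version of the same line got it wrong. A comment above the `if`, such as `/* insert an empty frame only if nothing was queued in the current cycle yet */`, would keep that intent in the code. igc_tx_launchtime() starts and ends outside the hunk, so where last_tx_cycle is updated cannot be checked from here.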
diff --git a/queue-5.10/igc-fix-launchtime-before-start-of-cycle.patch b/queue-5.10/igc-fix-launchtime-before-start-of-cycle.patch
new file mode 100644 (file)
index 0000000..a52262e
--- /dev/null
@@ -0,0 +1,46 @@
+From 5bd9a05d5faa13c4939b72db846ba1a409b9bc39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jun 2023 16:07:13 +0200
+Subject: igc: Fix launchtime before start of cycle
+
+From: Florian Kauer <florian.kauer@linutronix.de>
+
+[ Upstream commit c1bca9ac0bcb355be11354c2e68bc7bf31f5ac5a ]
+
+It is possible (verified on a running system) that frames are processed
+by igc_tx_launchtime with a txtime before the start of the cycle
+(baset_est).
+
+However, the result of txtime - baset_est is written into a u32,
+leading to a wrap around to a positive number. The following
+launchtime > 0 check will only branch to executing launchtime = 0
+if launchtime is already 0.
+
+Fix it by using a s32 before checking launchtime > 0.
+
+Fixes: db0b124f02ba ("igc: Enhance Qbv scheduling by using first flag bit")
+Signed-off-by: Florian Kauer <florian.kauer@linutronix.de>
+Reviewed-by: Kurt Kanzenbach <kurt@linutronix.de>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 2b51ee87a2def..051b1048eb41b 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -905,7 +905,7 @@ static __le32 igc_tx_launchtime(struct igc_ring *ring, ktime_t txtime,
+       ktime_t base_time = adapter->base_time;
+       ktime_t now = ktime_get_clocktai();
+       ktime_t baset_est, end_of_cycle;
+-      u32 launchtime;
++      s32 launchtime;
+       s64 n;
+       n = div64_s64(ktime_sub_ns(now, base_time), cycle_time);
+-- 
+2.39.2
+
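Review bot: Making `launchtime` an s32 fixes the slightly-negative case, but the difference is still narrowed to 32 bits before the `launchtime > 0` test that the commit message refers to. A txtime more than about 2.1 seconds (2^31 ns) away from baset_est could therefore presumably still end up with the wrong sign. The assignment lies outside the hunk, so this is inferred from the commit message. If it is a plain nanosecond difference, holding it in an `s64`, clamping it, and only then narrowing would remove the dependence on magnitude. Since the function returns __le32, a comment on the declaration such as `s32 launchtime; /* signed: txtime may precede baset_est */` would also explain why the local is signed.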
diff --git a/queue-5.10/igc-remove-delay-during-tx-ring-configuration.patch b/queue-5.10/igc-remove-delay-during-tx-ring-configuration.patch
new file mode 100644 (file)
index 0000000..a0e9e75
--- /dev/null
@@ -0,0 +1,46 @@
+From 2db76a308aa7625f060b0945befbf2f97128673c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 May 2023 08:18:12 +0800
+Subject: igc: Remove delay during TX ring configuration
+
+From: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
+
+[ Upstream commit cca28ceac7c7857bc2d313777017585aef00bcc4 ]
+
+Remove unnecessary delay during the TX ring configuration.
+This will cause delay, especially during link down and
+link up activity.
+
+Furthermore, old SKUs like as I225 will call the reset_adapter
+to reset the controller during TSN mode Gate Control List (GCL)
+setting. This will add more time to the configuration of the
+real-time use case.
+
+It doesn't mentioned about this delay in the Software User Manual.
+It might have been ported from legacy code I210 in the past.
+
+Fixes: 13b5b7fd6a4a ("igc: Add support for Tx/Rx rings")
+Signed-off-by: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
+Acked-by: Sasha Neftin <sasha.neftin@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index a15e4b6d7fa40..2b51ee87a2def 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -600,7 +600,6 @@ static void igc_configure_tx_ring(struct igc_adapter *adapter,
+       /* disable the queue */
+       wr32(IGC_TXDCTL(reg_idx), 0);
+       wrfl();
+-      mdelay(10);
+       wr32(IGC_TDLEN(reg_idx),
+            ring->count * sizeof(union igc_adv_tx_desc));
+-- 
+2.39.2
+
diff --git a/queue-5.10/igc-set-tp-bit-in-supported-and-advertising-fields-o.patch b/queue-5.10/igc-set-tp-bit-in-supported-and-advertising-fields-o.patch
new file mode 100644 (file)
index 0000000..96864b4
--- /dev/null
@@ -0,0 +1,39 @@
+From b8e41a5723d033d84e74fa79a056bb31a3ed303b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jun 2023 11:09:01 -0700
+Subject: igc: set TP bit in 'supported' and 'advertising' fields of
+ ethtool_link_ksettings
+
+From: Prasad Koya <prasad@arista.com>
+
+[ Upstream commit 9ac3fc2f42e5ffa1e927dcbffb71b15fa81459e2 ]
+
+set TP bit in the 'supported' and 'advertising' fields. i225/226 parts
+only support twisted pair copper.
+
+Fixes: 8c5ad0dae93c ("igc: Add ethtool support")
+Signed-off-by: Prasad Koya <prasad@arista.com>
+Acked-by: Sasha Neftin <sasha.neftin@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_ethtool.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_ethtool.c b/drivers/net/ethernet/intel/igc/igc_ethtool.c
+index da259cd59adda..d28ac3a025ab1 100644
+--- a/drivers/net/ethernet/intel/igc/igc_ethtool.c
++++ b/drivers/net/ethernet/intel/igc/igc_ethtool.c
+@@ -1673,6 +1673,8 @@ static int igc_ethtool_get_link_ksettings(struct net_device *netdev,
+       /* twisted pair */
+       cmd->base.port = PORT_TP;
+       cmd->base.phy_address = hw->phy.addr;
++      ethtool_link_ksettings_add_link_mode(cmd, supported, TP);
++      ethtool_link_ksettings_add_link_mode(cmd, advertising, TP);
+       /* advertising link modes */
+       if (hw->phy.autoneg_advertised & ADVERTISE_10_HALF)
+-- 
+2.39.2
+
diff --git a/queue-5.10/ionic-remove-warn_on-to-prevent-panic_on_warn.patch b/queue-5.10/ionic-remove-warn_on-to-prevent-panic_on_warn.patch
new file mode 100644 (file)
index 0000000..7ec6e83
--- /dev/null
@@ -0,0 +1,42 @@
+From d882c5c49b84da8cf2d6039045449ef7fb0316bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jul 2023 11:20:06 -0700
+Subject: ionic: remove WARN_ON to prevent panic_on_warn
+
+From: Nitya Sunkad <nitya.sunkad@amd.com>
+
+[ Upstream commit abfb2a58a5377ebab717d4362d6180f901b6e5c1 ]
+
+Remove unnecessary early code development check and the WARN_ON
+that it uses.  The irq alloc and free paths have long been
+cleaned up and this check shouldn't have stuck around so long.
+
+Fixes: 77ceb68e29cc ("ionic: Add notifyq support")
+Signed-off-by: Nitya Sunkad <nitya.sunkad@amd.com>
+Signed-off-by: Shannon Nelson <shannon.nelson@amd.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/pensando/ionic/ionic_lif.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+index fcd4213c99b83..098772601df8c 100644
+--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c
++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+@@ -433,11 +433,6 @@ static void ionic_qcqs_free(struct ionic_lif *lif)
+ static void ionic_link_qcq_interrupts(struct ionic_qcq *src_qcq,
+                                     struct ionic_qcq *n_qcq)
+ {
+-      if (WARN_ON(n_qcq->flags & IONIC_QCQ_F_INTR)) {
+-              ionic_intr_free(n_qcq->cq.lif->ionic, n_qcq->intr.index);
+-              n_qcq->flags &= ~IONIC_QCQ_F_INTR;
+-      }
+-
+       n_qcq->intr.vector = src_qcq->intr.vector;
+       n_qcq->intr.index = src_qcq->intr.index;
+ }
+-- 
+2.39.2
+
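Review bot: With the guard removed from ionic_link_qcq_interrupts(), a caller that passes an n_qcq still carrying IONIC_QCQ_F_INTR would have its intr.index overwritten without the old interrupt being released, and nothing in the function now says this must not happen. The commit message states that the irq alloc and free paths were cleaned up, but this is a 5.10 backport and those paths are not in the hunk, so it is worth confirming they are present in this tree. I would record the precondition above the two assignments, e.g. `/* n_qcq must not own an interrupt here (IONIC_QCQ_F_INTR clear); it borrows src_qcq's vector and index */`.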
diff --git a/queue-5.10/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch b/queue-5.10/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch
new file mode 100644 (file)
index 0000000..4dd464c
--- /dev/null
@@ -0,0 +1,53 @@
+From 07fc730e8fffd463605d4bd1de5a3366e57fae89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 Jul 2023 14:59:10 +0800
+Subject: ipv6/addrconf: fix a potential refcount underflow for idev
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit 06a0716949c22e2aefb648526580671197151acc ]
+
+Now in addrconf_mod_rs_timer(), reference idev depends on whether
+rs_timer is not pending. Then modify rs_timer timeout.
+
+There is a time gap in [1], during which if the pending rs_timer
+becomes not pending. It will miss to hold idev, but the rs_timer
+is activated. Thus rs_timer callback function addrconf_rs_timer()
+will be executed and put idev later without holding idev. A refcount
+underflow issue for idev can be caused by this.
+
+       if (!timer_pending(&idev->rs_timer))
+               in6_dev_hold(idev);
+                 <--------------[1]
+       mod_timer(&idev->rs_timer, jiffies + when);
+
+To fix the issue, hold idev if mod_timer() return 0.
+
+Fixes: b7b1bfce0bb6 ("ipv6: split duplicate address detection and router solicitation timer")
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/addrconf.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index ed1e5bfc97b31..d5d10496b4aef 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -314,9 +314,8 @@ static void addrconf_del_dad_work(struct inet6_ifaddr *ifp)
+ static void addrconf_mod_rs_timer(struct inet6_dev *idev,
+                                 unsigned long when)
+ {
+-      if (!timer_pending(&idev->rs_timer))
++      if (!mod_timer(&idev->rs_timer, jiffies + when))
+               in6_dev_hold(idev);
+-      mod_timer(&idev->rs_timer, jiffies + when);
+ }
+ static void addrconf_mod_dad_work(struct inet6_ifaddr *ifp,
+-- 
+2.39.2
+
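Review bot: The new condition in addrconf_mod_rs_timer() depends on the return value of mod_timer(), and the reference pairing it implements is not explained at the call. A one-line comment would keep a later edit from reintroducing a separate timer_pending() test: `/* mod_timer() returns 0 when the timer was inactive: take the idev reference that addrconf_rs_timer() will put */`. The callback and the places that delete rs_timer are outside the hunk, so whether each of them drops exactly one reference cannot be checked from here.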
diff --git a/queue-5.10/net-bgmac-postpone-turning-irqs-off-to-avoid-soc-han.patch b/queue-5.10/net-bgmac-postpone-turning-irqs-off-to-avoid-soc-han.patch
new file mode 100644 (file)
index 0000000..6ca6484
--- /dev/null
@@ -0,0 +1,55 @@
+From ed50cac1312221bd55775880bbadd85707d48851 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jul 2023 08:53:25 +0200
+Subject: net: bgmac: postpone turning IRQs off to avoid SoC hangs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki <rafal@milecki.pl>
+
+[ Upstream commit e7731194fdf085f46d58b1adccfddbd0dfee4873 ]
+
+Turning IRQs off is done by accessing Ethernet controller registers.
+That can't be done until device's clock is enabled. It results in a SoC
+hang otherwise.
+
+This bug remained unnoticed for years as most bootloaders keep all
+Ethernet interfaces turned on. It seems to only affect a niche SoC
+family BCM47189. It has two Ethernet controllers but CFE bootloader uses
+only the first one.
+
+Fixes: 34322615cbaa ("net: bgmac: Mask interrupts during probe")
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bgmac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bgmac.c b/drivers/net/ethernet/broadcom/bgmac.c
+index bb999e67d7736..ab8ee93316354 100644
+--- a/drivers/net/ethernet/broadcom/bgmac.c
++++ b/drivers/net/ethernet/broadcom/bgmac.c
+@@ -1492,8 +1492,6 @@ int bgmac_enet_probe(struct bgmac *bgmac)
+       bgmac->in_init = true;
+-      bgmac_chip_intrs_off(bgmac);
+-
+       net_dev->irq = bgmac->irq;
+       SET_NETDEV_DEV(net_dev, bgmac->dev);
+       dev_set_drvdata(bgmac->dev, bgmac);
+@@ -1511,6 +1509,8 @@ int bgmac_enet_probe(struct bgmac *bgmac)
+        */
+       bgmac_clk_enable(bgmac, 0);
++      bgmac_chip_intrs_off(bgmac);
++
+       /* This seems to be fixing IRQ by assigning OOB #6 to the core */
+       if (!(bgmac->feature_flags & BGMAC_FEAT_IDM_MASK)) {
+               if (bgmac->feature_flags & BGMAC_FEAT_IRQ_ID_OOB_6)
+-- 
+2.39.2
+
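Review bot: The relocated bgmac_chip_intrs_off() call in bgmac_enet_probe() must come after bgmac_clk_enable(), but only the commit message explains that, so a later cleanup could move it back up. I would add `/* Needs the device clock: accessing controller registers with the clock off hangs the SoC */` directly above the call. The rest of the probe function is outside the hunks. Since interrupts are now masked later than before, it should be confirmed that nothing between `bgmac->in_init = true` and the new position registers or enables the IRQ handler.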
diff --git a/queue-5.10/net-mlx5e-check-for-not_ready-flag-state-after-locki.patch b/queue-5.10/net-mlx5e-check-for-not_ready-flag-state-after-locki.patch
new file mode 100644 (file)
index 0000000..7f37aaa
--- /dev/null
@@ -0,0 +1,133 @@
+From 4fab9166cfad1448f3e5a54a365ade31178e240e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jun 2023 09:32:10 +0200
+Subject: net/mlx5e: Check for NOT_READY flag state after locking
+
+From: Vlad Buslov <vladbu@nvidia.com>
+
+[ Upstream commit 65e64640e97c0f223e77f9ea69b5a46186b93470 ]
+
+Currently the check for NOT_READY flag is performed before obtaining the
+necessary lock. This opens a possibility for race condition when the flow
+is concurrently removed from unready_flows list by the workqueue task,
+which causes a double-removal from the list and a crash[0]. Fix the issue
+by moving the flag check inside the section protected by
+uplink_priv->unready_flows_lock mutex.
+
+[0]:
+[44376.389654] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] SMP
+[44376.391665] CPU: 7 PID: 59123 Comm: tc Not tainted 6.4.0-rc4+ #1
+[44376.392984] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+[44376.395342] RIP: 0010:mlx5e_tc_del_fdb_flow+0xb3/0x340 [mlx5_core]
+[44376.396857] Code: 00 48 8b b8 68 ce 02 00 e8 8a 4d 02 00 4c 8d a8 a8 01 00 00 4c 89 ef e8 8b 79 88 e1 48 8b 83 98 06 00 00 48 8b 93 90 06 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 83 90 06
+[44376.399167] RSP: 0018:ffff88812cc97570 EFLAGS: 00010246
+[44376.399680] RAX: dead000000000122 RBX: ffff8881088e3800 RCX: ffff8881881bac00
+[44376.400337] RDX: dead000000000100 RSI: ffff88812cc97500 RDI: ffff8881242f71b0
+[44376.401001] RBP: ffff88811cbb0940 R08: 0000000000000400 R09: 0000000000000001
+[44376.401663] R10: 0000000000000001 R11: 0000000000000000 R12: ffff88812c944000
+[44376.402342] R13: ffff8881242f71a8 R14: ffff8881222b4000 R15: 0000000000000000
+[44376.402999] FS:  00007f0451104800(0000) GS:ffff88852cb80000(0000) knlGS:0000000000000000
+[44376.403787] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[44376.404343] CR2: 0000000000489108 CR3: 0000000123a79003 CR4: 0000000000370ea0
+[44376.405004] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[44376.405665] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[44376.406339] Call Trace:
+[44376.406651]  <TASK>
+[44376.406939]  ? die_addr+0x33/0x90
+[44376.407311]  ? exc_general_protection+0x192/0x390
+[44376.407795]  ? asm_exc_general_protection+0x22/0x30
+[44376.408292]  ? mlx5e_tc_del_fdb_flow+0xb3/0x340 [mlx5_core]
+[44376.408876]  __mlx5e_tc_del_fdb_peer_flow+0xbc/0xe0 [mlx5_core]
+[44376.409482]  mlx5e_tc_del_flow+0x42/0x210 [mlx5_core]
+[44376.410055]  mlx5e_flow_put+0x25/0x50 [mlx5_core]
+[44376.410529]  mlx5e_delete_flower+0x24b/0x350 [mlx5_core]
+[44376.411043]  tc_setup_cb_reoffload+0x22/0x80
+[44376.411462]  fl_reoffload+0x261/0x2f0 [cls_flower]
+[44376.411907]  ? mlx5e_rep_indr_setup_ft_cb+0x160/0x160 [mlx5_core]
+[44376.412481]  ? mlx5e_rep_indr_setup_ft_cb+0x160/0x160 [mlx5_core]
+[44376.413044]  tcf_block_playback_offloads+0x76/0x170
+[44376.413497]  tcf_block_unbind+0x7b/0xd0
+[44376.413881]  tcf_block_setup+0x17d/0x1c0
+[44376.414269]  tcf_block_offload_cmd.isra.0+0xf1/0x130
+[44376.414725]  tcf_block_offload_unbind+0x43/0x70
+[44376.415153]  __tcf_block_put+0x82/0x150
+[44376.415532]  ingress_destroy+0x22/0x30 [sch_ingress]
+[44376.415986]  qdisc_destroy+0x3b/0xd0
+[44376.416343]  qdisc_graft+0x4d0/0x620
+[44376.416706]  tc_get_qdisc+0x1c9/0x3b0
+[44376.417074]  rtnetlink_rcv_msg+0x29c/0x390
+[44376.419978]  ? rep_movs_alternative+0x3a/0xa0
+[44376.420399]  ? rtnl_calcit.isra.0+0x120/0x120
+[44376.420813]  netlink_rcv_skb+0x54/0x100
+[44376.421192]  netlink_unicast+0x1f6/0x2c0
+[44376.421573]  netlink_sendmsg+0x232/0x4a0
+[44376.421980]  sock_sendmsg+0x38/0x60
+[44376.422328]  ____sys_sendmsg+0x1d0/0x1e0
+[44376.422709]  ? copy_msghdr_from_user+0x6d/0xa0
+[44376.423127]  ___sys_sendmsg+0x80/0xc0
+[44376.423495]  ? ___sys_recvmsg+0x8b/0xc0
+[44376.423869]  __sys_sendmsg+0x51/0x90
+[44376.424226]  do_syscall_64+0x3d/0x90
+[44376.424587]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
+[44376.425046] RIP: 0033:0x7f045134f887
+[44376.425403] Code: 0a 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
+[44376.426914] RSP: 002b:00007ffd63a82b98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+[44376.427592] RAX: ffffffffffffffda RBX: 000000006481955f RCX: 00007f045134f887
+[44376.428195] RDX: 0000000000000000 RSI: 00007ffd63a82c00 RDI: 0000000000000003
+[44376.428796] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
+[44376.429404] R10: 00007f0451208708 R11: 0000000000000246 R12: 0000000000000001
+[44376.430039] R13: 0000000000409980 R14: 000000000047e538 R15: 0000000000485400
+[44376.430644]  </TASK>
+[44376.430907] Modules linked in: mlx5_ib mlx5_core act_mirred act_tunnel_key cls_flower vxlan dummy sch_ingress openvswitch nsh rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_g
+ss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: mlx5_core]
+[44376.433936] ---[ end trace 0000000000000000 ]---
+[44376.434373] RIP: 0010:mlx5e_tc_del_fdb_flow+0xb3/0x340 [mlx5_core]
+[44376.434951] Code: 00 48 8b b8 68 ce 02 00 e8 8a 4d 02 00 4c 8d a8 a8 01 00 00 4c 89 ef e8 8b 79 88 e1 48 8b 83 98 06 00 00 48 8b 93 90 06 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 83 90 06
+[44376.436452] RSP: 0018:ffff88812cc97570 EFLAGS: 00010246
+[44376.436924] RAX: dead000000000122 RBX: ffff8881088e3800 RCX: ffff8881881bac00
+[44376.437530] RDX: dead000000000100 RSI: ffff88812cc97500 RDI: ffff8881242f71b0
+[44376.438179] RBP: ffff88811cbb0940 R08: 0000000000000400 R09: 0000000000000001
+[44376.438786] R10: 0000000000000001 R11: 0000000000000000 R12: ffff88812c944000
+[44376.439393] R13: ffff8881242f71a8 R14: ffff8881222b4000 R15: 0000000000000000
+[44376.439998] FS:  00007f0451104800(0000) GS:ffff88852cb80000(0000) knlGS:0000000000000000
+[44376.440714] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[44376.441225] CR2: 0000000000489108 CR3: 0000000123a79003 CR4: 0000000000370ea0
+[44376.441843] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[44376.442471] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Fixes: ad86755b18d5 ("net/mlx5e: Protect unready flows with dedicated lock")
+Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
+Reviewed-by: Roi Dayan <roid@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+index 16846442717dc..c6a81a51530d2 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -1334,7 +1334,8 @@ static void remove_unready_flow(struct mlx5e_tc_flow *flow)
+       uplink_priv = &rpriv->uplink_priv;
+       mutex_lock(&uplink_priv->unready_flows_lock);
+-      unready_flow_del(flow);
++      if (flow_flag_test(flow, NOT_READY))
++              unready_flow_del(flow);
+       mutex_unlock(&uplink_priv->unready_flows_lock);
+ }
+@@ -1475,8 +1476,7 @@ static void mlx5e_tc_del_fdb_flow(struct mlx5e_priv *priv,
+       mlx5e_put_flow_tunnel_id(flow);
+-      if (flow_flag_test(flow, NOT_READY))
+-              remove_unready_flow(flow);
++      remove_unready_flow(flow);
+       if (mlx5e_is_offloaded_flow(flow)) {
+               if (flow_flag_test(flow, SLOW))
+-- 
+2.39.2
+
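Review bot: The NOT_READY test that now sits inside remove_unready_flow() is race-free only if every path that clears the flag or unlinks the flow also holds uplink_priv->unready_flows_lock, and the workqueue side named in the commit message is not in the hunk to confirm that. A comment at the test would make the rule explicit: `/* NOT_READY is only tested and changed under unready_flows_lock */`. Because mlx5e_tc_del_fdb_flow() now calls remove_unready_flow() unconditionally, every FDB flow deletion takes this mutex and runs the lookup that precedes it. The start of remove_unready_flow() is outside the hunk, so whether that lookup is safe for flows that were never unready should be checked.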
diff --git a/queue-5.10/net-mlx5e-fix-double-free-in-mlx5e_destroy_flow_tabl.patch b/queue-5.10/net-mlx5e-fix-double-free-in-mlx5e_destroy_flow_tabl.patch
new file mode 100644 (file)
index 0000000..390629d
--- /dev/null
@@ -0,0 +1,38 @@
+From 51c1d01a8df6ae61c3421a1b34f59d4ff6474735 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jun 2023 08:59:34 +0800
+Subject: net/mlx5e: fix double free in mlx5e_destroy_flow_table
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 884abe45a9014d0de2e6edb0630dfd64f23f1d1b ]
+
+In function accel_fs_tcp_create_groups(), when the ft->g memory is
+successfully allocated but the 'in' memory fails to be allocated, the
+memory pointed to by ft->g is released once. And in function
+accel_fs_tcp_create_table, mlx5e_destroy_flow_table is called to release
+the memory pointed to by ft->g again. This will cause double free problem.
+
+Fixes: c062d52ac24c ("net/mlx5e: Receive flow steering framework for accelerated TCP flows")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_accel/fs_tcp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/fs_tcp.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/fs_tcp.c
+index e51f60b55daa4..2da90f6649d17 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/fs_tcp.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/fs_tcp.c
+@@ -194,6 +194,7 @@ static int accel_fs_tcp_create_groups(struct mlx5e_flow_table *ft,
+       in = kvzalloc(inlen, GFP_KERNEL);
+       if  (!in || !ft->g) {
+               kfree(ft->g);
++              ft->g = NULL;
+               kvfree(in);
+               return -ENOMEM;
+       }
+-- 
+2.39.2
+
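Review bot: Setting `ft->g = NULL` in accel_fs_tcp_create_groups() stops the second kfree(), but the caller's cleanup then sees a NULL group array. It should be confirmed that mlx5e_destroy_flow_table() does not index ft->g when no groups were created; that function is not in the hunk. A short comment next to the new line, such as `/* caller's error path releases ft->g again via mlx5e_destroy_flow_table() */`, would explain why the pointer is cleared. The function starts before the hunk and continues after it.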
diff --git a/queue-5.10/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch b/queue-5.10/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch
new file mode 100644 (file)
index 0000000..48d4f71
--- /dev/null
@@ -0,0 +1,48 @@
+From 8d474071fb65277ad4a185d716e67d58a5603536 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jul 2023 07:37:12 +0200
+Subject: net: mvneta: fix txq_map in case of txq_number==1
+
+From: Klaus Kudielka <klaus.kudielka@gmail.com>
+
+[ Upstream commit 21327f81db6337c8843ce755b01523c7d3df715b ]
+
+If we boot with mvneta.txq_number=1, the txq_map is set incorrectly:
+MVNETA_CPU_TXQ_ACCESS(1) refers to TX queue 1, but only TX queue 0 is
+initialized. Fix this.
+
+Fixes: 50bf8cb6fc9c ("net: mvneta: Configure XPS support")
+Signed-off-by: Klaus Kudielka <klaus.kudielka@gmail.com>
+Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
+Link: https://lore.kernel.org/r/20230705053712.3914-1-klaus.kudielka@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvneta.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
+index f5567d485e91a..3656a3937eca6 100644
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -1471,7 +1471,7 @@ static void mvneta_defaults_set(struct mvneta_port *pp)
+                        */
+                       if (txq_number == 1)
+                               txq_map = (cpu == pp->rxq_def) ?
+-                                      MVNETA_CPU_TXQ_ACCESS(1) : 0;
++                                      MVNETA_CPU_TXQ_ACCESS(0) : 0;
+               } else {
+                       txq_map = MVNETA_CPU_TXQ_ACCESS_ALL_MASK;
+@@ -4165,7 +4165,7 @@ static void mvneta_percpu_elect(struct mvneta_port *pp)
+                */
+               if (txq_number == 1)
+                       txq_map = (cpu == elected_cpu) ?
+-                              MVNETA_CPU_TXQ_ACCESS(1) : 0;
++                              MVNETA_CPU_TXQ_ACCESS(0) : 0;
+               else
+                       txq_map = mvreg_read(pp, MVNETA_CPU_MAP(cpu)) &
+                               MVNETA_CPU_TXQ_ACCESS_ALL_MASK;
+-- 
+2.39.2
+
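Review bot: The corrected expression `MVNETA_CPU_TXQ_ACCESS(0)` appears identically in mvneta_defaults_set() and mvneta_percpu_elect(), and the argument is a bare queue index whose meaning is only clear from the commit message. A comment at each site, e.g. `/* txq_number == 1: only TX queue 0 exists */`, or a small shared helper would keep the two copies from drifting again. Both functions extend beyond their hunks, so other uses of the macro in them are not visible here.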
diff --git a/queue-5.10/net-prevent-skb-corruption-on-frag-list-segmentation.patch b/queue-5.10/net-prevent-skb-corruption-on-frag-list-segmentation.patch
new file mode 100644 (file)
index 0000000..469cf66
--- /dev/null
@@ -0,0 +1,102 @@
+From 26aa2d34f0d6c8d867b7723dbaeb20226317bd4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jul 2023 10:11:10 +0200
+Subject: net: prevent skb corruption on frag list segmentation
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit c329b261afe71197d9da83c1f18eb45a7e97e089 ]
+
+Ian reported several skb corruptions triggered by rx-gro-list,
+collecting different oops alike:
+
+[   62.624003] BUG: kernel NULL pointer dereference, address: 00000000000000c0
+[   62.631083] #PF: supervisor read access in kernel mode
+[   62.636312] #PF: error_code(0x0000) - not-present page
+[   62.641541] PGD 0 P4D 0
+[   62.644174] Oops: 0000 [#1] PREEMPT SMP NOPTI
+[   62.648629] CPU: 1 PID: 913 Comm: napi/eno2-79 Not tainted 6.4.0 #364
+[   62.655162] Hardware name: Supermicro Super Server/A2SDi-12C-HLN4F, BIOS 1.7a 10/13/2022
+[   62.663344] RIP: 0010:__udp_gso_segment (./include/linux/skbuff.h:2858
+./include/linux/udp.h:23 net/ipv4/udp_offload.c:228 net/ipv4/udp_offload.c:261
+net/ipv4/udp_offload.c:277)
+[   62.687193] RSP: 0018:ffffbd3a83b4f868 EFLAGS: 00010246
+[   62.692515] RAX: 00000000000000ce RBX: 0000000000000000 RCX: 0000000000000000
+[   62.699743] RDX: ffffa124def8a000 RSI: 0000000000000079 RDI: ffffa125952a14d4
+[   62.706970] RBP: ffffa124def8a000 R08: 0000000000000022 R09: 00002000001558c9
+[   62.714199] R10: 0000000000000000 R11: 00000000be554639 R12: 00000000000000e2
+[   62.721426] R13: ffffa125952a1400 R14: ffffa125952a1400 R15: 00002000001558c9
+[   62.728654] FS:  0000000000000000(0000) GS:ffffa127efa40000(0000)
+knlGS:0000000000000000
+[   62.736852] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   62.742702] CR2: 00000000000000c0 CR3: 00000001034b0000 CR4: 00000000003526e0
+[   62.749948] Call Trace:
+[   62.752498]  <TASK>
+[   62.779267] inet_gso_segment (net/ipv4/af_inet.c:1398)
+[   62.787605] skb_mac_gso_segment (net/core/gro.c:141)
+[   62.791906] __skb_gso_segment (net/core/dev.c:3403 (discriminator 2))
+[   62.800492] validate_xmit_skb (./include/linux/netdevice.h:4862
+net/core/dev.c:3659)
+[   62.804695] validate_xmit_skb_list (net/core/dev.c:3710)
+[   62.809158] sch_direct_xmit (net/sched/sch_generic.c:330)
+[   62.813198] __dev_queue_xmit (net/core/dev.c:3805 net/core/dev.c:4210)
+net/netfilter/core.c:626)
+[   62.821093] br_dev_queue_push_xmit (net/bridge/br_forward.c:55)
+[   62.825652] maybe_deliver (net/bridge/br_forward.c:193)
+[   62.829420] br_flood (net/bridge/br_forward.c:233)
+[   62.832758] br_handle_frame_finish (net/bridge/br_input.c:215)
+[   62.837403] br_handle_frame (net/bridge/br_input.c:298
+net/bridge/br_input.c:416)
+[   62.851417] __netif_receive_skb_core.constprop.0 (net/core/dev.c:5387)
+[   62.866114] __netif_receive_skb_list_core (net/core/dev.c:5570)
+[   62.871367] netif_receive_skb_list_internal (net/core/dev.c:5638
+net/core/dev.c:5727)
+[   62.876795] napi_complete_done (./include/linux/list.h:37
+./include/net/gro.h:434 ./include/net/gro.h:429 net/core/dev.c:6067)
+[   62.881004] ixgbe_poll (drivers/net/ethernet/intel/ixgbe/ixgbe_main.c:3191)
+[   62.893534] __napi_poll (net/core/dev.c:6498)
+[   62.897133] napi_threaded_poll (./include/linux/netpoll.h:89
+net/core/dev.c:6640)
+[   62.905276] kthread (kernel/kthread.c:379)
+[   62.913435] ret_from_fork (arch/x86/entry/entry_64.S:314)
+[   62.917119]  </TASK>
+
+In the critical scenario, rx-gro-list GRO-ed packets are fed, via a
+bridge, both to the local input path and to an egress device (tun).
+
+The segmentation of such packets unsafely writes to the cloned skbs
+with shared heads.
+
+This change addresses the issue by uncloning as needed the
+to-be-segmented skbs.
+
+Reported-by: Ian Kumlien <ian.kumlien@gmail.com>
+Tested-by: Ian Kumlien <ian.kumlien@gmail.com>
+Fixes: 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skbuff.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index e203172b9b9e7..b10285d06a2ca 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3685,6 +3685,11 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb,
+       skb_push(skb, -skb_network_offset(skb) + offset);
++      /* Ensure the head is writeable before touching the shared info */
++      err = skb_unclone(skb, GFP_ATOMIC);
++      if (err)
++              goto err_linearize;
++
+       skb_shinfo(skb)->frag_list = NULL;
+       while (list_skb) {
+-- 
+2.39.2
+
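Review bot: The new skb_unclone() failure path in skb_segment_list() jumps to err_linearize after skb_push() has already moved skb->data, and judging by its name that label was meant for a failure inside the segment loop. The label and the declaration of `err` are outside the hunk, so for this 5.10 backport it should be confirmed that both exist in this tree and that the cleanup there is correct when no segment has been processed yet. If the label's cleanup assumes loop state, a separate early exit would be safer than reusing it.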
diff --git a/queue-5.10/net-sched-cls_fw-fix-improper-refcount-update-leads-.patch b/queue-5.10/net-sched-cls_fw-fix-improper-refcount-update-leads-.patch
new file mode 100644 (file)
index 0000000..26a7b7a
--- /dev/null
@@ -0,0 +1,62 @@
+From a5dfedd80251cd7f449b05be9ca3bfee01513642 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jul 2023 12:15:30 -0400
+Subject: net/sched: cls_fw: Fix improper refcount update leads to
+ use-after-free
+
+From: M A Ramdhan <ramdhan@starlabs.sg>
+
+[ Upstream commit 0323bce598eea038714f941ce2b22541c46d488f ]
+
+In the event of a failure in tcf_change_indev(), fw_set_parms() will
+immediately return an error after incrementing or decrementing
+reference counter in tcf_bind_filter().  If attacker can control
+reference counter to zero and make reference freed, leading to
+use after free.
+
+In order to prevent this, move the point of possible failure above the
+point where the TC_FW_CLASSID is handled.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: M A Ramdhan <ramdhan@starlabs.sg>
+Signed-off-by: M A Ramdhan <ramdhan@starlabs.sg>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
+Message-ID: <20230705161530.52003-1-ramdhan@starlabs.sg>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/cls_fw.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
+index ec945294626a8..41f0898a5a565 100644
+--- a/net/sched/cls_fw.c
++++ b/net/sched/cls_fw.c
+@@ -210,11 +210,6 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp,
+       if (err < 0)
+               return err;
+-      if (tb[TCA_FW_CLASSID]) {
+-              f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);
+-              tcf_bind_filter(tp, &f->res, base);
+-      }
+-
+       if (tb[TCA_FW_INDEV]) {
+               int ret;
+               ret = tcf_change_indev(net, tb[TCA_FW_INDEV], extack);
+@@ -231,6 +226,11 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp,
+       } else if (head->mask != 0xFFFFFFFF)
+               return err;
++      if (tb[TCA_FW_CLASSID]) {
++              f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);
++              tcf_bind_filter(tp, &f->res, base);
++      }
++
+       return 0;
+ }
+-- 
+2.39.2
+
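Review bot: The fix in fw_set_parms() works because tcf_bind_filter() is now the last step before `return 0`, but nothing in the code states that ordering rule, so a later change could add a fallible step after the bind again. I would add above the moved block `/* Bind last: no error return may follow tcf_bind_filter(), which changes the class reference count */`. The function is only partly visible across the two hunks, so it should be checked that every remaining `return err` is reached before the bind. Other classifiers that bind before a step that can fail would need the same reordering; none are visible on this page.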
diff --git a/queue-5.10/net-sched-flower-ensure-both-minimum-and-maximum-por.patch b/queue-5.10/net-sched-flower-ensure-both-minimum-and-maximum-por.patch
new file mode 100644 (file)
index 0000000..3df73ff
--- /dev/null
@@ -0,0 +1,82 @@
+From 1b7c76fe6d9b400849874bef849242b3832a3ed2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Jul 2023 10:08:09 +0300
+Subject: net/sched: flower: Ensure both minimum and maximum ports are
+ specified
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit d3f87278bcb80bd7f9519669d928b43320363d4f ]
+
+The kernel does not currently validate that both the minimum and maximum
+ports of a port range are specified. This can lead user space to think
+that a filter matching on a port range was successfully added, when in
+fact it was not. For example, with a patched (buggy) iproute2 that only
+sends the minimum port, the following commands do not return an error:
+
+ # tc filter add dev swp1 ingress pref 1 proto ip flower ip_proto udp src_port 100-200 action pass
+
+ # tc filter add dev swp1 ingress pref 1 proto ip flower ip_proto udp dst_port 100-200 action pass
+
+ # tc filter show dev swp1 ingress
+ filter protocol ip pref 1 flower chain 0
+ filter protocol ip pref 1 flower chain 0 handle 0x1
+   eth_type ipv4
+   ip_proto udp
+   not_in_hw
+         action order 1: gact action pass
+          random type none pass val 0
+          index 1 ref 1 bind 1
+
+ filter protocol ip pref 1 flower chain 0 handle 0x2
+   eth_type ipv4
+   ip_proto udp
+   not_in_hw
+         action order 1: gact action pass
+          random type none pass val 0
+          index 2 ref 1 bind 1
+
+Fix by returning an error unless both ports are specified:
+
+ # tc filter add dev swp1 ingress pref 1 proto ip flower ip_proto udp src_port 100-200 action pass
+ Error: Both min and max source ports must be specified.
+ We have an error talking to the kernel
+
+ # tc filter add dev swp1 ingress pref 1 proto ip flower ip_proto udp dst_port 100-200 action pass
+ Error: Both min and max destination ports must be specified.
+ We have an error talking to the kernel
+
+Fixes: 5c72299fba9d ("net: sched: cls_flower: Classify packets using port ranges")
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/cls_flower.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
+index caf1a05bfbde4..dcf21d99f132c 100644
+--- a/net/sched/cls_flower.c
++++ b/net/sched/cls_flower.c
+@@ -778,6 +778,16 @@ static int fl_set_key_port_range(struct nlattr **tb, struct fl_flow_key *key,
+                      TCA_FLOWER_KEY_PORT_SRC_MAX, &mask->tp_range.tp_max.src,
+                      TCA_FLOWER_UNSPEC, sizeof(key->tp_range.tp_max.src));
++      if (mask->tp_range.tp_min.dst != mask->tp_range.tp_max.dst) {
++              NL_SET_ERR_MSG(extack,
++                             "Both min and max destination ports must be specified");
++              return -EINVAL;
++      }
++      if (mask->tp_range.tp_min.src != mask->tp_range.tp_max.src) {
++              NL_SET_ERR_MSG(extack,
++                             "Both min and max source ports must be specified");
++              return -EINVAL;
++      }
+       if (mask->tp_range.tp_min.dst && mask->tp_range.tp_max.dst &&
+           ntohs(key->tp_range.tp_max.dst) <=
+           ntohs(key->tp_range.tp_min.dst)) {
+-- 
+2.39.2
+
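Review bot: The two new checks in fl_set_key_port_range() compare masks rather than testing the netlink attributes, which is not obvious to a reader. This presumably relies on fl_set_key_val() filling the mask completely when the attribute is present and leaving it zero otherwise; that helper is outside the hunk. A comment above the first check, such as `/* a min/max mask mismatch means only one end of the range was supplied */`, would record the assumption. The function begins before the hunk and continues after it.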
diff --git a/queue-5.10/net-sched-make-psched_mtu-rtnl-less-safe.patch b/queue-5.10/net-sched-make-psched_mtu-rtnl-less-safe.patch
new file mode 100644 (file)
index 0000000..73e21be
--- /dev/null
@@ -0,0 +1,49 @@
+From 138f6a37f75054e68b1ab8f84c79d3580fbbbba5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Jul 2023 23:16:34 -0300
+Subject: net/sched: make psched_mtu() RTNL-less safe
+
+From: Pedro Tammela <pctammela@mojatatu.com>
+
+[ Upstream commit 150e33e62c1fa4af5aaab02776b6c3812711d478 ]
+
+Eric Dumazet says[1]:
+-------
+Speaking of psched_mtu(), I see that net/sched/sch_pie.c is using it
+without holding RTNL, so dev->mtu can be changed underneath.
+KCSAN could issue a warning.
+-------
+
+Annotate dev->mtu with READ_ONCE() so KCSAN don't issue a warning.
+
+[1] https://lore.kernel.org/all/CANn89iJoJO5VtaJ-2=_d2aOQhb0Xw8iBT_Cxqp2HyuS-zj6azw@mail.gmail.com/
+
+v1 -> v2: Fix commit message
+
+Fixes: d4b36210c2e6 ("net: pkt_sched: PIE AQM scheme")
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230711021634.561598-1-pctammela@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/pkt_sched.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h
+index ba781e0aaf566..e186b2bd8c860 100644
+--- a/include/net/pkt_sched.h
++++ b/include/net/pkt_sched.h
+@@ -136,7 +136,7 @@ extern const struct nla_policy rtm_tca_policy[TCA_MAX + 1];
+  */
+ static inline unsigned int psched_mtu(const struct net_device *dev)
+ {
+-      return dev->mtu + dev->hard_header_len;
++      return READ_ONCE(dev->mtu) + dev->hard_header_len;
+ }
+ static inline struct net *qdisc_net(struct Qdisc *q)
+-- 
+2.39.2
+
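Review bot: In psched_mtu() only `dev->mtu` gets the READ_ONCE() annotation; `dev->hard_header_len` on the same line is still a plain load. If that field can also change while a qdisc calls this helper without RTNL (not determinable from this hunk), it would need the same treatment, `return READ_ONCE(dev->mtu) + READ_ONCE(dev->hard_header_len);`, paired with WRITE_ONCE() at its writers. A short comment above the return, `/* may be called without RTNL; dev->mtu can change concurrently */`, would record why the annotation is there.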
diff --git a/queue-5.10/net-sched-sch_qfq-account-for-stab-overhead-in-qfq_e.patch b/queue-5.10/net-sched-sch_qfq-account-for-stab-overhead-in-qfq_e.patch
new file mode 100644 (file)
index 0000000..a0a4094
--- /dev/null
@@ -0,0 +1,96 @@
+From f2f7cbdad43b636ff9da4a90f187be4aeb8562b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Jul 2023 18:01:02 -0300
+Subject: net/sched: sch_qfq: account for stab overhead in qfq_enqueue
+
+From: Pedro Tammela <pctammela@mojatatu.com>
+
+[ Upstream commit 3e337087c3b5805fe0b8a46ba622a962880b5d64 ]
+
+Lion says:
+-------
+In the QFQ scheduler a similar issue to CVE-2023-31436
+persists.
+
+Consider the following code in net/sched/sch_qfq.c:
+
+static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch,
+                struct sk_buff **to_free)
+{
+     unsigned int len = qdisc_pkt_len(skb), gso_segs;
+
+    // ...
+
+     if (unlikely(cl->agg->lmax < len)) {
+         pr_debug("qfq: increasing maxpkt from %u to %u for class %u",
+              cl->agg->lmax, len, cl->common.classid);
+         err = qfq_change_agg(sch, cl, cl->agg->class_weight, len);
+         if (err) {
+             cl->qstats.drops++;
+             return qdisc_drop(skb, sch, to_free);
+         }
+
+    // ...
+
+     }
+
+Similarly to CVE-2023-31436, "lmax" is increased without any bounds
+checks according to the packet length "len". Usually this would not
+impose a problem because packet sizes are naturally limited.
+
+This is however not the actual packet length, rather the
+"qdisc_pkt_len(skb)" which might apply size transformations according to
+"struct qdisc_size_table" as created by "qdisc_get_stab()" in
+net/sched/sch_api.c if the TCA_STAB option was set when modifying the qdisc.
+
+A user may choose virtually any size using such a table.
+
+As a result the same issue as in CVE-2023-31436 can occur, allowing heap
+out-of-bounds read / writes in the kmalloc-8192 cache.
+-------
+
+We can create the issue with the following commands:
+
+tc qdisc add dev $DEV root handle 1: stab mtu 2048 tsize 512 mpu 0 \
+overhead 999999999 linklayer ethernet qfq
+tc class add dev $DEV parent 1: classid 1:1 htb rate 6mbit burst 15k
+tc filter add dev $DEV parent 1: matchall classid 1:1
+ping -I $DEV 1.1.1.2
+
+This is caused by incorrectly assuming that qdisc_pkt_len() returns a
+length within the QFQ_MIN_LMAX < len < QFQ_MAX_LMAX.
+
+Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Reported-by: Lion <nnamrec@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_qfq.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index 975e444f2d820..616d1798cfef6 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -381,8 +381,13 @@ static int qfq_change_agg(struct Qdisc *sch, struct qfq_class *cl, u32 weight,
+                          u32 lmax)
+ {
+       struct qfq_sched *q = qdisc_priv(sch);
+-      struct qfq_aggregate *new_agg = qfq_find_agg(q, lmax, weight);
++      struct qfq_aggregate *new_agg;
++      /* 'lmax' can range from [QFQ_MIN_LMAX, pktlen + stab overhead] */
++      if (lmax > QFQ_MAX_LMAX)
++              return -EINVAL;
++
++      new_agg = qfq_find_agg(q, lmax, weight);
+       if (new_agg == NULL) { /* create new aggregate */
+               new_agg = kzalloc(sizeof(*new_agg), GFP_ATOMIC);
+               if (new_agg == NULL)
+-- 
+2.39.2
+
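Review bot: The comment added in qfq_change_agg() gives the range `lmax` can take but not why the upper bound is enforced here, and it sits directly under the declarations with no blank line. Since the commit message explains that the value can come from qdisc_pkt_len() after a size table has been applied, I would word it as `/* lmax may come from qdisc_pkt_len(), which a stab can inflate; refuse anything above QFQ_MAX_LMAX */`. Only the upper bound is checked; that looks sufficient for the qfq_enqueue() caller quoted in the message, which only ever raises lmax, but other callers are outside this hunk. The function body continues past the hunk.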
diff --git a/queue-5.10/net-sched-sch_qfq-refactor-parsing-of-netlink-parame.patch b/queue-5.10/net-sched-sch_qfq-refactor-parsing-of-netlink-parame.patch
new file mode 100644 (file)
index 0000000..3ee34dd
--- /dev/null
@@ -0,0 +1,87 @@
+From 53538e9ed4bd86297de2fe1e408f4b207ed8b82d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 22 Apr 2023 12:56:11 -0300
+Subject: net/sched: sch_qfq: refactor parsing of netlink parameters
+
+From: Pedro Tammela <pctammela@mojatatu.com>
+
+[ Upstream commit 25369891fcef373540f8b4e0b3bccf77a04490d5 ]
+
+Two parameters can be transformed into netlink policies and
+validated while parsing the netlink message.
+
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 3e337087c3b5 ("net/sched: sch_qfq: account for stab overhead in qfq_enqueue")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_qfq.c | 25 +++++++++++--------------
+ 1 file changed, 11 insertions(+), 14 deletions(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index cad7deacf60a4..975e444f2d820 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -113,6 +113,7 @@
+ #define QFQ_MTU_SHIFT         16      /* to support TSO/GSO */
+ #define QFQ_MIN_LMAX          512     /* see qfq_slot_insert */
++#define QFQ_MAX_LMAX          (1UL << QFQ_MTU_SHIFT)
+ #define QFQ_MAX_AGG_CLASSES   8 /* max num classes per aggregate allowed */
+@@ -214,9 +215,14 @@ static struct qfq_class *qfq_find_class(struct Qdisc *sch, u32 classid)
+       return container_of(clc, struct qfq_class, common);
+ }
++static struct netlink_range_validation lmax_range = {
++      .min = QFQ_MIN_LMAX,
++      .max = QFQ_MAX_LMAX,
++};
++
+ static const struct nla_policy qfq_policy[TCA_QFQ_MAX + 1] = {
+-      [TCA_QFQ_WEIGHT] = { .type = NLA_U32 },
+-      [TCA_QFQ_LMAX] = { .type = NLA_U32 },
++      [TCA_QFQ_WEIGHT] = NLA_POLICY_RANGE(NLA_U32, 1, QFQ_MAX_WEIGHT),
++      [TCA_QFQ_LMAX] = NLA_POLICY_FULL_RANGE(NLA_U32, &lmax_range),
+ };
+ /*
+@@ -408,17 +414,13 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+       }
+       err = nla_parse_nested_deprecated(tb, TCA_QFQ_MAX, tca[TCA_OPTIONS],
+-                                        qfq_policy, NULL);
++                                        qfq_policy, extack);
+       if (err < 0)
+               return err;
+-      if (tb[TCA_QFQ_WEIGHT]) {
++      if (tb[TCA_QFQ_WEIGHT])
+               weight = nla_get_u32(tb[TCA_QFQ_WEIGHT]);
+-              if (!weight || weight > (1UL << QFQ_MAX_WSHIFT)) {
+-                      pr_notice("qfq: invalid weight %u\n", weight);
+-                      return -EINVAL;
+-              }
+-      } else
++      else
+               weight = 1;
+       if (tb[TCA_QFQ_LMAX])
+@@ -426,11 +428,6 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+       else
+               lmax = psched_mtu(qdisc_dev(sch));
+-      if (lmax < QFQ_MIN_LMAX || lmax > (1UL << QFQ_MTU_SHIFT)) {
+-              pr_notice("qfq: invalid max length %u\n", lmax);
+-              return -EINVAL;
+-      }
+-
+       inv_w = ONE_FP / weight;
+       weight = ONE_FP / inv_w;
+-- 
+2.39.2
+
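Review bot: In qfq_change_class() the removed `lmax < QFQ_MIN_LMAX || lmax > (1UL << QFQ_MTU_SHIFT)` test ran after both branches, so it also covered `lmax = psched_mtu(qdisc_dev(sch))`; the new `qfq_policy` range only validates TCA_QFQ_LMAX when the attribute is present. As far as this hunk shows, a device MTU outside the range now reaches the aggregate code unchecked on the fallback path. I would keep a bound there, `if (lmax < QFQ_MIN_LMAX || lmax > QFQ_MAX_LMAX) return -EINVAL;` right after the psched_mtu() assignment, with an extack message so the caller sees why. The function continues outside the hunk.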
diff --git a/queue-5.10/netdevsim-fix-uninitialized-data-in-nsim_dev_trap_fa.patch b/queue-5.10/netdevsim-fix-uninitialized-data-in-nsim_dev_trap_fa.patch
new file mode 100644 (file)
index 0000000..565885a
--- /dev/null
@@ -0,0 +1,55 @@
+From a372d451f1e494f60eb06515981309299843c920 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Jul 2023 11:52:26 +0300
+Subject: netdevsim: fix uninitialized data in nsim_dev_trap_fa_cookie_write()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit f72207a5c0dbaaf6921cf9a6c0d2fd0bc249ea78 ]
+
+The simple_write_to_buffer() function is designed to handle partial
+writes.  It returns negatives on error, otherwise it returns the number
+of bytes that were able to be copied.  This code doesn't check the
+return properly.  We only know that the first byte is written, the rest
+of the buffer might be uninitialized.
+
+There is no need to use the simple_write_to_buffer() function.
+Partial writes are prohibited by the "if (*ppos != 0)" check at the
+start of the function.  Just use memdup_user() and copy the whole
+buffer.
+
+Fixes: d3cbb907ae57 ("netdevsim: add ACL trap reporting cookie as a metadata")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://lore.kernel.org/r/7c1f950b-3a7d-4252-82a6-876e53078ef7@moroto.mountain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/netdevsim/dev.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c
+index 9bbecf4d159b4..bcf354719745c 100644
+--- a/drivers/net/netdevsim/dev.c
++++ b/drivers/net/netdevsim/dev.c
+@@ -149,13 +149,10 @@ static ssize_t nsim_dev_trap_fa_cookie_write(struct file *file,
+       cookie_len = (count - 1) / 2;
+       if ((count - 1) % 2)
+               return -EINVAL;
+-      buf = kmalloc(count, GFP_KERNEL | __GFP_NOWARN);
+-      if (!buf)
+-              return -ENOMEM;
+-      ret = simple_write_to_buffer(buf, count, ppos, data, count);
+-      if (ret < 0)
+-              goto free_buf;
++      buf = memdup_user(data, count);
++      if (IS_ERR(buf))
++              return PTR_ERR(buf);
+       fa_cookie = kmalloc(sizeof(*fa_cookie) + cookie_len,
+                           GFP_KERNEL | __GFP_NOWARN);
+-- 
+2.39.2
+
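Review bot: `memdup_user(data, count)` in nsim_dev_trap_fa_cookie_write() takes the user-supplied `count` with no upper bound visible in this hunk; only the parity of `count - 1` is checked. The allocator will refuse oversized requests, but an explicit cap before the copy, `if (count > MAX_COOKIE_WRITE) return -EINVAL;` (`MAX_COOKIE_WRITE` is a placeholder name, not an existing constant), would make the limit part of the interface. It is also worth confirming that the `free_buf` label is still referenced further down, since this hunk removes one `goto free_buf`; the start and end of the function are outside the hunk.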
diff --git a/queue-5.10/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch b/queue-5.10/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch
new file mode 100644 (file)
index 0000000..d179211
--- /dev/null
@@ -0,0 +1,64 @@
+From acb70e7fad57fad2b84b9cef5f7abdbafd1deea1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Nov 2022 09:43:09 +0000
+Subject: NTB: amd: Fix error handling in amd_ntb_pci_driver_init()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 98af0a33c1101c29b3ce4f0cf4715fd927c717f9 ]
+
+A problem about ntb_hw_amd create debugfs failed is triggered with the
+following log given:
+
+ [  618.431232] AMD(R) PCI-E Non-Transparent Bridge Driver 1.0
+ [  618.433284] debugfs: Directory 'ntb_hw_amd' with parent '/' already present!
+
+The reason is that amd_ntb_pci_driver_init() returns pci_register_driver()
+directly without checking its return value, if pci_register_driver()
+failed, it returns without destroy the newly created debugfs, resulting
+the debugfs of ntb_hw_amd can never be created later.
+
+ amd_ntb_pci_driver_init()
+   debugfs_create_dir() # create debugfs directory
+   pci_register_driver()
+     driver_register()
+       bus_add_driver()
+         priv = kzalloc(...) # OOM happened
+   # return without destroy debugfs directory
+
+Fix by removing debugfs when pci_register_driver() returns error.
+
+Fixes: a1b3695820aa ("NTB: Add support for AMD PCI-Express Non-Transparent Bridge")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ntb/hw/amd/ntb_hw_amd.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ntb/hw/amd/ntb_hw_amd.c b/drivers/ntb/hw/amd/ntb_hw_amd.c
+index 71428d8cbcfc5..ac401ad7884a6 100644
+--- a/drivers/ntb/hw/amd/ntb_hw_amd.c
++++ b/drivers/ntb/hw/amd/ntb_hw_amd.c
+@@ -1344,12 +1344,17 @@ static struct pci_driver amd_ntb_pci_driver = {
+ static int __init amd_ntb_pci_driver_init(void)
+ {
++      int ret;
+       pr_info("%s %s\n", NTB_DESC, NTB_VER);
+       if (debugfs_initialized())
+               debugfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL);
+-      return pci_register_driver(&amd_ntb_pci_driver);
++      ret = pci_register_driver(&amd_ntb_pci_driver);
++      if (ret)
++              debugfs_remove_recursive(debugfs_dir);
++
++      return ret;
+ }
+ module_init(amd_ntb_pci_driver_init);
+-- 
+2.39.2
+
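Review bot: `int ret;` in amd_ntb_pci_driver_init() is followed directly by the pr_info() call; kernel style puts a blank line between the declarations and the first statement. The same applies to the `int ret;` added in idt_pci_driver_init() and intel_ntb_pci_driver_init() in the next two patches. A one-line comment on the new error path, `/* registration failed: remove the debugfs dir so a later load can create it again */`, would also record why the cleanup is there.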
diff --git a/queue-5.10/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch b/queue-5.10/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch
new file mode 100644 (file)
index 0000000..420401f
--- /dev/null
@@ -0,0 +1,66 @@
+From 901c9a0805498149af8ac8ca51b1ca8cba34d3d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Nov 2022 09:43:01 +0000
+Subject: ntb: idt: Fix error handling in idt_pci_driver_init()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit c012968259b451dc4db407f2310fe131eaefd800 ]
+
+A problem about ntb_hw_idt create debugfs failed is triggered with the
+following log given:
+
+ [ 1236.637636] IDT PCI-E Non-Transparent Bridge Driver 2.0
+ [ 1236.639292] debugfs: Directory 'ntb_hw_idt' with parent '/' already present!
+
+The reason is that idt_pci_driver_init() returns pci_register_driver()
+directly without checking its return value, if pci_register_driver()
+failed, it returns without destroy the newly created debugfs, resulting
+the debugfs of ntb_hw_idt can never be created later.
+
+ idt_pci_driver_init()
+   debugfs_create_dir() # create debugfs directory
+   pci_register_driver()
+     driver_register()
+       bus_add_driver()
+         priv = kzalloc(...) # OOM happened
+   # return without destroy debugfs directory
+
+Fix by removing debugfs when pci_register_driver() returns error.
+
+Fixes: bf2a952d31d2 ("NTB: Add IDT 89HPESxNTx PCIe-switches support")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ntb/hw/idt/ntb_hw_idt.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ntb/hw/idt/ntb_hw_idt.c b/drivers/ntb/hw/idt/ntb_hw_idt.c
+index d54261f508519..99711dd0b6e8e 100644
+--- a/drivers/ntb/hw/idt/ntb_hw_idt.c
++++ b/drivers/ntb/hw/idt/ntb_hw_idt.c
+@@ -2902,6 +2902,7 @@ static struct pci_driver idt_pci_driver = {
+ static int __init idt_pci_driver_init(void)
+ {
++      int ret;
+       pr_info("%s %s\n", NTB_DESC, NTB_VER);
+       /* Create the top DebugFS directory if the FS is initialized */
+@@ -2909,7 +2910,11 @@ static int __init idt_pci_driver_init(void)
+               dbgfs_topdir = debugfs_create_dir(KBUILD_MODNAME, NULL);
+       /* Register the NTB hardware driver to handle the PCI device */
+-      return pci_register_driver(&idt_pci_driver);
++      ret = pci_register_driver(&idt_pci_driver);
++      if (ret)
++              debugfs_remove_recursive(dbgfs_topdir);
++
++      return ret;
+ }
+ module_init(idt_pci_driver_init);
+-- 
+2.39.2
+
diff --git a/queue-5.10/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch b/queue-5.10/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch
new file mode 100644 (file)
index 0000000..2a289ba
--- /dev/null
@@ -0,0 +1,65 @@
+From f716610f915b3ea672a36b1d2b7d9c5077b6ef2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Nov 2022 09:43:22 +0000
+Subject: ntb: intel: Fix error handling in intel_ntb_pci_driver_init()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 4c3c796aca02883ad35bb117468938cc4022ca41 ]
+
+A problem about ntb_hw_intel create debugfs failed is triggered with the
+following log given:
+
+ [  273.112733] Intel(R) PCI-E Non-Transparent Bridge Driver 2.0
+ [  273.115342] debugfs: Directory 'ntb_hw_intel' with parent '/' already present!
+
+The reason is that intel_ntb_pci_driver_init() returns
+pci_register_driver() directly without checking its return value, if
+pci_register_driver() failed, it returns without destroy the newly created
+debugfs, resulting the debugfs of ntb_hw_intel can never be created later.
+
+ intel_ntb_pci_driver_init()
+   debugfs_create_dir() # create debugfs directory
+   pci_register_driver()
+     driver_register()
+       bus_add_driver()
+         priv = kzalloc(...) # OOM happened
+   # return without destroy debugfs directory
+
+Fix by removing debugfs when pci_register_driver() returns error.
+
+Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Acked-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ntb/hw/intel/ntb_hw_gen1.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ntb/hw/intel/ntb_hw_gen1.c b/drivers/ntb/hw/intel/ntb_hw_gen1.c
+index 093dd20057b92..4f1add57d81de 100644
+--- a/drivers/ntb/hw/intel/ntb_hw_gen1.c
++++ b/drivers/ntb/hw/intel/ntb_hw_gen1.c
+@@ -2068,12 +2068,17 @@ static struct pci_driver intel_ntb_pci_driver = {
+ static int __init intel_ntb_pci_driver_init(void)
+ {
++      int ret;
+       pr_info("%s %s\n", NTB_DESC, NTB_VER);
+       if (debugfs_initialized())
+               debugfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL);
+-      return pci_register_driver(&intel_ntb_pci_driver);
++      ret = pci_register_driver(&intel_ntb_pci_driver);
++      if (ret)
++              debugfs_remove_recursive(debugfs_dir);
++
++      return ret;
+ }
+ module_init(intel_ntb_pci_driver_init);
+-- 
+2.39.2
+
diff --git a/queue-5.10/ntb-ntb_tool-add-check-for-devm_kcalloc.patch b/queue-5.10/ntb-ntb_tool-add-check-for-devm_kcalloc.patch
new file mode 100644 (file)
index 0000000..5f429a7
--- /dev/null
@@ -0,0 +1,39 @@
+From 8b3f4f715a23299487155e9d8bd3d2eb1e0c320c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 11:32:44 +0800
+Subject: NTB: ntb_tool: Add check for devm_kcalloc
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 2790143f09938776a3b4f69685b380bae8fd06c7 ]
+
+As the devm_kcalloc may return NULL pointer,
+it should be better to add check for the return
+value, as same as the others.
+
+Fixes: 7f46c8b3a552 ("NTB: ntb_tool: Add full multi-port NTB API support")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ntb/test/ntb_tool.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/ntb/test/ntb_tool.c b/drivers/ntb/test/ntb_tool.c
+index 5ee0afa621a95..eeeb4b1c97d2c 100644
+--- a/drivers/ntb/test/ntb_tool.c
++++ b/drivers/ntb/test/ntb_tool.c
+@@ -998,6 +998,8 @@ static int tool_init_mws(struct tool_ctx *tc)
+               tc->peers[pidx].outmws =
+                       devm_kcalloc(&tc->ntb->dev, tc->peers[pidx].outmw_cnt,
+                                  sizeof(*tc->peers[pidx].outmws), GFP_KERNEL);
++              if (tc->peers[pidx].outmws == NULL)
++                      return -ENOMEM;
+               for (widx = 0; widx < tc->peers[pidx].outmw_cnt; widx++) {
+                       tc->peers[pidx].outmws[widx].pidx = pidx;
+-- 
+2.39.2
+
diff --git a/queue-5.10/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch b/queue-5.10/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch
new file mode 100644 (file)
index 0000000..8d73482
--- /dev/null
@@ -0,0 +1,42 @@
+From 38ff45890011895a2d3548a48689e979c73e0e5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 23:19:17 +0800
+Subject: NTB: ntb_transport: fix possible memory leak while device_register()
+ fails
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 8623ccbfc55d962e19a3537652803676ad7acb90 ]
+
+If device_register() returns error, the name allocated by
+dev_set_name() need be freed. As comment of device_register()
+says, it should use put_device() to give up the reference in
+the error path. So fix this by calling put_device(), then the
+name can be freed in kobject_cleanup(), and client_dev is freed
+in ntb_transport_client_release().
+
+Fixes: fce8a7bb5b4b ("PCI-Express Non-Transparent Bridge Support")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ntb/ntb_transport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c
+index 4a02561cfb965..d18cb44765603 100644
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -412,7 +412,7 @@ int ntb_transport_register_client_dev(char *device_name)
+               rc = device_register(dev);
+               if (rc) {
+-                      kfree(client_dev);
++                      put_device(dev);
+                       goto err;
+               }
+-- 
+2.39.2
+
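Review bot: The new `put_device(dev)` in ntb_transport_register_client_dev() relies on the device's release callback to free `client_dev`; the commit message names it as ntb_transport_client_release(), but it is assigned outside this hunk. It is worth confirming that `dev->release` is set before `device_register()` on this path and that the code at the `err` label does not touch `client_dev` afterwards, since the object may already be freed by then. A comment would make the ownership explicit: `/* device_register() failed: drop the reference, release() frees client_dev */`.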
diff --git a/queue-5.10/nvme-pci-fix-dma-direction-of-unmapping-integrity-da.patch b/queue-5.10/nvme-pci-fix-dma-direction-of-unmapping-integrity-da.patch
new file mode 100644 (file)
index 0000000..6d20415
--- /dev/null
@@ -0,0 +1,41 @@
+From 90f48bef4f8592b123adc792884d4b154d75b5b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Jul 2023 17:26:20 +0800
+Subject: nvme-pci: fix DMA direction of unmapping integrity data
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit b8f6446b6853768cb99e7c201bddce69ca60c15e ]
+
+DMA direction should be taken in dma_unmap_page() for unmapping integrity
+data.
+
+Fix this DMA direction, and reported in Guangwu's test.
+
+Reported-by: Guangwu Zhang <guazhang@redhat.com>
+Fixes: 4aedb705437f ("nvme-pci: split metadata handling from nvme_map_data / nvme_unmap_data")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index c47512da9872a..3aaead9b3a570 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -968,7 +968,8 @@ static void nvme_pci_complete_rq(struct request *req)
+       if (blk_integrity_rq(req))
+               dma_unmap_page(dev->dev, iod->meta_dma,
+-                             rq_integrity_vec(req)->bv_len, rq_data_dir(req));
++                             rq_integrity_vec(req)->bv_len, rq_dma_dir(req));
++
+       if (blk_rq_nr_phys_segments(req))
+               nvme_unmap_data(dev, req);
+       nvme_complete_rq(req);
+-- 
+2.39.2
+
diff --git a/queue-5.10/platform-x86-wmi-break-possible-infinite-loop-when-p.patch b/queue-5.10/platform-x86-wmi-break-possible-infinite-loop-when-p.patch
new file mode 100644 (file)
index 0000000..8b72a46
--- /dev/null
@@ -0,0 +1,84 @@
+From 0933ab92bd2131f9808f5c3297b0767d3cb65a9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jun 2023 18:11:54 +0300
+Subject: platform/x86: wmi: Break possible infinite loop when parsing GUID
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 028e6e204ace1f080cfeacd72c50397eb8ae8883 ]
+
+The while-loop may break on one of the two conditions, either ID string
+is empty or GUID matches. The second one, may never be reached if the
+parsed string is not correct GUID. In such a case the loop will never
+advance to check the next ID.
+
+Break possible infinite loop by factoring out guid_parse_and_compare()
+helper which may be moved to the generic header for everyone later on
+and preventing from similar mistake in the future.
+
+Interestingly that firstly it appeared when WMI was turned into a bus
+driver, but later when duplicated GUIDs were checked, the while-loop
+has been replaced by for-loop and hence no mistake made again.
+
+Fixes: a48e23385fcf ("platform/x86: wmi: add context pointer field to struct wmi_device_id")
+Fixes: 844af950da94 ("platform/x86: wmi: Turn WMI into a bus driver")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20230621151155.78279-1-andriy.shevchenko@linux.intel.com
+Tested-by: Armin Wolf <W_Armin@gmx.de>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/wmi.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c
+index 5e4c03f7db7c0..567c28705cb1b 100644
+--- a/drivers/platform/x86/wmi.c
++++ b/drivers/platform/x86/wmi.c
+@@ -130,6 +130,16 @@ static bool find_guid(const char *guid_string, struct wmi_block **out)
+       return false;
+ }
++static bool guid_parse_and_compare(const char *string, const guid_t *guid)
++{
++      guid_t guid_input;
++
++      if (guid_parse(string, &guid_input))
++              return false;
++
++      return guid_equal(&guid_input, guid);
++}
++
+ static const void *find_guid_context(struct wmi_block *wblock,
+                                     struct wmi_driver *wdriver)
+ {
+@@ -142,11 +152,7 @@ static const void *find_guid_context(struct wmi_block *wblock,
+       id = wdriver->id_table;
+       while (*id->guid_string) {
+-              guid_t guid_input;
+-
+-              if (guid_parse(id->guid_string, &guid_input))
+-                      continue;
+-              if (guid_equal(&wblock->gblock.guid, &guid_input))
++              if (guid_parse_and_compare(id->guid_string, &wblock->gblock.guid))
+                       return id->context;
+               id++;
+       }
+@@ -804,11 +810,7 @@ static int wmi_dev_match(struct device *dev, struct device_driver *driver)
+               return 0;
+       while (*id->guid_string) {
+-              guid_t driver_guid;
+-
+-              if (WARN_ON(guid_parse(id->guid_string, &driver_guid)))
+-                      continue;
+-              if (guid_equal(&driver_guid, &wblock->gblock.guid))
++              if (guid_parse_and_compare(id->guid_string, &wblock->gblock.guid))
+                       return 1;
+               id++;
+-- 
+2.39.2
+
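Review bot: guid_parse_and_compare() treats a string that fails guid_parse() as simply not matching, and with it the `WARN_ON()` that wmi_dev_match() had on a malformed id_table entry is gone, so a driver with a bad GUID string now silently never binds. The helper carries no comment stating that contract; I would add `/* Returns true only if @string parses as a GUID equal to @guid; a malformed string never matches. */` above it. If the diagnostic is still wanted, it could be kept as a one-time warning inside the helper. The bodies of find_guid_context() and wmi_dev_match() continue outside the hunks.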
diff --git a/queue-5.10/platform-x86-wmi-move-variables.patch b/queue-5.10/platform-x86-wmi-move-variables.patch
new file mode 100644 (file)
index 0000000..c6a9f37
--- /dev/null
@@ -0,0 +1,80 @@
+From 2b2a2dfecf816da3761256e2e96ac17431e4840c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Sep 2021 17:56:10 +0000
+Subject: platform/x86: wmi: move variables
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Barnabás Pőcze <pobrn@protonmail.com>
+
+[ Upstream commit f5431bf1e6781e876bdc8ae10fb1e7da6f1aa9b5 ]
+
+Move some variables in order to keep them
+in the narrowest possible scope.
+
+Signed-off-by: Barnabás Pőcze <pobrn@protonmail.com>
+Link: https://lore.kernel.org/r/20210904175450.156801-22-pobrn@protonmail.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Stable-dep-of: 028e6e204ace ("platform/x86: wmi: Break possible infinite loop when parsing GUID")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/wmi.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c
+index 18c4080d4a71e..5e4c03f7db7c0 100644
+--- a/drivers/platform/x86/wmi.c
++++ b/drivers/platform/x86/wmi.c
+@@ -134,7 +134,6 @@ static const void *find_guid_context(struct wmi_block *wblock,
+                                     struct wmi_driver *wdriver)
+ {
+       const struct wmi_device_id *id;
+-      guid_t guid_input;
+       if (wblock == NULL || wdriver == NULL)
+               return NULL;
+@@ -143,6 +142,8 @@ static const void *find_guid_context(struct wmi_block *wblock,
+       id = wdriver->id_table;
+       while (*id->guid_string) {
++              guid_t guid_input;
++
+               if (guid_parse(id->guid_string, &guid_input))
+                       continue;
+               if (guid_equal(&wblock->gblock.guid, &guid_input))
+@@ -615,7 +616,6 @@ acpi_status wmi_get_event_data(u32 event, struct acpi_buffer *out)
+ {
+       struct acpi_object_list input;
+       union acpi_object params[1];
+-      struct guid_block *gblock;
+       struct wmi_block *wblock;
+       input.count = 1;
+@@ -624,7 +624,7 @@ acpi_status wmi_get_event_data(u32 event, struct acpi_buffer *out)
+       params[0].integer.value = event;
+       list_for_each_entry(wblock, &wmi_block_list, list) {
+-              gblock = &wblock->gblock;
++              struct guid_block *gblock = &wblock->gblock;
+               if ((gblock->flags & ACPI_WMI_EVENT) &&
+                       (gblock->notify_id == event))
+@@ -1281,12 +1281,11 @@ acpi_wmi_ec_space_handler(u32 function, acpi_physical_address address,
+ static void acpi_wmi_notify_handler(acpi_handle handle, u32 event,
+                                   void *context)
+ {
+-      struct guid_block *block;
+       struct wmi_block *wblock;
+       bool found_it = false;
+       list_for_each_entry(wblock, &wmi_block_list, list) {
+-              block = &wblock->gblock;
++              struct guid_block *block = &wblock->gblock;
+               if (wblock->acpi_device->handle == handle &&
+                   (block->flags & ACPI_WMI_EVENT) &&
+-- 
+2.39.2
+
diff --git a/queue-5.10/platform-x86-wmi-remove-unnecessary-argument.patch b/queue-5.10/platform-x86-wmi-remove-unnecessary-argument.patch
new file mode 100644 (file)
index 0000000..b34586d
--- /dev/null
@@ -0,0 +1,75 @@
+From 8f06216a815ddd37f9408c5f4f4167c790cc507e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Sep 2021 17:55:16 +0000
+Subject: platform/x86: wmi: remove unnecessary argument
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Barnabás Pőcze <pobrn@protonmail.com>
+
+[ Upstream commit 84eacf7e6413d5e2d2f4f9dddf9216c18a3631cf ]
+
+The GUID block is available for `wmi_create_device()`
+through `wblock->gblock`. Use that consistently in
+the function instead of using a mix of `gblock` and
+`wblock->gblock`.
+
+Signed-off-by: Barnabás Pőcze <pobrn@protonmail.com>
+Link: https://lore.kernel.org/r/20210904175450.156801-8-pobrn@protonmail.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Stable-dep-of: 028e6e204ace ("platform/x86: wmi: Break possible infinite loop when parsing GUID")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/wmi.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c
+index 1f80b26281628..9a6dc2717e1d4 100644
+--- a/drivers/platform/x86/wmi.c
++++ b/drivers/platform/x86/wmi.c
+@@ -1042,7 +1042,6 @@ static const struct device_type wmi_type_data = {
+ };
+ static int wmi_create_device(struct device *wmi_bus_dev,
+-                           const struct guid_block *gblock,
+                            struct wmi_block *wblock,
+                            struct acpi_device *device)
+ {
+@@ -1050,12 +1049,12 @@ static int wmi_create_device(struct device *wmi_bus_dev,
+       char method[5];
+       int result;
+-      if (gblock->flags & ACPI_WMI_EVENT) {
++      if (wblock->gblock.flags & ACPI_WMI_EVENT) {
+               wblock->dev.dev.type = &wmi_type_event;
+               goto out_init;
+       }
+-      if (gblock->flags & ACPI_WMI_METHOD) {
++      if (wblock->gblock.flags & ACPI_WMI_METHOD) {
+               wblock->dev.dev.type = &wmi_type_method;
+               mutex_init(&wblock->char_mutex);
+               goto out_init;
+@@ -1105,7 +1104,7 @@ static int wmi_create_device(struct device *wmi_bus_dev,
+       wblock->dev.dev.bus = &wmi_bus_type;
+       wblock->dev.dev.parent = wmi_bus_dev;
+-      dev_set_name(&wblock->dev.dev, "%pUL", gblock->guid);
++      dev_set_name(&wblock->dev.dev, "%pUL", wblock->gblock.guid);
+       device_initialize(&wblock->dev.dev);
+@@ -1197,7 +1196,7 @@ static int parse_wdg(struct device *wmi_bus_dev, struct acpi_device *device)
+               wblock->acpi_device = device;
+               wblock->gblock = gblock[i];
+-              retval = wmi_create_device(wmi_bus_dev, &gblock[i], wblock, device);
++              retval = wmi_create_device(wmi_bus_dev, wblock, device);
+               if (retval) {
+                       kfree(wblock);
+                       continue;
+-- 
+2.39.2
+
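Review bot: The `dev_set_name()` call rewritten in the `@@ -1105,7 +1104,7 @@` hunk of wmi_create_device() still discards its return value, so a failed name allocation would go unnoticed before `device_initialize()` runs. The function already declares `int result;`, so the call could become `result = dev_set_name(&wblock->dev.dev, "%pUL", wblock->gblock.guid);` followed by `if (result) return result;`. The parse_wdg() caller shown in the last hunk frees `wblock` on a non-zero return, which suggests an early return is safe. wmi_create_device() continues outside the hunks, so the exit path should be confirmed against the full function.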
diff --git a/queue-5.10/platform-x86-wmi-use-guid_t-and-guid_equal.patch b/queue-5.10/platform-x86-wmi-use-guid_t-and-guid_equal.patch
new file mode 100644 (file)
index 0000000..b71731e
--- /dev/null
@@ -0,0 +1,177 @@
+From 41fd3e4cb930244953bc634c695a4d13fc02655a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Sep 2021 17:55:39 +0000
+Subject: platform/x86: wmi: use guid_t and guid_equal()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Barnabás Pőcze <pobrn@protonmail.com>
+
+[ Upstream commit 67f472fdacf4a691b1c3c20c27800b23ce31e2de ]
+
+Instead of hard-coding a 16 long byte array,
+use the available `guid_t` type and related methods.
+
+Signed-off-by: Barnabás Pőcze <pobrn@protonmail.com>
+Link: https://lore.kernel.org/r/20210904175450.156801-15-pobrn@protonmail.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Stable-dep-of: 028e6e204ace ("platform/x86: wmi: Break possible infinite loop when parsing GUID")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/wmi.c | 34 +++++++++++++++++-----------------
+ 1 file changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c
+index 9a6dc2717e1d4..18c4080d4a71e 100644
+--- a/drivers/platform/x86/wmi.c
++++ b/drivers/platform/x86/wmi.c
+@@ -40,7 +40,7 @@ MODULE_LICENSE("GPL");
+ static LIST_HEAD(wmi_block_list);
+ struct guid_block {
+-      char guid[16];
++      guid_t guid;
+       union {
+               char object_id[2];
+               struct {
+@@ -121,7 +121,7 @@ static bool find_guid(const char *guid_string, struct wmi_block **out)
+       list_for_each_entry(wblock, &wmi_block_list, list) {
+               block = &wblock->gblock;
+-              if (memcmp(block->guid, &guid_input, 16) == 0) {
++              if (guid_equal(&block->guid, &guid_input)) {
+                       if (out)
+                               *out = wblock;
+                       return true;
+@@ -145,7 +145,7 @@ static const void *find_guid_context(struct wmi_block *wblock,
+       while (*id->guid_string) {
+               if (guid_parse(id->guid_string, &guid_input))
+                       continue;
+-              if (!memcmp(wblock->gblock.guid, &guid_input, 16))
++              if (guid_equal(&wblock->gblock.guid, &guid_input))
+                       return id->context;
+               id++;
+       }
+@@ -457,7 +457,7 @@ EXPORT_SYMBOL_GPL(wmi_set_block);
+ static void wmi_dump_wdg(const struct guid_block *g)
+ {
+-      pr_info("%pUL:\n", g->guid);
++      pr_info("%pUL:\n", &g->guid);
+       if (g->flags & ACPI_WMI_EVENT)
+               pr_info("\tnotify_id: 0x%02X\n", g->notify_id);
+       else
+@@ -539,7 +539,7 @@ wmi_notify_handler handler, void *data)
+       list_for_each_entry(block, &wmi_block_list, list) {
+               acpi_status wmi_status;
+-              if (memcmp(block->gblock.guid, &guid_input, 16) == 0) {
++              if (guid_equal(&block->gblock.guid, &guid_input)) {
+                       if (block->handler &&
+                           block->handler != wmi_notify_debug)
+                               return AE_ALREADY_ACQUIRED;
+@@ -579,7 +579,7 @@ acpi_status wmi_remove_notify_handler(const char *guid)
+       list_for_each_entry(block, &wmi_block_list, list) {
+               acpi_status wmi_status;
+-              if (memcmp(block->gblock.guid, &guid_input, 16) == 0) {
++              if (guid_equal(&block->gblock.guid, &guid_input)) {
+                       if (!block->handler ||
+                           block->handler == wmi_notify_debug)
+                               return AE_NULL_ENTRY;
+@@ -685,7 +685,7 @@ static ssize_t modalias_show(struct device *dev, struct device_attribute *attr,
+ {
+       struct wmi_block *wblock = dev_to_wblock(dev);
+-      return sprintf(buf, "wmi:%pUL\n", wblock->gblock.guid);
++      return sprintf(buf, "wmi:%pUL\n", &wblock->gblock.guid);
+ }
+ static DEVICE_ATTR_RO(modalias);
+@@ -694,7 +694,7 @@ static ssize_t guid_show(struct device *dev, struct device_attribute *attr,
+ {
+       struct wmi_block *wblock = dev_to_wblock(dev);
+-      return sprintf(buf, "%pUL\n", wblock->gblock.guid);
++      return sprintf(buf, "%pUL\n", &wblock->gblock.guid);
+ }
+ static DEVICE_ATTR_RO(guid);
+@@ -777,10 +777,10 @@ static int wmi_dev_uevent(struct device *dev, struct kobj_uevent_env *env)
+ {
+       struct wmi_block *wblock = dev_to_wblock(dev);
+-      if (add_uevent_var(env, "MODALIAS=wmi:%pUL", wblock->gblock.guid))
++      if (add_uevent_var(env, "MODALIAS=wmi:%pUL", &wblock->gblock.guid))
+               return -ENOMEM;
+-      if (add_uevent_var(env, "WMI_GUID=%pUL", wblock->gblock.guid))
++      if (add_uevent_var(env, "WMI_GUID=%pUL", &wblock->gblock.guid))
+               return -ENOMEM;
+       return 0;
+@@ -808,7 +808,7 @@ static int wmi_dev_match(struct device *dev, struct device_driver *driver)
+               if (WARN_ON(guid_parse(id->guid_string, &driver_guid)))
+                       continue;
+-              if (!memcmp(&driver_guid, wblock->gblock.guid, 16))
++              if (guid_equal(&driver_guid, &wblock->gblock.guid))
+                       return 1;
+               id++;
+@@ -1104,7 +1104,7 @@ static int wmi_create_device(struct device *wmi_bus_dev,
+       wblock->dev.dev.bus = &wmi_bus_type;
+       wblock->dev.dev.parent = wmi_bus_dev;
+-      dev_set_name(&wblock->dev.dev, "%pUL", wblock->gblock.guid);
++      dev_set_name(&wblock->dev.dev, "%pUL", &wblock->gblock.guid);
+       device_initialize(&wblock->dev.dev);
+@@ -1124,12 +1124,12 @@ static void wmi_free_devices(struct acpi_device *device)
+       }
+ }
+-static bool guid_already_parsed(struct acpi_device *device, const u8 *guid)
++static bool guid_already_parsed(struct acpi_device *device, const guid_t *guid)
+ {
+       struct wmi_block *wblock;
+       list_for_each_entry(wblock, &wmi_block_list, list) {
+-              if (memcmp(wblock->gblock.guid, guid, 16) == 0) {
++              if (guid_equal(&wblock->gblock.guid, guid)) {
+                       /*
+                        * Because we historically didn't track the relationship
+                        * between GUIDs and ACPI nodes, we don't know whether
+@@ -1184,7 +1184,7 @@ static int parse_wdg(struct device *wmi_bus_dev, struct acpi_device *device)
+                * case yet, so for now, we'll just ignore the duplicate
+                * for device creation.
+                */
+-              if (guid_already_parsed(device, gblock[i].guid))
++              if (guid_already_parsed(device, &gblock[i].guid))
+                       continue;
+               wblock = kzalloc(sizeof(struct wmi_block), GFP_KERNEL);
+@@ -1221,7 +1221,7 @@ static int parse_wdg(struct device *wmi_bus_dev, struct acpi_device *device)
+               retval = device_add(&wblock->dev.dev);
+               if (retval) {
+                       dev_err(wmi_bus_dev, "failed to register %pUL\n",
+-                              wblock->gblock.guid);
++                              &wblock->gblock.guid);
+                       if (debug_event)
+                               wmi_method_enable(wblock, 0);
+                       list_del(&wblock->list);
+@@ -1335,7 +1335,7 @@ static void acpi_wmi_notify_handler(acpi_handle handle, u32 event,
+       }
+       if (debug_event)
+-              pr_info("DEBUG Event GUID: %pUL\n", wblock->gblock.guid);
++              pr_info("DEBUG Event GUID: %pUL\n", &wblock->gblock.guid);
+       acpi_bus_generate_netlink_event(
+               wblock->acpi_device->pnp.device_class,
+-- 
+2.39.2
+
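Review bot: In find_guid_context() (`@@ -145,7 +145,7 @@`) the `continue` taken when `guid_parse()` fails skips the `id++` at the bottom of the `while` loop, so a malformed `guid_string` in a driver's id table would make the loop spin on the same entry. wmi_dev_match() (`@@ -808,7 +808,7 @@`) appears to have the same shape, with a `WARN_ON()` that would fire on every iteration. This patch only swaps `memcmp()` for `guid_equal()` and leaves that control flow untouched, so it should be queued only together with the loop fix named in its Stable-dep-of trailer. One shape that cannot spin is to fold the parse into the test, `if (!guid_parse(id->guid_string, &guid_input) && guid_equal(&wblock->gblock.guid, &guid_input))`, so every iteration reaches `id++`. Both functions start and end outside the hunks.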
diff --git a/queue-5.10/riscv-bpf-avoid-breaking-w-x.patch b/queue-5.10/riscv-bpf-avoid-breaking-w-x.patch
new file mode 100644 (file)
index 0000000..dc317b5
--- /dev/null
@@ -0,0 +1,45 @@
+From 4050c9f9f0d0ac97014d29d95259e3be1ebede8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Mar 2021 02:25:21 +0800
+Subject: riscv: bpf: Avoid breaking W^X
+
+From: Jisheng Zhang <jszhang@kernel.org>
+
+[ Upstream commit fc8504765ec5e812135b8ccafca7101069a0c6d8 ]
+
+We allocate Non-executable pages, then call bpf_jit_binary_lock_ro()
+to enable executable permission after mapping them read-only. This is
+to prepare for STRICT_MODULE_RWX in following patch.
+
+Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Stable-dep-of: c56fb2aab235 ("riscv, bpf: Fix inconsistent JIT image generation")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/net/bpf_jit_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/riscv/net/bpf_jit_core.c b/arch/riscv/net/bpf_jit_core.c
+index e295c9eed9e93..5d247198c30d3 100644
+--- a/arch/riscv/net/bpf_jit_core.c
++++ b/arch/riscv/net/bpf_jit_core.c
+@@ -153,6 +153,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+       bpf_flush_icache(jit_data->header, ctx->insns + ctx->ninsns);
+       if (!prog->is_func || extra_pass) {
++              bpf_jit_binary_lock_ro(jit_data->header);
+ out_offset:
+               kfree(ctx->offset);
+               kfree(jit_data);
+@@ -170,7 +171,7 @@ void *bpf_jit_alloc_exec(unsigned long size)
+ {
+       return __vmalloc_node_range(size, PAGE_SIZE, BPF_JIT_REGION_START,
+                                   BPF_JIT_REGION_END, GFP_KERNEL,
+-                                  PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE,
++                                  PAGE_KERNEL, 0, NUMA_NO_NODE,
+                                   __builtin_return_address(0));
+ }
+-- 
+2.39.2
+
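Review bot: bpf_jit_alloc_exec() in the `@@ -170,7 +171,7 @@` hunk now returns pages mapped with `PAGE_KERNEL`, so its name no longer describes what it returns, and nothing in the code says where execute permission is granted. A comment above the function would keep the W^X contract visible, for example `/* Pages are allocated writable and non-executable; bpf_jit_binary_lock_ro() makes the finished image read-only and executable. */`. Because the `out_offset:` label sits directly after the new call, any path that jumps to it skips `bpf_jit_binary_lock_ro()`; if that is intended for error exits, a short comment at the label should say so. bpf_int_jit_compile() continues outside the hunk, so the jump sources could not be checked here.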
diff --git a/queue-5.10/riscv-bpf-fix-inconsistent-jit-image-generation.patch b/queue-5.10/riscv-bpf-fix-inconsistent-jit-image-generation.patch
new file mode 100644 (file)
index 0000000..96f8fc1
--- /dev/null
@@ -0,0 +1,137 @@
+From 1630d20fd0e8a85705dd35377dedae41556087dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Jul 2023 09:41:31 +0200
+Subject: riscv, bpf: Fix inconsistent JIT image generation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Björn Töpel <bjorn@rivosinc.com>
+
+[ Upstream commit c56fb2aab23505bb7160d06097c8de100b82b851 ]
+
+In order to generate the prologue and epilogue, the BPF JIT needs to
+know which registers that are clobbered. Therefore, the during
+pre-final passes, the prologue is generated after the body of the
+program body-prologue-epilogue. Then, in the final pass, a proper
+prologue-body-epilogue JITted image is generated.
+
+This scheme has worked most of the time. However, for some large
+programs with many jumps, e.g. the test_kmod.sh BPF selftest with
+hardening enabled (blinding constants), this has shown to be
+incorrect. For the final pass, when the proper prologue-body-epilogue
+is generated, the image has not converged. This will lead to that the
+final image will have incorrect jump offsets. The following is an
+excerpt from an incorrect image:
+
+  | ...
+  |     3b8:       00c50663                beq     a0,a2,3c4 <.text+0x3c4>
+  |     3bc:       0020e317                auipc   t1,0x20e
+  |     3c0:       49630067                jalr    zero,1174(t1) # 20e852 <.text+0x20e852>
+  | ...
+  |  20e84c:       8796                    c.mv    a5,t0
+  |  20e84e:       6422                    c.ldsp  s0,8(sp)    # Epilogue start
+  |  20e850:       6141                    c.addi16sp      sp,16
+  |  20e852:       853e                    c.mv    a0,a5       # Incorrect jump target
+  |  20e854:       8082                    c.jr    ra
+
+The image has shrunk, and the epilogue offset is incorrect in the
+final pass.
+
+Correct the problem by always generating proper prologue-body-epilogue
+outputs, which means that the first pass will only generate the body
+to track what registers that are touched.
+
+Fixes: 2353ecc6f91f ("bpf, riscv: add BPF JIT for RV64G")
+Signed-off-by: Björn Töpel <bjorn@rivosinc.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20230710074131.19596-1-bjorn@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/net/bpf_jit.h      |  6 +++---
+ arch/riscv/net/bpf_jit_core.c | 19 +++++++++++++------
+ 2 files changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/arch/riscv/net/bpf_jit.h b/arch/riscv/net/bpf_jit.h
+index ab0cd6d10ccf3..ef336fe160044 100644
+--- a/arch/riscv/net/bpf_jit.h
++++ b/arch/riscv/net/bpf_jit.h
+@@ -69,7 +69,7 @@ struct rv_jit_context {
+       struct bpf_prog *prog;
+       u16 *insns;             /* RV insns */
+       int ninsns;
+-      int body_len;
++      int prologue_len;
+       int epilogue_offset;
+       int *offset;            /* BPF to RV */
+       unsigned long flags;
+@@ -215,8 +215,8 @@ static inline int rv_offset(int insn, int off, struct rv_jit_context *ctx)
+       int from, to;
+       off++; /* BPF branch is from PC+1, RV is from PC */
+-      from = (insn > 0) ? ctx->offset[insn - 1] : 0;
+-      to = (insn + off > 0) ? ctx->offset[insn + off - 1] : 0;
++      from = (insn > 0) ? ctx->offset[insn - 1] : ctx->prologue_len;
++      to = (insn + off > 0) ? ctx->offset[insn + off - 1] : ctx->prologue_len;
+       return ninsns_rvoff(to - from);
+ }
+diff --git a/arch/riscv/net/bpf_jit_core.c b/arch/riscv/net/bpf_jit_core.c
+index 750b15c319d5d..ef17bc8055d4c 100644
+--- a/arch/riscv/net/bpf_jit_core.c
++++ b/arch/riscv/net/bpf_jit_core.c
+@@ -43,7 +43,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+ {
+       bool tmp_blinded = false, extra_pass = false;
+       struct bpf_prog *tmp, *orig_prog = prog;
+-      int pass = 0, prev_ninsns = 0, prologue_len, i;
++      int pass = 0, prev_ninsns = 0, i;
+       struct rv_jit_data *jit_data;
+       struct rv_jit_context *ctx;
+       unsigned int image_size = 0;
+@@ -83,6 +83,12 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+               prog = orig_prog;
+               goto out_offset;
+       }
++
++      if (build_body(ctx, extra_pass, NULL)) {
++              prog = orig_prog;
++              goto out_offset;
++      }
++
+       for (i = 0; i < prog->len; i++) {
+               prev_ninsns += 32;
+               ctx->offset[i] = prev_ninsns;
+@@ -91,12 +97,15 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+       for (i = 0; i < NR_JIT_ITERATIONS; i++) {
+               pass++;
+               ctx->ninsns = 0;
++
++              bpf_jit_build_prologue(ctx);
++              ctx->prologue_len = ctx->ninsns;
++
+               if (build_body(ctx, extra_pass, ctx->offset)) {
+                       prog = orig_prog;
+                       goto out_offset;
+               }
+-              ctx->body_len = ctx->ninsns;
+-              bpf_jit_build_prologue(ctx);
++
+               ctx->epilogue_offset = ctx->ninsns;
+               bpf_jit_build_epilogue(ctx);
+@@ -155,10 +164,8 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+       if (!prog->is_func || extra_pass) {
+               bpf_jit_binary_lock_ro(jit_data->header);
+-              prologue_len = ctx->epilogue_offset - ctx->body_len;
+               for (i = 0; i < prog->len; i++)
+-                      ctx->offset[i] = ninsns_rvoff(prologue_len +
+-                                                    ctx->offset[i]);
++                      ctx->offset[i] = ninsns_rvoff(ctx->offset[i]);
+               bpf_prog_fill_jited_linfo(prog, ctx->offset);
+ out_offset:
+               kfree(ctx->offset);
+-- 
+2.39.2
+
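Review bot: The `build_body(ctx, extra_pass, NULL)` call added in the `@@ -83,6 +83,12 @@` hunk of bpf_int_jit_compile() runs before the loop that seeds `ctx->offset[]` and before `ctx->prologue_len` is assigned, so any branch offsets computed during that call are presumably placeholders. The commit message explains that this pass exists only to record which registers the body touches, but the code does not, and a later reader may take it for a redundant pass. A comment above the call would carry that over, for example `/* Body-only pass: records clobbered registers for the prologue/epilogue; offsets are not valid yet. */`. The new `prologue_len` field in struct rv_jit_context could likewise get a trailing comment such as `/* prologue length, same units as ninsns */`, since it is assigned from `ctx->ninsns`.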
diff --git a/queue-5.10/riscv-bpf-move-bpf_jit_alloc_exec-and-bpf_jit_free_e.patch b/queue-5.10/riscv-bpf-move-bpf_jit_alloc_exec-and-bpf_jit_free_e.patch
new file mode 100644 (file)
index 0000000..1166c62
--- /dev/null
@@ -0,0 +1,69 @@
+From 6d498f474443359b0bee68babcd44efc6cf38cbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Mar 2021 02:24:54 +0800
+Subject: riscv: bpf: Move bpf_jit_alloc_exec() and bpf_jit_free_exec() to core
+
+From: Jisheng Zhang <jszhang@kernel.org>
+
+[ Upstream commit 1d27d854425faec98f352cf88ec3e2a8844429a4 ]
+
+We will drop the executable permissions of the code pages from the
+mapping at allocation time soon. Move bpf_jit_alloc_exec() and
+bpf_jit_free_exec() to bpf_jit_core.c so that they can be shared by
+both RV64I and RV32I.
+
+Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
+Acked-by: Luke Nelson <luke.r.nels@gmail.com>
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Stable-dep-of: c56fb2aab235 ("riscv, bpf: Fix inconsistent JIT image generation")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/net/bpf_jit_comp64.c | 13 -------------
+ arch/riscv/net/bpf_jit_core.c   | 13 +++++++++++++
+ 2 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c
+index c113ae818b14e..053dc83e323b6 100644
+--- a/arch/riscv/net/bpf_jit_comp64.c
++++ b/arch/riscv/net/bpf_jit_comp64.c
+@@ -1144,16 +1144,3 @@ void bpf_jit_build_epilogue(struct rv_jit_context *ctx)
+ {
+       __build_epilogue(false, ctx);
+ }
+-
+-void *bpf_jit_alloc_exec(unsigned long size)
+-{
+-      return __vmalloc_node_range(size, PAGE_SIZE, BPF_JIT_REGION_START,
+-                                  BPF_JIT_REGION_END, GFP_KERNEL,
+-                                  PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE,
+-                                  __builtin_return_address(0));
+-}
+-
+-void bpf_jit_free_exec(void *addr)
+-{
+-      return vfree(addr);
+-}
+diff --git a/arch/riscv/net/bpf_jit_core.c b/arch/riscv/net/bpf_jit_core.c
+index cbf7d2414886e..e295c9eed9e93 100644
+--- a/arch/riscv/net/bpf_jit_core.c
++++ b/arch/riscv/net/bpf_jit_core.c
+@@ -165,3 +165,16 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+                                          tmp : orig_prog);
+       return prog;
+ }
++
++void *bpf_jit_alloc_exec(unsigned long size)
++{
++      return __vmalloc_node_range(size, PAGE_SIZE, BPF_JIT_REGION_START,
++                                  BPF_JIT_REGION_END, GFP_KERNEL,
++                                  PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE,
++                                  __builtin_return_address(0));
++}
++
++void bpf_jit_free_exec(void *addr)
++{
++      return vfree(addr);
++}
+-- 
+2.39.2
+
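Review bot: The moved bpf_jit_free_exec() in the `@@ -165,3 +165,16 @@` hunk keeps `return vfree(addr);` although the function is declared `void`. Returning an expression from a void function is accepted by GCC but is not valid ISO C and draws a warning under pedantic settings. Because the function is being re-added in its new location anyway, the body could simply be `vfree(addr);`.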
diff --git a/queue-5.10/scsi-qla2xxx-fix-error-code-in-qla2x00_start_sp.patch b/queue-5.10/scsi-qla2xxx-fix-error-code-in-qla2x00_start_sp.patch
new file mode 100644 (file)
index 0000000..a708f5d
--- /dev/null
@@ -0,0 +1,38 @@
+From 5804ed9cd312ce0843bff3fc159ae27613447512 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jun 2023 13:58:47 +0300
+Subject: scsi: qla2xxx: Fix error code in qla2x00_start_sp()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit e579b007eff3ff8d29d59d16214cd85fb9e573f7 ]
+
+This should be negative -EAGAIN instead of positive.  The callers treat
+non-zero error codes the same so it doesn't really impact runtime beyond
+some trivial differences to debug output.
+
+Fixes: 80676d054e5a ("scsi: qla2xxx: Fix session cleanup hang")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/49866d28-4cfe-47b0-842b-78f110e61aab@moroto.mountain
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_iocb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_iocb.c b/drivers/scsi/qla2xxx/qla_iocb.c
+index e54cc2a761dd4..f0af76c3de7e3 100644
+--- a/drivers/scsi/qla2xxx/qla_iocb.c
++++ b/drivers/scsi/qla2xxx/qla_iocb.c
+@@ -3713,7 +3713,7 @@ qla2x00_start_sp(srb_t *sp)
+       spin_lock_irqsave(qp->qp_lock_ptr, flags);
+       pkt = __qla2x00_alloc_iocbs(sp->qpair, sp);
+       if (!pkt) {
+-              rval = EAGAIN;
++              rval = -EAGAIN;
+               ql_log(ql_log_warn, vha, 0x700c,
+                   "qla2x00_alloc_iocbs failed.\n");
+               goto done;
+-- 
+2.39.2
+
index 8dbb2cfd6f831df4111d6fec44e40c02aad79330..0e47ddf562b933ee784ef65cb7c60380d0da1279 100644 (file)
@@ -332,3 +332,42 @@ tty-serial-fsl_lpuart-add-earlycon-for-imx8ulp-platform.patch
 rcu-tasks-mark-trc_reader_nesting-data-races.patch
 rcu-tasks-mark-trc_reader_special.b.need_qs-data-races.patch
 rcu-tasks-simplify-trc_read_check_handler-atomic-operations.patch
+drm-panel-simple-add-connector_type-for-innolux_at04.patch
+drm-panel-simple-add-powertip-ph800480t013-drm_displ.patch
+igc-remove-delay-during-tx-ring-configuration.patch
+net-mlx5e-fix-double-free-in-mlx5e_destroy_flow_tabl.patch
+net-mlx5e-check-for-not_ready-flag-state-after-locki.patch
+igc-set-tp-bit-in-supported-and-advertising-fields-o.patch
+scsi-qla2xxx-fix-error-code-in-qla2x00_start_sp.patch
+net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch
+net-sched-cls_fw-fix-improper-refcount-update-leads-.patch
+gve-set-default-duplex-configuration-to-full.patch
+ionic-remove-warn_on-to-prevent-panic_on_warn.patch
+net-bgmac-postpone-turning-irqs-off-to-avoid-soc-han.patch
+net-prevent-skb-corruption-on-frag-list-segmentation.patch
+icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch
+udp6-fix-udp6_ehashfn-typo.patch
+ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch
+ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch
+ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch
+ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch
+ntb-ntb_tool-add-check-for-devm_kcalloc.patch
+ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch
+platform-x86-wmi-remove-unnecessary-argument.patch
+platform-x86-wmi-use-guid_t-and-guid_equal.patch
+platform-x86-wmi-move-variables.patch
+platform-x86-wmi-break-possible-infinite-loop-when-p.patch
+igc-fix-launchtime-before-start-of-cycle.patch
+igc-fix-inserting-of-empty-frame-for-launchtime.patch
+riscv-bpf-move-bpf_jit_alloc_exec-and-bpf_jit_free_e.patch
+riscv-bpf-avoid-breaking-w-x.patch
+bpf-riscv-support-riscv-jit-to-provide-bpf_line_info.patch
+riscv-bpf-fix-inconsistent-jit-image-generation.patch
+erofs-avoid-infinite-loop-in-z_erofs_do_read_page-wh.patch
+wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch
+net-sched-flower-ensure-both-minimum-and-maximum-por.patch
+netdevsim-fix-uninitialized-data-in-nsim_dev_trap_fa.patch
+net-sched-make-psched_mtu-rtnl-less-safe.patch
+net-sched-sch_qfq-refactor-parsing-of-netlink-parame.patch
+net-sched-sch_qfq-account-for-stab-overhead-in-qfq_e.patch
+nvme-pci-fix-dma-direction-of-unmapping-integrity-da.patch
diff --git a/queue-5.10/udp6-fix-udp6_ehashfn-typo.patch b/queue-5.10/udp6-fix-udp6_ehashfn-typo.patch
new file mode 100644 (file)
index 0000000..bb54a6e
--- /dev/null
@@ -0,0 +1,40 @@
+From 279a8ca0c53b60a63609bd8055b756cfb4af296a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 Jul 2023 08:29:58 +0000
+Subject: udp6: fix udp6_ehashfn() typo
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 51d03e2f2203e76ed02d33fb5ffbb5fc85ffaf54 ]
+
+Amit Klein reported that udp6_ehash_secret was initialized but never used.
+
+Fixes: 1bbdceef1e53 ("inet: convert inet_ehash_secret and ipv6_hash_secret to net_get_random_once")
+Reported-by: Amit Klein <aksecurity@gmail.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Willy Tarreau <w@1wt.eu>
+Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
+Cc: David Ahern <dsahern@kernel.org>
+Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/udp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 19c0721399d9e..788bb19f32e99 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -87,7 +87,7 @@ static u32 udp6_ehashfn(const struct net *net,
+       fhash = __ipv6_addr_jhash(faddr, udp_ipv6_hash_secret);
+       return __inet6_ehashfn(lhash, lport, fhash, fport,
+-                             udp_ipv6_hash_secret + net_hash_mix(net));
++                             udp6_ehash_secret + net_hash_mix(net));
+ }
+ int udp_v6_get_port(struct sock *sk, unsigned short snum)
+-- 
+2.39.2
+
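Review bot: The two secrets used in udp6_ehashfn() differ by only a few characters, and nothing in the hunk says which one belongs in which call, which is presumably how the wrong one ended up in the `__inet6_ehashfn()` argument. A one-line comment above the return would make a repeat easier to catch in review, for example `/* udp_ipv6_hash_secret keys the address hash above; udp6_ehash_secret keys the final mix */`. The declarations and initialisation of both secrets are outside the hunk, so the wording should be checked against them.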
diff --git a/queue-5.10/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch b/queue-5.10/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch
new file mode 100644 (file)
index 0000000..91f8513
--- /dev/null
@@ -0,0 +1,47 @@
+From dae3b37a715c8a9b65c38b1aadefc8cf0152d738 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Jul 2023 06:31:54 -0700
+Subject: wifi: airo: avoid uninitialized warning in airo_get_rate()
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 9373771aaed17f5c2c38485f785568abe3a9f8c1 ]
+
+Quieten a gcc (11.3.0) build error or warning by checking the function
+call status and returning -EBUSY if the function call failed.
+This is similar to what several other wireless drivers do for the
+SIOCGIWRATE ioctl call when there is a locking problem.
+
+drivers/net/wireless/cisco/airo.c: error: 'status_rid.currentXmitRate' is used uninitialized [-Werror=uninitialized]
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/r/39abf2c7-24a-f167-91da-ed4c5435d1c4@linux-m68k.org
+Link: https://lore.kernel.org/r/20230709133154.26206-1-rdunlap@infradead.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/cisco/airo.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c
+index 8c9c6bfbaeee7..aa1d12f6f5c3b 100644
+--- a/drivers/net/wireless/cisco/airo.c
++++ b/drivers/net/wireless/cisco/airo.c
+@@ -6150,8 +6150,11 @@ static int airo_get_rate(struct net_device *dev,
+ {
+       struct airo_info *local = dev->ml_priv;
+       StatusRid status_rid;           /* Card status info */
++      int ret;
+-      readStatusRid(local, &status_rid, 1);
++      ret = readStatusRid(local, &status_rid, 1);
++      if (ret)
++              return -EBUSY;
+       vwrq->value = le16_to_cpu(status_rid.currentXmitRate) * 500000;
+       /* If more than one rate, set auto */
+-- 
+2.39.2
+