--- /dev/null
+From e7dd4a4a477117acab24a7ef08e9ae0f8715238b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 13:42:16 +0200
+Subject: ASoC: meson: axg-card: make links nonatomic
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit e138233e56e9829e65b6293887063a1a3ccb2d68 ]
+
+Non atomic operations need to be performed in the trigger callback
+of the TDM interfaces. Those are BEs but what matters is the nonatomic
+flag of the FE in the DPCM context. Just set nonatomic for everything so,
+at least, it is clear.
+
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Link: https://lore.kernel.org/r/20211020114217.133153-2-jbrunet@baylibre.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/meson/axg-card.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/meson/axg-card.c b/sound/soc/meson/axg-card.c
+index 7126344017fa6..36a004192b562 100644
+--- a/sound/soc/meson/axg-card.c
++++ b/sound/soc/meson/axg-card.c
+@@ -568,6 +568,7 @@ static int axg_card_add_link(struct snd_soc_card *card, struct device_node *np,
+
+ dai_link->cpus = cpu;
+ dai_link->num_cpus = 1;
++ dai_link->nonatomic = true;
+
+ ret = axg_card_parse_dai(card, np, &dai_link->cpus->of_node,
+ &dai_link->cpus->dai_name);
+--
+2.43.0
+
--- /dev/null
+From bd47aa017fbf8cc0dd54f1f8013caabe04878dc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 13:42:17 +0200
+Subject: ASoC: meson: axg-tdm-interface: manage formatters in trigger
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit bf5e4887eeddb48480568466536aa08ec7f179a5 ]
+
+So far, the formatters have been reset/enabled using the .prepare()
+callback. This was done in this callback because walking the formatters use
+a mutex so it could not be done in .trigger(), which is atomic by default.
+
+It turns out there is a problem on capture path of the AXG series.
+The FIFO may get out of sync with the TDM decoder if the IP are not enabled
+in a specific order. The FIFO must be enabled before the formatter starts
+producing data. IOW, we must deal with FE before the BE. The .prepare()
+callback is called on the BEs before the FE so it is not OK for the AXG.
+
+The .trigger() callback order can be configured, and it deals with the FE
+before the BEs by default. To solve our problem, we just need to start and
+stop the formatters from the .trigger() callback. It is OK do so now that
+the links have been made 'nonatomic' in the card driver.
+
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Link: https://lore.kernel.org/r/20211020114217.133153-3-jbrunet@baylibre.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/meson/axg-tdm-interface.c | 26 +++++++++++++++++++++-----
+ 1 file changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/sound/soc/meson/axg-tdm-interface.c b/sound/soc/meson/axg-tdm-interface.c
+index 34aff050caf25..dc2fe9e2baadd 100644
+--- a/sound/soc/meson/axg-tdm-interface.c
++++ b/sound/soc/meson/axg-tdm-interface.c
+@@ -351,13 +351,29 @@ static int axg_tdm_iface_hw_free(struct snd_pcm_substream *substream,
+ return 0;
+ }
+
+-static int axg_tdm_iface_prepare(struct snd_pcm_substream *substream,
++static int axg_tdm_iface_trigger(struct snd_pcm_substream *substream,
++ int cmd,
+ struct snd_soc_dai *dai)
+ {
+- struct axg_tdm_stream *ts = snd_soc_dai_get_dma_data(dai, substream);
++ struct axg_tdm_stream *ts =
++ snd_soc_dai_get_dma_data(dai, substream);
++
++ switch (cmd) {
++ case SNDRV_PCM_TRIGGER_START:
++ case SNDRV_PCM_TRIGGER_RESUME:
++ case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
++ axg_tdm_stream_start(ts);
++ break;
++ case SNDRV_PCM_TRIGGER_SUSPEND:
++ case SNDRV_PCM_TRIGGER_PAUSE_PUSH:
++ case SNDRV_PCM_TRIGGER_STOP:
++ axg_tdm_stream_stop(ts);
++ break;
++ default:
++ return -EINVAL;
++ }
+
+- /* Force all attached formatters to update */
+- return axg_tdm_stream_reset(ts);
++ return 0;
+ }
+
+ static int axg_tdm_iface_remove_dai(struct snd_soc_dai *dai)
+@@ -397,8 +413,8 @@ static const struct snd_soc_dai_ops axg_tdm_iface_ops = {
+ .set_fmt = axg_tdm_iface_set_fmt,
+ .startup = axg_tdm_iface_startup,
+ .hw_params = axg_tdm_iface_hw_params,
+- .prepare = axg_tdm_iface_prepare,
+ .hw_free = axg_tdm_iface_hw_free,
++ .trigger = axg_tdm_iface_trigger,
+ };
+
+ /* TDM Backend DAIs */
+--
+2.43.0
+
--- /dev/null
+From d0760b92647face49ad542650d7ee669f41f01a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Apr 2024 21:44:19 +0700
+Subject: bna: ensure the copied buf is NUL terminated
+
+From: Bui Quang Minh <minhquangbui99@gmail.com>
+
+[ Upstream commit 8c34096c7fdf272fd4c0c37fe411cd2e3ed0ee9f ]
+
+Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from
+userspace to that buffer. Later, we use sscanf on this buffer but we don't
+ensure that the string is terminated inside the buffer, this can lead to
+OOB read when using sscanf. Fix this issue by using memdup_user_nul
+instead of memdup_user.
+
+Fixes: 7afc5dbde091 ("bna: Add debugfs interface.")
+Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com>
+Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-2-f1f1b53a10f4@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c
+index 04ad0f2b9677e..777f0d7e48192 100644
+--- a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c
++++ b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c
+@@ -312,7 +312,7 @@ bnad_debugfs_write_regrd(struct file *file, const char __user *buf,
+ void *kern_buf;
+
+ /* Copy the user space buf */
+- kern_buf = memdup_user(buf, nbytes);
++ kern_buf = memdup_user_nul(buf, nbytes);
+ if (IS_ERR(kern_buf))
+ return PTR_ERR(kern_buf);
+
+@@ -372,7 +372,7 @@ bnad_debugfs_write_regwr(struct file *file, const char __user *buf,
+ void *kern_buf;
+
+ /* Copy the user space buf */
+- kern_buf = memdup_user(buf, nbytes);
++ kern_buf = memdup_user_nul(buf, nbytes);
+ if (IS_ERR(kern_buf))
+ return PTR_ERR(kern_buf);
+
+--
+2.43.0
+
--- /dev/null
+From b48181f49cf695e8c3c67945390afa872f5455e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Apr 2024 20:24:18 +0200
+Subject: net: bridge: fix multicast-to-unicast with fraglist GSO
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 59c878cbcdd80ed39315573b3511d0acfd3501b5 ]
+
+Calling skb_copy on a SKB_GSO_FRAGLIST skb is not valid, since it returns
+an invalid linearized skb. This code only needs to change the ethernet
+header, so pskb_copy is the right function to call here.
+
+Fixes: 6db6f0eae605 ("bridge: multicast to unicast")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_forward.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
+index 4f8eb83976f10..0a1ca20f719da 100644
+--- a/net/bridge/br_forward.c
++++ b/net/bridge/br_forward.c
+@@ -253,7 +253,7 @@ static void maybe_deliver_addr(struct net_bridge_port *p, struct sk_buff *skb,
+ if (skb->dev == p->dev && ether_addr_equal(src, addr))
+ return;
+
+- skb = skb_copy(skb, GFP_ATOMIC);
++ skb = pskb_copy(skb, GFP_ATOMIC);
+ if (!skb) {
+ DEV_STATS_INC(dev, tx_dropped);
+ return;
+--
+2.43.0
+
--- /dev/null
+From 057ea81f0556e5bcd5f0aba207a1d2bf187e80cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Nov 2019 01:12:58 +0100
+Subject: net: dsa: mv88e6xxx: Add number of MACs in the ATU
+
+From: Andrew Lunn <andrew@lunn.ch>
+
+[ Upstream commit d9ea56206c4df77175321874544eb4ca48c0bac8 ]
+
+For each supported switch, add an entry to the info structure for the
+number of MACs which can be stored in the ATU. This will later be used
+to export the ATU as a devlink resource, and indicate its occupancy,
+how full the ATU is.
+
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: b9a61c20179f ("net: dsa: mv88e6xxx: Fix number of databases for 88E6141 / 88E6341")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 25 +++++++++++++++++++++++++
+ drivers/net/dsa/mv88e6xxx/chip.h | 6 ++++++
+ 2 files changed, 31 insertions(+)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
+index c1655e5952220..9ee144c117267 100644
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -4200,6 +4200,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .family = MV88E6XXX_FAMILY_6097,
+ .name = "Marvell 88E6085",
+ .num_databases = 4096,
++ .num_macs = 8192,
+ .num_ports = 10,
+ .num_internal_phys = 5,
+ .max_vid = 4095,
+@@ -4222,6 +4223,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .family = MV88E6XXX_FAMILY_6095,
+ .name = "Marvell 88E6095/88E6095F",
+ .num_databases = 256,
++ .num_macs = 8192,
+ .num_ports = 11,
+ .num_internal_phys = 0,
+ .max_vid = 4095,
+@@ -4242,6 +4244,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .family = MV88E6XXX_FAMILY_6097,
+ .name = "Marvell 88E6097/88E6097F",
+ .num_databases = 4096,
++ .num_macs = 8192,
+ .num_ports = 11,
+ .num_internal_phys = 8,
+ .max_vid = 4095,
+@@ -4264,6 +4267,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .family = MV88E6XXX_FAMILY_6165,
+ .name = "Marvell 88E6123",
+ .num_databases = 4096,
++ .num_macs = 1024,
+ .num_ports = 3,
+ .num_internal_phys = 5,
+ .max_vid = 4095,
+@@ -4286,6 +4290,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .family = MV88E6XXX_FAMILY_6185,
+ .name = "Marvell 88E6131",
+ .num_databases = 256,
++ .num_macs = 8192,
+ .num_ports = 8,
+ .num_internal_phys = 0,
+ .max_vid = 4095,
+@@ -4306,6 +4311,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .family = MV88E6XXX_FAMILY_6341,
+ .name = "Marvell 88E6141",
+ .num_databases = 4096,
++ .num_macs = 2048,
+ .num_ports = 6,
+ .num_internal_phys = 5,
+ .num_gpio = 11,
+@@ -4329,6 +4335,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .family = MV88E6XXX_FAMILY_6165,
+ .name = "Marvell 88E6161",
+ .num_databases = 4096,
++ .num_macs = 1024,
+ .num_ports = 6,
+ .num_internal_phys = 5,
+ .max_vid = 4095,
+@@ -4352,6 +4359,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .family = MV88E6XXX_FAMILY_6165,
+ .name = "Marvell 88E6165",
+ .num_databases = 4096,
++ .num_macs = 8192,
+ .num_ports = 6,
+ .num_internal_phys = 0,
+ .max_vid = 4095,
+@@ -4375,6 +4383,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .family = MV88E6XXX_FAMILY_6351,
+ .name = "Marvell 88E6171",
+ .num_databases = 4096,
++ .num_macs = 8192,
+ .num_ports = 7,
+ .num_internal_phys = 5,
+ .max_vid = 4095,
+@@ -4397,6 +4406,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .family = MV88E6XXX_FAMILY_6352,
+ .name = "Marvell 88E6172",
+ .num_databases = 4096,
++ .num_macs = 8192,
+ .num_ports = 7,
+ .num_internal_phys = 5,
+ .num_gpio = 15,
+@@ -4420,6 +4430,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .family = MV88E6XXX_FAMILY_6351,
+ .name = "Marvell 88E6175",
+ .num_databases = 4096,
++ .num_macs = 8192,
+ .num_ports = 7,
+ .num_internal_phys = 5,
+ .max_vid = 4095,
+@@ -4442,6 +4453,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .family = MV88E6XXX_FAMILY_6352,
+ .name = "Marvell 88E6176",
+ .num_databases = 4096,
++ .num_macs = 8192,
+ .num_ports = 7,
+ .num_internal_phys = 5,
+ .num_gpio = 15,
+@@ -4465,6 +4477,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .family = MV88E6XXX_FAMILY_6185,
+ .name = "Marvell 88E6185",
+ .num_databases = 256,
++ .num_macs = 8192,
+ .num_ports = 10,
+ .num_internal_phys = 0,
+ .max_vid = 4095,
+@@ -4485,6 +4498,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .family = MV88E6XXX_FAMILY_6390,
+ .name = "Marvell 88E6190",
+ .num_databases = 4096,
++ .num_macs = 16384,
+ .num_ports = 11, /* 10 + Z80 */
+ .num_internal_phys = 9,
+ .num_gpio = 16,
+@@ -4508,6 +4522,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .family = MV88E6XXX_FAMILY_6390,
+ .name = "Marvell 88E6190X",
+ .num_databases = 4096,
++ .num_macs = 16384,
+ .num_ports = 11, /* 10 + Z80 */
+ .num_internal_phys = 9,
+ .num_gpio = 16,
+@@ -4531,6 +4546,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .family = MV88E6XXX_FAMILY_6390,
+ .name = "Marvell 88E6191",
+ .num_databases = 4096,
++ .num_macs = 16384,
+ .num_ports = 11, /* 10 + Z80 */
+ .num_internal_phys = 9,
+ .max_vid = 8191,
+@@ -4581,6 +4597,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .family = MV88E6XXX_FAMILY_6352,
+ .name = "Marvell 88E6240",
+ .num_databases = 4096,
++ .num_macs = 8192,
+ .num_ports = 7,
+ .num_internal_phys = 5,
+ .num_gpio = 15,
+@@ -4651,6 +4668,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .family = MV88E6XXX_FAMILY_6320,
+ .name = "Marvell 88E6320",
+ .num_databases = 4096,
++ .num_macs = 8192,
+ .num_ports = 7,
+ .num_internal_phys = 5,
+ .num_gpio = 15,
+@@ -4675,6 +4693,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .family = MV88E6XXX_FAMILY_6320,
+ .name = "Marvell 88E6321",
+ .num_databases = 4096,
++ .num_macs = 8192,
+ .num_ports = 7,
+ .num_internal_phys = 5,
+ .num_gpio = 15,
+@@ -4698,6 +4717,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .family = MV88E6XXX_FAMILY_6341,
+ .name = "Marvell 88E6341",
+ .num_databases = 4096,
++ .num_macs = 2048,
+ .num_internal_phys = 5,
+ .num_ports = 6,
+ .num_gpio = 11,
+@@ -4722,6 +4742,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .family = MV88E6XXX_FAMILY_6351,
+ .name = "Marvell 88E6350",
+ .num_databases = 4096,
++ .num_macs = 8192,
+ .num_ports = 7,
+ .num_internal_phys = 5,
+ .max_vid = 4095,
+@@ -4744,6 +4765,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .family = MV88E6XXX_FAMILY_6351,
+ .name = "Marvell 88E6351",
+ .num_databases = 4096,
++ .num_macs = 8192,
+ .num_ports = 7,
+ .num_internal_phys = 5,
+ .max_vid = 4095,
+@@ -4766,6 +4788,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .family = MV88E6XXX_FAMILY_6352,
+ .name = "Marvell 88E6352",
+ .num_databases = 4096,
++ .num_macs = 8192,
+ .num_ports = 7,
+ .num_internal_phys = 5,
+ .num_gpio = 15,
+@@ -4789,6 +4812,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .family = MV88E6XXX_FAMILY_6390,
+ .name = "Marvell 88E6390",
+ .num_databases = 4096,
++ .num_macs = 16384,
+ .num_ports = 11, /* 10 + Z80 */
+ .num_internal_phys = 9,
+ .num_gpio = 16,
+@@ -4812,6 +4836,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .family = MV88E6XXX_FAMILY_6390,
+ .name = "Marvell 88E6390X",
+ .num_databases = 4096,
++ .num_macs = 16384,
+ .num_ports = 11, /* 10 + Z80 */
+ .num_internal_phys = 9,
+ .num_gpio = 16,
+diff --git a/drivers/net/dsa/mv88e6xxx/chip.h b/drivers/net/dsa/mv88e6xxx/chip.h
+index e9b1a1ac9a8e2..24dd73be37040 100644
+--- a/drivers/net/dsa/mv88e6xxx/chip.h
++++ b/drivers/net/dsa/mv88e6xxx/chip.h
+@@ -94,6 +94,7 @@ struct mv88e6xxx_info {
+ u16 prod_num;
+ const char *name;
+ unsigned int num_databases;
++ unsigned int num_macs;
+ unsigned int num_ports;
+ unsigned int num_internal_phys;
+ unsigned int num_gpio;
+@@ -609,6 +610,11 @@ static inline unsigned int mv88e6xxx_num_databases(struct mv88e6xxx_chip *chip)
+ return chip->info->num_databases;
+ }
+
++static inline unsigned int mv88e6xxx_num_macs(struct mv88e6xxx_chip *chip)
++{
++ return chip->info->num_macs;
++}
++
+ static inline unsigned int mv88e6xxx_num_ports(struct mv88e6xxx_chip *chip)
+ {
+ return chip->info->num_ports;
+--
+2.43.0
+
--- /dev/null
+From fe33209042c49a87b128d008c2c3788e7b599e19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Apr 2024 15:38:32 +0200
+Subject: net: dsa: mv88e6xxx: Fix number of databases for 88E6141 / 88E6341
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún <kabel@kernel.org>
+
+[ Upstream commit b9a61c20179fda7bdfe2c1210aa72451991ab81a ]
+
+The Topaz family (88E6141 and 88E6341) only support 256 Forwarding
+Information Tables.
+
+Fixes: a75961d0ebfd ("net: dsa: mv88e6xxx: Add support for ethernet switch 88E6341")
+Fixes: 1558727a1c1b ("net: dsa: mv88e6xxx: Add support for ethernet switch 88E6141")
+Signed-off-by: Marek Behún <kabel@kernel.org>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://lore.kernel.org/r/20240429133832.9547-1-kabel@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
+index 9ee144c117267..81e6227cc8758 100644
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -4310,7 +4310,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .prod_num = MV88E6XXX_PORT_SWITCH_ID_PROD_6141,
+ .family = MV88E6XXX_FAMILY_6341,
+ .name = "Marvell 88E6141",
+- .num_databases = 4096,
++ .num_databases = 256,
+ .num_macs = 2048,
+ .num_ports = 6,
+ .num_internal_phys = 5,
+@@ -4716,7 +4716,7 @@ static const struct mv88e6xxx_info mv88e6xxx_table[] = {
+ .prod_num = MV88E6XXX_PORT_SWITCH_ID_PROD_6341,
+ .family = MV88E6XXX_FAMILY_6341,
+ .name = "Marvell 88E6341",
+- .num_databases = 4096,
++ .num_databases = 256,
+ .num_macs = 2048,
+ .num_internal_phys = 5,
+ .num_ports = 6,
+--
+2.43.0
+
--- /dev/null
+From dbb91a698082fc8c9e811399364deab39fecca19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Apr 2024 19:11:10 +0200
+Subject: net l2tp: drop flow hash on forward
+
+From: David Bauer <mail@david-bauer.net>
+
+[ Upstream commit 42f853b42899d9b445763b55c3c8adc72be0f0e1 ]
+
+Drop the flow-hash of the skb when forwarding to the L2TP netdev.
+
+This avoids the L2TP qdisc from using the flow-hash from the outer
+packet, which is identical for every flow within the tunnel.
+
+This does not affect every platform but is specific for the ethernet
+driver. It depends on the platform including L4 information in the
+flow-hash.
+
+One such example is the Mediatek Filogic MT798x family of networking
+processors.
+
+Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
+Acked-by: James Chapman <jchapman@katalix.com>
+Signed-off-by: David Bauer <mail@david-bauer.net>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20240424171110.13701-1-mail@david-bauer.net
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_eth.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
+index d3b520b9b2c9d..2c5853597aa90 100644
+--- a/net/l2tp/l2tp_eth.c
++++ b/net/l2tp/l2tp_eth.c
+@@ -149,6 +149,9 @@ static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb,
+ /* checksums verified by L2TP */
+ skb->ip_summed = CHECKSUM_NONE;
+
++ /* drop outer flow-hash */
++ skb_clear_hash(skb);
++
+ skb_dst_drop(skb);
+ nf_reset_ct(skb);
+
+--
+2.43.0
+
--- /dev/null
+From dbc461879f2594946190b2ac85a04fd6cdebd9e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Apr 2024 09:12:25 +0000
+Subject: net: qede: use return from qede_parse_flow_attr() for flow_spec
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Asbjørn Sloth Tønnesen <ast@fiberby.net>
+
+[ Upstream commit 27b44414a34b108c5a37cd5b4894f606061d86e7 ]
+
+In qede_flow_spec_to_rule(), when calling
+qede_parse_flow_attr() then the return code
+was only used for a non-zero check, and then
+-EINVAL was returned.
+
+qede_parse_flow_attr() can currently fail with:
+* -EINVAL
+* -EOPNOTSUPP
+* -EPROTONOSUPPORT
+
+This patch changes the code to use the actual
+return code, not just return -EINVAL.
+
+The blaimed commit introduced qede_flow_spec_to_rule(),
+and this call to qede_parse_flow_attr(), it looks
+like it just duplicated how it was already used.
+
+Only compile tested.
+
+Fixes: 37c5d3efd7f8 ("qede: use ethtool_rx_flow_rule() to remove duplicated parser code")
+Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.net>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qede/qede_filter.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qede/qede_filter.c b/drivers/net/ethernet/qlogic/qede/qede_filter.c
+index 5041994bf03fb..31223de0c766e 100644
+--- a/drivers/net/ethernet/qlogic/qede/qede_filter.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_filter.c
+@@ -2079,10 +2079,9 @@ static int qede_flow_spec_to_rule(struct qede_dev *edev,
+ if (IS_ERR(flow))
+ return PTR_ERR(flow);
+
+- if (qede_parse_flow_attr(edev, proto, flow->rule, t)) {
+- err = -EINVAL;
++ err = qede_parse_flow_attr(edev, proto, flow->rule, t);
++ if (err)
+ goto err_out;
+- }
+
+ /* Make sure location is valid and filter isn't already set */
+ err = qede_flow_spec_validate(edev, &flow->rule->action, t,
+--
+2.43.0
+
--- /dev/null
+From 86c80920e2093e21738b596e87d2d7f6e19d1276 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Apr 2024 19:35:49 -0700
+Subject: nsh: Restore skb->{protocol,data,mac_header} for outer header in
+ nsh_gso_segment().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 4b911a9690d72641879ea6d13cce1de31d346d79 ]
+
+syzbot triggered various splats (see [0] and links) by a crafted GSO
+packet of VIRTIO_NET_HDR_GSO_UDP layering the following protocols:
+
+ ETH_P_8021AD + ETH_P_NSH + ETH_P_IPV6 + IPPROTO_UDP
+
+NSH can encapsulate IPv4, IPv6, Ethernet, NSH, and MPLS. As the inner
+protocol can be Ethernet, NSH GSO handler, nsh_gso_segment(), calls
+skb_mac_gso_segment() to invoke inner protocol GSO handlers.
+
+nsh_gso_segment() does the following for the original skb before
+calling skb_mac_gso_segment()
+
+ 1. reset skb->network_header
+ 2. save the original skb->{mac_heaeder,mac_len} in a local variable
+ 3. pull the NSH header
+ 4. resets skb->mac_header
+ 5. set up skb->mac_len and skb->protocol for the inner protocol.
+
+and does the following for the segmented skb
+
+ 6. set ntohs(ETH_P_NSH) to skb->protocol
+ 7. push the NSH header
+ 8. restore skb->mac_header
+ 9. set skb->mac_header + mac_len to skb->network_header
+ 10. restore skb->mac_len
+
+There are two problems in 6-7 and 8-9.
+
+ (a)
+ After 6 & 7, skb->data points to the NSH header, so the outer header
+ (ETH_P_8021AD in this case) is stripped when skb is sent out of netdev.
+
+ Also, if NSH is encapsulated by NSH + Ethernet (so NSH-Ethernet-NSH),
+ skb_pull() in the first nsh_gso_segment() will make skb->data point
+ to the middle of the outer NSH or Ethernet header because the Ethernet
+ header is not pulled by the second nsh_gso_segment().
+
+ (b)
+ While restoring skb->{mac_header,network_header} in 8 & 9,
+ nsh_gso_segment() does not assume that the data in the linear
+ buffer is shifted.
+
+ However, udp6_ufo_fragment() could shift the data and change
+ skb->mac_header accordingly as demonstrated by syzbot.
+
+ If this happens, even the restored skb->mac_header points to
+ the middle of the outer header.
+
+It seems nsh_gso_segment() has never worked with outer headers so far.
+
+At the end of nsh_gso_segment(), the outer header must be restored for
+the segmented skb, instead of the NSH header.
+
+To do that, let's calculate the outer header position relatively from
+the inner header and set skb->{data,mac_header,protocol} properly.
+
+[0]:
+BUG: KMSAN: uninit-value in ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]
+BUG: KMSAN: uninit-value in ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
+BUG: KMSAN: uninit-value in ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668
+ ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]
+ ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
+ ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668
+ ipvlan_start_xmit+0x5c/0x1a0 drivers/net/ipvlan/ipvlan_main.c:222
+ __netdev_start_xmit include/linux/netdevice.h:4989 [inline]
+ netdev_start_xmit include/linux/netdevice.h:5003 [inline]
+ xmit_one net/core/dev.c:3547 [inline]
+ dev_hard_start_xmit+0x244/0xa10 net/core/dev.c:3563
+ __dev_queue_xmit+0x33ed/0x51c0 net/core/dev.c:4351
+ dev_queue_xmit include/linux/netdevice.h:3171 [inline]
+ packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
+ packet_snd net/packet/af_packet.c:3081 [inline]
+ packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg net/socket.c:745 [inline]
+ __sys_sendto+0x735/0xa10 net/socket.c:2191
+ __do_sys_sendto net/socket.c:2203 [inline]
+ __se_sys_sendto net/socket.c:2199 [inline]
+ __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:3819 [inline]
+ slab_alloc_node mm/slub.c:3860 [inline]
+ __do_kmalloc_node mm/slub.c:3980 [inline]
+ __kmalloc_node_track_caller+0x705/0x1000 mm/slub.c:4001
+ kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582
+ __alloc_skb+0x352/0x790 net/core/skbuff.c:651
+ skb_segment+0x20aa/0x7080 net/core/skbuff.c:4647
+ udp6_ufo_fragment+0xcab/0x1150 net/ipv6/udp_offload.c:109
+ ipv6_gso_segment+0x14be/0x2ca0 net/ipv6/ip6_offload.c:152
+ skb_mac_gso_segment+0x3e8/0x760 net/core/gso.c:53
+ nsh_gso_segment+0x6f4/0xf70 net/nsh/nsh.c:108
+ skb_mac_gso_segment+0x3e8/0x760 net/core/gso.c:53
+ __skb_gso_segment+0x4b0/0x730 net/core/gso.c:124
+ skb_gso_segment include/net/gso.h:83 [inline]
+ validate_xmit_skb+0x107f/0x1930 net/core/dev.c:3628
+ __dev_queue_xmit+0x1f28/0x51c0 net/core/dev.c:4343
+ dev_queue_xmit include/linux/netdevice.h:3171 [inline]
+ packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
+ packet_snd net/packet/af_packet.c:3081 [inline]
+ packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg net/socket.c:745 [inline]
+ __sys_sendto+0x735/0xa10 net/socket.c:2191
+ __do_sys_sendto net/socket.c:2203 [inline]
+ __se_sys_sendto net/socket.c:2199 [inline]
+ __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+CPU: 1 PID: 5101 Comm: syz-executor421 Not tainted 6.8.0-rc5-syzkaller-00297-gf2e367d6ad3b #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
+
+Fixes: c411ed854584 ("nsh: add GSO support")
+Reported-and-tested-by: syzbot+42a0dc856239de4de60e@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=42a0dc856239de4de60e
+Reported-and-tested-by: syzbot+c298c9f0e46a3c86332b@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c298c9f0e46a3c86332b
+Link: https://lore.kernel.org/netdev/20240415222041.18537-1-kuniyu@amazon.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://lore.kernel.org/r/20240424023549.21862-1-kuniyu@amazon.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nsh/nsh.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/net/nsh/nsh.c b/net/nsh/nsh.c
+index 0f23e5e8e03eb..3e0fc71d95a14 100644
+--- a/net/nsh/nsh.c
++++ b/net/nsh/nsh.c
+@@ -76,13 +76,15 @@ EXPORT_SYMBOL_GPL(nsh_pop);
+ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb,
+ netdev_features_t features)
+ {
++ unsigned int outer_hlen, mac_len, nsh_len;
+ struct sk_buff *segs = ERR_PTR(-EINVAL);
+ u16 mac_offset = skb->mac_header;
+- unsigned int nsh_len, mac_len;
+- __be16 proto;
++ __be16 outer_proto, proto;
+
+ skb_reset_network_header(skb);
+
++ outer_proto = skb->protocol;
++ outer_hlen = skb_mac_header_len(skb);
+ mac_len = skb->mac_len;
+
+ if (unlikely(!pskb_may_pull(skb, NSH_BASE_HDR_LEN)))
+@@ -112,10 +114,10 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb,
+ }
+
+ for (skb = segs; skb; skb = skb->next) {
+- skb->protocol = htons(ETH_P_NSH);
+- __skb_push(skb, nsh_len);
+- skb->mac_header = mac_offset;
+- skb->network_header = skb->mac_header + mac_len;
++ skb->protocol = outer_proto;
++ __skb_push(skb, nsh_len + outer_hlen);
++ skb_reset_mac_header(skb);
++ skb_set_network_header(skb, outer_hlen);
+ skb->mac_len = mac_len;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From e18ec87e1ba28300a42810cdc72787df67b20288 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Apr 2024 13:42:20 +0200
+Subject: s390/mm: Fix clearing storage keys for huge pages
+
+From: Claudio Imbrenda <imbrenda@linux.ibm.com>
+
+[ Upstream commit 412050af2ea39407fe43324b0be4ab641530ce88 ]
+
+The function __storage_key_init_range() expects the end address to be
+the first byte outside the range to be initialized. I.e. end - start
+should be the size of the area to be initialized.
+
+The current code works because __storage_key_init_range() will still loop
+over every page in the range, but it is slower than using sske_frame().
+
+Fixes: 3afdfca69870 ("s390/mm: Clear skeys for newly mapped huge guest pmds")
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Link: https://lore.kernel.org/r/20240416114220.28489-3-imbrenda@linux.ibm.com
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/mm/hugetlbpage.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/mm/hugetlbpage.c b/arch/s390/mm/hugetlbpage.c
+index ff8234bca56cd..6b688e3498c01 100644
+--- a/arch/s390/mm/hugetlbpage.c
++++ b/arch/s390/mm/hugetlbpage.c
+@@ -146,7 +146,7 @@ static void clear_huge_pte_skeys(struct mm_struct *mm, unsigned long rste)
+ }
+
+ if (!test_and_set_bit(PG_arch_1, &page->flags))
+- __storage_key_init_range(paddr, paddr + size - 1);
++ __storage_key_init_range(paddr, paddr + size);
+ }
+
+ void set_huge_pte_at(struct mm_struct *mm, unsigned long addr,
+--
+2.43.0
+
--- /dev/null
+From 14d9120e5659eb42cc3a1fd3d98bcb6004fcf429 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Apr 2024 13:42:19 +0200
+Subject: s390/mm: Fix storage key clearing for guest huge pages
+
+From: Claudio Imbrenda <imbrenda@linux.ibm.com>
+
+[ Upstream commit 843c3280686fc1a83d89ee1e0b5599c9f6b09d0c ]
+
+The function __storage_key_init_range() expects the end address to be
+the first byte outside the range to be initialized. I.e. end - start
+should be the size of the area to be initialized.
+
+The current code works because __storage_key_init_range() will still loop
+over every page in the range, but it is slower than using sske_frame().
+
+Fixes: 964c2c05c9f3 ("s390/mm: Clear huge page storage keys on enable_skey")
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Link: https://lore.kernel.org/r/20240416114220.28489-2-imbrenda@linux.ibm.com
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/mm/gmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c
+index 19ee8355b2a7f..5c41d1ab2a622 100644
+--- a/arch/s390/mm/gmap.c
++++ b/arch/s390/mm/gmap.c
+@@ -2610,7 +2610,7 @@ static int __s390_enable_skey_hugetlb(pte_t *pte, unsigned long addr,
+ return 0;
+
+ start = pmd_val(*pmd) & HPAGE_MASK;
+- end = start + HPAGE_SIZE - 1;
++ end = start + HPAGE_SIZE;
+ __storage_key_init_range(start, end);
+ set_bit(PG_arch_1, &page->flags);
+ cond_resched();
+--
+2.43.0
+
nfs-handle-error-of-rpc_proc_register-in-nfs_net_ini.patch
power-rt9455-hide-unused-rt9455_boost_voltage_values.patch
pinctrl-devicetree-fix-refcount-leak-in-pinctrl_dt_t.patch
+s390-mm-fix-storage-key-clearing-for-guest-huge-page.patch
+s390-mm-fix-clearing-storage-keys-for-huge-pages.patch
+bna-ensure-the-copied-buf-is-nul-terminated.patch
+nsh-restore-skb-protocol-data-mac_header-for-outer-h.patch
+net-l2tp-drop-flow-hash-on-forward.patch
+net-qede-use-return-from-qede_parse_flow_attr-for-fl.patch
+asoc-meson-axg-card-make-links-nonatomic.patch
+asoc-meson-axg-tdm-interface-manage-formatters-in-tr.patch
+net-dsa-mv88e6xxx-add-number-of-macs-in-the-atu.patch
+net-dsa-mv88e6xxx-fix-number-of-databases-for-88e614.patch
+net-bridge-fix-multicast-to-unicast-with-fraglist-gs.patch
+tipc-fix-a-possible-memleak-in-tipc_buf_append.patch
--- /dev/null
+From fc27150c316b4b6424b243ebf44324a6b17bdb44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Apr 2024 10:03:38 -0400
+Subject: tipc: fix a possible memleak in tipc_buf_append
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 97bf6f81b29a8efaf5d0983251a7450e5794370d ]
+
+__skb_linearize() doesn't free the skb when it fails, so move
+'*buf = NULL' after __skb_linearize(), so that the skb can be
+freed on the err path.
+
+Fixes: b7df21cf1b79 ("tipc: skb_linearize the head skb when reassembling msgs")
+Reported-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
+Link: https://lore.kernel.org/r/90710748c29a1521efac4f75ea01b3b7e61414cf.1714485818.git.lucien.xin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/msg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tipc/msg.c b/net/tipc/msg.c
+index e4ea942873d49..c04fcf71d74d6 100644
+--- a/net/tipc/msg.c
++++ b/net/tipc/msg.c
+@@ -140,9 +140,9 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf)
+ if (fragid == FIRST_FRAGMENT) {
+ if (unlikely(head))
+ goto err;
+- *buf = NULL;
+ if (skb_has_frag_list(frag) && __skb_linearize(frag))
+ goto err;
++ *buf = NULL;
+ frag = skb_unshare(frag, GFP_ATOMIC);
+ if (unlikely(!frag))
+ goto err;
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
