]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
Fixes for 6.7
authorSasha Levin <sashal@kernel.org>
Fri, 8 Mar 2024 17:00:16 +0000 (12:00 -0500)
committerSasha Levin <sashal@kernel.org>
Fri, 8 Mar 2024 17:00:16 +0000 (12:00 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
49 files changed:
queue-6.7/bpf-check-bpf_func_state-callback_depth-when-pruning.patch [new file with mode: 0644]
queue-6.7/cpumap-zero-initialise-xdp_rxq_info-struct-before-ru.patch [new file with mode: 0644]
queue-6.7/erofs-apply-proper-vma-alignment-for-memory-mapped-f.patch [new file with mode: 0644]
queue-6.7/geneve-make-sure-to-pull-inner-header-in-geneve_rx.patch [new file with mode: 0644]
queue-6.7/i40e-disable-napi-right-after-disabling-irqs-when-ha.patch [new file with mode: 0644]
queue-6.7/ice-fix-uninitialized-dplls-mutex-usage.patch [new file with mode: 0644]
queue-6.7/ice-reconfig-host-after-changing-msi-x-on-vf.patch [new file with mode: 0644]
queue-6.7/ice-reorder-disabling-irq-and-napi-in-ice_qp_dis.patch [new file with mode: 0644]
queue-6.7/ice-replace-ice_vf_recreate_vsi-with-ice_vf_reconfig.patch [new file with mode: 0644]
queue-6.7/ice-virtchnl-stop-pretending-to-support-rss-over-aq-.patch [new file with mode: 0644]
queue-6.7/idpf-disable-local-bh-when-scheduling-napi-for-marke.patch [new file with mode: 0644]
queue-6.7/igc-avoid-returning-frame-twice-in-xdp_redirect.patch [new file with mode: 0644]
queue-6.7/ixgbe-dis-en-able-irqs-in-ixgbe_txrx_ring_-dis-en-ab.patch [new file with mode: 0644]
queue-6.7/net-dsa-microchip-fix-register-write-order-in-ksz8_i.patch [new file with mode: 0644]
queue-6.7/net-ice-fix-potential-null-pointer-dereference-in-ic.patch [new file with mode: 0644]
queue-6.7/net-ipv6-avoid-possible-uaf-in-ip6_route_mpath_notif.patch [new file with mode: 0644]
queue-6.7/net-lan78xx-fix-runtime-pm-count-underflow-on-link-s.patch [new file with mode: 0644]
queue-6.7/net-mlx5-check-capability-for-fw_reset.patch [new file with mode: 0644]
queue-6.7/net-mlx5-e-switch-change-flow-rule-destination-check.patch [new file with mode: 0644]
queue-6.7/net-mlx5-fix-fw-reporter-diagnose-output.patch [new file with mode: 0644]
queue-6.7/net-mlx5e-change-the-warning-when-ignore_flow_level-.patch [new file with mode: 0644]
queue-6.7/net-mlx5e-fix-macsec-state-loss-upon-state-update-in.patch [new file with mode: 0644]
queue-6.7/net-mlx5e-switch-to-using-_bh-variant-of-of-spinlock.patch [new file with mode: 0644]
queue-6.7/net-mlx5e-use-a-memory-barrier-to-enforce-ptp-wq-xmi.patch [new file with mode: 0644]
queue-6.7/net-pds_core-fix-possible-double-free-in-error-handl.patch [new file with mode: 0644]
queue-6.7/net-rds-fix-warning-in-rds_conn_connect_if_down.patch [new file with mode: 0644]
queue-6.7/net-sparx5-fix-use-after-free-inside-sparx5_del_mact.patch [new file with mode: 0644]
queue-6.7/netfilter-nf_conntrack_h323-add-protection-for-bmp-l.patch [new file with mode: 0644]
queue-6.7/netfilter-nft_ct-fix-l3num-expectations-with-inet-ps.patch [new file with mode: 0644]
queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_default_.patch [new file with mode: 0644]
queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_link_fai.patch [new file with mode: 0644]
queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_obsolesc.patch [new file with mode: 0644]
queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_routing_.patch [new file with mode: 0644]
queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch [new file with mode: 0644]
queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-14703 [new file with mode: 0644]
queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-19245 [new file with mode: 0644]
queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-19389 [new file with mode: 0644]
queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-24045 [new file with mode: 0644]
queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-8430 [new file with mode: 0644]
queue-6.7/netrom-fix-data-races-around-sysctl_net_busy_read.patch [new file with mode: 0644]
queue-6.7/netrom-fix-data-races-around-sysctl_netrom_network_t.patch [new file with mode: 0644]
queue-6.7/revert-net-mlx5-block-entering-switchdev-mode-with-n.patch [new file with mode: 0644]
queue-6.7/revert-net-mlx5e-check-the-number-of-elements-before.patch [new file with mode: 0644]
queue-6.7/selftests-bpf-fix-up-xdp-bonding-test-wrt-feature-fl.patch [new file with mode: 0644]
queue-6.7/series
queue-6.7/tracing-net_sched-fix-tracepoints-that-save-qdisc_de.patch [new file with mode: 0644]
queue-6.7/xdp-bonding-fix-feature-flags-when-there-are-no-slav.patch [new file with mode: 0644]
queue-6.7/xfrm-clear-low-order-bits-of-flowi4_tos-in-decode_se.patch [new file with mode: 0644]
queue-6.7/xfrm-pass-udp-encapsulation-in-tx-packet-offload.patch [new file with mode: 0644]

diff --git a/queue-6.7/bpf-check-bpf_func_state-callback_depth-when-pruning.patch b/queue-6.7/bpf-check-bpf_func_state-callback_depth-when-pruning.patch
new file mode 100644 (file)
index 0000000..f64dd9d
--- /dev/null
@@ -0,0 +1,125 @@
+From 25f06944c5c6722539dd95d697e6bda8aa68b7fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Feb 2024 17:41:20 +0200
+Subject: bpf: check bpf_func_state->callback_depth when pruning states
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit e9a8e5a587ca55fec6c58e4881742705d45bee54 ]
+
+When comparing current and cached states verifier should consider
+bpf_func_state->callback_depth. Current state cannot be pruned against
+cached state, when current states has more iterations left compared to
+cached state. Current state has more iterations left when it's
+callback_depth is smaller.
+
+Below is an example illustrating this bug, minimized from mailing list
+discussion [0] (assume that BPF_F_TEST_STATE_FREQ is set).
+The example is not a safe program: if loop_cb point (1) is followed by
+loop_cb point (2), then division by zero is possible at point (4).
+
+    struct ctx {
+       __u64 a;
+       __u64 b;
+       __u64 c;
+    };
+
+    static void loop_cb(int i, struct ctx *ctx)
+    {
+       /* assume that generated code is "fallthrough-first":
+        * if ... == 1 goto
+        * if ... == 2 goto
+        * <default>
+        */
+       switch (bpf_get_prandom_u32()) {
+       case 1:  /* 1 */ ctx->a = 42; return 0; break;
+       case 2:  /* 2 */ ctx->b = 42; return 0; break;
+       default: /* 3 */ ctx->c = 42; return 0; break;
+       }
+    }
+
+    SEC("tc")
+    __failure
+    __flag(BPF_F_TEST_STATE_FREQ)
+    int test(struct __sk_buff *skb)
+    {
+       struct ctx ctx = { 7, 7, 7 };
+
+       bpf_loop(2, loop_cb, &ctx, 0);              /* 0 */
+       /* assume generated checks are in-order: .a first */
+       if (ctx.a == 42 && ctx.b == 42 && ctx.c == 7)
+               asm volatile("r0 /= 0;":::"r0");    /* 4 */
+       return 0;
+    }
+
+Prior to this commit verifier built the following checkpoint tree for
+this example:
+
+ .------------------------------------- Checkpoint / State name
+ |    .-------------------------------- Code point number
+ |    |   .---------------------------- Stack state {ctx.a,ctx.b,ctx.c}
+ |    |   |        .------------------- Callback depth in frame #0
+ v    v   v        v
+   - (0) {7P,7P,7},depth=0
+     - (3) {7P,7P,7},depth=1
+       - (0) {7P,7P,42},depth=1
+         - (3) {7P,7,42},depth=2
+           - (0) {7P,7,42},depth=2      loop terminates because of depth limit
+             - (4) {7P,7,42},depth=0    predicted false, ctx.a marked precise
+             - (6) exit
+(a)      - (2) {7P,7,42},depth=2
+           - (0) {7P,42,42},depth=2     loop terminates because of depth limit
+             - (4) {7P,42,42},depth=0   predicted false, ctx.a marked precise
+             - (6) exit
+(b)      - (1) {7P,7P,42},depth=2
+           - (0) {42P,7P,42},depth=2    loop terminates because of depth limit
+             - (4) {42P,7P,42},depth=0  predicted false, ctx.{a,b} marked precise
+             - (6) exit
+     - (2) {7P,7,7},depth=1             considered safe, pruned using checkpoint (a)
+(c)  - (1) {7P,7P,7},depth=1            considered safe, pruned using checkpoint (b)
+
+Here checkpoint (b) has callback_depth of 2, meaning that it would
+never reach state {42,42,7}.
+While checkpoint (c) has callback_depth of 1, and thus
+could yet explore the state {42,42,7} if not pruned prematurely.
+This commit makes forbids such premature pruning,
+allowing verifier to explore states sub-tree starting at (c):
+
+(c)  - (1) {7,7,7P},depth=1
+       - (0) {42P,7,7P},depth=1
+         ...
+         - (2) {42,7,7},depth=2
+           - (0) {42,42,7},depth=2      loop terminates because of depth limit
+             - (4) {42,42,7},depth=0    predicted true, ctx.{a,b,c} marked precise
+               - (5) division by zero
+
+[0] https://lore.kernel.org/bpf/9b251840-7cb8-4d17-bd23-1fc8071d8eef@linux.dev/
+
+Fixes: bb124da69c47 ("bpf: keep track of max number of bpf_loop callback iterations")
+Suggested-by: Yonghong Song <yonghong.song@linux.dev>
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Acked-by: Yonghong Song <yonghong.song@linux.dev>
+Link: https://lore.kernel.org/r/20240222154121.6991-2-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index e215413c79a52..9698e93d48c6e 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -16686,6 +16686,9 @@ static bool func_states_equal(struct bpf_verifier_env *env, struct bpf_func_stat
+ {
+       int i;
++      if (old->callback_depth > cur->callback_depth)
++              return false;
++
+       for (i = 0; i < MAX_BPF_REG; i++)
+               if (!regsafe(env, &old->regs[i], &cur->regs[i],
+                            &env->idmap_scratch, exact))
+-- 
+2.43.0
+
diff --git a/queue-6.7/cpumap-zero-initialise-xdp_rxq_info-struct-before-ru.patch b/queue-6.7/cpumap-zero-initialise-xdp_rxq_info-struct-before-ru.patch
new file mode 100644 (file)
index 0000000..b7a3adb
--- /dev/null
@@ -0,0 +1,49 @@
+From 41e06213f1b82baed86bda84c78674c6d3d60c49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Mar 2024 22:31:32 +0100
+Subject: cpumap: Zero-initialise xdp_rxq_info struct before running XDP
+ program
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit 2487007aa3b9fafbd2cb14068f49791ce1d7ede5 ]
+
+When running an XDP program that is attached to a cpumap entry, we don't
+initialise the xdp_rxq_info data structure being used in the xdp_buff
+that backs the XDP program invocation. Tobias noticed that this leads to
+random values being returned as the xdp_md->rx_queue_index value for XDP
+programs running in a cpumap.
+
+This means we're basically returning the contents of the uninitialised
+memory, which is bad. Fix this by zero-initialising the rxq data
+structure before running the XDP program.
+
+Fixes: 9216477449f3 ("bpf: cpumap: Add the possibility to attach an eBPF program to cpumap")
+Reported-by: Tobias Böhm <tobias@aibor.de>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Link: https://lore.kernel.org/r/20240305213132.11955-1-toke@redhat.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/cpumap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/cpumap.c b/kernel/bpf/cpumap.c
+index 8a0bb80fe48a3..ef82ffc90cbe9 100644
+--- a/kernel/bpf/cpumap.c
++++ b/kernel/bpf/cpumap.c
+@@ -178,7 +178,7 @@ static int cpu_map_bpf_prog_run_xdp(struct bpf_cpu_map_entry *rcpu,
+                                   void **frames, int n,
+                                   struct xdp_cpumap_stats *stats)
+ {
+-      struct xdp_rxq_info rxq;
++      struct xdp_rxq_info rxq = {};
+       struct xdp_buff xdp;
+       int i, nframes = 0;
+-- 
+2.43.0
+
diff --git a/queue-6.7/erofs-apply-proper-vma-alignment-for-memory-mapped-f.patch b/queue-6.7/erofs-apply-proper-vma-alignment-for-memory-mapped-f.patch
new file mode 100644 (file)
index 0000000..a88c1a7
--- /dev/null
@@ -0,0 +1,47 @@
+From ec1a3ca7247d5682d8dffdd506bbda903eed98af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Mar 2024 13:31:38 +0800
+Subject: erofs: apply proper VMA alignment for memory mapped files on THP
+
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+
+[ Upstream commit 4127caee89612a84adedd78c9453089138cd5afe ]
+
+There are mainly two reasons that thp_get_unmapped_area() should be
+used for EROFS as other filesystems:
+
+ - It's needed to enable PMD mappings as a FSDAX filesystem, see
+   commit 74d2fad1334d ("thp, dax: add thp_get_unmapped_area for pmd
+   mappings");
+
+ - It's useful together with large folios and
+   CONFIG_READ_ONLY_THP_FOR_FS which enable THPs for mmapped files
+   (e.g. shared libraries) even without FSDAX.  See commit 1854bc6e2420
+   ("mm/readahead: Align file mappings for non-DAX").
+
+Fixes: 06252e9ce05b ("erofs: dax support for non-tailpacking regular file")
+Fixes: ce529cc25b18 ("erofs: enable large folios for iomap mode")
+Fixes: e6687b89225e ("erofs: enable large folios for fscache mode")
+Reviewed-by: Jingbo Xu <jefflexu@linux.alibaba.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20240306053138.2240206-1-hsiangkao@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/data.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/erofs/data.c b/fs/erofs/data.c
+index c98aeda8abb21..3d9721b3faa81 100644
+--- a/fs/erofs/data.c
++++ b/fs/erofs/data.c
+@@ -447,5 +447,6 @@ const struct file_operations erofs_file_fops = {
+       .llseek         = generic_file_llseek,
+       .read_iter      = erofs_file_read_iter,
+       .mmap           = erofs_file_mmap,
++      .get_unmapped_area = thp_get_unmapped_area,
+       .splice_read    = filemap_splice_read,
+ };
+-- 
+2.43.0
+
diff --git a/queue-6.7/geneve-make-sure-to-pull-inner-header-in-geneve_rx.patch b/queue-6.7/geneve-make-sure-to-pull-inner-header-in-geneve_rx.patch
new file mode 100644 (file)
index 0000000..2e855c9
--- /dev/null
@@ -0,0 +1,139 @@
+From 43a2e4429cd9b599deb53a290a3454ca750e5e34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Feb 2024 13:11:52 +0000
+Subject: geneve: make sure to pull inner header in geneve_rx()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 1ca1ba465e55b9460e4e75dec9fff31e708fec74 ]
+
+syzbot triggered a bug in geneve_rx() [1]
+
+Issue is similar to the one I fixed in commit 8d975c15c0cd
+("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")
+
+We have to save skb->network_header in a temporary variable
+in order to be able to recompute the network_header pointer
+after a pskb_inet_may_pull() call.
+
+pskb_inet_may_pull() makes sure the needed headers are in skb->head.
+
+[1]
+BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
+ BUG: KMSAN: uninit-value in geneve_rx drivers/net/geneve.c:279 [inline]
+ BUG: KMSAN: uninit-value in geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391
+  IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
+  geneve_rx drivers/net/geneve.c:279 [inline]
+  geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391
+  udp_queue_rcv_one_skb+0x1d39/0x1f20 net/ipv4/udp.c:2108
+  udp_queue_rcv_skb+0x6ae/0x6e0 net/ipv4/udp.c:2186
+  udp_unicast_rcv_skb+0x184/0x4b0 net/ipv4/udp.c:2346
+  __udp4_lib_rcv+0x1c6b/0x3010 net/ipv4/udp.c:2422
+  udp_rcv+0x7d/0xa0 net/ipv4/udp.c:2604
+  ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205
+  ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233
+  NF_HOOK include/linux/netfilter.h:314 [inline]
+  ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254
+  dst_input include/net/dst.h:461 [inline]
+  ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
+  NF_HOOK include/linux/netfilter.h:314 [inline]
+  ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569
+  __netif_receive_skb_one_core net/core/dev.c:5534 [inline]
+  __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648
+  process_backlog+0x480/0x8b0 net/core/dev.c:5976
+  __napi_poll+0xe3/0x980 net/core/dev.c:6576
+  napi_poll net/core/dev.c:6645 [inline]
+  net_rx_action+0x8b8/0x1870 net/core/dev.c:6778
+  __do_softirq+0x1b7/0x7c5 kernel/softirq.c:553
+  do_softirq+0x9a/0xf0 kernel/softirq.c:454
+  __local_bh_enable_ip+0x9b/0xa0 kernel/softirq.c:381
+  local_bh_enable include/linux/bottom_half.h:33 [inline]
+  rcu_read_unlock_bh include/linux/rcupdate.h:820 [inline]
+  __dev_queue_xmit+0x2768/0x51c0 net/core/dev.c:4378
+  dev_queue_xmit include/linux/netdevice.h:3171 [inline]
+  packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
+  packet_snd net/packet/af_packet.c:3081 [inline]
+  packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
+  sock_sendmsg_nosec net/socket.c:730 [inline]
+  __sock_sendmsg net/socket.c:745 [inline]
+  __sys_sendto+0x735/0xa10 net/socket.c:2191
+  __do_sys_sendto net/socket.c:2203 [inline]
+  __se_sys_sendto net/socket.c:2199 [inline]
+  __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
+  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+Uninit was created at:
+  slab_post_alloc_hook mm/slub.c:3819 [inline]
+  slab_alloc_node mm/slub.c:3860 [inline]
+  kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903
+  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
+  __alloc_skb+0x352/0x790 net/core/skbuff.c:651
+  alloc_skb include/linux/skbuff.h:1296 [inline]
+  alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394
+  sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783
+  packet_alloc_skb net/packet/af_packet.c:2930 [inline]
+  packet_snd net/packet/af_packet.c:3024 [inline]
+  packet_sendmsg+0x70c2/0x9f10 net/packet/af_packet.c:3113
+  sock_sendmsg_nosec net/socket.c:730 [inline]
+  __sock_sendmsg net/socket.c:745 [inline]
+  __sys_sendto+0x735/0xa10 net/socket.c:2191
+  __do_sys_sendto net/socket.c:2203 [inline]
+  __se_sys_sendto net/socket.c:2199 [inline]
+  __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
+  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels")
+Reported-and-tested-by: syzbot+6a1423ff3f97159aae64@syzkaller.appspotmail.com
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/geneve.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
+index acd9c615d1f4f..356da958ee81b 100644
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -221,7 +221,7 @@ static void geneve_rx(struct geneve_dev *geneve, struct geneve_sock *gs,
+       struct genevehdr *gnvh = geneve_hdr(skb);
+       struct metadata_dst *tun_dst = NULL;
+       unsigned int len;
+-      int err = 0;
++      int nh, err = 0;
+       void *oiph;
+       if (ip_tunnel_collect_metadata() || gs->collect_md) {
+@@ -272,9 +272,23 @@ static void geneve_rx(struct geneve_dev *geneve, struct geneve_sock *gs,
+               skb->pkt_type = PACKET_HOST;
+       }
+-      oiph = skb_network_header(skb);
++      /* Save offset of outer header relative to skb->head,
++       * because we are going to reset the network header to the inner header
++       * and might change skb->head.
++       */
++      nh = skb_network_header(skb) - skb->head;
++
+       skb_reset_network_header(skb);
++      if (!pskb_inet_may_pull(skb)) {
++              DEV_STATS_INC(geneve->dev, rx_length_errors);
++              DEV_STATS_INC(geneve->dev, rx_errors);
++              goto drop;
++      }
++
++      /* Get the outer header. */
++      oiph = skb->head + nh;
++
+       if (geneve_get_sk_family(gs) == AF_INET)
+               err = IP_ECN_decapsulate(oiph, skb);
+ #if IS_ENABLED(CONFIG_IPV6)
+-- 
+2.43.0
+
diff --git a/queue-6.7/i40e-disable-napi-right-after-disabling-irqs-when-ha.patch b/queue-6.7/i40e-disable-napi-right-after-disabling-irqs-when-ha.patch
new file mode 100644 (file)
index 0000000..5e5a8db
--- /dev/null
@@ -0,0 +1,41 @@
+From a712e06f8aa230de51b4dd38e48c55c0df1f1e30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Feb 2024 22:45:52 +0100
+Subject: i40e: disable NAPI right after disabling irqs when handling xsk_pool
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit d562b11c1eac7d73f4c778b4cbe5468f86b1f20d ]
+
+Disable NAPI before shutting down queues that this particular NAPI
+contains so that the order of actions in i40e_queue_pair_disable()
+mirrors what we do in i40e_queue_pair_enable().
+
+Fixes: 123cecd427b6 ("i40e: added queue pair disable/enable functions")
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Tested-by: Chandan Kumar Rout <chandanx.rout@intel.com> (A Contingent Worker at Intel)
+Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index d9716bcec81bb..b0dc0fc6b1359 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -13629,9 +13629,9 @@ int i40e_queue_pair_disable(struct i40e_vsi *vsi, int queue_pair)
+               return err;
+       i40e_queue_pair_disable_irq(vsi, queue_pair);
++      i40e_queue_pair_toggle_napi(vsi, queue_pair, false /* off */);
+       err = i40e_queue_pair_toggle_rings(vsi, queue_pair, false /* off */);
+       i40e_clean_rx_ring(vsi->rx_rings[queue_pair]);
+-      i40e_queue_pair_toggle_napi(vsi, queue_pair, false /* off */);
+       i40e_queue_pair_clean_rings(vsi, queue_pair);
+       i40e_queue_pair_reset_stats(vsi, queue_pair);
+-- 
+2.43.0
+
diff --git a/queue-6.7/ice-fix-uninitialized-dplls-mutex-usage.patch b/queue-6.7/ice-fix-uninitialized-dplls-mutex-usage.patch
new file mode 100644 (file)
index 0000000..1dd730d
--- /dev/null
@@ -0,0 +1,115 @@
+From 7d022f23402f63c9542f53ae2ee44ce6e17350a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Mar 2024 14:37:08 +0100
+Subject: ice: fix uninitialized dplls mutex usage
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+[ Upstream commit 9224fc86f1776193650a33a275cac628952f80a9 ]
+
+The pf->dplls.lock mutex is initialized too late, after its first use.
+Move it to the top of ice_dpll_init.
+Note that the "err_exit" error path destroys the mutex. And the mutex is
+the last thing destroyed in ice_dpll_deinit.
+This fixes the following warning with CONFIG_DEBUG_MUTEXES:
+
+ ice 0000:10:00.0: The DDP package was successfully loaded: ICE OS Default Package version 1.3.36.0
+ ice 0000:10:00.0: 252.048 Gb/s available PCIe bandwidth (16.0 GT/s PCIe x16 link)
+ ice 0000:10:00.0: PTP init successful
+ ------------[ cut here ]------------
+ DEBUG_LOCKS_WARN_ON(lock->magic != lock)
+ WARNING: CPU: 0 PID: 410 at kernel/locking/mutex.c:587 __mutex_lock+0x773/0xd40
+ Modules linked in: crct10dif_pclmul crc32_pclmul crc32c_intel polyval_clmulni polyval_generic ice(+) nvme nvme_c>
+ CPU: 0 PID: 410 Comm: kworker/0:4 Not tainted 6.8.0-rc5+ #3
+ Hardware name: HPE ProLiant DL110 Gen10 Plus/ProLiant DL110 Gen10 Plus, BIOS U56 10/19/2023
+ Workqueue: events work_for_cpu_fn
+ RIP: 0010:__mutex_lock+0x773/0xd40
+ Code: c0 0f 84 1d f9 ff ff 44 8b 35 0d 9c 69 01 45 85 f6 0f 85 0d f9 ff ff 48 c7 c6 12 a2 a9 85 48 c7 c7 12 f1 a>
+ RSP: 0018:ff7eb1a3417a7ae0 EFLAGS: 00010286
+ RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
+ RDX: 0000000000000002 RSI: ffffffff85ac2bff RDI: 00000000ffffffff
+ RBP: ff7eb1a3417a7b80 R08: 0000000000000000 R09: 00000000ffffbfff
+ R10: ff7eb1a3417a7978 R11: ff32b80f7fd2e568 R12: 0000000000000000
+ R13: 0000000000000000 R14: 0000000000000000 R15: ff32b7f02c50e0d8
+ FS:  0000000000000000(0000) GS:ff32b80efe800000(0000) knlGS:0000000000000000
+ CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 000055b5852cc000 CR3: 000000003c43a004 CR4: 0000000000771ef0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ PKRU: 55555554
+ Call Trace:
+  <TASK>
+  ? __warn+0x84/0x170
+  ? __mutex_lock+0x773/0xd40
+  ? report_bug+0x1c7/0x1d0
+  ? prb_read_valid+0x1b/0x30
+  ? handle_bug+0x42/0x70
+  ? exc_invalid_op+0x18/0x70
+  ? asm_exc_invalid_op+0x1a/0x20
+  ? __mutex_lock+0x773/0xd40
+  ? rcu_is_watching+0x11/0x50
+  ? __kmalloc_node_track_caller+0x346/0x490
+  ? ice_dpll_lock_status_get+0x28/0x50 [ice]
+  ? __pfx_ice_dpll_lock_status_get+0x10/0x10 [ice]
+  ? ice_dpll_lock_status_get+0x28/0x50 [ice]
+  ice_dpll_lock_status_get+0x28/0x50 [ice]
+  dpll_device_get_one+0x14f/0x2e0
+  dpll_device_event_send+0x7d/0x150
+  dpll_device_register+0x124/0x180
+  ice_dpll_init_dpll+0x7b/0xd0 [ice]
+  ice_dpll_init+0x224/0xa40 [ice]
+  ? _dev_info+0x70/0x90
+  ice_load+0x468/0x690 [ice]
+  ice_probe+0x75b/0xa10 [ice]
+  ? _raw_spin_unlock_irqrestore+0x4f/0x80
+  ? process_one_work+0x1a3/0x500
+  local_pci_probe+0x47/0xa0
+  work_for_cpu_fn+0x17/0x30
+  process_one_work+0x20d/0x500
+  worker_thread+0x1df/0x3e0
+  ? __pfx_worker_thread+0x10/0x10
+  kthread+0x103/0x140
+  ? __pfx_kthread+0x10/0x10
+  ret_from_fork+0x31/0x50
+  ? __pfx_kthread+0x10/0x10
+  ret_from_fork_asm+0x1b/0x30
+  </TASK>
+ irq event stamp: 125197
+ hardirqs last  enabled at (125197): [<ffffffff8416409d>] finish_task_switch.isra.0+0x12d/0x3d0
+ hardirqs last disabled at (125196): [<ffffffff85134044>] __schedule+0xea4/0x19f0
+ softirqs last  enabled at (105334): [<ffffffff84e1e65a>] napi_get_frags_check+0x1a/0x60
+ softirqs last disabled at (105332): [<ffffffff84e1e65a>] napi_get_frags_check+0x1a/0x60
+ ---[ end trace 0000000000000000 ]---
+
+Fixes: d7999f5ea64b ("ice: implement dpll interface to control cgu")
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_dpll.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_dpll.c b/drivers/net/ethernet/intel/ice/ice_dpll.c
+index 2b657d43c769d..68b894bb68fe7 100644
+--- a/drivers/net/ethernet/intel/ice/ice_dpll.c
++++ b/drivers/net/ethernet/intel/ice/ice_dpll.c
+@@ -2146,6 +2146,7 @@ void ice_dpll_init(struct ice_pf *pf)
+       struct ice_dplls *d = &pf->dplls;
+       int err = 0;
++      mutex_init(&d->lock);
+       err = ice_dpll_init_info(pf, cgu);
+       if (err)
+               goto err_exit;
+@@ -2158,7 +2159,6 @@ void ice_dpll_init(struct ice_pf *pf)
+       err = ice_dpll_init_pins(pf, cgu);
+       if (err)
+               goto deinit_pps;
+-      mutex_init(&d->lock);
+       if (cgu) {
+               err = ice_dpll_init_worker(pf);
+               if (err)
+-- 
+2.43.0
+
diff --git a/queue-6.7/ice-reconfig-host-after-changing-msi-x-on-vf.patch b/queue-6.7/ice-reconfig-host-after-changing-msi-x-on-vf.patch
new file mode 100644 (file)
index 0000000..ff7cb7d
--- /dev/null
@@ -0,0 +1,74 @@
+From e7ab55ab02ec6a922224370267537d40f10a81b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Feb 2024 07:40:24 +0100
+Subject: ice: reconfig host after changing MSI-X on VF
+
+From: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+
+[ Upstream commit 4035c72dc1ba81a96f94de84dfd5409056c1d9c9 ]
+
+During VSI reconfiguration filters and VSI config which is set in
+ice_vf_init_host_cfg() are lost. Recall the host configuration function
+to restore them.
+
+Without this config VF on which MSI-X amount was changed might had a
+connection problems.
+
+Fixes: 4d38cb44bd32 ("ice: manage VFs MSI-X using resource tracking")
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_sriov.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_sriov.c b/drivers/net/ethernet/intel/ice/ice_sriov.c
+index c4caa9df473b5..cd61928700211 100644
+--- a/drivers/net/ethernet/intel/ice/ice_sriov.c
++++ b/drivers/net/ethernet/intel/ice/ice_sriov.c
+@@ -1074,6 +1074,7 @@ int ice_sriov_set_msix_vec_count(struct pci_dev *vf_dev, int msix_vec_count)
+       struct ice_pf *pf = pci_get_drvdata(pdev);
+       u16 prev_msix, prev_queues, queues;
+       bool needs_rebuild = false;
++      struct ice_vsi *vsi;
+       struct ice_vf *vf;
+       int id;
+@@ -1108,6 +1109,10 @@ int ice_sriov_set_msix_vec_count(struct pci_dev *vf_dev, int msix_vec_count)
+       if (!vf)
+               return -ENOENT;
++      vsi = ice_get_vf_vsi(vf);
++      if (!vsi)
++              return -ENOENT;
++
+       prev_msix = vf->num_msix;
+       prev_queues = vf->num_vf_qs;
+@@ -1128,7 +1133,7 @@ int ice_sriov_set_msix_vec_count(struct pci_dev *vf_dev, int msix_vec_count)
+       if (vf->first_vector_idx < 0)
+               goto unroll;
+-      if (ice_vf_reconfig_vsi(vf)) {
++      if (ice_vf_reconfig_vsi(vf) || ice_vf_init_host_cfg(vf, vsi)) {
+               /* Try to rebuild with previous values */
+               needs_rebuild = true;
+               goto unroll;
+@@ -1154,8 +1159,10 @@ int ice_sriov_set_msix_vec_count(struct pci_dev *vf_dev, int msix_vec_count)
+       if (vf->first_vector_idx < 0)
+               return -EINVAL;
+-      if (needs_rebuild)
++      if (needs_rebuild) {
+               ice_vf_reconfig_vsi(vf);
++              ice_vf_init_host_cfg(vf, vsi);
++      }
+       ice_ena_vf_mappings(vf);
+       ice_put_vf(vf);
+-- 
+2.43.0
+
diff --git a/queue-6.7/ice-reorder-disabling-irq-and-napi-in-ice_qp_dis.patch b/queue-6.7/ice-reorder-disabling-irq-and-napi-in-ice_qp_dis.patch
new file mode 100644 (file)
index 0000000..e809a6b
--- /dev/null
@@ -0,0 +1,74 @@
+From c39a00d000fa65286f529d62e2a0b4e1bf50f68a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Feb 2024 22:45:53 +0100
+Subject: ice: reorder disabling IRQ and NAPI in ice_qp_dis
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit 99099c6bc75a30b76bb5d6774a0509ab6f06af05 ]
+
+ice_qp_dis() currently does things in very mixed way. Tx is stopped
+before disabling IRQ on related queue vector, then it takes care of
+disabling Rx and finally NAPI is disabled.
+
+Let us start with disabling IRQs in the first place followed by turning
+off NAPI. Then it is safe to handle queues.
+
+One subtle change on top of that is that even though ice_qp_ena() looks
+more sane, clear ICE_CFG_BUSY as the last thing there.
+
+Fixes: 2d4238f55697 ("ice: Add support for AF_XDP")
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Tested-by: Chandan Kumar Rout <chandanx.rout@intel.com> (A Contingent Worker at Intel)
+Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_xsk.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c
+index f3663b3f6390e..0fd5551b108ce 100644
+--- a/drivers/net/ethernet/intel/ice/ice_xsk.c
++++ b/drivers/net/ethernet/intel/ice/ice_xsk.c
+@@ -179,6 +179,10 @@ static int ice_qp_dis(struct ice_vsi *vsi, u16 q_idx)
+                       return -EBUSY;
+               usleep_range(1000, 2000);
+       }
++
++      ice_qvec_dis_irq(vsi, rx_ring, q_vector);
++      ice_qvec_toggle_napi(vsi, q_vector, false);
++
+       netif_tx_stop_queue(netdev_get_tx_queue(vsi->netdev, q_idx));
+       ice_fill_txq_meta(vsi, tx_ring, &txq_meta);
+@@ -195,13 +199,10 @@ static int ice_qp_dis(struct ice_vsi *vsi, u16 q_idx)
+               if (err)
+                       return err;
+       }
+-      ice_qvec_dis_irq(vsi, rx_ring, q_vector);
+-
+       err = ice_vsi_ctrl_one_rx_ring(vsi, false, q_idx, true);
+       if (err)
+               return err;
+-      ice_qvec_toggle_napi(vsi, q_vector, false);
+       ice_qp_clean_rings(vsi, q_idx);
+       ice_qp_reset_stats(vsi, q_idx);
+@@ -259,11 +260,11 @@ static int ice_qp_ena(struct ice_vsi *vsi, u16 q_idx)
+       if (err)
+               return err;
+-      clear_bit(ICE_CFG_BUSY, vsi->state);
+       ice_qvec_toggle_napi(vsi, q_vector, true);
+       ice_qvec_ena_irq(vsi, q_vector);
+       netif_tx_start_queue(netdev_get_tx_queue(vsi->netdev, q_idx));
++      clear_bit(ICE_CFG_BUSY, vsi->state);
+       return 0;
+ }
+-- 
+2.43.0
+
diff --git a/queue-6.7/ice-replace-ice_vf_recreate_vsi-with-ice_vf_reconfig.patch b/queue-6.7/ice-replace-ice_vf_recreate_vsi-with-ice_vf_reconfig.patch
new file mode 100644 (file)
index 0000000..5eee72f
--- /dev/null
@@ -0,0 +1,203 @@
+From 1b98f7361596b239329ae98943448c160645aae8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Nov 2023 11:42:15 -0800
+Subject: ice: replace ice_vf_recreate_vsi() with ice_vf_reconfig_vsi()
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit 2a2cb4c6c18130e9f14d2e39deb75590744d98ef ]
+
+The ice_vf_create_vsi() function and its VF ops helper introduced by commit
+a4c785e8162e ("ice: convert vf_ops .vsi_rebuild to .create_vsi") are used
+during an individual VF reset to re-create the VSI. This was done in order
+to ensure that the VSI gets properly reconfigured within the hardware.
+
+This is somewhat heavy handed as we completely release the VSI memory and
+structure, and then create a new VSI. This can also potentially force a
+change of the VSI index as we will re-use the first open slot in the VSI
+array which may not be the same.
+
+As part of implementing devlink reload, commit 6624e780a577 ("ice: split
+ice_vsi_setup into smaller functions") split VSI setup into smaller
+functions, introducing both ice_vsi_cfg() and ice_vsi_decfg() which can be
+used to configure or deconfigure an existing software VSI structure.
+
+Rather than completely removing the VSI and adding a new one using the
+.create_vsi() VF operation, simply use ice_vsi_decfg() to remove the
+current configuration. Save the VSI type and then call ice_vsi_cfg() to
+reconfigure the VSI as the same type that it was before.
+
+The existing reset logic assumes that all hardware filters will be removed,
+so also call ice_fltr_remove_all() before re-configuring the VSI.
+
+This new operation does not re-create the VSI, so rename it to
+ice_vf_reconfig_vsi().
+
+The new approach can safely share the exact same flow for both SR-IOV VFs
+as well as the Scalable IOV VFs being worked on. This uses less code and is
+a better abstraction over fully deleting the VSI and adding a new one.
+
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Petr Oros <poros@redhat.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Stable-dep-of: 4035c72dc1ba ("ice: reconfig host after changing MSI-X on VF")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_sriov.c    | 24 ++-----------
+ drivers/net/ethernet/intel/ice/ice_vf_lib.c   | 35 +++++++++++++------
+ drivers/net/ethernet/intel/ice/ice_vf_lib.h   |  1 -
+ .../ethernet/intel/ice/ice_vf_lib_private.h   |  1 +
+ 4 files changed, 28 insertions(+), 33 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_sriov.c b/drivers/net/ethernet/intel/ice/ice_sriov.c
+index e1494f24f661d..c4caa9df473b5 100644
+--- a/drivers/net/ethernet/intel/ice/ice_sriov.c
++++ b/drivers/net/ethernet/intel/ice/ice_sriov.c
+@@ -762,24 +762,6 @@ static void ice_sriov_clear_reset_trigger(struct ice_vf *vf)
+       ice_flush(hw);
+ }
+-/**
+- * ice_sriov_create_vsi - Create a new VSI for a VF
+- * @vf: VF to create the VSI for
+- *
+- * This is called by ice_vf_recreate_vsi to create the new VSI after the old
+- * VSI has been released.
+- */
+-static int ice_sriov_create_vsi(struct ice_vf *vf)
+-{
+-      struct ice_vsi *vsi;
+-
+-      vsi = ice_vf_vsi_setup(vf);
+-      if (!vsi)
+-              return -ENOMEM;
+-
+-      return 0;
+-}
+-
+ /**
+  * ice_sriov_post_vsi_rebuild - tasks to do after the VF's VSI have been rebuilt
+  * @vf: VF to perform tasks on
+@@ -799,7 +781,6 @@ static const struct ice_vf_ops ice_sriov_vf_ops = {
+       .poll_reset_status = ice_sriov_poll_reset_status,
+       .clear_reset_trigger = ice_sriov_clear_reset_trigger,
+       .irq_close = NULL,
+-      .create_vsi = ice_sriov_create_vsi,
+       .post_vsi_rebuild = ice_sriov_post_vsi_rebuild,
+ };
+@@ -1147,8 +1128,7 @@ int ice_sriov_set_msix_vec_count(struct pci_dev *vf_dev, int msix_vec_count)
+       if (vf->first_vector_idx < 0)
+               goto unroll;
+-      ice_vf_vsi_release(vf);
+-      if (vf->vf_ops->create_vsi(vf)) {
++      if (ice_vf_reconfig_vsi(vf)) {
+               /* Try to rebuild with previous values */
+               needs_rebuild = true;
+               goto unroll;
+@@ -1175,7 +1155,7 @@ int ice_sriov_set_msix_vec_count(struct pci_dev *vf_dev, int msix_vec_count)
+               return -EINVAL;
+       if (needs_rebuild)
+-              vf->vf_ops->create_vsi(vf);
++              ice_vf_reconfig_vsi(vf);
+       ice_ena_vf_mappings(vf);
+       ice_put_vf(vf);
+diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib.c b/drivers/net/ethernet/intel/ice/ice_vf_lib.c
+index b7ae099521566..88e3cd09f8d0c 100644
+--- a/drivers/net/ethernet/intel/ice/ice_vf_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_vf_lib.c
+@@ -248,29 +248,44 @@ static void ice_vf_pre_vsi_rebuild(struct ice_vf *vf)
+ }
+ /**
+- * ice_vf_recreate_vsi - Release and re-create the VF's VSI
+- * @vf: VF to recreate the VSI for
++ * ice_vf_reconfig_vsi - Reconfigure a VF VSI with the device
++ * @vf: VF to reconfigure the VSI for
+  *
+- * This is only called when a single VF is being reset (i.e. VVF, VFLR, host
+- * VF configuration change, etc)
++ * This is called when a single VF is being reset (i.e. VVF, VFLR, host VF
++ * configuration change, etc).
+  *
+- * It releases and then re-creates a new VSI.
++ * It brings the VSI down and then reconfigures it with the hardware.
+  */
+-static int ice_vf_recreate_vsi(struct ice_vf *vf)
++int ice_vf_reconfig_vsi(struct ice_vf *vf)
+ {
++      struct ice_vsi *vsi = ice_get_vf_vsi(vf);
++      struct ice_vsi_cfg_params params = {};
+       struct ice_pf *pf = vf->pf;
+       int err;
+-      ice_vf_vsi_release(vf);
++      if (WARN_ON(!vsi))
++              return -EINVAL;
++
++      params = ice_vsi_to_params(vsi);
++      params.flags = ICE_VSI_FLAG_NO_INIT;
+-      err = vf->vf_ops->create_vsi(vf);
++      ice_vsi_decfg(vsi);
++      ice_fltr_remove_all(vsi);
++
++      err = ice_vsi_cfg(vsi, &params);
+       if (err) {
+               dev_err(ice_pf_to_dev(pf),
+-                      "Failed to recreate the VF%u's VSI, error %d\n",
++                      "Failed to reconfigure the VF%u's VSI, error %d\n",
+                       vf->vf_id, err);
+               return err;
+       }
++      /* Update the lan_vsi_num field since it might have been changed. The
++       * PF lan_vsi_idx number remains the same so we don't need to change
++       * that.
++       */
++      vf->lan_vsi_num = vsi->vsi_num;
++
+       return 0;
+ }
+@@ -929,7 +944,7 @@ int ice_reset_vf(struct ice_vf *vf, u32 flags)
+       ice_vf_pre_vsi_rebuild(vf);
+-      if (ice_vf_recreate_vsi(vf)) {
++      if (ice_vf_reconfig_vsi(vf)) {
+               dev_err(dev, "Failed to release and setup the VF%u's VSI\n",
+                       vf->vf_id);
+               err = -EFAULT;
+diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib.h b/drivers/net/ethernet/intel/ice/ice_vf_lib.h
+index 93c774f2f4376..6b41e0f3d37ed 100644
+--- a/drivers/net/ethernet/intel/ice/ice_vf_lib.h
++++ b/drivers/net/ethernet/intel/ice/ice_vf_lib.h
+@@ -62,7 +62,6 @@ struct ice_vf_ops {
+       bool (*poll_reset_status)(struct ice_vf *vf);
+       void (*clear_reset_trigger)(struct ice_vf *vf);
+       void (*irq_close)(struct ice_vf *vf);
+-      int (*create_vsi)(struct ice_vf *vf);
+       void (*post_vsi_rebuild)(struct ice_vf *vf);
+ };
+diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib_private.h b/drivers/net/ethernet/intel/ice/ice_vf_lib_private.h
+index 0c7e77c0a09fa..91ba7fe0eaee1 100644
+--- a/drivers/net/ethernet/intel/ice/ice_vf_lib_private.h
++++ b/drivers/net/ethernet/intel/ice/ice_vf_lib_private.h
+@@ -23,6 +23,7 @@
+ #warning "Only include ice_vf_lib_private.h in CONFIG_PCI_IOV virtualization files"
+ #endif
++int ice_vf_reconfig_vsi(struct ice_vf *vf);
+ void ice_initialize_vf_entry(struct ice_vf *vf);
+ void ice_dis_vf_qs(struct ice_vf *vf);
+ int ice_check_vf_init(struct ice_vf *vf);
+-- 
+2.43.0
+
diff --git a/queue-6.7/ice-virtchnl-stop-pretending-to-support-rss-over-aq-.patch b/queue-6.7/ice-virtchnl-stop-pretending-to-support-rss-over-aq-.patch
new file mode 100644 (file)
index 0000000..bbb16ff
--- /dev/null
@@ -0,0 +1,95 @@
+From 2958563b0ea05bdf0c107c3e6da92f87792ee7e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jan 2024 13:51:58 -0800
+Subject: ice: virtchnl: stop pretending to support RSS over AQ or registers
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit 2652b99e43403dc464f3648483ffb38e48872fe4 ]
+
+The E800 series hardware uses the same iAVF driver as older devices,
+including the virtchnl negotiation scheme.
+
+This negotiation scheme includes a mechanism to determine what type of RSS
+should be supported, including RSS over PF virtchnl messages, RSS over
+firmware AdminQ messages, and RSS via direct register access.
+
+The PF driver will always prefer VIRTCHNL_VF_OFFLOAD_RSS_PF if its
+supported by the VF driver. However, if an older VF driver is loaded, it
+may request only VIRTCHNL_VF_OFFLOAD_RSS_REG or VIRTCHNL_VF_OFFLOAD_RSS_AQ.
+
+The ice driver happily agrees to support these methods. Unfortunately, the
+underlying hardware does not support these mechanisms. The E800 series VFs
+don't have the appropriate registers for RSS_REG. The mailbox queue used by
+VFs for VF to PF communication blocks messages which do not have the
+VF-to-PF opcode.
+
+Stop lying to the VF that it could support RSS over AdminQ or registers, as
+these interfaces do not work when the hardware is operating on an E800
+series device.
+
+In practice this is unlikely to be hit by any normal user. The iAVF driver
+has supported RSS over PF virtchnl commands since 2016, and always defaults
+to using RSS_PF if possible.
+
+In principle, nothing actually stops the existing VF from attempting to
+access the registers or send an AQ command. However a properly coded VF
+will check the capability flags and will report a more useful error if it
+detects a case where the driver does not support the RSS offloads that it
+does.
+
+Fixes: 1071a8358a28 ("ice: Implement virtchnl commands for AVF support")
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Alan Brady <alan.brady@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_virtchnl.c           | 9 +--------
+ drivers/net/ethernet/intel/ice/ice_virtchnl_allowlist.c | 2 --
+ 2 files changed, 1 insertion(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl.c b/drivers/net/ethernet/intel/ice/ice_virtchnl.c
+index 8872f7a4f4320..d6348f20822e8 100644
+--- a/drivers/net/ethernet/intel/ice/ice_virtchnl.c
++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl.c
+@@ -440,7 +440,6 @@ static int ice_vc_get_vf_res_msg(struct ice_vf *vf, u8 *msg)
+               vf->driver_caps = *(u32 *)msg;
+       else
+               vf->driver_caps = VIRTCHNL_VF_OFFLOAD_L2 |
+-                                VIRTCHNL_VF_OFFLOAD_RSS_REG |
+                                 VIRTCHNL_VF_OFFLOAD_VLAN;
+       vfres->vf_cap_flags = VIRTCHNL_VF_OFFLOAD_L2;
+@@ -453,14 +452,8 @@ static int ice_vc_get_vf_res_msg(struct ice_vf *vf, u8 *msg)
+       vfres->vf_cap_flags |= ice_vc_get_vlan_caps(hw, vf, vsi,
+                                                   vf->driver_caps);
+-      if (vf->driver_caps & VIRTCHNL_VF_OFFLOAD_RSS_PF) {
++      if (vf->driver_caps & VIRTCHNL_VF_OFFLOAD_RSS_PF)
+               vfres->vf_cap_flags |= VIRTCHNL_VF_OFFLOAD_RSS_PF;
+-      } else {
+-              if (vf->driver_caps & VIRTCHNL_VF_OFFLOAD_RSS_AQ)
+-                      vfres->vf_cap_flags |= VIRTCHNL_VF_OFFLOAD_RSS_AQ;
+-              else
+-                      vfres->vf_cap_flags |= VIRTCHNL_VF_OFFLOAD_RSS_REG;
+-      }
+       if (vf->driver_caps & VIRTCHNL_VF_OFFLOAD_RX_FLEX_DESC)
+               vfres->vf_cap_flags |= VIRTCHNL_VF_OFFLOAD_RX_FLEX_DESC;
+diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_allowlist.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_allowlist.c
+index 7d547fa616fa6..588b77f1a4bf6 100644
+--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_allowlist.c
++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_allowlist.c
+@@ -13,8 +13,6 @@
+  * - opcodes needed by VF when caps are activated
+  *
+  * Caps that don't use new opcodes (no opcodes should be allowed):
+- * - VIRTCHNL_VF_OFFLOAD_RSS_AQ
+- * - VIRTCHNL_VF_OFFLOAD_RSS_REG
+  * - VIRTCHNL_VF_OFFLOAD_WB_ON_ITR
+  * - VIRTCHNL_VF_OFFLOAD_CRC
+  * - VIRTCHNL_VF_OFFLOAD_RX_POLLING
+-- 
+2.43.0
+
diff --git a/queue-6.7/idpf-disable-local-bh-when-scheduling-napi-for-marke.patch b/queue-6.7/idpf-disable-local-bh-when-scheduling-napi-for-marke.patch
new file mode 100644 (file)
index 0000000..8167fa3
--- /dev/null
@@ -0,0 +1,57 @@
+From 9f585b98c5fb027c982c9e5b9c67aa5b0288446f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Feb 2024 16:42:43 -0800
+Subject: idpf: disable local BH when scheduling napi for marker packets
+
+From: Emil Tantilov <emil.s.tantilov@intel.com>
+
+[ Upstream commit 330068589389ccae3452db15ecacc3e147ac9c1c ]
+
+Fix softirq's not being handled during napi_schedule() call when
+receiving marker packets for queue disable by disabling local bottom
+half.
+
+The issue can be seen on ifdown:
+NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #08!!!
+
+Using ftrace to catch the failing scenario:
+ifconfig   [003] d.... 22739.830624: softirq_raise: vec=3 [action=NET_RX]
+<idle>-0   [003] ..s.. 22739.831357: softirq_entry: vec=3 [action=NET_RX]
+
+No interrupt and CPU is idle.
+
+After the patch when disabling local BH before calling napi_schedule:
+ifconfig   [003] d.... 22993.928336: softirq_raise: vec=3 [action=NET_RX]
+ifconfig   [003] ..s1. 22993.928337: softirq_entry: vec=3 [action=NET_RX]
+
+Fixes: c2d548cad150 ("idpf: add TX splitq napi poll support")
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
+Signed-off-by: Alan Brady <alan.brady@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Krishneil Singh <krishneil.k.singh@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/idpf/idpf_virtchnl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
+index 2c1b051fdc0d4..b0c52f17848f6 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
+@@ -2087,8 +2087,10 @@ int idpf_send_disable_queues_msg(struct idpf_vport *vport)
+               set_bit(__IDPF_Q_POLL_MODE, vport->txqs[i]->flags);
+       /* schedule the napi to receive all the marker packets */
++      local_bh_disable();
+       for (i = 0; i < vport->num_q_vectors; i++)
+               napi_schedule(&vport->q_vectors[i].napi);
++      local_bh_enable();
+       return idpf_wait_for_marker_event(vport);
+ }
+-- 
+2.43.0
+
diff --git a/queue-6.7/igc-avoid-returning-frame-twice-in-xdp_redirect.patch b/queue-6.7/igc-avoid-returning-frame-twice-in-xdp_redirect.patch
new file mode 100644 (file)
index 0000000..0f75cc9
--- /dev/null
@@ -0,0 +1,169 @@
+From 58d473bcfce4561f5e851db64c272e21ab0d38e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Feb 2024 10:08:43 +0100
+Subject: igc: avoid returning frame twice in XDP_REDIRECT
+
+From: Florian Kauer <florian.kauer@linutronix.de>
+
+[ Upstream commit ef27f655b438bed4c83680e4f01e1cde2739854b ]
+
+When a frame can not be transmitted in XDP_REDIRECT
+(e.g. due to a full queue), it is necessary to free
+it by calling xdp_return_frame_rx_napi.
+
+However, this is the responsibility of the caller of
+the ndo_xdp_xmit (see for example bq_xmit_all in
+kernel/bpf/devmap.c) and thus calling it inside
+igc_xdp_xmit (which is the ndo_xdp_xmit of the igc
+driver) as well will lead to memory corruption.
+
+In fact, bq_xmit_all expects that it can return all
+frames after the last successfully transmitted one.
+Therefore, break for the first not transmitted frame,
+but do not call xdp_return_frame_rx_napi in igc_xdp_xmit.
+This is equally implemented in other Intel drivers
+such as the igb.
+
+There are two alternatives to this that were rejected:
+1. Return num_frames as all the frames would have been
+   transmitted and release them inside igc_xdp_xmit.
+   While it might work technically, it is not what
+   the return value is meant to represent (i.e. the
+   number of SUCCESSFULLY transmitted packets).
+2. Rework kernel/bpf/devmap.c and all drivers to
+   support non-consecutively dropped packets.
+   Besides being complex, it likely has a negative
+   performance impact without a significant gain
+   since it is anyway unlikely that the next frame
+   can be transmitted if the previous one was dropped.
+
+The memory corruption can be reproduced with
+the following script which leads to a kernel panic
+after a few seconds.  It basically generates more
+traffic than a i225 NIC can transmit and pushes it
+via XDP_REDIRECT from a virtual interface to the
+physical interface where frames get dropped.
+
+   #!/bin/bash
+   INTERFACE=enp4s0
+   INTERFACE_IDX=`cat /sys/class/net/$INTERFACE/ifindex`
+
+   sudo ip link add dev veth1 type veth peer name veth2
+   sudo ip link set up $INTERFACE
+   sudo ip link set up veth1
+   sudo ip link set up veth2
+
+   cat << EOF > redirect.bpf.c
+
+   SEC("prog")
+   int redirect(struct xdp_md *ctx)
+   {
+       return bpf_redirect($INTERFACE_IDX, 0);
+   }
+
+   char _license[] SEC("license") = "GPL";
+   EOF
+   clang -O2 -g -Wall -target bpf -c redirect.bpf.c -o redirect.bpf.o
+   sudo ip link set veth2 xdp obj redirect.bpf.o
+
+   cat << EOF > pass.bpf.c
+
+   SEC("prog")
+   int pass(struct xdp_md *ctx)
+   {
+       return XDP_PASS;
+   }
+
+   char _license[] SEC("license") = "GPL";
+   EOF
+   clang -O2 -g -Wall -target bpf -c pass.bpf.c -o pass.bpf.o
+   sudo ip link set $INTERFACE xdp obj pass.bpf.o
+
+   cat << EOF > trafgen.cfg
+
+   {
+     /* Ethernet Header */
+     0xe8, 0x6a, 0x64, 0x41, 0xbf, 0x46,
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+     const16(ETH_P_IP),
+
+     /* IPv4 Header */
+     0b01000101, 0,   # IPv4 version, IHL, TOS
+     const16(1028),   # IPv4 total length (UDP length + 20 bytes (IP header))
+     const16(2),      # IPv4 ident
+     0b01000000, 0,   # IPv4 flags, fragmentation off
+     64,              # IPv4 TTL
+     17,              # Protocol UDP
+     csumip(14, 33),  # IPv4 checksum
+
+     /* UDP Header */
+     10,  0, 1, 1,    # IP Src - adapt as needed
+     10,  0, 1, 2,    # IP Dest - adapt as needed
+     const16(6666),   # UDP Src Port
+     const16(6666),   # UDP Dest Port
+     const16(1008),   # UDP length (UDP header 8 bytes + payload length)
+     csumudp(14, 34), # UDP checksum
+
+     /* Payload */
+     fill('W', 1000),
+   }
+   EOF
+
+   sudo trafgen -i trafgen.cfg -b3000MB -o veth1 --cpp
+
+Fixes: 4ff320361092 ("igc: Add support for XDP_REDIRECT action")
+Signed-off-by: Florian Kauer <florian.kauer@linutronix.de>
+Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index e9bb403bbacf9..58ffddc6419ad 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -6489,7 +6489,7 @@ static int igc_xdp_xmit(struct net_device *dev, int num_frames,
+       int cpu = smp_processor_id();
+       struct netdev_queue *nq;
+       struct igc_ring *ring;
+-      int i, drops;
++      int i, nxmit;
+       if (unlikely(!netif_carrier_ok(dev)))
+               return -ENETDOWN;
+@@ -6505,16 +6505,15 @@ static int igc_xdp_xmit(struct net_device *dev, int num_frames,
+       /* Avoid transmit queue timeout since we share it with the slow path */
+       txq_trans_cond_update(nq);
+-      drops = 0;
++      nxmit = 0;
+       for (i = 0; i < num_frames; i++) {
+               int err;
+               struct xdp_frame *xdpf = frames[i];
+               err = igc_xdp_init_tx_descriptor(ring, xdpf);
+-              if (err) {
+-                      xdp_return_frame_rx_napi(xdpf);
+-                      drops++;
+-              }
++              if (err)
++                      break;
++              nxmit++;
+       }
+       if (flags & XDP_XMIT_FLUSH)
+@@ -6522,7 +6521,7 @@ static int igc_xdp_xmit(struct net_device *dev, int num_frames,
+       __netif_tx_unlock(nq);
+-      return num_frames - drops;
++      return nxmit;
+ }
+ static void igc_trigger_rxtxq_interrupt(struct igc_adapter *adapter,
+-- 
+2.43.0
+
diff --git a/queue-6.7/ixgbe-dis-en-able-irqs-in-ixgbe_txrx_ring_-dis-en-ab.patch b/queue-6.7/ixgbe-dis-en-able-irqs-in-ixgbe_txrx_ring_-dis-en-ab.patch
new file mode 100644 (file)
index 0000000..74772f3
--- /dev/null
@@ -0,0 +1,138 @@
+From 84548024e72a6db64634577aee5ae88553586524 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Feb 2024 22:45:51 +0100
+Subject: ixgbe: {dis, en}able irqs in ixgbe_txrx_ring_{dis, en}able
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit cbf996f52c4e658b3fb4349a869a62fd2d4c3c1c ]
+
+Currently routines that are supposed to toggle state of ring pair do not
+take care of associated interrupt with queue vector that these rings
+belong to. This causes funky issues such as dead interface due to irq
+misconfiguration, as per Pavel's report from Closes: tag.
+
+Add a function responsible for disabling single IRQ in EIMC register and
+call this as a very first thing when disabling ring pair during xsk_pool
+setup. For enable let's reuse ixgbe_irq_enable_queues(). Besides this,
+disable/enable NAPI as first/last thing when dealing with closing or
+opening ring pair that xsk_pool is being configured on.
+
+Reported-by: Pavel Vazharov <pavel@x3me.net>
+Closes: https://lore.kernel.org/netdev/CAJEV1ijxNyPTwASJER1bcZzS9nMoZJqfR86nu_3jFFVXzZQ4NA@mail.gmail.com/
+Fixes: 024aa5800f32 ("ixgbe: added Rx/Tx ring disable/enable functions")
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Tested-by: Chandan Kumar Rout <chandanx.rout@intel.com> (A Contingent Worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 56 ++++++++++++++++---
+ 1 file changed, 49 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index 6a3f633406c4b..ce234e76ea236 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -2939,8 +2939,8 @@ static void ixgbe_check_lsc(struct ixgbe_adapter *adapter)
+ static inline void ixgbe_irq_enable_queues(struct ixgbe_adapter *adapter,
+                                          u64 qmask)
+ {
+-      u32 mask;
+       struct ixgbe_hw *hw = &adapter->hw;
++      u32 mask;
+       switch (hw->mac.type) {
+       case ixgbe_mac_82598EB:
+@@ -10524,6 +10524,44 @@ static void ixgbe_reset_rxr_stats(struct ixgbe_ring *rx_ring)
+       memset(&rx_ring->rx_stats, 0, sizeof(rx_ring->rx_stats));
+ }
++/**
++ * ixgbe_irq_disable_single - Disable single IRQ vector
++ * @adapter: adapter structure
++ * @ring: ring index
++ **/
++static void ixgbe_irq_disable_single(struct ixgbe_adapter *adapter, u32 ring)
++{
++      struct ixgbe_hw *hw = &adapter->hw;
++      u64 qmask = BIT_ULL(ring);
++      u32 mask;
++
++      switch (adapter->hw.mac.type) {
++      case ixgbe_mac_82598EB:
++              mask = qmask & IXGBE_EIMC_RTX_QUEUE;
++              IXGBE_WRITE_REG(&adapter->hw, IXGBE_EIMC, mask);
++              break;
++      case ixgbe_mac_82599EB:
++      case ixgbe_mac_X540:
++      case ixgbe_mac_X550:
++      case ixgbe_mac_X550EM_x:
++      case ixgbe_mac_x550em_a:
++              mask = (qmask & 0xFFFFFFFF);
++              if (mask)
++                      IXGBE_WRITE_REG(hw, IXGBE_EIMS_EX(0), mask);
++              mask = (qmask >> 32);
++              if (mask)
++                      IXGBE_WRITE_REG(hw, IXGBE_EIMS_EX(1), mask);
++              break;
++      default:
++              break;
++      }
++      IXGBE_WRITE_FLUSH(&adapter->hw);
++      if (adapter->flags & IXGBE_FLAG_MSIX_ENABLED)
++              synchronize_irq(adapter->msix_entries[ring].vector);
++      else
++              synchronize_irq(adapter->pdev->irq);
++}
++
+ /**
+  * ixgbe_txrx_ring_disable - Disable Rx/Tx/XDP Tx rings
+  * @adapter: adapter structure
+@@ -10540,6 +10578,11 @@ void ixgbe_txrx_ring_disable(struct ixgbe_adapter *adapter, int ring)
+       tx_ring = adapter->tx_ring[ring];
+       xdp_ring = adapter->xdp_ring[ring];
++      ixgbe_irq_disable_single(adapter, ring);
++
++      /* Rx/Tx/XDP Tx share the same napi context. */
++      napi_disable(&rx_ring->q_vector->napi);
++
+       ixgbe_disable_txr(adapter, tx_ring);
+       if (xdp_ring)
+               ixgbe_disable_txr(adapter, xdp_ring);
+@@ -10548,9 +10591,6 @@ void ixgbe_txrx_ring_disable(struct ixgbe_adapter *adapter, int ring)
+       if (xdp_ring)
+               synchronize_rcu();
+-      /* Rx/Tx/XDP Tx share the same napi context. */
+-      napi_disable(&rx_ring->q_vector->napi);
+-
+       ixgbe_clean_tx_ring(tx_ring);
+       if (xdp_ring)
+               ixgbe_clean_tx_ring(xdp_ring);
+@@ -10578,9 +10618,6 @@ void ixgbe_txrx_ring_enable(struct ixgbe_adapter *adapter, int ring)
+       tx_ring = adapter->tx_ring[ring];
+       xdp_ring = adapter->xdp_ring[ring];
+-      /* Rx/Tx/XDP Tx share the same napi context. */
+-      napi_enable(&rx_ring->q_vector->napi);
+-
+       ixgbe_configure_tx_ring(adapter, tx_ring);
+       if (xdp_ring)
+               ixgbe_configure_tx_ring(adapter, xdp_ring);
+@@ -10589,6 +10626,11 @@ void ixgbe_txrx_ring_enable(struct ixgbe_adapter *adapter, int ring)
+       clear_bit(__IXGBE_TX_DISABLED, &tx_ring->state);
+       if (xdp_ring)
+               clear_bit(__IXGBE_TX_DISABLED, &xdp_ring->state);
++
++      /* Rx/Tx/XDP Tx share the same napi context. */
++      napi_enable(&rx_ring->q_vector->napi);
++      ixgbe_irq_enable_queues(adapter, BIT_ULL(ring));
++      IXGBE_WRITE_FLUSH(&adapter->hw);
+ }
+ /**
+-- 
+2.43.0
+
diff --git a/queue-6.7/net-dsa-microchip-fix-register-write-order-in-ksz8_i.patch b/queue-6.7/net-dsa-microchip-fix-register-write-order-in-ksz8_i.patch
new file mode 100644 (file)
index 0000000..b90c0c8
--- /dev/null
@@ -0,0 +1,61 @@
+From b3b8141c29989b67d3f87263614c32f40e0cbc5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:41:35 +0100
+Subject: net: dsa: microchip: fix register write order in ksz8_ind_write8()
+
+From: Tobias Jakobi (Compleo) <tobias.jakobi.compleo@gmail.com>
+
+[ Upstream commit b7fb7729c94fb2d23c79ff44f7a2da089c92d81c ]
+
+This bug was noticed while re-implementing parts of the kernel
+driver in userspace using spidev. The goal was to enable some
+of the errata workarounds that Microchip describes in their
+errata sheet [1].
+
+Both the errata sheet and the regular datasheet of e.g. the KSZ8795
+imply that you need to do this for indirect register accesses:
+- write a 16-bit value to a control register pair (this value
+  consists of the indirect register table, and the offset inside
+  the table)
+- either read or write an 8-bit value from the data storage
+  register (indicated by REG_IND_BYTE in the kernel)
+
+The current implementation has the order swapped. It can be
+proven, by reading back some indirect register with known content
+(the EEE register modified in ksz8_handle_global_errata() is one of
+these), that this implementation does not work.
+
+Private discussion with Oleksij Rempel of Pengutronix has revealed
+that the workaround was apparantly never tested on actual hardware.
+
+[1] https://ww1.microchip.com/downloads/aemDocuments/documents/OTH/ProductDocuments/Errata/KSZ87xx-Errata-DS80000687C.pdf
+
+Signed-off-by: Tobias Jakobi (Compleo) <tobias.jakobi.compleo@gmail.com>
+Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Fixes: 7b6e6235b664 ("net: dsa: microchip: ksz8795: handle eee specif erratum")
+Link: https://lore.kernel.org/r/20240304154135.161332-1-tobias.jakobi.compleo@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/microchip/ksz8795.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c
+index 4bf4d67557dcf..9048d1f196110 100644
+--- a/drivers/net/dsa/microchip/ksz8795.c
++++ b/drivers/net/dsa/microchip/ksz8795.c
+@@ -49,9 +49,9 @@ static int ksz8_ind_write8(struct ksz_device *dev, u8 table, u16 addr, u8 data)
+       mutex_lock(&dev->alu_mutex);
+       ctrl_addr = IND_ACC_TABLE(table) | addr;
+-      ret = ksz_write8(dev, regs[REG_IND_BYTE], data);
++      ret = ksz_write16(dev, regs[REG_IND_CTRL_0], ctrl_addr);
+       if (!ret)
+-              ret = ksz_write16(dev, regs[REG_IND_CTRL_0], ctrl_addr);
++              ret = ksz_write8(dev, regs[REG_IND_BYTE], data);
+       mutex_unlock(&dev->alu_mutex);
+-- 
+2.43.0
+
diff --git a/queue-6.7/net-ice-fix-potential-null-pointer-dereference-in-ic.patch b/queue-6.7/net-ice-fix-potential-null-pointer-dereference-in-ic.patch
new file mode 100644 (file)
index 0000000..b912477
--- /dev/null
@@ -0,0 +1,40 @@
+From c228972863e13249563296356366df5e99d30f36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Feb 2024 18:54:48 +0300
+Subject: net: ice: Fix potential NULL pointer dereference in
+ ice_bridge_setlink()
+
+From: Rand Deeb <rand.sec96@gmail.com>
+
+[ Upstream commit 06e456a05d669ca30b224b8ed962421770c1496c ]
+
+The function ice_bridge_setlink() may encounter a NULL pointer dereference
+if nlmsg_find_attr() returns NULL and br_spec is dereferenced subsequently
+in nla_for_each_nested(). To address this issue, add a check to ensure that
+br_spec is not NULL before proceeding with the nested attribute iteration.
+
+Fixes: b1edc14a3fbf ("ice: Implement ice_bridge_getlink and ice_bridge_setlink")
+Signed-off-by: Rand Deeb <rand.sec96@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index adfdea1e2805a..a9cca2d24120a 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -7800,6 +7800,8 @@ ice_bridge_setlink(struct net_device *dev, struct nlmsghdr *nlh,
+       pf_sw = pf->first_sw;
+       /* find the attribute in the netlink message */
+       br_spec = nlmsg_find_attr(nlh, sizeof(struct ifinfomsg), IFLA_AF_SPEC);
++      if (!br_spec)
++              return -EINVAL;
+       nla_for_each_nested(attr, br_spec, rem) {
+               __u16 mode;
+-- 
+2.43.0
+
diff --git a/queue-6.7/net-ipv6-avoid-possible-uaf-in-ip6_route_mpath_notif.patch b/queue-6.7/net-ipv6-avoid-possible-uaf-in-ip6_route_mpath_notif.patch
new file mode 100644 (file)
index 0000000..758022f
--- /dev/null
@@ -0,0 +1,258 @@
+From d16e225e08f3e0e9ada6c673bc9ec21db18e309e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Mar 2024 14:48:00 +0000
+Subject: net/ipv6: avoid possible UAF in ip6_route_mpath_notify()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 685f7d531264599b3f167f1e94bbd22f120e5fab ]
+
+syzbot found another use-after-free in ip6_route_mpath_notify() [1]
+
+Commit f7225172f25a ("net/ipv6: prevent use after free in
+ip6_route_mpath_notify") was not able to fix the root cause.
+
+We need to defer the fib6_info_release() calls after
+ip6_route_mpath_notify(), in the cleanup phase.
+
+[1]
+BUG: KASAN: slab-use-after-free in rt6_fill_node+0x1460/0x1ac0
+Read of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037
+
+CPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
+Call Trace:
+ <TASK>
+  __dump_stack lib/dump_stack.c:88 [inline]
+  dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
+  print_address_description mm/kasan/report.c:377 [inline]
+  print_report+0x167/0x540 mm/kasan/report.c:488
+  kasan_report+0x142/0x180 mm/kasan/report.c:601
+ rt6_fill_node+0x1460/0x1ac0
+  inet6_rt_notify+0x13b/0x290 net/ipv6/route.c:6184
+  ip6_route_mpath_notify net/ipv6/route.c:5198 [inline]
+  ip6_route_multipath_add net/ipv6/route.c:5404 [inline]
+  inet6_rtm_newroute+0x1d0f/0x2300 net/ipv6/route.c:5517
+  rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597
+  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
+  netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
+  netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
+  netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
+  sock_sendmsg_nosec net/socket.c:730 [inline]
+  __sock_sendmsg+0x221/0x270 net/socket.c:745
+  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
+  ___sys_sendmsg net/socket.c:2638 [inline]
+  __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
+ do_syscall_64+0xf9/0x240
+ entry_SYSCALL_64_after_hwframe+0x6f/0x77
+RIP: 0033:0x7f73dd87dda9
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f73de6550c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007f73dd9ac050 RCX: 00007f73dd87dda9
+RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
+RBP: 00007f73dd8ca47a R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 000000000000006e R14: 00007f73dd9ac050 R15: 00007ffdbdeb7858
+ </TASK>
+
+Allocated by task 23037:
+  kasan_save_stack mm/kasan/common.c:47 [inline]
+  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
+  poison_kmalloc_redzone mm/kasan/common.c:372 [inline]
+  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:389
+  kasan_kmalloc include/linux/kasan.h:211 [inline]
+  __do_kmalloc_node mm/slub.c:3981 [inline]
+  __kmalloc+0x22e/0x490 mm/slub.c:3994
+  kmalloc include/linux/slab.h:594 [inline]
+  kzalloc include/linux/slab.h:711 [inline]
+  fib6_info_alloc+0x2e/0xf0 net/ipv6/ip6_fib.c:155
+  ip6_route_info_create+0x445/0x12b0 net/ipv6/route.c:3758
+  ip6_route_multipath_add net/ipv6/route.c:5298 [inline]
+  inet6_rtm_newroute+0x744/0x2300 net/ipv6/route.c:5517
+  rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597
+  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
+  netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
+  netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
+  netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
+  sock_sendmsg_nosec net/socket.c:730 [inline]
+  __sock_sendmsg+0x221/0x270 net/socket.c:745
+  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
+  ___sys_sendmsg net/socket.c:2638 [inline]
+  __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
+ do_syscall_64+0xf9/0x240
+ entry_SYSCALL_64_after_hwframe+0x6f/0x77
+
+Freed by task 16:
+  kasan_save_stack mm/kasan/common.c:47 [inline]
+  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
+  kasan_save_free_info+0x4e/0x60 mm/kasan/generic.c:640
+  poison_slab_object+0xa6/0xe0 mm/kasan/common.c:241
+  __kasan_slab_free+0x34/0x70 mm/kasan/common.c:257
+  kasan_slab_free include/linux/kasan.h:184 [inline]
+  slab_free_hook mm/slub.c:2121 [inline]
+  slab_free mm/slub.c:4299 [inline]
+  kfree+0x14a/0x380 mm/slub.c:4409
+  rcu_do_batch kernel/rcu/tree.c:2190 [inline]
+  rcu_core+0xd76/0x1810 kernel/rcu/tree.c:2465
+  __do_softirq+0x2bb/0x942 kernel/softirq.c:553
+
+Last potentially related work creation:
+  kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
+  __kasan_record_aux_stack+0xae/0x100 mm/kasan/generic.c:586
+  __call_rcu_common kernel/rcu/tree.c:2715 [inline]
+  call_rcu+0x167/0xa80 kernel/rcu/tree.c:2829
+  fib6_info_release include/net/ip6_fib.h:341 [inline]
+  ip6_route_multipath_add net/ipv6/route.c:5344 [inline]
+  inet6_rtm_newroute+0x114d/0x2300 net/ipv6/route.c:5517
+  rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597
+  netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
+  netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
+  netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
+  netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
+  sock_sendmsg_nosec net/socket.c:730 [inline]
+  __sock_sendmsg+0x221/0x270 net/socket.c:745
+  ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
+  ___sys_sendmsg net/socket.c:2638 [inline]
+  __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
+ do_syscall_64+0xf9/0x240
+ entry_SYSCALL_64_after_hwframe+0x6f/0x77
+
+The buggy address belongs to the object at ffff88809a07fc00
+ which belongs to the cache kmalloc-512 of size 512
+The buggy address is located 100 bytes inside of
+ freed 512-byte region [ffff88809a07fc00, ffff88809a07fe00)
+
+The buggy address belongs to the physical page:
+page:ffffea0002681f00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9a07c
+head:ffffea0002681f00 order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
+page_type: 0xffffffff()
+raw: 00fff00000000840 ffff888014c41c80 dead000000000122 0000000000000000
+raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 23028, tgid 23027 (syz-executor.4), ts 2340253595219, free_ts 2339107097036
+  set_page_owner include/linux/page_owner.h:31 [inline]
+  post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533
+  prep_new_page mm/page_alloc.c:1540 [inline]
+  get_page_from_freelist+0x33ea/0x3580 mm/page_alloc.c:3311
+  __alloc_pages+0x255/0x680 mm/page_alloc.c:4567
+  __alloc_pages_node include/linux/gfp.h:238 [inline]
+  alloc_pages_node include/linux/gfp.h:261 [inline]
+  alloc_slab_page+0x5f/0x160 mm/slub.c:2190
+  allocate_slab mm/slub.c:2354 [inline]
+  new_slab+0x84/0x2f0 mm/slub.c:2407
+  ___slab_alloc+0xd17/0x13e0 mm/slub.c:3540
+  __slab_alloc mm/slub.c:3625 [inline]
+  __slab_alloc_node mm/slub.c:3678 [inline]
+  slab_alloc_node mm/slub.c:3850 [inline]
+  __do_kmalloc_node mm/slub.c:3980 [inline]
+  __kmalloc+0x2e0/0x490 mm/slub.c:3994
+  kmalloc include/linux/slab.h:594 [inline]
+  kzalloc include/linux/slab.h:711 [inline]
+  new_dir fs/proc/proc_sysctl.c:956 [inline]
+  get_subdir fs/proc/proc_sysctl.c:1000 [inline]
+  sysctl_mkdir_p fs/proc/proc_sysctl.c:1295 [inline]
+  __register_sysctl_table+0xb30/0x1440 fs/proc/proc_sysctl.c:1376
+  neigh_sysctl_register+0x416/0x500 net/core/neighbour.c:3859
+  devinet_sysctl_register+0xaf/0x1f0 net/ipv4/devinet.c:2644
+  inetdev_init+0x296/0x4d0 net/ipv4/devinet.c:286
+  inetdev_event+0x338/0x15c0 net/ipv4/devinet.c:1555
+  notifier_call_chain+0x18f/0x3b0 kernel/notifier.c:93
+  call_netdevice_notifiers_extack net/core/dev.c:1987 [inline]
+  call_netdevice_notifiers net/core/dev.c:2001 [inline]
+  register_netdevice+0x15b2/0x1a20 net/core/dev.c:10340
+  br_dev_newlink+0x27/0x100 net/bridge/br_netlink.c:1563
+  rtnl_newlink_create net/core/rtnetlink.c:3497 [inline]
+  __rtnl_newlink net/core/rtnetlink.c:3717 [inline]
+  rtnl_newlink+0x158f/0x20a0 net/core/rtnetlink.c:3730
+page last free pid 11583 tgid 11583 stack trace:
+  reset_page_owner include/linux/page_owner.h:24 [inline]
+  free_pages_prepare mm/page_alloc.c:1140 [inline]
+  free_unref_page_prepare+0x968/0xa90 mm/page_alloc.c:2346
+  free_unref_page+0x37/0x3f0 mm/page_alloc.c:2486
+  kasan_depopulate_vmalloc_pte+0x74/0x90 mm/kasan/shadow.c:415
+  apply_to_pte_range mm/memory.c:2619 [inline]
+  apply_to_pmd_range mm/memory.c:2663 [inline]
+  apply_to_pud_range mm/memory.c:2699 [inline]
+  apply_to_p4d_range mm/memory.c:2735 [inline]
+  __apply_to_page_range+0x8ec/0xe40 mm/memory.c:2769
+  kasan_release_vmalloc+0x9a/0xb0 mm/kasan/shadow.c:532
+  __purge_vmap_area_lazy+0x163f/0x1a10 mm/vmalloc.c:1770
+  drain_vmap_area_work+0x40/0xd0 mm/vmalloc.c:1804
+  process_one_work kernel/workqueue.c:2633 [inline]
+  process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706
+  worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787
+  kthread+0x2ef/0x390 kernel/kthread.c:388
+  ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
+  ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
+
+Memory state around the buggy address:
+ ffff88809a07fb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff88809a07fb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff88809a07fc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                                                       ^
+ ffff88809a07fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff88809a07fd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+Fixes: 3b1137fe7482 ("net: ipv6: Change notifications for multipath add to RTA_MULTIPATH")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20240303144801.702646-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/route.c | 21 +++++++--------------
+ 1 file changed, 7 insertions(+), 14 deletions(-)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index ea1dec8448fce..ef815ba583a8f 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -5332,19 +5332,7 @@ static int ip6_route_multipath_add(struct fib6_config *cfg,
+       err_nh = NULL;
+       list_for_each_entry(nh, &rt6_nh_list, next) {
+               err = __ip6_ins_rt(nh->fib6_info, info, extack);
+-              fib6_info_release(nh->fib6_info);
+-
+-              if (!err) {
+-                      /* save reference to last route successfully inserted */
+-                      rt_last = nh->fib6_info;
+-
+-                      /* save reference to first route for notification */
+-                      if (!rt_notif)
+-                              rt_notif = nh->fib6_info;
+-              }
+-              /* nh->fib6_info is used or freed at this point, reset to NULL*/
+-              nh->fib6_info = NULL;
+               if (err) {
+                       if (replace && nhn)
+                               NL_SET_ERR_MSG_MOD(extack,
+@@ -5352,6 +5340,12 @@ static int ip6_route_multipath_add(struct fib6_config *cfg,
+                       err_nh = nh;
+                       goto add_errout;
+               }
++              /* save reference to last route successfully inserted */
++              rt_last = nh->fib6_info;
++
++              /* save reference to first route for notification */
++              if (!rt_notif)
++                      rt_notif = nh->fib6_info;
+               /* Because each route is added like a single route we remove
+                * these flags after the first nexthop: if there is a collision,
+@@ -5412,8 +5406,7 @@ static int ip6_route_multipath_add(struct fib6_config *cfg,
+ cleanup:
+       list_for_each_entry_safe(nh, nh_safe, &rt6_nh_list, next) {
+-              if (nh->fib6_info)
+-                      fib6_info_release(nh->fib6_info);
++              fib6_info_release(nh->fib6_info);
+               list_del(&nh->next);
+               kfree(nh);
+       }
+-- 
+2.43.0
+
diff --git a/queue-6.7/net-lan78xx-fix-runtime-pm-count-underflow-on-link-s.patch b/queue-6.7/net-lan78xx-fix-runtime-pm-count-underflow-on-link-s.patch
new file mode 100644 (file)
index 0000000..26f80ad
--- /dev/null
@@ -0,0 +1,45 @@
+From 862ebd8c92f0458437e7717cc6ac576fb9d91a7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Feb 2024 13:45:17 +0100
+Subject: net: lan78xx: fix runtime PM count underflow on link stop
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit 1eecc7ab82c42133b748e1895275942a054a7f67 ]
+
+Current driver has some asymmetry in the runtime PM calls. On lan78xx_open()
+it will call usb_autopm_get() and unconditionally usb_autopm_put(). And
+on lan78xx_stop() it will call only usb_autopm_put(). So far, it was
+working only because this driver do not activate autosuspend by default,
+so it was visible only by warning "Runtime PM usage count underflow!".
+
+Since, with current driver, we can't use runtime PM with active link,
+execute lan78xx_open()->usb_autopm_put() only in error case. Otherwise,
+keep ref counting high as long as interface is open.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/lan78xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index a2dde84499fdd..f0fb9cd1ff56c 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -3137,7 +3137,8 @@ static int lan78xx_open(struct net_device *net)
+ done:
+       mutex_unlock(&dev->dev_mutex);
+-      usb_autopm_put_interface(dev->intf);
++      if (ret < 0)
++              usb_autopm_put_interface(dev->intf);
+       return ret;
+ }
+-- 
+2.43.0
+
diff --git a/queue-6.7/net-mlx5-check-capability-for-fw_reset.patch b/queue-6.7/net-mlx5-check-capability-for-fw_reset.patch
new file mode 100644 (file)
index 0000000..3401b3f
--- /dev/null
@@ -0,0 +1,129 @@
+From 5e933e4b0a882e9134c1ddc3ff8dce95fe20eda5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Jan 2024 20:43:58 +0200
+Subject: net/mlx5: Check capability for fw_reset
+
+From: Moshe Shemesh <moshe@nvidia.com>
+
+[ Upstream commit 5e6107b499f3fc4748109e1d87fd9603b34f1e0d ]
+
+Functions which can't access MFRL (Management Firmware Reset Level)
+register, have no use of fw_reset structures or events. Remove fw_reset
+structures allocation and registration for fw reset events notifications
+for these functions.
+
+Having the devlink param enable_remote_dev_reset on functions that don't
+have this capability is misleading as these functions are not allowed to
+influence the reset flow. Hence, this patch removes this parameter for
+such functions.
+
+In addition, return not supported on devlink reload action fw_activate
+for these functions.
+
+Fixes: 38b9f903f22b ("net/mlx5: Handle sync reset request event")
+Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
+Reviewed-by: Aya Levin <ayal@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/devlink.c |  6 +++++
+ .../ethernet/mellanox/mlx5/core/fw_reset.c    | 22 +++++++++++++++++--
+ include/linux/mlx5/mlx5_ifc.h                 |  4 +++-
+ 3 files changed, 29 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/devlink.c b/drivers/net/ethernet/mellanox/mlx5/core/devlink.c
+index 3e064234f6fe9..98d4306929f3e 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/devlink.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/devlink.c
+@@ -157,6 +157,12 @@ static int mlx5_devlink_reload_down(struct devlink *devlink, bool netns_change,
+               return -EOPNOTSUPP;
+       }
++      if (action == DEVLINK_RELOAD_ACTION_FW_ACTIVATE &&
++          !dev->priv.fw_reset) {
++              NL_SET_ERR_MSG_MOD(extack, "FW activate is unsupported for this function");
++              return -EOPNOTSUPP;
++      }
++
+       if (mlx5_core_is_pf(dev) && pci_num_vf(pdev))
+               NL_SET_ERR_MSG_MOD(extack, "reload while VFs are present is unfavorable");
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
+index c4e19d627da21..3a9cdf79403ae 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
+@@ -679,19 +679,30 @@ void mlx5_fw_reset_events_start(struct mlx5_core_dev *dev)
+ {
+       struct mlx5_fw_reset *fw_reset = dev->priv.fw_reset;
++      if (!fw_reset)
++              return;
++
+       MLX5_NB_INIT(&fw_reset->nb, fw_reset_event_notifier, GENERAL_EVENT);
+       mlx5_eq_notifier_register(dev, &fw_reset->nb);
+ }
+ void mlx5_fw_reset_events_stop(struct mlx5_core_dev *dev)
+ {
+-      mlx5_eq_notifier_unregister(dev, &dev->priv.fw_reset->nb);
++      struct mlx5_fw_reset *fw_reset = dev->priv.fw_reset;
++
++      if (!fw_reset)
++              return;
++
++      mlx5_eq_notifier_unregister(dev, &fw_reset->nb);
+ }
+ void mlx5_drain_fw_reset(struct mlx5_core_dev *dev)
+ {
+       struct mlx5_fw_reset *fw_reset = dev->priv.fw_reset;
++      if (!fw_reset)
++              return;
++
+       set_bit(MLX5_FW_RESET_FLAGS_DROP_NEW_REQUESTS, &fw_reset->reset_flags);
+       cancel_work_sync(&fw_reset->fw_live_patch_work);
+       cancel_work_sync(&fw_reset->reset_request_work);
+@@ -709,9 +720,13 @@ static const struct devlink_param mlx5_fw_reset_devlink_params[] = {
+ int mlx5_fw_reset_init(struct mlx5_core_dev *dev)
+ {
+-      struct mlx5_fw_reset *fw_reset = kzalloc(sizeof(*fw_reset), GFP_KERNEL);
++      struct mlx5_fw_reset *fw_reset;
+       int err;
++      if (!MLX5_CAP_MCAM_REG(dev, mfrl))
++              return 0;
++
++      fw_reset = kzalloc(sizeof(*fw_reset), GFP_KERNEL);
+       if (!fw_reset)
+               return -ENOMEM;
+       fw_reset->wq = create_singlethread_workqueue("mlx5_fw_reset_events");
+@@ -747,6 +762,9 @@ void mlx5_fw_reset_cleanup(struct mlx5_core_dev *dev)
+ {
+       struct mlx5_fw_reset *fw_reset = dev->priv.fw_reset;
++      if (!fw_reset)
++              return;
++
+       devl_params_unregister(priv_to_devlink(dev),
+                              mlx5_fw_reset_devlink_params,
+                              ARRAY_SIZE(mlx5_fw_reset_devlink_params));
+diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h
+index 77cd2e13724e7..bfc8320fb46cb 100644
+--- a/include/linux/mlx5/mlx5_ifc.h
++++ b/include/linux/mlx5/mlx5_ifc.h
+@@ -10215,7 +10215,9 @@ struct mlx5_ifc_mcam_access_reg_bits {
+       u8         regs_63_to_46[0x12];
+       u8         mrtc[0x1];
+-      u8         regs_44_to_32[0xd];
++      u8         regs_44_to_41[0x4];
++      u8         mfrl[0x1];
++      u8         regs_39_to_32[0x8];
+       u8         regs_31_to_10[0x16];
+       u8         mtmp[0x1];
+-- 
+2.43.0
+
diff --git a/queue-6.7/net-mlx5-e-switch-change-flow-rule-destination-check.patch b/queue-6.7/net-mlx5-e-switch-change-flow-rule-destination-check.patch
new file mode 100644 (file)
index 0000000..647228e
--- /dev/null
@@ -0,0 +1,78 @@
+From 36efe37c461c4f3701e1ced4e1014478334b4d8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Jan 2024 01:27:47 +0000
+Subject: net/mlx5: E-switch, Change flow rule destination checking
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 85ea2c5c5ef5f24fe6e6e7028ddd90be1cb5d27e ]
+
+The checking in the cited commit is not accurate. In the common case,
+VF destination is internal, and uplink destination is external.
+However, uplink destination with packet reformat is considered as
+internal because firmware uses LB+hairpin to support it. Update the
+checking so header rewrite rules with both internal and external
+destinations are not allowed.
+
+Fixes: e0e22d59b47a ("net/mlx5: E-switch, Add checking for flow rule destinations")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mellanox/mlx5/core/eswitch_offloads.c     | 23 +++++++++++--------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+index 14b3bd3c5e2f7..baaae628b0a0f 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+@@ -535,21 +535,26 @@ esw_src_port_rewrite_supported(struct mlx5_eswitch *esw)
+ }
+ static bool
+-esw_dests_to_vf_pf_vports(struct mlx5_flow_destination *dests, int max_dest)
++esw_dests_to_int_external(struct mlx5_flow_destination *dests, int max_dest)
+ {
+-      bool vf_dest = false, pf_dest = false;
++      bool internal_dest = false, external_dest = false;
+       int i;
+       for (i = 0; i < max_dest; i++) {
+-              if (dests[i].type != MLX5_FLOW_DESTINATION_TYPE_VPORT)
++              if (dests[i].type != MLX5_FLOW_DESTINATION_TYPE_VPORT &&
++                  dests[i].type != MLX5_FLOW_DESTINATION_TYPE_UPLINK)
+                       continue;
+-              if (dests[i].vport.num == MLX5_VPORT_UPLINK)
+-                      pf_dest = true;
++              /* Uplink dest is external, but considered as internal
++               * if there is reformat because firmware uses LB+hairpin to support it.
++               */
++              if (dests[i].vport.num == MLX5_VPORT_UPLINK &&
++                  !(dests[i].vport.flags & MLX5_FLOW_DEST_VPORT_REFORMAT_ID))
++                      external_dest = true;
+               else
+-                      vf_dest = true;
++                      internal_dest = true;
+-              if (vf_dest && pf_dest)
++              if (internal_dest && external_dest)
+                       return true;
+       }
+@@ -695,9 +700,9 @@ mlx5_eswitch_add_offloaded_rule(struct mlx5_eswitch *esw,
+               /* Header rewrite with combined wire+loopback in FDB is not allowed */
+               if ((flow_act.action & MLX5_FLOW_CONTEXT_ACTION_MOD_HDR) &&
+-                  esw_dests_to_vf_pf_vports(dest, i)) {
++                  esw_dests_to_int_external(dest, i)) {
+                       esw_warn(esw->dev,
+-                               "FDB: Header rewrite with forwarding to both PF and VF is not allowed\n");
++                               "FDB: Header rewrite with forwarding to both internal and external dests is not allowed\n");
+                       rule = ERR_PTR(-EINVAL);
+                       goto err_esw_get;
+               }
+-- 
+2.43.0
+
diff --git a/queue-6.7/net-mlx5-fix-fw-reporter-diagnose-output.patch b/queue-6.7/net-mlx5-fix-fw-reporter-diagnose-output.patch
new file mode 100644 (file)
index 0000000..e4822ca
--- /dev/null
@@ -0,0 +1,45 @@
+From 25804644171ec00b8f8759f4ea5125285bba5a2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jan 2024 20:13:34 +0200
+Subject: net/mlx5: Fix fw reporter diagnose output
+
+From: Aya Levin <ayal@nvidia.com>
+
+[ Upstream commit ac8082a3c7a158640a2c493ec437dd9da881a6a7 ]
+
+Restore fw reporter diagnose to print the syndrome even if it is zero.
+Following the cited commit, in this case (syndrome == 0) command returns no
+output at all.
+
+This fix restores command output in case syndrome is cleared:
+$ devlink health diagnose pci/0000:82:00.0 reporter fw
+    Syndrome: 0
+
+Fixes: d17f98bf7cc9 ("net/mlx5: devlink health: use retained error fmsg API")
+Signed-off-by: Aya Levin <ayal@nvidia.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/health.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/health.c b/drivers/net/ethernet/mellanox/mlx5/core/health.c
+index 8ff6dc9bc8033..b5c709bba1553 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/health.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/health.c
+@@ -452,10 +452,10 @@ mlx5_fw_reporter_diagnose(struct devlink_health_reporter *reporter,
+       struct health_buffer __iomem *h = health->health;
+       u8 synd = ioread8(&h->synd);
++      devlink_fmsg_u8_pair_put(fmsg, "Syndrome", synd);
+       if (!synd)
+               return 0;
+-      devlink_fmsg_u8_pair_put(fmsg, "Syndrome", synd);
+       devlink_fmsg_string_pair_put(fmsg, "Description", hsynd_str(synd));
+       return 0;
+-- 
+2.43.0
+
diff --git a/queue-6.7/net-mlx5e-change-the-warning-when-ignore_flow_level-.patch b/queue-6.7/net-mlx5e-change-the-warning-when-ignore_flow_level-.patch
new file mode 100644 (file)
index 0000000..81f1e4d
--- /dev/null
@@ -0,0 +1,42 @@
+From 16083daad7e19fdc74002d7b0c116b81043ea7bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Dec 2023 01:47:05 +0000
+Subject: net/mlx5e: Change the warning when ignore_flow_level is not supported
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit dd238b702064b21d25b4fc39a19699319746d655 ]
+
+Downgrade the print from mlx5_core_warn() to mlx5_core_dbg(), as it
+is just a statement of fact that firmware doesn't support ignore flow
+level.
+
+And change the wording to "firmware flow level support is missing", to
+make it more accurate.
+
+Fixes: ae2ee3be99a8 ("net/mlx5: CT: Remove warning of ignore_flow_level support for VFs")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Suggested-by: Elliott, Robert (Servers) <elliott@hpe.com>
+Reviewed-by: Roi Dayan <roid@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/tc/post_act.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc/post_act.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc/post_act.c
+index 86bf007fd05b7..b500cc2c9689d 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc/post_act.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc/post_act.c
+@@ -37,7 +37,7 @@ mlx5e_tc_post_act_init(struct mlx5e_priv *priv, struct mlx5_fs_chains *chains,
+       if (!MLX5_CAP_FLOWTABLE_TYPE(priv->mdev, ignore_flow_level, table_type)) {
+               if (priv->mdev->coredev_type == MLX5_COREDEV_PF)
+-                      mlx5_core_warn(priv->mdev, "firmware level support is missing\n");
++                      mlx5_core_dbg(priv->mdev, "firmware flow level support is missing\n");
+               err = -EOPNOTSUPP;
+               goto err_check;
+       }
+-- 
+2.43.0
+
diff --git a/queue-6.7/net-mlx5e-fix-macsec-state-loss-upon-state-update-in.patch b/queue-6.7/net-mlx5e-fix-macsec-state-loss-upon-state-update-in.patch
new file mode 100644 (file)
index 0000000..e404b36
--- /dev/null
@@ -0,0 +1,213 @@
+From 48e66d4c37aa9b64e306889d193f9ca03bbf6a0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 17:03:03 +0200
+Subject: net/mlx5e: Fix MACsec state loss upon state update in offload path
+
+From: Emeel Hakim <ehakim@nvidia.com>
+
+[ Upstream commit a71f2147b64941efee156bfda54fd6461d0f95df ]
+
+The packet number attribute of the SA is incremented by the device rather
+than the software stack when enabling hardware offload. Because the packet
+number attribute is managed by the hardware, the software has no insight
+into the value of the packet number attribute actually written by the
+device.
+
+Previously when MACsec offload was enabled, the hardware object for
+handling the offload was destroyed when the SA was disabled. Re-enabling
+the SA would lead to a new hardware object being instantiated. This new
+hardware object would not have any recollection of the correct packet
+number for the SA. Instead, destroy the flow steering rule when
+deactivating the SA and recreate it upon reactivation, preserving the
+original hardware object.
+
+Fixes: 8ff0ac5be144 ("net/mlx5: Add MACsec offload Tx command support")
+Signed-off-by: Emeel Hakim <ehakim@nvidia.com>
+Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Reviewed-by: Gal Pressman <gal@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mellanox/mlx5/core/en_accel/macsec.c      | 82 ++++++++++++-------
+ 1 file changed, 51 insertions(+), 31 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
+index d4ebd87431145..b2cabd6ab86cb 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
+@@ -310,9 +310,9 @@ static void mlx5e_macsec_destroy_object(struct mlx5_core_dev *mdev, u32 macsec_o
+       mlx5_cmd_exec(mdev, in, sizeof(in), out, sizeof(out));
+ }
+-static void mlx5e_macsec_cleanup_sa(struct mlx5e_macsec *macsec,
+-                                  struct mlx5e_macsec_sa *sa,
+-                                  bool is_tx, struct net_device *netdev, u32 fs_id)
++static void mlx5e_macsec_cleanup_sa_fs(struct mlx5e_macsec *macsec,
++                                     struct mlx5e_macsec_sa *sa, bool is_tx,
++                                     struct net_device *netdev, u32 fs_id)
+ {
+       int action =  (is_tx) ?  MLX5_ACCEL_MACSEC_ACTION_ENCRYPT :
+                                MLX5_ACCEL_MACSEC_ACTION_DECRYPT;
+@@ -322,20 +322,49 @@ static void mlx5e_macsec_cleanup_sa(struct mlx5e_macsec *macsec,
+       mlx5_macsec_fs_del_rule(macsec->mdev->macsec_fs, sa->macsec_rule, action, netdev,
+                               fs_id);
+-      mlx5e_macsec_destroy_object(macsec->mdev, sa->macsec_obj_id);
+       sa->macsec_rule = NULL;
+ }
++static void mlx5e_macsec_cleanup_sa(struct mlx5e_macsec *macsec,
++                                  struct mlx5e_macsec_sa *sa, bool is_tx,
++                                  struct net_device *netdev, u32 fs_id)
++{
++      mlx5e_macsec_cleanup_sa_fs(macsec, sa, is_tx, netdev, fs_id);
++      mlx5e_macsec_destroy_object(macsec->mdev, sa->macsec_obj_id);
++}
++
++static int mlx5e_macsec_init_sa_fs(struct macsec_context *ctx,
++                                 struct mlx5e_macsec_sa *sa, bool encrypt,
++                                 bool is_tx, u32 *fs_id)
++{
++      struct mlx5e_priv *priv = macsec_netdev_priv(ctx->netdev);
++      struct mlx5_macsec_fs *macsec_fs = priv->mdev->macsec_fs;
++      struct mlx5_macsec_rule_attrs rule_attrs;
++      union mlx5_macsec_rule *macsec_rule;
++
++      rule_attrs.macsec_obj_id = sa->macsec_obj_id;
++      rule_attrs.sci = sa->sci;
++      rule_attrs.assoc_num = sa->assoc_num;
++      rule_attrs.action = (is_tx) ? MLX5_ACCEL_MACSEC_ACTION_ENCRYPT :
++                                    MLX5_ACCEL_MACSEC_ACTION_DECRYPT;
++
++      macsec_rule = mlx5_macsec_fs_add_rule(macsec_fs, ctx, &rule_attrs, fs_id);
++      if (!macsec_rule)
++              return -ENOMEM;
++
++      sa->macsec_rule = macsec_rule;
++
++      return 0;
++}
++
+ static int mlx5e_macsec_init_sa(struct macsec_context *ctx,
+                               struct mlx5e_macsec_sa *sa,
+                               bool encrypt, bool is_tx, u32 *fs_id)
+ {
+       struct mlx5e_priv *priv = macsec_netdev_priv(ctx->netdev);
+       struct mlx5e_macsec *macsec = priv->macsec;
+-      struct mlx5_macsec_rule_attrs rule_attrs;
+       struct mlx5_core_dev *mdev = priv->mdev;
+       struct mlx5_macsec_obj_attrs obj_attrs;
+-      union mlx5_macsec_rule *macsec_rule;
+       int err;
+       obj_attrs.next_pn = sa->next_pn;
+@@ -357,20 +386,12 @@ static int mlx5e_macsec_init_sa(struct macsec_context *ctx,
+       if (err)
+               return err;
+-      rule_attrs.macsec_obj_id = sa->macsec_obj_id;
+-      rule_attrs.sci = sa->sci;
+-      rule_attrs.assoc_num = sa->assoc_num;
+-      rule_attrs.action = (is_tx) ? MLX5_ACCEL_MACSEC_ACTION_ENCRYPT :
+-                                    MLX5_ACCEL_MACSEC_ACTION_DECRYPT;
+-
+-      macsec_rule = mlx5_macsec_fs_add_rule(mdev->macsec_fs, ctx, &rule_attrs, fs_id);
+-      if (!macsec_rule) {
+-              err = -ENOMEM;
+-              goto destroy_macsec_object;
++      if (sa->active) {
++              err = mlx5e_macsec_init_sa_fs(ctx, sa, encrypt, is_tx, fs_id);
++              if (err)
++                      goto destroy_macsec_object;
+       }
+-      sa->macsec_rule = macsec_rule;
+-
+       return 0;
+ destroy_macsec_object:
+@@ -526,9 +547,7 @@ static int mlx5e_macsec_add_txsa(struct macsec_context *ctx)
+               goto destroy_sa;
+       macsec_device->tx_sa[assoc_num] = tx_sa;
+-      if (!secy->operational ||
+-          assoc_num != tx_sc->encoding_sa ||
+-          !tx_sa->active)
++      if (!secy->operational)
+               goto out;
+       err = mlx5e_macsec_init_sa(ctx, tx_sa, tx_sc->encrypt, true, NULL);
+@@ -595,7 +614,7 @@ static int mlx5e_macsec_upd_txsa(struct macsec_context *ctx)
+               goto out;
+       if (ctx_tx_sa->active) {
+-              err = mlx5e_macsec_init_sa(ctx, tx_sa, tx_sc->encrypt, true, NULL);
++              err = mlx5e_macsec_init_sa_fs(ctx, tx_sa, tx_sc->encrypt, true, NULL);
+               if (err)
+                       goto out;
+       } else {
+@@ -604,7 +623,7 @@ static int mlx5e_macsec_upd_txsa(struct macsec_context *ctx)
+                       goto out;
+               }
+-              mlx5e_macsec_cleanup_sa(macsec, tx_sa, true, ctx->secy->netdev, 0);
++              mlx5e_macsec_cleanup_sa_fs(macsec, tx_sa, true, ctx->secy->netdev, 0);
+       }
+ out:
+       mutex_unlock(&macsec->lock);
+@@ -1030,8 +1049,9 @@ static int mlx5e_macsec_del_rxsa(struct macsec_context *ctx)
+               goto out;
+       }
+-      mlx5e_macsec_cleanup_sa(macsec, rx_sa, false, ctx->secy->netdev,
+-                              rx_sc->sc_xarray_element->fs_id);
++      if (rx_sa->active)
++              mlx5e_macsec_cleanup_sa(macsec, rx_sa, false, ctx->secy->netdev,
++                                      rx_sc->sc_xarray_element->fs_id);
+       mlx5_destroy_encryption_key(macsec->mdev, rx_sa->enc_key_id);
+       kfree(rx_sa);
+       rx_sc->rx_sa[assoc_num] = NULL;
+@@ -1112,8 +1132,8 @@ static int macsec_upd_secy_hw_address(struct macsec_context *ctx,
+                       if (!rx_sa || !rx_sa->macsec_rule)
+                               continue;
+-                      mlx5e_macsec_cleanup_sa(macsec, rx_sa, false, ctx->secy->netdev,
+-                                              rx_sc->sc_xarray_element->fs_id);
++                      mlx5e_macsec_cleanup_sa_fs(macsec, rx_sa, false, ctx->secy->netdev,
++                                                 rx_sc->sc_xarray_element->fs_id);
+               }
+       }
+@@ -1124,8 +1144,8 @@ static int macsec_upd_secy_hw_address(struct macsec_context *ctx,
+                               continue;
+                       if (rx_sa->active) {
+-                              err = mlx5e_macsec_init_sa(ctx, rx_sa, true, false,
+-                                                         &rx_sc->sc_xarray_element->fs_id);
++                              err = mlx5e_macsec_init_sa_fs(ctx, rx_sa, true, false,
++                                                            &rx_sc->sc_xarray_element->fs_id);
+                               if (err)
+                                       goto out;
+                       }
+@@ -1178,7 +1198,7 @@ static int mlx5e_macsec_upd_secy(struct macsec_context *ctx)
+               if (!tx_sa)
+                       continue;
+-              mlx5e_macsec_cleanup_sa(macsec, tx_sa, true, ctx->secy->netdev, 0);
++              mlx5e_macsec_cleanup_sa_fs(macsec, tx_sa, true, ctx->secy->netdev, 0);
+       }
+       for (i = 0; i < MACSEC_NUM_AN; ++i) {
+@@ -1187,7 +1207,7 @@ static int mlx5e_macsec_upd_secy(struct macsec_context *ctx)
+                       continue;
+               if (tx_sa->assoc_num == tx_sc->encoding_sa && tx_sa->active) {
+-                      err = mlx5e_macsec_init_sa(ctx, tx_sa, tx_sc->encrypt, true, NULL);
++                      err = mlx5e_macsec_init_sa_fs(ctx, tx_sa, tx_sc->encrypt, true, NULL);
+                       if (err)
+                               goto out;
+               }
+-- 
+2.43.0
+
diff --git a/queue-6.7/net-mlx5e-switch-to-using-_bh-variant-of-of-spinlock.patch b/queue-6.7/net-mlx5e-switch-to-using-_bh-variant-of-of-spinlock.patch
new file mode 100644 (file)
index 0000000..324fbca
--- /dev/null
@@ -0,0 +1,71 @@
+From bbab7fcf4835750265288e9840537d5db7a7beda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Feb 2024 15:09:34 -0800
+Subject: net/mlx5e: Switch to using _bh variant of of spinlock API in port
+ timestamping NAPI poll context
+
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+
+[ Upstream commit 90502d433c0e7e5483745a574cb719dd5d05b10c ]
+
+The NAPI poll context is a softirq context. Do not use normal spinlock API
+in this context to prevent concurrency issues.
+
+Fixes: 3178308ad4ca ("net/mlx5e: Make tx_port_ts logic resilient to out-of-order CQEs")
+Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+CC: Vadim Fedorenko <vadfed@meta.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c b/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c
+index 803035d4e5976..15d97c685ad33 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c
+@@ -42,9 +42,9 @@ mlx5e_ptp_port_ts_cqe_list_add(struct mlx5e_ptp_port_ts_cqe_list *list, u8 metad
+       WARN_ON_ONCE(tracker->inuse);
+       tracker->inuse = true;
+-      spin_lock(&list->tracker_list_lock);
++      spin_lock_bh(&list->tracker_list_lock);
+       list_add_tail(&tracker->entry, &list->tracker_list_head);
+-      spin_unlock(&list->tracker_list_lock);
++      spin_unlock_bh(&list->tracker_list_lock);
+ }
+ static void
+@@ -54,9 +54,9 @@ mlx5e_ptp_port_ts_cqe_list_remove(struct mlx5e_ptp_port_ts_cqe_list *list, u8 me
+       WARN_ON_ONCE(!tracker->inuse);
+       tracker->inuse = false;
+-      spin_lock(&list->tracker_list_lock);
++      spin_lock_bh(&list->tracker_list_lock);
+       list_del(&tracker->entry);
+-      spin_unlock(&list->tracker_list_lock);
++      spin_unlock_bh(&list->tracker_list_lock);
+ }
+ void mlx5e_ptpsq_track_metadata(struct mlx5e_ptpsq *ptpsq, u8 metadata)
+@@ -155,7 +155,7 @@ static void mlx5e_ptpsq_mark_ts_cqes_undelivered(struct mlx5e_ptpsq *ptpsq,
+       struct mlx5e_ptp_metadata_map *metadata_map = &ptpsq->metadata_map;
+       struct mlx5e_ptp_port_ts_cqe_tracker *pos, *n;
+-      spin_lock(&cqe_list->tracker_list_lock);
++      spin_lock_bh(&cqe_list->tracker_list_lock);
+       list_for_each_entry_safe(pos, n, &cqe_list->tracker_list_head, entry) {
+               struct sk_buff *skb =
+                       mlx5e_ptp_metadata_map_lookup(metadata_map, pos->metadata_id);
+@@ -170,7 +170,7 @@ static void mlx5e_ptpsq_mark_ts_cqes_undelivered(struct mlx5e_ptpsq *ptpsq,
+               pos->inuse = false;
+               list_del(&pos->entry);
+       }
+-      spin_unlock(&cqe_list->tracker_list_lock);
++      spin_unlock_bh(&cqe_list->tracker_list_lock);
+ }
+ #define PTP_WQE_CTR2IDX(val) ((val) & ptpsq->ts_cqe_ctr_mask)
+-- 
+2.43.0
+
diff --git a/queue-6.7/net-mlx5e-use-a-memory-barrier-to-enforce-ptp-wq-xmi.patch b/queue-6.7/net-mlx5e-use-a-memory-barrier-to-enforce-ptp-wq-xmi.patch
new file mode 100644 (file)
index 0000000..45c45cb
--- /dev/null
@@ -0,0 +1,44 @@
+From d2051c4859b0c6e12d23b728273d867371b91bc5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Feb 2024 13:12:28 -0800
+Subject: net/mlx5e: Use a memory barrier to enforce PTP WQ xmit submission
+ tracking occurs after populating the metadata_map
+
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+
+[ Upstream commit b7cf07586c40f926063d4d09f7de28ff82f62b2a ]
+
+Just simply reordering the functions mlx5e_ptp_metadata_map_put and
+mlx5e_ptpsq_track_metadata in the mlx5e_txwqe_complete context is not good
+enough since both the compiler and CPU are free to reorder these two
+functions. If reordering does occur, the issue that was supposedly fixed by
+7e3f3ba97e6c ("net/mlx5e: Track xmit submission to PTP WQ after populating
+metadata map") will be seen. This will lead to NULL pointer dereferences in
+mlx5e_ptpsq_mark_ts_cqes_undelivered in the NAPI polling context due to the
+tracking list being populated before the metadata map.
+
+Fixes: 7e3f3ba97e6c ("net/mlx5e: Track xmit submission to PTP WQ after populating metadata map")
+Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+CC: Vadim Fedorenko <vadfed@meta.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
+index f0b506e562df3..1ead69c5f5fa3 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
+@@ -401,6 +401,8 @@ mlx5e_txwqe_complete(struct mlx5e_txqsq *sq, struct sk_buff *skb,
+               mlx5e_skb_cb_hwtstamp_init(skb);
+               mlx5e_ptp_metadata_map_put(&sq->ptpsq->metadata_map, skb,
+                                          metadata_index);
++              /* ensure skb is put on metadata_map before tracking the index */
++              wmb();
+               mlx5e_ptpsq_track_metadata(sq->ptpsq, metadata_index);
+               if (!netif_tx_queue_stopped(sq->txq) &&
+                   mlx5e_ptpsq_metadata_freelist_empty(sq->ptpsq)) {
+-- 
+2.43.0
+
diff --git a/queue-6.7/net-pds_core-fix-possible-double-free-in-error-handl.patch b/queue-6.7/net-pds_core-fix-possible-double-free-in-error-handl.patch
new file mode 100644 (file)
index 0000000..eba7fd5
--- /dev/null
@@ -0,0 +1,63 @@
+From 57cee79c539de4031ea4b2e3b9b1112a91a9a594 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Mar 2024 18:57:14 +0800
+Subject: net: pds_core: Fix possible double free in error handling path
+
+From: Yongzhi Liu <hyperlyzcs@gmail.com>
+
+[ Upstream commit ba18deddd6d502da71fd6b6143c53042271b82bd ]
+
+When auxiliary_device_add() returns error and then calls
+auxiliary_device_uninit(), Callback function pdsc_auxbus_dev_release
+calls kfree(padev) to free memory. We shouldn't call kfree(padev)
+again in the error handling path.
+
+Fix this by cleaning up the redundant kfree() and putting
+the error handling back to where the errors happened.
+
+Fixes: 4569cce43bc6 ("pds_core: add auxiliary_bus devices")
+Signed-off-by: Yongzhi Liu <hyperlyzcs@gmail.com>
+Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
+Reviewed-by: Shannon Nelson <shannon.nelson@amd.com>
+Link: https://lore.kernel.org/r/20240306105714.20597-1-hyperlyzcs@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/pds_core/auxbus.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/pds_core/auxbus.c b/drivers/net/ethernet/amd/pds_core/auxbus.c
+index 11c23a7f3172d..fd1a5149c0031 100644
+--- a/drivers/net/ethernet/amd/pds_core/auxbus.c
++++ b/drivers/net/ethernet/amd/pds_core/auxbus.c
+@@ -160,23 +160,19 @@ static struct pds_auxiliary_dev *pdsc_auxbus_dev_register(struct pdsc *cf,
+       if (err < 0) {
+               dev_warn(cf->dev, "auxiliary_device_init of %s failed: %pe\n",
+                        name, ERR_PTR(err));
+-              goto err_out;
++              kfree(padev);
++              return ERR_PTR(err);
+       }
+       err = auxiliary_device_add(aux_dev);
+       if (err) {
+               dev_warn(cf->dev, "auxiliary_device_add of %s failed: %pe\n",
+                        name, ERR_PTR(err));
+-              goto err_out_uninit;
++              auxiliary_device_uninit(aux_dev);
++              return ERR_PTR(err);
+       }
+       return padev;
+-
+-err_out_uninit:
+-      auxiliary_device_uninit(aux_dev);
+-err_out:
+-      kfree(padev);
+-      return ERR_PTR(err);
+ }
+ int pdsc_auxbus_dev_del(struct pdsc *cf, struct pdsc *pf)
+-- 
+2.43.0
+
diff --git a/queue-6.7/net-rds-fix-warning-in-rds_conn_connect_if_down.patch b/queue-6.7/net-rds-fix-warning-in-rds_conn_connect_if_down.patch
new file mode 100644 (file)
index 0000000..ac54a7d
--- /dev/null
@@ -0,0 +1,57 @@
+From 0a00619071cdb32d8a2fa9572137192de1608428 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Mar 2024 08:13:08 +0800
+Subject: net/rds: fix WARNING in rds_conn_connect_if_down
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+[ Upstream commit c055fc00c07be1f0df7375ab0036cebd1106ed38 ]
+
+If connection isn't established yet, get_mr() will fail, trigger connection after
+get_mr().
+
+Fixes: 584a8279a44a ("RDS: RDMA: return appropriate error on rdma map failures")
+Reported-and-tested-by: syzbot+d4faee732755bba9838e@syzkaller.appspotmail.com
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rds/rdma.c | 3 +++
+ net/rds/send.c | 6 +-----
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/net/rds/rdma.c b/net/rds/rdma.c
+index fba82d36593ad..a4e3c5de998be 100644
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -301,6 +301,9 @@ static int __rds_rdma_map(struct rds_sock *rs, struct rds_get_mr_args *args,
+                       kfree(sg);
+               }
+               ret = PTR_ERR(trans_private);
++              /* Trigger connection so that its ready for the next retry */
++              if (ret == -ENODEV)
++                      rds_conn_connect_if_down(cp->cp_conn);
+               goto out;
+       }
+diff --git a/net/rds/send.c b/net/rds/send.c
+index 5e57a1581dc60..2899def23865f 100644
+--- a/net/rds/send.c
++++ b/net/rds/send.c
+@@ -1313,12 +1313,8 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
+       /* Parse any control messages the user may have included. */
+       ret = rds_cmsg_send(rs, rm, msg, &allocated_mr, &vct);
+-      if (ret) {
+-              /* Trigger connection so that its ready for the next retry */
+-              if (ret ==  -EAGAIN)
+-                      rds_conn_connect_if_down(conn);
++      if (ret)
+               goto out;
+-      }
+       if (rm->rdma.op_active && !conn->c_trans->xmit_rdma) {
+               printk_ratelimited(KERN_NOTICE "rdma_op %p conn xmit_rdma %p\n",
+-- 
+2.43.0
+
diff --git a/queue-6.7/net-sparx5-fix-use-after-free-inside-sparx5_del_mact.patch b/queue-6.7/net-sparx5-fix-use-after-free-inside-sparx5_del_mact.patch
new file mode 100644 (file)
index 0000000..105c81c
--- /dev/null
@@ -0,0 +1,46 @@
+From 1baba682df91ba355195a7e8e66e737c60f62dcb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Mar 2024 09:06:08 +0100
+Subject: net: sparx5: Fix use after free inside sparx5_del_mact_entry
+
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+
+[ Upstream commit 89d72d4125e94aa3c2140fedd97ce07ba9e37674 ]
+
+Based on the static analyzis of the code it looks like when an entry
+from the MAC table was removed, the entry was still used after being
+freed. More precise the vid of the mac_entry was used after calling
+devm_kfree on the mac_entry.
+The fix consists in first using the vid of the mac_entry to delete the
+entry from the HW and after that to free it.
+
+Fixes: b37a1bae742f ("net: sparx5: add mactable support")
+Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20240301080608.3053468-1-horatiu.vultur@microchip.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c b/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c
+index 4af285918ea2a..75868b3f548ec 100644
+--- a/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c
++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c
+@@ -347,10 +347,10 @@ int sparx5_del_mact_entry(struct sparx5 *sparx5,
+                                list) {
+               if ((vid == 0 || mact_entry->vid == vid) &&
+                   ether_addr_equal(addr, mact_entry->mac)) {
++                      sparx5_mact_forget(sparx5, addr, mact_entry->vid);
++
+                       list_del(&mact_entry->list);
+                       devm_kfree(sparx5->dev, mact_entry);
+-
+-                      sparx5_mact_forget(sparx5, addr, mact_entry->vid);
+               }
+       }
+       mutex_unlock(&sparx5->mact_lock);
+-- 
+2.43.0
+
diff --git a/queue-6.7/netfilter-nf_conntrack_h323-add-protection-for-bmp-l.patch b/queue-6.7/netfilter-nf_conntrack_h323-add-protection-for-bmp-l.patch
new file mode 100644 (file)
index 0000000..bead5e5
--- /dev/null
@@ -0,0 +1,71 @@
+From b7b945e9c0710ed88b8afcf8e83e471a52a864f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Mar 2024 11:38:55 +0000
+Subject: netfilter: nf_conntrack_h323: Add protection for bmp length out of
+ range
+
+From: Lena Wang <lena.wang@mediatek.com>
+
+[ Upstream commit 767146637efc528b5e3d31297df115e85a2fd362 ]
+
+UBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts
+that are out of bounds for their data type.
+
+vmlinux   get_bitmap(b=75) + 712
+<net/netfilter/nf_conntrack_h323_asn1.c:0>
+vmlinux   decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018, level=134443100) + 1956
+<net/netfilter/nf_conntrack_h323_asn1.c:592>
+vmlinux   decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216
+<net/netfilter/nf_conntrack_h323_asn1.c:814>
+vmlinux   decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812
+<net/netfilter/nf_conntrack_h323_asn1.c:576>
+vmlinux   decode_choice(base=0xFFFFFFD008037280, level=0) + 1216
+<net/netfilter/nf_conntrack_h323_asn1.c:814>
+vmlinux   DecodeRasMessage() + 304
+<net/netfilter/nf_conntrack_h323_asn1.c:833>
+vmlinux   ras_help() + 684
+<net/netfilter/nf_conntrack_h323_main.c:1728>
+vmlinux   nf_confirm() + 188
+<net/netfilter/nf_conntrack_proto.c:137>
+
+Due to abnormal data in skb->data, the extension bitmap length
+exceeds 32 when decoding ras message then uses the length to make
+a shift operation. It will change into negative after several loop.
+UBSAN load could detect a negative shift as an undefined behaviour
+and reports exception.
+So we add the protection to avoid the length exceeding 32. Or else
+it will return out of range error and stop decoding.
+
+Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
+Signed-off-by: Lena Wang <lena.wang@mediatek.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_h323_asn1.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
+index e697a824b0018..540d97715bd23 100644
+--- a/net/netfilter/nf_conntrack_h323_asn1.c
++++ b/net/netfilter/nf_conntrack_h323_asn1.c
+@@ -533,6 +533,8 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f,
+       /* Get fields bitmap */
+       if (nf_h323_error_boundary(bs, 0, f->sz))
+               return H323_ERROR_BOUND;
++      if (f->sz > 32)
++              return H323_ERROR_RANGE;
+       bmp = get_bitmap(bs, f->sz);
+       if (base)
+               *(unsigned int *)base = bmp;
+@@ -589,6 +591,8 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f,
+       bmp2_len = get_bits(bs, 7) + 1;
+       if (nf_h323_error_boundary(bs, 0, bmp2_len))
+               return H323_ERROR_BOUND;
++      if (bmp2_len > 32)
++              return H323_ERROR_RANGE;
+       bmp2 = get_bitmap(bs, bmp2_len);
+       bmp |= bmp2 >> f->sz;
+       if (base)
+-- 
+2.43.0
+
diff --git a/queue-6.7/netfilter-nft_ct-fix-l3num-expectations-with-inet-ps.patch b/queue-6.7/netfilter-nft_ct-fix-l3num-expectations-with-inet-ps.patch
new file mode 100644 (file)
index 0000000..7dac372
--- /dev/null
@@ -0,0 +1,62 @@
+From 38ecdf389a4179141e1b4953381b8e75af164461 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Mar 2024 13:38:15 +0100
+Subject: netfilter: nft_ct: fix l3num expectations with inet pseudo family
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 99993789966a6eb4f1295193dc543686899892d3 ]
+
+Following is rejected but should be allowed:
+
+table inet t {
+        ct expectation exp1 {
+                [..]
+                l3proto ip
+
+Valid combos are:
+table ip t, l3proto ip
+table ip6 t, l3proto ip6
+table inet t, l3proto ip OR l3proto ip6
+
+Disallow inet pseudeo family, the l3num must be a on-wire protocol known
+to conntrack.
+
+Retain NFPROTO_INET case to make it clear its rejected
+intentionally rather as oversight.
+
+Fixes: 8059918a1377 ("netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_ct.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
+index bfd3e5a14dab6..255640013ab84 100644
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -1256,14 +1256,13 @@ static int nft_ct_expect_obj_init(const struct nft_ctx *ctx,
+       switch (priv->l3num) {
+       case NFPROTO_IPV4:
+       case NFPROTO_IPV6:
+-              if (priv->l3num != ctx->family)
+-                      return -EINVAL;
++              if (priv->l3num == ctx->family || ctx->family == NFPROTO_INET)
++                      break;
+-              fallthrough;
+-      case NFPROTO_INET:
+-              break;
++              return -EINVAL;
++      case NFPROTO_INET: /* tuple.src.l3num supports NFPROTO_IPV4/6 only */
+       default:
+-              return -EOPNOTSUPP;
++              return -EAFNOSUPPORT;
+       }
+       priv->l4proto = nla_get_u8(tb[NFTA_CT_EXPECT_L4PROTO]);
+-- 
+2.43.0
+
diff --git a/queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_default_.patch b/queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_default_.patch
new file mode 100644 (file)
index 0000000..eb07227
--- /dev/null
@@ -0,0 +1,36 @@
+From 231fe0faba60538b324f2775edf07cb4fb48861b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:20:35 +0800
+Subject: netrom: Fix a data-race around sysctl_netrom_default_path_quality
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit 958d6145a6d9ba9e075c921aead8753fb91c9101 ]
+
+We need to protect the reader reading sysctl_netrom_default_path_quality
+because the value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/nr_route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c
+index baea3cbd76ca5..6f709fdffc11f 100644
+--- a/net/netrom/nr_route.c
++++ b/net/netrom/nr_route.c
+@@ -153,7 +153,7 @@ static int __must_check nr_add_node(ax25_address *nr, const char *mnemonic,
+               nr_neigh->digipeat = NULL;
+               nr_neigh->ax25     = NULL;
+               nr_neigh->dev      = dev;
+-              nr_neigh->quality  = sysctl_netrom_default_path_quality;
++              nr_neigh->quality  = READ_ONCE(sysctl_netrom_default_path_quality);
+               nr_neigh->locked   = 0;
+               nr_neigh->count    = 0;
+               nr_neigh->number   = nr_neigh_no++;
+-- 
+2.43.0
+
diff --git a/queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_link_fai.patch b/queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_link_fai.patch
new file mode 100644 (file)
index 0000000..1c6e177
--- /dev/null
@@ -0,0 +1,36 @@
+From a67fe576222ec374952c25ce460a5df3841a003c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:20:45 +0800
+Subject: netrom: Fix a data-race around sysctl_netrom_link_fails_count
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit bc76645ebdd01be9b9994dac39685a3d0f6f7985 ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/nr_route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c
+index 89e12e6eea2ef..70480869ad1c5 100644
+--- a/net/netrom/nr_route.c
++++ b/net/netrom/nr_route.c
+@@ -728,7 +728,7 @@ void nr_link_failed(ax25_cb *ax25, int reason)
+       nr_neigh->ax25 = NULL;
+       ax25_cb_put(ax25);
+-      if (++nr_neigh->failed < sysctl_netrom_link_fails_count) {
++      if (++nr_neigh->failed < READ_ONCE(sysctl_netrom_link_fails_count)) {
+               nr_neigh_put(nr_neigh);
+               return;
+       }
+-- 
+2.43.0
+
diff --git a/queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_obsolesc.patch b/queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_obsolesc.patch
new file mode 100644 (file)
index 0000000..e69ca1e
--- /dev/null
@@ -0,0 +1,37 @@
+From b37907ea4440b11bac31b0bd553380ecb72098c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:20:36 +0800
+Subject: netrom: Fix a data-race around
+ sysctl_netrom_obsolescence_count_initialiser
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit cfd9f4a740f772298308b2e6070d2c744fb5cf79 ]
+
+We need to protect the reader reading the sysctl value
+because the value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/nr_route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c
+index 6f709fdffc11f..b8ddd8048f352 100644
+--- a/net/netrom/nr_route.c
++++ b/net/netrom/nr_route.c
+@@ -766,7 +766,7 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25)
+       if (ax25 != NULL) {
+               ret = nr_add_node(nr_src, "", &ax25->dest_addr, ax25->digipeat,
+                                 ax25->ax25_dev->dev, 0,
+-                                sysctl_netrom_obsolescence_count_initialiser);
++                                READ_ONCE(sysctl_netrom_obsolescence_count_initialiser));
+               if (ret)
+                       return ret;
+       }
+-- 
+2.43.0
+
diff --git a/queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_routing_.patch b/queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_routing_.patch
new file mode 100644 (file)
index 0000000..84805f9
--- /dev/null
@@ -0,0 +1,36 @@
+From 38e3276aeb02e26bbf4e3b3c88a4d91f6ec46da6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:20:44 +0800
+Subject: netrom: Fix a data-race around sysctl_netrom_routing_control
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit b5dffcb8f71bdd02a4e5799985b51b12f4eeaf76 ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/nr_route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c
+index b8ddd8048f352..89e12e6eea2ef 100644
+--- a/net/netrom/nr_route.c
++++ b/net/netrom/nr_route.c
+@@ -780,7 +780,7 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25)
+               return ret;
+       }
+-      if (!sysctl_netrom_routing_control && ax25 != NULL)
++      if (!READ_ONCE(sysctl_netrom_routing_control) && ax25 != NULL)
+               return 0;
+       /* Its Time-To-Live has expired */
+-- 
+2.43.0
+
diff --git a/queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch b/queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch
new file mode 100644 (file)
index 0000000..7bd3caa
--- /dev/null
@@ -0,0 +1,36 @@
+From ce770e17aa646e3e4ef856065abab092455c7a0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:20:38 +0800
+Subject: netrom: Fix a data-race around sysctl_netrom_transport_timeout
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit 60a7a152abd494ed4f69098cf0f322e6bb140612 ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/af_netrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index 0eed00184adf4..4d0e0834d527b 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -453,7 +453,7 @@ static int nr_create(struct net *net, struct socket *sock, int protocol,
+       nr_init_timers(sk);
+       nr->t1     =
+-              msecs_to_jiffies(sysctl_netrom_transport_timeout);
++              msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_timeout));
+       nr->t2     =
+               msecs_to_jiffies(sysctl_netrom_transport_acknowledge_delay);
+       nr->n2     =
+-- 
+2.43.0
+
diff --git a/queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-14703 b/queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-14703
new file mode 100644 (file)
index 0000000..1ff9640
--- /dev/null
@@ -0,0 +1,36 @@
+From d5b25cba9e15eb8f940e24f15f139f3335d2d5ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:20:39 +0800
+Subject: netrom: Fix a data-race around sysctl_netrom_transport_maximum_tries
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit e799299aafed417cc1f32adccb2a0e5268b3f6d5 ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/af_netrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index 4d0e0834d527b..312fc745db7ff 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -457,7 +457,7 @@ static int nr_create(struct net *net, struct socket *sock, int protocol,
+       nr->t2     =
+               msecs_to_jiffies(sysctl_netrom_transport_acknowledge_delay);
+       nr->n2     =
+-              msecs_to_jiffies(sysctl_netrom_transport_maximum_tries);
++              msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_maximum_tries));
+       nr->t4     =
+               msecs_to_jiffies(sysctl_netrom_transport_busy_delay);
+       nr->idle   =
+-- 
+2.43.0
+
diff --git a/queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-19245 b/queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-19245
new file mode 100644 (file)
index 0000000..5e5959d
--- /dev/null
@@ -0,0 +1,37 @@
+From dfa81ea8bedf5816090ff2cf28af14cbf821c99b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:20:42 +0800
+Subject: netrom: Fix a data-race around
+ sysctl_netrom_transport_requested_window_size
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit a2e706841488f474c06e9b33f71afc947fb3bf56 ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/af_netrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index 10eee02ef99ed..e65418fb9d882 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -462,7 +462,7 @@ static int nr_create(struct net *net, struct socket *sock, int protocol,
+               msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_busy_delay));
+       nr->idle   =
+               msecs_to_jiffies(sysctl_netrom_transport_no_activity_timeout);
+-      nr->window = sysctl_netrom_transport_requested_window_size;
++      nr->window = READ_ONCE(sysctl_netrom_transport_requested_window_size);
+       nr->bpqext = 1;
+       nr->state  = NR_STATE_0;
+-- 
+2.43.0
+
diff --git a/queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-19389 b/queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-19389
new file mode 100644 (file)
index 0000000..3a2f5a1
--- /dev/null
@@ -0,0 +1,37 @@
+From 5e002f7597baca2e6b2debd471b71ddb809c9f24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:20:40 +0800
+Subject: netrom: Fix a data-race around
+ sysctl_netrom_transport_acknowledge_delay
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit 806f462ba9029d41aadf8ec93f2f99c5305deada ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/af_netrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index 312fc745db7ff..8ada0da3c0e08 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -455,7 +455,7 @@ static int nr_create(struct net *net, struct socket *sock, int protocol,
+       nr->t1     =
+               msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_timeout));
+       nr->t2     =
+-              msecs_to_jiffies(sysctl_netrom_transport_acknowledge_delay);
++              msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_acknowledge_delay));
+       nr->n2     =
+               msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_maximum_tries));
+       nr->t4     =
+-- 
+2.43.0
+
diff --git a/queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-24045 b/queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-24045
new file mode 100644 (file)
index 0000000..4829186
--- /dev/null
@@ -0,0 +1,36 @@
+From bb96e97f483d7314e5a00924ed8c517489068057 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:20:41 +0800
+Subject: netrom: Fix a data-race around sysctl_netrom_transport_busy_delay
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit 43547d8699439a67b78d6bb39015113f7aa360fd ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/af_netrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index 8ada0da3c0e08..10eee02ef99ed 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -459,7 +459,7 @@ static int nr_create(struct net *net, struct socket *sock, int protocol,
+       nr->n2     =
+               msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_maximum_tries));
+       nr->t4     =
+-              msecs_to_jiffies(sysctl_netrom_transport_busy_delay);
++              msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_busy_delay));
+       nr->idle   =
+               msecs_to_jiffies(sysctl_netrom_transport_no_activity_timeout);
+       nr->window = sysctl_netrom_transport_requested_window_size;
+-- 
+2.43.0
+
diff --git a/queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-8430 b/queue-6.7/netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-8430
new file mode 100644 (file)
index 0000000..d1f4dad
--- /dev/null
@@ -0,0 +1,37 @@
+From b0f2fb0ec3eb8991aabe712fadf652ff761e2d72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:20:43 +0800
+Subject: netrom: Fix a data-race around
+ sysctl_netrom_transport_no_activity_timeout
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit f99b494b40431f0ca416859f2345746199398e2b ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/af_netrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index e65418fb9d882..1671be042ffef 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -461,7 +461,7 @@ static int nr_create(struct net *net, struct socket *sock, int protocol,
+       nr->t4     =
+               msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_busy_delay));
+       nr->idle   =
+-              msecs_to_jiffies(sysctl_netrom_transport_no_activity_timeout);
++              msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_no_activity_timeout));
+       nr->window = READ_ONCE(sysctl_netrom_transport_requested_window_size);
+       nr->bpqext = 1;
+-- 
+2.43.0
+
diff --git a/queue-6.7/netrom-fix-data-races-around-sysctl_net_busy_read.patch b/queue-6.7/netrom-fix-data-races-around-sysctl_net_busy_read.patch
new file mode 100644 (file)
index 0000000..bc834e2
--- /dev/null
@@ -0,0 +1,68 @@
+From 9a6fb46087221f616bd451dc96b8326399ec69fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:20:46 +0800
+Subject: netrom: Fix data-races around sysctl_net_busy_read
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit d380ce70058a4ccddc3e5f5c2063165dc07672c6 ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/af_netrom.c | 2 +-
+ net/netrom/nr_in.c     | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index 1671be042ffef..104a80b75477f 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -954,7 +954,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
+                * G8PZT's Xrouter which is sending packets with command type 7
+                * as an extension of the protocol.
+                */
+-              if (sysctl_netrom_reset_circuit &&
++              if (READ_ONCE(sysctl_netrom_reset_circuit) &&
+                   (frametype != NR_RESET || flags != 0))
+                       nr_transmit_reset(skb, 1);
+diff --git a/net/netrom/nr_in.c b/net/netrom/nr_in.c
+index 2f084b6f69d7e..97944db6b5ac6 100644
+--- a/net/netrom/nr_in.c
++++ b/net/netrom/nr_in.c
+@@ -97,7 +97,7 @@ static int nr_state1_machine(struct sock *sk, struct sk_buff *skb,
+               break;
+       case NR_RESET:
+-              if (sysctl_netrom_reset_circuit)
++              if (READ_ONCE(sysctl_netrom_reset_circuit))
+                       nr_disconnect(sk, ECONNRESET);
+               break;
+@@ -128,7 +128,7 @@ static int nr_state2_machine(struct sock *sk, struct sk_buff *skb,
+               break;
+       case NR_RESET:
+-              if (sysctl_netrom_reset_circuit)
++              if (READ_ONCE(sysctl_netrom_reset_circuit))
+                       nr_disconnect(sk, ECONNRESET);
+               break;
+@@ -262,7 +262,7 @@ static int nr_state3_machine(struct sock *sk, struct sk_buff *skb, int frametype
+               break;
+       case NR_RESET:
+-              if (sysctl_netrom_reset_circuit)
++              if (READ_ONCE(sysctl_netrom_reset_circuit))
+                       nr_disconnect(sk, ECONNRESET);
+               break;
+-- 
+2.43.0
+
diff --git a/queue-6.7/netrom-fix-data-races-around-sysctl_netrom_network_t.patch b/queue-6.7/netrom-fix-data-races-around-sysctl_netrom_network_t.patch
new file mode 100644 (file)
index 0000000..c8e84a0
--- /dev/null
@@ -0,0 +1,74 @@
+From f14cc1db8087dee7cb21f0fa0c8191460e81541b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:20:37 +0800
+Subject: netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit 119cae5ea3f9e35cdada8e572cc067f072fa825a ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/nr_dev.c  | 2 +-
+ net/netrom/nr_out.c  | 2 +-
+ net/netrom/nr_subr.c | 5 +++--
+ 3 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/net/netrom/nr_dev.c b/net/netrom/nr_dev.c
+index 3aaac4a22b387..2c34389c3ce6f 100644
+--- a/net/netrom/nr_dev.c
++++ b/net/netrom/nr_dev.c
+@@ -81,7 +81,7 @@ static int nr_header(struct sk_buff *skb, struct net_device *dev,
+       buff[6] |= AX25_SSSID_SPARE;
+       buff    += AX25_ADDR_LEN;
+-      *buff++ = sysctl_netrom_network_ttl_initialiser;
++      *buff++ = READ_ONCE(sysctl_netrom_network_ttl_initialiser);
+       *buff++ = NR_PROTO_IP;
+       *buff++ = NR_PROTO_IP;
+diff --git a/net/netrom/nr_out.c b/net/netrom/nr_out.c
+index 44929657f5b71..5e531394a724b 100644
+--- a/net/netrom/nr_out.c
++++ b/net/netrom/nr_out.c
+@@ -204,7 +204,7 @@ void nr_transmit_buffer(struct sock *sk, struct sk_buff *skb)
+       dptr[6] |= AX25_SSSID_SPARE;
+       dptr += AX25_ADDR_LEN;
+-      *dptr++ = sysctl_netrom_network_ttl_initialiser;
++      *dptr++ = READ_ONCE(sysctl_netrom_network_ttl_initialiser);
+       if (!nr_route_frame(skb, NULL)) {
+               kfree_skb(skb);
+diff --git a/net/netrom/nr_subr.c b/net/netrom/nr_subr.c
+index e2d2af924cff4..c3bbd5880850b 100644
+--- a/net/netrom/nr_subr.c
++++ b/net/netrom/nr_subr.c
+@@ -182,7 +182,8 @@ void nr_write_internal(struct sock *sk, int frametype)
+               *dptr++ = nr->my_id;
+               *dptr++ = frametype;
+               *dptr++ = nr->window;
+-              if (nr->bpqext) *dptr++ = sysctl_netrom_network_ttl_initialiser;
++              if (nr->bpqext)
++                      *dptr++ = READ_ONCE(sysctl_netrom_network_ttl_initialiser);
+               break;
+       case NR_DISCREQ:
+@@ -236,7 +237,7 @@ void __nr_transmit_reply(struct sk_buff *skb, int mine, unsigned char cmdflags)
+       dptr[6] |= AX25_SSSID_SPARE;
+       dptr += AX25_ADDR_LEN;
+-      *dptr++ = sysctl_netrom_network_ttl_initialiser;
++      *dptr++ = READ_ONCE(sysctl_netrom_network_ttl_initialiser);
+       if (mine) {
+               *dptr++ = 0;
+-- 
+2.43.0
+
diff --git a/queue-6.7/revert-net-mlx5-block-entering-switchdev-mode-with-n.patch b/queue-6.7/revert-net-mlx5-block-entering-switchdev-mode-with-n.patch
new file mode 100644 (file)
index 0000000..3d0ca23
--- /dev/null
@@ -0,0 +1,67 @@
+From c04dd2fa27e7d6ef233fed0967193158c45e93e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Oct 2023 04:49:54 +0300
+Subject: Revert "net/mlx5: Block entering switchdev mode with ns
+ inconsistency"
+
+From: Gavin Li <gavinl@nvidia.com>
+
+[ Upstream commit 8deeefb24786ea7950b37bde4516b286c877db00 ]
+
+This reverts commit 662404b24a4c4d839839ed25e3097571f5938b9b.
+The revert is required due to the suspicion it is not good for anything
+and cause crash.
+
+Fixes: 662404b24a4c ("net/mlx5e: Block entering switchdev mode with ns inconsistency")
+Signed-off-by: Gavin Li <gavinl@nvidia.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mellanox/mlx5/core/eswitch_offloads.c     | 23 -------------------
+ 1 file changed, 23 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+index b0455134c98ef..14b3bd3c5e2f7 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+@@ -3658,22 +3658,6 @@ static int esw_inline_mode_to_devlink(u8 mlx5_mode, u8 *mode)
+       return 0;
+ }
+-static bool esw_offloads_devlink_ns_eq_netdev_ns(struct devlink *devlink)
+-{
+-      struct mlx5_core_dev *dev = devlink_priv(devlink);
+-      struct net *devl_net, *netdev_net;
+-      bool ret = false;
+-
+-      mutex_lock(&dev->mlx5e_res.uplink_netdev_lock);
+-      if (dev->mlx5e_res.uplink_netdev) {
+-              netdev_net = dev_net(dev->mlx5e_res.uplink_netdev);
+-              devl_net = devlink_net(devlink);
+-              ret = net_eq(devl_net, netdev_net);
+-      }
+-      mutex_unlock(&dev->mlx5e_res.uplink_netdev_lock);
+-      return ret;
+-}
+-
+ int mlx5_eswitch_block_mode(struct mlx5_core_dev *dev)
+ {
+       struct mlx5_eswitch *esw = dev->priv.eswitch;
+@@ -3718,13 +3702,6 @@ int mlx5_devlink_eswitch_mode_set(struct devlink *devlink, u16 mode,
+       if (esw_mode_from_devlink(mode, &mlx5_mode))
+               return -EINVAL;
+-      if (mode == DEVLINK_ESWITCH_MODE_SWITCHDEV &&
+-          !esw_offloads_devlink_ns_eq_netdev_ns(devlink)) {
+-              NL_SET_ERR_MSG_MOD(extack,
+-                                 "Can't change E-Switch mode to switchdev when netdev net namespace has diverged from the devlink's.");
+-              return -EPERM;
+-      }
+-
+       mlx5_lag_disable_change(esw->dev);
+       err = mlx5_esw_try_lock(esw);
+       if (err < 0) {
+-- 
+2.43.0
+
diff --git a/queue-6.7/revert-net-mlx5e-check-the-number-of-elements-before.patch b/queue-6.7/revert-net-mlx5e-check-the-number-of-elements-before.patch
new file mode 100644 (file)
index 0000000..bcb5389
--- /dev/null
@@ -0,0 +1,37 @@
+From 776b37d1583a1cafb65b2ae0bdaf9e06a5edff59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Dec 2023 17:07:08 -0800
+Subject: Revert "net/mlx5e: Check the number of elements before walk TC
+ rhashtable"
+
+From: Saeed Mahameed <saeedm@nvidia.com>
+
+[ Upstream commit b7bbd698c90591546d22093181e266785f08c18b ]
+
+This reverts commit 4e25b661f484df54b6751b65f9ea2434a3b67539.
+
+This Commit was mistakenly applied by pulling the wrong tag, remove it.
+
+Fixes: 4e25b661f484 ("net/mlx5e: Check the number of elements before walk TC rhashtable")
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c
+index 190f10aba1702..5a0047bdcb510 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c
+@@ -152,7 +152,7 @@ void mlx5_esw_ipsec_restore_dest_uplink(struct mlx5_core_dev *mdev)
+       xa_for_each(&esw->offloads.vport_reps, i, rep) {
+               rpriv = rep->rep_data[REP_ETH].priv;
+-              if (!rpriv || !rpriv->netdev || !atomic_read(&rpriv->tc_ht.nelems))
++              if (!rpriv || !rpriv->netdev)
+                       continue;
+               rhashtable_walk_enter(&rpriv->tc_ht, &iter);
+-- 
+2.43.0
+
diff --git a/queue-6.7/selftests-bpf-fix-up-xdp-bonding-test-wrt-feature-fl.patch b/queue-6.7/selftests-bpf-fix-up-xdp-bonding-test-wrt-feature-fl.patch
new file mode 100644 (file)
index 0000000..5ccb5e3
--- /dev/null
@@ -0,0 +1,71 @@
+From 8ae27a29170c08031359c3e6cfbc8d9eb5a2b65c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Mar 2024 10:08:29 +0100
+Subject: selftests/bpf: Fix up xdp bonding test wrt feature flags
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 0bfc0336e1348883fdab4689f0c8c56458f36dd8 ]
+
+Adjust the XDP feature flags for the bond device when no bond slave
+devices are attached. After 9b0ed890ac2a ("bonding: do not report
+NETDEV_XDP_ACT_XSK_ZEROCOPY"), the empty bond device must report 0
+as flags instead of NETDEV_XDP_ACT_MASK.
+
+  # ./vmtest.sh -- ./test_progs -t xdp_bond
+  [...]
+  [    3.983311] bond1 (unregistering): (slave veth1_1): Releasing backup interface
+  [    3.995434] bond1 (unregistering): Released all slaves
+  [    4.022311] bond2: (slave veth2_1): Releasing backup interface
+  #507/1   xdp_bonding/xdp_bonding_attach:OK
+  #507/2   xdp_bonding/xdp_bonding_nested:OK
+  #507/3   xdp_bonding/xdp_bonding_features:OK
+  #507/4   xdp_bonding/xdp_bonding_roundrobin:OK
+  #507/5   xdp_bonding/xdp_bonding_activebackup:OK
+  #507/6   xdp_bonding/xdp_bonding_xor_layer2:OK
+  #507/7   xdp_bonding/xdp_bonding_xor_layer23:OK
+  #507/8   xdp_bonding/xdp_bonding_xor_layer34:OK
+  #507/9   xdp_bonding/xdp_bonding_redirect_multi:OK
+  #507     xdp_bonding:OK
+  Summary: 1/9 PASSED, 0 SKIPPED, 0 FAILED
+  [    4.185255] bond2 (unregistering): Released all slaves
+  [...]
+
+Fixes: 9b0ed890ac2a ("bonding: do not report NETDEV_XDP_ACT_XSK_ZEROCOPY")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Message-ID: <20240305090829.17131-2-daniel@iogearbox.net>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/xdp_bonding.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/xdp_bonding.c b/tools/testing/selftests/bpf/prog_tests/xdp_bonding.c
+index c3b45745cbccd..6d8b54124cb35 100644
+--- a/tools/testing/selftests/bpf/prog_tests/xdp_bonding.c
++++ b/tools/testing/selftests/bpf/prog_tests/xdp_bonding.c
+@@ -511,7 +511,7 @@ static void test_xdp_bonding_features(struct skeletons *skeletons)
+       if (!ASSERT_OK(err, "bond bpf_xdp_query"))
+               goto out;
+-      if (!ASSERT_EQ(query_opts.feature_flags, NETDEV_XDP_ACT_MASK,
++      if (!ASSERT_EQ(query_opts.feature_flags, 0,
+                      "bond query_opts.feature_flags"))
+               goto out;
+@@ -601,7 +601,7 @@ static void test_xdp_bonding_features(struct skeletons *skeletons)
+       if (!ASSERT_OK(err, "bond bpf_xdp_query"))
+               goto out;
+-      ASSERT_EQ(query_opts.feature_flags, NETDEV_XDP_ACT_MASK,
++      ASSERT_EQ(query_opts.feature_flags, 0,
+                 "bond query_opts.feature_flags");
+ out:
+       bpf_link__destroy(link);
+-- 
+2.43.0
+
index 6b07d27fa29fb5fed523e854f66d978811187ff6..7e1815c38b093e697983a510113f97dadda3e2c9 100644 (file)
@@ -6,3 +6,51 @@ soc-qcom-pmic_glink_altmode-fix-drm-bridge-use-after.patch
 dt-bindings-dma-fsl-edma-add-fsl-edma.h-to-prevent-h.patch
 dmaengine-fsl-edma-utilize-common-dt-binding-header-.patch
 dmaengine-fsl-edma-correct-max_segment_size-setting.patch
+xfrm-clear-low-order-bits-of-flowi4_tos-in-decode_se.patch
+xfrm-pass-udp-encapsulation-in-tx-packet-offload.patch
+net-lan78xx-fix-runtime-pm-count-underflow-on-link-s.patch
+ixgbe-dis-en-able-irqs-in-ixgbe_txrx_ring_-dis-en-ab.patch
+i40e-disable-napi-right-after-disabling-irqs-when-ha.patch
+ice-reorder-disabling-irq-and-napi-in-ice_qp_dis.patch
+ice-replace-ice_vf_recreate_vsi-with-ice_vf_reconfig.patch
+ice-reconfig-host-after-changing-msi-x-on-vf.patch
+revert-net-mlx5-block-entering-switchdev-mode-with-n.patch
+revert-net-mlx5e-check-the-number-of-elements-before.patch
+net-mlx5-e-switch-change-flow-rule-destination-check.patch
+net-mlx5-fix-fw-reporter-diagnose-output.patch
+net-mlx5-check-capability-for-fw_reset.patch
+net-mlx5e-change-the-warning-when-ignore_flow_level-.patch
+net-mlx5e-fix-macsec-state-loss-upon-state-update-in.patch
+net-mlx5e-use-a-memory-barrier-to-enforce-ptp-wq-xmi.patch
+net-mlx5e-switch-to-using-_bh-variant-of-of-spinlock.patch
+tracing-net_sched-fix-tracepoints-that-save-qdisc_de.patch
+geneve-make-sure-to-pull-inner-header-in-geneve_rx.patch
+net-sparx5-fix-use-after-free-inside-sparx5_del_mact.patch
+idpf-disable-local-bh-when-scheduling-napi-for-marke.patch
+ice-virtchnl-stop-pretending-to-support-rss-over-aq-.patch
+net-ice-fix-potential-null-pointer-dereference-in-ic.patch
+ice-fix-uninitialized-dplls-mutex-usage.patch
+igc-avoid-returning-frame-twice-in-xdp_redirect.patch
+net-ipv6-avoid-possible-uaf-in-ip6_route_mpath_notif.patch
+bpf-check-bpf_func_state-callback_depth-when-pruning.patch
+xdp-bonding-fix-feature-flags-when-there-are-no-slav.patch
+selftests-bpf-fix-up-xdp-bonding-test-wrt-feature-fl.patch
+cpumap-zero-initialise-xdp_rxq_info-struct-before-ru.patch
+net-dsa-microchip-fix-register-write-order-in-ksz8_i.patch
+net-rds-fix-warning-in-rds_conn_connect_if_down.patch
+netfilter-nft_ct-fix-l3num-expectations-with-inet-ps.patch
+netfilter-nf_conntrack_h323-add-protection-for-bmp-l.patch
+erofs-apply-proper-vma-alignment-for-memory-mapped-f.patch
+netrom-fix-a-data-race-around-sysctl_netrom_default_.patch
+netrom-fix-a-data-race-around-sysctl_netrom_obsolesc.patch
+netrom-fix-data-races-around-sysctl_netrom_network_t.patch
+netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch
+netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-14703
+netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-19389
+netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-24045
+netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-19245
+netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-8430
+netrom-fix-a-data-race-around-sysctl_netrom_routing_.patch
+netrom-fix-a-data-race-around-sysctl_netrom_link_fai.patch
+netrom-fix-data-races-around-sysctl_net_busy_read.patch
+net-pds_core-fix-possible-double-free-in-error-handl.patch
diff --git a/queue-6.7/tracing-net_sched-fix-tracepoints-that-save-qdisc_de.patch b/queue-6.7/tracing-net_sched-fix-tracepoints-that-save-qdisc_de.patch
new file mode 100644 (file)
index 0000000..b26dee1
--- /dev/null
@@ -0,0 +1,92 @@
+From 43b3fc090ec435352fde617f0583632af7dac6d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Feb 2024 14:34:44 -0500
+Subject: tracing/net_sched: Fix tracepoints that save qdisc_dev() as a string
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Steven Rostedt (Google) <rostedt@goodmis.org>
+
+[ Upstream commit 51270d573a8d9dd5afdc7934de97d66c0e14b5fd ]
+
+I'm updating __assign_str() and will be removing the second parameter. To
+make sure that it does not break anything, I make sure that it matches the
+__string() field, as that is where the string is actually going to be
+saved in. To make sure there's nothing that breaks, I added a WARN_ON() to
+make sure that what was used in __string() is the same that is used in
+__assign_str().
+
+In doing this change, an error was triggered as __assign_str() now expects
+the string passed in to be a char * value. I instead had the following
+warning:
+
+include/trace/events/qdisc.h: In function ‘trace_event_raw_event_qdisc_reset’:
+include/trace/events/qdisc.h:91:35: error: passing argument 1 of 'strcmp' from incompatible pointer type [-Werror=incompatible-pointer-types]
+   91 |                 __assign_str(dev, qdisc_dev(q));
+
+That's because the qdisc_enqueue() and qdisc_reset() pass in qdisc_dev(q)
+to __assign_str() and to __string(). But that function returns a pointer
+to struct net_device and not a string.
+
+It appears that these events are just saving the pointer as a string and
+then reading it as a string as well.
+
+Use qdisc_dev(q)->name to save the device instead.
+
+Fixes: a34dac0b90552 ("net_sched: add tracepoints for qdisc_reset() and qdisc_destroy()")
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/qdisc.h | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/include/trace/events/qdisc.h b/include/trace/events/qdisc.h
+index a3995925cb057..1f4258308b967 100644
+--- a/include/trace/events/qdisc.h
++++ b/include/trace/events/qdisc.h
+@@ -81,14 +81,14 @@ TRACE_EVENT(qdisc_reset,
+       TP_ARGS(q),
+       TP_STRUCT__entry(
+-              __string(       dev,            qdisc_dev(q)    )
+-              __string(       kind,           q->ops->id      )
+-              __field(        u32,            parent          )
+-              __field(        u32,            handle          )
++              __string(       dev,            qdisc_dev(q)->name      )
++              __string(       kind,           q->ops->id              )
++              __field(        u32,            parent                  )
++              __field(        u32,            handle                  )
+       ),
+       TP_fast_assign(
+-              __assign_str(dev, qdisc_dev(q));
++              __assign_str(dev, qdisc_dev(q)->name);
+               __assign_str(kind, q->ops->id);
+               __entry->parent = q->parent;
+               __entry->handle = q->handle;
+@@ -106,14 +106,14 @@ TRACE_EVENT(qdisc_destroy,
+       TP_ARGS(q),
+       TP_STRUCT__entry(
+-              __string(       dev,            qdisc_dev(q)    )
+-              __string(       kind,           q->ops->id      )
+-              __field(        u32,            parent          )
+-              __field(        u32,            handle          )
++              __string(       dev,            qdisc_dev(q)->name      )
++              __string(       kind,           q->ops->id              )
++              __field(        u32,            parent                  )
++              __field(        u32,            handle                  )
+       ),
+       TP_fast_assign(
+-              __assign_str(dev, qdisc_dev(q));
++              __assign_str(dev, qdisc_dev(q)->name);
+               __assign_str(kind, q->ops->id);
+               __entry->parent = q->parent;
+               __entry->handle = q->handle;
+-- 
+2.43.0
+
diff --git a/queue-6.7/xdp-bonding-fix-feature-flags-when-there-are-no-slav.patch b/queue-6.7/xdp-bonding-fix-feature-flags-when-there-are-no-slav.patch
new file mode 100644 (file)
index 0000000..e66fb36
--- /dev/null
@@ -0,0 +1,60 @@
+From 822e696a3853d19db35d8337a39aca3874f2196a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Mar 2024 10:08:28 +0100
+Subject: xdp, bonding: Fix feature flags when there are no slave devs anymore
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit f267f262815033452195f46c43b572159262f533 ]
+
+Commit 9b0ed890ac2a ("bonding: do not report NETDEV_XDP_ACT_XSK_ZEROCOPY")
+changed the driver from reporting everything as supported before a device
+was bonded into having the driver report that no XDP feature is supported
+until a real device is bonded as it seems to be more truthful given
+eventually real underlying devices decide what XDP features are supported.
+
+The change however did not take into account when all slave devices get
+removed from the bond device. In this case after 9b0ed890ac2a, the driver
+keeps reporting a feature mask of 0x77, that is, NETDEV_XDP_ACT_MASK &
+~NETDEV_XDP_ACT_XSK_ZEROCOPY whereas it should have reported a feature
+mask of 0.
+
+Fix it by resetting XDP feature flags in the same way as if no XDP program
+is attached to the bond device. This was uncovered by the XDP bond selftest
+which let BPF CI fail. After adjusting the starting masks on the latter
+to 0 instead of NETDEV_XDP_ACT_MASK the test passes again together with
+this fix.
+
+Fixes: 9b0ed890ac2a ("bonding: do not report NETDEV_XDP_ACT_XSK_ZEROCOPY")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Magnus Karlsson <magnus.karlsson@intel.com>
+Cc: Prashant Batra <prbatra.mail@gmail.com>
+Cc: Toke Høiland-Jørgensen <toke@redhat.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Message-ID: <20240305090829.17131-1-daniel@iogearbox.net>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 6cf7f364704e8..b094c48bebc30 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1811,7 +1811,7 @@ void bond_xdp_set_features(struct net_device *bond_dev)
+       ASSERT_RTNL();
+-      if (!bond_xdp_check(bond)) {
++      if (!bond_xdp_check(bond) || !bond_has_slaves(bond)) {
+               xdp_clear_features_flag(bond_dev);
+               return;
+       }
+-- 
+2.43.0
+
diff --git a/queue-6.7/xfrm-clear-low-order-bits-of-flowi4_tos-in-decode_se.patch b/queue-6.7/xfrm-clear-low-order-bits-of-flowi4_tos-in-decode_se.patch
new file mode 100644 (file)
index 0000000..9703f9e
--- /dev/null
@@ -0,0 +1,42 @@
+From 750f3ca207c7a0624684933ae7122f255dc14afa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jan 2024 16:06:32 +0100
+Subject: xfrm: Clear low order bits of ->flowi4_tos in decode_session4().
+
+From: Guillaume Nault <gnault@redhat.com>
+
+[ Upstream commit 1982a2a02c9197436d4a8ea12f66bafab53f16a0 ]
+
+Commit 23e7b1bfed61 ("xfrm: Don't accidentally set RTO_ONLINK in
+decode_session4()") fixed a problem where decode_session4() could
+erroneously set the RTO_ONLINK flag for IPv4 route lookups. This
+problem was reintroduced when decode_session4() was modified to
+use the flow dissector.
+
+Fix this by clearing again the two low order bits of ->flowi4_tos.
+Found by code inspection, compile tested only.
+
+Fixes: 7a0207094f1b ("xfrm: policy: replace session decode with flow dissector")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_policy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index c13dc3ef79107..e69d588caa0c6 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -3416,7 +3416,7 @@ decode_session4(const struct xfrm_flow_keys *flkeys, struct flowi *fl, bool reve
+       }
+       fl4->flowi4_proto = flkeys->basic.ip_proto;
+-      fl4->flowi4_tos = flkeys->ip.tos;
++      fl4->flowi4_tos = flkeys->ip.tos & ~INET_ECN_MASK;
+ }
+ #if IS_ENABLED(CONFIG_IPV6)
+-- 
+2.43.0
+
diff --git a/queue-6.7/xfrm-pass-udp-encapsulation-in-tx-packet-offload.patch b/queue-6.7/xfrm-pass-udp-encapsulation-in-tx-packet-offload.patch
new file mode 100644 (file)
index 0000000..89f9ea3
--- /dev/null
@@ -0,0 +1,39 @@
+From 03fa082e4d4c4a6d6906dd8bf45bf5ddeef84088 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jan 2024 00:13:54 -0800
+Subject: xfrm: Pass UDP encapsulation in TX packet offload
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit 983a73da1f996faee9997149eb05b12fa7bd8cbf ]
+
+In addition to citied commit in Fixes line, allow UDP encapsulation in
+TX path too.
+
+Fixes: 89edf40220be ("xfrm: Support UDP encapsulation in packet offload mode")
+CC: Steffen Klassert <steffen.klassert@secunet.com>
+Reported-by: Mike Yu <yumike@google.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
+index 3784534c91855..653e51ae39648 100644
+--- a/net/xfrm/xfrm_device.c
++++ b/net/xfrm/xfrm_device.c
+@@ -407,7 +407,7 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
+       struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
+       struct net_device *dev = x->xso.dev;
+-      if (!x->type_offload || x->encap)
++      if (!x->type_offload)
+               return false;
+       if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET ||
+-- 
+2.43.0
+