--- /dev/null
+From 25f06944c5c6722539dd95d697e6bda8aa68b7fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Feb 2024 17:41:20 +0200
+Subject: bpf: check bpf_func_state->callback_depth when pruning states
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit e9a8e5a587ca55fec6c58e4881742705d45bee54 ]
+
+When comparing current and cached states verifier should consider
+bpf_func_state->callback_depth. Current state cannot be pruned against
+cached state, when current states has more iterations left compared to
+cached state. Current state has more iterations left when it's
+callback_depth is smaller.
+
+Below is an example illustrating this bug, minimized from mailing list
+discussion [0] (assume that BPF_F_TEST_STATE_FREQ is set).
+The example is not a safe program: if loop_cb point (1) is followed by
+loop_cb point (2), then division by zero is possible at point (4).
+
+ struct ctx {
+ __u64 a;
+ __u64 b;
+ __u64 c;
+ };
+
+ static void loop_cb(int i, struct ctx *ctx)
+ {
+ /* assume that generated code is "fallthrough-first":
+ * if ... == 1 goto
+ * if ... == 2 goto
+ * <default>
+ */
+ switch (bpf_get_prandom_u32()) {
+ case 1: /* 1 */ ctx->a = 42; return 0; break;
+ case 2: /* 2 */ ctx->b = 42; return 0; break;
+ default: /* 3 */ ctx->c = 42; return 0; break;
+ }
+ }
+
+ SEC("tc")
+ __failure
+ __flag(BPF_F_TEST_STATE_FREQ)
+ int test(struct __sk_buff *skb)
+ {
+ struct ctx ctx = { 7, 7, 7 };
+
+ bpf_loop(2, loop_cb, &ctx, 0); /* 0 */
+ /* assume generated checks are in-order: .a first */
+ if (ctx.a == 42 && ctx.b == 42 && ctx.c == 7)
+ asm volatile("r0 /= 0;":::"r0"); /* 4 */
+ return 0;
+ }
+
+Prior to this commit verifier built the following checkpoint tree for
+this example:
+
+ .------------------------------------- Checkpoint / State name
+ | .-------------------------------- Code point number
+ | | .---------------------------- Stack state {ctx.a,ctx.b,ctx.c}
+ | | | .------------------- Callback depth in frame #0
+ v v v v
+ - (0) {7P,7P,7},depth=0
+ - (3) {7P,7P,7},depth=1
+ - (0) {7P,7P,42},depth=1
+ - (3) {7P,7,42},depth=2
+ - (0) {7P,7,42},depth=2 loop terminates because of depth limit
+ - (4) {7P,7,42},depth=0 predicted false, ctx.a marked precise
+ - (6) exit
+(a) - (2) {7P,7,42},depth=2
+ - (0) {7P,42,42},depth=2 loop terminates because of depth limit
+ - (4) {7P,42,42},depth=0 predicted false, ctx.a marked precise
+ - (6) exit
+(b) - (1) {7P,7P,42},depth=2
+ - (0) {42P,7P,42},depth=2 loop terminates because of depth limit
+ - (4) {42P,7P,42},depth=0 predicted false, ctx.{a,b} marked precise
+ - (6) exit
+ - (2) {7P,7,7},depth=1 considered safe, pruned using checkpoint (a)
+(c) - (1) {7P,7P,7},depth=1 considered safe, pruned using checkpoint (b)
+
+Here checkpoint (b) has callback_depth of 2, meaning that it would
+never reach state {42,42,7}.
+While checkpoint (c) has callback_depth of 1, and thus
+could yet explore the state {42,42,7} if not pruned prematurely.
+This commit makes forbids such premature pruning,
+allowing verifier to explore states sub-tree starting at (c):
+
+(c) - (1) {7,7,7P},depth=1
+ - (0) {42P,7,7P},depth=1
+ ...
+ - (2) {42,7,7},depth=2
+ - (0) {42,42,7},depth=2 loop terminates because of depth limit
+ - (4) {42,42,7},depth=0 predicted true, ctx.{a,b,c} marked precise
+ - (5) division by zero
+
+[0] https://lore.kernel.org/bpf/9b251840-7cb8-4d17-bd23-1fc8071d8eef@linux.dev/
+
+Fixes: bb124da69c47 ("bpf: keep track of max number of bpf_loop callback iterations")
+Suggested-by: Yonghong Song <yonghong.song@linux.dev>
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Acked-by: Yonghong Song <yonghong.song@linux.dev>
+Link: https://lore.kernel.org/r/20240222154121.6991-2-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index e215413c79a52..9698e93d48c6e 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -16686,6 +16686,9 @@ static bool func_states_equal(struct bpf_verifier_env *env, struct bpf_func_stat
+ {
+ int i;
+
++ if (old->callback_depth > cur->callback_depth)
++ return false;
++
+ for (i = 0; i < MAX_BPF_REG; i++)
+ if (!regsafe(env, &old->regs[i], &cur->regs[i],
+ &env->idmap_scratch, exact))
+--
+2.43.0
+
--- /dev/null
+From 41e06213f1b82baed86bda84c78674c6d3d60c49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Mar 2024 22:31:32 +0100
+Subject: cpumap: Zero-initialise xdp_rxq_info struct before running XDP
+ program
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit 2487007aa3b9fafbd2cb14068f49791ce1d7ede5 ]
+
+When running an XDP program that is attached to a cpumap entry, we don't
+initialise the xdp_rxq_info data structure being used in the xdp_buff
+that backs the XDP program invocation. Tobias noticed that this leads to
+random values being returned as the xdp_md->rx_queue_index value for XDP
+programs running in a cpumap.
+
+This means we're basically returning the contents of the uninitialised
+memory, which is bad. Fix this by zero-initialising the rxq data
+structure before running the XDP program.
+
+Fixes: 9216477449f3 ("bpf: cpumap: Add the possibility to attach an eBPF program to cpumap")
+Reported-by: Tobias Böhm <tobias@aibor.de>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Link: https://lore.kernel.org/r/20240305213132.11955-1-toke@redhat.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/cpumap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/cpumap.c b/kernel/bpf/cpumap.c
+index 8a0bb80fe48a3..ef82ffc90cbe9 100644
+--- a/kernel/bpf/cpumap.c
++++ b/kernel/bpf/cpumap.c
+@@ -178,7 +178,7 @@ static int cpu_map_bpf_prog_run_xdp(struct bpf_cpu_map_entry *rcpu,
+ void **frames, int n,
+ struct xdp_cpumap_stats *stats)
+ {
+- struct xdp_rxq_info rxq;
++ struct xdp_rxq_info rxq = {};
+ struct xdp_buff xdp;
+ int i, nframes = 0;
+
+--
+2.43.0
+
--- /dev/null
+From ec1a3ca7247d5682d8dffdd506bbda903eed98af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Mar 2024 13:31:38 +0800
+Subject: erofs: apply proper VMA alignment for memory mapped files on THP
+
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+
+[ Upstream commit 4127caee89612a84adedd78c9453089138cd5afe ]
+
+There are mainly two reasons that thp_get_unmapped_area() should be
+used for EROFS as other filesystems:
+
+ - It's needed to enable PMD mappings as a FSDAX filesystem, see
+ commit 74d2fad1334d ("thp, dax: add thp_get_unmapped_area for pmd
+ mappings");
+
+ - It's useful together with large folios and
+ CONFIG_READ_ONLY_THP_FOR_FS which enable THPs for mmapped files
+ (e.g. shared libraries) even without FSDAX. See commit 1854bc6e2420
+ ("mm/readahead: Align file mappings for non-DAX").
+
+Fixes: 06252e9ce05b ("erofs: dax support for non-tailpacking regular file")
+Fixes: ce529cc25b18 ("erofs: enable large folios for iomap mode")
+Fixes: e6687b89225e ("erofs: enable large folios for fscache mode")
+Reviewed-by: Jingbo Xu <jefflexu@linux.alibaba.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20240306053138.2240206-1-hsiangkao@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/data.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/erofs/data.c b/fs/erofs/data.c
+index c98aeda8abb21..3d9721b3faa81 100644
+--- a/fs/erofs/data.c
++++ b/fs/erofs/data.c
+@@ -447,5 +447,6 @@ const struct file_operations erofs_file_fops = {
+ .llseek = generic_file_llseek,
+ .read_iter = erofs_file_read_iter,
+ .mmap = erofs_file_mmap,
++ .get_unmapped_area = thp_get_unmapped_area,
+ .splice_read = filemap_splice_read,
+ };
+--
+2.43.0
+
--- /dev/null
+From 43a2e4429cd9b599deb53a290a3454ca750e5e34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Feb 2024 13:11:52 +0000
+Subject: geneve: make sure to pull inner header in geneve_rx()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 1ca1ba465e55b9460e4e75dec9fff31e708fec74 ]
+
+syzbot triggered a bug in geneve_rx() [1]
+
+Issue is similar to the one I fixed in commit 8d975c15c0cd
+("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")
+
+We have to save skb->network_header in a temporary variable
+in order to be able to recompute the network_header pointer
+after a pskb_inet_may_pull() call.
+
+pskb_inet_may_pull() makes sure the needed headers are in skb->head.
+
+[1]
+BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
+ BUG: KMSAN: uninit-value in geneve_rx drivers/net/geneve.c:279 [inline]
+ BUG: KMSAN: uninit-value in geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391
+ IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
+ geneve_rx drivers/net/geneve.c:279 [inline]
+ geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391
+ udp_queue_rcv_one_skb+0x1d39/0x1f20 net/ipv4/udp.c:2108
+ udp_queue_rcv_skb+0x6ae/0x6e0 net/ipv4/udp.c:2186
+ udp_unicast_rcv_skb+0x184/0x4b0 net/ipv4/udp.c:2346
+ __udp4_lib_rcv+0x1c6b/0x3010 net/ipv4/udp.c:2422
+ udp_rcv+0x7d/0xa0 net/ipv4/udp.c:2604
+ ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205
+ ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233
+ NF_HOOK include/linux/netfilter.h:314 [inline]
+ ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254
+ dst_input include/net/dst.h:461 [inline]
+ ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
+ NF_HOOK include/linux/netfilter.h:314 [inline]
+ ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569
+ __netif_receive_skb_one_core net/core/dev.c:5534 [inline]
+ __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648
+ process_backlog+0x480/0x8b0 net/core/dev.c:5976
+ __napi_poll+0xe3/0x980 net/core/dev.c:6576
+ napi_poll net/core/dev.c:6645 [inline]
+ net_rx_action+0x8b8/0x1870 net/core/dev.c:6778
+ __do_softirq+0x1b7/0x7c5 kernel/softirq.c:553
+ do_softirq+0x9a/0xf0 kernel/softirq.c:454
+ __local_bh_enable_ip+0x9b/0xa0 kernel/softirq.c:381
+ local_bh_enable include/linux/bottom_half.h:33 [inline]
+ rcu_read_unlock_bh include/linux/rcupdate.h:820 [inline]
+ __dev_queue_xmit+0x2768/0x51c0 net/core/dev.c:4378
+ dev_queue_xmit include/linux/netdevice.h:3171 [inline]
+ packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
+ packet_snd net/packet/af_packet.c:3081 [inline]
+ packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg net/socket.c:745 [inline]
+ __sys_sendto+0x735/0xa10 net/socket.c:2191
+ __do_sys_sendto net/socket.c:2203 [inline]
+ __se_sys_sendto net/socket.c:2199 [inline]
+ __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:3819 [inline]
+ slab_alloc_node mm/slub.c:3860 [inline]
+ kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903
+ kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
+ __alloc_skb+0x352/0x790 net/core/skbuff.c:651
+ alloc_skb include/linux/skbuff.h:1296 [inline]
+ alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394
+ sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783
+ packet_alloc_skb net/packet/af_packet.c:2930 [inline]
+ packet_snd net/packet/af_packet.c:3024 [inline]
+ packet_sendmsg+0x70c2/0x9f10 net/packet/af_packet.c:3113
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg net/socket.c:745 [inline]
+ __sys_sendto+0x735/0xa10 net/socket.c:2191
+ __do_sys_sendto net/socket.c:2203 [inline]
+ __se_sys_sendto net/socket.c:2199 [inline]
+ __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels")
+Reported-and-tested-by: syzbot+6a1423ff3f97159aae64@syzkaller.appspotmail.com
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/geneve.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
+index acd9c615d1f4f..356da958ee81b 100644
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -221,7 +221,7 @@ static void geneve_rx(struct geneve_dev *geneve, struct geneve_sock *gs,
+ struct genevehdr *gnvh = geneve_hdr(skb);
+ struct metadata_dst *tun_dst = NULL;
+ unsigned int len;
+- int err = 0;
++ int nh, err = 0;
+ void *oiph;
+
+ if (ip_tunnel_collect_metadata() || gs->collect_md) {
+@@ -272,9 +272,23 @@ static void geneve_rx(struct geneve_dev *geneve, struct geneve_sock *gs,
+ skb->pkt_type = PACKET_HOST;
+ }
+
+- oiph = skb_network_header(skb);
++ /* Save offset of outer header relative to skb->head,
++ * because we are going to reset the network header to the inner header
++ * and might change skb->head.
++ */
++ nh = skb_network_header(skb) - skb->head;
++
+ skb_reset_network_header(skb);
+
++ if (!pskb_inet_may_pull(skb)) {
++ DEV_STATS_INC(geneve->dev, rx_length_errors);
++ DEV_STATS_INC(geneve->dev, rx_errors);
++ goto drop;
++ }
++
++ /* Get the outer header. */
++ oiph = skb->head + nh;
++
+ if (geneve_get_sk_family(gs) == AF_INET)
+ err = IP_ECN_decapsulate(oiph, skb);
+ #if IS_ENABLED(CONFIG_IPV6)
+--
+2.43.0
+
--- /dev/null
+From a712e06f8aa230de51b4dd38e48c55c0df1f1e30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Feb 2024 22:45:52 +0100
+Subject: i40e: disable NAPI right after disabling irqs when handling xsk_pool
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit d562b11c1eac7d73f4c778b4cbe5468f86b1f20d ]
+
+Disable NAPI before shutting down queues that this particular NAPI
+contains so that the order of actions in i40e_queue_pair_disable()
+mirrors what we do in i40e_queue_pair_enable().
+
+Fixes: 123cecd427b6 ("i40e: added queue pair disable/enable functions")
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Tested-by: Chandan Kumar Rout <chandanx.rout@intel.com> (A Contingent Worker at Intel)
+Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index d9716bcec81bb..b0dc0fc6b1359 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -13629,9 +13629,9 @@ int i40e_queue_pair_disable(struct i40e_vsi *vsi, int queue_pair)
+ return err;
+
+ i40e_queue_pair_disable_irq(vsi, queue_pair);
++ i40e_queue_pair_toggle_napi(vsi, queue_pair, false /* off */);
+ err = i40e_queue_pair_toggle_rings(vsi, queue_pair, false /* off */);
+ i40e_clean_rx_ring(vsi->rx_rings[queue_pair]);
+- i40e_queue_pair_toggle_napi(vsi, queue_pair, false /* off */);
+ i40e_queue_pair_clean_rings(vsi, queue_pair);
+ i40e_queue_pair_reset_stats(vsi, queue_pair);
+
+--
+2.43.0
+
--- /dev/null
+From 7d022f23402f63c9542f53ae2ee44ce6e17350a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Mar 2024 14:37:08 +0100
+Subject: ice: fix uninitialized dplls mutex usage
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+[ Upstream commit 9224fc86f1776193650a33a275cac628952f80a9 ]
+
+The pf->dplls.lock mutex is initialized too late, after its first use.
+Move it to the top of ice_dpll_init.
+Note that the "err_exit" error path destroys the mutex. And the mutex is
+the last thing destroyed in ice_dpll_deinit.
+This fixes the following warning with CONFIG_DEBUG_MUTEXES:
+
+ ice 0000:10:00.0: The DDP package was successfully loaded: ICE OS Default Package version 1.3.36.0
+ ice 0000:10:00.0: 252.048 Gb/s available PCIe bandwidth (16.0 GT/s PCIe x16 link)
+ ice 0000:10:00.0: PTP init successful
+ ------------[ cut here ]------------
+ DEBUG_LOCKS_WARN_ON(lock->magic != lock)
+ WARNING: CPU: 0 PID: 410 at kernel/locking/mutex.c:587 __mutex_lock+0x773/0xd40
+ Modules linked in: crct10dif_pclmul crc32_pclmul crc32c_intel polyval_clmulni polyval_generic ice(+) nvme nvme_c>
+ CPU: 0 PID: 410 Comm: kworker/0:4 Not tainted 6.8.0-rc5+ #3
+ Hardware name: HPE ProLiant DL110 Gen10 Plus/ProLiant DL110 Gen10 Plus, BIOS U56 10/19/2023
+ Workqueue: events work_for_cpu_fn
+ RIP: 0010:__mutex_lock+0x773/0xd40
+ Code: c0 0f 84 1d f9 ff ff 44 8b 35 0d 9c 69 01 45 85 f6 0f 85 0d f9 ff ff 48 c7 c6 12 a2 a9 85 48 c7 c7 12 f1 a>
+ RSP: 0018:ff7eb1a3417a7ae0 EFLAGS: 00010286
+ RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
+ RDX: 0000000000000002 RSI: ffffffff85ac2bff RDI: 00000000ffffffff
+ RBP: ff7eb1a3417a7b80 R08: 0000000000000000 R09: 00000000ffffbfff
+ R10: ff7eb1a3417a7978 R11: ff32b80f7fd2e568 R12: 0000000000000000
+ R13: 0000000000000000 R14: 0000000000000000 R15: ff32b7f02c50e0d8
+ FS: 0000000000000000(0000) GS:ff32b80efe800000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 000055b5852cc000 CR3: 000000003c43a004 CR4: 0000000000771ef0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ PKRU: 55555554
+ Call Trace:
+ <TASK>
+ ? __warn+0x84/0x170
+ ? __mutex_lock+0x773/0xd40
+ ? report_bug+0x1c7/0x1d0
+ ? prb_read_valid+0x1b/0x30
+ ? handle_bug+0x42/0x70
+ ? exc_invalid_op+0x18/0x70
+ ? asm_exc_invalid_op+0x1a/0x20
+ ? __mutex_lock+0x773/0xd40
+ ? rcu_is_watching+0x11/0x50
+ ? __kmalloc_node_track_caller+0x346/0x490
+ ? ice_dpll_lock_status_get+0x28/0x50 [ice]
+ ? __pfx_ice_dpll_lock_status_get+0x10/0x10 [ice]
+ ? ice_dpll_lock_status_get+0x28/0x50 [ice]
+ ice_dpll_lock_status_get+0x28/0x50 [ice]
+ dpll_device_get_one+0x14f/0x2e0
+ dpll_device_event_send+0x7d/0x150
+ dpll_device_register+0x124/0x180
+ ice_dpll_init_dpll+0x7b/0xd0 [ice]
+ ice_dpll_init+0x224/0xa40 [ice]
+ ? _dev_info+0x70/0x90
+ ice_load+0x468/0x690 [ice]
+ ice_probe+0x75b/0xa10 [ice]
+ ? _raw_spin_unlock_irqrestore+0x4f/0x80
+ ? process_one_work+0x1a3/0x500
+ local_pci_probe+0x47/0xa0
+ work_for_cpu_fn+0x17/0x30
+ process_one_work+0x20d/0x500
+ worker_thread+0x1df/0x3e0
+ ? __pfx_worker_thread+0x10/0x10
+ kthread+0x103/0x140
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x31/0x50
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork_asm+0x1b/0x30
+ </TASK>
+ irq event stamp: 125197
+ hardirqs last enabled at (125197): [<ffffffff8416409d>] finish_task_switch.isra.0+0x12d/0x3d0
+ hardirqs last disabled at (125196): [<ffffffff85134044>] __schedule+0xea4/0x19f0
+ softirqs last enabled at (105334): [<ffffffff84e1e65a>] napi_get_frags_check+0x1a/0x60
+ softirqs last disabled at (105332): [<ffffffff84e1e65a>] napi_get_frags_check+0x1a/0x60
+ ---[ end trace 0000000000000000 ]---
+
+Fixes: d7999f5ea64b ("ice: implement dpll interface to control cgu")
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_dpll.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_dpll.c b/drivers/net/ethernet/intel/ice/ice_dpll.c
+index 2b657d43c769d..68b894bb68fe7 100644
+--- a/drivers/net/ethernet/intel/ice/ice_dpll.c
++++ b/drivers/net/ethernet/intel/ice/ice_dpll.c
+@@ -2146,6 +2146,7 @@ void ice_dpll_init(struct ice_pf *pf)
+ struct ice_dplls *d = &pf->dplls;
+ int err = 0;
+
++ mutex_init(&d->lock);
+ err = ice_dpll_init_info(pf, cgu);
+ if (err)
+ goto err_exit;
+@@ -2158,7 +2159,6 @@ void ice_dpll_init(struct ice_pf *pf)
+ err = ice_dpll_init_pins(pf, cgu);
+ if (err)
+ goto deinit_pps;
+- mutex_init(&d->lock);
+ if (cgu) {
+ err = ice_dpll_init_worker(pf);
+ if (err)
+--
+2.43.0
+
--- /dev/null
+From e7ab55ab02ec6a922224370267537d40f10a81b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Feb 2024 07:40:24 +0100
+Subject: ice: reconfig host after changing MSI-X on VF
+
+From: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+
+[ Upstream commit 4035c72dc1ba81a96f94de84dfd5409056c1d9c9 ]
+
+During VSI reconfiguration filters and VSI config which is set in
+ice_vf_init_host_cfg() are lost. Recall the host configuration function
+to restore them.
+
+Without this config VF on which MSI-X amount was changed might had a
+connection problems.
+
+Fixes: 4d38cb44bd32 ("ice: manage VFs MSI-X using resource tracking")
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_sriov.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_sriov.c b/drivers/net/ethernet/intel/ice/ice_sriov.c
+index c4caa9df473b5..cd61928700211 100644
+--- a/drivers/net/ethernet/intel/ice/ice_sriov.c
++++ b/drivers/net/ethernet/intel/ice/ice_sriov.c
+@@ -1074,6 +1074,7 @@ int ice_sriov_set_msix_vec_count(struct pci_dev *vf_dev, int msix_vec_count)
+ struct ice_pf *pf = pci_get_drvdata(pdev);
+ u16 prev_msix, prev_queues, queues;
+ bool needs_rebuild = false;
++ struct ice_vsi *vsi;
+ struct ice_vf *vf;
+ int id;
+
+@@ -1108,6 +1109,10 @@ int ice_sriov_set_msix_vec_count(struct pci_dev *vf_dev, int msix_vec_count)
+ if (!vf)
+ return -ENOENT;
+
++ vsi = ice_get_vf_vsi(vf);
++ if (!vsi)
++ return -ENOENT;
++
+ prev_msix = vf->num_msix;
+ prev_queues = vf->num_vf_qs;
+
+@@ -1128,7 +1133,7 @@ int ice_sriov_set_msix_vec_count(struct pci_dev *vf_dev, int msix_vec_count)
+ if (vf->first_vector_idx < 0)
+ goto unroll;
+
+- if (ice_vf_reconfig_vsi(vf)) {
++ if (ice_vf_reconfig_vsi(vf) || ice_vf_init_host_cfg(vf, vsi)) {
+ /* Try to rebuild with previous values */
+ needs_rebuild = true;
+ goto unroll;
+@@ -1154,8 +1159,10 @@ int ice_sriov_set_msix_vec_count(struct pci_dev *vf_dev, int msix_vec_count)
+ if (vf->first_vector_idx < 0)
+ return -EINVAL;
+
+- if (needs_rebuild)
++ if (needs_rebuild) {
+ ice_vf_reconfig_vsi(vf);
++ ice_vf_init_host_cfg(vf, vsi);
++ }
+
+ ice_ena_vf_mappings(vf);
+ ice_put_vf(vf);
+--
+2.43.0
+
--- /dev/null
+From c39a00d000fa65286f529d62e2a0b4e1bf50f68a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Feb 2024 22:45:53 +0100
+Subject: ice: reorder disabling IRQ and NAPI in ice_qp_dis
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit 99099c6bc75a30b76bb5d6774a0509ab6f06af05 ]
+
+ice_qp_dis() currently does things in very mixed way. Tx is stopped
+before disabling IRQ on related queue vector, then it takes care of
+disabling Rx and finally NAPI is disabled.
+
+Let us start with disabling IRQs in the first place followed by turning
+off NAPI. Then it is safe to handle queues.
+
+One subtle change on top of that is that even though ice_qp_ena() looks
+more sane, clear ICE_CFG_BUSY as the last thing there.
+
+Fixes: 2d4238f55697 ("ice: Add support for AF_XDP")
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Tested-by: Chandan Kumar Rout <chandanx.rout@intel.com> (A Contingent Worker at Intel)
+Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_xsk.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c
+index f3663b3f6390e..0fd5551b108ce 100644
+--- a/drivers/net/ethernet/intel/ice/ice_xsk.c
++++ b/drivers/net/ethernet/intel/ice/ice_xsk.c
+@@ -179,6 +179,10 @@ static int ice_qp_dis(struct ice_vsi *vsi, u16 q_idx)
+ return -EBUSY;
+ usleep_range(1000, 2000);
+ }
++
++ ice_qvec_dis_irq(vsi, rx_ring, q_vector);
++ ice_qvec_toggle_napi(vsi, q_vector, false);
++
+ netif_tx_stop_queue(netdev_get_tx_queue(vsi->netdev, q_idx));
+
+ ice_fill_txq_meta(vsi, tx_ring, &txq_meta);
+@@ -195,13 +199,10 @@ static int ice_qp_dis(struct ice_vsi *vsi, u16 q_idx)
+ if (err)
+ return err;
+ }
+- ice_qvec_dis_irq(vsi, rx_ring, q_vector);
+-
+ err = ice_vsi_ctrl_one_rx_ring(vsi, false, q_idx, true);
+ if (err)
+ return err;
+
+- ice_qvec_toggle_napi(vsi, q_vector, false);
+ ice_qp_clean_rings(vsi, q_idx);
+ ice_qp_reset_stats(vsi, q_idx);
+
+@@ -259,11 +260,11 @@ static int ice_qp_ena(struct ice_vsi *vsi, u16 q_idx)
+ if (err)
+ return err;
+
+- clear_bit(ICE_CFG_BUSY, vsi->state);
+ ice_qvec_toggle_napi(vsi, q_vector, true);
+ ice_qvec_ena_irq(vsi, q_vector);
+
+ netif_tx_start_queue(netdev_get_tx_queue(vsi->netdev, q_idx));
++ clear_bit(ICE_CFG_BUSY, vsi->state);
+
+ return 0;
+ }
+--
+2.43.0
+
--- /dev/null
+From 1b98f7361596b239329ae98943448c160645aae8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Nov 2023 11:42:15 -0800
+Subject: ice: replace ice_vf_recreate_vsi() with ice_vf_reconfig_vsi()
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit 2a2cb4c6c18130e9f14d2e39deb75590744d98ef ]
+
+The ice_vf_create_vsi() function and its VF ops helper introduced by commit
+a4c785e8162e ("ice: convert vf_ops .vsi_rebuild to .create_vsi") are used
+during an individual VF reset to re-create the VSI. This was done in order
+to ensure that the VSI gets properly reconfigured within the hardware.
+
+This is somewhat heavy handed as we completely release the VSI memory and
+structure, and then create a new VSI. This can also potentially force a
+change of the VSI index as we will re-use the first open slot in the VSI
+array which may not be the same.
+
+As part of implementing devlink reload, commit 6624e780a577 ("ice: split
+ice_vsi_setup into smaller functions") split VSI setup into smaller
+functions, introducing both ice_vsi_cfg() and ice_vsi_decfg() which can be
+used to configure or deconfigure an existing software VSI structure.
+
+Rather than completely removing the VSI and adding a new one using the
+.create_vsi() VF operation, simply use ice_vsi_decfg() to remove the
+current configuration. Save the VSI type and then call ice_vsi_cfg() to
+reconfigure the VSI as the same type that it was before.
+
+The existing reset logic assumes that all hardware filters will be removed,
+so also call ice_fltr_remove_all() before re-configuring the VSI.
+
+This new operation does not re-create the VSI, so rename it to
+ice_vf_reconfig_vsi().
+
+The new approach can safely share the exact same flow for both SR-IOV VFs
+as well as the Scalable IOV VFs being worked on. This uses less code and is
+a better abstraction over fully deleting the VSI and adding a new one.
+
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Petr Oros <poros@redhat.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Stable-dep-of: 4035c72dc1ba ("ice: reconfig host after changing MSI-X on VF")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_sriov.c | 24 ++-----------
+ drivers/net/ethernet/intel/ice/ice_vf_lib.c | 35 +++++++++++++------
+ drivers/net/ethernet/intel/ice/ice_vf_lib.h | 1 -
+ .../ethernet/intel/ice/ice_vf_lib_private.h | 1 +
+ 4 files changed, 28 insertions(+), 33 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_sriov.c b/drivers/net/ethernet/intel/ice/ice_sriov.c
+index e1494f24f661d..c4caa9df473b5 100644
+--- a/drivers/net/ethernet/intel/ice/ice_sriov.c
++++ b/drivers/net/ethernet/intel/ice/ice_sriov.c
+@@ -762,24 +762,6 @@ static void ice_sriov_clear_reset_trigger(struct ice_vf *vf)
+ ice_flush(hw);
+ }
+
+-/**
+- * ice_sriov_create_vsi - Create a new VSI for a VF
+- * @vf: VF to create the VSI for
+- *
+- * This is called by ice_vf_recreate_vsi to create the new VSI after the old
+- * VSI has been released.
+- */
+-static int ice_sriov_create_vsi(struct ice_vf *vf)
+-{
+- struct ice_vsi *vsi;
+-
+- vsi = ice_vf_vsi_setup(vf);
+- if (!vsi)
+- return -ENOMEM;
+-
+- return 0;
+-}
+-
+ /**
+ * ice_sriov_post_vsi_rebuild - tasks to do after the VF's VSI have been rebuilt
+ * @vf: VF to perform tasks on
+@@ -799,7 +781,6 @@ static const struct ice_vf_ops ice_sriov_vf_ops = {
+ .poll_reset_status = ice_sriov_poll_reset_status,
+ .clear_reset_trigger = ice_sriov_clear_reset_trigger,
+ .irq_close = NULL,
+- .create_vsi = ice_sriov_create_vsi,
+ .post_vsi_rebuild = ice_sriov_post_vsi_rebuild,
+ };
+
+@@ -1147,8 +1128,7 @@ int ice_sriov_set_msix_vec_count(struct pci_dev *vf_dev, int msix_vec_count)
+ if (vf->first_vector_idx < 0)
+ goto unroll;
+
+- ice_vf_vsi_release(vf);
+- if (vf->vf_ops->create_vsi(vf)) {
++ if (ice_vf_reconfig_vsi(vf)) {
+ /* Try to rebuild with previous values */
+ needs_rebuild = true;
+ goto unroll;
+@@ -1175,7 +1155,7 @@ int ice_sriov_set_msix_vec_count(struct pci_dev *vf_dev, int msix_vec_count)
+ return -EINVAL;
+
+ if (needs_rebuild)
+- vf->vf_ops->create_vsi(vf);
++ ice_vf_reconfig_vsi(vf);
+
+ ice_ena_vf_mappings(vf);
+ ice_put_vf(vf);
+diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib.c b/drivers/net/ethernet/intel/ice/ice_vf_lib.c
+index b7ae099521566..88e3cd09f8d0c 100644
+--- a/drivers/net/ethernet/intel/ice/ice_vf_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_vf_lib.c
+@@ -248,29 +248,44 @@ static void ice_vf_pre_vsi_rebuild(struct ice_vf *vf)
+ }
+
+ /**
+- * ice_vf_recreate_vsi - Release and re-create the VF's VSI
+- * @vf: VF to recreate the VSI for
++ * ice_vf_reconfig_vsi - Reconfigure a VF VSI with the device
++ * @vf: VF to reconfigure the VSI for
+ *
+- * This is only called when a single VF is being reset (i.e. VVF, VFLR, host
+- * VF configuration change, etc)
++ * This is called when a single VF is being reset (i.e. VVF, VFLR, host VF
++ * configuration change, etc).
+ *
+- * It releases and then re-creates a new VSI.
++ * It brings the VSI down and then reconfigures it with the hardware.
+ */
+-static int ice_vf_recreate_vsi(struct ice_vf *vf)
++int ice_vf_reconfig_vsi(struct ice_vf *vf)
+ {
++ struct ice_vsi *vsi = ice_get_vf_vsi(vf);
++ struct ice_vsi_cfg_params params = {};
+ struct ice_pf *pf = vf->pf;
+ int err;
+
+- ice_vf_vsi_release(vf);
++ if (WARN_ON(!vsi))
++ return -EINVAL;
++
++ params = ice_vsi_to_params(vsi);
++ params.flags = ICE_VSI_FLAG_NO_INIT;
+
+- err = vf->vf_ops->create_vsi(vf);
++ ice_vsi_decfg(vsi);
++ ice_fltr_remove_all(vsi);
++
++ err = ice_vsi_cfg(vsi, ¶ms);
+ if (err) {
+ dev_err(ice_pf_to_dev(pf),
+- "Failed to recreate the VF%u's VSI, error %d\n",
++ "Failed to reconfigure the VF%u's VSI, error %d\n",
+ vf->vf_id, err);
+ return err;
+ }
+
++ /* Update the lan_vsi_num field since it might have been changed. The
++ * PF lan_vsi_idx number remains the same so we don't need to change
++ * that.
++ */
++ vf->lan_vsi_num = vsi->vsi_num;
++
+ return 0;
+ }
+
+@@ -929,7 +944,7 @@ int ice_reset_vf(struct ice_vf *vf, u32 flags)
+
+ ice_vf_pre_vsi_rebuild(vf);
+
+- if (ice_vf_recreate_vsi(vf)) {
++ if (ice_vf_reconfig_vsi(vf)) {
+ dev_err(dev, "Failed to release and setup the VF%u's VSI\n",
+ vf->vf_id);
+ err = -EFAULT;
+diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib.h b/drivers/net/ethernet/intel/ice/ice_vf_lib.h
+index 93c774f2f4376..6b41e0f3d37ed 100644
+--- a/drivers/net/ethernet/intel/ice/ice_vf_lib.h
++++ b/drivers/net/ethernet/intel/ice/ice_vf_lib.h
+@@ -62,7 +62,6 @@ struct ice_vf_ops {
+ bool (*poll_reset_status)(struct ice_vf *vf);
+ void (*clear_reset_trigger)(struct ice_vf *vf);
+ void (*irq_close)(struct ice_vf *vf);
+- int (*create_vsi)(struct ice_vf *vf);
+ void (*post_vsi_rebuild)(struct ice_vf *vf);
+ };
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib_private.h b/drivers/net/ethernet/intel/ice/ice_vf_lib_private.h
+index 0c7e77c0a09fa..91ba7fe0eaee1 100644
+--- a/drivers/net/ethernet/intel/ice/ice_vf_lib_private.h
++++ b/drivers/net/ethernet/intel/ice/ice_vf_lib_private.h
+@@ -23,6 +23,7 @@
+ #warning "Only include ice_vf_lib_private.h in CONFIG_PCI_IOV virtualization files"
+ #endif
+
++int ice_vf_reconfig_vsi(struct ice_vf *vf);
+ void ice_initialize_vf_entry(struct ice_vf *vf);
+ void ice_dis_vf_qs(struct ice_vf *vf);
+ int ice_check_vf_init(struct ice_vf *vf);
+--
+2.43.0
+
--- /dev/null
+From 2958563b0ea05bdf0c107c3e6da92f87792ee7e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jan 2024 13:51:58 -0800
+Subject: ice: virtchnl: stop pretending to support RSS over AQ or registers
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit 2652b99e43403dc464f3648483ffb38e48872fe4 ]
+
+The E800 series hardware uses the same iAVF driver as older devices,
+including the virtchnl negotiation scheme.
+
+This negotiation scheme includes a mechanism to determine what type of RSS
+should be supported, including RSS over PF virtchnl messages, RSS over
+firmware AdminQ messages, and RSS via direct register access.
+
+The PF driver will always prefer VIRTCHNL_VF_OFFLOAD_RSS_PF if its
+supported by the VF driver. However, if an older VF driver is loaded, it
+may request only VIRTCHNL_VF_OFFLOAD_RSS_REG or VIRTCHNL_VF_OFFLOAD_RSS_AQ.
+
+The ice driver happily agrees to support these methods. Unfortunately, the
+underlying hardware does not support these mechanisms. The E800 series VFs
+don't have the appropriate registers for RSS_REG. The mailbox queue used by
+VFs for VF to PF communication blocks messages which do not have the
+VF-to-PF opcode.
+
+Stop lying to the VF that it could support RSS over AdminQ or registers, as
+these interfaces do not work when the hardware is operating on an E800
+series device.
+
+In practice this is unlikely to be hit by any normal user. The iAVF driver
+has supported RSS over PF virtchnl commands since 2016, and always defaults
+to using RSS_PF if possible.
+
+In principle, nothing actually stops the existing VF from attempting to
+access the registers or send an AQ command. However a properly coded VF
+will check the capability flags and will report a more useful error if it
+detects a case where the driver does not support the RSS offloads that it
+does.
+
+Fixes: 1071a8358a28 ("ice: Implement virtchnl commands for AVF support")
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Alan Brady <alan.brady@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_virtchnl.c | 9 +--------
+ drivers/net/ethernet/intel/ice/ice_virtchnl_allowlist.c | 2 --
+ 2 files changed, 1 insertion(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl.c b/drivers/net/ethernet/intel/ice/ice_virtchnl.c
+index 8872f7a4f4320..d6348f20822e8 100644
+--- a/drivers/net/ethernet/intel/ice/ice_virtchnl.c
++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl.c
+@@ -440,7 +440,6 @@ static int ice_vc_get_vf_res_msg(struct ice_vf *vf, u8 *msg)
+ vf->driver_caps = *(u32 *)msg;
+ else
+ vf->driver_caps = VIRTCHNL_VF_OFFLOAD_L2 |
+- VIRTCHNL_VF_OFFLOAD_RSS_REG |
+ VIRTCHNL_VF_OFFLOAD_VLAN;
+
+ vfres->vf_cap_flags = VIRTCHNL_VF_OFFLOAD_L2;
+@@ -453,14 +452,8 @@ static int ice_vc_get_vf_res_msg(struct ice_vf *vf, u8 *msg)
+ vfres->vf_cap_flags |= ice_vc_get_vlan_caps(hw, vf, vsi,
+ vf->driver_caps);
+
+- if (vf->driver_caps & VIRTCHNL_VF_OFFLOAD_RSS_PF) {
++ if (vf->driver_caps & VIRTCHNL_VF_OFFLOAD_RSS_PF)
+ vfres->vf_cap_flags |= VIRTCHNL_VF_OFFLOAD_RSS_PF;
+- } else {
+- if (vf->driver_caps & VIRTCHNL_VF_OFFLOAD_RSS_AQ)
+- vfres->vf_cap_flags |= VIRTCHNL_VF_OFFLOAD_RSS_AQ;
+- else
+- vfres->vf_cap_flags |= VIRTCHNL_VF_OFFLOAD_RSS_REG;
+- }
+
+ if (vf->driver_caps & VIRTCHNL_VF_OFFLOAD_RX_FLEX_DESC)
+ vfres->vf_cap_flags |= VIRTCHNL_VF_OFFLOAD_RX_FLEX_DESC;
+diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_allowlist.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_allowlist.c
+index 7d547fa616fa6..588b77f1a4bf6 100644
+--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_allowlist.c
++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_allowlist.c
+@@ -13,8 +13,6 @@
+ * - opcodes needed by VF when caps are activated
+ *
+ * Caps that don't use new opcodes (no opcodes should be allowed):
+- * - VIRTCHNL_VF_OFFLOAD_RSS_AQ
+- * - VIRTCHNL_VF_OFFLOAD_RSS_REG
+ * - VIRTCHNL_VF_OFFLOAD_WB_ON_ITR
+ * - VIRTCHNL_VF_OFFLOAD_CRC
+ * - VIRTCHNL_VF_OFFLOAD_RX_POLLING
+--
+2.43.0
+
--- /dev/null
+From 9f585b98c5fb027c982c9e5b9c67aa5b0288446f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Feb 2024 16:42:43 -0800
+Subject: idpf: disable local BH when scheduling napi for marker packets
+
+From: Emil Tantilov <emil.s.tantilov@intel.com>
+
+[ Upstream commit 330068589389ccae3452db15ecacc3e147ac9c1c ]
+
+Fix softirq's not being handled during napi_schedule() call when
+receiving marker packets for queue disable by disabling local bottom
+half.
+
+The issue can be seen on ifdown:
+NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #08!!!
+
+Using ftrace to catch the failing scenario:
+ifconfig [003] d.... 22739.830624: softirq_raise: vec=3 [action=NET_RX]
+<idle>-0 [003] ..s.. 22739.831357: softirq_entry: vec=3 [action=NET_RX]
+
+No interrupt and CPU is idle.
+
+After the patch when disabling local BH before calling napi_schedule:
+ifconfig [003] d.... 22993.928336: softirq_raise: vec=3 [action=NET_RX]
+ifconfig [003] ..s1. 22993.928337: softirq_entry: vec=3 [action=NET_RX]
+
+Fixes: c2d548cad150 ("idpf: add TX splitq napi poll support")
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
+Signed-off-by: Alan Brady <alan.brady@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Krishneil Singh <krishneil.k.singh@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/idpf/idpf_virtchnl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
+index 2c1b051fdc0d4..b0c52f17848f6 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
+@@ -2087,8 +2087,10 @@ int idpf_send_disable_queues_msg(struct idpf_vport *vport)
+ set_bit(__IDPF_Q_POLL_MODE, vport->txqs[i]->flags);
+
+ /* schedule the napi to receive all the marker packets */
++ local_bh_disable();
+ for (i = 0; i < vport->num_q_vectors; i++)
+ napi_schedule(&vport->q_vectors[i].napi);
++ local_bh_enable();
+
+ return idpf_wait_for_marker_event(vport);
+ }
+--
+2.43.0
+
--- /dev/null
+From 58d473bcfce4561f5e851db64c272e21ab0d38e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Feb 2024 10:08:43 +0100
+Subject: igc: avoid returning frame twice in XDP_REDIRECT
+
+From: Florian Kauer <florian.kauer@linutronix.de>
+
+[ Upstream commit ef27f655b438bed4c83680e4f01e1cde2739854b ]
+
+When a frame can not be transmitted in XDP_REDIRECT
+(e.g. due to a full queue), it is necessary to free
+it by calling xdp_return_frame_rx_napi.
+
+However, this is the responsibility of the caller of
+the ndo_xdp_xmit (see for example bq_xmit_all in
+kernel/bpf/devmap.c) and thus calling it inside
+igc_xdp_xmit (which is the ndo_xdp_xmit of the igc
+driver) as well will lead to memory corruption.
+
+In fact, bq_xmit_all expects that it can return all
+frames after the last successfully transmitted one.
+Therefore, break for the first not transmitted frame,
+but do not call xdp_return_frame_rx_napi in igc_xdp_xmit.
+This is equally implemented in other Intel drivers
+such as the igb.
+
+There are two alternatives to this that were rejected:
+1. Return num_frames as all the frames would have been
+ transmitted and release them inside igc_xdp_xmit.
+ While it might work technically, it is not what
+ the return value is meant to represent (i.e. the
+ number of SUCCESSFULLY transmitted packets).
+2. Rework kernel/bpf/devmap.c and all drivers to
+ support non-consecutively dropped packets.
+ Besides being complex, it likely has a negative
+ performance impact without a significant gain
+ since it is anyway unlikely that the next frame
+ can be transmitted if the previous one was dropped.
+
+The memory corruption can be reproduced with
+the following script which leads to a kernel panic
+after a few seconds. It basically generates more
+traffic than a i225 NIC can transmit and pushes it
+via XDP_REDIRECT from a virtual interface to the
+physical interface where frames get dropped.
+
+ #!/bin/bash
+ INTERFACE=enp4s0
+ INTERFACE_IDX=`cat /sys/class/net/$INTERFACE/ifindex`
+
+ sudo ip link add dev veth1 type veth peer name veth2
+ sudo ip link set up $INTERFACE
+ sudo ip link set up veth1
+ sudo ip link set up veth2
+
+ cat << EOF > redirect.bpf.c
+
+ SEC("prog")
+ int redirect(struct xdp_md *ctx)
+ {
+ return bpf_redirect($INTERFACE_IDX, 0);
+ }
+
+ char _license[] SEC("license") = "GPL";
+ EOF
+ clang -O2 -g -Wall -target bpf -c redirect.bpf.c -o redirect.bpf.o
+ sudo ip link set veth2 xdp obj redirect.bpf.o
+
+ cat << EOF > pass.bpf.c
+
+ SEC("prog")
+ int pass(struct xdp_md *ctx)
+ {
+ return XDP_PASS;
+ }
+
+ char _license[] SEC("license") = "GPL";
+ EOF
+ clang -O2 -g -Wall -target bpf -c pass.bpf.c -o pass.bpf.o
+ sudo ip link set $INTERFACE xdp obj pass.bpf.o
+
+ cat << EOF > trafgen.cfg
+
+ {
+ /* Ethernet Header */
+ 0xe8, 0x6a, 0x64, 0x41, 0xbf, 0x46,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ const16(ETH_P_IP),
+
+ /* IPv4 Header */
+ 0b01000101, 0, # IPv4 version, IHL, TOS
+ const16(1028), # IPv4 total length (UDP length + 20 bytes (IP header))
+ const16(2), # IPv4 ident
+ 0b01000000, 0, # IPv4 flags, fragmentation off
+ 64, # IPv4 TTL
+ 17, # Protocol UDP
+ csumip(14, 33), # IPv4 checksum
+
+ /* UDP Header */
+ 10, 0, 1, 1, # IP Src - adapt as needed
+ 10, 0, 1, 2, # IP Dest - adapt as needed
+ const16(6666), # UDP Src Port
+ const16(6666), # UDP Dest Port
+ const16(1008), # UDP length (UDP header 8 bytes + payload length)
+ csumudp(14, 34), # UDP checksum
+
+ /* Payload */
+ fill('W', 1000),
+ }
+ EOF
+
+ sudo trafgen -i trafgen.cfg -b3000MB -o veth1 --cpp
+
+Fixes: 4ff320361092 ("igc: Add support for XDP_REDIRECT action")
+Signed-off-by: Florian Kauer <florian.kauer@linutronix.de>
+Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index e9bb403bbacf9..58ffddc6419ad 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -6489,7 +6489,7 @@ static int igc_xdp_xmit(struct net_device *dev, int num_frames,
+ int cpu = smp_processor_id();
+ struct netdev_queue *nq;
+ struct igc_ring *ring;
+- int i, drops;
++ int i, nxmit;
+
+ if (unlikely(!netif_carrier_ok(dev)))
+ return -ENETDOWN;
+@@ -6505,16 +6505,15 @@ static int igc_xdp_xmit(struct net_device *dev, int num_frames,
+ /* Avoid transmit queue timeout since we share it with the slow path */
+ txq_trans_cond_update(nq);
+
+- drops = 0;
++ nxmit = 0;
+ for (i = 0; i < num_frames; i++) {
+ int err;
+ struct xdp_frame *xdpf = frames[i];
+
+ err = igc_xdp_init_tx_descriptor(ring, xdpf);
+- if (err) {
+- xdp_return_frame_rx_napi(xdpf);
+- drops++;
+- }
++ if (err)
++ break;
++ nxmit++;
+ }
+
+ if (flags & XDP_XMIT_FLUSH)
+@@ -6522,7 +6521,7 @@ static int igc_xdp_xmit(struct net_device *dev, int num_frames,
+
+ __netif_tx_unlock(nq);
+
+- return num_frames - drops;
++ return nxmit;
+ }
+
+ static void igc_trigger_rxtxq_interrupt(struct igc_adapter *adapter,
+--
+2.43.0
+
--- /dev/null
+From 84548024e72a6db64634577aee5ae88553586524 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Feb 2024 22:45:51 +0100
+Subject: ixgbe: {dis, en}able irqs in ixgbe_txrx_ring_{dis, en}able
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit cbf996f52c4e658b3fb4349a869a62fd2d4c3c1c ]
+
+Currently routines that are supposed to toggle state of ring pair do not
+take care of associated interrupt with queue vector that these rings
+belong to. This causes funky issues such as dead interface due to irq
+misconfiguration, as per Pavel's report from Closes: tag.
+
+Add a function responsible for disabling single IRQ in EIMC register and
+call this as a very first thing when disabling ring pair during xsk_pool
+setup. For enable let's reuse ixgbe_irq_enable_queues(). Besides this,
+disable/enable NAPI as first/last thing when dealing with closing or
+opening ring pair that xsk_pool is being configured on.
+
+Reported-by: Pavel Vazharov <pavel@x3me.net>
+Closes: https://lore.kernel.org/netdev/CAJEV1ijxNyPTwASJER1bcZzS9nMoZJqfR86nu_3jFFVXzZQ4NA@mail.gmail.com/
+Fixes: 024aa5800f32 ("ixgbe: added Rx/Tx ring disable/enable functions")
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Tested-by: Chandan Kumar Rout <chandanx.rout@intel.com> (A Contingent Worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 56 ++++++++++++++++---
+ 1 file changed, 49 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index 6a3f633406c4b..ce234e76ea236 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -2939,8 +2939,8 @@ static void ixgbe_check_lsc(struct ixgbe_adapter *adapter)
+ static inline void ixgbe_irq_enable_queues(struct ixgbe_adapter *adapter,
+ u64 qmask)
+ {
+- u32 mask;
+ struct ixgbe_hw *hw = &adapter->hw;
++ u32 mask;
+
+ switch (hw->mac.type) {
+ case ixgbe_mac_82598EB:
+@@ -10524,6 +10524,44 @@ static void ixgbe_reset_rxr_stats(struct ixgbe_ring *rx_ring)
+ memset(&rx_ring->rx_stats, 0, sizeof(rx_ring->rx_stats));
+ }
+
++/**
++ * ixgbe_irq_disable_single - Disable single IRQ vector
++ * @adapter: adapter structure
++ * @ring: ring index
++ **/
++static void ixgbe_irq_disable_single(struct ixgbe_adapter *adapter, u32 ring)
++{
++ struct ixgbe_hw *hw = &adapter->hw;
++ u64 qmask = BIT_ULL(ring);
++ u32 mask;
++
++ switch (adapter->hw.mac.type) {
++ case ixgbe_mac_82598EB:
++ mask = qmask & IXGBE_EIMC_RTX_QUEUE;
++ IXGBE_WRITE_REG(&adapter->hw, IXGBE_EIMC, mask);
++ break;
++ case ixgbe_mac_82599EB:
++ case ixgbe_mac_X540:
++ case ixgbe_mac_X550:
++ case ixgbe_mac_X550EM_x:
++ case ixgbe_mac_x550em_a:
++ mask = (qmask & 0xFFFFFFFF);
++ if (mask)
++ IXGBE_WRITE_REG(hw, IXGBE_EIMS_EX(0), mask);
++ mask = (qmask >> 32);
++ if (mask)
++ IXGBE_WRITE_REG(hw, IXGBE_EIMS_EX(1), mask);
++ break;
++ default:
++ break;
++ }
++ IXGBE_WRITE_FLUSH(&adapter->hw);
++ if (adapter->flags & IXGBE_FLAG_MSIX_ENABLED)
++ synchronize_irq(adapter->msix_entries[ring].vector);
++ else
++ synchronize_irq(adapter->pdev->irq);
++}
++
+ /**
+ * ixgbe_txrx_ring_disable - Disable Rx/Tx/XDP Tx rings
+ * @adapter: adapter structure
+@@ -10540,6 +10578,11 @@ void ixgbe_txrx_ring_disable(struct ixgbe_adapter *adapter, int ring)
+ tx_ring = adapter->tx_ring[ring];
+ xdp_ring = adapter->xdp_ring[ring];
+
++ ixgbe_irq_disable_single(adapter, ring);
++
++ /* Rx/Tx/XDP Tx share the same napi context. */
++ napi_disable(&rx_ring->q_vector->napi);
++
+ ixgbe_disable_txr(adapter, tx_ring);
+ if (xdp_ring)
+ ixgbe_disable_txr(adapter, xdp_ring);
+@@ -10548,9 +10591,6 @@ void ixgbe_txrx_ring_disable(struct ixgbe_adapter *adapter, int ring)
+ if (xdp_ring)
+ synchronize_rcu();
+
+- /* Rx/Tx/XDP Tx share the same napi context. */
+- napi_disable(&rx_ring->q_vector->napi);
+-
+ ixgbe_clean_tx_ring(tx_ring);
+ if (xdp_ring)
+ ixgbe_clean_tx_ring(xdp_ring);
+@@ -10578,9 +10618,6 @@ void ixgbe_txrx_ring_enable(struct ixgbe_adapter *adapter, int ring)
+ tx_ring = adapter->tx_ring[ring];
+ xdp_ring = adapter->xdp_ring[ring];
+
+- /* Rx/Tx/XDP Tx share the same napi context. */
+- napi_enable(&rx_ring->q_vector->napi);
+-
+ ixgbe_configure_tx_ring(adapter, tx_ring);
+ if (xdp_ring)
+ ixgbe_configure_tx_ring(adapter, xdp_ring);
+@@ -10589,6 +10626,11 @@ void ixgbe_txrx_ring_enable(struct ixgbe_adapter *adapter, int ring)
+ clear_bit(__IXGBE_TX_DISABLED, &tx_ring->state);
+ if (xdp_ring)
+ clear_bit(__IXGBE_TX_DISABLED, &xdp_ring->state);
++
++ /* Rx/Tx/XDP Tx share the same napi context. */
++ napi_enable(&rx_ring->q_vector->napi);
++ ixgbe_irq_enable_queues(adapter, BIT_ULL(ring));
++ IXGBE_WRITE_FLUSH(&adapter->hw);
+ }
+
+ /**
+--
+2.43.0
+
--- /dev/null
+From b3b8141c29989b67d3f87263614c32f40e0cbc5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:41:35 +0100
+Subject: net: dsa: microchip: fix register write order in ksz8_ind_write8()
+
+From: Tobias Jakobi (Compleo) <tobias.jakobi.compleo@gmail.com>
+
+[ Upstream commit b7fb7729c94fb2d23c79ff44f7a2da089c92d81c ]
+
+This bug was noticed while re-implementing parts of the kernel
+driver in userspace using spidev. The goal was to enable some
+of the errata workarounds that Microchip describes in their
+errata sheet [1].
+
+Both the errata sheet and the regular datasheet of e.g. the KSZ8795
+imply that you need to do this for indirect register accesses:
+- write a 16-bit value to a control register pair (this value
+ consists of the indirect register table, and the offset inside
+ the table)
+- either read or write an 8-bit value from the data storage
+ register (indicated by REG_IND_BYTE in the kernel)
+
+The current implementation has the order swapped. It can be
+proven, by reading back some indirect register with known content
+(the EEE register modified in ksz8_handle_global_errata() is one of
+these), that this implementation does not work.
+
+Private discussion with Oleksij Rempel of Pengutronix has revealed
+that the workaround was apparantly never tested on actual hardware.
+
+[1] https://ww1.microchip.com/downloads/aemDocuments/documents/OTH/ProductDocuments/Errata/KSZ87xx-Errata-DS80000687C.pdf
+
+Signed-off-by: Tobias Jakobi (Compleo) <tobias.jakobi.compleo@gmail.com>
+Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Fixes: 7b6e6235b664 ("net: dsa: microchip: ksz8795: handle eee specif erratum")
+Link: https://lore.kernel.org/r/20240304154135.161332-1-tobias.jakobi.compleo@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/microchip/ksz8795.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c
+index 4bf4d67557dcf..9048d1f196110 100644
+--- a/drivers/net/dsa/microchip/ksz8795.c
++++ b/drivers/net/dsa/microchip/ksz8795.c
+@@ -49,9 +49,9 @@ static int ksz8_ind_write8(struct ksz_device *dev, u8 table, u16 addr, u8 data)
+ mutex_lock(&dev->alu_mutex);
+
+ ctrl_addr = IND_ACC_TABLE(table) | addr;
+- ret = ksz_write8(dev, regs[REG_IND_BYTE], data);
++ ret = ksz_write16(dev, regs[REG_IND_CTRL_0], ctrl_addr);
+ if (!ret)
+- ret = ksz_write16(dev, regs[REG_IND_CTRL_0], ctrl_addr);
++ ret = ksz_write8(dev, regs[REG_IND_BYTE], data);
+
+ mutex_unlock(&dev->alu_mutex);
+
+--
+2.43.0
+
--- /dev/null
+From c228972863e13249563296356366df5e99d30f36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Feb 2024 18:54:48 +0300
+Subject: net: ice: Fix potential NULL pointer dereference in
+ ice_bridge_setlink()
+
+From: Rand Deeb <rand.sec96@gmail.com>
+
+[ Upstream commit 06e456a05d669ca30b224b8ed962421770c1496c ]
+
+The function ice_bridge_setlink() may encounter a NULL pointer dereference
+if nlmsg_find_attr() returns NULL and br_spec is dereferenced subsequently
+in nla_for_each_nested(). To address this issue, add a check to ensure that
+br_spec is not NULL before proceeding with the nested attribute iteration.
+
+Fixes: b1edc14a3fbf ("ice: Implement ice_bridge_getlink and ice_bridge_setlink")
+Signed-off-by: Rand Deeb <rand.sec96@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index adfdea1e2805a..a9cca2d24120a 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -7800,6 +7800,8 @@ ice_bridge_setlink(struct net_device *dev, struct nlmsghdr *nlh,
+ pf_sw = pf->first_sw;
+ /* find the attribute in the netlink message */
+ br_spec = nlmsg_find_attr(nlh, sizeof(struct ifinfomsg), IFLA_AF_SPEC);
++ if (!br_spec)
++ return -EINVAL;
+
+ nla_for_each_nested(attr, br_spec, rem) {
+ __u16 mode;
+--
+2.43.0
+
--- /dev/null
+From d16e225e08f3e0e9ada6c673bc9ec21db18e309e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Mar 2024 14:48:00 +0000
+Subject: net/ipv6: avoid possible UAF in ip6_route_mpath_notify()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 685f7d531264599b3f167f1e94bbd22f120e5fab ]
+
+syzbot found another use-after-free in ip6_route_mpath_notify() [1]
+
+Commit f7225172f25a ("net/ipv6: prevent use after free in
+ip6_route_mpath_notify") was not able to fix the root cause.
+
+We need to defer the fib6_info_release() calls after
+ip6_route_mpath_notify(), in the cleanup phase.
+
+[1]
+BUG: KASAN: slab-use-after-free in rt6_fill_node+0x1460/0x1ac0
+Read of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037
+
+CPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:377 [inline]
+ print_report+0x167/0x540 mm/kasan/report.c:488
+ kasan_report+0x142/0x180 mm/kasan/report.c:601
+ rt6_fill_node+0x1460/0x1ac0
+ inet6_rt_notify+0x13b/0x290 net/ipv6/route.c:6184
+ ip6_route_mpath_notify net/ipv6/route.c:5198 [inline]
+ ip6_route_multipath_add net/ipv6/route.c:5404 [inline]
+ inet6_rtm_newroute+0x1d0f/0x2300 net/ipv6/route.c:5517
+ rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597
+ netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
+ netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
+ netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
+ netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg+0x221/0x270 net/socket.c:745
+ ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
+ ___sys_sendmsg net/socket.c:2638 [inline]
+ __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
+ do_syscall_64+0xf9/0x240
+ entry_SYSCALL_64_after_hwframe+0x6f/0x77
+RIP: 0033:0x7f73dd87dda9
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f73de6550c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007f73dd9ac050 RCX: 00007f73dd87dda9
+RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
+RBP: 00007f73dd8ca47a R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 000000000000006e R14: 00007f73dd9ac050 R15: 00007ffdbdeb7858
+ </TASK>
+
+Allocated by task 23037:
+ kasan_save_stack mm/kasan/common.c:47 [inline]
+ kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
+ poison_kmalloc_redzone mm/kasan/common.c:372 [inline]
+ __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:389
+ kasan_kmalloc include/linux/kasan.h:211 [inline]
+ __do_kmalloc_node mm/slub.c:3981 [inline]
+ __kmalloc+0x22e/0x490 mm/slub.c:3994
+ kmalloc include/linux/slab.h:594 [inline]
+ kzalloc include/linux/slab.h:711 [inline]
+ fib6_info_alloc+0x2e/0xf0 net/ipv6/ip6_fib.c:155
+ ip6_route_info_create+0x445/0x12b0 net/ipv6/route.c:3758
+ ip6_route_multipath_add net/ipv6/route.c:5298 [inline]
+ inet6_rtm_newroute+0x744/0x2300 net/ipv6/route.c:5517
+ rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597
+ netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
+ netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
+ netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
+ netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg+0x221/0x270 net/socket.c:745
+ ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
+ ___sys_sendmsg net/socket.c:2638 [inline]
+ __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
+ do_syscall_64+0xf9/0x240
+ entry_SYSCALL_64_after_hwframe+0x6f/0x77
+
+Freed by task 16:
+ kasan_save_stack mm/kasan/common.c:47 [inline]
+ kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
+ kasan_save_free_info+0x4e/0x60 mm/kasan/generic.c:640
+ poison_slab_object+0xa6/0xe0 mm/kasan/common.c:241
+ __kasan_slab_free+0x34/0x70 mm/kasan/common.c:257
+ kasan_slab_free include/linux/kasan.h:184 [inline]
+ slab_free_hook mm/slub.c:2121 [inline]
+ slab_free mm/slub.c:4299 [inline]
+ kfree+0x14a/0x380 mm/slub.c:4409
+ rcu_do_batch kernel/rcu/tree.c:2190 [inline]
+ rcu_core+0xd76/0x1810 kernel/rcu/tree.c:2465
+ __do_softirq+0x2bb/0x942 kernel/softirq.c:553
+
+Last potentially related work creation:
+ kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
+ __kasan_record_aux_stack+0xae/0x100 mm/kasan/generic.c:586
+ __call_rcu_common kernel/rcu/tree.c:2715 [inline]
+ call_rcu+0x167/0xa80 kernel/rcu/tree.c:2829
+ fib6_info_release include/net/ip6_fib.h:341 [inline]
+ ip6_route_multipath_add net/ipv6/route.c:5344 [inline]
+ inet6_rtm_newroute+0x114d/0x2300 net/ipv6/route.c:5517
+ rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597
+ netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
+ netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
+ netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
+ netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg+0x221/0x270 net/socket.c:745
+ ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
+ ___sys_sendmsg net/socket.c:2638 [inline]
+ __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
+ do_syscall_64+0xf9/0x240
+ entry_SYSCALL_64_after_hwframe+0x6f/0x77
+
+The buggy address belongs to the object at ffff88809a07fc00
+ which belongs to the cache kmalloc-512 of size 512
+The buggy address is located 100 bytes inside of
+ freed 512-byte region [ffff88809a07fc00, ffff88809a07fe00)
+
+The buggy address belongs to the physical page:
+page:ffffea0002681f00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9a07c
+head:ffffea0002681f00 order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
+page_type: 0xffffffff()
+raw: 00fff00000000840 ffff888014c41c80 dead000000000122 0000000000000000
+raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 23028, tgid 23027 (syz-executor.4), ts 2340253595219, free_ts 2339107097036
+ set_page_owner include/linux/page_owner.h:31 [inline]
+ post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533
+ prep_new_page mm/page_alloc.c:1540 [inline]
+ get_page_from_freelist+0x33ea/0x3580 mm/page_alloc.c:3311
+ __alloc_pages+0x255/0x680 mm/page_alloc.c:4567
+ __alloc_pages_node include/linux/gfp.h:238 [inline]
+ alloc_pages_node include/linux/gfp.h:261 [inline]
+ alloc_slab_page+0x5f/0x160 mm/slub.c:2190
+ allocate_slab mm/slub.c:2354 [inline]
+ new_slab+0x84/0x2f0 mm/slub.c:2407
+ ___slab_alloc+0xd17/0x13e0 mm/slub.c:3540
+ __slab_alloc mm/slub.c:3625 [inline]
+ __slab_alloc_node mm/slub.c:3678 [inline]
+ slab_alloc_node mm/slub.c:3850 [inline]
+ __do_kmalloc_node mm/slub.c:3980 [inline]
+ __kmalloc+0x2e0/0x490 mm/slub.c:3994
+ kmalloc include/linux/slab.h:594 [inline]
+ kzalloc include/linux/slab.h:711 [inline]
+ new_dir fs/proc/proc_sysctl.c:956 [inline]
+ get_subdir fs/proc/proc_sysctl.c:1000 [inline]
+ sysctl_mkdir_p fs/proc/proc_sysctl.c:1295 [inline]
+ __register_sysctl_table+0xb30/0x1440 fs/proc/proc_sysctl.c:1376
+ neigh_sysctl_register+0x416/0x500 net/core/neighbour.c:3859
+ devinet_sysctl_register+0xaf/0x1f0 net/ipv4/devinet.c:2644
+ inetdev_init+0x296/0x4d0 net/ipv4/devinet.c:286
+ inetdev_event+0x338/0x15c0 net/ipv4/devinet.c:1555
+ notifier_call_chain+0x18f/0x3b0 kernel/notifier.c:93
+ call_netdevice_notifiers_extack net/core/dev.c:1987 [inline]
+ call_netdevice_notifiers net/core/dev.c:2001 [inline]
+ register_netdevice+0x15b2/0x1a20 net/core/dev.c:10340
+ br_dev_newlink+0x27/0x100 net/bridge/br_netlink.c:1563
+ rtnl_newlink_create net/core/rtnetlink.c:3497 [inline]
+ __rtnl_newlink net/core/rtnetlink.c:3717 [inline]
+ rtnl_newlink+0x158f/0x20a0 net/core/rtnetlink.c:3730
+page last free pid 11583 tgid 11583 stack trace:
+ reset_page_owner include/linux/page_owner.h:24 [inline]
+ free_pages_prepare mm/page_alloc.c:1140 [inline]
+ free_unref_page_prepare+0x968/0xa90 mm/page_alloc.c:2346
+ free_unref_page+0x37/0x3f0 mm/page_alloc.c:2486
+ kasan_depopulate_vmalloc_pte+0x74/0x90 mm/kasan/shadow.c:415
+ apply_to_pte_range mm/memory.c:2619 [inline]
+ apply_to_pmd_range mm/memory.c:2663 [inline]
+ apply_to_pud_range mm/memory.c:2699 [inline]
+ apply_to_p4d_range mm/memory.c:2735 [inline]
+ __apply_to_page_range+0x8ec/0xe40 mm/memory.c:2769
+ kasan_release_vmalloc+0x9a/0xb0 mm/kasan/shadow.c:532
+ __purge_vmap_area_lazy+0x163f/0x1a10 mm/vmalloc.c:1770
+ drain_vmap_area_work+0x40/0xd0 mm/vmalloc.c:1804
+ process_one_work kernel/workqueue.c:2633 [inline]
+ process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706
+ worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787
+ kthread+0x2ef/0x390 kernel/kthread.c:388
+ ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
+
+Memory state around the buggy address:
+ ffff88809a07fb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff88809a07fb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff88809a07fc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff88809a07fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff88809a07fd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+Fixes: 3b1137fe7482 ("net: ipv6: Change notifications for multipath add to RTA_MULTIPATH")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20240303144801.702646-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/route.c | 21 +++++++--------------
+ 1 file changed, 7 insertions(+), 14 deletions(-)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index ea1dec8448fce..ef815ba583a8f 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -5332,19 +5332,7 @@ static int ip6_route_multipath_add(struct fib6_config *cfg,
+ err_nh = NULL;
+ list_for_each_entry(nh, &rt6_nh_list, next) {
+ err = __ip6_ins_rt(nh->fib6_info, info, extack);
+- fib6_info_release(nh->fib6_info);
+-
+- if (!err) {
+- /* save reference to last route successfully inserted */
+- rt_last = nh->fib6_info;
+-
+- /* save reference to first route for notification */
+- if (!rt_notif)
+- rt_notif = nh->fib6_info;
+- }
+
+- /* nh->fib6_info is used or freed at this point, reset to NULL*/
+- nh->fib6_info = NULL;
+ if (err) {
+ if (replace && nhn)
+ NL_SET_ERR_MSG_MOD(extack,
+@@ -5352,6 +5340,12 @@ static int ip6_route_multipath_add(struct fib6_config *cfg,
+ err_nh = nh;
+ goto add_errout;
+ }
++ /* save reference to last route successfully inserted */
++ rt_last = nh->fib6_info;
++
++ /* save reference to first route for notification */
++ if (!rt_notif)
++ rt_notif = nh->fib6_info;
+
+ /* Because each route is added like a single route we remove
+ * these flags after the first nexthop: if there is a collision,
+@@ -5412,8 +5406,7 @@ static int ip6_route_multipath_add(struct fib6_config *cfg,
+
+ cleanup:
+ list_for_each_entry_safe(nh, nh_safe, &rt6_nh_list, next) {
+- if (nh->fib6_info)
+- fib6_info_release(nh->fib6_info);
++ fib6_info_release(nh->fib6_info);
+ list_del(&nh->next);
+ kfree(nh);
+ }
+--
+2.43.0
+
--- /dev/null
+From 862ebd8c92f0458437e7717cc6ac576fb9d91a7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Feb 2024 13:45:17 +0100
+Subject: net: lan78xx: fix runtime PM count underflow on link stop
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit 1eecc7ab82c42133b748e1895275942a054a7f67 ]
+
+Current driver has some asymmetry in the runtime PM calls. On lan78xx_open()
+it will call usb_autopm_get() and unconditionally usb_autopm_put(). And
+on lan78xx_stop() it will call only usb_autopm_put(). So far, it was
+working only because this driver do not activate autosuspend by default,
+so it was visible only by warning "Runtime PM usage count underflow!".
+
+Since, with current driver, we can't use runtime PM with active link,
+execute lan78xx_open()->usb_autopm_put() only in error case. Otherwise,
+keep ref counting high as long as interface is open.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/lan78xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index a2dde84499fdd..f0fb9cd1ff56c 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -3137,7 +3137,8 @@ static int lan78xx_open(struct net_device *net)
+ done:
+ mutex_unlock(&dev->dev_mutex);
+
+- usb_autopm_put_interface(dev->intf);
++ if (ret < 0)
++ usb_autopm_put_interface(dev->intf);
+
+ return ret;
+ }
+--
+2.43.0
+
--- /dev/null
+From 5e933e4b0a882e9134c1ddc3ff8dce95fe20eda5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Jan 2024 20:43:58 +0200
+Subject: net/mlx5: Check capability for fw_reset
+
+From: Moshe Shemesh <moshe@nvidia.com>
+
+[ Upstream commit 5e6107b499f3fc4748109e1d87fd9603b34f1e0d ]
+
+Functions which can't access MFRL (Management Firmware Reset Level)
+register, have no use of fw_reset structures or events. Remove fw_reset
+structures allocation and registration for fw reset events notifications
+for these functions.
+
+Having the devlink param enable_remote_dev_reset on functions that don't
+have this capability is misleading as these functions are not allowed to
+influence the reset flow. Hence, this patch removes this parameter for
+such functions.
+
+In addition, return not supported on devlink reload action fw_activate
+for these functions.
+
+Fixes: 38b9f903f22b ("net/mlx5: Handle sync reset request event")
+Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
+Reviewed-by: Aya Levin <ayal@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/devlink.c | 6 +++++
+ .../ethernet/mellanox/mlx5/core/fw_reset.c | 22 +++++++++++++++++--
+ include/linux/mlx5/mlx5_ifc.h | 4 +++-
+ 3 files changed, 29 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/devlink.c b/drivers/net/ethernet/mellanox/mlx5/core/devlink.c
+index 3e064234f6fe9..98d4306929f3e 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/devlink.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/devlink.c
+@@ -157,6 +157,12 @@ static int mlx5_devlink_reload_down(struct devlink *devlink, bool netns_change,
+ return -EOPNOTSUPP;
+ }
+
++ if (action == DEVLINK_RELOAD_ACTION_FW_ACTIVATE &&
++ !dev->priv.fw_reset) {
++ NL_SET_ERR_MSG_MOD(extack, "FW activate is unsupported for this function");
++ return -EOPNOTSUPP;
++ }
++
+ if (mlx5_core_is_pf(dev) && pci_num_vf(pdev))
+ NL_SET_ERR_MSG_MOD(extack, "reload while VFs are present is unfavorable");
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
+index c4e19d627da21..3a9cdf79403ae 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
+@@ -679,19 +679,30 @@ void mlx5_fw_reset_events_start(struct mlx5_core_dev *dev)
+ {
+ struct mlx5_fw_reset *fw_reset = dev->priv.fw_reset;
+
++ if (!fw_reset)
++ return;
++
+ MLX5_NB_INIT(&fw_reset->nb, fw_reset_event_notifier, GENERAL_EVENT);
+ mlx5_eq_notifier_register(dev, &fw_reset->nb);
+ }
+
+ void mlx5_fw_reset_events_stop(struct mlx5_core_dev *dev)
+ {
+- mlx5_eq_notifier_unregister(dev, &dev->priv.fw_reset->nb);
++ struct mlx5_fw_reset *fw_reset = dev->priv.fw_reset;
++
++ if (!fw_reset)
++ return;
++
++ mlx5_eq_notifier_unregister(dev, &fw_reset->nb);
+ }
+
+ void mlx5_drain_fw_reset(struct mlx5_core_dev *dev)
+ {
+ struct mlx5_fw_reset *fw_reset = dev->priv.fw_reset;
+
++ if (!fw_reset)
++ return;
++
+ set_bit(MLX5_FW_RESET_FLAGS_DROP_NEW_REQUESTS, &fw_reset->reset_flags);
+ cancel_work_sync(&fw_reset->fw_live_patch_work);
+ cancel_work_sync(&fw_reset->reset_request_work);
+@@ -709,9 +720,13 @@ static const struct devlink_param mlx5_fw_reset_devlink_params[] = {
+
+ int mlx5_fw_reset_init(struct mlx5_core_dev *dev)
+ {
+- struct mlx5_fw_reset *fw_reset = kzalloc(sizeof(*fw_reset), GFP_KERNEL);
++ struct mlx5_fw_reset *fw_reset;
+ int err;
+
++ if (!MLX5_CAP_MCAM_REG(dev, mfrl))
++ return 0;
++
++ fw_reset = kzalloc(sizeof(*fw_reset), GFP_KERNEL);
+ if (!fw_reset)
+ return -ENOMEM;
+ fw_reset->wq = create_singlethread_workqueue("mlx5_fw_reset_events");
+@@ -747,6 +762,9 @@ void mlx5_fw_reset_cleanup(struct mlx5_core_dev *dev)
+ {
+ struct mlx5_fw_reset *fw_reset = dev->priv.fw_reset;
+
++ if (!fw_reset)
++ return;
++
+ devl_params_unregister(priv_to_devlink(dev),
+ mlx5_fw_reset_devlink_params,
+ ARRAY_SIZE(mlx5_fw_reset_devlink_params));
+diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h
+index 77cd2e13724e7..bfc8320fb46cb 100644
+--- a/include/linux/mlx5/mlx5_ifc.h
++++ b/include/linux/mlx5/mlx5_ifc.h
+@@ -10215,7 +10215,9 @@ struct mlx5_ifc_mcam_access_reg_bits {
+
+ u8 regs_63_to_46[0x12];
+ u8 mrtc[0x1];
+- u8 regs_44_to_32[0xd];
++ u8 regs_44_to_41[0x4];
++ u8 mfrl[0x1];
++ u8 regs_39_to_32[0x8];
+
+ u8 regs_31_to_10[0x16];
+ u8 mtmp[0x1];
+--
+2.43.0
+
--- /dev/null
+From 36efe37c461c4f3701e1ced4e1014478334b4d8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Jan 2024 01:27:47 +0000
+Subject: net/mlx5: E-switch, Change flow rule destination checking
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 85ea2c5c5ef5f24fe6e6e7028ddd90be1cb5d27e ]
+
+The checking in the cited commit is not accurate. In the common case,
+VF destination is internal, and uplink destination is external.
+However, uplink destination with packet reformat is considered as
+internal because firmware uses LB+hairpin to support it. Update the
+checking so header rewrite rules with both internal and external
+destinations are not allowed.
+
+Fixes: e0e22d59b47a ("net/mlx5: E-switch, Add checking for flow rule destinations")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mellanox/mlx5/core/eswitch_offloads.c | 23 +++++++++++--------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+index 14b3bd3c5e2f7..baaae628b0a0f 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+@@ -535,21 +535,26 @@ esw_src_port_rewrite_supported(struct mlx5_eswitch *esw)
+ }
+
+ static bool
+-esw_dests_to_vf_pf_vports(struct mlx5_flow_destination *dests, int max_dest)
++esw_dests_to_int_external(struct mlx5_flow_destination *dests, int max_dest)
+ {
+- bool vf_dest = false, pf_dest = false;
++ bool internal_dest = false, external_dest = false;
+ int i;
+
+ for (i = 0; i < max_dest; i++) {
+- if (dests[i].type != MLX5_FLOW_DESTINATION_TYPE_VPORT)
++ if (dests[i].type != MLX5_FLOW_DESTINATION_TYPE_VPORT &&
++ dests[i].type != MLX5_FLOW_DESTINATION_TYPE_UPLINK)
+ continue;
+
+- if (dests[i].vport.num == MLX5_VPORT_UPLINK)
+- pf_dest = true;
++ /* Uplink dest is external, but considered as internal
++ * if there is reformat because firmware uses LB+hairpin to support it.
++ */
++ if (dests[i].vport.num == MLX5_VPORT_UPLINK &&
++ !(dests[i].vport.flags & MLX5_FLOW_DEST_VPORT_REFORMAT_ID))
++ external_dest = true;
+ else
+- vf_dest = true;
++ internal_dest = true;
+
+- if (vf_dest && pf_dest)
++ if (internal_dest && external_dest)
+ return true;
+ }
+
+@@ -695,9 +700,9 @@ mlx5_eswitch_add_offloaded_rule(struct mlx5_eswitch *esw,
+
+ /* Header rewrite with combined wire+loopback in FDB is not allowed */
+ if ((flow_act.action & MLX5_FLOW_CONTEXT_ACTION_MOD_HDR) &&
+- esw_dests_to_vf_pf_vports(dest, i)) {
++ esw_dests_to_int_external(dest, i)) {
+ esw_warn(esw->dev,
+- "FDB: Header rewrite with forwarding to both PF and VF is not allowed\n");
++ "FDB: Header rewrite with forwarding to both internal and external dests is not allowed\n");
+ rule = ERR_PTR(-EINVAL);
+ goto err_esw_get;
+ }
+--
+2.43.0
+
--- /dev/null
+From 25804644171ec00b8f8759f4ea5125285bba5a2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jan 2024 20:13:34 +0200
+Subject: net/mlx5: Fix fw reporter diagnose output
+
+From: Aya Levin <ayal@nvidia.com>
+
+[ Upstream commit ac8082a3c7a158640a2c493ec437dd9da881a6a7 ]
+
+Restore fw reporter diagnose to print the syndrome even if it is zero.
+Following the cited commit, in this case (syndrome == 0) command returns no
+output at all.
+
+This fix restores command output in case syndrome is cleared:
+$ devlink health diagnose pci/0000:82:00.0 reporter fw
+ Syndrome: 0
+
+Fixes: d17f98bf7cc9 ("net/mlx5: devlink health: use retained error fmsg API")
+Signed-off-by: Aya Levin <ayal@nvidia.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/health.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/health.c b/drivers/net/ethernet/mellanox/mlx5/core/health.c
+index 8ff6dc9bc8033..b5c709bba1553 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/health.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/health.c
+@@ -452,10 +452,10 @@ mlx5_fw_reporter_diagnose(struct devlink_health_reporter *reporter,
+ struct health_buffer __iomem *h = health->health;
+ u8 synd = ioread8(&h->synd);
+
++ devlink_fmsg_u8_pair_put(fmsg, "Syndrome", synd);
+ if (!synd)
+ return 0;
+
+- devlink_fmsg_u8_pair_put(fmsg, "Syndrome", synd);
+ devlink_fmsg_string_pair_put(fmsg, "Description", hsynd_str(synd));
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 16083daad7e19fdc74002d7b0c116b81043ea7bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Dec 2023 01:47:05 +0000
+Subject: net/mlx5e: Change the warning when ignore_flow_level is not supported
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit dd238b702064b21d25b4fc39a19699319746d655 ]
+
+Downgrade the print from mlx5_core_warn() to mlx5_core_dbg(), as it
+is just a statement of fact that firmware doesn't support ignore flow
+level.
+
+And change the wording to "firmware flow level support is missing", to
+make it more accurate.
+
+Fixes: ae2ee3be99a8 ("net/mlx5: CT: Remove warning of ignore_flow_level support for VFs")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Suggested-by: Elliott, Robert (Servers) <elliott@hpe.com>
+Reviewed-by: Roi Dayan <roid@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/tc/post_act.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc/post_act.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc/post_act.c
+index 86bf007fd05b7..b500cc2c9689d 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc/post_act.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc/post_act.c
+@@ -37,7 +37,7 @@ mlx5e_tc_post_act_init(struct mlx5e_priv *priv, struct mlx5_fs_chains *chains,
+
+ if (!MLX5_CAP_FLOWTABLE_TYPE(priv->mdev, ignore_flow_level, table_type)) {
+ if (priv->mdev->coredev_type == MLX5_COREDEV_PF)
+- mlx5_core_warn(priv->mdev, "firmware level support is missing\n");
++ mlx5_core_dbg(priv->mdev, "firmware flow level support is missing\n");
+ err = -EOPNOTSUPP;
+ goto err_check;
+ }
+--
+2.43.0
+
--- /dev/null
+From 48e66d4c37aa9b64e306889d193f9ca03bbf6a0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 17:03:03 +0200
+Subject: net/mlx5e: Fix MACsec state loss upon state update in offload path
+
+From: Emeel Hakim <ehakim@nvidia.com>
+
+[ Upstream commit a71f2147b64941efee156bfda54fd6461d0f95df ]
+
+The packet number attribute of the SA is incremented by the device rather
+than the software stack when enabling hardware offload. Because the packet
+number attribute is managed by the hardware, the software has no insight
+into the value of the packet number attribute actually written by the
+device.
+
+Previously when MACsec offload was enabled, the hardware object for
+handling the offload was destroyed when the SA was disabled. Re-enabling
+the SA would lead to a new hardware object being instantiated. This new
+hardware object would not have any recollection of the correct packet
+number for the SA. Instead, destroy the flow steering rule when
+deactivating the SA and recreate it upon reactivation, preserving the
+original hardware object.
+
+Fixes: 8ff0ac5be144 ("net/mlx5: Add MACsec offload Tx command support")
+Signed-off-by: Emeel Hakim <ehakim@nvidia.com>
+Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Reviewed-by: Gal Pressman <gal@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mellanox/mlx5/core/en_accel/macsec.c | 82 ++++++++++++-------
+ 1 file changed, 51 insertions(+), 31 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
+index d4ebd87431145..b2cabd6ab86cb 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
+@@ -310,9 +310,9 @@ static void mlx5e_macsec_destroy_object(struct mlx5_core_dev *mdev, u32 macsec_o
+ mlx5_cmd_exec(mdev, in, sizeof(in), out, sizeof(out));
+ }
+
+-static void mlx5e_macsec_cleanup_sa(struct mlx5e_macsec *macsec,
+- struct mlx5e_macsec_sa *sa,
+- bool is_tx, struct net_device *netdev, u32 fs_id)
++static void mlx5e_macsec_cleanup_sa_fs(struct mlx5e_macsec *macsec,
++ struct mlx5e_macsec_sa *sa, bool is_tx,
++ struct net_device *netdev, u32 fs_id)
+ {
+ int action = (is_tx) ? MLX5_ACCEL_MACSEC_ACTION_ENCRYPT :
+ MLX5_ACCEL_MACSEC_ACTION_DECRYPT;
+@@ -322,20 +322,49 @@ static void mlx5e_macsec_cleanup_sa(struct mlx5e_macsec *macsec,
+
+ mlx5_macsec_fs_del_rule(macsec->mdev->macsec_fs, sa->macsec_rule, action, netdev,
+ fs_id);
+- mlx5e_macsec_destroy_object(macsec->mdev, sa->macsec_obj_id);
+ sa->macsec_rule = NULL;
+ }
+
++static void mlx5e_macsec_cleanup_sa(struct mlx5e_macsec *macsec,
++ struct mlx5e_macsec_sa *sa, bool is_tx,
++ struct net_device *netdev, u32 fs_id)
++{
++ mlx5e_macsec_cleanup_sa_fs(macsec, sa, is_tx, netdev, fs_id);
++ mlx5e_macsec_destroy_object(macsec->mdev, sa->macsec_obj_id);
++}
++
++static int mlx5e_macsec_init_sa_fs(struct macsec_context *ctx,
++ struct mlx5e_macsec_sa *sa, bool encrypt,
++ bool is_tx, u32 *fs_id)
++{
++ struct mlx5e_priv *priv = macsec_netdev_priv(ctx->netdev);
++ struct mlx5_macsec_fs *macsec_fs = priv->mdev->macsec_fs;
++ struct mlx5_macsec_rule_attrs rule_attrs;
++ union mlx5_macsec_rule *macsec_rule;
++
++ rule_attrs.macsec_obj_id = sa->macsec_obj_id;
++ rule_attrs.sci = sa->sci;
++ rule_attrs.assoc_num = sa->assoc_num;
++ rule_attrs.action = (is_tx) ? MLX5_ACCEL_MACSEC_ACTION_ENCRYPT :
++ MLX5_ACCEL_MACSEC_ACTION_DECRYPT;
++
++ macsec_rule = mlx5_macsec_fs_add_rule(macsec_fs, ctx, &rule_attrs, fs_id);
++ if (!macsec_rule)
++ return -ENOMEM;
++
++ sa->macsec_rule = macsec_rule;
++
++ return 0;
++}
++
+ static int mlx5e_macsec_init_sa(struct macsec_context *ctx,
+ struct mlx5e_macsec_sa *sa,
+ bool encrypt, bool is_tx, u32 *fs_id)
+ {
+ struct mlx5e_priv *priv = macsec_netdev_priv(ctx->netdev);
+ struct mlx5e_macsec *macsec = priv->macsec;
+- struct mlx5_macsec_rule_attrs rule_attrs;
+ struct mlx5_core_dev *mdev = priv->mdev;
+ struct mlx5_macsec_obj_attrs obj_attrs;
+- union mlx5_macsec_rule *macsec_rule;
+ int err;
+
+ obj_attrs.next_pn = sa->next_pn;
+@@ -357,20 +386,12 @@ static int mlx5e_macsec_init_sa(struct macsec_context *ctx,
+ if (err)
+ return err;
+
+- rule_attrs.macsec_obj_id = sa->macsec_obj_id;
+- rule_attrs.sci = sa->sci;
+- rule_attrs.assoc_num = sa->assoc_num;
+- rule_attrs.action = (is_tx) ? MLX5_ACCEL_MACSEC_ACTION_ENCRYPT :
+- MLX5_ACCEL_MACSEC_ACTION_DECRYPT;
+-
+- macsec_rule = mlx5_macsec_fs_add_rule(mdev->macsec_fs, ctx, &rule_attrs, fs_id);
+- if (!macsec_rule) {
+- err = -ENOMEM;
+- goto destroy_macsec_object;
++ if (sa->active) {
++ err = mlx5e_macsec_init_sa_fs(ctx, sa, encrypt, is_tx, fs_id);
++ if (err)
++ goto destroy_macsec_object;
+ }
+
+- sa->macsec_rule = macsec_rule;
+-
+ return 0;
+
+ destroy_macsec_object:
+@@ -526,9 +547,7 @@ static int mlx5e_macsec_add_txsa(struct macsec_context *ctx)
+ goto destroy_sa;
+
+ macsec_device->tx_sa[assoc_num] = tx_sa;
+- if (!secy->operational ||
+- assoc_num != tx_sc->encoding_sa ||
+- !tx_sa->active)
++ if (!secy->operational)
+ goto out;
+
+ err = mlx5e_macsec_init_sa(ctx, tx_sa, tx_sc->encrypt, true, NULL);
+@@ -595,7 +614,7 @@ static int mlx5e_macsec_upd_txsa(struct macsec_context *ctx)
+ goto out;
+
+ if (ctx_tx_sa->active) {
+- err = mlx5e_macsec_init_sa(ctx, tx_sa, tx_sc->encrypt, true, NULL);
++ err = mlx5e_macsec_init_sa_fs(ctx, tx_sa, tx_sc->encrypt, true, NULL);
+ if (err)
+ goto out;
+ } else {
+@@ -604,7 +623,7 @@ static int mlx5e_macsec_upd_txsa(struct macsec_context *ctx)
+ goto out;
+ }
+
+- mlx5e_macsec_cleanup_sa(macsec, tx_sa, true, ctx->secy->netdev, 0);
++ mlx5e_macsec_cleanup_sa_fs(macsec, tx_sa, true, ctx->secy->netdev, 0);
+ }
+ out:
+ mutex_unlock(&macsec->lock);
+@@ -1030,8 +1049,9 @@ static int mlx5e_macsec_del_rxsa(struct macsec_context *ctx)
+ goto out;
+ }
+
+- mlx5e_macsec_cleanup_sa(macsec, rx_sa, false, ctx->secy->netdev,
+- rx_sc->sc_xarray_element->fs_id);
++ if (rx_sa->active)
++ mlx5e_macsec_cleanup_sa(macsec, rx_sa, false, ctx->secy->netdev,
++ rx_sc->sc_xarray_element->fs_id);
+ mlx5_destroy_encryption_key(macsec->mdev, rx_sa->enc_key_id);
+ kfree(rx_sa);
+ rx_sc->rx_sa[assoc_num] = NULL;
+@@ -1112,8 +1132,8 @@ static int macsec_upd_secy_hw_address(struct macsec_context *ctx,
+ if (!rx_sa || !rx_sa->macsec_rule)
+ continue;
+
+- mlx5e_macsec_cleanup_sa(macsec, rx_sa, false, ctx->secy->netdev,
+- rx_sc->sc_xarray_element->fs_id);
++ mlx5e_macsec_cleanup_sa_fs(macsec, rx_sa, false, ctx->secy->netdev,
++ rx_sc->sc_xarray_element->fs_id);
+ }
+ }
+
+@@ -1124,8 +1144,8 @@ static int macsec_upd_secy_hw_address(struct macsec_context *ctx,
+ continue;
+
+ if (rx_sa->active) {
+- err = mlx5e_macsec_init_sa(ctx, rx_sa, true, false,
+- &rx_sc->sc_xarray_element->fs_id);
++ err = mlx5e_macsec_init_sa_fs(ctx, rx_sa, true, false,
++ &rx_sc->sc_xarray_element->fs_id);
+ if (err)
+ goto out;
+ }
+@@ -1178,7 +1198,7 @@ static int mlx5e_macsec_upd_secy(struct macsec_context *ctx)
+ if (!tx_sa)
+ continue;
+
+- mlx5e_macsec_cleanup_sa(macsec, tx_sa, true, ctx->secy->netdev, 0);
++ mlx5e_macsec_cleanup_sa_fs(macsec, tx_sa, true, ctx->secy->netdev, 0);
+ }
+
+ for (i = 0; i < MACSEC_NUM_AN; ++i) {
+@@ -1187,7 +1207,7 @@ static int mlx5e_macsec_upd_secy(struct macsec_context *ctx)
+ continue;
+
+ if (tx_sa->assoc_num == tx_sc->encoding_sa && tx_sa->active) {
+- err = mlx5e_macsec_init_sa(ctx, tx_sa, tx_sc->encrypt, true, NULL);
++ err = mlx5e_macsec_init_sa_fs(ctx, tx_sa, tx_sc->encrypt, true, NULL);
+ if (err)
+ goto out;
+ }
+--
+2.43.0
+
--- /dev/null
+From bbab7fcf4835750265288e9840537d5db7a7beda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Feb 2024 15:09:34 -0800
+Subject: net/mlx5e: Switch to using _bh variant of of spinlock API in port
+ timestamping NAPI poll context
+
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+
+[ Upstream commit 90502d433c0e7e5483745a574cb719dd5d05b10c ]
+
+The NAPI poll context is a softirq context. Do not use normal spinlock API
+in this context to prevent concurrency issues.
+
+Fixes: 3178308ad4ca ("net/mlx5e: Make tx_port_ts logic resilient to out-of-order CQEs")
+Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+CC: Vadim Fedorenko <vadfed@meta.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c b/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c
+index 803035d4e5976..15d97c685ad33 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c
+@@ -42,9 +42,9 @@ mlx5e_ptp_port_ts_cqe_list_add(struct mlx5e_ptp_port_ts_cqe_list *list, u8 metad
+
+ WARN_ON_ONCE(tracker->inuse);
+ tracker->inuse = true;
+- spin_lock(&list->tracker_list_lock);
++ spin_lock_bh(&list->tracker_list_lock);
+ list_add_tail(&tracker->entry, &list->tracker_list_head);
+- spin_unlock(&list->tracker_list_lock);
++ spin_unlock_bh(&list->tracker_list_lock);
+ }
+
+ static void
+@@ -54,9 +54,9 @@ mlx5e_ptp_port_ts_cqe_list_remove(struct mlx5e_ptp_port_ts_cqe_list *list, u8 me
+
+ WARN_ON_ONCE(!tracker->inuse);
+ tracker->inuse = false;
+- spin_lock(&list->tracker_list_lock);
++ spin_lock_bh(&list->tracker_list_lock);
+ list_del(&tracker->entry);
+- spin_unlock(&list->tracker_list_lock);
++ spin_unlock_bh(&list->tracker_list_lock);
+ }
+
+ void mlx5e_ptpsq_track_metadata(struct mlx5e_ptpsq *ptpsq, u8 metadata)
+@@ -155,7 +155,7 @@ static void mlx5e_ptpsq_mark_ts_cqes_undelivered(struct mlx5e_ptpsq *ptpsq,
+ struct mlx5e_ptp_metadata_map *metadata_map = &ptpsq->metadata_map;
+ struct mlx5e_ptp_port_ts_cqe_tracker *pos, *n;
+
+- spin_lock(&cqe_list->tracker_list_lock);
++ spin_lock_bh(&cqe_list->tracker_list_lock);
+ list_for_each_entry_safe(pos, n, &cqe_list->tracker_list_head, entry) {
+ struct sk_buff *skb =
+ mlx5e_ptp_metadata_map_lookup(metadata_map, pos->metadata_id);
+@@ -170,7 +170,7 @@ static void mlx5e_ptpsq_mark_ts_cqes_undelivered(struct mlx5e_ptpsq *ptpsq,
+ pos->inuse = false;
+ list_del(&pos->entry);
+ }
+- spin_unlock(&cqe_list->tracker_list_lock);
++ spin_unlock_bh(&cqe_list->tracker_list_lock);
+ }
+
+ #define PTP_WQE_CTR2IDX(val) ((val) & ptpsq->ts_cqe_ctr_mask)
+--
+2.43.0
+
--- /dev/null
+From d2051c4859b0c6e12d23b728273d867371b91bc5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Feb 2024 13:12:28 -0800
+Subject: net/mlx5e: Use a memory barrier to enforce PTP WQ xmit submission
+ tracking occurs after populating the metadata_map
+
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+
+[ Upstream commit b7cf07586c40f926063d4d09f7de28ff82f62b2a ]
+
+Just simply reordering the functions mlx5e_ptp_metadata_map_put and
+mlx5e_ptpsq_track_metadata in the mlx5e_txwqe_complete context is not good
+enough since both the compiler and CPU are free to reorder these two
+functions. If reordering does occur, the issue that was supposedly fixed by
+7e3f3ba97e6c ("net/mlx5e: Track xmit submission to PTP WQ after populating
+metadata map") will be seen. This will lead to NULL pointer dereferences in
+mlx5e_ptpsq_mark_ts_cqes_undelivered in the NAPI polling context due to the
+tracking list being populated before the metadata map.
+
+Fixes: 7e3f3ba97e6c ("net/mlx5e: Track xmit submission to PTP WQ after populating metadata map")
+Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+CC: Vadim Fedorenko <vadfed@meta.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
+index f0b506e562df3..1ead69c5f5fa3 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
+@@ -401,6 +401,8 @@ mlx5e_txwqe_complete(struct mlx5e_txqsq *sq, struct sk_buff *skb,
+ mlx5e_skb_cb_hwtstamp_init(skb);
+ mlx5e_ptp_metadata_map_put(&sq->ptpsq->metadata_map, skb,
+ metadata_index);
++ /* ensure skb is put on metadata_map before tracking the index */
++ wmb();
+ mlx5e_ptpsq_track_metadata(sq->ptpsq, metadata_index);
+ if (!netif_tx_queue_stopped(sq->txq) &&
+ mlx5e_ptpsq_metadata_freelist_empty(sq->ptpsq)) {
+--
+2.43.0
+
--- /dev/null
+From 57cee79c539de4031ea4b2e3b9b1112a91a9a594 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Mar 2024 18:57:14 +0800
+Subject: net: pds_core: Fix possible double free in error handling path
+
+From: Yongzhi Liu <hyperlyzcs@gmail.com>
+
+[ Upstream commit ba18deddd6d502da71fd6b6143c53042271b82bd ]
+
+When auxiliary_device_add() returns error and then calls
+auxiliary_device_uninit(), Callback function pdsc_auxbus_dev_release
+calls kfree(padev) to free memory. We shouldn't call kfree(padev)
+again in the error handling path.
+
+Fix this by cleaning up the redundant kfree() and putting
+the error handling back to where the errors happened.
+
+Fixes: 4569cce43bc6 ("pds_core: add auxiliary_bus devices")
+Signed-off-by: Yongzhi Liu <hyperlyzcs@gmail.com>
+Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
+Reviewed-by: Shannon Nelson <shannon.nelson@amd.com>
+Link: https://lore.kernel.org/r/20240306105714.20597-1-hyperlyzcs@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/pds_core/auxbus.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/pds_core/auxbus.c b/drivers/net/ethernet/amd/pds_core/auxbus.c
+index 11c23a7f3172d..fd1a5149c0031 100644
+--- a/drivers/net/ethernet/amd/pds_core/auxbus.c
++++ b/drivers/net/ethernet/amd/pds_core/auxbus.c
+@@ -160,23 +160,19 @@ static struct pds_auxiliary_dev *pdsc_auxbus_dev_register(struct pdsc *cf,
+ if (err < 0) {
+ dev_warn(cf->dev, "auxiliary_device_init of %s failed: %pe\n",
+ name, ERR_PTR(err));
+- goto err_out;
++ kfree(padev);
++ return ERR_PTR(err);
+ }
+
+ err = auxiliary_device_add(aux_dev);
+ if (err) {
+ dev_warn(cf->dev, "auxiliary_device_add of %s failed: %pe\n",
+ name, ERR_PTR(err));
+- goto err_out_uninit;
++ auxiliary_device_uninit(aux_dev);
++ return ERR_PTR(err);
+ }
+
+ return padev;
+-
+-err_out_uninit:
+- auxiliary_device_uninit(aux_dev);
+-err_out:
+- kfree(padev);
+- return ERR_PTR(err);
+ }
+
+ int pdsc_auxbus_dev_del(struct pdsc *cf, struct pdsc *pf)
+--
+2.43.0
+
--- /dev/null
+From 0a00619071cdb32d8a2fa9572137192de1608428 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Mar 2024 08:13:08 +0800
+Subject: net/rds: fix WARNING in rds_conn_connect_if_down
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+[ Upstream commit c055fc00c07be1f0df7375ab0036cebd1106ed38 ]
+
+If connection isn't established yet, get_mr() will fail, trigger connection after
+get_mr().
+
+Fixes: 584a8279a44a ("RDS: RDMA: return appropriate error on rdma map failures")
+Reported-and-tested-by: syzbot+d4faee732755bba9838e@syzkaller.appspotmail.com
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rds/rdma.c | 3 +++
+ net/rds/send.c | 6 +-----
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/net/rds/rdma.c b/net/rds/rdma.c
+index fba82d36593ad..a4e3c5de998be 100644
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -301,6 +301,9 @@ static int __rds_rdma_map(struct rds_sock *rs, struct rds_get_mr_args *args,
+ kfree(sg);
+ }
+ ret = PTR_ERR(trans_private);
++ /* Trigger connection so that its ready for the next retry */
++ if (ret == -ENODEV)
++ rds_conn_connect_if_down(cp->cp_conn);
+ goto out;
+ }
+
+diff --git a/net/rds/send.c b/net/rds/send.c
+index 5e57a1581dc60..2899def23865f 100644
+--- a/net/rds/send.c
++++ b/net/rds/send.c
+@@ -1313,12 +1313,8 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
+
+ /* Parse any control messages the user may have included. */
+ ret = rds_cmsg_send(rs, rm, msg, &allocated_mr, &vct);
+- if (ret) {
+- /* Trigger connection so that its ready for the next retry */
+- if (ret == -EAGAIN)
+- rds_conn_connect_if_down(conn);
++ if (ret)
+ goto out;
+- }
+
+ if (rm->rdma.op_active && !conn->c_trans->xmit_rdma) {
+ printk_ratelimited(KERN_NOTICE "rdma_op %p conn xmit_rdma %p\n",
+--
+2.43.0
+
--- /dev/null
+From 1baba682df91ba355195a7e8e66e737c60f62dcb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Mar 2024 09:06:08 +0100
+Subject: net: sparx5: Fix use after free inside sparx5_del_mact_entry
+
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+
+[ Upstream commit 89d72d4125e94aa3c2140fedd97ce07ba9e37674 ]
+
+Based on the static analyzis of the code it looks like when an entry
+from the MAC table was removed, the entry was still used after being
+freed. More precise the vid of the mac_entry was used after calling
+devm_kfree on the mac_entry.
+The fix consists in first using the vid of the mac_entry to delete the
+entry from the HW and after that to free it.
+
+Fixes: b37a1bae742f ("net: sparx5: add mactable support")
+Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20240301080608.3053468-1-horatiu.vultur@microchip.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c b/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c
+index 4af285918ea2a..75868b3f548ec 100644
+--- a/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c
++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c
+@@ -347,10 +347,10 @@ int sparx5_del_mact_entry(struct sparx5 *sparx5,
+ list) {
+ if ((vid == 0 || mact_entry->vid == vid) &&
+ ether_addr_equal(addr, mact_entry->mac)) {
++ sparx5_mact_forget(sparx5, addr, mact_entry->vid);
++
+ list_del(&mact_entry->list);
+ devm_kfree(sparx5->dev, mact_entry);
+-
+- sparx5_mact_forget(sparx5, addr, mact_entry->vid);
+ }
+ }
+ mutex_unlock(&sparx5->mact_lock);
+--
+2.43.0
+
--- /dev/null
+From b7b945e9c0710ed88b8afcf8e83e471a52a864f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Mar 2024 11:38:55 +0000
+Subject: netfilter: nf_conntrack_h323: Add protection for bmp length out of
+ range
+
+From: Lena Wang <lena.wang@mediatek.com>
+
+[ Upstream commit 767146637efc528b5e3d31297df115e85a2fd362 ]
+
+UBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts
+that are out of bounds for their data type.
+
+vmlinux get_bitmap(b=75) + 712
+<net/netfilter/nf_conntrack_h323_asn1.c:0>
+vmlinux decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018, level=134443100) + 1956
+<net/netfilter/nf_conntrack_h323_asn1.c:592>
+vmlinux decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216
+<net/netfilter/nf_conntrack_h323_asn1.c:814>
+vmlinux decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812
+<net/netfilter/nf_conntrack_h323_asn1.c:576>
+vmlinux decode_choice(base=0xFFFFFFD008037280, level=0) + 1216
+<net/netfilter/nf_conntrack_h323_asn1.c:814>
+vmlinux DecodeRasMessage() + 304
+<net/netfilter/nf_conntrack_h323_asn1.c:833>
+vmlinux ras_help() + 684
+<net/netfilter/nf_conntrack_h323_main.c:1728>
+vmlinux nf_confirm() + 188
+<net/netfilter/nf_conntrack_proto.c:137>
+
+Due to abnormal data in skb->data, the extension bitmap length
+exceeds 32 when decoding ras message then uses the length to make
+a shift operation. It will change into negative after several loop.
+UBSAN load could detect a negative shift as an undefined behaviour
+and reports exception.
+So we add the protection to avoid the length exceeding 32. Or else
+it will return out of range error and stop decoding.
+
+Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
+Signed-off-by: Lena Wang <lena.wang@mediatek.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_h323_asn1.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
+index e697a824b0018..540d97715bd23 100644
+--- a/net/netfilter/nf_conntrack_h323_asn1.c
++++ b/net/netfilter/nf_conntrack_h323_asn1.c
+@@ -533,6 +533,8 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f,
+ /* Get fields bitmap */
+ if (nf_h323_error_boundary(bs, 0, f->sz))
+ return H323_ERROR_BOUND;
++ if (f->sz > 32)
++ return H323_ERROR_RANGE;
+ bmp = get_bitmap(bs, f->sz);
+ if (base)
+ *(unsigned int *)base = bmp;
+@@ -589,6 +591,8 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f,
+ bmp2_len = get_bits(bs, 7) + 1;
+ if (nf_h323_error_boundary(bs, 0, bmp2_len))
+ return H323_ERROR_BOUND;
++ if (bmp2_len > 32)
++ return H323_ERROR_RANGE;
+ bmp2 = get_bitmap(bs, bmp2_len);
+ bmp |= bmp2 >> f->sz;
+ if (base)
+--
+2.43.0
+
--- /dev/null
+From 38ecdf389a4179141e1b4953381b8e75af164461 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Mar 2024 13:38:15 +0100
+Subject: netfilter: nft_ct: fix l3num expectations with inet pseudo family
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 99993789966a6eb4f1295193dc543686899892d3 ]
+
+Following is rejected but should be allowed:
+
+table inet t {
+ ct expectation exp1 {
+ [..]
+ l3proto ip
+
+Valid combos are:
+table ip t, l3proto ip
+table ip6 t, l3proto ip6
+table inet t, l3proto ip OR l3proto ip6
+
+Disallow inet pseudeo family, the l3num must be a on-wire protocol known
+to conntrack.
+
+Retain NFPROTO_INET case to make it clear its rejected
+intentionally rather as oversight.
+
+Fixes: 8059918a1377 ("netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_ct.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
+index bfd3e5a14dab6..255640013ab84 100644
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -1256,14 +1256,13 @@ static int nft_ct_expect_obj_init(const struct nft_ctx *ctx,
+ switch (priv->l3num) {
+ case NFPROTO_IPV4:
+ case NFPROTO_IPV6:
+- if (priv->l3num != ctx->family)
+- return -EINVAL;
++ if (priv->l3num == ctx->family || ctx->family == NFPROTO_INET)
++ break;
+
+- fallthrough;
+- case NFPROTO_INET:
+- break;
++ return -EINVAL;
++ case NFPROTO_INET: /* tuple.src.l3num supports NFPROTO_IPV4/6 only */
+ default:
+- return -EOPNOTSUPP;
++ return -EAFNOSUPPORT;
+ }
+
+ priv->l4proto = nla_get_u8(tb[NFTA_CT_EXPECT_L4PROTO]);
+--
+2.43.0
+
--- /dev/null
+From 231fe0faba60538b324f2775edf07cb4fb48861b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:20:35 +0800
+Subject: netrom: Fix a data-race around sysctl_netrom_default_path_quality
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit 958d6145a6d9ba9e075c921aead8753fb91c9101 ]
+
+We need to protect the reader reading sysctl_netrom_default_path_quality
+because the value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/nr_route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c
+index baea3cbd76ca5..6f709fdffc11f 100644
+--- a/net/netrom/nr_route.c
++++ b/net/netrom/nr_route.c
+@@ -153,7 +153,7 @@ static int __must_check nr_add_node(ax25_address *nr, const char *mnemonic,
+ nr_neigh->digipeat = NULL;
+ nr_neigh->ax25 = NULL;
+ nr_neigh->dev = dev;
+- nr_neigh->quality = sysctl_netrom_default_path_quality;
++ nr_neigh->quality = READ_ONCE(sysctl_netrom_default_path_quality);
+ nr_neigh->locked = 0;
+ nr_neigh->count = 0;
+ nr_neigh->number = nr_neigh_no++;
+--
+2.43.0
+
--- /dev/null
+From a67fe576222ec374952c25ce460a5df3841a003c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:20:45 +0800
+Subject: netrom: Fix a data-race around sysctl_netrom_link_fails_count
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit bc76645ebdd01be9b9994dac39685a3d0f6f7985 ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/nr_route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c
+index 89e12e6eea2ef..70480869ad1c5 100644
+--- a/net/netrom/nr_route.c
++++ b/net/netrom/nr_route.c
+@@ -728,7 +728,7 @@ void nr_link_failed(ax25_cb *ax25, int reason)
+ nr_neigh->ax25 = NULL;
+ ax25_cb_put(ax25);
+
+- if (++nr_neigh->failed < sysctl_netrom_link_fails_count) {
++ if (++nr_neigh->failed < READ_ONCE(sysctl_netrom_link_fails_count)) {
+ nr_neigh_put(nr_neigh);
+ return;
+ }
+--
+2.43.0
+
--- /dev/null
+From b37907ea4440b11bac31b0bd553380ecb72098c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:20:36 +0800
+Subject: netrom: Fix a data-race around
+ sysctl_netrom_obsolescence_count_initialiser
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit cfd9f4a740f772298308b2e6070d2c744fb5cf79 ]
+
+We need to protect the reader reading the sysctl value
+because the value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/nr_route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c
+index 6f709fdffc11f..b8ddd8048f352 100644
+--- a/net/netrom/nr_route.c
++++ b/net/netrom/nr_route.c
+@@ -766,7 +766,7 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25)
+ if (ax25 != NULL) {
+ ret = nr_add_node(nr_src, "", &ax25->dest_addr, ax25->digipeat,
+ ax25->ax25_dev->dev, 0,
+- sysctl_netrom_obsolescence_count_initialiser);
++ READ_ONCE(sysctl_netrom_obsolescence_count_initialiser));
+ if (ret)
+ return ret;
+ }
+--
+2.43.0
+
--- /dev/null
+From 38e3276aeb02e26bbf4e3b3c88a4d91f6ec46da6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:20:44 +0800
+Subject: netrom: Fix a data-race around sysctl_netrom_routing_control
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit b5dffcb8f71bdd02a4e5799985b51b12f4eeaf76 ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/nr_route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c
+index b8ddd8048f352..89e12e6eea2ef 100644
+--- a/net/netrom/nr_route.c
++++ b/net/netrom/nr_route.c
+@@ -780,7 +780,7 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25)
+ return ret;
+ }
+
+- if (!sysctl_netrom_routing_control && ax25 != NULL)
++ if (!READ_ONCE(sysctl_netrom_routing_control) && ax25 != NULL)
+ return 0;
+
+ /* Its Time-To-Live has expired */
+--
+2.43.0
+
--- /dev/null
+From ce770e17aa646e3e4ef856065abab092455c7a0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:20:38 +0800
+Subject: netrom: Fix a data-race around sysctl_netrom_transport_timeout
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit 60a7a152abd494ed4f69098cf0f322e6bb140612 ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/af_netrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index 0eed00184adf4..4d0e0834d527b 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -453,7 +453,7 @@ static int nr_create(struct net *net, struct socket *sock, int protocol,
+ nr_init_timers(sk);
+
+ nr->t1 =
+- msecs_to_jiffies(sysctl_netrom_transport_timeout);
++ msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_timeout));
+ nr->t2 =
+ msecs_to_jiffies(sysctl_netrom_transport_acknowledge_delay);
+ nr->n2 =
+--
+2.43.0
+
--- /dev/null
+From d5b25cba9e15eb8f940e24f15f139f3335d2d5ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:20:39 +0800
+Subject: netrom: Fix a data-race around sysctl_netrom_transport_maximum_tries
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit e799299aafed417cc1f32adccb2a0e5268b3f6d5 ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/af_netrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index 4d0e0834d527b..312fc745db7ff 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -457,7 +457,7 @@ static int nr_create(struct net *net, struct socket *sock, int protocol,
+ nr->t2 =
+ msecs_to_jiffies(sysctl_netrom_transport_acknowledge_delay);
+ nr->n2 =
+- msecs_to_jiffies(sysctl_netrom_transport_maximum_tries);
++ msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_maximum_tries));
+ nr->t4 =
+ msecs_to_jiffies(sysctl_netrom_transport_busy_delay);
+ nr->idle =
+--
+2.43.0
+
--- /dev/null
+From dfa81ea8bedf5816090ff2cf28af14cbf821c99b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:20:42 +0800
+Subject: netrom: Fix a data-race around
+ sysctl_netrom_transport_requested_window_size
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit a2e706841488f474c06e9b33f71afc947fb3bf56 ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/af_netrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index 10eee02ef99ed..e65418fb9d882 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -462,7 +462,7 @@ static int nr_create(struct net *net, struct socket *sock, int protocol,
+ msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_busy_delay));
+ nr->idle =
+ msecs_to_jiffies(sysctl_netrom_transport_no_activity_timeout);
+- nr->window = sysctl_netrom_transport_requested_window_size;
++ nr->window = READ_ONCE(sysctl_netrom_transport_requested_window_size);
+
+ nr->bpqext = 1;
+ nr->state = NR_STATE_0;
+--
+2.43.0
+
--- /dev/null
+From 5e002f7597baca2e6b2debd471b71ddb809c9f24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:20:40 +0800
+Subject: netrom: Fix a data-race around
+ sysctl_netrom_transport_acknowledge_delay
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit 806f462ba9029d41aadf8ec93f2f99c5305deada ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/af_netrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index 312fc745db7ff..8ada0da3c0e08 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -455,7 +455,7 @@ static int nr_create(struct net *net, struct socket *sock, int protocol,
+ nr->t1 =
+ msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_timeout));
+ nr->t2 =
+- msecs_to_jiffies(sysctl_netrom_transport_acknowledge_delay);
++ msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_acknowledge_delay));
+ nr->n2 =
+ msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_maximum_tries));
+ nr->t4 =
+--
+2.43.0
+
--- /dev/null
+From bb96e97f483d7314e5a00924ed8c517489068057 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:20:41 +0800
+Subject: netrom: Fix a data-race around sysctl_netrom_transport_busy_delay
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit 43547d8699439a67b78d6bb39015113f7aa360fd ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/af_netrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index 8ada0da3c0e08..10eee02ef99ed 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -459,7 +459,7 @@ static int nr_create(struct net *net, struct socket *sock, int protocol,
+ nr->n2 =
+ msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_maximum_tries));
+ nr->t4 =
+- msecs_to_jiffies(sysctl_netrom_transport_busy_delay);
++ msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_busy_delay));
+ nr->idle =
+ msecs_to_jiffies(sysctl_netrom_transport_no_activity_timeout);
+ nr->window = sysctl_netrom_transport_requested_window_size;
+--
+2.43.0
+
--- /dev/null
+From b0f2fb0ec3eb8991aabe712fadf652ff761e2d72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:20:43 +0800
+Subject: netrom: Fix a data-race around
+ sysctl_netrom_transport_no_activity_timeout
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit f99b494b40431f0ca416859f2345746199398e2b ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/af_netrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index e65418fb9d882..1671be042ffef 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -461,7 +461,7 @@ static int nr_create(struct net *net, struct socket *sock, int protocol,
+ nr->t4 =
+ msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_busy_delay));
+ nr->idle =
+- msecs_to_jiffies(sysctl_netrom_transport_no_activity_timeout);
++ msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_no_activity_timeout));
+ nr->window = READ_ONCE(sysctl_netrom_transport_requested_window_size);
+
+ nr->bpqext = 1;
+--
+2.43.0
+
--- /dev/null
+From 9a6fb46087221f616bd451dc96b8326399ec69fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:20:46 +0800
+Subject: netrom: Fix data-races around sysctl_net_busy_read
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit d380ce70058a4ccddc3e5f5c2063165dc07672c6 ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/af_netrom.c | 2 +-
+ net/netrom/nr_in.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index 1671be042ffef..104a80b75477f 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -954,7 +954,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
+ * G8PZT's Xrouter which is sending packets with command type 7
+ * as an extension of the protocol.
+ */
+- if (sysctl_netrom_reset_circuit &&
++ if (READ_ONCE(sysctl_netrom_reset_circuit) &&
+ (frametype != NR_RESET || flags != 0))
+ nr_transmit_reset(skb, 1);
+
+diff --git a/net/netrom/nr_in.c b/net/netrom/nr_in.c
+index 2f084b6f69d7e..97944db6b5ac6 100644
+--- a/net/netrom/nr_in.c
++++ b/net/netrom/nr_in.c
+@@ -97,7 +97,7 @@ static int nr_state1_machine(struct sock *sk, struct sk_buff *skb,
+ break;
+
+ case NR_RESET:
+- if (sysctl_netrom_reset_circuit)
++ if (READ_ONCE(sysctl_netrom_reset_circuit))
+ nr_disconnect(sk, ECONNRESET);
+ break;
+
+@@ -128,7 +128,7 @@ static int nr_state2_machine(struct sock *sk, struct sk_buff *skb,
+ break;
+
+ case NR_RESET:
+- if (sysctl_netrom_reset_circuit)
++ if (READ_ONCE(sysctl_netrom_reset_circuit))
+ nr_disconnect(sk, ECONNRESET);
+ break;
+
+@@ -262,7 +262,7 @@ static int nr_state3_machine(struct sock *sk, struct sk_buff *skb, int frametype
+ break;
+
+ case NR_RESET:
+- if (sysctl_netrom_reset_circuit)
++ if (READ_ONCE(sysctl_netrom_reset_circuit))
+ nr_disconnect(sk, ECONNRESET);
+ break;
+
+--
+2.43.0
+
--- /dev/null
+From f14cc1db8087dee7cb21f0fa0c8191460e81541b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 16:20:37 +0800
+Subject: netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit 119cae5ea3f9e35cdada8e572cc067f072fa825a ]
+
+We need to protect the reader reading the sysctl value because the
+value can be changed concurrently.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/nr_dev.c | 2 +-
+ net/netrom/nr_out.c | 2 +-
+ net/netrom/nr_subr.c | 5 +++--
+ 3 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/net/netrom/nr_dev.c b/net/netrom/nr_dev.c
+index 3aaac4a22b387..2c34389c3ce6f 100644
+--- a/net/netrom/nr_dev.c
++++ b/net/netrom/nr_dev.c
+@@ -81,7 +81,7 @@ static int nr_header(struct sk_buff *skb, struct net_device *dev,
+ buff[6] |= AX25_SSSID_SPARE;
+ buff += AX25_ADDR_LEN;
+
+- *buff++ = sysctl_netrom_network_ttl_initialiser;
++ *buff++ = READ_ONCE(sysctl_netrom_network_ttl_initialiser);
+
+ *buff++ = NR_PROTO_IP;
+ *buff++ = NR_PROTO_IP;
+diff --git a/net/netrom/nr_out.c b/net/netrom/nr_out.c
+index 44929657f5b71..5e531394a724b 100644
+--- a/net/netrom/nr_out.c
++++ b/net/netrom/nr_out.c
+@@ -204,7 +204,7 @@ void nr_transmit_buffer(struct sock *sk, struct sk_buff *skb)
+ dptr[6] |= AX25_SSSID_SPARE;
+ dptr += AX25_ADDR_LEN;
+
+- *dptr++ = sysctl_netrom_network_ttl_initialiser;
++ *dptr++ = READ_ONCE(sysctl_netrom_network_ttl_initialiser);
+
+ if (!nr_route_frame(skb, NULL)) {
+ kfree_skb(skb);
+diff --git a/net/netrom/nr_subr.c b/net/netrom/nr_subr.c
+index e2d2af924cff4..c3bbd5880850b 100644
+--- a/net/netrom/nr_subr.c
++++ b/net/netrom/nr_subr.c
+@@ -182,7 +182,8 @@ void nr_write_internal(struct sock *sk, int frametype)
+ *dptr++ = nr->my_id;
+ *dptr++ = frametype;
+ *dptr++ = nr->window;
+- if (nr->bpqext) *dptr++ = sysctl_netrom_network_ttl_initialiser;
++ if (nr->bpqext)
++ *dptr++ = READ_ONCE(sysctl_netrom_network_ttl_initialiser);
+ break;
+
+ case NR_DISCREQ:
+@@ -236,7 +237,7 @@ void __nr_transmit_reply(struct sk_buff *skb, int mine, unsigned char cmdflags)
+ dptr[6] |= AX25_SSSID_SPARE;
+ dptr += AX25_ADDR_LEN;
+
+- *dptr++ = sysctl_netrom_network_ttl_initialiser;
++ *dptr++ = READ_ONCE(sysctl_netrom_network_ttl_initialiser);
+
+ if (mine) {
+ *dptr++ = 0;
+--
+2.43.0
+
--- /dev/null
+From c04dd2fa27e7d6ef233fed0967193158c45e93e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Oct 2023 04:49:54 +0300
+Subject: Revert "net/mlx5: Block entering switchdev mode with ns
+ inconsistency"
+
+From: Gavin Li <gavinl@nvidia.com>
+
+[ Upstream commit 8deeefb24786ea7950b37bde4516b286c877db00 ]
+
+This reverts commit 662404b24a4c4d839839ed25e3097571f5938b9b.
+The revert is required due to the suspicion it is not good for anything
+and cause crash.
+
+Fixes: 662404b24a4c ("net/mlx5e: Block entering switchdev mode with ns inconsistency")
+Signed-off-by: Gavin Li <gavinl@nvidia.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mellanox/mlx5/core/eswitch_offloads.c | 23 -------------------
+ 1 file changed, 23 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+index b0455134c98ef..14b3bd3c5e2f7 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+@@ -3658,22 +3658,6 @@ static int esw_inline_mode_to_devlink(u8 mlx5_mode, u8 *mode)
+ return 0;
+ }
+
+-static bool esw_offloads_devlink_ns_eq_netdev_ns(struct devlink *devlink)
+-{
+- struct mlx5_core_dev *dev = devlink_priv(devlink);
+- struct net *devl_net, *netdev_net;
+- bool ret = false;
+-
+- mutex_lock(&dev->mlx5e_res.uplink_netdev_lock);
+- if (dev->mlx5e_res.uplink_netdev) {
+- netdev_net = dev_net(dev->mlx5e_res.uplink_netdev);
+- devl_net = devlink_net(devlink);
+- ret = net_eq(devl_net, netdev_net);
+- }
+- mutex_unlock(&dev->mlx5e_res.uplink_netdev_lock);
+- return ret;
+-}
+-
+ int mlx5_eswitch_block_mode(struct mlx5_core_dev *dev)
+ {
+ struct mlx5_eswitch *esw = dev->priv.eswitch;
+@@ -3718,13 +3702,6 @@ int mlx5_devlink_eswitch_mode_set(struct devlink *devlink, u16 mode,
+ if (esw_mode_from_devlink(mode, &mlx5_mode))
+ return -EINVAL;
+
+- if (mode == DEVLINK_ESWITCH_MODE_SWITCHDEV &&
+- !esw_offloads_devlink_ns_eq_netdev_ns(devlink)) {
+- NL_SET_ERR_MSG_MOD(extack,
+- "Can't change E-Switch mode to switchdev when netdev net namespace has diverged from the devlink's.");
+- return -EPERM;
+- }
+-
+ mlx5_lag_disable_change(esw->dev);
+ err = mlx5_esw_try_lock(esw);
+ if (err < 0) {
+--
+2.43.0
+
--- /dev/null
+From 776b37d1583a1cafb65b2ae0bdaf9e06a5edff59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Dec 2023 17:07:08 -0800
+Subject: Revert "net/mlx5e: Check the number of elements before walk TC
+ rhashtable"
+
+From: Saeed Mahameed <saeedm@nvidia.com>
+
+[ Upstream commit b7bbd698c90591546d22093181e266785f08c18b ]
+
+This reverts commit 4e25b661f484df54b6751b65f9ea2434a3b67539.
+
+This Commit was mistakenly applied by pulling the wrong tag, remove it.
+
+Fixes: 4e25b661f484 ("net/mlx5e: Check the number of elements before walk TC rhashtable")
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c
+index 190f10aba1702..5a0047bdcb510 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c
+@@ -152,7 +152,7 @@ void mlx5_esw_ipsec_restore_dest_uplink(struct mlx5_core_dev *mdev)
+
+ xa_for_each(&esw->offloads.vport_reps, i, rep) {
+ rpriv = rep->rep_data[REP_ETH].priv;
+- if (!rpriv || !rpriv->netdev || !atomic_read(&rpriv->tc_ht.nelems))
++ if (!rpriv || !rpriv->netdev)
+ continue;
+
+ rhashtable_walk_enter(&rpriv->tc_ht, &iter);
+--
+2.43.0
+
--- /dev/null
+From 8ae27a29170c08031359c3e6cfbc8d9eb5a2b65c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Mar 2024 10:08:29 +0100
+Subject: selftests/bpf: Fix up xdp bonding test wrt feature flags
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 0bfc0336e1348883fdab4689f0c8c56458f36dd8 ]
+
+Adjust the XDP feature flags for the bond device when no bond slave
+devices are attached. After 9b0ed890ac2a ("bonding: do not report
+NETDEV_XDP_ACT_XSK_ZEROCOPY"), the empty bond device must report 0
+as flags instead of NETDEV_XDP_ACT_MASK.
+
+ # ./vmtest.sh -- ./test_progs -t xdp_bond
+ [...]
+ [ 3.983311] bond1 (unregistering): (slave veth1_1): Releasing backup interface
+ [ 3.995434] bond1 (unregistering): Released all slaves
+ [ 4.022311] bond2: (slave veth2_1): Releasing backup interface
+ #507/1 xdp_bonding/xdp_bonding_attach:OK
+ #507/2 xdp_bonding/xdp_bonding_nested:OK
+ #507/3 xdp_bonding/xdp_bonding_features:OK
+ #507/4 xdp_bonding/xdp_bonding_roundrobin:OK
+ #507/5 xdp_bonding/xdp_bonding_activebackup:OK
+ #507/6 xdp_bonding/xdp_bonding_xor_layer2:OK
+ #507/7 xdp_bonding/xdp_bonding_xor_layer23:OK
+ #507/8 xdp_bonding/xdp_bonding_xor_layer34:OK
+ #507/9 xdp_bonding/xdp_bonding_redirect_multi:OK
+ #507 xdp_bonding:OK
+ Summary: 1/9 PASSED, 0 SKIPPED, 0 FAILED
+ [ 4.185255] bond2 (unregistering): Released all slaves
+ [...]
+
+Fixes: 9b0ed890ac2a ("bonding: do not report NETDEV_XDP_ACT_XSK_ZEROCOPY")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Message-ID: <20240305090829.17131-2-daniel@iogearbox.net>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/xdp_bonding.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/xdp_bonding.c b/tools/testing/selftests/bpf/prog_tests/xdp_bonding.c
+index c3b45745cbccd..6d8b54124cb35 100644
+--- a/tools/testing/selftests/bpf/prog_tests/xdp_bonding.c
++++ b/tools/testing/selftests/bpf/prog_tests/xdp_bonding.c
+@@ -511,7 +511,7 @@ static void test_xdp_bonding_features(struct skeletons *skeletons)
+ if (!ASSERT_OK(err, "bond bpf_xdp_query"))
+ goto out;
+
+- if (!ASSERT_EQ(query_opts.feature_flags, NETDEV_XDP_ACT_MASK,
++ if (!ASSERT_EQ(query_opts.feature_flags, 0,
+ "bond query_opts.feature_flags"))
+ goto out;
+
+@@ -601,7 +601,7 @@ static void test_xdp_bonding_features(struct skeletons *skeletons)
+ if (!ASSERT_OK(err, "bond bpf_xdp_query"))
+ goto out;
+
+- ASSERT_EQ(query_opts.feature_flags, NETDEV_XDP_ACT_MASK,
++ ASSERT_EQ(query_opts.feature_flags, 0,
+ "bond query_opts.feature_flags");
+ out:
+ bpf_link__destroy(link);
+--
+2.43.0
+
dt-bindings-dma-fsl-edma-add-fsl-edma.h-to-prevent-h.patch
dmaengine-fsl-edma-utilize-common-dt-binding-header-.patch
dmaengine-fsl-edma-correct-max_segment_size-setting.patch
+xfrm-clear-low-order-bits-of-flowi4_tos-in-decode_se.patch
+xfrm-pass-udp-encapsulation-in-tx-packet-offload.patch
+net-lan78xx-fix-runtime-pm-count-underflow-on-link-s.patch
+ixgbe-dis-en-able-irqs-in-ixgbe_txrx_ring_-dis-en-ab.patch
+i40e-disable-napi-right-after-disabling-irqs-when-ha.patch
+ice-reorder-disabling-irq-and-napi-in-ice_qp_dis.patch
+ice-replace-ice_vf_recreate_vsi-with-ice_vf_reconfig.patch
+ice-reconfig-host-after-changing-msi-x-on-vf.patch
+revert-net-mlx5-block-entering-switchdev-mode-with-n.patch
+revert-net-mlx5e-check-the-number-of-elements-before.patch
+net-mlx5-e-switch-change-flow-rule-destination-check.patch
+net-mlx5-fix-fw-reporter-diagnose-output.patch
+net-mlx5-check-capability-for-fw_reset.patch
+net-mlx5e-change-the-warning-when-ignore_flow_level-.patch
+net-mlx5e-fix-macsec-state-loss-upon-state-update-in.patch
+net-mlx5e-use-a-memory-barrier-to-enforce-ptp-wq-xmi.patch
+net-mlx5e-switch-to-using-_bh-variant-of-of-spinlock.patch
+tracing-net_sched-fix-tracepoints-that-save-qdisc_de.patch
+geneve-make-sure-to-pull-inner-header-in-geneve_rx.patch
+net-sparx5-fix-use-after-free-inside-sparx5_del_mact.patch
+idpf-disable-local-bh-when-scheduling-napi-for-marke.patch
+ice-virtchnl-stop-pretending-to-support-rss-over-aq-.patch
+net-ice-fix-potential-null-pointer-dereference-in-ic.patch
+ice-fix-uninitialized-dplls-mutex-usage.patch
+igc-avoid-returning-frame-twice-in-xdp_redirect.patch
+net-ipv6-avoid-possible-uaf-in-ip6_route_mpath_notif.patch
+bpf-check-bpf_func_state-callback_depth-when-pruning.patch
+xdp-bonding-fix-feature-flags-when-there-are-no-slav.patch
+selftests-bpf-fix-up-xdp-bonding-test-wrt-feature-fl.patch
+cpumap-zero-initialise-xdp_rxq_info-struct-before-ru.patch
+net-dsa-microchip-fix-register-write-order-in-ksz8_i.patch
+net-rds-fix-warning-in-rds_conn_connect_if_down.patch
+netfilter-nft_ct-fix-l3num-expectations-with-inet-ps.patch
+netfilter-nf_conntrack_h323-add-protection-for-bmp-l.patch
+erofs-apply-proper-vma-alignment-for-memory-mapped-f.patch
+netrom-fix-a-data-race-around-sysctl_netrom_default_.patch
+netrom-fix-a-data-race-around-sysctl_netrom_obsolesc.patch
+netrom-fix-data-races-around-sysctl_netrom_network_t.patch
+netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch
+netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-14703
+netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-19389
+netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-24045
+netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-19245
+netrom-fix-a-data-race-around-sysctl_netrom_transpor.patch-8430
+netrom-fix-a-data-race-around-sysctl_netrom_routing_.patch
+netrom-fix-a-data-race-around-sysctl_netrom_link_fai.patch
+netrom-fix-data-races-around-sysctl_net_busy_read.patch
+net-pds_core-fix-possible-double-free-in-error-handl.patch
--- /dev/null
+From 43b3fc090ec435352fde617f0583632af7dac6d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Feb 2024 14:34:44 -0500
+Subject: tracing/net_sched: Fix tracepoints that save qdisc_dev() as a string
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Steven Rostedt (Google) <rostedt@goodmis.org>
+
+[ Upstream commit 51270d573a8d9dd5afdc7934de97d66c0e14b5fd ]
+
+I'm updating __assign_str() and will be removing the second parameter. To
+make sure that it does not break anything, I make sure that it matches the
+__string() field, as that is where the string is actually going to be
+saved in. To make sure there's nothing that breaks, I added a WARN_ON() to
+make sure that what was used in __string() is the same that is used in
+__assign_str().
+
+In doing this change, an error was triggered as __assign_str() now expects
+the string passed in to be a char * value. I instead had the following
+warning:
+
+include/trace/events/qdisc.h: In function ‘trace_event_raw_event_qdisc_reset’:
+include/trace/events/qdisc.h:91:35: error: passing argument 1 of 'strcmp' from incompatible pointer type [-Werror=incompatible-pointer-types]
+ 91 | __assign_str(dev, qdisc_dev(q));
+
+That's because the qdisc_enqueue() and qdisc_reset() pass in qdisc_dev(q)
+to __assign_str() and to __string(). But that function returns a pointer
+to struct net_device and not a string.
+
+It appears that these events are just saving the pointer as a string and
+then reading it as a string as well.
+
+Use qdisc_dev(q)->name to save the device instead.
+
+Fixes: a34dac0b90552 ("net_sched: add tracepoints for qdisc_reset() and qdisc_destroy()")
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/qdisc.h | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/include/trace/events/qdisc.h b/include/trace/events/qdisc.h
+index a3995925cb057..1f4258308b967 100644
+--- a/include/trace/events/qdisc.h
++++ b/include/trace/events/qdisc.h
+@@ -81,14 +81,14 @@ TRACE_EVENT(qdisc_reset,
+ TP_ARGS(q),
+
+ TP_STRUCT__entry(
+- __string( dev, qdisc_dev(q) )
+- __string( kind, q->ops->id )
+- __field( u32, parent )
+- __field( u32, handle )
++ __string( dev, qdisc_dev(q)->name )
++ __string( kind, q->ops->id )
++ __field( u32, parent )
++ __field( u32, handle )
+ ),
+
+ TP_fast_assign(
+- __assign_str(dev, qdisc_dev(q));
++ __assign_str(dev, qdisc_dev(q)->name);
+ __assign_str(kind, q->ops->id);
+ __entry->parent = q->parent;
+ __entry->handle = q->handle;
+@@ -106,14 +106,14 @@ TRACE_EVENT(qdisc_destroy,
+ TP_ARGS(q),
+
+ TP_STRUCT__entry(
+- __string( dev, qdisc_dev(q) )
+- __string( kind, q->ops->id )
+- __field( u32, parent )
+- __field( u32, handle )
++ __string( dev, qdisc_dev(q)->name )
++ __string( kind, q->ops->id )
++ __field( u32, parent )
++ __field( u32, handle )
+ ),
+
+ TP_fast_assign(
+- __assign_str(dev, qdisc_dev(q));
++ __assign_str(dev, qdisc_dev(q)->name);
+ __assign_str(kind, q->ops->id);
+ __entry->parent = q->parent;
+ __entry->handle = q->handle;
+--
+2.43.0
+
--- /dev/null
+From 822e696a3853d19db35d8337a39aca3874f2196a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Mar 2024 10:08:28 +0100
+Subject: xdp, bonding: Fix feature flags when there are no slave devs anymore
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit f267f262815033452195f46c43b572159262f533 ]
+
+Commit 9b0ed890ac2a ("bonding: do not report NETDEV_XDP_ACT_XSK_ZEROCOPY")
+changed the driver from reporting everything as supported before a device
+was bonded into having the driver report that no XDP feature is supported
+until a real device is bonded as it seems to be more truthful given
+eventually real underlying devices decide what XDP features are supported.
+
+The change however did not take into account when all slave devices get
+removed from the bond device. In this case after 9b0ed890ac2a, the driver
+keeps reporting a feature mask of 0x77, that is, NETDEV_XDP_ACT_MASK &
+~NETDEV_XDP_ACT_XSK_ZEROCOPY whereas it should have reported a feature
+mask of 0.
+
+Fix it by resetting XDP feature flags in the same way as if no XDP program
+is attached to the bond device. This was uncovered by the XDP bond selftest
+which let BPF CI fail. After adjusting the starting masks on the latter
+to 0 instead of NETDEV_XDP_ACT_MASK the test passes again together with
+this fix.
+
+Fixes: 9b0ed890ac2a ("bonding: do not report NETDEV_XDP_ACT_XSK_ZEROCOPY")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Magnus Karlsson <magnus.karlsson@intel.com>
+Cc: Prashant Batra <prbatra.mail@gmail.com>
+Cc: Toke Høiland-Jørgensen <toke@redhat.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Message-ID: <20240305090829.17131-1-daniel@iogearbox.net>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 6cf7f364704e8..b094c48bebc30 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1811,7 +1811,7 @@ void bond_xdp_set_features(struct net_device *bond_dev)
+
+ ASSERT_RTNL();
+
+- if (!bond_xdp_check(bond)) {
++ if (!bond_xdp_check(bond) || !bond_has_slaves(bond)) {
+ xdp_clear_features_flag(bond_dev);
+ return;
+ }
+--
+2.43.0
+
--- /dev/null
+From 750f3ca207c7a0624684933ae7122f255dc14afa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jan 2024 16:06:32 +0100
+Subject: xfrm: Clear low order bits of ->flowi4_tos in decode_session4().
+
+From: Guillaume Nault <gnault@redhat.com>
+
+[ Upstream commit 1982a2a02c9197436d4a8ea12f66bafab53f16a0 ]
+
+Commit 23e7b1bfed61 ("xfrm: Don't accidentally set RTO_ONLINK in
+decode_session4()") fixed a problem where decode_session4() could
+erroneously set the RTO_ONLINK flag for IPv4 route lookups. This
+problem was reintroduced when decode_session4() was modified to
+use the flow dissector.
+
+Fix this by clearing again the two low order bits of ->flowi4_tos.
+Found by code inspection, compile tested only.
+
+Fixes: 7a0207094f1b ("xfrm: policy: replace session decode with flow dissector")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_policy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index c13dc3ef79107..e69d588caa0c6 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -3416,7 +3416,7 @@ decode_session4(const struct xfrm_flow_keys *flkeys, struct flowi *fl, bool reve
+ }
+
+ fl4->flowi4_proto = flkeys->basic.ip_proto;
+- fl4->flowi4_tos = flkeys->ip.tos;
++ fl4->flowi4_tos = flkeys->ip.tos & ~INET_ECN_MASK;
+ }
+
+ #if IS_ENABLED(CONFIG_IPV6)
+--
+2.43.0
+
--- /dev/null
+From 03fa082e4d4c4a6d6906dd8bf45bf5ddeef84088 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jan 2024 00:13:54 -0800
+Subject: xfrm: Pass UDP encapsulation in TX packet offload
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit 983a73da1f996faee9997149eb05b12fa7bd8cbf ]
+
+In addition to citied commit in Fixes line, allow UDP encapsulation in
+TX path too.
+
+Fixes: 89edf40220be ("xfrm: Support UDP encapsulation in packet offload mode")
+CC: Steffen Klassert <steffen.klassert@secunet.com>
+Reported-by: Mike Yu <yumike@google.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
+index 3784534c91855..653e51ae39648 100644
+--- a/net/xfrm/xfrm_device.c
++++ b/net/xfrm/xfrm_device.c
+@@ -407,7 +407,7 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
+ struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
+ struct net_device *dev = x->xso.dev;
+
+- if (!x->type_offload || x->encap)
++ if (!x->type_offload)
+ return false;
+
+ if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET ||
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
