--- /dev/null
+From bfde39e7d0b2636130b23e9a6a3d69b94dbc70d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2024 13:31:55 -0800
+Subject: ionic: Fix netdev notifier unregister on failure
+
+From: Brett Creeley <brett.creeley@amd.com>
+
+[ Upstream commit 9590d32e090ea2751e131ae5273859ca22f5ac14 ]
+
+If register_netdev() fails, then the driver leaks the netdev notifier.
+Fix this by calling ionic_lif_unregister() on register_netdev()
+failure. This will also call ionic_lif_unregister_phc() if it has
+already been registered.
+
+Fixes: 30b87ab4c0b3 ("ionic: remove lif list concept")
+Signed-off-by: Brett Creeley <brett.creeley@amd.com>
+Signed-off-by: Shannon Nelson <shannon.nelson@amd.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/20241212213157.12212-2-shannon.nelson@amd.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+index 910d8973a4b0..cdc3c55fab6a 100644
+--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c
++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+@@ -3514,8 +3514,8 @@ int ionic_lif_register(struct ionic_lif *lif)
+ /* only register LIF0 for now */
+ err = register_netdev(lif->netdev);
+ if (err) {
+- dev_err(lif->ionic->dev, "Cannot register net device, aborting\n");
+- ionic_lif_unregister_phc(lif);
++ dev_err(lif->ionic->dev, "Cannot register net device: %d, aborting\n", err);
++ ionic_lif_unregister(lif);
+ return err;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 7a11827db0e083e842449f2d61623ec5ba02855f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2024 13:31:57 -0800
+Subject: ionic: use ee->offset when returning sprom data
+
+From: Shannon Nelson <shannon.nelson@amd.com>
+
+[ Upstream commit b096d62ba1323391b2db98b7704e2468cf3b1588 ]
+
+Some calls into ionic_get_module_eeprom() don't use a single
+full buffer size, but instead multiple calls with an offset.
+Teach our driver to use the offset correctly so we can
+respond appropriately to the caller.
+
+Fixes: 4d03e00a2140 ("ionic: Add initial ethtool support")
+Signed-off-by: Shannon Nelson <shannon.nelson@amd.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/20241212213157.12212-4-shannon.nelson@amd.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/pensando/ionic/ionic_ethtool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c b/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c
+index 2fa116c3694c..8d459d563416 100644
+--- a/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c
++++ b/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c
+@@ -861,8 +861,8 @@ static int ionic_get_module_eeprom(struct net_device *netdev,
+ len = min_t(u32, sizeof(xcvr->sprom), ee->len);
+
+ do {
+- memcpy(data, xcvr->sprom, len);
+- memcpy(tbuf, xcvr->sprom, len);
++ memcpy(data, &xcvr->sprom[ee->offset], len);
++ memcpy(tbuf, &xcvr->sprom[ee->offset], len);
+
+ /* Let's make sure we got a consistent copy */
+ if (!memcmp(data, tbuf, len))
+--
+2.39.5
+
--- /dev/null
+From bf5ec0a480e35b994333e13d3654b9fac80f03cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Dec 2024 10:49:12 +0900
+Subject: net: ethernet: bgmac-platform: fix an OF node reference leak
+
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+
+[ Upstream commit 0cb2c504d79e7caa3abade3f466750c82ad26f01 ]
+
+The OF node obtained by of_parse_phandle() is not freed. Call
+of_node_put() to balance the refcount.
+
+This bug was found by an experimental static analysis tool that I am
+developing.
+
+Fixes: 1676aba5ef7e ("net: ethernet: bgmac: device tree phy enablement")
+Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20241214014912.2810315-1-joe@pf.is.s.u-tokyo.ac.jp
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bgmac-platform.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bgmac-platform.c b/drivers/net/ethernet/broadcom/bgmac-platform.c
+index b4381cd41979..3f4e8bac40c1 100644
+--- a/drivers/net/ethernet/broadcom/bgmac-platform.c
++++ b/drivers/net/ethernet/broadcom/bgmac-platform.c
+@@ -171,6 +171,7 @@ static int platform_phy_connect(struct bgmac *bgmac)
+ static int bgmac_probe(struct platform_device *pdev)
+ {
+ struct device_node *np = pdev->dev.of_node;
++ struct device_node *phy_node;
+ struct bgmac *bgmac;
+ struct resource *regs;
+ int ret;
+@@ -236,7 +237,9 @@ static int bgmac_probe(struct platform_device *pdev)
+ bgmac->cco_ctl_maskset = platform_bgmac_cco_ctl_maskset;
+ bgmac->get_bus_clock = platform_bgmac_get_bus_clock;
+ bgmac->cmn_maskset32 = platform_bgmac_cmn_maskset32;
+- if (of_parse_phandle(np, "phy-handle", 0)) {
++ phy_node = of_parse_phandle(np, "phy-handle", 0);
++ if (phy_node) {
++ of_node_put(phy_node);
+ bgmac->phy_connect = platform_phy_connect;
+ } else {
+ bgmac->phy_connect = bgmac_phy_connect_direct;
+--
+2.39.5
+
--- /dev/null
+From 2d32ff09a773ca9e80cc8ec24c7107dba0eb4fb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Dec 2024 17:28:11 +0300
+Subject: net: hinic: Fix cleanup in create_rxqs/txqs()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 7203d10e93b6e6e1d19481ef7907de6a9133a467 ]
+
+There is a check for NULL at the start of create_txqs() and
+create_rxqs() which tess if "nic_dev->txqs" is non-NULL. The
+intention is that if the device is already open and the queues
+are already created then we don't create them a second time.
+
+However, the bug is that if we have an error in the create_txqs()
+then the pointer doesn't get set back to NULL. The NULL check
+at the start of the function will say that it's already open when
+it's not and the device can't be used.
+
+Set ->txqs back to NULL on cleanup on error.
+
+Fixes: c3e79baf1b03 ("net-next/hinic: Add logical Txq and Rxq")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/0cc98faf-a0ed-4565-a55b-0fa2734bc205@stanley.mountain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/huawei/hinic/hinic_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/huawei/hinic/hinic_main.c b/drivers/net/ethernet/huawei/hinic/hinic_main.c
+index 92fba9a0c371..a65b20bafcb0 100644
+--- a/drivers/net/ethernet/huawei/hinic/hinic_main.c
++++ b/drivers/net/ethernet/huawei/hinic/hinic_main.c
+@@ -172,6 +172,7 @@ static int create_txqs(struct hinic_dev *nic_dev)
+ hinic_sq_dbgfs_uninit(nic_dev);
+
+ devm_kfree(&netdev->dev, nic_dev->txqs);
++ nic_dev->txqs = NULL;
+ return err;
+ }
+
+@@ -268,6 +269,7 @@ static int create_rxqs(struct hinic_dev *nic_dev)
+ hinic_rq_dbgfs_uninit(nic_dev);
+
+ devm_kfree(&netdev->dev, nic_dev->rxqs);
++ nic_dev->rxqs = NULL;
+ return err;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From ff84e61010bd4ff86729995b707e438e63812f30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2024 12:51:06 +0900
+Subject: net: mdiobus: fix an OF node reference leak
+
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+
+[ Upstream commit 572af9f284669d31d9175122bbef9bc62cea8ded ]
+
+fwnode_find_mii_timestamper() calls of_parse_phandle_with_fixed_args()
+but does not decrement the refcount of the obtained OF node. Add an
+of_node_put() call before returning from the function.
+
+This bug was detected by an experimental static analysis tool that I am
+developing.
+
+Fixes: bc1bee3b87ee ("net: mdiobus: Introduce fwnode_mdiobus_register_phy()")
+Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20241218035106.1436405-1-joe@pf.is.s.u-tokyo.ac.jp
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mdio/fwnode_mdio.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/mdio/fwnode_mdio.c b/drivers/net/mdio/fwnode_mdio.c
+index 2c47efdae73b..92f931fc903e 100644
+--- a/drivers/net/mdio/fwnode_mdio.c
++++ b/drivers/net/mdio/fwnode_mdio.c
+@@ -17,6 +17,7 @@ MODULE_LICENSE("GPL");
+ static struct mii_timestamper *
+ fwnode_find_mii_timestamper(struct fwnode_handle *fwnode)
+ {
++ struct mii_timestamper *mii_ts;
+ struct of_phandle_args arg;
+ int err;
+
+@@ -30,10 +31,16 @@ fwnode_find_mii_timestamper(struct fwnode_handle *fwnode)
+ else if (err)
+ return ERR_PTR(err);
+
+- if (arg.args_count != 1)
+- return ERR_PTR(-EINVAL);
++ if (arg.args_count != 1) {
++ mii_ts = ERR_PTR(-EINVAL);
++ goto put_node;
++ }
++
++ mii_ts = register_mii_timestamper(arg.np, arg.args[0]);
+
+- return register_mii_timestamper(arg.np, arg.args[0]);
++put_node:
++ of_node_put(arg.np);
++ return mii_ts;
+ }
+
+ int fwnode_mdiobus_phy_device_register(struct mii_bus *mdio,
+--
+2.39.5
+
--- /dev/null
+From 77a7fa5da0804f4cf3b3bd3c79d916bdd4cdadcb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2024 17:21:18 +0800
+Subject: net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving
+ proposal msg
+
+From: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+
+[ Upstream commit a29e220d3c8edbf0e1beb0f028878a4a85966556 ]
+
+When receiving proposal msg in server, the field iparea_offset
+and the field ipv6_prefixes_cnt in proposal msg are from the
+remote client and can not be fully trusted. Especially the
+field iparea_offset, once exceed the max value, there has the
+chance to access wrong address, and crash may happen.
+
+This patch checks iparea_offset and ipv6_prefixes_cnt before using them.
+
+Fixes: e7b7a64a8493 ("smc: support variable CLC proposal messages")
+Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+Reviewed-by: Wen Gu <guwen@linux.alibaba.com>
+Reviewed-by: D. Wythe <alibuda@linux.alibaba.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c | 6 +++++-
+ net/smc/smc_clc.c | 4 ++++
+ net/smc/smc_clc.h | 6 +++++-
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index fb299dbc0c26..ef0f264932e1 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -1632,6 +1632,8 @@ static int smc_listen_prfx_check(struct smc_sock *new_smc,
+ if (pclc->hdr.typev1 == SMC_TYPE_N)
+ return 0;
+ pclc_prfx = smc_clc_proposal_get_prefix(pclc);
++ if (!pclc_prfx)
++ return -EPROTO;
+ if (smc_clc_prfx_match(newclcsock, pclc_prfx))
+ return SMC_CLC_DECL_DIFFPREFIX;
+
+@@ -1797,7 +1799,9 @@ static void smc_find_ism_v1_device_serv(struct smc_sock *new_smc,
+ int rc = 0;
+
+ /* check if ISM V1 is available */
+- if (!(ini->smcd_version & SMC_V1) || !smcd_indicated(ini->smc_type_v1))
++ if (!(ini->smcd_version & SMC_V1) ||
++ !smcd_indicated(ini->smc_type_v1) ||
++ !pclc_smcd)
+ goto not_found;
+ ini->is_smcd = true; /* prepare ISM check */
+ ini->ism_peer_gid[0] = ntohll(pclc_smcd->ism.gid);
+diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
+index 6ec1ebe878ae..035e8135ea49 100644
+--- a/net/smc/smc_clc.c
++++ b/net/smc/smc_clc.c
+@@ -49,6 +49,10 @@ static bool smc_clc_msg_prop_valid(struct smc_clc_msg_proposal *pclc)
+
+ v2_ext = smc_get_clc_v2_ext(pclc);
+ pclc_prfx = smc_clc_proposal_get_prefix(pclc);
++ if (!pclc_prfx ||
++ pclc_prfx->ipv6_prefixes_cnt > SMC_CLC_MAX_V6_PREFIX)
++ return false;
++
+ if (hdr->version == SMC_V1) {
+ if (hdr->typev1 == SMC_TYPE_N)
+ return false;
+diff --git a/net/smc/smc_clc.h b/net/smc/smc_clc.h
+index 32d37f7b70f2..986dcd5db3ed 100644
+--- a/net/smc/smc_clc.h
++++ b/net/smc/smc_clc.h
+@@ -264,8 +264,12 @@ struct smc_clc_msg_decline { /* clc decline message */
+ static inline struct smc_clc_msg_proposal_prefix *
+ smc_clc_proposal_get_prefix(struct smc_clc_msg_proposal *pclc)
+ {
++ u16 offset = ntohs(pclc->iparea_offset);
++
++ if (offset > sizeof(struct smc_clc_msg_smcd))
++ return NULL;
+ return (struct smc_clc_msg_proposal_prefix *)
+- ((u8 *)pclc + sizeof(*pclc) + ntohs(pclc->iparea_offset));
++ ((u8 *)pclc + sizeof(*pclc) + offset);
+ }
+
+ static inline bool smcr_indicated(int smc_type)
+--
+2.39.5
+
--- /dev/null
+From 048ca86e3d803d22a6cce94aff44829608a03820 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2024 17:21:21 +0800
+Subject: net/smc: check return value of sock_recvmsg when draining clc data
+
+From: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+
+[ Upstream commit c5b8ee5022a19464783058dc6042e8eefa34e8cd ]
+
+When receiving clc msg, the field length in smc_clc_msg_hdr indicates the
+length of msg should be received from network and the value should not be
+fully trusted as it is from the network. Once the value of length exceeds
+the value of buflen in function smc_clc_wait_msg it may run into deadloop
+when trying to drain the remaining data exceeding buflen.
+
+This patch checks the return value of sock_recvmsg when draining data in
+case of deadloop in draining.
+
+Fixes: fb4f79264c0f ("net/smc: tolerate future SMCD versions")
+Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+Reviewed-by: Wen Gu <guwen@linux.alibaba.com>
+Reviewed-by: D. Wythe <alibuda@linux.alibaba.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_clc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
+index 035e8135ea49..52a0ba939c91 100644
+--- a/net/smc/smc_clc.c
++++ b/net/smc/smc_clc.c
+@@ -427,6 +427,11 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen,
+ SMC_CLC_RECV_BUF_LEN : datlen;
+ iov_iter_kvec(&msg.msg_iter, READ, &vec, 1, recvlen);
+ len = sock_recvmsg(smc->clcsock, &msg, krflags);
++ if (len < recvlen) {
++ smc->sk.sk_err = EPROTO;
++ reason_code = -EPROTO;
++ goto out;
++ }
+ datlen -= len;
+ }
+ if (clcm->type == SMC_CLC_DECLINE) {
+--
+2.39.5
+
--- /dev/null
+From 18aaa50b91ff8e97b808a42c2486fc6e746b01d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2024 17:21:20 +0800
+Subject: net/smc: check smcd_v2_ext_offset when receiving proposal msg
+
+From: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+
+[ Upstream commit 9ab332deb671d8f7e66d82a2ff2b3f715bc3a4ad ]
+
+When receiving proposal msg in server, the field smcd_v2_ext_offset in
+proposal msg is from the remote client and can not be fully trusted.
+Once the value of smcd_v2_ext_offset exceed the max value, there has
+the chance to access wrong address, and crash may happen.
+
+This patch checks the value of smcd_v2_ext_offset before using it.
+
+Fixes: 5c21c4ccafe8 ("net/smc: determine accepted ISM devices")
+Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+Reviewed-by: Wen Gu <guwen@linux.alibaba.com>
+Reviewed-by: D. Wythe <alibuda@linux.alibaba.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_clc.h | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/smc/smc_clc.h b/net/smc/smc_clc.h
+index 986dcd5db3ed..78a94b9122b6 100644
+--- a/net/smc/smc_clc.h
++++ b/net/smc/smc_clc.h
+@@ -311,9 +311,15 @@ smc_get_clc_v2_ext(struct smc_clc_msg_proposal *prop)
+ static inline struct smc_clc_smcd_v2_extension *
+ smc_get_clc_smcd_v2_ext(struct smc_clc_v2_extension *prop_v2ext)
+ {
++ u16 max_offset = offsetof(struct smc_clc_msg_proposal_area, pclc_smcd_v2_ext) -
++ offsetof(struct smc_clc_msg_proposal_area, pclc_v2_ext) -
++ offsetof(struct smc_clc_v2_extension, hdr) -
++ offsetofend(struct smc_clnt_opts_area_hdr, smcd_v2_ext_offset);
++
+ if (!prop_v2ext)
+ return NULL;
+- if (!ntohs(prop_v2ext->hdr.smcd_v2_ext_offset))
++ if (!ntohs(prop_v2ext->hdr.smcd_v2_ext_offset) ||
++ ntohs(prop_v2ext->hdr.smcd_v2_ext_offset) > max_offset)
+ return NULL;
+
+ return (struct smc_clc_smcd_v2_extension *)
+--
+2.39.5
+
--- /dev/null
+From 3ff9ddc227ccf58485c63f572c430bb3b4b8bcb6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2024 17:21:17 +0800
+Subject: net/smc: check sndbuf_space again after NOSPACE flag is set in
+ smc_poll
+
+From: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+
+[ Upstream commit 679e9ddcf90dbdf98aaaa71a492454654b627bcb ]
+
+When application sending data more than sndbuf_space, there have chances
+application will sleep in epoll_wait, and will never be wakeup again. This
+is caused by a race between smc_poll and smc_cdc_tx_handler.
+
+application tasklet
+smc_tx_sendmsg(len > sndbuf_space) |
+epoll_wait for EPOLL_OUT,timeout=0 |
+ smc_poll |
+ if (!smc->conn.sndbuf_space) |
+ | smc_cdc_tx_handler
+ | atomic_add sndbuf_space
+ | smc_tx_sndbuf_nonfull
+ | if (!test_bit SOCK_NOSPACE)
+ | do not sk_write_space;
+ set_bit SOCK_NOSPACE; |
+ return mask=0; |
+
+Application will sleep in epoll_wait as smc_poll returns 0. And
+smc_cdc_tx_handler will not call sk_write_space because the SOCK_NOSPACE
+has not be set. If there is no inflight cdc msg, sk_write_space will not be
+called any more, and application will sleep in epoll_wait forever.
+So check sndbuf_space again after NOSPACE flag is set to break the race.
+
+Fixes: 8dce2786a290 ("net/smc: smc_poll improvements")
+Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+Suggested-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index 4019f2dc9dee..fb299dbc0c26 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -2355,6 +2355,13 @@ static __poll_t smc_poll(struct file *file, struct socket *sock,
+ } else {
+ sk_set_bit(SOCKWQ_ASYNC_NOSPACE, sk);
+ set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
++
++ if (sk->sk_state != SMC_INIT) {
++ /* Race breaker the same way as tcp_poll(). */
++ smp_mb__after_atomic();
++ if (atomic_read(&smc->conn.sndbuf_space))
++ mask |= EPOLLOUT | EPOLLWRNORM;
++ }
+ }
+ if (atomic_read(&smc->conn.bytes_to_rcv))
+ mask |= EPOLLIN | EPOLLRDNORM;
+--
+2.39.5
+
--- /dev/null
+From 12b1661b6b4162c5ecbd69b9587e94d77b388f70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Dec 2024 17:25:18 +0000
+Subject: netdevsim: prevent bad user input in nsim_dev_health_break_write()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit ee76746387f6233bdfa93d7406990f923641568f ]
+
+If either a zero count or a large one is provided, kernel can crash.
+
+Fixes: 82c93a87bf8b ("netdevsim: implement couple of testing devlink health reporters")
+Reported-by: syzbot+ea40e4294e58b0292f74@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/675c6862.050a0220.37aaf.00b1.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: Joe Damato <jdamato@fastly.com>
+Link: https://patch.msgid.link/20241213172518.2415666-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/netdevsim/health.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/netdevsim/health.c b/drivers/net/netdevsim/health.c
+index 04aebdf85747..c9306506b741 100644
+--- a/drivers/net/netdevsim/health.c
++++ b/drivers/net/netdevsim/health.c
+@@ -235,6 +235,8 @@ static ssize_t nsim_dev_health_break_write(struct file *file,
+ char *break_msg;
+ int err;
+
++ if (count == 0 || count > PAGE_SIZE)
++ return -EINVAL;
+ break_msg = memdup_user_nul(data, count);
+ if (IS_ERR(break_msg))
+ return PTR_ERR(break_msg);
+--
+2.39.5
+
--- /dev/null
+From 8afc24fde00b00bd01163077cfa70e79cc4f4993 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Dec 2024 20:56:55 +0100
+Subject: netfilter: ipset: Fix for recursive locking warning
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 70b6f46a4ed8bd56c85ffff22df91e20e8c85e33 ]
+
+With CONFIG_PROVE_LOCKING, when creating a set of type bitmap:ip, adding
+it to a set of type list:set and populating it from iptables SET target
+triggers a kernel warning:
+
+| WARNING: possible recursive locking detected
+| 6.12.0-rc7-01692-g5e9a28f41134-dirty #594 Not tainted
+| --------------------------------------------
+| ping/4018 is trying to acquire lock:
+| ffff8881094a6848 (&set->lock){+.-.}-{2:2}, at: ip_set_add+0x28c/0x360 [ip_set]
+|
+| but task is already holding lock:
+| ffff88811034c048 (&set->lock){+.-.}-{2:2}, at: ip_set_add+0x28c/0x360 [ip_set]
+
+This is a false alarm: ipset does not allow nested list:set type, so the
+loop in list_set_kadd() can never encounter the outer set itself. No
+other set type supports embedded sets, so this is the only case to
+consider.
+
+To avoid the false report, create a distinct lock class for list:set
+type ipset locks.
+
+Fixes: f830837f0eed ("netfilter: ipset: list:set set type support")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipset/ip_set_list_set.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c
+index 902ff2f3bc72..5cc35b553a04 100644
+--- a/net/netfilter/ipset/ip_set_list_set.c
++++ b/net/netfilter/ipset/ip_set_list_set.c
+@@ -611,6 +611,8 @@ init_list_set(struct net *net, struct ip_set *set, u32 size)
+ return true;
+ }
+
++static struct lock_class_key list_set_lockdep_key;
++
+ static int
+ list_set_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
+ u32 flags)
+@@ -627,6 +629,7 @@ list_set_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
+ if (size < IP_SET_LIST_MIN_SIZE)
+ size = IP_SET_LIST_MIN_SIZE;
+
++ lockdep_set_class(&set->lock, &list_set_lockdep_key);
+ set->variant = &set_variant;
+ set->dsize = ip_set_elem_len(set, tb, sizeof(struct set_elem),
+ __alignof__(struct set_elem));
+--
+2.39.5
+
usb-dwc2-gadget-don-t-write-invalid-mapped-sg-entrie.patch
i2c-pnx-fix-timeout-in-wait-functions.patch
erofs-fix-incorrect-symlink-detection-in-fast-symlin.patch
+net-smc-check-sndbuf_space-again-after-nospace-flag-.patch
+net-smc-check-iparea_offset-and-ipv6_prefixes_cnt-wh.patch
+net-smc-check-smcd_v2_ext_offset-when-receiving-prop.patch
+net-smc-check-return-value-of-sock_recvmsg-when-drai.patch
+netdevsim-prevent-bad-user-input-in-nsim_dev_health_.patch
+ionic-fix-netdev-notifier-unregister-on-failure.patch
+ionic-use-ee-offset-when-returning-sprom-data.patch
+net-hinic-fix-cleanup-in-create_rxqs-txqs.patch
+net-ethernet-bgmac-platform-fix-an-of-node-reference.patch
+netfilter-ipset-fix-for-recursive-locking-warning.patch
+net-mdiobus-fix-an-of-node-reference-leak.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
