--- /dev/null
+From 381685868efb48ba05622ea307149c7708d8774b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Oct 2023 13:10:41 -0700
+Subject: dccp: Call security_inet_conn_request() after setting IPv4 addresses.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit fa2df45af13091f76b89adb84a28f13818d5d631 ]
+
+Initially, commit 4237c75c0a35 ("[MLSXFRM]: Auto-labeling of child
+sockets") introduced security_inet_conn_request() in some functions
+where reqsk is allocated. The hook is added just after the allocation,
+so reqsk's IPv4 remote address was not initialised then.
+
+However, SELinux/Smack started to read it in netlbl_req_setattr()
+after the cited commits.
+
+This bug was partially fixed by commit 284904aa7946 ("lsm: Relocate
+the IPv4 security_inet_conn_request() hooks").
+
+This patch fixes the last bug in DCCPv4.
+
+Fixes: 389fb800ac8b ("netlabel: Label incoming TCP connections correctly in SELinux")
+Fixes: 07feee8f812f ("netlabel: Cleanup the Smack/NetLabel code to fix incoming TCP connections")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/dccp/ipv4.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
+index 892fbd1f650da..5281ac3260f6f 100644
+--- a/net/dccp/ipv4.c
++++ b/net/dccp/ipv4.c
+@@ -612,9 +612,6 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
+ if (dccp_parse_options(sk, dreq, skb))
+ goto drop_and_free;
+
+- if (security_inet_conn_request(sk, skb, req))
+- goto drop_and_free;
+-
+ ireq = inet_rsk(req);
+ sk_rcv_saddr_set(req_to_sk(req), ip_hdr(skb)->daddr);
+ sk_daddr_set(req_to_sk(req), ip_hdr(skb)->saddr);
+@@ -622,6 +619,9 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
+ ireq->ireq_family = AF_INET;
+ ireq->ir_iif = sk->sk_bound_dev_if;
+
++ if (security_inet_conn_request(sk, skb, req))
++ goto drop_and_free;
++
+ /*
+ * Step 3: Process LISTEN state
+ *
+--
+2.42.0
+
--- /dev/null
+From d61c5670d499d6a1fe64da7d59d106d5e4b45d37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Oct 2023 13:10:42 -0700
+Subject: dccp/tcp: Call security_inet_conn_request() after setting IPv6
+ addresses.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 23be1e0e2a83a8543214d2599a31d9a2185a796b ]
+
+Initially, commit 4237c75c0a35 ("[MLSXFRM]: Auto-labeling of child
+sockets") introduced security_inet_conn_request() in some functions
+where reqsk is allocated. The hook is added just after the allocation,
+so reqsk's IPv6 remote address was not initialised then.
+
+However, SELinux/Smack started to read it in netlbl_req_setattr()
+after commit e1adea927080 ("calipso: Allow request sockets to be
+relabelled by the lsm.").
+
+Commit 284904aa7946 ("lsm: Relocate the IPv4 security_inet_conn_request()
+hooks") fixed that kind of issue only in TCPv4 because IPv6 labeling was
+not supported at that time. Finally, the same issue was introduced again
+in IPv6.
+
+Let's apply the same fix on DCCPv6 and TCPv6.
+
+Fixes: e1adea927080 ("calipso: Allow request sockets to be relabelled by the lsm.")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/dccp/ipv6.c | 6 +++---
+ net/ipv6/syncookies.c | 7 ++++---
+ 2 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
+index 9b8c6cf0e5eee..72ceefbf23120 100644
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -349,15 +349,15 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
+ if (dccp_parse_options(sk, dreq, skb))
+ goto drop_and_free;
+
+- if (security_inet_conn_request(sk, skb, req))
+- goto drop_and_free;
+-
+ ireq = inet_rsk(req);
+ ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr;
+ ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
+ ireq->ireq_family = AF_INET6;
+ ireq->ir_mark = inet_request_mark(sk, skb);
+
++ if (security_inet_conn_request(sk, skb, req))
++ goto drop_and_free;
++
+ if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) ||
+ np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
+ np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) {
+diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c
+index ca291e342900c..ab073ac3d7ace 100644
+--- a/net/ipv6/syncookies.c
++++ b/net/ipv6/syncookies.c
+@@ -184,14 +184,15 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
+ treq->af_specific = &tcp_request_sock_ipv6_ops;
+ treq->tfo_listener = false;
+
+- if (security_inet_conn_request(sk, skb, req))
+- goto out_free;
+-
+ req->mss = mss;
+ ireq->ir_rmt_port = th->source;
+ ireq->ir_num = ntohs(th->dest);
+ ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr;
+ ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
++
++ if (security_inet_conn_request(sk, skb, req))
++ goto out_free;
++
+ if (ipv6_opt_accepted(sk, skb, &TCP_SKB_CB(skb)->header.h6) ||
+ np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
+ np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) {
+--
+2.42.0
+
--- /dev/null
+From 3e79df4a633309b4f9e37ce966e762b80c39a752 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Oct 2023 02:53:36 +0000
+Subject: Input: synaptics-rmi4 - fix use after free in
+ rmi_unregister_function()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit eb988e46da2e4eae89f5337e047ce372fe33d5b1 ]
+
+The put_device() calls rmi_release_function() which frees "fn" so the
+dereference on the next line "fn->num_of_irqs" is a use after free.
+Move the put_device() to the end to fix this.
+
+Fixes: 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/706efd36-7561-42f3-adfa-dd1d0bd4f5a1@moroto.mountain
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/rmi4/rmi_bus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/input/rmi4/rmi_bus.c b/drivers/input/rmi4/rmi_bus.c
+index bd0d5ff01b08f..02408487b4423 100644
+--- a/drivers/input/rmi4/rmi_bus.c
++++ b/drivers/input/rmi4/rmi_bus.c
+@@ -279,11 +279,11 @@ void rmi_unregister_function(struct rmi_function *fn)
+
+ device_del(&fn->dev);
+ of_node_put(fn->dev.of_node);
+- put_device(&fn->dev);
+
+ for (i = 0; i < fn->num_of_irqs; i++)
+ irq_dispose_mapping(fn->irq[i]);
+
++ put_device(&fn->dev);
+ }
+
+ /**
+--
+2.42.0
+
--- /dev/null
+From 81f75739a333c75f600b9e9e814baa3577eb142b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Oct 2023 19:42:38 -0400
+Subject: llc: verify mac len before reading mac header
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 7b3ba18703a63f6fd487183b9262b08e5632da1b ]
+
+LLC reads the mac header with eth_hdr without verifying that the skb
+has an Ethernet header.
+
+Syzbot was able to enter llc_rcv on a tun device. Tun can insert
+packets without mac len and with user configurable skb->protocol
+(passing a tun_pi header when not configuring IFF_NO_PI).
+
+ BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]
+ BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111
+ llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]
+ llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111
+ llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218
+ __netif_receive_skb_one_core net/core/dev.c:5523 [inline]
+ __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637
+ netif_receive_skb_internal net/core/dev.c:5723 [inline]
+ netif_receive_skb+0x58/0x660 net/core/dev.c:5782
+ tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555
+ tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002
+
+Add a mac_len test before all three eth_hdr(skb) calls under net/llc.
+
+There are further uses in include/net/llc_pdu.h. All these are
+protected by a test skb->protocol == ETH_P_802_2. Which does not
+protect against this tun scenario.
+
+But the mac_len test added in this patch in llc_fixup_skb will
+indirectly protect those too. That is called from llc_rcv before any
+other LLC code.
+
+It is tempting to just add a blanket mac_len check in llc_rcv, but
+not sure whether that could break valid LLC paths that do not assume
+an Ethernet header. 802.2 LLC may be used on top of non-802.3
+protocols in principle. The below referenced commit shows that used
+to, on top of Token Ring.
+
+At least one of the three eth_hdr uses goes back to before the start
+of git history. But the one that syzbot exercises is introduced in
+this commit. That commit is old enough (2008), that effectively all
+stable kernels should receive this.
+
+Fixes: f83f1768f833 ("[LLC]: skb allocation size for responses")
+Reported-by: syzbot+a8c7be6dee0de1b669cc@syzkaller.appspotmail.com
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20231025234251.3796495-1-willemdebruijn.kernel@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/llc/llc_input.c | 10 ++++++++--
+ net/llc/llc_s_ac.c | 3 +++
+ net/llc/llc_station.c | 3 +++
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c
+index f9e801cc50f5e..f4fb309185ced 100644
+--- a/net/llc/llc_input.c
++++ b/net/llc/llc_input.c
+@@ -127,8 +127,14 @@ static inline int llc_fixup_skb(struct sk_buff *skb)
+ skb->transport_header += llc_len;
+ skb_pull(skb, llc_len);
+ if (skb->protocol == htons(ETH_P_802_2)) {
+- __be16 pdulen = eth_hdr(skb)->h_proto;
+- s32 data_size = ntohs(pdulen) - llc_len;
++ __be16 pdulen;
++ s32 data_size;
++
++ if (skb->mac_len < ETH_HLEN)
++ return 0;
++
++ pdulen = eth_hdr(skb)->h_proto;
++ data_size = ntohs(pdulen) - llc_len;
+
+ if (data_size < 0 ||
+ !pskb_may_pull(skb, data_size))
+diff --git a/net/llc/llc_s_ac.c b/net/llc/llc_s_ac.c
+index 9fa3342c7a829..df26557a02448 100644
+--- a/net/llc/llc_s_ac.c
++++ b/net/llc/llc_s_ac.c
+@@ -153,6 +153,9 @@ int llc_sap_action_send_test_r(struct llc_sap *sap, struct sk_buff *skb)
+ int rc = 1;
+ u32 data_size;
+
++ if (skb->mac_len < ETH_HLEN)
++ return 1;
++
+ llc_pdu_decode_sa(skb, mac_da);
+ llc_pdu_decode_da(skb, mac_sa);
+ llc_pdu_decode_ssap(skb, &dsap);
+diff --git a/net/llc/llc_station.c b/net/llc/llc_station.c
+index c29170e767a8c..64e2c67e16ba3 100644
+--- a/net/llc/llc_station.c
++++ b/net/llc/llc_station.c
+@@ -77,6 +77,9 @@ static int llc_station_ac_send_test_r(struct sk_buff *skb)
+ u32 data_size;
+ struct sk_buff *nskb;
+
++ if (skb->mac_len < ETH_HLEN)
++ goto out;
++
+ /* The test request command is type U (llc_len = 3) */
+ data_size = ntohs(eth_hdr(skb)->h_proto) - 3;
+ nskb = llc_alloc_frame(NULL, skb->dev, LLC_PDU_TYPE_U, data_size);
+--
+2.42.0
+
--- /dev/null
+From bcd2912edad5acd8890074d4f025a91d51c019bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Oct 2023 16:50:14 -0400
+Subject: net: r8169: Disable multicast filter for RTL8168H and RTL8107E
+
+From: Patrick Thompson <ptf@google.com>
+
+[ Upstream commit efa5f1311c4998e9e6317c52bc5ee93b3a0f36df ]
+
+RTL8168H and RTL8107E ethernet adapters erroneously filter unicast
+eapol packets unless allmulti is enabled. These devices correspond to
+RTL_GIGA_MAC_VER_46 and VER_48. Add an exception for VER_46 and VER_48
+in the same way that VER_35 has an exception.
+
+Fixes: 6e1d0b898818 ("r8169:add support for RTL8168H and RTL8107E")
+Signed-off-by: Patrick Thompson <ptf@google.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Heiner Kallweit <hkallweit1@gmail.com>
+Link: https://lore.kernel.org/r/20231030205031.177855-1-ptf@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
+index 2a59087364808..69d01b68cf6b7 100644
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -4626,7 +4626,9 @@ static void rtl_set_rx_mode(struct net_device *dev)
+ rx_mode |= AcceptAllPhys;
+ } else if (netdev_mc_count(dev) > MC_FILTER_LIMIT ||
+ dev->flags & IFF_ALLMULTI ||
+- tp->mac_version == RTL_GIGA_MAC_VER_35) {
++ tp->mac_version == RTL_GIGA_MAC_VER_35 ||
++ tp->mac_version == RTL_GIGA_MAC_VER_46 ||
++ tp->mac_version == RTL_GIGA_MAC_VER_48) {
+ /* accept all multicasts */
+ } else if (netdev_mc_empty(dev)) {
+ rx_mode &= ~AcceptMulticast;
+--
+2.42.0
+
--- /dev/null
+From 4f124bee513e45ec5b3452314080be37b1dea1f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Nov 2023 14:07:38 +0800
+Subject: net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT
+
+From: D. Wythe <alibuda@linux.alibaba.com>
+
+[ Upstream commit 5211c9729484c923f8d2e06bd29f9322cc42bb8f ]
+
+Considering scenario:
+
+ smc_cdc_rx_handler
+__smc_release
+ sock_set_flag
+smc_close_active()
+sock_set_flag
+
+__set_bit(DEAD) __set_bit(DONE)
+
+Dues to __set_bit is not atomic, the DEAD or DONE might be lost.
+if the DEAD flag lost, the state SMC_CLOSED will be never be reached
+in smc_close_passive_work:
+
+if (sock_flag(sk, SOCK_DEAD) &&
+ smc_close_sent_any_close(conn)) {
+ sk->sk_state = SMC_CLOSED;
+} else {
+ /* just shutdown, but not yet closed locally */
+ sk->sk_state = SMC_APPFINCLOSEWAIT;
+}
+
+Replace sock_set_flags or __set_bit to set_bit will fix this problem.
+Since set_bit is atomic.
+
+Fixes: b38d732477e4 ("smc: socket closing and linkgroup cleanup")
+Signed-off-by: D. Wythe <alibuda@linux.alibaba.com>
+Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c | 4 ++--
+ net/smc/smc.h | 5 +++++
+ net/smc/smc_cdc.c | 2 +-
+ net/smc/smc_close.c | 2 +-
+ 4 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index 6b30bec54b624..ad0ac657fe12c 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -141,7 +141,7 @@ static int smc_release(struct socket *sock)
+
+ if (!smc->use_fallback) {
+ rc = smc_close_active(smc);
+- sock_set_flag(sk, SOCK_DEAD);
++ smc_sock_set_flag(sk, SOCK_DEAD);
+ sk->sk_shutdown |= SHUTDOWN_MASK;
+ } else {
+ if (sk->sk_state != SMC_LISTEN && sk->sk_state != SMC_INIT)
+@@ -852,7 +852,7 @@ static int smc_clcsock_accept(struct smc_sock *lsmc, struct smc_sock **new_smc)
+ if (new_clcsock)
+ sock_release(new_clcsock);
+ new_sk->sk_state = SMC_CLOSED;
+- sock_set_flag(new_sk, SOCK_DEAD);
++ smc_sock_set_flag(new_sk, SOCK_DEAD);
+ sock_put(new_sk); /* final */
+ *new_smc = NULL;
+ goto out;
+diff --git a/net/smc/smc.h b/net/smc/smc.h
+index adbdf195eb085..c3b0e1e3f505d 100644
+--- a/net/smc/smc.h
++++ b/net/smc/smc.h
+@@ -268,4 +268,9 @@ static inline bool using_ipsec(struct smc_sock *smc)
+ struct sock *smc_accept_dequeue(struct sock *parent, struct socket *new_sock);
+ void smc_close_non_accepted(struct sock *sk);
+
++static inline void smc_sock_set_flag(struct sock *sk, enum sock_flags flag)
++{
++ set_bit(flag, &sk->sk_flags);
++}
++
+ #endif /* __SMC_H */
+diff --git a/net/smc/smc_cdc.c b/net/smc/smc_cdc.c
+index 333e4353498f8..c657fd29ff5d0 100644
+--- a/net/smc/smc_cdc.c
++++ b/net/smc/smc_cdc.c
+@@ -304,7 +304,7 @@ static void smc_cdc_msg_recv_action(struct smc_sock *smc,
+ smc->sk.sk_shutdown |= RCV_SHUTDOWN;
+ if (smc->clcsock && smc->clcsock->sk)
+ smc->clcsock->sk->sk_shutdown |= RCV_SHUTDOWN;
+- sock_set_flag(&smc->sk, SOCK_DONE);
++ smc_sock_set_flag(&smc->sk, SOCK_DONE);
+ sock_hold(&smc->sk); /* sock_put in close_work */
+ if (!schedule_work(&conn->close_work))
+ sock_put(&smc->sk);
+diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c
+index cac0773f5ebd9..4ea28ec7ad135 100644
+--- a/net/smc/smc_close.c
++++ b/net/smc/smc_close.c
+@@ -164,7 +164,7 @@ static void smc_close_active_abort(struct smc_sock *smc)
+ break;
+ }
+
+- sock_set_flag(sk, SOCK_DEAD);
++ smc_sock_set_flag(sk, SOCK_DEAD);
+ sk->sk_state_change(sk);
+ }
+
+--
+2.42.0
+
--- /dev/null
+From d120c8370a609dfe9ea110e7b1c9aad12d3510de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Feb 2019 15:56:15 +0100
+Subject: net/smc: postpone release of clcsock
+
+From: Ursula Braun <ubraun@linux.ibm.com>
+
+[ Upstream commit b03faa1fafc8018295401dc558bdc76362d860a4 ]
+
+According to RFC7609 (http://www.rfc-editor.org/info/rfc7609)
+first the SMC-R connection is shut down and then the normal TCP
+connection FIN processing drives cleanup of the internal TCP connection.
+The unconditional release of the clcsock during active socket closing
+has to be postponed if the peer has not yet signalled socket closing.
+
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 5211c9729484 ("net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c | 33 +++++++++++++++++----------------
+ net/smc/smc_close.c | 7 ++++++-
+ 2 files changed, 23 insertions(+), 17 deletions(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index dcd00b514c3f9..6f342f6cc4876 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -143,32 +143,33 @@ static int smc_release(struct socket *sock)
+ rc = smc_close_active(smc);
+ sock_set_flag(sk, SOCK_DEAD);
+ sk->sk_shutdown |= SHUTDOWN_MASK;
+- }
+-
+- sk->sk_prot->unhash(sk);
+-
+- if (smc->clcsock) {
+- if (smc->use_fallback && sk->sk_state == SMC_LISTEN) {
++ } else {
++ if (sk->sk_state != SMC_LISTEN && sk->sk_state != SMC_INIT)
++ sock_put(sk); /* passive closing */
++ if (sk->sk_state == SMC_LISTEN) {
+ /* wake up clcsock accept */
+ rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR);
+ }
+- mutex_lock(&smc->clcsock_release_lock);
+- sock_release(smc->clcsock);
+- smc->clcsock = NULL;
+- mutex_unlock(&smc->clcsock_release_lock);
+- }
+- if (smc->use_fallback) {
+- if (sk->sk_state != SMC_LISTEN && sk->sk_state != SMC_INIT)
+- sock_put(sk); /* passive closing */
+ sk->sk_state = SMC_CLOSED;
+ sk->sk_state_change(sk);
+ }
+
++ sk->sk_prot->unhash(sk);
++
++ if (sk->sk_state == SMC_CLOSED) {
++ if (smc->clcsock) {
++ mutex_lock(&smc->clcsock_release_lock);
++ sock_release(smc->clcsock);
++ smc->clcsock = NULL;
++ mutex_unlock(&smc->clcsock_release_lock);
++ }
++ if (!smc->use_fallback)
++ smc_conn_free(&smc->conn);
++ }
++
+ /* detach socket */
+ sock_orphan(sk);
+ sock->sk = NULL;
+- if (!smc->use_fallback && sk->sk_state == SMC_CLOSED)
+- smc_conn_free(&smc->conn);
+ release_sock(sk);
+
+ sock_put(sk); /* final sock_put */
+diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c
+index 092696d738c00..3e7858793d485 100644
+--- a/net/smc/smc_close.c
++++ b/net/smc/smc_close.c
+@@ -415,8 +415,13 @@ static void smc_close_passive_work(struct work_struct *work)
+ if (old_state != sk->sk_state) {
+ sk->sk_state_change(sk);
+ if ((sk->sk_state == SMC_CLOSED) &&
+- (sock_flag(sk, SOCK_DEAD) || !sk->sk_socket))
++ (sock_flag(sk, SOCK_DEAD) || !sk->sk_socket)) {
+ smc_conn_free(conn);
++ if (smc->clcsock) {
++ sock_release(smc->clcsock);
++ smc->clcsock = NULL;
++ }
++ }
+ }
+ release_sock(sk);
+ sock_put(sk); /* sock_hold done by schedulers of close_work */
+--
+2.42.0
+
--- /dev/null
+From d22709c558721a5d95c7e9de0c123c3c17ceada0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Apr 2019 11:17:30 +0200
+Subject: net/smc: wait for pending work before clcsock release_sock
+
+From: Karsten Graul <kgraul@linux.ibm.com>
+
+[ Upstream commit fd57770dd198f5b2ddd5b9e6bf282cf98d63adb9 ]
+
+When the clcsock is already released using sock_release() and a pending
+smc_listen_work accesses the clcsock than that will fail. Solve this
+by canceling and waiting for the work to complete first. Because the
+work holds the sock_lock it must make sure that the lock is not hold
+before the new helper smc_clcsock_release() is invoked. And before the
+smc_listen_work starts working check if the parent listen socket is
+still valid, otherwise stop the work early.
+
+Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 5211c9729484 ("net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c | 14 ++++++++------
+ net/smc/smc_close.c | 25 +++++++++++++++++++++----
+ net/smc/smc_close.h | 1 +
+ 3 files changed, 30 insertions(+), 10 deletions(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index 6f342f6cc4876..6b30bec54b624 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -158,10 +158,9 @@ static int smc_release(struct socket *sock)
+
+ if (sk->sk_state == SMC_CLOSED) {
+ if (smc->clcsock) {
+- mutex_lock(&smc->clcsock_release_lock);
+- sock_release(smc->clcsock);
+- smc->clcsock = NULL;
+- mutex_unlock(&smc->clcsock_release_lock);
++ release_sock(sk);
++ smc_clcsock_release(smc);
++ lock_sock(sk);
+ }
+ if (!smc->use_fallback)
+ smc_conn_free(&smc->conn);
+@@ -1014,13 +1013,13 @@ static void smc_listen_out(struct smc_sock *new_smc)
+ struct smc_sock *lsmc = new_smc->listen_smc;
+ struct sock *newsmcsk = &new_smc->sk;
+
+- lock_sock_nested(&lsmc->sk, SINGLE_DEPTH_NESTING);
+ if (lsmc->sk.sk_state == SMC_LISTEN) {
++ lock_sock_nested(&lsmc->sk, SINGLE_DEPTH_NESTING);
+ smc_accept_enqueue(&lsmc->sk, newsmcsk);
++ release_sock(&lsmc->sk);
+ } else { /* no longer listening */
+ smc_close_non_accepted(newsmcsk);
+ }
+- release_sock(&lsmc->sk);
+
+ /* Wake up accept */
+ lsmc->sk.sk_data_ready(&lsmc->sk);
+@@ -1216,6 +1215,9 @@ static void smc_listen_work(struct work_struct *work)
+ int rc = 0;
+ u8 ibport;
+
++ if (new_smc->listen_smc->sk.sk_state != SMC_LISTEN)
++ return smc_listen_out_err(new_smc);
++
+ if (new_smc->use_fallback) {
+ smc_listen_out_connected(new_smc);
+ return;
+diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c
+index 3e7858793d485..cac0773f5ebd9 100644
+--- a/net/smc/smc_close.c
++++ b/net/smc/smc_close.c
+@@ -21,6 +21,22 @@
+
+ #define SMC_CLOSE_WAIT_LISTEN_CLCSOCK_TIME (5 * HZ)
+
++/* release the clcsock that is assigned to the smc_sock */
++void smc_clcsock_release(struct smc_sock *smc)
++{
++ struct socket *tcp;
++
++ if (smc->listen_smc && current_work() != &smc->smc_listen_work)
++ cancel_work_sync(&smc->smc_listen_work);
++ mutex_lock(&smc->clcsock_release_lock);
++ if (smc->clcsock) {
++ tcp = smc->clcsock;
++ smc->clcsock = NULL;
++ sock_release(tcp);
++ }
++ mutex_unlock(&smc->clcsock_release_lock);
++}
++
+ static void smc_close_cleanup_listen(struct sock *parent)
+ {
+ struct sock *sk;
+@@ -331,6 +347,7 @@ static void smc_close_passive_work(struct work_struct *work)
+ close_work);
+ struct smc_sock *smc = container_of(conn, struct smc_sock, conn);
+ struct smc_cdc_conn_state_flags *rxflags;
++ bool release_clcsock = false;
+ struct sock *sk = &smc->sk;
+ int old_state;
+
+@@ -417,13 +434,13 @@ static void smc_close_passive_work(struct work_struct *work)
+ if ((sk->sk_state == SMC_CLOSED) &&
+ (sock_flag(sk, SOCK_DEAD) || !sk->sk_socket)) {
+ smc_conn_free(conn);
+- if (smc->clcsock) {
+- sock_release(smc->clcsock);
+- smc->clcsock = NULL;
+- }
++ if (smc->clcsock)
++ release_clcsock = true;
+ }
+ }
+ release_sock(sk);
++ if (release_clcsock)
++ smc_clcsock_release(smc);
+ sock_put(sk); /* sock_hold done by schedulers of close_work */
+ }
+
+diff --git a/net/smc/smc_close.h b/net/smc/smc_close.h
+index 19eb6a211c23c..e0e3b5df25d24 100644
+--- a/net/smc/smc_close.h
++++ b/net/smc/smc_close.h
+@@ -23,5 +23,6 @@ void smc_close_wake_tx_prepared(struct smc_sock *smc);
+ int smc_close_active(struct smc_sock *smc);
+ int smc_close_shutdown_write(struct smc_sock *smc);
+ void smc_close_init(struct smc_sock *smc);
++void smc_clcsock_release(struct smc_sock *smc);
+
+ #endif /* SMC_CLOSE_H */
+--
+2.42.0
+
--- /dev/null
+From 7d8c0562c7eeac71e0cb1bc90955fbdb98e5293a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Nov 2023 11:56:00 -0800
+Subject: netfilter: xt_recent: fix (increase) ipv6 literal buffer length
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Żenczykowski <zenczykowski@gmail.com>
+
+[ Upstream commit 7b308feb4fd2d1c06919445c65c8fbf8e9fd1781 ]
+
+in6_pton() supports 'low-32-bit dot-decimal representation'
+(this is useful with DNS64/NAT64 networks for example):
+
+ # echo +aaaa:bbbb:cccc:dddd:eeee:ffff:1.2.3.4 > /proc/self/net/xt_recent/DEFAULT
+ # cat /proc/self/net/xt_recent/DEFAULT
+ src=aaaa:bbbb:cccc:dddd:eeee:ffff:0102:0304 ttl: 0 last_seen: 9733848829 oldest_pkt: 1 9733848829
+
+but the provided buffer is too short:
+
+ # echo +aaaa:bbbb:cccc:dddd:eeee:ffff:255.255.255.255 > /proc/self/net/xt_recent/DEFAULT
+ -bash: echo: write error: Invalid argument
+
+Fixes: 079aa88fe717 ("netfilter: xt_recent: IPv6 support")
+Signed-off-by: Maciej Żenczykowski <zenczykowski@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_recent.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
+index cb58bc7ae30d3..2dbf92346a7e5 100644
+--- a/net/netfilter/xt_recent.c
++++ b/net/netfilter/xt_recent.c
+@@ -566,7 +566,7 @@ recent_mt_proc_write(struct file *file, const char __user *input,
+ {
+ struct recent_table *t = PDE_DATA(file_inode(file));
+ struct recent_entry *e;
+- char buf[sizeof("+b335:1d35:1e55:dead:c0de:1715:5afe:c0de")];
++ char buf[sizeof("+b335:1d35:1e55:dead:c0de:1715:255.255.255.255")];
+ const char *c = buf;
+ union nf_inet_addr addr = {};
+ u_int16_t family;
+--
+2.42.0
+
--- /dev/null
+From ed7b681bb9ee7f3abe837321d259d22b6e8be596 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Oct 2023 10:54:14 -0700
+Subject: pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Florian Fainelli <florian.fainelli@broadcom.com>
+
+[ Upstream commit e9bc4411548aaa738905d37851a0146c16b3bb21 ]
+
+The suspend/resume functions currently utilize
+clk_disable()/clk_enable() respectively which may be no-ops with certain
+clock providers such as SCMI. Fix this to use clk_disable_unprepare()
+and clk_prepare_enable() respectively as we should.
+
+Fixes: 3a9f5957020f ("pwm: Add Broadcom BCM7038 PWM controller support")
+Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-brcmstb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pwm/pwm-brcmstb.c b/drivers/pwm/pwm-brcmstb.c
+index 8063cffa1c960..5d7842a62d594 100644
+--- a/drivers/pwm/pwm-brcmstb.c
++++ b/drivers/pwm/pwm-brcmstb.c
+@@ -307,7 +307,7 @@ static int brcmstb_pwm_suspend(struct device *dev)
+ {
+ struct brcmstb_pwm *p = dev_get_drvdata(dev);
+
+- clk_disable(p->clk);
++ clk_disable_unprepare(p->clk);
+
+ return 0;
+ }
+@@ -316,7 +316,7 @@ static int brcmstb_pwm_resume(struct device *dev)
+ {
+ struct brcmstb_pwm *p = dev_get_drvdata(dev);
+
+- clk_enable(p->clk);
++ clk_prepare_enable(p->clk);
+
+ return 0;
+ }
+--
+2.42.0
+
--- /dev/null
+From b47cefe5ec054279ffa143f22c2a834fd30d4324 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Nov 2020 19:24:29 +0100
+Subject: pwm: sti: Avoid conditional gotos
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thierry Reding <thierry.reding@gmail.com>
+
+[ Upstream commit fd3ae02bb66f091e55f363d32eca7b4039977bf5 ]
+
+Using gotos for conditional code complicates this code significantly.
+Convert the code to simple conditional blocks to increase readability.
+
+Suggested-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Acked-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Stable-dep-of: 2d6812b41e0d ("pwm: sti: Reduce number of allocations and drop usage of chip_data")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-sti.c | 48 ++++++++++++++++++++-----------------------
+ 1 file changed, 22 insertions(+), 26 deletions(-)
+
+diff --git a/drivers/pwm/pwm-sti.c b/drivers/pwm/pwm-sti.c
+index 2b7c31c9d1ab2..f413b41dc69d8 100644
+--- a/drivers/pwm/pwm-sti.c
++++ b/drivers/pwm/pwm-sti.c
+@@ -599,38 +599,34 @@ static int sti_pwm_probe(struct platform_device *pdev)
+ if (ret)
+ return ret;
+
+- if (!cdata->pwm_num_devs)
+- goto skip_pwm;
+-
+- pc->pwm_clk = of_clk_get_by_name(dev->of_node, "pwm");
+- if (IS_ERR(pc->pwm_clk)) {
+- dev_err(dev, "failed to get PWM clock\n");
+- return PTR_ERR(pc->pwm_clk);
+- }
++ if (cdata->pwm_num_devs) {
++ pc->pwm_clk = of_clk_get_by_name(dev->of_node, "pwm");
++ if (IS_ERR(pc->pwm_clk)) {
++ dev_err(dev, "failed to get PWM clock\n");
++ return PTR_ERR(pc->pwm_clk);
++ }
+
+- ret = clk_prepare(pc->pwm_clk);
+- if (ret) {
+- dev_err(dev, "failed to prepare clock\n");
+- return ret;
++ ret = clk_prepare(pc->pwm_clk);
++ if (ret) {
++ dev_err(dev, "failed to prepare clock\n");
++ return ret;
++ }
+ }
+
+-skip_pwm:
+- if (!cdata->cpt_num_devs)
+- goto skip_cpt;
+-
+- pc->cpt_clk = of_clk_get_by_name(dev->of_node, "capture");
+- if (IS_ERR(pc->cpt_clk)) {
+- dev_err(dev, "failed to get PWM capture clock\n");
+- return PTR_ERR(pc->cpt_clk);
+- }
++ if (cdata->cpt_num_devs) {
++ pc->cpt_clk = of_clk_get_by_name(dev->of_node, "capture");
++ if (IS_ERR(pc->cpt_clk)) {
++ dev_err(dev, "failed to get PWM capture clock\n");
++ return PTR_ERR(pc->cpt_clk);
++ }
+
+- ret = clk_prepare(pc->cpt_clk);
+- if (ret) {
+- dev_err(dev, "failed to prepare clock\n");
+- return ret;
++ ret = clk_prepare(pc->cpt_clk);
++ if (ret) {
++ dev_err(dev, "failed to prepare clock\n");
++ return ret;
++ }
+ }
+
+-skip_cpt:
+ pc->chip.dev = dev;
+ pc->chip.ops = &sti_pwm_ops;
+ pc->chip.base = -1;
+--
+2.42.0
+
--- /dev/null
+From f19753c15a801e93ecad0fba3f4ba40598d14ab4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jul 2023 10:06:48 +0200
+Subject: pwm: sti: Reduce number of allocations and drop usage of chip_data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 2d6812b41e0d832919d72c72ebddf361df53ba1b ]
+
+Instead of using one allocation per capture channel, use a single one. Also
+store it in driver data instead of chip data.
+
+This has several advantages:
+
+ - driver data isn't cleared when pwm_put() is called
+ - Reduces memory fragmentation
+
+Also register the pwm chip only after the per capture channel data is
+initialized as the capture callback relies on this initialization and it
+might be called even before pwmchip_add() returns.
+
+It would be still better to have struct sti_pwm_compat_data and the
+per-channel data struct sti_cpt_ddata in a single memory chunk, but that's
+not easily possible because the number of capture channels isn't known yet
+when the driver data struct is allocated.
+
+Fixes: e926b12c611c ("pwm: Clear chip_data in pwm_put()")
+Reported-by: George Stark <gnstark@sberdevices.ru>
+Fixes: c97267ae831d ("pwm: sti: Add PWM capture callback")
+Link: https://lore.kernel.org/r/20230705080650.2353391-7-u.kleine-koenig@pengutronix.de
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-sti.c | 29 ++++++++++++++---------------
+ 1 file changed, 14 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/pwm/pwm-sti.c b/drivers/pwm/pwm-sti.c
+index f413b41dc69d8..059650d8118e0 100644
+--- a/drivers/pwm/pwm-sti.c
++++ b/drivers/pwm/pwm-sti.c
+@@ -83,6 +83,7 @@ struct sti_pwm_compat_data {
+ unsigned int cpt_num_devs;
+ unsigned int max_pwm_cnt;
+ unsigned int max_prescale;
++ struct sti_cpt_ddata *ddata;
+ };
+
+ struct sti_pwm_chip {
+@@ -318,7 +319,7 @@ static int sti_pwm_capture(struct pwm_chip *chip, struct pwm_device *pwm,
+ {
+ struct sti_pwm_chip *pc = to_sti_pwmchip(chip);
+ struct sti_pwm_compat_data *cdata = pc->cdata;
+- struct sti_cpt_ddata *ddata = pwm_get_chip_data(pwm);
++ struct sti_cpt_ddata *ddata = &cdata->ddata[pwm->hwpwm];
+ struct device *dev = pc->dev;
+ unsigned int effective_ticks;
+ unsigned long long high, low;
+@@ -421,7 +422,7 @@ static irqreturn_t sti_pwm_interrupt(int irq, void *data)
+ while (cpt_int_stat) {
+ devicenum = ffs(cpt_int_stat) - 1;
+
+- ddata = pwm_get_chip_data(&pc->chip.pwms[devicenum]);
++ ddata = &pc->cdata->ddata[devicenum];
+
+ /*
+ * Capture input:
+@@ -625,6 +626,10 @@ static int sti_pwm_probe(struct platform_device *pdev)
+ dev_err(dev, "failed to prepare clock\n");
+ return ret;
+ }
++
++ cdata->ddata = devm_kzalloc(dev, cdata->cpt_num_devs * sizeof(*cdata->ddata), GFP_KERNEL);
++ if (!cdata->ddata)
++ return -ENOMEM;
+ }
+
+ pc->chip.dev = dev;
+@@ -632,24 +637,18 @@ static int sti_pwm_probe(struct platform_device *pdev)
+ pc->chip.base = -1;
+ pc->chip.npwm = pc->cdata->pwm_num_devs;
+
+- ret = pwmchip_add(&pc->chip);
+- if (ret < 0) {
+- clk_unprepare(pc->pwm_clk);
+- clk_unprepare(pc->cpt_clk);
+- return ret;
+- }
+-
+ for (i = 0; i < cdata->cpt_num_devs; i++) {
+- struct sti_cpt_ddata *ddata;
+-
+- ddata = devm_kzalloc(dev, sizeof(*ddata), GFP_KERNEL);
+- if (!ddata)
+- return -ENOMEM;
++ struct sti_cpt_ddata *ddata = &cdata->ddata[i];
+
+ init_waitqueue_head(&ddata->wait);
+ mutex_init(&ddata->lock);
++ }
+
+- pwm_set_chip_data(&pc->chip.pwms[i], ddata);
++ ret = pwmchip_add(&pc->chip);
++ if (ret < 0) {
++ clk_unprepare(pc->pwm_clk);
++ clk_unprepare(pc->cpt_clk);
++ return ret;
+ }
+
+ platform_set_drvdata(pdev, pc);
+--
+2.42.0
+
--- /dev/null
+From 4665552afcf6462286649e4818f3b4fb3c7c5525 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jul 2019 23:34:45 +0200
+Subject: r8169: improve rtl_set_rx_mode
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit 81cd17a4121d7dc7cad28e51251f31ff12b1de2b ]
+
+This patch improves and simplifies rtl_set_rx_mode a little.
+No functional change intended.
+
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: efa5f1311c49 ("net: r8169: Disable multicast filter for RTL8168H and RTL8107E")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 52 ++++++++++-------------
+ 1 file changed, 22 insertions(+), 30 deletions(-)
+
+diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
+index 92875a935eb13..2a59087364808 100644
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -66,7 +66,7 @@
+
+ /* Maximum number of multicast addresses to filter (vs. Rx-all-multicast).
+ The RTL chips use a 64 element hash table based on the Ethernet CRC. */
+-static const int multicast_filter_limit = 32;
++#define MC_FILTER_LIMIT 32
+
+ #define TX_DMA_BURST 7 /* Maximum PCI burst, '7' is unlimited */
+ #define InterFrameGap 0x03 /* 3 means InterFrameGap = the shortest one */
+@@ -4614,54 +4614,46 @@ static void rtl8169_set_magic_reg(struct rtl8169_private *tp, unsigned mac_versi
+
+ static void rtl_set_rx_mode(struct net_device *dev)
+ {
++ u32 rx_mode = AcceptBroadcast | AcceptMyPhys | AcceptMulticast;
++ /* Multicast hash filter */
++ u32 mc_filter[2] = { 0xffffffff, 0xffffffff };
+ struct rtl8169_private *tp = netdev_priv(dev);
+- u32 mc_filter[2]; /* Multicast hash filter */
+- int rx_mode;
+- u32 tmp = 0;
++ u32 tmp;
+
+ if (dev->flags & IFF_PROMISC) {
+ /* Unconditionally log net taps. */
+ netif_notice(tp, link, dev, "Promiscuous mode enabled\n");
+- rx_mode =
+- AcceptBroadcast | AcceptMulticast | AcceptMyPhys |
+- AcceptAllPhys;
+- mc_filter[1] = mc_filter[0] = 0xffffffff;
+- } else if ((netdev_mc_count(dev) > multicast_filter_limit) ||
+- (dev->flags & IFF_ALLMULTI)) {
+- /* Too many to filter perfectly -- accept all multicasts. */
+- rx_mode = AcceptBroadcast | AcceptMulticast | AcceptMyPhys;
+- mc_filter[1] = mc_filter[0] = 0xffffffff;
++ rx_mode |= AcceptAllPhys;
++ } else if (netdev_mc_count(dev) > MC_FILTER_LIMIT ||
++ dev->flags & IFF_ALLMULTI ||
++ tp->mac_version == RTL_GIGA_MAC_VER_35) {
++ /* accept all multicasts */
++ } else if (netdev_mc_empty(dev)) {
++ rx_mode &= ~AcceptMulticast;
+ } else {
+ struct netdev_hw_addr *ha;
+
+- rx_mode = AcceptBroadcast | AcceptMyPhys;
+ mc_filter[1] = mc_filter[0] = 0;
+ netdev_for_each_mc_addr(ha, dev) {
+- int bit_nr = ether_crc(ETH_ALEN, ha->addr) >> 26;
+- mc_filter[bit_nr >> 5] |= 1 << (bit_nr & 31);
+- rx_mode |= AcceptMulticast;
++ u32 bit_nr = ether_crc(ETH_ALEN, ha->addr) >> 26;
++ mc_filter[bit_nr >> 5] |= BIT(bit_nr & 31);
++ }
++
++ if (tp->mac_version > RTL_GIGA_MAC_VER_06) {
++ tmp = mc_filter[0];
++ mc_filter[0] = swab32(mc_filter[1]);
++ mc_filter[1] = swab32(tmp);
+ }
+ }
+
+ if (dev->features & NETIF_F_RXALL)
+ rx_mode |= (AcceptErr | AcceptRunt);
+
+- tmp = (RTL_R32(tp, RxConfig) & ~RX_CONFIG_ACCEPT_MASK) | rx_mode;
+-
+- if (tp->mac_version > RTL_GIGA_MAC_VER_06) {
+- u32 data = mc_filter[0];
+-
+- mc_filter[0] = swab32(mc_filter[1]);
+- mc_filter[1] = swab32(data);
+- }
+-
+- if (tp->mac_version == RTL_GIGA_MAC_VER_35)
+- mc_filter[1] = mc_filter[0] = 0xffffffff;
+-
+ RTL_W32(tp, MAR0 + 4, mc_filter[1]);
+ RTL_W32(tp, MAR0 + 0, mc_filter[0]);
+
+- RTL_W32(tp, RxConfig, tmp);
++ tmp = RTL_R32(tp, RxConfig);
++ RTL_W32(tp, RxConfig, (tmp & ~RX_CONFIG_ACCEPT_MASK) | rx_mode);
+ }
+
+ static void rtl_hw_start(struct rtl8169_private *tp)
+--
+2.42.0
+
--- /dev/null
+From 63651b496cb36afa612516d817aa57805c05db0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Nov 2023 23:43:36 +0100
+Subject: r8169: respect userspace disabling IFF_MULTICAST
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit 8999ce4cfc87e61b4143ec2e7b93d8e92e11fa7f ]
+
+So far we ignore the setting of IFF_MULTICAST. Fix this and clear bit
+AcceptMulticast if IFF_MULTICAST isn't set.
+
+Note: Based on the implementations I've seen it doesn't seem to be 100% clear
+what a driver is supposed to do if IFF_ALLMULTI is set but IFF_MULTICAST
+is not. This patch is based on the understanding that IFF_MULTICAST has
+precedence.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Link: https://lore.kernel.org/r/4a57ba02-d52d-4369-9f14-3565e6c1f7dc@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
+index 69d01b68cf6b7..d6b01f34cfa4f 100644
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -4624,6 +4624,8 @@ static void rtl_set_rx_mode(struct net_device *dev)
+ /* Unconditionally log net taps. */
+ netif_notice(tp, link, dev, "Promiscuous mode enabled\n");
+ rx_mode |= AcceptAllPhys;
++ } else if (!(dev->flags & IFF_MULTICAST)) {
++ rx_mode &= ~AcceptMulticast;
+ } else if (netdev_mc_count(dev) > MC_FILTER_LIMIT ||
+ dev->flags & IFF_ALLMULTI ||
+ tp->mac_version == RTL_GIGA_MAC_VER_35 ||
+--
+2.42.0
+
media-bttv-fix-use-after-free-error-due-to-btv-timeo.patch
media-s3c-camif-avoid-inappropriate-kfree.patch
media-dvb-usb-v2-af9035-fix-missing-unlock.patch
+pwm-sti-avoid-conditional-gotos.patch
+pwm-sti-reduce-number-of-allocations-and-drop-usage-.patch
+pwm-brcmstb-utilize-appropriate-clock-apis-in-suspen.patch
+input-synaptics-rmi4-fix-use-after-free-in-rmi_unreg.patch
+llc-verify-mac-len-before-reading-mac-header.patch
+tipc-change-nla_policy-for-bearer-related-names-to-n.patch
+dccp-call-security_inet_conn_request-after-setting-i.patch
+dccp-tcp-call-security_inet_conn_request-after-setti.patch
+r8169-improve-rtl_set_rx_mode.patch
+net-r8169-disable-multicast-filter-for-rtl8168h-and-.patch
+net-smc-postpone-release-of-clcsock.patch
+net-smc-wait-for-pending-work-before-clcsock-release.patch
+net-smc-fix-dangling-sock-under-state-smc_appfinclos.patch
+tg3-power-down-device-only-on-system_power_off.patch
+r8169-respect-userspace-disabling-iff_multicast.patch
+netfilter-xt_recent-fix-increase-ipv6-literal-buffer.patch
--- /dev/null
+From b2f03e4dc631dc6cf850251451c5bc5942eccc60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Nov 2023 13:50:29 +0200
+Subject: tg3: power down device only on SYSTEM_POWER_OFF
+
+From: George Shuklin <george.shuklin@gmail.com>
+
+[ Upstream commit 9fc3bc7643341dc5be7d269f3d3dbe441d8d7ac3 ]
+
+Dell R650xs servers hangs on reboot if tg3 driver calls
+tg3_power_down.
+
+This happens only if network adapters (BCM5720 for R650xs) were
+initialized using SNP (e.g. by booting ipxe.efi).
+
+The actual problem is on Dell side, but this fix allows servers
+to come back alive after reboot.
+
+Signed-off-by: George Shuklin <george.shuklin@gmail.com>
+Fixes: 2ca1c94ce0b6 ("tg3: Disable tg3 device on system reboot to avoid triggering AER")
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Reviewed-by: Michael Chan <michael.chan@broadcom.com>
+Link: https://lore.kernel.org/r/20231103115029.83273-1-george.shuklin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/tg3.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
+index 43b83a3a28049..f0b5c8a4d29f5 100644
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -18217,7 +18217,8 @@ static void tg3_shutdown(struct pci_dev *pdev)
+ if (netif_running(dev))
+ dev_close(dev);
+
+- tg3_power_down(tp);
++ if (system_state == SYSTEM_POWER_OFF)
++ tg3_power_down(tp);
+
+ rtnl_unlock();
+
+--
+2.42.0
+
--- /dev/null
+From ea964a6d49cee65f948734fbd3b6a5d236c846ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Oct 2023 16:55:40 +0900
+Subject: tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit 19b3f72a41a8751e26bffc093bb7e1cef29ad579 ]
+
+syzbot reported the following uninit-value access issue [1]:
+
+=====================================================
+BUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline]
+BUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756
+ strlen lib/string.c:418 [inline]
+ strstr+0xb8/0x2f0 lib/string.c:756
+ tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595
+ genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline]
+ genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]
+ genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066
+ netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545
+ genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075
+ netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
+ netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368
+ netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ sock_sendmsg net/socket.c:753 [inline]
+ ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541
+ ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595
+ __sys_sendmsg net/socket.c:2624 [inline]
+ __do_sys_sendmsg net/socket.c:2633 [inline]
+ __se_sys_sendmsg net/socket.c:2631 [inline]
+ __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Uninit was created at:
+ slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767
+ slab_alloc_node mm/slub.c:3478 [inline]
+ kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523
+ kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559
+ __alloc_skb+0x318/0x740 net/core/skbuff.c:650
+ alloc_skb include/linux/skbuff.h:1286 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline]
+ netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ sock_sendmsg net/socket.c:753 [inline]
+ ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541
+ ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595
+ __sys_sendmsg net/socket.c:2624 [inline]
+ __do_sys_sendmsg net/socket.c:2633 [inline]
+ __se_sys_sendmsg net/socket.c:2631 [inline]
+ __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+TIPC bearer-related names including link names must be null-terminated
+strings. If a link name which is not null-terminated is passed through
+netlink, strstr() and similar functions can cause buffer overrun. This
+causes the above issue.
+
+This patch changes the nla_policy for bearer-related names from NLA_STRING
+to NLA_NUL_STRING. This resolves the issue by ensuring that only
+null-terminated strings are accepted as bearer-related names.
+
+syzbot reported similar uninit-value issue related to bearer names [2]. The
+root cause of this issue is that a non-null-terminated bearer name was
+passed. This patch also resolved this issue.
+
+Fixes: 7be57fc69184 ("tipc: add link get/dump to new netlink api")
+Fixes: 0655f6a8635b ("tipc: add bearer disable/enable to new netlink api")
+Reported-and-tested-by: syzbot+5138ca807af9d2b42574@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=5138ca807af9d2b42574 [1]
+Reported-and-tested-by: syzbot+9425c47dccbcb4c17d51@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=9425c47dccbcb4c17d51 [2]
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Link: https://lore.kernel.org/r/20231030075540.3784537-1-syoshida@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/netlink.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c
+index 9b36163d951eb..bf11d57ef3aea 100644
+--- a/net/tipc/netlink.c
++++ b/net/tipc/netlink.c
+@@ -87,7 +87,7 @@ const struct nla_policy tipc_nl_net_policy[TIPC_NLA_NET_MAX + 1] = {
+
+ const struct nla_policy tipc_nl_link_policy[TIPC_NLA_LINK_MAX + 1] = {
+ [TIPC_NLA_LINK_UNSPEC] = { .type = NLA_UNSPEC },
+- [TIPC_NLA_LINK_NAME] = { .type = NLA_STRING,
++ [TIPC_NLA_LINK_NAME] = { .type = NLA_NUL_STRING,
+ .len = TIPC_MAX_LINK_NAME },
+ [TIPC_NLA_LINK_MTU] = { .type = NLA_U32 },
+ [TIPC_NLA_LINK_BROADCAST] = { .type = NLA_FLAG },
+@@ -116,7 +116,7 @@ const struct nla_policy tipc_nl_prop_policy[TIPC_NLA_PROP_MAX + 1] = {
+
+ const struct nla_policy tipc_nl_bearer_policy[TIPC_NLA_BEARER_MAX + 1] = {
+ [TIPC_NLA_BEARER_UNSPEC] = { .type = NLA_UNSPEC },
+- [TIPC_NLA_BEARER_NAME] = { .type = NLA_STRING,
++ [TIPC_NLA_BEARER_NAME] = { .type = NLA_NUL_STRING,
+ .len = TIPC_MAX_BEARER_NAME },
+ [TIPC_NLA_BEARER_PROP] = { .type = NLA_NESTED },
+ [TIPC_NLA_BEARER_DOMAIN] = { .type = NLA_U32 }
+--
+2.42.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
