Fixes for 6.11
authorSasha Levin <sashal@kernel.org>
Sun, 13 Oct 2024 02:48:11 +0000 (22:48 -0400)
committerSasha Levin <sashal@kernel.org>
Sun, 13 Oct 2024 02:48:11 +0000 (22:48 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
72 files changed:
queue-6.11/bluetooth-btusb-don-t-fail-external-suspend-requests.patch [new file with mode: 0644]
queue-6.11/bluetooth-rfcomm-fix-possible-deadlock-in-rfcomm_sk_.patch [new file with mode: 0644]
queue-6.11/bridge-handle-error-of-rtnl_register_module.patch [new file with mode: 0644]
queue-6.11/btrfs-zoned-fix-missing-rcu-locking-in-error-message.patch [new file with mode: 0644]
queue-6.11/drm-fbdev-dma-only-cleanup-deferred-i-o-if-necessary.patch [new file with mode: 0644]
queue-6.11/drm-nouveau-pass-cli-to-nouveau_channel_new-instead-.patch [new file with mode: 0644]
queue-6.11/drm-xe-make-wedged_mode-debugfs-writable.patch [new file with mode: 0644]
queue-6.11/drm-xe-restore-gt-freq-on-gsc-load-error.patch [new file with mode: 0644]
queue-6.11/e1000e-change-i219-19-devices-to-adp.patch [new file with mode: 0644]
queue-6.11/gpio-aspeed-add-the-flush-write-to-ensure-the-write-.patch [new file with mode: 0644]
queue-6.11/gpio-aspeed-use-devm_clk-api-to-manage-clock-source.patch [new file with mode: 0644]
queue-6.11/i40e-fix-macvlan-leak-by-synchronizing-access-to-mac.patch [new file with mode: 0644]
queue-6.11/ice-clear-port-vlan-config-during-reset.patch [new file with mode: 0644]
queue-6.11/ice-disallow-dpll_pin_state_selectable-for-dpll-outp.patch [new file with mode: 0644]
queue-6.11/ice-fix-entering-safe-mode.patch [new file with mode: 0644]
queue-6.11/ice-fix-increasing-msi-x-on-vf.patch [new file with mode: 0644]
queue-6.11/ice-fix-memleak-in-ice_init_tx_topology.patch [new file with mode: 0644]
queue-6.11/ice-fix-netif_is_ice-in-safe-mode.patch [new file with mode: 0644]
queue-6.11/ice-fix-vlan-replay-after-reset.patch [new file with mode: 0644]
queue-6.11/ice-flush-fdb-entries-before-reset.patch [new file with mode: 0644]
queue-6.11/ice-set-correct-dst-vsi-in-only-lan-filters.patch [new file with mode: 0644]
queue-6.11/igb-do-not-bring-the-device-up-after-non-fatal-error.patch [new file with mode: 0644]
queue-6.11/mctp-handle-error-of-rtnl_register_module.patch [new file with mode: 0644]
queue-6.11/mpls-handle-error-of-rtnl_register_module.patch [new file with mode: 0644]
queue-6.11/net-do-not-delay-dst_entries_add-in-dst_release.patch [new file with mode: 0644]
queue-6.11/net-dsa-b53-allow-lower-mtus-on-bcm5325-5365.patch [new file with mode: 0644]
queue-6.11/net-dsa-b53-fix-jumbo-frame-mtu-check.patch [new file with mode: 0644]
queue-6.11/net-dsa-b53-fix-jumbo-frames-on-10-100-ports.patch [new file with mode: 0644]
queue-6.11/net-dsa-b53-fix-max-mtu-for-1g-switches.patch [new file with mode: 0644]
queue-6.11/net-dsa-b53-fix-max-mtu-for-bcm5325-bcm5365.patch [new file with mode: 0644]
queue-6.11/net-dsa-refuse-cross-chip-mirroring-operations.patch [new file with mode: 0644]
queue-6.11/net-dsa-sja1105-fix-reception-from-vlan-unaware-brid.patch [new file with mode: 0644]
queue-6.11/net-ethernet-adi-adin1110-fix-some-error-handling-pa.patch [new file with mode: 0644]
queue-6.11/net-ibm-emac-mal-add-dcr_unmap-to-_remove.patch [new file with mode: 0644]
queue-6.11/net-ibm-emac-mal-fix-wrong-goto.patch [new file with mode: 0644]
queue-6.11/net-netconsole-fix-wrong-warning.patch [new file with mode: 0644]
queue-6.11/net-phy-aquantia-aqr115c-fix-up-pma-capabilities.patch [new file with mode: 0644]
queue-6.11/net-phy-aquantia-remove-usage-of-phy_set_max_speed.patch [new file with mode: 0644]
queue-6.11/net-phy-bcm84881-fix-some-error-handling-paths.patch [new file with mode: 0644]
queue-6.11/net-phy-dp83869-fix-memory-corruption-when-enabling-.patch [new file with mode: 0644]
queue-6.11/net-pse-pd-fix-enabled-status-mismatch.patch [new file with mode: 0644]
queue-6.11/net-sched-accept-tca_stab-only-for-root-qdisc.patch [new file with mode: 0644]
queue-6.11/net-smc-fix-lacks-of-icsk_syn_mss-with-ipproto_smc.patch [new file with mode: 0644]
queue-6.11/net-ti-icssg-prueth-fix-race-condition-for-vlan-tabl.patch [new file with mode: 0644]
queue-6.11/netfilter-br_netfilter-fix-panic-with-metadata_dst-s.patch [new file with mode: 0644]
queue-6.11/netfilter-fib-check-correct-rtable-in-vrf-setups.patch [new file with mode: 0644]
queue-6.11/netfilter-xtables-avoid-nfproto_unspec-where-needed.patch [new file with mode: 0644]
queue-6.11/nfsd-fix-possible-badness-in-free_stateid.patch [new file with mode: 0644]
queue-6.11/nfsd-mark-filecache-down-if-init-fails.patch [new file with mode: 0644]
queue-6.11/nfsd-nfsd_destroy_serv-must-call-svc_destroy-even-if.patch [new file with mode: 0644]
queue-6.11/nfsv4-prevent-null-pointer-dereference-in-nfs42_comp.patch [new file with mode: 0644]
queue-6.11/nouveau-dmem-fix-privileged-error-in-copy-engine-cha.patch [new file with mode: 0644]
queue-6.11/phonet-handle-error-of-rtnl_register_module.patch [new file with mode: 0644]
queue-6.11/powercap-intel_rapl_tpmi-ignore-minor-version-change.patch [new file with mode: 0644]
queue-6.11/ppp-fix-ppp_async_encode-illegal-access.patch [new file with mode: 0644]
queue-6.11/rcu-nocb-fix-rcuog-wake-up-from-offline-softirq.patch [new file with mode: 0644]
queue-6.11/revert-net-stmmac-set-pp_flag_dma_sync_dev-only-if-x.patch [new file with mode: 0644]
queue-6.11/rtnetlink-add-bulk-registration-helpers-for-rtnetlin.patch [new file with mode: 0644]
queue-6.11/rxrpc-fix-uninitialised-variable-in-rxrpc_send_data.patch [new file with mode: 0644]
queue-6.11/sctp-ensure-sk_state-is-set-to-closed-if-hashing-fai.patch [new file with mode: 0644]
queue-6.11/selftests-net-no_forwarding-fix-vid-for-swp2-in-one_.patch [new file with mode: 0644]
queue-6.11/series
queue-6.11/sfc-don-t-invoke-xdp_do_flush-from-netpoll.patch [new file with mode: 0644]
queue-6.11/slip-make-slhc_remember-more-robust-against-maliciou.patch [new file with mode: 0644]
queue-6.11/sunrpc-fix-integer-overflow-in-decode_rc_list.patch [new file with mode: 0644]
queue-6.11/tcp-fix-tcp_enter_recovery-to-zero-retrans_stamp-whe.patch [new file with mode: 0644]
queue-6.11/tcp-fix-tfo-syn_recv-to-not-zero-retrans_stamp-with-.patch [new file with mode: 0644]
queue-6.11/tcp-fix-to-allow-timestamp-undo-if-no-retransmits-we.patch [new file with mode: 0644]
queue-6.11/thermal-intel-int340x-processor-fix-warning-during-m.patch [new file with mode: 0644]
queue-6.11/vxlan-handle-error-of-rtnl_register_module.patch [new file with mode: 0644]
queue-6.11/x86-amd_nb-add-new-pci-ids-for-amd-family-1ah-model-.patch [new file with mode: 0644]
queue-6.11/x86-xen-mark-boot-cpu-of-pv-guest-in-msr_ia32_apicba.patch [new file with mode: 0644]

diff --git a/queue-6.11/bluetooth-btusb-don-t-fail-external-suspend-requests.patch b/queue-6.11/bluetooth-btusb-don-t-fail-external-suspend-requests.patch
new file mode 100644 (file)
index 0000000..1ec88e7
--- /dev/null
@@ -0,0 +1,91 @@
+From 9dd4f4626495f9f03387ac0a6b0e82d49761134c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 11:21:37 -0400
+Subject: Bluetooth: btusb: Don't fail external suspend requests
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 610712298b11b2914be00b35abe9326b5dbb62c8 ]
+
+Commit 4e0a1d8b0675
+("Bluetooth: btusb: Don't suspend when there are connections")
+introduces a check for connections to prevent auto-suspend but that
+actually ignored the fact the .suspend callback can be called for
+external suspend requests which
+Documentation/driver-api/usb/power-management.rst states the following:
+
+ 'External suspend calls should never be allowed to fail in this way,
+ only autosuspend calls.  The driver can tell them apart by applying
+ the :c:func:`PMSG_IS_AUTO` macro to the message argument to the
+ ``suspend`` method; it will return True for internal PM events
+ (autosuspend) and False for external PM events.'
+
+In addition to that align system suspend with USB suspend by using
+hci_suspend_dev since otherwise the stack would be expecting events
+such as advertising reports which may not be delivered while the
+transport is suspended.
+
+Fixes: 4e0a1d8b0675 ("Bluetooth: btusb: Don't suspend when there are connections")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Tested-by: Kiran K <kiran.k@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 93dbeb8b348d5..a1e9b052bc847 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -4092,16 +4092,29 @@ static void btusb_disconnect(struct usb_interface *intf)
+ static int btusb_suspend(struct usb_interface *intf, pm_message_t message)
+ {
+       struct btusb_data *data = usb_get_intfdata(intf);
++      int err;
+       BT_DBG("intf %p", intf);
+-      /* Don't suspend if there are connections */
+-      if (hci_conn_count(data->hdev))
++      /* Don't auto-suspend if there are connections; external suspend calls
++       * shall never fail.
++       */
++      if (PMSG_IS_AUTO(message) && hci_conn_count(data->hdev))
+               return -EBUSY;
+       if (data->suspend_count++)
+               return 0;
++      /* Notify Host stack to suspend; this has to be done before stopping
++       * the traffic since the hci_suspend_dev itself may generate some
++       * traffic.
++       */
++      err = hci_suspend_dev(data->hdev);
++      if (err) {
++              data->suspend_count--;
++              return err;
++      }
++
+       spin_lock_irq(&data->txlock);
+       if (!(PMSG_IS_AUTO(message) && data->tx_in_flight)) {
+               set_bit(BTUSB_SUSPENDING, &data->flags);
+@@ -4109,6 +4122,7 @@ static int btusb_suspend(struct usb_interface *intf, pm_message_t message)
+       } else {
+               spin_unlock_irq(&data->txlock);
+               data->suspend_count--;
++              hci_resume_dev(data->hdev);
+               return -EBUSY;
+       }
+@@ -4229,6 +4243,8 @@ static int btusb_resume(struct usb_interface *intf)
+       spin_unlock_irq(&data->txlock);
+       schedule_work(&data->work);
++      hci_resume_dev(data->hdev);
++
+       return 0;
+ failed:
+-- 
+2.43.0
+
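Review bot: In `btusb_resume()` the added `hci_resume_dev(data->hdev);` sits only on the success path, just before `return 0;`, so the `failed:` exit that follows is reached without it. A resume that fails part-way would then appear to leave the host stack in the suspended state that `btusb_suspend()` now enters through `hci_suspend_dev()`. The code after `failed:` is outside the hunk, so this needs checking against the full function. If nothing there resumes the stack, either call `hci_resume_dev(data->hdev);` on the error exit too, or add a comment saying why the stack is meant to stay suspended after a failed resume.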
diff --git a/queue-6.11/bluetooth-rfcomm-fix-possible-deadlock-in-rfcomm_sk_.patch b/queue-6.11/bluetooth-rfcomm-fix-possible-deadlock-in-rfcomm_sk_.patch
new file mode 100644 (file)
index 0000000..c925ed8
--- /dev/null
@@ -0,0 +1,51 @@
+From 1b3de264d47720edf08a0591758c5c006f4922e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2024 13:26:21 -0400
+Subject: Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 08d1914293dae38350b8088980e59fbc699a72fe ]
+
+rfcomm_sk_state_change attempts to use sock_lock so it must never be
+called with it locked but rfcomm_sock_ioctl always attempt to lock it
+causing the following trace:
+
+======================================================
+WARNING: possible circular locking dependency detected
+6.8.0-syzkaller-08951-gfe46a7dd189e #0 Not tainted
+------------------------------------------------------
+syz-executor386/5093 is trying to acquire lock:
+ffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1671 [inline]
+ffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: rfcomm_sk_state_change+0x5b/0x310 net/bluetooth/rfcomm/sock.c:73
+
+but task is already holding lock:
+ffff88807badfd28 (&d->lock){+.+.}-{3:3}, at: __rfcomm_dlc_close+0x226/0x6a0 net/bluetooth/rfcomm/core.c:491
+
+Reported-by: syzbot+d7ce59b06b3eb14fd218@syzkaller.appspotmail.com
+Tested-by: syzbot+d7ce59b06b3eb14fd218@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=d7ce59b06b3eb14fd218
+Fixes: 3241ad820dbb ("[Bluetooth] Add timestamp support to L2CAP, RFCOMM and SCO")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/rfcomm/sock.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
+index 37d63d768afb8..f48250e3f2e10 100644
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -865,9 +865,7 @@ static int rfcomm_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned lon
+       if (err == -ENOIOCTLCMD) {
+ #ifdef CONFIG_BT_RFCOMM_TTY
+-              lock_sock(sk);
+               err = rfcomm_dev_ioctl(sk, cmd, (void __user *) arg);
+-              release_sock(sk);
+ #else
+               err = -EOPNOTSUPP;
+ #endif
+-- 
+2.43.0
+
diff --git a/queue-6.11/bridge-handle-error-of-rtnl_register_module.patch b/queue-6.11/bridge-handle-error-of-rtnl_register_module.patch
new file mode 100644 (file)
index 0000000..1088923
--- /dev/null
@@ -0,0 +1,116 @@
+From 85d34a6d1e437a5c6bf63c09083fe496d118259f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 11:47:34 -0700
+Subject: bridge: Handle error of rtnl_register_module().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit cba5e43b0b757734b1e79f624d93a71435e31136 ]
+
+Since introduced, br_vlan_rtnl_init() has been ignoring the returned
+value of rtnl_register_module(), which could fail silently.
+
+Handling the error allows users to view a module as an all-or-nothing
+thing in terms of the rtnetlink functionality.  This prevents syzkaller
+from reporting spurious errors from its tests, where OOM often occurs
+and module is automatically loaded.
+
+Let's handle the errors by rtnl_register_many().
+
+Fixes: 8dcea187088b ("net: bridge: vlan: add rtm definitions and dump support")
+Fixes: f26b296585dc ("net: bridge: vlan: add new rtm message support")
+Fixes: adb3ce9bcb0f ("net: bridge: vlan: add del rtm message support")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_netlink.c |  6 +++++-
+ net/bridge/br_private.h |  5 +++--
+ net/bridge/br_vlan.c    | 19 +++++++++----------
+ 3 files changed, 17 insertions(+), 13 deletions(-)
+
+diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
+index f17dbac7d8284..6b97ae47f8552 100644
+--- a/net/bridge/br_netlink.c
++++ b/net/bridge/br_netlink.c
+@@ -1920,7 +1920,10 @@ int __init br_netlink_init(void)
+ {
+       int err;
+-      br_vlan_rtnl_init();
++      err = br_vlan_rtnl_init();
++      if (err)
++              goto out;
++
+       rtnl_af_register(&br_af_ops);
+       err = rtnl_link_register(&br_link_ops);
+@@ -1931,6 +1934,7 @@ int __init br_netlink_init(void)
+ out_af:
+       rtnl_af_unregister(&br_af_ops);
++out:
+       return err;
+ }
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index d4bedc87b1d8f..041f6e571a209 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -1571,7 +1571,7 @@ void br_vlan_get_stats(const struct net_bridge_vlan *v,
+ void br_vlan_port_event(struct net_bridge_port *p, unsigned long event);
+ int br_vlan_bridge_event(struct net_device *dev, unsigned long event,
+                        void *ptr);
+-void br_vlan_rtnl_init(void);
++int br_vlan_rtnl_init(void);
+ void br_vlan_rtnl_uninit(void);
+ void br_vlan_notify(const struct net_bridge *br,
+                   const struct net_bridge_port *p,
+@@ -1802,8 +1802,9 @@ static inline int br_vlan_bridge_event(struct net_device *dev,
+       return 0;
+ }
+-static inline void br_vlan_rtnl_init(void)
++static inline int br_vlan_rtnl_init(void)
+ {
++      return 0;
+ }
+ static inline void br_vlan_rtnl_uninit(void)
+diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
+index 9c2fffb827ab1..89f51ea4cabec 100644
+--- a/net/bridge/br_vlan.c
++++ b/net/bridge/br_vlan.c
+@@ -2296,19 +2296,18 @@ static int br_vlan_rtm_process(struct sk_buff *skb, struct nlmsghdr *nlh,
+       return err;
+ }
+-void br_vlan_rtnl_init(void)
++static const struct rtnl_msg_handler br_vlan_rtnl_msg_handlers[] = {
++      {THIS_MODULE, PF_BRIDGE, RTM_NEWVLAN, br_vlan_rtm_process, NULL, 0},
++      {THIS_MODULE, PF_BRIDGE, RTM_DELVLAN, br_vlan_rtm_process, NULL, 0},
++      {THIS_MODULE, PF_BRIDGE, RTM_GETVLAN, NULL, br_vlan_rtm_dump, 0},
++};
++
++int br_vlan_rtnl_init(void)
+ {
+-      rtnl_register_module(THIS_MODULE, PF_BRIDGE, RTM_GETVLAN, NULL,
+-                           br_vlan_rtm_dump, 0);
+-      rtnl_register_module(THIS_MODULE, PF_BRIDGE, RTM_NEWVLAN,
+-                           br_vlan_rtm_process, NULL, 0);
+-      rtnl_register_module(THIS_MODULE, PF_BRIDGE, RTM_DELVLAN,
+-                           br_vlan_rtm_process, NULL, 0);
++      return rtnl_register_many(br_vlan_rtnl_msg_handlers);
+ }
+ void br_vlan_rtnl_uninit(void)
+ {
+-      rtnl_unregister(PF_BRIDGE, RTM_GETVLAN);
+-      rtnl_unregister(PF_BRIDGE, RTM_NEWVLAN);
+-      rtnl_unregister(PF_BRIDGE, RTM_DELVLAN);
++      rtnl_unregister_many(br_vlan_rtnl_msg_handlers);
+ }
+-- 
+2.43.0
+
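Review bot: In `br_netlink_init()` a failed `rtnl_link_register()` still jumps to `out_af:`, which only calls `rtnl_af_unregister(&br_af_ops)` before falling through to the new `out:` label, so the VLAN handlers just registered by `br_vlan_rtnl_init()` stay in place when init fails later. That undercuts the all-or-nothing behaviour the commit message aims for; adding `br_vlan_rtnl_uninit();` after `rtnl_af_unregister(&br_af_ops);` and above `out:` would undo the registration. The lines between the two `br_netlink.c` hunks are not shown, so this assumes no other cleanup exists there. As a smaller style point, the entries of `br_vlan_rtnl_msg_handlers[]` use positional initialisers, which would silently change meaning if `struct rtnl_msg_handler` were reordered; designated initialisers would avoid that.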
diff --git a/queue-6.11/btrfs-zoned-fix-missing-rcu-locking-in-error-message.patch b/queue-6.11/btrfs-zoned-fix-missing-rcu-locking-in-error-message.patch
new file mode 100644 (file)
index 0000000..f9ab6c2
--- /dev/null
@@ -0,0 +1,50 @@
+From e4b7c01228e53d6336e8b9baddabf93dec2f6dad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2024 15:02:56 +0100
+Subject: btrfs: zoned: fix missing RCU locking in error message when loading
+ zone info
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit fe4cd7ed128fe82ab9fe4f9fc8a73d4467699787 ]
+
+At btrfs_load_zone_info() we have an error path that is dereferencing
+the name of a device which is a RCU string but we are not holding a RCU
+read lock, which is incorrect.
+
+Fix this by using btrfs_err_in_rcu() instead of btrfs_err().
+
+The problem is there since commit 08e11a3db098 ("btrfs: zoned: load zone's
+allocation offset"), back then at btrfs_load_block_group_zone_info() but
+then later on that code was factored out into the helper
+btrfs_load_zone_info() by commit 09a46725cc84 ("btrfs: zoned: factor out
+per-zone logic from btrfs_load_block_group_zone_info").
+
+Fixes: 08e11a3db098 ("btrfs: zoned: load zone's allocation offset")
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: Naohiro Aota <naohiro.aota@wdc.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/zoned.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/zoned.c b/fs/btrfs/zoned.c
+index 047e3337852e1..ff02fd44fb7cd 100644
+--- a/fs/btrfs/zoned.c
++++ b/fs/btrfs/zoned.c
+@@ -1352,7 +1352,7 @@ static int btrfs_load_zone_info(struct btrfs_fs_info *fs_info, int zone_idx,
+       switch (zone.cond) {
+       case BLK_ZONE_COND_OFFLINE:
+       case BLK_ZONE_COND_READONLY:
+-              btrfs_err(fs_info,
++              btrfs_err_in_rcu(fs_info,
+               "zoned: offline/readonly zone %llu on device %s (devid %llu)",
+                         (info->physical >> device->zone_info->zone_size_shift),
+                         rcu_str_deref(device->name), device->devid);
+-- 
+2.43.0
+
diff --git a/queue-6.11/drm-fbdev-dma-only-cleanup-deferred-i-o-if-necessary.patch b/queue-6.11/drm-fbdev-dma-only-cleanup-deferred-i-o-if-necessary.patch
new file mode 100644 (file)
index 0000000..aacd4ab
--- /dev/null
@@ -0,0 +1,88 @@
+From 08f3cfe5ca8930e459cc69d14bad0de95f68559e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Oct 2024 19:49:45 +0200
+Subject: drm/fbdev-dma: Only cleanup deferred I/O if necessary
+
+From: Janne Grunau <j@jannau.net>
+
+[ Upstream commit fcddc71ec7ecf15b4df3c41288c9cf0b8e886111 ]
+
+Commit 5a498d4d06d6 ("drm/fbdev-dma: Only install deferred I/O if
+necessary") initializes deferred I/O only if it is used.
+drm_fbdev_dma_fb_destroy() however calls fb_deferred_io_cleanup()
+unconditionally with struct fb_info.fbdefio == NULL. KASAN with the
+out-of-tree Apple silicon display driver posts following warning from
+__flush_work() of a random struct work_struct instead of the expected
+NULL pointer derefs.
+
+[   22.053799] ------------[ cut here ]------------
+[   22.054832] WARNING: CPU: 2 PID: 1 at kernel/workqueue.c:4177 __flush_work+0x4d8/0x580
+[   22.056597] Modules linked in: uhid bnep uinput nls_ascii ip6_tables ip_tables i2c_dev loop fuse dm_multipath nfnetlink zram hid_magicmouse btrfs xor xor_neon brcmfmac_wcc raid6_pq hci_bcm4377 bluetooth brcmfmac hid_apple brcmutil nvmem_spmi_mfd simple_mfd_spmi dockchannel_hid cfg80211 joydev regmap_spmi nvme_apple ecdh_generic ecc macsmc_hid rfkill dwc3 appledrm snd_soc_macaudio macsmc_power nvme_core apple_isp phy_apple_atc apple_sart apple_rtkit_helper apple_dockchannel tps6598x macsmc_hwmon snd_soc_cs42l84 videobuf2_v4l2 spmi_apple_controller nvmem_apple_efuses videobuf2_dma_sg apple_z2 videobuf2_memops spi_nor panel_summit videobuf2_common asahi videodev pwm_apple apple_dcp snd_soc_apple_mca apple_admac spi_apple clk_apple_nco i2c_pasemi_platform snd_pcm_dmaengine mc i2c_pasemi_core mux_core ofpart adpdrm drm_dma_helper apple_dart apple_soc_cpufreq leds_pwm phram
+[   22.073768] CPU: 2 UID: 0 PID: 1 Comm: systemd-shutdow Not tainted 6.11.2-asahi+ #asahi-dev
+[   22.075612] Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT)
+[   22.077032] pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
+[   22.078567] pc : __flush_work+0x4d8/0x580
+[   22.079471] lr : __flush_work+0x54/0x580
+[   22.080345] sp : ffffc000836ef820
+[   22.081089] x29: ffffc000836ef880 x28: 0000000000000000 x27: ffff80002ddb7128
+[   22.082678] x26: dfffc00000000000 x25: 1ffff000096f0c57 x24: ffffc00082d3e358
+[   22.084263] x23: ffff80004b7862b8 x22: dfffc00000000000 x21: ffff80005aa1d470
+[   22.085855] x20: ffff80004b786000 x19: ffff80004b7862a0 x18: 0000000000000000
+[   22.087439] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000005
+[   22.089030] x14: 1ffff800106ddf0a x13: 0000000000000000 x12: 0000000000000000
+[   22.090618] x11: ffffb800106ddf0f x10: dfffc00000000000 x9 : 1ffff800106ddf0e
+[   22.092206] x8 : 0000000000000000 x7 : aaaaaaaaaaaaaaaa x6 : 0000000000000001
+[   22.093790] x5 : ffffc000836ef728 x4 : 0000000000000000 x3 : 0000000000000020
+[   22.095368] x2 : 0000000000000008 x1 : 00000000000000aa x0 : 0000000000000000
+[   22.096955] Call trace:
+[   22.097505]  __flush_work+0x4d8/0x580
+[   22.098330]  flush_delayed_work+0x80/0xb8
+[   22.099231]  fb_deferred_io_cleanup+0x3c/0x130
+[   22.100217]  drm_fbdev_dma_fb_destroy+0x6c/0xe0 [drm_dma_helper]
+[   22.101559]  unregister_framebuffer+0x210/0x2f0
+[   22.102575]  drm_fb_helper_unregister_info+0x48/0x60
+[   22.103683]  drm_fbdev_dma_client_unregister+0x4c/0x80 [drm_dma_helper]
+[   22.105147]  drm_client_dev_unregister+0x1cc/0x230
+[   22.106217]  drm_dev_unregister+0x58/0x570
+[   22.107125]  apple_drm_unbind+0x50/0x98 [appledrm]
+[   22.108199]  component_del+0x1f8/0x3a8
+[   22.109042]  dcp_platform_shutdown+0x24/0x38 [apple_dcp]
+[   22.110357]  platform_shutdown+0x70/0x90
+[   22.111219]  device_shutdown+0x368/0x4d8
+[   22.112095]  kernel_restart+0x6c/0x1d0
+[   22.112946]  __arm64_sys_reboot+0x1c8/0x328
+[   22.113868]  invoke_syscall+0x78/0x1a8
+[   22.114703]  do_el0_svc+0x124/0x1a0
+[   22.115498]  el0_svc+0x3c/0xe0
+[   22.116181]  el0t_64_sync_handler+0x70/0xc0
+[   22.117110]  el0t_64_sync+0x190/0x198
+[   22.117931] ---[ end trace 0000000000000000 ]---
+
+Signed-off-by: Janne Grunau <j@jannau.net>
+Fixes: 5a498d4d06d6 ("drm/fbdev-dma: Only install deferred I/O if necessary")
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/ZwLNuZL-8Gh5UUQb@robin
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_fbdev_dma.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_fbdev_dma.c b/drivers/gpu/drm/drm_fbdev_dma.c
+index b0602c4f36283..51c2d742d1998 100644
+--- a/drivers/gpu/drm/drm_fbdev_dma.c
++++ b/drivers/gpu/drm/drm_fbdev_dma.c
+@@ -50,7 +50,8 @@ static void drm_fbdev_dma_fb_destroy(struct fb_info *info)
+       if (!fb_helper->dev)
+               return;
+-      fb_deferred_io_cleanup(info);
++      if (info->fbdefio)
++              fb_deferred_io_cleanup(info);
+       drm_fb_helper_fini(fb_helper);
+       drm_client_buffer_vunmap(fb_helper->buffer);
+-- 
+2.43.0
+
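Review bot: The new `if (info->fbdefio)` guard in `drm_fbdev_dma_fb_destroy()` carries no comment, so nothing at the call site explains why the pointer can be NULL during teardown. A short why-comment above it, for example `/* deferred I/O is only set up when needed; skip cleanup if it was never installed */`, would tie the check to the conditional setup described in the commit message and make it less likely that a later cleanup removes the guard. The function body starts and ends outside the hunk.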
diff --git a/queue-6.11/drm-nouveau-pass-cli-to-nouveau_channel_new-instead-.patch b/queue-6.11/drm-nouveau-pass-cli-to-nouveau_channel_new-instead-.patch
new file mode 100644 (file)
index 0000000..799f993
--- /dev/null
@@ -0,0 +1,198 @@
+From f4c14b24d6b43e09b0ec837a4af92b8fbfbdc6a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Jul 2024 14:38:22 +1000
+Subject: drm/nouveau: pass cli to nouveau_channel_new() instead of drm+device
+
+From: Ben Skeggs <bskeggs@nvidia.com>
+
+[ Upstream commit 5cca41ac70e5877383ed925bd017884c37edf09b ]
+
+Both of these are stored in nouveau_cli already, and also allows the
+removal of some void casts.
+
+Signed-off-by: Ben Skeggs <bskeggs@nvidia.com>
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240726043828.58966-32-bskeggs@nvidia.com
+Stable-dep-of: 04e0481526e3 ("nouveau/dmem: Fix privileged error in copy engine channel")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/dispnv04/crtc.c |  2 +-
+ drivers/gpu/drm/nouveau/nouveau_abi16.c |  2 +-
+ drivers/gpu/drm/nouveau/nouveau_bo.c    |  2 +-
+ drivers/gpu/drm/nouveau/nouveau_chan.c  | 21 +++++++++++----------
+ drivers/gpu/drm/nouveau/nouveau_chan.h  |  3 ++-
+ drivers/gpu/drm/nouveau/nouveau_drm.c   |  4 ++--
+ 6 files changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/gpu/drm/nouveau/dispnv04/crtc.c b/drivers/gpu/drm/nouveau/dispnv04/crtc.c
+index 4310ad71870b1..8fed62e002fea 100644
+--- a/drivers/gpu/drm/nouveau/dispnv04/crtc.c
++++ b/drivers/gpu/drm/nouveau/dispnv04/crtc.c
+@@ -1157,7 +1157,7 @@ nv04_crtc_page_flip(struct drm_crtc *crtc, struct drm_framebuffer *fb,
+       chan = drm->channel;
+       if (!chan)
+               return -ENODEV;
+-      cli = (void *)chan->user.client;
++      cli = chan->cli;
+       push = chan->chan.push;
+       s = kzalloc(sizeof(*s), GFP_KERNEL);
+diff --git a/drivers/gpu/drm/nouveau/nouveau_abi16.c b/drivers/gpu/drm/nouveau/nouveau_abi16.c
+index d56909071de66..0dd38e73676da 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_abi16.c
++++ b/drivers/gpu/drm/nouveau/nouveau_abi16.c
+@@ -356,7 +356,7 @@ nouveau_abi16_ioctl_channel_alloc(ABI16_IOCTL_ARGS)
+       list_add(&chan->head, &abi16->channels);
+       /* create channel object and initialise dma and fence management */
+-      ret = nouveau_channel_new(drm, device, false, runm, init->fb_ctxdma_handle,
++      ret = nouveau_channel_new(cli, false, runm, init->fb_ctxdma_handle,
+                                 init->tt_ctxdma_handle, &chan->chan);
+       if (ret)
+               goto done;
+diff --git a/drivers/gpu/drm/nouveau/nouveau_bo.c b/drivers/gpu/drm/nouveau/nouveau_bo.c
+index 70fb003a66669..933356e938903 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_bo.c
++++ b/drivers/gpu/drm/nouveau/nouveau_bo.c
+@@ -859,7 +859,7 @@ nouveau_bo_move_m2mf(struct ttm_buffer_object *bo, int evict,
+ {
+       struct nouveau_drm *drm = nouveau_bdev(bo->bdev);
+       struct nouveau_channel *chan = drm->ttm.chan;
+-      struct nouveau_cli *cli = (void *)chan->user.client;
++      struct nouveau_cli *cli = chan->cli;
+       struct nouveau_fence *fence;
+       int ret;
+diff --git a/drivers/gpu/drm/nouveau/nouveau_chan.c b/drivers/gpu/drm/nouveau/nouveau_chan.c
+index 7c97b28868076..cee36b1efd391 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_chan.c
++++ b/drivers/gpu/drm/nouveau/nouveau_chan.c
+@@ -52,7 +52,7 @@ static int
+ nouveau_channel_killed(struct nvif_event *event, void *repv, u32 repc)
+ {
+       struct nouveau_channel *chan = container_of(event, typeof(*chan), kill);
+-      struct nouveau_cli *cli = (void *)chan->user.client;
++      struct nouveau_cli *cli = chan->cli;
+       NV_PRINTK(warn, cli, "channel %d killed!\n", chan->chid);
+@@ -66,7 +66,7 @@ int
+ nouveau_channel_idle(struct nouveau_channel *chan)
+ {
+       if (likely(chan && chan->fence && !atomic_read(&chan->killed))) {
+-              struct nouveau_cli *cli = (void *)chan->user.client;
++              struct nouveau_cli *cli = chan->cli;
+               struct nouveau_fence *fence = NULL;
+               int ret;
+@@ -142,10 +142,11 @@ nouveau_channel_wait(struct nvif_push *push, u32 size)
+ }
+ static int
+-nouveau_channel_prep(struct nouveau_drm *drm, struct nvif_device *device,
++nouveau_channel_prep(struct nouveau_cli *cli,
+                    u32 size, struct nouveau_channel **pchan)
+ {
+-      struct nouveau_cli *cli = (void *)device->object.client;
++      struct nouveau_drm *drm = cli->drm;
++      struct nvif_device *device = &cli->device;
+       struct nv_dma_v0 args = {};
+       struct nouveau_channel *chan;
+       u32 target;
+@@ -155,6 +156,7 @@ nouveau_channel_prep(struct nouveau_drm *drm, struct nvif_device *device,
+       if (!chan)
+               return -ENOMEM;
++      chan->cli = cli;
+       chan->device = device;
+       chan->drm = drm;
+       chan->vmm = nouveau_cli_vmm(cli);
+@@ -254,7 +256,7 @@ nouveau_channel_prep(struct nouveau_drm *drm, struct nvif_device *device,
+ }
+ static int
+-nouveau_channel_ctor(struct nouveau_drm *drm, struct nvif_device *device, bool priv, u64 runm,
++nouveau_channel_ctor(struct nouveau_cli *cli, bool priv, u64 runm,
+                    struct nouveau_channel **pchan)
+ {
+       const struct nvif_mclass hosts[] = {
+@@ -279,7 +281,7 @@ nouveau_channel_ctor(struct nouveau_drm *drm, struct nvif_device *device, bool p
+               struct nvif_chan_v0 chan;
+               char name[TASK_COMM_LEN+16];
+       } args;
+-      struct nouveau_cli *cli = (void *)device->object.client;
++      struct nvif_device *device = &cli->device;
+       struct nouveau_channel *chan;
+       const u64 plength = 0x10000;
+       const u64 ioffset = plength;
+@@ -298,7 +300,7 @@ nouveau_channel_ctor(struct nouveau_drm *drm, struct nvif_device *device, bool p
+               size = ioffset + ilength;
+       /* allocate dma push buffer */
+-      ret = nouveau_channel_prep(drm, device, size, &chan);
++      ret = nouveau_channel_prep(cli, size, &chan);
+       *pchan = chan;
+       if (ret)
+               return ret;
+@@ -493,13 +495,12 @@ nouveau_channel_init(struct nouveau_channel *chan, u32 vram, u32 gart)
+ }
+ int
+-nouveau_channel_new(struct nouveau_drm *drm, struct nvif_device *device,
++nouveau_channel_new(struct nouveau_cli *cli,
+                   bool priv, u64 runm, u32 vram, u32 gart, struct nouveau_channel **pchan)
+ {
+-      struct nouveau_cli *cli = (void *)device->object.client;
+       int ret;
+-      ret = nouveau_channel_ctor(drm, device, priv, runm, pchan);
++      ret = nouveau_channel_ctor(cli, priv, runm, pchan);
+       if (ret) {
+               NV_PRINTK(dbg, cli, "channel create, %d\n", ret);
+               return ret;
+diff --git a/drivers/gpu/drm/nouveau/nouveau_chan.h b/drivers/gpu/drm/nouveau/nouveau_chan.h
+index 5de2ef4e98c2b..260febd634ee2 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_chan.h
++++ b/drivers/gpu/drm/nouveau/nouveau_chan.h
+@@ -12,6 +12,7 @@ struct nouveau_channel {
+               struct nvif_push *push;
+       } chan;
++      struct nouveau_cli *cli;
+       struct nvif_device *device;
+       struct nouveau_drm *drm;
+       struct nouveau_vmm *vmm;
+@@ -62,7 +63,7 @@ struct nouveau_channel {
+ int nouveau_channels_init(struct nouveau_drm *);
+ void nouveau_channels_fini(struct nouveau_drm *);
+-int  nouveau_channel_new(struct nouveau_drm *, struct nvif_device *, bool priv, u64 runm,
++int  nouveau_channel_new(struct nouveau_cli *, bool priv, u64 runm,
+                        u32 vram, u32 gart, struct nouveau_channel **);
+ void nouveau_channel_del(struct nouveau_channel **);
+ int  nouveau_channel_idle(struct nouveau_channel *);
+diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c
+index a58c31089613e..88413b5c8684a 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_drm.c
++++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
+@@ -356,7 +356,7 @@ nouveau_accel_ce_init(struct nouveau_drm *drm)
+               return;
+       }
+-      ret = nouveau_channel_new(drm, device, false, runm, NvDmaFB, NvDmaTT, &drm->cechan);
++      ret = nouveau_channel_new(&drm->client, false, runm, NvDmaFB, NvDmaTT, &drm->cechan);
+       if (ret)
+               NV_ERROR(drm, "failed to create ce channel, %d\n", ret);
+ }
+@@ -384,7 +384,7 @@ nouveau_accel_gr_init(struct nouveau_drm *drm)
+               return;
+       }
+-      ret = nouveau_channel_new(drm, device, false, runm, NvDmaFB, NvDmaTT, &drm->channel);
++      ret = nouveau_channel_new(&drm->client, false, runm, NvDmaFB, NvDmaTT, &drm->channel);
+       if (ret) {
+               NV_ERROR(drm, "failed to create kernel channel, %d\n", ret);
+               nouveau_accel_gr_fini(drm);
+-- 
+2.43.0
+
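Review bot: The new `struct nouveau_cli *cli;` member of `struct nouveau_channel` in nouveau_chan.h is a raw back-pointer, set once in `nouveau_channel_prep()` (`chan->cli = cli;`) and later dereferenced from paths such as `nouveau_channel_killed()` and `nouveau_channel_idle()`. Nothing in the visible hunks takes a reference or documents who guarantees that the client outlives the channel. A field comment such as `/* owning client; not refcounted, must outlive the channel */` would record that contract, assuming that is the intended rule, which the hunks do not show. The updated prototype of `nouveau_channel_new()` also leaves its new first parameter unnamed (`struct nouveau_cli *`) while `priv` and `runm` are named; calling it `cli` would match the definition.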
diff --git a/queue-6.11/drm-xe-make-wedged_mode-debugfs-writable.patch b/queue-6.11/drm-xe-make-wedged_mode-debugfs-writable.patch
new file mode 100644 (file)
index 0000000..e20ec48
--- /dev/null
@@ -0,0 +1,44 @@
+From 1412933ab50d3a65df7aa668086d680f7dcc021c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2024 16:06:21 -0700
+Subject: drm/xe: Make wedged_mode debugfs writable
+
+From: Matt Roper <matthew.d.roper@intel.com>
+
+[ Upstream commit 1badf482816417dca71f8120b4c540cdc82aa03c ]
+
+The intent of this debugfs entry is to allow modification of wedging
+behavior, either from IGT tests or during manual debug; it should be
+marked as writable to properly reflect this.  In practice this hasn't
+caused a problem because we always access wedged_mode as root, which
+ignores file permissions, but it's still misleading to have the entry
+incorrectly marked as RO.
+
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Fixes: 6b8ef44cc0a9 ("drm/xe: Introduce the wedged_mode debugfs")
+Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
+Reviewed-by: Gustavo Sousa <gustavo.sousa@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241002230620.1249258-2-matthew.d.roper@intel.com
+(cherry picked from commit 93d93813422758f6c99289de446b19184019ef5a)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_debugfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_debugfs.c b/drivers/gpu/drm/xe/xe_debugfs.c
+index 1011e5d281fa9..c87e6bca64d86 100644
+--- a/drivers/gpu/drm/xe/xe_debugfs.c
++++ b/drivers/gpu/drm/xe/xe_debugfs.c
+@@ -190,7 +190,7 @@ void xe_debugfs_register(struct xe_device *xe)
+       debugfs_create_file("forcewake_all", 0400, root, xe,
+                           &forcewake_all_fops);
+-      debugfs_create_file("wedged_mode", 0400, root, xe,
++      debugfs_create_file("wedged_mode", 0600, root, xe,
+                           &wedged_mode_fops);
+       for (mem_type = XE_PL_VRAM0; mem_type <= XE_PL_VRAM1; ++mem_type) {
+-- 
+2.43.0
+
diff --git a/queue-6.11/drm-xe-restore-gt-freq-on-gsc-load-error.patch b/queue-6.11/drm-xe-restore-gt-freq-on-gsc-load-error.patch
new file mode 100644 (file)
index 0000000..fce0667
--- /dev/null
@@ -0,0 +1,43 @@
+From f8628c41906de5248f15c372db600dde0063c4e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Sep 2024 13:49:18 -0700
+Subject: drm/xe: Restore GT freq on GSC load error
+
+From: Vinay Belgaumkar <vinay.belgaumkar@intel.com>
+
+[ Upstream commit 3fd76be868ae5c7e9f905f3bcc2ce0e3d8f5aa08 ]
+
+As part of a Wa_22019338487, ensure that GT freq is restored
+even when GSC reload is not successful.
+
+Fixes: 3b1592fb7835 ("drm/xe/lnl: Apply Wa_22019338487")
+
+Signed-off-by: Vinay Belgaumkar <vinay.belgaumkar@intel.com>
+Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240925204918.1989574-1-vinay.belgaumkar@intel.com
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+(cherry picked from commit 491418a258322bbd7f045e36884d2849b673f23d)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_gt.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_gt.c b/drivers/gpu/drm/xe/xe_gt.c
+index cb9df15e71376..0062a5e4d5fac 100644
+--- a/drivers/gpu/drm/xe/xe_gt.c
++++ b/drivers/gpu/drm/xe/xe_gt.c
+@@ -874,7 +874,9 @@ int xe_gt_sanitize_freq(struct xe_gt *gt)
+       int ret = 0;
+       if ((!xe_uc_fw_is_available(&gt->uc.gsc.fw) ||
+-           xe_uc_fw_is_loaded(&gt->uc.gsc.fw)) && XE_WA(gt, 22019338487))
++           xe_uc_fw_is_loaded(&gt->uc.gsc.fw) ||
++           xe_uc_fw_is_in_error_state(&gt->uc.gsc.fw)) &&
++          XE_WA(gt, 22019338487))
+               ret = xe_guc_pc_restore_stashed_freq(&gt->uc.guc.pc);
+       return ret;
+-- 
+2.43.0
+
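Review bot: The widened condition in xe_gt_sanitize_freq() (drivers/gpu/drm/xe/xe_gt.c) carries no comment saying why a GSC firmware in error state must also trigger the restore, and with three firmware predicates plus the workaround check the intent is no longer readable from the code alone. A line above the `if` would record it, for example `/* Wa_22019338487: restore the stashed GT freq when GSC fw is unavailable, loaded, or failed to load */`. The function's opening lines are outside the hunk.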
diff --git a/queue-6.11/e1000e-change-i219-19-devices-to-adp.patch b/queue-6.11/e1000e-change-i219-19-devices-to-adp.patch
new file mode 100644 (file)
index 0000000..cb96450
--- /dev/null
@@ -0,0 +1,62 @@
+From 000a7891941b62e172800bc27784b21c6bcdeca9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Sep 2024 09:49:17 +0300
+Subject: e1000e: change I219 (19) devices to ADP
+
+From: Vitaly Lifshits <vitaly.lifshits@intel.com>
+
+[ Upstream commit 9d9e5347b035412daa844f884b94a05bac94f864 ]
+
+Sporadic issues, such as PHY access loss, have been observed on I219 (19)
+devices. It was found that these devices have hardware more closely
+related to ADP than MTP and the issues were caused by taking MTP-specific
+flows.
+
+Change the MAC and board types of these devices from MTP to ADP to
+correctly reflect the LAN hardware, and flows, of these devices.
+
+Fixes: db2d737d63c5 ("e1000e: Separate MTP board type from ADP")
+Signed-off-by: Vitaly Lifshits <vitaly.lifshits@intel.com>
+Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000e/hw.h     | 4 ++--
+ drivers/net/ethernet/intel/e1000e/netdev.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000e/hw.h b/drivers/net/ethernet/intel/e1000e/hw.h
+index 4b6e7536170ab..fc8ed38aa0955 100644
+--- a/drivers/net/ethernet/intel/e1000e/hw.h
++++ b/drivers/net/ethernet/intel/e1000e/hw.h
+@@ -108,8 +108,8 @@ struct e1000_hw;
+ #define E1000_DEV_ID_PCH_RPL_I219_V22         0x0DC8
+ #define E1000_DEV_ID_PCH_MTP_I219_LM18                0x550A
+ #define E1000_DEV_ID_PCH_MTP_I219_V18         0x550B
+-#define E1000_DEV_ID_PCH_MTP_I219_LM19                0x550C
+-#define E1000_DEV_ID_PCH_MTP_I219_V19         0x550D
++#define E1000_DEV_ID_PCH_ADP_I219_LM19                0x550C
++#define E1000_DEV_ID_PCH_ADP_I219_V19         0x550D
+ #define E1000_DEV_ID_PCH_LNP_I219_LM20                0x550E
+ #define E1000_DEV_ID_PCH_LNP_I219_V20         0x550F
+ #define E1000_DEV_ID_PCH_LNP_I219_LM21                0x5510
+diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
+index f103249b12fac..07e9033463582 100644
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -7899,10 +7899,10 @@ static const struct pci_device_id e1000_pci_tbl[] = {
+       { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_ADP_I219_V17), board_pch_adp },
+       { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_RPL_I219_LM22), board_pch_adp },
+       { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_RPL_I219_V22), board_pch_adp },
++      { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_ADP_I219_LM19), board_pch_adp },
++      { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_ADP_I219_V19), board_pch_adp },
+       { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_MTP_I219_LM18), board_pch_mtp },
+       { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_MTP_I219_V18), board_pch_mtp },
+-      { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_MTP_I219_LM19), board_pch_mtp },
+-      { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_MTP_I219_V19), board_pch_mtp },
+       { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_LNP_I219_LM20), board_pch_mtp },
+       { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_LNP_I219_V20), board_pch_mtp },
+       { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_LNP_I219_LM21), board_pch_mtp },
+-- 
+2.43.0
+
diff --git a/queue-6.11/gpio-aspeed-add-the-flush-write-to-ensure-the-write-.patch b/queue-6.11/gpio-aspeed-add-the-flush-write-to-ensure-the-write-.patch
new file mode 100644 (file)
index 0000000..76aca34
--- /dev/null
@@ -0,0 +1,44 @@
+From 932384b2211c96d6c998a08d61741c6296572c35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 16:14:44 +0800
+Subject: gpio: aspeed: Add the flush write to ensure the write complete.
+
+From: Billy Tsai <billy_tsai@aspeedtech.com>
+
+[ Upstream commit 1bb5a99e1f3fd27accb804aa0443a789161f843c ]
+
+Performing a dummy read ensures that the register write operation is fully
+completed, mitigating any potential bus delays that could otherwise impact
+the frequency of bitbang usage. E.g., if the JTAG application uses GPIO to
+control the JTAG pins (TCK, TMS, TDI, TDO, and TRST), and the application
+sets the TCK clock to 1 MHz, the GPIO's high/low transitions will rely on
+a delay function to ensure the clock frequency does not exceed 1 MHz.
+However, this can lead to rapid toggling of the GPIO because the write
+operation is POSTed and does not wait for a bus acknowledgment.
+
+Fixes: 361b79119a4b ("gpio: Add Aspeed driver")
+Reviewed-by: Andrew Jeffery <andrew@codeconstruct.com.au>
+Signed-off-by: Billy Tsai <billy_tsai@aspeedtech.com>
+Link: https://lore.kernel.org/r/20241008081450.1490955-2-billy_tsai@aspeedtech.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-aspeed.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpio/gpio-aspeed.c b/drivers/gpio/gpio-aspeed.c
+index 04c03402db6dd..98551b7f6de2e 100644
+--- a/drivers/gpio/gpio-aspeed.c
++++ b/drivers/gpio/gpio-aspeed.c
+@@ -406,6 +406,8 @@ static void __aspeed_gpio_set(struct gpio_chip *gc, unsigned int offset,
+       gpio->dcache[GPIO_BANK(offset)] = reg;
+       iowrite32(reg, addr);
++      /* Flush write */
++      ioread32(addr);
+ }
+ static void aspeed_gpio_set(struct gpio_chip *gc, unsigned int offset,
+-- 
+2.43.0
+
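Review bot: The added `/* Flush write */` comment in __aspeed_gpio_set() does not say why the read-back is needed, so the discarded `ioread32(addr)` can look like dead code to a later cleanup. The reason is in the commit message only; putting it at the call site keeps it with the code, for example `/* Read back so the posted write has reached the device before we return */`. The function starts outside the hunk.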
diff --git a/queue-6.11/gpio-aspeed-use-devm_clk-api-to-manage-clock-source.patch b/queue-6.11/gpio-aspeed-use-devm_clk-api-to-manage-clock-source.patch
new file mode 100644 (file)
index 0000000..31c8856
--- /dev/null
@@ -0,0 +1,37 @@
+From 7c87502cba29e25c9dc742ca616ea072a933b047 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 16:14:45 +0800
+Subject: gpio: aspeed: Use devm_clk api to manage clock source
+
+From: Billy Tsai <billy_tsai@aspeedtech.com>
+
+[ Upstream commit a6191a3d18119184237f4ee600039081ad992320 ]
+
+Replace of_clk_get with devm_clk_get_enabled to manage the clock source.
+
+Fixes: 5ae4cb94b313 ("gpio: aspeed: Add debounce support")
+Reviewed-by: Andrew Jeffery <andrew@codeconstruct.com.au>
+Signed-off-by: Billy Tsai <billy_tsai@aspeedtech.com>
+Link: https://lore.kernel.org/r/20241008081450.1490955-3-billy_tsai@aspeedtech.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-aspeed.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpio-aspeed.c b/drivers/gpio/gpio-aspeed.c
+index 98551b7f6de2e..ea40ad43a79ba 100644
+--- a/drivers/gpio/gpio-aspeed.c
++++ b/drivers/gpio/gpio-aspeed.c
+@@ -1193,7 +1193,7 @@ static int __init aspeed_gpio_probe(struct platform_device *pdev)
+       if (!gpio_id)
+               return -EINVAL;
+-      gpio->clk = of_clk_get(pdev->dev.of_node, 0);
++      gpio->clk = devm_clk_get_enabled(&pdev->dev, NULL);
+       if (IS_ERR(gpio->clk)) {
+               dev_warn(&pdev->dev,
+                               "Failed to get clock from devicetree, debouncing disabled\n");
+-- 
+2.43.0
+
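Review bot: The warning under the new `devm_clk_get_enabled()` call in aspeed_gpio_probe() still reads "Failed to get clock from devicetree", but the call now also prepares and enables the clock, so an enable failure is reported as a lookup failure and the error code is dropped. Logging the code makes the two cases distinguishable, for example `dev_warn(&pdev->dev, "Failed to get or enable clock (%ld), debouncing disabled\n", PTR_ERR(gpio->clk));`. The remainder of the error branch is outside the hunk, so whether a deferred-probe error is treated as permanent there cannot be checked from here.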
diff --git a/queue-6.11/i40e-fix-macvlan-leak-by-synchronizing-access-to-mac.patch b/queue-6.11/i40e-fix-macvlan-leak-by-synchronizing-access-to-mac.patch
new file mode 100644 (file)
index 0000000..0fde992
--- /dev/null
@@ -0,0 +1,73 @@
+From 22b18b7c83b4dff9a59dc8b182a7c4246ed9ad22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Sep 2024 11:12:19 +0200
+Subject: i40e: Fix macvlan leak by synchronizing access to mac_filter_hash
+
+From: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+
+[ Upstream commit dac6c7b3d33756d6ce09f00a96ea2ecd79fae9fb ]
+
+This patch addresses a macvlan leak issue in the i40e driver caused by
+concurrent access to vsi->mac_filter_hash. The leak occurs when multiple
+threads attempt to modify the mac_filter_hash simultaneously, leading to
+inconsistent state and potential memory leaks.
+
+To fix this, we now wrap the calls to i40e_del_mac_filter() and zeroing
+vf->default_lan_addr.addr with spin_lock/unlock_bh(&vsi->mac_filter_hash_lock),
+ensuring atomic operations and preventing concurrent access.
+
+Additionally, we add lockdep_assert_held(&vsi->mac_filter_hash_lock) in
+i40e_add_mac_filter() to help catch similar issues in the future.
+
+Reproduction steps:
+1. Spawn VFs and configure port vlan on them.
+2. Trigger concurrent macvlan operations (e.g., adding and deleting
+       portvlan and/or mac filters).
+3. Observe the potential memory leak and inconsistent state in the
+       mac_filter_hash.
+
+This synchronization ensures the integrity of the mac_filter_hash and prevents
+the described leak.
+
+Fixes: fed0d9f13266 ("i40e: Fix VF's MAC Address change on VM")
+Reviewed-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
+Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c        | 1 +
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 2 ++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index cbcfada7b357a..f7d4b5f79422b 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -1734,6 +1734,7 @@ struct i40e_mac_filter *i40e_add_mac_filter(struct i40e_vsi *vsi,
+       struct hlist_node *h;
+       int bkt;
++      lockdep_assert_held(&vsi->mac_filter_hash_lock);
+       if (vsi->info.pvid)
+               return i40e_add_filter(vsi, macaddr,
+                                      le16_to_cpu(vsi->info.pvid));
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+index 662622f01e312..dfa785e39458d 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -2213,8 +2213,10 @@ static int i40e_vc_get_vf_resources_msg(struct i40e_vf *vf, u8 *msg)
+               vfres->vsi_res[0].qset_handle
+                                         = le16_to_cpu(vsi->info.qs_handle[0]);
+               if (!(vf->driver_caps & VIRTCHNL_VF_OFFLOAD_USO) && !vf->pf_set_mac) {
++                      spin_lock_bh(&vsi->mac_filter_hash_lock);
+                       i40e_del_mac_filter(vsi, vf->default_lan_addr.addr);
+                       eth_zero_addr(vf->default_lan_addr.addr);
++                      spin_unlock_bh(&vsi->mac_filter_hash_lock);
+               }
+               ether_addr_copy(vfres->vsi_res[0].default_mac_addr,
+                               vf->default_lan_addr.addr);
+-- 
+2.43.0
+
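Review bot: In i40e_vc_get_vf_resources_msg() the new critical section ends before `ether_addr_copy(vfres->vsi_res[0].default_mac_addr, vf->default_lan_addr.addr)`, so the read of `default_lan_addr` two lines after the zeroing runs without `mac_filter_hash_lock`. The commit message describes the zeroing as protected by that lock; if the lock is meant to cover `default_lan_addr` as well as the hash, the reader needs to be under it too, and if not, the scope should be stated so the next change does not rely on it. A comment at the lock site would settle it, for example `/* lock covers mac_filter_hash only; default_lan_addr is zeroed here to stay in step with the filter removal */`. The function body continues outside the hunk, so other accesses to the field cannot be checked from here.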
diff --git a/queue-6.11/ice-clear-port-vlan-config-during-reset.patch b/queue-6.11/ice-clear-port-vlan-config-during-reset.patch
new file mode 100644 (file)
index 0000000..4c24e75
--- /dev/null
@@ -0,0 +1,143 @@
+From 6cb72395621a963cf3ed79dc9059edc4381f3e98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 14:57:06 +0200
+Subject: ice: clear port vlan config during reset
+
+From: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+
+[ Upstream commit d019b1a9128d65956f04679ec2bb8b0800f13358 ]
+
+Since commit 2a2cb4c6c181 ("ice: replace ice_vf_recreate_vsi() with
+ice_vf_reconfig_vsi()") VF VSI is only reconfigured instead of
+recreated. The context configuration from previous setting is still the
+same. If any of the config needs to be cleared it needs to be cleared
+explicitly.
+
+Previously there was assumption that port vlan will be cleared
+automatically. Now, when VSI is only reconfigured we have to do it in the
+code.
+
+Not clearing port vlan configuration leads to situation when the driver
+VSI config is different than the VSI config in HW. Traffic can't be
+passed after setting and clearing port vlan, because of invalid VSI
+config in HW.
+
+Example reproduction:
+> ip a a dev $(VF) $(VF_IP_ADDRESS)
+> ip l s dev $(VF) up
+> ping $(VF_IP_ADDRESS)
+ping is working fine here
+> ip link set eth5 vf 0 vlan 100
+> ip link set eth5 vf 0 vlan 0
+> ping $(VF_IP_ADDRESS)
+ping isn't working
+
+Fixes: 2a2cb4c6c181 ("ice: replace ice_vf_recreate_vsi() with ice_vf_reconfig_vsi()")
+Signed-off-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
+Tested-by: Piotr Tyda <piotr.tyda@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_vf_lib.c   |  7 +++
+ .../net/ethernet/intel/ice/ice_vsi_vlan_lib.c | 57 +++++++++++++++++++
+ .../net/ethernet/intel/ice/ice_vsi_vlan_lib.h |  1 +
+ 3 files changed, 65 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib.c b/drivers/net/ethernet/intel/ice/ice_vf_lib.c
+index 5635e9da2212b..9fe2a309c5ffa 100644
+--- a/drivers/net/ethernet/intel/ice/ice_vf_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_vf_lib.c
+@@ -335,6 +335,13 @@ static int ice_vf_rebuild_host_vlan_cfg(struct ice_vf *vf, struct ice_vsi *vsi)
+               err = vlan_ops->add_vlan(vsi, &vf->port_vlan_info);
+       } else {
++              /* clear possible previous port vlan config */
++              err = ice_vsi_clear_port_vlan(vsi);
++              if (err) {
++                      dev_err(dev, "failed to clear port VLAN via VSI parameters for VF %u, error %d\n",
++                              vf->vf_id, err);
++                      return err;
++              }
+               err = ice_vsi_add_vlan_zero(vsi);
+       }
+diff --git a/drivers/net/ethernet/intel/ice/ice_vsi_vlan_lib.c b/drivers/net/ethernet/intel/ice/ice_vsi_vlan_lib.c
+index 6e8f2aab60801..5291f2888ef89 100644
+--- a/drivers/net/ethernet/intel/ice/ice_vsi_vlan_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_vsi_vlan_lib.c
+@@ -787,3 +787,60 @@ int ice_vsi_clear_outer_port_vlan(struct ice_vsi *vsi)
+       kfree(ctxt);
+       return err;
+ }
++
++int ice_vsi_clear_port_vlan(struct ice_vsi *vsi)
++{
++      struct ice_hw *hw = &vsi->back->hw;
++      struct ice_vsi_ctx *ctxt;
++      int err;
++
++      ctxt = kzalloc(sizeof(*ctxt), GFP_KERNEL);
++      if (!ctxt)
++              return -ENOMEM;
++
++      ctxt->info = vsi->info;
++
++      ctxt->info.port_based_outer_vlan = 0;
++      ctxt->info.port_based_inner_vlan = 0;
++
++      ctxt->info.inner_vlan_flags =
++              FIELD_PREP(ICE_AQ_VSI_INNER_VLAN_TX_MODE_M,
++                         ICE_AQ_VSI_INNER_VLAN_TX_MODE_ALL);
++      if (ice_is_dvm_ena(hw)) {
++              ctxt->info.inner_vlan_flags |=
++                      FIELD_PREP(ICE_AQ_VSI_INNER_VLAN_EMODE_M,
++                                 ICE_AQ_VSI_INNER_VLAN_EMODE_NOTHING);
++              ctxt->info.outer_vlan_flags =
++                      FIELD_PREP(ICE_AQ_VSI_OUTER_VLAN_TX_MODE_M,
++                                 ICE_AQ_VSI_OUTER_VLAN_TX_MODE_ALL);
++              ctxt->info.outer_vlan_flags |=
++                      FIELD_PREP(ICE_AQ_VSI_OUTER_TAG_TYPE_M,
++                                 ICE_AQ_VSI_OUTER_TAG_VLAN_8100);
++              ctxt->info.outer_vlan_flags |=
++                      ICE_AQ_VSI_OUTER_VLAN_EMODE_NOTHING <<
++                      ICE_AQ_VSI_OUTER_VLAN_EMODE_S;
++      }
++
++      ctxt->info.sw_flags2 &= ~ICE_AQ_VSI_SW_FLAG_RX_VLAN_PRUNE_ENA;
++      ctxt->info.valid_sections =
++              cpu_to_le16(ICE_AQ_VSI_PROP_OUTER_TAG_VALID |
++                          ICE_AQ_VSI_PROP_VLAN_VALID |
++                          ICE_AQ_VSI_PROP_SW_VALID);
++
++      err = ice_update_vsi(hw, vsi->idx, ctxt, NULL);
++      if (err) {
++              dev_err(ice_pf_to_dev(vsi->back), "update VSI for clearing port based VLAN failed, err %d aq_err %s\n",
++                      err, ice_aq_str(hw->adminq.sq_last_status));
++      } else {
++              vsi->info.port_based_outer_vlan =
++                      ctxt->info.port_based_outer_vlan;
++              vsi->info.port_based_inner_vlan =
++                      ctxt->info.port_based_inner_vlan;
++              vsi->info.outer_vlan_flags = ctxt->info.outer_vlan_flags;
++              vsi->info.inner_vlan_flags = ctxt->info.inner_vlan_flags;
++              vsi->info.sw_flags2 = ctxt->info.sw_flags2;
++      }
++
++      kfree(ctxt);
++      return err;
++}
+diff --git a/drivers/net/ethernet/intel/ice/ice_vsi_vlan_lib.h b/drivers/net/ethernet/intel/ice/ice_vsi_vlan_lib.h
+index f0d84d11bd5b1..12b227621a7dd 100644
+--- a/drivers/net/ethernet/intel/ice/ice_vsi_vlan_lib.h
++++ b/drivers/net/ethernet/intel/ice/ice_vsi_vlan_lib.h
+@@ -36,5 +36,6 @@ int ice_vsi_ena_outer_insertion(struct ice_vsi *vsi, u16 tpid);
+ int ice_vsi_dis_outer_insertion(struct ice_vsi *vsi);
+ int ice_vsi_set_outer_port_vlan(struct ice_vsi *vsi, struct ice_vlan *vlan);
+ int ice_vsi_clear_outer_port_vlan(struct ice_vsi *vsi);
++int ice_vsi_clear_port_vlan(struct ice_vsi *vsi);
+ #endif /* _ICE_VSI_VLAN_LIB_H_ */
+-- 
+2.43.0
+
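Review bot: In the new ice_vsi_clear_port_vlan() the outer emulation mode is built with a manual shift, `ICE_AQ_VSI_OUTER_VLAN_EMODE_NOTHING << ICE_AQ_VSI_OUTER_VLAN_EMODE_S`, while every other field in the same function goes through FIELD_PREP(). Using the same form keeps the field masked to its width: `FIELD_PREP(ICE_AQ_VSI_OUTER_VLAN_EMODE_M, ICE_AQ_VSI_OUTER_VLAN_EMODE_NOTHING)`. The function is also added to the header without a kernel-doc block; a short one stating that it rewrites the VLAN and switch sections of the VSI context in hardware and returns 0 or a negative errno would help callers such as ice_vf_rebuild_host_vlan_cfg(). Note too that `valid_sections` always includes `ICE_AQ_VSI_PROP_OUTER_TAG_VALID`, although `outer_vlan_flags` is only rewritten when DVM is enabled; a why-comment on that choice would make the single-VLAN-mode behaviour explicit.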
diff --git a/queue-6.11/ice-disallow-dpll_pin_state_selectable-for-dpll-outp.patch b/queue-6.11/ice-disallow-dpll_pin_state_selectable-for-dpll-outp.patch
new file mode 100644 (file)
index 0000000..93e1a1f
--- /dev/null
@@ -0,0 +1,43 @@
+From ce5f3d3e6a0dd23de15beeddcdabcc83a710d128 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 10:54:28 +0200
+Subject: ice: disallow DPLL_PIN_STATE_SELECTABLE for dpll output pins
+
+From: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
+
+[ Upstream commit afe6e30e7701979f536f8fbf6fdef7212441f61a ]
+
+Currently the user may request DPLL_PIN_STATE_SELECTABLE for an output
+pin, and this would actually set the DISCONNECTED state instead.
+
+It doesn't make any sense. SELECTABLE is valid only in case of input pins
+(on AUTOMATIC type dpll), where dpll itself would select best valid input.
+For the output pin only CONNECTED/DISCONNECTED are expected.
+
+Fixes: d7999f5ea64b ("ice: implement dpll interface to control cgu")
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_dpll.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_dpll.c b/drivers/net/ethernet/intel/ice/ice_dpll.c
+index e92be6f130a3d..3d20c3b232aa9 100644
+--- a/drivers/net/ethernet/intel/ice/ice_dpll.c
++++ b/drivers/net/ethernet/intel/ice/ice_dpll.c
+@@ -651,6 +651,8 @@ ice_dpll_output_state_set(const struct dpll_pin *pin, void *pin_priv,
+       struct ice_dpll_pin *p = pin_priv;
+       struct ice_dpll *d = dpll_priv;
++      if (state == DPLL_PIN_STATE_SELECTABLE)
++              return -EINVAL;
+       if (!enable && p->state[d->dpll_idx] == DPLL_PIN_STATE_DISCONNECTED)
+               return 0;
+-- 
+2.43.0
+
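Review bot: The new check in ice_dpll_output_state_set() rejects only `DPLL_PIN_STATE_SELECTABLE`, whereas the commit message states that an output pin accepts only CONNECTED and DISCONNECTED. Written as a denylist, any other value that reaches this callback is still handled as a disconnect request rather than refused. Validating against the two accepted states matches the stated intent and stays correct if the enum grows: `if (state != DPLL_PIN_STATE_CONNECTED && state != DPLL_PIN_STATE_DISCONNECTED) return -EINVAL;`. How `enable` is derived from `state` is outside the hunk, so the exact fall-through behaviour is inferred.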
diff --git a/queue-6.11/ice-fix-entering-safe-mode.patch b/queue-6.11/ice-fix-entering-safe-mode.patch
new file mode 100644 (file)
index 0000000..236a849
--- /dev/null
@@ -0,0 +1,52 @@
+From 4307b9dc238d4a73971ad1da7c12a4786ab7e6ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Sep 2024 12:04:23 +0200
+Subject: ice: Fix entering Safe Mode
+
+From: Marcin Szycik <marcin.szycik@linux.intel.com>
+
+[ Upstream commit b972060a47780aa2d46441e06b354156455cc877 ]
+
+If DDP package is missing or corrupted, the driver should enter Safe Mode.
+Instead, an error is returned and probe fails.
+
+To fix this, don't exit init if ice_init_ddp_config() returns an error.
+
+Repro:
+* Remove or rename DDP package (/lib/firmware/intel/ice/ddp/ice.pkg)
+* Load ice
+
+Fixes: cc5776fe1832 ("ice: Enable switching default Tx scheduler topology")
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Signed-off-by: Marcin Szycik <marcin.szycik@linux.intel.com>
+Reviewed-by: Brett Creeley <brett.creeley@amd.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index a06dcf8367db0..5bd0d7252081c 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -4779,14 +4779,12 @@ int ice_init_dev(struct ice_pf *pf)
+       ice_init_feature_support(pf);
+       err = ice_init_ddp_config(hw, pf);
+-      if (err)
+-              return err;
+       /* if ice_init_ddp_config fails, ICE_FLAG_ADV_FEATURES bit won't be
+        * set in pf->state, which will cause ice_is_safe_mode to return
+        * true
+        */
+-      if (ice_is_safe_mode(pf)) {
++      if (err || ice_is_safe_mode(pf)) {
+               /* we already got function/device capabilities but these don't
+                * reflect what the driver needs to do in safe mode. Instead of
+                * adding conditional logic everywhere to ignore these
+-- 
+2.43.0
+
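Review bot: The comment kept above the changed condition in ice_init_dev() says a failing ice_init_ddp_config() leaves ICE_FLAG_ADV_FEATURES clear so that ice_is_safe_mode() returns true, yet the new test is `if (err || ice_is_safe_mode(pf))`, so either the comment is no longer accurate or the `err ||` is redundant. The comment should say which it is, for example `/* a DDP load error must not fail probe: treat any error from ice_init_ddp_config() as safe mode, in addition to the flag check */`. The error value is also dropped without a log line at this point and `err` stays non-zero going into the safe-mode branch. The rest of the function is outside the hunk, so it is worth confirming that no later path returns the stale value.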
diff --git a/queue-6.11/ice-fix-increasing-msi-x-on-vf.patch b/queue-6.11/ice-fix-increasing-msi-x-on-vf.patch
new file mode 100644 (file)
index 0000000..4846a02
--- /dev/null
@@ -0,0 +1,132 @@
+From 3a7ef8b9fbce1bc68a6135a05560fa800f9153e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Sep 2024 17:15:40 +0200
+Subject: ice: Fix increasing MSI-X on VF
+
+From: Marcin Szycik <marcin.szycik@linux.intel.com>
+
+[ Upstream commit bce9af1b030bf59d51bbabf909a3ef164787e44e ]
+
+Increasing MSI-X value on a VF leads to invalid memory operations. This
+is caused by not reallocating some arrays.
+
+Reproducer:
+  modprobe ice
+  echo 0 > /sys/bus/pci/devices/$PF_PCI/sriov_drivers_autoprobe
+  echo 1 > /sys/bus/pci/devices/$PF_PCI/sriov_numvfs
+  echo 17 > /sys/bus/pci/devices/$VF0_PCI/sriov_vf_msix_count
+
+Default MSI-X is 16, so 17 and above triggers this issue.
+
+KASAN reports:
+
+  BUG: KASAN: slab-out-of-bounds in ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
+  Read of size 8 at addr ffff8888b937d180 by task bash/28433
+  (...)
+
+  Call Trace:
+   (...)
+   ? ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
+   kasan_report+0xed/0x120
+   ? ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
+   ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
+   ice_vsi_cfg_def+0x3360/0x4770 [ice]
+   ? mutex_unlock+0x83/0xd0
+   ? __pfx_ice_vsi_cfg_def+0x10/0x10 [ice]
+   ? __pfx_ice_remove_vsi_lkup_fltr+0x10/0x10 [ice]
+   ice_vsi_cfg+0x7f/0x3b0 [ice]
+   ice_vf_reconfig_vsi+0x114/0x210 [ice]
+   ice_sriov_set_msix_vec_count+0x3d0/0x960 [ice]
+   sriov_vf_msix_count_store+0x21c/0x300
+   (...)
+
+  Allocated by task 28201:
+   (...)
+   ice_vsi_cfg_def+0x1c8e/0x4770 [ice]
+   ice_vsi_cfg+0x7f/0x3b0 [ice]
+   ice_vsi_setup+0x179/0xa30 [ice]
+   ice_sriov_configure+0xcaa/0x1520 [ice]
+   sriov_numvfs_store+0x212/0x390
+   (...)
+
+To fix it, use ice_vsi_rebuild() instead of ice_vf_reconfig_vsi(). This
+causes the required arrays to be reallocated taking the new queue count
+into account (ice_vsi_realloc_stat_arrays()). Set req_txq and req_rxq
+before ice_vsi_rebuild(), so that realloc uses the newly set queue
+count.
+
+Additionally, ice_vsi_rebuild() does not remove VSI filters
+(ice_fltr_remove_all()), so ice_vf_init_host_cfg() is no longer
+necessary.
+
+Reported-by: Jacob Keller <jacob.e.keller@intel.com>
+Fixes: 2a2cb4c6c181 ("ice: replace ice_vf_recreate_vsi() with ice_vf_reconfig_vsi()")
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Signed-off-by: Marcin Szycik <marcin.szycik@linux.intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_sriov.c          | 11 ++++++++---
+ drivers/net/ethernet/intel/ice/ice_vf_lib.c         |  2 +-
+ drivers/net/ethernet/intel/ice/ice_vf_lib_private.h |  1 -
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_sriov.c b/drivers/net/ethernet/intel/ice/ice_sriov.c
+index 55ef33208456a..78ca6ddc3d03f 100644
+--- a/drivers/net/ethernet/intel/ice/ice_sriov.c
++++ b/drivers/net/ethernet/intel/ice/ice_sriov.c
+@@ -1119,7 +1119,10 @@ int ice_sriov_set_msix_vec_count(struct pci_dev *vf_dev, int msix_vec_count)
+       if (vf->first_vector_idx < 0)
+               goto unroll;
+-      if (ice_vf_reconfig_vsi(vf) || ice_vf_init_host_cfg(vf, vsi)) {
++      vsi->req_txq = queues;
++      vsi->req_rxq = queues;
++
++      if (ice_vsi_rebuild(vsi, ICE_VSI_FLAG_NO_INIT)) {
+               /* Try to rebuild with previous values */
+               needs_rebuild = true;
+               goto unroll;
+@@ -1146,8 +1149,10 @@ int ice_sriov_set_msix_vec_count(struct pci_dev *vf_dev, int msix_vec_count)
+               return -EINVAL;
+       if (needs_rebuild) {
+-              ice_vf_reconfig_vsi(vf);
+-              ice_vf_init_host_cfg(vf, vsi);
++              vsi->req_txq = prev_queues;
++              vsi->req_rxq = prev_queues;
++
++              ice_vsi_rebuild(vsi, ICE_VSI_FLAG_NO_INIT);
+       }
+       ice_ena_vf_mappings(vf);
+diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib.c b/drivers/net/ethernet/intel/ice/ice_vf_lib.c
+index 9fe2a309c5ffa..f8fbd49e23105 100644
+--- a/drivers/net/ethernet/intel/ice/ice_vf_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_vf_lib.c
+@@ -256,7 +256,7 @@ static void ice_vf_pre_vsi_rebuild(struct ice_vf *vf)
+  *
+  * It brings the VSI down and then reconfigures it with the hardware.
+  */
+-int ice_vf_reconfig_vsi(struct ice_vf *vf)
++static int ice_vf_reconfig_vsi(struct ice_vf *vf)
+ {
+       struct ice_vsi *vsi = ice_get_vf_vsi(vf);
+       struct ice_pf *pf = vf->pf;
+diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib_private.h b/drivers/net/ethernet/intel/ice/ice_vf_lib_private.h
+index 91ba7fe0eaee1..0c7e77c0a09fa 100644
+--- a/drivers/net/ethernet/intel/ice/ice_vf_lib_private.h
++++ b/drivers/net/ethernet/intel/ice/ice_vf_lib_private.h
+@@ -23,7 +23,6 @@
+ #warning "Only include ice_vf_lib_private.h in CONFIG_PCI_IOV virtualization files"
+ #endif
+-int ice_vf_reconfig_vsi(struct ice_vf *vf);
+ void ice_initialize_vf_entry(struct ice_vf *vf);
+ void ice_dis_vf_qs(struct ice_vf *vf);
+ int ice_check_vf_init(struct ice_vf *vf);
+-- 
+2.43.0
+
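Review bot: In the unroll path of ice_sriov_set_msix_vec_count() the fallback `ice_vsi_rebuild(vsi, ICE_VSI_FLAG_NO_INIT);` has its return value ignored, so when the rebuild with `prev_queues` also fails the function carries on to `ice_ena_vf_mappings(vf)` with a VSI whose ring arrays may not match `req_txq`/`req_rxq`. Since the bug being fixed is an out-of-bounds access from exactly such a mismatch, the failure should at least be reported: `if (ice_vsi_rebuild(vsi, ICE_VSI_FLAG_NO_INIT))` followed by `dev_err(ice_pf_to_dev(vsi->back), "VF %u: rebuild with previous queue count failed\n", vf->vf_id);`. Whether the mappings should still be enabled in that case depends on code outside the hunk.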
diff --git a/queue-6.11/ice-fix-memleak-in-ice_init_tx_topology.patch b/queue-6.11/ice-fix-memleak-in-ice_init_tx_topology.patch
new file mode 100644 (file)
index 0000000..2d8ef73
--- /dev/null
@@ -0,0 +1,240 @@
+From 32fbd8af05bfb4576b5660880320b9bbd9ca97a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2024 15:57:21 +0200
+Subject: ice: fix memleak in ice_init_tx_topology()
+
+From: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+
+[ Upstream commit c188afdc36113760873ec78cbc036f6b05f77621 ]
+
+Fix leak of the FW blob (DDP pkg).
+
+Make ice_cfg_tx_topo() const-correct, so ice_init_tx_topology() can avoid
+copying whole FW blob. Copy just the topology section, and only when
+needed. Reuse the buffer allocated for the read of the current topology.
+
+This was found by kmemleak, with the following trace for each PF:
+    [<ffffffff8761044d>] kmemdup_noprof+0x1d/0x50
+    [<ffffffffc0a0a480>] ice_init_ddp_config+0x100/0x220 [ice]
+    [<ffffffffc0a0da7f>] ice_init_dev+0x6f/0x200 [ice]
+    [<ffffffffc0a0dc49>] ice_init+0x29/0x560 [ice]
+    [<ffffffffc0a10c1d>] ice_probe+0x21d/0x310 [ice]
+
+Constify ice_cfg_tx_topo() @buf parameter.
+This cascades further down to few more functions.
+
+Fixes: cc5776fe1832 ("ice: Enable switching default Tx scheduler topology")
+CC: Larysa Zaremba <larysa.zaremba@intel.com>
+CC: Jacob Keller <jacob.e.keller@intel.com>
+CC: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com>
+CC: Mateusz Polchlopek <mateusz.polchlopek@intel.com>
+Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_ddp.c  | 58 +++++++++++------------
+ drivers/net/ethernet/intel/ice/ice_ddp.h  |  4 +-
+ drivers/net/ethernet/intel/ice/ice_main.c |  8 +---
+ 3 files changed, 31 insertions(+), 39 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_ddp.c b/drivers/net/ethernet/intel/ice/ice_ddp.c
+index f182179529b7d..6b60b7c4de093 100644
+--- a/drivers/net/ethernet/intel/ice/ice_ddp.c
++++ b/drivers/net/ethernet/intel/ice/ice_ddp.c
+@@ -31,7 +31,7 @@ static const struct ice_tunnel_type_scan tnls[] = {
+  * Verifies various attributes of the package file, including length, format
+  * version, and the requirement of at least one segment.
+  */
+-static enum ice_ddp_state ice_verify_pkg(struct ice_pkg_hdr *pkg, u32 len)
++static enum ice_ddp_state ice_verify_pkg(const struct ice_pkg_hdr *pkg, u32 len)
+ {
+       u32 seg_count;
+       u32 i;
+@@ -57,13 +57,13 @@ static enum ice_ddp_state ice_verify_pkg(struct ice_pkg_hdr *pkg, u32 len)
+       /* all segments must fit within length */
+       for (i = 0; i < seg_count; i++) {
+               u32 off = le32_to_cpu(pkg->seg_offset[i]);
+-              struct ice_generic_seg_hdr *seg;
++              const struct ice_generic_seg_hdr *seg;
+               /* segment header must fit */
+               if (len < off + sizeof(*seg))
+                       return ICE_DDP_PKG_INVALID_FILE;
+-              seg = (struct ice_generic_seg_hdr *)((u8 *)pkg + off);
++              seg = (void *)pkg + off;
+               /* segment body must fit */
+               if (len < off + le32_to_cpu(seg->seg_size))
+@@ -119,13 +119,13 @@ static enum ice_ddp_state ice_chk_pkg_version(struct ice_pkg_ver *pkg_ver)
+  *
+  * This helper function validates a buffer's header.
+  */
+-static struct ice_buf_hdr *ice_pkg_val_buf(struct ice_buf *buf)
++static const struct ice_buf_hdr *ice_pkg_val_buf(const struct ice_buf *buf)
+ {
+-      struct ice_buf_hdr *hdr;
++      const struct ice_buf_hdr *hdr;
+       u16 section_count;
+       u16 data_end;
+-      hdr = (struct ice_buf_hdr *)buf->buf;
++      hdr = (const struct ice_buf_hdr *)buf->buf;
+       /* verify data */
+       section_count = le16_to_cpu(hdr->section_count);
+       if (section_count < ICE_MIN_S_COUNT || section_count > ICE_MAX_S_COUNT)
+@@ -165,8 +165,8 @@ static struct ice_buf_table *ice_find_buf_table(struct ice_seg *ice_seg)
+  * unexpected value has been detected (for example an invalid section count or
+  * an invalid buffer end value).
+  */
+-static struct ice_buf_hdr *ice_pkg_enum_buf(struct ice_seg *ice_seg,
+-                                          struct ice_pkg_enum *state)
++static const struct ice_buf_hdr *ice_pkg_enum_buf(struct ice_seg *ice_seg,
++                                                struct ice_pkg_enum *state)
+ {
+       if (ice_seg) {
+               state->buf_table = ice_find_buf_table(ice_seg);
+@@ -1800,9 +1800,9 @@ int ice_update_pkg(struct ice_hw *hw, struct ice_buf *bufs, u32 count)
+  * success it returns a pointer to the segment header, otherwise it will
+  * return NULL.
+  */
+-static struct ice_generic_seg_hdr *
++static const struct ice_generic_seg_hdr *
+ ice_find_seg_in_pkg(struct ice_hw *hw, u32 seg_type,
+-                  struct ice_pkg_hdr *pkg_hdr)
++                  const struct ice_pkg_hdr *pkg_hdr)
+ {
+       u32 i;
+@@ -1813,11 +1813,9 @@ ice_find_seg_in_pkg(struct ice_hw *hw, u32 seg_type,
+       /* Search all package segments for the requested segment type */
+       for (i = 0; i < le32_to_cpu(pkg_hdr->seg_count); i++) {
+-              struct ice_generic_seg_hdr *seg;
++              const struct ice_generic_seg_hdr *seg;
+-              seg = (struct ice_generic_seg_hdr
+-                             *)((u8 *)pkg_hdr +
+-                                le32_to_cpu(pkg_hdr->seg_offset[i]));
++              seg = (void *)pkg_hdr + le32_to_cpu(pkg_hdr->seg_offset[i]);
+               if (le32_to_cpu(seg->seg_type) == seg_type)
+                       return seg;
+@@ -2354,12 +2352,12 @@ ice_get_set_tx_topo(struct ice_hw *hw, u8 *buf, u16 buf_size,
+  *
+  * Return: zero when update was successful, negative values otherwise.
+  */
+-int ice_cfg_tx_topo(struct ice_hw *hw, u8 *buf, u32 len)
++int ice_cfg_tx_topo(struct ice_hw *hw, const void *buf, u32 len)
+ {
+-      u8 *current_topo, *new_topo = NULL;
+-      struct ice_run_time_cfg_seg *seg;
+-      struct ice_buf_hdr *section;
+-      struct ice_pkg_hdr *pkg_hdr;
++      u8 *new_topo = NULL, *topo __free(kfree) = NULL;
++      const struct ice_run_time_cfg_seg *seg;
++      const struct ice_buf_hdr *section;
++      const struct ice_pkg_hdr *pkg_hdr;
+       enum ice_ddp_state state;
+       u16 offset, size = 0;
+       u32 reg = 0;
+@@ -2375,15 +2373,13 @@ int ice_cfg_tx_topo(struct ice_hw *hw, u8 *buf, u32 len)
+               return -EOPNOTSUPP;
+       }
+-      current_topo = kzalloc(ICE_AQ_MAX_BUF_LEN, GFP_KERNEL);
+-      if (!current_topo)
++      topo = kzalloc(ICE_AQ_MAX_BUF_LEN, GFP_KERNEL);
++      if (!topo)
+               return -ENOMEM;
+-      /* Get the current Tx topology */
+-      status = ice_get_set_tx_topo(hw, current_topo, ICE_AQ_MAX_BUF_LEN, NULL,
+-                                   &flags, false);
+-
+-      kfree(current_topo);
++      /* Get the current Tx topology flags */
++      status = ice_get_set_tx_topo(hw, topo, ICE_AQ_MAX_BUF_LEN, NULL, &flags,
++                                   false);
+       if (status) {
+               ice_debug(hw, ICE_DBG_INIT, "Get current topology is failed\n");
+@@ -2419,7 +2415,7 @@ int ice_cfg_tx_topo(struct ice_hw *hw, u8 *buf, u32 len)
+               goto update_topo;
+       }
+-      pkg_hdr = (struct ice_pkg_hdr *)buf;
++      pkg_hdr = (const struct ice_pkg_hdr *)buf;
+       state = ice_verify_pkg(pkg_hdr, len);
+       if (state) {
+               ice_debug(hw, ICE_DBG_INIT, "Failed to verify pkg (err: %d)\n",
+@@ -2428,7 +2424,7 @@ int ice_cfg_tx_topo(struct ice_hw *hw, u8 *buf, u32 len)
+       }
+       /* Find runtime configuration segment */
+-      seg = (struct ice_run_time_cfg_seg *)
++      seg = (const struct ice_run_time_cfg_seg *)
+             ice_find_seg_in_pkg(hw, SEGMENT_TYPE_ICE_RUN_TIME_CFG, pkg_hdr);
+       if (!seg) {
+               ice_debug(hw, ICE_DBG_INIT, "5 layer topology segment is missing\n");
+@@ -2461,8 +2457,10 @@ int ice_cfg_tx_topo(struct ice_hw *hw, u8 *buf, u32 len)
+               return -EIO;
+       }
+-      /* Get the new topology buffer */
+-      new_topo = ((u8 *)section) + offset;
++      /* Get the new topology buffer, reuse current topo copy mem */
++      static_assert(ICE_PKG_BUF_SIZE == ICE_AQ_MAX_BUF_LEN);
++      new_topo = topo;
++      memcpy(new_topo, (u8 *)section + offset, size);
+ update_topo:
+       /* Acquire global lock to make sure that set topology issued
+diff --git a/drivers/net/ethernet/intel/ice/ice_ddp.h b/drivers/net/ethernet/intel/ice/ice_ddp.h
+index 622543f08b431..00840e5a10779 100644
+--- a/drivers/net/ethernet/intel/ice/ice_ddp.h
++++ b/drivers/net/ethernet/intel/ice/ice_ddp.h
+@@ -430,7 +430,7 @@ struct ice_pkg_enum {
+       u32 buf_idx;
+       u32 type;
+-      struct ice_buf_hdr *buf;
++      const struct ice_buf_hdr *buf;
+       u32 sect_idx;
+       void *sect;
+       u32 sect_type;
+@@ -454,6 +454,6 @@ u16 ice_pkg_buf_get_active_sections(struct ice_buf_build *bld);
+ void *ice_pkg_enum_section(struct ice_seg *ice_seg, struct ice_pkg_enum *state,
+                          u32 sect_type);
+-int ice_cfg_tx_topo(struct ice_hw *hw, u8 *buf, u32 len);
++int ice_cfg_tx_topo(struct ice_hw *hw, const void *buf, u32 len);
+ #endif
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index ea780d468579f..a06dcf8367db0 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -4548,16 +4548,10 @@ ice_init_tx_topology(struct ice_hw *hw, const struct firmware *firmware)
+       u8 num_tx_sched_layers = hw->num_tx_sched_layers;
+       struct ice_pf *pf = hw->back;
+       struct device *dev;
+-      u8 *buf_copy;
+       int err;
+       dev = ice_pf_to_dev(pf);
+-      /* ice_cfg_tx_topo buf argument is not a constant,
+-       * so we have to make a copy
+-       */
+-      buf_copy = kmemdup(firmware->data, firmware->size, GFP_KERNEL);
+-
+-      err = ice_cfg_tx_topo(hw, buf_copy, firmware->size);
++      err = ice_cfg_tx_topo(hw, firmware->data, firmware->size);
+       if (!err) {
+               if (hw->num_tx_sched_layers > num_tx_sched_layers)
+                       dev_info(dev, "Tx scheduling layers switching feature disabled\n");
+-- 
+2.43.0
+
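Review bot: The `memcpy(new_topo, (u8 *)section + offset, size)` added near the end of ice_cfg_tx_topo() copies a length read from the package into the ICE_AQ_MAX_BUF_LEN buffer, and the only bound visible in this patch is the compile-time `static_assert(ICE_PKG_BUF_SIZE == ICE_AQ_MAX_BUF_LEN)`. The runtime check that `offset + size` stays within ICE_PKG_BUF_SIZE is presumably what ends in the `return -EIO` just above, but it lies outside the hunk. A one-line comment such as `/* offset + size <= ICE_PKG_BUF_SIZE was verified above, so the copy fits in topo */` would tie the two together. The cast also drops the const that the rest of the patch adds to `section`; `(const u8 *)section + offset` keeps it, and the same applies to `(void *)pkg + off` in ice_verify_pkg() and `(void *)pkg_hdr + ...` in ice_find_seg_in_pkg(). ice_cfg_tx_topo() starts and ends outside the hunks shown.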
diff --git a/queue-6.11/ice-fix-netif_is_ice-in-safe-mode.patch b/queue-6.11/ice-fix-netif_is_ice-in-safe-mode.patch
new file mode 100644 (file)
index 0000000..aab17c9
--- /dev/null
@@ -0,0 +1,43 @@
+From 8488625ac0898ab999eabd820ddc19d5d56abe16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Sep 2024 12:04:24 +0200
+Subject: ice: Fix netif_is_ice() in Safe Mode
+
+From: Marcin Szycik <marcin.szycik@linux.intel.com>
+
+[ Upstream commit 8e60dbcbaaa177dacef55a61501790e201bf8c88 ]
+
+netif_is_ice() works by checking the pointer to netdev ops. However, it
+only checks for the default ice_netdev_ops, not ice_netdev_safe_mode_ops,
+so in Safe Mode it always returns false, which is unintuitive. While it
+doesn't look like netif_is_ice() is currently being called anywhere in Safe
+Mode, this could change and potentially lead to unexpected behaviour.
+
+Fixes: df006dd4b1dc ("ice: Add initial support framework for LAG")
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Signed-off-by: Marcin Szycik <marcin.szycik@linux.intel.com>
+Reviewed-by: Brett Creeley <brett.creeley@amd.com>
+Tested-by: Sujai Buvaneswaran <sujai.buvaneswaran@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index 5bd0d7252081c..39f89cb590cf2 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -86,7 +86,8 @@ ice_indr_setup_tc_cb(struct net_device *netdev, struct Qdisc *sch,
+ bool netif_is_ice(const struct net_device *dev)
+ {
+-      return dev && (dev->netdev_ops == &ice_netdev_ops);
++      return dev && (dev->netdev_ops == &ice_netdev_ops ||
++                     dev->netdev_ops == &ice_netdev_safe_mode_ops);
+ }
+ /**
+-- 
+2.43.0
+
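Review bot: netif_is_ice() now returns true for Safe Mode netdevs as well, so any caller that treats a true result as "fully initialised ice device" needs its own Safe Mode check. The commit message says no such caller runs in Safe Mode today, which this hunk cannot confirm. A short comment on the function would record the new contract, e.g. `/* true for both normal and Safe Mode ice netdevs; callers needing full functionality must check Safe Mode themselves */`.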
diff --git a/queue-6.11/ice-fix-vlan-replay-after-reset.patch b/queue-6.11/ice-fix-vlan-replay-after-reset.patch
new file mode 100644 (file)
index 0000000..4c755d6
--- /dev/null
@@ -0,0 +1,56 @@
+From 7d2637c2d89be7deff26bad9a7d356575e2f8a6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Sep 2024 14:02:56 -0400
+Subject: ice: fix VLAN replay after reset
+
+From: Dave Ertman <david.m.ertman@intel.com>
+
+[ Upstream commit 0eae2c136cb624e4050092feb59f18159b4f2512 ]
+
+There is a bug currently when there are more than one VLAN defined
+and any reset that affects the PF is initiated, after the reset rebuild
+no traffic will pass on any VLAN but the last one created.
+
+This is caused by the iteration though the VLANs during replay each
+clearing the vsi_map bitmap of the VSI that is being replayed.  The
+problem is that during rhe replay, the pointer to the vsi_map bitmap
+is used by each successive vlan to determine if it should be replayed
+on this VSI.
+
+The logic was that the replay of the VLAN would replace the bit in the map
+before the next VLAN would iterate through.  But, since the replay copies
+the old bitmap pointer to filt_replay_rules and creates a new one for the
+recreated VLANS, it does not do this, and leaves the old bitmap broken
+to be used to replay the remaining VLANs.
+
+Since the old bitmap will be cleaned up in post replay cleanup, there is
+no need to alter it and break following VLAN replay, so don't clear the
+bit.
+
+Fixes: 334cb0626de1 ("ice: Implement VSI replay framework")
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Signed-off-by: Dave Ertman <david.m.ertman@intel.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_switch.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_switch.c b/drivers/net/ethernet/intel/ice/ice_switch.c
+index 79d91e95358ca..0e740342e2947 100644
+--- a/drivers/net/ethernet/intel/ice/ice_switch.c
++++ b/drivers/net/ethernet/intel/ice/ice_switch.c
+@@ -6322,8 +6322,6 @@ ice_replay_vsi_fltr(struct ice_hw *hw, u16 vsi_handle, u8 recp_id,
+               if (!itr->vsi_list_info ||
+                   !test_bit(vsi_handle, itr->vsi_list_info->vsi_map))
+                       continue;
+-              /* Clearing it so that the logic can add it back */
+-              clear_bit(vsi_handle, itr->vsi_list_info->vsi_map);
+               f_entry.fltr_info.vsi_handle = vsi_handle;
+               f_entry.fltr_info.fltr_act = ICE_FWD_TO_VSI;
+               /* update the src in case it is VSI num */
+-- 
+2.43.0
+
diff --git a/queue-6.11/ice-flush-fdb-entries-before-reset.patch b/queue-6.11/ice-flush-fdb-entries-before-reset.patch
new file mode 100644 (file)
index 0000000..e74da81
--- /dev/null
@@ -0,0 +1,114 @@
+From f8709d9978527571b178f361909bf3efb75ecc03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Sep 2024 14:38:01 +0200
+Subject: ice: Flush FDB entries before reset
+
+From: Wojciech Drewek <wojciech.drewek@intel.com>
+
+[ Upstream commit fbcb968a98ac0b71f5a2bda2751d7a32d201f90d ]
+
+Triggering the reset while in switchdev mode causes
+errors[1]. Rules are already removed by this time
+because switch content is flushed in case of the reset.
+This means that rules were deleted from HW but SW
+still thinks they exist so when we get
+SWITCHDEV_FDB_DEL_TO_DEVICE notification we try to
+delete not existing rule.
+
+We can avoid these errors by clearing the rules
+early in the reset flow before they are removed from HW.
+Switchdev API will get notified that the rule was removed
+so we won't get SWITCHDEV_FDB_DEL_TO_DEVICE notification.
+Remove unnecessary ice_clear_sw_switch_recipes.
+
+[1]
+ice 0000:01:00.0: Failed to delete FDB forward rule, err: -2
+ice 0000:01:00.0: Failed to delete FDB guard rule, err: -2
+
+Fixes: 7c945a1a8e5f ("ice: Switchdev FDB events support")
+Reviewed-by: Mateusz Polchlopek <mateusz.polchlopek@intel.com>
+Signed-off-by: Wojciech Drewek <wojciech.drewek@intel.com>
+Tested-by: Sujai Buvaneswaran <sujai.buvaneswaran@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/intel/ice/ice_eswitch_br.c   |  5 +++-
+ .../net/ethernet/intel/ice/ice_eswitch_br.h   |  1 +
+ drivers/net/ethernet/intel/ice/ice_main.c     | 24 +++----------------
+ 3 files changed, 8 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_eswitch_br.c b/drivers/net/ethernet/intel/ice/ice_eswitch_br.c
+index f5aceb32bf4dd..cccb7ddf61c97 100644
+--- a/drivers/net/ethernet/intel/ice/ice_eswitch_br.c
++++ b/drivers/net/ethernet/intel/ice/ice_eswitch_br.c
+@@ -582,10 +582,13 @@ ice_eswitch_br_switchdev_event(struct notifier_block *nb,
+       return NOTIFY_DONE;
+ }
+-static void ice_eswitch_br_fdb_flush(struct ice_esw_br *bridge)
++void ice_eswitch_br_fdb_flush(struct ice_esw_br *bridge)
+ {
+       struct ice_esw_br_fdb_entry *entry, *tmp;
++      if (!bridge)
++              return;
++
+       list_for_each_entry_safe(entry, tmp, &bridge->fdb_list, list)
+               ice_eswitch_br_fdb_entry_notify_and_cleanup(bridge, entry);
+ }
+diff --git a/drivers/net/ethernet/intel/ice/ice_eswitch_br.h b/drivers/net/ethernet/intel/ice/ice_eswitch_br.h
+index c15c7344d7f85..66a2c804338f0 100644
+--- a/drivers/net/ethernet/intel/ice/ice_eswitch_br.h
++++ b/drivers/net/ethernet/intel/ice/ice_eswitch_br.h
+@@ -117,5 +117,6 @@ void
+ ice_eswitch_br_offloads_deinit(struct ice_pf *pf);
+ int
+ ice_eswitch_br_offloads_init(struct ice_pf *pf);
++void ice_eswitch_br_fdb_flush(struct ice_esw_br *bridge);
+ #endif /* _ICE_ESWITCH_BR_H_ */
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index 39f89cb590cf2..03b72c0e043a7 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -520,25 +520,6 @@ static void ice_pf_dis_all_vsi(struct ice_pf *pf, bool locked)
+               pf->vf_agg_node[node].num_vsis = 0;
+ }
+-/**
+- * ice_clear_sw_switch_recipes - clear switch recipes
+- * @pf: board private structure
+- *
+- * Mark switch recipes as not created in sw structures. There are cases where
+- * rules (especially advanced rules) need to be restored, either re-read from
+- * hardware or added again. For example after the reset. 'recp_created' flag
+- * prevents from doing that and need to be cleared upfront.
+- */
+-static void ice_clear_sw_switch_recipes(struct ice_pf *pf)
+-{
+-      struct ice_sw_recipe *recp;
+-      u8 i;
+-
+-      recp = pf->hw.switch_info->recp_list;
+-      for (i = 0; i < ICE_MAX_NUM_RECIPES; i++)
+-              recp[i].recp_created = false;
+-}
+-
+ /**
+  * ice_prepare_for_reset - prep for reset
+  * @pf: board private structure
+@@ -575,8 +556,9 @@ ice_prepare_for_reset(struct ice_pf *pf, enum ice_reset_req reset_type)
+       mutex_unlock(&pf->vfs.table_lock);
+       if (ice_is_eswitch_mode_switchdev(pf)) {
+-              if (reset_type != ICE_RESET_PFR)
+-                      ice_clear_sw_switch_recipes(pf);
++              rtnl_lock();
++              ice_eswitch_br_fdb_flush(pf->eswitch.br_offloads->bridge);
++              rtnl_unlock();
+       }
+       /* release ADQ specific HW and SW resources */
+-- 
+2.43.0
+
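Review bot: In ice_prepare_for_reset() the new call dereferences `pf->eswitch.br_offloads` before reaching the NULL check added in ice_eswitch_br_fdb_flush(), which guards only `bridge`. Nothing visible in the hunk shows that br_offloads is always allocated whenever ice_is_eswitch_mode_switchdev(pf) is true, so a reset arriving while the mode is set but bridge offloads are not initialised would fault here. If that state is reachable, guard it with `if (ice_is_eswitch_mode_switchdev(pf) && pf->eswitch.br_offloads) {`. The call also takes rtnl_lock() inside the reset preparation path, so it is worth confirming that no caller of ice_prepare_for_reset() already holds rtnl. The function body continues outside the hunk.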
diff --git a/queue-6.11/ice-set-correct-dst-vsi-in-only-lan-filters.patch b/queue-6.11/ice-set-correct-dst-vsi-in-only-lan-filters.patch
new file mode 100644 (file)
index 0000000..78c9113
--- /dev/null
@@ -0,0 +1,67 @@
+From fd00e7fb955d2a5ce1f8010575b00b2f15a72772 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Aug 2024 12:14:01 +0200
+Subject: ice: set correct dst VSI in only LAN filters
+
+From: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+
+[ Upstream commit 839e3f9bee425c90a0423d14b102a42fe6635c73 ]
+
+The filters set that will reproduce the problem:
+$ tc filter add dev $VF0_PR ingress protocol arp prio 0 flower \
+       skip_sw dst_mac ff:ff:ff:ff:ff:ff action mirred egress \
+       redirect dev $PF0
+$ tc filter add dev $VF0_PR ingress protocol arp prio 0 flower \
+       skip_sw dst_mac ff:ff:ff:ff:ff:ff src_mac 52:54:00:00:00:10 \
+       action mirred egress mirror dev $VF1_PR
+
+Expected behaviour is to set all broadcast from VF0 to the LAN. If the
+src_mac match the value from filters, send packet to LAN and to VF1.
+
+In this case both LAN_EN and LB_EN flags in switch is set in case of
+packet matching both filters. As dst VSI for the only LAN enable bit is
+PF VSI, the packet is being seen on PF. To fix this change dst VSI to
+the source VSI. It will block receiving any packet even when LB_EN is
+set by switch, because local loopback is clear on VF VSI during normal
+operation.
+
+Side note: if the second filters action is redirect instead of mirror
+LAN_EN is clear, because switch is AND-ing LAN_EN from each matched
+filters and OR-ing LB_EN.
+
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Fixes: 73b483b79029 ("ice: Manage act flags for switchdev offloads")
+Signed-off-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Sujai Buvaneswaran <sujai.buvaneswaran@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_tc_lib.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_tc_lib.c b/drivers/net/ethernet/intel/ice/ice_tc_lib.c
+index e6923f8121a99..ea39b999a0d00 100644
+--- a/drivers/net/ethernet/intel/ice/ice_tc_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_tc_lib.c
+@@ -819,6 +819,17 @@ ice_eswitch_add_tc_fltr(struct ice_vsi *vsi, struct ice_tc_flower_fltr *fltr)
+               rule_info.sw_act.flag |= ICE_FLTR_TX;
+               rule_info.sw_act.src = vsi->idx;
+               rule_info.flags_info.act = ICE_SINGLE_ACT_LAN_ENABLE;
++              /* This is a specific case. The destination VSI index is
++               * overwritten by the source VSI index. This type of filter
++               * should allow the packet to go to the LAN, not to the
++               * VSI passed here. It should set LAN_EN bit only. However,
++               * the VSI must be a valid one. Setting source VSI index
++               * here is safe. Even if the result from switch is set LAN_EN
++               * and LB_EN (which normally will pass the packet to this VSI)
++               * packet won't be seen on the VSI, because local loopback is
++               * turned off.
++               */
++              rule_info.sw_act.vsi_handle = vsi->idx;
+       } else {
+               /* VF to VF */
+               rule_info.sw_act.flag |= ICE_FLTR_TX;
+-- 
+2.43.0
+
diff --git a/queue-6.11/igb-do-not-bring-the-device-up-after-non-fatal-error.patch b/queue-6.11/igb-do-not-bring-the-device-up-after-non-fatal-error.patch
new file mode 100644 (file)
index 0000000..6442c87
--- /dev/null
@@ -0,0 +1,96 @@
+From 87b83758fd4bd4f5e9c6b210b1a81024adad8ac7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Sep 2024 15:06:01 -0600
+Subject: igb: Do not bring the device up after non-fatal error
+
+From: Mohamed Khalfella <mkhalfella@purestorage.com>
+
+[ Upstream commit 330a699ecbfc9c26ec92c6310686da1230b4e7eb ]
+
+Commit 004d25060c78 ("igb: Fix igb_down hung on surprise removal")
+changed igb_io_error_detected() to ignore non-fatal pcie errors in order
+to avoid hung task that can happen when igb_down() is called multiple
+times. This caused an issue when processing transient non-fatal errors.
+igb_io_resume(), which is called after igb_io_error_detected(), assumes
+that device is brought down by igb_io_error_detected() if the interface
+is up. This resulted in panic with stacktrace below.
+
+[ T3256] igb 0000:09:00.0 haeth0: igb: haeth0 NIC Link is Down
+[  T292] pcieport 0000:00:1c.5: AER: Uncorrected (Non-Fatal) error received: 0000:09:00.0
+[  T292] igb 0000:09:00.0: PCIe Bus Error: severity=Uncorrected (Non-Fatal), type=Transaction Layer, (Requester ID)
+[  T292] igb 0000:09:00.0:   device [8086:1537] error status/mask=00004000/00000000
+[  T292] igb 0000:09:00.0:    [14] CmpltTO [  200.105524,009][  T292] igb 0000:09:00.0: AER:   TLP Header: 00000000 00000000 00000000 00000000
+[  T292] pcieport 0000:00:1c.5: AER: broadcast error_detected message
+[  T292] igb 0000:09:00.0: Non-correctable non-fatal error reported.
+[  T292] pcieport 0000:00:1c.5: AER: broadcast mmio_enabled message
+[  T292] pcieport 0000:00:1c.5: AER: broadcast resume message
+[  T292] ------------[ cut here ]------------
+[  T292] kernel BUG at net/core/dev.c:6539!
+[  T292] invalid opcode: 0000 [#1] PREEMPT SMP
+[  T292] RIP: 0010:napi_enable+0x37/0x40
+[  T292] Call Trace:
+[  T292]  <TASK>
+[  T292]  ? die+0x33/0x90
+[  T292]  ? do_trap+0xdc/0x110
+[  T292]  ? napi_enable+0x37/0x40
+[  T292]  ? do_error_trap+0x70/0xb0
+[  T292]  ? napi_enable+0x37/0x40
+[  T292]  ? napi_enable+0x37/0x40
+[  T292]  ? exc_invalid_op+0x4e/0x70
+[  T292]  ? napi_enable+0x37/0x40
+[  T292]  ? asm_exc_invalid_op+0x16/0x20
+[  T292]  ? napi_enable+0x37/0x40
+[  T292]  igb_up+0x41/0x150
+[  T292]  igb_io_resume+0x25/0x70
+[  T292]  report_resume+0x54/0x70
+[  T292]  ? report_frozen_detected+0x20/0x20
+[  T292]  pci_walk_bus+0x6c/0x90
+[  T292]  ? aer_print_port_info+0xa0/0xa0
+[  T292]  pcie_do_recovery+0x22f/0x380
+[  T292]  aer_process_err_devices+0x110/0x160
+[  T292]  aer_isr+0x1c1/0x1e0
+[  T292]  ? disable_irq_nosync+0x10/0x10
+[  T292]  irq_thread_fn+0x1a/0x60
+[  T292]  irq_thread+0xe3/0x1a0
+[  T292]  ? irq_set_affinity_notifier+0x120/0x120
+[  T292]  ? irq_affinity_notify+0x100/0x100
+[  T292]  kthread+0xe2/0x110
+[  T292]  ? kthread_complete_and_exit+0x20/0x20
+[  T292]  ret_from_fork+0x2d/0x50
+[  T292]  ? kthread_complete_and_exit+0x20/0x20
+[  T292]  ret_from_fork_asm+0x11/0x20
+[  T292]  </TASK>
+
+To fix this issue igb_io_resume() checks if the interface is running and
+the device is not down this means igb_io_error_detected() did not bring
+the device down and there is no need to bring it up.
+
+Signed-off-by: Mohamed Khalfella <mkhalfella@purestorage.com>
+Reviewed-by: Yuanyuan Zhong <yzhong@purestorage.com>
+Fixes: 004d25060c78 ("igb: Fix igb_down hung on surprise removal")
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 1ef4cb871452a..f1d0881687233 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -9651,6 +9651,10 @@ static void igb_io_resume(struct pci_dev *pdev)
+       struct igb_adapter *adapter = netdev_priv(netdev);
+       if (netif_running(netdev)) {
++              if (!test_bit(__IGB_DOWN, &adapter->state)) {
++                      dev_dbg(&pdev->dev, "Resuming from non-fatal error, do nothing.\n");
++                      return;
++              }
+               if (igb_up(adapter)) {
+                       dev_err(&pdev->dev, "igb_up failed after reset\n");
+                       return;
+-- 
+2.43.0
+
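Review bot: The early return added to igb_io_resume() carries only a debug message, so the reason a running interface with __IGB_DOWN clear must skip igb_up() is recorded in the commit message alone. A comment above the test would keep it with the code, e.g. `/* __IGB_DOWN clear: igb_io_error_detected() left the device up after a non-fatal error, so igb_up() must not run again */`. The hunk also shows no lock held across netif_running(), the test_bit() and igb_up(). If the caller does not serialise against other paths that bring the device down or up, the state can change between the check and the call, which is worth confirming. The function continues outside the hunk.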
diff --git a/queue-6.11/mctp-handle-error-of-rtnl_register_module.patch b/queue-6.11/mctp-handle-error-of-rtnl_register_module.patch
new file mode 100644 (file)
index 0000000..903e752
--- /dev/null
@@ -0,0 +1,218 @@
+From 7df744c880b414229c808a36235aabe2e431ce39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 11:47:35 -0700
+Subject: mctp: Handle error of rtnl_register_module().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit d51705614f668254cc5def7490df76f9680b4659 ]
+
+Since introduced, mctp has been ignoring the returned value of
+rtnl_register_module(), which could fail silently.
+
+Handling the error allows users to view a module as an all-or-nothing
+thing in terms of the rtnetlink functionality.  This prevents syzkaller
+from reporting spurious errors from its tests, where OOM often occurs
+and module is automatically loaded.
+
+Let's handle the errors by rtnl_register_many().
+
+Fixes: 583be982d934 ("mctp: Add device handling and netlink interface")
+Fixes: 831119f88781 ("mctp: Add neighbour netlink interface")
+Fixes: 06d2f4c583a7 ("mctp: Add netlink route management")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Jeremy Kerr <jk@codeconstruct.com.au>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/mctp.h |  2 +-
+ net/mctp/af_mctp.c |  6 +++++-
+ net/mctp/device.c  | 30 ++++++++++++++++++------------
+ net/mctp/neigh.c   | 31 +++++++++++++++++++------------
+ net/mctp/route.c   | 33 +++++++++++++++++++++++----------
+ 5 files changed, 66 insertions(+), 36 deletions(-)
+
+diff --git a/include/net/mctp.h b/include/net/mctp.h
+index 7b17c52e8ce2a..28d59ae94ca3b 100644
+--- a/include/net/mctp.h
++++ b/include/net/mctp.h
+@@ -295,7 +295,7 @@ void mctp_neigh_remove_dev(struct mctp_dev *mdev);
+ int mctp_routes_init(void);
+ void mctp_routes_exit(void);
+-void mctp_device_init(void);
++int mctp_device_init(void);
+ void mctp_device_exit(void);
+ #endif /* __NET_MCTP_H */
+diff --git a/net/mctp/af_mctp.c b/net/mctp/af_mctp.c
+index de52a9191da0e..75f4790d99623 100644
+--- a/net/mctp/af_mctp.c
++++ b/net/mctp/af_mctp.c
+@@ -753,10 +753,14 @@ static __init int mctp_init(void)
+       if (rc)
+               goto err_unreg_routes;
+-      mctp_device_init();
++      rc = mctp_device_init();
++      if (rc)
++              goto err_unreg_neigh;
+       return 0;
++err_unreg_neigh:
++      mctp_neigh_exit();
+ err_unreg_routes:
+       mctp_routes_exit();
+ err_unreg_proto:
+diff --git a/net/mctp/device.c b/net/mctp/device.c
+index acb97b2574289..85cc5f31f1e7c 100644
+--- a/net/mctp/device.c
++++ b/net/mctp/device.c
+@@ -524,25 +524,31 @@ static struct notifier_block mctp_dev_nb = {
+       .priority = ADDRCONF_NOTIFY_PRIORITY,
+ };
+-void __init mctp_device_init(void)
++static const struct rtnl_msg_handler mctp_device_rtnl_msg_handlers[] = {
++      {THIS_MODULE, PF_MCTP, RTM_NEWADDR, mctp_rtm_newaddr, NULL, 0},
++      {THIS_MODULE, PF_MCTP, RTM_DELADDR, mctp_rtm_deladdr, NULL, 0},
++      {THIS_MODULE, PF_MCTP, RTM_GETADDR, NULL, mctp_dump_addrinfo, 0},
++};
++
++int __init mctp_device_init(void)
+ {
+-      register_netdevice_notifier(&mctp_dev_nb);
++      int err;
+-      rtnl_register_module(THIS_MODULE, PF_MCTP, RTM_GETADDR,
+-                           NULL, mctp_dump_addrinfo, 0);
+-      rtnl_register_module(THIS_MODULE, PF_MCTP, RTM_NEWADDR,
+-                           mctp_rtm_newaddr, NULL, 0);
+-      rtnl_register_module(THIS_MODULE, PF_MCTP, RTM_DELADDR,
+-                           mctp_rtm_deladdr, NULL, 0);
++      register_netdevice_notifier(&mctp_dev_nb);
+       rtnl_af_register(&mctp_af_ops);
++
++      err = rtnl_register_many(mctp_device_rtnl_msg_handlers);
++      if (err) {
++              rtnl_af_unregister(&mctp_af_ops);
++              unregister_netdevice_notifier(&mctp_dev_nb);
++      }
++
++      return err;
+ }
+ void __exit mctp_device_exit(void)
+ {
++      rtnl_unregister_many(mctp_device_rtnl_msg_handlers);
+       rtnl_af_unregister(&mctp_af_ops);
+-      rtnl_unregister(PF_MCTP, RTM_DELADDR);
+-      rtnl_unregister(PF_MCTP, RTM_NEWADDR);
+-      rtnl_unregister(PF_MCTP, RTM_GETADDR);
+-
+       unregister_netdevice_notifier(&mctp_dev_nb);
+ }
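Review bot: `register_netdevice_notifier(&mctp_dev_nb)` in `mctp_device_init()` still has its return value discarded, so the function can return 0 without the notifier in place even though the rest of the init is now all-or-nothing. Checking it first keeps the unwind simple: `err = register_netdevice_notifier(&mctp_dev_nb);` followed by `if (err) return err;` before `rtnl_af_register()`. The failure branch added for `rtnl_register_many()` already unregisters in reverse order, so nothing else in it needs to change.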
+diff --git a/net/mctp/neigh.c b/net/mctp/neigh.c
+index ffa0f9e0983fb..590f642413e4e 100644
+--- a/net/mctp/neigh.c
++++ b/net/mctp/neigh.c
+@@ -322,22 +322,29 @@ static struct pernet_operations mctp_net_ops = {
+       .exit = mctp_neigh_net_exit,
+ };
++static const struct rtnl_msg_handler mctp_neigh_rtnl_msg_handlers[] = {
++      {THIS_MODULE, PF_MCTP, RTM_NEWNEIGH, mctp_rtm_newneigh, NULL, 0},
++      {THIS_MODULE, PF_MCTP, RTM_DELNEIGH, mctp_rtm_delneigh, NULL, 0},
++      {THIS_MODULE, PF_MCTP, RTM_GETNEIGH, NULL, mctp_rtm_getneigh, 0},
++};
++
+ int __init mctp_neigh_init(void)
+ {
+-      rtnl_register_module(THIS_MODULE, PF_MCTP, RTM_NEWNEIGH,
+-                           mctp_rtm_newneigh, NULL, 0);
+-      rtnl_register_module(THIS_MODULE, PF_MCTP, RTM_DELNEIGH,
+-                           mctp_rtm_delneigh, NULL, 0);
+-      rtnl_register_module(THIS_MODULE, PF_MCTP, RTM_GETNEIGH,
+-                           NULL, mctp_rtm_getneigh, 0);
+-
+-      return register_pernet_subsys(&mctp_net_ops);
++      int err;
++
++      err = register_pernet_subsys(&mctp_net_ops);
++      if (err)
++              return err;
++
++      err = rtnl_register_many(mctp_neigh_rtnl_msg_handlers);
++      if (err)
++              unregister_pernet_subsys(&mctp_net_ops);
++
++      return err;
+ }
+-void __exit mctp_neigh_exit(void)
++void mctp_neigh_exit(void)
+ {
++      rtnl_unregister_many(mctp_neigh_rtnl_msg_handlers);
+       unregister_pernet_subsys(&mctp_net_ops);
+-      rtnl_unregister(PF_MCTP, RTM_GETNEIGH);
+-      rtnl_unregister(PF_MCTP, RTM_DELNEIGH);
+-      rtnl_unregister(PF_MCTP, RTM_NEWNEIGH);
+ }
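Review bot: `mctp_neigh_exit()` loses its `__exit` annotation here with no comment saying why, and the reason is only visible in net/mctp/af_mctp.c, where the new `err_unreg_neigh` label calls it from `mctp_init()`. A one-line comment above the function would stop a later cleanup from restoring the annotation: `/* Not __exit: also called from the mctp_init() error path. */`. `mctp_routes_exit()` in route.c is unannotated for the same reason and could carry the same comment.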
+diff --git a/net/mctp/route.c b/net/mctp/route.c
+index eefd7834d9a00..597e9cf5aa644 100644
+--- a/net/mctp/route.c
++++ b/net/mctp/route.c
+@@ -1474,26 +1474,39 @@ static struct pernet_operations mctp_net_ops = {
+       .exit = mctp_routes_net_exit,
+ };
++static const struct rtnl_msg_handler mctp_route_rtnl_msg_handlers[] = {
++      {THIS_MODULE, PF_MCTP, RTM_NEWROUTE, mctp_newroute, NULL, 0},
++      {THIS_MODULE, PF_MCTP, RTM_DELROUTE, mctp_delroute, NULL, 0},
++      {THIS_MODULE, PF_MCTP, RTM_GETROUTE, NULL, mctp_dump_rtinfo, 0},
++};
++
+ int __init mctp_routes_init(void)
+ {
++      int err;
++
+       dev_add_pack(&mctp_packet_type);
+-      rtnl_register_module(THIS_MODULE, PF_MCTP, RTM_GETROUTE,
+-                           NULL, mctp_dump_rtinfo, 0);
+-      rtnl_register_module(THIS_MODULE, PF_MCTP, RTM_NEWROUTE,
+-                           mctp_newroute, NULL, 0);
+-      rtnl_register_module(THIS_MODULE, PF_MCTP, RTM_DELROUTE,
+-                           mctp_delroute, NULL, 0);
++      err = register_pernet_subsys(&mctp_net_ops);
++      if (err)
++              goto err_pernet;
++
++      err = rtnl_register_many(mctp_route_rtnl_msg_handlers);
++      if (err)
++              goto err_rtnl;
+-      return register_pernet_subsys(&mctp_net_ops);
++      return 0;
++
++err_rtnl:
++      unregister_pernet_subsys(&mctp_net_ops);
++err_pernet:
++      dev_remove_pack(&mctp_packet_type);
++      return err;
+ }
+ void mctp_routes_exit(void)
+ {
++      rtnl_unregister_many(mctp_route_rtnl_msg_handlers);
+       unregister_pernet_subsys(&mctp_net_ops);
+-      rtnl_unregister(PF_MCTP, RTM_DELROUTE);
+-      rtnl_unregister(PF_MCTP, RTM_NEWROUTE);
+-      rtnl_unregister(PF_MCTP, RTM_GETROUTE);
+       dev_remove_pack(&mctp_packet_type);
+ }
+-- 
+2.43.0
+
diff --git a/queue-6.11/mpls-handle-error-of-rtnl_register_module.patch b/queue-6.11/mpls-handle-error-of-rtnl_register_module.patch
new file mode 100644 (file)
index 0000000..4b8cc0e
--- /dev/null
@@ -0,0 +1,87 @@
+From 9e5ce1ebbaac27457d5858b85c30a233eb644bd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 11:47:36 -0700
+Subject: mpls: Handle error of rtnl_register_module().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 5be2062e3080e3ff6707816caa445ec0c6eaacf7 ]
+
+Since introduced, mpls_init() has been ignoring the returned
+value of rtnl_register_module(), which could fail silently.
+
+Handling the error allows users to view a module as an all-or-nothing
+thing in terms of the rtnetlink functionality.  This prevents syzkaller
+from reporting spurious errors from its tests, where OOM often occurs
+and module is automatically loaded.
+
+Let's handle the errors by rtnl_register_many().
+
+Fixes: 03c0566542f4 ("mpls: Netlink commands to add, remove, and dump routes")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mpls/af_mpls.c | 32 +++++++++++++++++++++-----------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
+index 0e6c94a8c2bc6..4f6836677e40b 100644
+--- a/net/mpls/af_mpls.c
++++ b/net/mpls/af_mpls.c
+@@ -2730,6 +2730,15 @@ static struct rtnl_af_ops mpls_af_ops __read_mostly = {
+       .get_stats_af_size = mpls_get_stats_af_size,
+ };
++static const struct rtnl_msg_handler mpls_rtnl_msg_handlers[] __initdata_or_module = {
++      {THIS_MODULE, PF_MPLS, RTM_NEWROUTE, mpls_rtm_newroute, NULL, 0},
++      {THIS_MODULE, PF_MPLS, RTM_DELROUTE, mpls_rtm_delroute, NULL, 0},
++      {THIS_MODULE, PF_MPLS, RTM_GETROUTE, mpls_getroute, mpls_dump_routes, 0},
++      {THIS_MODULE, PF_MPLS, RTM_GETNETCONF,
++       mpls_netconf_get_devconf, mpls_netconf_dump_devconf,
++       RTNL_FLAG_DUMP_UNLOCKED},
++};
++
+ static int __init mpls_init(void)
+ {
+       int err;
+@@ -2748,24 +2757,25 @@ static int __init mpls_init(void)
+       rtnl_af_register(&mpls_af_ops);
+-      rtnl_register_module(THIS_MODULE, PF_MPLS, RTM_NEWROUTE,
+-                           mpls_rtm_newroute, NULL, 0);
+-      rtnl_register_module(THIS_MODULE, PF_MPLS, RTM_DELROUTE,
+-                           mpls_rtm_delroute, NULL, 0);
+-      rtnl_register_module(THIS_MODULE, PF_MPLS, RTM_GETROUTE,
+-                           mpls_getroute, mpls_dump_routes, 0);
+-      rtnl_register_module(THIS_MODULE, PF_MPLS, RTM_GETNETCONF,
+-                           mpls_netconf_get_devconf,
+-                           mpls_netconf_dump_devconf,
+-                           RTNL_FLAG_DUMP_UNLOCKED);
+-      err = ipgre_tunnel_encap_add_mpls_ops();
++      err = rtnl_register_many(mpls_rtnl_msg_handlers);
+       if (err)
++              goto out_unregister_rtnl_af;
++
++      err = ipgre_tunnel_encap_add_mpls_ops();
++      if (err) {
+               pr_err("Can't add mpls over gre tunnel ops\n");
++              goto out_unregister_rtnl;
++      }
+       err = 0;
+ out:
+       return err;
++out_unregister_rtnl:
++      rtnl_unregister_many(mpls_rtnl_msg_handlers);
++out_unregister_rtnl_af:
++      rtnl_af_unregister(&mpls_af_ops);
++      dev_remove_pack(&mpls_packet_type);
+ out_unregister_pernet:
+       unregister_pernet_subsys(&mpls_net_ops);
+       goto out;
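Review bot: A failure of `ipgre_tunnel_encap_add_mpls_ops()` now aborts `mpls_init()` and unwinds everything, whereas the removed lines only logged it and fell through to `err = 0`; the commit message does not mention this change, so it deserves a sentence there or a comment at the `goto out_unregister_rtnl`. With both failure branches jumping away, the `err = 0;` before `out:` is redundant and can be dropped. The unwind labels cover only the registrations visible in this hunk. The part of `mpls_init()` between `int err;` and `rtnl_af_register()` is outside it, so anything registered there after the pernet subsystem should be checked against `out_unregister_rtnl_af`, because a callback left registered after a failed module load would point into freed module memory.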
+-- 
+2.43.0
+
diff --git a/queue-6.11/net-do-not-delay-dst_entries_add-in-dst_release.patch b/queue-6.11/net-do-not-delay-dst_entries_add-in-dst_release.patch
new file mode 100644 (file)
index 0000000..8531313
--- /dev/null
@@ -0,0 +1,94 @@
+From bf8b85f2a40fef933fc666dbc347a14d02162627 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 14:31:10 +0000
+Subject: net: do not delay dst_entries_add() in dst_release()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit ac888d58869bb99753e7652be19a151df9ecb35d ]
+
+dst_entries_add() uses per-cpu data that might be freed at netns
+dismantle from ip6_route_net_exit() calling dst_entries_destroy()
+
+Before ip6_route_net_exit() can be called, we release all
+the dsts associated with this netns, via calls to dst_release(),
+which waits an rcu grace period before calling dst_destroy()
+
+dst_entries_add() use in dst_destroy() is racy, because
+dst_entries_destroy() could have been called already.
+
+Decrementing the number of dsts must happen sooner.
+
+Notes:
+
+1) in CONFIG_XFRM case, dst_destroy() can call
+   dst_release_immediate(child), this might also cause UAF
+   if the child does not have DST_NOCOUNT set.
+   IPSEC maintainers might take a look and see how to address this.
+
+2) There is also discussion about removing this count of dst,
+   which might happen in future kernels.
+
+Fixes: f88649721268 ("ipv4: fix dst race in sk_dst_get()")
+Closes: https://lore.kernel.org/lkml/CANn89iLCCGsP7SFn9HKpvnKu96Td4KD08xf7aGtiYgZnkjaL=w@mail.gmail.com/T/
+Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
+Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Xin Long <lucien.xin@gmail.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Reviewed-by: Xin Long <lucien.xin@gmail.com>
+Link: https://patch.msgid.link/20241008143110.1064899-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dst.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/net/core/dst.c b/net/core/dst.c
+index 95f533844f17f..9552a90d4772d 100644
+--- a/net/core/dst.c
++++ b/net/core/dst.c
+@@ -109,9 +109,6 @@ static void dst_destroy(struct dst_entry *dst)
+               child = xdst->child;
+       }
+ #endif
+-      if (!(dst->flags & DST_NOCOUNT))
+-              dst_entries_add(dst->ops, -1);
+-
+       if (dst->ops->destroy)
+               dst->ops->destroy(dst);
+       netdev_put(dst->dev, &dst->dev_tracker);
+@@ -159,17 +156,27 @@ void dst_dev_put(struct dst_entry *dst)
+ }
+ EXPORT_SYMBOL(dst_dev_put);
++static void dst_count_dec(struct dst_entry *dst)
++{
++      if (!(dst->flags & DST_NOCOUNT))
++              dst_entries_add(dst->ops, -1);
++}
++
+ void dst_release(struct dst_entry *dst)
+ {
+-      if (dst && rcuref_put(&dst->__rcuref))
++      if (dst && rcuref_put(&dst->__rcuref)) {
++              dst_count_dec(dst);
+               call_rcu_hurry(&dst->rcu_head, dst_destroy_rcu);
++      }
+ }
+ EXPORT_SYMBOL(dst_release);
+ void dst_release_immediate(struct dst_entry *dst)
+ {
+-      if (dst && rcuref_put(&dst->__rcuref))
++      if (dst && rcuref_put(&dst->__rcuref)) {
++              dst_count_dec(dst);
+               dst_destroy(dst);
++      }
+ }
+ EXPORT_SYMBOL(dst_release_immediate);
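Review bot: Nothing at the new `dst_count_dec()` helper says that calling it before `call_rcu_hurry()` is the fix itself, so a later refactor could move the decrement back behind the grace period and bring back the access to freed per-cpu counters described in the commit message. A comment on the helper would record the constraint, e.g. `/* Must run before the RCU grace period: dst_entries_destroy() may free the per-cpu counters at netns dismantle. */`. `dst_destroy()` starts outside these hunks, so any other caller that reaches it without going through `dst_release()` or `dst_release_immediate()` could not be checked here.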
+-- 
+2.43.0
+
diff --git a/queue-6.11/net-dsa-b53-allow-lower-mtus-on-bcm5325-5365.patch b/queue-6.11/net-dsa-b53-allow-lower-mtus-on-bcm5325-5365.patch
new file mode 100644 (file)
index 0000000..fde237b
--- /dev/null
@@ -0,0 +1,38 @@
+From 9527998908dc3fb1628057e7c35280dc0d2d4c2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2024 10:47:20 +0200
+Subject: net: dsa: b53: allow lower MTUs on BCM5325/5365
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+[ Upstream commit e4b294f88a32438baf31762441f3dd1c996778be ]
+
+While BCM5325/5365 do not support jumbo frames, they do support slightly
+oversized frames, so do not error out if requesting a supported MTU for
+them.
+
+Fixes: 6ae5834b983a ("net: dsa: b53: add MTU configuration support")
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index e8b20bfa8b83e..5b83f9b6cdac3 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -2258,7 +2258,7 @@ static int b53_change_mtu(struct dsa_switch *ds, int port, int mtu)
+       bool allow_10_100;
+       if (is5325(dev) || is5365(dev))
+-              return -EOPNOTSUPP;
++              return 0;
+       if (!dsa_is_cpu_port(ds, port))
+               return 0;
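Review bot: For BCM5325/5365 `b53_change_mtu()` now returns 0 for every `mtu` without looking at it, so the only bound on these chips is whatever the caller enforced from `b53_get_max_mtu()`. That is presumably intended, since the commit message says they have no jumbo support to program, but the early return gives no hint of it. A comment such as `/* no jumbo support: oversized frames up to B53_MAX_MTU_25 need no register write */` would make the dependency on the max-MTU patch in this queue explicit. The function body continues outside the hunk.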
+-- 
+2.43.0
+
diff --git a/queue-6.11/net-dsa-b53-fix-jumbo-frame-mtu-check.patch b/queue-6.11/net-dsa-b53-fix-jumbo-frame-mtu-check.patch
new file mode 100644 (file)
index 0000000..4e0f6f3
--- /dev/null
@@ -0,0 +1,49 @@
+From 7554295c6680ddda78e992400fa9e3df5cb59336 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2024 10:47:17 +0200
+Subject: net: dsa: b53: fix jumbo frame mtu check
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+[ Upstream commit 42fb3acf6826c6764ba79feb6e15229b43fd2f9f ]
+
+JMS_MIN_SIZE is the full ethernet frame length, while mtu is just the
+data payload size. Comparing these two meant that mtus between 1500 and
+1518 did not trigger enabling jumbo frames.
+
+So instead compare the set mtu ETH_DATA_LEN, which is equal to
+JMS_MIN_SIZE - ETH_HLEN - ETH_FCS_LEN;
+
+Also do a check that the requested mtu is actually greater than the
+minimum length, else we do not need to enable jumbo frames.
+
+In practice this only introduced a very small range of mtus that did not
+work properly. Newer chips allow 2000 byte large frames by default, and
+older chips allow 1536 bytes long, which is equivalent to an mtu of
+1514. So effectivly only mtus of 1515~1517 were broken.
+
+Fixes: 6ae5834b983a ("net: dsa: b53: add MTU configuration support")
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index 0783fc121bbbf..57df00ad9dd4c 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -2259,7 +2259,7 @@ static int b53_change_mtu(struct dsa_switch *ds, int port, int mtu)
+       if (!dsa_is_cpu_port(ds, port))
+               return 0;
+-      enable_jumbo = (mtu >= JMS_MIN_SIZE);
++      enable_jumbo = (mtu > ETH_DATA_LEN);
+       allow_10_100 = (dev->chip_id == BCM583XX_DEVICE_ID);
+       return b53_set_jumbo(dev, enable_jumbo, allow_10_100);
+-- 
+2.43.0
+
diff --git a/queue-6.11/net-dsa-b53-fix-jumbo-frames-on-10-100-ports.patch b/queue-6.11/net-dsa-b53-fix-jumbo-frames-on-10-100-ports.patch
new file mode 100644 (file)
index 0000000..1c5355f
--- /dev/null
@@ -0,0 +1,42 @@
+From 612e5c15f4195223d6b4528f0ef692e1a1a65126 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2024 10:47:21 +0200
+Subject: net: dsa: b53: fix jumbo frames on 10/100 ports
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+[ Upstream commit 2f3dcd0d39affe5b9ba1c351ce0e270c8bdd5109 ]
+
+All modern chips support and need the 10_100 bit set for supporting jumbo
+frames on 10/100 ports, so instead of enabling it only for 583XX enable
+it for everything except bcm63xx, where the bit is writeable, but does
+nothing.
+
+Tested on BCM53115, where jumbo frames were dropped at 10/100 speeds
+without the bit set.
+
+Fixes: 6ae5834b983a ("net: dsa: b53: add MTU configuration support")
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index 5b83f9b6cdac3..c39cb119e760d 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -2264,7 +2264,7 @@ static int b53_change_mtu(struct dsa_switch *ds, int port, int mtu)
+               return 0;
+       enable_jumbo = (mtu > ETH_DATA_LEN);
+-      allow_10_100 = (dev->chip_id == BCM583XX_DEVICE_ID);
++      allow_10_100 = !is63xx(dev);
+       return b53_set_jumbo(dev, enable_jumbo, allow_10_100);
+ }
+-- 
+2.43.0
+
diff --git a/queue-6.11/net-dsa-b53-fix-max-mtu-for-1g-switches.patch b/queue-6.11/net-dsa-b53-fix-max-mtu-for-1g-switches.patch
new file mode 100644 (file)
index 0000000..1bece6c
--- /dev/null
@@ -0,0 +1,58 @@
+From cf59b7609b3972e08da03672e3a35c65cf80fa37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2024 10:47:18 +0200
+Subject: net: dsa: b53: fix max MTU for 1g switches
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+[ Upstream commit 680a8217dc00dc7e7da57888b3c053289b60eb2b ]
+
+JMS_MAX_SIZE is the ethernet frame length, not the MTU, which is payload
+without ethernet headers.
+
+According to the datasheets maximum supported frame length for most
+gigabyte swithes is 9720 bytes, so convert that to the expected MTU when
+using VLAN tagged frames.
+
+Fixes: 6ae5834b983a ("net: dsa: b53: add MTU configuration support")
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index 57df00ad9dd4c..6fed3eb15ad9b 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -27,6 +27,7 @@
+ #include <linux/phylink.h>
+ #include <linux/etherdevice.h>
+ #include <linux/if_bridge.h>
++#include <linux/if_vlan.h>
+ #include <net/dsa.h>
+ #include "b53_regs.h"
+@@ -224,6 +225,8 @@ static const struct b53_mib_desc b53_mibs_58xx[] = {
+ #define B53_MIBS_58XX_SIZE    ARRAY_SIZE(b53_mibs_58xx)
++#define B53_MAX_MTU           (9720 - ETH_HLEN - VLAN_HLEN - ETH_FCS_LEN)
++
+ static int b53_do_vlan_op(struct b53_device *dev, u8 op)
+ {
+       unsigned int i;
+@@ -2267,7 +2270,7 @@ static int b53_change_mtu(struct dsa_switch *ds, int port, int mtu)
+ static int b53_get_max_mtu(struct dsa_switch *ds, int port)
+ {
+-      return JMS_MAX_SIZE;
++      return B53_MAX_MTU;
+ }
+ static const struct phylink_mac_ops b53_phylink_mac_ops = {
+-- 
+2.43.0
+
diff --git a/queue-6.11/net-dsa-b53-fix-max-mtu-for-bcm5325-bcm5365.patch b/queue-6.11/net-dsa-b53-fix-max-mtu-for-bcm5325-bcm5365.patch
new file mode 100644 (file)
index 0000000..1f613fa
--- /dev/null
@@ -0,0 +1,49 @@
+From 1717019d72348fb6a783e71c42937573496111e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2024 10:47:19 +0200
+Subject: net: dsa: b53: fix max MTU for BCM5325/BCM5365
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+[ Upstream commit ca8c1f71c10193c270f772d70d34b15ad765d6a8 ]
+
+BCM5325/BCM5365 do not support jumbo frames, so we should not report a
+jumbo frame mtu for them. But they do support so called "oversized"
+frames up to 1536 bytes long by default, so report an appropriate MTU.
+
+Fixes: 6ae5834b983a ("net: dsa: b53: add MTU configuration support")
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index 6fed3eb15ad9b..e8b20bfa8b83e 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -225,6 +225,7 @@ static const struct b53_mib_desc b53_mibs_58xx[] = {
+ #define B53_MIBS_58XX_SIZE    ARRAY_SIZE(b53_mibs_58xx)
++#define B53_MAX_MTU_25                (1536 - ETH_HLEN - VLAN_HLEN - ETH_FCS_LEN)
+ #define B53_MAX_MTU           (9720 - ETH_HLEN - VLAN_HLEN - ETH_FCS_LEN)
+ static int b53_do_vlan_op(struct b53_device *dev, u8 op)
+@@ -2270,6 +2271,11 @@ static int b53_change_mtu(struct dsa_switch *ds, int port, int mtu)
+ static int b53_get_max_mtu(struct dsa_switch *ds, int port)
+ {
++      struct b53_device *dev = ds->priv;
++
++      if (is5325(dev) || is5365(dev))
++              return B53_MAX_MTU_25;
++
+       return B53_MAX_MTU;
+ }
+-- 
+2.43.0
+
diff --git a/queue-6.11/net-dsa-refuse-cross-chip-mirroring-operations.patch b/queue-6.11/net-dsa-refuse-cross-chip-mirroring-operations.patch
new file mode 100644 (file)
index 0000000..0f0b8b8
--- /dev/null
@@ -0,0 +1,66 @@
+From 3fff6be07bbf51191c835cecf6b37455805d1b49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 12:43:20 +0300
+Subject: net: dsa: refuse cross-chip mirroring operations
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 8c924369cb56c3054dca504c2c9c3eb208272865 ]
+
+In case of a tc mirred action from one switch to another, the behavior
+is not correct. We simply tell the source switch driver to program a
+mirroring entry towards mirror->to_local_port = to_dp->index, but it is
+not even guaranteed that the to_dp belongs to the same switch as dp.
+
+For proper cross-chip support, we would need to go through the
+cross-chip notifier layer in switch.c, program the entry on cascade
+ports, and introduce new, explicit API for cross-chip mirroring, given
+that intermediary switches should have introspection into the DSA tags
+passed through the cascade port (and not just program a port mirror on
+the entire cascade port). None of that exists today.
+
+Reject what is not implemented so that user space is not misled into
+thinking it works.
+
+Fixes: f50f212749e8 ("net: dsa: Add plumbing for port mirroring")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20241008094320.3340980-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/dsa/user.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/net/dsa/user.c b/net/dsa/user.c
+index f5adfa1d978a2..ac34d5d1deb09 100644
+--- a/net/dsa/user.c
++++ b/net/dsa/user.c
+@@ -1392,6 +1392,14 @@ dsa_user_add_cls_matchall_mirred(struct net_device *dev,
+       if (!dsa_user_dev_check(act->dev))
+               return -EOPNOTSUPP;
++      to_dp = dsa_user_to_port(act->dev);
++
++      if (dp->ds != to_dp->ds) {
++              NL_SET_ERR_MSG_MOD(extack,
++                                 "Cross-chip mirroring not implemented");
++              return -EOPNOTSUPP;
++      }
++
+       mall_tc_entry = kzalloc(sizeof(*mall_tc_entry), GFP_KERNEL);
+       if (!mall_tc_entry)
+               return -ENOMEM;
+@@ -1399,9 +1407,6 @@ dsa_user_add_cls_matchall_mirred(struct net_device *dev,
+       mall_tc_entry->cookie = cls->cookie;
+       mall_tc_entry->type = DSA_PORT_MALL_MIRROR;
+       mirror = &mall_tc_entry->mirror;
+-
+-      to_dp = dsa_user_to_port(act->dev);
+-
+       mirror->to_local_port = to_dp->index;
+       mirror->ingress = ingress;
+-- 
+2.43.0
+
diff --git a/queue-6.11/net-dsa-sja1105-fix-reception-from-vlan-unaware-brid.patch b/queue-6.11/net-dsa-sja1105-fix-reception-from-vlan-unaware-brid.patch
new file mode 100644 (file)
index 0000000..9b06b5b
--- /dev/null
@@ -0,0 +1,122 @@
+From d206949ca047b3e95082b9c68c453dd23379b137 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 17:02:06 +0300
+Subject: net: dsa: sja1105: fix reception from VLAN-unaware bridges
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 1f9fc48fd302be3311186152225ef195e6139d7a ]
+
+The blamed commit introduced an unexpected regression in the sja1105
+driver. Packets from VLAN-unaware bridge ports get received correctly,
+but the protocol stack can't seem to decode them properly.
+
+For ds->untag_bridge_pvid users (thus also sja1105), the blamed commit
+did introduce a functional change: dsa_switch_rcv() used to call
+dsa_untag_bridge_pvid(), which looked like this:
+
+       err = br_vlan_get_proto(br, &proto);
+       if (err)
+               return skb;
+
+       /* Move VLAN tag from data to hwaccel */
+       if (!skb_vlan_tag_present(skb) && skb->protocol == htons(proto)) {
+               skb = skb_vlan_untag(skb);
+               if (!skb)
+                       return NULL;
+       }
+
+and now it calls dsa_software_vlan_untag() which has just this:
+
+       /* Move VLAN tag from data to hwaccel */
+       if (!skb_vlan_tag_present(skb)) {
+               skb = skb_vlan_untag(skb);
+               if (!skb)
+                       return NULL;
+       }
+
+thus lacks any skb->protocol == bridge VLAN protocol check. That check
+is deferred until a later check for skb->vlan_proto (in the hwaccel area).
+
+The new code is problematic because, for VLAN-untagged packets,
+skb_vlan_untag() blindly takes the 4 bytes starting with the EtherType
+and turns them into a hwaccel VLAN tag. This is what breaks the protocol
+stack.
+
+It would be tempting to "make it work as before" and only call
+skb_vlan_untag() for those packets with the skb->protocol actually
+representing a VLAN.
+
+But the premise of the newly introduced dsa_software_vlan_untag() core
+function is not wrong. Drivers set ds->untag_bridge_pvid or
+ds->untag_vlan_aware_bridge_pvid presumably because they send all
+traffic to the CPU reception path as VLAN-tagged. So why should we spend
+any additional CPU cycles assuming that the packet may be VLAN-untagged?
+And why does the sja1105 driver opt into ds->untag_bridge_pvid if it
+doesn't always deliver packets to the CPU as VLAN-tagged?
+
+The answer to the latter question is indeed more interesting: it doesn't
+need to. This got done in commit 884be12f8566 ("net: dsa: sja1105: add
+support for imprecise RX"), because I thought it would be needed, but I
+didn't realize that it doesn't actually make a difference.
+
+As explained in the commit message of the blamed patch, ds->untag_bridge_pvid
+only makes a difference in the VLAN-untagged receive path of a bridge port.
+However, in that operating mode, tag_sja1105.c makes use of VLAN tags
+with the ETH_P_SJA1105 TPID, and it decodes and consumes these VLAN tags
+as if they were DSA tags (aka tag_8021q operation). Even if commit
+884be12f8566 ("net: dsa: sja1105: add support for imprecise RX") added
+this logic in sja1105_bridge_vlan_add():
+
+       /* Always install bridge VLANs as egress-tagged on the CPU port. */
+       if (dsa_is_cpu_port(ds, port))
+               flags = 0;
+
+that was for _bridge_ VLANs, which are _not_ committed to hardware
+in VLAN-unaware mode (aka the mode where ds->untag_bridge_pvid does
+anything at all). Even prior to that change, the tag_8021q VLANs
+were always installed as egress-tagged on the CPU port, see
+dsa_switch_tag_8021q_vlan_add():
+
+       u16 flags = 0; // egress-tagged, non-PVID
+
+       if (dsa_port_is_user(dp))
+               flags |= BRIDGE_VLAN_INFO_UNTAGGED |
+                        BRIDGE_VLAN_INFO_PVID;
+
+       err = dsa_port_do_tag_8021q_vlan_add(dp, info->vid,
+                                            flags);
+       if (err)
+               return err;
+
+Whether the sja1105 driver needs the new flag, ds->untag_vlan_aware_bridge_pvid,
+rather than ds->untag_bridge_pvid, is a separate discussion. To fix the
+current bug in VLAN-unaware bridge mode, I would argue that the sja1105
+driver should not request something it doesn't need, rather than
+complicating the core DSA helper. Whereas before the blamed commit, this
+setting was harmless, now it has caused breakage.
+
+Fixes: 93e4649efa96 ("net: dsa: provide a software untagging function on RX for VLAN-aware bridges")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://patch.msgid.link/20241001140206.50933-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/sja1105/sja1105_main.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
+index c7282ce3d11c5..6eec3be855716 100644
+--- a/drivers/net/dsa/sja1105/sja1105_main.c
++++ b/drivers/net/dsa/sja1105/sja1105_main.c
+@@ -3164,7 +3164,6 @@ static int sja1105_setup(struct dsa_switch *ds)
+        * TPID is ETH_P_SJA1105, and the VLAN ID is the port pvid.
+        */
+       ds->vlan_filtering_is_global = true;
+-      ds->untag_bridge_pvid = true;
+       ds->fdb_isolation = true;
+       ds->max_num_bridges = DSA_TAG_8021Q_MAX_NUM_BRIDGES;
+-- 
+2.43.0
+
diff --git a/queue-6.11/net-ethernet-adi-adin1110-fix-some-error-handling-pa.patch b/queue-6.11/net-ethernet-adi-adin1110-fix-some-error-handling-pa.patch
new file mode 100644 (file)
index 0000000..14102ba
--- /dev/null
@@ -0,0 +1,48 @@
+From 5c2cf5645c6162bb12f2129e690c44fc3eee5156 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Oct 2024 20:53:15 +0200
+Subject: net: ethernet: adi: adin1110: Fix some error handling path in
+ adin1110_read_fifo()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 83211ae1640516accae645de82f5a0a142676897 ]
+
+If 'frame_size' is too small or if 'round_len' is an error code, it is
+likely that an error code should be returned to the caller.
+
+Actually, 'ret' is likely to be 0, so if one of these sanity checks fails,
+'success' is returned.
+
+Return -EINVAL instead.
+
+Fixes: bc93e19d088b ("net: ethernet: adi: Add ADIN1110 support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://patch.msgid.link/8ff73b40f50d8fa994a454911b66adebce8da266.1727981562.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/adi/adin1110.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/adi/adin1110.c b/drivers/net/ethernet/adi/adin1110.c
+index 0713f1e2c7f38..bf2e513295bb7 100644
+--- a/drivers/net/ethernet/adi/adin1110.c
++++ b/drivers/net/ethernet/adi/adin1110.c
+@@ -318,11 +318,11 @@ static int adin1110_read_fifo(struct adin1110_port_priv *port_priv)
+        * from the  ADIN1110 frame header.
+        */
+       if (frame_size < ADIN1110_FRAME_HEADER_LEN + ADIN1110_FEC_LEN)
+-              return ret;
++              return -EINVAL;
+       round_len = adin1110_round_len(frame_size);
+       if (round_len < 0)
+-              return ret;
++              return -EINVAL;
+       frame_size_no_fcs = frame_size - ADIN1110_FRAME_HEADER_LEN - ADIN1110_FEC_LEN;
+       memset(priv->data, 0, ADIN1110_RD_HEADER_LEN);
+-- 
+2.43.0
+
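Review bot: In the `round_len < 0` branch of adin1110_read_fifo(), returning a fixed `-EINVAL` discards whatever error adin1110_round_len() produced. `return round_len;` would pass the helper's own code up and stay correct if the helper ever gains a second failure mode. For the `frame_size` check above it, `-EINVAL` fits, since that is a validation failure of a length taken from the frame header. The function starts and ends outside the hunk, so how `ret` is set before these checks is known only from the commit message.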
diff --git a/queue-6.11/net-ibm-emac-mal-add-dcr_unmap-to-_remove.patch b/queue-6.11/net-ibm-emac-mal-add-dcr_unmap-to-_remove.patch
new file mode 100644 (file)
index 0000000..415a7bd
--- /dev/null
@@ -0,0 +1,37 @@
+From 3e7231707f84d2f6e606483117d1ab76c0e38551 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 16:30:50 -0700
+Subject: net: ibm: emac: mal: add dcr_unmap to _remove
+
+From: Rosen Penev <rosenp@gmail.com>
+
+[ Upstream commit 080ddc22f3b0a58500f87e8e865aabbf96495eea ]
+
+It's done in probe so it should be undone here.
+
+Fixes: 1d3bb996481e ("Device tree aware EMAC driver")
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+Reviewed-by: Breno Leitao <leitao@debian.org>
+Link: https://patch.msgid.link/20241008233050.9422-1-rosenp@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/emac/mal.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/ibm/emac/mal.c b/drivers/net/ethernet/ibm/emac/mal.c
+index 0c5e22d14372a..99d5f83f7c60b 100644
+--- a/drivers/net/ethernet/ibm/emac/mal.c
++++ b/drivers/net/ethernet/ibm/emac/mal.c
+@@ -742,6 +742,8 @@ static void mal_remove(struct platform_device *ofdev)
+       free_netdev(mal->dummy_dev);
++      dcr_unmap(mal->dcr_host, 0x100);
++
+       dma_free_coherent(&ofdev->dev,
+                         sizeof(struct mal_descriptor) *
+                         (NUM_TX_BUFF * mal->num_tx_chans +
+-- 
+2.43.0
+
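Review bot: The added `dcr_unmap(mal->dcr_host, 0x100);` in mal_remove() hard-codes the mapping length, which has to stay equal to the length given to the map call in probe. That call is not in this hunk, so the match cannot be confirmed from here. A named constant used by the map and by every unmap (for example a new `MAL_DCR_LEN`) would keep the two sides from drifting apart. mal_remove() starts before and continues after the hunk.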
diff --git a/queue-6.11/net-ibm-emac-mal-fix-wrong-goto.patch b/queue-6.11/net-ibm-emac-mal-fix-wrong-goto.patch
new file mode 100644 (file)
index 0000000..ddbbc1b
--- /dev/null
@@ -0,0 +1,36 @@
+From 3b04af1c4b577de0c6d5423cebe784d2056aec4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 16:57:11 -0700
+Subject: net: ibm: emac: mal: fix wrong goto
+
+From: Rosen Penev <rosenp@gmail.com>
+
+[ Upstream commit 08c8acc9d8f3f70d62dd928571368d5018206490 ]
+
+dcr_map is called in the previous if and therefore needs to be unmapped.
+
+Fixes: 1ff0fcfcb1a6 ("ibm_newemac: Fix new MAL feature handling")
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+Link: https://patch.msgid.link/20241007235711.5714-1-rosenp@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/emac/mal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ibm/emac/mal.c b/drivers/net/ethernet/ibm/emac/mal.c
+index d92dd9c83031e..0c5e22d14372a 100644
+--- a/drivers/net/ethernet/ibm/emac/mal.c
++++ b/drivers/net/ethernet/ibm/emac/mal.c
+@@ -578,7 +578,7 @@ static int mal_probe(struct platform_device *ofdev)
+               printk(KERN_ERR "%pOF: Support for 405EZ not enabled!\n",
+                               ofdev->dev.of_node);
+               err = -ENODEV;
+-              goto fail;
++              goto fail_unmap;
+ #endif
+       }
+-- 
+2.43.0
+
diff --git a/queue-6.11/net-netconsole-fix-wrong-warning.patch b/queue-6.11/net-netconsole-fix-wrong-warning.patch
new file mode 100644 (file)
index 0000000..ff064ba
--- /dev/null
@@ -0,0 +1,57 @@
+From 1ff626a095d2098504b19808d53d58629b434619 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 02:43:24 -0700
+Subject: net: netconsole: fix wrong warning
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit d94785bb46b6167382b1de3290eccc91fa98df53 ]
+
+A warning is triggered when there is insufficient space in the buffer
+for userdata. However, this is not an issue since userdata will be sent
+in the next iteration.
+
+Current warning message:
+
+    ------------[ cut here ]------------
+     WARNING: CPU: 13 PID: 3013042 at drivers/net/netconsole.c:1122 write_ext_msg+0x3b6/0x3d0
+      ? write_ext_msg+0x3b6/0x3d0
+      console_flush_all+0x1e9/0x330
+
+The code incorrectly issues a warning when this_chunk is zero, which is
+a valid scenario. The warning should only be triggered when this_chunk
+is negative.
+
+Fixes: 1ec9daf95093 ("net: netconsole: append userdata to fragmented netconsole messages")
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20241008094325.896208-1-leitao@debian.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/netconsole.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/netconsole.c b/drivers/net/netconsole.c
+index 9c09293b52588..3e68f7a6e0abe 100644
+--- a/drivers/net/netconsole.c
++++ b/drivers/net/netconsole.c
+@@ -1118,8 +1118,14 @@ static void send_ext_msg_udp(struct netconsole_target *nt, const char *msg,
+                       this_chunk = min(userdata_len - sent_userdata,
+                                        MAX_PRINT_CHUNK - preceding_bytes);
+-                      if (WARN_ON_ONCE(this_chunk <= 0))
++                      if (WARN_ON_ONCE(this_chunk < 0))
++                              /* this_chunk could be zero if all the previous
++                               * message used all the buffer. This is not a
++                               * problem, userdata will be sent in the next
++                               * iteration
++                               */
+                               return;
++
+                       memcpy(buf + this_header + this_offset,
+                              userdata + sent_userdata,
+                              this_chunk);
+-- 
+2.43.0
+
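Review bot: The new block comment sits between `if (WARN_ON_ONCE(this_chunk < 0))` and its unbraced `return;`, so it reads as if it explained the negative case when it actually describes why zero is now allowed. Moving it above the condition keeps the `if` and its body adjacent, for instance `/* this_chunk may be zero when earlier data filled the buffer; userdata is then sent in the next iteration. Only a negative value is a bug. */`. The guard itself matters because `this_chunk` is the length argument of the `memcpy()` that follows, and a negative value must never reach it. send_ext_msg_udp() begins and ends outside the hunk.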
diff --git a/queue-6.11/net-phy-aquantia-aqr115c-fix-up-pma-capabilities.patch b/queue-6.11/net-phy-aquantia-aqr115c-fix-up-pma-capabilities.patch
new file mode 100644 (file)
index 0000000..7ef21aa
--- /dev/null
@@ -0,0 +1,62 @@
+From 222184688ef38e3fb2bb9575024a71818cbf6418 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 15:46:25 -0700
+Subject: net: phy: aquantia: AQR115c fix up PMA capabilities
+
+From: Abhishek Chauhan <quic_abchauha@quicinc.com>
+
+[ Upstream commit 17cbfcdd85f6c93b2e9565d61110ad0b90440436 ]
+
+AQR115c reports incorrect PMA capabilities which includes
+10G/5G and also incorrectly disables capabilities like autoneg
+and 10Mbps support.
+
+AQR115c as per the Marvell databook supports speeds up to 2.5Gbps
+with autonegotiation.
+
+Fixes: 0ebc581f8a4b ("net: phy: aquantia: add support for aqr115c")
+Link: https://lore.kernel.org/all/20240913011635.1286027-1-quic_abchauha@quicinc.com/T/
+Signed-off-by: Abhishek Chauhan <quic_abchauha@quicinc.com>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Link: https://patch.msgid.link/20241001224626.2400222-2-quic_abchauha@quicinc.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/aquantia/aquantia_main.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/net/phy/aquantia/aquantia_main.c b/drivers/net/phy/aquantia/aquantia_main.c
+index 4d156d406bab9..1bb39664a5cb1 100644
+--- a/drivers/net/phy/aquantia/aquantia_main.c
++++ b/drivers/net/phy/aquantia/aquantia_main.c
+@@ -731,6 +731,19 @@ static int aqr113c_fill_interface_modes(struct phy_device *phydev)
+       return aqr107_fill_interface_modes(phydev);
+ }
++static int aqr115c_get_features(struct phy_device *phydev)
++{
++      unsigned long *supported = phydev->supported;
++
++      /* PHY supports speeds up to 2.5G with autoneg. PMA capabilities
++       * are not useful.
++       */
++      linkmode_or(supported, supported, phy_gbit_features);
++      linkmode_set_bit(ETHTOOL_LINK_MODE_2500baseT_Full_BIT, supported);
++
++      return 0;
++}
++
+ static int aqr113c_config_init(struct phy_device *phydev)
+ {
+       int ret;
+@@ -1046,6 +1059,7 @@ static struct phy_driver aqr_driver[] = {
+       .get_sset_count = aqr107_get_sset_count,
+       .get_strings    = aqr107_get_strings,
+       .get_stats      = aqr107_get_stats,
++      .get_features   = aqr115c_get_features,
+       .link_change_notify = aqr107_link_change_notify,
+       .led_brightness_set = aqr_phy_led_brightness_set,
+       .led_hw_is_supported = aqr_phy_led_hw_is_supported,
+-- 
+2.43.0
+
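Review bot: aqr115c_get_features() only adds bits, via `linkmode_or(supported, supported, phy_gbit_features)`. It therefore drops the incorrect 10G/5G modes named in the commit message only if `phydev->supported` is empty when the callback runs, and that precondition is not visible in this hunk. If it holds, `linkmode_copy(supported, phy_gbit_features);` states the intent directly and does not depend on the caller's state. The comment could also say explicitly that the PMA ability registers are deliberately not read here.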
diff --git a/queue-6.11/net-phy-aquantia-remove-usage-of-phy_set_max_speed.patch b/queue-6.11/net-phy-aquantia-remove-usage-of-phy_set_max_speed.patch
new file mode 100644 (file)
index 0000000..dd00dd0
--- /dev/null
@@ -0,0 +1,143 @@
+From ed6d6ebc2d98d4bdc705a27fbb527ca867ddb14b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 15:46:26 -0700
+Subject: net: phy: aquantia: remove usage of phy_set_max_speed
+
+From: Abhishek Chauhan <quic_abchauha@quicinc.com>
+
+[ Upstream commit 8f61d73306c62e3c0e368cf6051330f4593415f6 ]
+
+Remove the use of phy_set_max_speed in phy driver as the
+function is mainly used in MAC driver to set the max
+speed.
+
+Instead use get_features to fix up Phy PMA capabilities for
+AQR111, AQR111B0, AQR114C and AQCS109
+
+Fixes: 038ba1dc4e54 ("net: phy: aquantia: add AQR111 and AQR111B0 PHY ID")
+Fixes: 0974f1f03b07 ("net: phy: aquantia: remove false 5G and 10G speed ability for AQCS109")
+Fixes: c278ec644377 ("net: phy: aquantia: add support for AQR114C PHY ID")
+Link: https://lore.kernel.org/all/20240913011635.1286027-1-quic_abchauha@quicinc.com/T/
+Signed-off-by: Abhishek Chauhan <quic_abchauha@quicinc.com>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Link: https://patch.msgid.link/20241001224626.2400222-3-quic_abchauha@quicinc.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/aquantia/aquantia_main.c | 37 ++++++++++++------------
+ 1 file changed, 19 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/phy/aquantia/aquantia_main.c b/drivers/net/phy/aquantia/aquantia_main.c
+index 1bb39664a5cb1..c33a5ef34ba03 100644
+--- a/drivers/net/phy/aquantia/aquantia_main.c
++++ b/drivers/net/phy/aquantia/aquantia_main.c
+@@ -537,12 +537,6 @@ static int aqcs109_config_init(struct phy_device *phydev)
+       if (!ret)
+               aqr107_chip_info(phydev);
+-      /* AQCS109 belongs to a chip family partially supporting 10G and 5G.
+-       * PMA speed ability bits are the same for all members of the family,
+-       * AQCS109 however supports speeds up to 2.5G only.
+-       */
+-      phy_set_max_speed(phydev, SPEED_2500);
+-
+       return aqr107_set_downshift(phydev, MDIO_AN_VEND_PROV_DOWNSHIFT_DFLT);
+ }
+@@ -744,6 +738,18 @@ static int aqr115c_get_features(struct phy_device *phydev)
+       return 0;
+ }
++static int aqr111_get_features(struct phy_device *phydev)
++{
++      /* PHY supports speeds up to 5G with autoneg. PMA capabilities
++       * are not useful.
++       */
++      aqr115c_get_features(phydev);
++      linkmode_set_bit(ETHTOOL_LINK_MODE_5000baseT_Full_BIT,
++                       phydev->supported);
++
++      return 0;
++}
++
+ static int aqr113c_config_init(struct phy_device *phydev)
+ {
+       int ret;
+@@ -780,15 +786,6 @@ static int aqr107_probe(struct phy_device *phydev)
+       return aqr_hwmon_probe(phydev);
+ }
+-static int aqr111_config_init(struct phy_device *phydev)
+-{
+-      /* AQR111 reports supporting speed up to 10G,
+-       * however only speeds up to 5G are supported.
+-       */
+-      phy_set_max_speed(phydev, SPEED_5000);
+-
+-      return aqr107_config_init(phydev);
+-}
+ static struct phy_driver aqr_driver[] = {
+ {
+@@ -866,6 +863,7 @@ static struct phy_driver aqr_driver[] = {
+       .get_sset_count = aqr107_get_sset_count,
+       .get_strings    = aqr107_get_strings,
+       .get_stats      = aqr107_get_stats,
++      .get_features   = aqr115c_get_features,
+       .link_change_notify = aqr107_link_change_notify,
+       .led_brightness_set = aqr_phy_led_brightness_set,
+       .led_hw_is_supported = aqr_phy_led_hw_is_supported,
+@@ -878,7 +876,7 @@ static struct phy_driver aqr_driver[] = {
+       .name           = "Aquantia AQR111",
+       .probe          = aqr107_probe,
+       .get_rate_matching = aqr107_get_rate_matching,
+-      .config_init    = aqr111_config_init,
++      .config_init    = aqr107_config_init,
+       .config_aneg    = aqr_config_aneg,
+       .config_intr    = aqr_config_intr,
+       .handle_interrupt = aqr_handle_interrupt,
+@@ -890,6 +888,7 @@ static struct phy_driver aqr_driver[] = {
+       .get_sset_count = aqr107_get_sset_count,
+       .get_strings    = aqr107_get_strings,
+       .get_stats      = aqr107_get_stats,
++      .get_features   = aqr111_get_features,
+       .link_change_notify = aqr107_link_change_notify,
+       .led_brightness_set = aqr_phy_led_brightness_set,
+       .led_hw_is_supported = aqr_phy_led_hw_is_supported,
+@@ -902,7 +901,7 @@ static struct phy_driver aqr_driver[] = {
+       .name           = "Aquantia AQR111B0",
+       .probe          = aqr107_probe,
+       .get_rate_matching = aqr107_get_rate_matching,
+-      .config_init    = aqr111_config_init,
++      .config_init    = aqr107_config_init,
+       .config_aneg    = aqr_config_aneg,
+       .config_intr    = aqr_config_intr,
+       .handle_interrupt = aqr_handle_interrupt,
+@@ -914,6 +913,7 @@ static struct phy_driver aqr_driver[] = {
+       .get_sset_count = aqr107_get_sset_count,
+       .get_strings    = aqr107_get_strings,
+       .get_stats      = aqr107_get_stats,
++      .get_features   = aqr111_get_features,
+       .link_change_notify = aqr107_link_change_notify,
+       .led_brightness_set = aqr_phy_led_brightness_set,
+       .led_hw_is_supported = aqr_phy_led_hw_is_supported,
+@@ -1023,7 +1023,7 @@ static struct phy_driver aqr_driver[] = {
+       .name           = "Aquantia AQR114C",
+       .probe          = aqr107_probe,
+       .get_rate_matching = aqr107_get_rate_matching,
+-      .config_init    = aqr111_config_init,
++      .config_init    = aqr107_config_init,
+       .config_aneg    = aqr_config_aneg,
+       .config_intr    = aqr_config_intr,
+       .handle_interrupt = aqr_handle_interrupt,
+@@ -1035,6 +1035,7 @@ static struct phy_driver aqr_driver[] = {
+       .get_sset_count = aqr107_get_sset_count,
+       .get_strings    = aqr107_get_strings,
+       .get_stats      = aqr107_get_stats,
++      .get_features   = aqr111_get_features,
+       .link_change_notify = aqr107_link_change_notify,
+       .led_brightness_set = aqr_phy_led_brightness_set,
+       .led_hw_is_supported = aqr_phy_led_hw_is_supported,
+-- 
+2.43.0
+
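Review bot: aqr111_get_features() calls `aqr115c_get_features(phydev);` and drops the return value. The helper returns 0 unconditionally today, but a later change that makes it read a register would have its failure lost here; `ret = aqr115c_get_features(phydev); if (ret) return ret;` keeps the chain correct. The comment could also note that the 2.5G set is inherited from the AQR115c helper, because the dependency between two differently named PHY callbacks is not obvious from the names.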
diff --git a/queue-6.11/net-phy-bcm84881-fix-some-error-handling-paths.patch b/queue-6.11/net-phy-bcm84881-fix-some-error-handling-paths.patch
new file mode 100644 (file)
index 0000000..9eded61
--- /dev/null
@@ -0,0 +1,46 @@
+From 201b9dfc7833219780fd58e6447f351ba3036148 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Oct 2024 21:03:21 +0200
+Subject: net: phy: bcm84881: Fix some error handling paths
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 9234a2549cb6ac038bec36cc7c084218e9575513 ]
+
+If phy_read_mmd() fails, the error code stored in 'bmsr' should be returned
+instead of 'val' which is likely to be 0.
+
+Fixes: 75f4d8d10e01 ("net: phy: add Broadcom BCM84881 PHY driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://patch.msgid.link/3e1755b0c40340d00e089d6adae5bca2f8c79e53.1727982168.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/bcm84881.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/phy/bcm84881.c b/drivers/net/phy/bcm84881.c
+index f1d47c2640585..97da3aee49422 100644
+--- a/drivers/net/phy/bcm84881.c
++++ b/drivers/net/phy/bcm84881.c
+@@ -132,7 +132,7 @@ static int bcm84881_aneg_done(struct phy_device *phydev)
+       bmsr = phy_read_mmd(phydev, MDIO_MMD_AN, MDIO_AN_C22 + MII_BMSR);
+       if (bmsr < 0)
+-              return val;
++              return bmsr;
+       return !!(val & MDIO_AN_STAT1_COMPLETE) &&
+              !!(bmsr & BMSR_ANEGCOMPLETE);
+@@ -158,7 +158,7 @@ static int bcm84881_read_status(struct phy_device *phydev)
+       bmsr = phy_read_mmd(phydev, MDIO_MMD_AN, MDIO_AN_C22 + MII_BMSR);
+       if (bmsr < 0)
+-              return val;
++              return bmsr;
+       phydev->autoneg_complete = !!(val & MDIO_AN_STAT1_COMPLETE) &&
+                                  !!(bmsr & BMSR_ANEGCOMPLETE);
+-- 
+2.43.0
+
diff --git a/queue-6.11/net-phy-dp83869-fix-memory-corruption-when-enabling-.patch b/queue-6.11/net-phy-dp83869-fix-memory-corruption-when-enabling-.patch
new file mode 100644 (file)
index 0000000..e8a8c93
--- /dev/null
@@ -0,0 +1,43 @@
+From 8f66def7f96ed250650de6f39aeed8a8d71c7d91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2024 18:18:07 +0200
+Subject: net: phy: dp83869: fix memory corruption when enabling fiber
+
+From: Ingo van Lil <inguin@gmx.de>
+
+[ Upstream commit a842e443ca8184f2dc82ab307b43a8b38defd6a5 ]
+
+When configuring the fiber port, the DP83869 PHY driver incorrectly
+calls linkmode_set_bit() with a bit mask (1 << 10) rather than a bit
+number (10). This corrupts some other memory location -- in case of
+arm64 the priv pointer in the same structure.
+
+Since the advertising flags are updated from supported at the end of the
+function the incorrect line isn't needed at all and can be removed.
+
+Fixes: a29de52ba2a1 ("net: dp83869: Add ability to advertise Fiber connection")
+Signed-off-by: Ingo van Lil <inguin@gmx.de>
+Reviewed-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20241002161807.440378-1-inguin@gmx.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/dp83869.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/phy/dp83869.c b/drivers/net/phy/dp83869.c
+index d7aaefb5226b6..5f056d7db83ee 100644
+--- a/drivers/net/phy/dp83869.c
++++ b/drivers/net/phy/dp83869.c
+@@ -645,7 +645,6 @@ static int dp83869_configure_fiber(struct phy_device *phydev,
+                    phydev->supported);
+       linkmode_set_bit(ETHTOOL_LINK_MODE_FIBRE_BIT, phydev->supported);
+-      linkmode_set_bit(ADVERTISED_FIBRE, phydev->advertising);
+       if (dp83869->mode == DP83869_RGMII_1000_BASE) {
+               linkmode_set_bit(ETHTOOL_LINK_MODE_1000baseX_Full_BIT,
+-- 
+2.43.0
+
diff --git a/queue-6.11/net-pse-pd-fix-enabled-status-mismatch.patch b/queue-6.11/net-pse-pd-fix-enabled-status-mismatch.patch
new file mode 100644 (file)
index 0000000..486ee0e
--- /dev/null
@@ -0,0 +1,53 @@
+From b747cf6a43d96e86220d16b9416f501e1f1645fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2024 14:17:05 +0200
+Subject: net: pse-pd: Fix enabled status mismatch
+
+From: Kory Maincent <kory.maincent@bootlin.com>
+
+[ Upstream commit dda3529d2e84e2ee7b97158c9cdf5e10308f37bc ]
+
+PSE controllers like the TPS23881 can forcefully turn off their
+configuration state. In such cases, the is_enabled() and get_status()
+callbacks will report the PSE as disabled, while admin_state_enabled
+will show it as enabled. This mismatch can lead the user to attempt
+to enable it, but no action is taken as admin_state_enabled remains set.
+
+The solution is to disable the PSE before enabling it, ensuring the
+actual status matches admin_state_enabled.
+
+Fixes: d83e13761d5b ("net: pse-pd: Use regulator framework within PSE framework")
+Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20241002121706.246143-1-kory.maincent@bootlin.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/pse-pd/pse_core.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/net/pse-pd/pse_core.c b/drivers/net/pse-pd/pse_core.c
+index 4f032b16a8a0a..f8e6854781e6e 100644
+--- a/drivers/net/pse-pd/pse_core.c
++++ b/drivers/net/pse-pd/pse_core.c
+@@ -785,6 +785,17 @@ static int pse_ethtool_c33_set_config(struct pse_control *psec,
+        */
+       switch (config->c33_admin_control) {
+       case ETHTOOL_C33_PSE_ADMIN_STATE_ENABLED:
++              /* We could have mismatch between admin_state_enabled and
++               * state reported by regulator_is_enabled. This can occur when
++               * the PI is forcibly turn off by the controller. Call
++               * regulator_disable on that case to fix the counters state.
++               */
++              if (psec->pcdev->pi[psec->id].admin_state_enabled &&
++                  !regulator_is_enabled(psec->ps)) {
++                      err = regulator_disable(psec->ps);
++                      if (err)
++                              break;
++              }
+               if (!psec->pcdev->pi[psec->id].admin_state_enabled)
+                       err = regulator_enable(psec->ps);
+               break;
+-- 
+2.43.0
+
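Review bot: In the new code under `case ETHTOOL_C33_PSE_ADMIN_STATE_ENABLED:`, `!regulator_is_enabled(psec->ps)` treats a negative error return the same as "enabled", so a failed status query skips the resynchronisation and reports nothing. Reading the result into a local and bailing out on a negative value, as sketched below, makes that case visible to the caller. The `regulator_enable()` that follows still runs only when `admin_state_enabled` is clear, so the fix relies on the disable path clearing that flag; that code is outside this hunk and the comment should mention the dependency. pse_ethtool_c33_set_config() starts and ends outside the hunk.

```c
	case ETHTOOL_C33_PSE_ADMIN_STATE_ENABLED:
		/* … unchanged: comment on the admin_state_enabled mismatch … */
		if (psec->pcdev->pi[psec->id].admin_state_enabled) {
			int enabled = regulator_is_enabled(psec->ps);

			if (enabled < 0) {
				err = enabled;
				break;
			}
			if (!enabled) {
				err = regulator_disable(psec->ps);
				if (err)
					break;
			}
		}
		/* … unchanged: regulator_enable() when admin_state_enabled is clear … */
```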
diff --git a/queue-6.11/net-sched-accept-tca_stab-only-for-root-qdisc.patch b/queue-6.11/net-sched-accept-tca_stab-only-for-root-qdisc.patch
new file mode 100644 (file)
index 0000000..63c122e
--- /dev/null
@@ -0,0 +1,150 @@
+From 5a87e674967ddda0570074c3d9f820cddbbf59f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 18:41:30 +0000
+Subject: net/sched: accept TCA_STAB only for root qdisc
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 3cb7cf1540ddff5473d6baeb530228d19bc97b8a ]
+
+Most qdiscs maintain their backlog using qdisc_pkt_len(skb)
+on the assumption it is invariant between the enqueue()
+and dequeue() handlers.
+
+Unfortunately syzbot can crash a host rather easily using
+a TBF + SFQ combination, with an STAB on SFQ [1]
+
+We can't support TCA_STAB on arbitrary level, this would
+require to maintain per-qdisc storage.
+
+[1]
+[   88.796496] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[   88.798611] #PF: supervisor read access in kernel mode
+[   88.799014] #PF: error_code(0x0000) - not-present page
+[   88.799506] PGD 0 P4D 0
+[   88.799829] Oops: Oops: 0000 [#1] SMP NOPTI
+[   88.800569] CPU: 14 UID: 0 PID: 2053 Comm: b371744477 Not tainted 6.12.0-rc1-virtme #1117
+[   88.801107] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[   88.801779] RIP: 0010:sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq
+[ 88.802544] Code: 0f b7 50 12 48 8d 04 d5 00 00 00 00 48 89 d6 48 29 d0 48 8b 91 c0 01 00 00 48 c1 e0 03 48 01 c2 66 83 7a 1a 00 7e c0 48 8b 3a <4c> 8b 07 4c 89 02 49 89 50 08 48 c7 47 08 00 00 00 00 48 c7 07 00
+All code
+========
+   0:  0f b7 50 12             movzwl 0x12(%rax),%edx
+   4:  48 8d 04 d5 00 00 00    lea    0x0(,%rdx,8),%rax
+   b:  00
+   c:  48 89 d6                mov    %rdx,%rsi
+   f:  48 29 d0                sub    %rdx,%rax
+  12:  48 8b 91 c0 01 00 00    mov    0x1c0(%rcx),%rdx
+  19:  48 c1 e0 03             shl    $0x3,%rax
+  1d:  48 01 c2                add    %rax,%rdx
+  20:  66 83 7a 1a 00          cmpw   $0x0,0x1a(%rdx)
+  25:  7e c0                   jle    0xffffffffffffffe7
+  27:  48 8b 3a                mov    (%rdx),%rdi
+  2a:* 4c 8b 07                mov    (%rdi),%r8               <-- trapping instruction
+  2d:  4c 89 02                mov    %r8,(%rdx)
+  30:  49 89 50 08             mov    %rdx,0x8(%r8)
+  34:  48 c7 47 08 00 00 00    movq   $0x0,0x8(%rdi)
+  3b:  00
+  3c:  48                      rex.W
+  3d:  c7                      .byte 0xc7
+  3e:  07                      (bad)
+       ...
+
+Code starting with the faulting instruction
+===========================================
+   0:  4c 8b 07                mov    (%rdi),%r8
+   3:  4c 89 02                mov    %r8,(%rdx)
+   6:  49 89 50 08             mov    %rdx,0x8(%r8)
+   a:  48 c7 47 08 00 00 00    movq   $0x0,0x8(%rdi)
+  11:  00
+  12:  48                      rex.W
+  13:  c7                      .byte 0xc7
+  14:  07                      (bad)
+       ...
+[   88.803721] RSP: 0018:ffff9a1f892b7d58 EFLAGS: 00000206
+[   88.804032] RAX: 0000000000000000 RBX: ffff9a1f8420c800 RCX: ffff9a1f8420c800
+[   88.804560] RDX: ffff9a1f81bc1440 RSI: 0000000000000000 RDI: 0000000000000000
+[   88.805056] RBP: ffffffffc04bb0e0 R08: 0000000000000001 R09: 00000000ff7f9a1f
+[   88.805473] R10: 000000000001001b R11: 0000000000009a1f R12: 0000000000000140
+[   88.806194] R13: 0000000000000001 R14: ffff9a1f886df400 R15: ffff9a1f886df4ac
+[   88.806734] FS:  00007f445601a740(0000) GS:ffff9a2e7fd80000(0000) knlGS:0000000000000000
+[   88.807225] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   88.807672] CR2: 0000000000000000 CR3: 000000050cc46000 CR4: 00000000000006f0
+[   88.808165] Call Trace:
+[   88.808459]  <TASK>
+[   88.808710] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
+[   88.809261] ? page_fault_oops (arch/x86/mm/fault.c:715)
+[   88.809561] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)
+[   88.809806] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)
+[   88.810074] ? sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq
+[   88.810411] sfq_reset (net/sched/sch_sfq.c:525) sch_sfq
+[   88.810671] qdisc_reset (./include/linux/skbuff.h:2135 ./include/linux/skbuff.h:2441 ./include/linux/skbuff.h:3304 ./include/linux/skbuff.h:3310 net/sched/sch_generic.c:1036)
+[   88.810950] tbf_reset (./include/linux/timekeeping.h:169 net/sched/sch_tbf.c:334) sch_tbf
+[   88.811208] qdisc_reset (./include/linux/skbuff.h:2135 ./include/linux/skbuff.h:2441 ./include/linux/skbuff.h:3304 ./include/linux/skbuff.h:3310 net/sched/sch_generic.c:1036)
+[   88.811484] netif_set_real_num_tx_queues (./include/linux/spinlock.h:396 ./include/net/sch_generic.h:768 net/core/dev.c:2958)
+[   88.811870] __tun_detach (drivers/net/tun.c:590 drivers/net/tun.c:673)
+[   88.812271] tun_chr_close (drivers/net/tun.c:702 drivers/net/tun.c:3517)
+[   88.812505] __fput (fs/file_table.c:432 (discriminator 1))
+[   88.812735] task_work_run (kernel/task_work.c:230)
+[   88.813016] do_exit (kernel/exit.c:940)
+[   88.813372] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:58 (discriminator 4))
+[   88.813639] ? handle_mm_fault (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./arch/x86/include/asm/irqflags.h:155 ./include/linux/memcontrol.h:1022 ./include/linux/memcontrol.h:1045 ./include/linux/memcontrol.h:1052 mm/memory.c:5928 mm/memory.c:6088)
+[   88.813867] do_group_exit (kernel/exit.c:1070)
+[   88.814138] __x64_sys_exit_group (kernel/exit.c:1099)
+[   88.814490] x64_sys_call (??:?)
+[   88.814791] do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))
+[   88.815012] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+[   88.815495] RIP: 0033:0x7f44560f1975
+
+Fixes: 175f9c1bba9b ("net_sched: Add size table for qdiscs")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://patch.msgid.link/20241007184130.3960565-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sch_generic.h | 1 -
+ net/sched/sch_api.c       | 7 ++++++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
+index 79edd5b5e3c91..5d74fa7e694cc 100644
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -848,7 +848,6 @@ static inline void qdisc_calculate_pkt_len(struct sk_buff *skb,
+ static inline int qdisc_enqueue(struct sk_buff *skb, struct Qdisc *sch,
+                               struct sk_buff **to_free)
+ {
+-      qdisc_calculate_pkt_len(skb, sch);
+       return sch->enqueue(skb, sch, to_free);
+ }
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index 74afc210527d2..2eefa47838799 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -593,7 +593,6 @@ void __qdisc_calculate_pkt_len(struct sk_buff *skb,
+               pkt_len = 1;
+       qdisc_skb_cb(skb)->pkt_len = pkt_len;
+ }
+-EXPORT_SYMBOL(__qdisc_calculate_pkt_len);
+ void qdisc_warn_nonwc(const char *txt, struct Qdisc *qdisc)
+ {
+@@ -1201,6 +1200,12 @@ static int qdisc_graft(struct net_device *dev, struct Qdisc *parent,
+                       return -EINVAL;
+               }
++              if (new &&
++                  !(parent->flags & TCQ_F_MQROOT) &&
++                  rcu_access_pointer(new->stab)) {
++                      NL_SET_ERR_MSG(extack, "STAB not supported on a non root");
++                      return -EINVAL;
++              }
+               err = cops->graft(parent, cl, new, &old, extack);
+               if (err)
+                       return err;
+-- 
+2.43.0
+
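Review bot: The new check in qdisc_graft() has no comment explaining why `parent->flags & TCQ_F_MQROOT` is the exemption, and it reads wider than the subject line "only for root qdisc". I would add `/* STAB is honoured only at the root; children of an MQ root act as per-queue roots */` above the `if`, assuming that is the intent. The same patch removes the qdisc_calculate_pkt_len() call from qdisc_enqueue(), so a size table that reaches a non-root qdisc by any other path would presumably be ignored without notice. Paths that attach a stab to an already grafted qdisc are not in this hunk and should be checked against the same rule. The enclosing branch of qdisc_graft() begins outside the hunk.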
diff --git a/queue-6.11/net-smc-fix-lacks-of-icsk_syn_mss-with-ipproto_smc.patch b/queue-6.11/net-smc-fix-lacks-of-icsk_syn_mss-with-ipproto_smc.patch
new file mode 100644 (file)
index 0000000..792b093
--- /dev/null
@@ -0,0 +1,116 @@
+From 4b4d4a0d8312e2198c8b2c8c55ee9d0ab2998eff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 14:55:16 +0800
+Subject: net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC
+
+From: D. Wythe <alibuda@linux.alibaba.com>
+
+[ Upstream commit 6fd27ea183c208e478129a85e11d880fc70040f2 ]
+
+Eric report a panic on IPPROTO_SMC, and give the facts
+that when INET_PROTOSW_ICSK was set, icsk->icsk_sync_mss must be set too.
+
+Bug: Unable to handle kernel NULL pointer dereference at virtual address
+0000000000000000
+Mem abort info:
+ESR = 0x0000000086000005
+EC = 0x21: IABT (current EL), IL = 32 bits
+SET = 0, FnV = 0
+EA = 0, S1PTW = 0
+FSC = 0x05: level 1 translation fault
+user pgtable: 4k pages, 48-bit VAs, pgdp=00000001195d1000
+[0000000000000000] pgd=0800000109c46003, p4d=0800000109c46003,
+pud=0000000000000000
+Internal error: Oops: 0000000086000005 [#1] PREEMPT SMP
+Modules linked in:
+CPU: 1 UID: 0 PID: 8037 Comm: syz.3.265 Not tainted
+6.11.0-rc7-syzkaller-g5f5673607153 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine,
+BIOS Google 08/06/2024
+pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : 0x0
+lr : cipso_v4_sock_setattr+0x2a8/0x3c0 net/ipv4/cipso_ipv4.c:1910
+sp : ffff80009b887a90
+x29: ffff80009b887aa0 x28: ffff80008db94050 x27: 0000000000000000
+x26: 1fffe0001aa6f5b3 x25: dfff800000000000 x24: ffff0000db75da00
+x23: 0000000000000000 x22: ffff0000d8b78518 x21: 0000000000000000
+x20: ffff0000d537ad80 x19: ffff0000d8b78000 x18: 1fffe000366d79ee
+x17: ffff8000800614a8 x16: ffff800080569b84 x15: 0000000000000001
+x14: 000000008b336894 x13: 00000000cd96feaa x12: 0000000000000003
+x11: 0000000000040000 x10: 00000000000020a3 x9 : 1fffe0001b16f0f1
+x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f
+x5 : 0000000000000040 x4 : 0000000000000001 x3 : 0000000000000000
+x2 : 0000000000000002 x1 : 0000000000000000 x0 : ffff0000d8b78000
+Call trace:
+0x0
+netlbl_sock_setattr+0x2e4/0x338 net/netlabel/netlabel_kapi.c:1000
+smack_netlbl_add+0xa4/0x154 security/smack/smack_lsm.c:2593
+smack_socket_post_create+0xa8/0x14c security/smack/smack_lsm.c:2973
+security_socket_post_create+0x94/0xd4 security/security.c:4425
+__sock_create+0x4c8/0x884 net/socket.c:1587
+sock_create net/socket.c:1622 [inline]
+__sys_socket_create net/socket.c:1659 [inline]
+__sys_socket+0x134/0x340 net/socket.c:1706
+__do_sys_socket net/socket.c:1720 [inline]
+__se_sys_socket net/socket.c:1718 [inline]
+__arm64_sys_socket+0x7c/0x94 net/socket.c:1718
+__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
+invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
+el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
+do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
+el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
+el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
+el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
+Code: ???????? ???????? ???????? ???????? (????????)
+---[ end trace 0000000000000000 ]---
+
+This patch add a toy implementation that performs a simple return to
+prevent such panic. This is because MSS can be set in sock_create_kern
+or smc_setsockopt, similar to how it's done in AF_SMC. However, for
+AF_SMC, there is currently no way to synchronize MSS within
+__sys_connect_file. This toy implementation lays the groundwork for us
+to support such feature for IPPROTO_SMC in the future.
+
+Fixes: d25a92ccae6b ("net/smc: Introduce IPPROTO_SMC")
+Reported-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: D. Wythe <alibuda@linux.alibaba.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Wenjia Zhang <wenjia@linux.ibm.com>
+Link: https://patch.msgid.link/1728456916-67035-1-git-send-email-alibuda@linux.alibaba.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_inet.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/net/smc/smc_inet.c b/net/smc/smc_inet.c
+index a5b2041600f95..a944e7dcb8b96 100644
+--- a/net/smc/smc_inet.c
++++ b/net/smc/smc_inet.c
+@@ -108,12 +108,23 @@ static struct inet_protosw smc_inet6_protosw = {
+ };
+ #endif /* CONFIG_IPV6 */
++static unsigned int smc_sync_mss(struct sock *sk, u32 pmtu)
++{
++      /* No need pass it through to clcsock, mss can always be set by
++       * sock_create_kern or smc_setsockopt.
++       */
++      return 0;
++}
++
+ static int smc_inet_init_sock(struct sock *sk)
+ {
+       struct net *net = sock_net(sk);
+       /* init common smc sock */
+       smc_sk_init(net, sk, IPPROTO_SMC);
++
++      inet_csk(sk)->icsk_sync_mss = smc_sync_mss;
++
+       /* create clcsock */
+       return smc_create_clcsk(net, sk, sk->sk_family);
+ }
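Review bot: The comment in `smc_sync_mss()` explains why the MSS is not forwarded to clcsock, but not why the stub has to exist, which is the part a later cleanup is most likely to get wrong. The trace in the description shows `pc : 0x0` with `lr` in `cipso_v4_sock_setattr`, reached from `__sys_socket` through the LSM post-create hook, so the callback is invoked without a NULL check on a path that starts at a plain `socket()` call. I would reword the comment to something like `/* Must be non-NULL: INET_PROTOSW_ICSK sockets get icsk_sync_mss called unconditionally. MSS is set via sock_create_kern or smc_setsockopt, so nothing is forwarded to clcsock. */`. It would also help to state that the returned `0` is a placeholder and not an MSS value, in case a caller starts using the result.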
+-- 
+2.43.0
+
diff --git a/queue-6.11/net-ti-icssg-prueth-fix-race-condition-for-vlan-tabl.patch b/queue-6.11/net-ti-icssg-prueth-fix-race-condition-for-vlan-tabl.patch
new file mode 100644 (file)
index 0000000..da909c6
--- /dev/null
@@ -0,0 +1,74 @@
+From 046ac30f4f8db5728b1b93c59b677dd2ff6ef60b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 11:11:24 +0530
+Subject: net: ti: icssg-prueth: Fix race condition for VLAN table access
+
+From: MD Danish Anwar <danishanwar@ti.com>
+
+[ Upstream commit ff8ee11e778520c5716b7f165d2c7ce14d6a068b ]
+
+The VLAN table is a shared memory between the two ports/slices
+in a ICSSG cluster and this may lead to race condition when the
+common code paths for both ports are executed in different CPUs.
+
+Fix the race condition access by locking the shared memory access
+
+Fixes: 487f7323f39a ("net: ti: icssg-prueth: Add helper functions to configure FDB")
+Signed-off-by: MD Danish Anwar <danishanwar@ti.com>
+Reviewed-by: Roger Quadros <rogerq@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/icssg/icssg_config.c | 2 ++
+ drivers/net/ethernet/ti/icssg/icssg_prueth.c | 1 +
+ drivers/net/ethernet/ti/icssg/icssg_prueth.h | 2 ++
+ 3 files changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/ti/icssg/icssg_config.c b/drivers/net/ethernet/ti/icssg/icssg_config.c
+index dae52a83a3786..5be020d0887ac 100644
+--- a/drivers/net/ethernet/ti/icssg/icssg_config.c
++++ b/drivers/net/ethernet/ti/icssg/icssg_config.c
+@@ -733,6 +733,7 @@ void icssg_vtbl_modify(struct prueth_emac *emac, u8 vid, u8 port_mask,
+       u8 fid_c1;
+       tbl = prueth->vlan_tbl;
++      spin_lock(&prueth->vtbl_lock);
+       fid_c1 = tbl[vid].fid_c1;
+       /* FID_C1: bit0..2 port membership mask,
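Review bot: `spin_lock(&prueth->vtbl_lock)` is the plain variant, and nothing in this hunk shows which contexts reach `icssg_vtbl_modify()`. If one caller runs in softirq context while another runs in process context, the plain lock can deadlock on the same CPU, and `spin_lock_bh()` here with `spin_unlock_bh()` at the unlock in the next hunk would be needed. The lock also only serialises this one read-modify-write of `tbl[vid].fid_c1`, so any other accessor of `prueth->vlan_tbl` outside these hunks is not covered. I would extend the kernel-doc in icssg_prueth.h to record the contract, e.g. `/** @vtbl_lock: protects read-modify-write of vlan_tbl entries; taken from <context> */`. The function body starts and ends outside this hunk.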
+@@ -748,6 +749,7 @@ void icssg_vtbl_modify(struct prueth_emac *emac, u8 vid, u8 port_mask,
+       }
+       tbl[vid].fid_c1 = fid_c1;
++      spin_unlock(&prueth->vtbl_lock);
+ }
+ EXPORT_SYMBOL_GPL(icssg_vtbl_modify);
+diff --git a/drivers/net/ethernet/ti/icssg/icssg_prueth.c b/drivers/net/ethernet/ti/icssg/icssg_prueth.c
+index e3451beed3238..33cb3590a5cde 100644
+--- a/drivers/net/ethernet/ti/icssg/icssg_prueth.c
++++ b/drivers/net/ethernet/ti/icssg/icssg_prueth.c
+@@ -1262,6 +1262,7 @@ static int prueth_probe(struct platform_device *pdev)
+               icss_iep_init_fw(prueth->iep1);
+       }
++      spin_lock_init(&prueth->vtbl_lock);
+       /* setup netdev interfaces */
+       if (eth0_node) {
+               ret = prueth_netdev_init(prueth, eth0_node);
+diff --git a/drivers/net/ethernet/ti/icssg/icssg_prueth.h b/drivers/net/ethernet/ti/icssg/icssg_prueth.h
+index f678d656a3ed3..4d1c895dacdb6 100644
+--- a/drivers/net/ethernet/ti/icssg/icssg_prueth.h
++++ b/drivers/net/ethernet/ti/icssg/icssg_prueth.h
+@@ -282,6 +282,8 @@ struct prueth {
+       bool is_switchmode_supported;
+       unsigned char switch_id[MAX_PHYS_ITEM_ID_LEN];
+       int default_vlan;
++      /** @vtbl_lock: Lock for vtbl in shared memory */
++      spinlock_t vtbl_lock;
+ };
+ struct emac_tx_ts_response {
+-- 
+2.43.0
+
diff --git a/queue-6.11/netfilter-br_netfilter-fix-panic-with-metadata_dst-s.patch b/queue-6.11/netfilter-br_netfilter-fix-panic-with-metadata_dst-s.patch
new file mode 100644 (file)
index 0000000..c293371
--- /dev/null
@@ -0,0 +1,179 @@
+From 7b73e89f9caa489dca2db093821e938fc6224b7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 08:43:59 -0700
+Subject: netfilter: br_netfilter: fix panic with metadata_dst skb
+
+From: Andy Roulin <aroulin@nvidia.com>
+
+[ Upstream commit f9ff7665cd128012868098bbd07e28993e314fdb ]
+
+Fix a kernel panic in the br_netfilter module when sending untagged
+traffic via a VxLAN device.
+This happens during the check for fragmentation in br_nf_dev_queue_xmit.
+
+It is dependent on:
+1) the br_netfilter module being loaded;
+2) net.bridge.bridge-nf-call-iptables set to 1;
+3) a bridge with a VxLAN (single-vxlan-device) netdevice as a bridge port;
+4) untagged frames with size higher than the VxLAN MTU forwarded/flooded
+
+When forwarding the untagged packet to the VxLAN bridge port, before
+the netfilter hooks are called, br_handle_egress_vlan_tunnel is called and
+changes the skb_dst to the tunnel dst. The tunnel_dst is a metadata type
+of dst, i.e., skb_valid_dst(skb) is false, and metadata->dst.dev is NULL.
+
+Then in the br_netfilter hooks, in br_nf_dev_queue_xmit, there's a check
+for frames that needs to be fragmented: frames with higher MTU than the
+VxLAN device end up calling br_nf_ip_fragment, which in turns call
+ip_skb_dst_mtu.
+
+The ip_dst_mtu tries to use the skb_dst(skb) as if it was a valid dst
+with valid dst->dev, thus the crash.
+
+This case was never supported in the first place, so drop the packet
+instead.
+
+PING 10.0.0.2 (10.0.0.2) from 0.0.0.0 h1-eth0: 2000(2028) bytes of data.
+[  176.291791] Unable to handle kernel NULL pointer dereference at
+virtual address 0000000000000110
+[  176.292101] Mem abort info:
+[  176.292184]   ESR = 0x0000000096000004
+[  176.292322]   EC = 0x25: DABT (current EL), IL = 32 bits
+[  176.292530]   SET = 0, FnV = 0
+[  176.292709]   EA = 0, S1PTW = 0
+[  176.292862]   FSC = 0x04: level 0 translation fault
+[  176.293013] Data abort info:
+[  176.293104]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
+[  176.293488]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+[  176.293787]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+[  176.293995] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000043ef5000
+[  176.294166] [0000000000000110] pgd=0000000000000000,
+p4d=0000000000000000
+[  176.294827] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
+[  176.295252] Modules linked in: vxlan ip6_udp_tunnel udp_tunnel veth
+br_netfilter bridge stp llc ipv6 crct10dif_ce
+[  176.295923] CPU: 0 PID: 188 Comm: ping Not tainted
+6.8.0-rc3-g5b3fbd61b9d1 #2
+[  176.296314] Hardware name: linux,dummy-virt (DT)
+[  176.296535] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS
+BTYPE=--)
+[  176.296808] pc : br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]
+[  176.297382] lr : br_nf_dev_queue_xmit+0x2ac/0x4ec [br_netfilter]
+[  176.297636] sp : ffff800080003630
+[  176.297743] x29: ffff800080003630 x28: 0000000000000008 x27:
+ffff6828c49ad9f8
+[  176.298093] x26: ffff6828c49ad000 x25: 0000000000000000 x24:
+00000000000003e8
+[  176.298430] x23: 0000000000000000 x22: ffff6828c4960b40 x21:
+ffff6828c3b16d28
+[  176.298652] x20: ffff6828c3167048 x19: ffff6828c3b16d00 x18:
+0000000000000014
+[  176.298926] x17: ffffb0476322f000 x16: ffffb7e164023730 x15:
+0000000095744632
+[  176.299296] x14: ffff6828c3f1c880 x13: 0000000000000002 x12:
+ffffb7e137926a70
+[  176.299574] x11: 0000000000000001 x10: ffff6828c3f1c898 x9 :
+0000000000000000
+[  176.300049] x8 : ffff6828c49bf070 x7 : 0008460f18d5f20e x6 :
+f20e0100bebafeca
+[  176.300302] x5 : ffff6828c7f918fe x4 : ffff6828c49bf070 x3 :
+0000000000000000
+[  176.300586] x2 : 0000000000000000 x1 : ffff6828c3c7ad00 x0 :
+ffff6828c7f918f0
+[  176.300889] Call trace:
+[  176.301123]  br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]
+[  176.301411]  br_nf_post_routing+0x2a8/0x3e4 [br_netfilter]
+[  176.301703]  nf_hook_slow+0x48/0x124
+[  176.302060]  br_forward_finish+0xc8/0xe8 [bridge]
+[  176.302371]  br_nf_hook_thresh+0x124/0x134 [br_netfilter]
+[  176.302605]  br_nf_forward_finish+0x118/0x22c [br_netfilter]
+[  176.302824]  br_nf_forward_ip.part.0+0x264/0x290 [br_netfilter]
+[  176.303136]  br_nf_forward+0x2b8/0x4e0 [br_netfilter]
+[  176.303359]  nf_hook_slow+0x48/0x124
+[  176.303803]  __br_forward+0xc4/0x194 [bridge]
+[  176.304013]  br_flood+0xd4/0x168 [bridge]
+[  176.304300]  br_handle_frame_finish+0x1d4/0x5c4 [bridge]
+[  176.304536]  br_nf_hook_thresh+0x124/0x134 [br_netfilter]
+[  176.304978]  br_nf_pre_routing_finish+0x29c/0x494 [br_netfilter]
+[  176.305188]  br_nf_pre_routing+0x250/0x524 [br_netfilter]
+[  176.305428]  br_handle_frame+0x244/0x3cc [bridge]
+[  176.305695]  __netif_receive_skb_core.constprop.0+0x33c/0xecc
+[  176.306080]  __netif_receive_skb_one_core+0x40/0x8c
+[  176.306197]  __netif_receive_skb+0x18/0x64
+[  176.306369]  process_backlog+0x80/0x124
+[  176.306540]  __napi_poll+0x38/0x17c
+[  176.306636]  net_rx_action+0x124/0x26c
+[  176.306758]  __do_softirq+0x100/0x26c
+[  176.307051]  ____do_softirq+0x10/0x1c
+[  176.307162]  call_on_irq_stack+0x24/0x4c
+[  176.307289]  do_softirq_own_stack+0x1c/0x2c
+[  176.307396]  do_softirq+0x54/0x6c
+[  176.307485]  __local_bh_enable_ip+0x8c/0x98
+[  176.307637]  __dev_queue_xmit+0x22c/0xd28
+[  176.307775]  neigh_resolve_output+0xf4/0x1a0
+[  176.308018]  ip_finish_output2+0x1c8/0x628
+[  176.308137]  ip_do_fragment+0x5b4/0x658
+[  176.308279]  ip_fragment.constprop.0+0x48/0xec
+[  176.308420]  __ip_finish_output+0xa4/0x254
+[  176.308593]  ip_finish_output+0x34/0x130
+[  176.308814]  ip_output+0x6c/0x108
+[  176.308929]  ip_send_skb+0x50/0xf0
+[  176.309095]  ip_push_pending_frames+0x30/0x54
+[  176.309254]  raw_sendmsg+0x758/0xaec
+[  176.309568]  inet_sendmsg+0x44/0x70
+[  176.309667]  __sys_sendto+0x110/0x178
+[  176.309758]  __arm64_sys_sendto+0x28/0x38
+[  176.309918]  invoke_syscall+0x48/0x110
+[  176.310211]  el0_svc_common.constprop.0+0x40/0xe0
+[  176.310353]  do_el0_svc+0x1c/0x28
+[  176.310434]  el0_svc+0x34/0xb4
+[  176.310551]  el0t_64_sync_handler+0x120/0x12c
+[  176.310690]  el0t_64_sync+0x190/0x194
+[  176.311066] Code: f9402e61 79402aa2 927ff821 f9400023 (f9408860)
+[  176.315743] ---[ end trace 0000000000000000 ]---
+[  176.316060] Kernel panic - not syncing: Oops: Fatal exception in
+interrupt
+[  176.316371] Kernel Offset: 0x37e0e3000000 from 0xffff800080000000
+[  176.316564] PHYS_OFFSET: 0xffff97d780000000
+[  176.316782] CPU features: 0x0,88000203,3c020000,0100421b
+[  176.317210] Memory Limit: none
+[  176.317527] ---[ end Kernel panic - not syncing: Oops: Fatal
+Exception in interrupt ]---\
+
+Fixes: 11538d039ac6 ("bridge: vlan dst_metadata hooks in ingress and egress paths")
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Signed-off-by: Andy Roulin <aroulin@nvidia.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://patch.msgid.link/20241001154400.22787-2-aroulin@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_netfilter_hooks.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
+index 8f9c19d992ac5..d5aada7bad571 100644
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -33,6 +33,7 @@
+ #include <net/ip.h>
+ #include <net/ipv6.h>
+ #include <net/addrconf.h>
++#include <net/dst_metadata.h>
+ #include <net/route.h>
+ #include <net/netfilter/br_netfilter.h>
+ #include <net/netns/generic.h>
+@@ -878,6 +879,10 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff
+               return br_dev_queue_push_xmit(net, sk, skb);
+       }
++      /* Fragmentation on metadata/template dst is not supported */
++      if (unlikely(!skb_valid_dst(skb)))
++              goto drop;
++
+       /* This is wrong! We should preserve the original fragment
+        * boundaries by preserving frag_list rather than refragmenting.
+        */
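Review bot: The new `goto drop` discards the frame silently and its comment says only that the case is unsupported, not what goes wrong. Per the description, a metadata dst has `dst.dev` NULL and the MTU lookup in the fragmentation path dereferences it, so this check is what keeps an oversized frame from turning into a NULL dereference in softirq context. I would say so in the comment, e.g. `/* Metadata/template dst has no dst->dev; the fragment path would dereference it, so drop instead of fragmenting */`. The `drop` label is outside the hunk; if it frees the skb without a drop reason or counter, adding one would let operators attribute the lost frames on VxLAN bridge ports.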
+-- 
+2.43.0
+
diff --git a/queue-6.11/netfilter-fib-check-correct-rtable-in-vrf-setups.patch b/queue-6.11/netfilter-fib-check-correct-rtable-in-vrf-setups.patch
new file mode 100644 (file)
index 0000000..442eb8c
--- /dev/null
@@ -0,0 +1,80 @@
+From a18e12ab6a5e717104f0b1fb53adab3bdb098b8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 09:19:02 +0200
+Subject: netfilter: fib: check correct rtable in vrf setups
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 05ef7055debc804e8083737402127975e7244fc4 ]
+
+We need to init l3mdev unconditionally, else main routing table is searched
+and incorrect result is returned unless strict (iif keyword) matching is
+requested.
+
+Next patch adds a selftest for this.
+
+Fixes: 2a8a7c0eaa87 ("netfilter: nft_fib: Fix for rpath check with VRF devices")
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1761
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/netfilter/nft_fib_ipv4.c | 4 +---
+ net/ipv6/netfilter/nft_fib_ipv6.c | 5 +++--
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/netfilter/nft_fib_ipv4.c b/net/ipv4/netfilter/nft_fib_ipv4.c
+index 9eee535c64dd4..ba233fdd81886 100644
+--- a/net/ipv4/netfilter/nft_fib_ipv4.c
++++ b/net/ipv4/netfilter/nft_fib_ipv4.c
+@@ -66,6 +66,7 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
+               .flowi4_scope = RT_SCOPE_UNIVERSE,
+               .flowi4_iif = LOOPBACK_IFINDEX,
+               .flowi4_uid = sock_net_uid(nft_net(pkt), NULL),
++              .flowi4_l3mdev = l3mdev_master_ifindex_rcu(nft_in(pkt)),
+       };
+       const struct net_device *oif;
+       const struct net_device *found;
+@@ -84,9 +85,6 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
+       else
+               oif = NULL;
+-      if (priv->flags & NFTA_FIB_F_IIF)
+-              fl4.flowi4_l3mdev = l3mdev_master_ifindex_rcu(oif);
+-
+       if (nft_hook(pkt) == NF_INET_PRE_ROUTING &&
+           nft_fib_is_loopback(pkt->skb, nft_in(pkt))) {
+               nft_fib_store_result(dest, priv, nft_in(pkt));
+diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c
+index 36dc14b34388c..c9f1634b3838a 100644
+--- a/net/ipv6/netfilter/nft_fib_ipv6.c
++++ b/net/ipv6/netfilter/nft_fib_ipv6.c
+@@ -41,8 +41,6 @@ static int nft_fib6_flowi_init(struct flowi6 *fl6, const struct nft_fib *priv,
+       if (ipv6_addr_type(&fl6->daddr) & IPV6_ADDR_LINKLOCAL) {
+               lookup_flags |= RT6_LOOKUP_F_IFACE;
+               fl6->flowi6_oif = get_ifindex(dev ? dev : pkt->skb->dev);
+-      } else if (priv->flags & NFTA_FIB_F_IIF) {
+-              fl6->flowi6_l3mdev = l3mdev_master_ifindex_rcu(dev);
+       }
+       if (ipv6_addr_type(&fl6->saddr) & IPV6_ADDR_UNICAST)
+@@ -75,6 +73,8 @@ static u32 __nft_fib6_eval_type(const struct nft_fib *priv,
+       else if (priv->flags & NFTA_FIB_F_OIF)
+               dev = nft_out(pkt);
++      fl6.flowi6_l3mdev = l3mdev_master_ifindex_rcu(dev);
++
+       nft_fib6_flowi_init(&fl6, priv, pkt, dev, iph);
+       if (dev && nf_ipv6_chk_addr(nft_net(pkt), &fl6.daddr, dev, true))
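Review bot: The l3mdev source differs between the places this patch sets it. Here `fl6.flowi6_l3mdev` is derived from `dev`, which the preceding context lines set to `nft_out(pkt)` when `NFTA_FIB_F_OIF` is given, while `nft_fib6_eval()` in the last hunk of this file and `nft_fib4_eval()` always use `nft_in(pkt)`. If the difference is intended it deserves a comment at each site, for example `/* always select the VRF table, not only for iif matching */`. If it is not intended, the two eval functions take the VRF from the input device even for oif lookups, and I cannot confirm from these hunks which hooks reach them with no input device. The function continues outside the hunk.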
+@@ -165,6 +165,7 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
+               .flowi6_iif = LOOPBACK_IFINDEX,
+               .flowi6_proto = pkt->tprot,
+               .flowi6_uid = sock_net_uid(nft_net(pkt), NULL),
++              .flowi6_l3mdev = l3mdev_master_ifindex_rcu(nft_in(pkt)),
+       };
+       struct rt6_info *rt;
+       int lookup_flags;
+-- 
+2.43.0
+
diff --git a/queue-6.11/netfilter-xtables-avoid-nfproto_unspec-where-needed.patch b/queue-6.11/netfilter-xtables-avoid-nfproto_unspec-where-needed.patch
new file mode 100644 (file)
index 0000000..bb8f67b
--- /dev/null
@@ -0,0 +1,996 @@
+From de58042ef9e7b1885e35c0c6e1b5a7c2cf63a037 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 11:28:16 +0200
+Subject: netfilter: xtables: avoid NFPROTO_UNSPEC where needed
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 0bfcb7b71e735560077a42847f69597ec7dcc326 ]
+
+syzbot managed to call xt_cluster match via ebtables:
+
+ WARNING: CPU: 0 PID: 11 at net/netfilter/xt_cluster.c:72 xt_cluster_mt+0x196/0x780
+ [..]
+ ebt_do_table+0x174b/0x2a40
+
+Module registers to NFPROTO_UNSPEC, but it assumes ipv4/ipv6 packet
+processing.  As this is only useful to restrict locally terminating
+TCP/UDP traffic, register this for ipv4 and ipv6 family only.
+
+Pablo points out that this is a general issue, direct users of the
+set/getsockopt interface can call into targets/matches that were only
+intended for use with ip(6)tables.
+
+Check all UNSPEC matches and targets for similar issues:
+
+- matches and targets are fine except if they assume skb_network_header()
+  is valid -- this is only true when called from inet layer: ip(6) stack
+  pulls the ip/ipv6 header into linear data area.
+- targets that return XT_CONTINUE or other xtables verdicts must be
+  restricted too, they are incompatbile with the ebtables traverser, e.g.
+  EBT_CONTINUE is a completely different value than XT_CONTINUE.
+
+Most matches/targets are changed to register for NFPROTO_IPV4/IPV6, as
+they are provided for use by ip(6)tables.
+
+The MARK target is also used by arptables, so register for NFPROTO_ARP too.
+
+While at it, bail out if connbytes fails to enable the corresponding
+conntrack family.
+
+This change passes the selftests in iptables.git.
+
+Reported-by: syzbot+256c348558aa5cf611a9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netfilter-devel/66fec2e2.050a0220.9ec68.0047.GAE@google.com/
+Fixes: 0269ea493734 ("netfilter: xtables: add cluster match")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Co-developed-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_CHECKSUM.c    |  33 ++++++----
+ net/netfilter/xt_CLASSIFY.c    |  16 ++++-
+ net/netfilter/xt_CONNSECMARK.c |  36 +++++++----
+ net/netfilter/xt_CT.c          | 106 +++++++++++++++++++++------------
+ net/netfilter/xt_IDLETIMER.c   |  59 ++++++++++++------
+ net/netfilter/xt_LED.c         |  39 ++++++++----
+ net/netfilter/xt_NFLOG.c       |  36 +++++++----
+ net/netfilter/xt_RATEEST.c     |  39 ++++++++----
+ net/netfilter/xt_SECMARK.c     |  27 ++++++++-
+ net/netfilter/xt_TRACE.c       |  35 +++++++----
+ net/netfilter/xt_addrtype.c    |  15 ++++-
+ net/netfilter/xt_cluster.c     |  33 ++++++----
+ net/netfilter/xt_connbytes.c   |   4 +-
+ net/netfilter/xt_connlimit.c   |  39 ++++++++----
+ net/netfilter/xt_connmark.c    |  28 ++++++++-
+ net/netfilter/xt_mark.c        |  42 +++++++++----
+ 16 files changed, 422 insertions(+), 165 deletions(-)
+
+diff --git a/net/netfilter/xt_CHECKSUM.c b/net/netfilter/xt_CHECKSUM.c
+index c8a639f561684..9d99f5a3d1764 100644
+--- a/net/netfilter/xt_CHECKSUM.c
++++ b/net/netfilter/xt_CHECKSUM.c
+@@ -63,24 +63,37 @@ static int checksum_tg_check(const struct xt_tgchk_param *par)
+       return 0;
+ }
+-static struct xt_target checksum_tg_reg __read_mostly = {
+-      .name           = "CHECKSUM",
+-      .family         = NFPROTO_UNSPEC,
+-      .target         = checksum_tg,
+-      .targetsize     = sizeof(struct xt_CHECKSUM_info),
+-      .table          = "mangle",
+-      .checkentry     = checksum_tg_check,
+-      .me             = THIS_MODULE,
++static struct xt_target checksum_tg_reg[] __read_mostly = {
++      {
++              .name           = "CHECKSUM",
++              .family         = NFPROTO_IPV4,
++              .target         = checksum_tg,
++              .targetsize     = sizeof(struct xt_CHECKSUM_info),
++              .table          = "mangle",
++              .checkentry     = checksum_tg_check,
++              .me             = THIS_MODULE,
++      },
++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
++      {
++              .name           = "CHECKSUM",
++              .family         = NFPROTO_IPV6,
++              .target         = checksum_tg,
++              .targetsize     = sizeof(struct xt_CHECKSUM_info),
++              .table          = "mangle",
++              .checkentry     = checksum_tg_check,
++              .me             = THIS_MODULE,
++      },
++#endif
+ };
+ static int __init checksum_tg_init(void)
+ {
+-      return xt_register_target(&checksum_tg_reg);
++      return xt_register_targets(checksum_tg_reg, ARRAY_SIZE(checksum_tg_reg));
+ }
+ static void __exit checksum_tg_exit(void)
+ {
+-      xt_unregister_target(&checksum_tg_reg);
++      xt_unregister_targets(checksum_tg_reg, ARRAY_SIZE(checksum_tg_reg));
+ }
+ module_init(checksum_tg_init);
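Review bot: Nothing in the new `checksum_tg_reg[]` records why the target is listed once per family rather than once under `NFPROTO_UNSPEC`. A later cleanup could fold the two identical entries back together and reopen the path the description warns about, where direct users of the set/getsockopt interface reach ip(6)tables-only extensions from another family such as ebtables. A comment above the array would pin that down, e.g. `/* Registered per family on purpose: assumes an IPv4/IPv6 caller, must not be NFPROTO_UNSPEC */`. The same applies to `connsecmark_tg_reg[]` and `xt_ct_tg_reg[]` in the following files. The IPv6 entries are built only under `CONFIG_IP6_NF_IPTABLES`; whether that guard covers every configuration that can request an IPv6 target is not visible from this hunk.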
+diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
+index 0accac98dea78..0ae8d8a1216e1 100644
+--- a/net/netfilter/xt_CLASSIFY.c
++++ b/net/netfilter/xt_CLASSIFY.c
+@@ -38,9 +38,9 @@ static struct xt_target classify_tg_reg[] __read_mostly = {
+       {
+               .name       = "CLASSIFY",
+               .revision   = 0,
+-              .family     = NFPROTO_UNSPEC,
++              .family     = NFPROTO_IPV4,
+               .hooks      = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) |
+-                            (1 << NF_INET_POST_ROUTING),
++                            (1 << NF_INET_POST_ROUTING),
+               .target     = classify_tg,
+               .targetsize = sizeof(struct xt_classify_target_info),
+               .me         = THIS_MODULE,
+@@ -54,6 +54,18 @@ static struct xt_target classify_tg_reg[] __read_mostly = {
+               .targetsize = sizeof(struct xt_classify_target_info),
+               .me         = THIS_MODULE,
+       },
++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
++      {
++              .name       = "CLASSIFY",
++              .revision   = 0,
++              .family     = NFPROTO_IPV6,
++              .hooks      = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) |
++                            (1 << NF_INET_POST_ROUTING),
++              .target     = classify_tg,
++              .targetsize = sizeof(struct xt_classify_target_info),
++              .me         = THIS_MODULE,
++      },
++#endif
+ };
+ static int __init classify_tg_init(void)
+diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
+index 76acecf3e757a..1494b3ee30e11 100644
+--- a/net/netfilter/xt_CONNSECMARK.c
++++ b/net/netfilter/xt_CONNSECMARK.c
+@@ -114,25 +114,39 @@ static void connsecmark_tg_destroy(const struct xt_tgdtor_param *par)
+       nf_ct_netns_put(par->net, par->family);
+ }
+-static struct xt_target connsecmark_tg_reg __read_mostly = {
+-      .name       = "CONNSECMARK",
+-      .revision   = 0,
+-      .family     = NFPROTO_UNSPEC,
+-      .checkentry = connsecmark_tg_check,
+-      .destroy    = connsecmark_tg_destroy,
+-      .target     = connsecmark_tg,
+-      .targetsize = sizeof(struct xt_connsecmark_target_info),
+-      .me         = THIS_MODULE,
++static struct xt_target connsecmark_tg_reg[] __read_mostly = {
++      {
++              .name       = "CONNSECMARK",
++              .revision   = 0,
++              .family     = NFPROTO_IPV4,
++              .checkentry = connsecmark_tg_check,
++              .destroy    = connsecmark_tg_destroy,
++              .target     = connsecmark_tg,
++              .targetsize = sizeof(struct xt_connsecmark_target_info),
++              .me         = THIS_MODULE,
++      },
++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
++      {
++              .name       = "CONNSECMARK",
++              .revision   = 0,
++              .family     = NFPROTO_IPV6,
++              .checkentry = connsecmark_tg_check,
++              .destroy    = connsecmark_tg_destroy,
++              .target     = connsecmark_tg,
++              .targetsize = sizeof(struct xt_connsecmark_target_info),
++              .me         = THIS_MODULE,
++      },
++#endif
+ };
+ static int __init connsecmark_tg_init(void)
+ {
+-      return xt_register_target(&connsecmark_tg_reg);
++      return xt_register_targets(connsecmark_tg_reg, ARRAY_SIZE(connsecmark_tg_reg));
+ }
+ static void __exit connsecmark_tg_exit(void)
+ {
+-      xt_unregister_target(&connsecmark_tg_reg);
++      xt_unregister_targets(connsecmark_tg_reg, ARRAY_SIZE(connsecmark_tg_reg));
+ }
+ module_init(connsecmark_tg_init);
+diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
+index 2be2f7a7b60f4..3ba94c34297cf 100644
+--- a/net/netfilter/xt_CT.c
++++ b/net/netfilter/xt_CT.c
+@@ -313,10 +313,30 @@ static void xt_ct_tg_destroy_v1(const struct xt_tgdtor_param *par)
+       xt_ct_tg_destroy(par, par->targinfo);
+ }
++static unsigned int
++notrack_tg(struct sk_buff *skb, const struct xt_action_param *par)
++{
++      /* Previously seen (loopback)? Ignore. */
++      if (skb->_nfct != 0)
++              return XT_CONTINUE;
++
++      nf_ct_set(skb, NULL, IP_CT_UNTRACKED);
++
++      return XT_CONTINUE;
++}
++
+ static struct xt_target xt_ct_tg_reg[] __read_mostly = {
++      {
++              .name           = "NOTRACK",
++              .revision       = 0,
++              .family         = NFPROTO_IPV4,
++              .target         = notrack_tg,
++              .table          = "raw",
++              .me             = THIS_MODULE,
++      },
+       {
+               .name           = "CT",
+-              .family         = NFPROTO_UNSPEC,
++              .family         = NFPROTO_IPV4,
+               .targetsize     = sizeof(struct xt_ct_target_info),
+               .usersize       = offsetof(struct xt_ct_target_info, ct),
+               .checkentry     = xt_ct_tg_check_v0,
+@@ -327,7 +347,7 @@ static struct xt_target xt_ct_tg_reg[] __read_mostly = {
+       },
+       {
+               .name           = "CT",
+-              .family         = NFPROTO_UNSPEC,
++              .family         = NFPROTO_IPV4,
+               .revision       = 1,
+               .targetsize     = sizeof(struct xt_ct_target_info_v1),
+               .usersize       = offsetof(struct xt_ct_target_info, ct),
+@@ -339,7 +359,7 @@ static struct xt_target xt_ct_tg_reg[] __read_mostly = {
+       },
+       {
+               .name           = "CT",
+-              .family         = NFPROTO_UNSPEC,
++              .family         = NFPROTO_IPV4,
+               .revision       = 2,
+               .targetsize     = sizeof(struct xt_ct_target_info_v1),
+               .usersize       = offsetof(struct xt_ct_target_info, ct),
+@@ -349,49 +369,61 @@ static struct xt_target xt_ct_tg_reg[] __read_mostly = {
+               .table          = "raw",
+               .me             = THIS_MODULE,
+       },
+-};
+-
+-static unsigned int
+-notrack_tg(struct sk_buff *skb, const struct xt_action_param *par)
+-{
+-      /* Previously seen (loopback)? Ignore. */
+-      if (skb->_nfct != 0)
+-              return XT_CONTINUE;
+-
+-      nf_ct_set(skb, NULL, IP_CT_UNTRACKED);
+-
+-      return XT_CONTINUE;
+-}
+-
+-static struct xt_target notrack_tg_reg __read_mostly = {
+-      .name           = "NOTRACK",
+-      .revision       = 0,
+-      .family         = NFPROTO_UNSPEC,
+-      .target         = notrack_tg,
+-      .table          = "raw",
+-      .me             = THIS_MODULE,
++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
++      {
++              .name           = "NOTRACK",
++              .revision       = 0,
++              .family         = NFPROTO_IPV6,
++              .target         = notrack_tg,
++              .table          = "raw",
++              .me             = THIS_MODULE,
++      },
++      {
++              .name           = "CT",
++              .family         = NFPROTO_IPV6,
++              .targetsize     = sizeof(struct xt_ct_target_info),
++              .usersize       = offsetof(struct xt_ct_target_info, ct),
++              .checkentry     = xt_ct_tg_check_v0,
++              .destroy        = xt_ct_tg_destroy_v0,
++              .target         = xt_ct_target_v0,
++              .table          = "raw",
++              .me             = THIS_MODULE,
++      },
++      {
++              .name           = "CT",
++              .family         = NFPROTO_IPV6,
++              .revision       = 1,
++              .targetsize     = sizeof(struct xt_ct_target_info_v1),
++              .usersize       = offsetof(struct xt_ct_target_info, ct),
++              .checkentry     = xt_ct_tg_check_v1,
++              .destroy        = xt_ct_tg_destroy_v1,
++              .target         = xt_ct_target_v1,
++              .table          = "raw",
++              .me             = THIS_MODULE,
++      },
++      {
++              .name           = "CT",
++              .family         = NFPROTO_IPV6,
++              .revision       = 2,
++              .targetsize     = sizeof(struct xt_ct_target_info_v1),
++              .usersize       = offsetof(struct xt_ct_target_info, ct),
++              .checkentry     = xt_ct_tg_check_v2,
++              .destroy        = xt_ct_tg_destroy_v1,
++              .target         = xt_ct_target_v1,
++              .table          = "raw",
++              .me             = THIS_MODULE,
++      },
++#endif
+ };
+ static int __init xt_ct_tg_init(void)
+ {
+-      int ret;
+-
+-      ret = xt_register_target(&notrack_tg_reg);
+-      if (ret < 0)
+-              return ret;
+-
+-      ret = xt_register_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
+-      if (ret < 0) {
+-              xt_unregister_target(&notrack_tg_reg);
+-              return ret;
+-      }
+-      return 0;
++      return xt_register_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
+ }
+ static void __exit xt_ct_tg_exit(void)
+ {
+       xt_unregister_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
+-      xt_unregister_target(&notrack_tg_reg);
+ }
+ module_init(xt_ct_tg_init);
+diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c
+index db720efa811d5..f8b25b6f5da73 100644
+--- a/net/netfilter/xt_IDLETIMER.c
++++ b/net/netfilter/xt_IDLETIMER.c
+@@ -458,28 +458,49 @@ static void idletimer_tg_destroy_v1(const struct xt_tgdtor_param *par)
+ static struct xt_target idletimer_tg[] __read_mostly = {
+       {
+-      .name           = "IDLETIMER",
+-      .family         = NFPROTO_UNSPEC,
+-      .target         = idletimer_tg_target,
+-      .targetsize     = sizeof(struct idletimer_tg_info),
+-      .usersize       = offsetof(struct idletimer_tg_info, timer),
+-      .checkentry     = idletimer_tg_checkentry,
+-      .destroy        = idletimer_tg_destroy,
+-      .me             = THIS_MODULE,
++              .name           = "IDLETIMER",
++              .family         = NFPROTO_IPV4,
++              .target         = idletimer_tg_target,
++              .targetsize     = sizeof(struct idletimer_tg_info),
++              .usersize       = offsetof(struct idletimer_tg_info, timer),
++              .checkentry     = idletimer_tg_checkentry,
++              .destroy        = idletimer_tg_destroy,
++              .me             = THIS_MODULE,
+       },
+       {
+-      .name           = "IDLETIMER",
+-      .family         = NFPROTO_UNSPEC,
+-      .revision       = 1,
+-      .target         = idletimer_tg_target_v1,
+-      .targetsize     = sizeof(struct idletimer_tg_info_v1),
+-      .usersize       = offsetof(struct idletimer_tg_info_v1, timer),
+-      .checkentry     = idletimer_tg_checkentry_v1,
+-      .destroy        = idletimer_tg_destroy_v1,
+-      .me             = THIS_MODULE,
++              .name           = "IDLETIMER",
++              .family         = NFPROTO_IPV4,
++              .revision       = 1,
++              .target         = idletimer_tg_target_v1,
++              .targetsize     = sizeof(struct idletimer_tg_info_v1),
++              .usersize       = offsetof(struct idletimer_tg_info_v1, timer),
++              .checkentry     = idletimer_tg_checkentry_v1,
++              .destroy        = idletimer_tg_destroy_v1,
++              .me             = THIS_MODULE,
+       },
+-
+-
++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
++      {
++              .name           = "IDLETIMER",
++              .family         = NFPROTO_IPV6,
++              .target         = idletimer_tg_target,
++              .targetsize     = sizeof(struct idletimer_tg_info),
++              .usersize       = offsetof(struct idletimer_tg_info, timer),
++              .checkentry     = idletimer_tg_checkentry,
++              .destroy        = idletimer_tg_destroy,
++              .me             = THIS_MODULE,
++      },
++      {
++              .name           = "IDLETIMER",
++              .family         = NFPROTO_IPV6,
++              .revision       = 1,
++              .target         = idletimer_tg_target_v1,
++              .targetsize     = sizeof(struct idletimer_tg_info_v1),
++              .usersize       = offsetof(struct idletimer_tg_info_v1, timer),
++              .checkentry     = idletimer_tg_checkentry_v1,
++              .destroy        = idletimer_tg_destroy_v1,
++              .me             = THIS_MODULE,
++      },
++#endif
+ };
+ static struct class *idletimer_tg_class;
+diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
+index 36c9720ad8d6d..f7b0286d106ac 100644
+--- a/net/netfilter/xt_LED.c
++++ b/net/netfilter/xt_LED.c
+@@ -175,26 +175,41 @@ static void led_tg_destroy(const struct xt_tgdtor_param *par)
+       kfree(ledinternal);
+ }
+-static struct xt_target led_tg_reg __read_mostly = {
+-      .name           = "LED",
+-      .revision       = 0,
+-      .family         = NFPROTO_UNSPEC,
+-      .target         = led_tg,
+-      .targetsize     = sizeof(struct xt_led_info),
+-      .usersize       = offsetof(struct xt_led_info, internal_data),
+-      .checkentry     = led_tg_check,
+-      .destroy        = led_tg_destroy,
+-      .me             = THIS_MODULE,
++static struct xt_target led_tg_reg[] __read_mostly = {
++      {
++              .name           = "LED",
++              .revision       = 0,
++              .family         = NFPROTO_IPV4,
++              .target         = led_tg,
++              .targetsize     = sizeof(struct xt_led_info),
++              .usersize       = offsetof(struct xt_led_info, internal_data),
++              .checkentry     = led_tg_check,
++              .destroy        = led_tg_destroy,
++              .me             = THIS_MODULE,
++      },
++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
++      {
++              .name           = "LED",
++              .revision       = 0,
++              .family         = NFPROTO_IPV6,
++              .target         = led_tg,
++              .targetsize     = sizeof(struct xt_led_info),
++              .usersize       = offsetof(struct xt_led_info, internal_data),
++              .checkentry     = led_tg_check,
++              .destroy        = led_tg_destroy,
++              .me             = THIS_MODULE,
++      },
++#endif
+ };
+ static int __init led_tg_init(void)
+ {
+-      return xt_register_target(&led_tg_reg);
++      return xt_register_targets(led_tg_reg, ARRAY_SIZE(led_tg_reg));
+ }
+ static void __exit led_tg_exit(void)
+ {
+-      xt_unregister_target(&led_tg_reg);
++      xt_unregister_targets(led_tg_reg, ARRAY_SIZE(led_tg_reg));
+ }
+ module_init(led_tg_init);
+diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
+index e660c3710a109..d80abd6ccaf8f 100644
+--- a/net/netfilter/xt_NFLOG.c
++++ b/net/netfilter/xt_NFLOG.c
+@@ -64,25 +64,39 @@ static void nflog_tg_destroy(const struct xt_tgdtor_param *par)
+       nf_logger_put(par->family, NF_LOG_TYPE_ULOG);
+ }
+-static struct xt_target nflog_tg_reg __read_mostly = {
+-      .name       = "NFLOG",
+-      .revision   = 0,
+-      .family     = NFPROTO_UNSPEC,
+-      .checkentry = nflog_tg_check,
+-      .destroy    = nflog_tg_destroy,
+-      .target     = nflog_tg,
+-      .targetsize = sizeof(struct xt_nflog_info),
+-      .me         = THIS_MODULE,
++static struct xt_target nflog_tg_reg[] __read_mostly = {
++      {
++              .name       = "NFLOG",
++              .revision   = 0,
++              .family     = NFPROTO_IPV4,
++              .checkentry = nflog_tg_check,
++              .destroy    = nflog_tg_destroy,
++              .target     = nflog_tg,
++              .targetsize = sizeof(struct xt_nflog_info),
++              .me         = THIS_MODULE,
++      },
++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
++      {
++              .name       = "NFLOG",
++              .revision   = 0,
++              .family     = NFPROTO_IPV4,
++              .checkentry = nflog_tg_check,
++              .destroy    = nflog_tg_destroy,
++              .target     = nflog_tg,
++              .targetsize = sizeof(struct xt_nflog_info),
++              .me         = THIS_MODULE,
++      },
++#endif
+ };
+ static int __init nflog_tg_init(void)
+ {
+-      return xt_register_target(&nflog_tg_reg);
++      return xt_register_targets(nflog_tg_reg, ARRAY_SIZE(nflog_tg_reg));
+ }
+ static void __exit nflog_tg_exit(void)
+ {
+-      xt_unregister_target(&nflog_tg_reg);
++      xt_unregister_targets(nflog_tg_reg, ARRAY_SIZE(nflog_tg_reg));
+ }
+ module_init(nflog_tg_init);
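Review bot: The entry added under `#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)` in `nflog_tg_reg[]` still sets `.family = NFPROTO_IPV4`, so the array holds two identical IPv4 registrations and none for IPv6; it should read `.family     = NFPROTO_IPV6,`. The same slip is in the `mark_tg_reg[]` hunk of xt_mark.c, where the IP6-guarded MARK entry is also `NFPROTO_IPV4`. Every other file in this patch uses `NFPROTO_IPV6` inside that guard, which suggests a copy-paste error rather than intent. With `NFPROTO_UNSPEC` removed, ip6tables rules that use NFLOG or MARK would presumably fail to load, which on a host that restores its IPv6 ruleset at boot can leave logging or filtering missing, so this is worth confirming before the backport ships.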
+diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
+index 80f6624e23554..4f49cfc278312 100644
+--- a/net/netfilter/xt_RATEEST.c
++++ b/net/netfilter/xt_RATEEST.c
+@@ -179,16 +179,31 @@ static void xt_rateest_tg_destroy(const struct xt_tgdtor_param *par)
+       xt_rateest_put(par->net, info->est);
+ }
+-static struct xt_target xt_rateest_tg_reg __read_mostly = {
+-      .name       = "RATEEST",
+-      .revision   = 0,
+-      .family     = NFPROTO_UNSPEC,
+-      .target     = xt_rateest_tg,
+-      .checkentry = xt_rateest_tg_checkentry,
+-      .destroy    = xt_rateest_tg_destroy,
+-      .targetsize = sizeof(struct xt_rateest_target_info),
+-      .usersize   = offsetof(struct xt_rateest_target_info, est),
+-      .me         = THIS_MODULE,
++static struct xt_target xt_rateest_tg_reg[] __read_mostly = {
++      {
++              .name       = "RATEEST",
++              .revision   = 0,
++              .family     = NFPROTO_IPV4,
++              .target     = xt_rateest_tg,
++              .checkentry = xt_rateest_tg_checkentry,
++              .destroy    = xt_rateest_tg_destroy,
++              .targetsize = sizeof(struct xt_rateest_target_info),
++              .usersize   = offsetof(struct xt_rateest_target_info, est),
++              .me         = THIS_MODULE,
++      },
++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
++      {
++              .name       = "RATEEST",
++              .revision   = 0,
++              .family     = NFPROTO_IPV6,
++              .target     = xt_rateest_tg,
++              .checkentry = xt_rateest_tg_checkentry,
++              .destroy    = xt_rateest_tg_destroy,
++              .targetsize = sizeof(struct xt_rateest_target_info),
++              .usersize   = offsetof(struct xt_rateest_target_info, est),
++              .me         = THIS_MODULE,
++      },
++#endif
+ };
+ static __net_init int xt_rateest_net_init(struct net *net)
+@@ -214,12 +229,12 @@ static int __init xt_rateest_tg_init(void)
+       if (err)
+               return err;
+-      return xt_register_target(&xt_rateest_tg_reg);
++      return xt_register_targets(xt_rateest_tg_reg, ARRAY_SIZE(xt_rateest_tg_reg));
+ }
+ static void __exit xt_rateest_tg_fini(void)
+ {
+-      xt_unregister_target(&xt_rateest_tg_reg);
++      xt_unregister_targets(xt_rateest_tg_reg, ARRAY_SIZE(xt_rateest_tg_reg));
+       unregister_pernet_subsys(&xt_rateest_net_ops);
+ }
+diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
+index 498a0bf6f0444..5bc5ea505eb9e 100644
+--- a/net/netfilter/xt_SECMARK.c
++++ b/net/netfilter/xt_SECMARK.c
+@@ -157,7 +157,7 @@ static struct xt_target secmark_tg_reg[] __read_mostly = {
+       {
+               .name           = "SECMARK",
+               .revision       = 0,
+-              .family         = NFPROTO_UNSPEC,
++              .family         = NFPROTO_IPV4,
+               .checkentry     = secmark_tg_check_v0,
+               .destroy        = secmark_tg_destroy,
+               .target         = secmark_tg_v0,
+@@ -167,7 +167,7 @@ static struct xt_target secmark_tg_reg[] __read_mostly = {
+       {
+               .name           = "SECMARK",
+               .revision       = 1,
+-              .family         = NFPROTO_UNSPEC,
++              .family         = NFPROTO_IPV4,
+               .checkentry     = secmark_tg_check_v1,
+               .destroy        = secmark_tg_destroy,
+               .target         = secmark_tg_v1,
+@@ -175,6 +175,29 @@ static struct xt_target secmark_tg_reg[] __read_mostly = {
+               .usersize       = offsetof(struct xt_secmark_target_info_v1, secid),
+               .me             = THIS_MODULE,
+       },
++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
++      {
++              .name           = "SECMARK",
++              .revision       = 0,
++              .family         = NFPROTO_IPV6,
++              .checkentry     = secmark_tg_check_v0,
++              .destroy        = secmark_tg_destroy,
++              .target         = secmark_tg_v0,
++              .targetsize     = sizeof(struct xt_secmark_target_info),
++              .me             = THIS_MODULE,
++      },
++      {
++              .name           = "SECMARK",
++              .revision       = 1,
++              .family         = NFPROTO_IPV6,
++              .checkentry     = secmark_tg_check_v1,
++              .destroy        = secmark_tg_destroy,
++              .target         = secmark_tg_v1,
++              .targetsize     = sizeof(struct xt_secmark_target_info_v1),
++              .usersize       = offsetof(struct xt_secmark_target_info_v1, secid),
++              .me             = THIS_MODULE,
++      },
++#endif
+ };
+ static int __init secmark_tg_init(void)
+diff --git a/net/netfilter/xt_TRACE.c b/net/netfilter/xt_TRACE.c
+index 5582dce98cae7..f3fa4f11348cd 100644
+--- a/net/netfilter/xt_TRACE.c
++++ b/net/netfilter/xt_TRACE.c
+@@ -29,25 +29,38 @@ trace_tg(struct sk_buff *skb, const struct xt_action_param *par)
+       return XT_CONTINUE;
+ }
+-static struct xt_target trace_tg_reg __read_mostly = {
+-      .name           = "TRACE",
+-      .revision       = 0,
+-      .family         = NFPROTO_UNSPEC,
+-      .table          = "raw",
+-      .target         = trace_tg,
+-      .checkentry     = trace_tg_check,
+-      .destroy        = trace_tg_destroy,
+-      .me             = THIS_MODULE,
++static struct xt_target trace_tg_reg[] __read_mostly = {
++      {
++              .name           = "TRACE",
++              .revision       = 0,
++              .family         = NFPROTO_IPV4,
++              .table          = "raw",
++              .target         = trace_tg,
++              .checkentry     = trace_tg_check,
++              .destroy        = trace_tg_destroy,
++              .me             = THIS_MODULE,
++      },
++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
++      {
++              .name           = "TRACE",
++              .revision       = 0,
++              .family         = NFPROTO_IPV6,
++              .table          = "raw",
++              .target         = trace_tg,
++              .checkentry     = trace_tg_check,
++              .destroy        = trace_tg_destroy,
++      },
++#endif
+ };
+ static int __init trace_tg_init(void)
+ {
+-      return xt_register_target(&trace_tg_reg);
++      return xt_register_targets(trace_tg_reg, ARRAY_SIZE(trace_tg_reg));
+ }
+ static void __exit trace_tg_exit(void)
+ {
+-      xt_unregister_target(&trace_tg_reg);
++      xt_unregister_targets(trace_tg_reg, ARRAY_SIZE(trace_tg_reg));
+ }
+ module_init(trace_tg_init);
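Review bot: The IPv6 entry added to `trace_tg_reg[]` has no `.me` member, unlike the IPv4 entry above it and every other IPv6 entry in this patch; add `.me             = THIS_MODULE,` after its `.destroy` line. Without an owner, the x_tables core presumably takes no module reference when an ip6tables rule uses TRACE, so the module could be unloaded while such a rule still points at `trace_tg`.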
+diff --git a/net/netfilter/xt_addrtype.c b/net/netfilter/xt_addrtype.c
+index e9b2181e8c425..a770889431071 100644
+--- a/net/netfilter/xt_addrtype.c
++++ b/net/netfilter/xt_addrtype.c
+@@ -208,13 +208,24 @@ static struct xt_match addrtype_mt_reg[] __read_mostly = {
+       },
+       {
+               .name           = "addrtype",
+-              .family         = NFPROTO_UNSPEC,
++              .family         = NFPROTO_IPV4,
+               .revision       = 1,
+               .match          = addrtype_mt_v1,
+               .checkentry     = addrtype_mt_checkentry_v1,
+               .matchsize      = sizeof(struct xt_addrtype_info_v1),
+               .me             = THIS_MODULE
+-      }
++      },
++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
++      {
++              .name           = "addrtype",
++              .family         = NFPROTO_IPV6,
++              .revision       = 1,
++              .match          = addrtype_mt_v1,
++              .checkentry     = addrtype_mt_checkentry_v1,
++              .matchsize      = sizeof(struct xt_addrtype_info_v1),
++              .me             = THIS_MODULE
++      },
++#endif
+ };
+ static int __init addrtype_mt_init(void)
+diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
+index a047a545371e1..908fd5f2c3c84 100644
+--- a/net/netfilter/xt_cluster.c
++++ b/net/netfilter/xt_cluster.c
+@@ -146,24 +146,37 @@ static void xt_cluster_mt_destroy(const struct xt_mtdtor_param *par)
+       nf_ct_netns_put(par->net, par->family);
+ }
+-static struct xt_match xt_cluster_match __read_mostly = {
+-      .name           = "cluster",
+-      .family         = NFPROTO_UNSPEC,
+-      .match          = xt_cluster_mt,
+-      .checkentry     = xt_cluster_mt_checkentry,
+-      .matchsize      = sizeof(struct xt_cluster_match_info),
+-      .destroy        = xt_cluster_mt_destroy,
+-      .me             = THIS_MODULE,
++static struct xt_match xt_cluster_match[] __read_mostly = {
++      {
++              .name           = "cluster",
++              .family         = NFPROTO_IPV4,
++              .match          = xt_cluster_mt,
++              .checkentry     = xt_cluster_mt_checkentry,
++              .matchsize      = sizeof(struct xt_cluster_match_info),
++              .destroy        = xt_cluster_mt_destroy,
++              .me             = THIS_MODULE,
++      },
++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
++      {
++              .name           = "cluster",
++              .family         = NFPROTO_IPV6,
++              .match          = xt_cluster_mt,
++              .checkentry     = xt_cluster_mt_checkentry,
++              .matchsize      = sizeof(struct xt_cluster_match_info),
++              .destroy        = xt_cluster_mt_destroy,
++              .me             = THIS_MODULE,
++      },
++#endif
+ };
+ static int __init xt_cluster_mt_init(void)
+ {
+-      return xt_register_match(&xt_cluster_match);
++      return xt_register_matches(xt_cluster_match, ARRAY_SIZE(xt_cluster_match));
+ }
+ static void __exit xt_cluster_mt_fini(void)
+ {
+-      xt_unregister_match(&xt_cluster_match);
++      xt_unregister_matches(xt_cluster_match, ARRAY_SIZE(xt_cluster_match));
+ }
+ MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
+diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
+index 93cb018c3055f..2aabdcea87072 100644
+--- a/net/netfilter/xt_connbytes.c
++++ b/net/netfilter/xt_connbytes.c
+@@ -111,9 +111,11 @@ static int connbytes_mt_check(const struct xt_mtchk_param *par)
+               return -EINVAL;
+       ret = nf_ct_netns_get(par->net, par->family);
+-      if (ret < 0)
++      if (ret < 0) {
+               pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
+                                   par->family);
++              return ret;
++      }
+       /*
+        * This filter cannot function correctly unless connection tracking
+diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
+index 5d04ef80a61dc..d1d0fa6c8061e 100644
+--- a/net/netfilter/xt_connlimit.c
++++ b/net/netfilter/xt_connlimit.c
+@@ -106,26 +106,41 @@ static void connlimit_mt_destroy(const struct xt_mtdtor_param *par)
+       nf_conncount_destroy(par->net, par->family, info->data);
+ }
+-static struct xt_match connlimit_mt_reg __read_mostly = {
+-      .name       = "connlimit",
+-      .revision   = 1,
+-      .family     = NFPROTO_UNSPEC,
+-      .checkentry = connlimit_mt_check,
+-      .match      = connlimit_mt,
+-      .matchsize  = sizeof(struct xt_connlimit_info),
+-      .usersize   = offsetof(struct xt_connlimit_info, data),
+-      .destroy    = connlimit_mt_destroy,
+-      .me         = THIS_MODULE,
++static struct xt_match connlimit_mt_reg[] __read_mostly = {
++      {
++              .name       = "connlimit",
++              .revision   = 1,
++              .family     = NFPROTO_IPV4,
++              .checkentry = connlimit_mt_check,
++              .match      = connlimit_mt,
++              .matchsize  = sizeof(struct xt_connlimit_info),
++              .usersize   = offsetof(struct xt_connlimit_info, data),
++              .destroy    = connlimit_mt_destroy,
++              .me         = THIS_MODULE,
++      },
++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
++      {
++              .name       = "connlimit",
++              .revision   = 1,
++              .family     = NFPROTO_IPV6,
++              .checkentry = connlimit_mt_check,
++              .match      = connlimit_mt,
++              .matchsize  = sizeof(struct xt_connlimit_info),
++              .usersize   = offsetof(struct xt_connlimit_info, data),
++              .destroy    = connlimit_mt_destroy,
++              .me         = THIS_MODULE,
++      },
++#endif
+ };
+ static int __init connlimit_mt_init(void)
+ {
+-      return xt_register_match(&connlimit_mt_reg);
++      return xt_register_matches(connlimit_mt_reg, ARRAY_SIZE(connlimit_mt_reg));
+ }
+ static void __exit connlimit_mt_exit(void)
+ {
+-      xt_unregister_match(&connlimit_mt_reg);
++      xt_unregister_matches(connlimit_mt_reg, ARRAY_SIZE(connlimit_mt_reg));
+ }
+ module_init(connlimit_mt_init);
+diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
+index ad3c033db64e7..4277084de2e70 100644
+--- a/net/netfilter/xt_connmark.c
++++ b/net/netfilter/xt_connmark.c
+@@ -151,7 +151,7 @@ static struct xt_target connmark_tg_reg[] __read_mostly = {
+       {
+               .name           = "CONNMARK",
+               .revision       = 1,
+-              .family         = NFPROTO_UNSPEC,
++              .family         = NFPROTO_IPV4,
+               .checkentry     = connmark_tg_check,
+               .target         = connmark_tg,
+               .targetsize     = sizeof(struct xt_connmark_tginfo1),
+@@ -161,13 +161,35 @@ static struct xt_target connmark_tg_reg[] __read_mostly = {
+       {
+               .name           = "CONNMARK",
+               .revision       = 2,
+-              .family         = NFPROTO_UNSPEC,
++              .family         = NFPROTO_IPV4,
+               .checkentry     = connmark_tg_check,
+               .target         = connmark_tg_v2,
+               .targetsize     = sizeof(struct xt_connmark_tginfo2),
+               .destroy        = connmark_tg_destroy,
+               .me             = THIS_MODULE,
+-      }
++      },
++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
++      {
++              .name           = "CONNMARK",
++              .revision       = 1,
++              .family         = NFPROTO_IPV6,
++              .checkentry     = connmark_tg_check,
++              .target         = connmark_tg,
++              .targetsize     = sizeof(struct xt_connmark_tginfo1),
++              .destroy        = connmark_tg_destroy,
++              .me             = THIS_MODULE,
++      },
++      {
++              .name           = "CONNMARK",
++              .revision       = 2,
++              .family         = NFPROTO_IPV6,
++              .checkentry     = connmark_tg_check,
++              .target         = connmark_tg_v2,
++              .targetsize     = sizeof(struct xt_connmark_tginfo2),
++              .destroy        = connmark_tg_destroy,
++              .me             = THIS_MODULE,
++      },
++#endif
+ };
+ static struct xt_match connmark_mt_reg __read_mostly = {
+diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
+index 1ad74b5920b53..f76fe04fc9a4e 100644
+--- a/net/netfilter/xt_mark.c
++++ b/net/netfilter/xt_mark.c
+@@ -39,13 +39,35 @@ mark_mt(const struct sk_buff *skb, struct xt_action_param *par)
+       return ((skb->mark & info->mask) == info->mark) ^ info->invert;
+ }
+-static struct xt_target mark_tg_reg __read_mostly = {
+-      .name           = "MARK",
+-      .revision       = 2,
+-      .family         = NFPROTO_UNSPEC,
+-      .target         = mark_tg,
+-      .targetsize     = sizeof(struct xt_mark_tginfo2),
+-      .me             = THIS_MODULE,
++static struct xt_target mark_tg_reg[] __read_mostly = {
++      {
++              .name           = "MARK",
++              .revision       = 2,
++              .family         = NFPROTO_IPV4,
++              .target         = mark_tg,
++              .targetsize     = sizeof(struct xt_mark_tginfo2),
++              .me             = THIS_MODULE,
++      },
++#if IS_ENABLED(CONFIG_IP_NF_ARPTABLES)
++      {
++              .name           = "MARK",
++              .revision       = 2,
++              .family         = NFPROTO_ARP,
++              .target         = mark_tg,
++              .targetsize     = sizeof(struct xt_mark_tginfo2),
++              .me             = THIS_MODULE,
++      },
++#endif
++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
++      {
++              .name           = "MARK",
++              .revision       = 2,
++              .family         = NFPROTO_IPV4,
++              .target         = mark_tg,
++              .targetsize     = sizeof(struct xt_mark_tginfo2),
++              .me             = THIS_MODULE,
++      },
++#endif
+ };
+ static struct xt_match mark_mt_reg __read_mostly = {
+@@ -61,12 +83,12 @@ static int __init mark_mt_init(void)
+ {
+       int ret;
+-      ret = xt_register_target(&mark_tg_reg);
++      ret = xt_register_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg));
+       if (ret < 0)
+               return ret;
+       ret = xt_register_match(&mark_mt_reg);
+       if (ret < 0) {
+-              xt_unregister_target(&mark_tg_reg);
++              xt_unregister_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg));
+               return ret;
+       }
+       return 0;
+@@ -75,7 +97,7 @@ static int __init mark_mt_init(void)
+ static void __exit mark_mt_exit(void)
+ {
+       xt_unregister_match(&mark_mt_reg);
+-      xt_unregister_target(&mark_tg_reg);
++      xt_unregister_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg));
+ }
+ module_init(mark_mt_init);
+-- 
+2.43.0
+
diff --git a/queue-6.11/nfsd-fix-possible-badness-in-free_stateid.patch b/queue-6.11/nfsd-fix-possible-badness-in-free_stateid.patch
new file mode 100644 (file)
index 0000000..a23593f
--- /dev/null
@@ -0,0 +1,44 @@
+From 3d86b3c6c500ddff93b85653e2df8f01707c13a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2024 18:04:03 -0400
+Subject: nfsd: fix possible badness in FREE_STATEID
+
+From: Olga Kornievskaia <okorniev@redhat.com>
+
+[ Upstream commit c88c150a467fcb670a1608e2272beeee3e86df6e ]
+
+When multiple FREE_STATEIDs are sent for the same delegation stateid,
+it can lead to a possible either use-after-free or counter refcount
+underflow errors.
+
+In nfsd4_free_stateid() under the client lock we find a delegation
+stateid, however the code drops the lock before calling nfs4_put_stid(),
+that allows another FREE_STATE to find the stateid again. The first one
+will proceed to then free the stateid which leads to either
+use-after-free or decrementing already zeroed counter.
+
+Fixes: 3f29cc82a84c ("nfsd: split sc_status out of sc_type")
+Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4state.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
+index 3837f4e417247..64cf5d7b7a4e2 100644
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -7158,6 +7158,7 @@ nfsd4_free_stateid(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
+       switch (s->sc_type) {
+       case SC_TYPE_DELEG:
+               if (s->sc_status & SC_STATUS_REVOKED) {
++                      s->sc_status |= SC_STATUS_CLOSED;
+                       spin_unlock(&s->sc_lock);
+                       dp = delegstateid(s);
+                       list_del_init(&dp->dl_recall_lru);
+-- 
+2.43.0
+
diff --git a/queue-6.11/nfsd-mark-filecache-down-if-init-fails.patch b/queue-6.11/nfsd-mark-filecache-down-if-init-fails.patch
new file mode 100644 (file)
index 0000000..5abbbc1
--- /dev/null
@@ -0,0 +1,48 @@
+From 16e350ade9ba060aff920403f84b4e8eab82ddf1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Sep 2024 14:25:37 -0400
+Subject: NFSD: Mark filecache "down" if init fails
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit dc0d0f885aa422f621bc1c2124133eff566b0bc8 ]
+
+NeilBrown says:
+> The handling of NFSD_FILE_CACHE_UP is strange.  nfsd_file_cache_init()
+> sets it, but doesn't clear it on failure.  So if nfsd_file_cache_init()
+> fails for some reason, nfsd_file_cache_shutdown() would still try to
+> clean up if it was called.
+
+Reported-by: NeilBrown <neilb@suse.de>
+Fixes: c7b824c3d06c ("NFSD: Replace the "init once" mechanism")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/filecache.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfsd/filecache.c b/fs/nfsd/filecache.c
+index e2e248032bfd0..5583db806b0bc 100644
+--- a/fs/nfsd/filecache.c
++++ b/fs/nfsd/filecache.c
+@@ -719,7 +719,7 @@ nfsd_file_cache_init(void)
+       ret = rhltable_init(&nfsd_file_rhltable, &nfsd_file_rhash_params);
+       if (ret)
+-              return ret;
++              goto out;
+       ret = -ENOMEM;
+       nfsd_file_slab = KMEM_CACHE(nfsd_file, 0);
+@@ -771,6 +771,8 @@ nfsd_file_cache_init(void)
+       INIT_DELAYED_WORK(&nfsd_filecache_laundrette, nfsd_file_gc_worker);
+ out:
++      if (ret)
++              clear_bit(NFSD_FILE_CACHE_UP, &nfsd_file_flags);
+       return ret;
+ out_notifier:
+       lease_unregister_notifier(&nfsd_file_lease_notifier);
+-- 
+2.43.0
+
diff --git a/queue-6.11/nfsd-nfsd_destroy_serv-must-call-svc_destroy-even-if.patch b/queue-6.11/nfsd-nfsd_destroy_serv-must-call-svc_destroy-even-if.patch
new file mode 100644 (file)
index 0000000..11acda5
--- /dev/null
@@ -0,0 +1,50 @@
+From 6a64d0925e325df567e5a1b03edf982574c95767 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Sep 2024 09:46:05 +1000
+Subject: nfsd: nfsd_destroy_serv() must call svc_destroy() even if
+ nfsd_startup_net() failed
+
+From: NeilBrown <neilb@suse.de>
+
+[ Upstream commit 53e4e17557049d7688ca9dadeae80864d40cf0b7 ]
+
+If nfsd_startup_net() fails and so ->nfsd_net_up is false,
+nfsd_destroy_serv() doesn't currently call svc_destroy().  It should.
+
+Fixes: 1e3577a4521e ("SUNRPC: discard sv_refcnt, and svc_get/svc_put")
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfssvc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c
+index 8103c3c90cd11..58523b4c37de0 100644
+--- a/fs/nfsd/nfssvc.c
++++ b/fs/nfsd/nfssvc.c
+@@ -449,6 +449,9 @@ static void nfsd_shutdown_net(struct net *net)
+ {
+       struct nfsd_net *nn = net_generic(net, nfsd_net_id);
++      if (!nn->nfsd_net_up)
++              return;
++      nfsd_export_flush(net);
+       nfs4_state_shutdown_net(net);
+       nfsd_reply_cache_shutdown(nn);
+       nfsd_file_cache_shutdown_net(net);
+@@ -556,11 +559,8 @@ void nfsd_destroy_serv(struct net *net)
+        * other initialization has been done except the rpcb information.
+        */
+       svc_rpcb_cleanup(serv, net);
+-      if (!nn->nfsd_net_up)
+-              return;
+       nfsd_shutdown_net(net);
+-      nfsd_export_flush(net);
+       svc_destroy(&serv);
+ }
+-- 
+2.43.0
+
diff --git a/queue-6.11/nfsv4-prevent-null-pointer-dereference-in-nfs42_comp.patch b/queue-6.11/nfsv4-prevent-null-pointer-dereference-in-nfs42_comp.patch
new file mode 100644 (file)
index 0000000..55a2fb7
--- /dev/null
@@ -0,0 +1,151 @@
+From ecd2a481e178346ffebf21e80eb635d7f7cf1fdc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 16:39:30 +0800
+Subject: NFSv4: Prevent NULL-pointer dereference in nfs42_complete_copies()
+
+From: Yanjun Zhang <zhangyanjun@cestc.cn>
+
+[ Upstream commit a848c29e3486189aaabd5663bc11aea50c5bd144 ]
+
+On the node of an NFS client, some files saved in the mountpoint of the
+NFS server were copied to another location of the same NFS server.
+Accidentally, the nfs42_complete_copies() got a NULL-pointer dereference
+crash with the following syslog:
+
+[232064.838881] NFSv4: state recovery failed for open file nfs/pvc-12b5200d-cd0f-46a3-b9f0-af8f4fe0ef64.qcow2, error = -116
+[232064.839360] NFSv4: state recovery failed for open file nfs/pvc-12b5200d-cd0f-46a3-b9f0-af8f4fe0ef64.qcow2, error = -116
+[232066.588183] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058
+[232066.588586] Mem abort info:
+[232066.588701]   ESR = 0x0000000096000007
+[232066.588862]   EC = 0x25: DABT (current EL), IL = 32 bits
+[232066.589084]   SET = 0, FnV = 0
+[232066.589216]   EA = 0, S1PTW = 0
+[232066.589340]   FSC = 0x07: level 3 translation fault
+[232066.589559] Data abort info:
+[232066.589683]   ISV = 0, ISS = 0x00000007
+[232066.589842]   CM = 0, WnR = 0
+[232066.589967] user pgtable: 64k pages, 48-bit VAs, pgdp=00002000956ff400
+[232066.590231] [0000000000000058] pgd=08001100ae100003, p4d=08001100ae100003, pud=08001100ae100003, pmd=08001100b3c00003, pte=0000000000000000
+[232066.590757] Internal error: Oops: 96000007 [#1] SMP
+[232066.590958] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm vhost_net vhost vhost_iotlb tap tun ipt_rpfilter xt_multiport ip_set_hash_ip ip_set_hash_net xfrm_interface xfrm6_tunnel tunnel4 tunnel6 esp4 ah4 wireguard libcurve25519_generic veth xt_addrtype xt_set nf_conntrack_netlink ip_set_hash_ipportnet ip_set_hash_ipportip ip_set_bitmap_port ip_set_hash_ipport dummy ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs iptable_filter sch_ingress nfnetlink_cttimeout vport_gre ip_gre ip_tunnel gre vport_geneve geneve vport_vxlan vxlan ip6_udp_tunnel udp_tunnel openvswitch nf_conncount dm_round_robin dm_service_time dm_multipath xt_nat xt_MASQUERADE nft_chain_nat nf_nat xt_mark xt_conntrack xt_comment nft_compat nft_counter nf_tables nfnetlink ocfs2 ocfs2_nodemanager ocfs2_stackglue iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ipmi_ssif nbd overlay 8021q garp mrp bonding tls rfkill sunrpc ext4 mbcache jbd2
+[232066.591052]  vfat fat cas_cache cas_disk ses enclosure scsi_transport_sas sg acpi_ipmi ipmi_si ipmi_devintf ipmi_msghandler ip_tables vfio_pci vfio_pci_core vfio_virqfd vfio_iommu_type1 vfio dm_mirror dm_region_hash dm_log dm_mod nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc fuse xfs libcrc32c ast drm_vram_helper qla2xxx drm_kms_helper syscopyarea crct10dif_ce sysfillrect ghash_ce sysimgblt sha2_ce fb_sys_fops cec sha256_arm64 sha1_ce drm_ttm_helper ttm nvme_fc igb sbsa_gwdt nvme_fabrics drm nvme_core i2c_algo_bit i40e scsi_transport_fc megaraid_sas aes_neon_bs
+[232066.596953] CPU: 6 PID: 4124696 Comm: 10.253.166.125- Kdump: loaded Not tainted 5.15.131-9.cl9_ocfs2.aarch64 #1
+[232066.597356] Hardware name: Great Wall .\x93\x8e...RF6260 V5/GWMSSE2GL1T, BIOS T656FBE_V3.0.18 2024-01-06
+[232066.597721] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[232066.598034] pc : nfs4_reclaim_open_state+0x220/0x800 [nfsv4]
+[232066.598327] lr : nfs4_reclaim_open_state+0x12c/0x800 [nfsv4]
+[232066.598595] sp : ffff8000f568fc70
+[232066.598731] x29: ffff8000f568fc70 x28: 0000000000001000 x27: ffff21003db33000
+[232066.599030] x26: ffff800005521ae0 x25: ffff0100f98fa3f0 x24: 0000000000000001
+[232066.599319] x23: ffff800009920008 x22: ffff21003db33040 x21: ffff21003db33050
+[232066.599628] x20: ffff410172fe9e40 x19: ffff410172fe9e00 x18: 0000000000000000
+[232066.599914] x17: 0000000000000000 x16: 0000000000000004 x15: 0000000000000000
+[232066.600195] x14: 0000000000000000 x13: ffff800008e685a8 x12: 00000000eac0c6e6
+[232066.600498] x11: 0000000000000000 x10: 0000000000000008 x9 : ffff8000054e5828
+[232066.600784] x8 : 00000000ffffffbf x7 : 0000000000000001 x6 : 000000000a9eb14a
+[232066.601062] x5 : 0000000000000000 x4 : ffff70ff8a14a800 x3 : 0000000000000058
+[232066.601348] x2 : 0000000000000001 x1 : 54dce46366daa6c6 x0 : 0000000000000000
+[232066.601636] Call trace:
+[232066.601749]  nfs4_reclaim_open_state+0x220/0x800 [nfsv4]
+[232066.601998]  nfs4_do_reclaim+0x1b8/0x28c [nfsv4]
+[232066.602218]  nfs4_state_manager+0x928/0x10f0 [nfsv4]
+[232066.602455]  nfs4_run_state_manager+0x78/0x1b0 [nfsv4]
+[232066.602690]  kthread+0x110/0x114
+[232066.602830]  ret_from_fork+0x10/0x20
+[232066.602985] Code: 1400000d f9403f20 f9402e61 91016003 (f9402c00)
+[232066.603284] SMP: stopping secondary CPUs
+[232066.606936] Starting crashdump kernel...
+[232066.607146] Bye!
+
+Analysing the vmcore, we know that nfs4_copy_state listed by destination
+nfs_server->ss_copies was added by the field copies in handle_async_copy(),
+and we found a waiting copy process with the stack as:
+PID: 3511963  TASK: ffff710028b47e00  CPU: 0   COMMAND: "cp"
+ #0 [ffff8001116ef740] __switch_to at ffff8000081b92f4
+ #1 [ffff8001116ef760] __schedule at ffff800008dd0650
+ #2 [ffff8001116ef7c0] schedule at ffff800008dd0a00
+ #3 [ffff8001116ef7e0] schedule_timeout at ffff800008dd6aa0
+ #4 [ffff8001116ef860] __wait_for_common at ffff800008dd166c
+ #5 [ffff8001116ef8e0] wait_for_completion_interruptible at ffff800008dd1898
+ #6 [ffff8001116ef8f0] handle_async_copy at ffff8000055142f4 [nfsv4]
+ #7 [ffff8001116ef970] _nfs42_proc_copy at ffff8000055147c8 [nfsv4]
+ #8 [ffff8001116efa80] nfs42_proc_copy at ffff800005514cf0 [nfsv4]
+ #9 [ffff8001116efc50] __nfs4_copy_file_range.constprop.0 at ffff8000054ed694 [nfsv4]
+
+The NULL-pointer dereference was due to nfs42_complete_copies() listed
+the nfs_server->ss_copies by the field ss_copies of nfs4_copy_state.
+So the nfs4_copy_state address ffff0100f98fa3f0 was offset by 0x10 and
+the data accessed through this pointer was also incorrect. Generally,
+the ordered list nfs4_state_owner->so_states indicate open(O_RDWR) or
+open(O_WRITE) states are reclaimed firstly by nfs4_reclaim_open_state().
+When destination state reclaim is failed with NFS_STATE_RECOVERY_FAILED
+and copies are not deleted in nfs_server->ss_copies, the source state
+may be passed to the nfs42_complete_copies() process earlier, resulting
+in this crash scene finally. To solve this issue, we add a list_head
+nfs_server->ss_src_copies for a server-to-server copy specially.
+
+Fixes: 0e65a32c8a56 ("NFS: handle source server reboot")
+Signed-off-by: Yanjun Zhang <zhangyanjun@cestc.cn>
+Reviewed-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/client.c           | 1 +
+ fs/nfs/nfs42proc.c        | 2 +-
+ fs/nfs/nfs4state.c        | 2 +-
+ include/linux/nfs_fs_sb.h | 1 +
+ 4 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfs/client.c b/fs/nfs/client.c
+index 8286edd6062de..c49d5cce5ce6a 100644
+--- a/fs/nfs/client.c
++++ b/fs/nfs/client.c
+@@ -983,6 +983,7 @@ struct nfs_server *nfs_alloc_server(void)
+       INIT_LIST_HEAD(&server->layouts);
+       INIT_LIST_HEAD(&server->state_owners_lru);
+       INIT_LIST_HEAD(&server->ss_copies);
++      INIT_LIST_HEAD(&server->ss_src_copies);
+       atomic_set(&server->active, 0);
+diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c
+index 28704f924612c..531c9c20ef1d1 100644
+--- a/fs/nfs/nfs42proc.c
++++ b/fs/nfs/nfs42proc.c
+@@ -218,7 +218,7 @@ static int handle_async_copy(struct nfs42_copy_res *res,
+       if (dst_server != src_server) {
+               spin_lock(&src_server->nfs_client->cl_lock);
+-              list_add_tail(&copy->src_copies, &src_server->ss_copies);
++              list_add_tail(&copy->src_copies, &src_server->ss_src_copies);
+               spin_unlock(&src_server->nfs_client->cl_lock);
+       }
+diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
+index 30aba1dedaba6..9795b3591fda7 100644
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -1596,7 +1596,7 @@ static void nfs42_complete_copies(struct nfs4_state_owner *sp, struct nfs4_state
+                       complete(&copy->completion);
+               }
+       }
+-      list_for_each_entry(copy, &sp->so_server->ss_copies, src_copies) {
++      list_for_each_entry(copy, &sp->so_server->ss_src_copies, src_copies) {
+               if ((test_bit(NFS_CLNT_SRC_SSC_COPY_STATE, &state->flags) &&
+                               !nfs4_stateid_match_other(&state->stateid,
+                               &copy->parent_src_state->stateid)))
+diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h
+index 1df86ab98c775..793a4a610db2c 100644
+--- a/include/linux/nfs_fs_sb.h
++++ b/include/linux/nfs_fs_sb.h
+@@ -240,6 +240,7 @@ struct nfs_server {
+       struct list_head        layouts;
+       struct list_head        delegations;
+       struct list_head        ss_copies;
++      struct list_head        ss_src_copies;
+       unsigned long           delegation_gen;
+       unsigned long           mig_gen;
+-- 
+2.43.0
+
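Review bot: The two list heads in the include/linux/nfs_fs_sb.h hunk carry no comment saying which member of nfs4_copy_state links into each, and walking one list through the wrong member is exactly what the commit message describes as the cause of the crash. I would document them where they are declared, e.g. `struct list_head ss_copies; /* nfs4_copy_state.copies (destination side) */` and `struct list_head ss_src_copies; /* nfs4_copy_state.src_copies (source side of a server-to-server copy) */`. The list_add_tail() in handle_async_copy() is done under src_server->nfs_client->cl_lock. The locking around the list_for_each_entry() in nfs42_complete_copies() lies outside the hunk, so it should be checked that the new head is walked under the same lock.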
diff --git a/queue-6.11/nouveau-dmem-fix-privileged-error-in-copy-engine-cha.patch b/queue-6.11/nouveau-dmem-fix-privileged-error-in-copy-engine-cha.patch
new file mode 100644 (file)
index 0000000..e56ea54
--- /dev/null
@@ -0,0 +1,46 @@
+From cbfe47f707ff60718cba2eff83efab0187257ae8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 14:59:42 +0300
+Subject: nouveau/dmem: Fix privileged error in copy engine channel
+
+From: Yonatan Maman <Ymaman@Nvidia.com>
+
+[ Upstream commit 04e0481526e30ab8c7e7580033d2f88b7ef2da3f ]
+
+When `nouveau_dmem_copy_one` is called, the following error occurs:
+
+[272146.675156] nouveau 0000:06:00.0: fifo: PBDMA9: 00000004 [HCE_PRIV]
+ch 1 00000300 00003386
+
+This indicates that a copy push command triggered a Host Copy Engine
+Privileged error on channel 1 (Copy Engine channel). To address this
+issue, modify the Copy Engine channel to allow privileged push commands
+
+Fixes: 6de125383a5c ("drm/nouveau/fifo: expose runlist topology info on all chipsets")
+Signed-off-by: Yonatan Maman <Ymaman@Nvidia.com>
+Co-developed-by: Gal Shalom <GalShalom@Nvidia.com>
+Signed-off-by: Gal Shalom <GalShalom@Nvidia.com>
+Reviewed-by: Ben Skeggs <bskeggs@nvidia.com>
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241008115943.990286-2-ymaman@nvidia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_drm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c
+index 88413b5c8684a..bfba4e374df44 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_drm.c
++++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
+@@ -356,7 +356,7 @@ nouveau_accel_ce_init(struct nouveau_drm *drm)
+               return;
+       }
+-      ret = nouveau_channel_new(&drm->client, false, runm, NvDmaFB, NvDmaTT, &drm->cechan);
++      ret = nouveau_channel_new(&drm->client, true, runm, NvDmaFB, NvDmaTT, &drm->cechan);
+       if (ret)
+               NV_ERROR(drm, "failed to create ce channel, %d\n", ret);
+ }
+-- 
+2.43.0
+
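Review bot: The call in nouveau_accel_ce_init() now passes a bare `true` as the second argument of nouveau_channel_new(), so the fact that the copy-engine channel is created privileged, and why, is not visible at the call site. A comment above the call would record it, for example `/* CE channel must be privileged: dmem copy pushes otherwise fault with HCE_PRIV */`. Because this raises the privilege of a channel, it is also worth stating in the commit or the comment that drm->cechan is only driven by kernel code; the visible call uses &drm->client, which suggests so, but the users of cechan are outside this hunk.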
diff --git a/queue-6.11/phonet-handle-error-of-rtnl_register_module.patch b/queue-6.11/phonet-handle-error-of-rtnl_register_module.patch
new file mode 100644 (file)
index 0000000..279f857
--- /dev/null
@@ -0,0 +1,78 @@
+From 3c5a4e9b4ed8122f2a8365120100365d7bf182cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 11:47:37 -0700
+Subject: phonet: Handle error of rtnl_register_module().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit b5e837c86041bef60f36cf9f20a641a30764379a ]
+
+Before commit addf9b90de22 ("net: rtnetlink: use rcu to free rtnl
+message handlers"), once the first rtnl_register_module() allocated
+rtnl_msg_handlers[PF_PHONET], the following calls never failed.
+
+However, after the commit, rtnl_register_module() could fail silently
+to allocate rtnl_msg_handlers[PF_PHONET][msgtype] and requires error
+handling for each call.
+
+Handling the error allows users to view a module as an all-or-nothing
+thing in terms of the rtnetlink functionality.  This prevents syzkaller
+from reporting spurious errors from its tests, where OOM often occurs
+and module is automatically loaded.
+
+Let's use rtnl_register_many() to handle the errors easily.
+
+Fixes: addf9b90de22 ("net: rtnetlink: use rcu to free rtnl message handlers")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Acked-by: Rémi Denis-Courmont <courmisch@gmail.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/phonet/pn_netlink.c | 28 +++++++++++-----------------
+ 1 file changed, 11 insertions(+), 17 deletions(-)
+
+diff --git a/net/phonet/pn_netlink.c b/net/phonet/pn_netlink.c
+index 7008d402499d5..894e5c72d6bff 100644
+--- a/net/phonet/pn_netlink.c
++++ b/net/phonet/pn_netlink.c
+@@ -285,23 +285,17 @@ static int route_dumpit(struct sk_buff *skb, struct netlink_callback *cb)
+       return err;
+ }
++static const struct rtnl_msg_handler phonet_rtnl_msg_handlers[] __initdata_or_module = {
++      {THIS_MODULE, PF_PHONET, RTM_NEWADDR, addr_doit, NULL, 0},
++      {THIS_MODULE, PF_PHONET, RTM_DELADDR, addr_doit, NULL, 0},
++      {THIS_MODULE, PF_PHONET, RTM_GETADDR, NULL, getaddr_dumpit, 0},
++      {THIS_MODULE, PF_PHONET, RTM_NEWROUTE, route_doit, NULL, 0},
++      {THIS_MODULE, PF_PHONET, RTM_DELROUTE, route_doit, NULL, 0},
++      {THIS_MODULE, PF_PHONET, RTM_GETROUTE, NULL, route_dumpit,
++       RTNL_FLAG_DUMP_UNLOCKED},
++};
++
+ int __init phonet_netlink_register(void)
+ {
+-      int err = rtnl_register_module(THIS_MODULE, PF_PHONET, RTM_NEWADDR,
+-                                     addr_doit, NULL, 0);
+-      if (err)
+-              return err;
+-
+-      /* Further rtnl_register_module() cannot fail */
+-      rtnl_register_module(THIS_MODULE, PF_PHONET, RTM_DELADDR,
+-                           addr_doit, NULL, 0);
+-      rtnl_register_module(THIS_MODULE, PF_PHONET, RTM_GETADDR,
+-                           NULL, getaddr_dumpit, 0);
+-      rtnl_register_module(THIS_MODULE, PF_PHONET, RTM_NEWROUTE,
+-                           route_doit, NULL, 0);
+-      rtnl_register_module(THIS_MODULE, PF_PHONET, RTM_DELROUTE,
+-                           route_doit, NULL, 0);
+-      rtnl_register_module(THIS_MODULE, PF_PHONET, RTM_GETROUTE,
+-                           NULL, route_dumpit, RTNL_FLAG_DUMP_UNLOCKED);
+-      return 0;
++      return rtnl_register_many(phonet_rtnl_msg_handlers);
+ }
+-- 
+2.43.0
+
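Review bot: The entries of phonet_rtnl_msg_handlers[] use positional initializers, so every row depends on the exact member order of struct rtnl_msg_handler and each NULL has to be counted to tell doit from dumpit. Designated initializers would make the table self-describing and robust against a reordered or extended struct, e.g. `{.owner = THIS_MODULE, .protocol = PF_PHONET, .msgtype = RTM_NEWADDR, .doit = addr_doit},` and `{.owner = THIS_MODULE, .protocol = PF_PHONET, .msgtype = RTM_GETROUTE, .dumpit = route_dumpit, .flags = RTNL_FLAG_DUMP_UNLOCKED},`. Omitted members are zero-initialised, so the explicit NULL and 0 values can be dropped.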
diff --git a/queue-6.11/powercap-intel_rapl_tpmi-ignore-minor-version-change.patch b/queue-6.11/powercap-intel_rapl_tpmi-ignore-minor-version-change.patch
new file mode 100644 (file)
index 0000000..818c038
--- /dev/null
@@ -0,0 +1,80 @@
+From e4365c2c541f9e0b843352ca09496ebfc03fb478 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2024 16:17:58 +0800
+Subject: powercap: intel_rapl_tpmi: Ignore minor version change
+
+From: Zhang Rui <rui.zhang@intel.com>
+
+[ Upstream commit 1d390923974cc233245649cf23833e06b15a9ef7 ]
+
+The hardware definition of every TPMI feature contains a major and minor
+version. When there is a change in the MMIO offset or change in the
+definition of a field, hardware will change major version. For addition
+of new fields without modifying existing MMIO offsets or fields, only
+the minor version is changed.
+
+If the driver has not been updated to recognize a new hardware major
+version, it cannot provide the RAPL interface to users due to possible
+register layout incompatibilities. However, the driver does not need to
+be updated every time the hardware minor version changes because in that
+case it will just miss some new functionality exposed by the hardware.
+
+The current implementation causes the driver to refuse to work for any
+hardware version change which is unnecessarily restrictive.
+
+If there is a minor version mismatch, log an information message and
+continue, but if there is a major version mismatch, log a warning and
+exit (as before).
+
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Reviewed-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Link: https://patch.msgid.link/20240930081801.28502-4-rui.zhang@intel.com
+Fixes: 9eef7f9da928 ("powercap: intel_rapl: Introduce RAPL TPMI interface driver")
+[ rjw: Changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/powercap/intel_rapl_tpmi.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/powercap/intel_rapl_tpmi.c b/drivers/powercap/intel_rapl_tpmi.c
+index 947544e4d229a..0c55a80d01909 100644
+--- a/drivers/powercap/intel_rapl_tpmi.c
++++ b/drivers/powercap/intel_rapl_tpmi.c
+@@ -15,7 +15,8 @@
+ #include <linux/module.h>
+ #include <linux/slab.h>
+-#define TPMI_RAPL_VERSION 1
++#define TPMI_RAPL_MAJOR_VERSION 0
++#define TPMI_RAPL_MINOR_VERSION 1
+ /* 1 header + 10 registers + 5 reserved. 8 bytes for each. */
+ #define TPMI_RAPL_DOMAIN_SIZE 128
+@@ -154,11 +155,21 @@ static int parse_one_domain(struct tpmi_rapl_package *trp, u32 offset)
+       tpmi_domain_size = tpmi_domain_header >> 16 & 0xff;
+       tpmi_domain_flags = tpmi_domain_header >> 32 & 0xffff;
+-      if (tpmi_domain_version != TPMI_RAPL_VERSION) {
+-              pr_warn(FW_BUG "Unsupported version:%d\n", tpmi_domain_version);
++      if (tpmi_domain_version == TPMI_VERSION_INVALID) {
++              pr_warn(FW_BUG "Invalid version\n");
+               return -ENODEV;
+       }
++      if (TPMI_MAJOR_VERSION(tpmi_domain_version) != TPMI_RAPL_MAJOR_VERSION) {
++              pr_warn(FW_BUG "Unsupported major version:%ld\n",
++                      TPMI_MAJOR_VERSION(tpmi_domain_version));
++              return -ENODEV;
++      }
++
++      if (TPMI_MINOR_VERSION(tpmi_domain_version) > TPMI_RAPL_MINOR_VERSION)
++              pr_info("Ignore: Unsupported minor version:%ld\n",
++                      TPMI_MINOR_VERSION(tpmi_domain_version));
++
+       /* Domain size: in unit of 128 Bytes */
+       if (tpmi_domain_size != 1) {
+               pr_warn(FW_BUG "Invalid Domain size %d\n", tpmi_domain_size);
+-- 
+2.43.0
+
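Review bot: In parse_one_domain(), a minor version below TPMI_RAPL_MINOR_VERSION now passes without any message: the removed check rejected every value other than 1, while the new code only reports minors greater than 1. Assuming the major and minor macros split the same version field, a header reporting major 0, minor 0 was refused before and is accepted silently now; whether the driver relies on anything introduced with minor 1 cannot be determined from this hunk. Either add a comment stating that older minors are layout-compatible, or report them as well with `if (TPMI_MINOR_VERSION(tpmi_domain_version) != TPMI_RAPL_MINOR_VERSION)`. The function starts and ends outside the hunk.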
diff --git a/queue-6.11/ppp-fix-ppp_async_encode-illegal-access.patch b/queue-6.11/ppp-fix-ppp_async_encode-illegal-access.patch
new file mode 100644 (file)
index 0000000..ae580ee
--- /dev/null
@@ -0,0 +1,91 @@
+From 2d78c2e99fa47cbb2e4c01eccfe71f136ba2a7a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 18:58:02 +0000
+Subject: ppp: fix ppp_async_encode() illegal access
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 40dddd4b8bd08a69471efd96107a4e1c73fabefc ]
+
+syzbot reported an issue in ppp_async_encode() [1]
+
+In this case, pppoe_sendmsg() is called with a zero size.
+Then ppp_async_encode() is called with an empty skb.
+
+BUG: KMSAN: uninit-value in ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]
+ BUG: KMSAN: uninit-value in ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675
+  ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]
+  ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675
+  ppp_async_send+0x130/0x1b0 drivers/net/ppp/ppp_async.c:634
+  ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2280 [inline]
+  ppp_input+0x1f1/0xe60 drivers/net/ppp/ppp_generic.c:2304
+  pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379
+  sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113
+  __release_sock+0x1da/0x330 net/core/sock.c:3072
+  release_sock+0x6b/0x250 net/core/sock.c:3626
+  pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903
+  sock_sendmsg_nosec net/socket.c:729 [inline]
+  __sock_sendmsg+0x30f/0x380 net/socket.c:744
+  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
+  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
+  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
+  __do_sys_sendmmsg net/socket.c:2771 [inline]
+  __se_sys_sendmmsg net/socket.c:2768 [inline]
+  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
+  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
+  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Uninit was created at:
+  slab_post_alloc_hook mm/slub.c:4092 [inline]
+  slab_alloc_node mm/slub.c:4135 [inline]
+  kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4187
+  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
+  __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
+  alloc_skb include/linux/skbuff.h:1322 [inline]
+  sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732
+  pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867
+  sock_sendmsg_nosec net/socket.c:729 [inline]
+  __sock_sendmsg+0x30f/0x380 net/socket.c:744
+  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
+  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
+  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
+  __do_sys_sendmmsg net/socket.c:2771 [inline]
+  __se_sys_sendmmsg net/socket.c:2768 [inline]
+  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
+  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
+  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+CPU: 1 UID: 0 PID: 5411 Comm: syz.1.14 Not tainted 6.12.0-rc1-syzkaller-00165-g360c1f1f24c6 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+1d121645899e7692f92a@syzkaller.appspotmail.com
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20241009185802.3763282-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ppp/ppp_async.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ppp/ppp_async.c b/drivers/net/ppp/ppp_async.c
+index c33c3db3cc089..18115e255e52f 100644
+--- a/drivers/net/ppp/ppp_async.c
++++ b/drivers/net/ppp/ppp_async.c
+@@ -542,7 +542,7 @@ ppp_async_encode(struct asyncppp *ap)
+        * and 7 (code-reject) must be sent as though no options
+        * had been negotiated.
+        */
+-      islcp = proto == PPP_LCP && 1 <= data[2] && data[2] <= 7;
++      islcp = proto == PPP_LCP && count >= 3 && 1 <= data[2] && data[2] <= 7;
+       if (i == 0) {
+               if (islcp)
+-- 
+2.43.0
+
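Review bot: The added `count >= 3` guard in ppp_async_encode() protects only the data[2] read on this line, while `proto` is computed before the hunk. If proto is read from data[0] and data[1] (not visible here), the empty skb described in the commit message still reaches that earlier read. A length check ahead of the first access to `data`, or rejecting zero-length sends before the skb is queued, would cover both reads. The bare `3` would also read better with a short comment such as `/* data[2] is the LCP code; make sure it is present */`. The function body continues outside the hunk.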
diff --git a/queue-6.11/rcu-nocb-fix-rcuog-wake-up-from-offline-softirq.patch b/queue-6.11/rcu-nocb-fix-rcuog-wake-up-from-offline-softirq.patch
new file mode 100644 (file)
index 0000000..b2cb4c5
--- /dev/null
@@ -0,0 +1,81 @@
+From 4930132313d999ecf8635bd123f9bb19859a110d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2024 18:36:09 +0200
+Subject: rcu/nocb: Fix rcuog wake-up from offline softirq
+
+From: Frederic Weisbecker <frederic@kernel.org>
+
+[ Upstream commit f7345ccc62a4b880cf76458db5f320725f28e400 ]
+
+After a CPU has set itself offline and before it eventually calls
+rcutree_report_cpu_dead(), there are still opportunities for callbacks
+to be enqueued, for example from a softirq. When that happens on NOCB,
+the rcuog wake-up is deferred through an IPI to an online CPU in order
+not to call into the scheduler and risk arming the RT-bandwidth after
+hrtimers have been migrated out and disabled.
+
+But performing a synchronized IPI from a softirq is buggy as reported in
+the following scenario:
+
+        WARNING: CPU: 1 PID: 26 at kernel/smp.c:633 smp_call_function_single
+        Modules linked in: rcutorture torture
+        CPU: 1 UID: 0 PID: 26 Comm: migration/1 Not tainted 6.11.0-rc1-00012-g9139f93209d1 #1
+        Stopper: multi_cpu_stop+0x0/0x320 <- __stop_cpus+0xd0/0x120
+        RIP: 0010:smp_call_function_single
+        <IRQ>
+        swake_up_one_online
+        __call_rcu_nocb_wake
+        __call_rcu_common
+        ? rcu_torture_one_read
+        call_timer_fn
+        __run_timers
+        run_timer_softirq
+        handle_softirqs
+        irq_exit_rcu
+        ? tick_handle_periodic
+        sysvec_apic_timer_interrupt
+        </IRQ>
+
+Fix this with forcing deferred rcuog wake up through the NOCB timer when
+the CPU is offline. The actual wake up will happen from
+rcutree_report_cpu_dead().
+
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202409231644.4c55582d-lkp@intel.com
+Fixes: 9139f93209d1 ("rcu/nocb: Fix RT throttling hrtimer armed from offline CPU")
+Reviewed-by: "Joel Fernandes (Google)" <joel@joelfernandes.org>
+Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
+Signed-off-by: Neeraj Upadhyay <neeraj.upadhyay@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tree_nocb.h | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/rcu/tree_nocb.h b/kernel/rcu/tree_nocb.h
+index 2686ba122fa08..3630f712358e4 100644
+--- a/kernel/rcu/tree_nocb.h
++++ b/kernel/rcu/tree_nocb.h
+@@ -569,13 +569,19 @@ static void __call_rcu_nocb_wake(struct rcu_data *rdp, bool was_alldone,
+                       rcu_nocb_unlock(rdp);
+                       wake_nocb_gp_defer(rdp, RCU_NOCB_WAKE_LAZY,
+                                          TPS("WakeLazy"));
+-              } else if (!irqs_disabled_flags(flags)) {
++              } else if (!irqs_disabled_flags(flags) && cpu_online(rdp->cpu)) {
+                       /* ... if queue was empty ... */
+                       rcu_nocb_unlock(rdp);
+                       wake_nocb_gp(rdp, false);
+                       trace_rcu_nocb_wake(rcu_state.name, rdp->cpu,
+                                           TPS("WakeEmpty"));
+               } else {
++                      /*
++                       * Don't do the wake-up upfront on fragile paths.
++                       * Also offline CPUs can't call swake_up_one_online() from
++                       * (soft-)IRQs. Rely on the final deferred wake-up from
++                       * rcutree_report_cpu_dead()
++                       */
+                       rcu_nocb_unlock(rdp);
+                       wake_nocb_gp_defer(rdp, RCU_NOCB_WAKE,
+                                          TPS("WakeEmptyIsDeferred"));
+-- 
+2.43.0
+
diff --git a/queue-6.11/revert-net-stmmac-set-pp_flag_dma_sync_dev-only-if-x.patch b/queue-6.11/revert-net-stmmac-set-pp_flag_dma_sync_dev-only-if-x.patch
new file mode 100644 (file)
index 0000000..9c1fd04
--- /dev/null
@@ -0,0 +1,44 @@
+From f92dc28495b9d577bfcaa633858b525685562517 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2024 07:21:15 -0700
+Subject: Revert "net: stmmac: set PP_FLAG_DMA_SYNC_DEV only if XDP is enabled"
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 5546da79e6cc5bb3324bf25688ed05498fd3f86d ]
+
+This reverts commit b514c47ebf41a6536551ed28a05758036e6eca7c.
+
+The commit describes that we don't have to sync the page when
+recycling, and it tries to optimize that case. But we do need
+to sync after allocation. Recycling side should be changed to
+pass the right sync size instead.
+
+Fixes: b514c47ebf41 ("net: stmmac: set PP_FLAG_DMA_SYNC_DEV only if XDP is enabled")
+Reported-by: Jon Hunter <jonathanh@nvidia.com>
+Link: https://lore.kernel.org/20241004070846.2502e9ea@kernel.org
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Furong Xu <0x1207@gmail.com>
+Link: https://patch.msgid.link/20241004142115.910876-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 95d3d1081727f..f3a1b179aaeac 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -2022,7 +2022,7 @@ static int __alloc_dma_rx_desc_resources(struct stmmac_priv *priv,
+       rx_q->queue_index = queue;
+       rx_q->priv_data = priv;
+-      pp_params.flags = PP_FLAG_DMA_MAP | (xdp_prog ? PP_FLAG_DMA_SYNC_DEV : 0);
++      pp_params.flags = PP_FLAG_DMA_MAP | PP_FLAG_DMA_SYNC_DEV;
+       pp_params.pool_size = dma_conf->dma_rx_size;
+       num_pages = DIV_ROUND_UP(dma_conf->dma_buf_sz, PAGE_SIZE);
+       pp_params.order = ilog2(num_pages);
+-- 
+2.43.0
+
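Review bot: The restored assignment to pp_params.flags in __alloc_dma_rx_desc_resources() carries no comment, so the optimisation this commit reverts is easy to reintroduce. The commit message gives the reason (a sync is still needed after allocation, and it is the recycling side that should pass the right sync size). Recording that next to the flag would help, e.g. `/* Always sync for device: needed after allocation even without XDP */`. The function body continues outside the hunk.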
diff --git a/queue-6.11/rtnetlink-add-bulk-registration-helpers-for-rtnetlin.patch b/queue-6.11/rtnetlink-add-bulk-registration-helpers-for-rtnetlin.patch
new file mode 100644 (file)
index 0000000..1b22510
--- /dev/null
@@ -0,0 +1,110 @@
+From 3a61ee72bc6a844b784c463c48f9cf5a9510acf6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 11:47:32 -0700
+Subject: rtnetlink: Add bulk registration helpers for rtnetlink message
+ handlers.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 07cc7b0b942bf55ef1a471470ecda8d2a6a6541f ]
+
+Before commit addf9b90de22 ("net: rtnetlink: use rcu to free rtnl message
+handlers"), once rtnl_msg_handlers[protocol] was allocated, the following
+rtnl_register_module() for the same protocol never failed.
+
+However, after the commit, rtnl_msg_handler[protocol][msgtype] needs to
+be allocated in each rtnl_register_module(), so each call could fail.
+
+Many callers of rtnl_register_module() do not handle the returned error,
+and we need to add many error handlings.
+
+To handle that easily, let's add wrapper functions for bulk registration
+of rtnetlink message handlers.
+
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: 78b7b991838a ("vxlan: Handle error of rtnl_register_module().")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/rtnetlink.h | 17 +++++++++++++++++
+ net/core/rtnetlink.c    | 29 +++++++++++++++++++++++++++++
+ 2 files changed, 46 insertions(+)
+
+diff --git a/include/net/rtnetlink.h b/include/net/rtnetlink.h
+index b45d57b5968af..2d3eb7cb4dfff 100644
+--- a/include/net/rtnetlink.h
++++ b/include/net/rtnetlink.h
+@@ -29,6 +29,15 @@ static inline enum rtnl_kinds rtnl_msgtype_kind(int msgtype)
+       return msgtype & RTNL_KIND_MASK;
+ }
++struct rtnl_msg_handler {
++      struct module *owner;
++      int protocol;
++      int msgtype;
++      rtnl_doit_func doit;
++      rtnl_dumpit_func dumpit;
++      int flags;
++};
++
+ void rtnl_register(int protocol, int msgtype,
+                  rtnl_doit_func, rtnl_dumpit_func, unsigned int flags);
+ int rtnl_register_module(struct module *owner, int protocol, int msgtype,
+@@ -36,6 +45,14 @@ int rtnl_register_module(struct module *owner, int protocol, int msgtype,
+ int rtnl_unregister(int protocol, int msgtype);
+ void rtnl_unregister_all(int protocol);
++int __rtnl_register_many(const struct rtnl_msg_handler *handlers, int n);
++void __rtnl_unregister_many(const struct rtnl_msg_handler *handlers, int n);
++
++#define rtnl_register_many(handlers)                          \
++      __rtnl_register_many(handlers, ARRAY_SIZE(handlers))
++#define rtnl_unregister_many(handlers)                                \
++      __rtnl_unregister_many(handlers, ARRAY_SIZE(handlers))
++
+ static inline int rtnl_msg_family(const struct nlmsghdr *nlh)
+ {
+       if (nlmsg_len(nlh) >= sizeof(struct rtgenmsg))
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 73fd7f543fd09..97a38a7e1b2cc 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -384,6 +384,35 @@ void rtnl_unregister_all(int protocol)
+ }
+ EXPORT_SYMBOL_GPL(rtnl_unregister_all);
++int __rtnl_register_many(const struct rtnl_msg_handler *handlers, int n)
++{
++      const struct rtnl_msg_handler *handler;
++      int i, err;
++
++      for (i = 0, handler = handlers; i < n; i++, handler++) {
++              err = rtnl_register_internal(handler->owner, handler->protocol,
++                                           handler->msgtype, handler->doit,
++                                           handler->dumpit, handler->flags);
++              if (err) {
++                      __rtnl_unregister_many(handlers, i);
++                      break;
++              }
++      }
++
++      return err;
++}
++EXPORT_SYMBOL_GPL(__rtnl_register_many);
++
++void __rtnl_unregister_many(const struct rtnl_msg_handler *handlers, int n)
++{
++      const struct rtnl_msg_handler *handler;
++      int i;
++
++      for (i = n - 1, handler = handlers + n - 1; i >= 0; i--, handler--)
++              rtnl_unregister(handler->protocol, handler->msgtype);
++}
++EXPORT_SYMBOL_GPL(__rtnl_unregister_many);
++
+ static LIST_HEAD(link_ops);
+ static const struct rtnl_link_ops *rtnl_link_ops_get(const char *kind)
+-- 
+2.43.0
+
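Review bot: `__rtnl_register_many()` in the net/core/rtnetlink.c hunk returns `err` uninitialised when `n` is 0, because the loop body is the only place it is assigned. The rtnl_register_many() macro passes ARRAY_SIZE(handlers), so an empty table is unlikely, but the exported function accepts any `n`; `int i, err = 0;` closes the gap. Separately, struct rtnl_msg_handler declares `int flags` while the rtnl_register() prototype next to it takes `unsigned int flags`; declaring the member as `unsigned int flags;` would keep the two consistent.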
diff --git a/queue-6.11/rxrpc-fix-uninitialised-variable-in-rxrpc_send_data.patch b/queue-6.11/rxrpc-fix-uninitialised-variable-in-rxrpc_send_data.patch
new file mode 100644 (file)
index 0000000..2c7ef18
--- /dev/null
@@ -0,0 +1,57 @@
+From c0ef72a09d18bfa69987460a82e3073fca8d144e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 14:26:59 +0100
+Subject: rxrpc: Fix uninitialised variable in rxrpc_send_data()
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 7a310f8d7dfe2d92a1f31ddb5357bfdd97eed273 ]
+
+Fix the uninitialised txb variable in rxrpc_send_data() by moving the code
+that loads it above all the jumps to maybe_error, txb being stored back
+into call->tx_pending right before the normal return.
+
+Fixes: b0f571ecd794 ("rxrpc: Fix locking in rxrpc's sendmsg")
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lists.infradead.org/pipermail/linux-afs/2024-October/008896.html
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Link: https://patch.msgid.link/20241001132702.3122709-3-dhowells@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/sendmsg.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c
+index 894b8fa68e5e9..23d18fe5de9f0 100644
+--- a/net/rxrpc/sendmsg.c
++++ b/net/rxrpc/sendmsg.c
+@@ -303,6 +303,11 @@ static int rxrpc_send_data(struct rxrpc_sock *rx,
+       sk_clear_bit(SOCKWQ_ASYNC_NOSPACE, sk);
+ reload:
++      txb = call->tx_pending;
++      call->tx_pending = NULL;
++      if (txb)
++              rxrpc_see_txbuf(txb, rxrpc_txbuf_see_send_more);
++
+       ret = -EPIPE;
+       if (sk->sk_shutdown & SEND_SHUTDOWN)
+               goto maybe_error;
+@@ -329,11 +334,6 @@ static int rxrpc_send_data(struct rxrpc_sock *rx,
+                       goto maybe_error;
+       }
+-      txb = call->tx_pending;
+-      call->tx_pending = NULL;
+-      if (txb)
+-              rxrpc_see_txbuf(txb, rxrpc_txbuf_see_send_more);
+-
+       do {
+               if (!txb) {
+                       size_t remain;
+-- 
+2.43.0
+
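Review bot: The block moved under `reload:` in rxrpc_send_data() now clears `call->tx_pending` before every `goto maybe_error`, so the early exits leave with the buffer held only in the local `txb`. The commit message says txb is stored back right before the normal return, but that code is outside this hunk, so it should be confirmed that the error exits also pass through it. A comment at the load would record the invariant, e.g. `/* Take the pending txbuf up front; every exit path must put it back in call->tx_pending. */`. rxrpc_send_data() starts and ends outside both hunks.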
diff --git a/queue-6.11/sctp-ensure-sk_state-is-set-to-closed-if-hashing-fai.patch b/queue-6.11/sctp-ensure-sk_state-is-set-to-closed-if-hashing-fai.patch
new file mode 100644 (file)
index 0000000..a07ae6d
--- /dev/null
@@ -0,0 +1,78 @@
+From 066bd2ec020b8973bfc1f361867c57435d30d855 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 12:25:11 -0400
+Subject: sctp: ensure sk_state is set to CLOSED if hashing fails in
+ sctp_listen_start
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 4d5c70e6155d5eae198bade4afeab3c1b15073b6 ]
+
+If hashing fails in sctp_listen_start(), the socket remains in the
+LISTENING state, even though it was not added to the hash table.
+This can lead to a scenario where a socket appears to be listening
+without actually being accessible.
+
+This patch ensures that if the hashing operation fails, the sk_state
+is set back to CLOSED before returning an error.
+
+Note that there is no need to undo the autobind operation if hashing
+fails, as the bind port can still be used for next listen() call on
+the same socket.
+
+Fixes: 76c6d988aeb3 ("sctp: add sock_reuseport for the sock in __sctp_hash_endpoint")
+Reported-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/socket.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 078bcb3858c79..36ee34f483d70 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -8531,6 +8531,7 @@ static int sctp_listen_start(struct sock *sk, int backlog)
+       struct sctp_endpoint *ep = sp->ep;
+       struct crypto_shash *tfm = NULL;
+       char alg[32];
++      int err;
+       /* Allocate HMAC for generating cookie. */
+       if (!sp->hmac && sp->sctp_hmac_alg) {
+@@ -8558,18 +8559,25 @@ static int sctp_listen_start(struct sock *sk, int backlog)
+       inet_sk_set_state(sk, SCTP_SS_LISTENING);
+       if (!ep->base.bind_addr.port) {
+               if (sctp_autobind(sk)) {
+-                      inet_sk_set_state(sk, SCTP_SS_CLOSED);
+-                      return -EAGAIN;
++                      err = -EAGAIN;
++                      goto err;
+               }
+       } else {
+               if (sctp_get_port(sk, inet_sk(sk)->inet_num)) {
+-                      inet_sk_set_state(sk, SCTP_SS_CLOSED);
+-                      return -EADDRINUSE;
++                      err = -EADDRINUSE;
++                      goto err;
+               }
+       }
+       WRITE_ONCE(sk->sk_max_ack_backlog, backlog);
+-      return sctp_hash_endpoint(ep);
++      err = sctp_hash_endpoint(ep);
++      if (err)
++              goto err;
++
++      return 0;
++err:
++      inet_sk_set_state(sk, SCTP_SS_CLOSED);
++      return err;
+ }
+ /*
+-- 
+2.43.0
+
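Review bot: The new `err:` path in sctp_listen_start() resets the state to SCTP_SS_CLOSED but leaves in place the port bound by sctp_autobind() or sctp_get_port() and the `sk_max_ack_backlog` value written just before sctp_hash_endpoint(). The commit message explains that the bind is kept on purpose, but the code does not say so. I would add `/* Keep the bound port: it can be reused by the next listen() on this socket. */` above the `inet_sk_set_state(sk, SCTP_SS_CLOSED);` line under the label. Whether the leftover backlog value matters for a CLOSED socket cannot be judged from the hunk. The start of the function is outside the hunk.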
diff --git a/queue-6.11/selftests-net-no_forwarding-fix-vid-for-swp2-in-one_.patch b/queue-6.11/selftests-net-no_forwarding-fix-vid-for-swp2-in-one_.patch
new file mode 100644 (file)
index 0000000..ca1e161
--- /dev/null
@@ -0,0 +1,84 @@
+From 8e1fe567e450551064ae481445f2d45a10ad66a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2024 14:10:16 +0900
+Subject: selftests: net: no_forwarding: fix VID for $swp2 in
+ one_bridge_two_pvids() test
+
+From: Kacper Ludwinski <kac.ludwinski@icloud.com>
+
+[ Upstream commit 9f49d14ec41ce7be647028d7d34dea727af55272 ]
+
+Currently, the second bridge command overwrites the first one.
+Fix this by adding this VID to the interface behind $swp2.
+
+The one_bridge_two_pvids() test intends to check that there is no
+leakage of traffic between bridge ports which have a single VLAN - the
+PVID VLAN.
+
+Because of a typo, port $swp1 is configured with a PVID twice (second
+command overwrites first), and $swp2 isn't configured at all (and since
+the bridge vlan_default_pvid property is set to 0, this port will not
+have a PVID at all, so it will drop all untagged and priority-tagged
+traffic).
+
+So, instead of testing the configuration that was intended, we are
+testing a different one, where one port has PVID 2 and the other has
+no PVID. This incorrect version of the test should also pass, but is
+ineffective for its purpose, so fix the typo.
+
+This typo has an impact on results of the test,
+potentially leading to wrong conclusions regarding
+the functionality of a network device.
+
+The tests results:
+
+TEST: Switch ports in VLAN-aware bridge with different PVIDs:
+       Unicast non-IP untagged   [ OK ]
+       Multicast non-IP untagged   [ OK ]
+       Broadcast non-IP untagged   [ OK ]
+       Unicast IPv4 untagged   [ OK ]
+       Multicast IPv4 untagged   [ OK ]
+       Unicast IPv6 untagged   [ OK ]
+       Multicast IPv6 untagged   [ OK ]
+       Unicast non-IP VID 1   [ OK ]
+       Multicast non-IP VID 1   [ OK ]
+       Broadcast non-IP VID 1   [ OK ]
+       Unicast IPv4 VID 1   [ OK ]
+       Multicast IPv4 VID 1   [ OK ]
+       Unicast IPv6 VID 1   [ OK ]
+       Multicast IPv6 VID 1   [ OK ]
+       Unicast non-IP VID 4094   [ OK ]
+       Multicast non-IP VID 4094   [ OK ]
+       Broadcast non-IP VID 4094   [ OK ]
+       Unicast IPv4 VID 4094   [ OK ]
+       Multicast IPv4 VID 4094   [ OK ]
+       Unicast IPv6 VID 4094   [ OK ]
+       Multicast IPv6 VID 4094   [ OK ]
+
+Fixes: 476a4f05d9b8 ("selftests: forwarding: add a no_forwarding.sh test")
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Kacper Ludwinski <kac.ludwinski@icloud.com>
+Link: https://patch.msgid.link/20241002051016.849-1-kac.ludwinski@icloud.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/forwarding/no_forwarding.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/forwarding/no_forwarding.sh b/tools/testing/selftests/net/forwarding/no_forwarding.sh
+index 9e677aa64a06a..694ece9ba3a74 100755
+--- a/tools/testing/selftests/net/forwarding/no_forwarding.sh
++++ b/tools/testing/selftests/net/forwarding/no_forwarding.sh
+@@ -202,7 +202,7 @@ one_bridge_two_pvids()
+       ip link set $swp2 master br0
+       bridge vlan add dev $swp1 vid 1 pvid untagged
+-      bridge vlan add dev $swp1 vid 2 pvid untagged
++      bridge vlan add dev $swp2 vid 2 pvid untagged
+       run_test "Switch ports in VLAN-aware bridge with different PVIDs"
+-- 
+2.43.0
+
index 3e8f17fbf5785adb567686264ae1d8dde37ec43c..de779b83384425ecb143d7e3e3c3fb003fe9c209 100644 (file)
@@ -79,3 +79,74 @@ drm-amd-display-check-null-pointer-before-dereferenc.patch
 fbcon-fix-a-null-pointer-dereference-issue-in-fbcon_.patch
 smb-client-fix-uaf-in-async-decryption.patch
 fbdev-sisfb-fix-strbuf-array-overflow.patch
+nfsd-mark-filecache-down-if-init-fails.patch
+nfsd-nfsd_destroy_serv-must-call-svc_destroy-even-if.patch
+ice-set-correct-dst-vsi-in-only-lan-filters.patch
+ice-clear-port-vlan-config-during-reset.patch
+ice-fix-memleak-in-ice_init_tx_topology.patch
+ice-disallow-dpll_pin_state_selectable-for-dpll-outp.patch
+ice-fix-vlan-replay-after-reset.patch
+sunrpc-fix-integer-overflow-in-decode_rc_list.patch
+nfsv4-prevent-null-pointer-dereference-in-nfs42_comp.patch
+net-phy-dp83869-fix-memory-corruption-when-enabling-.patch
+sfc-don-t-invoke-xdp_do_flush-from-netpoll.patch
+net-phy-aquantia-aqr115c-fix-up-pma-capabilities.patch
+net-phy-aquantia-remove-usage-of-phy_set_max_speed.patch
+tcp-fix-to-allow-timestamp-undo-if-no-retransmits-we.patch
+tcp-fix-tcp_enter_recovery-to-zero-retrans_stamp-whe.patch
+tcp-fix-tfo-syn_recv-to-not-zero-retrans_stamp-with-.patch
+rxrpc-fix-uninitialised-variable-in-rxrpc_send_data.patch
+net-dsa-sja1105-fix-reception-from-vlan-unaware-brid.patch
+netfilter-br_netfilter-fix-panic-with-metadata_dst-s.patch
+selftests-net-no_forwarding-fix-vid-for-swp2-in-one_.patch
+net-pse-pd-fix-enabled-status-mismatch.patch
+bluetooth-rfcomm-fix-possible-deadlock-in-rfcomm_sk_.patch
+bluetooth-btusb-don-t-fail-external-suspend-requests.patch
+net-phy-bcm84881-fix-some-error-handling-paths.patch
+nfsd-fix-possible-badness-in-free_stateid.patch
+thermal-intel-int340x-processor-fix-warning-during-m.patch
+revert-net-stmmac-set-pp_flag_dma_sync_dev-only-if-x.patch
+net-ethernet-adi-adin1110-fix-some-error-handling-pa.patch
+net-dsa-b53-fix-jumbo-frame-mtu-check.patch
+net-dsa-b53-fix-max-mtu-for-1g-switches.patch
+net-dsa-b53-fix-max-mtu-for-bcm5325-bcm5365.patch
+net-dsa-b53-allow-lower-mtus-on-bcm5325-5365.patch
+net-dsa-b53-fix-jumbo-frames-on-10-100-ports.patch
+drm-nouveau-pass-cli-to-nouveau_channel_new-instead-.patch
+nouveau-dmem-fix-privileged-error-in-copy-engine-cha.patch
+gpio-aspeed-add-the-flush-write-to-ensure-the-write-.patch
+gpio-aspeed-use-devm_clk-api-to-manage-clock-source.patch
+x86-xen-mark-boot-cpu-of-pv-guest-in-msr_ia32_apicba.patch
+powercap-intel_rapl_tpmi-ignore-minor-version-change.patch
+ice-fix-entering-safe-mode.patch
+ice-fix-netif_is_ice-in-safe-mode.patch
+ice-flush-fdb-entries-before-reset.patch
+ice-fix-increasing-msi-x-on-vf.patch
+i40e-fix-macvlan-leak-by-synchronizing-access-to-mac.patch
+igb-do-not-bring-the-device-up-after-non-fatal-error.patch
+e1000e-change-i219-19-devices-to-adp.patch
+net-sched-accept-tca_stab-only-for-root-qdisc.patch
+drm-xe-restore-gt-freq-on-gsc-load-error.patch
+drm-xe-make-wedged_mode-debugfs-writable.patch
+net-ibm-emac-mal-fix-wrong-goto.patch
+net-ti-icssg-prueth-fix-race-condition-for-vlan-tabl.patch
+btrfs-zoned-fix-missing-rcu-locking-in-error-message.patch
+sctp-ensure-sk_state-is-set-to-closed-if-hashing-fai.patch
+netfilter-xtables-avoid-nfproto_unspec-where-needed.patch
+netfilter-fib-check-correct-rtable-in-vrf-setups.patch
+net-ibm-emac-mal-add-dcr_unmap-to-_remove.patch
+net-dsa-refuse-cross-chip-mirroring-operations.patch
+net-netconsole-fix-wrong-warning.patch
+drm-fbdev-dma-only-cleanup-deferred-i-o-if-necessary.patch
+net-do-not-delay-dst_entries_add-in-dst_release.patch
+rtnetlink-add-bulk-registration-helpers-for-rtnetlin.patch
+vxlan-handle-error-of-rtnl_register_module.patch
+bridge-handle-error-of-rtnl_register_module.patch
+mctp-handle-error-of-rtnl_register_module.patch
+mpls-handle-error-of-rtnl_register_module.patch
+phonet-handle-error-of-rtnl_register_module.patch
+ppp-fix-ppp_async_encode-illegal-access.patch
+net-smc-fix-lacks-of-icsk_syn_mss-with-ipproto_smc.patch
+slip-make-slhc_remember-more-robust-against-maliciou.patch
+rcu-nocb-fix-rcuog-wake-up-from-offline-softirq.patch
+x86-amd_nb-add-new-pci-ids-for-amd-family-1ah-model-.patch
diff --git a/queue-6.11/sfc-don-t-invoke-xdp_do_flush-from-netpoll.patch b/queue-6.11/sfc-don-t-invoke-xdp_do_flush-from-netpoll.patch
new file mode 100644 (file)
index 0000000..3602c30
--- /dev/null
@@ -0,0 +1,64 @@
+From 74d5045a9a5497d20116195a9a54f9da6fd4d982 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2024 14:58:37 +0200
+Subject: sfc: Don't invoke xdp_do_flush() from netpoll.
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 55e802468e1d38dec8e25a2fdb6078d45b647e8c ]
+
+Yury reported a crash in the sfc driver originated from
+netpoll_send_udp(). The netconsole sends a message and then netpoll
+invokes the driver's NAPI function with a budget of zero. It is
+dedicated to allow driver to free TX resources, that it may have used
+while sending the packet.
+
+In the netpoll case the driver invokes xdp_do_flush() unconditionally,
+leading to crash because bpf_net_context was never assigned.
+
+Invoke xdp_do_flush() only if budget is not zero.
+
+Fixes: 401cb7dae8130 ("net: Reference bpf_redirect_info via task_struct on PREEMPT_RT.")
+Reported-by: Yury Vostrikov <mon@unformed.ru>
+Closes: https://lore.kernel.org/5627f6d1-5491-4462-9d75-bc0612c26a22@app.fastmail.com
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Edward Cree <ecree.xilinx@gmail.com>
+Link: https://patch.msgid.link/20241002125837.utOcRo6Y@linutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sfc/efx_channels.c       | 3 ++-
+ drivers/net/ethernet/sfc/siena/efx_channels.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/sfc/efx_channels.c b/drivers/net/ethernet/sfc/efx_channels.c
+index c9e17a8208a90..f1723a6fb082b 100644
+--- a/drivers/net/ethernet/sfc/efx_channels.c
++++ b/drivers/net/ethernet/sfc/efx_channels.c
+@@ -1260,7 +1260,8 @@ static int efx_poll(struct napi_struct *napi, int budget)
+       spent = efx_process_channel(channel, budget);
+-      xdp_do_flush();
++      if (budget)
++              xdp_do_flush();
+       if (spent < budget) {
+               if (efx_channel_has_rx_queue(channel) &&
+diff --git a/drivers/net/ethernet/sfc/siena/efx_channels.c b/drivers/net/ethernet/sfc/siena/efx_channels.c
+index a7346e965bfe7..d120b3c83ac07 100644
+--- a/drivers/net/ethernet/sfc/siena/efx_channels.c
++++ b/drivers/net/ethernet/sfc/siena/efx_channels.c
+@@ -1285,7 +1285,8 @@ static int efx_poll(struct napi_struct *napi, int budget)
+       spent = efx_process_channel(channel, budget);
+-      xdp_do_flush();
++      if (budget)
++              xdp_do_flush();
+       if (spent < budget) {
+               if (efx_channel_has_rx_queue(channel) &&
+-- 
+2.43.0
+
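Review bot: The new `if (budget)` guard before `xdp_do_flush()` in efx_poll() has no comment, and its reason is not evident from the code. According to the commit message, netpoll calls the NAPI poll function with a budget of zero and no bpf_net_context assigned. I would add `/* netpoll polls with budget 0 and no bpf_net_context; skip the XDP flush */` above the guard. The same applies to the identical hunk in drivers/net/ethernet/sfc/siena/efx_channels.c. efx_poll() starts and ends outside both hunks.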
diff --git a/queue-6.11/slip-make-slhc_remember-more-robust-against-maliciou.patch b/queue-6.11/slip-make-slhc_remember-more-robust-against-maliciou.patch
new file mode 100644 (file)
index 0000000..e39473e
--- /dev/null
@@ -0,0 +1,170 @@
+From 6088f795325fec78aa48ac70a63b19b9ed440aee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 09:11:32 +0000
+Subject: slip: make slhc_remember() more robust against malicious packets
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 7d3fce8cbe3a70a1c7c06c9b53696be5d5d8dd5c ]
+
+syzbot found that slhc_remember() was missing checks against
+malicious packets [1].
+
+slhc_remember() only checked the size of the packet was at least 20,
+which is not good enough.
+
+We need to make sure the packet includes the IPv4 and TCP header
+that are supposed to be carried.
+
+Add iph and th pointers to make the code more readable.
+
+[1]
+
+BUG: KMSAN: uninit-value in slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666
+  slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666
+  ppp_receive_nonmp_frame+0xe45/0x35e0 drivers/net/ppp/ppp_generic.c:2455
+  ppp_receive_frame drivers/net/ppp/ppp_generic.c:2372 [inline]
+  ppp_do_recv+0x65f/0x40d0 drivers/net/ppp/ppp_generic.c:2212
+  ppp_input+0x7dc/0xe60 drivers/net/ppp/ppp_generic.c:2327
+  pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379
+  sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113
+  __release_sock+0x1da/0x330 net/core/sock.c:3072
+  release_sock+0x6b/0x250 net/core/sock.c:3626
+  pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903
+  sock_sendmsg_nosec net/socket.c:729 [inline]
+  __sock_sendmsg+0x30f/0x380 net/socket.c:744
+  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
+  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
+  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
+  __do_sys_sendmmsg net/socket.c:2771 [inline]
+  __se_sys_sendmmsg net/socket.c:2768 [inline]
+  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
+  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
+  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Uninit was created at:
+  slab_post_alloc_hook mm/slub.c:4091 [inline]
+  slab_alloc_node mm/slub.c:4134 [inline]
+  kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186
+  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
+  __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
+  alloc_skb include/linux/skbuff.h:1322 [inline]
+  sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732
+  pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867
+  sock_sendmsg_nosec net/socket.c:729 [inline]
+  __sock_sendmsg+0x30f/0x380 net/socket.c:744
+  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
+  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
+  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
+  __do_sys_sendmmsg net/socket.c:2771 [inline]
+  __se_sys_sendmmsg net/socket.c:2768 [inline]
+  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
+  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
+  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+CPU: 0 UID: 0 PID: 5460 Comm: syz.2.33 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
+
+Fixes: b5451d783ade ("slip: Move the SLIP drivers")
+Reported-by: syzbot+2ada1bc857496353be5a@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/670646db.050a0220.3f80e.0027.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20241009091132.2136321-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/slip/slhc.c | 57 ++++++++++++++++++++++++-----------------
+ 1 file changed, 34 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
+index 18df7ca661981..c3f5759c239ac 100644
+--- a/drivers/net/slip/slhc.c
++++ b/drivers/net/slip/slhc.c
+@@ -643,46 +643,57 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
+ int
+ slhc_remember(struct slcompress *comp, unsigned char *icp, int isize)
+ {
+-      struct cstate *cs;
+-      unsigned ihl;
+-
++      const struct tcphdr *th;
+       unsigned char index;
++      struct iphdr *iph;
++      struct cstate *cs;
++      unsigned int ihl;
+-      if(isize < 20) {
+-              /* The packet is shorter than a legal IP header */
++      /* The packet is shorter than a legal IP header.
++       * Also make sure isize is positive.
++       */
++      if (isize < (int)sizeof(struct iphdr)) {
++runt:
+               comp->sls_i_runt++;
+-              return slhc_toss( comp );
++              return slhc_toss(comp);
+       }
++      iph = (struct iphdr *)icp;
+       /* Peek at the IP header's IHL field to find its length */
+-      ihl = icp[0] & 0xf;
+-      if(ihl < 20 / 4){
+-              /* The IP header length field is too small */
+-              comp->sls_i_runt++;
+-              return slhc_toss( comp );
+-      }
+-      index = icp[9];
+-      icp[9] = IPPROTO_TCP;
++      ihl = iph->ihl;
++      /* The IP header length field is too small,
++       * or packet is shorter than the IP header followed
++       * by minimal tcp header.
++       */
++      if (ihl < 5 || isize < ihl * 4 + sizeof(struct tcphdr))
++              goto runt;
++
++      index = iph->protocol;
++      iph->protocol = IPPROTO_TCP;
+       if (ip_fast_csum(icp, ihl)) {
+               /* Bad IP header checksum; discard */
+               comp->sls_i_badcheck++;
+-              return slhc_toss( comp );
++              return slhc_toss(comp);
+       }
+-      if(index > comp->rslot_limit) {
++      if (index > comp->rslot_limit) {
+               comp->sls_i_error++;
+               return slhc_toss(comp);
+       }
+-
++      th = (struct tcphdr *)(icp + ihl * 4);
++      if (th->doff < sizeof(struct tcphdr) / 4)
++              goto runt;
++      if (isize < ihl * 4 + th->doff * 4)
++              goto runt;
+       /* Update local state */
+       cs = &comp->rstate[comp->recv_current = index];
+       comp->flags &=~ SLF_TOSS;
+-      memcpy(&cs->cs_ip,icp,20);
+-      memcpy(&cs->cs_tcp,icp + ihl*4,20);
++      memcpy(&cs->cs_ip, iph, sizeof(*iph));
++      memcpy(&cs->cs_tcp, th, sizeof(*th));
+       if (ihl > 5)
+-        memcpy(cs->cs_ipopt, icp + sizeof(struct iphdr), (ihl - 5) * 4);
+-      if (cs->cs_tcp.doff > 5)
+-        memcpy(cs->cs_tcpopt, icp + ihl*4 + sizeof(struct tcphdr), (cs->cs_tcp.doff - 5) * 4);
+-      cs->cs_hsize = ihl*2 + cs->cs_tcp.doff*2;
++        memcpy(cs->cs_ipopt, &iph[1], (ihl - 5) * 4);
++      if (th->doff > 5)
++        memcpy(cs->cs_tcpopt, &th[1], (th->doff - 5) * 4);
++      cs->cs_hsize = ihl*2 + th->doff*2;
+       cs->initialized = true;
+       /* Put headers back on packet
+        * Neither header checksum is recalculated
+-- 
+2.43.0
+
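Review bot: The two new length checks in slhc_remember(), `isize < ihl * 4 + sizeof(struct tcphdr)` and `isize < ihl * 4 + th->doff * 4`, compare the signed `isize` with an unsigned expression. They are correct only because the first test has already rejected any `isize` below `sizeof(struct iphdr)`. The comment "Also make sure isize is positive" hints at this but does not say that the later comparisons depend on it. I would extend that comment with `* The unsigned comparisons below rely on this.` so that a later reordering does not let a negative length pass as a very large one. The `runt:` label also sits inside the first `if` body, so the later `goto runt` statements jump into a block, which is valid C but easy to misread; the end of the function is outside the hunk.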
diff --git a/queue-6.11/sunrpc-fix-integer-overflow-in-decode_rc_list.patch b/queue-6.11/sunrpc-fix-integer-overflow-in-decode_rc_list.patch
new file mode 100644 (file)
index 0000000..c00142f
--- /dev/null
@@ -0,0 +1,37 @@
+From 0cc06f4262844cf599ce4c30d8c4dedf810866bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Sep 2024 11:50:33 +0300
+Subject: SUNRPC: Fix integer overflow in decode_rc_list()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 6dbf1f341b6b35bcc20ff95b6b315e509f6c5369 ]
+
+The math in "rc_list->rcl_nrefcalls * 2 * sizeof(uint32_t)" could have an
+integer overflow.  Add bounds checking on rc_list->rcl_nrefcalls to fix
+that.
+
+Fixes: 4aece6a19cf7 ("nfs41: cb_sequence xdr implementation")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/callback_xdr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c
+index 6df77f008d3fa..fdeb0b34a3d39 100644
+--- a/fs/nfs/callback_xdr.c
++++ b/fs/nfs/callback_xdr.c
+@@ -375,6 +375,8 @@ static __be32 decode_rc_list(struct xdr_stream *xdr,
+       rc_list->rcl_nrefcalls = ntohl(*p++);
+       if (rc_list->rcl_nrefcalls) {
++              if (unlikely(rc_list->rcl_nrefcalls > xdr->buf->len))
++                      goto out;
+               p = xdr_inline_decode(xdr,
+                            rc_list->rcl_nrefcalls * 2 * sizeof(uint32_t));
+               if (unlikely(p == NULL))
+-- 
+2.43.0
+
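Review bot: The added guard in decode_rc_list() compares `rc_list->rcl_nrefcalls`, a count of entries, with `xdr->buf->len`, which appears to be a length in bytes, and nothing in the code says why that is the intended bound. Each entry takes `2 * sizeof(uint32_t)` bytes in the xdr_inline_decode() call that follows. The check is therefore a loose upper limit meant to stop the size computation from wrapping, not an exact fit test. xdr_inline_decode() presumably rejects a request larger than the remaining data. I would document this with `/* a count above the buffer length cannot be valid and could overflow the size computed below */`; the function starts and ends outside the hunk.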
diff --git a/queue-6.11/tcp-fix-tcp_enter_recovery-to-zero-retrans_stamp-whe.patch b/queue-6.11/tcp-fix-tcp_enter_recovery-to-zero-retrans_stamp-whe.patch
new file mode 100644 (file)
index 0000000..34923f2
--- /dev/null
@@ -0,0 +1,153 @@
+From 5dd8629a1172aaacad5f465979b2fd111d62d309 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 20:05:16 +0000
+Subject: tcp: fix tcp_enter_recovery() to zero retrans_stamp when it's safe
+
+From: Neal Cardwell <ncardwell@google.com>
+
+[ Upstream commit b41b4cbd9655bcebcce941bef3601db8110335be ]
+
+Fix tcp_enter_recovery() so that if there are no retransmits out then
+we zero retrans_stamp when entering fast recovery. This is necessary
+to fix two buggy behaviors.
+
+Currently a non-zero retrans_stamp value can persist across multiple
+back-to-back loss recovery episodes. This is because we generally only
+clears retrans_stamp if we are completely done with loss recoveries,
+and get to tcp_try_to_open() and find !tcp_any_retrans_done(sk). This
+behavior causes two bugs:
+
+(1) When a loss recovery episode (CA_Loss or CA_Recovery) is followed
+immediately by a new CA_Recovery, the retrans_stamp value can persist
+and can be a time before this new CA_Recovery episode starts. That
+means that timestamp-based undo will be using the wrong retrans_stamp
+(a value that is too old) when comparing incoming TS ecr values to
+retrans_stamp to see if the current fast recovery episode can be
+undone.
+
+(2) If there is a roughly minutes-long sequence of back-to-back fast
+recovery episodes, one after another (e.g. in a shallow-buffered or
+policed bottleneck), where each fast recovery successfully makes
+forward progress and recovers one window of sequence space (but leaves
+at least one retransmit in flight at the end of the recovery),
+followed by several RTOs, then the ETIMEDOUT check may be using the
+wrong retrans_stamp (a value set at the start of the first fast
+recovery in the sequence). This can cause a very premature ETIMEDOUT,
+killing the connection prematurely.
+
+This commit changes the code to zero retrans_stamp when entering fast
+recovery, when this is known to be safe (no retransmits are out in the
+network). That ensures that when starting a fast recovery episode, and
+it is safe to do so, retrans_stamp is set when we send the fast
+retransmit packet. That addresses both bug (1) and bug (2) by ensuring
+that (if no retransmits are out when we start a fast recovery) we use
+the initial fast retransmit of this fast recovery as the time value
+for undo and ETIMEDOUT calculations.
+
+This makes intuitive sense, since the start of a new fast recovery
+episode (in a scenario where no lost packets are out in the network)
+means that the connection has made forward progress since the last RTO
+or fast recovery, and we should thus "restart the clock" used for both
+undo and ETIMEDOUT logic.
+
+Note that if when we start fast recovery there *are* retransmits out
+in the network, there can still be undesirable (1)/(2) issues. For
+example, after this patch we can still have the (1) and (2) problems
+in cases like this:
+
++ round 1: sender sends flight 1
+
++ round 2: sender receives SACKs and enters fast recovery 1,
+  retransmits some packets in flight 1 and then sends some new data as
+  flight 2
+
++ round 3: sender receives some SACKs for flight 2, notes losses, and
+  retransmits some packets to fill the holes in flight 2
+
++ fast recovery has some lost retransmits in flight 1 and continues
+  for one or more rounds sending retransmits for flight 1 and flight 2
+
++ fast recovery 1 completes when snd_una reaches high_seq at end of
+  flight 1
+
++ there are still holes in the SACK scoreboard in flight 2, so we
+  enter fast recovery 2, but some retransmits in the flight 2 sequence
+  range are still in flight (retrans_out > 0), so we can't execute the
+  new retrans_stamp=0 added here to clear retrans_stamp
+
+It's not yet clear how to fix these remaining (1)/(2) issues in an
+efficient way without breaking undo behavior, given that retrans_stamp
+is currently used for undo and ETIMEDOUT. Perhaps the optimal (but
+expensive) strategy would be to set retrans_stamp to the timestamp of
+the earliest outstanding retransmit when entering fast recovery. But
+at least this commit makes things better.
+
+Note that this does not change the semantics of retrans_stamp; it
+simply makes retrans_stamp accurate in some cases where it was not
+before:
+
+(1) Some loss recovery, followed by an immediate entry into a fast
+recovery, where there are no retransmits out when entering the fast
+recovery.
+
+(2) When a TFO server has a SYNACK retransmit that sets retrans_stamp,
+and then the ACK that completes the 3-way handshake has SACK blocks
+that trigger a fast recovery. In this case when entering fast recovery
+we want to zero out the retrans_stamp from the TFO SYNACK retransmit,
+and set the retrans_stamp based on the timestamp of the fast recovery.
+
+We introduce a tcp_retrans_stamp_cleanup() helper, because this
+two-line sequence already appears in 3 places and is about to appear
+in 2 more as a result of this bug fix patch series. Once this bug fix
+patches series in the net branch makes it into the net-next branch
+we'll update the 3 other call sites to use the new helper.
+
+This is a long-standing issue. The Fixes tag below is chosen to be the
+oldest commit at which the patch will apply cleanly, which is from
+Linux v3.5 in 2012.
+
+Fixes: 1fbc340514fc ("tcp: early retransmit: tcp_enter_recovery()")
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20241001200517.2756803-3-ncardwell.sw@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_input.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index e6d73f6131ceb..631e44c344454 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -2522,6 +2522,16 @@ static bool tcp_any_retrans_done(const struct sock *sk)
+       return false;
+ }
++/* If loss recovery is finished and there are no retransmits out in the
++ * network, then we clear retrans_stamp so that upon the next loss recovery
++ * retransmits_timed_out() and timestamp-undo are using the correct value.
++ */
++static void tcp_retrans_stamp_cleanup(struct sock *sk)
++{
++      if (!tcp_any_retrans_done(sk))
++              tcp_sk(sk)->retrans_stamp = 0;
++}
++
+ static void DBGUNDO(struct sock *sk, const char *msg)
+ {
+ #if FASTRETRANS_DEBUG > 1
+@@ -2889,6 +2899,9 @@ void tcp_enter_recovery(struct sock *sk, bool ece_ack)
+       struct tcp_sock *tp = tcp_sk(sk);
+       int mib_idx;
++      /* Start the clock with our fast retransmit, for undo and ETIMEDOUT. */
++      tcp_retrans_stamp_cleanup(sk);
++
+       if (tcp_is_reno(tp))
+               mib_idx = LINUX_MIB_TCPRENORECOVERY;
+       else
+-- 
+2.43.0
+
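Review bot: The comment on the new tcp_retrans_stamp_cleanup() opens with "If loss recovery is finished", yet the only caller added here, tcp_enter_recovery(), invokes it when a new fast recovery starts. The helper itself tests only `!tcp_any_retrans_done(sk)`, so the comment would match the code better as `/* If no retransmits are out in the network, clear retrans_stamp so that the next loss recovery's retransmits_timed_out() and timestamp-undo use the correct value. */`. The commit message says three existing call sites will adopt the helper later, which is presumably where the "finished" wording comes from. tcp_enter_recovery() continues outside the second hunk.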
diff --git a/queue-6.11/tcp-fix-tfo-syn_recv-to-not-zero-retrans_stamp-with-.patch b/queue-6.11/tcp-fix-tfo-syn_recv-to-not-zero-retrans_stamp-with-.patch
new file mode 100644 (file)
index 0000000..848fdbc
--- /dev/null
@@ -0,0 +1,63 @@
+From 9b0fa6e2be928e0fc2d169f0fcb80c07795562f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 20:05:17 +0000
+Subject: tcp: fix TFO SYN_RECV to not zero retrans_stamp with retransmits out
+
+From: Neal Cardwell <ncardwell@google.com>
+
+[ Upstream commit 27c80efcc20486c82698f05f00e288b44513c86b ]
+
+Fix tcp_rcv_synrecv_state_fastopen() to not zero retrans_stamp
+if retransmits are outstanding.
+
+tcp_fastopen_synack_timer() sets retrans_stamp, so typically we'll
+need to zero retrans_stamp here to prevent spurious
+retransmits_timed_out(). The logic to zero retrans_stamp is from this
+2019 commit:
+
+commit cd736d8b67fb ("tcp: fix retrans timestamp on passive Fast Open")
+
+However, in the corner case where the ACK of our TFO SYNACK carried
+some SACK blocks that caused us to enter TCP_CA_Recovery then that
+non-zero retrans_stamp corresponds to the active fast recovery, and we
+need to leave retrans_stamp with its current non-zero value, for
+correct ETIMEDOUT and undo behavior.
+
+Fixes: cd736d8b67fb ("tcp: fix retrans timestamp on passive Fast Open")
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20241001200517.2756803-4-ncardwell.sw@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_input.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 631e44c344454..889db23bfc05d 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -6677,10 +6677,17 @@ static void tcp_rcv_synrecv_state_fastopen(struct sock *sk)
+       if (inet_csk(sk)->icsk_ca_state == TCP_CA_Loss && !tp->packets_out)
+               tcp_try_undo_recovery(sk);
+-      /* Reset rtx states to prevent spurious retransmits_timed_out() */
+       tcp_update_rto_time(tp);
+-      tp->retrans_stamp = 0;
+       inet_csk(sk)->icsk_retransmits = 0;
++      /* In tcp_fastopen_synack_timer() on the first SYNACK RTO we set
++       * retrans_stamp but don't enter CA_Loss, so in case that happened we
++       * need to zero retrans_stamp here to prevent spurious
++       * retransmits_timed_out(). However, if the ACK of our SYNACK caused us
++       * to enter CA_Recovery then we need to leave retrans_stamp as it was
++       * set entering CA_Recovery, for correct retransmits_timed_out() and
++       * undo behavior.
++       */
++      tcp_retrans_stamp_cleanup(sk);
+       /* Once we leave TCP_SYN_RECV or TCP_FIN_WAIT_1,
+        * we no longer need req so release it.
+-- 
+2.43.0
+
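Review bot: The two reset lines kept in tcp_rcv_synrecv_state_fastopen(), `tcp_update_rto_time(tp);` and `inet_csk(sk)->icsk_retransmits = 0;`, lose the comment that explained them, because the new block comment covers only retrans_stamp. I would keep a one-line comment above them, e.g. `/* Reset rtx state; retrans_stamp is handled separately below. */`. The call to `tcp_retrans_stamp_cleanup()` also depends on the helper added by the preceding tcp_input.c patch in this queue (the index line here starts from that patch's post-image), so the two have to be applied in that order. The function body starts and ends outside the hunk.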
diff --git a/queue-6.11/tcp-fix-to-allow-timestamp-undo-if-no-retransmits-we.patch b/queue-6.11/tcp-fix-to-allow-timestamp-undo-if-no-retransmits-we.patch
new file mode 100644 (file)
index 0000000..c122b13
--- /dev/null
@@ -0,0 +1,96 @@
+From 76204ed63cc7e29e0eb8510b007b81fa45de3904 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 20:05:15 +0000
+Subject: tcp: fix to allow timestamp undo if no retransmits were sent
+
+From: Neal Cardwell <ncardwell@google.com>
+
+[ Upstream commit e37ab7373696e650d3b6262a5b882aadad69bb9e ]
+
+Fix the TCP loss recovery undo logic in tcp_packet_delayed() so that
+it can trigger undo even if TSQ prevents a fast recovery episode from
+reaching tcp_retransmit_skb().
+
+Geumhwan Yu <geumhwan.yu@samsung.com> recently reported that after
+this commit from 2019:
+
+commit bc9f38c8328e ("tcp: avoid unconditional congestion window undo
+on SYN retransmit")
+
+...and before this fix we could have buggy scenarios like the
+following:
+
++ Due to reordering, a TCP connection receives some SACKs and enters a
+  spurious fast recovery.
+
++ TSQ prevents all invocations of tcp_retransmit_skb(), because many
+  skbs are queued in lower layers of the sending machine's network
+  stack; thus tp->retrans_stamp remains 0.
+
++ The connection receives a TCP timestamp ECR value echoing a
+  timestamp before the fast recovery, indicating that the fast
+  recovery was spurious.
+
++ The connection fails to undo the spurious fast recovery because
+  tp->retrans_stamp is 0, and thus tcp_packet_delayed() returns false,
+  due to the new logic in the 2019 commit: commit bc9f38c8328e ("tcp:
+  avoid unconditional congestion window undo on SYN retransmit")
+
+This fix tweaks the logic to be more similar to the
+tcp_packet_delayed() logic before bc9f38c8328e, except that we take
+care not to be fooled by the FLAG_SYN_ACKED code path zeroing out
+tp->retrans_stamp (the bug noted and fixed by Yuchung in
+bc9f38c8328e).
+
+Note that this returns the high-level behavior of tcp_packet_delayed()
+to again match the comment for the function, which says: "Nothing was
+retransmitted or returned timestamp is less than timestamp of the
+first retransmission." Note that this comment is in the original
+2005-04-16 Linux git commit, so this is evidently long-standing
+behavior.
+
+Fixes: bc9f38c8328e ("tcp: avoid unconditional congestion window undo on SYN retransmit")
+Reported-by: Geumhwan Yu <geumhwan.yu@samsung.com>
+Diagnosed-by: Geumhwan Yu <geumhwan.yu@samsung.com>
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20241001200517.2756803-2-ncardwell.sw@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_input.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index e37488d3453f0..e6d73f6131ceb 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -2473,8 +2473,22 @@ static bool tcp_skb_spurious_retrans(const struct tcp_sock *tp,
+  */
+ static inline bool tcp_packet_delayed(const struct tcp_sock *tp)
+ {
+-      return tp->retrans_stamp &&
+-             tcp_tsopt_ecr_before(tp, tp->retrans_stamp);
++      const struct sock *sk = (const struct sock *)tp;
++
++      if (tp->retrans_stamp &&
++          tcp_tsopt_ecr_before(tp, tp->retrans_stamp))
++              return true;  /* got echoed TS before first retransmission */
++
++      /* Check if nothing was retransmitted (retrans_stamp==0), which may
++       * happen in fast recovery due to TSQ. But we ignore zero retrans_stamp
++       * in TCP_SYN_SENT, since when we set FLAG_SYN_ACKED we also clear
++       * retrans_stamp even if we had retransmitted the SYN.
++       */
++      if (!tp->retrans_stamp &&          /* no record of a retransmit/SYN? */
++          sk->sk_state != TCP_SYN_SENT)  /* not the FLAG_SYN_ACKED case? */
++              return true;  /* nothing was retransmitted */
++
++      return false;
+ }
+ /* Undo procedures. */
+-- 
+2.43.0
+
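Review bot: The cast `const struct sock *sk = (const struct sock *)tp;` in tcp_packet_delayed() silently relies on struct sock sitting at offset 0 of struct tcp_sock; a short comment such as `/* tcp_sock begins with struct sock (via inet_connection_sock/inet_sock) */` would make that dependency explicit. The second branch is also worth a sentence in the function's header comment: it returns true without consulting the echoed timestamp at all, so the result is only meaningful once the callers (outside this hunk) have established that an undo is actually pending. The function's leading comment begins outside the hunk, so its current wording cannot be checked from here.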
diff --git a/queue-6.11/thermal-intel-int340x-processor-fix-warning-during-m.patch b/queue-6.11/thermal-intel-int340x-processor-fix-warning-during-m.patch
new file mode 100644 (file)
index 0000000..7891224
--- /dev/null
@@ -0,0 +1,82 @@
+From a57d35a14575a02b9ccdcf614af9aaa4749ba0ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2024 16:17:57 +0800
+Subject: thermal: intel: int340x: processor: Fix warning during module unload
+
+From: Zhang Rui <rui.zhang@intel.com>
+
+[ Upstream commit 99ca0b57e49fb73624eede1c4396d9e3d10ccf14 ]
+
+The processor_thermal driver uses pcim_device_enable() to enable a PCI
+device, which means the device will be automatically disabled on driver
+detach.  Thus there is no need to call pci_disable_device() again on it.
+
+With recent PCI device resource management improvements, e.g. commit
+f748a07a0b64 ("PCI: Remove legacy pcim_release()"), this problem is
+exposed and triggers the warining below.
+
+ [  224.010735] proc_thermal_pci 0000:00:04.0: disabling already-disabled device
+ [  224.010747] WARNING: CPU: 8 PID: 4442 at drivers/pci/pci.c:2250 pci_disable_device+0xe5/0x100
+ ...
+ [  224.010844] Call Trace:
+ [  224.010845]  <TASK>
+ [  224.010847]  ? show_regs+0x6d/0x80
+ [  224.010851]  ? __warn+0x8c/0x140
+ [  224.010854]  ? pci_disable_device+0xe5/0x100
+ [  224.010856]  ? report_bug+0x1c9/0x1e0
+ [  224.010859]  ? handle_bug+0x46/0x80
+ [  224.010862]  ? exc_invalid_op+0x1d/0x80
+ [  224.010863]  ? asm_exc_invalid_op+0x1f/0x30
+ [  224.010867]  ? pci_disable_device+0xe5/0x100
+ [  224.010869]  ? pci_disable_device+0xe5/0x100
+ [  224.010871]  ? kfree+0x21a/0x2b0
+ [  224.010873]  pcim_disable_device+0x20/0x30
+ [  224.010875]  devm_action_release+0x16/0x20
+ [  224.010878]  release_nodes+0x47/0xc0
+ [  224.010880]  devres_release_all+0x9f/0xe0
+ [  224.010883]  device_unbind_cleanup+0x12/0x80
+ [  224.010885]  device_release_driver_internal+0x1ca/0x210
+ [  224.010887]  driver_detach+0x4e/0xa0
+ [  224.010889]  bus_remove_driver+0x6f/0xf0
+ [  224.010890]  driver_unregister+0x35/0x60
+ [  224.010892]  pci_unregister_driver+0x44/0x90
+ [  224.010894]  proc_thermal_pci_driver_exit+0x14/0x5f0 [processor_thermal_device_pci]
+ ...
+ [  224.010921] ---[ end trace 0000000000000000 ]---
+
+Remove the excess pci_disable_device() calls.
+
+Fixes: acd65d5d1cf4 ("thermal/drivers/int340x/processor_thermal: Add PCI MMIO based thermal driver")
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Reviewed-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Link: https://patch.msgid.link/20240930081801.28502-3-rui.zhang@intel.com
+[ rjw: Subject and changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../intel/int340x_thermal/processor_thermal_device_pci.c        | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/thermal/intel/int340x_thermal/processor_thermal_device_pci.c b/drivers/thermal/intel/int340x_thermal/processor_thermal_device_pci.c
+index 0066149218702..ba5d36d36fc40 100644
+--- a/drivers/thermal/intel/int340x_thermal/processor_thermal_device_pci.c
++++ b/drivers/thermal/intel/int340x_thermal/processor_thermal_device_pci.c
+@@ -416,7 +416,6 @@ static int proc_thermal_pci_probe(struct pci_dev *pdev, const struct pci_device_
+       if (!pci_info->no_legacy)
+               proc_thermal_remove(proc_priv);
+       proc_thermal_mmio_remove(pdev, proc_priv);
+-      pci_disable_device(pdev);
+       return ret;
+ }
+@@ -438,7 +437,6 @@ static void proc_thermal_pci_remove(struct pci_dev *pdev)
+       proc_thermal_mmio_remove(pdev, pci_info->proc_priv);
+       if (!pci_info->no_legacy)
+               proc_thermal_remove(proc_priv);
+-      pci_disable_device(pdev);
+ }
+ #ifdef CONFIG_PM_SLEEP
+-- 
+2.43.0
+
diff --git a/queue-6.11/vxlan-handle-error-of-rtnl_register_module.patch b/queue-6.11/vxlan-handle-error-of-rtnl_register_module.patch
new file mode 100644 (file)
index 0000000..efdc12a
--- /dev/null
@@ -0,0 +1,98 @@
+From 9677b116d7ac036f0a4f940369d6f90a69ac9eae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 11:47:33 -0700
+Subject: vxlan: Handle error of rtnl_register_module().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 78b7b991838a4a6baeaad934addc4db2c5917eb8 ]
+
+Since introduced, vxlan_vnifilter_init() has been ignoring the
+returned value of rtnl_register_module(), which could fail silently.
+
+Handling the error allows users to view a module as an all-or-nothing
+thing in terms of the rtnetlink functionality.  This prevents syzkaller
+from reporting spurious errors from its tests, where OOM often occurs
+and module is automatically loaded.
+
+Let's handle the errors by rtnl_register_many().
+
+Fixes: f9c4bb0b245c ("vxlan: vni filtering support on collect metadata device")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vxlan/vxlan_core.c      |  6 +++++-
+ drivers/net/vxlan/vxlan_private.h   |  2 +-
+ drivers/net/vxlan/vxlan_vnifilter.c | 19 +++++++++----------
+ 3 files changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
+index ba59e92ab941d..02919c529dc2d 100644
+--- a/drivers/net/vxlan/vxlan_core.c
++++ b/drivers/net/vxlan/vxlan_core.c
+@@ -4913,9 +4913,13 @@ static int __init vxlan_init_module(void)
+       if (rc)
+               goto out4;
+-      vxlan_vnifilter_init();
++      rc = vxlan_vnifilter_init();
++      if (rc)
++              goto out5;
+       return 0;
++out5:
++      rtnl_link_unregister(&vxlan_link_ops);
+ out4:
+       unregister_switchdev_notifier(&vxlan_switchdev_notifier_block);
+ out3:
+diff --git a/drivers/net/vxlan/vxlan_private.h b/drivers/net/vxlan/vxlan_private.h
+index b35d96b788437..76a351a997d51 100644
+--- a/drivers/net/vxlan/vxlan_private.h
++++ b/drivers/net/vxlan/vxlan_private.h
+@@ -202,7 +202,7 @@ int vxlan_vni_in_use(struct net *src_net, struct vxlan_dev *vxlan,
+ int vxlan_vnigroup_init(struct vxlan_dev *vxlan);
+ void vxlan_vnigroup_uninit(struct vxlan_dev *vxlan);
+-void vxlan_vnifilter_init(void);
++int vxlan_vnifilter_init(void);
+ void vxlan_vnifilter_uninit(void);
+ void vxlan_vnifilter_count(struct vxlan_dev *vxlan, __be32 vni,
+                          struct vxlan_vni_node *vninode,
+diff --git a/drivers/net/vxlan/vxlan_vnifilter.c b/drivers/net/vxlan/vxlan_vnifilter.c
+index 9c59d0bf8c3de..d2023e7131bd4 100644
+--- a/drivers/net/vxlan/vxlan_vnifilter.c
++++ b/drivers/net/vxlan/vxlan_vnifilter.c
+@@ -992,19 +992,18 @@ static int vxlan_vnifilter_process(struct sk_buff *skb, struct nlmsghdr *nlh,
+       return err;
+ }
+-void vxlan_vnifilter_init(void)
++static const struct rtnl_msg_handler vxlan_vnifilter_rtnl_msg_handlers[] = {
++      {THIS_MODULE, PF_BRIDGE, RTM_GETTUNNEL, NULL, vxlan_vnifilter_dump, 0},
++      {THIS_MODULE, PF_BRIDGE, RTM_NEWTUNNEL, vxlan_vnifilter_process, NULL, 0},
++      {THIS_MODULE, PF_BRIDGE, RTM_DELTUNNEL, vxlan_vnifilter_process, NULL, 0},
++};
++
++int vxlan_vnifilter_init(void)
+ {
+-      rtnl_register_module(THIS_MODULE, PF_BRIDGE, RTM_GETTUNNEL, NULL,
+-                           vxlan_vnifilter_dump, 0);
+-      rtnl_register_module(THIS_MODULE, PF_BRIDGE, RTM_NEWTUNNEL,
+-                           vxlan_vnifilter_process, NULL, 0);
+-      rtnl_register_module(THIS_MODULE, PF_BRIDGE, RTM_DELTUNNEL,
+-                           vxlan_vnifilter_process, NULL, 0);
++      return rtnl_register_many(vxlan_vnifilter_rtnl_msg_handlers);
+ }
+ void vxlan_vnifilter_uninit(void)
+ {
+-      rtnl_unregister(PF_BRIDGE, RTM_GETTUNNEL);
+-      rtnl_unregister(PF_BRIDGE, RTM_NEWTUNNEL);
+-      rtnl_unregister(PF_BRIDGE, RTM_DELTUNNEL);
++      rtnl_unregister_many(vxlan_vnifilter_rtnl_msg_handlers);
+ }
+-- 
+2.43.0
+
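Review bot: The entries of `vxlan_vnifilter_rtnl_msg_handlers[]` use positional initializers, so the only thing separating a doit handler from a dumpit handler is which slot holds `NULL`; designated initializers would read better and survive a field reorder, e.g. `{.owner = THIS_MODULE, .protocol = PF_BRIDGE, .msgtype = RTM_GETTUNNEL, .dumpit = vxlan_vnifilter_dump},`. The RTM_NEWTUNNEL and RTM_DELTUNNEL entries would take the same form with `.doit = vxlan_vnifilter_process`. In vxlan_core.c the new `out5:` label undoes only `rtnl_link_unregister(&vxlan_link_ops)` before falling through to `out4:`; vxlan_init_module() starts and ends outside the hunk, so whether that matches the full registration order cannot be confirmed from here.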
diff --git a/queue-6.11/x86-amd_nb-add-new-pci-ids-for-amd-family-1ah-model-.patch b/queue-6.11/x86-amd_nb-add-new-pci-ids-for-amd-family-1ah-model-.patch
new file mode 100644 (file)
index 0000000..94ef1e4
--- /dev/null
@@ -0,0 +1,79 @@
+From 01663207001efefa5e50e19f1b137a83058aa2ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 14:58:01 +0530
+Subject: x86/amd_nb: Add new PCI IDs for AMD family 1Ah model 60h
+
+From: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
+
+[ Upstream commit 59c34008d3bdeef4c8ebc0ed2426109b474334d4 ]
+
+Add new PCI device IDs into the root IDs and miscellaneous IDs lists to
+provide support for the latest generation of AMD 1Ah family 60h processor
+models.
+
+Signed-off-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Yazen Ghannam <yazen.ghannam@amd.com>
+Link: https://lore.kernel.org/r/20240722092801.3480266-1-Shyam-sundar.S-k@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/amd_nb.c | 3 +++
+ drivers/hwmon/k10temp.c  | 1 +
+ include/linux/pci_ids.h  | 1 +
+ 3 files changed, 5 insertions(+)
+
+diff --git a/arch/x86/kernel/amd_nb.c b/arch/x86/kernel/amd_nb.c
+index 059e5c16af054..61eadde085114 100644
+--- a/arch/x86/kernel/amd_nb.c
++++ b/arch/x86/kernel/amd_nb.c
+@@ -26,6 +26,7 @@
+ #define PCI_DEVICE_ID_AMD_19H_M70H_ROOT               0x14e8
+ #define PCI_DEVICE_ID_AMD_1AH_M00H_ROOT               0x153a
+ #define PCI_DEVICE_ID_AMD_1AH_M20H_ROOT               0x1507
++#define PCI_DEVICE_ID_AMD_1AH_M60H_ROOT               0x1122
+ #define PCI_DEVICE_ID_AMD_MI200_ROOT          0x14bb
+ #define PCI_DEVICE_ID_AMD_MI300_ROOT          0x14f8
+@@ -63,6 +64,7 @@ static const struct pci_device_id amd_root_ids[] = {
+       { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_19H_M70H_ROOT) },
+       { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_1AH_M00H_ROOT) },
+       { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_1AH_M20H_ROOT) },
++      { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_1AH_M60H_ROOT) },
+       { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_MI200_ROOT) },
+       { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_MI300_ROOT) },
+       {}
+@@ -95,6 +97,7 @@ static const struct pci_device_id amd_nb_misc_ids[] = {
+       { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_19H_M78H_DF_F3) },
+       { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_1AH_M00H_DF_F3) },
+       { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_1AH_M20H_DF_F3) },
++      { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_1AH_M60H_DF_F3) },
+       { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_1AH_M70H_DF_F3) },
+       { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_MI200_DF_F3) },
+       { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_MI300_DF_F3) },
+diff --git a/drivers/hwmon/k10temp.c b/drivers/hwmon/k10temp.c
+index 543526bac0425..f96b91e433126 100644
+--- a/drivers/hwmon/k10temp.c
++++ b/drivers/hwmon/k10temp.c
+@@ -548,6 +548,7 @@ static const struct pci_device_id k10temp_id_table[] = {
+       { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_19H_M78H_DF_F3) },
+       { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_1AH_M00H_DF_F3) },
+       { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_1AH_M20H_DF_F3) },
++      { PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_1AH_M60H_DF_F3) },
+       { PCI_VDEVICE(HYGON, PCI_DEVICE_ID_AMD_17H_DF_F3) },
+       {}
+ };
+diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h
+index 2c94d4004dd50..e4bddb9277956 100644
+--- a/include/linux/pci_ids.h
++++ b/include/linux/pci_ids.h
+@@ -580,6 +580,7 @@
+ #define PCI_DEVICE_ID_AMD_19H_M78H_DF_F3 0x12fb
+ #define PCI_DEVICE_ID_AMD_1AH_M00H_DF_F3 0x12c3
+ #define PCI_DEVICE_ID_AMD_1AH_M20H_DF_F3 0x16fb
++#define PCI_DEVICE_ID_AMD_1AH_M60H_DF_F3 0x124b
+ #define PCI_DEVICE_ID_AMD_1AH_M70H_DF_F3 0x12bb
+ #define PCI_DEVICE_ID_AMD_MI200_DF_F3 0x14d3
+ #define PCI_DEVICE_ID_AMD_MI300_DF_F3 0x152b
+-- 
+2.43.0
+
diff --git a/queue-6.11/x86-xen-mark-boot-cpu-of-pv-guest-in-msr_ia32_apicba.patch b/queue-6.11/x86-xen-mark-boot-cpu-of-pv-guest-in-msr_ia32_apicba.patch
new file mode 100644 (file)
index 0000000..dab5b25
--- /dev/null
@@ -0,0 +1,40 @@
+From 46c21eeb719b96f822c7bef8acc35b326ac28ae9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2024 12:22:12 +0200
+Subject: x86/xen: mark boot CPU of PV guest in MSR_IA32_APICBASE
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit bf56c410162dbf2e27906acbdcd904cbbfdba302 ]
+
+Recent topology checks of the x86 boot code uncovered the need for
+PV guests to have the boot cpu marked in the APICBASE MSR.
+
+Fixes: 9d22c96316ac ("x86/topology: Handle bogus ACPI tables correctly")
+Reported-by: Niels Dettenbach <nd@syndicat.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/enlighten_pv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
+index 2c12ae42dc8bd..d6818c6cafda1 100644
+--- a/arch/x86/xen/enlighten_pv.c
++++ b/arch/x86/xen/enlighten_pv.c
+@@ -1032,6 +1032,10 @@ static u64 xen_do_read_msr(unsigned int msr, int *err)
+       switch (msr) {
+       case MSR_IA32_APICBASE:
+               val &= ~X2APIC_ENABLE;
++              if (smp_processor_id() == 0)
++                      val |= MSR_IA32_APICBASE_BSP;
++              else
++                      val &= ~MSR_IA32_APICBASE_BSP;
+               break;
+       }
+       return val;
+-- 
+2.43.0
+
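Review bot: The added branch in xen_do_read_msr() has no comment saying why the BSP bit is synthesized, and it equates logical CPU 0 with the boot CPU without stating that assumption. A comment above the `if` would record both, e.g. `/* PV guests: report the BSP flag only on the boot CPU (CPU 0); the topology code checks it. */`. If this read path can be reached with preemption enabled (not visible here), `smp_processor_id()` would additionally warn under CONFIG_DEBUG_PREEMPT, which is worth confirming against the callers. The function starts and ends outside the hunk.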