--- /dev/null
+From 6014a77f11504d5929fcdc11aca50b3c0d089728 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Nov 2022 10:24:11 +0900
+Subject: af_unix: Get user_ns from in_skb in unix_diag_get_exact().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit b3abe42e94900bdd045c472f9c9be620ba5ce553 ]
+
+Wei Chen reported a NULL deref in sk_user_ns() [0][1], and Paolo diagnosed
+the root cause: in unix_diag_get_exact(), the newly allocated skb does not
+have sk. [2]
+
+We must get the user_ns from the NETLINK_CB(in_skb).sk and pass it to
+sk_diag_fill().
+
+[0]:
+BUG: kernel NULL pointer dereference, address: 0000000000000270
+#PF: supervisor read access in kernel mode
+#PF: error_code(0x0000) - not-present page
+PGD 12bbce067 P4D 12bbce067 PUD 12bc40067 PMD 0
+Oops: 0000 [#1] PREEMPT SMP
+CPU: 0 PID: 27942 Comm: syz-executor.0 Not tainted 6.1.0-rc5-next-20221118 #2
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
+RIP: 0010:sk_user_ns include/net/sock.h:920 [inline]
+RIP: 0010:sk_diag_dump_uid net/unix/diag.c:119 [inline]
+RIP: 0010:sk_diag_fill+0x77d/0x890 net/unix/diag.c:170
+Code: 89 ef e8 66 d4 2d fd c7 44 24 40 00 00 00 00 49 8d 7c 24 18 e8
+54 d7 2d fd 49 8b 5c 24 18 48 8d bb 70 02 00 00 e8 43 d7 2d fd <48> 8b
+9b 70 02 00 00 48 8d 7b 10 e8 33 d7 2d fd 48 8b 5b 10 48 8d
+RSP: 0018:ffffc90000d67968 EFLAGS: 00010246
+RAX: ffff88812badaa48 RBX: 0000000000000000 RCX: ffffffff840d481d
+RDX: 0000000000000465 RSI: 0000000000000000 RDI: 0000000000000270
+RBP: ffffc90000d679a8 R08: 0000000000000277 R09: 0000000000000000
+R10: 0001ffffffffffff R11: 0001c90000d679a8 R12: ffff88812ac03800
+R13: ffff88812c87c400 R14: ffff88812ae42210 R15: ffff888103026940
+FS: 00007f08b4e6f700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000270 CR3: 000000012c58b000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ unix_diag_get_exact net/unix/diag.c:285 [inline]
+ unix_diag_handler_dump+0x3f9/0x500 net/unix/diag.c:317
+ __sock_diag_cmd net/core/sock_diag.c:235 [inline]
+ sock_diag_rcv_msg+0x237/0x250 net/core/sock_diag.c:266
+ netlink_rcv_skb+0x13e/0x250 net/netlink/af_netlink.c:2564
+ sock_diag_rcv+0x24/0x40 net/core/sock_diag.c:277
+ netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
+ netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1356
+ netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1932
+ sock_sendmsg_nosec net/socket.c:714 [inline]
+ sock_sendmsg net/socket.c:734 [inline]
+ ____sys_sendmsg+0x38f/0x500 net/socket.c:2476
+ ___sys_sendmsg net/socket.c:2530 [inline]
+ __sys_sendmsg+0x197/0x230 net/socket.c:2559
+ __do_sys_sendmsg net/socket.c:2568 [inline]
+ __se_sys_sendmsg net/socket.c:2566 [inline]
+ __x64_sys_sendmsg+0x42/0x50 net/socket.c:2566
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x4697f9
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48
+89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
+01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f08b4e6ec48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 000000000077bf80 RCX: 00000000004697f9
+RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
+RBP: 00000000004d29e9 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf80
+R13: 0000000000000000 R14: 000000000077bf80 R15: 00007ffdb36bc6c0
+ </TASK>
+Modules linked in:
+CR2: 0000000000000270
+
+[1]: https://lore.kernel.org/netdev/CAO4mrfdvyjFpokhNsiwZiP-wpdSD0AStcJwfKcKQdAALQ9_2Qw@mail.gmail.com/
+[2]: https://lore.kernel.org/netdev/e04315e7c90d9a75613f3993c2baf2d344eef7eb.camel@redhat.com/
+
+Fixes: cae9910e7344 ("net: Add UNIX_DIAG_UID to Netlink UNIX socket diagnostics.")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Reported-by: Wei Chen <harperchen1110@gmail.com>
+Diagnosed-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/diag.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/net/unix/diag.c b/net/unix/diag.c
+index 7e7d7f45685a..e534e327a6a5 100644
+--- a/net/unix/diag.c
++++ b/net/unix/diag.c
+@@ -113,14 +113,16 @@ static int sk_diag_show_rqlen(struct sock *sk, struct sk_buff *nlskb)
+ return nla_put(nlskb, UNIX_DIAG_RQLEN, sizeof(rql), &rql);
+ }
+
+-static int sk_diag_dump_uid(struct sock *sk, struct sk_buff *nlskb)
++static int sk_diag_dump_uid(struct sock *sk, struct sk_buff *nlskb,
++ struct user_namespace *user_ns)
+ {
+- uid_t uid = from_kuid_munged(sk_user_ns(nlskb->sk), sock_i_uid(sk));
++ uid_t uid = from_kuid_munged(user_ns, sock_i_uid(sk));
+ return nla_put(nlskb, UNIX_DIAG_UID, sizeof(uid_t), &uid);
+ }
+
+ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct unix_diag_req *req,
+- u32 portid, u32 seq, u32 flags, int sk_ino)
++ struct user_namespace *user_ns,
++ u32 portid, u32 seq, u32 flags, int sk_ino)
+ {
+ struct nlmsghdr *nlh;
+ struct unix_diag_msg *rep;
+@@ -166,7 +168,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct unix_diag_r
+ goto out_nlmsg_trim;
+
+ if ((req->udiag_show & UDIAG_SHOW_UID) &&
+- sk_diag_dump_uid(sk, skb))
++ sk_diag_dump_uid(sk, skb, user_ns))
+ goto out_nlmsg_trim;
+
+ nlmsg_end(skb, nlh);
+@@ -178,7 +180,8 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct unix_diag_r
+ }
+
+ static int sk_diag_dump(struct sock *sk, struct sk_buff *skb, struct unix_diag_req *req,
+- u32 portid, u32 seq, u32 flags)
++ struct user_namespace *user_ns,
++ u32 portid, u32 seq, u32 flags)
+ {
+ int sk_ino;
+
+@@ -189,7 +192,7 @@ static int sk_diag_dump(struct sock *sk, struct sk_buff *skb, struct unix_diag_r
+ if (!sk_ino)
+ return 0;
+
+- return sk_diag_fill(sk, skb, req, portid, seq, flags, sk_ino);
++ return sk_diag_fill(sk, skb, req, user_ns, portid, seq, flags, sk_ino);
+ }
+
+ static int unix_diag_dump(struct sk_buff *skb, struct netlink_callback *cb)
+@@ -217,7 +220,7 @@ static int unix_diag_dump(struct sk_buff *skb, struct netlink_callback *cb)
+ goto next;
+ if (!(req->udiag_states & (1 << sk->sk_state)))
+ goto next;
+- if (sk_diag_dump(sk, skb, req,
++ if (sk_diag_dump(sk, skb, req, sk_user_ns(skb->sk),
+ NETLINK_CB(cb->skb).portid,
+ cb->nlh->nlmsg_seq,
+ NLM_F_MULTI) < 0)
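Review bot: The dump path in unix_diag_dump() still takes the namespace from `skb->sk`, the reply buffer, while the exact-lookup path fixed by this commit now takes it from the request's control block. The commit message attributes the NULL dereference to a reply skb that had no `sk`, and whether the dump skb always has an owner is not visible in this hunk. I would either read it from the request, `sk_user_ns(NETLINK_CB(cb->skb).sk)`, matching the `NETLINK_CB(cb->skb).portid` argument on the next line, or add a comment stating why `skb->sk` cannot be NULL here. The body of unix_diag_dump() starts and ends outside the hunk.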
+@@ -285,7 +288,8 @@ static int unix_diag_get_exact(struct sk_buff *in_skb,
+ if (!rep)
+ goto out;
+
+- err = sk_diag_fill(sk, rep, req, NETLINK_CB(in_skb).portid,
++ err = sk_diag_fill(sk, rep, req, sk_user_ns(NETLINK_CB(in_skb).sk),
++ NETLINK_CB(in_skb).portid,
+ nlh->nlmsg_seq, 0, req->udiag_ino);
+ if (err < 0) {
+ nlmsg_free(rep);
+--
+2.35.1
+
--- /dev/null
+From ad87171b3cee02bf6549470202cf014da959d77e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Sep 2021 23:00:00 +0900
+Subject: block: move CONFIG_BLOCK guard to top Makefile
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit 4c928904ff771a8e830773b71a080047365324a5 ]
+
+Every object under block/ depends on CONFIG_BLOCK.
+
+Move the guard to the top Makefile since there is no point to
+descend into block/ if CONFIG_BLOCK=n.
+
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20210927140000.866249-5-masahiroy@kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: 998b30c3948e ("io_uring: Fix a null-ptr-deref in io_tctx_exit_cb()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Makefile | 3 ++-
+ block/Makefile | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index bc1cf1200b62..0acea54c2ffd 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1150,7 +1150,8 @@ export MODORDER := $(extmod_prefix)modules.order
+ export MODULES_NSDEPS := $(extmod_prefix)modules.nsdeps
+
+ ifeq ($(KBUILD_EXTMOD),)
+-core-y += kernel/ certs/ mm/ fs/ ipc/ security/ crypto/ block/
++core-y += kernel/ certs/ mm/ fs/ ipc/ security/ crypto/
++core-$(CONFIG_BLOCK) += block/
+
+ vmlinux-dirs := $(patsubst %/,%,$(filter %/, \
+ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
+diff --git a/block/Makefile b/block/Makefile
+index 41aa1ba69c90..74df168729ec 100644
+--- a/block/Makefile
++++ b/block/Makefile
+@@ -3,7 +3,7 @@
+ # Makefile for the kernel block layer
+ #
+
+-obj-$(CONFIG_BLOCK) := bdev.o fops.o bio.o elevator.o blk-core.o blk-sysfs.o \
++obj-y := bdev.o fops.o bio.o elevator.o blk-core.o blk-sysfs.o \
+ blk-flush.o blk-settings.o blk-ioc.o blk-map.o \
+ blk-exec.o blk-merge.o blk-timeout.o \
+ blk-lib.o blk-mq.o blk-mq-tag.o blk-stat.o \
+--
+2.35.1
+
--- /dev/null
+From 60eab57f952b66ce6a7b40b9c870888d9fb41fb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 17:37:26 +0800
+Subject: Bluetooth: 6LoWPAN: add missing hci_dev_put() in get_l2cap_conn()
+
+From: Wang ShaoBo <bobo.shaobowang@huawei.com>
+
+[ Upstream commit 747da1308bdd5021409974f9180f0d8ece53d142 ]
+
+hci_get_route() takes reference, we should use hci_dev_put() to release
+it when not need anymore.
+
+Fixes: 6b8d4a6a0314 ("Bluetooth: 6LoWPAN: Use connected oriented channel instead of fixed one")
+Signed-off-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/6lowpan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
+index fd164a248569..580b0940f067 100644
+--- a/net/bluetooth/6lowpan.c
++++ b/net/bluetooth/6lowpan.c
+@@ -971,6 +971,7 @@ static int get_l2cap_conn(char *buf, bdaddr_t *addr, u8 *addr_type,
+ hci_dev_lock(hdev);
+ hcon = hci_conn_hash_lookup_le(hdev, addr, *addr_type);
+ hci_dev_unlock(hdev);
++ hci_dev_put(hdev);
+
+ if (!hcon)
+ return -ENOENT;
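Review bot: `hcon` is tested after both `hci_dev_unlock(hdev)` and the new `hci_dev_put(hdev)`, and nothing in this hunk takes a reference on the connection itself. If the rest of get_l2cap_conn(), which is outside the hunk, dereferences `hcon`, its lifetime depends on something not shown here. A short comment naming what keeps the connection alive, or pinning it with `hci_conn_get()` until the caller is done, would make that reviewable. The put itself matches the reference the commit message says hci_get_route() takes.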
+--
+2.35.1
+
--- /dev/null
+From d2f4660629f716363c8985cf2177cf018046b995 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Nov 2022 17:25:56 +0800
+Subject: Bluetooth: Fix not cleanup led when bt_init fails
+
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+
+[ Upstream commit 2f3957c7eb4e07df944169a3e50a4d6790e1c744 ]
+
+bt_init() calls bt_leds_init() to register led, but if it fails later,
+bt_leds_cleanup() is not called to unregister it.
+
+This can cause panic if the argument "bluetooth-power" in text is freed
+and then another led_trigger_register() tries to access it:
+
+BUG: unable to handle page fault for address: ffffffffc06d3bc0
+RIP: 0010:strcmp+0xc/0x30
+ Call Trace:
+ <TASK>
+ led_trigger_register+0x10d/0x4f0
+ led_trigger_register_simple+0x7d/0x100
+ bt_init+0x39/0xf7 [bluetooth]
+ do_one_initcall+0xd0/0x4e0
+
+Fixes: e64c97b53bc6 ("Bluetooth: Add combined LED trigger for controller power")
+Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/af_bluetooth.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
+index 1661979b6a6e..ce744b14d1a9 100644
+--- a/net/bluetooth/af_bluetooth.c
++++ b/net/bluetooth/af_bluetooth.c
+@@ -736,7 +736,7 @@ static int __init bt_init(void)
+
+ err = bt_sysfs_init();
+ if (err < 0)
+- return err;
++ goto cleanup_led;
+
+ err = sock_register(&bt_sock_family_ops);
+ if (err)
+@@ -772,6 +772,8 @@ static int __init bt_init(void)
+ sock_unregister(PF_BLUETOOTH);
+ cleanup_sysfs:
+ bt_sysfs_cleanup();
++cleanup_led:
++ bt_leds_cleanup();
+ return err;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 4aaf80e25b44b456a90db2290a8422cfd9fa5f69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 01:22:01 +0100
+Subject: ca8210: Fix crash by zero initializing data
+
+From: Hauke Mehrtens <hauke@hauke-m.de>
+
+[ Upstream commit 1e24c54da257ab93cff5826be8a793b014a5dc9c ]
+
+The struct cas_control embeds multiple generic SPI structures and we
+have to make sure these structures are initialized to default values.
+This driver does not set all attributes. When using kmalloc before some
+attributes were not initialized and contained random data which caused
+random crashes at bootup.
+
+Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver")
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+Link: https://lore.kernel.org/r/20221121002201.1339636-1-hauke@hauke-m.de
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/ca8210.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
+index 96592a20c61f..0362917fce7a 100644
+--- a/drivers/net/ieee802154/ca8210.c
++++ b/drivers/net/ieee802154/ca8210.c
+@@ -927,7 +927,7 @@ static int ca8210_spi_transfer(
+
+ dev_dbg(&spi->dev, "%s called\n", __func__);
+
+- cas_ctl = kmalloc(sizeof(*cas_ctl), GFP_ATOMIC);
++ cas_ctl = kzalloc(sizeof(*cas_ctl), GFP_ATOMIC);
+ if (!cas_ctl)
+ return -ENOMEM;
+
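Review bot: The reason for `kzalloc()` is recorded only in the commit message, so a later cleanup could switch back to `kmalloc()` and bring back the uninitialised fields. I would add a comment above the allocation, for example `/* must be zeroed: cas_ctl embeds SPI structures and not every field is set by this driver */`. The body of ca8210_spi_transfer() continues outside the hunk.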
+--
+2.35.1
+
--- /dev/null
+From 9cded52bb953e20d12be869f06a6524f5aba416c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 21:22:42 +0100
+Subject: can: esd_usb: Allow REC and TEC to return to zero
+
+From: Frank Jungclaus <frank.jungclaus@esd.eu>
+
+[ Upstream commit 918ee4911f7a41fb4505dff877c1d7f9f64eb43e ]
+
+We don't get any further EVENT from an esd CAN USB device for changes
+on REC or TEC while those counters converge to 0 (with ecc == 0). So
+when handling the "Back to Error Active"-event force txerr = rxerr =
+0, otherwise the berr-counters might stay on values like 95 forever.
+
+Also, to make life easier during the ongoing development a
+netdev_dbg() has been introduced to allow dumping error events send by
+an esd CAN USB device.
+
+Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device")
+Signed-off-by: Frank Jungclaus <frank.jungclaus@esd.eu>
+Link: https://lore.kernel.org/all/20221130202242.3998219-2-frank.jungclaus@esd.eu
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/esd_usb2.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/can/usb/esd_usb2.c b/drivers/net/can/usb/esd_usb2.c
+index c6068a251fbe..9ed048cb07e6 100644
+--- a/drivers/net/can/usb/esd_usb2.c
++++ b/drivers/net/can/usb/esd_usb2.c
+@@ -227,6 +227,10 @@ static void esd_usb2_rx_event(struct esd_usb2_net_priv *priv,
+ u8 rxerr = msg->msg.rx.data[2];
+ u8 txerr = msg->msg.rx.data[3];
+
++ netdev_dbg(priv->netdev,
++ "CAN_ERR_EV_EXT: dlc=%#02x state=%02x ecc=%02x rec=%02x tec=%02x\n",
++ msg->msg.rx.dlc, state, ecc, rxerr, txerr);
++
+ skb = alloc_can_err_skb(priv->netdev, &cf);
+ if (skb == NULL) {
+ stats->rx_dropped++;
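Review bot: The `dlc=%#02x` conversion in the new netdev_dbg() does not format like the other fields: with the `#` flag the `0x` prefix counts towards the width of 2, so the value is never zero-padded. Use `%#04x` if the prefix is wanted, or `%02x` to match `state`, `ecc`, `rec` and `tec`. The body of esd_usb2_rx_event() continues outside the hunk.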
+@@ -253,6 +257,8 @@ static void esd_usb2_rx_event(struct esd_usb2_net_priv *priv,
+ break;
+ default:
+ priv->can.state = CAN_STATE_ERROR_ACTIVE;
++ txerr = 0;
++ rxerr = 0;
+ break;
+ }
+ } else {
+--
+2.35.1
+
--- /dev/null
+From 35649cb024b5b55058585b50c19a2b89fbb0345b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 06:15:15 +0000
+Subject: dpaa2-switch: Fix memory leak in dpaa2_switch_acl_entry_add() and
+ dpaa2_switch_acl_entry_remove()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 4fad22a1281c500f15b172c9d261eff347ca634b ]
+
+The cmd_buff needs to be freed when error happened in
+dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove().
+
+Fixes: 1110318d83e8 ("dpaa2-switch: add tc flower hardware offload on ingress traffic")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Link: https://lore.kernel.org/r/20221205061515.115012-1-yuancan@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c
+index cacd454ac696..c39b866e2582 100644
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c
+@@ -132,6 +132,7 @@ int dpaa2_switch_acl_entry_add(struct dpaa2_switch_filter_block *filter_block,
+ DMA_TO_DEVICE);
+ if (unlikely(dma_mapping_error(dev, acl_entry_cfg->key_iova))) {
+ dev_err(dev, "DMA mapping failed\n");
++ kfree(cmd_buff);
+ return -EFAULT;
+ }
+
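Review bot: `kfree(cmd_buff)` is now repeated before each early `return`, here and in the second hunk of dpaa2_switch_acl_entry_add() as well as in both hunks of dpaa2_switch_acl_entry_remove(), so any exit path added later has to remember it too. A single unwind label at the end of each function, reached with `goto free_cmd_buff;` after setting `err`, would keep the free in one place. Both function bodies start and end outside the hunks, so where the label sits relative to the success-path free has to be checked against the full source.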
+@@ -142,6 +143,7 @@ int dpaa2_switch_acl_entry_add(struct dpaa2_switch_filter_block *filter_block,
+ DMA_TO_DEVICE);
+ if (err) {
+ dev_err(dev, "dpsw_acl_add_entry() failed %d\n", err);
++ kfree(cmd_buff);
+ return err;
+ }
+
+@@ -172,6 +174,7 @@ dpaa2_switch_acl_entry_remove(struct dpaa2_switch_filter_block *block,
+ DMA_TO_DEVICE);
+ if (unlikely(dma_mapping_error(dev, acl_entry_cfg->key_iova))) {
+ dev_err(dev, "DMA mapping failed\n");
++ kfree(cmd_buff);
+ return -EFAULT;
+ }
+
+@@ -182,6 +185,7 @@ dpaa2_switch_acl_entry_remove(struct dpaa2_switch_filter_block *block,
+ DMA_TO_DEVICE);
+ if (err) {
+ dev_err(dev, "dpsw_acl_remove_entry() failed %d\n", err);
++ kfree(cmd_buff);
+ return err;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From fa410bddfa2d422c2fad4a3f1b7bf07f348c5446 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 15:35:23 +0100
+Subject: drm: bridge: dw_hdmi: fix preference of RGB modes over YUV420
+
+From: Guillaume BRUN <the.cheaterman@gmail.com>
+
+[ Upstream commit d3d6b1bf85aefe0ebc0624574b3bb62f0693914c ]
+
+Cheap monitors sometimes advertise YUV modes they don't really have
+(HDMI specification mandates YUV support so even monitors without actual
+support will often wrongfully advertise it) which results in YUV matches
+and user forum complaints of a red tint to light colour display areas in
+common desktop environments.
+
+Moving the default RGB fall-back before YUV selection results in RGB
+mode matching in most cases, reducing complaints.
+
+Fixes: 6c3c719936da ("drm/bridge: synopsys: dw-hdmi: add bus format negociation")
+Signed-off-by: Guillaume BRUN <the.cheaterman@gmail.com>
+Tested-by: Christian Hewitt <christianshewitt@gmail.com>
+Reviewed-by: Robert Foss <robert.foss@linaro.org>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221116143523.2126-1-the.cheaterman@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/synopsys/dw-hdmi.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
+index d3129a3e6ab7..8bb403bc712a 100644
+--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
++++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
+@@ -2594,6 +2594,9 @@ static u32 *dw_hdmi_bridge_atomic_get_output_bus_fmts(struct drm_bridge *bridge,
+ * if supported. In any case the default RGB888 format is added
+ */
+
++ /* Default 8bit RGB fallback */
++ output_fmts[i++] = MEDIA_BUS_FMT_RGB888_1X24;
++
+ if (max_bpc >= 16 && info->bpc == 16) {
+ if (info->color_formats & DRM_COLOR_FORMAT_YCRCB444)
+ output_fmts[i++] = MEDIA_BUS_FMT_YUV16_1X48;
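Review bot: The comment `/* Default 8bit RGB fallback */` no longer describes the line it sits on. After the move, RGB888 is the first entry in `output_fmts`, and per the commit message that makes it the format matched in most cases rather than a last resort. I would reword it, for example `/* RGB888 first: some sinks advertise YUV modes they do not really support */`, and adjust the end of the block comment above ("In any case the default RGB888 format is added") to say it is added first. The function body starts and ends outside the hunk.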
+@@ -2627,9 +2630,6 @@ static u32 *dw_hdmi_bridge_atomic_get_output_bus_fmts(struct drm_bridge *bridge,
+ if (info->color_formats & DRM_COLOR_FORMAT_YCRCB444)
+ output_fmts[i++] = MEDIA_BUS_FMT_YUV8_1X24;
+
+- /* Default 8bit RGB fallback */
+- output_fmts[i++] = MEDIA_BUS_FMT_RGB888_1X24;
+-
+ *num_output_fmts = i;
+
+ return output_fmts;
+--
+2.35.1
+
--- /dev/null
+From 5110c887061db969f1bd1a2e30b017dff0521101 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 18:45:58 +0800
+Subject: drm/bridge: ti-sn65dsi86: Fix output polarity setting bug
+
+From: Qiqi Zhang <eddy.zhang@rock-chips.com>
+
+[ Upstream commit 8c115864501fc09932cdfec53d9ec1cde82b4a28 ]
+
+According to the description in ti-sn65dsi86's datasheet:
+
+CHA_HSYNC_POLARITY:
+0 = Active High Pulse. Synchronization signal is high for the sync
+pulse width. (default)
+1 = Active Low Pulse. Synchronization signal is low for the sync
+pulse width.
+
+CHA_VSYNC_POLARITY:
+0 = Active High Pulse. Synchronization signal is high for the sync
+pulse width. (Default)
+1 = Active Low Pulse. Synchronization signal is low for the sync
+pulse width.
+
+We should only set these bits when the polarity is negative.
+
+Fixes: a095f15c00e2 ("drm/bridge: add support for sn65dsi86 bridge driver")
+Signed-off-by: Qiqi Zhang <eddy.zhang@rock-chips.com>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Tested-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221125104558.84616-1-eddy.zhang@rock-chips.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/ti-sn65dsi86.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi86.c b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
+index 45a5f1e48f0e..bbedce0eedda 100644
+--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c
++++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
+@@ -920,9 +920,9 @@ static void ti_sn_bridge_set_video_timings(struct ti_sn65dsi86 *pdata)
+ &pdata->bridge.encoder->crtc->state->adjusted_mode;
+ u8 hsync_polarity = 0, vsync_polarity = 0;
+
+- if (mode->flags & DRM_MODE_FLAG_PHSYNC)
++ if (mode->flags & DRM_MODE_FLAG_NHSYNC)
+ hsync_polarity = CHA_HSYNC_POLARITY;
+- if (mode->flags & DRM_MODE_FLAG_PVSYNC)
++ if (mode->flags & DRM_MODE_FLAG_NVSYNC)
+ vsync_polarity = CHA_VSYNC_POLARITY;
+
+ ti_sn65dsi86_write_u16(pdata, SN_CHA_ACTIVE_LINE_LENGTH_LOW_REG,
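Review bot: Nothing in the code says that setting the polarity bits selects an active-low pulse, which is the fact the original tests had backwards. A comment above the two `if` statements would guard against a repeat, for example `/* CHA_HSYNC_POLARITY / CHA_VSYNC_POLARITY set = active-low sync pulse; 0 (default) = active high */`. The body of ti_sn_bridge_set_video_timings() continues outside the hunk.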
+--
+2.35.1
+
--- /dev/null
+From cc09de67144677047f74a7e82e2f9b261d0895c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 23:37:34 +0800
+Subject: drm/vmwgfx: Fix race issue calling pin_user_pages
+
+From: Dawei Li <set_pte_at@outlook.com>
+
+[ Upstream commit ed14d225cc7c842f6d4d5a3009f71a44f5852d09 ]
+
+pin_user_pages() is unsafe without protection of mmap_lock,
+fix it by calling pin_user_pages_fast().
+
+Fixes: 7a7a933edd6c ("drm/vmwgfx: Introduce VMware mks-guest-stats")
+Signed-off-by: Dawei Li <set_pte_at@outlook.com>
+Reviewed-by: Martin Krastev <krastevm@vmware.com>
+Signed-off-by: Zack Rusin <zackr@vmware.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/TYWP286MB23193621CB443E1E1959A00BCA3E9@TYWP286MB2319.JPNP286.PROD.OUTLOOK.COM
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_msg.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
+index 47eb3a50dd08..8d2437fa6894 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
+@@ -1085,21 +1085,21 @@ int vmw_mksstat_add_ioctl(struct drm_device *dev, void *data,
+ reset_ppn_array(pdesc->strsPPNs, ARRAY_SIZE(pdesc->strsPPNs));
+
+ /* Pin mksGuestStat user pages and store those in the instance descriptor */
+- nr_pinned_stat = pin_user_pages(arg->stat, num_pages_stat, FOLL_LONGTERM, pages_stat, NULL);
++ nr_pinned_stat = pin_user_pages_fast(arg->stat, num_pages_stat, FOLL_LONGTERM, pages_stat);
+ if (num_pages_stat != nr_pinned_stat)
+ goto err_pin_stat;
+
+ for (i = 0; i < num_pages_stat; ++i)
+ pdesc->statPPNs[i] = page_to_pfn(pages_stat[i]);
+
+- nr_pinned_info = pin_user_pages(arg->info, num_pages_info, FOLL_LONGTERM, pages_info, NULL);
++ nr_pinned_info = pin_user_pages_fast(arg->info, num_pages_info, FOLL_LONGTERM, pages_info);
+ if (num_pages_info != nr_pinned_info)
+ goto err_pin_info;
+
+ for (i = 0; i < num_pages_info; ++i)
+ pdesc->infoPPNs[i] = page_to_pfn(pages_info[i]);
+
+- nr_pinned_strs = pin_user_pages(arg->strs, num_pages_strs, FOLL_LONGTERM, pages_strs, NULL);
++ nr_pinned_strs = pin_user_pages_fast(arg->strs, num_pages_strs, FOLL_LONGTERM, pages_strs);
+ if (num_pages_strs != nr_pinned_strs)
+ goto err_pin_strs;
+
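Review bot: The three `pin_user_pages_fast()` results are only compared for inequality with the requested count, so a negative error return and a partial pin both jump to the same `err_pin_*` label. Those labels are outside the hunk; they need to unpin exactly the pages that were pinned and skip the unpin when the count is negative. Since `arg->stat`, `arg->info` and `arg->strs` are passed in as the user addresses to pin, it is also worth confirming that the `num_pages_*` values are bounded against the `pages_*` arrays before this point, which the hunk does not show.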
+--
+2.35.1
+
--- /dev/null
+From aba64d66dbe459bd26dd5985588b32292721861e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 22:00:00 +0900
+Subject: e1000e: Fix TX dispatch condition
+
+From: Akihiko Odaki <akihiko.odaki@daynix.com>
+
+[ Upstream commit eed913f6919e253f35d454b2f115f2a4db2b741a ]
+
+e1000_xmit_frame is expected to stop the queue and dispatch frames to
+hardware if there is not sufficient space for the next frame in the
+buffer, but sometimes it failed to do so because the estimated maximum
+size of frame was wrong. As the consequence, the later invocation of
+e1000_xmit_frame failed with NETDEV_TX_BUSY, and the frame in the buffer
+remained forever, resulting in a watchdog failure.
+
+This change fixes the estimated size by making it match with the
+condition for NETDEV_TX_BUSY. Apparently, the old estimation failed to
+account for the following lines which determines the space requirement
+for not causing NETDEV_TX_BUSY:
+ ```
+ /* reserve a descriptor for the offload context */
+ if ((mss) || (skb->ip_summed == CHECKSUM_PARTIAL))
+ count++;
+ count++;
+
+ count += DIV_ROUND_UP(len, adapter->tx_fifo_limit);
+ ```
+
+This issue was found when running http-stress02 test included in Linux
+Test Project 20220930 on QEMU with the following commandline:
+```
+qemu-system-x86_64 -M q35,accel=kvm -m 8G -smp 8
+ -drive if=virtio,format=raw,file=root.img,file.locking=on
+ -device e1000e,netdev=netdev
+ -netdev tap,script=ifup,downscript=no,id=netdev
+```
+
+Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)")
+Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+Tested-by: Gurucharan G <gurucharanx.g@intel.com> (A Contingent worker at Intel)
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
+index 407bbb4cc236..7e41ce188cc6 100644
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -5941,9 +5941,9 @@ static netdev_tx_t e1000_xmit_frame(struct sk_buff *skb,
+ e1000_tx_queue(tx_ring, tx_flags, count);
+ /* Make sure there is space in the ring for the next send. */
+ e1000_maybe_stop_tx(tx_ring,
+- (MAX_SKB_FRAGS *
++ ((MAX_SKB_FRAGS + 1) *
+ DIV_ROUND_UP(PAGE_SIZE,
+- adapter->tx_fifo_limit) + 2));
++ adapter->tx_fifo_limit) + 4));
+
+ if (!netdev_xmit_more() ||
+ netif_xmit_stopped(netdev_get_tx_queue(netdev, 0))) {
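Review bot: The new bound uses bare constants (`MAX_SKB_FRAGS + 1` and `+ 4`) whose justification exists only in the commit message, which says the estimate must match the descriptor count that decides NETDEV_TX_BUSY. A comment at this call, for example `/* worst case; must match the descriptor count used for the NETDEV_TX_BUSY check */`, or a small helper shared by both sites, would keep the two from drifting apart again. The body of e1000_xmit_frame() starts and ends outside the hunk.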
+--
+2.35.1
+
--- /dev/null
+From 34be629d35b7e1341994d771a1b4aece990d01ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Dec 2022 14:09:08 +0800
+Subject: ethernet: aeroflex: fix potential skb leak in greth_init_rings()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 063a932b64db3317ec020c94466fe52923a15f60 ]
+
+The greth_init_rings() function won't free the newly allocated skb when
+dma_mapping_error() returns error, so add dev_kfree_skb() to fix it.
+
+Compile tested only.
+
+Fixes: d4c41139df6e ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Link: https://lore.kernel.org/r/1670134149-29516-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/aeroflex/greth.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/aeroflex/greth.c b/drivers/net/ethernet/aeroflex/greth.c
+index c560ad06f0be..a95bac4e14f6 100644
+--- a/drivers/net/ethernet/aeroflex/greth.c
++++ b/drivers/net/ethernet/aeroflex/greth.c
+@@ -258,6 +258,7 @@ static int greth_init_rings(struct greth_private *greth)
+ if (dma_mapping_error(greth->dev, dma_addr)) {
+ if (netif_msg_ifup(greth))
+ dev_err(greth->dev, "Could not create initial DMA mapping\n");
++ dev_kfree_skb(skb);
+ goto cleanup;
+ }
+ greth->rx_skbuff[i] = skb;
+--
+2.35.1
+
--- /dev/null
+From 222dd9b037a36653801badbc0752fda038e86999 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 20:35:08 +0800
+Subject: gpio: amd8111: Fix PCI device reference count leak
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit 45fecdb9f658d9c82960c98240bc0770ade19aca ]
+
+for_each_pci_dev() is implemented by pci_get_device(). The comment of
+pci_get_device() says that it will increase the reference count for the
+returned pci_dev and also decrease the reference count for the input
+pci_dev @from if it is not NULL.
+
+If we break for_each_pci_dev() loop with pdev not NULL, we need to call
+pci_dev_put() to decrease the reference count. Add the missing
+pci_dev_put() after the 'out' label. Since pci_dev_put() can handle NULL
+input parameter, there is no problem for the 'Device not found' branch.
+For the normal path, add pci_dev_put() in amd_gpio_exit().
+
+Fixes: f942a7de047d ("gpio: add a driver for GPIO pins found on AMD-8111 south bridge chips")
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-amd8111.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpio/gpio-amd8111.c b/drivers/gpio/gpio-amd8111.c
+index 14e6b3e64add..6f3ded619c8b 100644
+--- a/drivers/gpio/gpio-amd8111.c
++++ b/drivers/gpio/gpio-amd8111.c
+@@ -226,7 +226,10 @@ static int __init amd_gpio_init(void)
+ ioport_unmap(gp.pm);
+ goto out;
+ }
++ return 0;
++
+ out:
++ pci_dev_put(pdev);
+ return err;
+ }
+
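Review bot: The added `return 0;` makes the success path keep the PCI device reference while every `goto out` drops it, but nothing at this spot says where the kept reference is released. A comment above `return 0;`, such as `/* success: reference kept, dropped in amd_gpio_exit() */`, would document the pairing with the `pci_dev_put(gp.pdev)` added in the second hunk. The assignment of `gp.pdev` is outside the hunk; if it happens before a step that can fail, `gp.pdev` is left pointing at a device whose reference has just been put, so it may be worth clearing it at `out:`.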
+@@ -234,6 +237,7 @@ static void __exit amd_gpio_exit(void)
+ {
+ gpiochip_remove(&gp.chip);
+ ioport_unmap(gp.pm);
++ pci_dev_put(gp.pdev);
+ }
+
+ module_init(amd_gpio_init);
+--
+2.35.1
+
--- /dev/null
+From 57b98656a8f7ab9caf6898ce30a4ab6c27bc5f63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 14:19:56 +0800
+Subject: gpio/rockchip: fix refcount leak in rockchip_gpiolib_register()
+
+From: Wang Yufen <wangyufen@huawei.com>
+
+[ Upstream commit 63ff545af73f759d1bd04198af8ed8577fb739fc ]
+
+The node returned by of_get_parent() with refcount incremented,
+of_node_put() needs be called when finish using it. So add it in the
+end of of_pinctrl_get().
+
+Fixes: 936ee2675eee ("gpio/rockchip: add driver for rockchip gpio")
+Signed-off-by: Wang Yufen <wangyufen@huawei.com>
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-rockchip.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpio/gpio-rockchip.c b/drivers/gpio/gpio-rockchip.c
+index d32928c1efe0..a197f698efeb 100644
+--- a/drivers/gpio/gpio-rockchip.c
++++ b/drivers/gpio/gpio-rockchip.c
+@@ -605,6 +605,7 @@ static int rockchip_gpiolib_register(struct rockchip_pin_bank *bank)
+ return -ENODATA;
+
+ pctldev = of_pinctrl_get(pctlnp);
++ of_node_put(pctlnp);
+ if (!pctldev)
+ return -ENODEV;
+
+--
+2.35.1
+
--- /dev/null
+From 41304b9a6babb076aea3507da2bf2210e7dbab68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Dec 2021 14:40:34 +0100
+Subject: gpiolib: check the 'ngpios' property in core gpiolib code
+
+From: Bartosz Golaszewski <brgl@bgdev.pl>
+
+[ Upstream commit 9dbd1ab20509e85cd3fac9479a00c59e83c08196 ]
+
+Several drivers read the 'ngpios' device property on their own, but
+since it's defined as a standard GPIO property in the device tree bindings
+anyway, it's a good candidate for generalization. If the driver didn't
+set its gc->ngpio, try to read the 'ngpios' property from the GPIO
+device's firmware node before bailing out.
+
+Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
+Suggested-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Stable-dep-of: ec851b23084b ("gpiolib: fix memory leak in gpiochip_setup_dev()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
+index a87c4cd94f7a..b7b5fe151e1a 100644
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -599,6 +599,7 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,
+ int base = gc->base;
+ unsigned int i;
+ int ret = 0;
++ u32 ngpios;
+
+ /*
+ * First: allocate and populate the internal stat container, and
+@@ -646,6 +647,26 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,
+ goto err_free_dev_name;
+ }
+
++ /*
++ * Try the device properties if the driver didn't supply the number
++ * of GPIO lines.
++ */
++ if (gc->ngpio == 0) {
++ ret = device_property_read_u32(&gdev->dev, "ngpios", &ngpios);
++ if (ret == -ENODATA)
++ /*
++ * -ENODATA means that there is no property found and
++ * we want to issue the error message to the user.
++ * Besides that, we want to return different error code
++ * to state that supplied value is not valid.
++ */
++ ngpios = 0;
++ else if (ret)
++ goto err_free_descs;
++
++ gc->ngpio = ngpios;
++ }
++
+ if (gc->ngpio == 0) {
+ chip_err(gc, "tried to insert a GPIO chip with zero lines\n");
+ ret = -EINVAL;
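Review bot: The u32 read from the "ngpios" firmware property is stored with `gc->ngpio = ngpios;` and no range check in the added block. The declaration of `ngpio` is not in this hunk; if the field is narrower than 32 bits, a larger firmware value is silently truncated and only a result of exactly zero is caught by the check that follows. I would reject an out-of-range value before the assignment, e.g. `if (ngpios > U16_MAX) { ret = -EINVAL; goto err_free_descs; }` if the field is 16 bits wide. Separately, the error path jumps to `err_free_descs`, so the descriptor array appears to be allocated before this block using the pre-property count; the follow-up "fix memory leak in gpiochip_setup_dev()" patch in this queue moves that allocation below, so the two should be applied together. gpiochip_add_data_with_key() starts and ends outside the hunk.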
+--
+2.35.1
+
--- /dev/null
+From 4d949331f4eaa84b672775178b68392d96394a1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 22:07:57 +0100
+Subject: gpiolib: fix memory leak in gpiochip_setup_dev()
+
+From: Zeng Heng <zengheng4@huawei.com>
+
+[ Upstream commit ec851b23084b3a0af8bf0f5e51d33a8d678bdc49 ]
+
+Here is a backtrace report about memory leak detected in
+gpiochip_setup_dev():
+
+unreferenced object 0xffff88810b406400 (size 512):
+ comm "python3", pid 1682, jiffies 4295346908 (age 24.090s)
+ backtrace:
+ kmalloc_trace
+ device_add device_private_init at drivers/base/core.c:3361
+ (inlined by) device_add at drivers/base/core.c:3411
+ cdev_device_add
+ gpiolib_cdev_register
+ gpiochip_setup_dev
+ gpiochip_add_data_with_key
+
+gcdev_register() & gcdev_unregister() would call device_add() &
+device_del() (no matter CONFIG_GPIO_CDEV is enabled or not) to
+register/unregister device.
+
+However, if device_add() succeeds, some resource (like
+struct device_private allocated by device_private_init())
+is not released by device_del().
+
+Therefore, after device_add() succeeds by gcdev_register(), it
+needs to call put_device() to release resource in the error handle
+path.
+
+Here we move forward the register of release function, and let it
+release every piece of resource by put_device() instead of kfree().
+
+While at it, fix another subtle issue, i.e. when gc->ngpio is equal
+to 0, we still call kcalloc() and, in case of further error, kfree()
+on the ZERO_PTR pointer, which is not NULL. It's not a bug per se,
+but rather waste of the resources and potentially wrong expectation
+about contents of the gdev->descs variable.
+
+Fixes: 159f3cd92f17 ("gpiolib: Defer gpio device setup until after gpiolib initialization")
+Signed-off-by: Zeng Heng <zengheng4@huawei.com>
+Co-developed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib.c | 42 ++++++++++++++++++++++++++----------------
+ 1 file changed, 26 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
+index b7b5fe151e1a..67bc96403a4e 100644
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -525,12 +525,13 @@ static int gpiochip_setup_dev(struct gpio_device *gdev)
+ if (ret)
+ return ret;
+
++ /* From this point, the .release() function cleans up gpio_device */
++ gdev->dev.release = gpiodevice_release;
++
+ ret = gpiochip_sysfs_register(gdev);
+ if (ret)
+ goto err_remove_device;
+
+- /* From this point, the .release() function cleans up gpio_device */
+- gdev->dev.release = gpiodevice_release;
+ dev_dbg(&gdev->dev, "registered GPIOs %d to %d on %s\n", gdev->base,
+ gdev->base + gdev->ngpio - 1, gdev->chip->label ? : "generic");
+
+@@ -596,10 +597,10 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,
+ struct fwnode_handle *fwnode = gc->parent ? dev_fwnode(gc->parent) : NULL;
+ struct gpio_device *gdev;
+ unsigned long flags;
+- int base = gc->base;
+ unsigned int i;
++ u32 ngpios = 0;
++ int base = 0;
+ int ret = 0;
+- u32 ngpios;
+
+ /*
+ * First: allocate and populate the internal stat container, and
+@@ -641,17 +642,12 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,
+ else
+ gdev->owner = THIS_MODULE;
+
+- gdev->descs = kcalloc(gc->ngpio, sizeof(gdev->descs[0]), GFP_KERNEL);
+- if (!gdev->descs) {
+- ret = -ENOMEM;
+- goto err_free_dev_name;
+- }
+-
+ /*
+ * Try the device properties if the driver didn't supply the number
+ * of GPIO lines.
+ */
+- if (gc->ngpio == 0) {
++ ngpios = gc->ngpio;
++ if (ngpios == 0) {
+ ret = device_property_read_u32(&gdev->dev, "ngpios", &ngpios);
+ if (ret == -ENODATA)
+ /*
+@@ -662,7 +658,7 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,
+ */
+ ngpios = 0;
+ else if (ret)
+- goto err_free_descs;
++ goto err_free_dev_name;
+
+ gc->ngpio = ngpios;
+ }
+@@ -670,13 +666,19 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,
+ if (gc->ngpio == 0) {
+ chip_err(gc, "tried to insert a GPIO chip with zero lines\n");
+ ret = -EINVAL;
+- goto err_free_descs;
++ goto err_free_dev_name;
+ }
+
+ if (gc->ngpio > FASTPATH_NGPIO)
+ chip_warn(gc, "line cnt %u is greater than fast path cnt %u\n",
+ gc->ngpio, FASTPATH_NGPIO);
+
++ gdev->descs = kcalloc(gc->ngpio, sizeof(*gdev->descs), GFP_KERNEL);
++ if (!gdev->descs) {
++ ret = -ENOMEM;
++ goto err_free_dev_name;
++ }
++
+ gdev->label = kstrdup_const(gc->label ?: "unknown", GFP_KERNEL);
+ if (!gdev->label) {
+ ret = -ENOMEM;
+@@ -695,11 +697,13 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,
+ * it may be a pipe dream. It will not happen before we get rid
+ * of the sysfs interface anyways.
+ */
++ base = gc->base;
+ if (base < 0) {
+ base = gpiochip_find_base(gc->ngpio);
+ if (base < 0) {
+- ret = base;
+ spin_unlock_irqrestore(&gpio_lock, flags);
++ ret = base;
++ base = 0;
+ goto err_free_label;
+ }
+ /*
+@@ -807,6 +811,11 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,
+ err_free_gpiochip_mask:
+ gpiochip_remove_pin_ranges(gc);
+ gpiochip_free_valid_mask(gc);
++ if (gdev->dev.release) {
++ /* release() has been registered by gpiochip_setup_dev() */
++ put_device(&gdev->dev);
++ goto err_print_message;
++ }
+ err_remove_from_list:
+ spin_lock_irqsave(&gpio_lock, flags);
+ list_del(&gdev->list);
+@@ -820,13 +829,14 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,
+ err_free_ida:
+ ida_free(&gpio_ida, gdev->id);
+ err_free_gdev:
++ kfree(gdev);
++err_print_message:
+ /* failures here can mean systems won't boot... */
+ if (ret != -EPROBE_DEFER) {
+ pr_err("%s: GPIOs %d..%d (%s) failed to register, %d\n", __func__,
+- gdev->base, gdev->base + gdev->ngpio - 1,
++ base, base + (int)ngpios - 1,
+ gc->label ? : "generic", ret);
+ }
+- kfree(gdev);
+ return ret;
+ }
+ EXPORT_SYMBOL_GPL(gpiochip_add_data_with_key);
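Review bot: The `pr_err()` in this last hunk now prints the locals `base` and `ngpios` instead of `gdev->base` and `gdev->ngpio`, but nothing in the code says why, so a later cleanup could switch back to the fields. With `kfree(gdev)` moved above `err_print_message`, and the `put_device(&gdev->dev)` branch added under `err_free_gpiochip_mask` presumably freeing gdev through the release callback, gdev must not be touched at this point. I would add a comment above the `pr_err()` such as `/* gdev may already be freed here; use the local copies only */`. For failures that occur before `ngpios = gc->ngpio` is reached, the message prints the range `0..-1`, which is worth documenting or special-casing. The function starts outside this hunk.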
+--
+2.35.1
+
--- /dev/null
+From de28cd86de6a38169dde87aad97557512fdc632a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Dec 2021 14:40:33 +0100
+Subject: gpiolib: improve coding style for local variables
+
+From: Bartosz Golaszewski <brgl@bgdev.pl>
+
+[ Upstream commit e5ab49cd3d6937b1818b80cb5eb09dc018ae0718 ]
+
+Drop unneeded whitespaces and put the variables of the same type
+together for consistency with the rest of the code.
+
+Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Stable-dep-of: ec851b23084b ("gpiolib: fix memory leak in gpiochip_setup_dev()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
+index 320baed949ee..a87c4cd94f7a 100644
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -594,11 +594,11 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,
+ struct lock_class_key *request_key)
+ {
+ struct fwnode_handle *fwnode = gc->parent ? dev_fwnode(gc->parent) : NULL;
+- unsigned long flags;
+- int ret = 0;
+- unsigned i;
+- int base = gc->base;
+ struct gpio_device *gdev;
++ unsigned long flags;
++ int base = gc->base;
++ unsigned int i;
++ int ret = 0;
+
+ /*
+ * First: allocate and populate the internal stat container, and
+--
+2.35.1
+
--- /dev/null
+From 725c3e6b4e265621b97156f94c201ef53941c59d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 09:49:25 +0100
+Subject: i40e: Disallow ip4 and ip6 l4_4_bytes
+
+From: Przemyslaw Patynowski <przemyslawx.patynowski@intel.com>
+
+[ Upstream commit d64aaf3f7869f915fd120763d75f11d6b116424d ]
+
+Return -EOPNOTSUPP, when user requests l4_4_bytes for raw IP4 or
+IP6 flow director filters. Flow director does not support filtering
+on l4 bytes for PCTYPEs used by IP4 and IP6 filters.
+Without this patch, user could create filters with l4_4_bytes fields,
+which did not do any filtering on L4, but only on L3 fields.
+
+Fixes: 36777d9fa24c ("i40e: check current configured input set when adding ntuple filters")
+Signed-off-by: Przemyslaw Patynowski <przemyslawx.patynowski@intel.com>
+Signed-off-by: Kamil Maziarz <kamil.maziarz@intel.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Gurucharan G <gurucharanx.g@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+index 4e3243287805..813889604ff8 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+@@ -4364,11 +4364,7 @@ static int i40e_check_fdir_input_set(struct i40e_vsi *vsi,
+ return -EOPNOTSUPP;
+
+ /* First 4 bytes of L4 header */
+- if (usr_ip4_spec->l4_4_bytes == htonl(0xFFFFFFFF))
+- new_mask |= I40E_L4_SRC_MASK | I40E_L4_DST_MASK;
+- else if (!usr_ip4_spec->l4_4_bytes)
+- new_mask &= ~(I40E_L4_SRC_MASK | I40E_L4_DST_MASK);
+- else
++ if (usr_ip4_spec->l4_4_bytes)
+ return -EOPNOTSUPP;
+
+ /* Filtering on Type of Service is not supported. */
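Review bot: The retained comment `/* First 4 bytes of L4 header */` no longer describes the code beneath it, which after this change only rejects a non-zero `l4_4_bytes`. I would reword it to match the neighbouring comments, e.g. `/* Filtering on the first 4 bytes of the L4 header is not supported. */`, and add the same line above the `usr_ip6_spec->l4_4_bytes` check in the second hunk, which has no comment. It may also be worth confirming that `new_mask` cannot still carry `I40E_L4_SRC_MASK | I40E_L4_DST_MASK` from an earlier configuration now that the clearing branch is gone; where `new_mask` is initialised is outside both hunks.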
+@@ -4407,11 +4403,7 @@ static int i40e_check_fdir_input_set(struct i40e_vsi *vsi,
+ else
+ return -EOPNOTSUPP;
+
+- if (usr_ip6_spec->l4_4_bytes == htonl(0xFFFFFFFF))
+- new_mask |= I40E_L4_SRC_MASK | I40E_L4_DST_MASK;
+- else if (!usr_ip6_spec->l4_4_bytes)
+- new_mask &= ~(I40E_L4_SRC_MASK | I40E_L4_DST_MASK);
+- else
++ if (usr_ip6_spec->l4_4_bytes)
+ return -EOPNOTSUPP;
+
+ /* Filtering on Traffic class is not supported. */
+--
+2.35.1
+
--- /dev/null
+From f922148de325b2f3d7ebed08dfd06b0ce734fb95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Oct 2022 13:00:28 +0100
+Subject: i40e: Fix for VF MAC address 0
+
+From: Sylwester Dziedziuch <sylwesterx.dziedziuch@intel.com>
+
+[ Upstream commit 08501970472077ed5de346ad89943a37d1692e9b ]
+
+After spawning max VFs on a PF, some VFs were not getting resources and
+their MAC addresses were 0. This was caused by PF sleeping before flushing
+HW registers which caused VIRTCHNL_VFR_VFACTIVE to not be set in time for
+VF.
+
+Fix by adding a sleep after hw flush.
+
+Fixes: e4b433f4a741 ("i40e: reset all VFs in parallel when rebuilding PF")
+Signed-off-by: Sylwester Dziedziuch <sylwesterx.dziedziuch@intel.com>
+Signed-off-by: Jan Sokolowski <jan.sokolowski@intel.com>
+Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+index 8f350792e823..7aedf20a1021 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -1578,6 +1578,7 @@ bool i40e_reset_vf(struct i40e_vf *vf, bool flr)
+ i40e_cleanup_reset_vf(vf);
+
+ i40e_flush(hw);
++ usleep_range(20000, 40000);
+ clear_bit(I40E_VF_STATE_RESETTING, &vf->vf_states);
+
+ return true;
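Review bot: The added `usleep_range(20000, 40000)` after `i40e_flush(hw)` has no comment and uses bare numbers, here and in the identical line added to i40e_reset_all_vfs() in the next hunk. The reason is only in the commit message (VIRTCHNL_VFR_VFACTIVE not being set in time for the VF), so a reader of the code sees an unexplained 20-40 ms stall in the reset path. I would add a comment such as `/* let the flushed VF state settle before the resetting flag is cleared */` and, if the interval comes from a datasheet or measurement, give it a named constant. Both functions start outside their hunks, so whether a register poll could replace the fixed delay cannot be judged from here.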
+@@ -1701,6 +1702,7 @@ bool i40e_reset_all_vfs(struct i40e_pf *pf, bool flr)
+ }
+
+ i40e_flush(hw);
++ usleep_range(20000, 40000);
+ clear_bit(__I40E_VF_DISABLE, pf->state);
+
+ return true;
+--
+2.35.1
+
--- /dev/null
+From 737b4edebce6e91c8c0754a1953ff55bd1a23027 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 10:19:42 +0200
+Subject: i40e: Fix not setting default xps_cpus after reset
+
+From: Michal Jaron <michalx.jaron@intel.com>
+
+[ Upstream commit 82e0572b23029b380464fa9fdc125db9c1506d0a ]
+
+During tx rings configuration default XPS queue config is set and
+__I40E_TX_XPS_INIT_DONE is locked. __I40E_TX_XPS_INIT_DONE state is
+cleared and set again with default mapping only during queues build,
+it means after first setup or reset with queues rebuild. (i.e.
+ethtool -L <interface> combined <number>) After other resets (i.e.
+ethtool -t <interface>) XPS_INIT_DONE is not cleared and those default
+maps cannot be set again. It results in cleared xps_cpus mapping
+until queues are not rebuild or mapping is not set by user.
+
+Add clearing __I40E_TX_XPS_INIT_DONE state during reset to let
+the driver set xps_cpus to defaults again after it was cleared.
+
+Fixes: 6f853d4f8e93 ("i40e: allow XPS with QoS enabled")
+Signed-off-by: Michal Jaron <michalx.jaron@intel.com>
+Signed-off-by: Kamil Maziarz <kamil.maziarz@intel.com>
+Tested-by: Gurucharan <gurucharanx.g@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 19b5c5677584..ed2c961902b6 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -10519,6 +10519,21 @@ static int i40e_rebuild_channels(struct i40e_vsi *vsi)
+ return 0;
+ }
+
++/**
++ * i40e_clean_xps_state - clean xps state for every tx_ring
++ * @vsi: ptr to the VSI
++ **/
++static void i40e_clean_xps_state(struct i40e_vsi *vsi)
++{
++ int i;
++
++ if (vsi->tx_rings)
++ for (i = 0; i < vsi->num_queue_pairs; i++)
++ if (vsi->tx_rings[i])
++ clear_bit(__I40E_TX_XPS_INIT_DONE,
++ vsi->tx_rings[i]->state);
++}
++
+ /**
+ * i40e_prep_for_reset - prep for the core to reset
+ * @pf: board private structure
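Review bot: The body of i40e_clean_xps_state() nests `if`/`for`/`if` three deep with no braces, which is easy to misread and easy to break when a statement is added later. A guard clause for the missing `tx_rings` array and braces around the multi-line loop body keep the behaviour and make the scope of each statement explicit. The kernel-doc header could also say when the function is meant to be called (from i40e_prep_for_reset(), per the second hunk), since clearing `__I40E_TX_XPS_INIT_DONE` at another time would change when the default XPS map is reapplied.

```c
static void i40e_clean_xps_state(struct i40e_vsi *vsi)
{
	int i;

	if (!vsi->tx_rings)
		return;

	for (i = 0; i < vsi->num_queue_pairs; i++) {
		if (vsi->tx_rings[i])
			clear_bit(__I40E_TX_XPS_INIT_DONE,
				  vsi->tx_rings[i]->state);
	}
}
```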
+@@ -10543,8 +10558,10 @@ static void i40e_prep_for_reset(struct i40e_pf *pf)
+ i40e_pf_quiesce_all_vsi(pf);
+
+ for (v = 0; v < pf->num_alloc_vsi; v++) {
+- if (pf->vsi[v])
++ if (pf->vsi[v]) {
++ i40e_clean_xps_state(pf->vsi[v]);
+ pf->vsi[v]->seid = 0;
++ }
+ }
+
+ i40e_shutdown_adminq(&pf->hw);
+--
+2.35.1
+
--- /dev/null
+From e1a74c927833db9ee0c924f229eb9eb86c2cc5de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Nov 2022 15:50:46 +0800
+Subject: ieee802154: cc2520: Fix error return code in cc2520_hw_init()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit 4d002d6a2a00ac1c433899bd7625c6400a74cfba ]
+
+In cc2520_hw_init(), if oscillator start failed, the error code
+should be returned.
+
+Fixes: 0da6bc8cc341 ("ieee802154: cc2520: adds driver for TI CC2520 radio")
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Link: https://lore.kernel.org/r/20221120075046.2213633-1-william.xuanziyang@huawei.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/cc2520.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ieee802154/cc2520.c b/drivers/net/ieee802154/cc2520.c
+index 4517517215f2..a8369bfa4050 100644
+--- a/drivers/net/ieee802154/cc2520.c
++++ b/drivers/net/ieee802154/cc2520.c
+@@ -970,7 +970,7 @@ static int cc2520_hw_init(struct cc2520_private *priv)
+
+ if (timeout-- <= 0) {
+ dev_err(&priv->spi->dev, "oscillator start failed!\n");
+- return ret;
++ return -ETIMEDOUT;
+ }
+ udelay(1);
+ } while (!(status & CC2520_STATUS_XOSC32M_STABLE));
+--
+2.35.1
+
--- /dev/null
+From ce8adb9b05919201342fc9818b60fe4e8e4397f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 22:30:31 +0900
+Subject: igb: Allocate MSI-X vector when testing
+
+From: Akihiko Odaki <akihiko.odaki@daynix.com>
+
+[ Upstream commit 28e96556baca7056d11d9fb3cdd0aba4483e00d8 ]
+
+Without this change, the interrupt test fail with MSI-X environment:
+
+$ sudo ethtool -t enp0s2 offline
+[ 43.921783] igb 0000:00:02.0: offline testing starting
+[ 44.855824] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Down
+[ 44.961249] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
+[ 51.272202] igb 0000:00:02.0: testing shared interrupt
+[ 56.996975] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
+The test result is FAIL
+The test extra info:
+Register test (offline) 0
+Eeprom test (offline) 0
+Interrupt test (offline) 4
+Loopback test (offline) 0
+Link test (on/offline) 0
+
+Here, "4" means an expected interrupt was not delivered.
+
+To fix this, route IRQs correctly to the first MSI-X vector by setting
+IVAR_MISC. Also, set bit 0 of EIMS so that the vector will not be
+masked. The interrupt test now runs properly with this change:
+
+$ sudo ethtool -t enp0s2 offline
+[ 42.762985] igb 0000:00:02.0: offline testing starting
+[ 50.141967] igb 0000:00:02.0: testing shared interrupt
+[ 56.163957] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
+The test result is PASS
+The test extra info:
+Register test (offline) 0
+Eeprom test (offline) 0
+Interrupt test (offline) 0
+Loopback test (offline) 0
+Link test (on/offline) 0
+
+Fixes: 4eefa8f01314 ("igb: add single vector msi-x testing to interrupt test")
+Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Tested-by: Gurucharan G <gurucharanx.g@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_ethtool.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_ethtool.c b/drivers/net/ethernet/intel/igb/igb_ethtool.c
+index 3cbb5a89b336..e99e6e44b525 100644
+--- a/drivers/net/ethernet/intel/igb/igb_ethtool.c
++++ b/drivers/net/ethernet/intel/igb/igb_ethtool.c
+@@ -1409,6 +1409,8 @@ static int igb_intr_test(struct igb_adapter *adapter, u64 *data)
+ *data = 1;
+ return -1;
+ }
++ wr32(E1000_IVAR_MISC, E1000_IVAR_VALID << 8);
++ wr32(E1000_EIMS, BIT(0));
+ } else if (adapter->flags & IGB_FLAG_HAS_MSI) {
+ shared_int = false;
+ if (request_irq(irq,
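Review bot: The two added register writes carry no explanation of their constants; `E1000_IVAR_VALID << 8` and `BIT(0)` are only understandable with the commit message at hand. A comment such as `/* route the test interrupt to MSI-X vector 0 and unmask that vector */` above them would make the intent readable in place. The first write also replaces the whole of IVAR_MISC rather than modifying it, and nothing in the hunk restores the previous value; presumably the reset after the offline test reprograms it, which is worth confirming. It is likewise worth confirming that every MAC type that can reach this MSI-X branch implements IVAR_MISC. igb_intr_test() starts and ends outside the hunk.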
+--
+2.35.1
+
--- /dev/null
+From d8d2d9d22faf58b85e529b374c22e20f7a765ade Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Dec 2022 01:38:32 -0800
+Subject: io_uring: Fix a null-ptr-deref in io_tctx_exit_cb()
+
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+
+[ Upstream commit 998b30c3948e4d0b1097e639918c5cff332acac5 ]
+
+Syzkaller reports a NULL deref bug as follows:
+
+ BUG: KASAN: null-ptr-deref in io_tctx_exit_cb+0x53/0xd3
+ Read of size 4 at addr 0000000000000138 by task file1/1955
+
+ CPU: 1 PID: 1955 Comm: file1 Not tainted 6.1.0-rc7-00103-gef4d3ea40565 #75
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0xcd/0x134
+ ? io_tctx_exit_cb+0x53/0xd3
+ kasan_report+0xbb/0x1f0
+ ? io_tctx_exit_cb+0x53/0xd3
+ kasan_check_range+0x140/0x190
+ io_tctx_exit_cb+0x53/0xd3
+ task_work_run+0x164/0x250
+ ? task_work_cancel+0x30/0x30
+ get_signal+0x1c3/0x2440
+ ? lock_downgrade+0x6e0/0x6e0
+ ? lock_downgrade+0x6e0/0x6e0
+ ? exit_signals+0x8b0/0x8b0
+ ? do_raw_read_unlock+0x3b/0x70
+ ? do_raw_spin_unlock+0x50/0x230
+ arch_do_signal_or_restart+0x82/0x2470
+ ? kmem_cache_free+0x260/0x4b0
+ ? putname+0xfe/0x140
+ ? get_sigframe_size+0x10/0x10
+ ? do_execveat_common.isra.0+0x226/0x710
+ ? lockdep_hardirqs_on+0x79/0x100
+ ? putname+0xfe/0x140
+ ? do_execveat_common.isra.0+0x238/0x710
+ exit_to_user_mode_prepare+0x15f/0x250
+ syscall_exit_to_user_mode+0x19/0x50
+ do_syscall_64+0x42/0xb0
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ RIP: 0023:0x0
+ Code: Unable to access opcode bytes at 0xffffffffffffffd6.
+ RSP: 002b:00000000fffb7790 EFLAGS: 00000200 ORIG_RAX: 000000000000000b
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+ RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+ R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+ </TASK>
+ Kernel panic - not syncing: panic_on_warn set ...
+
+This happens because the adding of task_work from io_ring_exit_work()
+isn't synchronized with canceling all work items from eg exec. The
+execution of the two are ordered in that they are both run by the task
+itself, but if io_tctx_exit_cb() is queued while we're canceling all
+work items off exec AND gets executed when the task exits to userspace
+rather than in the main loop in io_uring_cancel_generic(), then we can
+find current->io_uring == NULL and hit the above crash.
+
+It's safe to add this NULL check here, because the execution of the two
+paths are done by the task itself.
+
+Cc: stable@vger.kernel.org
+Fixes: d56d938b4bef ("io_uring: do ctx initiated file note removal")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Link: https://lore.kernel.org/r/20221206093833.3812138-1-harshit.m.mogalapalli@oracle.com
+[axboe: add code comment and also put an explanation in the commit msg]
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ io_uring/io_uring.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
+index 1279b5c5c959..eebbe8a6da0c 100644
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -9467,8 +9467,10 @@ static void io_tctx_exit_cb(struct callback_head *cb)
+ /*
+ * When @in_idle, we're in cancellation and it's racy to remove the
+ * node. It'll be removed by the end of cancellation, just ignore it.
++ * tctx can be NULL if the queueing of this task_work raced with
++ * work cancelation off the exec path.
+ */
+- if (!atomic_read(&tctx->in_idle))
++ if (tctx && !atomic_read(&tctx->in_idle))
+ io_uring_del_tctx_node((unsigned long)work->ctx);
+ complete(&work->completion);
+ }
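Review bot: The added comment lines say when `tctx` can be NULL but not why a plain NULL test is sufficient, which is the part a later reader will question. The commit message gives the reason (the cancel path and this callback are both run by the task itself), so I would carry it into the comment, e.g. `* Both run in the task's own context, so no further synchronisation is needed.` The statement that loads `tctx` is above the hunk, so it is assumed rather than visible that `tctx->in_idle` is the only dereference the check has to cover.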
+--
+2.35.1
+
--- /dev/null
+From 9e36099973ee7337495177555c2f0e4650e9cf6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 May 2022 17:05:03 -0600
+Subject: io_uring: move to separate directory
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit ed29b0b4fd835b058ddd151c49d021e28d631ee6 ]
+
+In preparation for splitting io_uring up a bit, move it into its own
+top level directory. It didn't really belong in fs/ anyway, as it's
+not a file system only API.
+
+This adds io_uring/ and moves the core files in there, and updates the
+MAINTAINERS file for the new location.
+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: 998b30c3948e ("io_uring: Fix a null-ptr-deref in io_tctx_exit_cb()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ MAINTAINERS | 7 +------
+ Makefile | 1 +
+ fs/Makefile | 2 --
+ io_uring/Makefile | 6 ++++++
+ {fs => io_uring}/io-wq.c | 0
+ {fs => io_uring}/io-wq.h | 0
+ {fs => io_uring}/io_uring.c | 2 +-
+ kernel/sched/core.c | 2 +-
+ 8 files changed, 10 insertions(+), 10 deletions(-)
+ create mode 100644 io_uring/Makefile
+ rename {fs => io_uring}/io-wq.c (100%)
+ rename {fs => io_uring}/io-wq.h (100%)
+ rename {fs => io_uring}/io_uring.c (99%)
+
+diff --git a/MAINTAINERS b/MAINTAINERS
+index edc32575828b..1cf05aee91af 100644
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -7244,9 +7244,6 @@ F: include/linux/fs.h
+ F: include/linux/fs_types.h
+ F: include/uapi/linux/fs.h
+ F: include/uapi/linux/openat2.h
+-X: fs/io-wq.c
+-X: fs/io-wq.h
+-X: fs/io_uring.c
+
+ FINTEK F75375S HARDWARE MONITOR AND FAN CONTROLLER DRIVER
+ M: Riku Voipio <riku.voipio@iki.fi>
+@@ -9818,9 +9815,7 @@ L: io-uring@vger.kernel.org
+ S: Maintained
+ T: git git://git.kernel.dk/linux-block
+ T: git git://git.kernel.dk/liburing
+-F: fs/io-wq.c
+-F: fs/io-wq.h
+-F: fs/io_uring.c
++F: io_uring/
+ F: include/linux/io_uring.h
+ F: include/uapi/linux/io_uring.h
+ F: tools/io_uring/
+diff --git a/Makefile b/Makefile
+index 0acea54c2ffd..e6570933dcfa 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1152,6 +1152,7 @@ export MODULES_NSDEPS := $(extmod_prefix)modules.nsdeps
+ ifeq ($(KBUILD_EXTMOD),)
+ core-y += kernel/ certs/ mm/ fs/ ipc/ security/ crypto/
+ core-$(CONFIG_BLOCK) += block/
++core-$(CONFIG_IO_URING) += io_uring/
+
+ vmlinux-dirs := $(patsubst %/,%,$(filter %/, \
+ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
+diff --git a/fs/Makefile b/fs/Makefile
+index 84c5e4cdfee5..d504be65a210 100644
+--- a/fs/Makefile
++++ b/fs/Makefile
+@@ -32,8 +32,6 @@ obj-$(CONFIG_TIMERFD) += timerfd.o
+ obj-$(CONFIG_EVENTFD) += eventfd.o
+ obj-$(CONFIG_USERFAULTFD) += userfaultfd.o
+ obj-$(CONFIG_AIO) += aio.o
+-obj-$(CONFIG_IO_URING) += io_uring.o
+-obj-$(CONFIG_IO_WQ) += io-wq.o
+ obj-$(CONFIG_FS_DAX) += dax.o
+ obj-$(CONFIG_FS_ENCRYPTION) += crypto/
+ obj-$(CONFIG_FS_VERITY) += verity/
+diff --git a/io_uring/Makefile b/io_uring/Makefile
+new file mode 100644
+index 000000000000..3680425df947
+--- /dev/null
++++ b/io_uring/Makefile
+@@ -0,0 +1,6 @@
++# SPDX-License-Identifier: GPL-2.0
++#
++# Makefile for io_uring
++
++obj-$(CONFIG_IO_URING) += io_uring.o
++obj-$(CONFIG_IO_WQ) += io-wq.o
+diff --git a/fs/io-wq.c b/io_uring/io-wq.c
+similarity index 100%
+rename from fs/io-wq.c
+rename to io_uring/io-wq.c
+diff --git a/fs/io-wq.h b/io_uring/io-wq.h
+similarity index 100%
+rename from fs/io-wq.h
+rename to io_uring/io-wq.h
+diff --git a/fs/io_uring.c b/io_uring/io_uring.c
+similarity index 99%
+rename from fs/io_uring.c
+rename to io_uring/io_uring.c
+index c2fdde6fdda3..1279b5c5c959 100644
+--- a/fs/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -85,7 +85,7 @@
+
+ #include <uapi/linux/io_uring.h>
+
+-#include "internal.h"
++#include "../fs/internal.h"
+ #include "io-wq.h"
+
+ #define IORING_MAX_ENTRIES 32768
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 85be684687b0..bb684fe1b96e 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -21,7 +21,7 @@
+ #include <asm/tlb.h>
+
+ #include "../workqueue_internal.h"
+-#include "../../fs/io-wq.h"
++#include "../../io_uring/io-wq.h"
+ #include "../smpboot.h"
+
+ #include "pelt.h"
+--
+2.35.1
+
--- /dev/null
+From 28c23032e3100e9f9fe0b6c627f88b5bf7f502c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Dec 2022 11:28:58 +0800
+Subject: ip_gre: do not report erspan version on GRE interface
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit ee496694b9eea651ae1aa4c4667d886cdf74aa3b ]
+
+Although the type I ERSPAN is based on the barebones IP + GRE
+encapsulation and no extra ERSPAN header. Report erspan version on GRE
+interface looks unreasonable. Fix this by separating the erspan and gre
+fill info.
+
+IPv6 GRE does not have this info as IPv6 only supports erspan version
+1 and 2.
+
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Fixes: f989d546a2d5 ("erspan: Add type I version 0 support.")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: William Tu <u9012063@gmail.com>
+Link: https://lore.kernel.org/r/20221203032858.3130339-1-liuhangbin@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_gre.c | 48 ++++++++++++++++++++++++++++-------------------
+ 1 file changed, 29 insertions(+), 19 deletions(-)
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index fc74a3e3b3e1..454c4357a297 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -1498,24 +1498,6 @@ static int ipgre_fill_info(struct sk_buff *skb, const struct net_device *dev)
+ struct ip_tunnel_parm *p = &t->parms;
+ __be16 o_flags = p->o_flags;
+
+- if (t->erspan_ver <= 2) {
+- if (t->erspan_ver != 0 && !t->collect_md)
+- o_flags |= TUNNEL_KEY;
+-
+- if (nla_put_u8(skb, IFLA_GRE_ERSPAN_VER, t->erspan_ver))
+- goto nla_put_failure;
+-
+- if (t->erspan_ver == 1) {
+- if (nla_put_u32(skb, IFLA_GRE_ERSPAN_INDEX, t->index))
+- goto nla_put_failure;
+- } else if (t->erspan_ver == 2) {
+- if (nla_put_u8(skb, IFLA_GRE_ERSPAN_DIR, t->dir))
+- goto nla_put_failure;
+- if (nla_put_u16(skb, IFLA_GRE_ERSPAN_HWID, t->hwid))
+- goto nla_put_failure;
+- }
+- }
+-
+ if (nla_put_u32(skb, IFLA_GRE_LINK, p->link) ||
+ nla_put_be16(skb, IFLA_GRE_IFLAGS,
+ gre_tnl_flags_to_gre_flags(p->i_flags)) ||
+@@ -1556,6 +1538,34 @@ static int ipgre_fill_info(struct sk_buff *skb, const struct net_device *dev)
+ return -EMSGSIZE;
+ }
+
++static int erspan_fill_info(struct sk_buff *skb, const struct net_device *dev)
++{
++ struct ip_tunnel *t = netdev_priv(dev);
++
++ if (t->erspan_ver <= 2) {
++ if (t->erspan_ver != 0 && !t->collect_md)
++ t->parms.o_flags |= TUNNEL_KEY;
++
++ if (nla_put_u8(skb, IFLA_GRE_ERSPAN_VER, t->erspan_ver))
++ goto nla_put_failure;
++
++ if (t->erspan_ver == 1) {
++ if (nla_put_u32(skb, IFLA_GRE_ERSPAN_INDEX, t->index))
++ goto nla_put_failure;
++ } else if (t->erspan_ver == 2) {
++ if (nla_put_u8(skb, IFLA_GRE_ERSPAN_DIR, t->dir))
++ goto nla_put_failure;
++ if (nla_put_u16(skb, IFLA_GRE_ERSPAN_HWID, t->hwid))
++ goto nla_put_failure;
++ }
++ }
++
++ return ipgre_fill_info(skb, dev);
++
++nla_put_failure:
++ return -EMSGSIZE;
++}
++
+ static void erspan_setup(struct net_device *dev)
+ {
+ struct ip_tunnel *t = netdev_priv(dev);
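Review bot: The dump callback erspan_fill_info() writes to the tunnel's stored parameters: `t->parms.o_flags |= TUNNEL_KEY` modifies device state, where the removed code in ipgre_fill_info() only changed a local copy `o_flags`. A netlink fill_info path therefore now has a lasting side effect on a device it receives as `const struct net_device *`, and the flag remains set after the dump returns. If that persistence is intended, say so in place with something like `/* deliberately updates the stored o_flags, not a copy */`; otherwise the flag should be applied only to the reported value, which needs ipgre_fill_info() to take the flags as an argument or a small shared helper. The `goto nla_put_failure` jumps could also simply `return -EMSGSIZE`, since the label does nothing else.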
+@@ -1634,7 +1644,7 @@ static struct rtnl_link_ops erspan_link_ops __read_mostly = {
+ .changelink = erspan_changelink,
+ .dellink = ip_tunnel_dellink,
+ .get_size = ipgre_get_size,
+- .fill_info = ipgre_fill_info,
++ .fill_info = erspan_fill_info,
+ .get_link_net = ip_tunnel_get_link_net,
+ };
+
+--
+2.35.1
+
--- /dev/null
+From 7b4539d0d93c64ef2b7f90782393fa97c7836c3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Dec 2022 09:50:44 +0200
+Subject: ipv4: Fix incorrect route flushing when source address is deleted
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit f96a3d74554df537b6db5c99c27c80e7afadc8d1 ]
+
+Cited commit added the table ID to the FIB info structure, but did not
+prevent structures with different table IDs from being consolidated.
+This can lead to routes being flushed from a VRF when an address is
+deleted from a different VRF.
+
+Fix by taking the table ID into account when looking for a matching FIB
+info. This is already done for FIB info structures backed by a nexthop
+object in fib_find_info_nh().
+
+Add test cases that fail before the fix:
+
+ # ./fib_tests.sh -t ipv4_del_addr
+
+ IPv4 delete address route tests
+ Regular FIB info
+ TEST: Route removed from VRF when source address deleted [ OK ]
+ TEST: Route in default VRF not removed [ OK ]
+ TEST: Route removed in default VRF when source address deleted [ OK ]
+ TEST: Route in VRF is not removed by address delete [ OK ]
+ Identical FIB info with different table ID
+ TEST: Route removed from VRF when source address deleted [FAIL]
+ TEST: Route in default VRF not removed [ OK ]
+ RTNETLINK answers: File exists
+ TEST: Route removed in default VRF when source address deleted [ OK ]
+ TEST: Route in VRF is not removed by address delete [FAIL]
+
+ Tests passed: 6
+ Tests failed: 2
+
+And pass after:
+
+ # ./fib_tests.sh -t ipv4_del_addr
+
+ IPv4 delete address route tests
+ Regular FIB info
+ TEST: Route removed from VRF when source address deleted [ OK ]
+ TEST: Route in default VRF not removed [ OK ]
+ TEST: Route removed in default VRF when source address deleted [ OK ]
+ TEST: Route in VRF is not removed by address delete [ OK ]
+ Identical FIB info with different table ID
+ TEST: Route removed from VRF when source address deleted [ OK ]
+ TEST: Route in default VRF not removed [ OK ]
+ TEST: Route removed in default VRF when source address deleted [ OK ]
+ TEST: Route in VRF is not removed by address delete [ OK ]
+
+ Tests passed: 8
+ Tests failed: 0
+
+Fixes: 5a56a0b3a45d ("net: Don't delete routes in different VRFs")
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/fib_semantics.c | 1 +
+ tools/testing/selftests/net/fib_tests.sh | 27 ++++++++++++++++++++++++
+ 2 files changed, 28 insertions(+)
+
+diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
+index af64ae689b13..250af6e5a892 100644
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -421,6 +421,7 @@ static struct fib_info *fib_find_info(struct fib_info *nfi)
+ nfi->fib_prefsrc == fi->fib_prefsrc &&
+ nfi->fib_priority == fi->fib_priority &&
+ nfi->fib_type == fi->fib_type &&
++ nfi->fib_tb_id == fi->fib_tb_id &&
+ memcmp(nfi->fib_metrics, fi->fib_metrics,
+ sizeof(u32) * RTAX_MAX) == 0 &&
+ !((nfi->fib_flags ^ fi->fib_flags) & ~RTNH_COMPARE_MASK) &&
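Review bot: The added term `nfi->fib_tb_id == fi->fib_tb_id` makes the table ID part of a fib_info's identity, but nothing in the comparison chain records why. A comment above the condition would help: `/* table ID is part of the identity: a fib_info shared across tables lets an address delete in one VRF flush routes in another */`. The hash that selects the bucket is outside the hunk; if it does not mix in the table ID, entries differing only by table still share a chain, which is correct but worth confirming. `fib_find_info()` starts and ends outside the hunk.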
+diff --git a/tools/testing/selftests/net/fib_tests.sh b/tools/testing/selftests/net/fib_tests.sh
+index 996af1ae3d3d..d238617b6ab5 100755
+--- a/tools/testing/selftests/net/fib_tests.sh
++++ b/tools/testing/selftests/net/fib_tests.sh
+@@ -1622,13 +1622,19 @@ ipv4_del_addr_test()
+
+ $IP addr add dev dummy1 172.16.104.1/24
+ $IP addr add dev dummy1 172.16.104.11/24
++ $IP addr add dev dummy1 172.16.104.12/24
+ $IP addr add dev dummy2 172.16.104.1/24
+ $IP addr add dev dummy2 172.16.104.11/24
++ $IP addr add dev dummy2 172.16.104.12/24
+ $IP route add 172.16.105.0/24 via 172.16.104.2 src 172.16.104.11
++ $IP route add 172.16.106.0/24 dev lo src 172.16.104.12
+ $IP route add vrf red 172.16.105.0/24 via 172.16.104.2 src 172.16.104.11
++ $IP route add vrf red 172.16.106.0/24 dev lo src 172.16.104.12
+ set +e
+
+ # removing address from device in vrf should only remove route from vrf table
++ echo " Regular FIB info"
++
+ $IP addr del dev dummy2 172.16.104.11/24
+ $IP ro ls vrf red | grep -q 172.16.105.0/24
+ log_test $? 1 "Route removed from VRF when source address deleted"
+@@ -1646,6 +1652,27 @@ ipv4_del_addr_test()
+ $IP ro ls vrf red | grep -q 172.16.105.0/24
+ log_test $? 0 "Route in VRF is not removed by address delete"
+
++ # removing address from device in vrf should only remove route from vrf
++ # table even when the associated fib info only differs in table ID
++ echo " Identical FIB info with different table ID"
++
++ $IP addr del dev dummy2 172.16.104.12/24
++ $IP ro ls vrf red | grep -q 172.16.106.0/24
++ log_test $? 1 "Route removed from VRF when source address deleted"
++
++ $IP ro ls | grep -q 172.16.106.0/24
++ log_test $? 0 "Route in default VRF not removed"
++
++ $IP addr add dev dummy2 172.16.104.12/24
++ $IP route add vrf red 172.16.106.0/24 dev lo src 172.16.104.12
++
++ $IP addr del dev dummy1 172.16.104.12/24
++ $IP ro ls | grep -q 172.16.106.0/24
++ log_test $? 1 "Route removed in default VRF when source address deleted"
++
++ $IP ro ls vrf red | grep -q 172.16.106.0/24
++ log_test $? 0 "Route in VRF is not removed by address delete"
++
+ $IP li del dummy1
+ $IP li del dummy2
+ cleanup
+--
+2.35.1
+
--- /dev/null
+From 3534d3c8114ac3cced7752c92a99db0f6529bf60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Dec 2022 09:50:45 +0200
+Subject: ipv4: Fix incorrect route flushing when table ID 0 is used
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit c0d999348e01df03e0a7f550351f3907fabbf611 ]
+
+Cited commit added the table ID to the FIB info structure, but did not
+properly initialize it when table ID 0 is used. This can lead to a route
+in the default VRF with a preferred source address not being flushed
+when the address is deleted.
+
+Consider the following example:
+
+ # ip address add dev dummy1 192.0.2.1/28
+ # ip address add dev dummy1 192.0.2.17/28
+ # ip route add 198.51.100.0/24 via 192.0.2.2 src 192.0.2.17 metric 100
+ # ip route add table 0 198.51.100.0/24 via 192.0.2.2 src 192.0.2.17 metric 200
+ # ip route show 198.51.100.0/24
+ 198.51.100.0/24 via 192.0.2.2 dev dummy1 src 192.0.2.17 metric 100
+ 198.51.100.0/24 via 192.0.2.2 dev dummy1 src 192.0.2.17 metric 200
+
+Both routes are installed in the default VRF, but they are using two
+different FIB info structures. One with a metric of 100 and table ID of
+254 (main) and one with a metric of 200 and table ID of 0. Therefore,
+when the preferred source address is deleted from the default VRF,
+the second route is not flushed:
+
+ # ip address del dev dummy1 192.0.2.17/28
+ # ip route show 198.51.100.0/24
+ 198.51.100.0/24 via 192.0.2.2 dev dummy1 src 192.0.2.17 metric 200
+
+Fix by storing a table ID of 254 instead of 0 in the route configuration
+structure.
+
+Add a test case that fails before the fix:
+
+ # ./fib_tests.sh -t ipv4_del_addr
+
+ IPv4 delete address route tests
+ Regular FIB info
+ TEST: Route removed from VRF when source address deleted [ OK ]
+ TEST: Route in default VRF not removed [ OK ]
+ TEST: Route removed in default VRF when source address deleted [ OK ]
+ TEST: Route in VRF is not removed by address delete [ OK ]
+ Identical FIB info with different table ID
+ TEST: Route removed from VRF when source address deleted [ OK ]
+ TEST: Route in default VRF not removed [ OK ]
+ TEST: Route removed in default VRF when source address deleted [ OK ]
+ TEST: Route in VRF is not removed by address delete [ OK ]
+ Table ID 0
+ TEST: Route removed in default VRF when source address deleted [FAIL]
+
+ Tests passed: 8
+ Tests failed: 1
+
+And passes after:
+
+ # ./fib_tests.sh -t ipv4_del_addr
+
+ IPv4 delete address route tests
+ Regular FIB info
+ TEST: Route removed from VRF when source address deleted [ OK ]
+ TEST: Route in default VRF not removed [ OK ]
+ TEST: Route removed in default VRF when source address deleted [ OK ]
+ TEST: Route in VRF is not removed by address delete [ OK ]
+ Identical FIB info with different table ID
+ TEST: Route removed from VRF when source address deleted [ OK ]
+ TEST: Route in default VRF not removed [ OK ]
+ TEST: Route removed in default VRF when source address deleted [ OK ]
+ TEST: Route in VRF is not removed by address delete [ OK ]
+ Table ID 0
+ TEST: Route removed in default VRF when source address deleted [ OK ]
+
+ Tests passed: 9
+ Tests failed: 0
+
+Fixes: 5a56a0b3a45d ("net: Don't delete routes in different VRFs")
+Reported-by: Donald Sharp <sharpd@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/fib_frontend.c | 3 +++
+ tools/testing/selftests/net/fib_tests.sh | 10 ++++++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
+index 1452bb72b7d9..75c88d486327 100644
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -830,6 +830,9 @@ static int rtm_to_fib_config(struct net *net, struct sk_buff *skb,
+ return -EINVAL;
+ }
+
++ if (!cfg->fc_table)
++ cfg->fc_table = RT_TABLE_MAIN;
++
+ return 0;
+ errout:
+ return err;
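Review bot: The `if (!cfg->fc_table)` normalisation sits at the end of `rtm_to_fib_config()`, so it covers only configurations built from a netlink message. Any other code that fills a `struct fib_config` (none is visible in this hunk) would still store table ID 0 and hit the same missed flush, so that is worth checking. The two lines also carry no comment, and the reason is not obvious from them: `/* table 0 lands in the main table; store RT_TABLE_MAIN so the fib_info table ID matches when the source address is deleted */`. The function begins outside the hunk.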
+diff --git a/tools/testing/selftests/net/fib_tests.sh b/tools/testing/selftests/net/fib_tests.sh
+index d238617b6ab5..7df066bf74b8 100755
+--- a/tools/testing/selftests/net/fib_tests.sh
++++ b/tools/testing/selftests/net/fib_tests.sh
+@@ -1623,11 +1623,13 @@ ipv4_del_addr_test()
+ $IP addr add dev dummy1 172.16.104.1/24
+ $IP addr add dev dummy1 172.16.104.11/24
+ $IP addr add dev dummy1 172.16.104.12/24
++ $IP addr add dev dummy1 172.16.104.13/24
+ $IP addr add dev dummy2 172.16.104.1/24
+ $IP addr add dev dummy2 172.16.104.11/24
+ $IP addr add dev dummy2 172.16.104.12/24
+ $IP route add 172.16.105.0/24 via 172.16.104.2 src 172.16.104.11
+ $IP route add 172.16.106.0/24 dev lo src 172.16.104.12
++ $IP route add table 0 172.16.107.0/24 via 172.16.104.2 src 172.16.104.13
+ $IP route add vrf red 172.16.105.0/24 via 172.16.104.2 src 172.16.104.11
+ $IP route add vrf red 172.16.106.0/24 dev lo src 172.16.104.12
+ set +e
+@@ -1673,6 +1675,14 @@ ipv4_del_addr_test()
+ $IP ro ls vrf red | grep -q 172.16.106.0/24
+ log_test $? 0 "Route in VRF is not removed by address delete"
+
++ # removing address from device in default vrf should remove route from
++ # the default vrf even when route was inserted with a table ID of 0.
++ echo " Table ID 0"
++
++ $IP addr del dev dummy1 172.16.104.13/24
++ $IP ro ls | grep -q 172.16.107.0/24
++ log_test $? 1 "Route removed in default VRF when source address deleted"
++
+ $IP li del dummy1
+ $IP li del dummy2
+ cleanup
+--
+2.35.1
+
--- /dev/null
+From 5aa8be142fed963b60786ef74386c7844d367b7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Dec 2022 10:13:51 +0000
+Subject: ipv6: avoid use-after-free in ip6_fragment()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 803e84867de59a1e5d126666d25eb4860cfd2ebe ]
+
+Blamed commit claimed rcu_read_lock() was held by ip6_fragment() callers.
+
+It seems to not be always true, at least for UDP stack.
+
+syzbot reported:
+
+BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:245 [inline]
+BUG: KASAN: use-after-free in ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
+Read of size 8 at addr ffff88801d403e80 by task syz-executor.3/7618
+
+CPU: 1 PID: 7618 Comm: syz-executor.3 Not tainted 6.1.0-rc6-syzkaller-00012-g4312098baf37 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:284 [inline]
+ print_report+0x15e/0x45d mm/kasan/report.c:395
+ kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
+ ip6_dst_idev include/net/ip6_fib.h:245 [inline]
+ ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
+ __ip6_finish_output net/ipv6/ip6_output.c:193 [inline]
+ ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206
+ NF_HOOK_COND include/linux/netfilter.h:291 [inline]
+ ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
+ dst_output include/net/dst.h:445 [inline]
+ ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161
+ ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966
+ udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286
+ udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313
+ udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606
+ inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
+ sock_sendmsg_nosec net/socket.c:714 [inline]
+ sock_sendmsg+0xd3/0x120 net/socket.c:734
+ sock_write_iter+0x295/0x3d0 net/socket.c:1108
+ call_write_iter include/linux/fs.h:2191 [inline]
+ new_sync_write fs/read_write.c:491 [inline]
+ vfs_write+0x9ed/0xdd0 fs/read_write.c:584
+ ksys_write+0x1ec/0x250 fs/read_write.c:637
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7fde3588c0d9
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fde365b6168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00007fde359ac050 RCX: 00007fde3588c0d9
+RDX: 000000000000ffdc RSI: 00000000200000c0 RDI: 000000000000000a
+RBP: 00007fde358e7ae9 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007fde35acfb1f R14: 00007fde365b6300 R15: 0000000000022000
+ </TASK>
+
+Allocated by task 7618:
+ kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+ __kasan_slab_alloc+0x82/0x90 mm/kasan/common.c:325
+ kasan_slab_alloc include/linux/kasan.h:201 [inline]
+ slab_post_alloc_hook mm/slab.h:737 [inline]
+ slab_alloc_node mm/slub.c:3398 [inline]
+ slab_alloc mm/slub.c:3406 [inline]
+ __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
+ kmem_cache_alloc+0x2b4/0x3d0 mm/slub.c:3422
+ dst_alloc+0x14a/0x1f0 net/core/dst.c:92
+ ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344
+ ip6_rt_pcpu_alloc net/ipv6/route.c:1369 [inline]
+ rt6_make_pcpu_route net/ipv6/route.c:1417 [inline]
+ ip6_pol_route+0x901/0x1190 net/ipv6/route.c:2254
+ pol_lookup_func include/net/ip6_fib.h:582 [inline]
+ fib6_rule_lookup+0x52e/0x6f0 net/ipv6/fib6_rules.c:121
+ ip6_route_output_flags_noref+0x2e6/0x380 net/ipv6/route.c:2625
+ ip6_route_output_flags+0x76/0x320 net/ipv6/route.c:2638
+ ip6_route_output include/net/ip6_route.h:98 [inline]
+ ip6_dst_lookup_tail+0x5ab/0x1620 net/ipv6/ip6_output.c:1092
+ ip6_dst_lookup_flow+0x90/0x1d0 net/ipv6/ip6_output.c:1222
+ ip6_sk_dst_lookup_flow+0x553/0x980 net/ipv6/ip6_output.c:1260
+ udpv6_sendmsg+0x151d/0x2c80 net/ipv6/udp.c:1554
+ inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
+ sock_sendmsg_nosec net/socket.c:714 [inline]
+ sock_sendmsg+0xd3/0x120 net/socket.c:734
+ __sys_sendto+0x23a/0x340 net/socket.c:2117
+ __do_sys_sendto net/socket.c:2129 [inline]
+ __se_sys_sendto net/socket.c:2125 [inline]
+ __x64_sys_sendto+0xe1/0x1b0 net/socket.c:2125
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Freed by task 7599:
+ kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+ kasan_save_free_info+0x2e/0x40 mm/kasan/generic.c:511
+ ____kasan_slab_free mm/kasan/common.c:236 [inline]
+ ____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200
+ kasan_slab_free include/linux/kasan.h:177 [inline]
+ slab_free_hook mm/slub.c:1724 [inline]
+ slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1750
+ slab_free mm/slub.c:3661 [inline]
+ kmem_cache_free+0xee/0x5c0 mm/slub.c:3683
+ dst_destroy+0x2ea/0x400 net/core/dst.c:127
+ rcu_do_batch kernel/rcu/tree.c:2250 [inline]
+ rcu_core+0x81f/0x1980 kernel/rcu/tree.c:2510
+ __do_softirq+0x1fb/0xadc kernel/softirq.c:571
+
+Last potentially related work creation:
+ kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
+ __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
+ call_rcu+0x9d/0x820 kernel/rcu/tree.c:2798
+ dst_release net/core/dst.c:177 [inline]
+ dst_release+0x7d/0xe0 net/core/dst.c:167
+ refdst_drop include/net/dst.h:256 [inline]
+ skb_dst_drop include/net/dst.h:268 [inline]
+ skb_release_head_state+0x250/0x2a0 net/core/skbuff.c:838
+ skb_release_all net/core/skbuff.c:852 [inline]
+ __kfree_skb net/core/skbuff.c:868 [inline]
+ kfree_skb_reason+0x151/0x4b0 net/core/skbuff.c:891
+ kfree_skb_list_reason+0x4b/0x70 net/core/skbuff.c:901
+ kfree_skb_list include/linux/skbuff.h:1227 [inline]
+ ip6_fragment+0x2026/0x2770 net/ipv6/ip6_output.c:949
+ __ip6_finish_output net/ipv6/ip6_output.c:193 [inline]
+ ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206
+ NF_HOOK_COND include/linux/netfilter.h:291 [inline]
+ ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
+ dst_output include/net/dst.h:445 [inline]
+ ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161
+ ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966
+ udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286
+ udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313
+ udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606
+ inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
+ sock_sendmsg_nosec net/socket.c:714 [inline]
+ sock_sendmsg+0xd3/0x120 net/socket.c:734
+ sock_write_iter+0x295/0x3d0 net/socket.c:1108
+ call_write_iter include/linux/fs.h:2191 [inline]
+ new_sync_write fs/read_write.c:491 [inline]
+ vfs_write+0x9ed/0xdd0 fs/read_write.c:584
+ ksys_write+0x1ec/0x250 fs/read_write.c:637
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Second to last potentially related work creation:
+ kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
+ __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
+ call_rcu+0x9d/0x820 kernel/rcu/tree.c:2798
+ dst_release net/core/dst.c:177 [inline]
+ dst_release+0x7d/0xe0 net/core/dst.c:167
+ refdst_drop include/net/dst.h:256 [inline]
+ skb_dst_drop include/net/dst.h:268 [inline]
+ __dev_queue_xmit+0x1b9d/0x3ba0 net/core/dev.c:4211
+ dev_queue_xmit include/linux/netdevice.h:3008 [inline]
+ neigh_resolve_output net/core/neighbour.c:1552 [inline]
+ neigh_resolve_output+0x51b/0x840 net/core/neighbour.c:1532
+ neigh_output include/net/neighbour.h:546 [inline]
+ ip6_finish_output2+0x56c/0x1530 net/ipv6/ip6_output.c:134
+ __ip6_finish_output net/ipv6/ip6_output.c:195 [inline]
+ ip6_finish_output+0x694/0x1170 net/ipv6/ip6_output.c:206
+ NF_HOOK_COND include/linux/netfilter.h:291 [inline]
+ ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
+ dst_output include/net/dst.h:445 [inline]
+ NF_HOOK include/linux/netfilter.h:302 [inline]
+ NF_HOOK include/linux/netfilter.h:296 [inline]
+ mld_sendpack+0xa09/0xe70 net/ipv6/mcast.c:1820
+ mld_send_cr net/ipv6/mcast.c:2121 [inline]
+ mld_ifc_work+0x720/0xdc0 net/ipv6/mcast.c:2653
+ process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
+ worker_thread+0x669/0x1090 kernel/workqueue.c:2436
+ kthread+0x2e8/0x3a0 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
+
+The buggy address belongs to the object at ffff88801d403dc0
+ which belongs to the cache ip6_dst_cache of size 240
+The buggy address is located 192 bytes inside of
+ 240-byte region [ffff88801d403dc0, ffff88801d403eb0)
+
+The buggy address belongs to the physical page:
+page:ffffea00007500c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d403
+memcg:ffff888022f49c81
+flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
+raw: 00fff00000000200 ffffea0001ef6580 dead000000000002 ffff88814addf640
+raw: 0000000000000000 00000000800c000c 00000001ffffffff ffff888022f49c81
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 3719, tgid 3719 (kworker/0:6), ts 136223432244, free_ts 136222971441
+ prep_new_page mm/page_alloc.c:2539 [inline]
+ get_page_from_freelist+0x10b5/0x2d50 mm/page_alloc.c:4288
+ __alloc_pages+0x1cb/0x5b0 mm/page_alloc.c:5555
+ alloc_pages+0x1aa/0x270 mm/mempolicy.c:2285
+ alloc_slab_page mm/slub.c:1794 [inline]
+ allocate_slab+0x213/0x300 mm/slub.c:1939
+ new_slab mm/slub.c:1992 [inline]
+ ___slab_alloc+0xa91/0x1400 mm/slub.c:3180
+ __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3279
+ slab_alloc_node mm/slub.c:3364 [inline]
+ slab_alloc mm/slub.c:3406 [inline]
+ __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
+ kmem_cache_alloc+0x31a/0x3d0 mm/slub.c:3422
+ dst_alloc+0x14a/0x1f0 net/core/dst.c:92
+ ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344
+ icmp6_dst_alloc+0x71/0x680 net/ipv6/route.c:3261
+ mld_sendpack+0x5de/0xe70 net/ipv6/mcast.c:1809
+ mld_send_cr net/ipv6/mcast.c:2121 [inline]
+ mld_ifc_work+0x720/0xdc0 net/ipv6/mcast.c:2653
+ process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
+ worker_thread+0x669/0x1090 kernel/workqueue.c:2436
+ kthread+0x2e8/0x3a0 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
+page last free stack trace:
+ reset_page_owner include/linux/page_owner.h:24 [inline]
+ free_pages_prepare mm/page_alloc.c:1459 [inline]
+ free_pcp_prepare+0x65c/0xd90 mm/page_alloc.c:1509
+ free_unref_page_prepare mm/page_alloc.c:3387 [inline]
+ free_unref_page+0x1d/0x4d0 mm/page_alloc.c:3483
+ __unfreeze_partials+0x17c/0x1a0 mm/slub.c:2586
+ qlink_free mm/kasan/quarantine.c:168 [inline]
+ qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
+ kasan_quarantine_reduce+0x184/0x210 mm/kasan/quarantine.c:294
+ __kasan_slab_alloc+0x66/0x90 mm/kasan/common.c:302
+ kasan_slab_alloc include/linux/kasan.h:201 [inline]
+ slab_post_alloc_hook mm/slab.h:737 [inline]
+ slab_alloc_node mm/slub.c:3398 [inline]
+ kmem_cache_alloc_node+0x304/0x410 mm/slub.c:3443
+ __alloc_skb+0x214/0x300 net/core/skbuff.c:497
+ alloc_skb include/linux/skbuff.h:1267 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1191 [inline]
+ netlink_sendmsg+0x9a6/0xe10 net/netlink/af_netlink.c:1896
+ sock_sendmsg_nosec net/socket.c:714 [inline]
+ sock_sendmsg+0xd3/0x120 net/socket.c:734
+ __sys_sendto+0x23a/0x340 net/socket.c:2117
+ __do_sys_sendto net/socket.c:2129 [inline]
+ __se_sys_sendto net/socket.c:2125 [inline]
+ __x64_sys_sendto+0xe1/0x1b0 net/socket.c:2125
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Fixes: 1758fd4688eb ("ipv6: remove unnecessary dst_hold() in ip6_fragment()")
+Reported-by: syzbot+8c0ac31aa9681abb9e2d@syzkaller.appspotmail.com
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Wei Wang <weiwan@google.com>
+Cc: Martin KaFai Lau <kafai@fb.com>
+Link: https://lore.kernel.org/r/20221206101351.2037285-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_output.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 7951ade74d14..675a80dd78ba 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -897,6 +897,9 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
+ if (err < 0)
+ goto fail;
+
++ /* We prevent @rt from being freed. */
++ rcu_read_lock();
++
+ for (;;) {
+ /* Prepare header of the next frame,
+ * before previous one went down. */
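Review bot: The comment `/* We prevent @rt from being freed. */` does not say what would free `rt` or how long the protection is needed. Going by the KASAN report in the description, the dst reference is dropped when the fragment skbs are freed, and `rt` is read afterwards by `IP6_INC_STATS(net, ip6_dst_idev(&rt->dst), ...)`. A comment such as `/* rt is read for the FRAGOKS/FRAGFAILS stats after the skbs holding the dst reference may be gone; RCU keeps it alive until then */` would make the pairing with the two `rcu_read_unlock()` calls in the following hunks checkable. The read-side section spans the whole fast-path loop, so every exit from it must reach one of those unlocks and nothing called inside it may sleep. The loop body is outside these hunks, so this needs confirming against the full function.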
+@@ -920,6 +923,7 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
+ if (err == 0) {
+ IP6_INC_STATS(net, ip6_dst_idev(&rt->dst),
+ IPSTATS_MIB_FRAGOKS);
++ rcu_read_unlock();
+ return 0;
+ }
+
+@@ -927,6 +931,7 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
+
+ IP6_INC_STATS(net, ip6_dst_idev(&rt->dst),
+ IPSTATS_MIB_FRAGFAILS);
++ rcu_read_unlock();
+ return err;
+
+ slow_path_clean:
+--
+2.35.1
+
--- /dev/null
+From b3a23942ad6594b1ff63d76ce3b47f93a6f4edee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 09:17:05 +0000
+Subject: mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit b3d72d3135d2ef68296c1ee174436efd65386f04 ]
+
+Kernel fault injection test reports null-ptr-deref as follows:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000008
+RIP: 0010:cfg802154_netdev_notifier_call+0x120/0x310 include/linux/list.h:114
+Call Trace:
+ <TASK>
+ raw_notifier_call_chain+0x6d/0xa0 kernel/notifier.c:87
+ call_netdevice_notifiers_info+0x6e/0xc0 net/core/dev.c:1944
+ unregister_netdevice_many_notify+0x60d/0xcb0 net/core/dev.c:1982
+ unregister_netdevice_queue+0x154/0x1a0 net/core/dev.c:10879
+ register_netdevice+0x9a8/0xb90 net/core/dev.c:10083
+ ieee802154_if_add+0x6ed/0x7e0 net/mac802154/iface.c:659
+ ieee802154_register_hw+0x29c/0x330 net/mac802154/main.c:229
+ mcr20a_probe+0xaaa/0xcb1 drivers/net/ieee802154/mcr20a.c:1316
+
+ieee802154_if_add() allocates wpan_dev as netdev's private data, but not
+init the list in struct wpan_dev. cfg802154_netdev_notifier_call() manage
+the list when device register/unregister, and may lead to null-ptr-deref.
+
+Use INIT_LIST_HEAD() on it to initialize it correctly.
+
+Fixes: fcf39e6e88e9 ("ieee802154: add wpan_dev_list")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Alexander Aring <aahringo@redhat.com>
+
+Link: https://lore.kernel.org/r/20221130091705.1831140-1-weiyongjun@huaweicloud.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac802154/iface.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
+index 323d3d2d986f..3e510664fc89 100644
+--- a/net/mac802154/iface.c
++++ b/net/mac802154/iface.c
+@@ -661,6 +661,7 @@ ieee802154_if_add(struct ieee802154_local *local, const char *name,
+ sdata->dev = ndev;
+ sdata->wpan_dev.wpan_phy = local->hw.phy;
+ sdata->local = local;
++ INIT_LIST_HEAD(&sdata->wpan_dev.list);
+
+ /* setup type-dependent data */
+ ret = ieee802154_setup_sdata(sdata, type);
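Review bot: `INIT_LIST_HEAD(&sdata->wpan_dev.list)` must run before the netdev is registered, but nothing at the call site records that ordering constraint. The trace in the description shows the notifier reaching the list from the `register_netdevice()` error path. A short comment such as `/* must precede register_netdevice(): the cfg802154 notifier touches this list even when registration fails */` would keep a later reshuffle from reintroducing the NULL dereference. The registration call itself is outside the hunk.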
+--
+2.35.1
+
--- /dev/null
+From 904e2901a342d05f56ccf2ea99d705b9c2d634bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 12:16:18 +0200
+Subject: macsec: add missing attribute validation for offload
+
+From: Emeel Hakim <ehakim@nvidia.com>
+
+[ Upstream commit 38099024e51ee37dee5f0f577ca37175c932e3f7 ]
+
+Add missing attribute validation for IFLA_MACSEC_OFFLOAD
+to the netlink policy.
+
+Fixes: 791bb3fcafce ("net: macsec: add support for specifying offload upon link creation")
+Signed-off-by: Emeel Hakim <ehakim@nvidia.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://lore.kernel.org/r/20221207101618.989-1-ehakim@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macsec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index aa9d0dfeda5a..88e44eb39285 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -3675,6 +3675,7 @@ static const struct nla_policy macsec_rtnl_policy[IFLA_MACSEC_MAX + 1] = {
+ [IFLA_MACSEC_SCB] = { .type = NLA_U8 },
+ [IFLA_MACSEC_REPLAY_PROTECT] = { .type = NLA_U8 },
+ [IFLA_MACSEC_VALIDATION] = { .type = NLA_U8 },
++ [IFLA_MACSEC_OFFLOAD] = { .type = NLA_U8 },
+ };
+
+ static void macsec_free_netdev(struct net_device *dev)
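Review bot: `{ .type = NLA_U8 }` validates only the attribute length, so any value from 0 to 255 for `IFLA_MACSEC_OFFLOAD` passes the policy. Because the attribute selects an offload mode, bounding it in the policy would reject out-of-range values before any handler sees them: `[IFLA_MACSEC_OFFLOAD] = NLA_POLICY_MAX(NLA_U8, MACSEC_OFFLOAD_MAX),`. Whether the link-creation path already range-checks the value elsewhere is not visible in this hunk.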
+--
+2.35.1
+
--- /dev/null
+From 16c1b551c44c2ff91f6d1b87aff78ffa2b4a7ea4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 19:50:03 +0800
+Subject: net: broadcom: Add PTP_1588_CLOCK_OPTIONAL dependency for BCMGENET
+ under ARCH_BCM2835
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 421f8663b3a775c32f724f793264097c60028f2e ]
+
+commit 8d820bc9d12b ("net: broadcom: Fix BCMGENET Kconfig") fixes the build
+that contain 99addbe31f55 ("net: broadcom: Select BROADCOM_PHY for BCMGENET")
+and enable BCMGENET=y but PTP_1588_CLOCK_OPTIONAL=m, which otherwise
+leads to a link failure. However this may trigger a runtime failure.
+
+Fix the original issue by propagating the PTP_1588_CLOCK_OPTIONAL dependency
+of BROADCOM_PHY down to BCMGENET.
+
+Fixes: 8d820bc9d12b ("net: broadcom: Fix BCMGENET Kconfig")
+Fixes: 99addbe31f55 ("net: broadcom: Select BROADCOM_PHY for BCMGENET")
+Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Suggested-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20221125115003.30308-1-yuehaibing@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/Kconfig | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/Kconfig b/drivers/net/ethernet/broadcom/Kconfig
+index 1cd3c289f49b..cd1706909044 100644
+--- a/drivers/net/ethernet/broadcom/Kconfig
++++ b/drivers/net/ethernet/broadcom/Kconfig
+@@ -71,13 +71,14 @@ config BCM63XX_ENET
+ config BCMGENET
+ tristate "Broadcom GENET internal MAC support"
+ depends on HAS_IOMEM
++ depends on PTP_1588_CLOCK_OPTIONAL || !ARCH_BCM2835
+ select MII
+ select PHYLIB
+ select FIXED_PHY
+ select BCM7XXX_PHY
+ select MDIO_BCM_UNIMAC
+ select DIMLIB
+- select BROADCOM_PHY if (ARCH_BCM2835 && PTP_1588_CLOCK_OPTIONAL)
++ select BROADCOM_PHY if ARCH_BCM2835
+ help
+ This driver supports the built-in Ethernet MACs found in the
+ Broadcom BCM7xxx Set Top Box family chipset.
+--
+2.35.1
+
--- /dev/null
+From adbc0a9a0aa1fa0c47237ebc5c665accf8ac3e56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 17:00:31 +0300
+Subject: net: dsa: hellcreek: Check return value
+
+From: Artem Chernyshev <artem.chernyshev@red-soft.ru>
+
+[ Upstream commit d4edb50688652eb10be270bc515da63815de428f ]
+
+Return NULL if we got unexpected value from skb_trim_rcsum()
+in hellcreek_rcv()
+
+Fixes: 01ef09caad66 ("net: dsa: Add tag handling for Hirschmann Hellcreek switches")
+Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Kurt Kanzenbach <kurt@linutronix.de>
+Link: https://lore.kernel.org/r/20221201140032.26746-2-artem.chernyshev@red-soft.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/dsa/tag_hellcreek.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/dsa/tag_hellcreek.c b/net/dsa/tag_hellcreek.c
+index 846588c0070a..53a206d11685 100644
+--- a/net/dsa/tag_hellcreek.c
++++ b/net/dsa/tag_hellcreek.c
+@@ -49,7 +49,8 @@ static struct sk_buff *hellcreek_rcv(struct sk_buff *skb,
+ return NULL;
+ }
+
+- pskb_trim_rcsum(skb, skb->len - HELLCREEK_TAG_LEN);
++ if (pskb_trim_rcsum(skb, skb->len - HELLCREEK_TAG_LEN))
++ return NULL;
+
+ dsa_default_offload_fwd_mark(skb);
+
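Review bot: The new check catches only a failure inside `pskb_trim_rcsum()`, not a frame shorter than the tag. The length passed, `skb->len - HELLCREEK_TAG_LEN`, is unsigned arithmetic and wraps for such a frame, and the trim is then a no-op that reports success. If no earlier length check exists (the start of `hellcreek_rcv()` is outside the hunk), a guard such as `if (skb->len < HELLCREEK_TAG_LEN) return NULL;` before the tag is read would close that gap. The same question applies to `skb->len - len` in `ksz_common_rcv()` in the tag_ksz.c hunk.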
+--
+2.35.1
+
--- /dev/null
+From acc46805539b69a8e212b2cf591553c51108679f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 17:00:30 +0300
+Subject: net: dsa: ksz: Check return value
+
+From: Artem Chernyshev <artem.chernyshev@red-soft.ru>
+
+[ Upstream commit 3d8fdcbf1f42e2bb9ae8b8c0b6f202278c788a22 ]
+
+Return NULL if we got unexpected value from skb_trim_rcsum()
+in ksz_common_rcv()
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: bafe9ba7d908 ("net: dsa: ksz: Factor out common tag code")
+Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20221201140032.26746-1-artem.chernyshev@red-soft.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/dsa/tag_ksz.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/dsa/tag_ksz.c b/net/dsa/tag_ksz.c
+index fa1d60d13ad9..6795dd017499 100644
+--- a/net/dsa/tag_ksz.c
++++ b/net/dsa/tag_ksz.c
+@@ -22,7 +22,8 @@ static struct sk_buff *ksz_common_rcv(struct sk_buff *skb,
+ if (!skb->dev)
+ return NULL;
+
+- pskb_trim_rcsum(skb, skb->len - len);
++ if (pskb_trim_rcsum(skb, skb->len - len))
++ return NULL;
+
+ dsa_default_offload_fwd_mark(skb);
+
+--
+2.35.1
+
--- /dev/null
+From 95b1a7db8cd2f305be5e17ed4a3bf27259d04a56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 17:00:32 +0300
+Subject: net: dsa: sja1105: Check return value
+
+From: Artem Chernyshev <artem.chernyshev@red-soft.ru>
+
+[ Upstream commit 8948876335b1752176afdff8e704099a3ea0f6e6 ]
+
+Return NULL if we got unexpected value from skb_trim_rcsum() in
+sja1110_rcv_inband_control_extension()
+
+Fixes: 4913b8ebf8a9 ("net: dsa: add support for the SJA1110 native tagging protocol")
+Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20221201140032.26746-3-artem.chernyshev@red-soft.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/dsa/tag_sja1105.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/dsa/tag_sja1105.c b/net/dsa/tag_sja1105.c
+index 2edede9ddac9..d43feadd5fa6 100644
+--- a/net/dsa/tag_sja1105.c
++++ b/net/dsa/tag_sja1105.c
+@@ -644,7 +644,8 @@ static struct sk_buff *sja1110_rcv_inband_control_extension(struct sk_buff *skb,
+ * padding and trailer we need to account for the fact that
+ * skb->data points to skb_mac_header(skb) + ETH_HLEN.
+ */
+- pskb_trim_rcsum(skb, start_of_padding - ETH_HLEN);
++ if (pskb_trim_rcsum(skb, start_of_padding - ETH_HLEN))
++ return NULL;
+ /* Trap-to-host frame, no timestamp trailer */
+ } else {
+ *source_port = SJA1110_RX_HEADER_SRC_PORT(rx_header);
+--
+2.35.1
+
--- /dev/null
+From 19fb171a17d065f5d09976c274f2a6ec85108692 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 09:21:32 +0800
+Subject: net: dsa: sja1105: fix memory leak in sja1105_setup_devlink_regions()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 78a9ea43fc1a7c06a420b132d2d47cbf4344a5df ]
+
+When dsa_devlink_region_create failed in sja1105_setup_devlink_regions(),
+priv->regions is not released.
+
+Fixes: bf425b82059e ("net: dsa: sja1105: expose static config as devlink region")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20221205012132.2110979-1-shaozhengchao@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/sja1105/sja1105_devlink.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105_devlink.c b/drivers/net/dsa/sja1105/sja1105_devlink.c
+index 10c6fea1227f..bdbbff2a7909 100644
+--- a/drivers/net/dsa/sja1105/sja1105_devlink.c
++++ b/drivers/net/dsa/sja1105/sja1105_devlink.c
+@@ -95,6 +95,8 @@ static int sja1105_setup_devlink_regions(struct dsa_switch *ds)
+ if (IS_ERR(region)) {
+ while (--i >= 0)
+ dsa_devlink_region_destroy(priv->regions[i]);
++
++ kfree(priv->regions);
+ return PTR_ERR(region);
+ }
+
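Review bot: After the added `kfree(priv->regions);` the pointer still holds the freed address. If any later path (a teardown routine or a retried setup, neither visible here) reads or frees `priv->regions`, that becomes a use-after-free or double free. Adding `priv->regions = NULL;` right after the kfree() keeps the error path self-contained. sja1105_setup_devlink_regions() starts and ends outside the hunk.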
+--
+2.35.1
+
--- /dev/null
+From dcdab22445905fc5469fb1357dce3ed1d15392dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 20:34:07 +0300
+Subject: net: encx24j600: Add parentheses to fix precedence
+
+From: Valentina Goncharenko <goncharenko.vp@ispras.ru>
+
+[ Upstream commit 167b3f2dcc62c271f3555b33df17e361bb1fa0ee ]
+
+In functions regmap_encx24j600_phy_reg_read() and
+regmap_encx24j600_phy_reg_write() in the conditions of the waiting
+cycles for filling the variable 'ret' it is necessary to add parentheses
+to prevent wrong assignment due to logical operations precedence.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: d70e53262f5c ("net: Microchip encx24j600 driver")
+Signed-off-by: Valentina Goncharenko <goncharenko.vp@ispras.ru>
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/encx24j600-regmap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/microchip/encx24j600-regmap.c b/drivers/net/ethernet/microchip/encx24j600-regmap.c
+index 81a8ccca7e5e..2e337c7a5773 100644
+--- a/drivers/net/ethernet/microchip/encx24j600-regmap.c
++++ b/drivers/net/ethernet/microchip/encx24j600-regmap.c
+@@ -359,7 +359,7 @@ static int regmap_encx24j600_phy_reg_read(void *context, unsigned int reg,
+ goto err_out;
+
+ usleep_range(26, 100);
+- while ((ret = regmap_read(ctx->regmap, MISTAT, &mistat) != 0) &&
++ while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) != 0) &&
+ (mistat & BUSY))
+ cpu_relax();
+
+@@ -397,7 +397,7 @@ static int regmap_encx24j600_phy_reg_write(void *context, unsigned int reg,
+ goto err_out;
+
+ usleep_range(26, 100);
+- while ((ret = regmap_read(ctx->regmap, MISTAT, &mistat) != 0) &&
++ while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) != 0) &&
+ (mistat & BUSY))
+ cpu_relax();
+
+--
+2.35.1
+
--- /dev/null
+From 3bd4d4cdd7f900afbf1a1076465b9ec577cefcc5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 20:34:08 +0300
+Subject: net: encx24j600: Fix invalid logic in reading of MISTAT register
+
+From: Valentina Goncharenko <goncharenko.vp@ispras.ru>
+
+[ Upstream commit 25f427ac7b8d89b0259f86c0c6407b329df742b2 ]
+
+A loop for reading MISTAT register continues while regmap_read() fails
+and (mistat & BUSY), but if regmap_read() fails a value of mistat is
+undefined.
+
+The patch proposes to check for BUSY flag only when regmap_read()
+succeeds. Compile test only.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: d70e53262f5c ("net: Microchip encx24j600 driver")
+Signed-off-by: Valentina Goncharenko <goncharenko.vp@ispras.ru>
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/encx24j600-regmap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/microchip/encx24j600-regmap.c b/drivers/net/ethernet/microchip/encx24j600-regmap.c
+index 2e337c7a5773..5693784eec5b 100644
+--- a/drivers/net/ethernet/microchip/encx24j600-regmap.c
++++ b/drivers/net/ethernet/microchip/encx24j600-regmap.c
+@@ -359,7 +359,7 @@ static int regmap_encx24j600_phy_reg_read(void *context, unsigned int reg,
+ goto err_out;
+
+ usleep_range(26, 100);
+- while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) != 0) &&
++ while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) == 0) &&
+ (mistat & BUSY))
+ cpu_relax();
+
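Review bot: The polling loop has no upper bound: with the corrected `== 0` test it spins in `cpu_relax()` for as long as reads succeed and MISTAT reports BUSY, so a device that never clears the bit stalls the caller indefinitely. A bounded wait, for example `ret = regmap_read_poll_timeout(ctx->regmap, MISTAT, mistat, !(mistat & BUSY), <sleep_us>, <timeout_us>);` with limits taken from the datasheet, would return -ETIMEDOUT instead. The same loop is in the regmap_encx24j600_phy_reg_write() hunk below; both functions continue outside their hunks.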
+@@ -397,7 +397,7 @@ static int regmap_encx24j600_phy_reg_write(void *context, unsigned int reg,
+ goto err_out;
+
+ usleep_range(26, 100);
+- while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) != 0) &&
++ while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) == 0) &&
+ (mistat & BUSY))
+ cpu_relax();
+
+--
+2.35.1
+
--- /dev/null
+From f87d50fa7c78566c310261072f3da4bcf04faa6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Dec 2022 17:42:39 +0800
+Subject: net: hisilicon: Fix potential use-after-free in hisi_femac_rx()
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit 4640177049549de1a43e9bc49265f0cdfce08cfd ]
+
+The skb is delivered to napi_gro_receive() which may free it, after
+calling this, dereferencing skb may trigger use-after-free.
+
+Fixes: 542ae60af24f ("net: hisilicon: Add Fast Ethernet MAC driver")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Link: https://lore.kernel.org/r/20221203094240.1240211-1-liujian56@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hisi_femac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hisi_femac.c b/drivers/net/ethernet/hisilicon/hisi_femac.c
+index 22bf914f2dbd..ea3e67cf5ffa 100644
+--- a/drivers/net/ethernet/hisilicon/hisi_femac.c
++++ b/drivers/net/ethernet/hisilicon/hisi_femac.c
+@@ -283,7 +283,7 @@ static int hisi_femac_rx(struct net_device *dev, int limit)
+ skb->protocol = eth_type_trans(skb, dev);
+ napi_gro_receive(&priv->napi, skb);
+ dev->stats.rx_packets++;
+- dev->stats.rx_bytes += skb->len;
++ dev->stats.rx_bytes += len;
+ next:
+ pos = (pos + 1) % rxq->num;
+ if (rx_pkts_num >= limit)
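Review bot: `len` is not defined in this hunk; if it is the descriptor length given to skb_put() before `eth_type_trans()` pulled the Ethernet header, rx_bytes now counts ETH_HLEN more per packet than the old `skb->len` did. That may well be the intended accounting, but it is a visible statistics change the description does not mention. A short comment such as `/* skb may be freed by napi_gro_receive(); use the length saved before hand-off */` would also stop someone from reverting to `skb->len`. The hix5hd2_rx() hunk makes the same substitution, and hisi_femac_rx() continues outside this hunk.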
+--
+2.35.1
+
--- /dev/null
+From 568f53c7213d1ccb068bfca4f2b62548c99da338 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Dec 2022 17:42:40 +0800
+Subject: net: hisilicon: Fix potential use-after-free in hix5hd2_rx()
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit 433c07a13f59856e4585e89e86b7d4cc59348fab ]
+
+The skb is delivered to napi_gro_receive() which may free it, after
+calling this, dereferencing skb may trigger use-after-free.
+
+Fixes: 57c5bc9ad7d7 ("net: hisilicon: add hix5hd2 mac driver")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Link: https://lore.kernel.org/r/20221203094240.1240211-2-liujian56@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hix5hd2_gmac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c b/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c
+index c1aae0fca5e9..0a70fb979f0c 100644
+--- a/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c
++++ b/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c
+@@ -550,7 +550,7 @@ static int hix5hd2_rx(struct net_device *dev, int limit)
+ skb->protocol = eth_type_trans(skb, dev);
+ napi_gro_receive(&priv->napi, skb);
+ dev->stats.rx_packets++;
+- dev->stats.rx_bytes += skb->len;
++ dev->stats.rx_bytes += len;
+ next:
+ pos = dma_ring_incr(pos, RX_DESC_NUM);
+ }
+--
+2.35.1
+
--- /dev/null
+From cd783c3b86050e821d753825cf51668528183c2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Dec 2022 15:34:41 +0800
+Subject: net: mdio: fix unbalanced fwnode reference count in
+ mdio_device_release()
+
+From: Zeng Heng <zengheng4@huawei.com>
+
+[ Upstream commit cb37617687f2bfa5b675df7779f869147c9002bd ]
+
+There is warning report about of_node refcount leak
+while probing mdio device:
+
+OF: ERROR: memory leak, expected refcount 1 instead of 2,
+of_node_get()/of_node_put() unbalanced - destroy cset entry:
+attach overlay node /spi/soc@0/mdio@710700c0/ethernet@4
+
+In of_mdiobus_register_device(), we increase fwnode refcount
+by fwnode_handle_get() before associating the of_node with
+mdio device, but it has never been decreased in normal path.
+Since that, in mdio_device_release(), it needs to call
+fwnode_handle_put() in addition instead of calling kfree()
+directly.
+
+After above, just calling mdio_device_free() in the error handle
+path of of_mdiobus_register_device() is enough to keep the
+refcount balanced.
+
+Fixes: a9049e0c513c ("mdio: Add support for mdio drivers.")
+Signed-off-by: Zeng Heng <zengheng4@huawei.com>
+Reviewed-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Link: https://lore.kernel.org/r/20221203073441.3885317-1-zengheng4@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mdio/of_mdio.c | 3 ++-
+ drivers/net/phy/mdio_device.c | 2 ++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/mdio/of_mdio.c b/drivers/net/mdio/of_mdio.c
+index 796e9c7857d0..510822d6d0d9 100644
+--- a/drivers/net/mdio/of_mdio.c
++++ b/drivers/net/mdio/of_mdio.c
+@@ -68,8 +68,9 @@ static int of_mdiobus_register_device(struct mii_bus *mdio,
+ /* All data is now stored in the mdiodev struct; register it. */
+ rc = mdio_device_register(mdiodev);
+ if (rc) {
++ device_set_node(&mdiodev->dev, NULL);
++ fwnode_handle_put(fwnode);
+ mdio_device_free(mdiodev);
+- of_node_put(child);
+ return rc;
+ }
+
+diff --git a/drivers/net/phy/mdio_device.c b/drivers/net/phy/mdio_device.c
+index 250742ffdfd9..044828d081d2 100644
+--- a/drivers/net/phy/mdio_device.c
++++ b/drivers/net/phy/mdio_device.c
+@@ -21,6 +21,7 @@
+ #include <linux/slab.h>
+ #include <linux/string.h>
+ #include <linux/unistd.h>
++#include <linux/property.h>
+
+ void mdio_device_free(struct mdio_device *mdiodev)
+ {
+@@ -30,6 +31,7 @@ EXPORT_SYMBOL(mdio_device_free);
+
+ static void mdio_device_release(struct device *dev)
+ {
++ fwnode_handle_put(dev->fwnode);
+ kfree(to_mdio_device(dev));
+ }
+
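Review bot: mdio_device_release() now drops a reference on `dev->fwnode` for every mdio device, so the release path assumes that whoever attached the node took a reference with fwnode_handle_get(). The of_mdio.c hunk honours that on its error path, but other code that sets the node is not visible here; any caller that assigns it without taking a reference would now underflow the count. A comment above the function stating the rule, e.g. `/* Drops the fwnode reference taken when the node was attached; setters must hold one. */`, would make the ownership contract explicit.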
+--
+2.35.1
+
--- /dev/null
+From 0a8381a5f0093cd3a668467d3a0f940d6402328d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 13:18:33 +0800
+Subject: net: mdiobus: fix double put fwnode in the error path
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 165df24186ecea95705505627df3dacf5e7ff6bf ]
+
+If phy_device_register() or fwnode_mdiobus_phy_device_register()
+fail, phy_device_free() is called, the device refcount is decreased
+to 0, then fwnode_handle_put() will be called in phy_device_release(),
+but in the error path, fwnode_handle_put() has already been called,
+so set fwnode to NULL after fwnode_handle_put() in the error path to
+avoid double put.
+
+Fixes: cdde1560118f ("net: mdiobus: fix unbalanced node reference count")
+Reported-by: Zeng Heng <zengheng4@huawei.com>
+Tested-by: Zeng Heng <zengheng4@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Zeng Heng <zengheng4@huawei.com>
+Tested-by: Zeng Heng <zengheng4@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mdio/fwnode_mdio.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/mdio/fwnode_mdio.c b/drivers/net/mdio/fwnode_mdio.c
+index 403b07f8ec2c..2c47efdae73b 100644
+--- a/drivers/net/mdio/fwnode_mdio.c
++++ b/drivers/net/mdio/fwnode_mdio.c
+@@ -77,6 +77,7 @@ int fwnode_mdiobus_phy_device_register(struct mii_bus *mdio,
+ */
+ rc = phy_device_register(phy);
+ if (rc) {
++ device_set_node(&phy->mdio.dev, NULL);
+ fwnode_handle_put(child);
+ return rc;
+ }
+@@ -125,7 +126,8 @@ int fwnode_mdiobus_register_phy(struct mii_bus *bus,
+ /* All data is now stored in the phy struct, so register it */
+ rc = phy_device_register(phy);
+ if (rc) {
+- fwnode_handle_put(phy->mdio.dev.fwnode);
++ phy->mdio.dev.fwnode = NULL;
++ fwnode_handle_put(child);
+ goto clean_phy;
+ }
+ } else if (is_of_node(child)) {
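Review bot: This error path clears the node with a direct `phy->mdio.dev.fwnode = NULL;` while the first hunk of the same patch uses `device_set_node(&phy->mdio.dev, NULL);` for the same purpose. Using the helper here as well keeps the two paths consistent and also resets `of_node`, so neither field is left pointing at a node whose reference was just dropped. A one-line comment saying the clear exists so that the release callback does not put the node a second time would help, since that callback is not visible from this file section.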
+--
+2.35.1
+
--- /dev/null
+From 85b69dbf766f7f165270f1948dbadef055d01dad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Oct 2022 08:51:58 +0200
+Subject: net: mdiobus: fwnode_mdiobus_register_phy() rework error handling
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit cfaa202a73eafaf91a3d0a86b5e5df006562f5c0 ]
+
+Rework error handling as preparation for PSE patch. This patch should
+make it easier to extend this function.
+
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 165df24186ec ("net: mdiobus: fix double put fwnode in the error path")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mdio/fwnode_mdio.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/mdio/fwnode_mdio.c b/drivers/net/mdio/fwnode_mdio.c
+index 40e745a1d185..403b07f8ec2c 100644
+--- a/drivers/net/mdio/fwnode_mdio.c
++++ b/drivers/net/mdio/fwnode_mdio.c
+@@ -110,8 +110,8 @@ int fwnode_mdiobus_register_phy(struct mii_bus *bus,
+ else
+ phy = phy_device_create(bus, addr, phy_id, 0, NULL);
+ if (IS_ERR(phy)) {
+- unregister_mii_timestamper(mii_ts);
+- return PTR_ERR(phy);
++ rc = PTR_ERR(phy);
++ goto clean_mii_ts;
+ }
+
+ if (is_acpi_node(child)) {
+@@ -125,17 +125,13 @@ int fwnode_mdiobus_register_phy(struct mii_bus *bus,
+ /* All data is now stored in the phy struct, so register it */
+ rc = phy_device_register(phy);
+ if (rc) {
+- phy_device_free(phy);
+ fwnode_handle_put(phy->mdio.dev.fwnode);
+- return rc;
++ goto clean_phy;
+ }
+ } else if (is_of_node(child)) {
+ rc = fwnode_mdiobus_phy_device_register(bus, phy, child, addr);
+- if (rc) {
+- unregister_mii_timestamper(mii_ts);
+- phy_device_free(phy);
+- return rc;
+- }
++ if (rc)
++ goto clean_phy;
+ }
+
+ /* phy->mii_ts may already be defined by the PHY driver. A
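Review bot: The ACPI failure branch now reaches `clean_mii_ts` by falling through `clean_phy`, so it calls unregister_mii_timestamper(), which the removed lines in that branch did not do; the description calls the patch a rework only. If `mii_ts` can be non-NULL for an ACPI node this is a behaviour change worth stating. Either way, a comment at the labels in the last hunk, e.g. `/* clean_phy falls through: every failure after PHY creation also drops the timestamper */`, would record the intent. fwnode_mdiobus_register_phy() starts outside the hunk.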
+@@ -145,5 +141,12 @@ int fwnode_mdiobus_register_phy(struct mii_bus *bus,
+ if (mii_ts)
+ phy->mii_ts = mii_ts;
+ return 0;
++
++clean_phy:
++ phy_device_free(phy);
++clean_mii_ts:
++ unregister_mii_timestamper(mii_ts);
++
++ return rc;
+ }
+ EXPORT_SYMBOL(fwnode_mdiobus_register_phy);
+--
+2.35.1
+
--- /dev/null
+From b396dcd62cf502edac5ae55dae30cb9af33d6f1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Dec 2022 15:02:59 +0800
+Subject: net: microchip: sparx5: Fix missing destroy_workqueue of mact_queue
+
+From: Qiheng Lin <linqiheng@huawei.com>
+
+[ Upstream commit 7b8232bdb1789a257de3129a9bb08c69b93a17db ]
+
+The mchp_sparx5_probe() won't destroy workqueue created by
+create_singlethread_workqueue() in sparx5_start() when later
+inits failed. Add destroy_workqueue in the cleanup_ports case,
+also add it in mchp_sparx5_remove()
+
+Fixes: b37a1bae742f ("net: sparx5: add mactable support")
+Signed-off-by: Qiheng Lin <linqiheng@huawei.com>
+Link: https://lore.kernel.org/r/20221203070259.19560-1-linqiheng@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/sparx5/sparx5_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_main.c b/drivers/net/ethernet/microchip/sparx5/sparx5_main.c
+index 435ac224e38e..0463f20da17b 100644
+--- a/drivers/net/ethernet/microchip/sparx5/sparx5_main.c
++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_main.c
+@@ -829,6 +829,8 @@ static int mchp_sparx5_probe(struct platform_device *pdev)
+
+ cleanup_ports:
+ sparx5_cleanup_ports(sparx5);
++ if (sparx5->mact_queue)
++ destroy_workqueue(sparx5->mact_queue);
+ cleanup_config:
+ kfree(configs);
+ cleanup_pnode:
+@@ -852,6 +854,7 @@ static int mchp_sparx5_remove(struct platform_device *pdev)
+ sparx5_cleanup_ports(sparx5);
+ /* Unregister netdevs */
+ sparx5_unregister_notifier_blocks(sparx5);
++ destroy_workqueue(sparx5->mact_queue);
+
+ return 0;
+ }
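Review bot: destroy_workqueue() in mchp_sparx5_remove() drains work that is already queued, but the hunk shows nothing that stops work still waiting on a timer. If the driver queues delayed or self-rearming work on `mact_queue` (not visible here), that work should be cancelled with cancel_delayed_work_sync() before the queue is destroyed, otherwise the timer can fire against freed memory. The probe error path in the first hunk raises the same ordering question, and there `sparx5->mact_queue` keeps its stale value after the destroy.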
+--
+2.35.1
+
--- /dev/null
+From 538d450cfc0c6467473492d2c04e02c568cab69f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 10:06:31 +0300
+Subject: net: mvneta: Fix an out of bounds check
+
+From: Dan Carpenter <error27@gmail.com>
+
+[ Upstream commit cdd97383e19d4afe29adc3376025a15ae3bab3a3 ]
+
+In an earlier commit, I added a bounds check to prevent an out of bounds
+read and a WARN(). On further discussion and consideration that check
+was probably too aggressive. Instead of returning -EINVAL, a better fix
+would be to just prevent the out of bounds read but continue the process.
+
+Background: The value of "pp->rxq_def" is a number between 0-7 by default,
+or even higher depending on the value of "rxq_number", which is a module
+parameter. If the value is more than the number of available CPUs then
+it will trigger the WARN() in cpu_max_bits_warn().
+
+Fixes: e8b4fc13900b ("net: mvneta: Prevent out of bounds read in mvneta_config_rss()")
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Link: https://lore.kernel.org/r/Y5A7d1E5ccwHTYPf@kadam
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvneta.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
+index a3a5aa8c9656..5c431a369762 100644
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -4162,7 +4162,7 @@ static void mvneta_percpu_elect(struct mvneta_port *pp)
+ /* Use the cpu associated to the rxq when it is online, in all
+ * the other cases, use the cpu 0 which can't be offline.
+ */
+- if (cpu_online(pp->rxq_def))
++ if (pp->rxq_def < nr_cpu_ids && cpu_online(pp->rxq_def))
+ elected_cpu = pp->rxq_def;
+
+ max_cpu = num_present_cpus();
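Review bot: The comment above the test still describes only the online/offline case, while the condition now also rejects a `pp->rxq_def` that is not a valid CPU id. Extending it, e.g. `/* Use the cpu associated to the rxq when it is a valid CPU id and online; otherwise use cpu 0 */`, would explain why `nr_cpu_ids` is compared here. Since the second hunk removes the validation at the point where the user-supplied `pp->indir[0]` is stored, any other place that uses `pp->rxq_def` as a CPU number needs the same guard; those uses are not visible in this diff.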
+@@ -4793,9 +4793,6 @@ static int mvneta_config_rss(struct mvneta_port *pp)
+ napi_disable(&pp->napi);
+ }
+
+- if (pp->indir[0] >= nr_cpu_ids)
+- return -EINVAL;
+-
+ pp->rxq_def = pp->indir[0];
+
+ /* Update unicast mapping */
+--
+2.35.1
+
--- /dev/null
+From c0ab08f0a2edcd5dcd7bfdfbb41bae5495b129fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 12:58:26 +0300
+Subject: net: mvneta: Prevent out of bounds read in mvneta_config_rss()
+
+From: Dan Carpenter <error27@gmail.com>
+
+[ Upstream commit e8b4fc13900b8e8be48debffd0dfd391772501f7 ]
+
+The pp->indir[0] value comes from the user. It is passed to:
+
+ if (cpu_online(pp->rxq_def))
+
+inside the mvneta_percpu_elect() function. It needs bounds checking
+to ensure that it is not beyond the end of the cpu bitmap.
+
+Fixes: cad5d847a093 ("net: mvneta: Fix the CPU choice in mvneta_percpu_elect")
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvneta.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
+index 9d460a270601..a3a5aa8c9656 100644
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -4793,6 +4793,9 @@ static int mvneta_config_rss(struct mvneta_port *pp)
+ napi_disable(&pp->napi);
+ }
+
++ if (pp->indir[0] >= nr_cpu_ids)
++ return -EINVAL;
++
+ pp->rxq_def = pp->indir[0];
+
+ /* Update unicast mapping */
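Review bot: The new `return -EINVAL` sits after the block that ends in `napi_disable(&pp->napi);`, so a rejected value leaves the function with NAPI (and whatever else that block stopped) still disabled unless the caller undoes it. Validating before anything is stopped avoids that: move `if (pp->indir[0] >= nr_cpu_ids) return -EINVAL;` ahead of the disable sequence in mvneta_config_rss(). The function's start and its re-enable code are outside the hunk, so the exact placement needs checking against the full file.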
+--
+2.35.1
+
--- /dev/null
+From 863db65cb1f01bdaeae89567fa1d3664ea230683 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Jul 2022 15:15:51 +0200
+Subject: net: phy: mxl-gpy: fix version reporting
+
+From: Michael Walle <michael@walle.cc>
+
+[ Upstream commit fc3dd0367e610ae20ebbce6c38c7b86c3a2cc07f ]
+
+The commit 09ce6b20103b ("net: phy: mxl-gpy: add temperature sensor")
+will overwrite the return value and the reported version will be wrong.
+Fix it.
+
+Fixes: 09ce6b20103b ("net: phy: mxl-gpy: add temperature sensor")
+Signed-off-by: Michael Walle <michael@walle.cc>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 5f4d487d01ff ("net: phy: mxl-gpy: add MDINT workaround")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mxl-gpy.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/phy/mxl-gpy.c b/drivers/net/phy/mxl-gpy.c
+index 5ce1bf03bbd7..f9c70476d7e8 100644
+--- a/drivers/net/phy/mxl-gpy.c
++++ b/drivers/net/phy/mxl-gpy.c
+@@ -96,6 +96,7 @@ static int gpy_config_init(struct phy_device *phydev)
+
+ static int gpy_probe(struct phy_device *phydev)
+ {
++ int fw_version;
+ int ret;
+
+ if (!phydev->is_c45) {
+@@ -105,12 +106,12 @@ static int gpy_probe(struct phy_device *phydev)
+ }
+
+ /* Show GPY PHY FW version in dmesg */
+- ret = phy_read(phydev, PHY_FWV);
+- if (ret < 0)
+- return ret;
++ fw_version = phy_read(phydev, PHY_FWV);
++ if (fw_version < 0)
++ return fw_version;
+
+- phydev_info(phydev, "Firmware Version: 0x%04X (%s)\n", ret,
+- (ret & PHY_FWV_REL_MASK) ? "release" : "test");
++ phydev_info(phydev, "Firmware Version: 0x%04X (%s)\n", fw_version,
++ (fw_version & PHY_FWV_REL_MASK) ? "release" : "test");
+
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From ebb5f52026c8723dd47ae7a91e478e01771b14f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 09:53:10 +0800
+Subject: net: plip: don't call kfree_skb/dev_kfree_skb() under spin_lock_irq()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 7d8c19bfc8ff3f78e5337107ca9246327fcb6b45 ]
+
+It is not allowed to call kfree_skb() or consume_skb() from
+hardware interrupt context or with interrupts being disabled.
+So replace kfree_skb/dev_kfree_skb() with dev_kfree_skb_irq()
+and dev_consume_skb_irq() under spin_lock_irq().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Link: https://lore.kernel.org/r/20221207015310.2984909-1-yangyingliang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/plip/plip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/plip/plip.c b/drivers/net/plip/plip.c
+index 2a2cb9d453e8..b1776116f9f7 100644
+--- a/drivers/net/plip/plip.c
++++ b/drivers/net/plip/plip.c
+@@ -446,12 +446,12 @@ plip_bh_timeout_error(struct net_device *dev, struct net_local *nl,
+ }
+ rcv->state = PLIP_PK_DONE;
+ if (rcv->skb) {
+- kfree_skb(rcv->skb);
++ dev_kfree_skb_irq(rcv->skb);
+ rcv->skb = NULL;
+ }
+ snd->state = PLIP_PK_DONE;
+ if (snd->skb) {
+- dev_kfree_skb(snd->skb);
++ dev_consume_skb_irq(snd->skb);
+ snd->skb = NULL;
+ }
+ spin_unlock_irq(&nl->lock);
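Review bot: In this timeout-error path the pending transmit skb is being discarded, not delivered, yet it is released with `dev_consume_skb_irq(snd->skb);`, which records it as consumed rather than dropped. That mirrors the old dev_kfree_skb() call, but `dev_kfree_skb_irq(snd->skb);` would match the receive side above and let drop tracing see the loss. plip_bh_timeout_error() starts outside the hunk.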
+--
+2.35.1
+
--- /dev/null
+From 0c8347ccaec2ec39b8270abbc0041f2bd25c7b50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Dec 2022 00:17:39 +0800
+Subject: net: stmmac: fix "snps,axi-config" node property parsing
+
+From: Jisheng Zhang <jszhang@kernel.org>
+
+[ Upstream commit 61d4f140943c47c1386ed89f7260e00418dfad9d ]
+
+In dt-binding snps,dwmac.yaml, some properties under "snps,axi-config"
+node are named without "axi_" prefix, but the driver expects the
+prefix. Since the dt-binding has been there for a long time, we'd
+better make driver match the binding for compatibility.
+
+Fixes: afea03656add ("stmmac: rework DMA bus setting and introduce new platform AXI structure")
+Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
+Link: https://lore.kernel.org/r/20221202161739.2203-1-jszhang@kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+index 9f5cac4000da..5c234a8158c7 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+@@ -108,10 +108,10 @@ static struct stmmac_axi *stmmac_axi_setup(struct platform_device *pdev)
+
+ axi->axi_lpi_en = of_property_read_bool(np, "snps,lpi_en");
+ axi->axi_xit_frm = of_property_read_bool(np, "snps,xit_frm");
+- axi->axi_kbbe = of_property_read_bool(np, "snps,axi_kbbe");
+- axi->axi_fb = of_property_read_bool(np, "snps,axi_fb");
+- axi->axi_mb = of_property_read_bool(np, "snps,axi_mb");
+- axi->axi_rb = of_property_read_bool(np, "snps,axi_rb");
++ axi->axi_kbbe = of_property_read_bool(np, "snps,kbbe");
++ axi->axi_fb = of_property_read_bool(np, "snps,fb");
++ axi->axi_mb = of_property_read_bool(np, "snps,mb");
++ axi->axi_rb = of_property_read_bool(np, "snps,rb");
+
+ if (of_property_read_u32(np, "snps,wr_osr_lmt", &axi->axi_wr_osr_lmt))
+ axi->axi_wr_osr_lmt = 1;
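Review bot: Switching the four lookups to the binding's names means a device tree that used the names the driver accepted until now (`snps,axi_kbbe`, `snps,axi_fb`, `snps,axi_mb`, `snps,axi_rb`) silently loses those settings, because of_property_read_bool() simply returns false for a missing property. If such device trees may exist, accept both spellings, e.g. `axi->axi_kbbe = of_property_read_bool(np, "snps,kbbe") || of_property_read_bool(np, "snps,axi_kbbe");` and likewise for the other three, with a comment marking the prefixed names as legacy. stmmac_axi_setup() continues outside the hunk.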
+--
+2.35.1
+
--- /dev/null
+From 8728d2c940c67b1e4cef5f8e095e4d8c242cb25a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 09:50:01 +0800
+Subject: net: thunderbolt: fix memory leak in tbnet_open()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit ed14e5903638f6eb868e3e2b4e610985e6a6c876 ]
+
+When tb_ring_alloc_rx() failed in tbnet_open(), ida that allocated in
+tb_xdomain_alloc_out_hopid() is not released. Add
+tb_xdomain_release_out_hopid() to the error path to release ida.
+
+Fixes: 180b0689425c ("thunderbolt: Allow multiple DMA tunnels over a single XDomain connection")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Link: https://lore.kernel.org/r/20221207015001.1755826-1-shaozhengchao@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/thunderbolt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/thunderbolt.c b/drivers/net/thunderbolt.c
+index 129149640225..3395dcb0b262 100644
+--- a/drivers/net/thunderbolt.c
++++ b/drivers/net/thunderbolt.c
+@@ -902,6 +902,7 @@ static int tbnet_open(struct net_device *dev)
+ tbnet_start_poll, net);
+ if (!ring) {
+ netdev_err(dev, "failed to allocate Rx ring\n");
++ tb_xdomain_release_out_hopid(xd, hopid);
+ tb_ring_free(net->tx_ring.ring);
+ net->tx_ring.ring = NULL;
+ return -ENOMEM;
+--
+2.35.1
+
--- /dev/null
+From caf28e910c02bbe30e605fcc854a8d478cd7da3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Dec 2022 09:41:25 +0000
+Subject: net: thunderx: Fix missing destroy_workqueue of nicvf_rx_mode_wq
+
+From: Yongqiang Liu <liuyongqiang13@huawei.com>
+
+[ Upstream commit 42330a32933fb42180c52022804dcf09f47a2f99 ]
+
+The nicvf_probe() won't destroy workqueue when register_netdev()
+failed. Add destroy_workqueue err handle case to fix this issue.
+
+Fixes: 2ecbe4f4a027 ("net: thunderx: replace global nicvf_rx_mode_wq work queue for all VFs to private for each of them.")
+Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Link: https://lore.kernel.org/r/20221203094125.602812-1-liuyongqiang13@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/thunder/nicvf_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_main.c b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
+index a27227aeae88..b43b97e15a6f 100644
+--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c
++++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
+@@ -2250,7 +2250,7 @@ static int nicvf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ err = register_netdev(netdev);
+ if (err) {
+ dev_err(dev, "Failed to register netdevice\n");
+- goto err_unregister_interrupts;
++ goto err_destroy_workqueue;
+ }
+
+ nic->msg_enable = debug;
+@@ -2259,6 +2259,8 @@ static int nicvf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+
+ return 0;
+
++err_destroy_workqueue:
++ destroy_workqueue(nic->nicvf_rx_mode_wq);
+ err_unregister_interrupts:
+ nicvf_unregister_interrupts(nic);
+ err_free_netdev:
+--
+2.35.1
+
--- /dev/null
+From af3e43a034d3d08e87fe0f36d138bdb86be97ff1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 10:58:53 +0100
+Subject: netfilter: ctnetlink: fix compilation warning after data race fixes
+ in ct mark
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 1feeae071507ad65cf9f462a1bdd543a4bf89e71 ]
+
+All warnings (new ones prefixed by >>):
+
+ net/netfilter/nf_conntrack_netlink.c: In function '__ctnetlink_glue_build':
+>> net/netfilter/nf_conntrack_netlink.c:2674:13: warning: unused variable 'mark' [-Wunused-variable]
+ 2674 | u32 mark;
+ | ^~~~
+
+Fixes: 52d1aa8b8249 ("netfilter: conntrack: Fix data-races around ct mark")
+Reported-by: kernel test robot <lkp@intel.com>
+Tested-by: Ivan Babrou <ivan@ivan.computer>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 1727a4c4764f..2cc6092b4f86 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -322,8 +322,13 @@ ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct)
+ }
+
+ #ifdef CONFIG_NF_CONNTRACK_MARK
+-static int ctnetlink_dump_mark(struct sk_buff *skb, u32 mark)
++static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
+ {
++ u32 mark = READ_ONCE(ct->mark);
++
++ if (!mark)
++ return 0;
++
+ if (nla_put_be32(skb, CTA_MARK, htonl(mark)))
+ goto nla_put_failure;
+ return 0;
+@@ -537,7 +542,7 @@ static int ctnetlink_dump_extinfo(struct sk_buff *skb,
+ static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct)
+ {
+ if (ctnetlink_dump_status(skb, ct) < 0 ||
+- ctnetlink_dump_mark(skb, READ_ONCE(ct->mark)) < 0 ||
++ ctnetlink_dump_mark(skb, ct) < 0 ||
+ ctnetlink_dump_secctx(skb, ct) < 0 ||
+ ctnetlink_dump_id(skb, ct) < 0 ||
+ ctnetlink_dump_use(skb, ct) < 0 ||
+@@ -716,7 +721,6 @@ ctnetlink_conntrack_event(unsigned int events, const struct nf_ct_event *item)
+ struct sk_buff *skb;
+ unsigned int type;
+ unsigned int flags = 0, group;
+- u32 mark;
+ int err;
+
+ if (events & (1 << IPCT_DESTROY)) {
+@@ -821,9 +825,8 @@ ctnetlink_conntrack_event(unsigned int events, const struct nf_ct_event *item)
+ }
+
+ #ifdef CONFIG_NF_CONNTRACK_MARK
+- mark = READ_ONCE(ct->mark);
+- if ((events & (1 << IPCT_MARK) || mark) &&
+- ctnetlink_dump_mark(skb, mark) < 0)
++ if (events & (1 << IPCT_MARK) &&
++ ctnetlink_dump_mark(skb, ct) < 0)
+ goto nla_put_failure;
+ #endif
+ nlmsg_end(skb, nlh);
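Review bot: Events other than IPCT_MARK no longer carry CTA_MARK for a conntrack with a non-zero mark, because the condition in ctnetlink_conntrack_event() drops the `|| mark` term; that is a behaviour change beyond the unused-variable warning named in the subject. Together with the new `if (!mark) return 0;` in ctnetlink_dump_mark(), an IPCT_MARK event for a mark that was cleared to zero also emits no attribute, so a listener that tracks marks for policy or logging cannot observe the reset. If the previous event behaviour is meant to stay, the zero-mark decision belongs to the caller, for example a `bool dump` argument so the helper's check becomes `if (!mark && !dump) return 0;`, with each caller passing what it did before. The function body continues outside this hunk.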
+@@ -2692,7 +2695,6 @@ static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct)
+ {
+ const struct nf_conntrack_zone *zone;
+ struct nlattr *nest_parms;
+- u32 mark;
+
+ zone = nf_ct_zone(ct);
+
+@@ -2754,8 +2756,7 @@ static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct)
+ goto nla_put_failure;
+
+ #ifdef CONFIG_NF_CONNTRACK_MARK
+- mark = READ_ONCE(ct->mark);
+- if (mark && ctnetlink_dump_mark(skb, mark) < 0)
++ if (ctnetlink_dump_mark(skb, ct) < 0)
+ goto nla_put_failure;
+ #endif
+ if (ctnetlink_dump_labels(skb, ct) < 0)
+--
+2.35.1
+
--- /dev/null
+From 01865124f752cdeb24ff902c95dc657e20f40f30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 13:04:37 +0100
+Subject: netfilter: nft_set_pipapo: Actually validate intervals in fields
+ after the first one
+
+From: Stefano Brivio <sbrivio@redhat.com>
+
+[ Upstream commit 97d4d394b58777f7056ebba8ffdb4002d0563259 ]
+
+Embarrassingly, nft_pipapo_insert() checked for interval validity in
+the first field only.
+
+The start_p and end_p pointers were reset to key data from the first
+field at every iteration of the loop which was supposed to go over
+the set fields.
+
+Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
+Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_set_pipapo.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
+index 4f9299b9dcdd..06d46d182634 100644
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -1162,6 +1162,7 @@ static int nft_pipapo_insert(const struct net *net, const struct nft_set *set,
+ struct nft_pipapo_match *m = priv->clone;
+ u8 genmask = nft_genmask_next(net);
+ struct nft_pipapo_field *f;
++ const u8 *start_p, *end_p;
+ int i, bsize_max, err = 0;
+
+ if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
+@@ -1202,9 +1203,9 @@ static int nft_pipapo_insert(const struct net *net, const struct nft_set *set,
+ }
+
+ /* Validate */
++ start_p = start;
++ end_p = end;
+ nft_pipapo_for_each_field(f, i, m) {
+- const u8 *start_p = start, *end_p = end;
+-
+ if (f->rules >= (unsigned long)NFT_PIPAPO_RULE0_MAX)
+ return -ENOSPC;
+
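Review bot: The validation loop now depends on start_p and end_p keeping their position across iterations, and nothing in the visible lines states that invariant, which is the one the old per-iteration declaration broke. The statements that advance the two pointers are outside this hunk, so I am assuming they step by one field per iteration. I would extend the existing comment to `/* Validate: start_p/end_p walk the concatenated key, one field per iteration */`. A selftest that inserts an inverted range in a field after the first would keep the check from regressing again.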
+--
+2.35.1
+
--- /dev/null
+From da8f17ad81cf3d07c94a2da122f7462c0c6d8e09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 13:44:14 -0800
+Subject: NFC: nci: Bounds check struct nfc_target arrays
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit e329e71013c9b5a4535b099208493c7826ee4a64 ]
+
+While running under CONFIG_FORTIFY_SOURCE=y, syzkaller reported:
+
+ memcpy: detected field-spanning write (size 129) of single field "target->sensf_res" at net/nfc/nci/ntf.c:260 (size 18)
+
+This appears to be a legitimate lack of bounds checking in
+nci_add_new_protocol(). Add the missing checks.
+
+Reported-by: syzbot+210e196cef4711b65139@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/lkml/0000000000001c590f05ee7b3ff4@google.com
+Fixes: 019c4fbaa790 ("NFC: Add NCI multiple targets support")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20221202214410.never.693-kees@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/nci/ntf.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
+index c5eacaac41ae..8f48b1061944 100644
+--- a/net/nfc/nci/ntf.c
++++ b/net/nfc/nci/ntf.c
+@@ -240,6 +240,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev,
+ target->sens_res = nfca_poll->sens_res;
+ target->sel_res = nfca_poll->sel_res;
+ target->nfcid1_len = nfca_poll->nfcid1_len;
++ if (target->nfcid1_len > ARRAY_SIZE(target->nfcid1))
++ return -EPROTO;
+ if (target->nfcid1_len > 0) {
+ memcpy(target->nfcid1, nfca_poll->nfcid1,
+ target->nfcid1_len);
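Review bot: The length is stored in `target->nfcid1_len` before it is checked, so on the -EPROTO path the target keeps a length larger than `target->nfcid1`; the same ordering applies to `sensb_res_len` and `sensf_res_len` in the next two hunks. Whether callers discard the target or even check the return value is not visible here; if any of them keeps using it, later code that trusts the stored length could read past the array. Checking the source field first avoids leaving that state behind: `if (nfca_poll->nfcid1_len > ARRAY_SIZE(target->nfcid1)) return -EPROTO;` followed by the assignment. nci_add_new_protocol() starts and ends outside these hunks.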
+@@ -248,6 +250,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev,
+ nfcb_poll = (struct rf_tech_specific_params_nfcb_poll *)params;
+
+ target->sensb_res_len = nfcb_poll->sensb_res_len;
++ if (target->sensb_res_len > ARRAY_SIZE(target->sensb_res))
++ return -EPROTO;
+ if (target->sensb_res_len > 0) {
+ memcpy(target->sensb_res, nfcb_poll->sensb_res,
+ target->sensb_res_len);
+@@ -256,6 +260,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev,
+ nfcf_poll = (struct rf_tech_specific_params_nfcf_poll *)params;
+
+ target->sensf_res_len = nfcf_poll->sensf_res_len;
++ if (target->sensf_res_len > ARRAY_SIZE(target->sensf_res))
++ return -EPROTO;
+ if (target->sensf_res_len > 0) {
+ memcpy(target->sensf_res, nfcf_poll->sensf_res,
+ target->sensf_res_len);
+--
+2.35.1
+
--- /dev/null
+From db8b6761facefedd73c738783b90e8c43702ad93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 13:52:34 +0100
+Subject: nvme initialize core quirks before calling nvme_init_subsystem
+
+From: Pankaj Raghav <p.raghav@samsung.com>
+
+[ Upstream commit 6f2d71524bcfdeb1fcbd22a4a92a5b7b161ab224 ]
+
+A device might have a core quirk for NVME_QUIRK_IGNORE_DEV_SUBNQN
+(such as Samsung X5) but it would still give a:
+
+ "missing or invalid SUBNQN field"
+
+warning as core quirks are filled after calling nvme_init_subnqn. Fill
+ctrl->quirks from struct core_quirks before calling nvme_init_subsystem
+to fix this.
+
+Tested on a Samsung X5.
+
+Fixes: ab9e00cc72fa ("nvme: track subsystems")
+Signed-off-by: Pankaj Raghav <p.raghav@samsung.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 694373951b18..692ee0f4a1ec 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -2921,10 +2921,6 @@ static int nvme_init_identify(struct nvme_ctrl *ctrl)
+ if (!ctrl->identified) {
+ unsigned int i;
+
+- ret = nvme_init_subsystem(ctrl, id);
+- if (ret)
+- goto out_free;
+-
+ /*
+ * Check for quirks. Quirk can depend on firmware version,
+ * so, in principle, the set of quirks present can change
+@@ -2937,6 +2933,10 @@ static int nvme_init_identify(struct nvme_ctrl *ctrl)
+ if (quirk_matches(id, &core_quirks[i]))
+ ctrl->quirks |= core_quirks[i].quirks;
+ }
++
++ ret = nvme_init_subsystem(ctrl, id);
++ if (ret)
++ goto out_free;
+ }
+ memcpy(ctrl->subsys->firmware_rev, id->fr,
+ sizeof(ctrl->subsys->firmware_rev));
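Review bot: The new position of the nvme_init_subsystem() call is an ordering requirement that the code itself does not state, so a later cleanup could move it back above the quirk loop. A comment above the call would pin it, e.g. `/* after the core_quirks loop: subsystem init consults ctrl->quirks (NVME_QUIRK_IGNORE_DEV_SUBNQN) */`. That dependency is taken from the commit message; the body of nvme_init_subsystem() is not part of the hunk.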
+--
+2.35.1
+
--- /dev/null
+From 13b37612ae76732c69b7d6378434ecc3aebefba1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 19:04:30 +0800
+Subject: octeontx2-pf: Fix potential memory leak in otx2_init_tc()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit fbf33f5ac76f2cdb47ad9763f620026d5cfa57ce ]
+
+In otx2_init_tc(), if rhashtable_init() failed, it does not free
+tc->tc_entries_bitmap which is allocated in otx2_tc_alloc_ent_bitmap().
+
+Fixes: 2e2a8126ffac ("octeontx2-pf: Unify flow management variables")
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c
+index 75388a65f349..a42373e6f259 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c
+@@ -1090,7 +1090,12 @@ int otx2_init_tc(struct otx2_nic *nic)
+ return err;
+
+ tc->flow_ht_params = tc_flow_ht_params;
+- return rhashtable_init(&tc->flow_table, &tc->flow_ht_params);
++ err = rhashtable_init(&tc->flow_table, &tc->flow_ht_params);
++ if (err) {
++ kfree(tc->tc_entries_bitmap);
++ tc->tc_entries_bitmap = NULL;
++ }
++ return err;
+ }
+
+ void otx2_shutdown_tc(struct otx2_nic *nic)
+--
+2.35.1
+
--- /dev/null
+From 69790cf68f57bdb140c3b125b3c24f59bc8c610c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 11:53:04 +0100
+Subject: s390/qeth: fix use-after-free in hsci
+
+From: Alexandra Winter <wintera@linux.ibm.com>
+
+[ Upstream commit ebaaadc332cd21e9df4dcf9ce12552d9354bbbe4 ]
+
+KASAN found that addr was dereferenced after br2dev_event_work was freed.
+
+==================================================================
+BUG: KASAN: use-after-free in qeth_l2_br2dev_worker+0x5ba/0x6b0
+Read of size 1 at addr 00000000fdcea440 by task kworker/u760:4/540
+CPU: 17 PID: 540 Comm: kworker/u760:4 Tainted: G E 6.1.0-20221128.rc7.git1.5aa3bed4ce83.300.fc36.s390x+kasan #1
+Hardware name: IBM 8561 T01 703 (LPAR)
+Workqueue: 0.0.8000_event qeth_l2_br2dev_worker
+Call Trace:
+ [<000000016944d4ce>] dump_stack_lvl+0xc6/0xf8
+ [<000000016942cd9c>] print_address_description.constprop.0+0x34/0x2a0
+ [<000000016942d118>] print_report+0x110/0x1f8
+ [<0000000167a7bd04>] kasan_report+0xfc/0x128
+ [<000000016938d79a>] qeth_l2_br2dev_worker+0x5ba/0x6b0
+ [<00000001673edd1e>] process_one_work+0x76e/0x1128
+ [<00000001673ee85c>] worker_thread+0x184/0x1098
+ [<000000016740718a>] kthread+0x26a/0x310
+ [<00000001672c606a>] __ret_from_fork+0x8a/0xe8
+ [<00000001694711da>] ret_from_fork+0xa/0x40
+Allocated by task 108338:
+ kasan_save_stack+0x40/0x68
+ kasan_set_track+0x36/0x48
+ __kasan_kmalloc+0xa0/0xc0
+ qeth_l2_switchdev_event+0x25a/0x738
+ atomic_notifier_call_chain+0x9c/0xf8
+ br_switchdev_fdb_notify+0xf4/0x110
+ fdb_notify+0x122/0x180
+ fdb_add_entry.constprop.0.isra.0+0x312/0x558
+ br_fdb_add+0x59e/0x858
+ rtnl_fdb_add+0x58a/0x928
+ rtnetlink_rcv_msg+0x5f8/0x8d8
+ netlink_rcv_skb+0x1f2/0x408
+ netlink_unicast+0x570/0x790
+ netlink_sendmsg+0x752/0xbe0
+ sock_sendmsg+0xca/0x110
+ ____sys_sendmsg+0x510/0x6a8
+ ___sys_sendmsg+0x12a/0x180
+ __sys_sendmsg+0xe6/0x168
+ __do_sys_socketcall+0x3c8/0x468
+ do_syscall+0x22c/0x328
+ __do_syscall+0x94/0xf0
+ system_call+0x82/0xb0
+Freed by task 540:
+ kasan_save_stack+0x40/0x68
+ kasan_set_track+0x36/0x48
+ kasan_save_free_info+0x4c/0x68
+ ____kasan_slab_free+0x14e/0x1a8
+ __kasan_slab_free+0x24/0x30
+ __kmem_cache_free+0x168/0x338
+ qeth_l2_br2dev_worker+0x154/0x6b0
+ process_one_work+0x76e/0x1128
+ worker_thread+0x184/0x1098
+ kthread+0x26a/0x310
+ __ret_from_fork+0x8a/0xe8
+ ret_from_fork+0xa/0x40
+Last potentially related work creation:
+ kasan_save_stack+0x40/0x68
+ __kasan_record_aux_stack+0xbe/0xd0
+ insert_work+0x56/0x2e8
+ __queue_work+0x4ce/0xd10
+ queue_work_on+0xf4/0x100
+ qeth_l2_switchdev_event+0x520/0x738
+ atomic_notifier_call_chain+0x9c/0xf8
+ br_switchdev_fdb_notify+0xf4/0x110
+ fdb_notify+0x122/0x180
+ fdb_add_entry.constprop.0.isra.0+0x312/0x558
+ br_fdb_add+0x59e/0x858
+ rtnl_fdb_add+0x58a/0x928
+ rtnetlink_rcv_msg+0x5f8/0x8d8
+ netlink_rcv_skb+0x1f2/0x408
+ netlink_unicast+0x570/0x790
+ netlink_sendmsg+0x752/0xbe0
+ sock_sendmsg+0xca/0x110
+ ____sys_sendmsg+0x510/0x6a8
+ ___sys_sendmsg+0x12a/0x180
+ __sys_sendmsg+0xe6/0x168
+ __do_sys_socketcall+0x3c8/0x468
+ do_syscall+0x22c/0x328
+ __do_syscall+0x94/0xf0
+ system_call+0x82/0xb0
+Second to last potentially related work creation:
+ kasan_save_stack+0x40/0x68
+ __kasan_record_aux_stack+0xbe/0xd0
+ kvfree_call_rcu+0xb2/0x760
+ kernfs_unlink_open_file+0x348/0x430
+ kernfs_fop_release+0xc2/0x320
+ __fput+0x1ae/0x768
+ task_work_run+0x1bc/0x298
+ exit_to_user_mode_prepare+0x1a0/0x1a8
+ __do_syscall+0x94/0xf0
+ system_call+0x82/0xb0
+The buggy address belongs to the object at 00000000fdcea400
+ which belongs to the cache kmalloc-96 of size 96
+The buggy address is located 64 bytes inside of
+ 96-byte region [00000000fdcea400, 00000000fdcea460)
+The buggy address belongs to the physical page:
+page:000000005a9c26e8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfdcea
+flags: 0x3ffff00000000200(slab|node=0|zone=1|lastcpupid=0x1ffff)
+raw: 3ffff00000000200 0000000000000000 0000000100000122 000000008008cc00
+raw: 0000000000000000 0020004100000000 ffffffff00000001 0000000000000000
+page dumped because: kasan: bad access detected
+Memory state around the buggy address:
+ 00000000fdcea300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
+ 00000000fdcea380: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
+>00000000fdcea400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
+ ^
+ 00000000fdcea480: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
+ 00000000fdcea500: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
+==================================================================
+
+Fixes: f7936b7b2663 ("s390/qeth: Update MACs of LEARNING_SYNC device")
+Reported-by: Thorsten Winkler <twinkler@linux.ibm.com>
+Signed-off-by: Alexandra Winter <wintera@linux.ibm.com>
+Reviewed-by: Wenjia Zhang <wenjia@linux.ibm.com>
+Reviewed-by: Thorsten Winkler <twinkler@linux.ibm.com>
+Link: https://lore.kernel.org/r/20221207105304.20494-1-wintera@linux.ibm.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/net/qeth_l2_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c
+index dbe0ef11028b..d694e3ff8086 100644
+--- a/drivers/s390/net/qeth_l2_main.c
++++ b/drivers/s390/net/qeth_l2_main.c
+@@ -764,7 +764,6 @@ static void qeth_l2_br2dev_worker(struct work_struct *work)
+ struct list_head *iter;
+ int err = 0;
+
+- kfree(br2dev_event_work);
+ QETH_CARD_TEXT_(card, 4, "b2dw%04lx", event);
+ QETH_CARD_TEXT_(card, 4, "ma%012llx", ether_addr_to_u64(addr));
+
+@@ -821,6 +820,7 @@ static void qeth_l2_br2dev_worker(struct work_struct *work)
+ dev_put(brdev);
+ dev_put(lsyncdev);
+ dev_put(dstdev);
++ kfree(br2dev_event_work);
+ }
+
+ static int qeth_l2_br2dev_queue_work(struct net_device *brdev,
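Review bot: The kfree() at the end of qeth_l2_br2dev_worker() is only correct while every exit path falls through to it and nothing after it touches `addr`, and the code says neither. The KASAN report in the description suggests `addr` points into the br2dev_event_work allocation, so a comment at the free such as `/* addr points into br2dev_event_work: free only after the last use */` would document why it has to sit last. The middle of the function, including the `unlock:` label and any early return, is outside these hunks; it is worth confirming that no path returns before the free, which would trade the use-after-free for a leak.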
+--
+2.35.1
+
--- /dev/null
+From 4d5d14648f90dee1cce8a8ca09502b95f35fe605 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Oct 2021 11:56:55 +0200
+Subject: s390/qeth: fix various format strings
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit 22e2b5cdb0b9b59d4df6da5ca9bc5773a4f8e3ea ]
+
+Various format strings don't match with types of parameters.
+Fix all of them.
+
+Acked-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: ebaaadc332cd ("s390/qeth: fix use-after-free in hsci")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/net/qeth_l2_main.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c
+index dc6c00768d91..dbe0ef11028b 100644
+--- a/drivers/s390/net/qeth_l2_main.c
++++ b/drivers/s390/net/qeth_l2_main.c
+@@ -661,13 +661,13 @@ static void qeth_l2_dev2br_fdb_notify(struct qeth_card *card, u8 code,
+ card->dev, &info.info, NULL);
+ QETH_CARD_TEXT(card, 4, "andelmac");
+ QETH_CARD_TEXT_(card, 4,
+- "mc%012lx", ether_addr_to_u64(ntfy_mac));
++ "mc%012llx", ether_addr_to_u64(ntfy_mac));
+ } else {
+ call_switchdev_notifiers(SWITCHDEV_FDB_ADD_TO_BRIDGE,
+ card->dev, &info.info, NULL);
+ QETH_CARD_TEXT(card, 4, "anaddmac");
+ QETH_CARD_TEXT_(card, 4,
+- "mc%012lx", ether_addr_to_u64(ntfy_mac));
++ "mc%012llx", ether_addr_to_u64(ntfy_mac));
+ }
+ }
+
+@@ -765,8 +765,8 @@ static void qeth_l2_br2dev_worker(struct work_struct *work)
+ int err = 0;
+
+ kfree(br2dev_event_work);
+- QETH_CARD_TEXT_(card, 4, "b2dw%04x", event);
+- QETH_CARD_TEXT_(card, 4, "ma%012lx", ether_addr_to_u64(addr));
++ QETH_CARD_TEXT_(card, 4, "b2dw%04lx", event);
++ QETH_CARD_TEXT_(card, 4, "ma%012llx", ether_addr_to_u64(addr));
+
+ rcu_read_lock();
+ /* Verify preconditions are still valid: */
+@@ -795,7 +795,7 @@ static void qeth_l2_br2dev_worker(struct work_struct *work)
+ if (err) {
+ QETH_CARD_TEXT(card, 2, "b2derris");
+ QETH_CARD_TEXT_(card, 2,
+- "err%02x%03d", event,
++ "err%02lx%03d", event,
+ lowerdev->ifindex);
+ }
+ }
+@@ -813,7 +813,7 @@ static void qeth_l2_br2dev_worker(struct work_struct *work)
+ break;
+ }
+ if (err)
+- QETH_CARD_TEXT_(card, 2, "b2derr%02x", event);
++ QETH_CARD_TEXT_(card, 2, "b2derr%02lx", event);
+ }
+
+ unlock:
+@@ -878,7 +878,7 @@ static int qeth_l2_switchdev_event(struct notifier_block *unused,
+ while (lowerdev) {
+ if (qeth_l2_must_learn(lowerdev, dstdev)) {
+ card = lowerdev->ml_priv;
+- QETH_CARD_TEXT_(card, 4, "b2dqw%03x", event);
++ QETH_CARD_TEXT_(card, 4, "b2dqw%03lx", event);
+ rc = qeth_l2_br2dev_queue_work(brdev, lowerdev,
+ dstdev, event,
+ fdb_info->addr);
+--
+2.35.1
+
--- /dev/null
+From 9bec647a67ff32765a31850ebb232b2a85078713 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 16:22:46 +0800
+Subject: selftests: rtnetlink: correct xfrm policy rule in
+ kci_test_ipsec_offload
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 85a0506c073332a3057f5a9635fa0d4db5a8e03b ]
+
+When testing in kci_test_ipsec_offload, srcip is configured as $dstip,
+it should add xfrm policy rule in instead of out.
+The test result of this patch is as follows:
+PASS: ipsec_offload
+
+Fixes: 2766a11161cc ("selftests: rtnetlink: add ipsec offload API test")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Acked-by: Hangbin Liu <liuhangbin@gmail.com>
+Link: https://lore.kernel.org/r/20221201082246.14131-1-shaozhengchao@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/rtnetlink.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/rtnetlink.sh b/tools/testing/selftests/net/rtnetlink.sh
+index c9ce3dfa42ee..c3a905923ef2 100755
+--- a/tools/testing/selftests/net/rtnetlink.sh
++++ b/tools/testing/selftests/net/rtnetlink.sh
+@@ -782,7 +782,7 @@ kci_test_ipsec_offload()
+ tmpl proto esp src $srcip dst $dstip spi 9 \
+ mode transport reqid 42
+ check_err $?
+- ip x p add dir out src $dstip/24 dst $srcip/24 \
++ ip x p add dir in src $dstip/24 dst $srcip/24 \
+ tmpl proto esp src $dstip dst $srcip spi 9 \
+ mode transport reqid 42
+ check_err $?
+--
+2.35.1
+
hid-ite-enable-quirk_touchpad_on_off_report-on-acer-aspire-switch-v-10.patch
can-af_can-fix-null-pointer-dereference-in-can_rcv_filter.patch
clk-fix-pointer-casting-to-prevent-oops-in-devm_clk_.patch
+gpiolib-improve-coding-style-for-local-variables.patch
+gpiolib-check-the-ngpios-property-in-core-gpiolib-co.patch
+gpiolib-fix-memory-leak-in-gpiochip_setup_dev.patch
+netfilter-nft_set_pipapo-actually-validate-intervals.patch
+drm-vmwgfx-fix-race-issue-calling-pin_user_pages.patch
+ieee802154-cc2520-fix-error-return-code-in-cc2520_hw.patch
+ca8210-fix-crash-by-zero-initializing-data.patch
+netfilter-ctnetlink-fix-compilation-warning-after-da.patch
+drm-bridge-ti-sn65dsi86-fix-output-polarity-setting-.patch
+gpio-amd8111-fix-pci-device-reference-count-leak.patch
+e1000e-fix-tx-dispatch-condition.patch
+igb-allocate-msi-x-vector-when-testing.patch
+net-broadcom-add-ptp_1588_clock_optional-dependency-.patch
+drm-bridge-dw_hdmi-fix-preference-of-rgb-modes-over-.patch
+af_unix-get-user_ns-from-in_skb-in-unix_diag_get_exa.patch
+vmxnet3-correctly-report-encapsulated-lro-packet.patch
+vmxnet3-use-correct-intrconf-reference-when-using-ex.patch
+bluetooth-6lowpan-add-missing-hci_dev_put-in-get_l2c.patch
+bluetooth-fix-not-cleanup-led-when-bt_init-fails.patch
+net-dsa-ksz-check-return-value.patch
+net-dsa-hellcreek-check-return-value.patch
+net-dsa-sja1105-check-return-value.patch
+selftests-rtnetlink-correct-xfrm-policy-rule-in-kci_.patch
+mac802154-fix-missing-init_list_head-in-ieee802154_i.patch
+net-encx24j600-add-parentheses-to-fix-precedence.patch
+net-encx24j600-fix-invalid-logic-in-reading-of-mista.patch
+net-mdiobus-fwnode_mdiobus_register_phy-rework-error.patch
+net-mdiobus-fix-double-put-fwnode-in-the-error-path.patch
+octeontx2-pf-fix-potential-memory-leak-in-otx2_init_.patch
+xen-netfront-fix-null-sring-after-live-migration.patch
+net-mvneta-prevent-out-of-bounds-read-in-mvneta_conf.patch
+i40e-fix-not-setting-default-xps_cpus-after-reset.patch
+i40e-fix-for-vf-mac-address-0.patch
+i40e-disallow-ip4-and-ip6-l4_4_bytes.patch
+nfc-nci-bounds-check-struct-nfc_target-arrays.patch
+nvme-initialize-core-quirks-before-calling-nvme_init.patch
+gpio-rockchip-fix-refcount-leak-in-rockchip_gpiolib_.patch
+net-stmmac-fix-snps-axi-config-node-property-parsing.patch
+ip_gre-do-not-report-erspan-version-on-gre-interface.patch
+net-microchip-sparx5-fix-missing-destroy_workqueue-o.patch
+net-thunderx-fix-missing-destroy_workqueue-of-nicvf_.patch
+net-hisilicon-fix-potential-use-after-free-in-hisi_f.patch
+net-mdio-fix-unbalanced-fwnode-reference-count-in-md.patch
+net-hisilicon-fix-potential-use-after-free-in-hix5hd.patch
+tipc-fix-potential-oob-in-tipc_link_proto_rcv.patch
+ipv4-fix-incorrect-route-flushing-when-source-addres.patch
+ipv4-fix-incorrect-route-flushing-when-table-id-0-is.patch
+net-dsa-sja1105-fix-memory-leak-in-sja1105_setup_dev.patch
+tipc-call-tipc_lxc_xmit-without-holding-node_read_lo.patch
+ethernet-aeroflex-fix-potential-skb-leak-in-greth_in.patch
+dpaa2-switch-fix-memory-leak-in-dpaa2_switch_acl_ent.patch
+xen-netback-fix-build-warning.patch
+net-phy-mxl-gpy-fix-version-reporting.patch
+net-plip-don-t-call-kfree_skb-dev_kfree_skb-under-sp.patch
+ipv6-avoid-use-after-free-in-ip6_fragment.patch
+net-thunderbolt-fix-memory-leak-in-tbnet_open.patch
+net-mvneta-fix-an-out-of-bounds-check.patch
+macsec-add-missing-attribute-validation-for-offload.patch
+s390-qeth-fix-various-format-strings.patch
+s390-qeth-fix-use-after-free-in-hsci.patch
+can-esd_usb-allow-rec-and-tec-to-return-to-zero.patch
+block-move-config_block-guard-to-top-makefile.patch
+io_uring-move-to-separate-directory.patch
+io_uring-fix-a-null-ptr-deref-in-io_tctx_exit_cb.patch
--- /dev/null
+From f15e6fc0740d06ab8b2fd3bda9a08f828e07c02c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Dec 2022 18:37:21 -0500
+Subject: tipc: call tipc_lxc_xmit without holding node_read_lock
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 88956177db179e4eba7cd590971961857d1565b8 ]
+
+When sending packets between nodes in netns, it calls tipc_lxc_xmit() for
+peer node to receive the packets where tipc_sk_mcast_rcv()/tipc_sk_rcv()
+might be called, and it's pretty much like in tipc_rcv().
+
+Currently the local 'node rw lock' is held during calling tipc_lxc_xmit()
+to protect the peer_net not being freed by another thread. However, when
+receiving these packets, tipc_node_add_conn() might be called where the
+peer 'node rw lock' is acquired. Then a dead lock warning is triggered by
+lockdep detector, although it is not a real dead lock:
+
+ WARNING: possible recursive locking detected
+ --------------------------------------------
+ conn_server/1086 is trying to acquire lock:
+ ffff8880065cb020 (&n->lock#2){++--}-{2:2}, \
+ at: tipc_node_add_conn.cold.76+0xaa/0x211 [tipc]
+
+ but task is already holding lock:
+ ffff8880065cd020 (&n->lock#2){++--}-{2:2}, \
+ at: tipc_node_xmit+0x285/0xb30 [tipc]
+
+ other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(&n->lock#2);
+ lock(&n->lock#2);
+
+ *** DEADLOCK ***
+
+ May be due to missing lock nesting notation
+
+ 4 locks held by conn_server/1086:
+ #0: ffff8880036d1e40 (sk_lock-AF_TIPC){+.+.}-{0:0}, \
+ at: tipc_accept+0x9c0/0x10b0 [tipc]
+ #1: ffff8880036d5f80 (sk_lock-AF_TIPC/1){+.+.}-{0:0}, \
+ at: tipc_accept+0x363/0x10b0 [tipc]
+ #2: ffff8880065cd020 (&n->lock#2){++--}-{2:2}, \
+ at: tipc_node_xmit+0x285/0xb30 [tipc]
+ #3: ffff888012e13370 (slock-AF_TIPC){+...}-{2:2}, \
+ at: tipc_sk_rcv+0x2da/0x1b40 [tipc]
+
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x44/0x5b
+ __lock_acquire.cold.77+0x1f2/0x3d7
+ lock_acquire+0x1d2/0x610
+ _raw_write_lock_bh+0x38/0x80
+ tipc_node_add_conn.cold.76+0xaa/0x211 [tipc]
+ tipc_sk_finish_conn+0x21e/0x640 [tipc]
+ tipc_sk_filter_rcv+0x147b/0x3030 [tipc]
+ tipc_sk_rcv+0xbb4/0x1b40 [tipc]
+ tipc_lxc_xmit+0x225/0x26b [tipc]
+ tipc_node_xmit.cold.82+0x4a/0x102 [tipc]
+ __tipc_sendstream+0x879/0xff0 [tipc]
+ tipc_accept+0x966/0x10b0 [tipc]
+ do_accept+0x37d/0x590
+
+This patch avoids this warning by not holding the 'node rw lock' before
+calling tipc_lxc_xmit(). As to protect the 'peer_net', rcu_read_lock()
+should be enough, as in cleanup_net() when freeing the netns, it calls
+synchronize_rcu() before the free is continued.
+
+Also since tipc_lxc_xmit() is like the RX path in tipc_rcv(), it makes
+sense to call it under rcu_read_lock(). Note that the right lock order
+must be:
+
+ rcu_read_lock();
+ tipc_node_read_lock(n);
+ tipc_node_read_unlock(n);
+ tipc_lxc_xmit();
+ rcu_read_unlock();
+
+instead of:
+
+ tipc_node_read_lock(n);
+ rcu_read_lock();
+ tipc_node_read_unlock(n);
+ tipc_lxc_xmit();
+ rcu_read_unlock();
+
+and we have to call tipc_node_read_lock/unlock() twice in
+tipc_node_xmit().
+
+Fixes: f73b12812a3d ("tipc: improve throughput between nodes in netns")
+Reported-by: Shuang Li <shuali@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Link: https://lore.kernel.org/r/5bdd1f8fee9db695cfff4528a48c9b9d0523fb00.1670110641.git.lucien.xin@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/node.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/tipc/node.c b/net/tipc/node.c
+index b48d97cbbe29..49ddc484c4fe 100644
+--- a/net/tipc/node.c
++++ b/net/tipc/node.c
+@@ -1689,6 +1689,7 @@ int tipc_node_xmit(struct net *net, struct sk_buff_head *list,
+ struct tipc_node *n;
+ struct sk_buff_head xmitq;
+ bool node_up = false;
++ struct net *peer_net;
+ int bearer_id;
+ int rc;
+
+@@ -1705,18 +1706,23 @@ int tipc_node_xmit(struct net *net, struct sk_buff_head *list,
+ return -EHOSTUNREACH;
+ }
+
++ rcu_read_lock();
+ tipc_node_read_lock(n);
+ node_up = node_is_up(n);
+- if (node_up && n->peer_net && check_net(n->peer_net)) {
++ peer_net = n->peer_net;
++ tipc_node_read_unlock(n);
++ if (node_up && peer_net && check_net(peer_net)) {
+ /* xmit inner linux container */
+- tipc_lxc_xmit(n->peer_net, list);
++ tipc_lxc_xmit(peer_net, list);
+ if (likely(skb_queue_empty(list))) {
+- tipc_node_read_unlock(n);
++ rcu_read_unlock();
+ tipc_node_put(n);
+ return 0;
+ }
+ }
++ rcu_read_unlock();
+
++ tipc_node_read_lock(n);
+ bearer_id = n->active_links[selector & 1];
+ if (unlikely(bearer_id == INVALID_BEARER_ID)) {
+ tipc_node_read_unlock(n);
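Review bot: The reason rcu_read_lock() is taken before tipc_node_read_lock() and held across tipc_lxc_xmit() lives only in the commit message, so the code gives no hint that peer_net is used after the node lock has been dropped. A comment at the `peer_net = n->peer_net;` line would carry it, e.g. `/* peer_net stays valid under RCU after the node lock is dropped; cleanup_net() waits in synchronize_rcu() */`. It is also worth saying there that n->active_links is read in a second, separate read-lock section, so node state may have changed since node_up was sampled. tipc_node_xmit() continues outside the hunk.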
+--
+2.35.1
+
--- /dev/null
+From 806658e7b8b868bf1ffa5959ea2f818a6424a1b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Dec 2022 17:46:35 +0800
+Subject: tipc: Fix potential OOB in tipc_link_proto_rcv()
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 743117a997bbd4840e827295c07e59bcd7f7caa3 ]
+
+Fix the potential risk of OOB if skb_linearize() fails in
+tipc_link_proto_rcv().
+
+Fixes: 5cbb28a4bf65 ("tipc: linearize arriving NAME_DISTR and LINK_PROTO buffers")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Link: https://lore.kernel.org/r/20221203094635.29024-1-yuehaibing@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/link.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/tipc/link.c b/net/tipc/link.c
+index 115a4a7950f5..8fdd3b23bd12 100644
+--- a/net/tipc/link.c
++++ b/net/tipc/link.c
+@@ -2223,7 +2223,9 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
+ if (tipc_own_addr(l->net) > msg_prevnode(hdr))
+ l->net_plane = msg_net_plane(hdr);
+
+- skb_linearize(skb);
++ if (skb_linearize(skb))
++ goto exit;
++
+ hdr = buf_msg(skb);
+ data = msg_data(hdr);
+
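Review bot: The `goto exit` taken when skb_linearize() fails relies on the exit path freeing skb and on rc already holding a value the caller treats as a dropped message; both the label and rc's initialisation are outside the hunk and should be confirmed. If that holds, a one-line comment such as `/* cannot parse a non-linear buffer; drop it */` would make the silent drop explicit. A drop counter or rate-limited debug message on this path would also help when diagnosing link protocol messages lost under memory pressure.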
+--
+2.35.1
+
--- /dev/null
+From 6df0d38b29366c6d945bfc1d7f6356b7388f8ae5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 00:21:46 -0800
+Subject: vmxnet3: correctly report encapsulated LRO packet
+
+From: Ronak Doshi <doshir@vmware.com>
+
+[ Upstream commit 40b8c2a1af03ba3e8da55a4490d646bfa845e71a ]
+
+Commit dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload
+support") added support for encapsulation offload. However, the
+pathc did not report correctly the encapsulated packet which is
+LRO'ed by the hypervisor.
+
+This patch fixes this issue by using correct callback for the LRO'ed
+encapsulated packet.
+
+Fixes: dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload support")
+Signed-off-by: Ronak Doshi <doshir@vmware.com>
+Acked-by: Guolin Yang <gyang@vmware.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vmxnet3/vmxnet3_drv.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c
+index bc3192cf48e3..44a0d469f3cf 100644
+--- a/drivers/net/vmxnet3/vmxnet3_drv.c
++++ b/drivers/net/vmxnet3/vmxnet3_drv.c
+@@ -1350,6 +1350,7 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq,
+ };
+ u32 num_pkts = 0;
+ bool skip_page_frags = false;
++ bool encap_lro = false;
+ struct Vmxnet3_RxCompDesc *rcd;
+ struct vmxnet3_rx_ctx *ctx = &rq->rx_ctx;
+ u16 segCnt = 0, mss = 0;
+@@ -1508,13 +1509,18 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq,
+ if (VMXNET3_VERSION_GE_2(adapter) &&
+ rcd->type == VMXNET3_CDTYPE_RXCOMP_LRO) {
+ struct Vmxnet3_RxCompDescExt *rcdlro;
++ union Vmxnet3_GenericDesc *gdesc;
++
+ rcdlro = (struct Vmxnet3_RxCompDescExt *)rcd;
++ gdesc = (union Vmxnet3_GenericDesc *)rcd;
+
+ segCnt = rcdlro->segCnt;
+ WARN_ON_ONCE(segCnt == 0);
+ mss = rcdlro->mss;
+ if (unlikely(segCnt <= 1))
+ segCnt = 0;
++ encap_lro = (le32_to_cpu(gdesc->dword[0]) &
++ (1UL << VMXNET3_RCD_HDR_INNER_SHIFT));
+ } else {
+ segCnt = 0;
+ }
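Review bot: `encap_lro` is set only in the LRO branch and cleared only after `napi_gro_receive()` in the last hunk, while the `else` branch here resets `segCnt` but not the new flag. If any path leaves the loop body before that final reset (the rest of vmxnet3_rq_rx_complete() is outside the hunks, so this is unconfirmed), a stale `true` would carry over to the next packet and bypass the `!rcd->tcp` test in the following hunk. Adding `encap_lro = false;` next to `segCnt = 0;` in the `else` branch makes the flag per-packet by construction. The assignment could also spell out the conversion as `!!(...)`, since it stores a masked word into a `bool`.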
+@@ -1582,7 +1588,7 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq,
+ vmxnet3_rx_csum(adapter, skb,
+ (union Vmxnet3_GenericDesc *)rcd);
+ skb->protocol = eth_type_trans(skb, adapter->netdev);
+- if (!rcd->tcp ||
++ if ((!rcd->tcp && !encap_lro) ||
+ !(adapter->netdev->features & NETIF_F_LRO))
+ goto not_lro;
+
+@@ -1591,7 +1597,7 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq,
+ SKB_GSO_TCPV4 : SKB_GSO_TCPV6;
+ skb_shinfo(skb)->gso_size = mss;
+ skb_shinfo(skb)->gso_segs = segCnt;
+- } else if (segCnt != 0 || skb->len > mtu) {
++ } else if ((segCnt != 0 || skb->len > mtu) && !encap_lro) {
+ u32 hlen;
+
+ hlen = vmxnet3_get_hdr_len(adapter, skb,
+@@ -1620,6 +1626,7 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq,
+ napi_gro_receive(&rq->napi, skb);
+
+ ctx->skb = NULL;
++ encap_lro = false;
+ num_pkts++;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From cf683918b1c5ac2efc0678b9c81069a26ed095b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 00:21:47 -0800
+Subject: vmxnet3: use correct intrConf reference when using extended queues
+
+From: Ronak Doshi <doshir@vmware.com>
+
+[ Upstream commit 409e8ec8c5825591895937b8499b54aa2476fae7 ]
+
+Commit 39f9895a00f4 ("vmxnet3: add support for 32 Tx/Rx queues")
+added support for 32Tx/Rx queues. As a part of this patch, intrConf
+structure was extended to incorporate increased queues.
+
+This patch fixes the issue where incorrect reference is being used.
+
+Fixes: 39f9895a00f4 ("vmxnet3: add support for 32 Tx/Rx queues")
+Signed-off-by: Ronak Doshi <doshir@vmware.com>
+Acked-by: Guolin Yang <gyang@vmware.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vmxnet3/vmxnet3_drv.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c
+index 44a0d469f3cf..21896e221300 100644
+--- a/drivers/net/vmxnet3/vmxnet3_drv.c
++++ b/drivers/net/vmxnet3/vmxnet3_drv.c
+@@ -75,8 +75,14 @@ vmxnet3_enable_all_intrs(struct vmxnet3_adapter *adapter)
+
+ for (i = 0; i < adapter->intr.num_intrs; i++)
+ vmxnet3_enable_intr(adapter, i);
+- adapter->shared->devRead.intrConf.intrCtrl &=
++ if (!VMXNET3_VERSION_GE_6(adapter) ||
++ !adapter->queuesExtEnabled) {
++ adapter->shared->devRead.intrConf.intrCtrl &=
+ cpu_to_le32(~VMXNET3_IC_DISABLE_ALL);
++ } else {
++ adapter->shared->devReadExt.intrConfExt.intrCtrl &=
++ cpu_to_le32(~VMXNET3_IC_DISABLE_ALL);
++ }
+ }
+
+
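Review bot: The version and `queuesExtEnabled` test that picks between `devRead.intrConf` and `devReadExt.intrConfExt` is written out twice, here in vmxnet3_enable_all_intrs() and again in the vmxnet3_disable_all_intrs() hunk below. If the two copies ever drift, enable and disable would toggle different `intrCtrl` words. A small helper that returns the address of the active `intrCtrl` would keep the selection in one place and reduce each call site to a single statement. The sketch assumes `intrCtrl` is declared `__le32` in both structures, which the `cpu_to_le32()` use suggests but the hunks do not show.

```c
static __le32 *
vmxnet3_intr_ctrl(struct vmxnet3_adapter *adapter)
{
	if (VMXNET3_VERSION_GE_6(adapter) && adapter->queuesExtEnabled)
		return &adapter->shared->devReadExt.intrConfExt.intrCtrl;
	return &adapter->shared->devRead.intrConf.intrCtrl;
}

/* ... unchanged: enable loop in vmxnet3_enable_all_intrs() ... */
	*vmxnet3_intr_ctrl(adapter) &= cpu_to_le32(~VMXNET3_IC_DISABLE_ALL);

/* ... in vmxnet3_disable_all_intrs(), before the unchanged disable loop ... */
	*vmxnet3_intr_ctrl(adapter) |= cpu_to_le32(VMXNET3_IC_DISABLE_ALL);
```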
+@@ -85,8 +91,14 @@ vmxnet3_disable_all_intrs(struct vmxnet3_adapter *adapter)
+ {
+ int i;
+
+- adapter->shared->devRead.intrConf.intrCtrl |=
++ if (!VMXNET3_VERSION_GE_6(adapter) ||
++ !adapter->queuesExtEnabled) {
++ adapter->shared->devRead.intrConf.intrCtrl |=
+ cpu_to_le32(VMXNET3_IC_DISABLE_ALL);
++ } else {
++ adapter->shared->devReadExt.intrConfExt.intrCtrl |=
++ cpu_to_le32(VMXNET3_IC_DISABLE_ALL);
++ }
+ for (i = 0; i < adapter->intr.num_intrs; i++)
+ vmxnet3_disable_intr(adapter, i);
+ }
+--
+2.35.1
+
--- /dev/null
+From 4e83a460b4169745518f2b1d0b49fab4f39a7634 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 08:19:38 +0100
+Subject: xen/netback: fix build warning
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit 7dfa764e0223a324366a2a1fc056d4d9d4e95491 ]
+
+Commit ad7f402ae4f4 ("xen/netback: Ensure protocol headers don't fall in
+the non-linear area") introduced a (valid) build warning. There have
+even been reports of this problem breaking networking of Xen guests.
+
+Fixes: ad7f402ae4f4 ("xen/netback: Ensure protocol headers don't fall in the non-linear area")
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Tested-by: Jason Andryuk <jandryuk@gmail.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/xen-netback/netback.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
+index 6bd7b62fb90c..26428db845be 100644
+--- a/drivers/net/xen-netback/netback.c
++++ b/drivers/net/xen-netback/netback.c
+@@ -530,7 +530,7 @@ static int xenvif_tx_check_gop(struct xenvif_queue *queue,
+ const bool sharedslot = nr_frags &&
+ frag_get_pending_idx(&shinfo->frags[0]) ==
+ copy_pending_idx(skb, copy_count(skb) - 1);
+- int i, err;
++ int i, err = 0;
+
+ for (i = 0; i < copy_count(skb); i++) {
+ int newerr;
+--
+2.35.1
+
--- /dev/null
+From bd5dd6cea6bf9e0026d076ede5c262c03cba5b1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 08:52:48 +0000
+Subject: xen-netfront: Fix NULL sring after live migration
+
+From: Lin Liu <lin.liu@citrix.com>
+
+[ Upstream commit d50b7914fae04d840ce36491d22133070b18cca9 ]
+
+A NAPI is setup for each network sring to poll data to kernel
+The sring with source host is destroyed before live migration and
+new sring with target host is setup after live migration.
+The NAPI for the old sring is not deleted until setup new sring
+with target host after migration. With busy_poll/busy_read enabled,
+the NAPI can be polled before got deleted when resume VM.
+
+BUG: unable to handle kernel NULL pointer dereference at
+0000000000000008
+IP: xennet_poll+0xae/0xd20
+PGD 0 P4D 0
+Oops: 0000 [#1] SMP PTI
+Call Trace:
+ finish_task_switch+0x71/0x230
+ timerqueue_del+0x1d/0x40
+ hrtimer_try_to_cancel+0xb5/0x110
+ xennet_alloc_rx_buffers+0x2a0/0x2a0
+ napi_busy_loop+0xdb/0x270
+ sock_poll+0x87/0x90
+ do_sys_poll+0x26f/0x580
+ tracing_map_insert+0x1d4/0x2f0
+ event_hist_trigger+0x14a/0x260
+
+ finish_task_switch+0x71/0x230
+ __schedule+0x256/0x890
+ recalc_sigpending+0x1b/0x50
+ xen_sched_clock+0x15/0x20
+ __rb_reserve_next+0x12d/0x140
+ ring_buffer_lock_reserve+0x123/0x3d0
+ event_triggers_call+0x87/0xb0
+ trace_event_buffer_commit+0x1c4/0x210
+ xen_clocksource_get_cycles+0x15/0x20
+ ktime_get_ts64+0x51/0xf0
+ SyS_ppoll+0x160/0x1a0
+ SyS_ppoll+0x160/0x1a0
+ do_syscall_64+0x73/0x130
+ entry_SYSCALL_64_after_hwframe+0x41/0xa6
+...
+RIP: xennet_poll+0xae/0xd20 RSP: ffffb4f041933900
+CR2: 0000000000000008
+---[ end trace f8601785b354351c ]---
+
+xen frontend should remove the NAPIs for the old srings before live
+migration as the bond srings are destroyed
+
+There is a tiny window between the srings are set to NULL and
+the NAPIs are disabled, It is safe as the NAPI threads are still
+frozen at that time
+
+Signed-off-by: Lin Liu <lin.liu@citrix.com>
+Fixes: 4ec2411980d0 ([NET]: Do not check netif_running() and carrier state in ->poll())
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/xen-netfront.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
+index 074dceb1930b..6e73d3a00eec 100644
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -1866,6 +1866,12 @@ static int netfront_resume(struct xenbus_device *dev)
+ netif_tx_unlock_bh(info->netdev);
+
+ xennet_disconnect_backend(info);
++
++ rtnl_lock();
++ if (info->queues)
++ xennet_destroy_queues(info);
++ rtnl_unlock();
++
+ return 0;
+ }
+
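Review bot: The added teardown block has no comment, although its ordering is the whole fix. Per the commit message, the rings are already gone after `xennet_disconnect_backend()`, and a busy-polling socket could otherwise reach xennet_poll() on a stale NAPI once the VM resumes. A comment above `rtnl_lock()` would record that, for example `/* Rings are torn down above; delete their NAPIs now so busy polling cannot run xennet_poll() on them after resume. */`. Whether `xennet_destroy_queues()` clears `info->queues` is not visible here, and the `if (info->queues)` guard and any later queue setup on reconnect depend on it. netfront_resume() starts outside the hunk.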
+--
+2.35.1
+