Fixes for 5.4
authorSasha Levin <sashal@kernel.org>
Sun, 13 Nov 2022 22:41:33 +0000 (17:41 -0500)
committerSasha Levin <sashal@kernel.org>
Sun, 13 Nov 2022 22:41:33 +0000 (17:41 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
32 files changed:
queue-5.4/bnxt_en-fix-possible-crash-in-bnxt_hwrm_set_coal.patch [new file with mode: 0644]
queue-5.4/bnxt_en-fix-potentially-incorrect-return-value-for-n.patch [new file with mode: 0644]
queue-5.4/bpf-sockmap-fix-the-sk-sk_forward_alloc-warning-of-s.patch [new file with mode: 0644]
queue-5.4/can-af_can-fix-null-pointer-dereference-in-can_rx_re.patch [new file with mode: 0644]
queue-5.4/capabilities-fix-undefined-behavior-in-bit-shift-for.patch [new file with mode: 0644]
queue-5.4/cxgb4vf-shut-down-the-adapter-when-t4vf_update_port_.patch [new file with mode: 0644]
queue-5.4/dmaengine-mv_xor_v2-fix-a-resource-leak-in-mv_xor_v2.patch [new file with mode: 0644]
queue-5.4/dmaengine-pxa_dma-use-platform_get_irq_optional.patch [new file with mode: 0644]
queue-5.4/drivers-net-xgene-disable-napi-when-register-irq-fai.patch [new file with mode: 0644]
queue-5.4/drm-vc4-fix-missing-platform_unregister_drivers-call.patch [new file with mode: 0644]
queue-5.4/ethernet-s2io-disable-napi-when-start-nic-failed-in-.patch [new file with mode: 0644]
queue-5.4/ethernet-tundra-free-irq-when-alloc-ring-failed-in-t.patch [new file with mode: 0644]
queue-5.4/hamradio-fix-issue-of-dev-reference-count-leakage-in.patch [new file with mode: 0644]
queue-5.4/hid-hyperv-fix-possible-memory-leak-in-mousevsc_prob.patch [new file with mode: 0644]
queue-5.4/ipv6-addrlabel-fix-infoleak-when-sending-struct-ifad.patch [new file with mode: 0644]
queue-5.4/net-cpsw-disable-napi-in-cpsw_ndo_open.patch [new file with mode: 0644]
queue-5.4/net-cxgb3_main-disable-napi-when-bind-qsets-failed-i.patch [new file with mode: 0644]
queue-5.4/net-fman-unregister-ethernet-device-on-removal.patch [new file with mode: 0644]
queue-5.4/net-gso-fix-panic-on-frag_list-with-mixed-head-alloc.patch [new file with mode: 0644]
queue-5.4/net-lapbether-fix-issue-of-dev-reference-count-leaka.patch [new file with mode: 0644]
queue-5.4/net-macvlan-fix-memory-leaks-of-macvlan_common_newli.patch [new file with mode: 0644]
queue-5.4/net-mlx5-allow-async-trigger-completion-execution-on.patch [new file with mode: 0644]
queue-5.4/net-mv643xx_eth-disable-napi-when-init-rxq-or-txq-fa.patch [new file with mode: 0644]
queue-5.4/net-nixge-disable-napi-when-enable-interrupts-failed.patch [new file with mode: 0644]
queue-5.4/net-tun-fix-memory-leaks-of-napi_get_frags.patch [new file with mode: 0644]
queue-5.4/perf-stat-fix-printing-os-prefix-in-csv-metrics-outp.patch [new file with mode: 0644]
queue-5.4/phy-stm32-fix-an-error-code-in-probe.patch [new file with mode: 0644]
queue-5.4/riscv-process-fix-kernel-info-leakage.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/tipc-fix-the-msg-req-tlv-len-check-in-tipc_nl_compat.patch [new file with mode: 0644]
queue-5.4/wifi-cfg80211-fix-memory-leak-in-query_regdb_file.patch [new file with mode: 0644]
queue-5.4/wifi-cfg80211-silence-a-sparse-rcu-warning.patch [new file with mode: 0644]

diff --git a/queue-5.4/bnxt_en-fix-possible-crash-in-bnxt_hwrm_set_coal.patch b/queue-5.4/bnxt_en-fix-possible-crash-in-bnxt_hwrm_set_coal.patch
new file mode 100644 (file)
index 0000000..f4721f3
--- /dev/null
@@ -0,0 +1,81 @@
+From cd9ab5726517edadce16dab63d549afdcbf6f763 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 19:33:26 -0400
+Subject: bnxt_en: Fix possible crash in bnxt_hwrm_set_coal()
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit 6d81ea3765dfa6c8a20822613c81edad1c4a16a0 ]
+
+During the error recovery sequence, the rtnl_lock is not held for the
+entire duration and some datastructures may be freed during the sequence.
+Check for the BNXT_STATE_OPEN flag instead of netif_running() to ensure
+that the device is fully operational before proceeding to reconfigure
+the coalescing settings.
+
+This will fix a possible crash like this:
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+PGD 0 P4D 0
+Oops: 0000 [#1] SMP NOPTI
+CPU: 10 PID: 181276 Comm: ethtool Kdump: loaded Tainted: G          IOE    --------- -  - 4.18.0-348.el8.x86_64 #1
+Hardware name: Dell Inc. PowerEdge R740/0F9N89, BIOS 2.3.10 08/15/2019
+RIP: 0010:bnxt_hwrm_set_coal+0x1fb/0x2a0 [bnxt_en]
+Code: c2 66 83 4e 22 08 66 89 46 1c e8 10 cb 00 00 41 83 c6 01 44 39 b3 68 01 00 00 0f 8e a3 00 00 00 48 8b 93 c8 00 00 00 49 63 c6 <48> 8b 2c c2 48 8b 85 b8 02 00 00 48 85 c0 74 2e 48 8b 74 24 08 f6
+RSP: 0018:ffffb11c8dcaba50 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: ffff8d168a8b0ac0 RCX: 00000000000000c5
+RDX: 0000000000000000 RSI: ffff8d162f72c000 RDI: ffff8d168a8b0b28
+RBP: 0000000000000000 R08: b6e1f68a12e9a7eb R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000037 R12: ffff8d168a8b109c
+R13: ffff8d168a8b10aa R14: 0000000000000000 R15: ffffffffc01ac4e0
+FS:  00007f3852e4c740(0000) GS:ffff8d24c0080000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000000 CR3: 000000041b3ee003 CR4: 00000000007706e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ ethnl_set_coalesce+0x3ce/0x4c0
+ genl_family_rcv_msg_doit.isra.15+0x10f/0x150
+ genl_family_rcv_msg+0xb3/0x160
+ ? coalesce_fill_reply+0x480/0x480
+ genl_rcv_msg+0x47/0x90
+ ? genl_family_rcv_msg+0x160/0x160
+ netlink_rcv_skb+0x4c/0x120
+ genl_rcv+0x24/0x40
+ netlink_unicast+0x196/0x230
+ netlink_sendmsg+0x204/0x3d0
+ sock_sendmsg+0x4c/0x50
+ __sys_sendto+0xee/0x160
+ ? syscall_trace_enter+0x1d3/0x2c0
+ ? __audit_syscall_exit+0x249/0x2a0
+ __x64_sys_sendto+0x24/0x30
+ do_syscall_64+0x5b/0x1a0
+ entry_SYSCALL_64_after_hwframe+0x65/0xca
+RIP: 0033:0x7f38524163bb
+
+Fixes: 2151fe0830fd ("bnxt_en: Handle RESET_NOTIFY async event from firmware.")
+Reviewed-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+index d74c6a34b936..24282a426481 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+@@ -124,7 +124,7 @@ static int bnxt_set_coalesce(struct net_device *dev,
+       }
+ reset_coalesce:
+-      if (netif_running(dev)) {
++      if (test_bit(BNXT_STATE_OPEN, &bp->state)) {
+               if (update_stats) {
+                       rc = bnxt_close_nic(bp, true, false);
+                       if (!rc)
+-- 
+2.35.1
+
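Review bot: The new gate under `reset_coalesce:` swaps `netif_running(dev)` for `test_bit(BNXT_STATE_OPEN, &bp->state)` without a comment saying why the driver flag is the right test, so a later cleanup could turn it back. I would add above it `/* netif_running() can still be true during firmware error recovery while rings are freed; BNXT_STATE_OPEN is not */`, which is what the commit message describes. The check is still a test followed by use, so it relies on whatever serialises this ethtool path against the recovery sequence; that locking is not visible here and is worth confirming. bnxt_set_coalesce() starts and ends outside the hunk.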
diff --git a/queue-5.4/bnxt_en-fix-potentially-incorrect-return-value-for-n.patch b/queue-5.4/bnxt_en-fix-potentially-incorrect-return-value-for-n.patch
new file mode 100644 (file)
index 0000000..decd1ea
--- /dev/null
@@ -0,0 +1,45 @@
+From 063bec259c93fa6913ff93aa62664801d0e82a47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 19:33:27 -0400
+Subject: bnxt_en: fix potentially incorrect return value for ndo_rx_flow_steer
+
+From: Alex Barba <alex.barba@broadcom.com>
+
+[ Upstream commit 02597d39145bb0aa81d04bf39b6a913ce9a9d465 ]
+
+In the bnxt_en driver ndo_rx_flow_steer returns '0' whenever an entry
+that we are attempting to steer is already found.  This is not the
+correct behavior.  The return code should be the value/index that
+corresponds to the entry.  Returning zero all the time causes the
+RFS records to be incorrect unless entry '0' is the correct one.  As
+flows migrate to different cores this can create entries that are not
+correct.
+
+Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
+Reported-by: Akshay Navgire <anavgire@purestorage.com>
+Signed-off-by: Alex Barba <alex.barba@broadcom.com>
+Signed-off-by: Andy Gospodarek <gospo@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 5a7d5e7f3b23..d7d7d6421c48 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -11182,8 +11182,8 @@ static int bnxt_rx_flow_steer(struct net_device *dev, const struct sk_buff *skb,
+       rcu_read_lock();
+       hlist_for_each_entry_rcu(fltr, head, hash) {
+               if (bnxt_fltr_match(fltr, new_fltr)) {
++                      rc = fltr->sw_id;
+                       rcu_read_unlock();
+-                      rc = 0;
+                       goto err_free;
+               }
+       }
+-- 
+2.35.1
+
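Review bot: The matched-filter path in bnxt_rx_flow_steer() now leaves through `goto err_free` carrying a valid filter index in `rc`, so the label name no longer describes every path that reaches it. A one-line comment at the jump would keep readers from taking it for a failure, e.g. `/* already steered: return the existing filter id */`; the label presumably releases `new_fltr`, but its body is outside the hunk. Moving `rc = fltr->sw_id;` ahead of `rcu_read_unlock()` is the right order, since `fltr` is only protected inside the read-side section.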
diff --git a/queue-5.4/bpf-sockmap-fix-the-sk-sk_forward_alloc-warning-of-s.patch b/queue-5.4/bpf-sockmap-fix-the-sk-sk_forward_alloc-warning-of-s.patch
new file mode 100644 (file)
index 0000000..4282791
--- /dev/null
@@ -0,0 +1,90 @@
+From 30fe2be7d9fa4e85d35ca84d6983d148b6f0adbd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 09:31:36 +0800
+Subject: bpf, sockmap: Fix the sk->sk_forward_alloc warning of
+ sk_stream_kill_queues
+
+From: Wang Yufen <wangyufen@huawei.com>
+
+[ Upstream commit 8ec95b94716a1e4d126edc3fb2bc426a717e2dba ]
+
+When running `test_sockmap` selftests, the following warning appears:
+
+  WARNING: CPU: 2 PID: 197 at net/core/stream.c:205 sk_stream_kill_queues+0xd3/0xf0
+  Call Trace:
+  <TASK>
+  inet_csk_destroy_sock+0x55/0x110
+  tcp_rcv_state_process+0xd28/0x1380
+  ? tcp_v4_do_rcv+0x77/0x2c0
+  tcp_v4_do_rcv+0x77/0x2c0
+  __release_sock+0x106/0x130
+  __tcp_close+0x1a7/0x4e0
+  tcp_close+0x20/0x70
+  inet_release+0x3c/0x80
+  __sock_release+0x3a/0xb0
+  sock_close+0x14/0x20
+  __fput+0xa3/0x260
+  task_work_run+0x59/0xb0
+  exit_to_user_mode_prepare+0x1b3/0x1c0
+  syscall_exit_to_user_mode+0x19/0x50
+  do_syscall_64+0x48/0x90
+  entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The root case is in commit 84472b436e76 ("bpf, sockmap: Fix more uncharged
+while msg has more_data"), where I used msg->sg.size to replace the tosend,
+causing breakage:
+
+  if (msg->apply_bytes && msg->apply_bytes < tosend)
+    tosend = psock->apply_bytes;
+
+Fixes: 84472b436e76 ("bpf, sockmap: Fix more uncharged while msg has more_data")
+Reported-by: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: Wang Yufen <wangyufen@huawei.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
+Link: https://lore.kernel.org/bpf/1667266296-8794-1-git-send-email-wangyufen@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_bpf.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
+index bcc13368c836..f69dcd3c7797 100644
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -311,7 +311,7 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock,
+ {
+       bool cork = false, enospc = sk_msg_full(msg);
+       struct sock *sk_redir;
+-      u32 tosend, delta = 0;
++      u32 tosend, origsize, sent, delta = 0;
+       u32 eval = __SK_NONE;
+       int ret;
+@@ -366,10 +366,12 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock,
+                       cork = true;
+                       psock->cork = NULL;
+               }
+-              sk_msg_return(sk, msg, msg->sg.size);
++              sk_msg_return(sk, msg, tosend);
+               release_sock(sk);
++              origsize = msg->sg.size;
+               ret = tcp_bpf_sendmsg_redir(sk_redir, msg, tosend, flags);
++              sent = origsize - msg->sg.size;
+               if (eval == __SK_REDIRECT)
+                       sock_put(sk_redir);
+@@ -408,7 +410,7 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock,
+                   msg->sg.data[msg->sg.start].page_link &&
+                   msg->sg.data[msg->sg.start].length) {
+                       if (eval == __SK_REDIRECT)
+-                              sk_mem_charge(sk, msg->sg.size);
++                              sk_mem_charge(sk, tosend - sent);
+                       goto more_data;
+               }
+       }
+-- 
+2.35.1
+
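Review bot: `sent` is declared without an initializer in `u32 tosend, origsize, sent, delta = 0;` and is assigned only on the redirect path, yet it is read later in `sk_mem_charge(sk, tosend - sent);`. That read is guarded by `eval == __SK_REDIRECT`, but the link between the guard and the assignment spans code outside these hunks, so I would make it explicit with `u32 tosend, origsize, sent = 0, delta = 0;`. Both `origsize - msg->sg.size` and `tosend - sent` are unsigned subtractions; if the redirect helper could ever consume more than `tosend` bytes, the re-charge would wrap to a very large value, so a short comment stating the invariant (`/* sent <= tosend: redir sends at most tosend bytes */`) would help, assuming it holds. tcp_bpf_send_verdict() continues outside the hunks.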
diff --git a/queue-5.4/can-af_can-fix-null-pointer-dereference-in-can_rx_re.patch b/queue-5.4/can-af_can-fix-null-pointer-dereference-in-can_rx_re.patch
new file mode 100644 (file)
index 0000000..497cda5
--- /dev/null
@@ -0,0 +1,64 @@
+From 411fcead06df05bb094c440bde3e9eb05dbd4344 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 16:56:50 +0800
+Subject: can: af_can: fix NULL pointer dereference in can_rx_register()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 8aa59e355949442c408408c2d836e561794c40a1 ]
+
+It causes NULL pointer dereference when testing as following:
+(a) use syscall(__NR_socket, 0x10ul, 3ul, 0) to create netlink socket.
+(b) use syscall(__NR_sendmsg, ...) to create bond link device and vxcan
+    link device, and bind vxcan device to bond device (can also use
+    ifenslave command to bind vxcan device to bond device).
+(c) use syscall(__NR_socket, 0x1dul, 3ul, 1) to create CAN socket.
+(d) use syscall(__NR_bind, ...) to bind the bond device to CAN socket.
+
+The bond device invokes the can-raw protocol registration interface to
+receive CAN packets. However, ml_priv is not allocated to the dev,
+dev_rcv_lists is assigned to NULL in can_rx_register(). In this case,
+it will occur the NULL pointer dereference issue.
+
+The following is the stack information:
+BUG: kernel NULL pointer dereference, address: 0000000000000008
+PGD 122a4067 P4D 122a4067 PUD 1223c067 PMD 0
+Oops: 0000 [#1] PREEMPT SMP
+RIP: 0010:can_rx_register+0x12d/0x1e0
+Call Trace:
+<TASK>
+raw_enable_filters+0x8d/0x120
+raw_enable_allfilters+0x3b/0x130
+raw_bind+0x118/0x4f0
+__sys_bind+0x163/0x1a0
+__x64_sys_bind+0x1e/0x30
+do_syscall_64+0x35/0x80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+</TASK>
+
+Fixes: 4e096a18867a ("net: introduce CAN specific pointer in the struct net_device")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Reviewed-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Link: https://lore.kernel.org/all/20221028085650.170470-1-shaozhengchao@huawei.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/af_can.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/can/af_can.c b/net/can/af_can.c
+index c758a12ffe46..f7dc68cd86e4 100644
+--- a/net/can/af_can.c
++++ b/net/can/af_can.c
+@@ -450,7 +450,7 @@ int can_rx_register(struct net *net, struct net_device *dev, canid_t can_id,
+       /* insert new receiver  (dev,canid,mask) -> (func,data) */
+-      if (dev && dev->type != ARPHRD_CAN)
++      if (dev && (dev->type != ARPHRD_CAN || !can_get_ml_priv(dev)))
+               return -ENODEV;
+       if (dev && !net_eq(net, dev_net(dev)))
+-- 
+2.35.1
+
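Review bot: The added `!can_get_ml_priv(dev)` test in can_rx_register() is not explained in the code, and the reason is not obvious from the condition. I would extend the comment above it with `/* a stacked device (e.g. bond over vxcan) can have ARPHRD_CAN without CAN ml_priv */`, which is the case the commit message describes. That sequence is driven entirely by socket and bind calls, so it is worth checking whether other paths that look up the per-device receive lists need the same guard; none are visible in this hunk. Since this is a backport, also confirm that `can_get_ml_priv()` exists in the 5.4 tree, as the Fixes: tag names the commit that introduced the CAN-specific pointer.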
diff --git a/queue-5.4/capabilities-fix-undefined-behavior-in-bit-shift-for.patch b/queue-5.4/capabilities-fix-undefined-behavior-in-bit-shift-for.patch
new file mode 100644 (file)
index 0000000..8dbf1f5
--- /dev/null
@@ -0,0 +1,53 @@
+From 2cc6843705432f379defeb179d9352beb7663bcf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Oct 2022 19:25:36 +0800
+Subject: capabilities: fix undefined behavior in bit shift for CAP_TO_MASK
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit 46653972e3ea64f79e7f8ae3aa41a4d3fdb70a13 ]
+
+Shifting signed 32-bit value by 31 bits is undefined, so changing
+significant bit to unsigned. The UBSAN warning calltrace like below:
+
+UBSAN: shift-out-of-bounds in security/commoncap.c:1252:2
+left shift of 1 by 31 places cannot be represented in type 'int'
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x7d/0xa5
+ dump_stack+0x15/0x1b
+ ubsan_epilogue+0xe/0x4e
+ __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c
+ cap_task_prctl+0x561/0x6f0
+ security_task_prctl+0x5a/0xb0
+ __x64_sys_prctl+0x61/0x8f0
+ do_syscall_64+0x58/0x80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ </TASK>
+
+Fixes: e338d263a76a ("Add 64-bit capability support to the kernel")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Acked-by: Andrew G. Morgan <morgan@kernel.org>
+Reviewed-by: Serge Hallyn <serge@hallyn.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/capability.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
+index 240fdb9a60f6..6e0d68e841cd 100644
+--- a/include/uapi/linux/capability.h
++++ b/include/uapi/linux/capability.h
+@@ -376,7 +376,7 @@ struct vfs_ns_cap_data {
+  */
+ #define CAP_TO_INDEX(x)     ((x) >> 5)        /* 1 << 5 == bits in __u32 */
+-#define CAP_TO_MASK(x)      (1 << ((x) & 31)) /* mask for indexed __u32 */
++#define CAP_TO_MASK(x)      (1U << ((x) & 31)) /* mask for indexed __u32 */
+ #endif /* _UAPI_LINUX_CAPABILITY_H */
+-- 
+2.35.1
+
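Review bot: `CAP_TO_MASK(x)` now evaluates to `unsigned int` instead of `int`, and because this is a uapi header the type change is visible to userspace as well as to the kernel. For bit 31 the old form was undefined and in practice produced a negative value that sign-extends when widened to 64 bits, whereas `1U << 31` widens to 0x80000000; callers that store the mask in a wider type therefore see a different, correct result. I would record that in the trailing comment, e.g. `/* unsigned mask for indexed __u32 */`, so the `U` suffix is not dropped in a later tidy-up.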
diff --git a/queue-5.4/cxgb4vf-shut-down-the-adapter-when-t4vf_update_port_.patch b/queue-5.4/cxgb4vf-shut-down-the-adapter-when-t4vf_update_port_.patch
new file mode 100644 (file)
index 0000000..ce9522c
--- /dev/null
@@ -0,0 +1,39 @@
+From c2212e9e21acec95e4f5c5aa50af769344f3331c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 09:21:00 +0800
+Subject: cxgb4vf: shut down the adapter when t4vf_update_port_info() failed in
+ cxgb4vf_open()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit c6092ea1e6d7bd12acd881f6aa2b5054cd70e096 ]
+
+When t4vf_update_port_info() failed in cxgb4vf_open(), resources applied
+during adapter goes up are not cleared. Fix it. Only be compiled, not be
+tested.
+
+Fixes: 18d79f721e0a ("cxgb4vf: Update port information in cxgb4vf_open()")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Link: https://lore.kernel.org/r/20221109012100.99132-1-shaozhengchao@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4vf/cxgb4vf_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4vf/cxgb4vf_main.c b/drivers/net/ethernet/chelsio/cxgb4vf/cxgb4vf_main.c
+index f4d41f968afa..97963d9a6d16 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4vf/cxgb4vf_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb4vf/cxgb4vf_main.c
+@@ -860,7 +860,7 @@ static int cxgb4vf_open(struct net_device *dev)
+        */
+       err = t4vf_update_port_info(pi);
+       if (err < 0)
+-              return err;
++              goto err_unwind;
+       /*
+        * Note that this interface is up and start everything up ...
+-- 
+2.35.1
+
diff --git a/queue-5.4/dmaengine-mv_xor_v2-fix-a-resource-leak-in-mv_xor_v2.patch b/queue-5.4/dmaengine-mv_xor_v2-fix-a-resource-leak-in-mv_xor_v2.patch
new file mode 100644 (file)
index 0000000..9bef462
--- /dev/null
@@ -0,0 +1,38 @@
+From 37ff0b7194f72e6b03f5185551f413172347e4ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 21:50:09 +0200
+Subject: dmaengine: mv_xor_v2: Fix a resource leak in mv_xor_v2_remove()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 081195d17a0c4c636da2b869bd5809d42e8cbb13 ]
+
+A clk_prepare_enable() call in the probe is not balanced by a corresponding
+clk_disable_unprepare() in the remove function.
+
+Add the missing call.
+
+Fixes: 3cd2c313f1d6 ("dmaengine: mv_xor_v2: Fix clock resource by adding a register clock")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/e9e3837a680c9bd2438e4db2b83270c6c052d005.1666640987.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/mv_xor_v2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/dma/mv_xor_v2.c b/drivers/dma/mv_xor_v2.c
+index 889a94af4c85..3fa884145eb1 100644
+--- a/drivers/dma/mv_xor_v2.c
++++ b/drivers/dma/mv_xor_v2.c
+@@ -895,6 +895,7 @@ static int mv_xor_v2_remove(struct platform_device *pdev)
+       tasklet_kill(&xor_dev->irq_tasklet);
+       clk_disable_unprepare(xor_dev->clk);
++      clk_disable_unprepare(xor_dev->reg_clk);
+       return 0;
+ }
+-- 
+2.35.1
+
diff --git a/queue-5.4/dmaengine-pxa_dma-use-platform_get_irq_optional.patch b/queue-5.4/dmaengine-pxa_dma-use-platform_get_irq_optional.patch
new file mode 100644 (file)
index 0000000..44a044f
--- /dev/null
@@ -0,0 +1,49 @@
+From d609aa6958094eeca1ff1c2aee671cb8cacf5e79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Sep 2022 17:07:09 -0700
+Subject: dmaengine: pxa_dma: use platform_get_irq_optional
+
+From: Doug Brown <doug@schmorgal.com>
+
+[ Upstream commit b3d726cb8497c6b12106fd617d46eef11763ea86 ]
+
+The first IRQ is required, but IRQs 1 through (nb_phy_chans - 1) are
+optional, because on some platforms (e.g. PXA168) there is a single IRQ
+shared between all channels.
+
+This change inhibits a flood of "IRQ index # not found" messages at
+startup. Tested on a PXA168-based device.
+
+Fixes: 7723f4c5ecdb ("driver core: platform: Add an error message to platform_get_irq*()")
+Signed-off-by: Doug Brown <doug@schmorgal.com>
+Link: https://lore.kernel.org/r/20220906000709.52705-1-doug@schmorgal.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/pxa_dma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/pxa_dma.c b/drivers/dma/pxa_dma.c
+index b4ef4f19f7de..68d9d60c051d 100644
+--- a/drivers/dma/pxa_dma.c
++++ b/drivers/dma/pxa_dma.c
+@@ -1249,14 +1249,14 @@ static int pxad_init_phys(struct platform_device *op,
+               return -ENOMEM;
+       for (i = 0; i < nb_phy_chans; i++)
+-              if (platform_get_irq(op, i) > 0)
++              if (platform_get_irq_optional(op, i) > 0)
+                       nr_irq++;
+       for (i = 0; i < nb_phy_chans; i++) {
+               phy = &pdev->phys[i];
+               phy->base = pdev->base;
+               phy->idx = i;
+-              irq = platform_get_irq(op, i);
++              irq = platform_get_irq_optional(op, i);
+               if ((nr_irq > 1) && (irq > 0))
+                       ret = devm_request_irq(&op->dev, irq,
+                                              pxad_chan_handler,
+-- 
+2.35.1
+
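Review bot: Both loops in pxad_init_phys() now call `platform_get_irq_optional(op, i)` for every index including 0, although the commit message says the first IRQ is required. Unless index 0 is fetched and checked separately outside this hunk, a missing mandatory IRQ is no longer reported. The `> 0` tests also treat every negative return as "no IRQ", `-EPROBE_DEFER` included, so a not-yet-probed interrupt controller would be read as a shared-IRQ platform. I would propagate that case in the second loop with `if (irq == -EPROBE_DEFER) return irq;`. The function starts and ends outside the hunk.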
diff --git a/queue-5.4/drivers-net-xgene-disable-napi-when-register-irq-fai.patch b/queue-5.4/drivers-net-xgene-disable-napi-when-register-irq-fai.patch
new file mode 100644 (file)
index 0000000..a9a60ea
--- /dev/null
@@ -0,0 +1,42 @@
+From 9deeb5b349d1c7a9c987506808f3f5db1022ecf7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 12:30:32 +0800
+Subject: drivers: net: xgene: disable napi when register irq failed in
+ xgene_enet_open()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit ce9e57feeed81d17d5e80ed86f516ff0d39c3867 ]
+
+When failed to register irq in xgene_enet_open() for opening device,
+napi isn't disabled. When open xgene device next time, it will reports
+a invalid opcode issue. Fix it. Only be compiled, not be tested.
+
+Fixes: aeb20b6b3f4e ("drivers: net: xgene: fix: ifconfig up/down crash")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Link: https://lore.kernel.org/r/20221107043032.357673-1-shaozhengchao@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/apm/xgene/xgene_enet_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/apm/xgene/xgene_enet_main.c b/drivers/net/ethernet/apm/xgene/xgene_enet_main.c
+index ce4e617a6ec4..29fcc4deb4da 100644
+--- a/drivers/net/ethernet/apm/xgene/xgene_enet_main.c
++++ b/drivers/net/ethernet/apm/xgene/xgene_enet_main.c
+@@ -1004,8 +1004,10 @@ static int xgene_enet_open(struct net_device *ndev)
+       xgene_enet_napi_enable(pdata);
+       ret = xgene_enet_register_irq(ndev);
+-      if (ret)
++      if (ret) {
++              xgene_enet_napi_disable(pdata);
+               return ret;
++      }
+       if (ndev->phydev) {
+               phy_start(ndev->phydev);
+-- 
+2.35.1
+
diff --git a/queue-5.4/drm-vc4-fix-missing-platform_unregister_drivers-call.patch b/queue-5.4/drm-vc4-fix-missing-platform_unregister_drivers-call.patch
new file mode 100644 (file)
index 0000000..4fa0c55
--- /dev/null
@@ -0,0 +1,65 @@
+From 185558119808329616f87ed575e51c88049d1929 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 01:47:05 +0000
+Subject: drm/vc4: Fix missing platform_unregister_drivers() call in
+ vc4_drm_register()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit cf53db768a8790fdaae2fa3a81322b080285f7e5 ]
+
+A problem about modprobe vc4 failed is triggered with the following log
+given:
+
+ [  420.327987] Error: Driver 'vc4_hvs' is already registered, aborting...
+ [  420.333904] failed to register platform driver vc4_hvs_driver [vc4]: -16
+ modprobe: ERROR: could not insert 'vc4': Device or resource busy
+
+The reason is that vc4_drm_register() returns platform_driver_register()
+directly without checking its return value, if platform_driver_register()
+fails, it returns without unregistering all the vc4 drivers, resulting the
+vc4 can never be installed later.
+A simple call graph is shown as below:
+
+ vc4_drm_register()
+   platform_register_drivers() # all vc4 drivers are registered
+   platform_driver_register()
+     driver_register()
+       bus_add_driver()
+         priv = kzalloc(...) # OOM happened
+   # return without unregister drivers
+
+Fixing this problem by checking the return value of
+platform_driver_register() and do platform_unregister_drivers() if
+error happened.
+
+Fixes: c8b75bca92cb ("drm/vc4: Add KMS support for Raspberry Pi.")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221103014705.109322-1-yuancan@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_drv.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_drv.c b/drivers/gpu/drm/vc4/vc4_drv.c
+index 0d78ba017a29..36688a56c91c 100644
+--- a/drivers/gpu/drm/vc4/vc4_drv.c
++++ b/drivers/gpu/drm/vc4/vc4_drv.c
+@@ -392,7 +392,12 @@ static int __init vc4_drm_register(void)
+       if (ret)
+               return ret;
+-      return platform_driver_register(&vc4_platform_driver);
++      ret = platform_driver_register(&vc4_platform_driver);
++      if (ret)
++              platform_unregister_drivers(component_drivers,
++                                          ARRAY_SIZE(component_drivers));
++
++      return ret;
+ }
+ static void __exit vc4_drm_unregister(void)
+-- 
+2.35.1
+
diff --git a/queue-5.4/ethernet-s2io-disable-napi-when-start-nic-failed-in-.patch b/queue-5.4/ethernet-s2io-disable-napi-when-start-nic-failed-in-.patch
new file mode 100644 (file)
index 0000000..1bf879a
--- /dev/null
@@ -0,0 +1,86 @@
+From 6eb73a9b555075a57bbc49ac06c13957129fe979 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 10:37:41 +0800
+Subject: ethernet: s2io: disable napi when start nic failed in s2io_card_up()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 0348c1ab980c1d43fb37b758d4b760990c066cb5 ]
+
+When failed to start nic or add interrupt service routine in
+s2io_card_up() for opening device, napi isn't disabled. When open
+s2io device next time, it will trigger a BUG_ON()in napi_enable().
+Compile tested only.
+
+Fixes: 5f490c968056 ("S2io: Fixed synchronization between scheduling of napi with card reset and close")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Link: https://lore.kernel.org/r/20221109023741.131552-1-shaozhengchao@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/neterion/s2io.c | 29 +++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/neterion/s2io.c b/drivers/net/ethernet/neterion/s2io.c
+index 71ab4e9c9a17..69316ddcf067 100644
+--- a/drivers/net/ethernet/neterion/s2io.c
++++ b/drivers/net/ethernet/neterion/s2io.c
+@@ -7122,9 +7122,8 @@ static int s2io_card_up(struct s2io_nic *sp)
+               if (ret) {
+                       DBG_PRINT(ERR_DBG, "%s: Out of memory in Open\n",
+                                 dev->name);
+-                      s2io_reset(sp);
+-                      free_rx_buffers(sp);
+-                      return -ENOMEM;
++                      ret = -ENOMEM;
++                      goto err_fill_buff;
+               }
+               DBG_PRINT(INFO_DBG, "Buf in ring:%d is %d:\n", i,
+                         ring->rx_bufs_left);
+@@ -7162,18 +7161,16 @@ static int s2io_card_up(struct s2io_nic *sp)
+       /* Enable Rx Traffic and interrupts on the NIC */
+       if (start_nic(sp)) {
+               DBG_PRINT(ERR_DBG, "%s: Starting NIC failed\n", dev->name);
+-              s2io_reset(sp);
+-              free_rx_buffers(sp);
+-              return -ENODEV;
++              ret = -ENODEV;
++              goto err_out;
+       }
+       /* Add interrupt service routine */
+       if (s2io_add_isr(sp) != 0) {
+               if (sp->config.intr_type == MSI_X)
+                       s2io_rem_isr(sp);
+-              s2io_reset(sp);
+-              free_rx_buffers(sp);
+-              return -ENODEV;
++              ret = -ENODEV;
++              goto err_out;
+       }
+       timer_setup(&sp->alarm_timer, s2io_alarm_handle, 0);
+@@ -7193,6 +7190,20 @@ static int s2io_card_up(struct s2io_nic *sp)
+       }
+       return 0;
++
++err_out:
++      if (config->napi) {
++              if (config->intr_type == MSI_X) {
++                      for (i = 0; i < sp->config.rx_ring_num; i++)
++                              napi_disable(&sp->mac_control.rings[i].napi);
++              } else {
++                      napi_disable(&sp->napi);
++              }
++      }
++err_fill_buff:
++      s2io_reset(sp);
++      free_rx_buffers(sp);
++      return ret;
+ }
+ /**
+-- 
+2.35.1
+
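Review bot: The new `err_out:` block in s2io_card_up() reads `config->napi` and `config->intr_type` but then `sp->config.rx_ring_num`, two spellings of what looks like the same structure. Pick one, e.g. `for (i = 0; i < config->rx_ring_num; i++)`. The label also assumes NAPI has already been enabled on every path that jumps to it (the `start_nic()` and `s2io_add_isr()` failures). The enable site lies between the hunks shown, so confirm it precedes both, because napi_disable() on an instance that was never enabled can block. A comment on the label such as `/* NAPI was enabled above; undo it before reset */` would record that ordering.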
diff --git a/queue-5.4/ethernet-tundra-free-irq-when-alloc-ring-failed-in-t.patch b/queue-5.4/ethernet-tundra-free-irq-when-alloc-ring-failed-in-t.patch
new file mode 100644 (file)
index 0000000..3e886fd
--- /dev/null
@@ -0,0 +1,45 @@
+From 189f00c53ad05bcc6da871892babdc314388824e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 12:40:16 +0800
+Subject: ethernet: tundra: free irq when alloc ring failed in tsi108_open()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit acce40037041f97baad18142bb253064491ebde3 ]
+
+When alloc tx/rx ring failed in tsi108_open(), it doesn't free irq. Fix
+it.
+
+Fixes: 5e123b844a1c ("[PATCH] Add tsi108/9 On Chip Ethernet device driver support")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Link: https://lore.kernel.org/r/20221109044016.126866-1-shaozhengchao@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/tundra/tsi108_eth.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/tundra/tsi108_eth.c b/drivers/net/ethernet/tundra/tsi108_eth.c
+index c62f474b6d08..fcebd2418dbd 100644
+--- a/drivers/net/ethernet/tundra/tsi108_eth.c
++++ b/drivers/net/ethernet/tundra/tsi108_eth.c
+@@ -1302,12 +1302,15 @@ static int tsi108_open(struct net_device *dev)
+       data->rxring = dma_alloc_coherent(&data->pdev->dev, rxring_size,
+                                         &data->rxdma, GFP_KERNEL);
+-      if (!data->rxring)
++      if (!data->rxring) {
++              free_irq(data->irq_num, dev);
+               return -ENOMEM;
++      }
+       data->txring = dma_alloc_coherent(&data->pdev->dev, txring_size,
+                                         &data->txdma, GFP_KERNEL);
+       if (!data->txring) {
++              free_irq(data->irq_num, dev);
+               dma_free_coherent(&data->pdev->dev, rxring_size, data->rxring,
+                                   data->rxdma);
+               return -ENOMEM;
+-- 
+2.35.1
+
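Review bot: The two failure branches after `dma_alloc_coherent()` in tsi108_open() now each repeat `free_irq(data->irq_num, dev);`, so the next resource added to this function has to remember to copy the call again. A single unwind path would keep the release order in one place: each branch sets the error code and does `goto err_free_irq;` (or a label above it that first frees the rx ring), with the labels at the end of the function releasing in reverse order of acquisition. The function starts and ends outside the hunk, so the label placement has to be checked against the rest of the body.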
diff --git a/queue-5.4/hamradio-fix-issue-of-dev-reference-count-leakage-in.patch b/queue-5.4/hamradio-fix-issue-of-dev-reference-count-leakage-in.patch
new file mode 100644 (file)
index 0000000..d1c36a7
--- /dev/null
@@ -0,0 +1,49 @@
+From ebafdc0758bc7d4ff53dedeeec196af707baa838 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 17:09:05 +0800
+Subject: hamradio: fix issue of dev reference count leakage in
+ bpq_device_event()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 85cbaf032d3cd9f595152625eda5d4ecb1d6d78d ]
+
+When following tests are performed, it will cause dev reference counting
+leakage.
+a)ip link add bond2 type bond mode balance-rr
+b)ip link set bond2 up
+c)ifenslave -f bond2 rose1
+d)ip link del bond2
+
+When new bond device is created, the default type of the bond device is
+ether. And the bond device is up, bpq_device_event() receives the message
+and creates a new bpq device. In this case, the reference count value of
+dev is hold once. But after "ifenslave -f bond2 rose1" command is
+executed, the type of the bond device is changed to rose. When the bond
+device is unregistered, bpq_device_event() will not put the dev reference
+count.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hamradio/bpqether.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/hamradio/bpqether.c b/drivers/net/hamradio/bpqether.c
+index e2ad3c2e8df5..e0b9823170bf 100644
+--- a/drivers/net/hamradio/bpqether.c
++++ b/drivers/net/hamradio/bpqether.c
+@@ -511,7 +511,7 @@ static int bpq_device_event(struct notifier_block *this,
+       if (!net_eq(dev_net(dev), &init_net))
+               return NOTIFY_DONE;
+-      if (!dev_is_ethdev(dev))
++      if (!dev_is_ethdev(dev) && !bpq_get_ax25_dev(dev))
+               return NOTIFY_DONE;
+       switch (event) {
+-- 
+2.35.1
+
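Review bot: The new condition `!dev_is_ethdev(dev) && !bpq_get_ax25_dev(dev)` in bpq_device_event() has no comment saying why a non-Ethernet device is now let through, and without the commit message it reads like a mistake. I would add above it `/* a device that already has a bpq device attached may have changed type since; keep handling its events so the reference is dropped */`. The same applies to the `lapbeth_get_x25_dev(dev)` check added to lapbeth_device_event() in the lapbether patch further down. Both functions continue outside their hunks, so it is worth confirming that the remaining `switch (event)` cases behave sensibly for a device that is no longer Ethernet.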
diff --git a/queue-5.4/hid-hyperv-fix-possible-memory-leak-in-mousevsc_prob.patch b/queue-5.4/hid-hyperv-fix-possible-memory-leak-in-mousevsc_prob.patch
new file mode 100644 (file)
index 0000000..7fc661a
--- /dev/null
@@ -0,0 +1,37 @@
+From 0cf7d85cc108ad44306d5c405519c9d517e43aa3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 21:40:43 +0800
+Subject: HID: hyperv: fix possible memory leak in mousevsc_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit b5bcb94b0954a026bbd671741fdb00e7141f9c91 ]
+
+If hid_add_device() returns error, it should call hid_destroy_device()
+to free hid_dev which is allocated in hid_allocate_device().
+
+Fixes: 74c4fb058083 ("HID: hv_mouse: Properly add the hid device")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-hyperv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-hyperv.c b/drivers/hid/hid-hyperv.c
+index 79a28fc91521..5928e934d734 100644
+--- a/drivers/hid/hid-hyperv.c
++++ b/drivers/hid/hid-hyperv.c
+@@ -492,7 +492,7 @@ static int mousevsc_probe(struct hv_device *device,
+       ret = hid_add_device(hid_dev);
+       if (ret)
+-              goto probe_err1;
++              goto probe_err2;
+       ret = hid_parse(hid_dev);
+-- 
+2.35.1
+
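Review bot: `goto probe_err2;` after the `hid_add_device()` failure in mousevsc_probe() relies on numbered labels whose meaning is only visible at the end of the function, outside this hunk, which is presumably how the wrong target went unnoticed. A short comment at the jump would make the intent checkable in place, for example `/* hid_dev is allocated here; probe_err2 must release it with hid_destroy_device() */`. The branch taken when the following `hid_parse()` call fails is cut off by the hunk, so I could not check that it unwinds through the same label.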
diff --git a/queue-5.4/ipv6-addrlabel-fix-infoleak-when-sending-struct-ifad.patch b/queue-5.4/ipv6-addrlabel-fix-infoleak-when-sending-struct-ifad.patch
new file mode 100644 (file)
index 0000000..961a211
--- /dev/null
@@ -0,0 +1,77 @@
+From 59b93531fcfcd27b2b243055168927a6248073f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 11:32:16 +0100
+Subject: ipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to
+ network
+
+From: Alexander Potapenko <glider@google.com>
+
+[ Upstream commit c23fb2c82267638f9d206cb96bb93e1f93ad7828 ]
+
+When copying a `struct ifaddrlblmsg` to the network, __ifal_reserved
+remained uninitialized, resulting in a 1-byte infoleak:
+
+  BUG: KMSAN: kernel-network-infoleak in __netdev_start_xmit ./include/linux/netdevice.h:4841
+   __netdev_start_xmit ./include/linux/netdevice.h:4841
+   netdev_start_xmit ./include/linux/netdevice.h:4857
+   xmit_one net/core/dev.c:3590
+   dev_hard_start_xmit+0x1dc/0x800 net/core/dev.c:3606
+   __dev_queue_xmit+0x17e8/0x4350 net/core/dev.c:4256
+   dev_queue_xmit ./include/linux/netdevice.h:3009
+   __netlink_deliver_tap_skb net/netlink/af_netlink.c:307
+   __netlink_deliver_tap+0x728/0xad0 net/netlink/af_netlink.c:325
+   netlink_deliver_tap net/netlink/af_netlink.c:338
+   __netlink_sendskb net/netlink/af_netlink.c:1263
+   netlink_sendskb+0x1d9/0x200 net/netlink/af_netlink.c:1272
+   netlink_unicast+0x56d/0xf50 net/netlink/af_netlink.c:1360
+   nlmsg_unicast ./include/net/netlink.h:1061
+   rtnl_unicast+0x5a/0x80 net/core/rtnetlink.c:758
+   ip6addrlbl_get+0xfad/0x10f0 net/ipv6/addrlabel.c:628
+   rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082
+  ...
+  Uninit was created at:
+   slab_post_alloc_hook+0x118/0xb00 mm/slab.h:742
+   slab_alloc_node mm/slub.c:3398
+   __kmem_cache_alloc_node+0x4f2/0x930 mm/slub.c:3437
+   __do_kmalloc_node mm/slab_common.c:954
+   __kmalloc_node_track_caller+0x117/0x3d0 mm/slab_common.c:975
+   kmalloc_reserve net/core/skbuff.c:437
+   __alloc_skb+0x27a/0xab0 net/core/skbuff.c:509
+   alloc_skb ./include/linux/skbuff.h:1267
+   nlmsg_new ./include/net/netlink.h:964
+   ip6addrlbl_get+0x490/0x10f0 net/ipv6/addrlabel.c:608
+   rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082
+   netlink_rcv_skb+0x299/0x550 net/netlink/af_netlink.c:2540
+   rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6109
+   netlink_unicast_kernel net/netlink/af_netlink.c:1319
+   netlink_unicast+0x9ab/0xf50 net/netlink/af_netlink.c:1345
+   netlink_sendmsg+0xebc/0x10f0 net/netlink/af_netlink.c:1921
+  ...
+
+This patch ensures that the reserved field is always initialized.
+
+Reported-by: syzbot+3553517af6020c4f2813f1003fe76ef3cbffe98d@syzkaller.appspotmail.com
+Fixes: 2a8cc6c89039 ("[IPV6] ADDRCONF: Support RFC3484 configurable address selection policy table.")
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/addrlabel.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv6/addrlabel.c b/net/ipv6/addrlabel.c
+index 8a22486cf270..17ac45aa7194 100644
+--- a/net/ipv6/addrlabel.c
++++ b/net/ipv6/addrlabel.c
+@@ -437,6 +437,7 @@ static void ip6addrlbl_putmsg(struct nlmsghdr *nlh,
+ {
+       struct ifaddrlblmsg *ifal = nlmsg_data(nlh);
+       ifal->ifal_family = AF_INET6;
++      ifal->__ifal_reserved = 0;
+       ifal->ifal_prefixlen = prefixlen;
+       ifal->ifal_flags = 0;
+       ifal->ifal_index = ifindex;
+-- 
+2.35.1
+
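Review bot: ip6addrlbl_putmsg() still initialises `struct ifaddrlblmsg` one member at a time, so the added `ifal->__ifal_reserved = 0;` closes this leak but any member missed or added later reintroduces it, because the KMSAN report shows the backing skb memory arrives uninitialised. Zeroing the header once before the assignments is more robust: `memset(ifal, 0, sizeof(*ifal));` directly after the `nlmsg_data(nlh)` line, after which the explicit `= 0` stores become optional. The function's remaining assignments are outside the hunk, so I could not confirm that every other member is written before the message is sent.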
diff --git a/queue-5.4/net-cpsw-disable-napi-in-cpsw_ndo_open.patch b/queue-5.4/net-cpsw-disable-napi-in-cpsw_ndo_open.patch
new file mode 100644 (file)
index 0000000..4fd8b06
--- /dev/null
@@ -0,0 +1,38 @@
+From 7e311880f36784ef56ef69aecb1ed2d0d241dc2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 09:15:37 +0800
+Subject: net: cpsw: disable napi in cpsw_ndo_open()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 6d47b53fb3f363a74538a1dbd09954af3d8d4131 ]
+
+When failed to create xdp rxqs or fill rx channels in cpsw_ndo_open() for
+opening device, napi isn't disabled. When open cpsw device next time, it
+will report a invalid opcode issue. Compiled tested only.
+
+Fixes: d354eb85d618 ("drivers: net: cpsw: dual_emac: simplify napi usage")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Link: https://lore.kernel.org/r/20221109011537.96975-1-shaozhengchao@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/cpsw.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/ti/cpsw.c b/drivers/net/ethernet/ti/cpsw.c
+index 33eca554424a..774a72db7c96 100644
+--- a/drivers/net/ethernet/ti/cpsw.c
++++ b/drivers/net/ethernet/ti/cpsw.c
+@@ -1753,6 +1753,8 @@ static int cpsw_ndo_open(struct net_device *ndev)
+ err_cleanup:
+       if (!cpsw->usage_count) {
++              napi_disable(&cpsw->napi_rx);
++              napi_disable(&cpsw->napi_tx);
+               cpdma_ctlr_stop(cpsw->dma);
+               cpsw_destroy_xdp_rxqs(cpsw);
+       }
+-- 
+2.35.1
+
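Review bot: The two `napi_disable()` calls added under `err_cleanup:` in cpsw_ndo_open() run for every jump to that label while `usage_count` is zero, but the jumps and the matching `napi_enable()` calls are outside the hunk. `napi_disable()` on an instance that was never enabled is expected to block rather than return, so it should be confirmed that no `goto err_cleanup` can happen before NAPI is enabled; if one can, it needs its own label placed after the disable calls. The commit message says the change was compile tested only, which makes that check worth doing before it lands in a stable tree. The same question applies to `napi_disable(&mp->napi);` added at `out:` in mv643xx_eth_open() and `napi_disable(&priv->napi);` added at `err_tx_irq:` in nixge_open() further down.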
diff --git a/queue-5.4/net-cxgb3_main-disable-napi-when-bind-qsets-failed-i.patch b/queue-5.4/net-cxgb3_main-disable-napi-when-bind-qsets-failed-i.patch
new file mode 100644 (file)
index 0000000..a5cea0f
--- /dev/null
@@ -0,0 +1,37 @@
+From a86a1f037af7a70ebef4458343416a3b9cbd5b8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 10:14:51 +0800
+Subject: net: cxgb3_main: disable napi when bind qsets failed in cxgb_up()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit d75aed1428da787cbe42bc073d76f1354f364d92 ]
+
+When failed to bind qsets in cxgb_up() for opening device, napi isn't
+disabled. When open cxgb3 device next time, it will trigger a BUG_ON()
+in napi_enable(). Compile tested only.
+
+Fixes: 48c4b6dbb7e2 ("cxgb3 - fix port up/down error path")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Link: https://lore.kernel.org/r/20221109021451.121490-1-shaozhengchao@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+index 97ff8608f0ab..b0fd22cbeef4 100644
+--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+@@ -1303,6 +1303,7 @@ static int cxgb_up(struct adapter *adap)
+               if (ret < 0) {
+                       CH_ERR(adap, "failed to bind qsets, err %d\n", ret);
+                       t3_intr_disable(adap);
++                      quiesce_rx(adap);
+                       free_irq_resources(adap);
+                       err = ret;
+                       goto out;
+-- 
+2.35.1
+
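Review bot: The added `quiesce_rx(adap);` in the bind-qsets failure branch of cxgb_up() does not say that it is the NAPI teardown, and its definition is not in the hunk. A one-line comment would tie it to what it undoes, e.g. `/* disable the NAPI instances enabled earlier in cxgb_up() */`, assuming that is what quiesce_rx() does, as the commit message implies. cxgb_up() starts and ends outside the hunk, so the point where NAPI is enabled could not be checked here.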
diff --git a/queue-5.4/net-fman-unregister-ethernet-device-on-removal.patch b/queue-5.4/net-fman-unregister-ethernet-device-on-removal.patch
new file mode 100644 (file)
index 0000000..74970d5
--- /dev/null
@@ -0,0 +1,53 @@
+From dc2340db6fc4b13d4d722460255e97b5be5fd6b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 14:28:30 -0400
+Subject: net: fman: Unregister ethernet device on removal
+
+From: Sean Anderson <sean.anderson@seco.com>
+
+[ Upstream commit b7cbc6740bd6ad5d43345a2504f7e4beff0d709f ]
+
+When the mac device gets removed, it leaves behind the ethernet device.
+This will result in a segfault next time the ethernet device accesses
+mac_dev. Remove the ethernet device when we get removed to prevent
+this. This is not completely reversible, since some resources aren't
+cleaned up properly, but that can be addressed later.
+
+Fixes: 3933961682a3 ("fsl/fman: Add FMan MAC driver")
+Signed-off-by: Sean Anderson <sean.anderson@seco.com>
+Link: https://lore.kernel.org/r/20221103182831.2248833-1-sean.anderson@seco.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fman/mac.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/net/ethernet/freescale/fman/mac.c b/drivers/net/ethernet/freescale/fman/mac.c
+index 147126e79986..8e2a243aa102 100644
+--- a/drivers/net/ethernet/freescale/fman/mac.c
++++ b/drivers/net/ethernet/freescale/fman/mac.c
+@@ -885,12 +885,21 @@ static int mac_probe(struct platform_device *_of_dev)
+       return err;
+ }
++static int mac_remove(struct platform_device *pdev)
++{
++      struct mac_device *mac_dev = platform_get_drvdata(pdev);
++
++      platform_device_unregister(mac_dev->priv->eth_dev);
++      return 0;
++}
++
+ static struct platform_driver mac_driver = {
+       .driver = {
+               .name           = KBUILD_MODNAME,
+               .of_match_table = mac_match,
+       },
+       .probe          = mac_probe,
++      .remove         = mac_remove,
+ };
+ builtin_platform_driver(mac_driver);
+-- 
+2.35.1
+
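Review bot: mac_remove() dereferences `mac_dev->priv->eth_dev` straight from `platform_get_drvdata(pdev)` with no check, and the place where mac_probe() stores the driver data is not in the hunk. For a backport it should be confirmed that the 5.4 mac_probe() sets drvdata to the `struct mac_device` on every path that returns success, and what `eth_dev` holds when creating the Ethernet device failed; otherwise unbinding the driver would dereference a NULL or stale pointer. If that cannot be guaranteed, guard the call with `if (mac_dev && mac_dev->priv)`. The commit message also says some resources are still not released, so a `/* TODO */` comment in mac_remove() recording that would keep it visible in the code.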
diff --git a/queue-5.4/net-gso-fix-panic-on-frag_list-with-mixed-head-alloc.patch b/queue-5.4/net-gso-fix-panic-on-frag_list-with-mixed-head-alloc.patch
new file mode 100644 (file)
index 0000000..363e229
--- /dev/null
@@ -0,0 +1,105 @@
+From 329252c144d294147eb887978905a87450bdb439 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 17:53:25 +0100
+Subject: net: gso: fix panic on frag_list with mixed head alloc types
+
+From: Jiri Benc <jbenc@redhat.com>
+
+[ Upstream commit 9e4b7a99a03aefd37ba7bb1f022c8efab5019165 ]
+
+Since commit 3dcbdb134f32 ("net: gso: Fix skb_segment splat when
+splitting gso_size mangled skb having linear-headed frag_list"), it is
+allowed to change gso_size of a GRO packet. However, that commit assumes
+that "checking the first list_skb member suffices; i.e if either of the
+list_skb members have non head_frag head, then the first one has too".
+
+It turns out this assumption does not hold. We've seen BUG_ON being hit
+in skb_segment when skbs on the frag_list had differing head_frag with
+the vmxnet3 driver. This happens because __netdev_alloc_skb and
+__napi_alloc_skb can return a skb that is page backed or kmalloced
+depending on the requested size. As the result, the last small skb in
+the GRO packet can be kmalloced.
+
+There are three different locations where this can be fixed:
+
+(1) We could check head_frag in GRO and not allow GROing skbs with
+    different head_frag. However, that would lead to performance
+    regression on normal forward paths with unmodified gso_size, where
+    !head_frag in the last packet is not a problem.
+
+(2) Set a flag in bpf_skb_net_grow and bpf_skb_net_shrink indicating
+    that NETIF_F_SG is undesirable. That would need to eat a bit in
+    sk_buff. Furthermore, that flag can be unset when all skbs on the
+    frag_list are page backed. To retain good performance,
+    bpf_skb_net_grow/shrink would have to walk the frag_list.
+
+(3) Walk the frag_list in skb_segment when determining whether
+    NETIF_F_SG should be cleared. This of course slows things down.
+
+This patch implements (3). To limit the performance impact in
+skb_segment, the list is walked only for skbs with SKB_GSO_DODGY set
+that have gso_size changed. Normal paths thus will not hit it.
+
+We could check only the last skb but since we need to walk the whole
+list anyway, let's stay on the safe side.
+
+Fixes: 3dcbdb134f32 ("net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list")
+Signed-off-by: Jiri Benc <jbenc@redhat.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/e04426a6a91baf4d1081e1b478c82b5de25fdf21.1667407944.git.jbenc@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skbuff.c | 36 +++++++++++++++++++-----------------
+ 1 file changed, 19 insertions(+), 17 deletions(-)
+
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index c9fe2c0b8cae..e9c796e2944e 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3700,23 +3700,25 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
+       int pos;
+       int dummy;
+-      if (list_skb && !list_skb->head_frag && skb_headlen(list_skb) &&
+-          (skb_shinfo(head_skb)->gso_type & SKB_GSO_DODGY)) {
+-              /* gso_size is untrusted, and we have a frag_list with a linear
+-               * non head_frag head.
+-               *
+-               * (we assume checking the first list_skb member suffices;
+-               * i.e if either of the list_skb members have non head_frag
+-               * head, then the first one has too).
+-               *
+-               * If head_skb's headlen does not fit requested gso_size, it
+-               * means that the frag_list members do NOT terminate on exact
+-               * gso_size boundaries. Hence we cannot perform skb_frag_t page
+-               * sharing. Therefore we must fallback to copying the frag_list
+-               * skbs; we do so by disabling SG.
+-               */
+-              if (mss != GSO_BY_FRAGS && mss != skb_headlen(head_skb))
+-                      features &= ~NETIF_F_SG;
++      if ((skb_shinfo(head_skb)->gso_type & SKB_GSO_DODGY) &&
++          mss != GSO_BY_FRAGS && mss != skb_headlen(head_skb)) {
++              struct sk_buff *check_skb;
++
++              for (check_skb = list_skb; check_skb; check_skb = check_skb->next) {
++                      if (skb_headlen(check_skb) && !check_skb->head_frag) {
++                              /* gso_size is untrusted, and we have a frag_list with
++                               * a linear non head_frag item.
++                               *
++                               * If head_skb's headlen does not fit requested gso_size,
++                               * it means that the frag_list members do NOT terminate
++                               * on exact gso_size boundaries. Hence we cannot perform
++                               * skb_frag_t page sharing. Therefore we must fallback to
++                               * copying the frag_list skbs; we do so by disabling SG.
++                               */
++                              features &= ~NETIF_F_SG;
++                              break;
++                      }
++              }
+       }
+       __skb_push(head_skb, doffset);
+-- 
+2.35.1
+
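Review bot: The rewritten block in skb_segment() drops the old comment's stated assumption but does not say why every frag_list member is now inspected. One line above the `for` loop would record it: `/* head_frag can differ between frag_list members, so check each one */`. The existing block comment could also move above the outer `if`, since the gso_size and headlen conditions it describes are tested there rather than inside the loop.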
diff --git a/queue-5.4/net-lapbether-fix-issue-of-dev-reference-count-leaka.patch b/queue-5.4/net-lapbether-fix-issue-of-dev-reference-count-leaka.patch
new file mode 100644 (file)
index 0000000..3789d40
--- /dev/null
@@ -0,0 +1,49 @@
+From d61e5d2eee9ea323622b925242b8abae8b1b1b5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 17:05:37 +0800
+Subject: net: lapbether: fix issue of dev reference count leakage in
+ lapbeth_device_event()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 531705a765493655472c993627106e19f7e5a6d2 ]
+
+When following tests are performed, it will cause dev reference counting
+leakage.
+a)ip link add bond2 type bond mode balance-rr
+b)ip link set bond2 up
+c)ifenslave -f bond2 rose1
+d)ip link del bond2
+
+When new bond device is created, the default type of the bond device is
+ether. And the bond device is up, lapbeth_device_event() receives the
+message and creates a new lapbeth device. In this case, the reference
+count value of dev is hold once. But after "ifenslave -f bond2 rose1"
+command is executed, the type of the bond device is changed to rose. When
+the bond device is unregistered, lapbeth_device_event() will not put the
+dev reference count.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/lapbether.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c
+index 4e42954d8cbf..bbcd8ef2873f 100644
+--- a/drivers/net/wan/lapbether.c
++++ b/drivers/net/wan/lapbether.c
+@@ -403,7 +403,7 @@ static int lapbeth_device_event(struct notifier_block *this,
+       if (dev_net(dev) != &init_net)
+               return NOTIFY_DONE;
+-      if (!dev_is_ethdev(dev))
++      if (!dev_is_ethdev(dev) && !lapbeth_get_x25_dev(dev))
+               return NOTIFY_DONE;
+       switch (event) {
+-- 
+2.35.1
+
diff --git a/queue-5.4/net-macvlan-fix-memory-leaks-of-macvlan_common_newli.patch b/queue-5.4/net-macvlan-fix-memory-leaks-of-macvlan_common_newli.patch
new file mode 100644 (file)
index 0000000..b1faf5d
--- /dev/null
@@ -0,0 +1,68 @@
+From d21a54d5605dea96f8f2c3f7a3bf2d2f43d89f34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 17:07:34 +0800
+Subject: net: macvlan: fix memory leaks of macvlan_common_newlink
+
+From: Chuang Wang <nashuiliang@gmail.com>
+
+[ Upstream commit 23569b5652ee8e8e55a12f7835f59af6f3cefc30 ]
+
+kmemleak reports memory leaks in macvlan_common_newlink, as follows:
+
+ ip link add link eth0 name .. type macvlan mode source macaddr add
+ <MAC-ADDR>
+
+kmemleak reports:
+
+unreferenced object 0xffff8880109bb140 (size 64):
+  comm "ip", pid 284, jiffies 4294986150 (age 430.108s)
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 b8 aa 5a 12 80 88 ff ff  ..........Z.....
+    80 1b fa 0d 80 88 ff ff 1e ff ac af c7 c1 6b 6b  ..............kk
+  backtrace:
+    [<ffffffff813e06a7>] kmem_cache_alloc_trace+0x1c7/0x300
+    [<ffffffff81b66025>] macvlan_hash_add_source+0x45/0xc0
+    [<ffffffff81b66a67>] macvlan_changelink_sources+0xd7/0x170
+    [<ffffffff81b6775c>] macvlan_common_newlink+0x38c/0x5a0
+    [<ffffffff81b6797e>] macvlan_newlink+0xe/0x20
+    [<ffffffff81d97f8f>] __rtnl_newlink+0x7af/0xa50
+    [<ffffffff81d98278>] rtnl_newlink+0x48/0x70
+    ...
+
+In the scenario where the macvlan mode is configured as 'source',
+macvlan_changelink_sources() will be execured to reconfigure list of
+remote source mac addresses, at the same time, if register_netdevice()
+return an error, the resource generated by macvlan_changelink_sources()
+is not cleaned up.
+
+Using this patch, in the case of an error, it will execute
+macvlan_flush_sources() to ensure that the resource is cleaned up.
+
+Fixes: aa5fd0fb7748 ("driver: macvlan: Destroy new macvlan port if macvlan_common_newlink failed.")
+Signed-off-by: Chuang Wang <nashuiliang@gmail.com>
+Link: https://lore.kernel.org/r/20221109090735.690500-1-nashuiliang@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macvlan.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
+index 07622cf8765a..253c0605f6e6 100644
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -1499,8 +1499,10 @@ int macvlan_common_newlink(struct net *src_net, struct net_device *dev,
+       /* the macvlan port may be freed by macvlan_uninit when fail to register.
+        * so we destroy the macvlan port only when it's valid.
+        */
+-      if (create && macvlan_port_get_rtnl(lowerdev))
++      if (create && macvlan_port_get_rtnl(lowerdev)) {
++              macvlan_flush_sources(port, vlan);
+               macvlan_port_destroy(port->dev);
++      }
+       return err;
+ }
+ EXPORT_SYMBOL_GPL(macvlan_common_newlink);
+-- 
+2.35.1
+
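Review bot: `macvlan_flush_sources(port, vlan);` is only reached when `create` is set, so on the error path for a lower device that already had a macvlan port the source entries added for this `vlan` appear to stay in the port's table. Those entries would then refer to a vlan the caller is about to release, which is a dangling reference rather than just the leak kmemleak reported. The jumps to this label are outside the hunk, so this needs checking against them. If confirmed, test `macvlan_port_get_rtnl(lowerdev)` first, flush inside that branch, and keep only `macvlan_port_destroy(port->dev);` under `create`; the flush must stay behind the port-validity check because the existing comment says the port may already have been freed.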
diff --git a/queue-5.4/net-mlx5-allow-async-trigger-completion-execution-on.patch b/queue-5.4/net-mlx5-allow-async-trigger-completion-execution-on.patch
new file mode 100644 (file)
index 0000000..214a595
--- /dev/null
@@ -0,0 +1,58 @@
+From 60718a93b4c3fb096f281ba6bdc14ac3f091517f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 23:55:38 -0700
+Subject: net/mlx5: Allow async trigger completion execution on single CPU
+ systems
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Roy Novich <royno@nvidia.com>
+
+[ Upstream commit 2808b37b59288ad8f1897e3546c2296df3384b65 ]
+
+For a single CPU system, the kernel thread executing mlx5_cmd_flush()
+never releases the CPU but calls down_trylock(&cmd→sem) in a busy loop.
+On a single processor system, this leads to a deadlock as the kernel
+thread which executes mlx5_cmd_invoke() never gets scheduled. Fix this,
+by adding the cond_resched() call to the loop, allow the command
+completion kernel thread to execute.
+
+Fixes: 8e715cd613a1 ("net/mlx5: Set command entry semaphore up once got index free")
+Signed-off-by: Alexander Schmidt <alexschm@de.ibm.com>
+Signed-off-by: Roy Novich <royno@nvidia.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+index 4fdc97304f69..e00a8eb7716f 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -1682,12 +1682,17 @@ void mlx5_cmd_flush(struct mlx5_core_dev *dev)
+       struct mlx5_cmd *cmd = &dev->cmd;
+       int i;
+-      for (i = 0; i < cmd->max_reg_cmds; i++)
+-              while (down_trylock(&cmd->sem))
++      for (i = 0; i < cmd->max_reg_cmds; i++) {
++              while (down_trylock(&cmd->sem)) {
+                       mlx5_cmd_trigger_completions(dev);
++                      cond_resched();
++              }
++      }
+-      while (down_trylock(&cmd->pages_sem))
++      while (down_trylock(&cmd->pages_sem)) {
+               mlx5_cmd_trigger_completions(dev);
++              cond_resched();
++      }
+       /* Unlock cmdif */
+       up(&cmd->pages_sem);
+-- 
+2.35.1
+
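Review bot: The `cond_resched()` calls added to both `down_trylock()` loops in mlx5_cmd_flush() turn the function into a possible reschedule point, and its callers are not visible in the hunk. It should be confirmed that every caller runs in process context without a spinlock held, since the previous busy loop had no such requirement. A comment on the first loop would also preserve the reason, e.g. `/* yield so the completion work can run when there is only one CPU */`.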
diff --git a/queue-5.4/net-mv643xx_eth-disable-napi-when-init-rxq-or-txq-fa.patch b/queue-5.4/net-mv643xx_eth-disable-napi-when-init-rxq-or-txq-fa.patch
new file mode 100644 (file)
index 0000000..053af8b
--- /dev/null
@@ -0,0 +1,38 @@
+From d7b746eec9e46a0efb00a45c6b7d240d810a23b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 10:54:32 +0800
+Subject: net: mv643xx_eth: disable napi when init rxq or txq failed in
+ mv643xx_eth_open()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit f111606b63ff2282428ffbac0447c871eb957b6c ]
+
+When failed to init rxq or txq in mv643xx_eth_open() for opening device,
+napi isn't disabled. When open mv643xx_eth device next time, it will
+trigger a BUG_ON() in napi_enable(). Compile tested only.
+
+Fixes: 2257e05c1705 ("mv643xx_eth: get rid of receive-side locking")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Link: https://lore.kernel.org/r/20221109025432.80900-1-shaozhengchao@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mv643xx_eth.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/marvell/mv643xx_eth.c b/drivers/net/ethernet/marvell/mv643xx_eth.c
+index 82ea55ae5053..10e5c4c59657 100644
+--- a/drivers/net/ethernet/marvell/mv643xx_eth.c
++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c
+@@ -2476,6 +2476,7 @@ static int mv643xx_eth_open(struct net_device *dev)
+       for (i = 0; i < mp->rxq_count; i++)
+               rxq_deinit(mp->rxq + i);
+ out:
++      napi_disable(&mp->napi);
+       free_irq(dev->irq, dev);
+       return err;
+-- 
+2.35.1
+
diff --git a/queue-5.4/net-nixge-disable-napi-when-enable-interrupts-failed.patch b/queue-5.4/net-nixge-disable-napi-when-enable-interrupts-failed.patch
new file mode 100644 (file)
index 0000000..bb556c6
--- /dev/null
@@ -0,0 +1,38 @@
+From 3fccfe82e21e3d67ab7b92cbbf5ce87af4dfda17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 18:14:43 +0800
+Subject: net: nixge: disable napi when enable interrupts failed in
+ nixge_open()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit b06334919c7a068d54ba5b219c05e919d89943f7 ]
+
+When failed to enable interrupts in nixge_open() for opening device,
+napi isn't disabled. When open nixge device next time, it will reports
+a invalid opcode issue. Fix it. Only be compiled, not be tested.
+
+Fixes: 492caffa8a1a ("net: ethernet: nixge: Add support for National Instruments XGE netdev")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Link: https://lore.kernel.org/r/20221107101443.120205-1-shaozhengchao@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ni/nixge.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/ni/nixge.c b/drivers/net/ethernet/ni/nixge.c
+index 56f285985b43..ffd44edfffbf 100644
+--- a/drivers/net/ethernet/ni/nixge.c
++++ b/drivers/net/ethernet/ni/nixge.c
+@@ -899,6 +899,7 @@ static int nixge_open(struct net_device *ndev)
+ err_rx_irq:
+       free_irq(priv->tx_irq, ndev);
+ err_tx_irq:
++      napi_disable(&priv->napi);
+       phy_stop(phy);
+       phy_disconnect(phy);
+       tasklet_kill(&priv->dma_err_tasklet);
+-- 
+2.35.1
+
diff --git a/queue-5.4/net-tun-fix-memory-leaks-of-napi_get_frags.patch b/queue-5.4/net-tun-fix-memory-leaks-of-napi_get_frags.patch
new file mode 100644 (file)
index 0000000..0dad492
--- /dev/null
@@ -0,0 +1,73 @@
+From 36503adb31c6a66d1cdc71aaa05b954f89b0ab6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 17:41:19 +0800
+Subject: net: tun: Fix memory leaks of napi_get_frags
+
+From: Wang Yufen <wangyufen@huawei.com>
+
+[ Upstream commit 1118b2049d77ca0b505775fc1a8d1909cf19a7ec ]
+
+kmemleak reports after running test_progs:
+
+unreferenced object 0xffff8881b1672dc0 (size 232):
+  comm "test_progs", pid 394388, jiffies 4354712116 (age 841.975s)
+  hex dump (first 32 bytes):
+    e0 84 d7 a8 81 88 ff ff 80 2c 67 b1 81 88 ff ff  .........,g.....
+    00 40 c5 9b 81 88 ff ff 00 00 00 00 00 00 00 00  .@..............
+  backtrace:
+    [<00000000c8f01748>] napi_skb_cache_get+0xd4/0x150
+    [<0000000041c7fc09>] __napi_build_skb+0x15/0x50
+    [<00000000431c7079>] __napi_alloc_skb+0x26e/0x540
+    [<000000003ecfa30e>] napi_get_frags+0x59/0x140
+    [<0000000099b2199e>] tun_get_user+0x183d/0x3bb0 [tun]
+    [<000000008a5adef0>] tun_chr_write_iter+0xc0/0x1b1 [tun]
+    [<0000000049993ff4>] do_iter_readv_writev+0x19f/0x320
+    [<000000008f338ea2>] do_iter_write+0x135/0x630
+    [<000000008a3377a4>] vfs_writev+0x12e/0x440
+    [<00000000a6b5639a>] do_writev+0x104/0x280
+    [<00000000ccf065d8>] do_syscall_64+0x3b/0x90
+    [<00000000d776e329>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+The issue occurs in the following scenarios:
+tun_get_user()
+  napi_gro_frags()
+    napi_frags_finish()
+      case GRO_NORMAL:
+        gro_normal_one()
+          list_add_tail(&skb->list, &napi->rx_list);
+          <-- While napi->rx_count < READ_ONCE(gro_normal_batch),
+          <-- gro_normal_list() is not called, napi->rx_list is not empty
+  <-- not ask to complete the gro work, will cause memory leaks in
+  <-- following tun_napi_del()
+...
+tun_napi_del()
+  netif_napi_del()
+    __netif_napi_del()
+    <-- &napi->rx_list is not empty, which caused memory leaks
+
+To fix, add napi_complete() after napi_gro_frags().
+
+Fixes: 90e33d459407 ("tun: enable napi_gro_frags() for TUN/TAP driver")
+Signed-off-by: Wang Yufen <wangyufen@huawei.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/tun.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index 22a46a1382ba..4d7b869db12a 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -2012,6 +2012,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
+               local_bh_disable();
+               napi_gro_frags(&tfile->napi);
++              napi_complete(&tfile->napi);
+               local_bh_enable();
+               mutex_unlock(&tfile->napi_mutex);
+       } else if (tfile->napi_enabled) {
+-- 
+2.35.1
+
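Review bot: The added `napi_complete(&tfile->napi);` in tun_get_user() runs from the write path, and nothing in this hunk shows the caller owning NAPI_STATE_SCHED, which napi_complete() expects of its caller. If this NAPI instance can be scheduled or polled at the same time, completing it here would race with that owner. Guarding the `napi_gro_frags()`/`napi_complete()` pair with `if (likely(napi_schedule_prep(&tfile->napi)))` and failing the write otherwise would close that gap. The path is driven by userspace writes to the tun device, so behaviour under concurrent writers should be confirmed. tun_get_user() begins and ends outside the hunk, and only `napi_mutex` is visible, so the rest of the locking is inferred.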
diff --git a/queue-5.4/perf-stat-fix-printing-os-prefix-in-csv-metrics-outp.patch b/queue-5.4/perf-stat-fix-printing-os-prefix-in-csv-metrics-outp.patch
new file mode 100644 (file)
index 0000000..d021073
--- /dev/null
@@ -0,0 +1,124 @@
+From b7023e5183355fe2d507dae483cab0e6545aedcf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 14:26:04 +0530
+Subject: perf stat: Fix printing os->prefix in CSV metrics output
+
+From: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+
+[ Upstream commit ad353b710c7493df3d4fc2d3a51819126bed2e81 ]
+
+'perf stat' with CSV output option prints an extra empty string as first
+field in metrics output line.  Sample output below:
+
+       # ./perf stat -x, --per-socket -a -C 1 ls
+       S0,1,1.78,msec,cpu-clock,1785146,100.00,0.973,CPUs utilized
+       S0,1,26,,context-switches,1781750,100.00,0.015,M/sec
+       S0,1,1,,cpu-migrations,1780526,100.00,0.561,K/sec
+       S0,1,1,,page-faults,1779060,100.00,0.561,K/sec
+       S0,1,875807,,cycles,1769826,100.00,0.491,GHz
+       S0,1,85281,,stalled-cycles-frontend,1767512,100.00,9.74,frontend cycles idle
+       S0,1,576839,,stalled-cycles-backend,1766260,100.00,65.86,backend cycles idle
+       S0,1,288430,,instructions,1762246,100.00,0.33,insn per cycle
+====>  ,S0,1,,,,,,,2.00,stalled cycles per insn
+
+The above command line uses field separator as "," via "-x," option and
+per-socket option displays socket value as first field. But here the
+last line for "stalled cycles per insn" has "," in the beginning.
+
+Sample output using interval mode:
+
+       # ./perf stat -I 1000 -x, --per-socket -a -C 1 ls
+       0.001813453,S0,1,1.87,msec,cpu-clock,1872052,100.00,0.002,CPUs utilized
+       0.001813453,S0,1,2,,context-switches,1868028,100.00,1.070,K/sec
+       ------
+       0.001813453,S0,1,85379,,instructions,1856754,100.00,0.32,insn per cycle
+====>  0.001813453,,S0,1,,,,,,,1.34,stalled cycles per insn
+
+Above result also has an extra CSV separator after
+the timestamp. Patch addresses extra field separator
+in the beginning of the metric output line.
+
+The counter stats are displayed by function
+"perf_stat__print_shadow_stats" in code
+"util/stat-shadow.c". While printing the stats info
+for "stalled cycles per insn", function "new_line_csv"
+is used as new_line callback.
+
+The new_line_csv function has check for "os->prefix"
+and if prefix is not null, it will be printed along
+with cvs separator.
+Snippet from "new_line_csv":
+       if (os->prefix)
+               fprintf(os->fh, "%s%s", os->prefix, config->csv_sep);
+
+Here os->prefix gets printed followed by ","
+which is the cvs separator. The os->prefix is
+used in interval mode option ( -I ), to print
+time stamp on every new line. But prefix is
+already set to contain CSV separator when used
+in interval mode for CSV option.
+
+Reference: Function "static void print_interval"
+Snippet:
+       sprintf(prefix, "%6lu.%09lu%s", ts->tv_sec, ts->tv_nsec, config->csv_sep);
+
+Also if prefix is not assigned (if not used with
+-I option), it gets set to empty string.
+Reference: function printout() in util/stat-display.c
+Snippet:
+       .prefix = prefix ? prefix : "",
+
+Since prefix already set to contain cvs_sep in interval
+option, patch removes printing config->csv_sep in
+new_line_csv function to avoid printing extra field.
+
+After the patch:
+
+       # ./perf stat -x, --per-socket -a -C 1 ls
+       S0,1,2.04,msec,cpu-clock,2045202,100.00,1.013,CPUs utilized
+       S0,1,2,,context-switches,2041444,100.00,979.289,/sec
+       S0,1,0,,cpu-migrations,2040820,100.00,0.000,/sec
+       S0,1,2,,page-faults,2040288,100.00,979.289,/sec
+       S0,1,254589,,cycles,2036066,100.00,0.125,GHz
+       S0,1,82481,,stalled-cycles-frontend,2032420,100.00,32.40,frontend cycles idle
+       S0,1,113170,,stalled-cycles-backend,2031722,100.00,44.45,backend cycles idle
+       S0,1,88766,,instructions,2030942,100.00,0.35,insn per cycle
+       S0,1,,,,,,,1.27,stalled cycles per insn
+
+Fixes: 92a61f6412d3a09d ("perf stat: Implement CSV metrics output")
+Reported-by: Disha Goel <disgoel@linux.vnet.ibm.com>
+Reviewed-By: Kajol Jain <kjain@linux.ibm.com>
+Signed-off-by: Athira Jajeev <atrajeev@linux.vnet.ibm.com>
+Tested-by: Disha Goel <disgoel@linux.vnet.ibm.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: James Clark <james.clark@arm.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: linuxppc-dev@lists.ozlabs.org
+Cc: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Nageswara R Sastry <rnsastry@linux.ibm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: https://lore.kernel.org/r/20221018085605.63834-1-atrajeev@linux.vnet.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/stat-display.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/stat-display.c b/tools/perf/util/stat-display.c
+index 93147cc40162..e18c26501a7f 100644
+--- a/tools/perf/util/stat-display.c
++++ b/tools/perf/util/stat-display.c
+@@ -193,7 +193,7 @@ static void new_line_csv(struct perf_stat_config *config, void *ctx)
+       fputc('\n', os->fh);
+       if (os->prefix)
+-              fprintf(os->fh, "%s%s", os->prefix, config->csv_sep);
++              fprintf(os->fh, "%s", os->prefix);
+       aggr_printout(config, os->evsel, os->id, os->nr);
+       for (i = 0; i < os->nfields; i++)
+               fputs(config->csv_sep, os->fh);
+-- 
+2.35.1
+
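Review bot: The new `fprintf(os->fh, "%s", os->prefix);` in new_line_csv() is a plain string write and would read better as `fputs(os->prefix, os->fh);`, matching the `fputs(config->csv_sep, os->fh)` call two lines below. A short comment such as `/* prefix already ends with csv_sep in interval mode */` would also record why the separator is no longer appended here. According to the commit message, that invariant is set up in print_interval() and not in this function. new_line_csv() begins and ends outside the hunk.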
diff --git a/queue-5.4/phy-stm32-fix-an-error-code-in-probe.patch b/queue-5.4/phy-stm32-fix-an-error-code-in-probe.patch
new file mode 100644 (file)
index 0000000..991f5ac
--- /dev/null
@@ -0,0 +1,38 @@
+From aa8365ea94d48c30fda3a6ec5885ea6f604972e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Oct 2022 12:25:06 +0300
+Subject: phy: stm32: fix an error code in probe
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit ca1c73628f5bd0c1ef6e46073cc3be2450605b06 ]
+
+If "index > usbphyc->nphys" is true then this returns success but it
+should return -EINVAL.
+
+Fixes: 94c358da3a05 ("phy: stm32: add support for STM32 USB PHY Controller (USBPHYC)")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
+Link: https://lore.kernel.org/r/Y0kq8j6S+5nDdMpr@kili
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/st/phy-stm32-usbphyc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/phy/st/phy-stm32-usbphyc.c b/drivers/phy/st/phy-stm32-usbphyc.c
+index 56bdea4b0bd9..e643c21c1217 100644
+--- a/drivers/phy/st/phy-stm32-usbphyc.c
++++ b/drivers/phy/st/phy-stm32-usbphyc.c
+@@ -393,6 +393,8 @@ static int stm32_usbphyc_probe(struct platform_device *pdev)
+               ret = of_property_read_u32(child, "reg", &index);
+               if (ret || index > usbphyc->nphys) {
+                       dev_err(&phy->dev, "invalid reg property: %d\n", ret);
++                      if (!ret)
++                              ret = -EINVAL;
+                       goto put_child;
+               }
+-- 
+2.35.1
+
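Review bot: In the out-of-range case the `dev_err()` in stm32_usbphyc_probe() still prints `ret`, which is 0 when `of_property_read_u32()` succeeded and only `index > usbphyc->nphys` failed, so the log reads "invalid reg property: 0". Logging the offending value for that branch, e.g. `dev_err(&phy->dev, "invalid reg index: %u\n", index);`, or assigning `ret = -EINVAL` before the message, would make the log usable. It is also worth confirming that `index == usbphyc->nphys` is meant to be accepted. If index is zero-based the bound would need `>=`, but its use is outside the hunk. The function continues outside the hunk.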
diff --git a/queue-5.4/riscv-process-fix-kernel-info-leakage.patch b/queue-5.4/riscv-process-fix-kernel-info-leakage.patch
new file mode 100644 (file)
index 0000000..ea5e08f
--- /dev/null
@@ -0,0 +1,43 @@
+From 1f7a29999d55916fe720a82df33a703133743ee6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Oct 2022 19:34:50 +0800
+Subject: riscv: process: fix kernel info leakage
+
+From: Jisheng Zhang <jszhang@kernel.org>
+
+[ Upstream commit 6510c78490c490a6636e48b61eeaa6fb65981f4b ]
+
+thread_struct's s[12] may contain random kernel memory content, which
+may be finally leaked to userspace. This is a security hole. Fix it
+by clearing the s[12] array in thread_struct when fork.
+
+As for kthread case, it's better to clear the s[12] array as well.
+
+Fixes: 7db91e57a0ac ("RISC-V: Task implementation")
+Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
+Tested-by: Guo Ren <guoren@kernel.org>
+Link: https://lore.kernel.org/r/20221029113450.4027-1-jszhang@kernel.org
+Reviewed-by: Guo Ren <guoren@kernel.org>
+Link: https://lore.kernel.org/r/CAJF2gTSdVyAaM12T%2B7kXAdRPGS4VyuO08X1c7paE-n4Fr8OtRA@mail.gmail.com/
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/process.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c
+index 330b34706aa0..9d4b4098874b 100644
+--- a/arch/riscv/kernel/process.c
++++ b/arch/riscv/kernel/process.c
+@@ -104,6 +104,8 @@ int copy_thread_tls(unsigned long clone_flags, unsigned long usp,
+ {
+       struct pt_regs *childregs = task_pt_regs(p);
++      memset(&p->thread.s, 0, sizeof(p->thread.s));
++
+       /* p->thread holds context to be restored by __switch_to() */
+       if (unlikely(p->flags & PF_KTHREAD)) {
+               /* Kernel thread */
+-- 
+2.35.1
+
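Review bot: The new `memset(&p->thread.s, 0, sizeof(p->thread.s));` in copy_thread_tls() carries no comment saying that it exists to keep stale kernel data away from userspace, so a later cleanup could drop it as redundant initialisation. I would add `/* Clear s[] so uninitialised kernel memory is never restored into the new task */` above it. Only `s` is cleared here. Whether the remaining thread_struct fields are fully initialised on both the kthread and the user path cannot be seen from this hunk and is worth checking. The function body continues outside the hunk.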
index 25176f2fb29fa795c59be0477ab697def7b3917d..620eedfccad7028d0c4cde34de7449c7274a7250 100644 (file)
@@ -4,3 +4,34 @@ xfs-redesign-the-reflink-remap-loop-to-fix-blkres-depletion-crash.patch
 xfs-use-mmaplock-around-filemap_map_pages.patch
 xfs-preserve-inode-versioning-across-remounts.patch
 xfs-drain-the-buf-delwri-queue-before-xfsaild-idles.patch
+phy-stm32-fix-an-error-code-in-probe.patch
+wifi-cfg80211-silence-a-sparse-rcu-warning.patch
+wifi-cfg80211-fix-memory-leak-in-query_regdb_file.patch
+bpf-sockmap-fix-the-sk-sk_forward_alloc-warning-of-s.patch
+hid-hyperv-fix-possible-memory-leak-in-mousevsc_prob.patch
+net-gso-fix-panic-on-frag_list-with-mixed-head-alloc.patch
+net-tun-fix-memory-leaks-of-napi_get_frags.patch
+bnxt_en-fix-possible-crash-in-bnxt_hwrm_set_coal.patch
+bnxt_en-fix-potentially-incorrect-return-value-for-n.patch
+net-fman-unregister-ethernet-device-on-removal.patch
+capabilities-fix-undefined-behavior-in-bit-shift-for.patch
+net-lapbether-fix-issue-of-dev-reference-count-leaka.patch
+hamradio-fix-issue-of-dev-reference-count-leakage-in.patch
+drm-vc4-fix-missing-platform_unregister_drivers-call.patch
+ipv6-addrlabel-fix-infoleak-when-sending-struct-ifad.patch
+can-af_can-fix-null-pointer-dereference-in-can_rx_re.patch
+tipc-fix-the-msg-req-tlv-len-check-in-tipc_nl_compat.patch
+dmaengine-pxa_dma-use-platform_get_irq_optional.patch
+dmaengine-mv_xor_v2-fix-a-resource-leak-in-mv_xor_v2.patch
+drivers-net-xgene-disable-napi-when-register-irq-fai.patch
+perf-stat-fix-printing-os-prefix-in-csv-metrics-outp.patch
+net-nixge-disable-napi-when-enable-interrupts-failed.patch
+net-mlx5-allow-async-trigger-completion-execution-on.patch
+net-cpsw-disable-napi-in-cpsw_ndo_open.patch
+net-cxgb3_main-disable-napi-when-bind-qsets-failed-i.patch
+cxgb4vf-shut-down-the-adapter-when-t4vf_update_port_.patch
+ethernet-s2io-disable-napi-when-start-nic-failed-in-.patch
+net-mv643xx_eth-disable-napi-when-init-rxq-or-txq-fa.patch
+ethernet-tundra-free-irq-when-alloc-ring-failed-in-t.patch
+net-macvlan-fix-memory-leaks-of-macvlan_common_newli.patch
+riscv-process-fix-kernel-info-leakage.patch
diff --git a/queue-5.4/tipc-fix-the-msg-req-tlv-len-check-in-tipc_nl_compat.patch b/queue-5.4/tipc-fix-the-msg-req-tlv-len-check-in-tipc_nl_compat.patch
new file mode 100644 (file)
index 0000000..4217b8c
--- /dev/null
@@ -0,0 +1,59 @@
+From 3d8ae0da3b3c05fdda793ff52ee35089fa9ac7df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 16:48:53 -0400
+Subject: tipc: fix the msg->req tlv len check in
+ tipc_nl_compat_name_table_dump_header
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 1c075b192fe41030457cd4a5f7dea730412bca40 ]
+
+This is a follow-up for commit 974cb0e3e7c9 ("tipc: fix uninit-value
+in tipc_nl_compat_name_table_dump") where it should have type casted
+sizeof(..) to int to work when TLV_GET_DATA_LEN() returns a negative
+value.
+
+syzbot reported a call trace because of it:
+
+  BUG: KMSAN: uninit-value in ...
+   tipc_nl_compat_name_table_dump+0x841/0xea0 net/tipc/netlink_compat.c:934
+   __tipc_nl_compat_dumpit+0xab2/0x1320 net/tipc/netlink_compat.c:238
+   tipc_nl_compat_dumpit+0x991/0xb50 net/tipc/netlink_compat.c:321
+   tipc_nl_compat_recv+0xb6e/0x1640 net/tipc/netlink_compat.c:1324
+   genl_family_rcv_msg_doit net/netlink/genetlink.c:731 [inline]
+   genl_family_rcv_msg net/netlink/genetlink.c:775 [inline]
+   genl_rcv_msg+0x103f/0x1260 net/netlink/genetlink.c:792
+   netlink_rcv_skb+0x3a5/0x6c0 net/netlink/af_netlink.c:2501
+   genl_rcv+0x3c/0x50 net/netlink/genetlink.c:803
+   netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
+   netlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345
+   netlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921
+   sock_sendmsg_nosec net/socket.c:714 [inline]
+   sock_sendmsg net/socket.c:734 [inline]
+
+Reported-by: syzbot+e5dbaaa238680ce206ea@syzkaller.appspotmail.com
+Fixes: 974cb0e3e7c9 ("tipc: fix uninit-value in tipc_nl_compat_name_table_dump")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Link: https://lore.kernel.org/r/ccd6a7ea801b15aec092c3b532a883b4c5708695.1667594933.git.lucien.xin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/netlink_compat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
+index 561ea834f732..bef28e900b3e 100644
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -857,7 +857,7 @@ static int tipc_nl_compat_name_table_dump_header(struct tipc_nl_compat_msg *msg)
+       };
+       ntq = (struct tipc_name_table_query *)TLV_DATA(msg->req);
+-      if (TLV_GET_DATA_LEN(msg->req) < sizeof(struct tipc_name_table_query))
++      if (TLV_GET_DATA_LEN(msg->req) < (int)sizeof(struct tipc_name_table_query))
+               return -EINVAL;
+       depth = ntohl(ntq->depth);
+-- 
+2.35.1
+
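Review bot: The `(int)` cast on `sizeof(struct tipc_name_table_query)` in tipc_nl_compat_name_table_dump_header() is load-bearing but uncommented. Without it a negative `TLV_GET_DATA_LEN(msg->req)` is converted to unsigned and passes the length check. A comment such as `/* TLV_GET_DATA_LEN() may be negative; compare as int */` would keep the cast from being removed as noise. Any other comparison of TLV_GET_DATA_LEN() against a `sizeof` in this file would need the same treatment, though none are visible in this hunk. The function continues outside the hunk.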
diff --git a/queue-5.4/wifi-cfg80211-fix-memory-leak-in-query_regdb_file.patch b/queue-5.4/wifi-cfg80211-fix-memory-leak-in-query_regdb_file.patch
new file mode 100644 (file)
index 0000000..5c52efa
--- /dev/null
@@ -0,0 +1,55 @@
+From 451dd89b9cb03be0920b274ecade16c47c4ca906 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Oct 2022 13:40:40 +0200
+Subject: wifi: cfg80211: fix memory leak in query_regdb_file()
+
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+
+[ Upstream commit 57b962e627ec0ae53d4d16d7bd1033e27e67677a ]
+
+In the function query_regdb_file() the alpha2 parameter is duplicated
+using kmemdup() and subsequently freed in regdb_fw_cb(). However,
+request_firmware_nowait() can fail without calling regdb_fw_cb() and
+thus leak memory.
+
+Fixes: 007f6c5e6eb4 ("cfg80211: support loading regulatory database as firmware file")
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/reg.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/wireless/reg.c b/net/wireless/reg.c
+index 74caece77963..4db397db2fb4 100644
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -1060,6 +1060,8 @@ static void regdb_fw_cb(const struct firmware *fw, void *context)
+ static int query_regdb_file(const char *alpha2)
+ {
++      int err;
++
+       ASSERT_RTNL();
+       if (regdb)
+@@ -1069,9 +1071,13 @@ static int query_regdb_file(const char *alpha2)
+       if (!alpha2)
+               return -ENOMEM;
+-      return request_firmware_nowait(THIS_MODULE, true, "regulatory.db",
+-                                     &reg_pdev->dev, GFP_KERNEL,
+-                                     (void *)alpha2, regdb_fw_cb);
++      err = request_firmware_nowait(THIS_MODULE, true, "regulatory.db",
++                                    &reg_pdev->dev, GFP_KERNEL,
++                                    (void *)alpha2, regdb_fw_cb);
++      if (err)
++              kfree(alpha2);
++
++      return err;
+ }
+ int reg_reload_regdb(void)
+-- 
+2.35.1
+
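Review bot: Ownership of the duplicated `alpha2` in query_regdb_file() is now split between this function and regdb_fw_cb(), and nothing in the code says so. A comment above the `kfree(alpha2);` such as `/* regdb_fw_cb() will not run on failure, so the copy is still ours to free */` would document that the callback frees it only when request_firmware_nowait() returns 0. The lines of query_regdb_file() between the two inner hunks are not shown, so the duplication itself is taken from the commit message.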
diff --git a/queue-5.4/wifi-cfg80211-silence-a-sparse-rcu-warning.patch b/queue-5.4/wifi-cfg80211-silence-a-sparse-rcu-warning.patch
new file mode 100644 (file)
index 0000000..81010f0
--- /dev/null
@@ -0,0 +1,38 @@
+From 60858a532ce6fa7dc96b5c454da9ca9a8a044a94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Oct 2022 19:41:51 +0200
+Subject: wifi: cfg80211: silence a sparse RCU warning
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 03c0ad4b06c3566de624b4f4b78ac1a5d1e4c8e7 ]
+
+All we're going to do with this pointer is assign it to
+another __rcu pointer, but sparse can't see that, so
+use rcu_access_pointer() to silence the warning here.
+
+Fixes: c90b93b5b782 ("wifi: cfg80211: update hidden BSSes to avoid WARN_ON")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index c433235e6390..630c64520516 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -1166,7 +1166,9 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
+               if (old == rcu_access_pointer(known->pub.ies))
+                       rcu_assign_pointer(known->pub.ies, new->pub.beacon_ies);
+-              cfg80211_update_hidden_bsses(known, new->pub.beacon_ies, old);
++              cfg80211_update_hidden_bsses(known,
++                                           rcu_access_pointer(new->pub.beacon_ies),
++                                           old);
+               if (old)
+                       kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
+-- 
+2.35.1
+