--- /dev/null
+From ac10408efdc8891781765a29cae1c7c121436e22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Nov 2024 09:00:32 -0800
+Subject: cxl/pci: Fix potential bogus return value upon successful probing
+
+From: Davidlohr Bueso <dave@stgolabs.net>
+
+[ Upstream commit da4d8c83358163df9a4addaeba0ef8bcb03b22e8 ]
+
+If cxl_pci_ras_unmask() returns non-zero, cxl_pci_probe() will end up
+returning that value, instead of zero.
+
+Fixes: 248529edc86f ("cxl: add RAS status unmasking for CXL")
+Reviewed-by: Fan Ni <fan.ni@samsung.com>
+Signed-off-by: Davidlohr Bueso <dave@stgolabs.net>
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Link: https://patch.msgid.link/20241115170032.108445-1-dave@stgolabs.net
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cxl/pci.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/cxl/pci.c b/drivers/cxl/pci.c
+index 8bece1e2e249..aacd93f9067d 100644
+--- a/drivers/cxl/pci.c
++++ b/drivers/cxl/pci.c
+@@ -911,8 +911,7 @@ static int cxl_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ if (rc)
+ return rc;
+
+- rc = cxl_pci_ras_unmask(pdev);
+- if (rc)
++ if (cxl_pci_ras_unmask(pdev))
+ dev_dbg(&pdev->dev, "No RAS reporting unmasked\n");
+
+ pci_save_state(pdev);
+--
+2.39.5
+
--- /dev/null
+From 9a183cebac00374e4ce1cf167cdeda19fda2318b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2024 15:33:02 -0800
+Subject: cxl/region: Fix region creation for greater than x2 switches
+
+From: Huaisheng Ye <huaisheng.ye@intel.com>
+
+[ Upstream commit 76467a94810c2aa4dd3096903291ac6df30c399e ]
+
+The cxl_port_setup_targets() algorithm fails to identify valid target list
+ordering in the presence of 4-way and above switches resulting in
+'cxl create-region' failures of the form:
+
+ $ cxl create-region -d decoder0.0 -g 1024 -s 2G -t ram -w 8 -m mem4 mem1 mem6 mem3 mem2 mem5 mem7 mem0
+ cxl region: create_region: region0: failed to set target7 to mem0
+ cxl region: cmd_create_region: created 0 regions
+
+ [kernel debug message]
+ check_last_peer:1213: cxl region0: pci0000:0c:port1: cannot host mem6:decoder7.0 at 2
+ bus_remove_device:574: bus: 'cxl': remove device region0
+
+QEMU can create this failing topology:
+
+ ACPI0017:00 [root0]
+ |
+ HB_0 [port1]
+ / \
+ RP_0 RP_1
+ | |
+ USP [port2] USP [port3]
+ / / \ \ / / \ \
+ DSP DSP DSP DSP DSP DSP DSP DSP
+ | | | | | | | |
+ mem4 mem6 mem2 mem7 mem1 mem3 mem5 mem0
+ Pos: 0 2 4 6 1 3 5 7
+
+ HB: Host Bridge
+ RP: Root Port
+ USP: Upstream Port
+ DSP: Downstream Port
+
+...with the following command steps:
+
+$ qemu-system-x86_64 -machine q35,cxl=on,accel=tcg \
+ -smp cpus=8 \
+ -m 8G \
+ -hda /home/work/vm-images/centos-stream8-02.qcow2 \
+ -object memory-backend-ram,size=4G,id=m0 \
+ -object memory-backend-ram,size=4G,id=m1 \
+ -object memory-backend-ram,size=2G,id=cxl-mem0 \
+ -object memory-backend-ram,size=2G,id=cxl-mem1 \
+ -object memory-backend-ram,size=2G,id=cxl-mem2 \
+ -object memory-backend-ram,size=2G,id=cxl-mem3 \
+ -object memory-backend-ram,size=2G,id=cxl-mem4 \
+ -object memory-backend-ram,size=2G,id=cxl-mem5 \
+ -object memory-backend-ram,size=2G,id=cxl-mem6 \
+ -object memory-backend-ram,size=2G,id=cxl-mem7 \
+ -numa node,memdev=m0,cpus=0-3,nodeid=0 \
+ -numa node,memdev=m1,cpus=4-7,nodeid=1 \
+ -netdev user,id=net0,hostfwd=tcp::2222-:22 \
+ -device virtio-net-pci,netdev=net0 \
+ -device pxb-cxl,bus_nr=12,bus=pcie.0,id=cxl.1 \
+ -device cxl-rp,port=0,bus=cxl.1,id=root_port0,chassis=0,slot=0 \
+ -device cxl-rp,port=1,bus=cxl.1,id=root_port1,chassis=0,slot=1 \
+ -device cxl-upstream,bus=root_port0,id=us0 \
+ -device cxl-downstream,port=0,bus=us0,id=swport0,chassis=0,slot=4 \
+ -device cxl-type3,bus=swport0,volatile-memdev=cxl-mem0,id=cxl-vmem0 \
+ -device cxl-downstream,port=1,bus=us0,id=swport1,chassis=0,slot=5 \
+ -device cxl-type3,bus=swport1,volatile-memdev=cxl-mem1,id=cxl-vmem1 \
+ -device cxl-downstream,port=2,bus=us0,id=swport2,chassis=0,slot=6 \
+ -device cxl-type3,bus=swport2,volatile-memdev=cxl-mem2,id=cxl-vmem2 \
+ -device cxl-downstream,port=3,bus=us0,id=swport3,chassis=0,slot=7 \
+ -device cxl-type3,bus=swport3,volatile-memdev=cxl-mem3,id=cxl-vmem3 \
+ -device cxl-upstream,bus=root_port1,id=us1 \
+ -device cxl-downstream,port=4,bus=us1,id=swport4,chassis=0,slot=8 \
+ -device cxl-type3,bus=swport4,volatile-memdev=cxl-mem4,id=cxl-vmem4 \
+ -device cxl-downstream,port=5,bus=us1,id=swport5,chassis=0,slot=9 \
+ -device cxl-type3,bus=swport5,volatile-memdev=cxl-mem5,id=cxl-vmem5 \
+ -device cxl-downstream,port=6,bus=us1,id=swport6,chassis=0,slot=10 \
+ -device cxl-type3,bus=swport6,volatile-memdev=cxl-mem6,id=cxl-vmem6 \
+ -device cxl-downstream,port=7,bus=us1,id=swport7,chassis=0,slot=11 \
+ -device cxl-type3,bus=swport7,volatile-memdev=cxl-mem7,id=cxl-vmem7 \
+ -M cxl-fmw.0.targets.0=cxl.1,cxl-fmw.0.size=32G &
+
+In Guest OS:
+$ cxl create-region -d decoder0.0 -g 1024 -s 2G -t ram -w 8 -m mem4 mem1 mem6 mem3 mem2 mem5 mem7 mem0
+
+Fix the method to calculate @distance by iterativeley multiplying the
+number of targets per switch port. This also follows the algorithm
+recommended here [1].
+
+Fixes: 27b3f8d13830 ("cxl/region: Program target lists")
+Link: http://lore.kernel.org/6538824b52349_7258329466@dwillia2-xfh.jf.intel.com.notmuch [1]
+Signed-off-by: Huaisheng Ye <huaisheng.ye@intel.com>
+Tested-by: Li Zhijian <lizhijian@fujitsu.com>
+[djbw: add a comment explaining 'distance']
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Link: https://patch.msgid.link/173378716722.1270362.9546805175813426729.stgit@dwillia2-xfh.jf.intel.com
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cxl/core/region.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c
+index 7a9357f42dad..d7f7f88009d7 100644
+--- a/drivers/cxl/core/region.c
++++ b/drivers/cxl/core/region.c
+@@ -1167,6 +1167,7 @@ static int cxl_port_setup_targets(struct cxl_port *port,
+ struct cxl_region_params *p = &cxlr->params;
+ struct cxl_decoder *cxld = cxl_rr->decoder;
+ struct cxl_switch_decoder *cxlsd;
++ struct cxl_port *iter = port;
+ u16 eig, peig;
+ u8 eiw, peiw;
+
+@@ -1183,16 +1184,26 @@ static int cxl_port_setup_targets(struct cxl_port *port,
+
+ cxlsd = to_cxl_switch_decoder(&cxld->dev);
+ if (cxl_rr->nr_targets_set) {
+- int i, distance;
++ int i, distance = 1;
++ struct cxl_region_ref *cxl_rr_iter;
+
+ /*
+- * Passthrough decoders impose no distance requirements between
+- * peers
++ * The "distance" between peer downstream ports represents which
++ * endpoint positions in the region interleave a given port can
++ * host.
++ *
++ * For example, at the root of a hierarchy the distance is
++ * always 1 as every index targets a different host-bridge. At
++ * each subsequent switch level those ports map every Nth region
++ * position where N is the width of the switch == distance.
+ */
+- if (cxl_rr->nr_targets == 1)
+- distance = 0;
+- else
+- distance = p->nr_targets / cxl_rr->nr_targets;
++ do {
++ cxl_rr_iter = cxl_rr_load(iter, cxlr);
++ distance *= cxl_rr_iter->nr_targets;
++ iter = to_cxl_port(iter->dev.parent);
++ } while (!is_cxl_root(iter));
++ distance *= cxlrd->cxlsd.cxld.interleave_ways;
++
+ for (i = 0; i < cxl_rr->nr_targets_set; i++)
+ if (ep->dport == cxlsd->target[i]) {
+ rc = check_last_peer(cxled, ep, cxl_rr,
+--
+2.39.5
+
--- /dev/null
+From 8226432dd035927c05efd2a616a9e9c9fd581a89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2024 13:31:55 -0800
+Subject: ionic: Fix netdev notifier unregister on failure
+
+From: Brett Creeley <brett.creeley@amd.com>
+
+[ Upstream commit 9590d32e090ea2751e131ae5273859ca22f5ac14 ]
+
+If register_netdev() fails, then the driver leaks the netdev notifier.
+Fix this by calling ionic_lif_unregister() on register_netdev()
+failure. This will also call ionic_lif_unregister_phc() if it has
+already been registered.
+
+Fixes: 30b87ab4c0b3 ("ionic: remove lif list concept")
+Signed-off-by: Brett Creeley <brett.creeley@amd.com>
+Signed-off-by: Shannon Nelson <shannon.nelson@amd.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/20241212213157.12212-2-shannon.nelson@amd.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+index 9d724d228b83..bc7c5cd38596 100644
+--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c
++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+@@ -3736,8 +3736,8 @@ int ionic_lif_register(struct ionic_lif *lif)
+ /* only register LIF0 for now */
+ err = register_netdev(lif->netdev);
+ if (err) {
+- dev_err(lif->ionic->dev, "Cannot register net device, aborting\n");
+- ionic_lif_unregister_phc(lif);
++ dev_err(lif->ionic->dev, "Cannot register net device: %d, aborting\n", err);
++ ionic_lif_unregister(lif);
+ return err;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 090fdeae6286e89d03e48c7808bb7b73807a7477 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2024 13:31:57 -0800
+Subject: ionic: use ee->offset when returning sprom data
+
+From: Shannon Nelson <shannon.nelson@amd.com>
+
+[ Upstream commit b096d62ba1323391b2db98b7704e2468cf3b1588 ]
+
+Some calls into ionic_get_module_eeprom() don't use a single
+full buffer size, but instead multiple calls with an offset.
+Teach our driver to use the offset correctly so we can
+respond appropriately to the caller.
+
+Fixes: 4d03e00a2140 ("ionic: Add initial ethtool support")
+Signed-off-by: Shannon Nelson <shannon.nelson@amd.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/20241212213157.12212-4-shannon.nelson@amd.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/pensando/ionic/ionic_ethtool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c b/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c
+index 35829a2851fa..d76e63f57ff1 100644
+--- a/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c
++++ b/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c
+@@ -945,8 +945,8 @@ static int ionic_get_module_eeprom(struct net_device *netdev,
+ len = min_t(u32, sizeof(xcvr->sprom), ee->len);
+
+ do {
+- memcpy(data, xcvr->sprom, len);
+- memcpy(tbuf, xcvr->sprom, len);
++ memcpy(data, &xcvr->sprom[ee->offset], len);
++ memcpy(tbuf, &xcvr->sprom[ee->offset], len);
+
+ /* Let's make sure we got a consistent copy */
+ if (!memcmp(data, tbuf, len))
+--
+2.39.5
+
--- /dev/null
+From 711d2407225b7e562d6d78513aaf55146fcc3c03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Dec 2024 17:30:53 +0000
+Subject: ipvs: Fix clamp() of ip_vs_conn_tab on small memory systems
+
+From: David Laight <David.Laight@ACULAB.COM>
+
+[ Upstream commit cf2c97423a4f89c8b798294d3f34ecfe7e7035c3 ]
+
+The 'max_avail' value is calculated from the system memory
+size using order_base_2().
+order_base_2(x) is defined as '(x) ? fn(x) : 0'.
+The compiler generates two copies of the code that follows
+and then expands clamp(max, min, PAGE_SHIFT - 12) (11 on 32bit).
+This triggers a compile-time assert since min is 5.
+
+In reality a system would have to have less than 512MB memory
+for the bounds passed to clamp to be reversed.
+
+Swap the order of the arguments to clamp() to avoid the warning.
+
+Replace the clamp_val() on the line below with clamp().
+clamp_val() is just 'an accident waiting to happen' and not needed here.
+
+Detected by compile time checks added to clamp(), specifically:
+minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp()
+
+Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
+Closes: https://lore.kernel.org/all/CA+G9fYsT34UkGFKxus63H6UVpYi5GRZkezT9MRLfAbM3f6ke0g@mail.gmail.com/
+Fixes: 4f325e26277b ("ipvs: dynamically limit the connection hash table")
+Tested-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: David Laight <david.laight@aculab.com>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipvs/ip_vs_conn.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
+index 9065da3cdd12..8182833a3582 100644
+--- a/net/netfilter/ipvs/ip_vs_conn.c
++++ b/net/netfilter/ipvs/ip_vs_conn.c
+@@ -1494,8 +1494,8 @@ int __init ip_vs_conn_init(void)
+ max_avail -= 2; /* ~4 in hash row */
+ max_avail -= 1; /* IPVS up to 1/2 of mem */
+ max_avail -= order_base_2(sizeof(struct ip_vs_conn));
+- max = clamp(max, min, max_avail);
+- ip_vs_conn_tab_bits = clamp_val(ip_vs_conn_tab_bits, min, max);
++ max = clamp(max_avail, min, max);
++ ip_vs_conn_tab_bits = clamp(ip_vs_conn_tab_bits, min, max);
+ ip_vs_conn_tab_size = 1 << ip_vs_conn_tab_bits;
+ ip_vs_conn_tab_mask = ip_vs_conn_tab_size - 1;
+
+--
+2.39.5
+
--- /dev/null
+From f8e15dfc5f0590d657fbbe1821a05bcde0c15f8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Dec 2024 12:16:45 +0900
+Subject: ksmbd: count all requests in req_running counter
+
+From: Marios Makassikis <mmakassikis@freebox.fr>
+
+[ Upstream commit 83c47d9e0ce79b5d7c0b21b9f35402dbde0fa15c ]
+
+This changes the semantics of req_running to count all in-flight
+requests on a given connection, rather than the number of elements
+in the conn->request list. The latter is used only in smb2_cancel,
+and the counter is not used
+
+Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Stable-dep-of: 43fb7bce8866 ("ksmbd: fix broken transfers when exceeding max simultaneous operations")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/server/connection.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/smb/server/connection.c b/fs/smb/server/connection.c
+index a751793c4512..5ded9372b2fb 100644
+--- a/fs/smb/server/connection.c
++++ b/fs/smb/server/connection.c
+@@ -120,8 +120,8 @@ void ksmbd_conn_enqueue_request(struct ksmbd_work *work)
+ if (conn->ops->get_cmd_val(work) != SMB2_CANCEL_HE)
+ requests_queue = &conn->requests;
+
++ atomic_inc(&conn->req_running);
+ if (requests_queue) {
+- atomic_inc(&conn->req_running);
+ spin_lock(&conn->request_lock);
+ list_add_tail(&work->request_entry, requests_queue);
+ spin_unlock(&conn->request_lock);
+@@ -132,11 +132,12 @@ void ksmbd_conn_try_dequeue_request(struct ksmbd_work *work)
+ {
+ struct ksmbd_conn *conn = work->conn;
+
++ atomic_dec(&conn->req_running);
++
+ if (list_empty(&work->request_entry) &&
+ list_empty(&work->async_request_entry))
+ return;
+
+- atomic_dec(&conn->req_running);
+ spin_lock(&conn->request_lock);
+ list_del_init(&work->request_entry);
+ spin_unlock(&conn->request_lock);
+--
+2.39.5
+
--- /dev/null
+From 9cc3f8a0358ea99b8cbb409055dd7cb0e770b698 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Dec 2024 12:17:23 +0900
+Subject: ksmbd: fix broken transfers when exceeding max simultaneous
+ operations
+
+From: Marios Makassikis <mmakassikis@freebox.fr>
+
+[ Upstream commit 43fb7bce8866e793275c4f9f25af6a37745f3416 ]
+
+Since commit 0a77d947f599 ("ksmbd: check outstanding simultaneous SMB
+operations"), ksmbd enforces a maximum number of simultaneous operations
+for a connection. The problem is that reaching the limit causes ksmbd to
+close the socket, and the client has no indication that it should have
+slowed down.
+
+This behaviour can be reproduced by setting "smb2 max credits = 128" (or
+lower), and transferring a large file (25GB).
+
+smbclient fails as below:
+
+ $ smbclient //192.168.1.254/testshare -U user%pass
+ smb: \> put file.bin
+ cli_push returned NT_STATUS_USER_SESSION_DELETED
+ putting file file.bin as \file.bin smb2cli_req_compound_submit:
+ Insufficient credits. 0 available, 1 needed
+ NT_STATUS_INTERNAL_ERROR closing remote file \file.bin
+ smb: \> smb2cli_req_compound_submit: Insufficient credits. 0 available,
+ 1 needed
+
+Windows clients fail with 0x8007003b (with smaller files even).
+
+Fix this by delaying reading from the socket until there's room to
+allocate a request. This effectively applies backpressure on the client,
+so the transfer completes, albeit at a slower rate.
+
+Fixes: 0a77d947f599 ("ksmbd: check outstanding simultaneous SMB operations")
+Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/server/connection.c | 13 +++++++++++--
+ fs/smb/server/connection.h | 1 -
+ fs/smb/server/server.c | 7 +------
+ fs/smb/server/server.h | 1 +
+ fs/smb/server/transport_ipc.c | 5 ++++-
+ 5 files changed, 17 insertions(+), 10 deletions(-)
+
+diff --git a/fs/smb/server/connection.c b/fs/smb/server/connection.c
+index 5ded9372b2fb..f3178570329a 100644
+--- a/fs/smb/server/connection.c
++++ b/fs/smb/server/connection.c
+@@ -70,7 +70,6 @@ struct ksmbd_conn *ksmbd_conn_alloc(void)
+ atomic_set(&conn->req_running, 0);
+ atomic_set(&conn->r_count, 0);
+ atomic_set(&conn->refcnt, 1);
+- atomic_set(&conn->mux_smb_requests, 0);
+ conn->total_credits = 1;
+ conn->outstanding_credits = 0;
+
+@@ -133,6 +132,8 @@ void ksmbd_conn_try_dequeue_request(struct ksmbd_work *work)
+ struct ksmbd_conn *conn = work->conn;
+
+ atomic_dec(&conn->req_running);
++ if (waitqueue_active(&conn->req_running_q))
++ wake_up(&conn->req_running_q);
+
+ if (list_empty(&work->request_entry) &&
+ list_empty(&work->async_request_entry))
+@@ -309,7 +310,7 @@ int ksmbd_conn_handler_loop(void *p)
+ {
+ struct ksmbd_conn *conn = (struct ksmbd_conn *)p;
+ struct ksmbd_transport *t = conn->transport;
+- unsigned int pdu_size, max_allowed_pdu_size;
++ unsigned int pdu_size, max_allowed_pdu_size, max_req;
+ char hdr_buf[4] = {0,};
+ int size;
+
+@@ -319,6 +320,7 @@ int ksmbd_conn_handler_loop(void *p)
+ if (t->ops->prepare && t->ops->prepare(t))
+ goto out;
+
++ max_req = server_conf.max_inflight_req;
+ conn->last_active = jiffies;
+ set_freezable();
+ while (ksmbd_conn_alive(conn)) {
+@@ -328,6 +330,13 @@ int ksmbd_conn_handler_loop(void *p)
+ kvfree(conn->request_buf);
+ conn->request_buf = NULL;
+
++recheck:
++ if (atomic_read(&conn->req_running) + 1 > max_req) {
++ wait_event_interruptible(conn->req_running_q,
++ atomic_read(&conn->req_running) < max_req);
++ goto recheck;
++ }
++
+ size = t->ops->read(t, hdr_buf, sizeof(hdr_buf), -1);
+ if (size != sizeof(hdr_buf))
+ break;
+diff --git a/fs/smb/server/connection.h b/fs/smb/server/connection.h
+index 368295fb18a7..82343afc8d04 100644
+--- a/fs/smb/server/connection.h
++++ b/fs/smb/server/connection.h
+@@ -107,7 +107,6 @@ struct ksmbd_conn {
+ __le16 signing_algorithm;
+ bool binding;
+ atomic_t refcnt;
+- atomic_t mux_smb_requests;
+ };
+
+ struct ksmbd_conn_ops {
+diff --git a/fs/smb/server/server.c b/fs/smb/server/server.c
+index 7f9aca4aa742..71e1c1db9dea 100644
+--- a/fs/smb/server/server.c
++++ b/fs/smb/server/server.c
+@@ -270,7 +270,6 @@ static void handle_ksmbd_work(struct work_struct *wk)
+
+ ksmbd_conn_try_dequeue_request(work);
+ ksmbd_free_work_struct(work);
+- atomic_dec(&conn->mux_smb_requests);
+ /*
+ * Checking waitqueue to dropping pending requests on
+ * disconnection. waitqueue_active is safe because it
+@@ -300,11 +299,6 @@ static int queue_ksmbd_work(struct ksmbd_conn *conn)
+ if (err)
+ return 0;
+
+- if (atomic_inc_return(&conn->mux_smb_requests) >= conn->vals->max_credits) {
+- atomic_dec_return(&conn->mux_smb_requests);
+- return -ENOSPC;
+- }
+-
+ work = ksmbd_alloc_work_struct();
+ if (!work) {
+ pr_err("allocation for work failed\n");
+@@ -367,6 +361,7 @@ static int server_conf_init(void)
+ server_conf.auth_mechs |= KSMBD_AUTH_KRB5 |
+ KSMBD_AUTH_MSKRB5;
+ #endif
++ server_conf.max_inflight_req = SMB2_MAX_CREDITS;
+ return 0;
+ }
+
+diff --git a/fs/smb/server/server.h b/fs/smb/server/server.h
+index db7278181760..4d06f2eb0d6a 100644
+--- a/fs/smb/server/server.h
++++ b/fs/smb/server/server.h
+@@ -42,6 +42,7 @@ struct ksmbd_server_config {
+ struct smb_sid domain_sid;
+ unsigned int auth_mechs;
+ unsigned int max_connections;
++ unsigned int max_inflight_req;
+
+ char *conf[SERVER_CONF_WORK_GROUP + 1];
+ };
+diff --git a/fs/smb/server/transport_ipc.c b/fs/smb/server/transport_ipc.c
+index 8752ac82c557..c12b70d01880 100644
+--- a/fs/smb/server/transport_ipc.c
++++ b/fs/smb/server/transport_ipc.c
+@@ -305,8 +305,11 @@ static int ipc_server_config_on_startup(struct ksmbd_startup_request *req)
+ init_smb2_max_write_size(req->smb2_max_write);
+ if (req->smb2_max_trans)
+ init_smb2_max_trans_size(req->smb2_max_trans);
+- if (req->smb2_max_credits)
++ if (req->smb2_max_credits) {
+ init_smb2_max_credits(req->smb2_max_credits);
++ server_conf.max_inflight_req =
++ req->smb2_max_credits;
++ }
+ if (req->smbd_max_io_size)
+ init_smbd_max_io_size(req->smbd_max_io_size);
+
+--
+2.39.5
+
--- /dev/null
+From d44e0d6d4722c38bd31939b8a46de51308133a60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Dec 2024 10:49:12 +0900
+Subject: net: ethernet: bgmac-platform: fix an OF node reference leak
+
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+
+[ Upstream commit 0cb2c504d79e7caa3abade3f466750c82ad26f01 ]
+
+The OF node obtained by of_parse_phandle() is not freed. Call
+of_node_put() to balance the refcount.
+
+This bug was found by an experimental static analysis tool that I am
+developing.
+
+Fixes: 1676aba5ef7e ("net: ethernet: bgmac: device tree phy enablement")
+Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20241214014912.2810315-1-joe@pf.is.s.u-tokyo.ac.jp
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bgmac-platform.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bgmac-platform.c b/drivers/net/ethernet/broadcom/bgmac-platform.c
+index b4381cd41979..3f4e8bac40c1 100644
+--- a/drivers/net/ethernet/broadcom/bgmac-platform.c
++++ b/drivers/net/ethernet/broadcom/bgmac-platform.c
+@@ -171,6 +171,7 @@ static int platform_phy_connect(struct bgmac *bgmac)
+ static int bgmac_probe(struct platform_device *pdev)
+ {
+ struct device_node *np = pdev->dev.of_node;
++ struct device_node *phy_node;
+ struct bgmac *bgmac;
+ struct resource *regs;
+ int ret;
+@@ -236,7 +237,9 @@ static int bgmac_probe(struct platform_device *pdev)
+ bgmac->cco_ctl_maskset = platform_bgmac_cco_ctl_maskset;
+ bgmac->get_bus_clock = platform_bgmac_get_bus_clock;
+ bgmac->cmn_maskset32 = platform_bgmac_cmn_maskset32;
+- if (of_parse_phandle(np, "phy-handle", 0)) {
++ phy_node = of_parse_phandle(np, "phy-handle", 0);
++ if (phy_node) {
++ of_node_put(phy_node);
+ bgmac->phy_connect = platform_phy_connect;
+ } else {
+ bgmac->phy_connect = bgmac_phy_connect_direct;
+--
+2.39.5
+
--- /dev/null
+From 4d6f5ce80ac00e28ddb8fde0a41c24ddbbfa490e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Dec 2024 17:28:11 +0300
+Subject: net: hinic: Fix cleanup in create_rxqs/txqs()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 7203d10e93b6e6e1d19481ef7907de6a9133a467 ]
+
+There is a check for NULL at the start of create_txqs() and
+create_rxqs() which tess if "nic_dev->txqs" is non-NULL. The
+intention is that if the device is already open and the queues
+are already created then we don't create them a second time.
+
+However, the bug is that if we have an error in the create_txqs()
+then the pointer doesn't get set back to NULL. The NULL check
+at the start of the function will say that it's already open when
+it's not and the device can't be used.
+
+Set ->txqs back to NULL on cleanup on error.
+
+Fixes: c3e79baf1b03 ("net-next/hinic: Add logical Txq and Rxq")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/0cc98faf-a0ed-4565-a55b-0fa2734bc205@stanley.mountain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/huawei/hinic/hinic_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/huawei/hinic/hinic_main.c b/drivers/net/ethernet/huawei/hinic/hinic_main.c
+index 499c657d37a9..579c3dc0014c 100644
+--- a/drivers/net/ethernet/huawei/hinic/hinic_main.c
++++ b/drivers/net/ethernet/huawei/hinic/hinic_main.c
+@@ -172,6 +172,7 @@ static int create_txqs(struct hinic_dev *nic_dev)
+ hinic_sq_dbgfs_uninit(nic_dev);
+
+ devm_kfree(&netdev->dev, nic_dev->txqs);
++ nic_dev->txqs = NULL;
+ return err;
+ }
+
+@@ -268,6 +269,7 @@ static int create_rxqs(struct hinic_dev *nic_dev)
+ hinic_rq_dbgfs_uninit(nic_dev);
+
+ devm_kfree(&netdev->dev, nic_dev->rxqs);
++ nic_dev->rxqs = NULL;
+ return err;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 863e0b194a19f3c9b1f1faa87de904fe2063a689 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2024 12:51:06 +0900
+Subject: net: mdiobus: fix an OF node reference leak
+
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+
+[ Upstream commit 572af9f284669d31d9175122bbef9bc62cea8ded ]
+
+fwnode_find_mii_timestamper() calls of_parse_phandle_with_fixed_args()
+but does not decrement the refcount of the obtained OF node. Add an
+of_node_put() call before returning from the function.
+
+This bug was detected by an experimental static analysis tool that I am
+developing.
+
+Fixes: bc1bee3b87ee ("net: mdiobus: Introduce fwnode_mdiobus_register_phy()")
+Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20241218035106.1436405-1-joe@pf.is.s.u-tokyo.ac.jp
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mdio/fwnode_mdio.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/mdio/fwnode_mdio.c b/drivers/net/mdio/fwnode_mdio.c
+index 1183ef5e203e..c62f2e85414d 100644
+--- a/drivers/net/mdio/fwnode_mdio.c
++++ b/drivers/net/mdio/fwnode_mdio.c
+@@ -38,6 +38,7 @@ fwnode_find_pse_control(struct fwnode_handle *fwnode)
+ static struct mii_timestamper *
+ fwnode_find_mii_timestamper(struct fwnode_handle *fwnode)
+ {
++ struct mii_timestamper *mii_ts;
+ struct of_phandle_args arg;
+ int err;
+
+@@ -51,10 +52,16 @@ fwnode_find_mii_timestamper(struct fwnode_handle *fwnode)
+ else if (err)
+ return ERR_PTR(err);
+
+- if (arg.args_count != 1)
+- return ERR_PTR(-EINVAL);
++ if (arg.args_count != 1) {
++ mii_ts = ERR_PTR(-EINVAL);
++ goto put_node;
++ }
++
++ mii_ts = register_mii_timestamper(arg.np, arg.args[0]);
+
+- return register_mii_timestamper(arg.np, arg.args[0]);
++put_node:
++ of_node_put(arg.np);
++ return mii_ts;
+ }
+
+ int fwnode_mdiobus_phy_device_register(struct mii_bus *mdio,
+--
+2.39.5
+
--- /dev/null
+From 56f10df68bc57ae48c3edd22d04d5c7154266636 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2024 18:55:45 +0200
+Subject: net: mscc: ocelot: fix incorrect IFH SRC_PORT field in
+ ocelot_ifh_set_basic()
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 2d5df3a680ffdaf606baa10636bdb1daf757832e ]
+
+Packets injected by the CPU should have a SRC_PORT field equal to the
+CPU port module index in the Analyzer block (ocelot->num_phys_ports).
+
+The blamed commit copied the ocelot_ifh_set_basic() call incorrectly
+from ocelot_xmit_common() in net/dsa/tag_ocelot.c. Instead of calling
+with "x", it calls with BIT_ULL(x), but the field is not a port mask,
+but rather a single port index.
+
+[ side note: this is the technical debt of code duplication :( ]
+
+The error used to be silent and doesn't appear to have other
+user-visible manifestations, but with new changes in the packing
+library, it now fails loudly as follows:
+
+------------[ cut here ]------------
+Cannot store 0x40 inside bits 46-43 - will truncate
+sja1105 spi2.0: xmit timed out
+WARNING: CPU: 1 PID: 102 at lib/packing.c:98 __pack+0x90/0x198
+sja1105 spi2.0: timed out polling for tstamp
+CPU: 1 UID: 0 PID: 102 Comm: felix_xmit
+Tainted: G W N 6.13.0-rc1-00372-gf706b85d972d-dirty #2605
+Call trace:
+ __pack+0x90/0x198 (P)
+ __pack+0x90/0x198 (L)
+ packing+0x78/0x98
+ ocelot_ifh_set_basic+0x260/0x368
+ ocelot_port_inject_frame+0xa8/0x250
+ felix_port_deferred_xmit+0x14c/0x258
+ kthread_worker_fn+0x134/0x350
+ kthread+0x114/0x138
+
+The code path pertains to the ocelot switchdev driver and to the felix
+secondary DSA tag protocol, ocelot-8021q. Here seen with ocelot-8021q.
+
+The messenger (packing) is not really to blame, so fix the original
+commit instead.
+
+Fixes: e1b9e80236c5 ("net: mscc: ocelot: fix QoS class for injected packets with "ocelot-8021q"")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20241212165546.879567-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mscc/ocelot.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c
+index c2118bde908b..f6aa5d6b6597 100644
+--- a/drivers/net/ethernet/mscc/ocelot.c
++++ b/drivers/net/ethernet/mscc/ocelot.c
+@@ -1266,7 +1266,7 @@ void ocelot_ifh_set_basic(void *ifh, struct ocelot *ocelot, int port,
+
+ memset(ifh, 0, OCELOT_TAG_LEN);
+ ocelot_ifh_set_bypass(ifh, 1);
+- ocelot_ifh_set_src(ifh, BIT_ULL(ocelot->num_phys_ports));
++ ocelot_ifh_set_src(ifh, ocelot->num_phys_ports);
+ ocelot_ifh_set_dest(ifh, BIT_ULL(port));
+ ocelot_ifh_set_qos_class(ifh, qos_class);
+ ocelot_ifh_set_tag_type(ifh, tag_type);
+--
+2.39.5
+
--- /dev/null
+From a862c45b7a2cc72824c3adee95872f87f46c4672 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2024 11:25:58 +0500
+Subject: net: renesas: rswitch: rework ts tags management
+
+From: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+
+[ Upstream commit 922b4b955a03d19fea98938f33ef0e62d01f5159 ]
+
+The existing linked list based implementation of how ts tags are
+assigned and managed is unsafe against concurrency and corner cases:
+- element addition in tx processing can race against element removal
+ in ts queue completion,
+- element removal in ts queue completion can race against element
+ removal in device close,
+- if a large number of frames gets added to tx queue without ts queue
+ completions in between, elements with duplicate tag values can get
+ added.
+
+Use a different implementation, based on per-port used tags bitmaps and
+saved skb arrays.
+
+Safety for addition in tx processing vs removal in ts completion is
+provided by:
+
+ tag = find_first_zero_bit(...);
+ smp_mb();
+ <write rdev->ts_skb[tag]>
+ set_bit(...);
+
+ vs
+
+ <read rdev->ts_skb[tag]>
+ smp_mb();
+ clear_bit(...);
+
+Safety for removal in ts completion vs removal in device close is
+provided by using atomic read-and-clear for rdev->ts_skb[tag]:
+
+ ts_skb = xchg(&rdev->ts_skb[tag], NULL);
+ if (ts_skb)
+ <handle it>
+
+Fixes: 33f5d733b589 ("net: renesas: rswitch: Improve TX timestamp accuracy")
+Signed-off-by: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+Link: https://patch.msgid.link/20241212062558.436455-1-nikita.yoush@cogentembedded.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/rswitch.c | 74 ++++++++++++++------------
+ drivers/net/ethernet/renesas/rswitch.h | 13 ++---
+ 2 files changed, 42 insertions(+), 45 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/rswitch.c b/drivers/net/ethernet/renesas/rswitch.c
+index 8abad9bb629e..54aa56c84133 100644
+--- a/drivers/net/ethernet/renesas/rswitch.c
++++ b/drivers/net/ethernet/renesas/rswitch.c
+@@ -546,7 +546,6 @@ static int rswitch_gwca_ts_queue_alloc(struct rswitch_private *priv)
+ desc = &gq->ts_ring[gq->ring_size];
+ desc->desc.die_dt = DT_LINKFIX;
+ rswitch_desc_set_dptr(&desc->desc, gq->ring_dma);
+- INIT_LIST_HEAD(&priv->gwca.ts_info_list);
+
+ return 0;
+ }
+@@ -934,9 +933,10 @@ static int rswitch_gwca_request_irqs(struct rswitch_private *priv)
+ static void rswitch_ts(struct rswitch_private *priv)
+ {
+ struct rswitch_gwca_queue *gq = &priv->gwca.ts_queue;
+- struct rswitch_gwca_ts_info *ts_info, *ts_info2;
+ struct skb_shared_hwtstamps shhwtstamps;
+ struct rswitch_ts_desc *desc;
++ struct rswitch_device *rdev;
++ struct sk_buff *ts_skb;
+ struct timespec64 ts;
+ unsigned int num;
+ u32 tag, port;
+@@ -946,23 +946,28 @@ static void rswitch_ts(struct rswitch_private *priv)
+ dma_rmb();
+
+ port = TS_DESC_DPN(__le32_to_cpu(desc->desc.dptrl));
+- tag = TS_DESC_TSUN(__le32_to_cpu(desc->desc.dptrl));
+-
+- list_for_each_entry_safe(ts_info, ts_info2, &priv->gwca.ts_info_list, list) {
+- if (!(ts_info->port == port && ts_info->tag == tag))
+- continue;
+-
+- memset(&shhwtstamps, 0, sizeof(shhwtstamps));
+- ts.tv_sec = __le32_to_cpu(desc->ts_sec);
+- ts.tv_nsec = __le32_to_cpu(desc->ts_nsec & cpu_to_le32(0x3fffffff));
+- shhwtstamps.hwtstamp = timespec64_to_ktime(ts);
+- skb_tstamp_tx(ts_info->skb, &shhwtstamps);
+- dev_consume_skb_irq(ts_info->skb);
+- list_del(&ts_info->list);
+- kfree(ts_info);
+- break;
+- }
++ if (unlikely(port >= RSWITCH_NUM_PORTS))
++ goto next;
++ rdev = priv->rdev[port];
+
++ tag = TS_DESC_TSUN(__le32_to_cpu(desc->desc.dptrl));
++ if (unlikely(tag >= TS_TAGS_PER_PORT))
++ goto next;
++ ts_skb = xchg(&rdev->ts_skb[tag], NULL);
++ smp_mb(); /* order rdev->ts_skb[] read before bitmap update */
++ clear_bit(tag, rdev->ts_skb_used);
++
++ if (unlikely(!ts_skb))
++ goto next;
++
++ memset(&shhwtstamps, 0, sizeof(shhwtstamps));
++ ts.tv_sec = __le32_to_cpu(desc->ts_sec);
++ ts.tv_nsec = __le32_to_cpu(desc->ts_nsec & cpu_to_le32(0x3fffffff));
++ shhwtstamps.hwtstamp = timespec64_to_ktime(ts);
++ skb_tstamp_tx(ts_skb, &shhwtstamps);
++ dev_consume_skb_irq(ts_skb);
++
++next:
+ gq->cur = rswitch_next_queue_index(gq, true, 1);
+ desc = &gq->ts_ring[gq->cur];
+ }
+@@ -1505,8 +1510,9 @@ static int rswitch_open(struct net_device *ndev)
+ static int rswitch_stop(struct net_device *ndev)
+ {
+ struct rswitch_device *rdev = netdev_priv(ndev);
+- struct rswitch_gwca_ts_info *ts_info, *ts_info2;
++ struct sk_buff *ts_skb;
+ unsigned long flags;
++ unsigned int tag;
+
+ netif_tx_stop_all_queues(ndev);
+
+@@ -1523,12 +1529,13 @@ static int rswitch_stop(struct net_device *ndev)
+ if (bitmap_empty(rdev->priv->opened_ports, RSWITCH_NUM_PORTS))
+ iowrite32(GWCA_TS_IRQ_BIT, rdev->priv->addr + GWTSDID);
+
+- list_for_each_entry_safe(ts_info, ts_info2, &rdev->priv->gwca.ts_info_list, list) {
+- if (ts_info->port != rdev->port)
+- continue;
+- dev_kfree_skb_irq(ts_info->skb);
+- list_del(&ts_info->list);
+- kfree(ts_info);
++ for (tag = find_first_bit(rdev->ts_skb_used, TS_TAGS_PER_PORT);
++ tag < TS_TAGS_PER_PORT;
++ tag = find_next_bit(rdev->ts_skb_used, TS_TAGS_PER_PORT, tag + 1)) {
++ ts_skb = xchg(&rdev->ts_skb[tag], NULL);
++ clear_bit(tag, rdev->ts_skb_used);
++ if (ts_skb)
++ dev_kfree_skb(ts_skb);
+ }
+
+ return 0;
+@@ -1541,20 +1548,17 @@ static bool rswitch_ext_desc_set_info1(struct rswitch_device *rdev,
+ desc->info1 = cpu_to_le64(INFO1_DV(BIT(rdev->etha->index)) |
+ INFO1_IPV(GWCA_IPV_NUM) | INFO1_FMT);
+ if (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP) {
+- struct rswitch_gwca_ts_info *ts_info;
++ unsigned int tag;
+
+- ts_info = kzalloc(sizeof(*ts_info), GFP_ATOMIC);
+- if (!ts_info)
++ tag = find_first_zero_bit(rdev->ts_skb_used, TS_TAGS_PER_PORT);
++ if (tag == TS_TAGS_PER_PORT)
+ return false;
++ smp_mb(); /* order bitmap read before rdev->ts_skb[] write */
++ rdev->ts_skb[tag] = skb_get(skb);
++ set_bit(tag, rdev->ts_skb_used);
+
+ skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS;
+- rdev->ts_tag++;
+- desc->info1 |= cpu_to_le64(INFO1_TSUN(rdev->ts_tag) | INFO1_TXC);
+-
+- ts_info->skb = skb_get(skb);
+- ts_info->port = rdev->port;
+- ts_info->tag = rdev->ts_tag;
+- list_add_tail(&ts_info->list, &rdev->priv->gwca.ts_info_list);
++ desc->info1 |= cpu_to_le64(INFO1_TSUN(tag) | INFO1_TXC);
+
+ skb_tx_timestamp(skb);
+ }
+diff --git a/drivers/net/ethernet/renesas/rswitch.h b/drivers/net/ethernet/renesas/rswitch.h
+index f2d1cd47187d..0c93ef16b43e 100644
+--- a/drivers/net/ethernet/renesas/rswitch.h
++++ b/drivers/net/ethernet/renesas/rswitch.h
+@@ -965,14 +965,6 @@ struct rswitch_gwca_queue {
+ };
+ };
+
+-struct rswitch_gwca_ts_info {
+- struct sk_buff *skb;
+- struct list_head list;
+-
+- int port;
+- u8 tag;
+-};
+-
+ #define RSWITCH_NUM_IRQ_REGS (RSWITCH_MAX_NUM_QUEUES / BITS_PER_TYPE(u32))
+ struct rswitch_gwca {
+ unsigned int index;
+@@ -982,7 +974,6 @@ struct rswitch_gwca {
+ struct rswitch_gwca_queue *queues;
+ int num_queues;
+ struct rswitch_gwca_queue ts_queue;
+- struct list_head ts_info_list;
+ DECLARE_BITMAP(used, RSWITCH_MAX_NUM_QUEUES);
+ u32 tx_irq_bits[RSWITCH_NUM_IRQ_REGS];
+ u32 rx_irq_bits[RSWITCH_NUM_IRQ_REGS];
+@@ -990,6 +981,7 @@ struct rswitch_gwca {
+ };
+
+ #define NUM_QUEUES_PER_NDEV 2
++#define TS_TAGS_PER_PORT 256
+ struct rswitch_device {
+ struct rswitch_private *priv;
+ struct net_device *ndev;
+@@ -997,7 +989,8 @@ struct rswitch_device {
+ void __iomem *addr;
+ struct rswitch_gwca_queue *tx_queue;
+ struct rswitch_gwca_queue *rx_queue;
+- u8 ts_tag;
++ struct sk_buff *ts_skb[TS_TAGS_PER_PORT];
++ DECLARE_BITMAP(ts_skb_used, TS_TAGS_PER_PORT);
+ bool disabled;
+
+ int port;
+--
+2.39.5
+
--- /dev/null
+From 35d11bd513ed2958819a1217612b0eeac094f259 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2024 17:21:18 +0800
+Subject: net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving
+ proposal msg
+
+From: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+
+[ Upstream commit a29e220d3c8edbf0e1beb0f028878a4a85966556 ]
+
+When receiving proposal msg in server, the field iparea_offset
+and the field ipv6_prefixes_cnt in proposal msg are from the
+remote client and can not be fully trusted. Especially the
+field iparea_offset, once exceed the max value, there has the
+chance to access wrong address, and crash may happen.
+
+This patch checks iparea_offset and ipv6_prefixes_cnt before using them.
+
+Fixes: e7b7a64a8493 ("smc: support variable CLC proposal messages")
+Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+Reviewed-by: Wen Gu <guwen@linux.alibaba.com>
+Reviewed-by: D. Wythe <alibuda@linux.alibaba.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c | 6 +++++-
+ net/smc/smc_clc.c | 4 ++++
+ net/smc/smc_clc.h | 6 +++++-
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index 06d607e676f6..8551e097ad33 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -2039,6 +2039,8 @@ static int smc_listen_prfx_check(struct smc_sock *new_smc,
+ if (pclc->hdr.typev1 == SMC_TYPE_N)
+ return 0;
+ pclc_prfx = smc_clc_proposal_get_prefix(pclc);
++ if (!pclc_prfx)
++ return -EPROTO;
+ if (smc_clc_prfx_match(newclcsock, pclc_prfx))
+ return SMC_CLC_DECL_DIFFPREFIX;
+
+@@ -2228,7 +2230,9 @@ static void smc_find_ism_v1_device_serv(struct smc_sock *new_smc,
+ int rc = 0;
+
+ /* check if ISM V1 is available */
+- if (!(ini->smcd_version & SMC_V1) || !smcd_indicated(ini->smc_type_v1))
++ if (!(ini->smcd_version & SMC_V1) ||
++ !smcd_indicated(ini->smc_type_v1) ||
++ !pclc_smcd)
+ goto not_found;
+ ini->is_smcd = true; /* prepare ISM check */
+ ini->ism_peer_gid[0].gid = ntohll(pclc_smcd->ism.gid);
+diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
+index 0084960a203d..b8fd64392209 100644
+--- a/net/smc/smc_clc.c
++++ b/net/smc/smc_clc.c
+@@ -354,6 +354,10 @@ static bool smc_clc_msg_prop_valid(struct smc_clc_msg_proposal *pclc)
+
+ v2_ext = smc_get_clc_v2_ext(pclc);
+ pclc_prfx = smc_clc_proposal_get_prefix(pclc);
++ if (!pclc_prfx ||
++ pclc_prfx->ipv6_prefixes_cnt > SMC_CLC_MAX_V6_PREFIX)
++ return false;
++
+ if (hdr->version == SMC_V1) {
+ if (hdr->typev1 == SMC_TYPE_N)
+ return false;
+diff --git a/net/smc/smc_clc.h b/net/smc/smc_clc.h
+index c8d6282ec9c0..eb843907c9d0 100644
+--- a/net/smc/smc_clc.h
++++ b/net/smc/smc_clc.h
+@@ -320,8 +320,12 @@ struct smc_clc_msg_decline_v2 { /* clc decline message */
+ static inline struct smc_clc_msg_proposal_prefix *
+ smc_clc_proposal_get_prefix(struct smc_clc_msg_proposal *pclc)
+ {
++ u16 offset = ntohs(pclc->iparea_offset);
++
++ if (offset > sizeof(struct smc_clc_msg_smcd))
++ return NULL;
+ return (struct smc_clc_msg_proposal_prefix *)
+- ((u8 *)pclc + sizeof(*pclc) + ntohs(pclc->iparea_offset));
++ ((u8 *)pclc + sizeof(*pclc) + offset);
+ }
+
+ static inline bool smcr_indicated(int smc_type)
+--
+2.39.5
+
--- /dev/null
+From e9310434a0352640d340542254b733d6be3135c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2024 17:21:21 +0800
+Subject: net/smc: check return value of sock_recvmsg when draining clc data
+
+From: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+
+[ Upstream commit c5b8ee5022a19464783058dc6042e8eefa34e8cd ]
+
+When receiving clc msg, the field length in smc_clc_msg_hdr indicates the
+length of msg should be received from network and the value should not be
+fully trusted as it is from the network. Once the value of length exceeds
+the value of buflen in function smc_clc_wait_msg it may run into deadloop
+when trying to drain the remaining data exceeding buflen.
+
+This patch checks the return value of sock_recvmsg when draining data in
+case of deadloop in draining.
+
+Fixes: fb4f79264c0f ("net/smc: tolerate future SMCD versions")
+Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+Reviewed-by: Wen Gu <guwen@linux.alibaba.com>
+Reviewed-by: D. Wythe <alibuda@linux.alibaba.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_clc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
+index 286d6b19a1f1..dbce904c03cf 100644
+--- a/net/smc/smc_clc.c
++++ b/net/smc/smc_clc.c
+@@ -773,6 +773,11 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen,
+ SMC_CLC_RECV_BUF_LEN : datlen;
+ iov_iter_kvec(&msg.msg_iter, ITER_DEST, &vec, 1, recvlen);
+ len = sock_recvmsg(smc->clcsock, &msg, krflags);
++ if (len < recvlen) {
++ smc->sk.sk_err = EPROTO;
++ reason_code = -EPROTO;
++ goto out;
++ }
+ datlen -= len;
+ }
+ if (clcm->type == SMC_CLC_DECLINE) {
+--
+2.39.5
+
--- /dev/null
+From 060aed4b87242f6d1cadd25ff3500d77853a7ddc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2024 17:21:20 +0800
+Subject: net/smc: check smcd_v2_ext_offset when receiving proposal msg
+
+From: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+
+[ Upstream commit 9ab332deb671d8f7e66d82a2ff2b3f715bc3a4ad ]
+
+When receiving proposal msg in server, the field smcd_v2_ext_offset in
+proposal msg is from the remote client and can not be fully trusted.
+Once the value of smcd_v2_ext_offset exceed the max value, there has
+the chance to access wrong address, and crash may happen.
+
+This patch checks the value of smcd_v2_ext_offset before using it.
+
+Fixes: 5c21c4ccafe8 ("net/smc: determine accepted ISM devices")
+Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+Reviewed-by: Wen Gu <guwen@linux.alibaba.com>
+Reviewed-by: D. Wythe <alibuda@linux.alibaba.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c | 2 ++
+ net/smc/smc_clc.h | 8 +++++++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index 079ca4f1077d..0acf07538840 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -2154,6 +2154,8 @@ static void smc_find_ism_v2_device_serv(struct smc_sock *new_smc,
+ pclc_smcd = smc_get_clc_msg_smcd(pclc);
+ smc_v2_ext = smc_get_clc_v2_ext(pclc);
+ smcd_v2_ext = smc_get_clc_smcd_v2_ext(smc_v2_ext);
++ if (!pclc_smcd || !smc_v2_ext || !smcd_v2_ext)
++ goto not_found;
+
+ mutex_lock(&smcd_dev_list.mutex);
+ if (pclc_smcd->ism.chid) {
+diff --git a/net/smc/smc_clc.h b/net/smc/smc_clc.h
+index a3706300e04f..6e24d44de4a7 100644
+--- a/net/smc/smc_clc.h
++++ b/net/smc/smc_clc.h
+@@ -384,9 +384,15 @@ smc_get_clc_v2_ext(struct smc_clc_msg_proposal *prop)
+ static inline struct smc_clc_smcd_v2_extension *
+ smc_get_clc_smcd_v2_ext(struct smc_clc_v2_extension *prop_v2ext)
+ {
++ u16 max_offset = offsetof(struct smc_clc_msg_proposal_area, pclc_smcd_v2_ext) -
++ offsetof(struct smc_clc_msg_proposal_area, pclc_v2_ext) -
++ offsetof(struct smc_clc_v2_extension, hdr) -
++ offsetofend(struct smc_clnt_opts_area_hdr, smcd_v2_ext_offset);
++
+ if (!prop_v2ext)
+ return NULL;
+- if (!ntohs(prop_v2ext->hdr.smcd_v2_ext_offset))
++ if (!ntohs(prop_v2ext->hdr.smcd_v2_ext_offset) ||
++ ntohs(prop_v2ext->hdr.smcd_v2_ext_offset) > max_offset)
+ return NULL;
+
+ return (struct smc_clc_smcd_v2_extension *)
+--
+2.39.5
+
--- /dev/null
+From 1af083e47de7d30b292ac8788c1061b425c10f17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2024 17:21:17 +0800
+Subject: net/smc: check sndbuf_space again after NOSPACE flag is set in
+ smc_poll
+
+From: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+
+[ Upstream commit 679e9ddcf90dbdf98aaaa71a492454654b627bcb ]
+
+When application sending data more than sndbuf_space, there have chances
+application will sleep in epoll_wait, and will never be wakeup again. This
+is caused by a race between smc_poll and smc_cdc_tx_handler.
+
+application tasklet
+smc_tx_sendmsg(len > sndbuf_space) |
+epoll_wait for EPOLL_OUT,timeout=0 |
+ smc_poll |
+ if (!smc->conn.sndbuf_space) |
+ | smc_cdc_tx_handler
+ | atomic_add sndbuf_space
+ | smc_tx_sndbuf_nonfull
+ | if (!test_bit SOCK_NOSPACE)
+ | do not sk_write_space;
+ set_bit SOCK_NOSPACE; |
+ return mask=0; |
+
+Application will sleep in epoll_wait as smc_poll returns 0. And
+smc_cdc_tx_handler will not call sk_write_space because the SOCK_NOSPACE
+has not be set. If there is no inflight cdc msg, sk_write_space will not be
+called any more, and application will sleep in epoll_wait forever.
+So check sndbuf_space again after NOSPACE flag is set to break the race.
+
+Fixes: 8dce2786a290 ("net/smc: smc_poll improvements")
+Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+Suggested-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index 77c6c0dff069..06d607e676f6 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -2888,6 +2888,13 @@ static __poll_t smc_poll(struct file *file, struct socket *sock,
+ } else {
+ sk_set_bit(SOCKWQ_ASYNC_NOSPACE, sk);
+ set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
++
++ if (sk->sk_state != SMC_INIT) {
++ /* Race breaker the same way as tcp_poll(). */
++ smp_mb__after_atomic();
++ if (atomic_read(&smc->conn.sndbuf_space))
++ mask |= EPOLLOUT | EPOLLWRNORM;
++ }
+ }
+ if (atomic_read(&smc->conn.bytes_to_rcv))
+ mask |= EPOLLIN | EPOLLRDNORM;
+--
+2.39.5
+
--- /dev/null
+From 049816157874ef17ad4a5a13dbd40dea66cea9ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2024 17:21:19 +0800
+Subject: net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving
+ proposal msg
+
+From: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+
+[ Upstream commit 7863c9f3d24ba49dbead7e03dfbe40deb5888fdf ]
+
+When receiving proposal msg in server, the fields v2_ext_offset/
+eid_cnt/ism_gid_cnt in proposal msg are from the remote client
+and can not be fully trusted. Especially the field v2_ext_offset,
+once exceed the max value, there has the chance to access wrong
+address, and crash may happen.
+
+This patch checks the fields v2_ext_offset/eid_cnt/ism_gid_cnt
+before using them.
+
+Fixes: 8c3dca341aea ("net/smc: build and send V2 CLC proposal")
+Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+Reviewed-by: Wen Gu <guwen@linux.alibaba.com>
+Reviewed-by: D. Wythe <alibuda@linux.alibaba.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c | 3 ++-
+ net/smc/smc_clc.c | 8 +++++++-
+ net/smc/smc_clc.h | 8 +++++++-
+ 3 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index 8551e097ad33..079ca4f1077d 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -2283,7 +2283,8 @@ static void smc_find_rdma_v2_device_serv(struct smc_sock *new_smc,
+ goto not_found;
+
+ smc_v2_ext = smc_get_clc_v2_ext(pclc);
+- if (!smc_clc_match_eid(ini->negotiated_eid, smc_v2_ext, NULL, NULL))
++ if (!smc_v2_ext ||
++ !smc_clc_match_eid(ini->negotiated_eid, smc_v2_ext, NULL, NULL))
+ goto not_found;
+
+ /* prepare RDMA check */
+diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
+index b8fd64392209..286d6b19a1f1 100644
+--- a/net/smc/smc_clc.c
++++ b/net/smc/smc_clc.c
+@@ -352,7 +352,6 @@ static bool smc_clc_msg_prop_valid(struct smc_clc_msg_proposal *pclc)
+ struct smc_clc_msg_hdr *hdr = &pclc->hdr;
+ struct smc_clc_v2_extension *v2_ext;
+
+- v2_ext = smc_get_clc_v2_ext(pclc);
+ pclc_prfx = smc_clc_proposal_get_prefix(pclc);
+ if (!pclc_prfx ||
+ pclc_prfx->ipv6_prefixes_cnt > SMC_CLC_MAX_V6_PREFIX)
+@@ -369,6 +368,13 @@ static bool smc_clc_msg_prop_valid(struct smc_clc_msg_proposal *pclc)
+ sizeof(struct smc_clc_msg_trail))
+ return false;
+ } else {
++ v2_ext = smc_get_clc_v2_ext(pclc);
++ if ((hdr->typev2 != SMC_TYPE_N &&
++ (!v2_ext || v2_ext->hdr.eid_cnt > SMC_CLC_MAX_UEID)) ||
++ (smcd_indicated(hdr->typev2) &&
++ v2_ext->hdr.ism_gid_cnt > SMCD_CLC_MAX_V2_GID_ENTRIES))
++ return false;
++
+ if (ntohs(hdr->length) !=
+ sizeof(*pclc) +
+ sizeof(struct smc_clc_msg_smcd) +
+diff --git a/net/smc/smc_clc.h b/net/smc/smc_clc.h
+index eb843907c9d0..a3706300e04f 100644
+--- a/net/smc/smc_clc.h
++++ b/net/smc/smc_clc.h
+@@ -364,8 +364,14 @@ static inline struct smc_clc_v2_extension *
+ smc_get_clc_v2_ext(struct smc_clc_msg_proposal *prop)
+ {
+ struct smc_clc_msg_smcd *prop_smcd = smc_get_clc_msg_smcd(prop);
++ u16 max_offset;
+
+- if (!prop_smcd || !ntohs(prop_smcd->v2_ext_offset))
++ max_offset = offsetof(struct smc_clc_msg_proposal_area, pclc_v2_ext) -
++ offsetof(struct smc_clc_msg_proposal_area, pclc_smcd) -
++ offsetofend(struct smc_clc_msg_smcd, v2_ext_offset);
++
++ if (!prop_smcd || !ntohs(prop_smcd->v2_ext_offset) ||
++ ntohs(prop_smcd->v2_ext_offset) > max_offset)
+ return NULL;
+
+ return (struct smc_clc_v2_extension *)
+--
+2.39.5
+
--- /dev/null
+From 3c970c7c5ec9bfecaa629d93f03706798656b9f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2024 17:21:16 +0800
+Subject: net/smc: protect link down work from execute after lgr freed
+
+From: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+
+[ Upstream commit 2b33eb8f1b3e8c2f87cfdbc8cc117f6bdfabc6ec ]
+
+link down work may be scheduled before lgr freed but execute
+after lgr freed, which may result in crash. So it is need to
+hold a reference before shedule link down work, and put the
+reference after work executed or canceled.
+
+The relevant crash call stack as follows:
+ list_del corruption. prev->next should be ffffb638c9c0fe20,
+ but was 0000000000000000
+ ------------[ cut here ]------------
+ kernel BUG at lib/list_debug.c:51!
+ invalid opcode: 0000 [#1] SMP NOPTI
+ CPU: 6 PID: 978112 Comm: kworker/6:119 Kdump: loaded Tainted: G #1
+ Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 2221b89 04/01/2014
+ Workqueue: events smc_link_down_work [smc]
+ RIP: 0010:__list_del_entry_valid.cold+0x31/0x47
+ RSP: 0018:ffffb638c9c0fdd8 EFLAGS: 00010086
+ RAX: 0000000000000054 RBX: ffff942fb75e5128 RCX: 0000000000000000
+ RDX: ffff943520930aa0 RSI: ffff94352091fc80 RDI: ffff94352091fc80
+ RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb638c9c0fc38
+ R10: ffffb638c9c0fc30 R11: ffffffffa015eb28 R12: 0000000000000002
+ R13: ffffb638c9c0fe20 R14: 0000000000000001 R15: ffff942f9cd051c0
+ FS: 0000000000000000(0000) GS:ffff943520900000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f4f25214000 CR3: 000000025fbae004 CR4: 00000000007706e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ PKRU: 55555554
+ Call Trace:
+ rwsem_down_write_slowpath+0x17e/0x470
+ smc_link_down_work+0x3c/0x60 [smc]
+ process_one_work+0x1ac/0x350
+ worker_thread+0x49/0x2f0
+ ? rescuer_thread+0x360/0x360
+ kthread+0x118/0x140
+ ? __kthread_bind_mask+0x60/0x60
+ ret_from_fork+0x1f/0x30
+
+Fixes: 541afa10c126 ("net/smc: add smcr_port_err() and smcr_link_down() processing")
+Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+Reviewed-by: Tony Lu <tonylu@linux.alibaba.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_core.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c
+index 3d5c542cd231..3c626c014d1d 100644
+--- a/net/smc/smc_core.c
++++ b/net/smc/smc_core.c
+@@ -1767,7 +1767,9 @@ void smcr_link_down_cond_sched(struct smc_link *lnk)
+ {
+ if (smc_link_downing(&lnk->state)) {
+ trace_smcr_link_down(lnk, __builtin_return_address(0));
+- schedule_work(&lnk->link_down_wrk);
++ smcr_link_hold(lnk); /* smcr_link_put in link_down_wrk */
++ if (!schedule_work(&lnk->link_down_wrk))
++ smcr_link_put(lnk);
+ }
+ }
+
+@@ -1799,11 +1801,14 @@ static void smc_link_down_work(struct work_struct *work)
+ struct smc_link_group *lgr = link->lgr;
+
+ if (list_empty(&lgr->list))
+- return;
++ goto out;
+ wake_up_all(&lgr->llc_msg_waiter);
+ down_write(&lgr->llc_conf_mutex);
+ smcr_link_down(link);
+ up_write(&lgr->llc_conf_mutex);
++
++out:
++ smcr_link_put(link); /* smcr_link_hold by schedulers of link_down_work */
+ }
+
+ static int smc_vlan_by_tcpsk_walk(struct net_device *lower_dev,
+--
+2.39.5
+
--- /dev/null
+From ad4c455ee5d1346928091ad2de0ab6314aced84c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Dec 2024 17:25:18 +0000
+Subject: netdevsim: prevent bad user input in nsim_dev_health_break_write()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit ee76746387f6233bdfa93d7406990f923641568f ]
+
+If either a zero count or a large one is provided, kernel can crash.
+
+Fixes: 82c93a87bf8b ("netdevsim: implement couple of testing devlink health reporters")
+Reported-by: syzbot+ea40e4294e58b0292f74@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/675c6862.050a0220.37aaf.00b1.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: Joe Damato <jdamato@fastly.com>
+Link: https://patch.msgid.link/20241213172518.2415666-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/netdevsim/health.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/netdevsim/health.c b/drivers/net/netdevsim/health.c
+index eb04ed715d2d..c63427b71898 100644
+--- a/drivers/net/netdevsim/health.c
++++ b/drivers/net/netdevsim/health.c
+@@ -203,6 +203,8 @@ static ssize_t nsim_dev_health_break_write(struct file *file,
+ char *break_msg;
+ int err;
+
++ if (count == 0 || count > PAGE_SIZE)
++ return -EINVAL;
+ break_msg = memdup_user_nul(data, count);
+ if (IS_ERR(break_msg))
+ return PTR_ERR(break_msg);
+--
+2.39.5
+
--- /dev/null
+From 5dd878ba0d5fcab33a7d3cc1754eb6f0f6ddb303 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Dec 2024 20:56:55 +0100
+Subject: netfilter: ipset: Fix for recursive locking warning
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 70b6f46a4ed8bd56c85ffff22df91e20e8c85e33 ]
+
+With CONFIG_PROVE_LOCKING, when creating a set of type bitmap:ip, adding
+it to a set of type list:set and populating it from iptables SET target
+triggers a kernel warning:
+
+| WARNING: possible recursive locking detected
+| 6.12.0-rc7-01692-g5e9a28f41134-dirty #594 Not tainted
+| --------------------------------------------
+| ping/4018 is trying to acquire lock:
+| ffff8881094a6848 (&set->lock){+.-.}-{2:2}, at: ip_set_add+0x28c/0x360 [ip_set]
+|
+| but task is already holding lock:
+| ffff88811034c048 (&set->lock){+.-.}-{2:2}, at: ip_set_add+0x28c/0x360 [ip_set]
+
+This is a false alarm: ipset does not allow nested list:set type, so the
+loop in list_set_kadd() can never encounter the outer set itself. No
+other set type supports embedded sets, so this is the only case to
+consider.
+
+To avoid the false report, create a distinct lock class for list:set
+type ipset locks.
+
+Fixes: f830837f0eed ("netfilter: ipset: list:set set type support")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipset/ip_set_list_set.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c
+index bfae7066936b..db794fe1300e 100644
+--- a/net/netfilter/ipset/ip_set_list_set.c
++++ b/net/netfilter/ipset/ip_set_list_set.c
+@@ -611,6 +611,8 @@ init_list_set(struct net *net, struct ip_set *set, u32 size)
+ return true;
+ }
+
++static struct lock_class_key list_set_lockdep_key;
++
+ static int
+ list_set_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
+ u32 flags)
+@@ -627,6 +629,7 @@ list_set_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
+ if (size < IP_SET_LIST_MIN_SIZE)
+ size = IP_SET_LIST_MIN_SIZE;
+
++ lockdep_set_class(&set->lock, &list_set_lockdep_key);
+ set->variant = &set_variant;
+ set->dsize = ip_set_elem_len(set, tb, sizeof(struct set_elem),
+ __alignof__(struct set_elem));
+--
+2.39.5
+
--- /dev/null
+From 3f2e6f07b9c9c31ccdf0ad2e0242b87010ffb2b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Dec 2024 22:16:51 +0100
+Subject: selftests: openvswitch: fix tcpdump execution
+
+From: Adrian Moreno <amorenoz@redhat.com>
+
+[ Upstream commit a17975992cc11588767175247ccaae1213a8b582 ]
+
+Fix the way tcpdump is executed by:
+- Using the right variable for the namespace. Currently the use of the
+ empty "ns" makes the command fail.
+- Waiting until it starts to capture to ensure the interesting traffic
+ is caught on slow systems.
+- Using line-buffered output to ensure logs are available when the test
+ is paused with "-p". Otherwise the last chunk of data might only be
+ written when tcpdump is killed.
+
+Fixes: 74cc26f416b9 ("selftests: openvswitch: add interface support")
+Signed-off-by: Adrian Moreno <amorenoz@redhat.com>
+Acked-by: Eelco Chaudron <echaudro@redhat.com>
+Link: https://patch.msgid.link/20241217211652.483016-1-amorenoz@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/openvswitch/openvswitch.sh | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/net/openvswitch/openvswitch.sh b/tools/testing/selftests/net/openvswitch/openvswitch.sh
+index bab7436c6834..a0f4764ad0af 100755
+--- a/tools/testing/selftests/net/openvswitch/openvswitch.sh
++++ b/tools/testing/selftests/net/openvswitch/openvswitch.sh
+@@ -128,8 +128,10 @@ ovs_add_netns_and_veths () {
+ ovs_add_if "$1" "$2" "$4" -u || return 1
+ fi
+
+- [ $TRACING -eq 1 ] && ovs_netns_spawn_daemon "$1" "$ns" \
+- tcpdump -i any -s 65535
++ if [ $TRACING -eq 1 ]; then
++ ovs_netns_spawn_daemon "$1" "$3" tcpdump -l -i any -s 6553
++ ovs_wait grep -q "listening on any" ${ovs_dir}/stderr
++ fi
+
+ return 0
+ }
+--
+2.39.5
+
xfs-use-xfs_buf_daddr_null-for-daddrs-in-getfsmap-co.patch
xfs-take-m_growlock-when-running-growfsrt.patch
xfs-reset-rootdir-extent-size-hint-after-growfsrt.patch
+tools-hv-change-permissions-of-networkmanager-config.patch
+cxl-pci-fix-potential-bogus-return-value-upon-succes.patch
+cxl-region-fix-region-creation-for-greater-than-x2-s.patch
+net-smc-protect-link-down-work-from-execute-after-lg.patch
+net-smc-check-sndbuf_space-again-after-nospace-flag-.patch
+net-smc-check-iparea_offset-and-ipv6_prefixes_cnt-wh.patch
+net-smc-check-v2_ext_offset-eid_cnt-ism_gid_cnt-when.patch
+net-smc-check-smcd_v2_ext_offset-when-receiving-prop.patch
+net-smc-check-return-value-of-sock_recvmsg-when-drai.patch
+net-mscc-ocelot-fix-incorrect-ifh-src_port-field-in-.patch
+netdevsim-prevent-bad-user-input-in-nsim_dev_health_.patch
+ionic-fix-netdev-notifier-unregister-on-failure.patch
+ionic-use-ee-offset-when-returning-sprom-data.patch
+net-renesas-rswitch-rework-ts-tags-management.patch
+ksmbd-count-all-requests-in-req_running-counter.patch
+ksmbd-fix-broken-transfers-when-exceeding-max-simult.patch
+net-hinic-fix-cleanup-in-create_rxqs-txqs.patch
+net-ethernet-bgmac-platform-fix-an-of-node-reference.patch
+ipvs-fix-clamp-of-ip_vs_conn_tab-on-small-memory-sys.patch
+netfilter-ipset-fix-for-recursive-locking-warning.patch
+selftests-openvswitch-fix-tcpdump-execution.patch
+net-mdiobus-fix-an-of-node-reference-leak.patch
--- /dev/null
+From d7d1c3155ea6dbffb6b43a0544362647a510960f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2024 16:35:10 +0200
+Subject: tools: hv: change permissions of NetworkManager configuration file
+
+From: Olaf Hering <olaf@aepfle.de>
+
+[ Upstream commit 91ae69c7ed9e262f24240c425ad1eef2cf6639b7 ]
+
+Align permissions of the resulting .nmconnection file, instead of
+the input file from hv_kvp_daemon. To avoid the tiny time frame
+where the output file is world-readable, use umask instead of chmod.
+
+Fixes: 42999c904612 ("hv/hv_kvp_daemon:Support for keyfile based connection profile")
+Signed-off-by: Olaf Hering <olaf@aepfle.de>
+Reviewed-by: Shradha Gupta <shradhagupta@linux.microsoft.com>
+Link: https://lore.kernel.org/r/20241016143521.3735-1-olaf@aepfle.de
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Message-ID: <20241016143521.3735-1-olaf@aepfle.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/hv/hv_set_ifconfig.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/hv/hv_set_ifconfig.sh b/tools/hv/hv_set_ifconfig.sh
+index 440a91b35823..2f8baed2b8f7 100755
+--- a/tools/hv/hv_set_ifconfig.sh
++++ b/tools/hv/hv_set_ifconfig.sh
+@@ -81,7 +81,7 @@ echo "ONBOOT=yes" >> $1
+
+ cp $1 /etc/sysconfig/network-scripts/
+
+-chmod 600 $2
++umask 0177
+ interface=$(echo $2 | awk -F - '{ print $2 }')
+ filename="${2##*/}"
+
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
