Fixes for 4.19

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-4.19/af_unix-remove-put_pid-put_cred-in-copy_peercred.patch b/queue-4.19/af_unix-remove-put_pid-put_cred-in-copy_peercred.patch
new file mode 100644 (file)
index 0000000..0220157
--- /dev/null
+++ b/queue-4.19/af_unix-remove-put_pid-put_cred-in-copy_peercred.patch
@@ -0,0 +1,58 @@
+From 7c73b1f6112b34fa59ae87eef37a90332d1f339e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Jun 2024 13:56:22 -0700
+Subject: af_unix: Remove put_pid()/put_cred() in copy_peercred().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit e4bd881d987121dbf1a288641491955a53d9f8f7 ]
+
+When (AF_UNIX, SOCK_STREAM) socket connect()s to a listening socket,
+the listener's sk_peer_pid/sk_peer_cred are copied to the client in
+copy_peercred().
+
+Then, the client's sk_peer_pid and sk_peer_cred are always NULL, so
+we need not call put_pid() and put_cred() there.
+
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index dfcafbb8cd0e..24fb6f00f597 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -610,9 +610,6 @@ static void init_peercred(struct sock *sk)
+ 
+ static void copy_peercred(struct sock *sk, struct sock *peersk)
+ {
+-      const struct cred *old_cred;
+-      struct pid *old_pid;
+-
+       if (sk < peersk) {
+               spin_lock(&sk->sk_peer_lock);
+               spin_lock_nested(&peersk->sk_peer_lock, SINGLE_DEPTH_NESTING);
+@@ -620,16 +617,12 @@ static void copy_peercred(struct sock *sk, struct sock *peersk)
+               spin_lock(&peersk->sk_peer_lock);
+               spin_lock_nested(&sk->sk_peer_lock, SINGLE_DEPTH_NESTING);
+       }
+-      old_pid = sk->sk_peer_pid;
+-      old_cred = sk->sk_peer_cred;
++
+       sk->sk_peer_pid  = get_pid(peersk->sk_peer_pid);
+       sk->sk_peer_cred = get_cred(peersk->sk_peer_cred);
+ 
+       spin_unlock(&sk->sk_peer_lock);
+       spin_unlock(&peersk->sk_peer_lock);
+-
+-      put_pid(old_pid);
+-      put_cred(old_cred);
+ }
+ 
+ static int unix_listen(struct socket *sock, int backlog)
+-- 
+2.43.0
+

diff --git a/queue-4.19/alsa-hda-add-input-value-sanity-checks-to-hdmi-chann.patch b/queue-4.19/alsa-hda-add-input-value-sanity-checks-to-hdmi-chann.patch
new file mode 100644 (file)
index 0000000..1591958
--- /dev/null
+++ b/queue-4.19/alsa-hda-add-input-value-sanity-checks-to-hdmi-chann.patch
@@ -0,0 +1,61 @@
+From 3a12136c5addfaa0f6fd31ff1eac4c6246137dd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 Jun 2024 09:34:47 +0200
+Subject: ALSA: hda: Add input value sanity checks to HDMI channel map controls
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 6278056e42d953e207e2afd416be39d09ed2d496 ]
+
+Add a simple sanity check to HD-audio HDMI Channel Map controls.
+Although the value might not be accepted for the actual connection, we
+can filter out some bogus values beforehand, and that should be enough
+for making kselftest happier.
+
+Reviewed-by: Jaroslav Kysela <perex@perex.cz>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://lore.kernel.org/20240616073454.16512-7-tiwai@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/hdmi_chmap.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/sound/hda/hdmi_chmap.c b/sound/hda/hdmi_chmap.c
+index acbe61b8db7b..4463992d2102 100644
+--- a/sound/hda/hdmi_chmap.c
++++ b/sound/hda/hdmi_chmap.c
+@@ -752,6 +752,20 @@ static int hdmi_chmap_ctl_get(struct snd_kcontrol *kcontrol,
+       return 0;
+ }
+ 
++/* a simple sanity check for input values to chmap kcontrol */
++static int chmap_value_check(struct hdac_chmap *hchmap,
++                           const struct snd_ctl_elem_value *ucontrol)
++{
++      int i;
++
++      for (i = 0; i < hchmap->channels_max; i++) {
++              if (ucontrol->value.integer.value[i] < 0 ||
++                  ucontrol->value.integer.value[i] > SNDRV_CHMAP_LAST)
++                      return -EINVAL;
++      }
++      return 0;
++}
++
+ static int hdmi_chmap_ctl_put(struct snd_kcontrol *kcontrol,
+                             struct snd_ctl_elem_value *ucontrol)
+ {
+@@ -763,6 +777,10 @@ static int hdmi_chmap_ctl_put(struct snd_kcontrol *kcontrol,
+       unsigned char chmap[8], per_pin_chmap[8];
+       int i, err, ca, prepared = 0;
+ 
++      err = chmap_value_check(hchmap, ucontrol);
++      if (err < 0)
++              return err;
++
+       /* No monitor is connected in dyn_pcm_assign.
+        * It's invalid to setup the chmap
+        */
+-- 
+2.43.0
+

diff --git a/queue-4.19/ata-pata_macio-use-warn-instead-of-bug.patch b/queue-4.19/ata-pata_macio-use-warn-instead-of-bug.patch
new file mode 100644 (file)
index 0000000..239d47a
--- /dev/null
+++ b/queue-4.19/ata-pata_macio-use-warn-instead-of-bug.patch
@@ -0,0 +1,53 @@
+From eb3b81ebc6e21ee1490ef5ce6d7fd27bc9896dd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 13:04:07 +1000
+Subject: ata: pata_macio: Use WARN instead of BUG
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit d4bc0a264fb482b019c84fbc7202dd3cab059087 ]
+
+The overflow/underflow conditions in pata_macio_qc_prep() should never
+happen. But if they do there's no need to kill the system entirely, a
+WARN and failing the IO request should be sufficient and might allow the
+system to keep running.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/pata_macio.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ata/pata_macio.c b/drivers/ata/pata_macio.c
+index 765b99319d3c..7beb5dd9ff87 100644
+--- a/drivers/ata/pata_macio.c
++++ b/drivers/ata/pata_macio.c
+@@ -537,7 +537,8 @@ static enum ata_completion_errors pata_macio_qc_prep(struct ata_queued_cmd *qc)
+ 
+               while (sg_len) {
+                       /* table overflow should never happen */
+-                      BUG_ON (pi++ >= MAX_DCMDS);
++                      if (WARN_ON_ONCE(pi >= MAX_DCMDS))
++                              return AC_ERR_SYSTEM;
+ 
+                       len = (sg_len < MAX_DBDMA_SEG) ? sg_len : MAX_DBDMA_SEG;
+                       table->command = cpu_to_le16(write ? OUTPUT_MORE: INPUT_MORE);
+@@ -549,11 +550,13 @@ static enum ata_completion_errors pata_macio_qc_prep(struct ata_queued_cmd *qc)
+                       addr += len;
+                       sg_len -= len;
+                       ++table;
++                      ++pi;
+               }
+       }
+ 
+       /* Should never happen according to Tejun */
+-      BUG_ON(!pi);
++      if (WARN_ON_ONCE(!pi))
++              return AC_ERR_SYSTEM;
+ 
+       /* Convert the last command to an input/output */
+       table--;
+-- 
+2.43.0
+

diff --git a/queue-4.19/bridge-switchdev-allow-clearing-fdb-entry-offload-in.patch b/queue-4.19/bridge-switchdev-allow-clearing-fdb-entry-offload-in.patch
new file mode 100644 (file)
index 0000000..2d790ce
--- /dev/null
+++ b/queue-4.19/bridge-switchdev-allow-clearing-fdb-entry-offload-in.patch
@@ -0,0 +1,221 @@
+From 71bc0073585860561dd2f2e5de51a8e4806455ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Oct 2018 08:53:29 +0000
+Subject: bridge: switchdev: Allow clearing FDB entry offload indication
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit e9ba0fbc7dd23a74e77960c98c988f59a1ff75aa ]
+
+Currently, an FDB entry only ceases being offloaded when it is deleted.
+This changes with VxLAN encapsulation.
+
+Devices capable of performing VxLAN encapsulation usually have only one
+FDB table, unlike the software data path which has two - one in the
+bridge driver and another in the VxLAN driver.
+
+Therefore, bridge FDB entries pointing to a VxLAN device are only
+offloaded if there is a corresponding entry in the VxLAN FDB.
+
+Allow clearing the offload indication in case the corresponding entry
+was deleted from the VxLAN FDB.
+
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reviewed-by: Petr Machata <petrm@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: bee2ef946d31 ("net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c | 9 +++++----
+ drivers/net/ethernet/rocker/rocker_main.c                | 1 +
+ include/net/switchdev.h                                  | 3 ++-
+ net/bridge/br.c                                          | 4 ++--
+ net/bridge/br_fdb.c                                      | 4 ++--
+ net/bridge/br_private.h                                  | 2 +-
+ net/bridge/br_switchdev.c                                | 9 ++++++---
+ net/dsa/slave.c                                          | 1 +
+ 8 files changed, 20 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
+index 8d556eb37b7a..c0c73b76f6c7 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
+@@ -2072,12 +2072,13 @@ void mlxsw_sp_port_bridge_leave(struct mlxsw_sp_port *mlxsw_sp_port,
+ static void
+ mlxsw_sp_fdb_call_notifiers(enum switchdev_notifier_type type,
+                           const char *mac, u16 vid,
+-                          struct net_device *dev)
++                          struct net_device *dev, bool offloaded)
+ {
+       struct switchdev_notifier_fdb_info info;
+ 
+       info.addr = mac;
+       info.vid = vid;
++      info.offloaded = offloaded;
+       call_switchdev_notifiers(type, dev, &info.info);
+ }
+ 
+@@ -2129,7 +2130,7 @@ static void mlxsw_sp_fdb_notify_mac_process(struct mlxsw_sp *mlxsw_sp,
+       if (!do_notification)
+               return;
+       type = adding ? SWITCHDEV_FDB_ADD_TO_BRIDGE : SWITCHDEV_FDB_DEL_TO_BRIDGE;
+-      mlxsw_sp_fdb_call_notifiers(type, mac, vid, bridge_port->dev);
++      mlxsw_sp_fdb_call_notifiers(type, mac, vid, bridge_port->dev, adding);
+ 
+       return;
+ 
+@@ -2189,7 +2190,7 @@ static void mlxsw_sp_fdb_notify_mac_lag_process(struct mlxsw_sp *mlxsw_sp,
+       if (!do_notification)
+               return;
+       type = adding ? SWITCHDEV_FDB_ADD_TO_BRIDGE : SWITCHDEV_FDB_DEL_TO_BRIDGE;
+-      mlxsw_sp_fdb_call_notifiers(type, mac, vid, bridge_port->dev);
++      mlxsw_sp_fdb_call_notifiers(type, mac, vid, bridge_port->dev, adding);
+ 
+       return;
+ 
+@@ -2294,7 +2295,7 @@ static void mlxsw_sp_switchdev_event_work(struct work_struct *work)
+                       break;
+               mlxsw_sp_fdb_call_notifiers(SWITCHDEV_FDB_OFFLOADED,
+                                           fdb_info->addr,
+-                                          fdb_info->vid, dev);
++                                          fdb_info->vid, dev, true);
+               break;
+       case SWITCHDEV_FDB_DEL_TO_DEVICE:
+               fdb_info = &switchdev_work->fdb_info;
+diff --git a/drivers/net/ethernet/rocker/rocker_main.c b/drivers/net/ethernet/rocker/rocker_main.c
+index b13ab4eee4c7..7d81de57b6f4 100644
+--- a/drivers/net/ethernet/rocker/rocker_main.c
++++ b/drivers/net/ethernet/rocker/rocker_main.c
+@@ -2728,6 +2728,7 @@ rocker_fdb_offload_notify(struct rocker_port *rocker_port,
+ 
+       info.addr = recv_info->addr;
+       info.vid = recv_info->vid;
++      info.offloaded = true;
+       call_switchdev_notifiers(SWITCHDEV_FDB_OFFLOADED,
+                                rocker_port->dev, &info.info);
+ }
+diff --git a/include/net/switchdev.h b/include/net/switchdev.h
+index d574ce63bf22..435bb79925b2 100644
+--- a/include/net/switchdev.h
++++ b/include/net/switchdev.h
+@@ -155,7 +155,8 @@ struct switchdev_notifier_fdb_info {
+       struct switchdev_notifier_info info; /* must be first */
+       const unsigned char *addr;
+       u16 vid;
+-      bool added_by_user;
++      u8 added_by_user:1,
++         offloaded:1;
+ };
+ 
+ static inline struct net_device *
+diff --git a/net/bridge/br.c b/net/bridge/br.c
+index b0a0b82e2d91..a175f5557873 100644
+--- a/net/bridge/br.c
++++ b/net/bridge/br.c
+@@ -151,7 +151,7 @@ static int br_switchdev_event(struct notifier_block *unused,
+                       break;
+               }
+               br_fdb_offloaded_set(br, p, fdb_info->addr,
+-                                   fdb_info->vid);
++                                   fdb_info->vid, true);
+               break;
+       case SWITCHDEV_FDB_DEL_TO_BRIDGE:
+               fdb_info = ptr;
+@@ -163,7 +163,7 @@ static int br_switchdev_event(struct notifier_block *unused,
+       case SWITCHDEV_FDB_OFFLOADED:
+               fdb_info = ptr;
+               br_fdb_offloaded_set(br, p, fdb_info->addr,
+-                                   fdb_info->vid);
++                                   fdb_info->vid, fdb_info->offloaded);
+               break;
+       }
+ 
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index 1714f4e91fca..a659e7c4ee43 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -1156,7 +1156,7 @@ int br_fdb_external_learn_del(struct net_bridge *br, struct net_bridge_port *p,
+ }
+ 
+ void br_fdb_offloaded_set(struct net_bridge *br, struct net_bridge_port *p,
+-                        const unsigned char *addr, u16 vid)
++                        const unsigned char *addr, u16 vid, bool offloaded)
+ {
+       struct net_bridge_fdb_entry *fdb;
+ 
+@@ -1164,7 +1164,7 @@ void br_fdb_offloaded_set(struct net_bridge *br, struct net_bridge_port *p,
+ 
+       fdb = br_fdb_find(br, addr, vid);
+       if (fdb)
+-              fdb->offloaded = 1;
++              fdb->offloaded = offloaded;
+ 
+       spin_unlock_bh(&br->hash_lock);
+ }
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index 4e0c6f9d9c16..f5e258ca3043 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -565,7 +565,7 @@ int br_fdb_external_learn_del(struct net_bridge *br, struct net_bridge_port *p,
+                             const unsigned char *addr, u16 vid,
+                             bool swdev_notify);
+ void br_fdb_offloaded_set(struct net_bridge *br, struct net_bridge_port *p,
+-                        const unsigned char *addr, u16 vid);
++                        const unsigned char *addr, u16 vid, bool offloaded);
+ 
+ /* br_forward.c */
+ enum br_pkt_type {
+diff --git a/net/bridge/br_switchdev.c b/net/bridge/br_switchdev.c
+index d77f807420c4..b993df770675 100644
+--- a/net/bridge/br_switchdev.c
++++ b/net/bridge/br_switchdev.c
+@@ -103,7 +103,7 @@ int br_switchdev_set_port_flag(struct net_bridge_port *p,
+ static void
+ br_switchdev_fdb_call_notifiers(bool adding, const unsigned char *mac,
+                               u16 vid, struct net_device *dev,
+-                              bool added_by_user)
++                              bool added_by_user, bool offloaded)
+ {
+       struct switchdev_notifier_fdb_info info;
+       unsigned long notifier_type;
+@@ -111,6 +111,7 @@ br_switchdev_fdb_call_notifiers(bool adding, const unsigned char *mac,
+       info.addr = mac;
+       info.vid = vid;
+       info.added_by_user = added_by_user;
++      info.offloaded = offloaded;
+       notifier_type = adding ? SWITCHDEV_FDB_ADD_TO_DEVICE : SWITCHDEV_FDB_DEL_TO_DEVICE;
+       call_switchdev_notifiers(notifier_type, dev, &info.info);
+ }
+@@ -126,13 +127,15 @@ br_switchdev_fdb_notify(const struct net_bridge_fdb_entry *fdb, int type)
+               br_switchdev_fdb_call_notifiers(false, fdb->key.addr.addr,
+                                               fdb->key.vlan_id,
+                                               fdb->dst->dev,
+-                                              fdb->added_by_user);
++                                              fdb->added_by_user,
++                                              fdb->offloaded);
+               break;
+       case RTM_NEWNEIGH:
+               br_switchdev_fdb_call_notifiers(true, fdb->key.addr.addr,
+                                               fdb->key.vlan_id,
+                                               fdb->dst->dev,
+-                                              fdb->added_by_user);
++                                              fdb->added_by_user,
++                                              fdb->offloaded);
+               break;
+       }
+ }
+diff --git a/net/dsa/slave.c b/net/dsa/slave.c
+index f7c122357a96..9b74e439809f 100644
+--- a/net/dsa/slave.c
++++ b/net/dsa/slave.c
+@@ -1464,6 +1464,7 @@ static void dsa_slave_switchdev_event_work(struct work_struct *work)
+                       netdev_dbg(dev, "fdb add failed err=%d\n", err);
+                       break;
+               }
++              fdb_info->offloaded = true;
+               call_switchdev_notifiers(SWITCHDEV_FDB_OFFLOADED, dev,
+                                        &fdb_info->info);
+               break;
+-- 
+2.43.0
+

diff --git a/queue-4.19/btrfs-clean-up-our-handling-of-refs-0-in-snapshot-de.patch b/queue-4.19/btrfs-clean-up-our-handling-of-refs-0-in-snapshot-de.patch
new file mode 100644 (file)
index 0000000..e010221
--- /dev/null
+++ b/queue-4.19/btrfs-clean-up-our-handling-of-refs-0-in-snapshot-de.patch
@@ -0,0 +1,90 @@
+From e10df5bfd7212ca9487a51e9a10c268eaaed0a31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 May 2024 14:12:13 -0400
+Subject: btrfs: clean up our handling of refs == 0 in snapshot delete
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit b8ccef048354074a548f108e51d0557d6adfd3a3 ]
+
+In reada we BUG_ON(refs == 0), which could be unkind since we aren't
+holding a lock on the extent leaf and thus could get a transient
+incorrect answer.  In walk_down_proc we also BUG_ON(refs == 0), which
+could happen if we have extent tree corruption.  Change that to return
+-EUCLEAN.  In do_walk_down() we catch this case and handle it correctly,
+however we return -EIO, which -EUCLEAN is a more appropriate error code.
+Finally in walk_up_proc we have the same BUG_ON(refs == 0), so convert
+that to proper error handling.  Also adjust the error message so we can
+actually do something with the information.
+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/extent-tree.c | 28 +++++++++++++++++++++++-----
+ 1 file changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index 635d51c8098d..6b8ece5175ef 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -8409,7 +8409,15 @@ static noinline void reada_walk_down(struct btrfs_trans_handle *trans,
+               /* We don't care about errors in readahead. */
+               if (ret < 0)
+                       continue;
+-              BUG_ON(refs == 0);
++
++              /*
++               * This could be racey, it's conceivable that we raced and end
++               * up with a bogus refs count, if that's the case just skip, if
++               * we are actually corrupt we will notice when we look up
++               * everything again with our locks.
++               */
++              if (refs == 0)
++                      continue;
+ 
+               if (wc->stage == DROP_REFERENCE) {
+                       if (refs == 1)
+@@ -8476,7 +8484,11 @@ static noinline int walk_down_proc(struct btrfs_trans_handle *trans,
+               BUG_ON(ret == -ENOMEM);
+               if (ret)
+                       return ret;
+-              BUG_ON(wc->refs[level] == 0);
++              if (unlikely(wc->refs[level] == 0)) {
++                      btrfs_err(fs_info, "bytenr %llu has 0 references, expect > 0",
++                                eb->start);
++                      return -EUCLEAN;
++              }
+       }
+ 
+       if (wc->stage == DROP_REFERENCE) {
+@@ -8584,8 +8596,9 @@ static noinline int do_walk_down(struct btrfs_trans_handle *trans,
+               goto out_unlock;
+ 
+       if (unlikely(wc->refs[level - 1] == 0)) {
+-              btrfs_err(fs_info, "Missing references.");
+-              ret = -EIO;
++              btrfs_err(fs_info, "bytenr %llu has 0 references, expect > 0",
++                        bytenr);
++              ret = -EUCLEAN;
+               goto out_unlock;
+       }
+       *lookup_info = 0;
+@@ -8753,7 +8766,12 @@ static noinline int walk_up_proc(struct btrfs_trans_handle *trans,
+                               path->locks[level] = 0;
+                               return ret;
+                       }
+-                      BUG_ON(wc->refs[level] == 0);
++                      if (unlikely(wc->refs[level] == 0)) {
++                              btrfs_tree_unlock_rw(eb, path->locks[level]);
++                              btrfs_err(fs_info, "bytenr %llu has 0 references, expect > 0",
++                                        eb->start);
++                              return -EUCLEAN;
++                      }
+                       if (wc->refs[level] == 1) {
+                               btrfs_tree_unlock_rw(eb, path->locks[level]);
+                               path->locks[level] = 0;
+-- 
+2.43.0
+

diff --git a/queue-4.19/btrfs-initialize-location-to-fix-wmaybe-uninitialize.patch b/queue-4.19/btrfs-initialize-location-to-fix-wmaybe-uninitialize.patch
new file mode 100644 (file)
index 0000000..e7ba3ba
--- /dev/null
+++ b/queue-4.19/btrfs-initialize-location-to-fix-wmaybe-uninitialize.patch
@@ -0,0 +1,56 @@
+From d2744c2f15f98b9e94c2f6bf5890a0afa461fd2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 21:59:24 +0200
+Subject: btrfs: initialize location to fix -Wmaybe-uninitialized in
+ btrfs_lookup_dentry()
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit b8e947e9f64cac9df85a07672b658df5b2bcff07 ]
+
+Some arch + compiler combinations report a potentially unused variable
+location in btrfs_lookup_dentry(). This is a false alert as the variable
+is passed by value and always valid or there's an error. The compilers
+cannot probably reason about that although btrfs_inode_by_name() is in
+the same file.
+
+   >  + /kisskb/src/fs/btrfs/inode.c: error: 'location.objectid' may be used
+   +uninitialized in this function [-Werror=maybe-uninitialized]:  => 5603:9
+   >  + /kisskb/src/fs/btrfs/inode.c: error: 'location.type' may be used
+   +uninitialized in this function [-Werror=maybe-uninitialized]:  => 5674:5
+
+   m68k-gcc8/m68k-allmodconfig
+   mips-gcc8/mips-allmodconfig
+   powerpc-gcc5/powerpc-all{mod,yes}config
+   powerpc-gcc5/ppc64_defconfig
+
+Initialize it to zero, this should fix the warnings and won't change the
+behaviour as btrfs_inode_by_name() accepts only a root or inode item
+types, otherwise returns an error.
+
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/linux-btrfs/bd4e9928-17b3-9257-8ba7-6b7f9bbb639a@linux-m68k.org/
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 15ebebed4005..22059aa5eb26 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -5869,7 +5869,7 @@ struct inode *btrfs_lookup_dentry(struct inode *dir, struct dentry *dentry)
+       struct inode *inode;
+       struct btrfs_root *root = BTRFS_I(dir)->root;
+       struct btrfs_root *sub_root = root;
+-      struct btrfs_key location;
++      struct btrfs_key location = { 0 };
+       u8 di_type = 0;
+       int index;
+       int ret = 0;
+-- 
+2.43.0
+

diff --git a/queue-4.19/btrfs-replace-bug_on-with-assert-in-walk_down_proc.patch b/queue-4.19/btrfs-replace-bug_on-with-assert-in-walk_down_proc.patch
new file mode 100644 (file)
index 0000000..c2ef5b4
--- /dev/null
+++ b/queue-4.19/btrfs-replace-bug_on-with-assert-in-walk_down_proc.patch
@@ -0,0 +1,46 @@
+From ede6627af477cf92c6e10807d9e82d983c416d35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 May 2024 14:12:12 -0400
+Subject: btrfs: replace BUG_ON with ASSERT in walk_down_proc()
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit 1f9d44c0a12730a24f8bb75c5e1102207413cc9b ]
+
+We have a couple of areas where we check to make sure the tree block is
+locked before looking up or messing with references.  This is old code
+so it has this as BUG_ON().  Convert this to ASSERT() for developers.
+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/extent-tree.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index 51f21cd61422..635d51c8098d 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -8468,7 +8468,7 @@ static noinline int walk_down_proc(struct btrfs_trans_handle *trans,
+       if (lookup_info &&
+           ((wc->stage == DROP_REFERENCE && wc->refs[level] != 1) ||
+            (wc->stage == UPDATE_BACKREF && !(wc->flags[level] & flag)))) {
+-              BUG_ON(!path->locks[level]);
++              ASSERT(path->locks[level]);
+               ret = btrfs_lookup_extent_info(trans, fs_info,
+                                              eb->start, level, 1,
+                                              &wc->refs[level],
+@@ -8492,7 +8492,7 @@ static noinline int walk_down_proc(struct btrfs_trans_handle *trans,
+ 
+       /* wc->stage == UPDATE_BACKREF */
+       if (!(wc->flags[level] & flag)) {
+-              BUG_ON(!path->locks[level]);
++              ASSERT(path->locks[level]);
+               ret = btrfs_inc_ref(trans, root, eb, 1);
+               BUG_ON(ret); /* -ENOMEM */
+               ret = btrfs_dec_ref(trans, root, eb, 0);
+-- 
+2.43.0
+

diff --git a/queue-4.19/can-bcm-remove-proc-entry-when-dev-is-unregistered.patch b/queue-4.19/can-bcm-remove-proc-entry-when-dev-is-unregistered.patch
new file mode 100644 (file)
index 0000000..3a251e8
--- /dev/null
+++ b/queue-4.19/can-bcm-remove-proc-entry-when-dev-is-unregistered.patch
@@ -0,0 +1,99 @@
+From f06613b021bf39ff362d0aabb0851caf8374a56f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 12:28:42 -0700
+Subject: can: bcm: Remove proc entry when dev is unregistered.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 76fe372ccb81b0c89b6cd2fec26e2f38c958be85 ]
+
+syzkaller reported a warning in bcm_connect() below. [0]
+
+The repro calls connect() to vxcan1, removes vxcan1, and calls
+connect() with ifindex == 0.
+
+Calling connect() for a BCM socket allocates a proc entry.
+Then, bcm_sk(sk)->bound is set to 1 to prevent further connect().
+
+However, removing the bound device resets bcm_sk(sk)->bound to 0
+in bcm_notify().
+
+The 2nd connect() tries to allocate a proc entry with the same
+name and sets NULL to bcm_sk(sk)->bcm_proc_read, leaking the
+original proc entry.
+
+Since the proc entry is available only for connect()ed sockets,
+let's clean up the entry when the bound netdev is unregistered.
+
+[0]:
+proc_dir_entry 'can-bcm/2456' already registered
+WARNING: CPU: 1 PID: 394 at fs/proc/generic.c:376 proc_register+0x645/0x8f0 fs/proc/generic.c:375
+Modules linked in:
+CPU: 1 PID: 394 Comm: syz-executor403 Not tainted 6.10.0-rc7-g852e42cc2dd4
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
+RIP: 0010:proc_register+0x645/0x8f0 fs/proc/generic.c:375
+Code: 00 00 00 00 00 48 85 ed 0f 85 97 02 00 00 4d 85 f6 0f 85 9f 02 00 00 48 c7 c7 9b cb cf 87 48 89 de 4c 89 fa e8 1c 6f eb fe 90 <0f> 0b 90 90 48 c7 c7 98 37 99 89 e8 cb 7e 22 05 bb 00 00 00 10 48
+RSP: 0018:ffa0000000cd7c30 EFLAGS: 00010246
+RAX: 9e129be1950f0200 RBX: ff1100011b51582c RCX: ff1100011857cd80
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
+RBP: 0000000000000000 R08: ffd400000000000f R09: ff1100013e78cac0
+R10: ffac800000cd7980 R11: ff1100013e12b1f0 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: ff1100011a99a2ec
+FS:  00007fbd7086f740(0000) GS:ff1100013fd00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000200071c0 CR3: 0000000118556004 CR4: 0000000000771ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ <TASK>
+ proc_create_net_single+0x144/0x210 fs/proc/proc_net.c:220
+ bcm_connect+0x472/0x840 net/can/bcm.c:1673
+ __sys_connect_file net/socket.c:2049 [inline]
+ __sys_connect+0x5d2/0x690 net/socket.c:2066
+ __do_sys_connect net/socket.c:2076 [inline]
+ __se_sys_connect net/socket.c:2073 [inline]
+ __x64_sys_connect+0x8f/0x100 net/socket.c:2073
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xd9/0x1c0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+RIP: 0033:0x7fbd708b0e5d
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
+RSP: 002b:00007fff8cd33f08 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fbd708b0e5d
+RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 0000000000000040 R09: 0000000000000040
+R10: 0000000000000040 R11: 0000000000000246 R12: 00007fff8cd34098
+R13: 0000000000401280 R14: 0000000000406de8 R15: 00007fbd70ab9000
+ </TASK>
+remove_proc_entry: removing non-empty directory 'net/can-bcm', leaking at least '2456'
+
+Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/all/20240722192842.37421-1-kuniyu@amazon.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/bcm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 1c9953c68f09..095f68536c14 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -1422,6 +1422,10 @@ static void bcm_notify(struct bcm_sock *bo, unsigned long msg,
+ 
+               /* remove device reference, if this is our bound device */
+               if (bo->bound && bo->ifindex == dev->ifindex) {
++#if IS_ENABLED(CONFIG_PROC_FS)
++                      if (sock_net(sk)->can.bcmproc_dir && bo->bcm_proc_read)
++                              remove_proc_entry(bo->procname, sock_net(sk)->can.bcmproc_dir);
++#endif
+                       bo->bound   = 0;
+                       bo->ifindex = 0;
+                       notify_enodev = 1;
+-- 
+2.43.0
+

diff --git a/queue-4.19/cgroup-protect-css-cgroup-write-under-css_set_lock.patch b/queue-4.19/cgroup-protect-css-cgroup-write-under-css_set_lock.patch
new file mode 100644 (file)
index 0000000..57f419d
--- /dev/null
+++ b/queue-4.19/cgroup-protect-css-cgroup-write-under-css_set_lock.patch
@@ -0,0 +1,45 @@
+From a0bded996c9cec5a6645def0c0f9117be38e55ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jul 2024 14:52:29 -0400
+Subject: cgroup: Protect css->cgroup write under css_set_lock
+
+From: Waiman Long <longman@redhat.com>
+
+[ Upstream commit 57b56d16800e8961278ecff0dc755d46c4575092 ]
+
+The writing of css->cgroup associated with the cgroup root in
+rebind_subsystems() is currently protected only by cgroup_mutex.
+However, the reading of css->cgroup in both proc_cpuset_show() and
+proc_cgroup_show() is protected just by css_set_lock. That makes the
+readers susceptible to racing problems like data tearing or caching.
+It is also a problem that can be reported by KCSAN.
+
+This can be fixed by using READ_ONCE() and WRITE_ONCE() to access
+css->cgroup. Alternatively, the writing of css->cgroup can be moved
+under css_set_lock as well which is done by this patch.
+
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cgroup/cgroup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
+index 6322b56529e9..30c058806702 100644
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -1712,9 +1712,9 @@ int rebind_subsystems(struct cgroup_root *dst_root, u16 ss_mask)
+               RCU_INIT_POINTER(scgrp->subsys[ssid], NULL);
+               rcu_assign_pointer(dcgrp->subsys[ssid], css);
+               ss->root = dst_root;
+-              css->cgroup = dcgrp;
+ 
+               spin_lock_irq(&css_set_lock);
++              css->cgroup = dcgrp;
+               WARN_ON(!list_empty(&dcgrp->e_csets[ss->id]));
+               list_for_each_entry_safe(cset, cset_pos, &scgrp->e_csets[ss->id],
+                                        e_cset_node[ss->id]) {
+-- 
+2.43.0
+

diff --git a/queue-4.19/cx82310_eth-re-enable-ethernet-mode-after-router-reb.patch b/queue-4.19/cx82310_eth-re-enable-ethernet-mode-after-router-reb.patch
new file mode 100644 (file)
index 0000000..c61d233
--- /dev/null
+++ b/queue-4.19/cx82310_eth-re-enable-ethernet-mode-after-router-reb.patch
@@ -0,0 +1,146 @@
+From 01914725d5d1c61e812869bf0142c8e1cbf73ca0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Oct 2020 16:00:46 +0200
+Subject: cx82310_eth: re-enable ethernet mode after router reboot
+
+From: Ondrej Zary <linux@zary.sk>
+
+[ Upstream commit ca139d76b0d9e59d18f2d2ec8f0d81b82acd6808 ]
+
+When the router is rebooted without a power cycle, the USB device
+remains connected but its configuration is reset. This results in
+a non-working ethernet connection with messages like this in syslog:
+       usb 2-2: RX packet too long: 65535 B
+
+Re-enable ethernet mode when receiving a packet with invalid size of
+0xffff.
+
+Signed-off-by: Ondrej Zary <linux@zary.sk>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: bab8eb0dd4cb ("usbnet: modern method to get random MAC")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/cx82310_eth.c | 50 ++++++++++++++++++++++++++++++-----
+ 1 file changed, 44 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/usb/cx82310_eth.c b/drivers/net/usb/cx82310_eth.c
+index dfbdea22fbad..6a9a5e540b09 100644
+--- a/drivers/net/usb/cx82310_eth.c
++++ b/drivers/net/usb/cx82310_eth.c
+@@ -52,6 +52,11 @@ enum cx82310_status {
+ #define CX82310_MTU   1514
+ #define CMD_EP                0x01
+ 
++struct cx82310_priv {
++      struct work_struct reenable_work;
++      struct usbnet *dev;
++};
++
+ /*
+  * execute control command
+  *  - optionally send some data (command parameters)
+@@ -127,6 +132,23 @@ static int cx82310_cmd(struct usbnet *dev, enum cx82310_cmd cmd, bool reply,
+       return ret;
+ }
+ 
++static int cx82310_enable_ethernet(struct usbnet *dev)
++{
++      int ret = cx82310_cmd(dev, CMD_ETHERNET_MODE, true, "\x01", 1, NULL, 0);
++
++      if (ret)
++              netdev_err(dev->net, "unable to enable ethernet mode: %d\n",
++                         ret);
++      return ret;
++}
++
++static void cx82310_reenable_work(struct work_struct *work)
++{
++      struct cx82310_priv *priv = container_of(work, struct cx82310_priv,
++                                               reenable_work);
++      cx82310_enable_ethernet(priv->dev);
++}
++
+ #define partial_len   data[0]         /* length of partial packet data */
+ #define partial_rem   data[1]         /* remaining (missing) data length */
+ #define partial_data  data[2]         /* partial packet data */
+@@ -138,6 +160,7 @@ static int cx82310_bind(struct usbnet *dev, struct usb_interface *intf)
+       struct usb_device *udev = dev->udev;
+       u8 link[3];
+       int timeout = 50;
++      struct cx82310_priv *priv;
+ 
+       /* avoid ADSL modems - continue only if iProduct is "USB NET CARD" */
+       if (usb_string(udev, udev->descriptor.iProduct, buf, sizeof(buf)) > 0
+@@ -164,6 +187,15 @@ static int cx82310_bind(struct usbnet *dev, struct usb_interface *intf)
+       if (!dev->partial_data)
+               return -ENOMEM;
+ 
++      priv = kzalloc(sizeof(*priv), GFP_KERNEL);
++      if (!priv) {
++              ret = -ENOMEM;
++              goto err_partial;
++      }
++      dev->driver_priv = priv;
++      INIT_WORK(&priv->reenable_work, cx82310_reenable_work);
++      priv->dev = dev;
++
+       /* wait for firmware to become ready (indicated by the link being up) */
+       while (--timeout) {
+               ret = cx82310_cmd(dev, CMD_GET_LINK_STATUS, true, NULL, 0,
+@@ -180,12 +212,8 @@ static int cx82310_bind(struct usbnet *dev, struct usb_interface *intf)
+       }
+ 
+       /* enable ethernet mode (?) */
+-      ret = cx82310_cmd(dev, CMD_ETHERNET_MODE, true, "\x01", 1, NULL, 0);
+-      if (ret) {
+-              dev_err(&udev->dev, "unable to enable ethernet mode: %d\n",
+-                      ret);
++      if (cx82310_enable_ethernet(dev))
+               goto err;
+-      }
+ 
+       /* get the MAC address */
+       ret = cx82310_cmd(dev, CMD_GET_MAC_ADDR, true, NULL, 0,
+@@ -202,13 +230,19 @@ static int cx82310_bind(struct usbnet *dev, struct usb_interface *intf)
+ 
+       return 0;
+ err:
++      kfree(dev->driver_priv);
++err_partial:
+       kfree((void *)dev->partial_data);
+       return ret;
+ }
+ 
+ static void cx82310_unbind(struct usbnet *dev, struct usb_interface *intf)
+ {
++      struct cx82310_priv *priv = dev->driver_priv;
++
+       kfree((void *)dev->partial_data);
++      cancel_work_sync(&priv->reenable_work);
++      kfree(dev->driver_priv);
+ }
+ 
+ /*
+@@ -223,6 +257,7 @@ static int cx82310_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ {
+       int len;
+       struct sk_buff *skb2;
++      struct cx82310_priv *priv = dev->driver_priv;
+ 
+       /*
+        * If the last skb ended with an incomplete packet, this skb contains
+@@ -257,7 +292,10 @@ static int cx82310_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+                       break;
+               }
+ 
+-              if (len > CX82310_MTU) {
++              if (len == 0xffff) {
++                      netdev_info(dev->net, "router was rebooted, re-enabling ethernet mode");
++                      schedule_work(&priv->reenable_work);
++              } else if (len > CX82310_MTU) {
+                       dev_err(&dev->udev->dev, "RX packet too long: %d B\n",
+                               len);
+                       return 0;
+-- 
+2.43.0
+

diff --git a/queue-4.19/devres-initialize-an-uninitialized-struct-member.patch b/queue-4.19/devres-initialize-an-uninitialized-struct-member.patch
new file mode 100644 (file)
index 0000000..068137c
--- /dev/null
+++ b/queue-4.19/devres-initialize-an-uninitialized-struct-member.patch
@@ -0,0 +1,35 @@
+From c8c191dd6b56e7d328f4635bf7830e331908daab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 22:51:52 +0800
+Subject: devres: Initialize an uninitialized struct member
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+[ Upstream commit 56a20ad349b5c51909cf8810f7c79b288864ad33 ]
+
+Initialize an uninitialized struct member for driver API
+devres_open_group().
+
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/1719931914-19035-4-git-send-email-quic_zijuhu@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/devres.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/base/devres.c b/drivers/base/devres.c
+index a64f70a62e28..f9e5deb72db6 100644
+--- a/drivers/base/devres.c
++++ b/drivers/base/devres.c
+@@ -559,6 +559,7 @@ void * devres_open_group(struct device *dev, void *id, gfp_t gfp)
+       grp->id = grp;
+       if (id)
+               grp->id = id;
++      grp->color = 0;
+ 
+       spin_lock_irqsave(&dev->devres_lock, flags);
+       add_dr(dev, &grp->node[0]);
+-- 
+2.43.0
+

diff --git a/queue-4.19/drivers-net-usb-remove-all-strcpy-uses.patch b/queue-4.19/drivers-net-usb-remove-all-strcpy-uses.patch
new file mode 100644 (file)
index 0000000..16bc247
--- /dev/null
+++ b/queue-4.19/drivers-net-usb-remove-all-strcpy-uses.patch
@@ -0,0 +1,68 @@
+From efc299d391cc20499434c54bdde3de33e429b0b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Aug 2021 19:12:26 +0200
+Subject: drivers/net/usb: Remove all strcpy() uses
+
+From: Len Baker <len.baker@gmx.com>
+
+[ Upstream commit 493c3ca6bd754d8587604496eb814f72e933075d ]
+
+strcpy() performs no bounds checking on the destination buffer. This
+could result in linear overflows beyond the end of the buffer, leading
+to all kinds of misbehaviors. The safe replacement is strscpy().
+
+Signed-off-by: Len Baker <len.baker@gmx.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: bab8eb0dd4cb ("usbnet: modern method to get random MAC")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/ipheth.c | 2 +-
+ drivers/net/usb/usbnet.c | 8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c
+index cea005cc7b2a..5e8fd2aa1888 100644
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -497,7 +497,7 @@ static int ipheth_probe(struct usb_interface *intf,
+ 
+       netdev->netdev_ops = &ipheth_netdev_ops;
+       netdev->watchdog_timeo = IPHETH_TX_TIMEOUT;
+-      strcpy(netdev->name, "eth%d");
++      strscpy(netdev->name, "eth%d", sizeof(netdev->name));
+ 
+       dev = netdev_priv(netdev);
+       dev->udev = udev;
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index f7f037b399a7..8065af844410 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1722,7 +1722,7 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod)
+       dev->interrupt_count = 0;
+ 
+       dev->net = net;
+-      strcpy (net->name, "usb%d");
++      strscpy(net->name, "usb%d", sizeof(net->name));
+       memcpy (net->dev_addr, node_id, sizeof node_id);
+ 
+       /* rx and tx sides can use different message sizes;
+@@ -1749,13 +1749,13 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod)
+               if ((dev->driver_info->flags & FLAG_ETHER) != 0 &&
+                   ((dev->driver_info->flags & FLAG_POINTTOPOINT) == 0 ||
+                    (net->dev_addr [0] & 0x02) == 0))
+-                      strcpy (net->name, "eth%d");
++                      strscpy(net->name, "eth%d", sizeof(net->name));
+               /* WLAN devices should always be named "wlan%d" */
+               if ((dev->driver_info->flags & FLAG_WLAN) != 0)
+-                      strcpy(net->name, "wlan%d");
++                      strscpy(net->name, "wlan%d", sizeof(net->name));
+               /* WWAN devices should always be named "wwan%d" */
+               if ((dev->driver_info->flags & FLAG_WWAN) != 0)
+-                      strcpy(net->name, "wwan%d");
++                      strscpy(net->name, "wwan%d", sizeof(net->name));
+ 
+               /* devices that cannot do ARP */
+               if ((dev->driver_info->flags & FLAG_NOARP) != 0)
+-- 
+2.43.0
+

diff --git a/queue-4.19/hid-cougar-fix-slab-out-of-bounds-read-in-cougar_rep.patch b/queue-4.19/hid-cougar-fix-slab-out-of-bounds-read-in-cougar_rep.patch
new file mode 100644 (file)
index 0000000..952e0da
--- /dev/null
+++ b/queue-4.19/hid-cougar-fix-slab-out-of-bounds-read-in-cougar_rep.patch
@@ -0,0 +1,38 @@
+From 24d17d1dc590adfda223967dd8bf3e7904c4ac8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jul 2024 19:42:43 -0400
+Subject: HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup
+
+From: Camila Alvarez <cam.alvarez.i@gmail.com>
+
+[ Upstream commit a6e9c391d45b5865b61e569146304cff72821a5d ]
+
+report_fixup for the Cougar 500k Gaming Keyboard was not verifying
+that the report descriptor size was correct before accessing it
+
+Reported-by: syzbot+24c0361074799d02c452@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=24c0361074799d02c452
+Signed-off-by: Camila Alvarez <cam.alvarez.i@gmail.com>
+Reviewed-by: Silvan Jegen <s.jegen@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-cougar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-cougar.c b/drivers/hid/hid-cougar.c
+index ad2e87de7dc5..d58a108a96c0 100644
+--- a/drivers/hid/hid-cougar.c
++++ b/drivers/hid/hid-cougar.c
+@@ -104,7 +104,7 @@ static void cougar_fix_g6_mapping(struct hid_device *hdev)
+ static __u8 *cougar_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+                                unsigned int *rsize)
+ {
+-      if (rdesc[2] == 0x09 && rdesc[3] == 0x02 &&
++      if (*rsize >= 117 && rdesc[2] == 0x09 && rdesc[3] == 0x02 &&
+           (rdesc[115] | rdesc[116] << 8) >= HID_MAX_USAGES) {
+               hid_info(hdev,
+                       "usage count exceeds max: fixing up report descriptor\n");
+-- 
+2.43.0
+

diff --git a/queue-4.19/hwmon-adc128d818-fix-underflows-seen-when-writing-li.patch b/queue-4.19/hwmon-adc128d818-fix-underflows-seen-when-writing-li.patch
new file mode 100644 (file)
index 0000000..68c648f
--- /dev/null
+++ b/queue-4.19/hwmon-adc128d818-fix-underflows-seen-when-writing-li.patch
@@ -0,0 +1,44 @@
+From 7cb38035c940e0065b58fa9d17c6d5cc329e9e03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Jul 2024 23:43:04 -0700
+Subject: hwmon: (adc128d818) Fix underflows seen when writing limit attributes
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 8cad724c8537fe3e0da8004646abc00290adae40 ]
+
+DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large
+negative number such as -9223372036854775808 is provided by the user.
+Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/adc128d818.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/adc128d818.c b/drivers/hwmon/adc128d818.c
+index bd2ca315c9d8..5abb28cd81bf 100644
+--- a/drivers/hwmon/adc128d818.c
++++ b/drivers/hwmon/adc128d818.c
+@@ -184,7 +184,7 @@ static ssize_t adc128_set_in(struct device *dev, struct device_attribute *attr,
+ 
+       mutex_lock(&data->update_lock);
+       /* 10 mV LSB on limit registers */
+-      regval = clamp_val(DIV_ROUND_CLOSEST(val, 10), 0, 255);
++      regval = DIV_ROUND_CLOSEST(clamp_val(val, 0, 2550), 10);
+       data->in[index][nr] = regval << 4;
+       reg = index == 1 ? ADC128_REG_IN_MIN(nr) : ADC128_REG_IN_MAX(nr);
+       i2c_smbus_write_byte_data(data->client, reg, regval);
+@@ -222,7 +222,7 @@ static ssize_t adc128_set_temp(struct device *dev,
+               return err;
+ 
+       mutex_lock(&data->update_lock);
+-      regval = clamp_val(DIV_ROUND_CLOSEST(val, 1000), -128, 127);
++      regval = DIV_ROUND_CLOSEST(clamp_val(val, -128000, 127000), 1000);
+       data->temp[index] = regval << 1;
+       i2c_smbus_write_byte_data(data->client,
+                                 index == 1 ? ADC128_REG_TEMP_MAX
+-- 
+2.43.0
+

diff --git a/queue-4.19/hwmon-lm95234-fix-underflows-seen-when-writing-limit.patch b/queue-4.19/hwmon-lm95234-fix-underflows-seen-when-writing-limit.patch
new file mode 100644 (file)
index 0000000..b848906
--- /dev/null
+++ b/queue-4.19/hwmon-lm95234-fix-underflows-seen-when-writing-limit.patch
@@ -0,0 +1,63 @@
+From eb0a221d0a2ecdf526ac4769a9f59999fa109e0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Jul 2024 23:48:42 -0700
+Subject: hwmon: (lm95234) Fix underflows seen when writing limit attributes
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit af64e3e1537896337405f880c1e9ac1f8c0c6198 ]
+
+DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large
+negative number such as -9223372036854775808 is provided by the user.
+Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/lm95234.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/hwmon/lm95234.c b/drivers/hwmon/lm95234.c
+index c7fcc9e7f57a..13912ac7c69f 100644
+--- a/drivers/hwmon/lm95234.c
++++ b/drivers/hwmon/lm95234.c
+@@ -310,7 +310,8 @@ static ssize_t set_tcrit2(struct device *dev, struct device_attribute *attr,
+       if (ret < 0)
+               return ret;
+ 
+-      val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, index ? 255 : 127);
++      val = DIV_ROUND_CLOSEST(clamp_val(val, 0, (index ? 255 : 127) * 1000),
++                              1000);
+ 
+       mutex_lock(&data->update_lock);
+       data->tcrit2[index] = val;
+@@ -359,7 +360,7 @@ static ssize_t set_tcrit1(struct device *dev, struct device_attribute *attr,
+       if (ret < 0)
+               return ret;
+ 
+-      val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 255);
++      val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 255000), 1000);
+ 
+       mutex_lock(&data->update_lock);
+       data->tcrit1[index] = val;
+@@ -400,7 +401,7 @@ static ssize_t set_tcrit1_hyst(struct device *dev,
+       if (ret < 0)
+               return ret;
+ 
+-      val = DIV_ROUND_CLOSEST(val, 1000);
++      val = DIV_ROUND_CLOSEST(clamp_val(val, -255000, 255000), 1000);
+       val = clamp_val((int)data->tcrit1[index] - val, 0, 31);
+ 
+       mutex_lock(&data->update_lock);
+@@ -440,7 +441,7 @@ static ssize_t set_offset(struct device *dev, struct device_attribute *attr,
+               return ret;
+ 
+       /* Accuracy is 1/2 degrees C */
+-      val = clamp_val(DIV_ROUND_CLOSEST(val, 500), -128, 127);
++      val = DIV_ROUND_CLOSEST(clamp_val(val, -64000, 63500), 500);
+ 
+       mutex_lock(&data->update_lock);
+       data->toffset[index] = val;
+-- 
+2.43.0
+

diff --git a/queue-4.19/hwmon-nct6775-core-fix-underflows-seen-when-writing-.patch b/queue-4.19/hwmon-nct6775-core-fix-underflows-seen-when-writing-.patch
new file mode 100644 (file)
index 0000000..191714d
--- /dev/null
+++ b/queue-4.19/hwmon-nct6775-core-fix-underflows-seen-when-writing-.patch
@@ -0,0 +1,36 @@
+From c6d7ec84788dd80d1d643d985179ea84d9539315 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Jul 2024 23:50:08 -0700
+Subject: hwmon: (nct6775-core) Fix underflows seen when writing limit
+ attributes
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 0403e10bf0824bf0ec2bb135d4cf1c0cc3bf4bf0 ]
+
+DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large
+negative number such as -9223372036854775808 is provided by the user.
+Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/nct6775.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/nct6775.c b/drivers/hwmon/nct6775.c
+index 559101a1c136..23581dc62246 100644
+--- a/drivers/hwmon/nct6775.c
++++ b/drivers/hwmon/nct6775.c
+@@ -2264,7 +2264,7 @@ store_temp_offset(struct device *dev, struct device_attribute *attr,
+       if (err < 0)
+               return err;
+ 
+-      val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), -128, 127);
++      val = DIV_ROUND_CLOSEST(clamp_val(val, -128000, 127000), 1000);
+ 
+       mutex_lock(&data->update_lock);
+       data->temp_offset[nr] = val;
+-- 
+2.43.0
+

diff --git a/queue-4.19/hwmon-w83627ehf-fix-underflows-seen-when-writing-lim.patch b/queue-4.19/hwmon-w83627ehf-fix-underflows-seen-when-writing-lim.patch
new file mode 100644 (file)
index 0000000..f341ba0
--- /dev/null
+++ b/queue-4.19/hwmon-w83627ehf-fix-underflows-seen-when-writing-lim.patch
@@ -0,0 +1,44 @@
+From aa56abda1b37c777d7fddf9f32d1b194ecbf7aaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Jul 2024 23:51:34 -0700
+Subject: hwmon: (w83627ehf) Fix underflows seen when writing limit attributes
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 5c1de37969b7bc0abcb20b86e91e70caebbd4f89 ]
+
+DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large
+negative number such as -9223372036854775808 is provided by the user.
+Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/w83627ehf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/w83627ehf.c b/drivers/hwmon/w83627ehf.c
+index ad68b6d9ff17..8da5f77b8987 100644
+--- a/drivers/hwmon/w83627ehf.c
++++ b/drivers/hwmon/w83627ehf.c
+@@ -1519,7 +1519,7 @@ store_target_temp(struct device *dev, struct device_attribute *attr,
+       if (err < 0)
+               return err;
+ 
+-      val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 127);
++      val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 127000), 1000);
+ 
+       mutex_lock(&data->update_lock);
+       data->target_temp[nr] = val;
+@@ -1545,7 +1545,7 @@ store_tolerance(struct device *dev, struct device_attribute *attr,
+               return err;
+ 
+       /* Limit the temp to 0C - 15C */
+-      val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 15);
++      val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 15000), 1000);
+ 
+       mutex_lock(&data->update_lock);
+       if (sio_data->kind == nct6775 || sio_data->kind == nct6776) {
+-- 
+2.43.0
+

diff --git a/queue-4.19/igb-fix-not-clearing-timesync-interrupts-for-82580.patch b/queue-4.19/igb-fix-not-clearing-timesync-interrupts-for-82580.patch
new file mode 100644 (file)
index 0000000..c7a443e
--- /dev/null
+++ b/queue-4.19/igb-fix-not-clearing-timesync-interrupts-for-82580.patch
@@ -0,0 +1,70 @@
+From 0b11af75acf01db075cd27f7e0cde5c58fc816dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Aug 2024 21:55:53 -0700
+Subject: igb: Fix not clearing TimeSync interrupts for 82580
+
+From: Daiwei Li <daiweili@google.com>
+
+[ Upstream commit ba8cf80724dbc09825b52498e4efacb563935408 ]
+
+82580 NICs have a hardware bug that makes it
+necessary to write into the TSICR (TimeSync Interrupt Cause) register
+to clear it:
+https://lore.kernel.org/all/CDCB8BE0.1EC2C%25matthew.vick@intel.com/
+
+Add a conditional so only for 82580 we write into the TSICR register,
+so we don't risk losing events for other models.
+
+Without this change, when running ptp4l with an Intel 82580 card,
+I get the following output:
+
+> timed out while polling for tx timestamp increasing tx_timestamp_timeout or
+> increasing kworker priority may correct this issue, but a driver bug likely
+> causes it
+
+This goes away with this change.
+
+This (partially) reverts commit ee14cc9ea19b ("igb: Fix missing time sync events").
+
+Fixes: ee14cc9ea19b ("igb: Fix missing time sync events")
+Closes: https://lore.kernel.org/intel-wired-lan/CAN0jFd1kO0MMtOh8N2Ztxn6f7vvDKp2h507sMryobkBKe=xk=w@mail.gmail.com/
+Tested-by: Daiwei Li <daiweili@google.com>
+Suggested-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Signed-off-by: Daiwei Li <daiweili@google.com>
+Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Reviewed-by: Kurt Kanzenbach <kurt@linutronix.de>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 5d8d5915bc27..01138fc93ea1 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -6554,10 +6554,20 @@ static void igb_extts(struct igb_adapter *adapter, int tsintr_tt)
+ 
+ static void igb_tsync_interrupt(struct igb_adapter *adapter)
+ {
++      const u32 mask = (TSINTR_SYS_WRAP | E1000_TSICR_TXTS |
++                        TSINTR_TT0 | TSINTR_TT1 |
++                        TSINTR_AUTT0 | TSINTR_AUTT1);
+       struct e1000_hw *hw = &adapter->hw;
+       u32 tsicr = rd32(E1000_TSICR);
+       struct ptp_clock_event event;
+ 
++      if (hw->mac.type == e1000_82580) {
++              /* 82580 has a hardware bug that requires an explicit
++               * write to clear the TimeSync interrupt cause.
++               */
++              wr32(E1000_TSICR, tsicr & mask);
++      }
++
+       if (tsicr & TSINTR_SYS_WRAP) {
+               event.type = PTP_CLOCK_PPS;
+               if (adapter->ptp_caps.pps)
+-- 
+2.43.0
+

diff --git a/queue-4.19/input-uinput-reject-requests-with-unreasonable-numbe.patch b/queue-4.19/input-uinput-reject-requests-with-unreasonable-numbe.patch
new file mode 100644 (file)
index 0000000..16edf5c
--- /dev/null
+++ b/queue-4.19/input-uinput-reject-requests-with-unreasonable-numbe.patch
@@ -0,0 +1,59 @@
+From ed0a4c60527dbf9bb5ea4975232dffbbc39049cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Aug 2024 17:50:25 -0700
+Subject: Input: uinput - reject requests with unreasonable number of slots
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit 206f533a0a7c683982af473079c4111f4a0f9f5e ]
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+When exercising uinput interface syzkaller may try setting up device
+with a really large number of slots, which causes memory allocation
+failure in input_mt_init_slots(). While this allocation failure is
+handled properly and request is rejected, it results in syzkaller
+reports. Additionally, such request may put undue burden on the
+system which will try to free a lot of memory for a bogus request.
+
+Fix it by limiting allowed number of slots to 100. This can easily
+be extended if we see devices that can track more than 100 contacts.
+
+Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+0122fa359a69694395d5@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=0122fa359a69694395d5
+Link: https://lore.kernel.org/r/Zqgi7NYEbpRsJfa2@google.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/misc/uinput.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
+index e746920872a4..50839c902518 100644
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -429,6 +429,20 @@ static int uinput_validate_absinfo(struct input_dev *dev, unsigned int code,
+               return -EINVAL;
+       }
+ 
++      /*
++       * Limit number of contacts to a reasonable value (100). This
++       * ensures that we need less than 2 pages for struct input_mt
++       * (we are not using in-kernel slot assignment so not going to
++       * allocate memory for the "red" table), and we should have no
++       * trouble getting this much memory.
++       */
++      if (code == ABS_MT_SLOT && max > 99) {
++              printk(KERN_DEBUG
++                     "%s: unreasonably large number of slots requested: %d\n",
++                     UINPUT_NAME, max);
++              return -EINVAL;
++      }
++
+       return 0;
+ }
+ 
+-- 
+2.43.0
+

diff --git a/queue-4.19/iommu-vt-d-handle-volatile-descriptor-status-read.patch b/queue-4.19/iommu-vt-d-handle-volatile-descriptor-status-read.patch
new file mode 100644 (file)
index 0000000..a890d7c
--- /dev/null
+++ b/queue-4.19/iommu-vt-d-handle-volatile-descriptor-status-read.patch
@@ -0,0 +1,56 @@
+From 04b39be3f04c1d792a0122a64a560285b0e83234 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 21:08:33 +0800
+Subject: iommu/vt-d: Handle volatile descriptor status read
+
+From: Jacob Pan <jacob.jun.pan@linux.intel.com>
+
+[ Upstream commit b5e86a95541cea737394a1da967df4cd4d8f7182 ]
+
+Queued invalidation wait descriptor status is volatile in that IOMMU
+hardware writes the data upon completion.
+
+Use READ_ONCE() to prevent compiler optimizations which ensures memory
+reads every time. As a side effect, READ_ONCE() also enforces strict
+types and may add an extra instruction. But it should not have negative
+performance impact since we use cpu_relax anyway and the extra time(by
+adding an instruction) may allow IOMMU HW request cacheline ownership
+easier.
+
+e.g. gcc 12.3
+BEFORE:
+       81 38 ad de 00 00       cmpl   $0x2,(%rax)
+
+AFTER (with READ_ONCE())
+    772f:       8b 00                   mov    (%rax),%eax
+    7731:       3d ad de 00 00          cmp    $0x2,%eax
+                                        //status data is 32 bit
+
+Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Reviewed-by: Yi Liu <yi.l.liu@intel.com>
+Link: https://lore.kernel.org/r/20240607173817.3914600-1-jacob.jun.pan@linux.intel.com
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Link: https://lore.kernel.org/r/20240702130839.108139-2-baolu.lu@linux.intel.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/dmar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c
+index 3ea851583724..865847546f8e 100644
+--- a/drivers/iommu/dmar.c
++++ b/drivers/iommu/dmar.c
+@@ -1292,7 +1292,7 @@ int qi_submit_sync(struct qi_desc *desc, struct intel_iommu *iommu)
+        */
+       writel(qi->free_head << DMAR_IQ_SHIFT, iommu->reg + DMAR_IQT_REG);
+ 
+-      while (qi->desc_status[wait_index] != QI_DONE) {
++      while (READ_ONCE(qi->desc_status[wait_index]) != QI_DONE) {
+               /*
+                * We will leave the interrupts disabled, to prevent interrupt
+                * context to queue another cmd while a cmd is already submitted
+-- 
+2.43.0
+

diff --git a/queue-4.19/irqchip-armada-370-xp-do-not-allow-mapping-irq-0-and.patch b/queue-4.19/irqchip-armada-370-xp-do-not-allow-mapping-irq-0-and.patch
new file mode 100644 (file)
index 0000000..c42c471
--- /dev/null
+++ b/queue-4.19/irqchip-armada-370-xp-do-not-allow-mapping-irq-0-and.patch
@@ -0,0 +1,46 @@
+From 547d0900c62518a1ad32538f30044d192ccef78a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Jun 2024 11:38:28 +0200
+Subject: irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 3cef738208e5c3cb7084e208caf9bbf684f24feb ]
+
+IRQs 0 (IPI) and 1 (MSI) are handled internally by this driver,
+generic_handle_domain_irq() is never called for these IRQs.
+
+Disallow mapping these IRQs.
+
+[ Marek: changed commit message ]
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Marek Behún <kabel@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-armada-370-xp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/irqchip/irq-armada-370-xp.c b/drivers/irqchip/irq-armada-370-xp.c
+index 0fd428db3aa4..73c386aba368 100644
+--- a/drivers/irqchip/irq-armada-370-xp.c
++++ b/drivers/irqchip/irq-armada-370-xp.c
+@@ -346,6 +346,10 @@ static struct irq_chip armada_370_xp_irq_chip = {
+ static int armada_370_xp_mpic_irq_map(struct irq_domain *h,
+                                     unsigned int virq, irq_hw_number_t hw)
+ {
++      /* IRQs 0 and 1 cannot be mapped, they are handled internally */
++      if (hw <= 1)
++              return -EINVAL;
++
+       armada_370_xp_irq_mask(irq_get_irq_data(virq));
+       if (!is_percpu_irq(hw))
+               writel(hw, per_cpu_int_base +
+-- 
+2.43.0
+

diff --git a/queue-4.19/media-qcom-camss-add-check-for-v4l2_fwnode_endpoint_.patch b/queue-4.19/media-qcom-camss-add-check-for-v4l2_fwnode_endpoint_.patch
new file mode 100644 (file)
index 0000000..14a2c40
--- /dev/null
+++ b/queue-4.19/media-qcom-camss-add-check-for-v4l2_fwnode_endpoint_.patch
@@ -0,0 +1,39 @@
+From ac1e3874c82a3176b455cc721b9edef2de5e8526 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Jun 2024 09:35:22 +0800
+Subject: media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse
+
+From: Chen Ni <nichen@iscas.ac.cn>
+
+[ Upstream commit 4caf6d93d9f2c11d6441c64e1c549c445fa322ed ]
+
+Add check for the return value of v4l2_fwnode_endpoint_parse() and
+return the error if it fails in order to catch the error.
+
+Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/qcom/camss/camss.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/qcom/camss/camss.c b/drivers/media/platform/qcom/camss/camss.c
+index 669615fff6a0..0fc7951640e2 100644
+--- a/drivers/media/platform/qcom/camss/camss.c
++++ b/drivers/media/platform/qcom/camss/camss.c
+@@ -431,8 +431,11 @@ static int camss_of_parse_endpoint_node(struct device *dev,
+       struct v4l2_fwnode_bus_mipi_csi2 *mipi_csi2;
+       struct v4l2_fwnode_endpoint vep = { { 0 } };
+       unsigned int i;
++      int ret;
+ 
+-      v4l2_fwnode_endpoint_parse(of_fwnode_handle(node), &vep);
++      ret = v4l2_fwnode_endpoint_parse(of_fwnode_handle(node), &vep);
++      if (ret)
++              return ret;
+ 
+       csd->interface.csiphy_id = vep.base.port;
+ 
+-- 
+2.43.0
+

diff --git a/queue-4.19/net-bridge-add-support-for-sticky-fdb-entries.patch b/queue-4.19/net-bridge-add-support-for-sticky-fdb-entries.patch
new file mode 100644 (file)
index 0000000..2d04ad0
--- /dev/null
+++ b/queue-4.19/net-bridge-add-support-for-sticky-fdb-entries.patch
@@ -0,0 +1,116 @@
+From 9e6fd9468dcfe3a5e21af3c6a4f0895ab1f352c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Sep 2018 09:39:53 +0300
+Subject: net: bridge: add support for sticky fdb entries
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit 435f2e7cc0b783615d7fbcf08f5f00d289f9caeb ]
+
+Add support for entries which are "sticky", i.e. will not change their port
+if they show up from a different one. A new ndm flag is introduced for that
+purpose - NTF_STICKY. We allow to set it only to non-local entries.
+
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: bee2ef946d31 ("net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/neighbour.h |  1 +
+ net/bridge/br_fdb.c            | 19 ++++++++++++++++---
+ net/bridge/br_private.h        |  1 +
+ 3 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/include/uapi/linux/neighbour.h b/include/uapi/linux/neighbour.h
+index 904db6148476..998155444e0d 100644
+--- a/include/uapi/linux/neighbour.h
++++ b/include/uapi/linux/neighbour.h
+@@ -43,6 +43,7 @@ enum {
+ #define NTF_PROXY     0x08    /* == ATF_PUBL */
+ #define NTF_EXT_LEARNED       0x10
+ #define NTF_OFFLOADED   0x20
++#define NTF_STICKY    0x40
+ #define NTF_ROUTER    0x80
+ 
+ /*
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index 4d4b9b5ea1c1..1714f4e91fca 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -584,7 +584,7 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
+                       unsigned long now = jiffies;
+ 
+                       /* fastpath: update of existing entry */
+-                      if (unlikely(source != fdb->dst)) {
++                      if (unlikely(source != fdb->dst && !fdb->is_sticky)) {
+                               fdb->dst = source;
+                               fdb_modified = true;
+                               /* Take over HW learned entry */
+@@ -656,6 +656,8 @@ static int fdb_fill_info(struct sk_buff *skb, const struct net_bridge *br,
+               ndm->ndm_flags |= NTF_OFFLOADED;
+       if (fdb->added_by_external_learn)
+               ndm->ndm_flags |= NTF_EXT_LEARNED;
++      if (fdb->is_sticky)
++              ndm->ndm_flags |= NTF_STICKY;
+ 
+       if (nla_put(skb, NDA_LLADDR, ETH_ALEN, &fdb->key.addr))
+               goto nla_put_failure;
+@@ -772,8 +774,10 @@ int br_fdb_dump(struct sk_buff *skb,
+ 
+ /* Update (create or replace) forwarding database entry */
+ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+-                       const __u8 *addr, __u16 state, __u16 flags, __u16 vid)
++                       const u8 *addr, u16 state, u16 flags, u16 vid,
++                       u8 ndm_flags)
+ {
++      u8 is_sticky = !!(ndm_flags & NTF_STICKY);
+       struct net_bridge_fdb_entry *fdb;
+       bool modified = false;
+ 
+@@ -789,6 +793,9 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+               return -EINVAL;
+       }
+ 
++      if (is_sticky && (state & NUD_PERMANENT))
++              return -EINVAL;
++
+       fdb = br_fdb_find(br, addr, vid);
+       if (fdb == NULL) {
+               if (!(flags & NLM_F_CREATE))
+@@ -832,6 +839,12 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+ 
+               modified = true;
+       }
++
++      if (is_sticky != fdb->is_sticky) {
++              fdb->is_sticky = is_sticky;
++              modified = true;
++      }
++
+       fdb->added_by_user = 1;
+ 
+       fdb->used = jiffies;
+@@ -865,7 +878,7 @@ static int __br_fdb_add(struct ndmsg *ndm, struct net_bridge *br,
+       } else {
+               spin_lock_bh(&br->hash_lock);
+               err = fdb_add_entry(br, p, addr, ndm->ndm_state,
+-                                  nlh_flags, vid);
++                                  nlh_flags, vid, ndm->ndm_flags);
+               spin_unlock_bh(&br->hash_lock);
+       }
+ 
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index 7ca3b469242e..4e0c6f9d9c16 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -181,6 +181,7 @@ struct net_bridge_fdb_entry {
+       struct hlist_node               fdb_node;
+       unsigned char                   is_local:1,
+                                       is_static:1,
++                                      is_sticky:1,
+                                       added_by_user:1,
+                                       added_by_external_learn:1,
+                                       offloaded:1;
+-- 
+2.43.0
+

diff --git a/queue-4.19/net-bridge-br_fdb_external_learn_add-always-set-ext_.patch b/queue-4.19/net-bridge-br_fdb_external_learn_add-always-set-ext_.patch
new file mode 100644 (file)
index 0000000..8c2d6cd
--- /dev/null
+++ b/queue-4.19/net-bridge-br_fdb_external_learn_add-always-set-ext_.patch
@@ -0,0 +1,58 @@
+From c7736c920541cfb90a21bc42e5132084d924b90d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 10:19:57 +0200
+Subject: net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN
+
+From: Jonas Gorski <jonas.gorski@bisdn.de>
+
+[ Upstream commit bee2ef946d3184e99077be526567d791c473036f ]
+
+When userspace wants to take over a fdb entry by setting it as
+EXTERN_LEARNED, we set both flags BR_FDB_ADDED_BY_EXT_LEARN and
+BR_FDB_ADDED_BY_USER in br_fdb_external_learn_add().
+
+If the bridge updates the entry later because its port changed, we clear
+the BR_FDB_ADDED_BY_EXT_LEARN flag, but leave the BR_FDB_ADDED_BY_USER
+flag set.
+
+If userspace then wants to take over the entry again,
+br_fdb_external_learn_add() sees that BR_FDB_ADDED_BY_USER and skips
+setting the BR_FDB_ADDED_BY_EXT_LEARN flags, thus silently ignores the
+update.
+
+Fix this by always allowing to set BR_FDB_ADDED_BY_EXT_LEARN regardless
+if this was a user fdb entry or not.
+
+Fixes: 710ae7287737 ("net: bridge: Mark FDB entries that were added by user as such")
+Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20240903081958.29951-1-jonas.gorski@bisdn.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_fdb.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index d898e3814f91..a6e4901909e3 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -1116,12 +1116,10 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+                       modified = true;
+               }
+ 
+-              if (test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)) {
++              if (test_and_set_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)) {
+                       /* Refresh entry */
+                       fdb->used = jiffies;
+-              } else if (!test_bit(BR_FDB_ADDED_BY_USER, &fdb->flags)) {
+-                      /* Take over SW learned entry */
+-                      set_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags);
++              } else {
+                       modified = true;
+               }
+ 
+-- 
+2.43.0
+

diff --git a/queue-4.19/net-bridge-fdb-convert-added_by_external_learn-to-us.patch b/queue-4.19/net-bridge-fdb-convert-added_by_external_learn-to-us.patch
new file mode 100644 (file)
index 0000000..58ef7cc
--- /dev/null
+++ b/queue-4.19/net-bridge-fdb-convert-added_by_external_learn-to-us.patch
@@ -0,0 +1,128 @@
+From dc1f456da5eb374dc1da7fb85a45ddaa1a8cf58f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2019 13:45:57 +0200
+Subject: net: bridge: fdb: convert added_by_external_learn to use bitops
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit b5cd9f7c42480ede119a390607a9dbe6263f6795 ]
+
+Convert the added_by_external_learn field to a flag and use bitops.
+
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: bee2ef946d31 ("net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_fdb.c     | 19 +++++++++----------
+ net/bridge/br_private.h |  4 ++--
+ 2 files changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index 7ae27569ced9..d898e3814f91 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -81,7 +81,7 @@ static inline int has_expired(const struct net_bridge *br,
+                                 const struct net_bridge_fdb_entry *fdb)
+ {
+       return !test_bit(BR_FDB_STATIC, &fdb->flags) &&
+-             !fdb->added_by_external_learn &&
++             !test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags) &&
+              time_before_eq(fdb->updated + hold_time(br), jiffies);
+ }
+ 
+@@ -357,7 +357,7 @@ void br_fdb_cleanup(struct work_struct *work)
+               unsigned long this_timer;
+ 
+               if (test_bit(BR_FDB_STATIC, &f->flags) ||
+-                  f->added_by_external_learn)
++                  test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &f->flags))
+                       continue;
+               this_timer = f->updated + delay;
+               if (time_after(this_timer, now)) {
+@@ -511,7 +511,6 @@ static struct net_bridge_fdb_entry *fdb_create(struct net_bridge *br,
+                       set_bit(BR_FDB_LOCAL, &fdb->flags);
+               if (is_static)
+                       set_bit(BR_FDB_STATIC, &fdb->flags);
+-              fdb->added_by_external_learn = 0;
+               fdb->offloaded = 0;
+               fdb->updated = fdb->used = jiffies;
+               if (rhashtable_lookup_insert_fast(&br->fdb_hash_tbl,
+@@ -598,8 +597,8 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
+                               fdb->dst = source;
+                               fdb_modified = true;
+                               /* Take over HW learned entry */
+-                              if (unlikely(fdb->added_by_external_learn))
+-                                      fdb->added_by_external_learn = 0;
++                              test_and_clear_bit(BR_FDB_ADDED_BY_EXT_LEARN,
++                                                 &fdb->flags);
+                       }
+                       if (now != fdb->updated)
+                               fdb->updated = now;
+@@ -664,7 +663,7 @@ static int fdb_fill_info(struct sk_buff *skb, const struct net_bridge *br,
+ 
+       if (fdb->offloaded)
+               ndm->ndm_flags |= NTF_OFFLOADED;
+-      if (fdb->added_by_external_learn)
++      if (test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags))
+               ndm->ndm_flags |= NTF_EXT_LEARNED;
+       if (test_bit(BR_FDB_STICKY, &fdb->flags))
+               ndm->ndm_flags |= NTF_STICKY;
+@@ -1107,7 +1106,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+               }
+               if (swdev_notify)
+                       set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags);
+-              fdb->added_by_external_learn = 1;
++              set_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags);
+               fdb_notify(br, fdb, RTM_NEWNEIGH, swdev_notify);
+       } else {
+               fdb->updated = jiffies;
+@@ -1117,12 +1116,12 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+                       modified = true;
+               }
+ 
+-              if (fdb->added_by_external_learn) {
++              if (test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)) {
+                       /* Refresh entry */
+                       fdb->used = jiffies;
+               } else if (!test_bit(BR_FDB_ADDED_BY_USER, &fdb->flags)) {
+                       /* Take over SW learned entry */
+-                      fdb->added_by_external_learn = 1;
++                      set_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags);
+                       modified = true;
+               }
+ 
+@@ -1149,7 +1148,7 @@ int br_fdb_external_learn_del(struct net_bridge *br, struct net_bridge_port *p,
+       spin_lock_bh(&br->hash_lock);
+ 
+       fdb = br_fdb_find(br, addr, vid);
+-      if (fdb && fdb->added_by_external_learn)
++      if (fdb && test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags))
+               fdb_delete(br, fdb, swdev_notify);
+       else
+               err = -ENOENT;
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index 9132f11db683..4ff5e3c96e57 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -174,6 +174,7 @@ enum {
+       BR_FDB_STATIC,
+       BR_FDB_STICKY,
+       BR_FDB_ADDED_BY_USER,
++      BR_FDB_ADDED_BY_EXT_LEARN,
+ };
+ 
+ struct net_bridge_fdb_key {
+@@ -188,8 +189,7 @@ struct net_bridge_fdb_entry {
+       struct net_bridge_fdb_key       key;
+       struct hlist_node               fdb_node;
+       unsigned long                   flags;
+-      unsigned char                   added_by_external_learn:1,
+-                                      offloaded:1;
++      unsigned char                   offloaded:1;
+ 
+       /* write-heavy members should not affect lookups */
+       unsigned long                   updated ____cacheline_aligned_in_smp;
+-- 
+2.43.0
+

diff --git a/queue-4.19/net-bridge-fdb-convert-added_by_user-to-bitops.patch b/queue-4.19/net-bridge-fdb-convert-added_by_user-to-bitops.patch
new file mode 100644 (file)
index 0000000..79d2559
--- /dev/null
+++ b/queue-4.19/net-bridge-fdb-convert-added_by_user-to-bitops.patch
@@ -0,0 +1,188 @@
+From 6645f22ae5692c550b1e2f51cbdd5506bd1681bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2019 13:45:56 +0200
+Subject: net: bridge: fdb: convert added_by_user to bitops
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit ac3ca6af443aa495c7907e5010ac77fbd2450eaa ]
+
+Straight-forward convert of the added_by_user field to bitops.
+
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: bee2ef946d31 ("net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_fdb.c       | 25 ++++++++++++-------------
+ net/bridge/br_private.h   |  4 ++--
+ net/bridge/br_switchdev.c |  6 ++++--
+ 3 files changed, 18 insertions(+), 17 deletions(-)
+
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index 25aeaedce762..7ae27569ced9 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -230,7 +230,7 @@ static void fdb_delete_local(struct net_bridge *br,
+               if (op != p && ether_addr_equal(op->dev->dev_addr, addr) &&
+                   (!vid || br_vlan_find(vg, vid))) {
+                       f->dst = op;
+-                      f->added_by_user = 0;
++                      clear_bit(BR_FDB_ADDED_BY_USER, &f->flags);
+                       return;
+               }
+       }
+@@ -241,7 +241,7 @@ static void fdb_delete_local(struct net_bridge *br,
+       if (p && ether_addr_equal(br->dev->dev_addr, addr) &&
+           (!vid || (v && br_vlan_should_use(v)))) {
+               f->dst = NULL;
+-              f->added_by_user = 0;
++              clear_bit(BR_FDB_ADDED_BY_USER, &f->flags);
+               return;
+       }
+ 
+@@ -257,7 +257,7 @@ void br_fdb_find_delete_local(struct net_bridge *br,
+       spin_lock_bh(&br->hash_lock);
+       f = br_fdb_find(br, addr, vid);
+       if (f && test_bit(BR_FDB_LOCAL, &f->flags) &&
+-          !f->added_by_user && f->dst == p)
++          !test_bit(BR_FDB_ADDED_BY_USER, &f->flags) && f->dst == p)
+               fdb_delete_local(br, p, f);
+       spin_unlock_bh(&br->hash_lock);
+ }
+@@ -273,7 +273,7 @@ void br_fdb_changeaddr(struct net_bridge_port *p, const unsigned char *newaddr)
+       vg = nbp_vlan_group(p);
+       hlist_for_each_entry(f, &br->fdb_list, fdb_node) {
+               if (f->dst == p && test_bit(BR_FDB_LOCAL, &f->flags) &&
+-                  !f->added_by_user) {
++                  !test_bit(BR_FDB_ADDED_BY_USER, &f->flags)) {
+                       /* delete old one */
+                       fdb_delete_local(br, p, f);
+ 
+@@ -315,7 +315,7 @@ void br_fdb_change_mac_address(struct net_bridge *br, const u8 *newaddr)
+       /* If old entry was unassociated with any port, then delete it. */
+       f = br_fdb_find(br, br->dev->dev_addr, 0);
+       if (f && test_bit(BR_FDB_LOCAL, &f->flags) &&
+-          !f->dst && !f->added_by_user)
++          !f->dst && !test_bit(BR_FDB_ADDED_BY_USER, &f->flags))
+               fdb_delete_local(br, NULL, f);
+ 
+       fdb_insert(br, NULL, newaddr, 0);
+@@ -331,7 +331,7 @@ void br_fdb_change_mac_address(struct net_bridge *br, const u8 *newaddr)
+                       continue;
+               f = br_fdb_find(br, br->dev->dev_addr, v->vid);
+               if (f && test_bit(BR_FDB_LOCAL, &f->flags) &&
+-                  !f->dst && !f->added_by_user)
++                  !f->dst && !test_bit(BR_FDB_ADDED_BY_USER, &f->flags))
+                       fdb_delete_local(br, NULL, f);
+               fdb_insert(br, NULL, newaddr, v->vid);
+       }
+@@ -511,7 +511,6 @@ static struct net_bridge_fdb_entry *fdb_create(struct net_bridge *br,
+                       set_bit(BR_FDB_LOCAL, &fdb->flags);
+               if (is_static)
+                       set_bit(BR_FDB_STATIC, &fdb->flags);
+-              fdb->added_by_user = 0;
+               fdb->added_by_external_learn = 0;
+               fdb->offloaded = 0;
+               fdb->updated = fdb->used = jiffies;
+@@ -605,7 +604,7 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
+                       if (now != fdb->updated)
+                               fdb->updated = now;
+                       if (unlikely(added_by_user))
+-                              fdb->added_by_user = 1;
++                              set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags);
+                       if (unlikely(fdb_modified)) {
+                               trace_br_fdb_update(br, source, addr, vid, added_by_user);
+                               fdb_notify(br, fdb, RTM_NEWNEIGH, true);
+@@ -616,7 +615,7 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
+               fdb = fdb_create(br, source, addr, vid, 0, 0);
+               if (fdb) {
+                       if (unlikely(added_by_user))
+-                              fdb->added_by_user = 1;
++                              set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags);
+                       trace_br_fdb_update(br, source, addr, vid,
+                                           added_by_user);
+                       fdb_notify(br, fdb, RTM_NEWNEIGH, true);
+@@ -850,7 +849,7 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+               modified = true;
+       }
+ 
+-      fdb->added_by_user = 1;
++      set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags);
+ 
+       fdb->used = jiffies;
+       if (modified) {
+@@ -1107,7 +1106,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+                       goto err_unlock;
+               }
+               if (swdev_notify)
+-                      fdb->added_by_user = 1;
++                      set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags);
+               fdb->added_by_external_learn = 1;
+               fdb_notify(br, fdb, RTM_NEWNEIGH, swdev_notify);
+       } else {
+@@ -1121,14 +1120,14 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+               if (fdb->added_by_external_learn) {
+                       /* Refresh entry */
+                       fdb->used = jiffies;
+-              } else if (!fdb->added_by_user) {
++              } else if (!test_bit(BR_FDB_ADDED_BY_USER, &fdb->flags)) {
+                       /* Take over SW learned entry */
+                       fdb->added_by_external_learn = 1;
+                       modified = true;
+               }
+ 
+               if (swdev_notify)
+-                      fdb->added_by_user = 1;
++                      set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags);
+ 
+               if (modified)
+                       fdb_notify(br, fdb, RTM_NEWNEIGH, swdev_notify);
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index 131e5be58468..9132f11db683 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -173,6 +173,7 @@ enum {
+       BR_FDB_LOCAL,
+       BR_FDB_STATIC,
+       BR_FDB_STICKY,
++      BR_FDB_ADDED_BY_USER,
+ };
+ 
+ struct net_bridge_fdb_key {
+@@ -187,8 +188,7 @@ struct net_bridge_fdb_entry {
+       struct net_bridge_fdb_key       key;
+       struct hlist_node               fdb_node;
+       unsigned long                   flags;
+-      unsigned char                   added_by_user:1,
+-                                      added_by_external_learn:1,
++      unsigned char                   added_by_external_learn:1,
+                                       offloaded:1;
+ 
+       /* write-heavy members should not affect lookups */
+diff --git a/net/bridge/br_switchdev.c b/net/bridge/br_switchdev.c
+index b993df770675..e8948d49e5fc 100644
+--- a/net/bridge/br_switchdev.c
++++ b/net/bridge/br_switchdev.c
+@@ -127,14 +127,16 @@ br_switchdev_fdb_notify(const struct net_bridge_fdb_entry *fdb, int type)
+               br_switchdev_fdb_call_notifiers(false, fdb->key.addr.addr,
+                                               fdb->key.vlan_id,
+                                               fdb->dst->dev,
+-                                              fdb->added_by_user,
++                                              test_bit(BR_FDB_ADDED_BY_USER,
++                                                       &fdb->flags),
+                                               fdb->offloaded);
+               break;
+       case RTM_NEWNEIGH:
+               br_switchdev_fdb_call_notifiers(true, fdb->key.addr.addr,
+                                               fdb->key.vlan_id,
+                                               fdb->dst->dev,
+-                                              fdb->added_by_user,
++                                              test_bit(BR_FDB_ADDED_BY_USER,
++                                                       &fdb->flags),
+                                               fdb->offloaded);
+               break;
+       }
+-- 
+2.43.0
+

diff --git a/queue-4.19/net-bridge-fdb-convert-is_local-to-bitops.patch b/queue-4.19/net-bridge-fdb-convert-is_local-to-bitops.patch
new file mode 100644 (file)
index 0000000..1ed9109
--- /dev/null
+++ b/queue-4.19/net-bridge-fdb-convert-is_local-to-bitops.patch
@@ -0,0 +1,188 @@
+From 4a11fea46194f2d1ab7a579c7e892262708ac9fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2019 13:45:53 +0200
+Subject: net: bridge: fdb: convert is_local to bitops
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit 6869c3b02b596eba931a754f56875d2e2ac612db ]
+
+The patch adds a new fdb flags field in the hole between the two cache
+lines and uses it to convert is_local to bitops.
+
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: bee2ef946d31 ("net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_fdb.c     | 32 +++++++++++++++++++-------------
+ net/bridge/br_input.c   |  2 +-
+ net/bridge/br_private.h |  9 +++++++--
+ 3 files changed, 27 insertions(+), 16 deletions(-)
+
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index a659e7c4ee43..f01ccf6ca4f4 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -255,7 +255,8 @@ void br_fdb_find_delete_local(struct net_bridge *br,
+ 
+       spin_lock_bh(&br->hash_lock);
+       f = br_fdb_find(br, addr, vid);
+-      if (f && f->is_local && !f->added_by_user && f->dst == p)
++      if (f && test_bit(BR_FDB_LOCAL, &f->flags) &&
++          !f->added_by_user && f->dst == p)
+               fdb_delete_local(br, p, f);
+       spin_unlock_bh(&br->hash_lock);
+ }
+@@ -270,7 +271,8 @@ void br_fdb_changeaddr(struct net_bridge_port *p, const unsigned char *newaddr)
+       spin_lock_bh(&br->hash_lock);
+       vg = nbp_vlan_group(p);
+       hlist_for_each_entry(f, &br->fdb_list, fdb_node) {
+-              if (f->dst == p && f->is_local && !f->added_by_user) {
++              if (f->dst == p && test_bit(BR_FDB_LOCAL, &f->flags) &&
++                  !f->added_by_user) {
+                       /* delete old one */
+                       fdb_delete_local(br, p, f);
+ 
+@@ -311,7 +313,8 @@ void br_fdb_change_mac_address(struct net_bridge *br, const u8 *newaddr)
+ 
+       /* If old entry was unassociated with any port, then delete it. */
+       f = br_fdb_find(br, br->dev->dev_addr, 0);
+-      if (f && f->is_local && !f->dst && !f->added_by_user)
++      if (f && test_bit(BR_FDB_LOCAL, &f->flags) &&
++          !f->dst && !f->added_by_user)
+               fdb_delete_local(br, NULL, f);
+ 
+       fdb_insert(br, NULL, newaddr, 0);
+@@ -326,7 +329,8 @@ void br_fdb_change_mac_address(struct net_bridge *br, const u8 *newaddr)
+               if (!br_vlan_should_use(v))
+                       continue;
+               f = br_fdb_find(br, br->dev->dev_addr, v->vid);
+-              if (f && f->is_local && !f->dst && !f->added_by_user)
++              if (f && test_bit(BR_FDB_LOCAL, &f->flags) &&
++                  !f->dst && !f->added_by_user)
+                       fdb_delete_local(br, NULL, f);
+               fdb_insert(br, NULL, newaddr, v->vid);
+       }
+@@ -405,7 +409,7 @@ void br_fdb_delete_by_port(struct net_bridge *br,
+                       if (f->is_static || (vid && f->key.vlan_id != vid))
+                               continue;
+ 
+-              if (f->is_local)
++              if (test_bit(BR_FDB_LOCAL, &f->flags))
+                       fdb_delete_local(br, p, f);
+               else
+                       fdb_delete(br, f, true);
+@@ -474,7 +478,7 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf,
+               fe->port_no = f->dst->port_no;
+               fe->port_hi = f->dst->port_no >> 8;
+ 
+-              fe->is_local = f->is_local;
++              fe->is_local = test_bit(BR_FDB_LOCAL, &f->flags);
+               if (!f->is_static)
+                       fe->ageing_timer_value = jiffies_delta_to_clock_t(jiffies - f->updated);
+               ++fe;
+@@ -499,7 +503,9 @@ static struct net_bridge_fdb_entry *fdb_create(struct net_bridge *br,
+               memcpy(fdb->key.addr.addr, addr, ETH_ALEN);
+               fdb->dst = source;
+               fdb->key.vlan_id = vid;
+-              fdb->is_local = is_local;
++              fdb->flags = 0;
++              if (is_local)
++                      set_bit(BR_FDB_LOCAL, &fdb->flags);
+               fdb->is_static = is_static;
+               fdb->added_by_user = 0;
+               fdb->added_by_external_learn = 0;
+@@ -530,7 +536,7 @@ static int fdb_insert(struct net_bridge *br, struct net_bridge_port *source,
+               /* it is okay to have multiple ports with same
+                * address, just use the first one.
+                */
+-              if (fdb->is_local)
++              if (test_bit(BR_FDB_LOCAL, &fdb->flags))
+                       return 0;
+               br_warn(br, "adding interface %s with same address as a received packet (addr:%pM, vlan:%u)\n",
+                      source ? source->dev->name : br->dev->name, addr, vid);
+@@ -576,7 +582,7 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
+       fdb = fdb_find_rcu(&br->fdb_hash_tbl, addr, vid);
+       if (likely(fdb)) {
+               /* attempt to update an entry for a local interface */
+-              if (unlikely(fdb->is_local)) {
++              if (unlikely(test_bit(BR_FDB_LOCAL, &fdb->flags))) {
+                       if (net_ratelimit())
+                               br_warn(br, "received packet on %s with own address as source address (addr:%pM, vlan:%u)\n",
+                                       source->dev->name, addr, vid);
+@@ -620,7 +626,7 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
+ static int fdb_to_nud(const struct net_bridge *br,
+                     const struct net_bridge_fdb_entry *fdb)
+ {
+-      if (fdb->is_local)
++      if (test_bit(BR_FDB_LOCAL, &fdb->flags))
+               return NUD_PERMANENT;
+       else if (fdb->is_static)
+               return NUD_NOARP;
+@@ -818,19 +824,19 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+ 
+       if (fdb_to_nud(br, fdb) != state) {
+               if (state & NUD_PERMANENT) {
+-                      fdb->is_local = 1;
++                      set_bit(BR_FDB_LOCAL, &fdb->flags);
+                       if (!fdb->is_static) {
+                               fdb->is_static = 1;
+                               fdb_add_hw_addr(br, addr);
+                       }
+               } else if (state & NUD_NOARP) {
+-                      fdb->is_local = 0;
++                      clear_bit(BR_FDB_LOCAL, &fdb->flags);
+                       if (!fdb->is_static) {
+                               fdb->is_static = 1;
+                               fdb_add_hw_addr(br, addr);
+                       }
+               } else {
+-                      fdb->is_local = 0;
++                      clear_bit(BR_FDB_LOCAL, &fdb->flags);
+                       if (fdb->is_static) {
+                               fdb->is_static = 0;
+                               fdb_del_hw_addr(br, addr);
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+index f3938337ff87..e126ba0bd486 100644
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -163,7 +163,7 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
+       if (dst) {
+               unsigned long now = jiffies;
+ 
+-              if (dst->is_local)
++              if (test_bit(BR_FDB_LOCAL, &dst->flags))
+                       return br_pass_frame_up(skb);
+ 
+               if (now != dst->used)
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index f5e258ca3043..6a38ea247a9e 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -168,6 +168,11 @@ struct net_bridge_vlan_group {
+       u16                             pvid;
+ };
+ 
++/* bridge fdb flags */
++enum {
++      BR_FDB_LOCAL,
++};
++
+ struct net_bridge_fdb_key {
+       mac_addr addr;
+       u16 vlan_id;
+@@ -179,8 +184,8 @@ struct net_bridge_fdb_entry {
+ 
+       struct net_bridge_fdb_key       key;
+       struct hlist_node               fdb_node;
+-      unsigned char                   is_local:1,
+-                                      is_static:1,
++      unsigned long                   flags;
++      unsigned char                   is_static:1,
+                                       is_sticky:1,
+                                       added_by_user:1,
+                                       added_by_external_learn:1,
+-- 
+2.43.0
+

diff --git a/queue-4.19/net-bridge-fdb-convert-is_static-to-bitops.patch b/queue-4.19/net-bridge-fdb-convert-is_static-to-bitops.patch
new file mode 100644 (file)
index 0000000..418a2c4
--- /dev/null
+++ b/queue-4.19/net-bridge-fdb-convert-is_static-to-bitops.patch
@@ -0,0 +1,181 @@
+From d5ff0a245bce53431e5a7b4214a7961f90e225a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2019 13:45:54 +0200
+Subject: net: bridge: fdb: convert is_static to bitops
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit 29e63fffd666f1945756882d4b02bc7bec132101 ]
+
+Convert the is_static to bitops, make use of the combined
+test_and_set/clear_bit to simplify expressions in fdb_add_entry.
+
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: bee2ef946d31 ("net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_fdb.c     | 40 +++++++++++++++++++---------------------
+ net/bridge/br_private.h |  4 ++--
+ 2 files changed, 21 insertions(+), 23 deletions(-)
+
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index f01ccf6ca4f4..2639cc744bca 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -80,8 +80,9 @@ static inline unsigned long hold_time(const struct net_bridge *br)
+ static inline int has_expired(const struct net_bridge *br,
+                                 const struct net_bridge_fdb_entry *fdb)
+ {
+-      return !fdb->is_static && !fdb->added_by_external_learn &&
+-              time_before_eq(fdb->updated + hold_time(br), jiffies);
++      return !test_bit(BR_FDB_STATIC, &fdb->flags) &&
++             !fdb->added_by_external_learn &&
++             time_before_eq(fdb->updated + hold_time(br), jiffies);
+ }
+ 
+ static void fdb_rcu_free(struct rcu_head *head)
+@@ -202,7 +203,7 @@ static void fdb_delete(struct net_bridge *br, struct net_bridge_fdb_entry *f,
+ {
+       trace_fdb_delete(br, f);
+ 
+-      if (f->is_static)
++      if (test_bit(BR_FDB_STATIC, &f->flags))
+               fdb_del_hw_addr(br, f->key.addr.addr);
+ 
+       hlist_del_init_rcu(&f->fdb_node);
+@@ -355,7 +356,8 @@ void br_fdb_cleanup(struct work_struct *work)
+       hlist_for_each_entry_rcu(f, &br->fdb_list, fdb_node) {
+               unsigned long this_timer;
+ 
+-              if (f->is_static || f->added_by_external_learn)
++              if (test_bit(BR_FDB_STATIC, &f->flags) ||
++                  f->added_by_external_learn)
+                       continue;
+               this_timer = f->updated + delay;
+               if (time_after(this_timer, now)) {
+@@ -382,7 +384,7 @@ void br_fdb_flush(struct net_bridge *br)
+ 
+       spin_lock_bh(&br->hash_lock);
+       hlist_for_each_entry_safe(f, tmp, &br->fdb_list, fdb_node) {
+-              if (!f->is_static)
++              if (!test_bit(BR_FDB_STATIC, &f->flags))
+                       fdb_delete(br, f, true);
+       }
+       spin_unlock_bh(&br->hash_lock);
+@@ -406,7 +408,8 @@ void br_fdb_delete_by_port(struct net_bridge *br,
+                       continue;
+ 
+               if (!do_all)
+-                      if (f->is_static || (vid && f->key.vlan_id != vid))
++                      if (test_bit(BR_FDB_STATIC, &f->flags) ||
++                          (vid && f->key.vlan_id != vid))
+                               continue;
+ 
+               if (test_bit(BR_FDB_LOCAL, &f->flags))
+@@ -479,7 +482,7 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf,
+               fe->port_hi = f->dst->port_no >> 8;
+ 
+               fe->is_local = test_bit(BR_FDB_LOCAL, &f->flags);
+-              if (!f->is_static)
++              if (!test_bit(BR_FDB_STATIC, &f->flags))
+                       fe->ageing_timer_value = jiffies_delta_to_clock_t(jiffies - f->updated);
+               ++fe;
+               ++num;
+@@ -506,7 +509,8 @@ static struct net_bridge_fdb_entry *fdb_create(struct net_bridge *br,
+               fdb->flags = 0;
+               if (is_local)
+                       set_bit(BR_FDB_LOCAL, &fdb->flags);
+-              fdb->is_static = is_static;
++              if (is_static)
++                      set_bit(BR_FDB_STATIC, &fdb->flags);
+               fdb->added_by_user = 0;
+               fdb->added_by_external_learn = 0;
+               fdb->offloaded = 0;
+@@ -628,7 +632,7 @@ static int fdb_to_nud(const struct net_bridge *br,
+ {
+       if (test_bit(BR_FDB_LOCAL, &fdb->flags))
+               return NUD_PERMANENT;
+-      else if (fdb->is_static)
++      else if (test_bit(BR_FDB_STATIC, &fdb->flags))
+               return NUD_NOARP;
+       else if (has_expired(br, fdb))
+               return NUD_STALE;
+@@ -825,22 +829,16 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+       if (fdb_to_nud(br, fdb) != state) {
+               if (state & NUD_PERMANENT) {
+                       set_bit(BR_FDB_LOCAL, &fdb->flags);
+-                      if (!fdb->is_static) {
+-                              fdb->is_static = 1;
++                      if (!test_and_set_bit(BR_FDB_STATIC, &fdb->flags))
+                               fdb_add_hw_addr(br, addr);
+-                      }
+               } else if (state & NUD_NOARP) {
+                       clear_bit(BR_FDB_LOCAL, &fdb->flags);
+-                      if (!fdb->is_static) {
+-                              fdb->is_static = 1;
++                      if (!test_and_set_bit(BR_FDB_STATIC, &fdb->flags))
+                               fdb_add_hw_addr(br, addr);
+-                      }
+               } else {
+                       clear_bit(BR_FDB_LOCAL, &fdb->flags);
+-                      if (fdb->is_static) {
+-                              fdb->is_static = 0;
++                      if (test_and_clear_bit(BR_FDB_STATIC, &fdb->flags))
+                               fdb_del_hw_addr(br, addr);
+-                      }
+               }
+ 
+               modified = true;
+@@ -1047,7 +1045,7 @@ int br_fdb_sync_static(struct net_bridge *br, struct net_bridge_port *p)
+       rcu_read_lock();
+       hlist_for_each_entry_rcu(f, &br->fdb_list, fdb_node) {
+               /* We only care for static entries */
+-              if (!f->is_static)
++              if (!test_bit(BR_FDB_STATIC, &f->flags))
+                       continue;
+               err = dev_uc_add(p->dev, f->key.addr.addr);
+               if (err)
+@@ -1061,7 +1059,7 @@ int br_fdb_sync_static(struct net_bridge *br, struct net_bridge_port *p)
+ rollback:
+       hlist_for_each_entry_rcu(tmp, &br->fdb_list, fdb_node) {
+               /* We only care for static entries */
+-              if (!tmp->is_static)
++              if (!test_bit(BR_FDB_STATIC, &tmp->flags))
+                       continue;
+               if (tmp == f)
+                       break;
+@@ -1080,7 +1078,7 @@ void br_fdb_unsync_static(struct net_bridge *br, struct net_bridge_port *p)
+       rcu_read_lock();
+       hlist_for_each_entry_rcu(f, &br->fdb_list, fdb_node) {
+               /* We only care for static entries */
+-              if (!f->is_static)
++              if (!test_bit(BR_FDB_STATIC, &f->flags))
+                       continue;
+ 
+               dev_uc_del(p->dev, f->key.addr.addr);
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index 6a38ea247a9e..c3160d73e6ed 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -171,6 +171,7 @@ struct net_bridge_vlan_group {
+ /* bridge fdb flags */
+ enum {
+       BR_FDB_LOCAL,
++      BR_FDB_STATIC,
+ };
+ 
+ struct net_bridge_fdb_key {
+@@ -185,8 +186,7 @@ struct net_bridge_fdb_entry {
+       struct net_bridge_fdb_key       key;
+       struct hlist_node               fdb_node;
+       unsigned long                   flags;
+-      unsigned char                   is_static:1,
+-                                      is_sticky:1,
++      unsigned char                   is_sticky:1,
+                                       added_by_user:1,
+                                       added_by_external_learn:1,
+                                       offloaded:1;
+-- 
+2.43.0
+

diff --git a/queue-4.19/net-bridge-fdb-convert-is_sticky-to-bitops.patch b/queue-4.19/net-bridge-fdb-convert-is_sticky-to-bitops.patch
new file mode 100644 (file)
index 0000000..0f823e4
--- /dev/null
+++ b/queue-4.19/net-bridge-fdb-convert-is_sticky-to-bitops.patch
@@ -0,0 +1,88 @@
+From fa3c4f543d01a62e2eae4b7d147b40ecf5fdd496 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2019 13:45:55 +0200
+Subject: net: bridge: fdb: convert is_sticky to bitops
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit e0458d9a733ba71a2821d0c3fc0745baac697db0 ]
+
+Straight-forward convert of the is_sticky field to bitops.
+
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: bee2ef946d31 ("net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_fdb.c     | 11 ++++++-----
+ net/bridge/br_private.h |  4 ++--
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index 2639cc744bca..25aeaedce762 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -594,7 +594,8 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
+                       unsigned long now = jiffies;
+ 
+                       /* fastpath: update of existing entry */
+-                      if (unlikely(source != fdb->dst && !fdb->is_sticky)) {
++                      if (unlikely(source != fdb->dst &&
++                                   !test_bit(BR_FDB_STICKY, &fdb->flags))) {
+                               fdb->dst = source;
+                               fdb_modified = true;
+                               /* Take over HW learned entry */
+@@ -666,7 +667,7 @@ static int fdb_fill_info(struct sk_buff *skb, const struct net_bridge *br,
+               ndm->ndm_flags |= NTF_OFFLOADED;
+       if (fdb->added_by_external_learn)
+               ndm->ndm_flags |= NTF_EXT_LEARNED;
+-      if (fdb->is_sticky)
++      if (test_bit(BR_FDB_STICKY, &fdb->flags))
+               ndm->ndm_flags |= NTF_STICKY;
+ 
+       if (nla_put(skb, NDA_LLADDR, ETH_ALEN, &fdb->key.addr))
+@@ -787,7 +788,7 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+                        const u8 *addr, u16 state, u16 flags, u16 vid,
+                        u8 ndm_flags)
+ {
+-      u8 is_sticky = !!(ndm_flags & NTF_STICKY);
++      bool is_sticky = !!(ndm_flags & NTF_STICKY);
+       struct net_bridge_fdb_entry *fdb;
+       bool modified = false;
+ 
+@@ -844,8 +845,8 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+               modified = true;
+       }
+ 
+-      if (is_sticky != fdb->is_sticky) {
+-              fdb->is_sticky = is_sticky;
++      if (is_sticky != test_bit(BR_FDB_STICKY, &fdb->flags)) {
++              change_bit(BR_FDB_STICKY, &fdb->flags);
+               modified = true;
+       }
+ 
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index c3160d73e6ed..131e5be58468 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -172,6 +172,7 @@ struct net_bridge_vlan_group {
+ enum {
+       BR_FDB_LOCAL,
+       BR_FDB_STATIC,
++      BR_FDB_STICKY,
+ };
+ 
+ struct net_bridge_fdb_key {
+@@ -186,8 +187,7 @@ struct net_bridge_fdb_entry {
+       struct net_bridge_fdb_key       key;
+       struct hlist_node               fdb_node;
+       unsigned long                   flags;
+-      unsigned char                   is_sticky:1,
+-                                      added_by_user:1,
++      unsigned char                   added_by_user:1,
+                                       added_by_external_learn:1,
+                                       offloaded:1;
+ 
+-- 
+2.43.0
+

diff --git a/queue-4.19/net-dsa-vsc73xx-fix-possible-subblocks-range-of-capt.patch b/queue-4.19/net-dsa-vsc73xx-fix-possible-subblocks-range-of-capt.patch
new file mode 100644 (file)
index 0000000..dc21b7b
--- /dev/null
+++ b/queue-4.19/net-dsa-vsc73xx-fix-possible-subblocks-range-of-capt.patch
@@ -0,0 +1,62 @@
+From f98e716168ad5cbd0b5e73369112406fdfa15037 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 22:33:41 +0200
+Subject: net: dsa: vsc73xx: fix possible subblocks range of CAPT block
+
+From: Pawel Dembicki <paweldembicki@gmail.com>
+
+[ Upstream commit 8e69c96df771ab469cec278edb47009351de4da6 ]
+
+CAPT block (CPU Capture Buffer) have 7 sublocks: 0-3, 4, 6, 7.
+Function 'vsc73xx_is_addr_valid' allows to use only block 0 at this
+moment.
+
+This patch fix it.
+
+Fixes: 05bd97fc559d ("net: dsa: Add Vitesse VSC73xx DSA router driver")
+Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20240903203340.1518789-1-paweldembicki@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/vitesse-vsc73xx.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/vitesse-vsc73xx.c b/drivers/net/dsa/vitesse-vsc73xx.c
+index eaafb1c30c91..c91f989165ad 100644
+--- a/drivers/net/dsa/vitesse-vsc73xx.c
++++ b/drivers/net/dsa/vitesse-vsc73xx.c
+@@ -38,7 +38,7 @@
+ #define VSC73XX_BLOCK_ANALYZER        0x2 /* Only subblock 0 */
+ #define VSC73XX_BLOCK_MII     0x3 /* Subblocks 0 and 1 */
+ #define VSC73XX_BLOCK_MEMINIT 0x3 /* Only subblock 2 */
+-#define VSC73XX_BLOCK_CAPTURE 0x4 /* Only subblock 2 */
++#define VSC73XX_BLOCK_CAPTURE 0x4 /* Subblocks 0-4, 6, 7 */
+ #define VSC73XX_BLOCK_ARBITER 0x5 /* Only subblock 0 */
+ #define VSC73XX_BLOCK_SYSTEM  0x7 /* Only subblock 0 */
+ 
+@@ -385,13 +385,19 @@ static int vsc73xx_is_addr_valid(u8 block, u8 subblock)
+               break;
+ 
+       case VSC73XX_BLOCK_MII:
+-      case VSC73XX_BLOCK_CAPTURE:
+       case VSC73XX_BLOCK_ARBITER:
+               switch (subblock) {
+               case 0 ... 1:
+                       return 1;
+               }
+               break;
++      case VSC73XX_BLOCK_CAPTURE:
++              switch (subblock) {
++              case 0 ... 4:
++              case 6 ... 7:
++                      return 1;
++              }
++              break;
+       }
+ 
+       return 0;
+-- 
+2.43.0
+

diff --git a/queue-4.19/net-usb-don-t-write-directly-to-netdev-dev_addr.patch b/queue-4.19/net-usb-don-t-write-directly-to-netdev-dev_addr.patch
new file mode 100644 (file)
index 0000000..aff54de
--- /dev/null
+++ b/queue-4.19/net-usb-don-t-write-directly-to-netdev-dev_addr.patch
@@ -0,0 +1,236 @@
+From be4250bcf98b5355c0c81c7ad4f546ea2abdad7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Oct 2021 06:12:06 -0700
+Subject: net: usb: don't write directly to netdev->dev_addr
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 2674e7ea22ba0e22a2d1603bd51e0b8f6442a267 ]
+
+Commit 406f42fa0d3c ("net-next: When a bond have a massive amount
+of VLANs...") introduced a rbtree for faster Ethernet address look
+up. To maintain netdev->dev_addr in this tree we need to make all
+the writes to it got through appropriate helpers.
+
+Manually fix all net/usb drivers without separate maintainers.
+
+v2: catc does DMA to the buffer, leave the conversion to Oliver
+
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: bab8eb0dd4cb ("usbnet: modern method to get random MAC")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/ch9200.c      | 4 +++-
+ drivers/net/usb/cx82310_eth.c | 5 +++--
+ drivers/net/usb/kaweth.c      | 3 +--
+ drivers/net/usb/mcs7830.c     | 4 +++-
+ drivers/net/usb/sierra_net.c  | 6 ++++--
+ drivers/net/usb/sr9700.c      | 4 +++-
+ drivers/net/usb/sr9800.c      | 5 +++--
+ drivers/net/usb/usbnet.c      | 6 ++++--
+ 8 files changed, 24 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/usb/ch9200.c b/drivers/net/usb/ch9200.c
+index 9df3c1ffff35..6ed8da85b081 100644
+--- a/drivers/net/usb/ch9200.c
++++ b/drivers/net/usb/ch9200.c
+@@ -338,6 +338,7 @@ static int ch9200_bind(struct usbnet *dev, struct usb_interface *intf)
+ {
+       int retval = 0;
+       unsigned char data[2];
++      u8 addr[ETH_ALEN];
+ 
+       retval = usbnet_get_endpoints(dev, intf);
+       if (retval)
+@@ -385,7 +386,8 @@ static int ch9200_bind(struct usbnet *dev, struct usb_interface *intf)
+       retval = control_write(dev, REQUEST_WRITE, 0, MAC_REG_CTRL, data, 0x02,
+                              CONTROL_TIMEOUT_MS);
+ 
+-      retval = get_mac_address(dev, dev->net->dev_addr);
++      retval = get_mac_address(dev, addr);
++      eth_hw_addr_set(dev->net, addr);
+ 
+       return retval;
+ }
+diff --git a/drivers/net/usb/cx82310_eth.c b/drivers/net/usb/cx82310_eth.c
+index 6a9a5e540b09..2efa33eb1f73 100644
+--- a/drivers/net/usb/cx82310_eth.c
++++ b/drivers/net/usb/cx82310_eth.c
+@@ -161,6 +161,7 @@ static int cx82310_bind(struct usbnet *dev, struct usb_interface *intf)
+       u8 link[3];
+       int timeout = 50;
+       struct cx82310_priv *priv;
++      u8 addr[ETH_ALEN];
+ 
+       /* avoid ADSL modems - continue only if iProduct is "USB NET CARD" */
+       if (usb_string(udev, udev->descriptor.iProduct, buf, sizeof(buf)) > 0
+@@ -216,12 +217,12 @@ static int cx82310_bind(struct usbnet *dev, struct usb_interface *intf)
+               goto err;
+ 
+       /* get the MAC address */
+-      ret = cx82310_cmd(dev, CMD_GET_MAC_ADDR, true, NULL, 0,
+-                        dev->net->dev_addr, ETH_ALEN);
++      ret = cx82310_cmd(dev, CMD_GET_MAC_ADDR, true, NULL, 0, addr, ETH_ALEN);
+       if (ret) {
+               dev_err(&udev->dev, "unable to read MAC address: %d\n", ret);
+               goto err;
+       }
++      eth_hw_addr_set(dev->net, addr);
+ 
+       /* start (does not seem to have any effect?) */
+       ret = cx82310_cmd(dev, CMD_START, false, NULL, 0, NULL, 0);
+diff --git a/drivers/net/usb/kaweth.c b/drivers/net/usb/kaweth.c
+index 913e50bab0a2..b05154fad3ce 100644
+--- a/drivers/net/usb/kaweth.c
++++ b/drivers/net/usb/kaweth.c
+@@ -1139,8 +1139,7 @@ static int kaweth_probe(
+               goto err_all_but_rxbuf;
+ 
+       memcpy(netdev->broadcast, &bcast_addr, sizeof(bcast_addr));
+-      memcpy(netdev->dev_addr, &kaweth->configuration.hw_addr,
+-               sizeof(kaweth->configuration.hw_addr));
++      eth_hw_addr_set(netdev, (u8 *)&kaweth->configuration.hw_addr);
+ 
+       netdev->netdev_ops = &kaweth_netdev_ops;
+       netdev->watchdog_timeo = KAWETH_TX_TIMEOUT;
+diff --git a/drivers/net/usb/mcs7830.c b/drivers/net/usb/mcs7830.c
+index c0f52a622964..c304ce4abaa4 100644
+--- a/drivers/net/usb/mcs7830.c
++++ b/drivers/net/usb/mcs7830.c
+@@ -493,17 +493,19 @@ static const struct net_device_ops mcs7830_netdev_ops = {
+ static int mcs7830_bind(struct usbnet *dev, struct usb_interface *udev)
+ {
+       struct net_device *net = dev->net;
++      u8 addr[ETH_ALEN];
+       int ret;
+       int retry;
+ 
+       /* Initial startup: Gather MAC address setting from EEPROM */
+       ret = -EINVAL;
+       for (retry = 0; retry < 5 && ret; retry++)
+-              ret = mcs7830_hif_get_mac_address(dev, net->dev_addr);
++              ret = mcs7830_hif_get_mac_address(dev, addr);
+       if (ret) {
+               dev_warn(&dev->udev->dev, "Cannot read MAC address\n");
+               goto out;
+       }
++      eth_hw_addr_set(net, addr);
+ 
+       mcs7830_data_set_multicast(net);
+ 
+diff --git a/drivers/net/usb/sierra_net.c b/drivers/net/usb/sierra_net.c
+index c43087e06696..4226ad0f11f3 100644
+--- a/drivers/net/usb/sierra_net.c
++++ b/drivers/net/usb/sierra_net.c
+@@ -686,6 +686,7 @@ static int sierra_net_bind(struct usbnet *dev, struct usb_interface *intf)
+               0x00, 0x00, SIERRA_NET_HIP_MSYNC_ID, 0x00};
+       static const u8 shdwn_tmplate[sizeof(priv->shdwn_msg)] = {
+               0x00, 0x00, SIERRA_NET_HIP_SHUTD_ID, 0x00};
++      u8 mod[2];
+ 
+       dev_dbg(&dev->udev->dev, "%s", __func__);
+ 
+@@ -715,8 +716,9 @@ static int sierra_net_bind(struct usbnet *dev, struct usb_interface *intf)
+       dev->net->netdev_ops = &sierra_net_device_ops;
+ 
+       /* change MAC addr to include, ifacenum, and to be unique */
+-      dev->net->dev_addr[ETH_ALEN-2] = atomic_inc_return(&iface_counter);
+-      dev->net->dev_addr[ETH_ALEN-1] = ifacenum;
++      mod[0] = atomic_inc_return(&iface_counter);
++      mod[1] = ifacenum;
++      dev_addr_mod(dev->net, ETH_ALEN - 2, mod, 2);
+ 
+       /* prepare shutdown message template */
+       memcpy(priv->shdwn_msg, shdwn_tmplate, sizeof(priv->shdwn_msg));
+diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c
+index 1f11c56ccd5c..1f4b2fabb5e6 100644
+--- a/drivers/net/usb/sr9700.c
++++ b/drivers/net/usb/sr9700.c
+@@ -326,6 +326,7 @@ static int sr9700_bind(struct usbnet *dev, struct usb_interface *intf)
+ {
+       struct net_device *netdev;
+       struct mii_if_info *mii;
++      u8 addr[ETH_ALEN];
+       int ret;
+ 
+       ret = usbnet_get_endpoints(dev, intf);
+@@ -356,11 +357,12 @@ static int sr9700_bind(struct usbnet *dev, struct usb_interface *intf)
+        * EEPROM automatically to PAR. In case there is no EEPROM externally,
+        * a default MAC address is stored in PAR for making chip work properly.
+        */
+-      if (sr_read(dev, SR_PAR, ETH_ALEN, netdev->dev_addr) < 0) {
++      if (sr_read(dev, SR_PAR, ETH_ALEN, addr) < 0) {
+               netdev_err(netdev, "Error reading MAC address\n");
+               ret = -ENODEV;
+               goto out;
+       }
++      eth_hw_addr_set(netdev, addr);
+ 
+       /* power up and reset phy */
+       sr_write_reg(dev, SR_PRR, PRR_PHY_RST);
+diff --git a/drivers/net/usb/sr9800.c b/drivers/net/usb/sr9800.c
+index a5ff7df10505..485a50d9f281 100644
+--- a/drivers/net/usb/sr9800.c
++++ b/drivers/net/usb/sr9800.c
+@@ -732,6 +732,7 @@ static int sr9800_bind(struct usbnet *dev, struct usb_interface *intf)
+       struct sr_data *data = (struct sr_data *)&dev->data;
+       u16 led01_mux, led23_mux;
+       int ret, embd_phy;
++      u8 addr[ETH_ALEN];
+       u32 phyid;
+       u16 rx_ctl;
+ 
+@@ -757,12 +758,12 @@ static int sr9800_bind(struct usbnet *dev, struct usb_interface *intf)
+       }
+ 
+       /* Get the MAC address */
+-      ret = sr_read_cmd(dev, SR_CMD_READ_NODE_ID, 0, 0, ETH_ALEN,
+-                        dev->net->dev_addr);
++      ret = sr_read_cmd(dev, SR_CMD_READ_NODE_ID, 0, 0, ETH_ALEN, addr);
+       if (ret < 0) {
+               netdev_dbg(dev->net, "Failed to read MAC address: %d\n", ret);
+               return ret;
+       }
++      eth_hw_addr_set(dev->net, addr);
+       netdev_dbg(dev->net, "mac addr : %pM\n", dev->net->dev_addr);
+ 
+       /* Initialize MII structure */
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index 8065af844410..16225654d88c 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -163,12 +163,13 @@ EXPORT_SYMBOL_GPL(usbnet_get_endpoints);
+ 
+ int usbnet_get_ethernet_addr(struct usbnet *dev, int iMACAddress)
+ {
++      u8              addr[ETH_ALEN];
+       int             tmp = -1, ret;
+       unsigned char   buf [13];
+ 
+       ret = usb_string(dev->udev, iMACAddress, buf, sizeof buf);
+       if (ret == 12)
+-              tmp = hex2bin(dev->net->dev_addr, buf, 6);
++              tmp = hex2bin(addr, buf, 6);
+       if (tmp < 0) {
+               dev_dbg(&dev->udev->dev,
+                       "bad MAC string %d fetch, %d\n", iMACAddress, tmp);
+@@ -176,6 +177,7 @@ int usbnet_get_ethernet_addr(struct usbnet *dev, int iMACAddress)
+                       ret = -EINVAL;
+               return ret;
+       }
++      eth_hw_addr_set(dev->net, addr);
+       return 0;
+ }
+ EXPORT_SYMBOL_GPL(usbnet_get_ethernet_addr);
+@@ -1723,7 +1725,7 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod)
+ 
+       dev->net = net;
+       strscpy(net->name, "usb%d", sizeof(net->name));
+-      memcpy (net->dev_addr, node_id, sizeof node_id);
++      eth_hw_addr_set(net, node_id);
+ 
+       /* rx and tx sides can use different message sizes;
+        * bind() should set rx_urb_size in that case.
+-- 
+2.43.0
+

diff --git a/queue-4.19/netfilter-nf_conncount-fix-wrong-variable-type.patch b/queue-4.19/netfilter-nf_conncount-fix-wrong-variable-type.patch
new file mode 100644 (file)
index 0000000..64f8f67
--- /dev/null
+++ b/queue-4.19/netfilter-nf_conncount-fix-wrong-variable-type.patch
@@ -0,0 +1,70 @@
+From 3b3c970a589416fd2a8020c46f97521c30b4f760 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 May 2024 11:48:47 +0800
+Subject: netfilter: nf_conncount: fix wrong variable type
+
+From: Yunjian Wang <wangyunjian@huawei.com>
+
+[ Upstream commit 0b88d1654d556264bcd24a9cb6383f0888e30131 ]
+
+Now there is a issue is that code checks reports a warning: implicit
+narrowing conversion from type 'unsigned int' to small type 'u8' (the
+'keylen' variable). Fix it by removing the 'keylen' variable.
+
+Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conncount.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
+index 7554c56b2e63..d189ca7c2c02 100644
+--- a/net/netfilter/nf_conncount.c
++++ b/net/netfilter/nf_conncount.c
+@@ -309,7 +309,6 @@ insert_tree(struct net *net,
+       struct nf_conncount_rb *rbconn;
+       struct nf_conncount_tuple *conn;
+       unsigned int count = 0, gc_count = 0;
+-      u8 keylen = data->keylen;
+       bool do_gc = true;
+ 
+       spin_lock_bh(&nf_conncount_locks[hash]);
+@@ -321,7 +320,7 @@ insert_tree(struct net *net,
+               rbconn = rb_entry(*rbnode, struct nf_conncount_rb, node);
+ 
+               parent = *rbnode;
+-              diff = key_diff(key, rbconn->key, keylen);
++              diff = key_diff(key, rbconn->key, data->keylen);
+               if (diff < 0) {
+                       rbnode = &((*rbnode)->rb_left);
+               } else if (diff > 0) {
+@@ -366,7 +365,7 @@ insert_tree(struct net *net,
+ 
+       conn->tuple = *tuple;
+       conn->zone = *zone;
+-      memcpy(rbconn->key, key, sizeof(u32) * keylen);
++      memcpy(rbconn->key, key, sizeof(u32) * data->keylen);
+ 
+       nf_conncount_list_init(&rbconn->list);
+       list_add(&conn->node, &rbconn->list.head);
+@@ -391,7 +390,6 @@ count_tree(struct net *net,
+       struct rb_node *parent;
+       struct nf_conncount_rb *rbconn;
+       unsigned int hash;
+-      u8 keylen = data->keylen;
+ 
+       hash = jhash2(key, data->keylen, conncount_rnd) % CONNCOUNT_SLOTS;
+       root = &data->root[hash];
+@@ -402,7 +400,7 @@ count_tree(struct net *net,
+ 
+               rbconn = rb_entry(parent, struct nf_conncount_rb, node);
+ 
+-              diff = key_diff(key, rbconn->key, keylen);
++              diff = key_diff(key, rbconn->key, data->keylen);
+               if (diff < 0) {
+                       parent = rcu_dereference_raw(parent->rb_left);
+               } else if (diff > 0) {
+-- 
+2.43.0
+

diff --git a/queue-4.19/of-irq-prevent-device-address-out-of-bounds-read-in-.patch b/queue-4.19/of-irq-prevent-device-address-out-of-bounds-read-in-.patch
new file mode 100644 (file)
index 0000000..3959d67
--- /dev/null
+++ b/queue-4.19/of-irq-prevent-device-address-out-of-bounds-read-in-.patch
@@ -0,0 +1,131 @@
+From 85c1ce76b09b121e9bc264c228aafe0a666f47ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2024 12:06:51 +0200
+Subject: of/irq: Prevent device address out-of-bounds read in interrupt map
+ walk
+
+From: Stefan Wiehler <stefan.wiehler@nokia.com>
+
+[ Upstream commit b739dffa5d570b411d4bdf4bb9b8dfd6b7d72305 ]
+
+When of_irq_parse_raw() is invoked with a device address smaller than
+the interrupt parent node (from #address-cells property), KASAN detects
+the following out-of-bounds read when populating the initial match table
+(dyndbg="func of_irq_parse_* +p"):
+
+  OF: of_irq_parse_one: dev=/soc@0/picasso/watchdog, index=0
+  OF:  parent=/soc@0/pci@878000000000/gpio0@17,0, intsize=2
+  OF:  intspec=4
+  OF: of_irq_parse_raw: ipar=/soc@0/pci@878000000000/gpio0@17,0, size=2
+  OF:  -> addrsize=3
+  ==================================================================
+  BUG: KASAN: slab-out-of-bounds in of_irq_parse_raw+0x2b8/0x8d0
+  Read of size 4 at addr ffffff81beca5608 by task bash/764
+
+  CPU: 1 PID: 764 Comm: bash Tainted: G           O       6.1.67-484c613561-nokia_sm_arm64 #1
+  Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.01-12.24.03-dirty 01/01/2023
+  Call trace:
+   dump_backtrace+0xdc/0x130
+   show_stack+0x1c/0x30
+   dump_stack_lvl+0x6c/0x84
+   print_report+0x150/0x448
+   kasan_report+0x98/0x140
+   __asan_load4+0x78/0xa0
+   of_irq_parse_raw+0x2b8/0x8d0
+   of_irq_parse_one+0x24c/0x270
+   parse_interrupts+0xc0/0x120
+   of_fwnode_add_links+0x100/0x2d0
+   fw_devlink_parse_fwtree+0x64/0xc0
+   device_add+0xb38/0xc30
+   of_device_add+0x64/0x90
+   of_platform_device_create_pdata+0xd0/0x170
+   of_platform_bus_create+0x244/0x600
+   of_platform_notify+0x1b0/0x254
+   blocking_notifier_call_chain+0x9c/0xd0
+   __of_changeset_entry_notify+0x1b8/0x230
+   __of_changeset_apply_notify+0x54/0xe4
+   of_overlay_fdt_apply+0xc04/0xd94
+   ...
+
+  The buggy address belongs to the object at ffffff81beca5600
+   which belongs to the cache kmalloc-128 of size 128
+  The buggy address is located 8 bytes inside of
+   128-byte region [ffffff81beca5600, ffffff81beca5680)
+
+  The buggy address belongs to the physical page:
+  page:00000000230d3d03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1beca4
+  head:00000000230d3d03 order:1 compound_mapcount:0 compound_pincount:0
+  flags: 0x8000000000010200(slab|head|zone=2)
+  raw: 8000000000010200 0000000000000000 dead000000000122 ffffff810000c300
+  raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
+  page dumped because: kasan: bad access detected
+
+  Memory state around the buggy address:
+   ffffff81beca5500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+   ffffff81beca5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+  >ffffff81beca5600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+                        ^
+   ffffff81beca5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+   ffffff81beca5700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
+  ==================================================================
+  OF:  -> got it !
+
+Prevent the out-of-bounds read by copying the device address into a
+buffer of sufficient size.
+
+Signed-off-by: Stefan Wiehler <stefan.wiehler@nokia.com>
+Link: https://lore.kernel.org/r/20240812100652.3800963-1-stefan.wiehler@nokia.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/irq.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/of/irq.c b/drivers/of/irq.c
+index 02ad93a304a4..f06c9df60e34 100644
+--- a/drivers/of/irq.c
++++ b/drivers/of/irq.c
+@@ -289,7 +289,8 @@ int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_ar
+       struct device_node *p;
+       const __be32 *addr;
+       u32 intsize;
+-      int i, res;
++      int i, res, addr_len;
++      __be32 addr_buf[3] = { 0 };
+ 
+       pr_debug("of_irq_parse_one: dev=%pOF, index=%d\n", device, index);
+ 
+@@ -298,13 +299,19 @@ int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_ar
+               return of_irq_parse_oldworld(device, index, out_irq);
+ 
+       /* Get the reg property (if any) */
+-      addr = of_get_property(device, "reg", NULL);
++      addr = of_get_property(device, "reg", &addr_len);
++
++      /* Prevent out-of-bounds read in case of longer interrupt parent address size */
++      if (addr_len > (3 * sizeof(__be32)))
++              addr_len = 3 * sizeof(__be32);
++      if (addr)
++              memcpy(addr_buf, addr, addr_len);
+ 
+       /* Try the new-style interrupts-extended first */
+       res = of_parse_phandle_with_args(device, "interrupts-extended",
+                                       "#interrupt-cells", index, out_irq);
+       if (!res)
+-              return of_irq_parse_raw(addr, out_irq);
++              return of_irq_parse_raw(addr_buf, out_irq);
+ 
+       /* Look for the interrupt parent. */
+       p = of_irq_find_parent(device);
+@@ -334,7 +341,7 @@ int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_ar
+ 
+ 
+       /* Check if there are any interrupt-map translations to process */
+-      res = of_irq_parse_raw(addr, out_irq);
++      res = of_irq_parse_raw(addr_buf, out_irq);
+  out:
+       of_node_put(p);
+       return res;
+-- 
+2.43.0
+

diff --git a/queue-4.19/pci-add-missing-bridge-lock-to-pci_bus_lock.patch b/queue-4.19/pci-add-missing-bridge-lock-to-pci_bus_lock.patch
new file mode 100644 (file)
index 0000000..30bc546
--- /dev/null
+++ b/queue-4.19/pci-add-missing-bridge-lock-to-pci_bus_lock.patch
@@ -0,0 +1,163 @@
+From 4d91de223cc71feffb1ee50efd2dfc52b9e831b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 May 2024 18:04:35 -0700
+Subject: PCI: Add missing bridge lock to pci_bus_lock()
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+[ Upstream commit a4e772898f8bf2e7e1cf661a12c60a5612c4afab ]
+
+One of the true positives that the cfg_access_lock lockdep effort
+identified is this sequence:
+
+  WARNING: CPU: 14 PID: 1 at drivers/pci/pci.c:4886 pci_bridge_secondary_bus_reset+0x5d/0x70
+  RIP: 0010:pci_bridge_secondary_bus_reset+0x5d/0x70
+  Call Trace:
+   <TASK>
+   ? __warn+0x8c/0x190
+   ? pci_bridge_secondary_bus_reset+0x5d/0x70
+   ? report_bug+0x1f8/0x200
+   ? handle_bug+0x3c/0x70
+   ? exc_invalid_op+0x18/0x70
+   ? asm_exc_invalid_op+0x1a/0x20
+   ? pci_bridge_secondary_bus_reset+0x5d/0x70
+   pci_reset_bus+0x1d8/0x270
+   vmd_probe+0x778/0xa10
+   pci_device_probe+0x95/0x120
+
+Where pci_reset_bus() users are triggering unlocked secondary bus resets.
+Ironically pci_bus_reset(), several calls down from pci_reset_bus(), uses
+pci_bus_lock() before issuing the reset which locks everything *but* the
+bridge itself.
+
+For the same motivation as adding:
+
+  bridge = pci_upstream_bridge(dev);
+  if (bridge)
+    pci_dev_lock(bridge);
+
+to pci_reset_function() for the "bus" and "cxl_bus" reset cases, add
+pci_dev_lock() for @bus->self to pci_bus_lock().
+
+Link: https://lore.kernel.org/r/171711747501.1628941.15217746952476635316.stgit@dwillia2-xfh.jf.intel.com
+Reported-by: Imre Deak <imre.deak@intel.com>
+Closes: http://lore.kernel.org/r/6657833b3b5ae_14984b29437@dwillia2-xfh.jf.intel.com.notmuch
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+[bhelgaas: squash in recursive locking deadlock fix from Keith Busch:
+https://lore.kernel.org/r/20240711193650.701834-1-kbusch@meta.com]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Tested-by: Hans de Goede <hdegoede@redhat.com>
+Tested-by: Kalle Valo <kvalo@kernel.org>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 35 +++++++++++++++++++++--------------
+ 1 file changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index 4f229cb5d2a9..aa2be8d81504 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -4957,10 +4957,12 @@ static void pci_bus_lock(struct pci_bus *bus)
+ {
+       struct pci_dev *dev;
+ 
++      pci_dev_lock(bus->self);
+       list_for_each_entry(dev, &bus->devices, bus_list) {
+-              pci_dev_lock(dev);
+               if (dev->subordinate)
+                       pci_bus_lock(dev->subordinate);
++              else
++                      pci_dev_lock(dev);
+       }
+ }
+ 
+@@ -4972,8 +4974,10 @@ static void pci_bus_unlock(struct pci_bus *bus)
+       list_for_each_entry(dev, &bus->devices, bus_list) {
+               if (dev->subordinate)
+                       pci_bus_unlock(dev->subordinate);
+-              pci_dev_unlock(dev);
++              else
++                      pci_dev_unlock(dev);
+       }
++      pci_dev_unlock(bus->self);
+ }
+ 
+ /* Return 1 on successful lock, 0 on contention */
+@@ -4981,15 +4985,15 @@ static int pci_bus_trylock(struct pci_bus *bus)
+ {
+       struct pci_dev *dev;
+ 
++      if (!pci_dev_trylock(bus->self))
++              return 0;
++
+       list_for_each_entry(dev, &bus->devices, bus_list) {
+-              if (!pci_dev_trylock(dev))
+-                      goto unlock;
+               if (dev->subordinate) {
+-                      if (!pci_bus_trylock(dev->subordinate)) {
+-                              pci_dev_unlock(dev);
++                      if (!pci_bus_trylock(dev->subordinate))
+                               goto unlock;
+-                      }
+-              }
++              } else if (!pci_dev_trylock(dev))
++                      goto unlock;
+       }
+       return 1;
+ 
+@@ -4997,8 +5001,10 @@ static int pci_bus_trylock(struct pci_bus *bus)
+       list_for_each_entry_continue_reverse(dev, &bus->devices, bus_list) {
+               if (dev->subordinate)
+                       pci_bus_unlock(dev->subordinate);
+-              pci_dev_unlock(dev);
++              else
++                      pci_dev_unlock(dev);
+       }
++      pci_dev_unlock(bus->self);
+       return 0;
+ }
+ 
+@@ -5030,9 +5036,10 @@ static void pci_slot_lock(struct pci_slot *slot)
+       list_for_each_entry(dev, &slot->bus->devices, bus_list) {
+               if (!dev->slot || dev->slot != slot)
+                       continue;
+-              pci_dev_lock(dev);
+               if (dev->subordinate)
+                       pci_bus_lock(dev->subordinate);
++              else
++                      pci_dev_lock(dev);
+       }
+ }
+ 
+@@ -5058,14 +5065,13 @@ static int pci_slot_trylock(struct pci_slot *slot)
+       list_for_each_entry(dev, &slot->bus->devices, bus_list) {
+               if (!dev->slot || dev->slot != slot)
+                       continue;
+-              if (!pci_dev_trylock(dev))
+-                      goto unlock;
+               if (dev->subordinate) {
+                       if (!pci_bus_trylock(dev->subordinate)) {
+                               pci_dev_unlock(dev);
+                               goto unlock;
+                       }
+-              }
++              } else if (!pci_dev_trylock(dev))
++                      goto unlock;
+       }
+       return 1;
+ 
+@@ -5076,7 +5082,8 @@ static int pci_slot_trylock(struct pci_slot *slot)
+                       continue;
+               if (dev->subordinate)
+                       pci_bus_unlock(dev->subordinate);
+-              pci_dev_unlock(dev);
++              else
++                      pci_dev_unlock(dev);
+       }
+       return 0;
+ }
+-- 
+2.43.0
+

diff --git a/queue-4.19/pci-hotplug-pnv_php-fix-hotplug-driver-crash-on-powe.patch b/queue-4.19/pci-hotplug-pnv_php-fix-hotplug-driver-crash-on-powe.patch
new file mode 100644 (file)
index 0000000..2c67590
--- /dev/null
+++ b/queue-4.19/pci-hotplug-pnv_php-fix-hotplug-driver-crash-on-powe.patch
@@ -0,0 +1,58 @@
+From 823beebb5b49ac29c3848a23870a545e7a97ad8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jul 2024 13:15:06 +0530
+Subject: pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv
+
+From: Krishna Kumar <krishnak@linux.ibm.com>
+
+[ Upstream commit 335e35b748527f0c06ded9eebb65387f60647fda ]
+
+The hotplug driver for powerpc (pci/hotplug/pnv_php.c) causes a kernel
+crash when we try to hot-unplug/disable the PCIe switch/bridge from
+the PHB.
+
+The crash occurs because although the MSI data structure has been
+released during disable/hot-unplug path and it has been assigned
+with NULL, still during unregistration the code was again trying to
+explicitly disable the MSI which causes the NULL pointer dereference and
+kernel crash.
+
+The patch fixes the check during unregistration path to prevent invoking
+pci_disable_msi/msix() since its data structure is already freed.
+
+Reported-by: Timothy Pearson <tpearson@raptorengineering.com>
+Closes: https://lore.kernel.org/all/1981605666.2142272.1703742465927.JavaMail.zimbra@raptorengineeringinc.com/
+Acked-by: Bjorn Helgaas <bhelgaas@google.com>
+Tested-by: Shawn Anastasio <sanastasio@raptorengineering.com>
+Signed-off-by: Krishna Kumar <krishnak@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20240701074513.94873-2-krishnak@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/hotplug/pnv_php.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c
+index 3276a5e4c430..486fad430958 100644
+--- a/drivers/pci/hotplug/pnv_php.c
++++ b/drivers/pci/hotplug/pnv_php.c
+@@ -35,7 +35,6 @@ static void pnv_php_disable_irq(struct pnv_php_slot *php_slot,
+                               bool disable_device)
+ {
+       struct pci_dev *pdev = php_slot->pdev;
+-      int irq = php_slot->irq;
+       u16 ctrl;
+ 
+       if (php_slot->irq > 0) {
+@@ -54,7 +53,7 @@ static void pnv_php_disable_irq(struct pnv_php_slot *php_slot,
+               php_slot->wq = NULL;
+       }
+ 
+-      if (disable_device || irq > 0) {
++      if (disable_device) {
+               if (pdev->msix_enabled)
+                       pci_disable_msix(pdev);
+               else if (pdev->msi_enabled)
+-- 
+2.43.0
+

diff --git a/queue-4.19/pcmcia-use-resource_size-function-on-resource-object.patch b/queue-4.19/pcmcia-use-resource_size-function-on-resource-object.patch
new file mode 100644 (file)
index 0000000..a773243
--- /dev/null
+++ b/queue-4.19/pcmcia-use-resource_size-function-on-resource-object.patch
@@ -0,0 +1,46 @@
+From 16cfe918cb3d51f5e1d250d11c5bd4393d11d9ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 May 2024 23:31:21 +0100
+Subject: pcmcia: Use resource_size function on resource object
+
+From: Jules Irenge <jbi.octave@gmail.com>
+
+[ Upstream commit 24a025497e7e883bd2adef5d0ece1e9b9268009f ]
+
+Cocinnele reports a warning
+
+WARNING: Suspicious code. resource_size is maybe missing with root
+
+The root cause is the function resource_size is not used when needed
+
+Use resource_size() on variable "root" of type resource
+
+Signed-off-by: Jules Irenge <jbi.octave@gmail.com>
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pcmcia/yenta_socket.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pcmcia/yenta_socket.c b/drivers/pcmcia/yenta_socket.c
+index ac6a3f46b1e6..738660002ef3 100644
+--- a/drivers/pcmcia/yenta_socket.c
++++ b/drivers/pcmcia/yenta_socket.c
+@@ -636,11 +636,11 @@ static int yenta_search_one_res(struct resource *root, struct resource *res,
+               start = PCIBIOS_MIN_CARDBUS_IO;
+               end = ~0U;
+       } else {
+-              unsigned long avail = root->end - root->start;
++              unsigned long avail = resource_size(root);
+               int i;
+               size = BRIDGE_MEM_MAX;
+-              if (size > avail/8) {
+-                      size = (avail+1)/8;
++              if (size > (avail - 1) / 8) {
++                      size = avail / 8;
+                       /* round size down to next power of 2 */
+                       i = 0;
+                       while ((size /= 2) != 0)
+-- 
+2.43.0
+

diff --git a/queue-4.19/platform-x86-dell-smbios-fix-error-path-in-dell_smbi.patch b/queue-4.19/platform-x86-dell-smbios-fix-error-path-in-dell_smbi.patch
new file mode 100644 (file)
index 0000000..8019990
--- /dev/null
+++ b/queue-4.19/platform-x86-dell-smbios-fix-error-path-in-dell_smbi.patch
@@ -0,0 +1,54 @@
+From 771fa6701953729486c11a6fec437286f4ad154a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Aug 2024 09:54:28 +0300
+Subject: platform/x86: dell-smbios: Fix error path in dell_smbios_init()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Aleksandr Mishin <amishin@t-argos.ru>
+
+[ Upstream commit ffc17e1479e8e9459b7afa80e5d9d40d0dd78abb ]
+
+In case of error in build_tokens_sysfs(), all the memory that has been
+allocated is freed at end of this function. But then free_group() is
+called which performs memory deallocation again.
+
+Also, instead of free_group() call, there should be exit_dell_smbios_smm()
+and exit_dell_smbios_wmi() calls, since there is initialization, but there
+is no release of resources in case of an error.
+
+Fix these issues by replacing free_group() call with
+exit_dell_smbios_wmi() and exit_dell_smbios_smm().
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 33b9ca1e53b4 ("platform/x86: dell-smbios: Add a sysfs interface for SMBIOS tokens")
+Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
+Link: https://lore.kernel.org/r/20240830065428.9544-1-amishin@t-argos.ru
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/dell-smbios-base.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/dell-smbios-base.c b/drivers/platform/x86/dell-smbios-base.c
+index 9e9fc5155789..f5299edb83f5 100644
+--- a/drivers/platform/x86/dell-smbios-base.c
++++ b/drivers/platform/x86/dell-smbios-base.c
+@@ -613,7 +613,10 @@ static int __init dell_smbios_init(void)
+       return 0;
+ 
+ fail_sysfs:
+-      free_group(platform_device);
++      if (!wmi)
++              exit_dell_smbios_wmi();
++      if (!smm)
++              exit_dell_smbios_smm();
+ 
+ fail_create_group:
+       platform_device_del(platform_device);
+-- 
+2.43.0
+

diff --git a/queue-4.19/rfkill-fix-spelling-mistake-contidion-to-condition.patch b/queue-4.19/rfkill-fix-spelling-mistake-contidion-to-condition.patch
new file mode 100644 (file)
index 0000000..85649a2
--- /dev/null
+++ b/queue-4.19/rfkill-fix-spelling-mistake-contidion-to-condition.patch
@@ -0,0 +1,39 @@
+From d432b55ecd36ea63222b2e0082991f8561ef1ef4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jul 2018 15:41:38 -0400
+Subject: rfkill: fix spelling mistake contidion to condition
+
+From: Richard Guy Briggs <rgb@redhat.com>
+
+[ Upstream commit f404c3ecc401b3617c454c06a3d36a43a01f1aaf ]
+
+This came about while trying to determine if there would be any pattern
+match on contid, a new audit container identifier internal variable.
+This was the only one.
+
+Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: bee2ef946d31 ("net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rfkill/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/rfkill/core.c b/net/rfkill/core.c
+index d6467cbf5c4f..d138a2123d70 100644
+--- a/net/rfkill/core.c
++++ b/net/rfkill/core.c
+@@ -510,8 +510,8 @@ void rfkill_remove_epo_lock(void)
+ /**
+  * rfkill_is_epo_lock_active - returns true EPO is active
+  *
+- * Returns 0 (false) if there is NOT an active EPO contidion,
+- * and 1 (true) if there is an active EPO contition, which
++ * Returns 0 (false) if there is NOT an active EPO condition,
++ * and 1 (true) if there is an active EPO condition, which
+  * locks all radios in one of the BLOCKED states.
+  *
+  * Can be called in atomic context.
+-- 
+2.43.0
+

diff --git a/queue-4.19/series b/queue-4.19/series
index 322b69eb91dfb12c3484ded54922bc564bde1d68..87c1ef5b2f1fabbded29d4252eea11b65bae1e36 100644 (file)
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -23,3 +23,50 @@ fuse-use-unsigned-type-for-getxattr-listxattr-size-truncation.patch
 clk-qcom-clk-alpha-pll-fix-the-pll-post-div-mask.patch
 nilfs2-fix-missing-cleanup-on-rollforward-recovery-error.patch
 nilfs2-fix-state-management-in-error-path-of-log-writing-function.patch
+alsa-hda-add-input-value-sanity-checks-to-hdmi-chann.patch
+smack-unix-sockets-fix-accept-ed-socket-label.patch
+irqchip-armada-370-xp-do-not-allow-mapping-irq-0-and.patch
+af_unix-remove-put_pid-put_cred-in-copy_peercred.patch
+netfilter-nf_conncount-fix-wrong-variable-type.patch
+udf-avoid-excessive-partition-lengths.patch
+wifi-brcmsmac-advertise-mfp_capable-to-enable-wpa3.patch
+media-qcom-camss-add-check-for-v4l2_fwnode_endpoint_.patch
+pcmcia-use-resource_size-function-on-resource-object.patch
+can-bcm-remove-proc-entry-when-dev-is-unregistered.patch
+igb-fix-not-clearing-timesync-interrupts-for-82580.patch
+platform-x86-dell-smbios-fix-error-path-in-dell_smbi.patch
+cx82310_eth-re-enable-ethernet-mode-after-router-reb.patch
+drivers-net-usb-remove-all-strcpy-uses.patch
+net-usb-don-t-write-directly-to-netdev-dev_addr.patch
+usbnet-modern-method-to-get-random-mac.patch
+rfkill-fix-spelling-mistake-contidion-to-condition.patch
+net-bridge-add-support-for-sticky-fdb-entries.patch
+bridge-switchdev-allow-clearing-fdb-entry-offload-in.patch
+net-bridge-fdb-convert-is_local-to-bitops.patch
+net-bridge-fdb-convert-is_static-to-bitops.patch
+net-bridge-fdb-convert-is_sticky-to-bitops.patch
+net-bridge-fdb-convert-added_by_user-to-bitops.patch
+net-bridge-fdb-convert-added_by_external_learn-to-us.patch
+net-bridge-br_fdb_external_learn_add-always-set-ext_.patch
+net-dsa-vsc73xx-fix-possible-subblocks-range-of-capt.patch
+iommu-vt-d-handle-volatile-descriptor-status-read.patch
+cgroup-protect-css-cgroup-write-under-css_set_lock.patch
+um-line-always-fill-error_out-in-setup_one_line.patch
+devres-initialize-an-uninitialized-struct-member.patch
+pci-hotplug-pnv_php-fix-hotplug-driver-crash-on-powe.patch
+hwmon-adc128d818-fix-underflows-seen-when-writing-li.patch
+hwmon-lm95234-fix-underflows-seen-when-writing-limit.patch
+hwmon-nct6775-core-fix-underflows-seen-when-writing-.patch
+hwmon-w83627ehf-fix-underflows-seen-when-writing-lim.patch
+wifi-mwifiex-do-not-return-unused-priv-in-mwifiex_ge.patch
+smp-add-missing-destroy_work_on_stack-call-in-smp_ca.patch
+btrfs-replace-bug_on-with-assert-in-walk_down_proc.patch
+btrfs-clean-up-our-handling-of-refs-0-in-snapshot-de.patch
+pci-add-missing-bridge-lock-to-pci_bus_lock.patch
+btrfs-initialize-location-to-fix-wmaybe-uninitialize.patch
+hid-cougar-fix-slab-out-of-bounds-read-in-cougar_rep.patch
+input-uinput-reject-requests-with-unreasonable-numbe.patch
+usbnet-ipheth-race-between-ipheth_close-and-error-ha.patch
+squashfs-sanity-check-symbolic-link-size.patch
+of-irq-prevent-device-address-out-of-bounds-read-in-.patch
+ata-pata_macio-use-warn-instead-of-bug.patch

diff --git a/queue-4.19/smack-unix-sockets-fix-accept-ed-socket-label.patch b/queue-4.19/smack-unix-sockets-fix-accept-ed-socket-label.patch
new file mode 100644 (file)
index 0000000..aeb0d43
--- /dev/null
+++ b/queue-4.19/smack-unix-sockets-fix-accept-ed-socket-label.patch
@@ -0,0 +1,60 @@
+From c1aba40e51ac08449b1036a1b57f3ed993f69175 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jun 2024 01:44:30 +0300
+Subject: smack: unix sockets: fix accept()ed socket label
+
+From: Konstantin Andreev <andreev@swemel.ru>
+
+[ Upstream commit e86cac0acdb1a74f608bacefe702f2034133a047 ]
+
+When a process accept()s connection from a unix socket
+(either stream or seqpacket)
+it gets the socket with the label of the connecting process.
+
+For example, if a connecting process has a label 'foo',
+the accept()ed socket will also have 'in' and 'out' labels 'foo',
+regardless of the label of the listener process.
+
+This is because kernel creates unix child sockets
+in the context of the connecting process.
+
+I do not see any obvious way for the listener to abuse
+alien labels coming with the new socket, but,
+to be on the safe side, it's better fix new socket labels.
+
+Signed-off-by: Konstantin Andreev <andreev@swemel.ru>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/smack/smack_lsm.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 158f4df39be4..00d8e1b53b2a 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -3745,12 +3745,18 @@ static int smack_unix_stream_connect(struct sock *sock,
+               }
+       }
+ 
+-      /*
+-       * Cross reference the peer labels for SO_PEERSEC.
+-       */
+       if (rc == 0) {
++              /*
++               * Cross reference the peer labels for SO_PEERSEC.
++               */
+               nsp->smk_packet = ssp->smk_out;
+               ssp->smk_packet = osp->smk_out;
++
++              /*
++               * new/child/established socket must inherit listening socket labels
++               */
++              nsp->smk_out = osp->smk_out;
++              nsp->smk_in  = osp->smk_in;
+       }
+ 
+       return rc;
+-- 
+2.43.0
+

diff --git a/queue-4.19/smp-add-missing-destroy_work_on_stack-call-in-smp_ca.patch b/queue-4.19/smp-add-missing-destroy_work_on_stack-call-in-smp_ca.patch
new file mode 100644 (file)
index 0000000..a107465
--- /dev/null
+++ b/queue-4.19/smp-add-missing-destroy_work_on_stack-call-in-smp_ca.patch
@@ -0,0 +1,45 @@
+From edf302a33a65a39f2cf59fbcf328b070fe1a4f99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jul 2024 14:52:13 +0800
+Subject: smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()
+
+From: Zqiang <qiang.zhang1211@gmail.com>
+
+[ Upstream commit 77aeb1b685f9db73d276bad4bb30d48505a6fd23 ]
+
+For CONFIG_DEBUG_OBJECTS_WORK=y kernels sscs.work defined by
+INIT_WORK_ONSTACK() is initialized by debug_object_init_on_stack() for
+the debug check in __init_work() to work correctly.
+
+But this lacks the counterpart to remove the tracked object from debug
+objects again, which will cause a debug object warning once the stack is
+freed.
+
+Add the missing destroy_work_on_stack() invocation to cure that.
+
+[ tglx: Massaged changelog ]
+
+Signed-off-by: Zqiang <qiang.zhang1211@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Paul E. McKenney <paulmck@kernel.org>
+Link: https://lore.kernel.org/r/20240704065213.13559-1-qiang.zhang1211@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/smp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/smp.c b/kernel/smp.c
+index 9fa2fe6c0c05..c5f333258ecf 100644
+--- a/kernel/smp.c
++++ b/kernel/smp.c
+@@ -791,6 +791,7 @@ int smp_call_on_cpu(unsigned int cpu, int (*func)(void *), void *par, bool phys)
+ 
+       queue_work_on(cpu, system_wq, &sscs.work);
+       wait_for_completion(&sscs.done);
++      destroy_work_on_stack(&sscs.work);
+ 
+       return sscs.ret;
+ }
+-- 
+2.43.0
+

diff --git a/queue-4.19/squashfs-sanity-check-symbolic-link-size.patch b/queue-4.19/squashfs-sanity-check-symbolic-link-size.patch
new file mode 100644 (file)
index 0000000..d9add06
--- /dev/null
+++ b/queue-4.19/squashfs-sanity-check-symbolic-link-size.patch
@@ -0,0 +1,68 @@
+From a320717e1c8364d5bbbf8d25b0648c5af828579a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2024 00:28:21 +0100
+Subject: Squashfs: sanity check symbolic link size
+
+From: Phillip Lougher <phillip@squashfs.org.uk>
+
+[ Upstream commit 810ee43d9cd245d138a2733d87a24858a23f577d ]
+
+Syzkiller reports a "KMSAN: uninit-value in pick_link" bug.
+
+This is caused by an uninitialised page, which is ultimately caused
+by a corrupted symbolic link size read from disk.
+
+The reason why the corrupted symlink size causes an uninitialised
+page is due to the following sequence of events:
+
+1. squashfs_read_inode() is called to read the symbolic
+   link from disk.  This assigns the corrupted value
+   3875536935 to inode->i_size.
+
+2. Later squashfs_symlink_read_folio() is called, which assigns
+   this corrupted value to the length variable, which being a
+   signed int, overflows producing a negative number.
+
+3. The following loop that fills in the page contents checks that
+   the copied bytes is less than length, which being negative means
+   the loop is skipped, producing an uninitialised page.
+
+This patch adds a sanity check which checks that the symbolic
+link size is not larger than expected.
+
+--
+
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+Link: https://lore.kernel.org/r/20240811232821.13903-1-phillip@squashfs.org.uk
+Reported-by: Lizhi Xu <lizhi.xu@windriver.com>
+Reported-by: syzbot+24ac24ff58dc5b0d26b9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/000000000000a90e8c061e86a76b@google.com/
+V2: fix spelling mistake.
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/squashfs/inode.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/squashfs/inode.c b/fs/squashfs/inode.c
+index e9793b1e49a5..89ac1c6de97b 100644
+--- a/fs/squashfs/inode.c
++++ b/fs/squashfs/inode.c
+@@ -289,8 +289,13 @@ int squashfs_read_inode(struct inode *inode, long long ino)
+               if (err < 0)
+                       goto failed_read;
+ 
+-              set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+               inode->i_size = le32_to_cpu(sqsh_ino->symlink_size);
++              if (inode->i_size > PAGE_SIZE) {
++                      ERROR("Corrupted symlink\n");
++                      return -EINVAL;
++              }
++
++              set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+               inode->i_op = &squashfs_symlink_inode_ops;
+               inode_nohighmem(inode);
+               inode->i_data.a_ops = &squashfs_symlink_aops;
+-- 
+2.43.0
+

diff --git a/queue-4.19/udf-avoid-excessive-partition-lengths.patch b/queue-4.19/udf-avoid-excessive-partition-lengths.patch
new file mode 100644 (file)
index 0000000..a8a7906
--- /dev/null
+++ b/queue-4.19/udf-avoid-excessive-partition-lengths.patch
@@ -0,0 +1,63 @@
+From 1a59891920072f81361ee978bc692ea6a8776ff2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Jun 2024 12:52:17 +0200
+Subject: udf: Avoid excessive partition lengths
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit ebbe26fd54a9621994bc16b14f2ba8f84c089693 ]
+
+Avoid mounting filesystems where the partition would overflow the
+32-bits used for block number. Also refuse to mount filesystems where
+the partition length is so large we cannot safely index bits in a
+block bitmap.
+
+Link: https://patch.msgid.link/20240620130403.14731-1-jack@suse.cz
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/udf/super.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/fs/udf/super.c b/fs/udf/super.c
+index 6273ffd312cc..22c76a33f6f3 100644
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -1054,12 +1054,19 @@ static int udf_fill_partdesc_info(struct super_block *sb,
+       struct udf_part_map *map;
+       struct udf_sb_info *sbi = UDF_SB(sb);
+       struct partitionHeaderDesc *phd;
++      u32 sum;
+       int err;
+ 
+       map = &sbi->s_partmaps[p_index];
+ 
+       map->s_partition_len = le32_to_cpu(p->partitionLength); /* blocks */
+       map->s_partition_root = le32_to_cpu(p->partitionStartingLocation);
++      if (check_add_overflow(map->s_partition_root, map->s_partition_len,
++                             &sum)) {
++              udf_err(sb, "Partition %d has invalid location %u + %u\n",
++                      p_index, map->s_partition_root, map->s_partition_len);
++              return -EFSCORRUPTED;
++      }
+ 
+       if (p->accessType == cpu_to_le32(PD_ACCESS_TYPE_READ_ONLY))
+               map->s_partition_flags |= UDF_PART_FLAG_READ_ONLY;
+@@ -1115,6 +1122,14 @@ static int udf_fill_partdesc_info(struct super_block *sb,
+               bitmap->s_extPosition = le32_to_cpu(
+                               phd->unallocSpaceBitmap.extPosition);
+               map->s_partition_flags |= UDF_PART_FLAG_UNALLOC_BITMAP;
++              /* Check whether math over bitmap won't overflow. */
++              if (check_add_overflow(map->s_partition_len,
++                                     sizeof(struct spaceBitmapDesc) << 3,
++                                     &sum)) {
++                      udf_err(sb, "Partition %d is too long (%u)\n", p_index,
++                              map->s_partition_len);
++                      return -EFSCORRUPTED;
++              }
+               udf_debug("unallocSpaceBitmap (part %d) @ %u\n",
+                         p_index, bitmap->s_extPosition);
+       }
+-- 
+2.43.0
+

diff --git a/queue-4.19/um-line-always-fill-error_out-in-setup_one_line.patch b/queue-4.19/um-line-always-fill-error_out-in-setup_one_line.patch
new file mode 100644 (file)
index 0000000..9429325
--- /dev/null
+++ b/queue-4.19/um-line-always-fill-error_out-in-setup_one_line.patch
@@ -0,0 +1,44 @@
+From 1f91b37f9214d5f193bd13532e0c5e58238f60c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jul 2024 17:22:36 +0200
+Subject: um: line: always fill *error_out in setup_one_line()
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 824ac4a5edd3f7494ab1996826c4f47f8ef0f63d ]
+
+The pointer isn't initialized by callers, but I have
+encountered cases where it's still printed; initialize
+it in all possible cases in setup_one_line().
+
+Link: https://patch.msgid.link/20240703172235.ad863568b55f.Iaa1eba4db8265d7715ba71d5f6bb8c7ff63d27e9@changeid
+Acked-By: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/drivers/line.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/um/drivers/line.c b/arch/um/drivers/line.c
+index 71e26488dfde..b5c3bc0e6bce 100644
+--- a/arch/um/drivers/line.c
++++ b/arch/um/drivers/line.c
+@@ -391,6 +391,7 @@ int setup_one_line(struct line *lines, int n, char *init,
+                       parse_chan_pair(NULL, line, n, opts, error_out);
+                       err = 0;
+               }
++              *error_out = "configured as 'none'";
+       } else {
+               char *new = kstrdup(init, GFP_KERNEL);
+               if (!new) {
+@@ -414,6 +415,7 @@ int setup_one_line(struct line *lines, int n, char *init,
+                       }
+               }
+               if (err) {
++                      *error_out = "failed to parse channel pair";
+                       line->init_str = NULL;
+                       line->valid = 0;
+                       kfree(new);
+-- 
+2.43.0
+

diff --git a/queue-4.19/usbnet-ipheth-race-between-ipheth_close-and-error-ha.patch b/queue-4.19/usbnet-ipheth-race-between-ipheth_close-and-error-ha.patch
new file mode 100644 (file)
index 0000000..e118b11
--- /dev/null
+++ b/queue-4.19/usbnet-ipheth-race-between-ipheth_close-and-error-ha.patch
@@ -0,0 +1,44 @@
+From c5d35898da82e150c68498ff30cfeb6db0154daf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2024 19:28:05 +0200
+Subject: usbnet: ipheth: race between ipheth_close and error handling
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit e5876b088ba03a62124266fa20d00e65533c7269 ]
+
+ipheth_sndbulk_callback() can submit carrier_work
+as a part of its error handling. That means that
+the driver must make sure that the work is cancelled
+after it has made sure that no more URB can terminate
+with an error condition.
+
+Hence the order of actions in ipheth_close() needs
+to be inverted.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Foster Snowhill <forst@pen.gy>
+Tested-by: Georgi Valkov <gvalkov@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/ipheth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c
+index 5e8fd2aa1888..0a86ba028c4d 100644
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -407,8 +407,8 @@ static int ipheth_close(struct net_device *net)
+ {
+       struct ipheth_device *dev = netdev_priv(net);
+ 
+-      cancel_delayed_work_sync(&dev->carrier_work);
+       netif_stop_queue(net);
++      cancel_delayed_work_sync(&dev->carrier_work);
+       return 0;
+ }
+ 
+-- 
+2.43.0
+

diff --git a/queue-4.19/usbnet-modern-method-to-get-random-mac.patch b/queue-4.19/usbnet-modern-method-to-get-random-mac.patch
new file mode 100644 (file)
index 0000000..231cd00
--- /dev/null
+++ b/queue-4.19/usbnet-modern-method-to-get-random-mac.patch
@@ -0,0 +1,75 @@
+From 20ed0ddfce3f26d1e7b00073c8360a407aee0417 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 19:50:55 +0200
+Subject: usbnet: modern method to get random MAC
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit bab8eb0dd4cb995caa4a0529d5655531c2ec5e8e ]
+
+The driver generates a random MAC once on load
+and uses it over and over, including on two devices
+needing a random MAC at the same time.
+
+Jakub suggested revamping the driver to the modern
+API for setting a random MAC rather than fixing
+the old stuff.
+
+The bug is as old as the driver.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Link: https://patch.msgid.link/20240829175201.670718-1-oneukum@suse.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/usbnet.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index 16225654d88c..938335f4738d 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -79,9 +79,6 @@
+ 
+ /*-------------------------------------------------------------------------*/
+ 
+-// randomly generated ethernet address
+-static u8     node_id [ETH_ALEN];
+-
+ /* use ethtool to change the level for any given device */
+ static int msg_level = -1;
+ module_param (msg_level, int, 0);
+@@ -1725,7 +1722,6 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod)
+ 
+       dev->net = net;
+       strscpy(net->name, "usb%d", sizeof(net->name));
+-      eth_hw_addr_set(net, node_id);
+ 
+       /* rx and tx sides can use different message sizes;
+        * bind() should set rx_urb_size in that case.
+@@ -1799,9 +1795,9 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod)
+               goto out4;
+       }
+ 
+-      /* let userspace know we have a random address */
+-      if (ether_addr_equal(net->dev_addr, node_id))
+-              net->addr_assign_type = NET_ADDR_RANDOM;
++      /* this flags the device for user space */
++      if (!is_valid_ether_addr(net->dev_addr))
++              eth_hw_addr_random(net);
+ 
+       if ((dev->driver_info->flags & FLAG_WLAN) != 0)
+               SET_NETDEV_DEVTYPE(net, &wlan_type);
+@@ -2211,7 +2207,6 @@ static int __init usbnet_init(void)
+       BUILD_BUG_ON(
+               FIELD_SIZEOF(struct sk_buff, cb) < sizeof(struct skb_data));
+ 
+-      eth_random_addr(node_id);
+       return 0;
+ }
+ module_init(usbnet_init);
+-- 
+2.43.0
+

diff --git a/queue-4.19/wifi-brcmsmac-advertise-mfp_capable-to-enable-wpa3.patch b/queue-4.19/wifi-brcmsmac-advertise-mfp_capable-to-enable-wpa3.patch
new file mode 100644 (file)
index 0000000..806ff0e
--- /dev/null
+++ b/queue-4.19/wifi-brcmsmac-advertise-mfp_capable-to-enable-wpa3.patch
@@ -0,0 +1,38 @@
+From 1d3f0ff64c6c2fd83774e00003afa930d537ba09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jun 2024 14:26:09 +0200
+Subject: wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3
+
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+
+[ Upstream commit dbb5265a5d7cca1cdba7736dba313ab7d07bc19d ]
+
+After being asked about support for WPA3 for BCM43224 chipset it
+was found that all it takes is setting the MFP_CAPABLE flag and
+mac80211 will take care of all that is needed [1].
+
+Link: https://lore.kernel.org/linux-wireless/20200526155909.5807-2-Larry.Finger@lwfinger.net/ [1]
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Tested-by: Reijer Boekhoff <reijerboekhoff@protonmail.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://patch.msgid.link/20240617122609.349582-1-arend.vanspriel@broadcom.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
+index 288d4d4d4454..eb735b054790 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
+@@ -1091,6 +1091,7 @@ static int ieee_hw_init(struct ieee80211_hw *hw)
+       ieee80211_hw_set(hw, AMPDU_AGGREGATION);
+       ieee80211_hw_set(hw, SIGNAL_DBM);
+       ieee80211_hw_set(hw, REPORTS_TX_ACK_STATUS);
++      ieee80211_hw_set(hw, MFP_CAPABLE);
+ 
+       hw->extra_tx_headroom = brcms_c_get_header_len();
+       hw->queues = N_TX_QUEUES;
+-- 
+2.43.0
+

diff --git a/queue-4.19/wifi-mwifiex-do-not-return-unused-priv-in-mwifiex_ge.patch b/queue-4.19/wifi-mwifiex-do-not-return-unused-priv-in-mwifiex_ge.patch
new file mode 100644 (file)
index 0000000..341137a
--- /dev/null
+++ b/queue-4.19/wifi-mwifiex-do-not-return-unused-priv-in-mwifiex_ge.patch
@@ -0,0 +1,112 @@
+From 19c184dec1f1bee2c5664827177b3917ff1701af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jul 2024 09:24:09 +0200
+Subject: wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()
+
+From: Sascha Hauer <s.hauer@pengutronix.de>
+
+[ Upstream commit c145eea2f75ff7949392aebecf7ef0a81c1f6c14 ]
+
+mwifiex_get_priv_by_id() returns the priv pointer corresponding to
+the bss_num and bss_type, but without checking if the priv is actually
+currently in use.
+Unused priv pointers do not have a wiphy attached to them which can
+lead to NULL pointer dereferences further down the callstack.  Fix
+this by returning only used priv pointers which have priv->bss_mode
+set to something else than NL80211_IFTYPE_UNSPECIFIED.
+
+Said NULL pointer dereference happened when an Accesspoint was started
+with wpa_supplicant -i mlan0 with this config:
+
+network={
+        ssid="somessid"
+        mode=2
+        frequency=2412
+        key_mgmt=WPA-PSK WPA-PSK-SHA256
+        proto=RSN
+        group=CCMP
+        pairwise=CCMP
+        psk="12345678"
+}
+
+When waiting for the AP to be established, interrupting wpa_supplicant
+with <ctrl-c> and starting it again this happens:
+
+| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000140
+| Mem abort info:
+|   ESR = 0x0000000096000004
+|   EC = 0x25: DABT (current EL), IL = 32 bits
+|   SET = 0, FnV = 0
+|   EA = 0, S1PTW = 0
+|   FSC = 0x04: level 0 translation fault
+| Data abort info:
+|   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
+|   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+|   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+| user pgtable: 4k pages, 48-bit VAs, pgdp=0000000046d96000
+| [0000000000000140] pgd=0000000000000000, p4d=0000000000000000
+| Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
+| Modules linked in: caam_jr caamhash_desc spidev caamalg_desc crypto_engine authenc libdes mwifiex_sdio
++mwifiex crct10dif_ce cdc_acm onboard_usb_hub fsl_imx8_ddr_perf imx8m_ddrc rtc_ds1307 lm75 rtc_snvs
++imx_sdma caam imx8mm_thermal spi_imx error imx_cpufreq_dt fuse ip_tables x_tables ipv6
+| CPU: 0 PID: 8 Comm: kworker/0:1 Not tainted 6.9.0-00007-g937242013fce-dirty #18
+| Hardware name: somemachine (DT)
+| Workqueue: events sdio_irq_work
+| pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+| pc : mwifiex_get_cfp+0xd8/0x15c [mwifiex]
+| lr : mwifiex_get_cfp+0x34/0x15c [mwifiex]
+| sp : ffff8000818b3a70
+| x29: ffff8000818b3a70 x28: ffff000006bfd8a5 x27: 0000000000000004
+| x26: 000000000000002c x25: 0000000000001511 x24: 0000000002e86bc9
+| x23: ffff000006bfd996 x22: 0000000000000004 x21: ffff000007bec000
+| x20: 000000000000002c x19: 0000000000000000 x18: 0000000000000000
+| x17: 000000040044ffff x16: 00500072b5503510 x15: ccc283740681e517
+| x14: 0201000101006d15 x13: 0000000002e8ff43 x12: 002c01000000ffb1
+| x11: 0100000000000000 x10: 02e8ff43002c0100 x9 : 0000ffb100100157
+| x8 : ffff000003d20000 x7 : 00000000000002f1 x6 : 00000000ffffe124
+| x5 : 0000000000000001 x4 : 0000000000000003 x3 : 0000000000000000
+| x2 : 0000000000000000 x1 : 0001000000011001 x0 : 0000000000000000
+| Call trace:
+|  mwifiex_get_cfp+0xd8/0x15c [mwifiex]
+|  mwifiex_parse_single_response_buf+0x1d0/0x504 [mwifiex]
+|  mwifiex_handle_event_ext_scan_report+0x19c/0x2f8 [mwifiex]
+|  mwifiex_process_sta_event+0x298/0xf0c [mwifiex]
+|  mwifiex_process_event+0x110/0x238 [mwifiex]
+|  mwifiex_main_process+0x428/0xa44 [mwifiex]
+|  mwifiex_sdio_interrupt+0x64/0x12c [mwifiex_sdio]
+|  process_sdio_pending_irqs+0x64/0x1b8
+|  sdio_irq_work+0x4c/0x7c
+|  process_one_work+0x148/0x2a0
+|  worker_thread+0x2fc/0x40c
+|  kthread+0x110/0x114
+|  ret_from_fork+0x10/0x20
+| Code: a94153f3 a8c37bfd d50323bf d65f03c0 (f940a000)
+| ---[ end trace 0000000000000000 ]---
+
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Acked-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://patch.msgid.link/20240703072409.556618-1-s.hauer@pengutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/main.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/main.h b/drivers/net/wireless/marvell/mwifiex/main.h
+index 7e526014b638..89774e0316bd 100644
+--- a/drivers/net/wireless/marvell/mwifiex/main.h
++++ b/drivers/net/wireless/marvell/mwifiex/main.h
+@@ -1306,6 +1306,9 @@ mwifiex_get_priv_by_id(struct mwifiex_adapter *adapter,
+ 
+       for (i = 0; i < adapter->priv_num; i++) {
+               if (adapter->priv[i]) {
++                      if (adapter->priv[i]->bss_mode == NL80211_IFTYPE_UNSPECIFIED)
++                              continue;
++
+                       if ((adapter->priv[i]->bss_num == bss_num) &&
+                           (adapter->priv[i]->bss_type == bss_type))
+                               break;
+-- 
+2.43.0
+