Fixes for 5.15
authorSasha Levin <sashal@kernel.org>
Sun, 13 Nov 2022 22:41:32 +0000 (17:41 -0500)
committerSasha Levin <sashal@kernel.org>
Sun, 13 Nov 2022 22:41:32 +0000 (17:41 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
76 files changed:
queue-5.15/bnxt_en-fix-possible-crash-in-bnxt_hwrm_set_coal.patch [new file with mode: 0644]
queue-5.15/bnxt_en-fix-potentially-incorrect-return-value-for-n.patch [new file with mode: 0644]
queue-5.15/bpf-add-helper-macro-bpf_for_each_reg_in_vstate.patch [new file with mode: 0644]
queue-5.15/bpf-fix-sockmap-calling-sleepable-function-in-teardo.patch [new file with mode: 0644]
queue-5.15/bpf-fix-wrong-reg-type-conversion-in-release_referen.patch [new file with mode: 0644]
queue-5.15/bpf-sock_map-move-cancel_work_sync-out-of-sock-lock.patch [new file with mode: 0644]
queue-5.15/bpf-sockmap-fix-sk-sk_forward_alloc-warn_on-in-sk_st.patch [new file with mode: 0644]
queue-5.15/bpf-sockmap-fix-the-sk-sk_forward_alloc-warning-of-s.patch [new file with mode: 0644]
queue-5.15/bpf-verifier-fix-memory-leak-in-array-reallocation-f.patch [new file with mode: 0644]
queue-5.15/bpftool-fix-null-pointer-dereference-when-pin-prog-m.patch [new file with mode: 0644]
queue-5.15/can-af_can-fix-null-pointer-dereference-in-can_rx_re.patch [new file with mode: 0644]
queue-5.15/capabilities-fix-undefined-behavior-in-bit-shift-for.patch [new file with mode: 0644]
queue-5.15/cxgb4vf-shut-down-the-adapter-when-t4vf_update_port_.patch [new file with mode: 0644]
queue-5.15/dmaengine-mv_xor_v2-fix-a-resource-leak-in-mv_xor_v2.patch [new file with mode: 0644]
queue-5.15/dmaengine-pxa_dma-use-platform_get_irq_optional.patch [new file with mode: 0644]
queue-5.15/dmaengine-ti-k3-udma-glue-fix-memory-leak-when-regis.patch [new file with mode: 0644]
queue-5.15/drivers-net-xgene-disable-napi-when-register-irq-fai.patch [new file with mode: 0644]
queue-5.15/drm-vc4-fix-missing-platform_unregister_drivers-call.patch [new file with mode: 0644]
queue-5.15/ethernet-s2io-disable-napi-when-start-nic-failed-in-.patch [new file with mode: 0644]
queue-5.15/ethernet-tundra-free-irq-when-alloc-ring-failed-in-t.patch [new file with mode: 0644]
queue-5.15/hamradio-fix-issue-of-dev-reference-count-leakage-in.patch [new file with mode: 0644]
queue-5.15/hid-hyperv-fix-possible-memory-leak-in-mousevsc_prob.patch [new file with mode: 0644]
queue-5.15/hwspinlock-qcom-correct-mmio-max-register-for-newer-.patch [new file with mode: 0644]
queue-5.15/ipv6-addrlabel-fix-infoleak-when-sending-struct-ifad.patch [new file with mode: 0644]
queue-5.15/kvm-s390-pv-don-t-allow-userspace-to-set-the-clock-u.patch [new file with mode: 0644]
queue-5.15/macsec-clear-encryption-keys-from-the-stack-after-se.patch [new file with mode: 0644]
queue-5.15/macsec-delete-new-rxsc-when-offload-fails.patch [new file with mode: 0644]
queue-5.15/macsec-fix-detection-of-rxscs-when-toggling-offloadi.patch [new file with mode: 0644]
queue-5.15/macsec-fix-secy-n_rx_sc-accounting.patch [new file with mode: 0644]
queue-5.15/mctp-fix-an-error-handling-path-in-mctp_init.patch [new file with mode: 0644]
queue-5.15/net-atlantic-macsec-clear-encryption-keys-from-the-s.patch [new file with mode: 0644]
queue-5.15/net-broadcom-fix-bcmgenet-kconfig.patch [new file with mode: 0644]
queue-5.15/net-cpsw-disable-napi-in-cpsw_ndo_open.patch [new file with mode: 0644]
queue-5.15/net-cxgb3_main-disable-napi-when-bind-qsets-failed-i.patch [new file with mode: 0644]
queue-5.15/net-ethernet-mtk-star-emac-disable-napi-when-connect.patch [new file with mode: 0644]
queue-5.15/net-fman-unregister-ethernet-device-on-removal.patch [new file with mode: 0644]
queue-5.15/net-gso-fix-panic-on-frag_list-with-mixed-head-alloc.patch [new file with mode: 0644]
queue-5.15/net-lapbether-fix-issue-of-dev-reference-count-leaka.patch [new file with mode: 0644]
queue-5.15/net-lapbether-fix-issue-of-invalid-opcode-in-lapbeth.patch [new file with mode: 0644]
queue-5.15/net-macvlan-fix-memory-leaks-of-macvlan_common_newli.patch [new file with mode: 0644]
queue-5.15/net-marvell-prestera-fix-memory-leak-in-prestera_rxt.patch [new file with mode: 0644]
queue-5.15/net-mlx5-allow-async-trigger-completion-execution-on.patch [new file with mode: 0644]
queue-5.15/net-mlx5-bridge-verify-lag-state-when-adding-bond-to.patch [new file with mode: 0644]
queue-5.15/net-mlx5e-e-switch-fix-comparing-termination-table-i.patch [new file with mode: 0644]
queue-5.15/net-mv643xx_eth-disable-napi-when-init-rxq-or-txq-fa.patch [new file with mode: 0644]
queue-5.15/net-nixge-disable-napi-when-enable-interrupts-failed.patch [new file with mode: 0644]
queue-5.15/net-phy-mscc-macsec-clear-encryption-keys-when-freei.patch [new file with mode: 0644]
queue-5.15/net-stmmac-dwmac-meson8b-fix-meson8b_devm_clk_prepar.patch [new file with mode: 0644]
queue-5.15/net-tun-fix-memory-leaks-of-napi_get_frags.patch [new file with mode: 0644]
queue-5.15/net-wwan-iosm-fix-memory-leak-in-ipc_pcie_read_bios_.patch [new file with mode: 0644]
queue-5.15/net-wwan-iosm-fix-memory-leak-in-ipc_wwan_dellink.patch [new file with mode: 0644]
queue-5.15/net-wwan-mhi-fix-memory-leak-in-mhi_mbim_dellink.patch [new file with mode: 0644]
queue-5.15/netfilter-cleanup-nft_net-module_list-from-nf_tables.patch [new file with mode: 0644]
queue-5.15/netfilter-nfnetlink-fix-potential-dead-lock-in-nfnet.patch [new file with mode: 0644]
queue-5.15/octeontx2-pf-nix-tx-overwrites-sq_ctx_hw_s-sq_int.patch [new file with mode: 0644]
queue-5.15/octeontx2-pf-use-hardware-register-for-cqe-count.patch [new file with mode: 0644]
queue-5.15/perf-stat-fix-printing-os-prefix-in-csv-metrics-outp.patch [new file with mode: 0644]
queue-5.15/perf-tools-add-the-include-perf-directory-to-.gitign.patch [new file with mode: 0644]
queue-5.15/phy-ralink-mt7621-pci-add-sentinel-to-quirks-table.patch [new file with mode: 0644]
queue-5.15/phy-stm32-fix-an-error-code-in-probe.patch [new file with mode: 0644]
queue-5.15/riscv-fix-reserved-memory-setup.patch [new file with mode: 0644]
queue-5.15/riscv-process-fix-kernel-info-leakage.patch [new file with mode: 0644]
queue-5.15/riscv-vdso-fix-build-with-llvm.patch [new file with mode: 0644]
queue-5.15/series
queue-5.15/soundwire-qcom-check-for-outanding-writes-before-doi.patch [new file with mode: 0644]
queue-5.15/soundwire-qcom-reinit-broadcast-completion.patch [new file with mode: 0644]
queue-5.15/stmmac-dwmac-loongson-fix-missing-of_node_put-while-.patch [new file with mode: 0644]
queue-5.15/stmmac-dwmac-loongson-fix-missing-pci_disable_device.patch [new file with mode: 0644]
queue-5.15/stmmac-dwmac-loongson-fix-missing-pci_disable_msi-wh.patch [new file with mode: 0644]
queue-5.15/stmmac-intel-enable-2.5gbps-for-intel-alderlake-s.patch [new file with mode: 0644]
queue-5.15/stmmac-intel-update-pch-ptp-clock-rate-from-200mhz-t.patch [new file with mode: 0644]
queue-5.15/tcp-prohibit-tcp_repair_options-if-data-was-already-.patch [new file with mode: 0644]
queue-5.15/tipc-fix-the-msg-req-tlv-len-check-in-tipc_nl_compat.patch [new file with mode: 0644]
queue-5.15/wifi-cfg80211-fix-memory-leak-in-query_regdb_file.patch [new file with mode: 0644]
queue-5.15/wifi-cfg80211-silence-a-sparse-rcu-warning.patch [new file with mode: 0644]
queue-5.15/wifi-mac80211-set-twt-information-frame-disabled-bit.patch [new file with mode: 0644]

diff --git a/queue-5.15/bnxt_en-fix-possible-crash-in-bnxt_hwrm_set_coal.patch b/queue-5.15/bnxt_en-fix-possible-crash-in-bnxt_hwrm_set_coal.patch
new file mode 100644 (file)
index 0000000..ec157cb
--- /dev/null
@@ -0,0 +1,81 @@
+From c27d2902fc0ffa090b3dfbafe0e3ee1f456885fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 19:33:26 -0400
+Subject: bnxt_en: Fix possible crash in bnxt_hwrm_set_coal()
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit 6d81ea3765dfa6c8a20822613c81edad1c4a16a0 ]
+
+During the error recovery sequence, the rtnl_lock is not held for the
+entire duration and some datastructures may be freed during the sequence.
+Check for the BNXT_STATE_OPEN flag instead of netif_running() to ensure
+that the device is fully operational before proceeding to reconfigure
+the coalescing settings.
+
+This will fix a possible crash like this:
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+PGD 0 P4D 0
+Oops: 0000 [#1] SMP NOPTI
+CPU: 10 PID: 181276 Comm: ethtool Kdump: loaded Tainted: G          IOE    --------- -  - 4.18.0-348.el8.x86_64 #1
+Hardware name: Dell Inc. PowerEdge R740/0F9N89, BIOS 2.3.10 08/15/2019
+RIP: 0010:bnxt_hwrm_set_coal+0x1fb/0x2a0 [bnxt_en]
+Code: c2 66 83 4e 22 08 66 89 46 1c e8 10 cb 00 00 41 83 c6 01 44 39 b3 68 01 00 00 0f 8e a3 00 00 00 48 8b 93 c8 00 00 00 49 63 c6 <48> 8b 2c c2 48 8b 85 b8 02 00 00 48 85 c0 74 2e 48 8b 74 24 08 f6
+RSP: 0018:ffffb11c8dcaba50 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: ffff8d168a8b0ac0 RCX: 00000000000000c5
+RDX: 0000000000000000 RSI: ffff8d162f72c000 RDI: ffff8d168a8b0b28
+RBP: 0000000000000000 R08: b6e1f68a12e9a7eb R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000037 R12: ffff8d168a8b109c
+R13: ffff8d168a8b10aa R14: 0000000000000000 R15: ffffffffc01ac4e0
+FS:  00007f3852e4c740(0000) GS:ffff8d24c0080000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000000 CR3: 000000041b3ee003 CR4: 00000000007706e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ ethnl_set_coalesce+0x3ce/0x4c0
+ genl_family_rcv_msg_doit.isra.15+0x10f/0x150
+ genl_family_rcv_msg+0xb3/0x160
+ ? coalesce_fill_reply+0x480/0x480
+ genl_rcv_msg+0x47/0x90
+ ? genl_family_rcv_msg+0x160/0x160
+ netlink_rcv_skb+0x4c/0x120
+ genl_rcv+0x24/0x40
+ netlink_unicast+0x196/0x230
+ netlink_sendmsg+0x204/0x3d0
+ sock_sendmsg+0x4c/0x50
+ __sys_sendto+0xee/0x160
+ ? syscall_trace_enter+0x1d3/0x2c0
+ ? __audit_syscall_exit+0x249/0x2a0
+ __x64_sys_sendto+0x24/0x30
+ do_syscall_64+0x5b/0x1a0
+ entry_SYSCALL_64_after_hwframe+0x65/0xca
+RIP: 0033:0x7f38524163bb
+
+Fixes: 2151fe0830fd ("bnxt_en: Handle RESET_NOTIFY async event from firmware.")
+Reviewed-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+index 0f276ce2d1eb..586311a271f2 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+@@ -132,7 +132,7 @@ static int bnxt_set_coalesce(struct net_device *dev,
+       }
+ reset_coalesce:
+-      if (netif_running(dev)) {
++      if (test_bit(BNXT_STATE_OPEN, &bp->state)) {
+               if (update_stats) {
+                       rc = bnxt_close_nic(bp, true, false);
+                       if (!rc)
+-- 
+2.35.1
+
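Review bot: The new `test_bit(BNXT_STATE_OPEN, &bp->state)` guard under `reset_coalesce:` in bnxt_set_coalesce() has no comment saying why it replaces netif_running(), so a later cleanup could revert it without noticing the NULL dereference it prevents. I would add above the `if`: `/* netif_running() may be true while error recovery has freed data structures; BNXT_STATE_OPEN means the device is fully operational */`. The test is still a point-in-time check, and the hunk does not show what keeps the flag set until the coalescing update runs, so it is worth confirming what serialises the two. The function body starts and ends outside the hunk.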
diff --git a/queue-5.15/bnxt_en-fix-potentially-incorrect-return-value-for-n.patch b/queue-5.15/bnxt_en-fix-potentially-incorrect-return-value-for-n.patch
new file mode 100644 (file)
index 0000000..497c709
--- /dev/null
@@ -0,0 +1,45 @@
+From 62b07bd0686e130c08afd8baffff45e21f19993a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 19:33:27 -0400
+Subject: bnxt_en: fix potentially incorrect return value for ndo_rx_flow_steer
+
+From: Alex Barba <alex.barba@broadcom.com>
+
+[ Upstream commit 02597d39145bb0aa81d04bf39b6a913ce9a9d465 ]
+
+In the bnxt_en driver ndo_rx_flow_steer returns '0' whenever an entry
+that we are attempting to steer is already found.  This is not the
+correct behavior.  The return code should be the value/index that
+corresponds to the entry.  Returning zero all the time causes the
+RFS records to be incorrect unless entry '0' is the correct one.  As
+flows migrate to different cores this can create entries that are not
+correct.
+
+Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
+Reported-by: Akshay Navgire <anavgire@purestorage.com>
+Signed-off-by: Alex Barba <alex.barba@broadcom.com>
+Signed-off-by: Andy Gospodarek <gospo@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index a6ca7ba5276c..db1864a3f64a 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -12605,8 +12605,8 @@ static int bnxt_rx_flow_steer(struct net_device *dev, const struct sk_buff *skb,
+       rcu_read_lock();
+       hlist_for_each_entry_rcu(fltr, head, hash) {
+               if (bnxt_fltr_match(fltr, new_fltr)) {
++                      rc = fltr->sw_id;
+                       rcu_read_unlock();
+-                      rc = 0;
+                       goto err_free;
+               }
+       }
+-- 
+2.35.1
+
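Review bot: The match branch in bnxt_rx_flow_steer() now leaves through `goto err_free` with a non-negative `rc`, which reads like an error path although it is the normal "filter already exists" result. A one-line comment would make the contract explicit, e.g. `/* already steered: return the existing filter's sw_id; new_fltr is released at err_free */`. That err_free releases new_fltr is inferred from the label name, since the label body is outside the hunk. Reading `fltr->sw_id` before `rcu_read_unlock()` is the right order and should stay that way, because fltr is only protected inside the read-side section.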
diff --git a/queue-5.15/bpf-add-helper-macro-bpf_for_each_reg_in_vstate.patch b/queue-5.15/bpf-add-helper-macro-bpf_for_each_reg_in_vstate.patch
new file mode 100644 (file)
index 0000000..5e4f2e3
--- /dev/null
@@ -0,0 +1,304 @@
+From e0aeac0851658f0842a57d807c3ebbaaf611cb8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Sep 2022 22:41:28 +0200
+Subject: bpf: Add helper macro bpf_for_each_reg_in_vstate
+
+From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+
+[ Upstream commit b239da34203f49c40b5d656220c39647c3ff0b3c ]
+
+For a lot of use cases in future patches, we will want to modify the
+state of registers part of some same 'group' (e.g. same ref_obj_id). It
+won't just be limited to releasing reference state, but setting a type
+flag dynamically based on certain actions, etc.
+
+Hence, we need a way to easily pass a callback to the function that
+iterates over all registers in current bpf_verifier_state in all frames
+upto (and including) the curframe.
+
+While in C++ we would be able to easily use a lambda to pass state and
+the callback together, sadly we aren't using C++ in the kernel. The next
+best thing to avoid defining a function for each case seems like
+statement expressions in GNU C. The kernel already uses them heavily,
+hence they can passed to the macro in the style of a lambda. The
+statement expression will then be substituted in the for loop bodies.
+
+Variables __state and __reg are set to current bpf_func_state and reg
+for each invocation of the expression inside the passed in verifier
+state.
+
+Then, convert mark_ptr_or_null_regs, clear_all_pkt_pointers,
+release_reference, find_good_pkt_pointers, find_equal_scalars to
+use bpf_for_each_reg_in_vstate.
+
+Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+Link: https://lore.kernel.org/r/20220904204145.3089-16-memxor@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Stable-dep-of: f1db20814af5 ("bpf: Fix wrong reg type conversion in release_reference()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bpf_verifier.h |  21 ++++++
+ kernel/bpf/verifier.c        | 135 ++++++++---------------------------
+ 2 files changed, 49 insertions(+), 107 deletions(-)
+
+diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
+index 5625e19ae95b..3d04b48e502d 100644
+--- a/include/linux/bpf_verifier.h
++++ b/include/linux/bpf_verifier.h
+@@ -328,6 +328,27 @@ struct bpf_verifier_state {
+            iter < frame->allocated_stack / BPF_REG_SIZE;              \
+            iter++, reg = bpf_get_spilled_reg(iter, frame))
++/* Invoke __expr over regsiters in __vst, setting __state and __reg */
++#define bpf_for_each_reg_in_vstate(__vst, __state, __reg, __expr)   \
++      ({                                                               \
++              struct bpf_verifier_state *___vstate = __vst;            \
++              int ___i, ___j;                                          \
++              for (___i = 0; ___i <= ___vstate->curframe; ___i++) {    \
++                      struct bpf_reg_state *___regs;                   \
++                      __state = ___vstate->frame[___i];                \
++                      ___regs = __state->regs;                         \
++                      for (___j = 0; ___j < MAX_BPF_REG; ___j++) {     \
++                              __reg = &___regs[___j];                  \
++                              (void)(__expr);                          \
++                      }                                                \
++                      bpf_for_each_spilled_reg(___j, __state, __reg) { \
++                              if (!__reg)                              \
++                                      continue;                        \
++                              (void)(__expr);                          \
++                      }                                                \
++              }                                                        \
++      })
++
+ /* linked list of verifier states used to prune search */
+ struct bpf_verifier_state_list {
+       struct bpf_verifier_state state;
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 259248306056..96f317c494d9 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -5634,31 +5634,15 @@ static int check_func_proto(const struct bpf_func_proto *fn, int func_id)
+ /* Packet data might have moved, any old PTR_TO_PACKET[_META,_END]
+  * are now invalid, so turn them into unknown SCALAR_VALUE.
+  */
+-static void __clear_all_pkt_pointers(struct bpf_verifier_env *env,
+-                                   struct bpf_func_state *state)
++static void clear_all_pkt_pointers(struct bpf_verifier_env *env)
+ {
+-      struct bpf_reg_state *regs = state->regs, *reg;
+-      int i;
+-
+-      for (i = 0; i < MAX_BPF_REG; i++)
+-              if (reg_is_pkt_pointer_any(&regs[i]))
+-                      mark_reg_unknown(env, regs, i);
++      struct bpf_func_state *state;
++      struct bpf_reg_state *reg;
+-      bpf_for_each_spilled_reg(i, state, reg) {
+-              if (!reg)
+-                      continue;
++      bpf_for_each_reg_in_vstate(env->cur_state, state, reg, ({
+               if (reg_is_pkt_pointer_any(reg))
+                       __mark_reg_unknown(env, reg);
+-      }
+-}
+-
+-static void clear_all_pkt_pointers(struct bpf_verifier_env *env)
+-{
+-      struct bpf_verifier_state *vstate = env->cur_state;
+-      int i;
+-
+-      for (i = 0; i <= vstate->curframe; i++)
+-              __clear_all_pkt_pointers(env, vstate->frame[i]);
++      }));
+ }
+ enum {
+@@ -5687,41 +5671,24 @@ static void mark_pkt_end(struct bpf_verifier_state *vstate, int regn, bool range
+               reg->range = AT_PKT_END;
+ }
+-static void release_reg_references(struct bpf_verifier_env *env,
+-                                 struct bpf_func_state *state,
+-                                 int ref_obj_id)
+-{
+-      struct bpf_reg_state *regs = state->regs, *reg;
+-      int i;
+-
+-      for (i = 0; i < MAX_BPF_REG; i++)
+-              if (regs[i].ref_obj_id == ref_obj_id)
+-                      mark_reg_unknown(env, regs, i);
+-
+-      bpf_for_each_spilled_reg(i, state, reg) {
+-              if (!reg)
+-                      continue;
+-              if (reg->ref_obj_id == ref_obj_id)
+-                      __mark_reg_unknown(env, reg);
+-      }
+-}
+-
+ /* The pointer with the specified id has released its reference to kernel
+  * resources. Identify all copies of the same pointer and clear the reference.
+  */
+ static int release_reference(struct bpf_verifier_env *env,
+                            int ref_obj_id)
+ {
+-      struct bpf_verifier_state *vstate = env->cur_state;
++      struct bpf_func_state *state;
++      struct bpf_reg_state *reg;
+       int err;
+-      int i;
+       err = release_reference_state(cur_func(env), ref_obj_id);
+       if (err)
+               return err;
+-      for (i = 0; i <= vstate->curframe; i++)
+-              release_reg_references(env, vstate->frame[i], ref_obj_id);
++      bpf_for_each_reg_in_vstate(env->cur_state, state, reg, ({
++              if (reg->ref_obj_id == ref_obj_id)
++                      __mark_reg_unknown(env, reg);
++      }));
+       return 0;
+ }
+@@ -8221,34 +8188,14 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
+       return 0;
+ }
+-static void __find_good_pkt_pointers(struct bpf_func_state *state,
+-                                   struct bpf_reg_state *dst_reg,
+-                                   enum bpf_reg_type type, int new_range)
+-{
+-      struct bpf_reg_state *reg;
+-      int i;
+-
+-      for (i = 0; i < MAX_BPF_REG; i++) {
+-              reg = &state->regs[i];
+-              if (reg->type == type && reg->id == dst_reg->id)
+-                      /* keep the maximum range already checked */
+-                      reg->range = max(reg->range, new_range);
+-      }
+-
+-      bpf_for_each_spilled_reg(i, state, reg) {
+-              if (!reg)
+-                      continue;
+-              if (reg->type == type && reg->id == dst_reg->id)
+-                      reg->range = max(reg->range, new_range);
+-      }
+-}
+-
+ static void find_good_pkt_pointers(struct bpf_verifier_state *vstate,
+                                  struct bpf_reg_state *dst_reg,
+                                  enum bpf_reg_type type,
+                                  bool range_right_open)
+ {
+-      int new_range, i;
++      struct bpf_func_state *state;
++      struct bpf_reg_state *reg;
++      int new_range;
+       if (dst_reg->off < 0 ||
+           (dst_reg->off == 0 && range_right_open))
+@@ -8313,9 +8260,11 @@ static void find_good_pkt_pointers(struct bpf_verifier_state *vstate,
+        * the range won't allow anything.
+        * dst_reg->off is known < MAX_PACKET_OFF, therefore it fits in a u16.
+        */
+-      for (i = 0; i <= vstate->curframe; i++)
+-              __find_good_pkt_pointers(vstate->frame[i], dst_reg, type,
+-                                       new_range);
++      bpf_for_each_reg_in_vstate(vstate, state, reg, ({
++              if (reg->type == type && reg->id == dst_reg->id)
++                      /* keep the maximum range already checked */
++                      reg->range = max(reg->range, new_range);
++      }));
+ }
+ static int is_branch32_taken(struct bpf_reg_state *reg, u32 val, u8 opcode)
+@@ -8804,7 +8753,7 @@ static void mark_ptr_or_null_reg(struct bpf_func_state *state,
+               if (!reg_may_point_to_spin_lock(reg)) {
+                       /* For not-NULL ptr, reg->ref_obj_id will be reset
+-                       * in release_reg_references().
++                       * in release_reference().
+                        *
+                        * reg->id is still used by spin_lock ptr. Other
+                        * than spin_lock ptr type, reg->id can be reset.
+@@ -8814,22 +8763,6 @@ static void mark_ptr_or_null_reg(struct bpf_func_state *state,
+       }
+ }
+-static void __mark_ptr_or_null_regs(struct bpf_func_state *state, u32 id,
+-                                  bool is_null)
+-{
+-      struct bpf_reg_state *reg;
+-      int i;
+-
+-      for (i = 0; i < MAX_BPF_REG; i++)
+-              mark_ptr_or_null_reg(state, &state->regs[i], id, is_null);
+-
+-      bpf_for_each_spilled_reg(i, state, reg) {
+-              if (!reg)
+-                      continue;
+-              mark_ptr_or_null_reg(state, reg, id, is_null);
+-      }
+-}
+-
+ /* The logic is similar to find_good_pkt_pointers(), both could eventually
+  * be folded together at some point.
+  */
+@@ -8837,10 +8770,9 @@ static void mark_ptr_or_null_regs(struct bpf_verifier_state *vstate, u32 regno,
+                                 bool is_null)
+ {
+       struct bpf_func_state *state = vstate->frame[vstate->curframe];
+-      struct bpf_reg_state *regs = state->regs;
++      struct bpf_reg_state *regs = state->regs, *reg;
+       u32 ref_obj_id = regs[regno].ref_obj_id;
+       u32 id = regs[regno].id;
+-      int i;
+       if (ref_obj_id && ref_obj_id == id && is_null)
+               /* regs[regno] is in the " == NULL" branch.
+@@ -8849,8 +8781,9 @@ static void mark_ptr_or_null_regs(struct bpf_verifier_state *vstate, u32 regno,
+                */
+               WARN_ON_ONCE(release_reference_state(state, id));
+-      for (i = 0; i <= vstate->curframe; i++)
+-              __mark_ptr_or_null_regs(vstate->frame[i], id, is_null);
++      bpf_for_each_reg_in_vstate(vstate, state, reg, ({
++              mark_ptr_or_null_reg(state, reg, id, is_null);
++      }));
+ }
+ static bool try_match_pkt_pointers(const struct bpf_insn *insn,
+@@ -8963,23 +8896,11 @@ static void find_equal_scalars(struct bpf_verifier_state *vstate,
+ {
+       struct bpf_func_state *state;
+       struct bpf_reg_state *reg;
+-      int i, j;
+-      for (i = 0; i <= vstate->curframe; i++) {
+-              state = vstate->frame[i];
+-              for (j = 0; j < MAX_BPF_REG; j++) {
+-                      reg = &state->regs[j];
+-                      if (reg->type == SCALAR_VALUE && reg->id == known_reg->id)
+-                              *reg = *known_reg;
+-              }
+-
+-              bpf_for_each_spilled_reg(j, state, reg) {
+-                      if (!reg)
+-                              continue;
+-                      if (reg->type == SCALAR_VALUE && reg->id == known_reg->id)
+-                              *reg = *known_reg;
+-              }
+-      }
++      bpf_for_each_reg_in_vstate(vstate, state, reg, ({
++              if (reg->type == SCALAR_VALUE && reg->id == known_reg->id)
++                      *reg = *known_reg;
++      }));
+ }
+ static int check_cond_jmp_op(struct bpf_verifier_env *env,
+-- 
+2.35.1
+
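Review bot: The comment above `bpf_for_each_reg_in_vstate` misspells "registers" and under-describes the macro. `__expr` is pasted into two loop bodies, once for the MAX_BPF_REG registers and once for the spilled stack slots, and this runs for every frame up to and including curframe. Suggested wording: `/* Invoke __expr on every register and spilled stack slot of all frames in __vst up to curframe, with __state and __reg set; __expr is expanded twice. */`. Separately, clear_all_pkt_pointers() and release_reference() now call `__mark_reg_unknown(env, reg)` where the register loop used `mark_reg_unknown(env, regs, i)`. The wrapper is not shown on this page, so the equivalence of the two should be confirmed, because a mismatch would change what the verifier knows about invalidated registers.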
diff --git a/queue-5.15/bpf-fix-sockmap-calling-sleepable-function-in-teardo.patch b/queue-5.15/bpf-fix-sockmap-calling-sleepable-function-in-teardo.patch
new file mode 100644 (file)
index 0000000..5a850ad
--- /dev/null
@@ -0,0 +1,79 @@
+From 3f67946ee3f6f0f0bb6f89cbb78ba21fcfd64b7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Jun 2022 20:58:03 -0700
+Subject: bpf: Fix sockmap calling sleepable function in teardown path
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit 697fb80a53642be624f5121b6ca9d66769c180e0 ]
+
+syzbot reproduced the bug ...
+
+ BUG: sleeping function called from invalid context at kernel/workqueue.c:3010
+
+... with the following stack trace fragment ...
+
+ start_flush_work kernel/workqueue.c:3010 [inline]
+ __flush_work+0x109/0xb10 kernel/workqueue.c:3074
+ __cancel_work_timer+0x3f9/0x570 kernel/workqueue.c:3162
+ sk_psock_stop+0x4cb/0x630 net/core/skmsg.c:802
+ sock_map_destroy+0x333/0x760 net/core/sock_map.c:1581
+ inet_csk_destroy_sock+0x196/0x440 net/ipv4/inet_connection_sock.c:1130
+ __tcp_close+0xd5b/0x12b0 net/ipv4/tcp.c:2897
+ tcp_close+0x29/0xc0 net/ipv4/tcp.c:2909
+
+... introduced by d8616ee2affc. Do a quick trace of the code path and the
+bug is obvious:
+
+   inet_csk_destroy_sock(sk)
+     sk_prot->destroy(sk);      <--- sock_map_destroy
+        sk_psock_stop(, true);   <--- true so cancel workqueue
+          cancel_work_sync()     <--- splat, because *_bh_disable()
+
+We can not call cancel_work_sync() from inside destroy path. So mark
+the sk_psock_stop call to skip this cancel_work_sync(). This will avoid
+the BUG, but means we may run sk_psock_backlog after or during the
+destroy op. We zapped the ingress_skb queue in sk_psock_stop (safe to
+do with local_bh_disable) so its empty and the sk_psock_backlog work
+item will not find any pkts to process here. However, because we are
+not going to wait for it or clear its ->state its possible it kicks off
+or is already running. This should be 'safe' up until psock drops its
+refcnt to psock->sk. The sock_put() that drops this reference is only
+done at psock destroy time from sk_psock_destroy(). This is done through
+workqueue when sk_psock_drop() is called on psock refnt reaches 0.
+And importantly sk_psock_destroy() does a cancel_work_sync(). So trivial
+fix works.
+
+I've had hit or miss luck reproducing this caught it once or twice with
+the provided reproducer when running with many runners. However, syzkaller
+is very good at reproducing so relying on syzkaller to verify fix.
+
+Fixes: d8616ee2affc ("bpf, sockmap: Fix sk->sk_forward_alloc warn_on in sk_stream_kill_queues")
+Reported-by: syzbot+140186ceba0c496183bc@syzkaller.appspotmail.com
+Suggested-by: Hillf Danton <hdanton@sina.com>
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Wang Yufen <wangyufen@huawei.com>
+Link: https://lore.kernel.org/bpf/20220628035803.317876-1-john.fastabend@gmail.com
+Stable-dep-of: 8bbabb3fddcd ("bpf, sock_map: Move cancel_work_sync() out of sock lock")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock_map.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/sock_map.c b/net/core/sock_map.c
+index 43563d651ed0..6eef46eafb3e 100644
+--- a/net/core/sock_map.c
++++ b/net/core/sock_map.c
+@@ -1541,7 +1541,7 @@ void sock_map_destroy(struct sock *sk)
+       saved_destroy = psock->saved_destroy;
+       sock_map_remove_links(sk, psock);
+       rcu_read_unlock();
+-      sk_psock_stop(psock, true);
++      sk_psock_stop(psock, false);
+       sk_psock_put(sk, psock);
+       saved_destroy(sk);
+ }
+-- 
+2.35.1
+
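Review bot: The call `sk_psock_stop(psock, false);` in sock_map_destroy() passes a bare boolean, and the reason it must be false on this path is recorded only in the commit message. I would put it at the call site: `/* destroy runs with BH disabled, so do not cancel_work_sync() here; sk_psock_destroy() cancels the backlog work later */`. The commit message also says sk_psock_backlog may now run during or after destroy and is safe only until the psock drops its reference to psock->sk. That lifetime assumption deserves a mention in the comment as well. The function starts outside the hunk.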
diff --git a/queue-5.15/bpf-fix-wrong-reg-type-conversion-in-release_referen.patch b/queue-5.15/bpf-fix-wrong-reg-type-conversion-in-release_referen.patch
new file mode 100644 (file)
index 0000000..e72b7cb
--- /dev/null
@@ -0,0 +1,56 @@
+From 9ca419bf95bbda5244deff94ea04b845edde4de2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 17:34:39 +0800
+Subject: bpf: Fix wrong reg type conversion in release_reference()
+
+From: Youlin Li <liulin063@gmail.com>
+
+[ Upstream commit f1db20814af532f85e091231223e5e4818e8464b ]
+
+Some helper functions will allocate memory. To avoid memory leaks, the
+verifier requires the eBPF program to release these memories by calling
+the corresponding helper functions.
+
+When a resource is released, all pointer registers corresponding to the
+resource should be invalidated. The verifier use release_references() to
+do this job, by apply  __mark_reg_unknown() to each relevant register.
+
+It will give these registers the type of SCALAR_VALUE. A register that
+will contain a pointer value at runtime, but of type SCALAR_VALUE, which
+may allow the unprivileged user to get a kernel pointer by storing this
+register into a map.
+
+Using __mark_reg_not_init() while NOT allow_ptr_leaks can mitigate this
+problem.
+
+Fixes: fd978bf7fd31 ("bpf: Add reference tracking to verifier")
+Signed-off-by: Youlin Li <liulin063@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20221103093440.3161-1-liulin063@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 96f317c494d9..8a73a165ac76 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -5686,8 +5686,12 @@ static int release_reference(struct bpf_verifier_env *env,
+               return err;
+       bpf_for_each_reg_in_vstate(env->cur_state, state, reg, ({
+-              if (reg->ref_obj_id == ref_obj_id)
+-                      __mark_reg_unknown(env, reg);
++              if (reg->ref_obj_id == ref_obj_id) {
++                      if (!env->allow_ptr_leaks)
++                              __mark_reg_not_init(env, reg);
++                      else
++                              __mark_reg_unknown(env, reg);
++              }
+       }));
+       return 0;
+-- 
+2.35.1
+
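Review bot: The new branch in release_reference() picks between `__mark_reg_not_init()` and `__mark_reg_unknown()` on `env->allow_ptr_leaks` without a comment, and the security reason is only in the commit message. Suggested comment above the inner `if`: `/* Unprivileged: a released pointer must not become a readable SCALAR_VALUE, it could be stored in a map and leak a kernel address */`. As a style point, the negated test with an else reads more easily when inverted: `if (env->allow_ptr_leaks) __mark_reg_unknown(env, reg); else __mark_reg_not_init(env, reg);`. The function starts outside the hunk.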
diff --git a/queue-5.15/bpf-sock_map-move-cancel_work_sync-out-of-sock-lock.patch b/queue-5.15/bpf-sock_map-move-cancel_work_sync-out-of-sock-lock.patch
new file mode 100644 (file)
index 0000000..fa518ac
--- /dev/null
@@ -0,0 +1,128 @@
+From 2e64a27e46a5bc9d749f17db1acb33163397ac19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 21:34:17 -0700
+Subject: bpf, sock_map: Move cancel_work_sync() out of sock lock
+
+From: Cong Wang <cong.wang@bytedance.com>
+
+[ Upstream commit 8bbabb3fddcd0f858be69ed5abc9b470a239d6f2 ]
+
+Stanislav reported a lockdep warning, which is caused by the
+cancel_work_sync() called inside sock_map_close(), as analyzed
+below by Jakub:
+
+psock->work.func = sk_psock_backlog()
+  ACQUIRE psock->work_mutex
+    sk_psock_handle_skb()
+      skb_send_sock()
+        __skb_send_sock()
+          sendpage_unlocked()
+            kernel_sendpage()
+              sock->ops->sendpage = inet_sendpage()
+                sk->sk_prot->sendpage = tcp_sendpage()
+                  ACQUIRE sk->sk_lock
+                    tcp_sendpage_locked()
+                  RELEASE sk->sk_lock
+  RELEASE psock->work_mutex
+
+sock_map_close()
+  ACQUIRE sk->sk_lock
+  sk_psock_stop()
+    sk_psock_clear_state(psock, SK_PSOCK_TX_ENABLED)
+    cancel_work_sync()
+      __cancel_work_timer()
+        __flush_work()
+          // wait for psock->work to finish
+  RELEASE sk->sk_lock
+
+We can move the cancel_work_sync() out of the sock lock protection,
+but still before saved_close() was called.
+
+Fixes: 799aa7f98d53 ("skmsg: Avoid lock_sock() in sk_psock_backlog()")
+Reported-by: Stanislav Fomichev <sdf@google.com>
+Signed-off-by: Cong Wang <cong.wang@bytedance.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: Jakub Sitnicki <jakub@cloudflare.com>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
+Link: https://lore.kernel.org/bpf/20221102043417.279409-1-xiyou.wangcong@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/skmsg.h | 2 +-
+ net/core/skmsg.c      | 7 ++-----
+ net/core/sock_map.c   | 7 ++++---
+ 3 files changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h
+index ee7c67d8442d..ba015a77238a 100644
+--- a/include/linux/skmsg.h
++++ b/include/linux/skmsg.h
+@@ -382,7 +382,7 @@ static inline void sk_psock_report_error(struct sk_psock *psock, int err)
+ }
+ struct sk_psock *sk_psock_init(struct sock *sk, int node);
+-void sk_psock_stop(struct sk_psock *psock, bool wait);
++void sk_psock_stop(struct sk_psock *psock);
+ #if IS_ENABLED(CONFIG_BPF_STREAM_PARSER)
+ int sk_psock_init_strp(struct sock *sk, struct sk_psock *psock);
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index 680f51f8974a..f562f7e2bdc7 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -797,16 +797,13 @@ static void sk_psock_link_destroy(struct sk_psock *psock)
+       }
+ }
+-void sk_psock_stop(struct sk_psock *psock, bool wait)
++void sk_psock_stop(struct sk_psock *psock)
+ {
+       spin_lock_bh(&psock->ingress_lock);
+       sk_psock_clear_state(psock, SK_PSOCK_TX_ENABLED);
+       sk_psock_cork_free(psock);
+       __sk_psock_zap_ingress(psock);
+       spin_unlock_bh(&psock->ingress_lock);
+-
+-      if (wait)
+-              cancel_work_sync(&psock->work);
+ }
+ static void sk_psock_done_strp(struct sk_psock *psock);
+@@ -844,7 +841,7 @@ void sk_psock_drop(struct sock *sk, struct sk_psock *psock)
+               sk_psock_stop_verdict(sk, psock);
+       write_unlock_bh(&sk->sk_callback_lock);
+-      sk_psock_stop(psock, false);
++      sk_psock_stop(psock);
+       INIT_RCU_WORK(&psock->rwork, sk_psock_destroy);
+       queue_rcu_work(system_wq, &psock->rwork);
+diff --git a/net/core/sock_map.c b/net/core/sock_map.c
+index 6eef46eafb3e..4f4bc163a223 100644
+--- a/net/core/sock_map.c
++++ b/net/core/sock_map.c
+@@ -1541,7 +1541,7 @@ void sock_map_destroy(struct sock *sk)
+       saved_destroy = psock->saved_destroy;
+       sock_map_remove_links(sk, psock);
+       rcu_read_unlock();
+-      sk_psock_stop(psock, false);
++      sk_psock_stop(psock);
+       sk_psock_put(sk, psock);
+       saved_destroy(sk);
+ }
+@@ -1564,9 +1564,10 @@ void sock_map_close(struct sock *sk, long timeout)
+       saved_close = psock->saved_close;
+       sock_map_remove_links(sk, psock);
+       rcu_read_unlock();
+-      sk_psock_stop(psock, true);
+-      sk_psock_put(sk, psock);
++      sk_psock_stop(psock);
+       release_sock(sk);
++      cancel_work_sync(&psock->work);
++      sk_psock_put(sk, psock);
+       saved_close(sk, timeout);
+ }
+ EXPORT_SYMBOL_GPL(sock_map_close);
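Review bot: The new statement order in sock_map_close() is load-bearing but undocumented: `cancel_work_sync(&psock->work)` has to stay after `release_sock(sk)` and before `sk_psock_put()` and `saved_close()`, and nothing in the code says so. A comment above it such as `/* psock->work takes the sock lock, so wait for it only after release_sock() */` would keep a later change from moving the wait back under the lock. Since sk_psock_stop() lost its `wait` argument in the net/core/skmsg.c hunk, its header comment should also say that it no longer cancels `psock->work` and that a caller needing that must do it itself. The function starts outside the hunk.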
+-- 
+2.35.1
+
diff --git a/queue-5.15/bpf-sockmap-fix-sk-sk_forward_alloc-warn_on-in-sk_st.patch b/queue-5.15/bpf-sockmap-fix-sk-sk_forward_alloc-warn_on-in-sk_st.patch
new file mode 100644 (file)
index 0000000..fcf978a
--- /dev/null
@@ -0,0 +1,137 @@
+From 62e6bcf550edf137dbf06b1977338bcc9bf1524c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 May 2022 15:53:11 +0800
+Subject: bpf, sockmap: Fix sk->sk_forward_alloc warn_on in
+ sk_stream_kill_queues
+
+From: Wang Yufen <wangyufen@huawei.com>
+
+[ Upstream commit d8616ee2affcff37c5d315310da557a694a3303d ]
+
+During TCP sockmap redirect pressure test, the following warning is triggered:
+
+WARNING: CPU: 3 PID: 2145 at net/core/stream.c:205 sk_stream_kill_queues+0xbc/0xd0
+CPU: 3 PID: 2145 Comm: iperf Kdump: loaded Tainted: G        W         5.10.0+ #9
+Call Trace:
+ inet_csk_destroy_sock+0x55/0x110
+ inet_csk_listen_stop+0xbb/0x380
+ tcp_close+0x41b/0x480
+ inet_release+0x42/0x80
+ __sock_release+0x3d/0xa0
+ sock_close+0x11/0x20
+ __fput+0x9d/0x240
+ task_work_run+0x62/0x90
+ exit_to_user_mode_prepare+0x110/0x120
+ syscall_exit_to_user_mode+0x27/0x190
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The reason we observed is that:
+
+When the listener is closing, a connection may have completed the three-way
+handshake but not accepted, and the client has sent some packets. The child
+sks in accept queue release by inet_child_forget()->inet_csk_destroy_sock(),
+but psocks of child sks have not released.
+
+To fix, add sock_map_destroy to release psocks.
+
+Signed-off-by: Wang Yufen <wangyufen@huawei.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/bpf/20220524075311.649153-1-wangyufen@huawei.com
+Stable-dep-of: 8bbabb3fddcd ("bpf, sock_map: Move cancel_work_sync() out of sock lock")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bpf.h   |  1 +
+ include/linux/skmsg.h |  1 +
+ net/core/skmsg.c      |  1 +
+ net/core/sock_map.c   | 23 +++++++++++++++++++++++
+ net/ipv4/tcp_bpf.c    |  1 +
+ 5 files changed, 27 insertions(+)
+
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index 818cd594e922..84efd8dd139d 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -2022,6 +2022,7 @@ int sock_map_get_from_fd(const union bpf_attr *attr, struct bpf_prog *prog);
+ int sock_map_prog_detach(const union bpf_attr *attr, enum bpf_prog_type ptype);
+ int sock_map_update_elem_sys(struct bpf_map *map, void *key, void *value, u64 flags);
+ void sock_map_unhash(struct sock *sk);
++void sock_map_destroy(struct sock *sk);
+ void sock_map_close(struct sock *sk, long timeout);
+ #else
+ static inline int bpf_prog_offload_init(struct bpf_prog *prog,
+diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h
+index 0c742cdf413c..ee7c67d8442d 100644
+--- a/include/linux/skmsg.h
++++ b/include/linux/skmsg.h
+@@ -96,6 +96,7 @@ struct sk_psock {
+       spinlock_t                      link_lock;
+       refcount_t                      refcnt;
+       void (*saved_unhash)(struct sock *sk);
++      void (*saved_destroy)(struct sock *sk);
+       void (*saved_close)(struct sock *sk, long timeout);
+       void (*saved_write_space)(struct sock *sk);
+       void (*saved_data_ready)(struct sock *sk);
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index 736d8b035a67..680f51f8974a 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -720,6 +720,7 @@ struct sk_psock *sk_psock_init(struct sock *sk, int node)
+       psock->eval = __SK_NONE;
+       psock->sk_proto = prot;
+       psock->saved_unhash = prot->unhash;
++      psock->saved_destroy = prot->destroy;
+       psock->saved_close = prot->close;
+       psock->saved_write_space = sk->sk_write_space;
+diff --git a/net/core/sock_map.c b/net/core/sock_map.c
+index 795b3acfb9fd..43563d651ed0 100644
+--- a/net/core/sock_map.c
++++ b/net/core/sock_map.c
+@@ -1524,6 +1524,29 @@ void sock_map_unhash(struct sock *sk)
+ }
+ EXPORT_SYMBOL_GPL(sock_map_unhash);
++void sock_map_destroy(struct sock *sk)
++{
++      void (*saved_destroy)(struct sock *sk);
++      struct sk_psock *psock;
++
++      rcu_read_lock();
++      psock = sk_psock_get(sk);
++      if (unlikely(!psock)) {
++              rcu_read_unlock();
++              if (sk->sk_prot->destroy)
++                      sk->sk_prot->destroy(sk);
++              return;
++      }
++
++      saved_destroy = psock->saved_destroy;
++      sock_map_remove_links(sk, psock);
++      rcu_read_unlock();
++      sk_psock_stop(psock, true);
++      sk_psock_put(sk, psock);
++      saved_destroy(sk);
++}
++EXPORT_SYMBOL_GPL(sock_map_destroy);
++
+ void sock_map_close(struct sock *sk, long timeout)
+ {
+       void (*saved_close)(struct sock *sk, long timeout);
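Review bot: In the new sock_map_destroy(), the no-psock fallback calls `sk->sk_prot->destroy(sk)`, while the net/ipv4/tcp_bpf.c hunk of the same patch installs sock_map_destroy as the `destroy` callback of the sockmap proto; if `sk->sk_prot` can still be that proto when `sk_psock_get()` returns NULL, the function would call itself. Whether that state is reachable is not visible from the hunk, so I would either document why it cannot happen or guard it, e.g. `if (sk->sk_prot->destroy && sk->sk_prot->destroy != sock_map_destroy)`. The two paths are also asymmetric: the fallback NULL-checks the callback, but `saved_destroy(sk)` is called unchecked although `psock->saved_destroy` is copied from `prot->destroy` without a check; `if (saved_destroy) saved_destroy(sk);` would match.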
+diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
+index 72892ebe9607..5194c6870273 100644
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -543,6 +543,7 @@ static void tcp_bpf_rebuild_protos(struct proto prot[TCP_BPF_NUM_CFGS],
+                                  struct proto *base)
+ {
+       prot[TCP_BPF_BASE]                      = *base;
++      prot[TCP_BPF_BASE].destroy              = sock_map_destroy;
+       prot[TCP_BPF_BASE].close                = sock_map_close;
+       prot[TCP_BPF_BASE].recvmsg              = tcp_bpf_recvmsg;
+       prot[TCP_BPF_BASE].sock_is_readable     = sk_msg_is_readable;
+-- 
+2.35.1
+
diff --git a/queue-5.15/bpf-sockmap-fix-the-sk-sk_forward_alloc-warning-of-s.patch b/queue-5.15/bpf-sockmap-fix-the-sk-sk_forward_alloc-warning-of-s.patch
new file mode 100644 (file)
index 0000000..3f24df2
--- /dev/null
@@ -0,0 +1,90 @@
+From 3da7262f8334459d1164ae9c8136ff2b8f579ada Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 09:31:36 +0800
+Subject: bpf, sockmap: Fix the sk->sk_forward_alloc warning of
+ sk_stream_kill_queues
+
+From: Wang Yufen <wangyufen@huawei.com>
+
+[ Upstream commit 8ec95b94716a1e4d126edc3fb2bc426a717e2dba ]
+
+When running `test_sockmap` selftests, the following warning appears:
+
+  WARNING: CPU: 2 PID: 197 at net/core/stream.c:205 sk_stream_kill_queues+0xd3/0xf0
+  Call Trace:
+  <TASK>
+  inet_csk_destroy_sock+0x55/0x110
+  tcp_rcv_state_process+0xd28/0x1380
+  ? tcp_v4_do_rcv+0x77/0x2c0
+  tcp_v4_do_rcv+0x77/0x2c0
+  __release_sock+0x106/0x130
+  __tcp_close+0x1a7/0x4e0
+  tcp_close+0x20/0x70
+  inet_release+0x3c/0x80
+  __sock_release+0x3a/0xb0
+  sock_close+0x14/0x20
+  __fput+0xa3/0x260
+  task_work_run+0x59/0xb0
+  exit_to_user_mode_prepare+0x1b3/0x1c0
+  syscall_exit_to_user_mode+0x19/0x50
+  do_syscall_64+0x48/0x90
+  entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The root case is in commit 84472b436e76 ("bpf, sockmap: Fix more uncharged
+while msg has more_data"), where I used msg->sg.size to replace the tosend,
+causing breakage:
+
+  if (msg->apply_bytes && msg->apply_bytes < tosend)
+    tosend = psock->apply_bytes;
+
+Fixes: 84472b436e76 ("bpf, sockmap: Fix more uncharged while msg has more_data")
+Reported-by: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: Wang Yufen <wangyufen@huawei.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
+Link: https://lore.kernel.org/bpf/1667266296-8794-1-git-send-email-wangyufen@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_bpf.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
+index 2c597a4e429a..72892ebe9607 100644
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -279,7 +279,7 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock,
+ {
+       bool cork = false, enospc = sk_msg_full(msg);
+       struct sock *sk_redir;
+-      u32 tosend, delta = 0;
++      u32 tosend, origsize, sent, delta = 0;
+       u32 eval = __SK_NONE;
+       int ret;
+@@ -334,10 +334,12 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock,
+                       cork = true;
+                       psock->cork = NULL;
+               }
+-              sk_msg_return(sk, msg, msg->sg.size);
++              sk_msg_return(sk, msg, tosend);
+               release_sock(sk);
++              origsize = msg->sg.size;
+               ret = tcp_bpf_sendmsg_redir(sk_redir, msg, tosend, flags);
++              sent = origsize - msg->sg.size;
+               if (eval == __SK_REDIRECT)
+                       sock_put(sk_redir);
+@@ -376,7 +378,7 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock,
+                   msg->sg.data[msg->sg.start].page_link &&
+                   msg->sg.data[msg->sg.start].length) {
+                       if (eval == __SK_REDIRECT)
+-                              sk_mem_charge(sk, msg->sg.size);
++                              sk_mem_charge(sk, tosend - sent);
+                       goto more_data;
+               }
+       }
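Review bot: `sent` is declared without an initialiser and is assigned only on the redirect path (`sent = origsize - msg->sg.size;`), yet this last hunk reads it in `sk_mem_charge(sk, tosend - sent)`. The read is guarded by `eval == __SK_REDIRECT`, but the hunks do not show that this guard implies the assignment ran in the same pass through `more_data`, and `tosend - sent` is unsigned, so a stale or larger `sent` would wrap into a very large charge. I would initialise it in the declaration, `u32 tosend, origsize, sent = 0, delta = 0;`, and add a comment at the subtraction stating that `sent` never exceeds `tosend`. tcp_bpf_send_verdict() extends beyond all three hunks.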
+-- 
+2.35.1
+
diff --git a/queue-5.15/bpf-verifier-fix-memory-leak-in-array-reallocation-f.patch b/queue-5.15/bpf-verifier-fix-memory-leak-in-array-reallocation-f.patch
new file mode 100644 (file)
index 0000000..47a2b2f
--- /dev/null
@@ -0,0 +1,76 @@
+From 4e0d077ede9475132b292874c7c213013e151c11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 19:54:30 -0700
+Subject: bpf, verifier: Fix memory leak in array reallocation for stack state
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 42378a9ca55347102bbf86708776061d8fe3ece2 ]
+
+If an error (NULL) is returned by krealloc(), callers of realloc_array()
+were setting their allocation pointers to NULL, but on error krealloc()
+does not touch the original allocation. This would result in a memory
+resource leak. Instead, free the old allocation on the error handling
+path.
+
+The memory leak information is as follows as also reported by Zhengchao:
+
+  unreferenced object 0xffff888019801800 (size 256):
+  comm "bpf_repo", pid 6490, jiffies 4294959200 (age 17.170s)
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  backtrace:
+    [<00000000b211474b>] __kmalloc_node_track_caller+0x45/0xc0
+    [<0000000086712a0b>] krealloc+0x83/0xd0
+    [<00000000139aab02>] realloc_array+0x82/0xe2
+    [<00000000b1ca41d1>] grow_stack_state+0xfb/0x186
+    [<00000000cd6f36d2>] check_mem_access.cold+0x141/0x1341
+    [<0000000081780455>] do_check_common+0x5358/0xb350
+    [<0000000015f6b091>] bpf_check.cold+0xc3/0x29d
+    [<000000002973c690>] bpf_prog_load+0x13db/0x2240
+    [<00000000028d1644>] __sys_bpf+0x1605/0x4ce0
+    [<00000000053f29bd>] __x64_sys_bpf+0x75/0xb0
+    [<0000000056fedaf5>] do_syscall_64+0x35/0x80
+    [<000000002bd58261>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Fixes: c69431aab67a ("bpf: verifier: Improve function state reallocation")
+Reported-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Reported-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Bill Wendling <morbo@google.com>
+Cc: Lorenz Bauer <oss@lmb.io>
+Link: https://lore.kernel.org/bpf/20221029025433.2533810-1-keescook@chromium.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index c3a4158e838e..259248306056 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -770,12 +770,17 @@ static void *copy_array(void *dst, const void *src, size_t n, size_t size, gfp_t
+  */
+ static void *realloc_array(void *arr, size_t old_n, size_t new_n, size_t size)
+ {
++      void *new_arr;
++
+       if (!new_n || old_n == new_n)
+               goto out;
+-      arr = krealloc_array(arr, new_n, size, GFP_KERNEL);
+-      if (!arr)
++      new_arr = krealloc_array(arr, new_n, size, GFP_KERNEL);
++      if (!new_arr) {
++              kfree(arr);
+               return NULL;
++      }
++      arr = new_arr;
+       if (new_n > old_n)
+               memset(arr + old_n * size, 0, (new_n - old_n) * size);
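Review bot: The failure path now frees the caller's array (`kfree(arr)` before `return NULL`), which changes the ownership contract of realloc_array(), but the patch does not touch the comment block that ends just above the signature. Unless that comment already says so, any caller that keeps using or frees its old pointer after a NULL return would now hit a use-after-free or a double free, so the contract should be spelled out: `/* On failure the old array is freed and NULL is returned; the caller must overwrite its pointer with the result. */`. The function body continues outside the hunk.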
+-- 
+2.35.1
+
diff --git a/queue-5.15/bpftool-fix-null-pointer-dereference-when-pin-prog-m.patch b/queue-5.15/bpftool-fix-null-pointer-dereference-when-pin-prog-m.patch
new file mode 100644 (file)
index 0000000..9daac0e
--- /dev/null
@@ -0,0 +1,50 @@
+From b3fafff200c96c89a6eb4c892dd085270a435f00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 16:40:34 +0800
+Subject: bpftool: Fix NULL pointer dereference when pin {PROG, MAP, LINK}
+ without FILE
+
+From: Pu Lehui <pulehui@huawei.com>
+
+[ Upstream commit 34de8e6e0e1f66e431abf4123934a2581cb5f133 ]
+
+When using bpftool to pin {PROG, MAP, LINK} without FILE,
+segmentation fault will occur. The reson is that the lack
+of FILE will cause strlen to trigger NULL pointer dereference.
+The corresponding stacktrace is shown below:
+
+do_pin
+  do_pin_any
+    do_pin_fd
+      mount_bpffs_for_pin
+        strlen(name) <- NULL pointer dereference
+
+Fix it by adding validation to the common process.
+
+Fixes: 75a1e792c335 ("tools: bpftool: Allow all prog/map handles for pinning objects")
+Signed-off-by: Pu Lehui <pulehui@huawei.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Quentin Monnet <quentin@isovalent.com>
+Link: https://lore.kernel.org/bpf/20221102084034.3342995-1-pulehui@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/common.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/bpf/bpftool/common.c b/tools/bpf/bpftool/common.c
+index d42d930a3ec4..e4c65d34fe74 100644
+--- a/tools/bpf/bpftool/common.c
++++ b/tools/bpf/bpftool/common.c
+@@ -278,6 +278,9 @@ int do_pin_any(int argc, char **argv, int (*get_fd)(int *, char ***))
+       int err;
+       int fd;
++      if (!REQ_ARGS(3))
++              return -EINVAL;
++
+       fd = get_fd(&argc, &argv);
+       if (fd < 0)
+               return fd;
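Review bot: The guard `if (!REQ_ARGS(3))` hard-codes the argument count, which ties do_pin_any() to every `get_fd` callback consuming exactly two words before FILE; that is not visible in the hunk. A short comment, `/* handle keyword, handle value, FILE */`, would make the 3 self-explanatory. Re-checking that an argument remains after `get_fd(&argc, &argv)` returns would keep the FILE argument from being NULL even if a handle parser consumes more than two words. The function continues outside the hunk.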
+-- 
+2.35.1
+
diff --git a/queue-5.15/can-af_can-fix-null-pointer-dereference-in-can_rx_re.patch b/queue-5.15/can-af_can-fix-null-pointer-dereference-in-can_rx_re.patch
new file mode 100644 (file)
index 0000000..ea3b2bc
--- /dev/null
@@ -0,0 +1,64 @@
+From 30ab07f6bd7d2d13f3d0c3afdbef549918c4822d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 16:56:50 +0800
+Subject: can: af_can: fix NULL pointer dereference in can_rx_register()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 8aa59e355949442c408408c2d836e561794c40a1 ]
+
+It causes NULL pointer dereference when testing as following:
+(a) use syscall(__NR_socket, 0x10ul, 3ul, 0) to create netlink socket.
+(b) use syscall(__NR_sendmsg, ...) to create bond link device and vxcan
+    link device, and bind vxcan device to bond device (can also use
+    ifenslave command to bind vxcan device to bond device).
+(c) use syscall(__NR_socket, 0x1dul, 3ul, 1) to create CAN socket.
+(d) use syscall(__NR_bind, ...) to bind the bond device to CAN socket.
+
+The bond device invokes the can-raw protocol registration interface to
+receive CAN packets. However, ml_priv is not allocated to the dev,
+dev_rcv_lists is assigned to NULL in can_rx_register(). In this case,
+it will occur the NULL pointer dereference issue.
+
+The following is the stack information:
+BUG: kernel NULL pointer dereference, address: 0000000000000008
+PGD 122a4067 P4D 122a4067 PUD 1223c067 PMD 0
+Oops: 0000 [#1] PREEMPT SMP
+RIP: 0010:can_rx_register+0x12d/0x1e0
+Call Trace:
+<TASK>
+raw_enable_filters+0x8d/0x120
+raw_enable_allfilters+0x3b/0x130
+raw_bind+0x118/0x4f0
+__sys_bind+0x163/0x1a0
+__x64_sys_bind+0x1e/0x30
+do_syscall_64+0x35/0x80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+</TASK>
+
+Fixes: 4e096a18867a ("net: introduce CAN specific pointer in the struct net_device")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Reviewed-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Link: https://lore.kernel.org/all/20221028085650.170470-1-shaozhengchao@huawei.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/af_can.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/can/af_can.c b/net/can/af_can.c
+index cce2af10eb3e..4ddefa6a3e05 100644
+--- a/net/can/af_can.c
++++ b/net/can/af_can.c
+@@ -451,7 +451,7 @@ int can_rx_register(struct net *net, struct net_device *dev, canid_t can_id,
+       /* insert new receiver  (dev,canid,mask) -> (func,data) */
+-      if (dev && dev->type != ARPHRD_CAN)
++      if (dev && (dev->type != ARPHRD_CAN || !can_get_ml_priv(dev)))
+               return -ENODEV;
+       if (dev && !net_eq(net, dev_net(dev)))
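Review bot: The added `!can_get_ml_priv(dev)` test is folded into the device-type check without a comment, so the reason a device of type ARPHRD_CAN can still be unusable lives only in the commit message. I would add above the `if`: `/* the type alone does not guarantee CAN ml_priv; without it there are no receive lists to register on */`. Other entry points that look up the per-device receive lists are outside the hunk, and it is worth confirming they apply the same check. can_rx_register() starts and ends outside the hunk.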
+-- 
+2.35.1
+
diff --git a/queue-5.15/capabilities-fix-undefined-behavior-in-bit-shift-for.patch b/queue-5.15/capabilities-fix-undefined-behavior-in-bit-shift-for.patch
new file mode 100644 (file)
index 0000000..af39cc7
--- /dev/null
@@ -0,0 +1,53 @@
+From e6874d1cf560e34119170e68d55fa6af75279d24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Oct 2022 19:25:36 +0800
+Subject: capabilities: fix undefined behavior in bit shift for CAP_TO_MASK
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit 46653972e3ea64f79e7f8ae3aa41a4d3fdb70a13 ]
+
+Shifting signed 32-bit value by 31 bits is undefined, so changing
+significant bit to unsigned. The UBSAN warning calltrace like below:
+
+UBSAN: shift-out-of-bounds in security/commoncap.c:1252:2
+left shift of 1 by 31 places cannot be represented in type 'int'
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x7d/0xa5
+ dump_stack+0x15/0x1b
+ ubsan_epilogue+0xe/0x4e
+ __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c
+ cap_task_prctl+0x561/0x6f0
+ security_task_prctl+0x5a/0xb0
+ __x64_sys_prctl+0x61/0x8f0
+ do_syscall_64+0x58/0x80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ </TASK>
+
+Fixes: e338d263a76a ("Add 64-bit capability support to the kernel")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Acked-by: Andrew G. Morgan <morgan@kernel.org>
+Reviewed-by: Serge Hallyn <serge@hallyn.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/capability.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
+index 463d1ba2232a..3d61a0ae055d 100644
+--- a/include/uapi/linux/capability.h
++++ b/include/uapi/linux/capability.h
+@@ -426,7 +426,7 @@ struct vfs_ns_cap_data {
+  */
+ #define CAP_TO_INDEX(x)     ((x) >> 5)        /* 1 << 5 == bits in __u32 */
+-#define CAP_TO_MASK(x)      (1 << ((x) & 31)) /* mask for indexed __u32 */
++#define CAP_TO_MASK(x)      (1U << ((x) & 31)) /* mask for indexed __u32 */
+ #endif /* _UAPI_LINUX_CAPABILITY_H */
+-- 
+2.35.1
+
diff --git a/queue-5.15/cxgb4vf-shut-down-the-adapter-when-t4vf_update_port_.patch b/queue-5.15/cxgb4vf-shut-down-the-adapter-when-t4vf_update_port_.patch
new file mode 100644 (file)
index 0000000..241e6a4
--- /dev/null
@@ -0,0 +1,39 @@
+From d2361f85ec2b21cb902c3e5ffa27cbee0fbc7574 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 09:21:00 +0800
+Subject: cxgb4vf: shut down the adapter when t4vf_update_port_info() failed in
+ cxgb4vf_open()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit c6092ea1e6d7bd12acd881f6aa2b5054cd70e096 ]
+
+When t4vf_update_port_info() failed in cxgb4vf_open(), resources applied
+during adapter goes up are not cleared. Fix it. Only be compiled, not be
+tested.
+
+Fixes: 18d79f721e0a ("cxgb4vf: Update port information in cxgb4vf_open()")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Link: https://lore.kernel.org/r/20221109012100.99132-1-shaozhengchao@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4vf/cxgb4vf_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4vf/cxgb4vf_main.c b/drivers/net/ethernet/chelsio/cxgb4vf/cxgb4vf_main.c
+index 49b76fd47daa..464c2b365721 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4vf/cxgb4vf_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb4vf/cxgb4vf_main.c
+@@ -858,7 +858,7 @@ static int cxgb4vf_open(struct net_device *dev)
+        */
+       err = t4vf_update_port_info(pi);
+       if (err < 0)
+-              return err;
++              goto err_unwind;
+       /*
+        * Note that this interface is up and start everything up ...
+-- 
+2.35.1
+
diff --git a/queue-5.15/dmaengine-mv_xor_v2-fix-a-resource-leak-in-mv_xor_v2.patch b/queue-5.15/dmaengine-mv_xor_v2-fix-a-resource-leak-in-mv_xor_v2.patch
new file mode 100644 (file)
index 0000000..7512d0c
--- /dev/null
@@ -0,0 +1,38 @@
+From 530bcfc0925c5019298c98b33be40348891a363a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 21:50:09 +0200
+Subject: dmaengine: mv_xor_v2: Fix a resource leak in mv_xor_v2_remove()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 081195d17a0c4c636da2b869bd5809d42e8cbb13 ]
+
+A clk_prepare_enable() call in the probe is not balanced by a corresponding
+clk_disable_unprepare() in the remove function.
+
+Add the missing call.
+
+Fixes: 3cd2c313f1d6 ("dmaengine: mv_xor_v2: Fix clock resource by adding a register clock")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/e9e3837a680c9bd2438e4db2b83270c6c052d005.1666640987.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/mv_xor_v2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/dma/mv_xor_v2.c b/drivers/dma/mv_xor_v2.c
+index 9b0d463f89bb..4800c596433a 100644
+--- a/drivers/dma/mv_xor_v2.c
++++ b/drivers/dma/mv_xor_v2.c
+@@ -899,6 +899,7 @@ static int mv_xor_v2_remove(struct platform_device *pdev)
+       tasklet_kill(&xor_dev->irq_tasklet);
+       clk_disable_unprepare(xor_dev->clk);
++      clk_disable_unprepare(xor_dev->reg_clk);
+       return 0;
+ }
+-- 
+2.35.1
+
diff --git a/queue-5.15/dmaengine-pxa_dma-use-platform_get_irq_optional.patch b/queue-5.15/dmaengine-pxa_dma-use-platform_get_irq_optional.patch
new file mode 100644 (file)
index 0000000..de3bfdc
--- /dev/null
@@ -0,0 +1,49 @@
+From f363284965e94249045a27be0ee75630b7515a60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Sep 2022 17:07:09 -0700
+Subject: dmaengine: pxa_dma: use platform_get_irq_optional
+
+From: Doug Brown <doug@schmorgal.com>
+
+[ Upstream commit b3d726cb8497c6b12106fd617d46eef11763ea86 ]
+
+The first IRQ is required, but IRQs 1 through (nb_phy_chans - 1) are
+optional, because on some platforms (e.g. PXA168) there is a single IRQ
+shared between all channels.
+
+This change inhibits a flood of "IRQ index # not found" messages at
+startup. Tested on a PXA168-based device.
+
+Fixes: 7723f4c5ecdb ("driver core: platform: Add an error message to platform_get_irq*()")
+Signed-off-by: Doug Brown <doug@schmorgal.com>
+Link: https://lore.kernel.org/r/20220906000709.52705-1-doug@schmorgal.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/pxa_dma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/pxa_dma.c b/drivers/dma/pxa_dma.c
+index aa6e552249ab..e613ace79ea8 100644
+--- a/drivers/dma/pxa_dma.c
++++ b/drivers/dma/pxa_dma.c
+@@ -1248,14 +1248,14 @@ static int pxad_init_phys(struct platform_device *op,
+               return -ENOMEM;
+       for (i = 0; i < nb_phy_chans; i++)
+-              if (platform_get_irq(op, i) > 0)
++              if (platform_get_irq_optional(op, i) > 0)
+                       nr_irq++;
+       for (i = 0; i < nb_phy_chans; i++) {
+               phy = &pdev->phys[i];
+               phy->base = pdev->base;
+               phy->idx = i;
+-              irq = platform_get_irq(op, i);
++              irq = platform_get_irq_optional(op, i);
+               if ((nr_irq > 1) && (irq > 0))
+                       ret = devm_request_irq(&op->dev, irq,
+                                              pxad_chan_handler,
+-- 
+2.35.1
+
diff --git a/queue-5.15/dmaengine-ti-k3-udma-glue-fix-memory-leak-when-regis.patch b/queue-5.15/dmaengine-ti-k3-udma-glue-fix-memory-leak-when-regis.patch
new file mode 100644 (file)
index 0000000..aba177d
--- /dev/null
@@ -0,0 +1,55 @@
+From 33cfe7cbd22e572b3c01cdfaa1f3bc85a1d0ca32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Oct 2022 14:28:27 +0800
+Subject: dmaengine: ti: k3-udma-glue: fix memory leak when register device
+ fail
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit ac2b9f34f02052709aea7b34bb2a165e1853eb41 ]
+
+If device_register() fails, it should call put_device() to give
+up reference, the name allocated in dev_set_name() can be freed
+in callback function kobject_cleanup().
+
+Fixes: 5b65781d06ea ("dmaengine: ti: k3-udma-glue: Add support for K3 PKTDMA")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Acked-by: Peter Ujfalusi <peter.ujfalusi@gmail.com>
+Link: https://lore.kernel.org/r/20221020062827.2914148-1-yangyingliang@huawei.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/ti/k3-udma-glue.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/dma/ti/k3-udma-glue.c b/drivers/dma/ti/k3-udma-glue.c
+index 4fdd9f06b723..4f1aeb81e9c7 100644
+--- a/drivers/dma/ti/k3-udma-glue.c
++++ b/drivers/dma/ti/k3-udma-glue.c
+@@ -299,6 +299,7 @@ struct k3_udma_glue_tx_channel *k3_udma_glue_request_tx_chn(struct device *dev,
+       ret = device_register(&tx_chn->common.chan_dev);
+       if (ret) {
+               dev_err(dev, "Channel Device registration failed %d\n", ret);
++              put_device(&tx_chn->common.chan_dev);
+               tx_chn->common.chan_dev.parent = NULL;
+               goto err;
+       }
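Review bot: In all three hunks the error path stores `...common.chan_dev.parent = NULL;` after the new `put_device()` on the same `chan_dev`. If dropping that reference can run a release callback that frees the structure embedding `chan_dev`, the store is a use-after-free; the allocation and the release callback are outside the hunks, so this cannot be confirmed here. If the channel object does outlive the device reference, a one-line comment next to `put_device()` stating that would make the ordering safe to read, in the tx_chn hunk and in the two rx_chn hunks below it.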
+@@ -917,6 +918,7 @@ k3_udma_glue_request_rx_chn_priv(struct device *dev, const char *name,
+       ret = device_register(&rx_chn->common.chan_dev);
+       if (ret) {
+               dev_err(dev, "Channel Device registration failed %d\n", ret);
++              put_device(&rx_chn->common.chan_dev);
+               rx_chn->common.chan_dev.parent = NULL;
+               goto err;
+       }
+@@ -1048,6 +1050,7 @@ k3_udma_glue_request_remote_rx_chn(struct device *dev, const char *name,
+       ret = device_register(&rx_chn->common.chan_dev);
+       if (ret) {
+               dev_err(dev, "Channel Device registration failed %d\n", ret);
++              put_device(&rx_chn->common.chan_dev);
+               rx_chn->common.chan_dev.parent = NULL;
+               goto err;
+       }
+-- 
+2.35.1
+
diff --git a/queue-5.15/drivers-net-xgene-disable-napi-when-register-irq-fai.patch b/queue-5.15/drivers-net-xgene-disable-napi-when-register-irq-fai.patch
new file mode 100644 (file)
index 0000000..1350d19
--- /dev/null
@@ -0,0 +1,42 @@
+From e670e57ba0c4b7c7cbdfde14c8d9c6b656462af3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 12:30:32 +0800
+Subject: drivers: net: xgene: disable napi when register irq failed in
+ xgene_enet_open()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit ce9e57feeed81d17d5e80ed86f516ff0d39c3867 ]
+
+When failed to register irq in xgene_enet_open() for opening device,
+napi isn't disabled. When open xgene device next time, it will reports
+a invalid opcode issue. Fix it. Only be compiled, not be tested.
+
+Fixes: aeb20b6b3f4e ("drivers: net: xgene: fix: ifconfig up/down crash")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Link: https://lore.kernel.org/r/20221107043032.357673-1-shaozhengchao@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/apm/xgene/xgene_enet_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/apm/xgene/xgene_enet_main.c b/drivers/net/ethernet/apm/xgene/xgene_enet_main.c
+index 78c7cbc372b0..71151f675a49 100644
+--- a/drivers/net/ethernet/apm/xgene/xgene_enet_main.c
++++ b/drivers/net/ethernet/apm/xgene/xgene_enet_main.c
+@@ -1004,8 +1004,10 @@ static int xgene_enet_open(struct net_device *ndev)
+       xgene_enet_napi_enable(pdata);
+       ret = xgene_enet_register_irq(ndev);
+-      if (ret)
++      if (ret) {
++              xgene_enet_napi_disable(pdata);
+               return ret;
++      }
+       if (ndev->phydev) {
+               phy_start(ndev->phydev);
+-- 
+2.35.1
+
diff --git a/queue-5.15/drm-vc4-fix-missing-platform_unregister_drivers-call.patch b/queue-5.15/drm-vc4-fix-missing-platform_unregister_drivers-call.patch
new file mode 100644 (file)
index 0000000..c1ed6ee
--- /dev/null
@@ -0,0 +1,65 @@
+From 9b8cb61e23bb8e00112b9958013affc11e07379d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 01:47:05 +0000
+Subject: drm/vc4: Fix missing platform_unregister_drivers() call in
+ vc4_drm_register()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit cf53db768a8790fdaae2fa3a81322b080285f7e5 ]
+
+A problem about modprobe vc4 failed is triggered with the following log
+given:
+
+ [  420.327987] Error: Driver 'vc4_hvs' is already registered, aborting...
+ [  420.333904] failed to register platform driver vc4_hvs_driver [vc4]: -16
+ modprobe: ERROR: could not insert 'vc4': Device or resource busy
+
+The reason is that vc4_drm_register() returns platform_driver_register()
+directly without checking its return value, if platform_driver_register()
+fails, it returns without unregistering all the vc4 drivers, resulting the
+vc4 can never be installed later.
+A simple call graph is shown as below:
+
+ vc4_drm_register()
+   platform_register_drivers() # all vc4 drivers are registered
+   platform_driver_register()
+     driver_register()
+       bus_add_driver()
+         priv = kzalloc(...) # OOM happened
+   # return without unregister drivers
+
+Fixing this problem by checking the return value of
+platform_driver_register() and do platform_unregister_drivers() if
+error happened.
+
+Fixes: c8b75bca92cb ("drm/vc4: Add KMS support for Raspberry Pi.")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221103014705.109322-1-yuancan@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_drv.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_drv.c b/drivers/gpu/drm/vc4/vc4_drv.c
+index d216a1fd057c..099df15e1a61 100644
+--- a/drivers/gpu/drm/vc4/vc4_drv.c
++++ b/drivers/gpu/drm/vc4/vc4_drv.c
+@@ -383,7 +383,12 @@ static int __init vc4_drm_register(void)
+       if (ret)
+               return ret;
+-      return platform_driver_register(&vc4_platform_driver);
++      ret = platform_driver_register(&vc4_platform_driver);
++      if (ret)
++              platform_unregister_drivers(component_drivers,
++                                          ARRAY_SIZE(component_drivers));
++
++      return ret;
+ }
+ static void __exit vc4_drm_unregister(void)
+-- 
+2.35.1
+
diff --git a/queue-5.15/ethernet-s2io-disable-napi-when-start-nic-failed-in-.patch b/queue-5.15/ethernet-s2io-disable-napi-when-start-nic-failed-in-.patch
new file mode 100644 (file)
index 0000000..82e9a8e
--- /dev/null
@@ -0,0 +1,86 @@
+From 760a00e697a3a38be554443afb217ab4c6cf35b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 10:37:41 +0800
+Subject: ethernet: s2io: disable napi when start nic failed in s2io_card_up()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 0348c1ab980c1d43fb37b758d4b760990c066cb5 ]
+
+When failed to start nic or add interrupt service routine in
+s2io_card_up() for opening device, napi isn't disabled. When open
+s2io device next time, it will trigger a BUG_ON()in napi_enable().
+Compile tested only.
+
+Fixes: 5f490c968056 ("S2io: Fixed synchronization between scheduling of napi with card reset and close")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Link: https://lore.kernel.org/r/20221109023741.131552-1-shaozhengchao@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/neterion/s2io.c | 29 +++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/neterion/s2io.c b/drivers/net/ethernet/neterion/s2io.c
+index 3b6b2e61139e..f4703f53bcdc 100644
+--- a/drivers/net/ethernet/neterion/s2io.c
++++ b/drivers/net/ethernet/neterion/s2io.c
+@@ -7125,9 +7125,8 @@ static int s2io_card_up(struct s2io_nic *sp)
+               if (ret) {
+                       DBG_PRINT(ERR_DBG, "%s: Out of memory in Open\n",
+                                 dev->name);
+-                      s2io_reset(sp);
+-                      free_rx_buffers(sp);
+-                      return -ENOMEM;
++                      ret = -ENOMEM;
++                      goto err_fill_buff;
+               }
+               DBG_PRINT(INFO_DBG, "Buf in ring:%d is %d:\n", i,
+                         ring->rx_bufs_left);
+@@ -7165,18 +7164,16 @@ static int s2io_card_up(struct s2io_nic *sp)
+       /* Enable Rx Traffic and interrupts on the NIC */
+       if (start_nic(sp)) {
+               DBG_PRINT(ERR_DBG, "%s: Starting NIC failed\n", dev->name);
+-              s2io_reset(sp);
+-              free_rx_buffers(sp);
+-              return -ENODEV;
++              ret = -ENODEV;
++              goto err_out;
+       }
+       /* Add interrupt service routine */
+       if (s2io_add_isr(sp) != 0) {
+               if (sp->config.intr_type == MSI_X)
+                       s2io_rem_isr(sp);
+-              s2io_reset(sp);
+-              free_rx_buffers(sp);
+-              return -ENODEV;
++              ret = -ENODEV;
++              goto err_out;
+       }
+       timer_setup(&sp->alarm_timer, s2io_alarm_handle, 0);
+@@ -7196,6 +7193,20 @@ static int s2io_card_up(struct s2io_nic *sp)
+       }
+       return 0;
++
++err_out:
++      if (config->napi) {
++              if (config->intr_type == MSI_X) {
++                      for (i = 0; i < sp->config.rx_ring_num; i++)
++                              napi_disable(&sp->mac_control.rings[i].napi);
++              } else {
++                      napi_disable(&sp->napi);
++              }
++      }
++err_fill_buff:
++      s2io_reset(sp);
++      free_rx_buffers(sp);
++      return ret;
+ }
+ /**
+-- 
+2.35.1
+
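Review bot: The new `err_out` block in s2io_card_up() mixes two spellings of the same configuration: it tests `config->napi` and `config->intr_type` but bounds the loop with `sp->config.rx_ring_num`. The ISR failure branch just above also uses `sp->config.intr_type`. Assuming `config` is a local pointer to `sp->config` (its declaration is outside the hunk), the loop line should read `for (i = 0; i < config->rx_ring_num; i++)`. A one-line comment above `err_out:` saying it must mirror the napi_enable() sequence earlier in the function, which is not visible here, would help keep the two paths in step.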
diff --git a/queue-5.15/ethernet-tundra-free-irq-when-alloc-ring-failed-in-t.patch b/queue-5.15/ethernet-tundra-free-irq-when-alloc-ring-failed-in-t.patch
new file mode 100644 (file)
index 0000000..22b16aa
--- /dev/null
@@ -0,0 +1,45 @@
+From bb40270cd50f0535a73ac92691f3d331622c020c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 12:40:16 +0800
+Subject: ethernet: tundra: free irq when alloc ring failed in tsi108_open()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit acce40037041f97baad18142bb253064491ebde3 ]
+
+When alloc tx/rx ring failed in tsi108_open(), it doesn't free irq. Fix
+it.
+
+Fixes: 5e123b844a1c ("[PATCH] Add tsi108/9 On Chip Ethernet device driver support")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Link: https://lore.kernel.org/r/20221109044016.126866-1-shaozhengchao@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/tundra/tsi108_eth.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/tundra/tsi108_eth.c b/drivers/net/ethernet/tundra/tsi108_eth.c
+index cf0917b29e30..f175c098698d 100644
+--- a/drivers/net/ethernet/tundra/tsi108_eth.c
++++ b/drivers/net/ethernet/tundra/tsi108_eth.c
+@@ -1302,12 +1302,15 @@ static int tsi108_open(struct net_device *dev)
+       data->rxring = dma_alloc_coherent(&data->pdev->dev, rxring_size,
+                                         &data->rxdma, GFP_KERNEL);
+-      if (!data->rxring)
++      if (!data->rxring) {
++              free_irq(data->irq_num, dev);
+               return -ENOMEM;
++      }
+       data->txring = dma_alloc_coherent(&data->pdev->dev, txring_size,
+                                         &data->txdma, GFP_KERNEL);
+       if (!data->txring) {
++              free_irq(data->irq_num, dev);
+               dma_free_coherent(&data->pdev->dev, rxring_size, data->rxring,
+                                   data->rxdma);
+               return -ENOMEM;
+-- 
+2.35.1
+
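Review bot: Both allocation-failure branches in tsi108_open() now carry their own copy of `free_irq(data->irq_num, dev);`, and the txring branch also repeats the rxring release. Another failure branch added later would have to remember both releases by hand. A single unwind tail is the usual kernel idiom: set the error code, then `goto err_free_rx;` or `goto err_free_irq;`, with the labels releasing in reverse order of acquisition. The function continues past this hunk, so the label placement would need to be checked against the rest of the body.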
diff --git a/queue-5.15/hamradio-fix-issue-of-dev-reference-count-leakage-in.patch b/queue-5.15/hamradio-fix-issue-of-dev-reference-count-leakage-in.patch
new file mode 100644 (file)
index 0000000..3e0fbb1
--- /dev/null
@@ -0,0 +1,49 @@
+From 22954d1e4052444ce2c0df3ea40ed3909ca7aaf0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 17:09:05 +0800
+Subject: hamradio: fix issue of dev reference count leakage in
+ bpq_device_event()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 85cbaf032d3cd9f595152625eda5d4ecb1d6d78d ]
+
+When following tests are performed, it will cause dev reference counting
+leakage.
+a)ip link add bond2 type bond mode balance-rr
+b)ip link set bond2 up
+c)ifenslave -f bond2 rose1
+d)ip link del bond2
+
+When new bond device is created, the default type of the bond device is
+ether. And the bond device is up, bpq_device_event() receives the message
+and creates a new bpq device. In this case, the reference count value of
+dev is hold once. But after "ifenslave -f bond2 rose1" command is
+executed, the type of the bond device is changed to rose. When the bond
+device is unregistered, bpq_device_event() will not put the dev reference
+count.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hamradio/bpqether.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/hamradio/bpqether.c b/drivers/net/hamradio/bpqether.c
+index d967b0748773..027b04795421 100644
+--- a/drivers/net/hamradio/bpqether.c
++++ b/drivers/net/hamradio/bpqether.c
+@@ -534,7 +534,7 @@ static int bpq_device_event(struct notifier_block *this,
+       if (!net_eq(dev_net(dev), &init_net))
+               return NOTIFY_DONE;
+-      if (!dev_is_ethdev(dev))
++      if (!dev_is_ethdev(dev) && !bpq_get_ax25_dev(dev))
+               return NOTIFY_DONE;
+       switch (event) {
+-- 
+2.35.1
+
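Review bot: The widened guard `if (!dev_is_ethdev(dev) && !bpq_get_ax25_dev(dev))` in bpq_device_event() has no comment, and the reason a non-Ethernet device must still be handled is only in the commit message. Without it the second test looks redundant and is an easy target for a later cleanup that would bring the reference leak back. I would add above the condition: `/* A device may change type after a bpq device was attached to it; keep handling it so the held reference is dropped on unregister. */`. The rest of the function, including the unregister case, is outside the hunk.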
diff --git a/queue-5.15/hid-hyperv-fix-possible-memory-leak-in-mousevsc_prob.patch b/queue-5.15/hid-hyperv-fix-possible-memory-leak-in-mousevsc_prob.patch
new file mode 100644 (file)
index 0000000..9aa392c
--- /dev/null
@@ -0,0 +1,37 @@
+From f0a983a47813435b116a9ea42f7d9998ebd087ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 21:40:43 +0800
+Subject: HID: hyperv: fix possible memory leak in mousevsc_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit b5bcb94b0954a026bbd671741fdb00e7141f9c91 ]
+
+If hid_add_device() returns error, it should call hid_destroy_device()
+to free hid_dev which is allocated in hid_allocate_device().
+
+Fixes: 74c4fb058083 ("HID: hv_mouse: Properly add the hid device")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-hyperv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-hyperv.c b/drivers/hid/hid-hyperv.c
+index 978ee2aab2d4..b7704dd6809d 100644
+--- a/drivers/hid/hid-hyperv.c
++++ b/drivers/hid/hid-hyperv.c
+@@ -498,7 +498,7 @@ static int mousevsc_probe(struct hv_device *device,
+       ret = hid_add_device(hid_dev);
+       if (ret)
+-              goto probe_err1;
++              goto probe_err2;
+       ret = hid_parse(hid_dev);
+-- 
+2.35.1
+
diff --git a/queue-5.15/hwspinlock-qcom-correct-mmio-max-register-for-newer-.patch b/queue-5.15/hwspinlock-qcom-correct-mmio-max-register-for-newer-.patch
new file mode 100644 (file)
index 0000000..fb27aef
--- /dev/null
@@ -0,0 +1,38 @@
+From 0341b8fd2d7d964a0a2bfb206fc15af8a09860c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 11:20:23 +0200
+Subject: hwspinlock: qcom: correct MMIO max register for newer SoCs
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 90cb380f9ceb811059340d06ff5fd0c0e93ecbe1 ]
+
+Newer ARMv8 Qualcomm SoCs using 0x1000 register stride have maximum
+register 0x20000 (32 mutexes * 0x1000).
+
+Fixes: 7a1e6fb1c606 ("hwspinlock: qcom: Allow mmio usage in addition to syscon")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@somainline.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220909092035.223915-4-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwspinlock/qcom_hwspinlock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwspinlock/qcom_hwspinlock.c b/drivers/hwspinlock/qcom_hwspinlock.c
+index 364710966665..e49914664863 100644
+--- a/drivers/hwspinlock/qcom_hwspinlock.c
++++ b/drivers/hwspinlock/qcom_hwspinlock.c
+@@ -105,7 +105,7 @@ static const struct regmap_config tcsr_mutex_config = {
+       .reg_bits               = 32,
+       .reg_stride             = 4,
+       .val_bits               = 32,
+-      .max_register           = 0x40000,
++      .max_register           = 0x20000,
+       .fast_io                = true,
+ };
+-- 
+2.35.1
+
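Review bot: The new `.max_register = 0x20000` in tcsr_mutex_config is still a bare constant, and its derivation (32 mutexes * 0x1000 stride) exists only in the commit message. regmap uses this field as the highest register address it will accept, so it bounds which MMIO offsets the driver can reach and should be traceable in the code. A trailing comment such as `/* 32 mutexes * 0x1000 stride */` would do. If the last lock register is at 31 * 0x1000, as that arithmetic suggests, the limit is one stride larger than strictly needed, which is worth confirming against the hardware documentation.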
diff --git a/queue-5.15/ipv6-addrlabel-fix-infoleak-when-sending-struct-ifad.patch b/queue-5.15/ipv6-addrlabel-fix-infoleak-when-sending-struct-ifad.patch
new file mode 100644 (file)
index 0000000..775efb7
--- /dev/null
@@ -0,0 +1,77 @@
+From 6c8fe1e1d68e0948f68884d6079fad120c2cabc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 11:32:16 +0100
+Subject: ipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to
+ network
+
+From: Alexander Potapenko <glider@google.com>
+
+[ Upstream commit c23fb2c82267638f9d206cb96bb93e1f93ad7828 ]
+
+When copying a `struct ifaddrlblmsg` to the network, __ifal_reserved
+remained uninitialized, resulting in a 1-byte infoleak:
+
+  BUG: KMSAN: kernel-network-infoleak in __netdev_start_xmit ./include/linux/netdevice.h:4841
+   __netdev_start_xmit ./include/linux/netdevice.h:4841
+   netdev_start_xmit ./include/linux/netdevice.h:4857
+   xmit_one net/core/dev.c:3590
+   dev_hard_start_xmit+0x1dc/0x800 net/core/dev.c:3606
+   __dev_queue_xmit+0x17e8/0x4350 net/core/dev.c:4256
+   dev_queue_xmit ./include/linux/netdevice.h:3009
+   __netlink_deliver_tap_skb net/netlink/af_netlink.c:307
+   __netlink_deliver_tap+0x728/0xad0 net/netlink/af_netlink.c:325
+   netlink_deliver_tap net/netlink/af_netlink.c:338
+   __netlink_sendskb net/netlink/af_netlink.c:1263
+   netlink_sendskb+0x1d9/0x200 net/netlink/af_netlink.c:1272
+   netlink_unicast+0x56d/0xf50 net/netlink/af_netlink.c:1360
+   nlmsg_unicast ./include/net/netlink.h:1061
+   rtnl_unicast+0x5a/0x80 net/core/rtnetlink.c:758
+   ip6addrlbl_get+0xfad/0x10f0 net/ipv6/addrlabel.c:628
+   rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082
+  ...
+  Uninit was created at:
+   slab_post_alloc_hook+0x118/0xb00 mm/slab.h:742
+   slab_alloc_node mm/slub.c:3398
+   __kmem_cache_alloc_node+0x4f2/0x930 mm/slub.c:3437
+   __do_kmalloc_node mm/slab_common.c:954
+   __kmalloc_node_track_caller+0x117/0x3d0 mm/slab_common.c:975
+   kmalloc_reserve net/core/skbuff.c:437
+   __alloc_skb+0x27a/0xab0 net/core/skbuff.c:509
+   alloc_skb ./include/linux/skbuff.h:1267
+   nlmsg_new ./include/net/netlink.h:964
+   ip6addrlbl_get+0x490/0x10f0 net/ipv6/addrlabel.c:608
+   rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082
+   netlink_rcv_skb+0x299/0x550 net/netlink/af_netlink.c:2540
+   rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6109
+   netlink_unicast_kernel net/netlink/af_netlink.c:1319
+   netlink_unicast+0x9ab/0xf50 net/netlink/af_netlink.c:1345
+   netlink_sendmsg+0xebc/0x10f0 net/netlink/af_netlink.c:1921
+  ...
+
+This patch ensures that the reserved field is always initialized.
+
+Reported-by: syzbot+3553517af6020c4f2813f1003fe76ef3cbffe98d@syzkaller.appspotmail.com
+Fixes: 2a8cc6c89039 ("[IPV6] ADDRCONF: Support RFC3484 configurable address selection policy table.")
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/addrlabel.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv6/addrlabel.c b/net/ipv6/addrlabel.c
+index 8a22486cf270..17ac45aa7194 100644
+--- a/net/ipv6/addrlabel.c
++++ b/net/ipv6/addrlabel.c
+@@ -437,6 +437,7 @@ static void ip6addrlbl_putmsg(struct nlmsghdr *nlh,
+ {
+       struct ifaddrlblmsg *ifal = nlmsg_data(nlh);
+       ifal->ifal_family = AF_INET6;
++      ifal->__ifal_reserved = 0;
+       ifal->ifal_prefixlen = prefixlen;
+       ifal->ifal_flags = 0;
+       ifal->ifal_index = ifindex;
+-- 
+2.35.1
+
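Review bot: ip6addrlbl_putmsg() still initialises `struct ifaddrlblmsg` one field at a time, so the added `ifal->__ifal_reserved = 0;` closes this leak but leaves the same pattern in place. Any field or padding added to the struct later would again go out to the network uninitialised. Clearing the header first with `memset(ifal, 0, sizeof(*ifal));` right after the `nlmsg_data()` line makes the function safe regardless of layout, and the explicit zero assignments then become optional. The function body continues past the hunk, so the remaining assignments are not visible here.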
diff --git a/queue-5.15/kvm-s390-pv-don-t-allow-userspace-to-set-the-clock-u.patch b/queue-5.15/kvm-s390-pv-don-t-allow-userspace-to-set-the-clock-u.patch
new file mode 100644 (file)
index 0000000..784e220
--- /dev/null
@@ -0,0 +1,166 @@
+From 9c1fbe7a06630db83276812fb602c3bb8602cf9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Oct 2022 18:07:12 +0200
+Subject: KVM: s390: pv: don't allow userspace to set the clock under PV
+
+From: Nico Boehr <nrb@linux.ibm.com>
+
+[ Upstream commit 6973091d1b50ab4042f6a2d495f59e9db3662ab8 ]
+
+When running under PV, the guest's TOD clock is under control of the
+ultravisor and the hypervisor isn't allowed to change it. Hence, don't
+allow userspace to change the guest's TOD clock by returning
+-EOPNOTSUPP.
+
+When userspace changes the guest's TOD clock, KVM updates its
+kvm.arch.epoch field and, in addition, the epoch field in all state
+descriptions of all VCPUs.
+
+But, under PV, the ultravisor will ignore the epoch field in the state
+description and simply overwrite it on next SIE exit with the actual
+guest epoch. This leads to KVM having an incorrect view of the guest's
+TOD clock: it has updated its internal kvm.arch.epoch field, but the
+ultravisor ignores the field in the state description.
+
+Whenever a guest is now waiting for a clock comparator, KVM will
+incorrectly calculate the time when the guest should wake up, possibly
+causing the guest to sleep for much longer than expected.
+
+With this change, kvm_s390_set_tod() will now take the kvm->lock to be
+able to call kvm_s390_pv_is_protected(). Since kvm_s390_set_tod_clock()
+also takes kvm->lock, use __kvm_s390_set_tod_clock() instead.
+
+The function kvm_s390_set_tod_clock is now unused, hence remove it.
+Update the documentation to indicate the TOD clock attr calls can now
+return -EOPNOTSUPP.
+
+Fixes: 0f3035047140 ("KVM: s390: protvirt: Do only reset registers that are accessible")
+Reported-by: Marc Hartmayer <mhartmay@linux.ibm.com>
+Signed-off-by: Nico Boehr <nrb@linux.ibm.com>
+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
+Link: https://lore.kernel.org/r/20221011160712.928239-2-nrb@linux.ibm.com
+Message-Id: <20221011160712.928239-2-nrb@linux.ibm.com>
+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/virt/kvm/devices/vm.rst |  3 +++
+ arch/s390/kvm/kvm-s390.c              | 26 +++++++++++++++++---------
+ arch/s390/kvm/kvm-s390.h              |  1 -
+ 3 files changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/Documentation/virt/kvm/devices/vm.rst b/Documentation/virt/kvm/devices/vm.rst
+index 0aa5b1cfd700..60acc39e0e93 100644
+--- a/Documentation/virt/kvm/devices/vm.rst
++++ b/Documentation/virt/kvm/devices/vm.rst
+@@ -215,6 +215,7 @@ KVM_S390_VM_TOD_EXT).
+ :Parameters: address of a buffer in user space to store the data (u8) to
+ :Returns:   -EFAULT if the given address is not accessible from kernel space;
+           -EINVAL if setting the TOD clock extension to != 0 is not supported
++          -EOPNOTSUPP for a PV guest (TOD managed by the ultravisor)
+ 3.2. ATTRIBUTE: KVM_S390_VM_TOD_LOW
+ -----------------------------------
+@@ -224,6 +225,7 @@ the POP (u64).
+ :Parameters: address of a buffer in user space to store the data (u64) to
+ :Returns:    -EFAULT if the given address is not accessible from kernel space
++           -EOPNOTSUPP for a PV guest (TOD managed by the ultravisor)
+ 3.3. ATTRIBUTE: KVM_S390_VM_TOD_EXT
+ -----------------------------------
+@@ -237,6 +239,7 @@ it, it is stored as 0 and not allowed to be set to a value != 0.
+            (kvm_s390_vm_tod_clock) to
+ :Returns:   -EFAULT if the given address is not accessible from kernel space;
+           -EINVAL if setting the TOD clock extension to != 0 is not supported
++          -EOPNOTSUPP for a PV guest (TOD managed by the ultravisor)
+ 4. GROUP: KVM_S390_VM_CRYPTO
+ ============================
+diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
+index b456aa196c04..c61533e1448a 100644
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -1117,6 +1117,8 @@ static int kvm_s390_vm_get_migration(struct kvm *kvm,
+       return 0;
+ }
++static void __kvm_s390_set_tod_clock(struct kvm *kvm, const struct kvm_s390_vm_tod_clock *gtod);
++
+ static int kvm_s390_set_tod_ext(struct kvm *kvm, struct kvm_device_attr *attr)
+ {
+       struct kvm_s390_vm_tod_clock gtod;
+@@ -1126,7 +1128,7 @@ static int kvm_s390_set_tod_ext(struct kvm *kvm, struct kvm_device_attr *attr)
+       if (!test_kvm_facility(kvm, 139) && gtod.epoch_idx)
+               return -EINVAL;
+-      kvm_s390_set_tod_clock(kvm, &gtod);
++      __kvm_s390_set_tod_clock(kvm, &gtod);
+       VM_EVENT(kvm, 3, "SET: TOD extension: 0x%x, TOD base: 0x%llx",
+               gtod.epoch_idx, gtod.tod);
+@@ -1157,7 +1159,7 @@ static int kvm_s390_set_tod_low(struct kvm *kvm, struct kvm_device_attr *attr)
+                          sizeof(gtod.tod)))
+               return -EFAULT;
+-      kvm_s390_set_tod_clock(kvm, &gtod);
++      __kvm_s390_set_tod_clock(kvm, &gtod);
+       VM_EVENT(kvm, 3, "SET: TOD base: 0x%llx", gtod.tod);
+       return 0;
+ }
+@@ -1169,6 +1171,16 @@ static int kvm_s390_set_tod(struct kvm *kvm, struct kvm_device_attr *attr)
+       if (attr->flags)
+               return -EINVAL;
++      mutex_lock(&kvm->lock);
++      /*
++       * For protected guests, the TOD is managed by the ultravisor, so trying
++       * to change it will never bring the expected results.
++       */
++      if (kvm_s390_pv_is_protected(kvm)) {
++              ret = -EOPNOTSUPP;
++              goto out_unlock;
++      }
++
+       switch (attr->attr) {
+       case KVM_S390_VM_TOD_EXT:
+               ret = kvm_s390_set_tod_ext(kvm, attr);
+@@ -1183,6 +1195,9 @@ static int kvm_s390_set_tod(struct kvm *kvm, struct kvm_device_attr *attr)
+               ret = -ENXIO;
+               break;
+       }
++
++out_unlock:
++      mutex_unlock(&kvm->lock);
+       return ret;
+ }
+@@ -3941,13 +3956,6 @@ static void __kvm_s390_set_tod_clock(struct kvm *kvm, const struct kvm_s390_vm_t
+       preempt_enable();
+ }
+-void kvm_s390_set_tod_clock(struct kvm *kvm, const struct kvm_s390_vm_tod_clock *gtod)
+-{
+-      mutex_lock(&kvm->lock);
+-      __kvm_s390_set_tod_clock(kvm, gtod);
+-      mutex_unlock(&kvm->lock);
+-}
+-
+ int kvm_s390_try_set_tod_clock(struct kvm *kvm, const struct kvm_s390_vm_tod_clock *gtod)
+ {
+       if (!mutex_trylock(&kvm->lock))
+diff --git a/arch/s390/kvm/kvm-s390.h b/arch/s390/kvm/kvm-s390.h
+index f8803bf0ff17..a2fde6d69057 100644
+--- a/arch/s390/kvm/kvm-s390.h
++++ b/arch/s390/kvm/kvm-s390.h
+@@ -326,7 +326,6 @@ int kvm_s390_handle_sigp(struct kvm_vcpu *vcpu);
+ int kvm_s390_handle_sigp_pei(struct kvm_vcpu *vcpu);
+ /* implemented in kvm-s390.c */
+-void kvm_s390_set_tod_clock(struct kvm *kvm, const struct kvm_s390_vm_tod_clock *gtod);
+ int kvm_s390_try_set_tod_clock(struct kvm *kvm, const struct kvm_s390_vm_tod_clock *gtod);
+ long kvm_arch_fault_in_page(struct kvm_vcpu *vcpu, gpa_t gpa, int writable);
+ int kvm_s390_store_status_unloaded(struct kvm_vcpu *vcpu, unsigned long addr);
+-- 
+2.35.1
+
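Review bot: kvm_s390_set_tod_ext() and kvm_s390_set_tod_low() now call `__kvm_s390_set_tod_clock()` directly, so they rely on kvm_s390_set_tod() having taken `kvm->lock`, but nothing in the new code states or checks that. A future caller that reaches either helper without the lock would update the epoch unlocked and would also skip the `kvm_s390_pv_is_protected()` gate. Adding `lockdep_assert_held(&kvm->lock);` at the top of both helpers makes the requirement checkable on debug kernels. It could go in `__kvm_s390_set_tod_clock()` instead, but its body is outside these hunks. A short comment on the forward declaration, `/* caller must hold kvm->lock */`, would cover the documentation side.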
diff --git a/queue-5.15/macsec-clear-encryption-keys-from-the-stack-after-se.patch b/queue-5.15/macsec-clear-encryption-keys-from-the-stack-after-se.patch
new file mode 100644 (file)
index 0000000..7813bc9
--- /dev/null
@@ -0,0 +1,47 @@
+From f4d671bf641601f0714404576f0f5ce80f4b3ce0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 22:33:16 +0100
+Subject: macsec: clear encryption keys from the stack after setting up offload
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit aaab73f8fba4fd38f4d2617440d541a1c334e819 ]
+
+macsec_add_rxsa and macsec_add_txsa copy the key to an on-stack
+offloading context to pass it to the drivers, but leaves it there when
+it's done. Clear it with memzero_explicit as soon as it's not needed
+anymore.
+
+Fixes: 3cf3227a21d1 ("net: macsec: hardware offloading infrastructure")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Reviewed-by: Antoine Tenart <atenart@kernel.org>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macsec.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index af9b5eaf5b94..4811bd1f3d74 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -1820,6 +1820,7 @@ static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info)
+                      secy->key_len);
+               err = macsec_offload(ops->mdo_add_rxsa, &ctx);
++              memzero_explicit(ctx.sa.key, secy->key_len);
+               if (err)
+                       goto cleanup;
+       }
+@@ -2062,6 +2063,7 @@ static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info)
+                      secy->key_len);
+               err = macsec_offload(ops->mdo_add_txsa, &ctx);
++              memzero_explicit(ctx.sa.key, secy->key_len);
+               if (err)
+                       goto cleanup;
+       }
+-- 
+2.35.1
+
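Review bot: The added `memzero_explicit(ctx.sa.key, secy->key_len);` in macsec_add_rxsa() and macsec_add_txsa() sizes the wipe by the runtime key length rather than by the buffer. That is correct only while it matches the length used for the copy just above. Assuming `ctx.sa.key` is an array member of the on-stack context (its declaration is not in the hunk), `memzero_explicit(ctx.sa.key, sizeof(ctx.sa.key));` clears the whole buffer whatever was copied into it. Placing the wipe before the `if (err)` test is right, since it covers both the success and failure paths.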
diff --git a/queue-5.15/macsec-delete-new-rxsc-when-offload-fails.patch b/queue-5.15/macsec-delete-new-rxsc-when-offload-fails.patch
new file mode 100644 (file)
index 0000000..2bacd7a
--- /dev/null
@@ -0,0 +1,59 @@
+From dd73211cdfcfdb283e49a5ab331598edad8919b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 22:33:13 +0100
+Subject: macsec: delete new rxsc when offload fails
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 93a30947821c203d08865c4e17ea181c9668ce52 ]
+
+Currently we get an inconsistent state:
+ - netlink returns the error to userspace
+ - the RXSC is installed but not offloaded
+
+Then the device could get confused when we try to add an RXSA, because
+the RXSC isn't supposed to exist.
+
+Fixes: 3cf3227a21d1 ("net: macsec: hardware offloading infrastructure")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Reviewed-by: Antoine Tenart <atenart@kernel.org>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macsec.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index 71700f279278..3a38266ba105 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -1863,7 +1863,6 @@ static int macsec_add_rxsc(struct sk_buff *skb, struct genl_info *info)
+       struct macsec_rx_sc *rx_sc;
+       struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
+       struct macsec_secy *secy;
+-      bool was_active;
+       int ret;
+       if (!attrs[MACSEC_ATTR_IFINDEX])
+@@ -1891,7 +1890,6 @@ static int macsec_add_rxsc(struct sk_buff *skb, struct genl_info *info)
+               return PTR_ERR(rx_sc);
+       }
+-      was_active = rx_sc->active;
+       if (tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE])
+               rx_sc->active = !!nla_get_u8(tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]);
+@@ -1918,7 +1916,8 @@ static int macsec_add_rxsc(struct sk_buff *skb, struct genl_info *info)
+       return 0;
+ cleanup:
+-      rx_sc->active = was_active;
++      del_rx_sc(secy, sci);
++      free_rx_sc(rx_sc);
+       rtnl_unlock();
+       return ret;
+ }
+-- 
+2.35.1
+
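Review bot: The `cleanup:` label in macsec_add_rxsc() now destroys the object with `del_rx_sc(secy, sci);` and `free_rx_sc(rx_sc);`, and it discards del_rx_sc()'s return value. That is safe only if every jump to `cleanup` happens after this call created and linked the RXSC. The jumps themselves are outside the hunk, so this cannot be confirmed from here. A comment at the label would record the precondition for anyone adding an earlier `goto cleanup`: `/* rx_sc was created by this call: unlink and release it so a failed offload leaves no half-installed RXSC */`.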
diff --git a/queue-5.15/macsec-fix-detection-of-rxscs-when-toggling-offloadi.patch b/queue-5.15/macsec-fix-detection-of-rxscs-when-toggling-offloadi.patch
new file mode 100644 (file)
index 0000000..dd2e89b
--- /dev/null
@@ -0,0 +1,44 @@
+From 29e46e427120e148c843194e46630d138b58c415 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 22:33:15 +0100
+Subject: macsec: fix detection of RXSCs when toggling offloading
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 80df4706357a5a06bbbc70273bf2611df1ceee04 ]
+
+macsec_is_configured incorrectly uses secy->n_rx_sc to check if some
+RXSCs exist. secy->n_rx_sc only counts the number of active RXSCs, but
+there can also be inactive SCs as well, which may be stored in the
+driver (in case we're disabling offloading), or would have to be
+pushed to the device (in case we're trying to enable offloading).
+
+As long as RXSCs active on creation and never turned off, the issue is
+not visible.
+
+Fixes: dcb780fb2795 ("net: macsec: add nla support for changing the offloading selection")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Reviewed-by: Antoine Tenart <atenart@kernel.org>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macsec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index 328f6a172b84..af9b5eaf5b94 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -2558,7 +2558,7 @@ static bool macsec_is_configured(struct macsec_dev *macsec)
+       struct macsec_tx_sc *tx_sc = &secy->tx_sc;
+       int i;
+-      if (secy->n_rx_sc > 0)
++      if (secy->rx_sc)
+               return true;
+       for (i = 0; i < MACSEC_NUM_AN; i++)
+-- 
+2.35.1
+
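Review bot: The replacement test `if (secy->rx_sc)` in macsec_is_configured() has no comment, so it reads like a stylistic variant of the old `n_rx_sc > 0` check. The distinction that matters, that n_rx_sc counts only active RXSCs while the list can also hold inactive ones, is recorded only in the commit message. I would add above the condition: `/* n_rx_sc counts only active RXSCs; test the list head so inactive ones are seen too */`. The rest of the function, including the loop over the TX SAs, continues past the hunk.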
diff --git a/queue-5.15/macsec-fix-secy-n_rx_sc-accounting.patch b/queue-5.15/macsec-fix-secy-n_rx_sc-accounting.patch
new file mode 100644 (file)
index 0000000..4d78106
--- /dev/null
@@ -0,0 +1,82 @@
+From ccda52a85a31f2d7c70f9ce8dd87a1c5294e0eac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 22:33:14 +0100
+Subject: macsec: fix secy->n_rx_sc accounting
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 73a4b31c9d11f98ae3bc5286d5382930adb0e9c7 ]
+
+secy->n_rx_sc is supposed to be the number of _active_ rxsc's within a
+secy. This is then used by macsec_send_sci to help decide if we should
+add the SCI to the header or not.
+
+This logic is currently broken when we create a new RXSC and turn it
+off at creation, as create_rx_sc always sets ->active to true (and
+immediately uses that to increment n_rx_sc), and only later
+macsec_add_rxsc sets rx_sc->active.
+
+Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Reviewed-by: Antoine Tenart <atenart@kernel.org>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macsec.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index 3a38266ba105..328f6a172b84 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -1386,7 +1386,8 @@ static struct macsec_rx_sc *del_rx_sc(struct macsec_secy *secy, sci_t sci)
+       return NULL;
+ }
+-static struct macsec_rx_sc *create_rx_sc(struct net_device *dev, sci_t sci)
++static struct macsec_rx_sc *create_rx_sc(struct net_device *dev, sci_t sci,
++                                       bool active)
+ {
+       struct macsec_rx_sc *rx_sc;
+       struct macsec_dev *macsec;
+@@ -1410,7 +1411,7 @@ static struct macsec_rx_sc *create_rx_sc(struct net_device *dev, sci_t sci)
+       }
+       rx_sc->sci = sci;
+-      rx_sc->active = true;
++      rx_sc->active = active;
+       refcount_set(&rx_sc->refcnt, 1);
+       secy = &macsec_priv(dev)->secy;
+@@ -1863,6 +1864,7 @@ static int macsec_add_rxsc(struct sk_buff *skb, struct genl_info *info)
+       struct macsec_rx_sc *rx_sc;
+       struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
+       struct macsec_secy *secy;
++      bool active = true;
+       int ret;
+       if (!attrs[MACSEC_ATTR_IFINDEX])
+@@ -1884,15 +1886,15 @@ static int macsec_add_rxsc(struct sk_buff *skb, struct genl_info *info)
+       secy = &macsec_priv(dev)->secy;
+       sci = nla_get_sci(tb_rxsc[MACSEC_RXSC_ATTR_SCI]);
+-      rx_sc = create_rx_sc(dev, sci);
++      if (tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE])
++              active = nla_get_u8(tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]);
++
++      rx_sc = create_rx_sc(dev, sci, active);
+       if (IS_ERR(rx_sc)) {
+               rtnl_unlock();
+               return PTR_ERR(rx_sc);
+       }
+-      if (tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE])
+-              rx_sc->active = !!nla_get_u8(tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]);
+-
+       if (macsec_is_offloaded(netdev_priv(dev))) {
+               const struct macsec_ops *ops;
+               struct macsec_context ctx;
+-- 
+2.35.1
+
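Review bot: create_rx_sc() gains an `active` parameter, but nothing in the code says why the flag has to be passed in rather than set on the returned object. Per the commit message the function uses `rx_sc->active` straight away to bump `n_rx_sc`; that increment is outside the hunks shown. I would add above the assignment `/* must be final here: n_rx_sc is accounted from ->active before return */` so that a later change does not move the assignment back into macsec_add_rxsc(). The dropped `!!` is harmless only while `active` stays a `bool`.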
diff --git a/queue-5.15/mctp-fix-an-error-handling-path-in-mctp_init.patch b/queue-5.15/mctp-fix-an-error-handling-path-in-mctp_init.patch
new file mode 100644 (file)
index 0000000..86e705f
--- /dev/null
@@ -0,0 +1,60 @@
+From aec886aad07d9ad599019f62e479975939e175aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 09:55:17 +0000
+Subject: mctp: Fix an error handling path in mctp_init()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit d4072058af4fd8fb4658e7452289042a406a9398 ]
+
+If mctp_neigh_init() return error, the routes resources should
+be released in the error handling path. Otherwise some resources
+leak.
+
+Fixes: 4d8b9319282a ("mctp: Add neighbour implementation")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Matt Johnston <matt@codeconstruct.com.au>
+Link: https://lore.kernel.org/r/20221108095517.620115-1-weiyongjun@huaweicloud.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mctp/af_mctp.c | 4 +++-
+ net/mctp/route.c   | 2 +-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/mctp/af_mctp.c b/net/mctp/af_mctp.c
+index 85cc1a28cbe9..cbbde0f73a08 100644
+--- a/net/mctp/af_mctp.c
++++ b/net/mctp/af_mctp.c
+@@ -375,12 +375,14 @@ static __init int mctp_init(void)
+       rc = mctp_neigh_init();
+       if (rc)
+-              goto err_unreg_proto;
++              goto err_unreg_routes;
+       mctp_device_init();
+       return 0;
++err_unreg_routes:
++      mctp_routes_exit();
+ err_unreg_proto:
+       proto_unregister(&mctp_proto);
+ err_unreg_sock:
+diff --git a/net/mctp/route.c b/net/mctp/route.c
+index bbb13dbc9227..6aebb4a3eded 100644
+--- a/net/mctp/route.c
++++ b/net/mctp/route.c
+@@ -1109,7 +1109,7 @@ int __init mctp_routes_init(void)
+       return register_pernet_subsys(&mctp_net_ops);
+ }
+-void __exit mctp_routes_exit(void)
++void mctp_routes_exit(void)
+ {
+       unregister_pernet_subsys(&mctp_net_ops);
+       rtnl_unregister(PF_MCTP, RTM_DELROUTE);
+-- 
+2.35.1
+
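Review bot: Dropping `__exit` from mctp_routes_exit() in net/mctp/route.c is needed because mctp_init() now calls it, but the definition carries no hint of that. A later cleanup could re-add the annotation and reintroduce a section mismatch. I would put `/* not __exit: also called from the mctp_init() error path */` above the definition. The prototype is not in the hunk, so check that its declaration carries no `__exit` either.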
diff --git a/queue-5.15/net-atlantic-macsec-clear-encryption-keys-from-the-s.patch b/queue-5.15/net-atlantic-macsec-clear-encryption-keys-from-the-s.patch
new file mode 100644 (file)
index 0000000..a6a7b35
--- /dev/null
@@ -0,0 +1,98 @@
+From 53faa7f4fbc33af853b846361fc3b7e04e08a9ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 16:34:59 +0100
+Subject: net: atlantic: macsec: clear encryption keys from the stack
+
+From: Antoine Tenart <atenart@kernel.org>
+
+[ Upstream commit 879785def0f5e71d54399de0f8a5cb399db14171 ]
+
+Commit aaab73f8fba4 ("macsec: clear encryption keys from the stack after
+setting up offload") made sure to clean encryption keys from the stack
+after setting up offloading, but the atlantic driver made a copy and did
+not clear it. Fix this.
+
+[4 Fixes tags below, all part of the same series, no need to split this]
+
+Fixes: 9ff40a751a6f ("net: atlantic: MACSec ingress offload implementation")
+Fixes: b8f8a0b7b5cb ("net: atlantic: MACSec ingress offload HW bindings")
+Fixes: 27736563ce32 ("net: atlantic: MACSec egress offload implementation")
+Fixes: 9d106c6dd81b ("net: atlantic: MACSec egress offload HW bindings")
+Signed-off-by: Antoine Tenart <atenart@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/aquantia/atlantic/aq_macsec.c |  2 ++
+ .../aquantia/atlantic/macsec/macsec_api.c      | 18 +++++++++++-------
+ 2 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_macsec.c b/drivers/net/ethernet/aquantia/atlantic/aq_macsec.c
+index 7c6e0811f2e6..ee823a18294c 100644
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_macsec.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_macsec.c
+@@ -585,6 +585,7 @@ static int aq_update_txsa(struct aq_nic_s *nic, const unsigned int sc_idx,
+       ret = aq_mss_set_egress_sakey_record(hw, &key_rec, sa_idx);
++      memzero_explicit(&key_rec, sizeof(key_rec));
+       return ret;
+ }
+@@ -932,6 +933,7 @@ static int aq_update_rxsa(struct aq_nic_s *nic, const unsigned int sc_idx,
+       ret = aq_mss_set_ingress_sakey_record(hw, &sa_key_record, sa_idx);
++      memzero_explicit(&sa_key_record, sizeof(sa_key_record));
+       return ret;
+ }
+diff --git a/drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c b/drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c
+index 36c7cf05630a..431924959520 100644
+--- a/drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c
++++ b/drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c
+@@ -757,6 +757,7 @@ set_ingress_sakey_record(struct aq_hw_s *hw,
+                        u16 table_index)
+ {
+       u16 packed_record[18];
++      int ret;
+       if (table_index >= NUMROWS_INGRESSSAKEYRECORD)
+               return -EINVAL;
+@@ -789,9 +790,12 @@ set_ingress_sakey_record(struct aq_hw_s *hw,
+       packed_record[16] = rec->key_len & 0x3;
+-      return set_raw_ingress_record(hw, packed_record, 18, 2,
+-                                    ROWOFFSET_INGRESSSAKEYRECORD +
+-                                            table_index);
++      ret = set_raw_ingress_record(hw, packed_record, 18, 2,
++                                   ROWOFFSET_INGRESSSAKEYRECORD +
++                                   table_index);
++
++      memzero_explicit(packed_record, sizeof(packed_record));
++      return ret;
+ }
+ int aq_mss_set_ingress_sakey_record(struct aq_hw_s *hw,
+@@ -1739,14 +1743,14 @@ static int set_egress_sakey_record(struct aq_hw_s *hw,
+       ret = set_raw_egress_record(hw, packed_record, 8, 2,
+                                   ROWOFFSET_EGRESSSAKEYRECORD + table_index);
+       if (unlikely(ret))
+-              return ret;
++              goto clear_key;
+       ret = set_raw_egress_record(hw, packed_record + 8, 8, 2,
+                                   ROWOFFSET_EGRESSSAKEYRECORD + table_index -
+                                           32);
+-      if (unlikely(ret))
+-              return ret;
+-      return 0;
++clear_key:
++      memzero_explicit(packed_record, sizeof(packed_record));
++      return ret;
+ }
+ int aq_mss_set_egress_sakey_record(struct aq_hw_s *hw,
+-- 
+2.35.1
+
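Review bot: The added memzero_explicit() calls cover only the exits visible in these hunks. set_ingress_sakey_record(), set_egress_sakey_record(), aq_update_txsa() and aq_update_rxsa() all begin outside them, so any return between copying the key into the stack buffer and the final write would still leave key material behind; that needs checking against the full functions. I would also mark each wipe with `/* key material: wipe the stack copy on every exit path */` so it is not later replaced by a plain memset() or dropped as dead code. The same reasoning applies to any other function in these files that unpacks a SA key record onto the stack, which this patch does not show.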
diff --git a/queue-5.15/net-broadcom-fix-bcmgenet-kconfig.patch b/queue-5.15/net-broadcom-fix-bcmgenet-kconfig.patch
new file mode 100644 (file)
index 0000000..3b5ffb9
--- /dev/null
@@ -0,0 +1,50 @@
+From c00b6092943b807b5ad68c647522345dd77ece12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Nov 2022 17:02:45 +0800
+Subject: net: broadcom: Fix BCMGENET Kconfig
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 8d820bc9d12b8beebca836cceaf2bbe68216c2f8 ]
+
+While BCMGENET select BROADCOM_PHY as y, but PTP_1588_CLOCK_OPTIONAL is m,
+kconfig warning and build errors:
+
+WARNING: unmet direct dependencies detected for BROADCOM_PHY
+  Depends on [m]: NETDEVICES [=y] && PHYLIB [=y] && PTP_1588_CLOCK_OPTIONAL [=m]
+  Selected by [y]:
+  - BCMGENET [=y] && NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_BROADCOM [=y] && HAS_IOMEM [=y] && ARCH_BCM2835 [=y]
+
+drivers/net/phy/broadcom.o: In function `bcm54xx_suspend':
+broadcom.c:(.text+0x6ac): undefined reference to `bcm_ptp_stop'
+drivers/net/phy/broadcom.o: In function `bcm54xx_phy_probe':
+broadcom.c:(.text+0x784): undefined reference to `bcm_ptp_probe'
+drivers/net/phy/broadcom.o: In function `bcm54xx_config_init':
+broadcom.c:(.text+0xd4c): undefined reference to `bcm_ptp_config_init'
+
+Fixes: 99addbe31f55 ("net: broadcom: Select BROADCOM_PHY for BCMGENET")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Acked-by: Florian Fainelli <f.fainelli@broadcom.com>
+Link: https://lore.kernel.org/r/20221105090245.8508-1-yuehaibing@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/Kconfig b/drivers/net/ethernet/broadcom/Kconfig
+index 56e0fb07aec7..1cd3c289f49b 100644
+--- a/drivers/net/ethernet/broadcom/Kconfig
++++ b/drivers/net/ethernet/broadcom/Kconfig
+@@ -77,7 +77,7 @@ config BCMGENET
+       select BCM7XXX_PHY
+       select MDIO_BCM_UNIMAC
+       select DIMLIB
+-      select BROADCOM_PHY if ARCH_BCM2835
++      select BROADCOM_PHY if (ARCH_BCM2835 && PTP_1588_CLOCK_OPTIONAL)
+       help
+         This driver supports the built-in Ethernet MACs found in the
+         Broadcom BCM7xxx Set Top Box family chipset.
+-- 
+2.35.1
+
diff --git a/queue-5.15/net-cpsw-disable-napi-in-cpsw_ndo_open.patch b/queue-5.15/net-cpsw-disable-napi-in-cpsw_ndo_open.patch
new file mode 100644 (file)
index 0000000..c19325f
--- /dev/null
@@ -0,0 +1,38 @@
+From d3523072e3ab95b0d3bd02f7f9f55bdadb80cfd7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 09:15:37 +0800
+Subject: net: cpsw: disable napi in cpsw_ndo_open()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 6d47b53fb3f363a74538a1dbd09954af3d8d4131 ]
+
+When failed to create xdp rxqs or fill rx channels in cpsw_ndo_open() for
+opening device, napi isn't disabled. When open cpsw device next time, it
+will report a invalid opcode issue. Compiled tested only.
+
+Fixes: d354eb85d618 ("drivers: net: cpsw: dual_emac: simplify napi usage")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Link: https://lore.kernel.org/r/20221109011537.96975-1-shaozhengchao@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/cpsw.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/ti/cpsw.c b/drivers/net/ethernet/ti/cpsw.c
+index e226ecd95a2c..ca587fe28150 100644
+--- a/drivers/net/ethernet/ti/cpsw.c
++++ b/drivers/net/ethernet/ti/cpsw.c
+@@ -856,6 +856,8 @@ static int cpsw_ndo_open(struct net_device *ndev)
+ err_cleanup:
+       if (!cpsw->usage_count) {
++              napi_disable(&cpsw->napi_rx);
++              napi_disable(&cpsw->napi_tx);
+               cpdma_ctlr_stop(cpsw->dma);
+               cpsw_destroy_xdp_rxqs(cpsw);
+       }
+-- 
+2.35.1
+
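Review bot: `err_cleanup` is a shared label, and the new napi_disable() calls run for every path that reaches it with `usage_count` at zero. The body of cpsw_ndo_open() is outside the hunk, so it is not visible whether any `goto err_cleanup` is taken before the matching napi_enable() calls. If one is, napi_disable() would run on a context that was never enabled, where it can block indefinitely. In that case the failures after napi_enable() should jump to their own label that disables NAPI and then falls through to the existing cleanup.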
diff --git a/queue-5.15/net-cxgb3_main-disable-napi-when-bind-qsets-failed-i.patch b/queue-5.15/net-cxgb3_main-disable-napi-when-bind-qsets-failed-i.patch
new file mode 100644 (file)
index 0000000..b190954
--- /dev/null
@@ -0,0 +1,37 @@
+From b022600f4827bad08d6878ce12cef0c079339d43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 10:14:51 +0800
+Subject: net: cxgb3_main: disable napi when bind qsets failed in cxgb_up()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit d75aed1428da787cbe42bc073d76f1354f364d92 ]
+
+When failed to bind qsets in cxgb_up() for opening device, napi isn't
+disabled. When open cxgb3 device next time, it will trigger a BUG_ON()
+in napi_enable(). Compile tested only.
+
+Fixes: 48c4b6dbb7e2 ("cxgb3 - fix port up/down error path")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Link: https://lore.kernel.org/r/20221109021451.121490-1-shaozhengchao@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+index 38e47703f9ab..07568aa15873 100644
+--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+@@ -1302,6 +1302,7 @@ static int cxgb_up(struct adapter *adap)
+               if (ret < 0) {
+                       CH_ERR(adap, "failed to bind qsets, err %d\n", ret);
+                       t3_intr_disable(adap);
++                      quiesce_rx(adap);
+                       free_irq_resources(adap);
+                       err = ret;
+                       goto out;
+-- 
+2.35.1
+
diff --git a/queue-5.15/net-ethernet-mtk-star-emac-disable-napi-when-connect.patch b/queue-5.15/net-ethernet-mtk-star-emac-disable-napi-when-connect.patch
new file mode 100644 (file)
index 0000000..1d554c8
--- /dev/null
@@ -0,0 +1,40 @@
+From 4eda0469f28fec6fd5302675468306926bee501f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 09:21:59 +0800
+Subject: net: ethernet: mtk-star-emac: disable napi when connect and start PHY
+ failed in mtk_star_enable()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit b0c09c7f08c2467b2089bdf4adb2fbbc2464f4a8 ]
+
+When failed to connect to and start PHY in mtk_star_enable() for opening
+device, napi isn't disabled. When open mtk star device next time, it will
+reports a invalid opcode issue. Fix it. Only be compiled, not be tested.
+
+Fixes: 8c7bd5a454ff ("net: ethernet: mtk-star-emac: new driver")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Link: https://lore.kernel.org/r/20221107012159.211387-1-shaozhengchao@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_star_emac.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_star_emac.c b/drivers/net/ethernet/mediatek/mtk_star_emac.c
+index 1d5dd2015453..b3c4849f9f39 100644
+--- a/drivers/net/ethernet/mediatek/mtk_star_emac.c
++++ b/drivers/net/ethernet/mediatek/mtk_star_emac.c
+@@ -977,6 +977,8 @@ static int mtk_star_enable(struct net_device *ndev)
+       return 0;
+ err_free_irq:
++      napi_disable(&priv->rx_napi);
++      napi_disable(&priv->tx_napi);
+       free_irq(ndev->irq, ndev);
+ err_free_skbs:
+       mtk_star_free_rx_skbs(priv);
+-- 
+2.35.1
+
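Review bot: This backport relies on `priv->rx_napi` and `priv->tx_napi`, and the hunk does not show where they are declared. Since the queue targets 5.15, confirm that the driver in that tree has two NAPI contexts rather than a single one; otherwise the patch does not build and the call has to be adapted to the older field. The label `err_free_irq` now does more than free the IRQ, so a comment such as `/* undo napi_enable() before releasing the IRQ */` would keep the unwind order readable. The body of mtk_star_enable() is outside the hunk.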
diff --git a/queue-5.15/net-fman-unregister-ethernet-device-on-removal.patch b/queue-5.15/net-fman-unregister-ethernet-device-on-removal.patch
new file mode 100644 (file)
index 0000000..ce20fc0
--- /dev/null
@@ -0,0 +1,53 @@
+From d8420ae5b41fee0a75690352558df809f6bc15be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 14:28:30 -0400
+Subject: net: fman: Unregister ethernet device on removal
+
+From: Sean Anderson <sean.anderson@seco.com>
+
+[ Upstream commit b7cbc6740bd6ad5d43345a2504f7e4beff0d709f ]
+
+When the mac device gets removed, it leaves behind the ethernet device.
+This will result in a segfault next time the ethernet device accesses
+mac_dev. Remove the ethernet device when we get removed to prevent
+this. This is not completely reversible, since some resources aren't
+cleaned up properly, but that can be addressed later.
+
+Fixes: 3933961682a3 ("fsl/fman: Add FMan MAC driver")
+Signed-off-by: Sean Anderson <sean.anderson@seco.com>
+Link: https://lore.kernel.org/r/20221103182831.2248833-1-sean.anderson@seco.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fman/mac.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/net/ethernet/freescale/fman/mac.c b/drivers/net/ethernet/freescale/fman/mac.c
+index 39ae965cd4f6..b0c756b65cc2 100644
+--- a/drivers/net/ethernet/freescale/fman/mac.c
++++ b/drivers/net/ethernet/freescale/fman/mac.c
+@@ -882,12 +882,21 @@ static int mac_probe(struct platform_device *_of_dev)
+       return err;
+ }
++static int mac_remove(struct platform_device *pdev)
++{
++      struct mac_device *mac_dev = platform_get_drvdata(pdev);
++
++      platform_device_unregister(mac_dev->priv->eth_dev);
++      return 0;
++}
++
+ static struct platform_driver mac_driver = {
+       .driver = {
+               .name           = KBUILD_MODNAME,
+               .of_match_table = mac_match,
+       },
+       .probe          = mac_probe,
++      .remove         = mac_remove,
+ };
+ builtin_platform_driver(mac_driver);
+-- 
+2.35.1
+
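Review bot: mac_remove() dereferences the result of platform_get_drvdata() without a check. The body of mac_probe() is outside the hunk, so it is not visible whether the probe in this tree ever stores the mac_device as driver data. If it does not, `mac_dev` is NULL and unbinding the device faults in the kernel. Confirm that the matching platform_set_drvdata() exists in the 5.15 tree, or guard the function with `if (!mac_dev) return 0;` before touching `mac_dev->priv`.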
diff --git a/queue-5.15/net-gso-fix-panic-on-frag_list-with-mixed-head-alloc.patch b/queue-5.15/net-gso-fix-panic-on-frag_list-with-mixed-head-alloc.patch
new file mode 100644 (file)
index 0000000..8093a2b
--- /dev/null
@@ -0,0 +1,105 @@
+From faad69bc387e7f37e85550be1917d03f2314e669 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 17:53:25 +0100
+Subject: net: gso: fix panic on frag_list with mixed head alloc types
+
+From: Jiri Benc <jbenc@redhat.com>
+
+[ Upstream commit 9e4b7a99a03aefd37ba7bb1f022c8efab5019165 ]
+
+Since commit 3dcbdb134f32 ("net: gso: Fix skb_segment splat when
+splitting gso_size mangled skb having linear-headed frag_list"), it is
+allowed to change gso_size of a GRO packet. However, that commit assumes
+that "checking the first list_skb member suffices; i.e if either of the
+list_skb members have non head_frag head, then the first one has too".
+
+It turns out this assumption does not hold. We've seen BUG_ON being hit
+in skb_segment when skbs on the frag_list had differing head_frag with
+the vmxnet3 driver. This happens because __netdev_alloc_skb and
+__napi_alloc_skb can return a skb that is page backed or kmalloced
+depending on the requested size. As the result, the last small skb in
+the GRO packet can be kmalloced.
+
+There are three different locations where this can be fixed:
+
+(1) We could check head_frag in GRO and not allow GROing skbs with
+    different head_frag. However, that would lead to performance
+    regression on normal forward paths with unmodified gso_size, where
+    !head_frag in the last packet is not a problem.
+
+(2) Set a flag in bpf_skb_net_grow and bpf_skb_net_shrink indicating
+    that NETIF_F_SG is undesirable. That would need to eat a bit in
+    sk_buff. Furthermore, that flag can be unset when all skbs on the
+    frag_list are page backed. To retain good performance,
+    bpf_skb_net_grow/shrink would have to walk the frag_list.
+
+(3) Walk the frag_list in skb_segment when determining whether
+    NETIF_F_SG should be cleared. This of course slows things down.
+
+This patch implements (3). To limit the performance impact in
+skb_segment, the list is walked only for skbs with SKB_GSO_DODGY set
+that have gso_size changed. Normal paths thus will not hit it.
+
+We could check only the last skb but since we need to walk the whole
+list anyway, let's stay on the safe side.
+
+Fixes: 3dcbdb134f32 ("net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list")
+Signed-off-by: Jiri Benc <jbenc@redhat.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/e04426a6a91baf4d1081e1b478c82b5de25fdf21.1667407944.git.jbenc@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skbuff.c | 36 +++++++++++++++++++-----------------
+ 1 file changed, 19 insertions(+), 17 deletions(-)
+
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index 9cc607b2d3d2..6706bd3c8e9c 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -4010,23 +4010,25 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
+       int i = 0;
+       int pos;
+-      if (list_skb && !list_skb->head_frag && skb_headlen(list_skb) &&
+-          (skb_shinfo(head_skb)->gso_type & SKB_GSO_DODGY)) {
+-              /* gso_size is untrusted, and we have a frag_list with a linear
+-               * non head_frag head.
+-               *
+-               * (we assume checking the first list_skb member suffices;
+-               * i.e if either of the list_skb members have non head_frag
+-               * head, then the first one has too).
+-               *
+-               * If head_skb's headlen does not fit requested gso_size, it
+-               * means that the frag_list members do NOT terminate on exact
+-               * gso_size boundaries. Hence we cannot perform skb_frag_t page
+-               * sharing. Therefore we must fallback to copying the frag_list
+-               * skbs; we do so by disabling SG.
+-               */
+-              if (mss != GSO_BY_FRAGS && mss != skb_headlen(head_skb))
+-                      features &= ~NETIF_F_SG;
++      if ((skb_shinfo(head_skb)->gso_type & SKB_GSO_DODGY) &&
++          mss != GSO_BY_FRAGS && mss != skb_headlen(head_skb)) {
++              struct sk_buff *check_skb;
++
++              for (check_skb = list_skb; check_skb; check_skb = check_skb->next) {
++                      if (skb_headlen(check_skb) && !check_skb->head_frag) {
++                              /* gso_size is untrusted, and we have a frag_list with
++                               * a linear non head_frag item.
++                               *
++                               * If head_skb's headlen does not fit requested gso_size,
++                               * it means that the frag_list members do NOT terminate
++                               * on exact gso_size boundaries. Hence we cannot perform
++                               * skb_frag_t page sharing. Therefore we must fallback to
++                               * copying the frag_list skbs; we do so by disabling SG.
++                               */
++                              features &= ~NETIF_F_SG;
++                              break;
++                      }
++              }
+       }
+       __skb_push(head_skb, doffset);
+-- 
+2.35.1
+
diff --git a/queue-5.15/net-lapbether-fix-issue-of-dev-reference-count-leaka.patch b/queue-5.15/net-lapbether-fix-issue-of-dev-reference-count-leaka.patch
new file mode 100644 (file)
index 0000000..6f4b8ee
--- /dev/null
@@ -0,0 +1,49 @@
+From 59b0aee5e9d69372ce2dd45f7ed2d42afd4332ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 17:05:37 +0800
+Subject: net: lapbether: fix issue of dev reference count leakage in
+ lapbeth_device_event()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 531705a765493655472c993627106e19f7e5a6d2 ]
+
+When following tests are performed, it will cause dev reference counting
+leakage.
+a)ip link add bond2 type bond mode balance-rr
+b)ip link set bond2 up
+c)ifenslave -f bond2 rose1
+d)ip link del bond2
+
+When new bond device is created, the default type of the bond device is
+ether. And the bond device is up, lapbeth_device_event() receives the
+message and creates a new lapbeth device. In this case, the reference
+count value of dev is hold once. But after "ifenslave -f bond2 rose1"
+command is executed, the type of the bond device is changed to rose. When
+the bond device is unregistered, lapbeth_device_event() will not put the
+dev reference count.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/lapbether.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c
+index 89d31adc3809..365edfd804ef 100644
+--- a/drivers/net/wan/lapbether.c
++++ b/drivers/net/wan/lapbether.c
+@@ -446,7 +446,7 @@ static int lapbeth_device_event(struct notifier_block *this,
+       if (dev_net(dev) != &init_net)
+               return NOTIFY_DONE;
+-      if (!dev_is_ethdev(dev))
++      if (!dev_is_ethdev(dev) && !lapbeth_get_x25_dev(dev))
+               return NOTIFY_DONE;
+       switch (event) {
+-- 
+2.35.1
+
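Review bot: The widened condition in lapbeth_device_event() has no comment, and its reason is not obvious from the code alone. I would add above it `/* the device type may change after a lapbeth was attached (e.g. a bond); keep handling it so the reference is dropped on unregister */`. lapbeth_get_x25_dev() is now called for every event on every non-Ethernet device in init_net. Its cost and locking requirements are outside the hunk and worth a quick check.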
diff --git a/queue-5.15/net-lapbether-fix-issue-of-invalid-opcode-in-lapbeth.patch b/queue-5.15/net-lapbether-fix-issue-of-invalid-opcode-in-lapbeth.patch
new file mode 100644 (file)
index 0000000..0649e6d
--- /dev/null
@@ -0,0 +1,55 @@
+From ca1272a8bc1ac866e5983379a9f41cd5262185c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 09:14:45 +0800
+Subject: net: lapbether: fix issue of invalid opcode in lapbeth_open()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 3faf7e14ec0c3462c2d747fa6793b8645d1391df ]
+
+If lapb_register() failed when lapb device goes to up for the first time,
+the NAPI is not disabled. As a result, the invalid opcode issue is
+reported when the lapb device goes to up for the second time.
+
+The stack info is as follows:
+[ 1958.311422][T11356] kernel BUG at net/core/dev.c:6442!
+[ 1958.312206][T11356] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
+[ 1958.315979][T11356] RIP: 0010:napi_enable+0x16a/0x1f0
+[ 1958.332310][T11356] Call Trace:
+[ 1958.332817][T11356]  <TASK>
+[ 1958.336135][T11356]  lapbeth_open+0x18/0x90
+[ 1958.337446][T11356]  __dev_open+0x258/0x490
+[ 1958.341672][T11356]  __dev_change_flags+0x4d4/0x6a0
+[ 1958.345325][T11356]  dev_change_flags+0x93/0x160
+[ 1958.346027][T11356]  devinet_ioctl+0x1276/0x1bf0
+[ 1958.346738][T11356]  inet_ioctl+0x1c8/0x2d0
+[ 1958.349638][T11356]  sock_ioctl+0x5d1/0x750
+[ 1958.356059][T11356]  __x64_sys_ioctl+0x3ec/0x1790
+[ 1958.365594][T11356]  do_syscall_64+0x35/0x80
+[ 1958.366239][T11356]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
+[ 1958.377381][T11356]  </TASK>
+
+Fixes: 514e1150da9c ("net: x25: Queue received packets in the drivers instead of per-CPU queues")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Link: https://lore.kernel.org/r/20221107011445.207372-1-shaozhengchao@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/lapbether.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c
+index 365edfd804ef..5037ef82be46 100644
+--- a/drivers/net/wan/lapbether.c
++++ b/drivers/net/wan/lapbether.c
+@@ -325,6 +325,7 @@ static int lapbeth_open(struct net_device *dev)
+       err = lapb_register(dev, &lapbeth_callbacks);
+       if (err != LAPB_OK) {
++              napi_disable(&lapbeth->napi);
+               pr_err("lapb_register error: %d\n", err);
+               return -ENODEV;
+       }
+-- 
+2.35.1
+
diff --git a/queue-5.15/net-macvlan-fix-memory-leaks-of-macvlan_common_newli.patch b/queue-5.15/net-macvlan-fix-memory-leaks-of-macvlan_common_newli.patch
new file mode 100644 (file)
index 0000000..b98119f
--- /dev/null
@@ -0,0 +1,68 @@
+From c24f6c3c9c1d9cf27ec24f25a79ae8cde8d7391e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 17:07:34 +0800
+Subject: net: macvlan: fix memory leaks of macvlan_common_newlink
+
+From: Chuang Wang <nashuiliang@gmail.com>
+
+[ Upstream commit 23569b5652ee8e8e55a12f7835f59af6f3cefc30 ]
+
+kmemleak reports memory leaks in macvlan_common_newlink, as follows:
+
+ ip link add link eth0 name .. type macvlan mode source macaddr add
+ <MAC-ADDR>
+
+kmemleak reports:
+
+unreferenced object 0xffff8880109bb140 (size 64):
+  comm "ip", pid 284, jiffies 4294986150 (age 430.108s)
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 b8 aa 5a 12 80 88 ff ff  ..........Z.....
+    80 1b fa 0d 80 88 ff ff 1e ff ac af c7 c1 6b 6b  ..............kk
+  backtrace:
+    [<ffffffff813e06a7>] kmem_cache_alloc_trace+0x1c7/0x300
+    [<ffffffff81b66025>] macvlan_hash_add_source+0x45/0xc0
+    [<ffffffff81b66a67>] macvlan_changelink_sources+0xd7/0x170
+    [<ffffffff81b6775c>] macvlan_common_newlink+0x38c/0x5a0
+    [<ffffffff81b6797e>] macvlan_newlink+0xe/0x20
+    [<ffffffff81d97f8f>] __rtnl_newlink+0x7af/0xa50
+    [<ffffffff81d98278>] rtnl_newlink+0x48/0x70
+    ...
+
+In the scenario where the macvlan mode is configured as 'source',
+macvlan_changelink_sources() will be execured to reconfigure list of
+remote source mac addresses, at the same time, if register_netdevice()
+return an error, the resource generated by macvlan_changelink_sources()
+is not cleaned up.
+
+Using this patch, in the case of an error, it will execute
+macvlan_flush_sources() to ensure that the resource is cleaned up.
+
+Fixes: aa5fd0fb7748 ("driver: macvlan: Destroy new macvlan port if macvlan_common_newlink failed.")
+Signed-off-by: Chuang Wang <nashuiliang@gmail.com>
+Link: https://lore.kernel.org/r/20221109090735.690500-1-nashuiliang@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macvlan.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
+index 6363459ba1d0..cdc238dda1e1 100644
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -1521,8 +1521,10 @@ int macvlan_common_newlink(struct net *src_net, struct net_device *dev,
+       /* the macvlan port may be freed by macvlan_uninit when fail to register.
+        * so we destroy the macvlan port only when it's valid.
+        */
+-      if (create && macvlan_port_get_rtnl(lowerdev))
++      if (create && macvlan_port_get_rtnl(lowerdev)) {
++              macvlan_flush_sources(port, vlan);
+               macvlan_port_destroy(port->dev);
++      }
+       return err;
+ }
+ EXPORT_SYMBOL_GPL(macvlan_common_newlink);
+-- 
+2.35.1
+
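Review bot: The new macvlan_flush_sources() call is gated on `create`, so it runs only when this call created the port. The code before the error label is outside the hunk; if the label can be reached after macvlan_changelink_sources() succeeded on a lower device that already had a port, the source entries added for `vlan` would stay in that port's table. That would be the same leak, and the entries would then refer to a device that is about to be freed. If the path exists, flush unconditionally and keep only the destroy gated: `macvlan_flush_sources(port, vlan);` ahead of `if (create && macvlan_port_get_rtnl(lowerdev))`, after checking that `port` is still valid there.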
diff --git a/queue-5.15/net-marvell-prestera-fix-memory-leak-in-prestera_rxt.patch b/queue-5.15/net-marvell-prestera-fix-memory-leak-in-prestera_rxt.patch
new file mode 100644 (file)
index 0000000..3a5aea3
--- /dev/null
@@ -0,0 +1,51 @@
+From a10f90435a4be26f69a17d97a9d601e0c6b6e4d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 10:56:07 +0800
+Subject: net: marvell: prestera: fix memory leak in
+ prestera_rxtx_switch_init()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 519b58bbfa825f042fcf80261cc18e1e35f85ffd ]
+
+When prestera_sdma_switch_init() failed, the memory pointed to by
+sw->rxtx isn't released. Fix it. Only be compiled, not be tested.
+
+Fixes: 501ef3066c89 ("net: marvell: prestera: Add driver for Prestera family ASIC devices")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Reviewed-by: Vadym Kochan <vadym.kochan@plvision.eu>
+Link: https://lore.kernel.org/r/20221108025607.338450-1-shaozhengchao@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/prestera/prestera_rxtx.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/prestera/prestera_rxtx.c b/drivers/net/ethernet/marvell/prestera/prestera_rxtx.c
+index 73d2eba5262f..a47aa624f745 100644
+--- a/drivers/net/ethernet/marvell/prestera/prestera_rxtx.c
++++ b/drivers/net/ethernet/marvell/prestera/prestera_rxtx.c
+@@ -776,6 +776,7 @@ static netdev_tx_t prestera_sdma_xmit(struct prestera_sdma *sdma,
+ int prestera_rxtx_switch_init(struct prestera_switch *sw)
+ {
+       struct prestera_rxtx *rxtx;
++      int err;
+       rxtx = kzalloc(sizeof(*rxtx), GFP_KERNEL);
+       if (!rxtx)
+@@ -783,7 +784,11 @@ int prestera_rxtx_switch_init(struct prestera_switch *sw)
+       sw->rxtx = rxtx;
+-      return prestera_sdma_switch_init(sw);
++      err = prestera_sdma_switch_init(sw);
++      if (err)
++              kfree(rxtx);
++
++      return err;
+ }
+ void prestera_rxtx_switch_fini(struct prestera_switch *sw)
+-- 
+2.35.1
+
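Review bot: After `kfree(rxtx)` on the new error path in prestera_rxtx_switch_init(), `sw->rxtx` still holds the freed pointer, because it was assigned before prestera_sdma_switch_init() ran. The hunk shows no later reader, but any teardown or retry path that tests or dereferences `sw->rxtx` would touch freed memory. Clearing it alongside the free closes that gap: `if (err) { kfree(rxtx); sw->rxtx = NULL; }`. The commit message says the change was only compile-tested, so this failure path has not been exercised.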
diff --git a/queue-5.15/net-mlx5-allow-async-trigger-completion-execution-on.patch b/queue-5.15/net-mlx5-allow-async-trigger-completion-execution-on.patch
new file mode 100644 (file)
index 0000000..8297b9f
--- /dev/null
@@ -0,0 +1,58 @@
+From f3b312e3d7896cdb01301e837c6a77adfe40c1ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 23:55:38 -0700
+Subject: net/mlx5: Allow async trigger completion execution on single CPU
+ systems
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Roy Novich <royno@nvidia.com>
+
+[ Upstream commit 2808b37b59288ad8f1897e3546c2296df3384b65 ]
+
+For a single CPU system, the kernel thread executing mlx5_cmd_flush()
+never releases the CPU but calls down_trylock(&cmd→sem) in a busy loop.
+On a single processor system, this leads to a deadlock as the kernel
+thread which executes mlx5_cmd_invoke() never gets scheduled. Fix this,
+by adding the cond_resched() call to the loop, allow the command
+completion kernel thread to execute.
+
+Fixes: 8e715cd613a1 ("net/mlx5: Set command entry semaphore up once got index free")
+Signed-off-by: Alexander Schmidt <alexschm@de.ibm.com>
+Signed-off-by: Roy Novich <royno@nvidia.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+index 8a3100f32d3b..98ca5d1ed45d 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -1699,12 +1699,17 @@ void mlx5_cmd_flush(struct mlx5_core_dev *dev)
+       struct mlx5_cmd *cmd = &dev->cmd;
+       int i;
+-      for (i = 0; i < cmd->max_reg_cmds; i++)
+-              while (down_trylock(&cmd->sem))
++      for (i = 0; i < cmd->max_reg_cmds; i++) {
++              while (down_trylock(&cmd->sem)) {
+                       mlx5_cmd_trigger_completions(dev);
++                      cond_resched();
++              }
++      }
+-      while (down_trylock(&cmd->pages_sem))
++      while (down_trylock(&cmd->pages_sem)) {
+               mlx5_cmd_trigger_completions(dev);
++              cond_resched();
++      }
+       /* Unlock cmdif */
+       up(&cmd->pages_sem);
+-- 
+2.35.1
+
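Review bot: Both loops in mlx5_cmd_flush() still have no exit condition other than the semaphore becoming free, so with `cond_resched()` they no longer starve the completion thread but would still spin indefinitely if completions never arrive. Whether that can happen is not visible from this hunk, and the function's start and end are outside it. At minimum, a comment on the new calls would record why they are there, e.g. `/* yield so the command completion thread can run on a single CPU */`.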
diff --git a/queue-5.15/net-mlx5-bridge-verify-lag-state-when-adding-bond-to.patch b/queue-5.15/net-mlx5-bridge-verify-lag-state-when-adding-bond-to.patch
new file mode 100644 (file)
index 0000000..33a4c52
--- /dev/null
@@ -0,0 +1,81 @@
+From 973c27733f644c0ce6ae8b4770a0b7ffb85205c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 23:55:37 -0700
+Subject: net/mlx5: Bridge, verify LAG state when adding bond to bridge
+
+From: Vlad Buslov <vladbu@nvidia.com>
+
+[ Upstream commit 15f8f168952f54d3c86d734dc764f20844e423ac ]
+
+Mlx5 LAG is initialized asynchronously on a workqueue which means that for
+a brief moment after setting mlx5 UL representors as lower devices of a
+bond netdevice the LAG itself is not fully initialized in the driver. When
+adding such bond device to a bridge mlx5 bridge code will not consider it
+as offload-capable, skip creating necessary bookkeeping and fail any
+further bridge offload-related commands with it (setting VLANs, offloading
+FDBs, etc.). In order to make the error explicit during bridge
+initialization stage implement the code that detects such condition during
+NETDEV_PRECHANGEUPPER event and returns an error.
+
+Fixes: ff9b7521468b ("net/mlx5: Bridge, support LAG")
+Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
+Reviewed-by: Roi Dayan <roid@nvidia.com>
+Reviewed-by: Mark Bloch <mbloch@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mellanox/mlx5/core/en/rep/bridge.c        | 31 +++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c b/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c
+index 48dc121b2cb4..8e7177d4539e 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c
+@@ -164,6 +164,36 @@ static int mlx5_esw_bridge_port_changeupper(struct notifier_block *nb, void *ptr
+       return err;
+ }
++static int
++mlx5_esw_bridge_changeupper_validate_netdev(void *ptr)
++{
++      struct net_device *dev = netdev_notifier_info_to_dev(ptr);
++      struct netdev_notifier_changeupper_info *info = ptr;
++      struct net_device *upper = info->upper_dev;
++      struct net_device *lower;
++      struct list_head *iter;
++
++      if (!netif_is_bridge_master(upper) || !netif_is_lag_master(dev))
++              return 0;
++
++      netdev_for_each_lower_dev(dev, lower, iter) {
++              struct mlx5_core_dev *mdev;
++              struct mlx5e_priv *priv;
++
++              if (!mlx5e_eswitch_rep(lower))
++                      continue;
++
++              priv = netdev_priv(lower);
++              mdev = priv->mdev;
++              if (!mlx5_lag_is_active(mdev))
++                      return -EAGAIN;
++              if (!mlx5_lag_is_shared_fdb(mdev))
++                      return -EOPNOTSUPP;
++      }
++
++      return 0;
++}
++
+ static int mlx5_esw_bridge_switchdev_port_event(struct notifier_block *nb,
+                                               unsigned long event, void *ptr)
+ {
+@@ -171,6 +201,7 @@ static int mlx5_esw_bridge_switchdev_port_event(struct notifier_block *nb,
+       switch (event) {
+       case NETDEV_PRECHANGEUPPER:
++              err = mlx5_esw_bridge_changeupper_validate_netdev(ptr);
+               break;
+       case NETDEV_CHANGEUPPER:
+-- 
+2.35.1
+
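Review bot: mlx5_esw_bridge_changeupper_validate_netdev() rejects the enslavement with a bare `-EAGAIN` or `-EOPNOTSUPP`, so the user adding the bond to the bridge gets no hint that the LAG is still initialising or lacks shared FDB. The notifier info carries an extack; fetching it with `netdev_notifier_info_to_extack(&info->info)` and setting a message before each return, e.g. `NL_SET_ERR_MSG_MOD(extack, "LAG is not active yet, retry");`, would make the failure self-explanatory. The new function also has no comment saying that it runs on NETDEV_PRECHANGEUPPER and what each return code means.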
diff --git a/queue-5.15/net-mlx5e-e-switch-fix-comparing-termination-table-i.patch b/queue-5.15/net-mlx5e-e-switch-fix-comparing-termination-table-i.patch
new file mode 100644 (file)
index 0000000..738e781
--- /dev/null
@@ -0,0 +1,60 @@
+From 688709e868001dfb04e013e85bc68dd67a7d5bb6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 23:55:46 -0700
+Subject: net/mlx5e: E-Switch, Fix comparing termination table instance
+
+From: Roi Dayan <roid@nvidia.com>
+
+[ Upstream commit f4f4096b410e8d31c3f07f39de3b17d144edd53d ]
+
+The pkt_reformat pointer being saved under flow_act and not
+dest attribute in the termination table instance.
+Fix the comparison pointers.
+
+Also fix returning success if one pkt_reformat pointer is null
+and the other is not.
+
+Fixes: 249ccc3c95bd ("net/mlx5e: Add support for offloading traffic from uplink to uplink")
+Signed-off-by: Roi Dayan <roid@nvidia.com>
+Reviewed-by: Chris Mi <cmi@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mellanox/mlx5/core/eswitch_offloads_termtbl.c  | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c
+index b45954905845..8f86b62e49e3 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c
+@@ -30,9 +30,9 @@ mlx5_eswitch_termtbl_hash(struct mlx5_flow_act *flow_act,
+                    sizeof(dest->vport.num), hash);
+       hash = jhash((const void *)&dest->vport.vhca_id,
+                    sizeof(dest->vport.num), hash);
+-      if (dest->vport.pkt_reformat)
+-              hash = jhash(dest->vport.pkt_reformat,
+-                           sizeof(*dest->vport.pkt_reformat),
++      if (flow_act->pkt_reformat)
++              hash = jhash(flow_act->pkt_reformat,
++                           sizeof(*flow_act->pkt_reformat),
+                            hash);
+       return hash;
+ }
+@@ -53,9 +53,11 @@ mlx5_eswitch_termtbl_cmp(struct mlx5_flow_act *flow_act1,
+       if (ret)
+               return ret;
+-      return dest1->vport.pkt_reformat && dest2->vport.pkt_reformat ?
+-             memcmp(dest1->vport.pkt_reformat, dest2->vport.pkt_reformat,
+-                    sizeof(*dest1->vport.pkt_reformat)) : 0;
++      if (flow_act1->pkt_reformat && flow_act2->pkt_reformat)
++              return memcmp(flow_act1->pkt_reformat, flow_act2->pkt_reformat,
++                            sizeof(*flow_act1->pkt_reformat));
++
++      return !(flow_act1->pkt_reformat == flow_act2->pkt_reformat);
+ }
+ static int
+-- 
+2.35.1
+
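Review bot: The final return in mlx5_eswitch_termtbl_cmp(), `return !(flow_act1->pkt_reformat == flow_act2->pkt_reformat);`, reads more directly as `return flow_act1->pkt_reformat != flow_act2->pkt_reformat;`. A short comment that this line is reached only when at least one side has no reformat object would also help. Separately, the unchanged context in mlx5_eswitch_termtbl_hash() hashes `dest->vport.vhca_id` with `sizeof(dest->vport.num)`; that is harmless only if the two fields have the same size, which the hunk does not show, so `sizeof(dest->vport.vhca_id)` would be the safer length. Both functions begin outside their hunks.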
diff --git a/queue-5.15/net-mv643xx_eth-disable-napi-when-init-rxq-or-txq-fa.patch b/queue-5.15/net-mv643xx_eth-disable-napi-when-init-rxq-or-txq-fa.patch
new file mode 100644 (file)
index 0000000..78ac73f
--- /dev/null
@@ -0,0 +1,38 @@
+From e681f16b2fdc3881182d9633c3dd101450bfb86f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 10:54:32 +0800
+Subject: net: mv643xx_eth: disable napi when init rxq or txq failed in
+ mv643xx_eth_open()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit f111606b63ff2282428ffbac0447c871eb957b6c ]
+
+When failed to init rxq or txq in mv643xx_eth_open() for opening device,
+napi isn't disabled. When open mv643xx_eth device next time, it will
+trigger a BUG_ON() in napi_enable(). Compile tested only.
+
+Fixes: 2257e05c1705 ("mv643xx_eth: get rid of receive-side locking")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Link: https://lore.kernel.org/r/20221109025432.80900-1-shaozhengchao@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mv643xx_eth.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/marvell/mv643xx_eth.c b/drivers/net/ethernet/marvell/mv643xx_eth.c
+index 90fd5588e20d..fc67e9d31f6d 100644
+--- a/drivers/net/ethernet/marvell/mv643xx_eth.c
++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c
+@@ -2477,6 +2477,7 @@ static int mv643xx_eth_open(struct net_device *dev)
+       for (i = 0; i < mp->rxq_count; i++)
+               rxq_deinit(mp->rxq + i);
+ out:
++      napi_disable(&mp->napi);
+       free_irq(dev->irq, dev);
+       return err;
+-- 
+2.35.1
+
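Review bot: The new `napi_disable(&mp->napi);` sits under the shared `out:` label in mv643xx_eth_open(), so it is correct only if every `goto out` happens after `napi_enable()`. The hunk does not show the top of the function, so that ordering should be confirmed. Calling napi_disable() on a NAPI context that was never enabled can block, which would turn a failed open into a hang. The same check applies to the `napi_disable(&priv->napi);` added under `err_tx_irq:` in the nixge_open() patch that follows; both commit messages say the change was only compile-tested.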
diff --git a/queue-5.15/net-nixge-disable-napi-when-enable-interrupts-failed.patch b/queue-5.15/net-nixge-disable-napi-when-enable-interrupts-failed.patch
new file mode 100644 (file)
index 0000000..bbb1c24
--- /dev/null
@@ -0,0 +1,38 @@
+From 605b42466c60d1732e981a8e183ce485ff57021a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 18:14:43 +0800
+Subject: net: nixge: disable napi when enable interrupts failed in
+ nixge_open()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit b06334919c7a068d54ba5b219c05e919d89943f7 ]
+
+When failed to enable interrupts in nixge_open() for opening device,
+napi isn't disabled. When open nixge device next time, it will reports
+a invalid opcode issue. Fix it. Only be compiled, not be tested.
+
+Fixes: 492caffa8a1a ("net: ethernet: nixge: Add support for National Instruments XGE netdev")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Link: https://lore.kernel.org/r/20221107101443.120205-1-shaozhengchao@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ni/nixge.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/ni/nixge.c b/drivers/net/ethernet/ni/nixge.c
+index 346145d3180e..057b7419404d 100644
+--- a/drivers/net/ethernet/ni/nixge.c
++++ b/drivers/net/ethernet/ni/nixge.c
+@@ -899,6 +899,7 @@ static int nixge_open(struct net_device *ndev)
+ err_rx_irq:
+       free_irq(priv->tx_irq, ndev);
+ err_tx_irq:
++      napi_disable(&priv->napi);
+       phy_stop(phy);
+       phy_disconnect(phy);
+       tasklet_kill(&priv->dma_err_tasklet);
+-- 
+2.35.1
+
diff --git a/queue-5.15/net-phy-mscc-macsec-clear-encryption-keys-when-freei.patch b/queue-5.15/net-phy-mscc-macsec-clear-encryption-keys-when-freei.patch
new file mode 100644 (file)
index 0000000..b4f8300
--- /dev/null
@@ -0,0 +1,37 @@
+From 2f4c82c786697f328d5b7e814fc58bfd2c5aca44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 16:34:58 +0100
+Subject: net: phy: mscc: macsec: clear encryption keys when freeing a flow
+
+From: Antoine Tenart <atenart@kernel.org>
+
+[ Upstream commit 1b16b3fdf675cca15a537572bac50cc5354368fc ]
+
+Commit aaab73f8fba4 ("macsec: clear encryption keys from the stack after
+setting up offload") made sure to clean encryption keys from the stack
+after setting up offloading, but the MSCC PHY driver made a copy, kept
+it in the flow data and did not clear it when freeing a flow. Fix this.
+
+Fixes: 28c5107aa904 ("net: phy: mscc: macsec support")
+Signed-off-by: Antoine Tenart <atenart@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mscc/mscc_macsec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/phy/mscc/mscc_macsec.c b/drivers/net/phy/mscc/mscc_macsec.c
+index b7b2521c73fb..c00eef457b85 100644
+--- a/drivers/net/phy/mscc/mscc_macsec.c
++++ b/drivers/net/phy/mscc/mscc_macsec.c
+@@ -632,6 +632,7 @@ static void vsc8584_macsec_free_flow(struct vsc8531_private *priv,
+       list_del(&flow->list);
+       clear_bit(flow->index, bitmap);
++      memzero_explicit(flow->key, sizeof(flow->key));
+       kfree(flow);
+ }
+-- 
+2.35.1
+
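Review bot: `memzero_explicit(flow->key, sizeof(flow->key));` in vsc8584_macsec_free_flow() wipes the whole key only if `key` is an array member of the flow structure. The structure definition is outside this hunk, and if `key` were a pointer the call would clear only pointer-size bytes. Replacing the wipe and the `kfree(flow);` with `kfree_sensitive(flow);` avoids depending on the field layout and also clears any other key-derived data kept in the flow. Either way, a one-line comment such as `/* do not leave the key copy in freed memory */` would keep the wipe from being dropped in a later cleanup.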
diff --git a/queue-5.15/net-stmmac-dwmac-meson8b-fix-meson8b_devm_clk_prepar.patch b/queue-5.15/net-stmmac-dwmac-meson8b-fix-meson8b_devm_clk_prepar.patch
new file mode 100644 (file)
index 0000000..315a1c5
--- /dev/null
@@ -0,0 +1,55 @@
+From d9297c19696c00d8739649bcd721d8348e4dac4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 09:30:04 +0100
+Subject: net: stmmac: dwmac-meson8b: fix meson8b_devm_clk_prepare_enable()
+
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+
+[ Upstream commit ed4314f7729714d788698ade4f9905ee5378ebc0 ]
+
+There are two problems with meson8b_devm_clk_prepare_enable(),
+introduced in commit a54dc4a49045 ("net: stmmac: dwmac-meson8b:
+Make the clock enabling code re-usable"):
+
+- It doesn't pass the clk argument, but instead always the
+  rgmii_tx_clk of the device.
+
+- It silently ignores the return value of devm_add_action_or_reset().
+
+The former didn't become an actual bug until another user showed up in
+the next commit 9308c47640d5 ("net: stmmac: dwmac-meson8b: add support
+for the RX delay configuration"). The latter means the callers could
+end up with the clock not actually prepared/enabled.
+
+Fixes: a54dc4a49045 ("net: stmmac: dwmac-meson8b: Make the clock enabling code re-usable")
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Link: https://lore.kernel.org/r/20221104083004.2212520-1-linux@rasmusvillemoes.dk
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c
+index c7a6588d9398..e8b507f88fbc 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c
+@@ -272,11 +272,9 @@ static int meson8b_devm_clk_prepare_enable(struct meson8b_dwmac *dwmac,
+       if (ret)
+               return ret;
+-      devm_add_action_or_reset(dwmac->dev,
+-                               (void(*)(void *))clk_disable_unprepare,
+-                               dwmac->rgmii_tx_clk);
+-
+-      return 0;
++      return devm_add_action_or_reset(dwmac->dev,
++                                      (void(*)(void *))clk_disable_unprepare,
++                                      clk);
+ }
+ static int meson8b_init_rgmii_delays(struct meson8b_dwmac *dwmac)
+-- 
+2.35.1
+
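Review bot: The rewritten return in meson8b_devm_clk_prepare_enable() keeps the cast `(void(*)(void *))clk_disable_unprepare`, which makes the devm core call a `void (struct clk *)` function through a `void (*)(void *)` pointer. That is a call through an incompatible function type in C, and it is the kind of indirect call that control-flow-integrity builds reject at run time. A small wrapper with the exact callback signature removes the cast. The start of the function is outside the hunk.

```c
static void meson8b_clk_disable_unprepare(void *data)
{
	clk_disable_unprepare(data);
}

/* … unchanged: start of meson8b_devm_clk_prepare_enable() up to the `if (ret) return ret;` check … */
	return devm_add_action_or_reset(dwmac->dev,
					meson8b_clk_disable_unprepare, clk);
```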
diff --git a/queue-5.15/net-tun-fix-memory-leaks-of-napi_get_frags.patch b/queue-5.15/net-tun-fix-memory-leaks-of-napi_get_frags.patch
new file mode 100644 (file)
index 0000000..ec75308
--- /dev/null
@@ -0,0 +1,73 @@
+From 3ede5800ec9fe978fdadea53e57319ecd2e52820 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 17:41:19 +0800
+Subject: net: tun: Fix memory leaks of napi_get_frags
+
+From: Wang Yufen <wangyufen@huawei.com>
+
+[ Upstream commit 1118b2049d77ca0b505775fc1a8d1909cf19a7ec ]
+
+kmemleak reports after running test_progs:
+
+unreferenced object 0xffff8881b1672dc0 (size 232):
+  comm "test_progs", pid 394388, jiffies 4354712116 (age 841.975s)
+  hex dump (first 32 bytes):
+    e0 84 d7 a8 81 88 ff ff 80 2c 67 b1 81 88 ff ff  .........,g.....
+    00 40 c5 9b 81 88 ff ff 00 00 00 00 00 00 00 00  .@..............
+  backtrace:
+    [<00000000c8f01748>] napi_skb_cache_get+0xd4/0x150
+    [<0000000041c7fc09>] __napi_build_skb+0x15/0x50
+    [<00000000431c7079>] __napi_alloc_skb+0x26e/0x540
+    [<000000003ecfa30e>] napi_get_frags+0x59/0x140
+    [<0000000099b2199e>] tun_get_user+0x183d/0x3bb0 [tun]
+    [<000000008a5adef0>] tun_chr_write_iter+0xc0/0x1b1 [tun]
+    [<0000000049993ff4>] do_iter_readv_writev+0x19f/0x320
+    [<000000008f338ea2>] do_iter_write+0x135/0x630
+    [<000000008a3377a4>] vfs_writev+0x12e/0x440
+    [<00000000a6b5639a>] do_writev+0x104/0x280
+    [<00000000ccf065d8>] do_syscall_64+0x3b/0x90
+    [<00000000d776e329>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+The issue occurs in the following scenarios:
+tun_get_user()
+  napi_gro_frags()
+    napi_frags_finish()
+      case GRO_NORMAL:
+        gro_normal_one()
+          list_add_tail(&skb->list, &napi->rx_list);
+          <-- While napi->rx_count < READ_ONCE(gro_normal_batch),
+          <-- gro_normal_list() is not called, napi->rx_list is not empty
+  <-- not ask to complete the gro work, will cause memory leaks in
+  <-- following tun_napi_del()
+...
+tun_napi_del()
+  netif_napi_del()
+    __netif_napi_del()
+    <-- &napi->rx_list is not empty, which caused memory leaks
+
+To fix, add napi_complete() after napi_gro_frags().
+
+Fixes: 90e33d459407 ("tun: enable napi_gro_frags() for TUN/TAP driver")
+Signed-off-by: Wang Yufen <wangyufen@huawei.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/tun.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index 9909f430d723..4e77b269ef0a 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1959,6 +1959,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
+               local_bh_disable();
+               napi_gro_frags(&tfile->napi);
++              napi_complete(&tfile->napi);
+               local_bh_enable();
+               mutex_unlock(&tfile->napi_mutex);
+       } else if (tfile->napi_enabled) {
+-- 
+2.35.1
+
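Review bot: The added `napi_complete(&tfile->napi);` in tun_get_user() has no comment, and its purpose is not obvious from the call site. According to the commit message it flushes skbs that napi_gro_frags() left on `napi->rx_list`, so that tun_napi_del() does not leak them. A comment saying so, e.g. `/* flush skbs still queued on napi->rx_list */`, would keep the call from being removed as redundant. The enclosing function starts and ends outside the hunk.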
diff --git a/queue-5.15/net-wwan-iosm-fix-memory-leak-in-ipc_pcie_read_bios_.patch b/queue-5.15/net-wwan-iosm-fix-memory-leak-in-ipc_pcie_read_bios_.patch
new file mode 100644 (file)
index 0000000..8ce0257
--- /dev/null
@@ -0,0 +1,59 @@
+From e2b8032a363c5d5ce70b115785844b25c682d7a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 13:04:49 +0530
+Subject: net: wwan: iosm: fix memory leak in ipc_pcie_read_bios_cfg
+
+From: M Chetan Kumar <m.chetan.kumar@linux.intel.com>
+
+[ Upstream commit d38a648d2d6cc7bee11c6f533ff9426a00c2a74c ]
+
+ipc_pcie_read_bios_cfg() is using the acpi_evaluate_dsm() to
+obtain the wwan power state configuration from BIOS but is
+not freeing the acpi_object. The acpi_evaluate_dsm() returned
+acpi_object to be freed.
+
+Free the acpi_object after use.
+
+Fixes: 7e98d785ae61 ("net: iosm: entry point")
+Signed-off-by: M Chetan Kumar <m.chetan.kumar@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wwan/iosm/iosm_ipc_pcie.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wwan/iosm/iosm_ipc_pcie.c b/drivers/net/wwan/iosm/iosm_ipc_pcie.c
+index 2fe88b8be348..01df23835be0 100644
+--- a/drivers/net/wwan/iosm/iosm_ipc_pcie.c
++++ b/drivers/net/wwan/iosm/iosm_ipc_pcie.c
+@@ -232,6 +232,7 @@ static void ipc_pcie_config_init(struct iosm_pcie *ipc_pcie)
+  */
+ static enum ipc_pcie_sleep_state ipc_pcie_read_bios_cfg(struct device *dev)
+ {
++      enum ipc_pcie_sleep_state sleep_state = IPC_PCIE_D0L12;
+       union acpi_object *object;
+       acpi_handle handle_acpi;
+@@ -242,12 +243,16 @@ static enum ipc_pcie_sleep_state ipc_pcie_read_bios_cfg(struct device *dev)
+       }
+       object = acpi_evaluate_dsm(handle_acpi, &wwan_acpi_guid, 0, 3, NULL);
++      if (!object)
++              goto default_ret;
++
++      if (object->integer.value == 3)
++              sleep_state = IPC_PCIE_D3L2;
+-      if (object && object->integer.value == 3)
+-              return IPC_PCIE_D3L2;
++      kfree(object);
+ default_ret:
+-      return IPC_PCIE_D0L12;
++      return sleep_state;
+ }
+ static int ipc_pcie_probe(struct pci_dev *pci,
+-- 
+2.35.1
+
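Review bot: In ipc_pcie_read_bios_cfg() the new code reads `object->integer.value` without checking the type of the object the firmware returned, so a _DSM that returns a buffer or package would have unrelated union bytes interpreted as the sleep-state value. Guard the read with the type: `if (object->type == ACPI_TYPE_INTEGER && object->integer.value == 3)`. The object is also released with `kfree(object)`; `ACPI_FREE(object)` is the matching release for memory handed out by the ACPI evaluation helpers. Part of the function lies between the two inner hunks and is not shown.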
diff --git a/queue-5.15/net-wwan-iosm-fix-memory-leak-in-ipc_wwan_dellink.patch b/queue-5.15/net-wwan-iosm-fix-memory-leak-in-ipc_wwan_dellink.patch
new file mode 100644 (file)
index 0000000..6689396
--- /dev/null
@@ -0,0 +1,42 @@
+From f0a90f766537557ca918b8f73198bf4cbb633b8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 18:40:00 +0800
+Subject: net: wwan: iosm: fix memory leak in ipc_wwan_dellink
+
+From: HW He <hw.he@mediatek.com>
+
+[ Upstream commit f25caaca424703d5a0607310f0452f978f1f78d9 ]
+
+IOSM driver registers network device without setting the
+needs_free_netdev flag, and does NOT call free_netdev() when
+unregisters network device, which causes a memory leak.
+
+This patch sets needs_free_netdev to true when registers
+network device, which makes netdev subsystem call free_netdev()
+automatically after unregister_netdevice().
+
+Fixes: 2a54f2c77934 ("net: iosm: net driver")
+Signed-off-by: HW He <hw.he@mediatek.com>
+Reviewed-by: Loic Poulain <loic.poulain@linaro.org>
+Signed-off-by: Zhaoping Shu <zhaoping.shu@mediatek.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wwan/iosm/iosm_ipc_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wwan/iosm/iosm_ipc_wwan.c b/drivers/net/wwan/iosm/iosm_ipc_wwan.c
+index 92f064a8f837..3449f877e19f 100644
+--- a/drivers/net/wwan/iosm/iosm_ipc_wwan.c
++++ b/drivers/net/wwan/iosm/iosm_ipc_wwan.c
+@@ -167,6 +167,7 @@ static void ipc_wwan_setup(struct net_device *iosm_dev)
+       iosm_dev->max_mtu = ETH_MAX_MTU;
+       iosm_dev->flags = IFF_POINTOPOINT | IFF_NOARP;
++      iosm_dev->needs_free_netdev = true;
+       iosm_dev->netdev_ops = &ipc_inm_ops;
+ }
+-- 
+2.35.1
+
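Review bot: Setting `iosm_dev->needs_free_netdev = true;` in ipc_wwan_setup() hands the final free_netdev() to the netdev core, but nothing at the assignment says so. A comment such as `/* netdev core frees the device after unregister_netdevice() */` would record that the driver's dellink and error paths must not free the device themselves. Those paths are outside the hunk and should be checked for an explicit free_netdev(), which would now be a double free. The same applies to `ndev->needs_free_netdev = true;` in mhi_mbim_setup() in the next patch.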
diff --git a/queue-5.15/net-wwan-mhi-fix-memory-leak-in-mhi_mbim_dellink.patch b/queue-5.15/net-wwan-mhi-fix-memory-leak-in-mhi_mbim_dellink.patch
new file mode 100644 (file)
index 0000000..95f93d2
--- /dev/null
@@ -0,0 +1,41 @@
+From a0b4885e1dd0d84200221af5fc38d2506e336fbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 18:54:19 +0800
+Subject: net: wwan: mhi: fix memory leak in mhi_mbim_dellink
+
+From: HW He <hw.he@mediatek.com>
+
+[ Upstream commit 668205b9c9f94d5ed6ab00cce9a46a654c2b5d16 ]
+
+MHI driver registers network device without setting the
+needs_free_netdev flag, and does NOT call free_netdev() when
+unregisters network device, which causes a memory leak.
+
+This patch sets needs_free_netdev to true when registers
+network device, which makes netdev subsystem call free_netdev()
+automatically after unregister_netdevice().
+
+Fixes: aa730a9905b7 ("net: wwan: Add MHI MBIM network driver")
+Signed-off-by: HW He <hw.he@mediatek.com>
+Signed-off-by: Zhaoping Shu <zhaoping.shu@mediatek.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wwan/mhi_wwan_mbim.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wwan/mhi_wwan_mbim.c b/drivers/net/wwan/mhi_wwan_mbim.c
+index 6872782e8dd8..ef70bb7c88ad 100644
+--- a/drivers/net/wwan/mhi_wwan_mbim.c
++++ b/drivers/net/wwan/mhi_wwan_mbim.c
+@@ -582,6 +582,7 @@ static void mhi_mbim_setup(struct net_device *ndev)
+       ndev->min_mtu = ETH_MIN_MTU;
+       ndev->max_mtu = MHI_MAX_BUF_SZ - ndev->needed_headroom;
+       ndev->tx_queue_len = 1000;
++      ndev->needs_free_netdev = true;
+ }
+ static const struct wwan_ops mhi_mbim_wwan_ops = {
+-- 
+2.35.1
+
diff --git a/queue-5.15/netfilter-cleanup-nft_net-module_list-from-nf_tables.patch b/queue-5.15/netfilter-cleanup-nft_net-module_list-from-nf_tables.patch
new file mode 100644 (file)
index 0000000..02df886
--- /dev/null
@@ -0,0 +1,79 @@
+From 9b1071bc2aab8a26d9f84a7980bd3dced665ad42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 22:08:49 +0900
+Subject: netfilter: Cleanup nft_net->module_list from nf_tables_exit_net()
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit 03c1f1ef1584c981935fab2fa0c45d3e43e2c235 ]
+
+syzbot reported a warning like below [1]:
+
+WARNING: CPU: 3 PID: 9 at net/netfilter/nf_tables_api.c:10096 nf_tables_exit_net+0x71c/0x840
+Modules linked in:
+CPU: 2 PID: 9 Comm: kworker/u8:0 Tainted: G        W          6.1.0-rc3-00072-g8e5423e991e8 #47
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014
+Workqueue: netns cleanup_net
+RIP: 0010:nf_tables_exit_net+0x71c/0x840
+...
+Call Trace:
+ <TASK>
+ ? __nft_release_table+0xfc0/0xfc0
+ ops_exit_list+0xb5/0x180
+ cleanup_net+0x506/0xb10
+ ? unregister_pernet_device+0x80/0x80
+ process_one_work+0xa38/0x1730
+ ? pwq_dec_nr_in_flight+0x2b0/0x2b0
+ ? rwlock_bug.part.0+0x90/0x90
+ ? _raw_spin_lock_irq+0x46/0x50
+ worker_thread+0x67e/0x10e0
+ ? process_one_work+0x1730/0x1730
+ kthread+0x2e5/0x3a0
+ ? kthread_complete_and_exit+0x40/0x40
+ ret_from_fork+0x1f/0x30
+ </TASK>
+
+In nf_tables_exit_net(), there is a case where nft_net->commit_list is
+empty but nft_net->module_list is not empty.  Such a case occurs with
+the following scenario:
+
+1. nfnetlink_rcv_batch() is called
+2. nf_tables_newset() returns -EAGAIN and NFNL_BATCH_FAILURE bit is
+   set to status
+3. nf_tables_abort() is called with NFNL_ABORT_AUTOLOAD
+   (nft_net->commit_list is released, but nft_net->module_list is not
+   because of NFNL_ABORT_AUTOLOAD flag)
+4. Jump to replay label
+5. netlink_skb_clone() fails and returns from the function (this is
+   caused by fault injection in the reproducer of syzbot)
+
+This patch fixes this issue by calling __nf_tables_abort() when
+nft_net->module_list is not empty in nf_tables_exit_net().
+
+Fixes: eb014de4fd41 ("netfilter: nf_tables: autoload modules from the abort path")
+Link: https://syzkaller.appspot.com/bug?id=802aba2422de4218ad0c01b46c9525cc9d4e4aa3 [1]
+Reported-by: syzbot+178efee9e2d7f87f5103@syzkaller.appspotmail.com
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 899f01c6c26c..227f03db7ee1 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -9884,7 +9884,8 @@ static void __net_exit nf_tables_exit_net(struct net *net)
+       struct nftables_pernet *nft_net = nft_pernet(net);
+       mutex_lock(&nft_net->commit_mutex);
+-      if (!list_empty(&nft_net->commit_list))
++      if (!list_empty(&nft_net->commit_list) ||
++          !list_empty(&nft_net->module_list))
+               __nf_tables_abort(net, NFNL_ABORT_NONE);
+       __nft_release_tables(net);
+       mutex_unlock(&nft_net->commit_mutex);
+-- 
+2.35.1
+
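Review bot: The widened condition in nf_tables_exit_net() has no comment explaining how `module_list` can be non-empty while `commit_list` is empty, which is the whole reason for the change. The commit message gives the case: an abort with NFNL_ABORT_AUTOLOAD that is not followed by a successful replay. A short comment above the `if`, e.g. `/* module_list may survive an autoload abort that was never replayed */`, would keep the second test from being dropped later. The end of the function is outside the hunk.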
diff --git a/queue-5.15/netfilter-nfnetlink-fix-potential-dead-lock-in-nfnet.patch b/queue-5.15/netfilter-nfnetlink-fix-potential-dead-lock-in-nfnet.patch
new file mode 100644 (file)
index 0000000..685ba42
--- /dev/null
@@ -0,0 +1,35 @@
+From 0f5483c72f1fdb159579df1a23dac9b5e0cd14f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 09:12:02 +0800
+Subject: netfilter: nfnetlink: fix potential dead lock in nfnetlink_rcv_msg()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit 03832a32bf8ff0a8305d94ddd3979835a807248f ]
+
+When type is NFNL_CB_MUTEX and -EAGAIN error occur in nfnetlink_rcv_msg(),
+it does not execute nfnl_unlock(). That would trigger potential dead lock.
+
+Fixes: 50f2db9e368f ("netfilter: nfnetlink: consolidate callback types")
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
+index 7e2c8dd01408..2cce4033a70a 100644
+--- a/net/netfilter/nfnetlink.c
++++ b/net/netfilter/nfnetlink.c
+@@ -290,6 +290,7 @@ static int nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
+                       nfnl_lock(subsys_id);
+                       if (nfnl_dereference_protected(subsys_id) != ss ||
+                           nfnetlink_find_client(type, ss) != nc) {
++                              nfnl_unlock(subsys_id);
+                               err = -EAGAIN;
+                               break;
+                       }
+-- 
+2.35.1
+
diff --git a/queue-5.15/octeontx2-pf-nix-tx-overwrites-sq_ctx_hw_s-sq_int.patch b/queue-5.15/octeontx2-pf-nix-tx-overwrites-sq_ctx_hw_s-sq_int.patch
new file mode 100644 (file)
index 0000000..6f562a3
--- /dev/null
@@ -0,0 +1,265 @@
+From 4122a153647bef6081ecb3d23322ae40eb07b77c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 08:41:13 +0530
+Subject: octeontx2-pf: NIX TX overwrites SQ_CTX_HW_S[SQ_INT]
+
+From: Ratheesh Kannoth <rkannoth@marvell.com>
+
+[ Upstream commit 51afe9026d0c63263abe9840e629f118d7405b36 ]
+
+In scenarios where multiple errors have occurred
+for a SQ before SW starts handling error interrupt,
+SQ_CTX[OP_INT] may get overwritten leading to
+NIX_LF_SQ_OP_INT returning incorrect value.
+To workaround this read LMT, MNQ and SQ individual
+error status registers to determine the cause of error.
+
+Fixes: 4ff7d1488a84 ("octeontx2-pf: Error handling support")
+Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com>
+Reviewed-by: Sunil Kovvuri Goutham <sgoutham@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/marvell/octeontx2/nic/otx2_pf.c  | 135 ++++++++++++++----
+ .../marvell/octeontx2/nic/otx2_struct.h       |  57 ++++++++
+ 2 files changed, 162 insertions(+), 30 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
+index b1894d4045b8..ab291c2c3014 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
+@@ -13,6 +13,7 @@
+ #include <linux/if_vlan.h>
+ #include <linux/iommu.h>
+ #include <net/ip.h>
++#include <linux/bitfield.h>
+ #include "otx2_reg.h"
+ #include "otx2_common.h"
+@@ -1153,6 +1154,59 @@ int otx2_set_real_num_queues(struct net_device *netdev,
+ }
+ EXPORT_SYMBOL(otx2_set_real_num_queues);
++static char *nix_sqoperr_e_str[NIX_SQOPERR_MAX] = {
++      "NIX_SQOPERR_OOR",
++      "NIX_SQOPERR_CTX_FAULT",
++      "NIX_SQOPERR_CTX_POISON",
++      "NIX_SQOPERR_DISABLED",
++      "NIX_SQOPERR_SIZE_ERR",
++      "NIX_SQOPERR_OFLOW",
++      "NIX_SQOPERR_SQB_NULL",
++      "NIX_SQOPERR_SQB_FAULT",
++      "NIX_SQOPERR_SQE_SZ_ZERO",
++};
++
++static char *nix_mnqerr_e_str[NIX_MNQERR_MAX] = {
++      "NIX_MNQERR_SQ_CTX_FAULT",
++      "NIX_MNQERR_SQ_CTX_POISON",
++      "NIX_MNQERR_SQB_FAULT",
++      "NIX_MNQERR_SQB_POISON",
++      "NIX_MNQERR_TOTAL_ERR",
++      "NIX_MNQERR_LSO_ERR",
++      "NIX_MNQERR_CQ_QUERY_ERR",
++      "NIX_MNQERR_MAX_SQE_SIZE_ERR",
++      "NIX_MNQERR_MAXLEN_ERR",
++      "NIX_MNQERR_SQE_SIZEM1_ZERO",
++};
++
++static char *nix_snd_status_e_str[NIX_SND_STATUS_MAX] =  {
++      "NIX_SND_STATUS_GOOD",
++      "NIX_SND_STATUS_SQ_CTX_FAULT",
++      "NIX_SND_STATUS_SQ_CTX_POISON",
++      "NIX_SND_STATUS_SQB_FAULT",
++      "NIX_SND_STATUS_SQB_POISON",
++      "NIX_SND_STATUS_HDR_ERR",
++      "NIX_SND_STATUS_EXT_ERR",
++      "NIX_SND_STATUS_JUMP_FAULT",
++      "NIX_SND_STATUS_JUMP_POISON",
++      "NIX_SND_STATUS_CRC_ERR",
++      "NIX_SND_STATUS_IMM_ERR",
++      "NIX_SND_STATUS_SG_ERR",
++      "NIX_SND_STATUS_MEM_ERR",
++      "NIX_SND_STATUS_INVALID_SUBDC",
++      "NIX_SND_STATUS_SUBDC_ORDER_ERR",
++      "NIX_SND_STATUS_DATA_FAULT",
++      "NIX_SND_STATUS_DATA_POISON",
++      "NIX_SND_STATUS_NPC_DROP_ACTION",
++      "NIX_SND_STATUS_LOCK_VIOL",
++      "NIX_SND_STATUS_NPC_UCAST_CHAN_ERR",
++      "NIX_SND_STATUS_NPC_MCAST_CHAN_ERR",
++      "NIX_SND_STATUS_NPC_MCAST_ABORT",
++      "NIX_SND_STATUS_NPC_VTAG_PTR_ERR",
++      "NIX_SND_STATUS_NPC_VTAG_SIZE_ERR",
++      "NIX_SND_STATUS_SEND_STATS_ERR",
++};
++
+ static irqreturn_t otx2_q_intr_handler(int irq, void *data)
+ {
+       struct otx2_nic *pf = data;
+@@ -1186,46 +1240,67 @@ static irqreturn_t otx2_q_intr_handler(int irq, void *data)
+       /* SQ */
+       for (qidx = 0; qidx < pf->hw.tx_queues; qidx++) {
++              u64 sq_op_err_dbg, mnq_err_dbg, snd_err_dbg;
++              u8 sq_op_err_code, mnq_err_code, snd_err_code;
++
++              /* Below debug registers captures first errors corresponding to
++               * those registers. We don't have to check against SQ qid as
++               * these are fatal errors.
++               */
++
+               ptr = otx2_get_regaddr(pf, NIX_LF_SQ_OP_INT);
+               val = otx2_atomic64_add((qidx << 44), ptr);
+               otx2_write64(pf, NIX_LF_SQ_OP_INT, (qidx << 44) |
+                            (val & NIX_SQINT_BITS));
+-              if (!(val & (NIX_SQINT_BITS | BIT_ULL(42))))
+-                      continue;
+-
+               if (val & BIT_ULL(42)) {
+                       netdev_err(pf->netdev, "SQ%lld: error reading NIX_LF_SQ_OP_INT, NIX_LF_ERR_INT 0x%llx\n",
+                                  qidx, otx2_read64(pf, NIX_LF_ERR_INT));
+-              } else {
+-                      if (val & BIT_ULL(NIX_SQINT_LMT_ERR)) {
+-                              netdev_err(pf->netdev, "SQ%lld: LMT store error NIX_LF_SQ_OP_ERR_DBG:0x%llx",
+-                                         qidx,
+-                                         otx2_read64(pf,
+-                                                     NIX_LF_SQ_OP_ERR_DBG));
+-                              otx2_write64(pf, NIX_LF_SQ_OP_ERR_DBG,
+-                                           BIT_ULL(44));
+-                      }
+-                      if (val & BIT_ULL(NIX_SQINT_MNQ_ERR)) {
+-                              netdev_err(pf->netdev, "SQ%lld: Meta-descriptor enqueue error NIX_LF_MNQ_ERR_DGB:0x%llx\n",
+-                                         qidx,
+-                                         otx2_read64(pf, NIX_LF_MNQ_ERR_DBG));
+-                              otx2_write64(pf, NIX_LF_MNQ_ERR_DBG,
+-                                           BIT_ULL(44));
+-                      }
+-                      if (val & BIT_ULL(NIX_SQINT_SEND_ERR)) {
+-                              netdev_err(pf->netdev, "SQ%lld: Send error, NIX_LF_SEND_ERR_DBG 0x%llx",
+-                                         qidx,
+-                                         otx2_read64(pf,
+-                                                     NIX_LF_SEND_ERR_DBG));
+-                              otx2_write64(pf, NIX_LF_SEND_ERR_DBG,
+-                                           BIT_ULL(44));
+-                      }
+-                      if (val & BIT_ULL(NIX_SQINT_SQB_ALLOC_FAIL))
+-                              netdev_err(pf->netdev, "SQ%lld: SQB allocation failed",
+-                                         qidx);
++                      goto done;
+               }
++              sq_op_err_dbg = otx2_read64(pf, NIX_LF_SQ_OP_ERR_DBG);
++              if (!(sq_op_err_dbg & BIT(44)))
++                      goto chk_mnq_err_dbg;
++
++              sq_op_err_code = FIELD_GET(GENMASK(7, 0), sq_op_err_dbg);
++              netdev_err(pf->netdev, "SQ%lld: NIX_LF_SQ_OP_ERR_DBG(%llx)  err=%s\n",
++                         qidx, sq_op_err_dbg, nix_sqoperr_e_str[sq_op_err_code]);
++
++              otx2_write64(pf, NIX_LF_SQ_OP_ERR_DBG, BIT_ULL(44));
++
++              if (sq_op_err_code == NIX_SQOPERR_SQB_NULL)
++                      goto chk_mnq_err_dbg;
++
++              /* Err is not NIX_SQOPERR_SQB_NULL, call aq function to read SQ structure.
++               * TODO: But we are in irq context. How to call mbox functions which does sleep
++               */
++
++chk_mnq_err_dbg:
++              mnq_err_dbg = otx2_read64(pf, NIX_LF_MNQ_ERR_DBG);
++              if (!(mnq_err_dbg & BIT(44)))
++                      goto chk_snd_err_dbg;
++
++              mnq_err_code = FIELD_GET(GENMASK(7, 0), mnq_err_dbg);
++              netdev_err(pf->netdev, "SQ%lld: NIX_LF_MNQ_ERR_DBG(%llx)  err=%s\n",
++                         qidx, mnq_err_dbg,  nix_mnqerr_e_str[mnq_err_code]);
++              otx2_write64(pf, NIX_LF_MNQ_ERR_DBG, BIT_ULL(44));
++
++chk_snd_err_dbg:
++              snd_err_dbg = otx2_read64(pf, NIX_LF_SEND_ERR_DBG);
++              if (snd_err_dbg & BIT(44)) {
++                      snd_err_code = FIELD_GET(GENMASK(7, 0), snd_err_dbg);
++                      netdev_err(pf->netdev, "SQ%lld: NIX_LF_SND_ERR_DBG:0x%llx err=%s\n",
++                                 qidx, snd_err_dbg, nix_snd_status_e_str[snd_err_code]);
++                      otx2_write64(pf, NIX_LF_SEND_ERR_DBG, BIT_ULL(44));
++              }
++
++done:
++              /* Print values and reset */
++              if (val & BIT_ULL(NIX_SQINT_SQB_ALLOC_FAIL))
++                      netdev_err(pf->netdev, "SQ%lld: SQB allocation failed",
++                                 qidx);
++
+               schedule_work(&pf->reset_task);
+       }
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_struct.h b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_struct.h
+index 4bbd12ff26e6..e5f30fd778fc 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_struct.h
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_struct.h
+@@ -274,4 +274,61 @@ enum nix_sqint_e {
+                       BIT_ULL(NIX_SQINT_SEND_ERR) | \
+                       BIT_ULL(NIX_SQINT_SQB_ALLOC_FAIL))
++enum nix_sqoperr_e {
++      NIX_SQOPERR_OOR = 0,
++      NIX_SQOPERR_CTX_FAULT = 1,
++      NIX_SQOPERR_CTX_POISON = 2,
++      NIX_SQOPERR_DISABLED = 3,
++      NIX_SQOPERR_SIZE_ERR = 4,
++      NIX_SQOPERR_OFLOW = 5,
++      NIX_SQOPERR_SQB_NULL = 6,
++      NIX_SQOPERR_SQB_FAULT = 7,
++      NIX_SQOPERR_SQE_SZ_ZERO = 8,
++      NIX_SQOPERR_MAX,
++};
++
++enum nix_mnqerr_e {
++      NIX_MNQERR_SQ_CTX_FAULT = 0,
++      NIX_MNQERR_SQ_CTX_POISON = 1,
++      NIX_MNQERR_SQB_FAULT = 2,
++      NIX_MNQERR_SQB_POISON = 3,
++      NIX_MNQERR_TOTAL_ERR = 4,
++      NIX_MNQERR_LSO_ERR = 5,
++      NIX_MNQERR_CQ_QUERY_ERR = 6,
++      NIX_MNQERR_MAX_SQE_SIZE_ERR = 7,
++      NIX_MNQERR_MAXLEN_ERR = 8,
++      NIX_MNQERR_SQE_SIZEM1_ZERO = 9,
++      NIX_MNQERR_MAX,
++};
++
++enum nix_snd_status_e {
++      NIX_SND_STATUS_GOOD = 0x0,
++      NIX_SND_STATUS_SQ_CTX_FAULT = 0x1,
++      NIX_SND_STATUS_SQ_CTX_POISON = 0x2,
++      NIX_SND_STATUS_SQB_FAULT = 0x3,
++      NIX_SND_STATUS_SQB_POISON = 0x4,
++      NIX_SND_STATUS_HDR_ERR = 0x5,
++      NIX_SND_STATUS_EXT_ERR = 0x6,
++      NIX_SND_STATUS_JUMP_FAULT = 0x7,
++      NIX_SND_STATUS_JUMP_POISON = 0x8,
++      NIX_SND_STATUS_CRC_ERR = 0x9,
++      NIX_SND_STATUS_IMM_ERR = 0x10,
++      NIX_SND_STATUS_SG_ERR = 0x11,
++      NIX_SND_STATUS_MEM_ERR = 0x12,
++      NIX_SND_STATUS_INVALID_SUBDC = 0x13,
++      NIX_SND_STATUS_SUBDC_ORDER_ERR = 0x14,
++      NIX_SND_STATUS_DATA_FAULT = 0x15,
++      NIX_SND_STATUS_DATA_POISON = 0x16,
++      NIX_SND_STATUS_NPC_DROP_ACTION = 0x17,
++      NIX_SND_STATUS_LOCK_VIOL = 0x18,
++      NIX_SND_STATUS_NPC_UCAST_CHAN_ERR = 0x19,
++      NIX_SND_STATUS_NPC_MCAST_CHAN_ERR = 0x20,
++      NIX_SND_STATUS_NPC_MCAST_ABORT = 0x21,
++      NIX_SND_STATUS_NPC_VTAG_PTR_ERR = 0x22,
++      NIX_SND_STATUS_NPC_VTAG_SIZE_ERR = 0x23,
++      NIX_SND_STATUS_SEND_MEM_FAULT = 0x24,
++      NIX_SND_STATUS_SEND_STATS_ERR = 0x25,
++      NIX_SND_STATUS_MAX,
++};
++
+ #endif /* OTX2_STRUCT_H */
+-- 
+2.35.1
+
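Review bot: The three error-code lookups added to otx2_q_intr_handler() index the string tables with an unchecked 8-bit field read from a hardware register: `FIELD_GET(GENMASK(7, 0), ...)` can yield 0-255, while `nix_sqoperr_e_str` and `nix_mnqerr_e_str` hold only NIX_SQOPERR_MAX (9) and NIX_MNQERR_MAX (10) entries, so an unexpected code reads past the array inside the interrupt handler. Each lookup should be bounded, for example `sq_op_err_code < NIX_SQOPERR_MAX ? nix_sqoperr_e_str[sq_op_err_code] : "unknown"`, and likewise for the MNQ and SEND tables. `nix_snd_status_e_str` is also misaligned with its enum: the enum jumps from 0x9 to 0x10, so NIX_SND_STATUS_MAX is 0x26, but the table is filled positionally with 25 strings (SEND_MEM_FAULT is missing), leaving names that no longer match their codes from 0x10 on and NULL slots at the tail; designated initializers such as `[NIX_SND_STATUS_IMM_ERR] = "NIX_SND_STATUS_IMM_ERR",` would keep it in step. With the old `continue` removed, `schedule_work(&pf->reset_task)` is now reached for every queue on each pass through the loop, which looks unintended. The handler body starts and ends outside the hunk.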
diff --git a/queue-5.15/octeontx2-pf-use-hardware-register-for-cqe-count.patch b/queue-5.15/octeontx2-pf-use-hardware-register-for-cqe-count.patch
new file mode 100644 (file)
index 0000000..6bbab22
--- /dev/null
@@ -0,0 +1,242 @@
+From 30840464842922134282fa3aa16d69f801a8ff31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 11:25:26 +0530
+Subject: octeontx2-pf: Use hardware register for CQE count
+
+From: Geetha sowjanya <gakula@marvell.com>
+
+[ Upstream commit af3826db74d184bc9c2c9d3ff34548e5f317a6f3 ]
+
+Current driver uses software CQ head pointer to poll on CQE
+header in memory to determine if CQE is valid. Software needs
+to make sure, that the reads of the CQE do not get re-ordered
+so much that it ends up with an inconsistent view of the CQE.
+To ensure that DMB barrier after read to first CQE cacheline
+and before reading of the rest of the CQE is needed.
+But having barrier for every CQE read will impact the performance,
+instead use hardware CQ head and tail pointers to find the
+valid number of CQEs.
+
+Signed-off-by: Geetha sowjanya <gakula@marvell.com>
+Signed-off-by: Sunil Kovvuri Goutham <sgoutham@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 51afe9026d0c ("octeontx2-pf: NIX TX overwrites SQ_CTX_HW_S[SQ_INT]")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../marvell/octeontx2/nic/otx2_common.c       |  3 +
+ .../marvell/octeontx2/nic/otx2_common.h       |  1 +
+ .../marvell/octeontx2/nic/otx2_txrx.c         | 69 +++++++++++++++++--
+ .../marvell/octeontx2/nic/otx2_txrx.h         |  5 ++
+ include/linux/soc/marvell/octeontx2/asm.h     | 14 ++++
+ 5 files changed, 85 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
+index 7cf24dd5c878..e14624caddc6 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
+@@ -1013,6 +1013,9 @@ int otx2_config_nix_queues(struct otx2_nic *pfvf)
+                       return err;
+       }
++      pfvf->cq_op_addr = (__force u64 *)otx2_get_regaddr(pfvf,
++                                                         NIX_LF_CQ_OP_STATUS);
++
+       /* Initialize work queue for receive buffer refill */
+       pfvf->refill_wrk = devm_kcalloc(pfvf->dev, pfvf->qset.cq_cnt,
+                                       sizeof(struct refill_work), GFP_KERNEL);
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h
+index 4ecd0ef05f3b..095e5de78c0b 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h
+@@ -337,6 +337,7 @@ struct otx2_nic {
+ #define OTX2_FLAG_TC_MATCHALL_INGRESS_ENABLED BIT_ULL(13)
+ #define OTX2_FLAG_DMACFLTR_SUPPORT            BIT_ULL(14)
+       u64                     flags;
++      u64                     *cq_op_addr;
+       struct otx2_qset        qset;
+       struct otx2_hw          hw;
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c
+index f42b1d4e0c67..3f3ec8ffc4dd 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c
+@@ -18,6 +18,31 @@
+ #define CQE_ADDR(CQ, idx) ((CQ)->cqe_base + ((CQ)->cqe_size * (idx)))
++static int otx2_nix_cq_op_status(struct otx2_nic *pfvf,
++                               struct otx2_cq_queue *cq)
++{
++      u64 incr = (u64)(cq->cq_idx) << 32;
++      u64 status;
++
++      status = otx2_atomic64_fetch_add(incr, pfvf->cq_op_addr);
++
++      if (unlikely(status & BIT_ULL(CQ_OP_STAT_OP_ERR) ||
++                   status & BIT_ULL(CQ_OP_STAT_CQ_ERR))) {
++              dev_err(pfvf->dev, "CQ stopped due to error");
++              return -EINVAL;
++      }
++
++      cq->cq_tail = status & 0xFFFFF;
++      cq->cq_head = (status >> 20) & 0xFFFFF;
++      if (cq->cq_tail < cq->cq_head)
++              cq->pend_cqe = (cq->cqe_cnt - cq->cq_head) +
++                              cq->cq_tail;
++      else
++              cq->pend_cqe = cq->cq_tail - cq->cq_head;
++
++      return 0;
++}
++
+ static struct nix_cqe_hdr_s *otx2_get_next_cqe(struct otx2_cq_queue *cq)
+ {
+       struct nix_cqe_hdr_s *cqe_hdr;
+@@ -318,7 +343,14 @@ static int otx2_rx_napi_handler(struct otx2_nic *pfvf,
+       struct nix_cqe_rx_s *cqe;
+       int processed_cqe = 0;
+-      while (likely(processed_cqe < budget)) {
++      if (cq->pend_cqe >= budget)
++              goto process_cqe;
++
++      if (otx2_nix_cq_op_status(pfvf, cq) || !cq->pend_cqe)
++              return 0;
++
++process_cqe:
++      while (likely(processed_cqe < budget) && cq->pend_cqe) {
+               cqe = (struct nix_cqe_rx_s *)CQE_ADDR(cq, cq->cq_head);
+               if (cqe->hdr.cqe_type == NIX_XQE_TYPE_INVALID ||
+                   !cqe->sg.seg_addr) {
+@@ -334,6 +366,7 @@ static int otx2_rx_napi_handler(struct otx2_nic *pfvf,
+               cqe->hdr.cqe_type = NIX_XQE_TYPE_INVALID;
+               cqe->sg.seg_addr = 0x00;
+               processed_cqe++;
++              cq->pend_cqe--;
+       }
+       /* Free CQEs to HW */
+@@ -368,7 +401,14 @@ static int otx2_tx_napi_handler(struct otx2_nic *pfvf,
+       struct nix_cqe_tx_s *cqe;
+       int processed_cqe = 0;
+-      while (likely(processed_cqe < budget)) {
++      if (cq->pend_cqe >= budget)
++              goto process_cqe;
++
++      if (otx2_nix_cq_op_status(pfvf, cq) || !cq->pend_cqe)
++              return 0;
++
++process_cqe:
++      while (likely(processed_cqe < budget) && cq->pend_cqe) {
+               cqe = (struct nix_cqe_tx_s *)otx2_get_next_cqe(cq);
+               if (unlikely(!cqe)) {
+                       if (!processed_cqe)
+@@ -380,6 +420,7 @@ static int otx2_tx_napi_handler(struct otx2_nic *pfvf,
+               cqe->hdr.cqe_type = NIX_XQE_TYPE_INVALID;
+               processed_cqe++;
++              cq->pend_cqe--;
+       }
+       /* Free CQEs to HW */
+@@ -936,10 +977,16 @@ void otx2_cleanup_rx_cqes(struct otx2_nic *pfvf, struct otx2_cq_queue *cq)
+       int processed_cqe = 0;
+       u64 iova, pa;
+-      while ((cqe = (struct nix_cqe_rx_s *)otx2_get_next_cqe(cq))) {
+-              if (!cqe->sg.subdc)
+-                      continue;
++      if (otx2_nix_cq_op_status(pfvf, cq) || !cq->pend_cqe)
++              return;
++
++      while (cq->pend_cqe) {
++              cqe = (struct nix_cqe_rx_s *)otx2_get_next_cqe(cq);
+               processed_cqe++;
++              cq->pend_cqe--;
++
++              if (!cqe)
++                      continue;
+               if (cqe->sg.segs > 1) {
+                       otx2_free_rcv_seg(pfvf, cqe, cq->cq_idx);
+                       continue;
+@@ -965,7 +1012,16 @@ void otx2_cleanup_tx_cqes(struct otx2_nic *pfvf, struct otx2_cq_queue *cq)
+       sq = &pfvf->qset.sq[cq->cint_idx];
+-      while ((cqe = (struct nix_cqe_tx_s *)otx2_get_next_cqe(cq))) {
++      if (otx2_nix_cq_op_status(pfvf, cq) || !cq->pend_cqe)
++              return;
++
++      while (cq->pend_cqe) {
++              cqe = (struct nix_cqe_tx_s *)otx2_get_next_cqe(cq);
++              processed_cqe++;
++              cq->pend_cqe--;
++
++              if (!cqe)
++                      continue;
+               sg = &sq->sg[cqe->comp.sqe_id];
+               skb = (struct sk_buff *)sg->skb;
+               if (skb) {
+@@ -973,7 +1029,6 @@ void otx2_cleanup_tx_cqes(struct otx2_nic *pfvf, struct otx2_cq_queue *cq)
+                       dev_kfree_skb_any(skb);
+                       sg->skb = (u64)NULL;
+               }
+-              processed_cqe++;
+       }
+       /* Free CQEs to HW */
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.h b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.h
+index 3ff1ad79c001..6a97631ff226 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.h
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.h
+@@ -56,6 +56,9 @@
+  */
+ #define CQ_QCOUNT_DEFAULT     1
++#define CQ_OP_STAT_OP_ERR       63
++#define CQ_OP_STAT_CQ_ERR       46
++
+ struct queue_stats {
+       u64     bytes;
+       u64     pkts;
+@@ -122,6 +125,8 @@ struct otx2_cq_queue {
+       u16                     pool_ptrs;
+       u32                     cqe_cnt;
+       u32                     cq_head;
++      u32                     cq_tail;
++      u32                     pend_cqe;
+       void                    *cqe_base;
+       struct qmem             *cqe;
+       struct otx2_pool        *rbpool;
+diff --git a/include/linux/soc/marvell/octeontx2/asm.h b/include/linux/soc/marvell/octeontx2/asm.h
+index fa1d6af0164e..0f79fd7f81a1 100644
+--- a/include/linux/soc/marvell/octeontx2/asm.h
++++ b/include/linux/soc/marvell/octeontx2/asm.h
+@@ -34,9 +34,23 @@
+                        : [rf] "+r"(val)               \
+                        : [rs] "r"(addr));             \
+ })
++
++static inline u64 otx2_atomic64_fetch_add(u64 incr, u64 *ptr)
++{
++      u64 result;
++
++      asm volatile (".cpu  generic+lse\n"
++                    "ldadda %x[i], %x[r], [%[b]]"
++                    : [r] "=r" (result), "+m" (*ptr)
++                    : [i] "r" (incr), [b] "r" (ptr)
++                    : "memory");
++      return result;
++}
++
+ #else
+ #define otx2_lmt_flush(ioaddr)          ({ 0; })
+ #define cn10k_lmt_flush(val, addr)    ({ addr = val; })
++#define otx2_atomic64_fetch_add(incr, ptr)    ({ incr; })
+ #endif
+ #endif /* __SOC_OTX2_ASM_H */
+-- 
+2.35.1
+
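Review bot: otx2_nix_cq_op_status() reports a stopped queue with `dev_err(pfvf->dev, "CQ stopped due to error");`, which has no trailing newline, does not say which CQ failed, and is not rate limited although both otx2_rx_napi_handler() and otx2_tx_napi_handler() call it from their poll loops. A CQ that stays in the error state could therefore flood the log; `dev_err_ratelimited(pfvf->dev, "CQ stopped due to error\n");` with the queue index added would be safer. The head and tail extraction also uses the bare constants `0xFFFFF` and `20`; named masks next to CQ_OP_STAT_OP_ERR in otx2_txrx.h would document the register layout.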
diff --git a/queue-5.15/perf-stat-fix-printing-os-prefix-in-csv-metrics-outp.patch b/queue-5.15/perf-stat-fix-printing-os-prefix-in-csv-metrics-outp.patch
new file mode 100644 (file)
index 0000000..4dffdc2
--- /dev/null
@@ -0,0 +1,124 @@
+From e5e25078d100762257d0d0d051ffa3d4c8462449 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 14:26:04 +0530
+Subject: perf stat: Fix printing os->prefix in CSV metrics output
+
+From: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+
+[ Upstream commit ad353b710c7493df3d4fc2d3a51819126bed2e81 ]
+
+'perf stat' with CSV output option prints an extra empty string as first
+field in metrics output line.  Sample output below:
+
+       # ./perf stat -x, --per-socket -a -C 1 ls
+       S0,1,1.78,msec,cpu-clock,1785146,100.00,0.973,CPUs utilized
+       S0,1,26,,context-switches,1781750,100.00,0.015,M/sec
+       S0,1,1,,cpu-migrations,1780526,100.00,0.561,K/sec
+       S0,1,1,,page-faults,1779060,100.00,0.561,K/sec
+       S0,1,875807,,cycles,1769826,100.00,0.491,GHz
+       S0,1,85281,,stalled-cycles-frontend,1767512,100.00,9.74,frontend cycles idle
+       S0,1,576839,,stalled-cycles-backend,1766260,100.00,65.86,backend cycles idle
+       S0,1,288430,,instructions,1762246,100.00,0.33,insn per cycle
+====>  ,S0,1,,,,,,,2.00,stalled cycles per insn
+
+The above command line uses field separator as "," via "-x," option and
+per-socket option displays socket value as first field. But here the
+last line for "stalled cycles per insn" has "," in the beginning.
+
+Sample output using interval mode:
+
+       # ./perf stat -I 1000 -x, --per-socket -a -C 1 ls
+       0.001813453,S0,1,1.87,msec,cpu-clock,1872052,100.00,0.002,CPUs utilized
+       0.001813453,S0,1,2,,context-switches,1868028,100.00,1.070,K/sec
+       ------
+       0.001813453,S0,1,85379,,instructions,1856754,100.00,0.32,insn per cycle
+====>  0.001813453,,S0,1,,,,,,,1.34,stalled cycles per insn
+
+Above result also has an extra CSV separator after
+the timestamp. Patch addresses extra field separator
+in the beginning of the metric output line.
+
+The counter stats are displayed by function
+"perf_stat__print_shadow_stats" in code
+"util/stat-shadow.c". While printing the stats info
+for "stalled cycles per insn", function "new_line_csv"
+is used as new_line callback.
+
+The new_line_csv function has check for "os->prefix"
+and if prefix is not null, it will be printed along
+with cvs separator.
+Snippet from "new_line_csv":
+       if (os->prefix)
+               fprintf(os->fh, "%s%s", os->prefix, config->csv_sep);
+
+Here os->prefix gets printed followed by ","
+which is the cvs separator. The os->prefix is
+used in interval mode option ( -I ), to print
+time stamp on every new line. But prefix is
+already set to contain CSV separator when used
+in interval mode for CSV option.
+
+Reference: Function "static void print_interval"
+Snippet:
+       sprintf(prefix, "%6lu.%09lu%s", ts->tv_sec, ts->tv_nsec, config->csv_sep);
+
+Also if prefix is not assigned (if not used with
+-I option), it gets set to empty string.
+Reference: function printout() in util/stat-display.c
+Snippet:
+       .prefix = prefix ? prefix : "",
+
+Since prefix already set to contain cvs_sep in interval
+option, patch removes printing config->csv_sep in
+new_line_csv function to avoid printing extra field.
+
+After the patch:
+
+       # ./perf stat -x, --per-socket -a -C 1 ls
+       S0,1,2.04,msec,cpu-clock,2045202,100.00,1.013,CPUs utilized
+       S0,1,2,,context-switches,2041444,100.00,979.289,/sec
+       S0,1,0,,cpu-migrations,2040820,100.00,0.000,/sec
+       S0,1,2,,page-faults,2040288,100.00,979.289,/sec
+       S0,1,254589,,cycles,2036066,100.00,0.125,GHz
+       S0,1,82481,,stalled-cycles-frontend,2032420,100.00,32.40,frontend cycles idle
+       S0,1,113170,,stalled-cycles-backend,2031722,100.00,44.45,backend cycles idle
+       S0,1,88766,,instructions,2030942,100.00,0.35,insn per cycle
+       S0,1,,,,,,,1.27,stalled cycles per insn
+
+Fixes: 92a61f6412d3a09d ("perf stat: Implement CSV metrics output")
+Reported-by: Disha Goel <disgoel@linux.vnet.ibm.com>
+Reviewed-By: Kajol Jain <kjain@linux.ibm.com>
+Signed-off-by: Athira Jajeev <atrajeev@linux.vnet.ibm.com>
+Tested-by: Disha Goel <disgoel@linux.vnet.ibm.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: James Clark <james.clark@arm.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: linuxppc-dev@lists.ozlabs.org
+Cc: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Nageswara R Sastry <rnsastry@linux.ibm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: https://lore.kernel.org/r/20221018085605.63834-1-atrajeev@linux.vnet.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/stat-display.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/stat-display.c b/tools/perf/util/stat-display.c
+index db00ca6a67de..24e50fabb6c3 100644
+--- a/tools/perf/util/stat-display.c
++++ b/tools/perf/util/stat-display.c
+@@ -207,7 +207,7 @@ static void new_line_csv(struct perf_stat_config *config, void *ctx)
+       fputc('\n', os->fh);
+       if (os->prefix)
+-              fprintf(os->fh, "%s%s", os->prefix, config->csv_sep);
++              fprintf(os->fh, "%s", os->prefix);
+       aggr_printout(config, os->evsel, os->id, os->nr);
+       for (i = 0; i < os->nfields; i++)
+               fputs(config->csv_sep, os->fh);
+-- 
+2.35.1
+
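Review bot: The new call `fprintf(os->fh, "%s", os->prefix);` in new_line_csv() is a plain string write, and the loop two lines below already uses `fputs(config->csv_sep, os->fh);`, so `fputs(os->prefix, os->fh);` would match the surrounding code. A short comment such as `/* prefix already ends with csv_sep in interval mode */` would also record why no separator is printed here, since that is only explained in the commit message. new_line_csv() starts and ends outside the hunk.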
diff --git a/queue-5.15/perf-tools-add-the-include-perf-directory-to-.gitign.patch b/queue-5.15/perf-tools-add-the-include-perf-directory-to-.gitign.patch
new file mode 100644 (file)
index 0000000..a8eb901
--- /dev/null
@@ -0,0 +1,57 @@
+From c33e7d9c26247f3df1e452bd184090c6039e7c72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 02:27:04 -0700
+Subject: perf tools: Add the include/perf/ directory to .gitignore
+
+From: Donglin Peng <dolinux.peng@gmail.com>
+
+[ Upstream commit 94d957ae513fc420d0a5a9bac815eb49ffebb56f ]
+
+Commit 3af1dfdd51e06697 ("perf build: Move perf_dlfilters.h in the
+source tree") moved perf_dlfilters.h to the include/perf/ directory
+while include/perf is ignored because it has 'perf' in the name.  Newly
+created files in the include/perf/ directory will be ignored.
+
+Testing:
+
+Before:
+
+  $ touch tools/perf/include/perf/junk
+  $ git status | grep junk
+  $ git check-ignore -v tools/perf/include/perf/junk
+  tools/perf/.gitignore:6:perf    tools/perf/include/perf/junk
+
+After:
+
+  $ git status | grep junk
+  tools/perf/include/perf/junk
+  $ git check-ignore -v tools/perf/include/perf/junk
+
+Add !include/perf/ to perf's .gitignore file.
+
+Fixes: 3af1dfdd51e06697 ("perf build: Move perf_dlfilters.h in the source tree")
+Signed-off-by: Donglin Peng <dolinux.peng@gmail.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20221103092704.173391-1-dolinux.peng@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/.gitignore | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/.gitignore b/tools/perf/.gitignore
+index 8e0163b7ef01..cdb7a347ceb5 100644
+--- a/tools/perf/.gitignore
++++ b/tools/perf/.gitignore
+@@ -4,6 +4,7 @@ PERF-GUI-VARS
+ PERF-VERSION-FILE
+ FEATURE-DUMP
+ perf
++!include/perf/
+ perf-read-vdso32
+ perf-read-vdsox32
+ perf-help
+-- 
+2.35.1
+
diff --git a/queue-5.15/phy-ralink-mt7621-pci-add-sentinel-to-quirks-table.patch b/queue-5.15/phy-ralink-mt7621-pci-add-sentinel-to-quirks-table.patch
new file mode 100644 (file)
index 0000000..9664786
--- /dev/null
@@ -0,0 +1,46 @@
+From a64517a06e121b56da8d996a10578d528a6bdaed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Nov 2022 06:52:41 +1000
+Subject: phy: ralink: mt7621-pci: add sentinel to quirks table
+
+From: John Thomson <git@johnthomson.fastmail.com.au>
+
+[ Upstream commit 819b885cd886c193782891c4f51bbcab3de119a4 ]
+
+With mt7621 soc_dev_attr fixed to register the soc as a device,
+kernel will experience an oops in soc_device_match_attr
+
+This quirk test was introduced in the staging driver in
+commit 9445ccb3714c ("staging: mt7621-pci-phy: add quirks for 'E2'
+revision using 'soc_device_attribute'"). The staging driver was removed,
+and later re-added in commit d87da32372a0 ("phy: ralink: Add PHY driver
+for MT7621 PCIe PHY") for kernel 5.11
+
+Link: https://lore.kernel.org/lkml/26ebbed1-0fe9-4af9-8466-65f841d0b382@app.fastmail.com
+Fixes: d87da32372a0 ("phy: ralink: Add PHY driver for MT7621 PCIe PHY")
+Signed-off-by: John Thomson <git@johnthomson.fastmail.com.au>
+Acked-by: Sergio Paracuellos <sergio.paracuellos@gmail.com>
+Link: https://lore.kernel.org/r/20221104205242.3440388-2-git@johnthomson.fastmail.com.au
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/ralink/phy-mt7621-pci.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/phy/ralink/phy-mt7621-pci.c b/drivers/phy/ralink/phy-mt7621-pci.c
+index 5e6530f545b5..85888ab2d307 100644
+--- a/drivers/phy/ralink/phy-mt7621-pci.c
++++ b/drivers/phy/ralink/phy-mt7621-pci.c
+@@ -280,7 +280,8 @@ static struct phy *mt7621_pcie_phy_of_xlate(struct device *dev,
+ }
+ static const struct soc_device_attribute mt7621_pci_quirks_match[] = {
+-      { .soc_id = "mt7621", .revision = "E2" }
++      { .soc_id = "mt7621", .revision = "E2" },
++      { /* sentinel */ }
+ };
+ static const struct regmap_config mt7621_pci_phy_regmap_config = {
+-- 
+2.35.1
+
diff --git a/queue-5.15/phy-stm32-fix-an-error-code-in-probe.patch b/queue-5.15/phy-stm32-fix-an-error-code-in-probe.patch
new file mode 100644 (file)
index 0000000..12e05ea
--- /dev/null
@@ -0,0 +1,38 @@
+From e78443f2a162c216f8d0c36d6925d1af0d3b8459 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Oct 2022 12:25:06 +0300
+Subject: phy: stm32: fix an error code in probe
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit ca1c73628f5bd0c1ef6e46073cc3be2450605b06 ]
+
+If "index > usbphyc->nphys" is true then this returns success but it
+should return -EINVAL.
+
+Fixes: 94c358da3a05 ("phy: stm32: add support for STM32 USB PHY Controller (USBPHYC)")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
+Link: https://lore.kernel.org/r/Y0kq8j6S+5nDdMpr@kili
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/st/phy-stm32-usbphyc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/phy/st/phy-stm32-usbphyc.c b/drivers/phy/st/phy-stm32-usbphyc.c
+index cd0747ab6267..27f7e2292cf0 100644
+--- a/drivers/phy/st/phy-stm32-usbphyc.c
++++ b/drivers/phy/st/phy-stm32-usbphyc.c
+@@ -532,6 +532,8 @@ static int stm32_usbphyc_probe(struct platform_device *pdev)
+               ret = of_property_read_u32(child, "reg", &index);
+               if (ret || index > usbphyc->nphys) {
+                       dev_err(&phy->dev, "invalid reg property: %d\n", ret);
++                      if (!ret)
++                              ret = -EINVAL;
+                       goto put_child;
+               }
+-- 
+2.35.1
+
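Review bot: In the out-of-range case the `dev_err()` just above the added lines still prints `ret`, which is 0 at that point, so the log reads "invalid reg property: 0" while probe now fails with -EINVAL. Moving `if (!ret) ret = -EINVAL;` ahead of the `dev_err()` call, or printing `index` as well, would make the message match the failure. The bound itself is `index > usbphyc->nphys`; if `index` is later used to select one of `nphys` entries, which is not visible in this hunk, the comparison would need to be `>=`. stm32_usbphyc_probe() starts and ends outside the hunk.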
diff --git a/queue-5.15/riscv-fix-reserved-memory-setup.patch b/queue-5.15/riscv-fix-reserved-memory-setup.patch
new file mode 100644 (file)
index 0000000..44147fc
--- /dev/null
@@ -0,0 +1,106 @@
+From 5e6c9b1e83043563834a5cec53f8c92e213aea89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 15:15:25 +0000
+Subject: riscv: fix reserved memory setup
+
+From: Conor Dooley <conor.dooley@microchip.com>
+
+[ Upstream commit 50e63dd8ed92045eb70a72d7ec725488320fb68b ]
+
+Currently, RISC-V sets up reserved memory using the "early" copy of the
+device tree. As a result, when trying to get a reserved memory region
+using of_reserved_mem_lookup(), the pointer to reserved memory regions
+is using the early, pre-virtual-memory address which causes a kernel
+panic when trying to use the buffer's name:
+
+ Unable to handle kernel paging request at virtual address 00000000401c31ac
+ Oops [#1]
+ Modules linked in:
+ CPU: 0 PID: 0 Comm: swapper Not tainted 6.0.0-rc1-00001-g0d9d6953d834 #1
+ Hardware name: Microchip PolarFire-SoC Icicle Kit (DT)
+ epc : string+0x4a/0xea
+  ra : vsnprintf+0x1e4/0x336
+ epc : ffffffff80335ea0 ra : ffffffff80338936 sp : ffffffff81203be0
+  gp : ffffffff812e0a98 tp : ffffffff8120de40 t0 : 0000000000000000
+  t1 : ffffffff81203e28 t2 : 7265736572203a46 s0 : ffffffff81203c20
+  s1 : ffffffff81203e28 a0 : ffffffff81203d22 a1 : 0000000000000000
+  a2 : ffffffff81203d08 a3 : 0000000081203d21 a4 : ffffffffffffffff
+  a5 : 00000000401c31ac a6 : ffff0a00ffffff04 a7 : ffffffffffffffff
+  s2 : ffffffff81203d08 s3 : ffffffff81203d00 s4 : 0000000000000008
+  s5 : ffffffff000000ff s6 : 0000000000ffffff s7 : 00000000ffffff00
+  s8 : ffffffff80d9821a s9 : ffffffff81203d22 s10: 0000000000000002
+  s11: ffffffff80d9821c t3 : ffffffff812f3617 t4 : ffffffff812f3617
+  t5 : ffffffff812f3618 t6 : ffffffff81203d08
+ status: 0000000200000100 badaddr: 00000000401c31ac cause: 000000000000000d
+ [<ffffffff80338936>] vsnprintf+0x1e4/0x336
+ [<ffffffff80055ae2>] vprintk_store+0xf6/0x344
+ [<ffffffff80055d86>] vprintk_emit+0x56/0x192
+ [<ffffffff80055ed8>] vprintk_default+0x16/0x1e
+ [<ffffffff800563d2>] vprintk+0x72/0x80
+ [<ffffffff806813b2>] _printk+0x36/0x50
+ [<ffffffff8068af48>] print_reserved_mem+0x1c/0x24
+ [<ffffffff808057ec>] paging_init+0x528/0x5bc
+ [<ffffffff808031ae>] setup_arch+0xd0/0x592
+ [<ffffffff8080070e>] start_kernel+0x82/0x73c
+
+early_init_fdt_scan_reserved_mem() takes no arguments as it operates on
+initial_boot_params, which is populated by early_init_dt_verify(). On
+RISC-V, early_init_dt_verify() is called twice. Once, directly, in
+setup_arch() if CONFIG_BUILTIN_DTB is not enabled and once indirectly,
+very early in the boot process, by parse_dtb() when it calls
+early_init_dt_scan_nodes().
+
+This first call uses dtb_early_va to set initial_boot_params, which is
+not usable later in the boot process when
+early_init_fdt_scan_reserved_mem() is called. On arm64 for example, the
+corresponding call to early_init_dt_scan_nodes() uses fixmap addresses
+and doesn't suffer the same fate.
+
+Move early_init_fdt_scan_reserved_mem() further along the boot sequence,
+after the direct call to early_init_dt_verify() in setup_arch() so that
+the names use the correct virtual memory addresses. The above supposed
+that CONFIG_BUILTIN_DTB was not set, but should work equally in the case
+where it is - unflatted_and_copy_device_tree() also updates
+initial_boot_params.
+
+Reported-by: Valentina Fernandez <valentina.fernandezalanis@microchip.com>
+Reported-by: Evgenii Shatokhin <e.shatokhin@yadro.com>
+Link: https://lore.kernel.org/linux-riscv/f8e67f82-103d-156c-deb0-d6d6e2756f5e@microchip.com/
+Fixes: 922b0375fc93 ("riscv: Fix memblock reservation for device tree blob")
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Tested-by: Evgenii Shatokhin <e.shatokhin@yadro.com>
+Link: https://lore.kernel.org/r/20221107151524.3941467-1-conor.dooley@microchip.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/setup.c | 1 +
+ arch/riscv/mm/init.c      | 1 -
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/kernel/setup.c b/arch/riscv/kernel/setup.c
+index 7bdbf3f608a4..ef81e9003ab8 100644
+--- a/arch/riscv/kernel/setup.c
++++ b/arch/riscv/kernel/setup.c
+@@ -291,6 +291,7 @@ void __init setup_arch(char **cmdline_p)
+       else
+               pr_err("No DTB found in kernel mappings\n");
+ #endif
++      early_init_fdt_scan_reserved_mem();
+       misc_mem_init();
+       init_resources();
+diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
+index a37a08ceeded..830f53b141a0 100644
+--- a/arch/riscv/mm/init.c
++++ b/arch/riscv/mm/init.c
+@@ -242,7 +242,6 @@ static void __init setup_bootmem(void)
+                       memblock_reserve(dtb_early_pa, fdt_totalsize(dtb_early_va));
+       }
+-      early_init_fdt_scan_reserved_mem();
+       dma_contiguous_reserve(dma32_phys_limit);
+       if (IS_ENABLED(CONFIG_64BIT))
+               hugetlb_cma_reserve(PUD_SHIFT - PAGE_SHIFT);
+-- 
+2.35.1
+
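Review bot: Moving early_init_fdt_scan_reserved_mem() from setup_bootmem() into setup_arch() changes the point at which device-tree reserved regions are registered with memblock, and nothing at the new call site records the ordering it now depends on. The call used to run immediately before dma_contiguous_reserve(). If any memblock allocation or CMA reservation now happens before the new call (not visible in these hunks), it could land inside a region the DT marks reserved, which matters when those regions hold firmware or other protected memory. A comment above the new line would help, for example `/* Needs initial_boot_params to point at the final DT mapping; DT reserved regions are not in memblock before this call */`, and the ordering against setup_bootmem() should be confirmed. Both functions continue outside the hunks.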
diff --git a/queue-5.15/riscv-process-fix-kernel-info-leakage.patch b/queue-5.15/riscv-process-fix-kernel-info-leakage.patch
new file mode 100644 (file)
index 0000000..ee600a7
--- /dev/null
@@ -0,0 +1,43 @@
+From 9864d1d1b664360851358db9df02aa1db362be23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Oct 2022 19:34:50 +0800
+Subject: riscv: process: fix kernel info leakage
+
+From: Jisheng Zhang <jszhang@kernel.org>
+
+[ Upstream commit 6510c78490c490a6636e48b61eeaa6fb65981f4b ]
+
+thread_struct's s[12] may contain random kernel memory content, which
+may be finally leaked to userspace. This is a security hole. Fix it
+by clearing the s[12] array in thread_struct when fork.
+
+As for kthread case, it's better to clear the s[12] array as well.
+
+Fixes: 7db91e57a0ac ("RISC-V: Task implementation")
+Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
+Tested-by: Guo Ren <guoren@kernel.org>
+Link: https://lore.kernel.org/r/20221029113450.4027-1-jszhang@kernel.org
+Reviewed-by: Guo Ren <guoren@kernel.org>
+Link: https://lore.kernel.org/r/CAJF2gTSdVyAaM12T%2B7kXAdRPGS4VyuO08X1c7paE-n4Fr8OtRA@mail.gmail.com/
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/process.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c
+index 03ac3aa611f5..bda3bc294718 100644
+--- a/arch/riscv/kernel/process.c
++++ b/arch/riscv/kernel/process.c
+@@ -124,6 +124,8 @@ int copy_thread(unsigned long clone_flags, unsigned long usp, unsigned long arg,
+ {
+       struct pt_regs *childregs = task_pt_regs(p);
++      memset(&p->thread.s, 0, sizeof(p->thread.s));
++
+       /* p->thread holds context to be restored by __switch_to() */
+       if (unlikely(p->flags & (PF_KTHREAD | PF_IO_WORKER))) {
+               /* Kernel thread */
+-- 
+2.35.1
+
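Review bot: The added `memset(&p->thread.s, 0, sizeof(p->thread.s));` in copy_thread() carries no comment, so a later cleanup could mistake it for redundant initialisation and remove it. The commit message gives the reason, that stale s[] contents can reach userspace, and that reason belongs next to the call, e.g. `/* Zero s[] so stale kernel data in thread_struct cannot leak to userspace */`. Only `s` is cleared here; whether the remaining thread_struct members are always overwritten before they can be read is decided outside the hunk and is worth confirming. copy_thread() continues past the hunk.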
diff --git a/queue-5.15/riscv-vdso-fix-build-with-llvm.patch b/queue-5.15/riscv-vdso-fix-build-with-llvm.patch
new file mode 100644 (file)
index 0000000..b1bafcd
--- /dev/null
@@ -0,0 +1,66 @@
+From c982faf94c8e6b1a625419aa4aae2c6fd144bf2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 02:29:43 +0800
+Subject: riscv: vdso: fix build with llvm
+
+From: Jisheng Zhang <jszhang@kernel.org>
+
+[ Upstream commit 50f4dd657a0fcf90aa8da8dc2794a8100ff4c37c ]
+
+Even after commit 89fd4a1df829 ("riscv: jump_label: mark arguments as
+const to satisfy asm constraints"), building with CC_OPTIMIZE_FOR_SIZE
++ LLVM=1 can reproduce below build error:
+
+  CC      arch/riscv/kernel/vdso/vgettimeofday.o
+In file included from <built-in>:4:
+In file included from lib/vdso/gettimeofday.c:5:
+In file included from include/vdso/datapage.h:17:
+In file included from include/vdso/processor.h:10:
+In file included from arch/riscv/include/asm/vdso/processor.h:7:
+In file included from include/linux/jump_label.h:112:
+arch/riscv/include/asm/jump_label.h:42:3: error:
+invalid operand for inline asm constraint 'i'
+                "       .option push                            \n\t"
+                ^
+1 error generated.
+
+I think the problem is when "-Os" is passed as CFLAGS, it's removed by
+"CFLAGS_REMOVE_vgettimeofday.o = $(CC_FLAGS_FTRACE) -Os" which is
+introduced in commit e05d57dcb8c7 ("riscv: Fixup __vdso_gettimeofday
+broke dynamic ftrace"), thus no optimization at all for vgettimeofday.c
+arm64 does remove "-Os" as well, but it forces "-O2" after removing
+"-Os".
+
+I compared the generated vgettimeofday.o with "-O2" and "-Os",
+I think no big performance difference. So let's tell the kbuild not
+to remove "-Os" rather than follow arm64 style.
+
+vdso related performance can be improved a lot when building kernel with
+CC_OPTIMIZE_FOR_SIZE after this commit, ("-Os" VS no optimization)
+
+Fixes: e05d57dcb8c7 ("riscv: Fixup __vdso_gettimeofday broke dynamic ftrace")
+Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
+Tested-by: Conor Dooley <conor.dooley@microchip.com>
+Link: https://lore.kernel.org/r/20221031182943.2453-1-jszhang@kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/vdso/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/kernel/vdso/Makefile b/arch/riscv/kernel/vdso/Makefile
+index f2e065671e4d..84ac0fe612e7 100644
+--- a/arch/riscv/kernel/vdso/Makefile
++++ b/arch/riscv/kernel/vdso/Makefile
+@@ -30,7 +30,7 @@ obj-y += vdso.o
+ CPPFLAGS_vdso.lds += -P -C -U$(ARCH)
+ # Disable -pg to prevent insert call site
+-CFLAGS_REMOVE_vgettimeofday.o = $(CC_FLAGS_FTRACE) -Os
++CFLAGS_REMOVE_vgettimeofday.o = $(CC_FLAGS_FTRACE)
+ # Disable profiling and instrumentation for VDSO code
+ GCOV_PROFILE := n
+-- 
+2.35.1
+
index 68e8705577083177aa1562889c459bfb78f51f47..26a15465950cdbf6ba8228da8b637d13b360acb9 100644 (file)
@@ -4,3 +4,78 @@ fuse-fix-readdir-cache-race.patch
 drm-amdkfd-avoid-recursive-lock-in-migrations-back-t.patch
 drm-amdkfd-handle-cpu-fault-on-cow-mapping.patch
 drm-amdkfd-fix-null-pointer-dereference-in-svm_migra.patch
+hwspinlock-qcom-correct-mmio-max-register-for-newer-.patch
+phy-stm32-fix-an-error-code-in-probe.patch
+wifi-cfg80211-silence-a-sparse-rcu-warning.patch
+wifi-cfg80211-fix-memory-leak-in-query_regdb_file.patch
+soundwire-qcom-reinit-broadcast-completion.patch
+soundwire-qcom-check-for-outanding-writes-before-doi.patch
+bpf-verifier-fix-memory-leak-in-array-reallocation-f.patch
+bpf-sockmap-fix-the-sk-sk_forward_alloc-warning-of-s.patch
+wifi-mac80211-set-twt-information-frame-disabled-bit.patch
+bpftool-fix-null-pointer-dereference-when-pin-prog-m.patch
+hid-hyperv-fix-possible-memory-leak-in-mousevsc_prob.patch
+bpf-sockmap-fix-sk-sk_forward_alloc-warn_on-in-sk_st.patch
+bpf-fix-sockmap-calling-sleepable-function-in-teardo.patch
+bpf-sock_map-move-cancel_work_sync-out-of-sock-lock.patch
+bpf-add-helper-macro-bpf_for_each_reg_in_vstate.patch
+bpf-fix-wrong-reg-type-conversion-in-release_referen.patch
+net-gso-fix-panic-on-frag_list-with-mixed-head-alloc.patch
+macsec-delete-new-rxsc-when-offload-fails.patch
+macsec-fix-secy-n_rx_sc-accounting.patch
+macsec-fix-detection-of-rxscs-when-toggling-offloadi.patch
+macsec-clear-encryption-keys-from-the-stack-after-se.patch
+octeontx2-pf-use-hardware-register-for-cqe-count.patch
+octeontx2-pf-nix-tx-overwrites-sq_ctx_hw_s-sq_int.patch
+net-tun-fix-memory-leaks-of-napi_get_frags.patch
+bnxt_en-fix-possible-crash-in-bnxt_hwrm_set_coal.patch
+bnxt_en-fix-potentially-incorrect-return-value-for-n.patch
+net-fman-unregister-ethernet-device-on-removal.patch
+capabilities-fix-undefined-behavior-in-bit-shift-for.patch
+phy-ralink-mt7621-pci-add-sentinel-to-quirks-table.patch
+kvm-s390-pv-don-t-allow-userspace-to-set-the-clock-u.patch
+net-lapbether-fix-issue-of-dev-reference-count-leaka.patch
+hamradio-fix-issue-of-dev-reference-count-leakage-in.patch
+net-wwan-iosm-fix-memory-leak-in-ipc_wwan_dellink.patch
+net-wwan-mhi-fix-memory-leak-in-mhi_mbim_dellink.patch
+drm-vc4-fix-missing-platform_unregister_drivers-call.patch
+tcp-prohibit-tcp_repair_options-if-data-was-already-.patch
+ipv6-addrlabel-fix-infoleak-when-sending-struct-ifad.patch
+can-af_can-fix-null-pointer-dereference-in-can_rx_re.patch
+net-stmmac-dwmac-meson8b-fix-meson8b_devm_clk_prepar.patch
+net-broadcom-fix-bcmgenet-kconfig.patch
+tipc-fix-the-msg-req-tlv-len-check-in-tipc_nl_compat.patch
+dmaengine-pxa_dma-use-platform_get_irq_optional.patch
+dmaengine-mv_xor_v2-fix-a-resource-leak-in-mv_xor_v2.patch
+dmaengine-ti-k3-udma-glue-fix-memory-leak-when-regis.patch
+net-lapbether-fix-issue-of-invalid-opcode-in-lapbeth.patch
+net-ethernet-mtk-star-emac-disable-napi-when-connect.patch
+drivers-net-xgene-disable-napi-when-register-irq-fai.patch
+perf-stat-fix-printing-os-prefix-in-csv-metrics-outp.patch
+perf-tools-add-the-include-perf-directory-to-.gitign.patch
+netfilter-nfnetlink-fix-potential-dead-lock-in-nfnet.patch
+netfilter-cleanup-nft_net-module_list-from-nf_tables.patch
+net-marvell-prestera-fix-memory-leak-in-prestera_rxt.patch
+net-nixge-disable-napi-when-enable-interrupts-failed.patch
+net-wwan-iosm-fix-memory-leak-in-ipc_pcie_read_bios_.patch
+net-mlx5-bridge-verify-lag-state-when-adding-bond-to.patch
+net-mlx5-allow-async-trigger-completion-execution-on.patch
+net-mlx5e-e-switch-fix-comparing-termination-table-i.patch
+net-cpsw-disable-napi-in-cpsw_ndo_open.patch
+net-cxgb3_main-disable-napi-when-bind-qsets-failed-i.patch
+stmmac-intel-enable-2.5gbps-for-intel-alderlake-s.patch
+stmmac-intel-update-pch-ptp-clock-rate-from-200mhz-t.patch
+mctp-fix-an-error-handling-path-in-mctp_init.patch
+cxgb4vf-shut-down-the-adapter-when-t4vf_update_port_.patch
+stmmac-dwmac-loongson-fix-missing-pci_disable_msi-wh.patch
+stmmac-dwmac-loongson-fix-missing-pci_disable_device.patch
+stmmac-dwmac-loongson-fix-missing-of_node_put-while-.patch
+net-phy-mscc-macsec-clear-encryption-keys-when-freei.patch
+net-atlantic-macsec-clear-encryption-keys-from-the-s.patch
+ethernet-s2io-disable-napi-when-start-nic-failed-in-.patch
+net-mv643xx_eth-disable-napi-when-init-rxq-or-txq-fa.patch
+ethernet-tundra-free-irq-when-alloc-ring-failed-in-t.patch
+net-macvlan-fix-memory-leaks-of-macvlan_common_newli.patch
+riscv-process-fix-kernel-info-leakage.patch
+riscv-vdso-fix-build-with-llvm.patch
+riscv-fix-reserved-memory-setup.patch
diff --git a/queue-5.15/soundwire-qcom-check-for-outanding-writes-before-doi.patch b/queue-5.15/soundwire-qcom-check-for-outanding-writes-before-doi.patch
new file mode 100644 (file)
index 0000000..9e27324
--- /dev/null
@@ -0,0 +1,42 @@
+From 84ad63b06077113fb92246649ebb2fa2ed823fe3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Oct 2022 12:02:06 +0100
+Subject: soundwire: qcom: check for outanding writes before doing a read
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit 49a467310dc4fae591a3547860ee04d8730780f4 ]
+
+Reading will increase the fifo count, so check for outstanding cmd wrt.
+write fifo depth to avoid overflow as read will also increase
+write fifo cnt.
+
+Fixes: a661308c34de ("soundwire: qcom: wait for fifo space to be available before read/write")
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20221026110210.6575-3-srinivas.kandagatla@linaro.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/qcom.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/soundwire/qcom.c b/drivers/soundwire/qcom.c
+index bbc8a9b1e87a..f88c5d451f09 100644
+--- a/drivers/soundwire/qcom.c
++++ b/drivers/soundwire/qcom.c
+@@ -351,6 +351,12 @@ static int qcom_swrm_cmd_fifo_rd_cmd(struct qcom_swrm_ctrl *swrm,
+       val = swrm_get_packed_reg_val(&swrm->rcmd_id, len, dev_addr, reg_addr);
++      /*
++       * Check for outstanding cmd wrt. write fifo depth to avoid
++       * overflow as read will also increase write fifo cnt.
++       */
++      swrm_wait_for_wr_fifo_avail(swrm);
++
+       /* wait for FIFO RD to complete to avoid overflow */
+       usleep_range(100, 105);
+       swrm->reg_write(swrm, SWRM_CMD_FIFO_RD_CMD, val);
+-- 
+2.35.1
+
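Review bot: The new call `swrm_wait_for_wr_fifo_avail(swrm);` in qcom_swrm_cmd_fifo_rd_cmd() discards its return value, so a wait that fails still falls through to the `SWRM_CMD_FIFO_RD_CMD` write it was meant to guard. The write path shown in the companion patch (soundwire-qcom-reinit-broadcast-completion) checks the same helper with `if (swrm_wait_for_wr_fifo_avail(swrm)) return SDW_CMD_FAIL_OTHER;`, and the read path should do likewise. The function body continues outside the hunk, so the error value should be matched to what its other failure paths return.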
diff --git a/queue-5.15/soundwire-qcom-reinit-broadcast-completion.patch b/queue-5.15/soundwire-qcom-reinit-broadcast-completion.patch
new file mode 100644 (file)
index 0000000..2b9a95a
--- /dev/null
@@ -0,0 +1,40 @@
+From c2bb979a57af7c3d4f602c79456dbd71ffd68d7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Oct 2022 12:02:05 +0100
+Subject: soundwire: qcom: reinit broadcast completion
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit f936fa7a954b262cb3908bbc8f01ba19dfaf9fbf ]
+
+For some reason we never reinit the broadcast completion, there is a
+danger that broadcast commands could be treated as completed by driver
+from previous complete status.
+Fix this by reinitializing the completion before sending a broadcast command.
+
+Fixes: ddea6cf7b619 ("soundwire: qcom: update register read/write routine")
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20221026110210.6575-2-srinivas.kandagatla@linaro.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/qcom.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/soundwire/qcom.c b/drivers/soundwire/qcom.c
+index 1ce6f948e9a4..bbc8a9b1e87a 100644
+--- a/drivers/soundwire/qcom.c
++++ b/drivers/soundwire/qcom.c
+@@ -315,6 +315,9 @@ static int qcom_swrm_cmd_fifo_wr_cmd(struct qcom_swrm_ctrl *swrm, u8 cmd_data,
+       if (swrm_wait_for_wr_fifo_avail(swrm))
+               return SDW_CMD_FAIL_OTHER;
++      if (cmd_id == SWR_BROADCAST_CMD_ID)
++              reinit_completion(&swrm->broadcast);
++
+       /* Its assumed that write is okay as we do not get any status back */
+       swrm->reg_write(swrm, SWRM_CMD_FIFO_WR_CMD, val);
+-- 
+2.35.1
+
diff --git a/queue-5.15/stmmac-dwmac-loongson-fix-missing-of_node_put-while-.patch b/queue-5.15/stmmac-dwmac-loongson-fix-missing-of_node_put-while-.patch
new file mode 100644 (file)
index 0000000..14e3e83
--- /dev/null
@@ -0,0 +1,78 @@
+From 807cf3e521c6c07722fd6255db11c7373a428625 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 19:46:47 +0800
+Subject: stmmac: dwmac-loongson: fix missing of_node_put() while module
+ exiting
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 7f94d0498f9c763f37172c08059ae91804c3075a ]
+
+The node returned by of_get_child_by_name() with refcount decremented,
+of_node_put() needs be called when finish using it. So add it in the
+error path in loongson_dwmac_probe() and in loongson_dwmac_remove().
+
+Fixes: 2ae34111fe4e ("stmmac: dwmac-loongson: fix invalid mdio_node")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/stmicro/stmmac/dwmac-loongson.c  | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c
+index bf6e9f3fe1ef..2ae59f94afe1 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c
+@@ -75,20 +75,24 @@ static int loongson_dwmac_probe(struct pci_dev *pdev, const struct pci_device_id
+               plat->mdio_bus_data = devm_kzalloc(&pdev->dev,
+                                                  sizeof(*plat->mdio_bus_data),
+                                                  GFP_KERNEL);
+-              if (!plat->mdio_bus_data)
+-                      return -ENOMEM;
++              if (!plat->mdio_bus_data) {
++                      ret = -ENOMEM;
++                      goto err_put_node;
++              }
+               plat->mdio_bus_data->needs_reset = true;
+       }
+       plat->dma_cfg = devm_kzalloc(&pdev->dev, sizeof(*plat->dma_cfg), GFP_KERNEL);
+-      if (!plat->dma_cfg)
+-              return -ENOMEM;
++      if (!plat->dma_cfg) {
++              ret = -ENOMEM;
++              goto err_put_node;
++      }
+       /* Enable pci device */
+       ret = pci_enable_device(pdev);
+       if (ret) {
+               dev_err(&pdev->dev, "%s: ERROR: failed to enable device\n", __func__);
+-              return ret;
++              goto err_put_node;
+       }
+       /* Get the base address of device */
+@@ -152,13 +156,18 @@ static int loongson_dwmac_probe(struct pci_dev *pdev, const struct pci_device_id
+       pci_disable_msi(pdev);
+ err_disable_device:
+       pci_disable_device(pdev);
++err_put_node:
++      of_node_put(plat->mdio_node);
+       return ret;
+ }
+ static void loongson_dwmac_remove(struct pci_dev *pdev)
+ {
++      struct net_device *ndev = dev_get_drvdata(&pdev->dev);
++      struct stmmac_priv *priv = netdev_priv(ndev);
+       int i;
++      of_node_put(priv->plat->mdio_node);
+       stmmac_dvr_remove(&pdev->dev);
+       for (i = 0; i < PCI_STD_NUM_BARS; i++) {
+-- 
+2.35.1
+
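Review bot: In loongson_dwmac_remove() the new `of_node_put(priv->plat->mdio_node);` runs before `stmmac_dvr_remove(&pdev->dev)`, so the node reference is dropped while the stmmac core still has to tear down using the same plat data. If stmmac_dvr_remove() still reaches mdio_node (its body is not shown here), the node could be released underneath it. Saving the pointer and releasing it afterwards avoids that ordering hazard: `struct device_node *mdio_node = priv->plat->mdio_node;`, then `stmmac_dvr_remove(&pdev->dev);` followed by `of_node_put(mdio_node);`. The remove function continues outside the hunk.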
diff --git a/queue-5.15/stmmac-dwmac-loongson-fix-missing-pci_disable_device.patch b/queue-5.15/stmmac-dwmac-loongson-fix-missing-pci_disable_device.patch
new file mode 100644 (file)
index 0000000..be13a26
--- /dev/null
@@ -0,0 +1,55 @@
+From 08d95554c3d0e072a599424f6467697ae9ef73fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 19:46:46 +0800
+Subject: stmmac: dwmac-loongson: fix missing pci_disable_device() in
+ loongson_dwmac_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit fe5b3ce8b4377e543960220f539b989a927afd8a ]
+
+Add missing pci_disable_device() in the error path in loongson_dwmac_probe().
+
+Fixes: 30bba69d7db4 ("stmmac: pci: Add dwmac support for Loongson")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c
+index b18f1e24f4f3..bf6e9f3fe1ef 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c
+@@ -97,7 +97,7 @@ static int loongson_dwmac_probe(struct pci_dev *pdev, const struct pci_device_id
+                       continue;
+               ret = pcim_iomap_regions(pdev, BIT(0), pci_name(pdev));
+               if (ret)
+-                      return ret;
++                      goto err_disable_device;
+               break;
+       }
+@@ -108,7 +108,8 @@ static int loongson_dwmac_probe(struct pci_dev *pdev, const struct pci_device_id
+       phy_mode = device_get_phy_mode(&pdev->dev);
+       if (phy_mode < 0) {
+               dev_err(&pdev->dev, "phy_mode not found\n");
+-              return phy_mode;
++              ret = phy_mode;
++              goto err_disable_device;
+       }
+       plat->phy_interface = phy_mode;
+@@ -149,6 +150,8 @@ static int loongson_dwmac_probe(struct pci_dev *pdev, const struct pci_device_id
+ err_disable_msi:
+       pci_disable_msi(pdev);
++err_disable_device:
++      pci_disable_device(pdev);
+       return ret;
+ }
+-- 
+2.35.1
+
diff --git a/queue-5.15/stmmac-dwmac-loongson-fix-missing-pci_disable_msi-wh.patch b/queue-5.15/stmmac-dwmac-loongson-fix-missing-pci_disable_msi-wh.patch
new file mode 100644 (file)
index 0000000..8eff462
--- /dev/null
@@ -0,0 +1,65 @@
+From 336b1cb36e6c87c8fd8147c0457bd210ac7773bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 19:46:45 +0800
+Subject: stmmac: dwmac-loongson: fix missing pci_disable_msi() while module
+ exiting
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit f2d45fdf9a0ed2c94c01c422a0d0add8ffd42099 ]
+
+pci_enable_msi() has been called in loongson_dwmac_probe(),
+so pci_disable_msi() needs be called in remove path and error
+path of probe().
+
+Fixes: 30bba69d7db4 ("stmmac: pci: Add dwmac support for Loongson")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/stmicro/stmmac/dwmac-loongson.c    | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c
+index 220bb454626c..b18f1e24f4f3 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c
+@@ -125,6 +125,7 @@ static int loongson_dwmac_probe(struct pci_dev *pdev, const struct pci_device_id
+       if (res.irq < 0) {
+               dev_err(&pdev->dev, "IRQ macirq not found\n");
+               ret = -ENODEV;
++              goto err_disable_msi;
+       }
+       res.wol_irq = of_irq_get_byname(np, "eth_wake_irq");
+@@ -137,9 +138,18 @@ static int loongson_dwmac_probe(struct pci_dev *pdev, const struct pci_device_id
+       if (res.lpi_irq < 0) {
+               dev_err(&pdev->dev, "IRQ eth_lpi not found\n");
+               ret = -ENODEV;
++              goto err_disable_msi;
+       }
+-      return stmmac_dvr_probe(&pdev->dev, plat, &res);
++      ret = stmmac_dvr_probe(&pdev->dev, plat, &res);
++      if (ret)
++              goto err_disable_msi;
++
++      return ret;
++
++err_disable_msi:
++      pci_disable_msi(pdev);
++      return ret;
+ }
+ static void loongson_dwmac_remove(struct pci_dev *pdev)
+@@ -155,6 +165,7 @@ static void loongson_dwmac_remove(struct pci_dev *pdev)
+               break;
+       }
++      pci_disable_msi(pdev);
+       pci_disable_device(pdev);
+ }
+-- 
+2.35.1
+
diff --git a/queue-5.15/stmmac-intel-enable-2.5gbps-for-intel-alderlake-s.patch b/queue-5.15/stmmac-intel-enable-2.5gbps-for-intel-alderlake-s.patch
new file mode 100644 (file)
index 0000000..01342ed
--- /dev/null
@@ -0,0 +1,53 @@
+From c7d46cba714b9bc26749788c67dc612dc309d303 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Feb 2022 10:33:25 +0800
+Subject: stmmac: intel: Enable 2.5Gbps for Intel AlderLake-S
+
+From: Wong Vee Khee <vee.khee.wong@linux.intel.com>
+
+[ Upstream commit 23d743301198f7903d732d5abb4f2b44f22f5df0 ]
+
+Intel AlderLake-S platform is capable of running on 2.5GBps link speed.
+
+This patch enables 2.5Gbps link speed on AlderLake-S platform.
+
+Signed-off-by: Wong Vee Khee <vee.khee.wong@linux.intel.com>
+Link: https://lore.kernel.org/r/20220225023325.474242-1-vee.khee.wong@linux.intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: dcea1a8107c0 ("stmmac: intel: Update PCH PTP clock rate from 200MHz to 204.8MHz")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c
+index b32f1f5d841f..3829bd23e47d 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c
+@@ -722,6 +722,7 @@ static int tgl_common_data(struct pci_dev *pdev,
+       plat->rx_queues_to_use = 6;
+       plat->tx_queues_to_use = 4;
+       plat->clk_ptp_rate = 200000000;
++      plat->speed_mode_2500 = intel_speed_mode_2500;
+       plat->safety_feat_cfg->tsoee = 1;
+       plat->safety_feat_cfg->mrxpee = 0;
+@@ -741,7 +742,6 @@ static int tgl_sgmii_phy0_data(struct pci_dev *pdev,
+ {
+       plat->bus_id = 1;
+       plat->phy_interface = PHY_INTERFACE_MODE_SGMII;
+-      plat->speed_mode_2500 = intel_speed_mode_2500;
+       plat->serdes_powerup = intel_serdes_powerup;
+       plat->serdes_powerdown = intel_serdes_powerdown;
+       return tgl_common_data(pdev, plat);
+@@ -756,7 +756,6 @@ static int tgl_sgmii_phy1_data(struct pci_dev *pdev,
+ {
+       plat->bus_id = 2;
+       plat->phy_interface = PHY_INTERFACE_MODE_SGMII;
+-      plat->speed_mode_2500 = intel_speed_mode_2500;
+       plat->serdes_powerup = intel_serdes_powerup;
+       plat->serdes_powerdown = intel_serdes_powerdown;
+       return tgl_common_data(pdev, plat);
+-- 
+2.35.1
+
diff --git a/queue-5.15/stmmac-intel-update-pch-ptp-clock-rate-from-200mhz-t.patch b/queue-5.15/stmmac-intel-update-pch-ptp-clock-rate-from-200mhz-t.patch
new file mode 100644 (file)
index 0000000..e333b26
--- /dev/null
@@ -0,0 +1,87 @@
+From 1eda8ef183cd2184997cce325877e9b3c18db800 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 21:08:11 -0500
+Subject: stmmac: intel: Update PCH PTP clock rate from 200MHz to 204.8MHz
+
+From: Tan, Tee Min <tee.min.tan@intel.com>
+
+[ Upstream commit dcea1a8107c04b9521dee1dd37971757a22db162 ]
+
+Current Intel platform has an output of ~976ms interval
+when probed on 1 Pulse-per-Second(PPS) hardware pin.
+
+The correct PTP clock frequency for PCH GbE should be 204.8MHz
+instead of 200MHz. PSE GbE PTP clock rate remains at 200MHz.
+
+Fixes: 58da0cfa6cf1 ("net: stmmac: create dwmac-intel.c to contain all Intel platform")
+Signed-off-by: Ling Pei Lee <pei.lee.ling@intel.com>
+Signed-off-by: Tan, Tee Min <tee.min.tan@intel.com>
+Signed-off-by: Voon Weifeng <weifeng.voon@intel.com>
+Signed-off-by: Gan Yi Fang <yi.fang.gan@intel.com>
+Link: https://lore.kernel.org/r/20221108020811.12919-1-yi.fang.gan@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c
+index 3829bd23e47d..fb9ff4ce9453 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c
+@@ -593,7 +593,6 @@ static int ehl_common_data(struct pci_dev *pdev,
+ {
+       plat->rx_queues_to_use = 8;
+       plat->tx_queues_to_use = 8;
+-      plat->clk_ptp_rate = 200000000;
+       plat->use_phy_wol = 1;
+       plat->safety_feat_cfg->tsoee = 1;
+@@ -618,6 +617,8 @@ static int ehl_sgmii_data(struct pci_dev *pdev,
+       plat->serdes_powerup = intel_serdes_powerup;
+       plat->serdes_powerdown = intel_serdes_powerdown;
++      plat->clk_ptp_rate = 204800000;
++
+       return ehl_common_data(pdev, plat);
+ }
+@@ -631,6 +632,8 @@ static int ehl_rgmii_data(struct pci_dev *pdev,
+       plat->bus_id = 1;
+       plat->phy_interface = PHY_INTERFACE_MODE_RGMII;
++      plat->clk_ptp_rate = 204800000;
++
+       return ehl_common_data(pdev, plat);
+ }
+@@ -647,6 +650,8 @@ static int ehl_pse0_common_data(struct pci_dev *pdev,
+       plat->bus_id = 2;
+       plat->addr64 = 32;
++      plat->clk_ptp_rate = 200000000;
++
+       intel_mgbe_pse_crossts_adj(intel_priv, EHL_PSE_ART_MHZ);
+       return ehl_common_data(pdev, plat);
+@@ -686,6 +691,8 @@ static int ehl_pse1_common_data(struct pci_dev *pdev,
+       plat->bus_id = 3;
+       plat->addr64 = 32;
++      plat->clk_ptp_rate = 200000000;
++
+       intel_mgbe_pse_crossts_adj(intel_priv, EHL_PSE_ART_MHZ);
+       return ehl_common_data(pdev, plat);
+@@ -721,7 +728,7 @@ static int tgl_common_data(struct pci_dev *pdev,
+ {
+       plat->rx_queues_to_use = 6;
+       plat->tx_queues_to_use = 4;
+-      plat->clk_ptp_rate = 200000000;
++      plat->clk_ptp_rate = 204800000;
+       plat->speed_mode_2500 = intel_speed_mode_2500;
+       plat->safety_feat_cfg->tsoee = 1;
+-- 
+2.35.1
+
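Review bot: The two PTP clock rates are now written as bare literals in five places (`204800000` in ehl_sgmii_data, ehl_rgmii_data and tgl_common_data, `200000000` in the two PSE helpers), so a mistyped digit or a PCH/PSE mix-up would be hard to spot in review. Named constants would carry the distinction the commit message draws, for example `#define INTEL_PCH_PTP_CLK_RATE 204800000` and `#define INTEL_PSE_PTP_CLK_RATE 200000000` (names are only a suggestion). ehl_common_data() no longer sets a rate at all, so any caller that does not assign `plat->clk_ptp_rate` first would be left with whatever value the struct already holds; the full caller list is outside these hunks and should be checked.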
diff --git a/queue-5.15/tcp-prohibit-tcp_repair_options-if-data-was-already-.patch b/queue-5.15/tcp-prohibit-tcp_repair_options-if-data-was-already-.patch
new file mode 100644 (file)
index 0000000..e2e2657
--- /dev/null
@@ -0,0 +1,78 @@
+From 25b13cf746c9dbf7c6de451e034cddfc12c33fdb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 10:27:23 +0800
+Subject: tcp: prohibit TCP_REPAIR_OPTIONS if data was already sent
+
+From: Lu Wei <luwei32@huawei.com>
+
+[ Upstream commit 0c175da7b0378445f5ef53904247cfbfb87e0b78 ]
+
+If setsockopt with option name of TCP_REPAIR_OPTIONS and opt_code
+of TCPOPT_SACK_PERM is called to enable sack after data is sent
+and dupacks are received , it will trigger a warning in function
+tcp_verify_left_out() as follows:
+
+============================================
+WARNING: CPU: 8 PID: 0 at net/ipv4/tcp_input.c:2132
+tcp_timeout_mark_lost+0x154/0x160
+tcp_enter_loss+0x2b/0x290
+tcp_retransmit_timer+0x50b/0x640
+tcp_write_timer_handler+0x1c8/0x340
+tcp_write_timer+0xe5/0x140
+call_timer_fn+0x3a/0x1b0
+__run_timers.part.0+0x1bf/0x2d0
+run_timer_softirq+0x43/0xb0
+__do_softirq+0xfd/0x373
+__irq_exit_rcu+0xf6/0x140
+
+The warning is caused in the following steps:
+1. a socket named socketA is created
+2. socketA enters repair mode without build a connection
+3. socketA calls connect() and its state is changed to TCP_ESTABLISHED
+   directly
+4. socketA leaves repair mode
+5. socketA calls sendmsg() to send data, packets_out and sack_outs(dup
+   ack receives) increase
+6. socketA enters repair mode again
+7. socketA calls setsockopt with TCPOPT_SACK_PERM to enable sack
+8. retransmit timer expires, it calls tcp_timeout_mark_lost(), lost_out
+   increases
+9. sack_outs + lost_out > packets_out triggers since lost_out and
+   sack_outs increase repeatly
+
+In function tcp_timeout_mark_lost(), tp->sacked_out will be cleared if
+Step7 not happen and the warning will not be triggered. As suggested by
+Denis and Eric, TCP_REPAIR_OPTIONS should be prohibited if data was
+already sent.
+
+socket-tcp tests in CRIU has been tested as follows:
+$ sudo ./test/zdtm.py run -t zdtm/static/socket-tcp*  --keep-going \
+       --ignore-taint
+
+socket-tcp* represent all socket-tcp tests in test/zdtm/static/.
+
+Fixes: b139ba4e90dc ("tcp: Repair connection-time negotiated parameters")
+Signed-off-by: Lu Wei <luwei32@huawei.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 5b4e170b6a34..fe1972aad279 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3536,7 +3536,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname,
+       case TCP_REPAIR_OPTIONS:
+               if (!tp->repair)
+                       err = -EINVAL;
+-              else if (sk->sk_state == TCP_ESTABLISHED)
++              else if (sk->sk_state == TCP_ESTABLISHED && !tp->bytes_sent)
+                       err = tcp_repair_options_est(sk, optval, optlen);
+               else
+                       err = -EPERM;
+-- 
+2.35.1
+
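Review bot: The new `!tp->bytes_sent` test in the `TCP_REPAIR_OPTIONS` case of do_tcp_setsockopt() has no comment, and the reason for it is recorded only in the commit message: enabling SACK once data is in flight lets `sacked_out + lost_out` exceed `packets_out`. A short comment above the branch would keep that invariant visible, e.g. `/* options may only be repaired before any data has been sent */`. A caller that has already sent data now gets the same `-EPERM` as a socket that is not in TCP_ESTABLISHED, so user space cannot tell the two cases apart; that looks intended but is worth stating in the comment. The function body starts and ends outside the hunk.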
diff --git a/queue-5.15/tipc-fix-the-msg-req-tlv-len-check-in-tipc_nl_compat.patch b/queue-5.15/tipc-fix-the-msg-req-tlv-len-check-in-tipc_nl_compat.patch
new file mode 100644 (file)
index 0000000..0d534d9
--- /dev/null
@@ -0,0 +1,59 @@
+From fac8453b1691e44da0607dffb0c557a049fe8df9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 16:48:53 -0400
+Subject: tipc: fix the msg->req tlv len check in
+ tipc_nl_compat_name_table_dump_header
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 1c075b192fe41030457cd4a5f7dea730412bca40 ]
+
+This is a follow-up for commit 974cb0e3e7c9 ("tipc: fix uninit-value
+in tipc_nl_compat_name_table_dump") where it should have type casted
+sizeof(..) to int to work when TLV_GET_DATA_LEN() returns a negative
+value.
+
+syzbot reported a call trace because of it:
+
+  BUG: KMSAN: uninit-value in ...
+   tipc_nl_compat_name_table_dump+0x841/0xea0 net/tipc/netlink_compat.c:934
+   __tipc_nl_compat_dumpit+0xab2/0x1320 net/tipc/netlink_compat.c:238
+   tipc_nl_compat_dumpit+0x991/0xb50 net/tipc/netlink_compat.c:321
+   tipc_nl_compat_recv+0xb6e/0x1640 net/tipc/netlink_compat.c:1324
+   genl_family_rcv_msg_doit net/netlink/genetlink.c:731 [inline]
+   genl_family_rcv_msg net/netlink/genetlink.c:775 [inline]
+   genl_rcv_msg+0x103f/0x1260 net/netlink/genetlink.c:792
+   netlink_rcv_skb+0x3a5/0x6c0 net/netlink/af_netlink.c:2501
+   genl_rcv+0x3c/0x50 net/netlink/genetlink.c:803
+   netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
+   netlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345
+   netlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921
+   sock_sendmsg_nosec net/socket.c:714 [inline]
+   sock_sendmsg net/socket.c:734 [inline]
+
+Reported-by: syzbot+e5dbaaa238680ce206ea@syzkaller.appspotmail.com
+Fixes: 974cb0e3e7c9 ("tipc: fix uninit-value in tipc_nl_compat_name_table_dump")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Link: https://lore.kernel.org/r/ccd6a7ea801b15aec092c3b532a883b4c5708695.1667594933.git.lucien.xin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/netlink_compat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
+index 0749df80454d..ce00f271ca6b 100644
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -880,7 +880,7 @@ static int tipc_nl_compat_name_table_dump_header(struct tipc_nl_compat_msg *msg)
+       };
+       ntq = (struct tipc_name_table_query *)TLV_DATA(msg->req);
+-      if (TLV_GET_DATA_LEN(msg->req) < sizeof(struct tipc_name_table_query))
++      if (TLV_GET_DATA_LEN(msg->req) < (int)sizeof(struct tipc_name_table_query))
+               return -EINVAL;
+       depth = ntohl(ntq->depth);
+-- 
+2.35.1
+
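Review bot: The `(int)` cast in the length check of tipc_nl_compat_name_table_dump_header() is what makes the check effective, yet nothing at the call site says so. Without it, a negative `TLV_GET_DATA_LEN(msg->req)` is converted to unsigned by the comparison with `sizeof` and passes as a very large length. I would add `/* TLV_GET_DATA_LEN() can be negative; compare as signed */` above the `if` so the cast is not later removed as redundant. The request TLV arrives in a netlink message (see the call trace), so any other comparisons of `TLV_GET_DATA_LEN()` against `sizeof` in this file, which are outside this hunk, are worth checking for the same conversion. The function starts and ends outside the hunk.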
diff --git a/queue-5.15/wifi-cfg80211-fix-memory-leak-in-query_regdb_file.patch b/queue-5.15/wifi-cfg80211-fix-memory-leak-in-query_regdb_file.patch
new file mode 100644 (file)
index 0000000..23d659a
--- /dev/null
@@ -0,0 +1,55 @@
+From a46b69b08576e241ac64e476b75875283b05e566 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Oct 2022 13:40:40 +0200
+Subject: wifi: cfg80211: fix memory leak in query_regdb_file()
+
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+
+[ Upstream commit 57b962e627ec0ae53d4d16d7bd1033e27e67677a ]
+
+In the function query_regdb_file() the alpha2 parameter is duplicated
+using kmemdup() and subsequently freed in regdb_fw_cb(). However,
+request_firmware_nowait() can fail without calling regdb_fw_cb() and
+thus leak memory.
+
+Fixes: 007f6c5e6eb4 ("cfg80211: support loading regulatory database as firmware file")
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/reg.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/wireless/reg.c b/net/wireless/reg.c
+index 54c13ea7d977..7b19a2087db9 100644
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -1083,6 +1083,8 @@ MODULE_FIRMWARE("regulatory.db");
+ static int query_regdb_file(const char *alpha2)
+ {
++      int err;
++
+       ASSERT_RTNL();
+       if (regdb)
+@@ -1092,9 +1094,13 @@ static int query_regdb_file(const char *alpha2)
+       if (!alpha2)
+               return -ENOMEM;
+-      return request_firmware_nowait(THIS_MODULE, true, "regulatory.db",
+-                                     &reg_pdev->dev, GFP_KERNEL,
+-                                     (void *)alpha2, regdb_fw_cb);
++      err = request_firmware_nowait(THIS_MODULE, true, "regulatory.db",
++                                    &reg_pdev->dev, GFP_KERNEL,
++                                    (void *)alpha2, regdb_fw_cb);
++      if (err)
++              kfree(alpha2);
++
++      return err;
+ }
+ int reg_reload_regdb(void)
+-- 
+2.35.1
+
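Review bot: Ownership of the duplicated `alpha2` buffer in query_regdb_file() is now split between two places and is not documented: on success regdb_fw_cb() frees it, and on failure the new `kfree(alpha2)` does. A comment above the call would make that explicit, such as `/* regdb_fw_cb() frees alpha2; if the request cannot be queued the callback never runs, so free it here */`. The `(void *)alpha2` cast also discards the `const` qualifier of the parameter. Holding the kmemdup() result in a separate non-const local would avoid the cast, though the allocation line itself is outside the visible hunks.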
diff --git a/queue-5.15/wifi-cfg80211-silence-a-sparse-rcu-warning.patch b/queue-5.15/wifi-cfg80211-silence-a-sparse-rcu-warning.patch
new file mode 100644 (file)
index 0000000..374df10
--- /dev/null
@@ -0,0 +1,38 @@
+From b053856fc53eb5ae56b11e4ddd2d2ced419005d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Oct 2022 19:41:51 +0200
+Subject: wifi: cfg80211: silence a sparse RCU warning
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 03c0ad4b06c3566de624b4f4b78ac1a5d1e4c8e7 ]
+
+All we're going to do with this pointer is assign it to
+another __rcu pointer, but sparse can't see that, so
+use rcu_access_pointer() to silence the warning here.
+
+Fixes: c90b93b5b782 ("wifi: cfg80211: update hidden BSSes to avoid WARN_ON")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index f0de22a6caf7..2477d28c2dab 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -1676,7 +1676,9 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
+               if (old == rcu_access_pointer(known->pub.ies))
+                       rcu_assign_pointer(known->pub.ies, new->pub.beacon_ies);
+-              cfg80211_update_hidden_bsses(known, new->pub.beacon_ies, old);
++              cfg80211_update_hidden_bsses(known,
++                                           rcu_access_pointer(new->pub.beacon_ies),
++                                           old);
+               if (old)
+                       kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
+-- 
+2.35.1
+
diff --git a/queue-5.15/wifi-mac80211-set-twt-information-frame-disabled-bit.patch b/queue-5.15/wifi-mac80211-set-twt-information-frame-disabled-bit.patch
new file mode 100644 (file)
index 0000000..d1cb935
--- /dev/null
@@ -0,0 +1,39 @@
+From 14ba9f958b0c8628b531dc447a93337c87c72baf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Oct 2022 09:56:53 +0800
+Subject: wifi: mac80211: Set TWT Information Frame Disabled bit as 1
+
+From: Howard Hsu <howard-yh.hsu@mediatek.com>
+
+[ Upstream commit 30ac96f7cc973bb850c718c9bbe1fdcedfbe826b ]
+
+The TWT Information Frame Disabled bit of control field of TWT Setup
+frame shall be set to 1 since handling TWT Information frame is not
+supported by current mac80211 implementation.
+
+Fixes: f5a4c24e689f ("mac80211: introduce individual TWT support in AP mode")
+Signed-off-by: Howard Hsu <howard-yh.hsu@mediatek.com>
+Link: https://lore.kernel.org/r/20221027015653.1448-1-howard-yh.hsu@mediatek.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/s1g.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/mac80211/s1g.c b/net/mac80211/s1g.c
+index 4141bc80cdfd..10b34bc4b67d 100644
+--- a/net/mac80211/s1g.c
++++ b/net/mac80211/s1g.c
+@@ -112,6 +112,9 @@ ieee80211_s1g_rx_twt_setup(struct ieee80211_sub_if_data *sdata,
+               goto out;
+       }
++      /* TWT Information not supported yet */
++      twt->control |= IEEE80211_TWT_CONTROL_RX_DISABLED;
++
+       drv_add_twt_setup(sdata->local, sdata, &sta->sta, twt);
+ out:
+       ieee80211_s1g_send_twt_setup(sdata, mgmt->sa, sdata->vif.addr, twt);
+-- 
+2.35.1
+
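Review bot: `IEEE80211_TWT_CONTROL_RX_DISABLED` is set after the closing brace of the branch that ends in `goto out`, so a request taking that branch reaches `ieee80211_s1g_send_twt_setup()` at `out:` without the bit set. If that branch sends a reject response (its condition is outside the hunk, so this is inferred), the commit message's requirement that the bit be 1 in the TWT Setup frame is not met on that path. Moving the two added lines above that branch would cover both paths. ieee80211_s1g_rx_twt_setup() starts outside the hunk.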