--- /dev/null
+From 01f4fd27087078c90a0e22860d1dfa2cd0510791 Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+Date: Wed, 2 Aug 2023 19:43:20 +0800
+Subject: bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+commit 01f4fd27087078c90a0e22860d1dfa2cd0510791 upstream.
+
+BUG_ON(!vlan_info) is triggered in unregister_vlan_dev() with
+following testcase:
+
+ # ip netns add ns1
+ # ip netns exec ns1 ip link add bond0 type bond mode 0
+ # ip netns exec ns1 ip link add bond_slave_1 type veth peer veth2
+ # ip netns exec ns1 ip link set bond_slave_1 master bond0
+ # ip netns exec ns1 ip link add link bond_slave_1 name vlan10 type vlan id 10 protocol 802.1ad
+ # ip netns exec ns1 ip link add link bond0 name bond0_vlan10 type vlan id 10 protocol 802.1ad
+ # ip netns exec ns1 ip link set bond_slave_1 nomaster
+ # ip netns del ns1
+
+The logical analysis of the problem is as follows:
+
+1. create ETH_P_8021AD protocol vlan10 for bond_slave_1:
+register_vlan_dev()
+ vlan_vid_add()
+ vlan_info_alloc()
+ __vlan_vid_add() // add [ETH_P_8021AD, 10] vid to bond_slave_1
+
+2. create ETH_P_8021AD protocol bond0_vlan10 for bond0:
+register_vlan_dev()
+ vlan_vid_add()
+ __vlan_vid_add()
+ vlan_add_rx_filter_info()
+ if (!vlan_hw_filter_capable(dev, proto)) // condition established because bond0 without NETIF_F_HW_VLAN_STAG_FILTER
+ return 0;
+
+ if (netif_device_present(dev))
+ return dev->netdev_ops->ndo_vlan_rx_add_vid(dev, proto, vid); // will be never called
+ // The slaves of bond0 will not refer to the [ETH_P_8021AD, 10] vid.
+
+3. detach bond_slave_1 from bond0:
+__bond_release_one()
+ vlan_vids_del_by_dev()
+ list_for_each_entry(vid_info, &vlan_info->vid_list, list)
+ vlan_vid_del(dev, vid_info->proto, vid_info->vid);
+ // bond_slave_1 [ETH_P_8021AD, 10] vid will be deleted.
+ // bond_slave_1->vlan_info will be assigned NULL.
+
+4. delete vlan10 during delete ns1:
+default_device_exit_batch()
+ dev->rtnl_link_ops->dellink() // unregister_vlan_dev() for vlan10
+ vlan_info = rtnl_dereference(real_dev->vlan_info); // real_dev of vlan10 is bond_slave_1
+ BUG_ON(!vlan_info); // bond_slave_1->vlan_info is NULL now, bug is triggered!!!
+
+Add S-VLAN tag related features support to bond driver. So the bond driver
+will always propagate the VLAN info to its slaves.
+
+Fixes: 8ad227ff89a7 ("net: vlan: add 802.1ad support")
+Suggested-by: Ido Schimmel <idosch@idosch.org>
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://lore.kernel.org/r/20230802114320.4156068-1-william.xuanziyang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -4395,7 +4395,9 @@ void bond_setup(struct net_device *bond_
+
+ bond_dev->hw_features = BOND_VLAN_FEATURES |
+ NETIF_F_HW_VLAN_CTAG_RX |
+- NETIF_F_HW_VLAN_CTAG_FILTER;
++ NETIF_F_HW_VLAN_CTAG_FILTER |
++ NETIF_F_HW_VLAN_STAG_RX |
++ NETIF_F_HW_VLAN_STAG_FILTER;
+
+ bond_dev->hw_features |= NETIF_F_GSO_ENCAP_ALL | NETIF_F_GSO_UDP_L4;
+ bond_dev->features |= bond_dev->hw_features;
--- /dev/null
+From a47e598fbd8617967e49d85c49c22f9fc642704c Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 3 Aug 2023 16:30:21 +0000
+Subject: dccp: fix data-race around dp->dccps_mss_cache
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit a47e598fbd8617967e49d85c49c22f9fc642704c upstream.
+
+dccp_sendmsg() reads dp->dccps_mss_cache before locking the socket.
+Same thing in do_dccp_getsockopt().
+
+Add READ_ONCE()/WRITE_ONCE() annotations,
+and change dccp_sendmsg() to check again dccps_mss_cache
+after socket is locked.
+
+Fixes: 7c657876b63c ("[DCCP]: Initial implementation")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20230803163021.2958262-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dccp/output.c | 2 +-
+ net/dccp/proto.c | 10 ++++++++--
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/dccp/output.c
++++ b/net/dccp/output.c
+@@ -189,7 +189,7 @@ unsigned int dccp_sync_mss(struct sock *
+
+ /* And store cached results */
+ icsk->icsk_pmtu_cookie = pmtu;
+- dp->dccps_mss_cache = cur_mps;
++ WRITE_ONCE(dp->dccps_mss_cache, cur_mps);
+
+ return cur_mps;
+ }
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -648,7 +648,7 @@ static int do_dccp_getsockopt(struct soc
+ return dccp_getsockopt_service(sk, len,
+ (__be32 __user *)optval, optlen);
+ case DCCP_SOCKOPT_GET_CUR_MPS:
+- val = dp->dccps_mss_cache;
++ val = READ_ONCE(dp->dccps_mss_cache);
+ break;
+ case DCCP_SOCKOPT_AVAILABLE_CCIDS:
+ return ccid_getsockopt_builtin_ccids(sk, len, optval, optlen);
+@@ -770,7 +770,7 @@ int dccp_sendmsg(struct sock *sk, struct
+
+ trace_dccp_probe(sk, len);
+
+- if (len > dp->dccps_mss_cache)
++ if (len > READ_ONCE(dp->dccps_mss_cache))
+ return -EMSGSIZE;
+
+ lock_sock(sk);
+@@ -803,6 +803,12 @@ int dccp_sendmsg(struct sock *sk, struct
+ goto out_discard;
+ }
+
++ /* We need to check dccps_mss_cache after socket is locked. */
++ if (len > dp->dccps_mss_cache) {
++ rc = -EMSGSIZE;
++ goto out_discard;
++ }
++
+ skb_reserve(skb, sk->sk_prot->max_header);
+ rc = memcpy_from_msg(skb_put(skb, len), msg, len);
+ if (rc != 0)
--- /dev/null
+From 59eeb232940515590de513b997539ef495faca9a Mon Sep 17 00:00:00 2001
+From: Andrew Kanner <andrew.kanner@gmail.com>
+Date: Thu, 3 Aug 2023 20:59:48 +0200
+Subject: drivers: net: prevent tun_build_skb() to exceed the packet size limit
+
+From: Andrew Kanner <andrew.kanner@gmail.com>
+
+commit 59eeb232940515590de513b997539ef495faca9a upstream.
+
+Using the syzkaller repro with reduced packet size it was discovered
+that XDP_PACKET_HEADROOM is not checked in tun_can_build_skb(),
+although pad may be incremented in tun_build_skb(). This may end up
+with exceeding the PAGE_SIZE limit in tun_build_skb().
+
+Jason Wang <jasowang@redhat.com> proposed to count XDP_PACKET_HEADROOM
+always (e.g. without rcu_access_pointer(tun->xdp_prog)) in
+tun_can_build_skb() since there's a window during which XDP program
+might be attached between tun_can_build_skb() and tun_build_skb().
+
+Fixes: 7df13219d757 ("tun: reserve extra headroom only when XDP is set")
+Link: https://syzkaller.appspot.com/bug?extid=f817490f5bd20541b90a
+Signed-off-by: Andrew Kanner <andrew.kanner@gmail.com>
+Link: https://lore.kernel.org/r/20230803185947.2379988-1-andrew.kanner@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tun.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1654,7 +1654,7 @@ static bool tun_can_build_skb(struct tun
+ if (zerocopy)
+ return false;
+
+- if (SKB_DATA_ALIGN(len + TUN_RX_PAD) +
++ if (SKB_DATA_ALIGN(len + TUN_RX_PAD + XDP_PACKET_HEADROOM) +
+ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) > PAGE_SIZE)
+ return false;
+
--- /dev/null
+From 4fdfaef71fced490835145631a795497646f4555 Mon Sep 17 00:00:00 2001
+From: Douglas Miller <doug.miller@cornelisnetworks.com>
+Date: Wed, 2 Aug 2023 13:32:41 -0400
+Subject: IB/hfi1: Fix possible panic during hotplug remove
+
+From: Douglas Miller <doug.miller@cornelisnetworks.com>
+
+commit 4fdfaef71fced490835145631a795497646f4555 upstream.
+
+During hotplug remove it is possible that the update counters work
+might be pending, and may run after memory has been freed.
+Cancel the update counters work before freeing memory.
+
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Signed-off-by: Douglas Miller <doug.miller@cornelisnetworks.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
+Link: https://lore.kernel.org/r/169099756100.3927190.15284930454106475280.stgit@awfm-02.cornelisnetworks.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/hfi1/chip.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/hw/hfi1/chip.c
++++ b/drivers/infiniband/hw/hfi1/chip.c
+@@ -12178,6 +12178,7 @@ static void free_cntrs(struct hfi1_devda
+
+ if (dd->synth_stats_timer.function)
+ del_timer_sync(&dd->synth_stats_timer);
++ cancel_work_sync(&dd->update_cntr_work);
+ ppd = (struct hfi1_pportdata *)(dd + 1);
+ for (i = 0; i < dd->num_pports; i++, ppd++) {
+ kfree(ppd->cntrs);
--- /dev/null
+From 1696ec8654016dad3b1baf6c024303e584400453 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Wed, 2 Aug 2023 10:40:29 -0700
+Subject: mISDN: Update parameter type of dsp_cmx_send()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 1696ec8654016dad3b1baf6c024303e584400453 upstream.
+
+When booting a kernel with CONFIG_MISDN_DSP=y and CONFIG_CFI_CLANG=y,
+there is a failure when dsp_cmx_send() is called indirectly from
+call_timer_fn():
+
+ [ 0.371412] CFI failure at call_timer_fn+0x2f/0x150 (target: dsp_cmx_send+0x0/0x530; expected type: 0x92ada1e9)
+
+The function pointer prototype that call_timer_fn() expects is
+
+ void (*fn)(struct timer_list *)
+
+whereas dsp_cmx_send() has a parameter type of 'void *', which causes
+the control flow integrity checks to fail because the parameter types do
+not match.
+
+Change dsp_cmx_send()'s parameter type to be 'struct timer_list' to
+match the expected prototype. The argument is unused anyways, so this
+has no functional change, aside from avoiding the CFI failure.
+
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202308020936.58787e6c-oliver.sang@intel.com
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Fixes: e313ac12eb13 ("mISDN: Convert timers to use timer_setup()")
+Link: https://lore.kernel.org/r/20230802-fix-dsp_cmx_send-cfi-failure-v1-1-2f2e79b0178d@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/isdn/mISDN/dsp.h | 2 +-
+ drivers/isdn/mISDN/dsp_cmx.c | 2 +-
+ drivers/isdn/mISDN/dsp_core.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/isdn/mISDN/dsp.h
++++ b/drivers/isdn/mISDN/dsp.h
+@@ -247,7 +247,7 @@ extern void dsp_cmx_hardware(struct dsp_
+ extern int dsp_cmx_conf(struct dsp *dsp, u32 conf_id);
+ extern void dsp_cmx_receive(struct dsp *dsp, struct sk_buff *skb);
+ extern void dsp_cmx_hdlc(struct dsp *dsp, struct sk_buff *skb);
+-extern void dsp_cmx_send(void *arg);
++extern void dsp_cmx_send(struct timer_list *arg);
+ extern void dsp_cmx_transmit(struct dsp *dsp, struct sk_buff *skb);
+ extern int dsp_cmx_del_conf_member(struct dsp *dsp);
+ extern int dsp_cmx_del_conf(struct dsp_conf *conf);
+--- a/drivers/isdn/mISDN/dsp_cmx.c
++++ b/drivers/isdn/mISDN/dsp_cmx.c
+@@ -1625,7 +1625,7 @@ static u16 dsp_count; /* last sample cou
+ static int dsp_count_valid; /* if we have last sample count */
+
+ void
+-dsp_cmx_send(void *arg)
++dsp_cmx_send(struct timer_list *arg)
+ {
+ struct dsp_conf *conf;
+ struct dsp_conf_member *member;
+--- a/drivers/isdn/mISDN/dsp_core.c
++++ b/drivers/isdn/mISDN/dsp_core.c
+@@ -1202,7 +1202,7 @@ static int __init dsp_init(void)
+ }
+
+ /* set sample timer */
+- timer_setup(&dsp_spl_tl, (void *)dsp_cmx_send, 0);
++ timer_setup(&dsp_spl_tl, dsp_cmx_send, 0);
+ dsp_spl_tl.expires = jiffies + dsp_tics;
+ dsp_spl_jiffies = dsp_spl_tl.expires;
+ add_timer(&dsp_spl_tl);
--- /dev/null
+From 8a9896177784063d01068293caea3f74f6830ff6 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 3 Aug 2023 14:56:00 +0000
+Subject: net/packet: annotate data-races around tp->status
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 8a9896177784063d01068293caea3f74f6830ff6 upstream.
+
+Another syzbot report [1] is about tp->status lockless reads
+from __packet_get_status()
+
+[1]
+BUG: KCSAN: data-race in __packet_rcv_has_room / __packet_set_status
+
+write to 0xffff888117d7c080 of 8 bytes by interrupt on cpu 0:
+__packet_set_status+0x78/0xa0 net/packet/af_packet.c:407
+tpacket_rcv+0x18bb/0x1a60 net/packet/af_packet.c:2483
+deliver_skb net/core/dev.c:2173 [inline]
+__netif_receive_skb_core+0x408/0x1e80 net/core/dev.c:5337
+__netif_receive_skb_one_core net/core/dev.c:5491 [inline]
+__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5607
+process_backlog+0x21f/0x380 net/core/dev.c:5935
+__napi_poll+0x60/0x3b0 net/core/dev.c:6498
+napi_poll net/core/dev.c:6565 [inline]
+net_rx_action+0x32b/0x750 net/core/dev.c:6698
+__do_softirq+0xc1/0x265 kernel/softirq.c:571
+invoke_softirq kernel/softirq.c:445 [inline]
+__irq_exit_rcu+0x57/0xa0 kernel/softirq.c:650
+sysvec_apic_timer_interrupt+0x6d/0x80 arch/x86/kernel/apic/apic.c:1106
+asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
+smpboot_thread_fn+0x33c/0x4a0 kernel/smpboot.c:112
+kthread+0x1d7/0x210 kernel/kthread.c:379
+ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
+
+read to 0xffff888117d7c080 of 8 bytes by interrupt on cpu 1:
+__packet_get_status net/packet/af_packet.c:436 [inline]
+packet_lookup_frame net/packet/af_packet.c:524 [inline]
+__tpacket_has_room net/packet/af_packet.c:1255 [inline]
+__packet_rcv_has_room+0x3f9/0x450 net/packet/af_packet.c:1298
+tpacket_rcv+0x275/0x1a60 net/packet/af_packet.c:2285
+deliver_skb net/core/dev.c:2173 [inline]
+dev_queue_xmit_nit+0x38a/0x5e0 net/core/dev.c:2243
+xmit_one net/core/dev.c:3574 [inline]
+dev_hard_start_xmit+0xcf/0x3f0 net/core/dev.c:3594
+__dev_queue_xmit+0xefb/0x1d10 net/core/dev.c:4244
+dev_queue_xmit include/linux/netdevice.h:3088 [inline]
+can_send+0x4eb/0x5d0 net/can/af_can.c:276
+bcm_can_tx+0x314/0x410 net/can/bcm.c:302
+bcm_tx_timeout_handler+0xdb/0x260
+__run_hrtimer kernel/time/hrtimer.c:1685 [inline]
+__hrtimer_run_queues+0x217/0x700 kernel/time/hrtimer.c:1749
+hrtimer_run_softirq+0xd6/0x120 kernel/time/hrtimer.c:1766
+__do_softirq+0xc1/0x265 kernel/softirq.c:571
+run_ksoftirqd+0x17/0x20 kernel/softirq.c:939
+smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164
+kthread+0x1d7/0x210 kernel/kthread.c:379
+ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
+
+value changed: 0x0000000000000000 -> 0x0000000020000081
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 6.4.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
+
+Fixes: 69e3c75f4d54 ("net: TX_RING and packet mmap")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20230803145600.2937518-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -370,18 +370,20 @@ static void __packet_set_status(struct p
+ {
+ union tpacket_uhdr h;
+
++ /* WRITE_ONCE() are paired with READ_ONCE() in __packet_get_status */
++
+ h.raw = frame;
+ switch (po->tp_version) {
+ case TPACKET_V1:
+- h.h1->tp_status = status;
++ WRITE_ONCE(h.h1->tp_status, status);
+ flush_dcache_page(pgv_to_page(&h.h1->tp_status));
+ break;
+ case TPACKET_V2:
+- h.h2->tp_status = status;
++ WRITE_ONCE(h.h2->tp_status, status);
+ flush_dcache_page(pgv_to_page(&h.h2->tp_status));
+ break;
+ case TPACKET_V3:
+- h.h3->tp_status = status;
++ WRITE_ONCE(h.h3->tp_status, status);
+ flush_dcache_page(pgv_to_page(&h.h3->tp_status));
+ break;
+ default:
+@@ -398,17 +400,19 @@ static int __packet_get_status(struct pa
+
+ smp_rmb();
+
++ /* READ_ONCE() are paired with WRITE_ONCE() in __packet_set_status */
++
+ h.raw = frame;
+ switch (po->tp_version) {
+ case TPACKET_V1:
+ flush_dcache_page(pgv_to_page(&h.h1->tp_status));
+- return h.h1->tp_status;
++ return READ_ONCE(h.h1->tp_status);
+ case TPACKET_V2:
+ flush_dcache_page(pgv_to_page(&h.h2->tp_status));
+- return h.h2->tp_status;
++ return READ_ONCE(h.h2->tp_status);
+ case TPACKET_V3:
+ flush_dcache_page(pgv_to_page(&h.h3->tp_status));
+- return h.h3->tp_status;
++ return READ_ONCE(h.h3->tp_status);
+ default:
+ WARN(1, "TPACKET version not supported.\n");
+ BUG();
x86-mm-fix-vdso-and-vvar-placement-on-5-level-paging-machines.patch
x86-move-gds_ucode_mitigated-declaration-to-header.patch
drm-nouveau-disp-revert-a-null-check-inside-nouveau_connector_get_modes.patch
+misdn-update-parameter-type-of-dsp_cmx_send.patch
+net-packet-annotate-data-races-around-tp-status.patch
+vlan-fix-vlan-0-memory-leak.patch
+bonding-fix-incorrect-deletion-of-eth_p_8021ad-protocol-vid-from-slaves.patch
+dccp-fix-data-race-around-dp-dccps_mss_cache.patch
+drivers-net-prevent-tun_build_skb-to-exceed-the-packet-size-limit.patch
+ib-hfi1-fix-possible-panic-during-hotplug-remove.patch
+wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch
--- /dev/null
+From 718cb09aaa6fa78cc8124e9517efbc6c92665384 Mon Sep 17 00:00:00 2001
+From: Vlad Buslov <vladbu@nvidia.com>
+Date: Tue, 8 Aug 2023 11:35:21 +0200
+Subject: vlan: Fix VLAN 0 memory leak
+
+From: Vlad Buslov <vladbu@nvidia.com>
+
+commit 718cb09aaa6fa78cc8124e9517efbc6c92665384 upstream.
+
+The referenced commit intended to fix memleak of VLAN 0 that is implicitly
+created on devices with NETIF_F_HW_VLAN_CTAG_FILTER feature. However, it
+doesn't take into account that the feature can be re-set during the
+netdevice lifetime which will cause memory leak if feature is disabled
+during the device deletion as illustrated by [0]. Fix the leak by
+unconditionally deleting VLAN 0 on NETDEV_DOWN event.
+
+[0]:
+> modprobe 8021q
+> ip l set dev eth2 up
+> ethtool -K eth2 rx-vlan-filter off
+> modprobe -r mlx5_ib
+> modprobe -r mlx5_core
+> cat /sys/kernel/debug/kmemleak
+unreferenced object 0xffff888103dcd900 (size 256):
+ comm "ip", pid 1490, jiffies 4294907305 (age 325.364s)
+ hex dump (first 32 bytes):
+ 00 80 5d 03 81 88 ff ff 00 00 00 00 00 00 00 00 ..].............
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000899f3bb9>] kmalloc_trace+0x25/0x80
+ [<000000002889a7a2>] vlan_vid_add+0xa0/0x210
+ [<000000007177800e>] vlan_device_event+0x374/0x760 [8021q]
+ [<000000009a0716b1>] notifier_call_chain+0x35/0xb0
+ [<00000000bbf3d162>] __dev_notify_flags+0x58/0xf0
+ [<0000000053d2b05d>] dev_change_flags+0x4d/0x60
+ [<00000000982807e9>] do_setlink+0x28d/0x10a0
+ [<0000000058c1be00>] __rtnl_newlink+0x545/0x980
+ [<00000000e66c3bd9>] rtnl_newlink+0x44/0x70
+ [<00000000a2cc5970>] rtnetlink_rcv_msg+0x29c/0x390
+ [<00000000d307d1e4>] netlink_rcv_skb+0x54/0x100
+ [<00000000259d16f9>] netlink_unicast+0x1f6/0x2c0
+ [<000000007ce2afa1>] netlink_sendmsg+0x232/0x4a0
+ [<00000000f3f4bb39>] sock_sendmsg+0x38/0x60
+ [<000000002f9c0624>] ____sys_sendmsg+0x1e3/0x200
+ [<00000000d6ff5520>] ___sys_sendmsg+0x80/0xc0
+unreferenced object 0xffff88813354fde0 (size 32):
+ comm "ip", pid 1490, jiffies 4294907305 (age 325.364s)
+ hex dump (first 32 bytes):
+ a0 d9 dc 03 81 88 ff ff a0 d9 dc 03 81 88 ff ff ................
+ 81 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000899f3bb9>] kmalloc_trace+0x25/0x80
+ [<000000002da64724>] vlan_vid_add+0xdf/0x210
+ [<000000007177800e>] vlan_device_event+0x374/0x760 [8021q]
+ [<000000009a0716b1>] notifier_call_chain+0x35/0xb0
+ [<00000000bbf3d162>] __dev_notify_flags+0x58/0xf0
+ [<0000000053d2b05d>] dev_change_flags+0x4d/0x60
+ [<00000000982807e9>] do_setlink+0x28d/0x10a0
+ [<0000000058c1be00>] __rtnl_newlink+0x545/0x980
+ [<00000000e66c3bd9>] rtnl_newlink+0x44/0x70
+ [<00000000a2cc5970>] rtnetlink_rcv_msg+0x29c/0x390
+ [<00000000d307d1e4>] netlink_rcv_skb+0x54/0x100
+ [<00000000259d16f9>] netlink_unicast+0x1f6/0x2c0
+ [<000000007ce2afa1>] netlink_sendmsg+0x232/0x4a0
+ [<00000000f3f4bb39>] sock_sendmsg+0x38/0x60
+ [<000000002f9c0624>] ____sys_sendmsg+0x1e3/0x200
+ [<00000000d6ff5520>] ___sys_sendmsg+0x80/0xc0
+
+Fixes: efc73f4bbc23 ("net: Fix memory leak - vlan_info struct")
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
+Link: https://lore.kernel.org/r/20230808093521.1468929-1-vladbu@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/8021q/vlan.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/8021q/vlan.c
++++ b/net/8021q/vlan.c
+@@ -381,8 +381,7 @@ static int vlan_device_event(struct noti
+ dev->name);
+ vlan_vid_add(dev, htons(ETH_P_8021Q), 0);
+ }
+- if (event == NETDEV_DOWN &&
+- (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER))
++ if (event == NETDEV_DOWN)
+ vlan_vid_del(dev, htons(ETH_P_8021Q), 0);
+
+ vlan_info = rtnl_dereference(dev->vlan_info);
--- /dev/null
+From 5fb9a9fb71a33be61d7d8e8ba4597bfb18d604d0 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Thu, 22 Jun 2023 18:59:19 +0200
+Subject: wifi: cfg80211: fix sband iftype data lookup for AP_VLAN
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 5fb9a9fb71a33be61d7d8e8ba4597bfb18d604d0 upstream.
+
+AP_VLAN interfaces are virtual, so doesn't really exist as a type for
+capabilities. When passed in as a type, AP is the one that's really intended.
+
+Fixes: c4cbaf7973a7 ("cfg80211: Add support for HE")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20230622165919.46841-1-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/cfg80211.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/include/net/cfg80211.h
++++ b/include/net/cfg80211.h
+@@ -370,6 +370,9 @@ ieee80211_get_sband_iftype_data(const st
+ if (WARN_ON(iftype >= NL80211_IFTYPE_MAX))
+ return NULL;
+
++ if (iftype == NL80211_IFTYPE_AP_VLAN)
++ iftype = NL80211_IFTYPE_AP;
++
+ for (i = 0; i < sband->n_iftype_data; i++) {
+ const struct ieee80211_sband_iftype_data *data =
+ &sband->iftype_data[i];
projects / thirdparty / kernel / stable-queue.git / commitdiff
