--- /dev/null
+From a9093b601831b2c3b9ff3b29ca7d5d67f68f5e31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 11:12:04 +0800
+Subject: Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 7b1ab460592ca818e7b52f27cd3ec86af79220d1 ]
+
+disable_irq() after request_irq() still has a time gap in which
+interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will
+disable IRQ auto-enable when request IRQ.
+
+Fixes: bb7f4f0bcee6 ("btmrvl: add platform specific wakeup interrupt support")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btmrvl_sdio.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/bluetooth/btmrvl_sdio.c b/drivers/bluetooth/btmrvl_sdio.c
+index 33d58b30c5acf..6e40a984ba7b3 100644
+--- a/drivers/bluetooth/btmrvl_sdio.c
++++ b/drivers/bluetooth/btmrvl_sdio.c
+@@ -105,7 +105,7 @@ static int btmrvl_sdio_probe_of(struct device *dev,
+ } else {
+ ret = devm_request_irq(dev, cfg->irq_bt,
+ btmrvl_wake_irq_bt,
+- 0, "bt_wake", card);
++ IRQF_NO_AUTOEN, "bt_wake", card);
+ if (ret) {
+ dev_err(dev,
+ "Failed to request irq_bt %d (%d)\n",
+@@ -114,7 +114,6 @@ static int btmrvl_sdio_probe_of(struct device *dev,
+
+ /* Configure wakeup (enabled by default) */
+ device_init_wakeup(dev, true);
+- disable_irq(cfg->irq_bt);
+ }
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 01961965bd69ba43473fb2423ccf1cb29521d934 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2024 06:22:18 +0800
+Subject: ceph: remove the incorrect Fw reference check when dirtying pages
+
+From: Xiubo Li <xiubli@redhat.com>
+
+[ Upstream commit c08dfb1b49492c09cf13838c71897493ea3b424e ]
+
+When doing the direct-io reads it will also try to mark pages dirty,
+but for the read path it won't hold the Fw caps and there is case
+will it get the Fw reference.
+
+Fixes: 5dda377cf0a6 ("ceph: set i_head_snapc when getting CEPH_CAP_FILE_WR reference")
+Signed-off-by: Xiubo Li <xiubli@redhat.com>
+Reviewed-by: Patrick Donnelly <pdonnell@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ceph/addr.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c
+index 3465ff95cb89f..2362f2591f4ad 100644
+--- a/fs/ceph/addr.c
++++ b/fs/ceph/addr.c
+@@ -91,7 +91,6 @@ static int ceph_set_page_dirty(struct page *page)
+
+ /* dirty the head */
+ spin_lock(&ci->i_ceph_lock);
+- BUG_ON(ci->i_wr_ref == 0); // caller should hold Fw reference
+ if (__ceph_have_pending_cap_snap(ci)) {
+ struct ceph_cap_snap *capsnap =
+ list_last_entry(&ci->i_cap_snaps,
+--
+2.43.0
+
--- /dev/null
+From 106efc6079074c4f178dd9871ded4283fc87c486 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 21:17:40 +0800
+Subject: ieee802154: Fix build error
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit addf89774e48c992316449ffab4f29c2309ebefb ]
+
+If REGMAP_SPI is m and IEEE802154_MCR20A is y,
+
+ mcr20a.c:(.text+0x3ed6c5b): undefined reference to `__devm_regmap_init_spi'
+ ld: mcr20a.c:(.text+0x3ed6cb5): undefined reference to `__devm_regmap_init_spi'
+
+Select REGMAP_SPI for IEEE802154_MCR20A to fix it.
+
+Fixes: 8c6ad9cc5157 ("ieee802154: Add NXP MCR20A IEEE 802.15.4 transceiver driver")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Link: https://lore.kernel.org/20240909131740.1296608-1-ruanjinjie@huawei.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ieee802154/Kconfig b/drivers/net/ieee802154/Kconfig
+index 0f7c6dc2ed154..26f393a0507c1 100644
+--- a/drivers/net/ieee802154/Kconfig
++++ b/drivers/net/ieee802154/Kconfig
+@@ -108,6 +108,7 @@ config IEEE802154_CA8210_DEBUGFS
+
+ config IEEE802154_MCR20A
+ tristate "MCR20A transceiver driver"
++ select REGMAP_SPI
+ depends on IEEE802154_DRIVERS && MAC802154
+ depends on SPI
+ help
+--
+2.43.0
+
--- /dev/null
+From 9dc670c2c1e67c5fc9dfa51b354999802ecc6c10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Sep 2024 02:51:59 +0300
+Subject: ipv4: ip_gre: Fix drops of small packets in ipgre_xmit
+
+From: Anton Danilov <littlesmilingcloud@gmail.com>
+
+[ Upstream commit c4a14f6d9d17ad1e41a36182dd3b8a5fd91efbd7 ]
+
+Regression Description:
+
+Depending on the options specified for the GRE tunnel device, small
+packets may be dropped. This occurs because the pskb_network_may_pull
+function fails due to the packet's insufficient length.
+
+For example, if only the okey option is specified for the tunnel device,
+original (before encapsulation) packets smaller than 28 bytes (including
+the IPv4 header) will be dropped. This happens because the required
+length is calculated relative to the network header, not the skb->head.
+
+Here is how the required length is computed and checked:
+
+* The pull_len variable is set to 28 bytes, consisting of:
+ * IPv4 header: 20 bytes
+ * GRE header with Key field: 8 bytes
+
+* The pskb_network_may_pull function adds the network offset, shifting
+the checkable space further to the beginning of the network header and
+extending it to the beginning of the packet. As a result, the end of
+the checkable space occurs beyond the actual end of the packet.
+
+Instead of ensuring that 28 bytes are present in skb->head, the function
+is requesting these 28 bytes starting from the network header. For small
+packets, this requested length exceeds the actual packet size, causing
+the check to fail and the packets to be dropped.
+
+This issue affects both locally originated and forwarded packets in
+DMVPN-like setups.
+
+How to reproduce (for local originated packets):
+
+ ip link add dev gre1 type gre ikey 1.9.8.4 okey 1.9.8.4 \
+ local <your-ip> remote 0.0.0.0
+
+ ip link set mtu 1400 dev gre1
+ ip link set up dev gre1
+ ip address add 192.168.13.1/24 dev gre1
+ ip neighbor add 192.168.13.2 lladdr <remote-ip> dev gre1
+ ping -s 1374 -c 10 192.168.13.2
+ tcpdump -vni gre1
+ tcpdump -vni <your-ext-iface> 'ip proto 47'
+ ip -s -s -d link show dev gre1
+
+Solution:
+
+Use the pskb_may_pull function instead the pskb_network_may_pull.
+
+Fixes: 80d875cfc9d3 ("ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit()")
+Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20240924235158.106062-1-littlesmilingcloud@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_gre.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index 0ac652fef06d4..9612867b70e9b 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -639,11 +639,11 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb,
+ if (skb_cow_head(skb, 0))
+ goto free_skb;
+
+- tnl_params = (const struct iphdr *)skb->data;
+-
+- if (!pskb_network_may_pull(skb, pull_len))
++ if (!pskb_may_pull(skb, pull_len))
+ goto free_skb;
+
++ tnl_params = (const struct iphdr *)skb->data;
++
+ /* ip_tunnel_xmit() needs skb->data pointing to gre header. */
+ skb_pull(skb, pull_len);
+ skb_reset_mac_header(skb);
+--
+2.43.0
+
--- /dev/null
+From f81976e778331b12846461ac3216076bb0a5ad6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 23:40:44 +0200
+Subject: mailbox: bcm2835: Fix timeout during suspend mode
+
+From: Stefan Wahren <wahrenst@gmx.net>
+
+[ Upstream commit dc09f007caed3b2f6a3b6bd7e13777557ae22bfd ]
+
+During noirq suspend phase the Raspberry Pi power driver suffer of
+firmware property timeouts. The reason is that the IRQ of the underlying
+BCM2835 mailbox is disabled and rpi_firmware_property_list() will always
+run into a timeout [1].
+
+Since the VideoCore side isn't consider as a wakeup source, set the
+IRQF_NO_SUSPEND flag for the mailbox IRQ in order to keep it enabled
+during suspend-resume cycle.
+
+[1]
+PM: late suspend of devices complete after 1.754 msecs
+WARNING: CPU: 0 PID: 438 at drivers/firmware/raspberrypi.c:128
+ rpi_firmware_property_list+0x204/0x22c
+Firmware transaction 0x00028001 timeout
+Modules linked in:
+CPU: 0 PID: 438 Comm: bash Tainted: G C 6.9.3-dirty #17
+Hardware name: BCM2835
+Call trace:
+unwind_backtrace from show_stack+0x18/0x1c
+show_stack from dump_stack_lvl+0x34/0x44
+dump_stack_lvl from __warn+0x88/0xec
+__warn from warn_slowpath_fmt+0x7c/0xb0
+warn_slowpath_fmt from rpi_firmware_property_list+0x204/0x22c
+rpi_firmware_property_list from rpi_firmware_property+0x68/0x8c
+rpi_firmware_property from rpi_firmware_set_power+0x54/0xc0
+rpi_firmware_set_power from _genpd_power_off+0xe4/0x148
+_genpd_power_off from genpd_sync_power_off+0x7c/0x11c
+genpd_sync_power_off from genpd_finish_suspend+0xcc/0xe0
+genpd_finish_suspend from dpm_run_callback+0x78/0xd0
+dpm_run_callback from device_suspend_noirq+0xc0/0x238
+device_suspend_noirq from dpm_suspend_noirq+0xb0/0x168
+dpm_suspend_noirq from suspend_devices_and_enter+0x1b8/0x5ac
+suspend_devices_and_enter from pm_suspend+0x254/0x2e4
+pm_suspend from state_store+0xa8/0xd4
+state_store from kernfs_fop_write_iter+0x154/0x1a0
+kernfs_fop_write_iter from vfs_write+0x12c/0x184
+vfs_write from ksys_write+0x78/0xc0
+ksys_write from ret_fast_syscall+0x0/0x54
+Exception stack(0xcc93dfa8 to 0xcc93dff0)
+[...]
+PM: noirq suspend of devices complete after 3095.584 msecs
+
+Link: https://github.com/raspberrypi/firmware/issues/1894
+Fixes: 0bae6af6d704 ("mailbox: Enable BCM2835 mailbox support")
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/bcm2835-mailbox.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mailbox/bcm2835-mailbox.c b/drivers/mailbox/bcm2835-mailbox.c
+index 39761d1905459..5c33c01a9d26a 100644
+--- a/drivers/mailbox/bcm2835-mailbox.c
++++ b/drivers/mailbox/bcm2835-mailbox.c
+@@ -146,7 +146,8 @@ static int bcm2835_mbox_probe(struct platform_device *pdev)
+ spin_lock_init(&mbox->lock);
+
+ ret = devm_request_irq(dev, irq_of_parse_and_map(dev->of_node, 0),
+- bcm2835_mbox_irq, 0, dev_name(dev), mbox);
++ bcm2835_mbox_irq, IRQF_NO_SUSPEND, dev_name(dev),
++ mbox);
+ if (ret) {
+ dev_err(dev, "Failed to register a mailbox IRQ handler: %d\n",
+ ret);
+--
+2.43.0
+
--- /dev/null
+From e07399e36c3728691bf62dbe905601efdcf2640e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Aug 2024 02:51:47 +0000
+Subject: mailbox: rockchip: fix a typo in module autoloading
+
+From: Liao Chen <liaochen4@huawei.com>
+
+[ Upstream commit e92d87c9c5d769e4cb1dd7c90faa38dddd7e52e3 ]
+
+MODULE_DEVICE_TABLE(of, rockchip_mbox_of_match) could let the module
+properly autoloaded based on the alias from of_device_id table. It
+should be 'rockchip_mbox_of_match' instead of 'rockchp_mbox_of_match',
+just fix it.
+
+Fixes: f70ed3b5dc8b ("mailbox: rockchip: Add Rockchip mailbox driver")
+Signed-off-by: Liao Chen <liaochen4@huawei.com>
+Reviewed-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/rockchip-mailbox.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mailbox/rockchip-mailbox.c b/drivers/mailbox/rockchip-mailbox.c
+index 979acc810f307..ca50f7f176f6a 100644
+--- a/drivers/mailbox/rockchip-mailbox.c
++++ b/drivers/mailbox/rockchip-mailbox.c
+@@ -159,7 +159,7 @@ static const struct of_device_id rockchip_mbox_of_match[] = {
+ { .compatible = "rockchip,rk3368-mailbox", .data = &rk3368_drv_data},
+ { },
+ };
+-MODULE_DEVICE_TABLE(of, rockchp_mbox_of_match);
++MODULE_DEVICE_TABLE(of, rockchip_mbox_of_match);
+
+ static int rockchip_mbox_probe(struct platform_device *pdev)
+ {
+--
+2.43.0
+
--- /dev/null
+From 692b342dc377596c823bcba846488bd9acf5e2c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Sep 2024 15:02:57 +0000
+Subject: net: add more sanity checks to qdisc_pkt_len_init()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit ab9a9a9e9647392a19e7a885b08000e89c86b535 ]
+
+One path takes care of SKB_GSO_DODGY, assuming
+skb->len is bigger than hdr_len.
+
+virtio_net_hdr_to_skb() does not fully dissect TCP headers,
+it only make sure it is at least 20 bytes.
+
+It is possible for an user to provide a malicious 'GSO' packet,
+total length of 80 bytes.
+
+- 20 bytes of IPv4 header
+- 60 bytes TCP header
+- a small gso_size like 8
+
+virtio_net_hdr_to_skb() would declare this packet as a normal
+GSO packet, because it would see 40 bytes of payload,
+bigger than gso_size.
+
+We need to make detect this case to not underflow
+qdisc_skb_cb(skb)->pkt_len.
+
+Fixes: 1def9238d4aa ("net_sched: more precise pkt_len computation")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 0da9ca0a42305..5edab9328d5e0 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3767,10 +3767,14 @@ static void qdisc_pkt_len_init(struct sk_buff *skb)
+ hdr_len += sizeof(struct udphdr);
+ }
+
+- if (shinfo->gso_type & SKB_GSO_DODGY)
+- gso_segs = DIV_ROUND_UP(skb->len - hdr_len,
+- shinfo->gso_size);
++ if (unlikely(shinfo->gso_type & SKB_GSO_DODGY)) {
++ int payload = skb->len - hdr_len;
+
++ /* Malicious packet. */
++ if (payload <= 0)
++ return;
++ gso_segs = DIV_ROUND_UP(payload, shinfo->gso_size);
++ }
+ qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len;
+ }
+ }
+--
+2.43.0
+
--- /dev/null
+From 5a4a0264adf426fd33265d4c9379ebc8b69aece4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Sep 2024 15:02:56 +0000
+Subject: net: avoid potential underflow in qdisc_pkt_len_init() with UFO
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c20029db28399ecc50e556964eaba75c43b1e2f1 ]
+
+After commit 7c6d2ecbda83 ("net: be more gentle about silly gso
+requests coming from user") virtio_net_hdr_to_skb() had sanity check
+to detect malicious attempts from user space to cook a bad GSO packet.
+
+Then commit cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count
+transport header in UFO") while fixing one issue, allowed user space
+to cook a GSO packet with the following characteristic :
+
+IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28.
+
+When this packet arrives in qdisc_pkt_len_init(), we end up
+with hdr_len = 28 (IPv4 header + UDP header), matching skb->len
+
+Then the following sets gso_segs to 0 :
+
+gso_segs = DIV_ROUND_UP(skb->len - hdr_len,
+ shinfo->gso_size);
+
+Then later we set qdisc_skb_cb(skb)->pkt_len to back to zero :/
+
+qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len;
+
+This leads to the following crash in fq_codel [1]
+
+qdisc_pkt_len_init() is best effort, we only want an estimation
+of the bytes sent on the wire, not crashing the kernel.
+
+This patch is fixing this particular issue, a following one
+adds more sanity checks for another potential bug.
+
+[1]
+[ 70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[ 70.724561] #PF: supervisor read access in kernel mode
+[ 70.724561] #PF: error_code(0x0000) - not-present page
+[ 70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0
+[ 70.724561] Oops: Oops: 0000 [#1] SMP NOPTI
+[ 70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991
+[ 70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel
+[ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49
+All code
+========
+ 0: 24 08 and $0x8,%al
+ 2: 49 c1 e1 06 shl $0x6,%r9
+ 6: 44 89 7c 24 18 mov %r15d,0x18(%rsp)
+ b: 45 31 ed xor %r13d,%r13d
+ e: 45 31 c0 xor %r8d,%r8d
+ 11: 31 ff xor %edi,%edi
+ 13: 89 44 24 14 mov %eax,0x14(%rsp)
+ 17: 4c 03 8b 90 01 00 00 add 0x190(%rbx),%r9
+ 1e: eb 04 jmp 0x24
+ 20: 39 ca cmp %ecx,%edx
+ 22: 73 37 jae 0x5b
+ 24: 4d 8b 39 mov (%r9),%r15
+ 27: 83 c7 01 add $0x1,%edi
+ 2a:* 49 8b 17 mov (%r15),%rdx <-- trapping instruction
+ 2d: 49 89 11 mov %rdx,(%r9)
+ 30: 41 8b 57 28 mov 0x28(%r15),%edx
+ 34: 45 8b 5f 34 mov 0x34(%r15),%r11d
+ 38: 49 c7 07 00 00 00 00 movq $0x0,(%r15)
+ 3f: 49 rex.WB
+
+Code starting with the faulting instruction
+===========================================
+ 0: 49 8b 17 mov (%r15),%rdx
+ 3: 49 89 11 mov %rdx,(%r9)
+ 6: 41 8b 57 28 mov 0x28(%r15),%edx
+ a: 45 8b 5f 34 mov 0x34(%r15),%r11d
+ e: 49 c7 07 00 00 00 00 movq $0x0,(%r15)
+ 15: 49 rex.WB
+[ 70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202
+[ 70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000
+[ 70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
+[ 70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000
+[ 70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58
+[ 70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000
+[ 70.724561] FS: 000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000
+[ 70.724561] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 70.724561] CR2: 0000000000000000 CR3: 000000010c568000 CR4: 00000000000006f0
+[ 70.724561] Call Trace:
+[ 70.724561] <TASK>
+[ 70.724561] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
+[ 70.724561] ? page_fault_oops (arch/x86/mm/fault.c:715)
+[ 70.724561] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)
+[ 70.724561] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)
+[ 70.724561] ? fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel
+[ 70.724561] dev_qdisc_enqueue (net/core/dev.c:3784)
+[ 70.724561] __dev_queue_xmit (net/core/dev.c:3880 (discriminator 2) net/core/dev.c:4390 (discriminator 2))
+[ 70.724561] ? irqentry_enter (kernel/entry/common.c:237)
+[ 70.724561] ? sysvec_apic_timer_interrupt (./arch/x86/include/asm/hardirq.h:74 (discriminator 2) arch/x86/kernel/apic/apic.c:1043 (discriminator 2) arch/x86/kernel/apic/apic.c:1043 (discriminator 2))
+[ 70.724561] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:58 (discriminator 4))
+[ 70.724561] ? asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702)
+[ 70.724561] ? virtio_net_hdr_to_skb.constprop.0 (./include/linux/virtio_net.h:129 (discriminator 1))
+[ 70.724561] packet_sendmsg (net/packet/af_packet.c:3145 (discriminator 1) net/packet/af_packet.c:3177 (discriminator 1))
+[ 70.724561] ? _raw_spin_lock_bh (./arch/x86/include/asm/atomic.h:107 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) ./include/asm-generic/qspinlock.h:111 (discriminator 4) ./include/linux/spinlock.h:187 (discriminator 4) ./include/linux/spinlock_api_smp.h:127 (discriminator 4) kernel/locking/spinlock.c:178 (discriminator 4))
+[ 70.724561] ? netdev_name_node_lookup_rcu (net/core/dev.c:325 (discriminator 1))
+[ 70.724561] __sys_sendto (net/socket.c:730 (discriminator 1) net/socket.c:745 (discriminator 1) net/socket.c:2210 (discriminator 1))
+[ 70.724561] ? __sys_setsockopt (./include/linux/file.h:34 net/socket.c:2355)
+[ 70.724561] __x64_sys_sendto (net/socket.c:2222 (discriminator 1) net/socket.c:2218 (discriminator 1) net/socket.c:2218 (discriminator 1))
+[ 70.724561] do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))
+[ 70.724561] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+[ 70.724561] RIP: 0033:0x41ae09
+
+Fixes: cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count transport header in UFO")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Jonathan Davies <jonathan.davies@nutanix.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Jonathan Davies <jonathan.davies@nutanix.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 5e91496fd3a36..0da9ca0a42305 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3759,7 +3759,7 @@ static void qdisc_pkt_len_init(struct sk_buff *skb)
+ sizeof(_tcphdr), &_tcphdr);
+ if (likely(th))
+ hdr_len += __tcp_hdrlen(th);
+- } else {
++ } else if (shinfo->gso_type & SKB_GSO_UDP_L4) {
+ struct udphdr _udphdr;
+
+ if (skb_header_pointer(skb, skb_transport_offset(skb),
+--
+2.43.0
+
--- /dev/null
+From 3341b37159e3e195dd5ef10d3348811a34ac13ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Sep 2024 23:49:49 +0200
+Subject: net: ethernet: lantiq_etop: fix memory disclosure
+
+From: Aleksander Jan Bajkowski <olek2@wp.pl>
+
+[ Upstream commit 45c0de18ff2dc9af01236380404bbd6a46502c69 ]
+
+When applying padding, the buffer is not zeroed, which results in memory
+disclosure. The mentioned data is observed on the wire. This patch uses
+skb_put_padto() to pad Ethernet frames properly. The mentioned function
+zeroes the expanded buffer.
+
+In case the packet cannot be padded it is silently dropped. Statistics
+are also not incremented. This driver does not support statistics in the
+old 32-bit format or the new 64-bit format. These will be added in the
+future. In its current form, the patch should be easily backported to
+stable versions.
+
+Ethernet MACs on Amazon-SE and Danube cannot do padding of the packets
+in hardware, so software padding must be applied.
+
+Fixes: 504d4721ee8e ("MIPS: Lantiq: Add ethernet driver")
+Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20240923214949.231511-2-olek2@wp.pl
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/lantiq_etop.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/lantiq_etop.c b/drivers/net/ethernet/lantiq_etop.c
+index 1d7c0b872c594..45155023a2985 100644
+--- a/drivers/net/ethernet/lantiq_etop.c
++++ b/drivers/net/ethernet/lantiq_etop.c
+@@ -464,7 +464,9 @@ ltq_etop_tx(struct sk_buff *skb, struct net_device *dev)
+ unsigned long flags;
+ u32 byte_offset;
+
+- len = skb->len < ETH_ZLEN ? ETH_ZLEN : skb->len;
++ if (skb_put_padto(skb, ETH_ZLEN))
++ return NETDEV_TX_OK;
++ len = skb->len;
+
+ if ((desc->ctl & (LTQ_DMA_OWN | LTQ_DMA_C)) || ch->skb[ch->dma.desc]) {
+ netdev_err(dev, "tx ring full\n");
+--
+2.43.0
+
--- /dev/null
+From ab8133272d4f3c75ef3d9ac4664af29314be343d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 May 2022 08:20:07 +0200
+Subject: net: fec: Avoid allocating rx buffer using ATOMIC in ndo_open
+
+From: Michael Trimarchi <michael@amarulasolutions.com>
+
+[ Upstream commit b885aab3d39d1c81709e957324c7fb9aeac02c38 ]
+
+Make ndo_open less sensitive to memory pressure.
+
+Signed-off-by: Michael Trimarchi <michael@amarulasolutions.com>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Link: https://lore.kernel.org/r/20220518062007.10056-1-michael@amarulasolutions.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: a1477dc87dc4 ("net: fec: Restart PPS after link state change")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index a591ca0b37787..c6d08395a289c 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -2952,7 +2952,7 @@ fec_enet_alloc_rxq_buffers(struct net_device *ndev, unsigned int queue)
+ rxq = fep->rx_queue[queue];
+ bdp = rxq->bd.base;
+ for (i = 0; i < rxq->bd.ring_size; i++) {
+- skb = netdev_alloc_skb(ndev, FEC_ENET_RX_FRSIZE);
++ skb = __netdev_alloc_skb(ndev, FEC_ENET_RX_FRSIZE, GFP_KERNEL);
+ if (!skb)
+ goto err_alloc;
+
+--
+2.43.0
+
--- /dev/null
+From c5939dea05ec63f123e8dcadd7a2ef7c404667ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Sep 2024 11:37:06 +0200
+Subject: net: fec: Reload PTP registers after link-state change
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Csókás, Bence <csokas.bence@prolan.hu>
+
+[ Upstream commit d9335d0232d2da605585eea1518ac6733518f938 ]
+
+On link-state change, the controller gets reset,
+which clears all PTP registers, including PHC time,
+calibrated clock correction values etc. For correct
+IEEE 1588 operation we need to restore these after
+the reset.
+
+Fixes: 6605b730c061 ("FEC: Add time stamping code and a PTP hardware clock")
+Signed-off-by: Csókás, Bence <csokas.bence@prolan.hu>
+Reviewed-by: Wei Fang <wei.fang@nxp.com>
+Link: https://patch.msgid.link/20240924093705.2897329-2-csokas.bence@prolan.hu
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec.h | 3 +++
+ drivers/net/ethernet/freescale/fec_ptp.c | 20 ++++++++++++++++++++
+ 2 files changed, 23 insertions(+)
+
+diff --git a/drivers/net/ethernet/freescale/fec.h b/drivers/net/ethernet/freescale/fec.h
+index 44fd2eaccb8fa..eb5c330752fb5 100644
+--- a/drivers/net/ethernet/freescale/fec.h
++++ b/drivers/net/ethernet/freescale/fec.h
+@@ -595,6 +595,9 @@ struct fec_enet_private {
+
+ struct {
+ int pps_enable;
++ u64 ns_sys, ns_phc;
++ u32 at_corr;
++ u8 at_inc_corr;
+ } ptp_saved_state;
+
+ u64 ethtool_stats[];
+diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c
+index 0726291fbb4c0..7148f0086e329 100644
+--- a/drivers/net/ethernet/freescale/fec_ptp.c
++++ b/drivers/net/ethernet/freescale/fec_ptp.c
+@@ -638,24 +638,44 @@ void fec_ptp_init(struct platform_device *pdev, int irq_idx)
+ void fec_ptp_save_state(struct fec_enet_private *fep)
+ {
+ unsigned long flags;
++ u32 atime_inc_corr;
+
+ spin_lock_irqsave(&fep->tmreg_lock, flags);
+
+ fep->ptp_saved_state.pps_enable = fep->pps_enable;
+
++ fep->ptp_saved_state.ns_phc = timecounter_read(&fep->tc);
++ fep->ptp_saved_state.ns_sys = ktime_get_ns();
++
++ fep->ptp_saved_state.at_corr = readl(fep->hwp + FEC_ATIME_CORR);
++ atime_inc_corr = readl(fep->hwp + FEC_ATIME_INC) & FEC_T_INC_CORR_MASK;
++ fep->ptp_saved_state.at_inc_corr = (u8)(atime_inc_corr >> FEC_T_INC_CORR_OFFSET);
++
+ spin_unlock_irqrestore(&fep->tmreg_lock, flags);
+ }
+
+ /* Restore PTP functionality after a reset */
+ void fec_ptp_restore_state(struct fec_enet_private *fep)
+ {
++ u32 atime_inc = readl(fep->hwp + FEC_ATIME_INC) & FEC_T_INC_MASK;
+ unsigned long flags;
++ u32 counter;
++ u64 ns;
+
+ spin_lock_irqsave(&fep->tmreg_lock, flags);
+
+ /* Reset turned it off, so adjust our status flag */
+ fep->pps_enable = 0;
+
++ writel(fep->ptp_saved_state.at_corr, fep->hwp + FEC_ATIME_CORR);
++ atime_inc |= ((u32)fep->ptp_saved_state.at_inc_corr) << FEC_T_INC_CORR_OFFSET;
++ writel(atime_inc, fep->hwp + FEC_ATIME_INC);
++
++ ns = ktime_get_ns() - fep->ptp_saved_state.ns_sys + fep->ptp_saved_state.ns_phc;
++ counter = ns & fep->cc.mask;
++ writel(counter, fep->hwp + FEC_ATIME);
++ timecounter_init(&fep->tc, &fep->cc, ns);
++
+ spin_unlock_irqrestore(&fep->tmreg_lock, flags);
+
+ /* Restart PPS if needed */
+--
+2.43.0
+
--- /dev/null
+From ad298337babdfde4aeedc6eb66eb24fc1affd356 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Sep 2024 11:37:04 +0200
+Subject: net: fec: Restart PPS after link state change
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Csókás, Bence <csokas.bence@prolan.hu>
+
+[ Upstream commit a1477dc87dc4996dcf65a4893d4e2c3a6b593002 ]
+
+On link state change, the controller gets reset,
+causing PPS to drop out. Re-enable PPS if it was
+enabled before the controller reset.
+
+Fixes: 6605b730c061 ("FEC: Add time stamping code and a PTP hardware clock")
+Signed-off-by: Csókás, Bence <csokas.bence@prolan.hu>
+Link: https://patch.msgid.link/20240924093705.2897329-1-csokas.bence@prolan.hu
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec.h | 6 +++++
+ drivers/net/ethernet/freescale/fec_main.c | 11 ++++++++-
+ drivers/net/ethernet/freescale/fec_ptp.c | 30 +++++++++++++++++++++++
+ 3 files changed, 46 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec.h b/drivers/net/ethernet/freescale/fec.h
+index 6ea98af63b341..44fd2eaccb8fa 100644
+--- a/drivers/net/ethernet/freescale/fec.h
++++ b/drivers/net/ethernet/freescale/fec.h
+@@ -593,10 +593,16 @@ struct fec_enet_private {
+ int pps_enable;
+ unsigned int next_counter;
+
++ struct {
++ int pps_enable;
++ } ptp_saved_state;
++
+ u64 ethtool_stats[];
+ };
+
+ void fec_ptp_init(struct platform_device *pdev, int irq_idx);
++void fec_ptp_restore_state(struct fec_enet_private *fep);
++void fec_ptp_save_state(struct fec_enet_private *fep);
+ void fec_ptp_stop(struct platform_device *pdev);
+ void fec_ptp_start_cyclecounter(struct net_device *ndev);
+ void fec_ptp_disable_hwts(struct net_device *ndev);
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index c6d08395a289c..250b543e10ee8 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -966,6 +966,8 @@ fec_restart(struct net_device *ndev)
+ u32 rcntl = OPT_FRAME_SIZE | 0x04;
+ u32 ecntl = FEC_ECR_ETHEREN;
+
++ fec_ptp_save_state(fep);
++
+ /* Whack a reset. We should wait for this.
+ * For i.MX6SX SOC, enet use AXI bus, we use disable MAC
+ * instead of reset MAC itself.
+@@ -1127,8 +1129,10 @@ fec_restart(struct net_device *ndev)
+ writel(ecntl, fep->hwp + FEC_ECNTRL);
+ fec_enet_active_rxring(ndev);
+
+- if (fep->bufdesc_ex)
++ if (fep->bufdesc_ex) {
+ fec_ptp_start_cyclecounter(ndev);
++ fec_ptp_restore_state(fep);
++ }
+
+ /* Enable interrupts we wish to service */
+ if (fep->link)
+@@ -1174,6 +1178,8 @@ fec_stop(struct net_device *ndev)
+ netdev_err(ndev, "Graceful transmit stop did not complete!\n");
+ }
+
++ fec_ptp_save_state(fep);
++
+ /* Whack a reset. We should wait for this.
+ * For i.MX6SX SOC, enet use AXI bus, we use disable MAC
+ * instead of reset MAC itself.
+@@ -1206,6 +1212,9 @@ fec_stop(struct net_device *ndev)
+ val = readl(fep->hwp + FEC_ECNTRL);
+ val |= FEC_ECR_EN1588;
+ writel(val, fep->hwp + FEC_ECNTRL);
++
++ fec_ptp_start_cyclecounter(ndev);
++ fec_ptp_restore_state(fep);
+ }
+ }
+
+diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c
+index 84e0855069a84..0726291fbb4c0 100644
+--- a/drivers/net/ethernet/freescale/fec_ptp.c
++++ b/drivers/net/ethernet/freescale/fec_ptp.c
+@@ -635,6 +635,36 @@ void fec_ptp_init(struct platform_device *pdev, int irq_idx)
+ schedule_delayed_work(&fep->time_keep, HZ);
+ }
+
++void fec_ptp_save_state(struct fec_enet_private *fep)
++{
++ unsigned long flags;
++
++ spin_lock_irqsave(&fep->tmreg_lock, flags);
++
++ fep->ptp_saved_state.pps_enable = fep->pps_enable;
++
++ spin_unlock_irqrestore(&fep->tmreg_lock, flags);
++}
++
++/* Restore PTP functionality after a reset */
++void fec_ptp_restore_state(struct fec_enet_private *fep)
++{
++ unsigned long flags;
++
++ spin_lock_irqsave(&fep->tmreg_lock, flags);
++
++ /* Reset turned it off, so adjust our status flag */
++ fep->pps_enable = 0;
++
++ spin_unlock_irqrestore(&fep->tmreg_lock, flags);
++
++ /* Restart PPS if needed */
++ if (fep->ptp_saved_state.pps_enable) {
++ /* Re-enable PPS */
++ fec_ptp_enable_pps(fep, 1);
++ }
++}
++
+ void fec_ptp_stop(struct platform_device *pdev)
+ {
+ struct net_device *ndev = platform_get_drvdata(pdev);
+--
+2.43.0
+
--- /dev/null
+From a5aa54b973c92929fb1f17928e46ff19a40a75a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2024 17:42:34 +0800
+Subject: net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 09573b1cc76e7ff8f056ab29ea1cdc152ec8c653 ]
+
+disable_irq() after request_irq() still has a time gap in which
+interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will
+disable IRQ auto-enable when request IRQ.
+
+Fixes: 8c6ad9cc5157 ("ieee802154: Add NXP MCR20A IEEE 802.15.4 transceiver driver")
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Link: https://lore.kernel.org/20240911094234.1922418-1-ruanjinjie@huawei.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/mcr20a.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/net/ieee802154/mcr20a.c b/drivers/net/ieee802154/mcr20a.c
+index 383231b854642..16474990dc01e 100644
+--- a/drivers/net/ieee802154/mcr20a.c
++++ b/drivers/net/ieee802154/mcr20a.c
+@@ -1311,16 +1311,13 @@ mcr20a_probe(struct spi_device *spi)
+ irq_type = IRQF_TRIGGER_FALLING;
+
+ ret = devm_request_irq(&spi->dev, spi->irq, mcr20a_irq_isr,
+- irq_type, dev_name(&spi->dev), lp);
++ irq_type | IRQF_NO_AUTOEN, dev_name(&spi->dev), lp);
+ if (ret) {
+ dev_err(&spi->dev, "could not request_irq for mcr20a\n");
+ ret = -ENODEV;
+ goto free_dev;
+ }
+
+- /* disable_irq by default and wait for starting hardware */
+- disable_irq(spi->irq);
+-
+ ret = ieee802154_register_hw(hw);
+ if (ret) {
+ dev_crit(&spi->dev, "ieee802154_register_hw failed\n");
+--
+2.43.0
+
--- /dev/null
+From 56d474f1e9d8b44fe890023f0b6090b4483227c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 22:02:48 -0600
+Subject: net/mlx5: Added cond_resched() to crdump collection
+
+From: Mohamed Khalfella <mkhalfella@purestorage.com>
+
+[ Upstream commit ec793155894140df7421d25903de2e6bc12c695b ]
+
+Collecting crdump involves reading vsc registers from pci config space
+of mlx device, which can take long time to complete. This might result
+in starving other threads waiting to run on the cpu.
+
+Numbers I got from testing ConnectX-5 Ex MCX516A-CDAT in the lab:
+
+- mlx5_vsc_gw_read_block_fast() was called with length = 1310716.
+- mlx5_vsc_gw_read_fast() reads 4 bytes at a time. It was not used to
+ read the entire 1310716 bytes. It was called 53813 times because
+ there are jumps in read_addr.
+- On average mlx5_vsc_gw_read_fast() took 35284.4ns.
+- In total mlx5_vsc_wait_on_flag() called vsc_read() 54707 times.
+ The average time for each call was 17548.3ns. In some instances
+ vsc_read() was called more than one time when the flag was not set.
+ As expected the thread released the cpu after 16 iterations in
+ mlx5_vsc_wait_on_flag().
+- Total time to read crdump was 35284.4ns * 53813 ~= 1.898s.
+
+It was seen in the field that crdump can take more than 5 seconds to
+complete. During that time mlx5_vsc_wait_on_flag() did not release the
+cpu because it did not complete 16 iterations. It is believed that pci
+config reads were slow. Adding cond_resched() every 128 register read
+improves the situation. In the common case the, crdump takes ~1.8989s,
+the thread yields the cpu every ~4.51ms. If crdump takes ~5s, the thread
+yields the cpu every ~18.0ms.
+
+Fixes: 8b9d8baae1de ("net/mlx5: Add Crdump support")
+Reviewed-by: Yuanyuan Zhong <yzhong@purestorage.com>
+Signed-off-by: Mohamed Khalfella <mkhalfella@purestorage.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c
+index 6b774e0c27665..c14f9529c25f2 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c
+@@ -24,6 +24,11 @@
+ pci_write_config_dword((dev)->pdev, (dev)->vsc_addr + (offset), (val))
+ #define VSC_MAX_RETRIES 2048
+
++/* Reading VSC registers can take relatively long time.
++ * Yield the cpu every 128 registers read.
++ */
++#define VSC_GW_READ_BLOCK_COUNT 128
++
+ enum {
+ VSC_CTRL_OFFSET = 0x4,
+ VSC_COUNTER_OFFSET = 0x8,
+@@ -269,6 +274,7 @@ int mlx5_vsc_gw_read_block_fast(struct mlx5_core_dev *dev, u32 *data,
+ {
+ unsigned int next_read_addr = 0;
+ unsigned int read_addr = 0;
++ unsigned int count = 0;
+
+ while (read_addr < length) {
+ if (mlx5_vsc_gw_read_fast(dev, read_addr, &next_read_addr,
+@@ -276,6 +282,10 @@ int mlx5_vsc_gw_read_block_fast(struct mlx5_core_dev *dev, u32 *data,
+ return read_addr;
+
+ read_addr = next_read_addr;
++ if (++count == VSC_GW_READ_BLOCK_COUNT) {
++ cond_resched();
++ count = 0;
++ }
+ }
+ return length;
+ }
+--
+2.43.0
+
--- /dev/null
+From 0997647b317c1a981d3cece451b9a3713d3851a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2024 10:53:51 +0200
+Subject: net/mlx5: Fix error path in multi-packet WQE transmit
+
+From: Gerd Bayer <gbayer@linux.ibm.com>
+
+[ Upstream commit 2bcae12c795f32ddfbf8c80d1b5f1d3286341c32 ]
+
+Remove the erroneous unmap in case no DMA mapping was established
+
+The multi-packet WQE transmit code attempts to obtain a DMA mapping for
+the skb. This could fail, e.g. under memory pressure, when the IOMMU
+driver just can't allocate more memory for page tables. While the code
+tries to handle this in the path below the err_unmap label it erroneously
+unmaps one entry from the sq's FIFO list of active mappings. Since the
+current map attempt failed this unmap is removing some random DMA mapping
+that might still be required. If the PCI function now presents that IOVA,
+the IOMMU may assumes a rogue DMA access and e.g. on s390 puts the PCI
+function in error state.
+
+The erroneous behavior was seen in a stress-test environment that created
+memory pressure.
+
+Fixes: 5af75c747e2a ("net/mlx5e: Enhanced TX MPWQE for SKBs")
+Signed-off-by: Gerd Bayer <gbayer@linux.ibm.com>
+Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Acked-by: Maxim Mikityanskiy <maxtram95@gmail.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
+index 3736680680715..9b1e43ff8ae1e 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
+@@ -601,7 +601,6 @@ mlx5e_sq_xmit_mpwqe(struct mlx5e_txqsq *sq, struct sk_buff *skb,
+ return;
+
+ err_unmap:
+- mlx5e_dma_unmap_wqe_err(sq, 1);
+ sq->stats->dropped++;
+ dev_kfree_skb_any(skb);
+ }
+--
+2.43.0
+
--- /dev/null
+From a494313392ddcaad9aa819ca642c878e5a3d15b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Sep 2024 18:56:11 +0000
+Subject: netfilter: nf_tables: prevent nf_skb_duplicated corruption
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 92ceba94de6fb4cee2bf40b485979c342f44a492 ]
+
+syzbot found that nf_dup_ipv4() or nf_dup_ipv6() could write
+per-cpu variable nf_skb_duplicated in an unsafe way [1].
+
+Disabling preemption as hinted by the splat is not enough,
+we have to disable soft interrupts as well.
+
+[1]
+BUG: using __this_cpu_write() in preemptible [00000000] code: syz.4.282/6316
+ caller is nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87
+CPU: 0 UID: 0 PID: 6316 Comm: syz.4.282 Not tainted 6.11.0-rc7-syzkaller-00104-g7052622fccb1 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:93 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
+ check_preemption_disabled+0x10e/0x120 lib/smp_processor_id.c:49
+ nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87
+ nft_dup_ipv4_eval+0x1db/0x300 net/ipv4/netfilter/nft_dup_ipv4.c:30
+ expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
+ nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288
+ nft_do_chain_ipv4+0x202/0x320 net/netfilter/nft_chain_filter.c:23
+ nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
+ nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
+ nf_hook+0x2c4/0x450 include/linux/netfilter.h:269
+ NF_HOOK_COND include/linux/netfilter.h:302 [inline]
+ ip_output+0x185/0x230 net/ipv4/ip_output.c:433
+ ip_local_out net/ipv4/ip_output.c:129 [inline]
+ ip_send_skb+0x74/0x100 net/ipv4/ip_output.c:1495
+ udp_send_skb+0xacf/0x1650 net/ipv4/udp.c:981
+ udp_sendmsg+0x1c21/0x2a60 net/ipv4/udp.c:1269
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg+0x1a6/0x270 net/socket.c:745
+ ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597
+ ___sys_sendmsg net/socket.c:2651 [inline]
+ __sys_sendmmsg+0x3b2/0x740 net/socket.c:2737
+ __do_sys_sendmmsg net/socket.c:2766 [inline]
+ __se_sys_sendmmsg net/socket.c:2763 [inline]
+ __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2763
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f4ce4f7def9
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f4ce5d4a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
+RAX: ffffffffffffffda RBX: 00007f4ce5135f80 RCX: 00007f4ce4f7def9
+RDX: 0000000000000001 RSI: 0000000020005d40 RDI: 0000000000000006
+RBP: 00007f4ce4ff0b76 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 0000000000000000 R14: 00007f4ce5135f80 R15: 00007ffd4cbc6d68
+ </TASK>
+
+Fixes: d877f07112f1 ("netfilter: nf_tables: add nft_dup expression")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/netfilter/nf_dup_ipv4.c | 7 +++++--
+ net/ipv6/netfilter/nf_dup_ipv6.c | 7 +++++--
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/netfilter/nf_dup_ipv4.c b/net/ipv4/netfilter/nf_dup_ipv4.c
+index 6cc5743c553a0..9a21175693db5 100644
+--- a/net/ipv4/netfilter/nf_dup_ipv4.c
++++ b/net/ipv4/netfilter/nf_dup_ipv4.c
+@@ -52,8 +52,9 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum,
+ {
+ struct iphdr *iph;
+
++ local_bh_disable();
+ if (this_cpu_read(nf_skb_duplicated))
+- return;
++ goto out;
+ /*
+ * Copy the skb, and route the copy. Will later return %XT_CONTINUE for
+ * the original skb, which should continue on its way as if nothing has
+@@ -61,7 +62,7 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum,
+ */
+ skb = pskb_copy(skb, GFP_ATOMIC);
+ if (skb == NULL)
+- return;
++ goto out;
+
+ #if IS_ENABLED(CONFIG_NF_CONNTRACK)
+ /* Avoid counting cloned packets towards the original connection. */
+@@ -90,6 +91,8 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum,
+ } else {
+ kfree_skb(skb);
+ }
++out:
++ local_bh_enable();
+ }
+ EXPORT_SYMBOL_GPL(nf_dup_ipv4);
+
+diff --git a/net/ipv6/netfilter/nf_dup_ipv6.c b/net/ipv6/netfilter/nf_dup_ipv6.c
+index a0a2de30be3e7..0c39c77fe8a8a 100644
+--- a/net/ipv6/netfilter/nf_dup_ipv6.c
++++ b/net/ipv6/netfilter/nf_dup_ipv6.c
+@@ -47,11 +47,12 @@ static bool nf_dup_ipv6_route(struct net *net, struct sk_buff *skb,
+ void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum,
+ const struct in6_addr *gw, int oif)
+ {
++ local_bh_disable();
+ if (this_cpu_read(nf_skb_duplicated))
+- return;
++ goto out;
+ skb = pskb_copy(skb, GFP_ATOMIC);
+ if (skb == NULL)
+- return;
++ goto out;
+
+ #if IS_ENABLED(CONFIG_NF_CONNTRACK)
+ nf_reset_ct(skb);
+@@ -69,6 +70,8 @@ void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum,
+ } else {
+ kfree_skb(skb);
+ }
++out:
++ local_bh_enable();
+ }
+ EXPORT_SYMBOL_GPL(nf_dup_ipv6);
+
+--
+2.43.0
+
--- /dev/null
+From 55c51eb770109b3dd9e8190d1b680e321d8c2193 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Sep 2024 20:01:20 +0200
+Subject: netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 76f1ed087b562a469f2153076f179854b749c09a ]
+
+Fix the comment which incorrectly defines it as NLA_U32.
+
+Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/netfilter/nf_tables.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
+index 40d9005370939..702bcb7c9c73a 100644
+--- a/include/uapi/linux/netfilter/nf_tables.h
++++ b/include/uapi/linux/netfilter/nf_tables.h
+@@ -1602,7 +1602,7 @@ enum nft_flowtable_flags {
+ *
+ * @NFTA_FLOWTABLE_TABLE: name of the table containing the expression (NLA_STRING)
+ * @NFTA_FLOWTABLE_NAME: name of this flow table (NLA_STRING)
+- * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32)
++ * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration (NLA_NESTED)
+ * @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32)
+ * @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64)
+ * @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32)
+--
+2.43.0
+
--- /dev/null
+From 17cccc2dbab0913ff09a8e84132358f3ef0c97d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2024 16:49:51 -0400
+Subject: sctp: set sk_state back to CLOSED if autobind fails in
+ sctp_listen_start
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 8beee4d8dee76b67c75dc91fd8185d91e845c160 ]
+
+In sctp_listen_start() invoked by sctp_inet_listen(), it should set the
+sk_state back to CLOSED if sctp_autobind() fails due to whatever reason.
+
+Otherwise, next time when calling sctp_inet_listen(), if sctp_sk(sk)->reuse
+is already set via setsockopt(SCTP_REUSE_PORT), sctp_sk(sk)->bind_hash will
+be dereferenced as sk_state is LISTENING, which causes a crash as bind_hash
+is NULL.
+
+ KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+ RIP: 0010:sctp_inet_listen+0x7f0/0xa20 net/sctp/socket.c:8617
+ Call Trace:
+ <TASK>
+ __sys_listen_socket net/socket.c:1883 [inline]
+ __sys_listen+0x1b7/0x230 net/socket.c:1894
+ __do_sys_listen net/socket.c:1902 [inline]
+
+Fixes: 5e8f3f703ae4 ("sctp: simplify sctp listening code")
+Reported-by: syzbot+f4e0f821e3a3b7cee51d@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Link: https://patch.msgid.link/a93e655b3c153dc8945d7a812e6d8ab0d52b7aa0.1727729391.git.lucien.xin@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/socket.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 5053d813e91cf..c1b713a260602 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -8299,8 +8299,10 @@ static int sctp_listen_start(struct sock *sk, int backlog)
+ */
+ inet_sk_set_state(sk, SCTP_SS_LISTENING);
+ if (!ep->base.bind_addr.port) {
+- if (sctp_autobind(sk))
++ if (sctp_autobind(sk)) {
++ inet_sk_set_state(sk, SCTP_SS_CLOSED);
+ return -EAGAIN;
++ }
+ } else {
+ if (sctp_get_port(sk, inet_sk(sk)->inet_num)) {
+ inet_sk_set_state(sk, SCTP_SS_CLOSED);
+--
+2.43.0
+
i2c-isch-add-missed-else.patch
usb-yurex-fix-inconsistent-locking-bug-in-yurex_read.patch
spi-lpspi-simplify-some-error-message.patch
+mailbox-rockchip-fix-a-typo-in-module-autoloading.patch
+mailbox-bcm2835-fix-timeout-during-suspend-mode.patch
+ceph-remove-the-incorrect-fw-reference-check-when-di.patch
+ieee802154-fix-build-error.patch
+net-mlx5-fix-error-path-in-multi-packet-wqe-transmit.patch
+net-mlx5-added-cond_resched-to-crdump-collection.patch
+netfilter-uapi-nfta_flowtable_hook-is-nla_nested.patch
+net-ieee802154-mcr20a-use-irqf_no_autoen-flag-in-req.patch
+netfilter-nf_tables-prevent-nf_skb_duplicated-corrup.patch
+bluetooth-btmrvl-use-irqf_no_autoen-flag-in-request_.patch
+net-ethernet-lantiq_etop-fix-memory-disclosure.patch
+net-fec-avoid-allocating-rx-buffer-using-atomic-in-n.patch
+net-fec-restart-pps-after-link-state-change.patch
+net-fec-reload-ptp-registers-after-link-state-change.patch
+net-avoid-potential-underflow-in-qdisc_pkt_len_init-.patch
+net-add-more-sanity-checks-to-qdisc_pkt_len_init.patch
+ipv4-ip_gre-fix-drops-of-small-packets-in-ipgre_xmit.patch
+sctp-set-sk_state-back-to-closed-if-autobind-fails-i.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
