--- /dev/null
+From 01f4fd27087078c90a0e22860d1dfa2cd0510791 Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+Date: Wed, 2 Aug 2023 19:43:20 +0800
+Subject: bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+commit 01f4fd27087078c90a0e22860d1dfa2cd0510791 upstream.
+
+BUG_ON(!vlan_info) is triggered in unregister_vlan_dev() with
+following testcase:
+
+ # ip netns add ns1
+ # ip netns exec ns1 ip link add bond0 type bond mode 0
+ # ip netns exec ns1 ip link add bond_slave_1 type veth peer veth2
+ # ip netns exec ns1 ip link set bond_slave_1 master bond0
+ # ip netns exec ns1 ip link add link bond_slave_1 name vlan10 type vlan id 10 protocol 802.1ad
+ # ip netns exec ns1 ip link add link bond0 name bond0_vlan10 type vlan id 10 protocol 802.1ad
+ # ip netns exec ns1 ip link set bond_slave_1 nomaster
+ # ip netns del ns1
+
+The logical analysis of the problem is as follows:
+
+1. create ETH_P_8021AD protocol vlan10 for bond_slave_1:
+register_vlan_dev()
+ vlan_vid_add()
+ vlan_info_alloc()
+ __vlan_vid_add() // add [ETH_P_8021AD, 10] vid to bond_slave_1
+
+2. create ETH_P_8021AD protocol bond0_vlan10 for bond0:
+register_vlan_dev()
+ vlan_vid_add()
+ __vlan_vid_add()
+ vlan_add_rx_filter_info()
+ if (!vlan_hw_filter_capable(dev, proto)) // condition established because bond0 without NETIF_F_HW_VLAN_STAG_FILTER
+ return 0;
+
+ if (netif_device_present(dev))
+ return dev->netdev_ops->ndo_vlan_rx_add_vid(dev, proto, vid); // will be never called
+ // The slaves of bond0 will not refer to the [ETH_P_8021AD, 10] vid.
+
+3. detach bond_slave_1 from bond0:
+__bond_release_one()
+ vlan_vids_del_by_dev()
+ list_for_each_entry(vid_info, &vlan_info->vid_list, list)
+ vlan_vid_del(dev, vid_info->proto, vid_info->vid);
+ // bond_slave_1 [ETH_P_8021AD, 10] vid will be deleted.
+ // bond_slave_1->vlan_info will be assigned NULL.
+
+4. delete vlan10 during delete ns1:
+default_device_exit_batch()
+ dev->rtnl_link_ops->dellink() // unregister_vlan_dev() for vlan10
+ vlan_info = rtnl_dereference(real_dev->vlan_info); // real_dev of vlan10 is bond_slave_1
+ BUG_ON(!vlan_info); // bond_slave_1->vlan_info is NULL now, bug is triggered!!!
+
+Add S-VLAN tag related features support to bond driver. So the bond driver
+will always propagate the VLAN info to its slaves.
+
+Fixes: 8ad227ff89a7 ("net: vlan: add 802.1ad support")
+Suggested-by: Ido Schimmel <idosch@idosch.org>
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://lore.kernel.org/r/20230802114320.4156068-1-william.xuanziyang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -5839,7 +5839,9 @@ void bond_setup(struct net_device *bond_
+
+ bond_dev->hw_features = BOND_VLAN_FEATURES |
+ NETIF_F_HW_VLAN_CTAG_RX |
+- NETIF_F_HW_VLAN_CTAG_FILTER;
++ NETIF_F_HW_VLAN_CTAG_FILTER |
++ NETIF_F_HW_VLAN_STAG_RX |
++ NETIF_F_HW_VLAN_STAG_FILTER;
+
+ bond_dev->hw_features |= NETIF_F_GSO_ENCAP_ALL;
+ bond_dev->features |= bond_dev->hw_features;
--- /dev/null
+From 809e4dc71a0f2b8d2836035d98603694fff11d5d Mon Sep 17 00:00:00 2001
+From: Xu Kuohai <xukuohai@huawei.com>
+Date: Fri, 4 Aug 2023 03:37:38 -0400
+Subject: bpf, sockmap: Fix bug that strp_done cannot be called
+
+From: Xu Kuohai <xukuohai@huawei.com>
+
+commit 809e4dc71a0f2b8d2836035d98603694fff11d5d upstream.
+
+strp_done is only called when psock->progs.stream_parser is not NULL,
+but stream_parser was set to NULL by sk_psock_stop_strp(), called
+by sk_psock_drop() earlier. So, strp_done can never be called.
+
+Introduce SK_PSOCK_RX_ENABLED to mark whether there is strp on psock.
+Change the condition for calling strp_done from judging whether
+stream_parser is set to judging whether this flag is set. This flag is
+only set once when strp_init() succeeds, and will never be cleared later.
+
+Fixes: c0d95d3380ee ("bpf, sockmap: Re-evaluate proto ops when psock is removed from sockmap")
+Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/r/20230804073740.194770-3-xukuohai@huaweicloud.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/skmsg.h | 1 +
+ net/core/skmsg.c | 10 ++++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/include/linux/skmsg.h
++++ b/include/linux/skmsg.h
+@@ -62,6 +62,7 @@ struct sk_psock_progs {
+
+ enum sk_psock_state_bits {
+ SK_PSOCK_TX_ENABLED,
++ SK_PSOCK_RX_STRP_ENABLED,
+ };
+
+ struct sk_psock_link {
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -1117,13 +1117,19 @@ static void sk_psock_strp_data_ready(str
+
+ int sk_psock_init_strp(struct sock *sk, struct sk_psock *psock)
+ {
++ int ret;
++
+ static const struct strp_callbacks cb = {
+ .rcv_msg = sk_psock_strp_read,
+ .read_sock_done = sk_psock_strp_read_done,
+ .parse_msg = sk_psock_strp_parse,
+ };
+
+- return strp_init(&psock->strp, sk, &cb);
++ ret = strp_init(&psock->strp, sk, &cb);
++ if (!ret)
++ sk_psock_set_state(psock, SK_PSOCK_RX_STRP_ENABLED);
++
++ return ret;
+ }
+
+ void sk_psock_start_strp(struct sock *sk, struct sk_psock *psock)
+@@ -1151,7 +1157,7 @@ void sk_psock_stop_strp(struct sock *sk,
+ static void sk_psock_done_strp(struct sk_psock *psock)
+ {
+ /* Parser has been stopped */
+- if (psock->progs.stream_parser)
++ if (sk_psock_test_state(psock, SK_PSOCK_RX_STRP_ENABLED))
+ strp_done(&psock->strp);
+ }
+ #else
--- /dev/null
+From 7e96ec0e6605b69bb21bbf6c0ff9051e656ec2b1 Mon Sep 17 00:00:00 2001
+From: Xu Kuohai <xukuohai@huawei.com>
+Date: Fri, 4 Aug 2023 03:37:37 -0400
+Subject: bpf, sockmap: Fix map type error in sock_map_del_link
+
+From: Xu Kuohai <xukuohai@huawei.com>
+
+commit 7e96ec0e6605b69bb21bbf6c0ff9051e656ec2b1 upstream.
+
+sock_map_del_link() operates on both SOCKMAP and SOCKHASH, although
+both types have member named "progs", the offset of "progs" member in
+these two types is different, so "progs" should be accessed with the
+real map type.
+
+Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
+Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/r/20230804073740.194770-2-xukuohai@huaweicloud.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/sock_map.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/core/sock_map.c
++++ b/net/core/sock_map.c
+@@ -148,13 +148,13 @@ static void sock_map_del_link(struct soc
+ list_for_each_entry_safe(link, tmp, &psock->link, list) {
+ if (link->link_raw == link_raw) {
+ struct bpf_map *map = link->map;
+- struct bpf_stab *stab = container_of(map, struct bpf_stab,
+- map);
+- if (psock->saved_data_ready && stab->progs.stream_parser)
++ struct sk_psock_progs *progs = sock_map_progs(map);
++
++ if (psock->saved_data_ready && progs->stream_parser)
+ strp_stop = true;
+- if (psock->saved_data_ready && stab->progs.stream_verdict)
++ if (psock->saved_data_ready && progs->stream_verdict)
+ verdict_stop = true;
+- if (psock->saved_data_ready && stab->progs.skb_verdict)
++ if (psock->saved_data_ready && progs->skb_verdict)
+ verdict_stop = true;
+ list_del(&link->list);
+ sk_psock_free_link(link);
--- /dev/null
+From a47e598fbd8617967e49d85c49c22f9fc642704c Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 3 Aug 2023 16:30:21 +0000
+Subject: dccp: fix data-race around dp->dccps_mss_cache
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit a47e598fbd8617967e49d85c49c22f9fc642704c upstream.
+
+dccp_sendmsg() reads dp->dccps_mss_cache before locking the socket.
+Same thing in do_dccp_getsockopt().
+
+Add READ_ONCE()/WRITE_ONCE() annotations,
+and change dccp_sendmsg() to check again dccps_mss_cache
+after socket is locked.
+
+Fixes: 7c657876b63c ("[DCCP]: Initial implementation")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20230803163021.2958262-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dccp/output.c | 2 +-
+ net/dccp/proto.c | 10 ++++++++--
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/dccp/output.c
++++ b/net/dccp/output.c
+@@ -187,7 +187,7 @@ unsigned int dccp_sync_mss(struct sock *
+
+ /* And store cached results */
+ icsk->icsk_pmtu_cookie = pmtu;
+- dp->dccps_mss_cache = cur_mps;
++ WRITE_ONCE(dp->dccps_mss_cache, cur_mps);
+
+ return cur_mps;
+ }
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -627,7 +627,7 @@ static int do_dccp_getsockopt(struct soc
+ return dccp_getsockopt_service(sk, len,
+ (__be32 __user *)optval, optlen);
+ case DCCP_SOCKOPT_GET_CUR_MPS:
+- val = dp->dccps_mss_cache;
++ val = READ_ONCE(dp->dccps_mss_cache);
+ break;
+ case DCCP_SOCKOPT_AVAILABLE_CCIDS:
+ return ccid_getsockopt_builtin_ccids(sk, len, optval, optlen);
+@@ -736,7 +736,7 @@ int dccp_sendmsg(struct sock *sk, struct
+
+ trace_dccp_probe(sk, len);
+
+- if (len > dp->dccps_mss_cache)
++ if (len > READ_ONCE(dp->dccps_mss_cache))
+ return -EMSGSIZE;
+
+ lock_sock(sk);
+@@ -769,6 +769,12 @@ int dccp_sendmsg(struct sock *sk, struct
+ goto out_discard;
+ }
+
++ /* We need to check dccps_mss_cache after socket is locked. */
++ if (len > dp->dccps_mss_cache) {
++ rc = -EMSGSIZE;
++ goto out_discard;
++ }
++
+ skb_reserve(skb, sk->sk_prot->max_header);
+ rc = memcpy_from_msg(skb_put(skb, len), msg, len);
+ if (rc != 0)
--- /dev/null
+From 59eeb232940515590de513b997539ef495faca9a Mon Sep 17 00:00:00 2001
+From: Andrew Kanner <andrew.kanner@gmail.com>
+Date: Thu, 3 Aug 2023 20:59:48 +0200
+Subject: drivers: net: prevent tun_build_skb() to exceed the packet size limit
+
+From: Andrew Kanner <andrew.kanner@gmail.com>
+
+commit 59eeb232940515590de513b997539ef495faca9a upstream.
+
+Using the syzkaller repro with reduced packet size it was discovered
+that XDP_PACKET_HEADROOM is not checked in tun_can_build_skb(),
+although pad may be incremented in tun_build_skb(). This may end up
+with exceeding the PAGE_SIZE limit in tun_build_skb().
+
+Jason Wang <jasowang@redhat.com> proposed to count XDP_PACKET_HEADROOM
+always (e.g. without rcu_access_pointer(tun->xdp_prog)) in
+tun_can_build_skb() since there's a window during which XDP program
+might be attached between tun_can_build_skb() and tun_build_skb().
+
+Fixes: 7df13219d757 ("tun: reserve extra headroom only when XDP is set")
+Link: https://syzkaller.appspot.com/bug?extid=f817490f5bd20541b90a
+Signed-off-by: Andrew Kanner <andrew.kanner@gmail.com>
+Link: https://lore.kernel.org/r/20230803185947.2379988-1-andrew.kanner@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tun.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1588,7 +1588,7 @@ static bool tun_can_build_skb(struct tun
+ if (zerocopy)
+ return false;
+
+- if (SKB_DATA_ALIGN(len + TUN_RX_PAD) +
++ if (SKB_DATA_ALIGN(len + TUN_RX_PAD + XDP_PACKET_HEADROOM) +
+ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) > PAGE_SIZE)
+ return false;
+
--- /dev/null
+From b1c936e9af5dd08636d568736fc6075ed9d1d529 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+Date: Fri, 4 Aug 2023 18:53:36 +0300
+Subject: drivers: vxlan: vnifilter: free percpu vni stats on error path
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+commit b1c936e9af5dd08636d568736fc6075ed9d1d529 upstream.
+
+In case rhashtable_lookup_insert_fast() fails inside vxlan_vni_add(), the
+allocated percpu vni stats are not freed on the error path.
+
+Introduce vxlan_vni_free() which would work as a nice wrapper to free
+vxlan_vni_node resources properly.
+
+Found by Linux Verification Center (linuxtesting.org).
+
+Fixes: 4095e0e1328a ("drivers: vxlan: vnifilter: per vni stats")
+Suggested-by: Ido Schimmel <idosch@idosch.org>
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vxlan/vxlan_vnifilter.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/vxlan/vxlan_vnifilter.c
++++ b/drivers/net/vxlan/vxlan_vnifilter.c
+@@ -713,6 +713,12 @@ static struct vxlan_vni_node *vxlan_vni_
+ return vninode;
+ }
+
++static void vxlan_vni_free(struct vxlan_vni_node *vninode)
++{
++ free_percpu(vninode->stats);
++ kfree(vninode);
++}
++
+ static int vxlan_vni_add(struct vxlan_dev *vxlan,
+ struct vxlan_vni_group *vg,
+ u32 vni, union vxlan_addr *group,
+@@ -740,7 +746,7 @@ static int vxlan_vni_add(struct vxlan_de
+ &vninode->vnode,
+ vxlan_vni_rht_params);
+ if (err) {
+- kfree(vninode);
++ vxlan_vni_free(vninode);
+ return err;
+ }
+
+@@ -763,8 +769,7 @@ static void vxlan_vni_node_rcu_free(stru
+ struct vxlan_vni_node *v;
+
+ v = container_of(rcu, struct vxlan_vni_node, rcu);
+- free_percpu(v->stats);
+- kfree(v);
++ vxlan_vni_free(v);
+ }
+
+ static int vxlan_vni_del(struct vxlan_dev *vxlan,
--- /dev/null
+From 43dae319b50fac075ad864f84501c703ef20eb2b Mon Sep 17 00:00:00 2001
+From: Daniel Stone <daniels@collabora.com>
+Date: Tue, 8 Aug 2023 11:44:05 +0100
+Subject: drm/rockchip: Don't spam logs in atomic check
+
+From: Daniel Stone <daniels@collabora.com>
+
+commit 43dae319b50fac075ad864f84501c703ef20eb2b upstream.
+
+Userspace should not be able to trigger DRM_ERROR messages to spam the
+logs; especially not through atomic commit parameters which are
+completely legitimate for userspace to attempt.
+
+Signed-off-by: Daniel Stone <daniels@collabora.com>
+Fixes: 7707f7227f09 ("drm/rockchip: Add support for afbc")
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230808104405.522493-1-daniels@collabora.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
+@@ -836,12 +836,12 @@ static int vop_plane_atomic_check(struct
+ * need align with 2 pixel.
+ */
+ if (fb->format->is_yuv && ((new_plane_state->src.x1 >> 16) % 2)) {
+- DRM_ERROR("Invalid Source: Yuv format not support odd xpos\n");
++ DRM_DEBUG_KMS("Invalid Source: Yuv format not support odd xpos\n");
+ return -EINVAL;
+ }
+
+ if (fb->format->is_yuv && new_plane_state->rotation & DRM_MODE_REFLECT_Y) {
+- DRM_ERROR("Invalid Source: Yuv format does not support this rotation\n");
++ DRM_DEBUG_KMS("Invalid Source: Yuv format does not support this rotation\n");
+ return -EINVAL;
+ }
+
+@@ -849,7 +849,7 @@ static int vop_plane_atomic_check(struct
+ struct vop *vop = to_vop(crtc);
+
+ if (!vop->data->afbc) {
+- DRM_ERROR("vop does not support AFBC\n");
++ DRM_DEBUG_KMS("vop does not support AFBC\n");
+ return -EINVAL;
+ }
+
+@@ -858,15 +858,16 @@ static int vop_plane_atomic_check(struct
+ return ret;
+
+ if (new_plane_state->src.x1 || new_plane_state->src.y1) {
+- DRM_ERROR("AFBC does not support offset display, xpos=%d, ypos=%d, offset=%d\n",
+- new_plane_state->src.x1,
+- new_plane_state->src.y1, fb->offsets[0]);
++ DRM_DEBUG_KMS("AFBC does not support offset display, " \
++ "xpos=%d, ypos=%d, offset=%d\n",
++ new_plane_state->src.x1, new_plane_state->src.y1,
++ fb->offsets[0]);
+ return -EINVAL;
+ }
+
+ if (new_plane_state->rotation && new_plane_state->rotation != DRM_MODE_ROTATE_0) {
+- DRM_ERROR("No rotation support in AFBC, rotation=%d\n",
+- new_plane_state->rotation);
++ DRM_DEBUG_KMS("No rotation support in AFBC, rotation=%d\n",
++ new_plane_state->rotation);
+ return -EINVAL;
+ }
+ }
--- /dev/null
+From 0fb1d8eb234b6979d4981d2d385780dd7d8d9771 Mon Sep 17 00:00:00 2001
+From: Piotr Gardocki <piotrx.gardocki@intel.com>
+Date: Mon, 7 Aug 2023 13:50:11 -0700
+Subject: iavf: fix potential races for FDIR filters
+
+From: Piotr Gardocki <piotrx.gardocki@intel.com>
+
+commit 0fb1d8eb234b6979d4981d2d385780dd7d8d9771 upstream.
+
+Add fdir_fltr_lock locking in unprotected places.
+
+The change in iavf_fdir_is_dup_fltr adds a spinlock around a loop which
+iterates over all filters and looks for a duplicate. The filter can be
+removed from list and freed from memory at the same time it's being
+compared. All other places where filters are deleted are already
+protected with spinlock.
+
+The remaining changes protect adapter->fdir_active_fltr variable so now
+all its uses are under a spinlock.
+
+Fixes: 527691bf0682 ("iavf: Support IPv4 Flow Director filters")
+Signed-off-by: Piotr Gardocki <piotrx.gardocki@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20230807205011.3129224-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_ethtool.c | 5 ++++-
+ drivers/net/ethernet/intel/iavf/iavf_fdir.c | 11 ++++++++---
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c
+@@ -1401,14 +1401,15 @@ static int iavf_add_fdir_ethtool(struct
+ if (fsp->flow_type & FLOW_MAC_EXT)
+ return -EINVAL;
+
++ spin_lock_bh(&adapter->fdir_fltr_lock);
+ if (adapter->fdir_active_fltr >= IAVF_MAX_FDIR_FILTERS) {
++ spin_unlock_bh(&adapter->fdir_fltr_lock);
+ dev_err(&adapter->pdev->dev,
+ "Unable to add Flow Director filter because VF reached the limit of max allowed filters (%u)\n",
+ IAVF_MAX_FDIR_FILTERS);
+ return -ENOSPC;
+ }
+
+- spin_lock_bh(&adapter->fdir_fltr_lock);
+ if (iavf_find_fdir_fltr_by_loc(adapter, fsp->location)) {
+ dev_err(&adapter->pdev->dev, "Failed to add Flow Director filter, it already exists\n");
+ spin_unlock_bh(&adapter->fdir_fltr_lock);
+@@ -1781,7 +1782,9 @@ static int iavf_get_rxnfc(struct net_dev
+ case ETHTOOL_GRXCLSRLCNT:
+ if (!FDIR_FLTR_SUPPORT(adapter))
+ break;
++ spin_lock_bh(&adapter->fdir_fltr_lock);
+ cmd->rule_cnt = adapter->fdir_active_fltr;
++ spin_unlock_bh(&adapter->fdir_fltr_lock);
+ cmd->data = IAVF_MAX_FDIR_FILTERS;
+ ret = 0;
+ break;
+--- a/drivers/net/ethernet/intel/iavf/iavf_fdir.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_fdir.c
+@@ -722,7 +722,9 @@ void iavf_print_fdir_fltr(struct iavf_ad
+ bool iavf_fdir_is_dup_fltr(struct iavf_adapter *adapter, struct iavf_fdir_fltr *fltr)
+ {
+ struct iavf_fdir_fltr *tmp;
++ bool ret = false;
+
++ spin_lock_bh(&adapter->fdir_fltr_lock);
+ list_for_each_entry(tmp, &adapter->fdir_list_head, list) {
+ if (tmp->flow_type != fltr->flow_type)
+ continue;
+@@ -732,11 +734,14 @@ bool iavf_fdir_is_dup_fltr(struct iavf_a
+ !memcmp(&tmp->ip_data, &fltr->ip_data,
+ sizeof(fltr->ip_data)) &&
+ !memcmp(&tmp->ext_data, &fltr->ext_data,
+- sizeof(fltr->ext_data)))
+- return true;
++ sizeof(fltr->ext_data))) {
++ ret = true;
++ break;
++ }
+ }
++ spin_unlock_bh(&adapter->fdir_fltr_lock);
+
+- return false;
++ return ret;
+ }
+
+ /**
--- /dev/null
+From 4fdfaef71fced490835145631a795497646f4555 Mon Sep 17 00:00:00 2001
+From: Douglas Miller <doug.miller@cornelisnetworks.com>
+Date: Wed, 2 Aug 2023 13:32:41 -0400
+Subject: IB/hfi1: Fix possible panic during hotplug remove
+
+From: Douglas Miller <doug.miller@cornelisnetworks.com>
+
+commit 4fdfaef71fced490835145631a795497646f4555 upstream.
+
+During hotplug remove it is possible that the update counters work
+might be pending, and may run after memory has been freed.
+Cancel the update counters work before freeing memory.
+
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Signed-off-by: Douglas Miller <doug.miller@cornelisnetworks.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
+Link: https://lore.kernel.org/r/169099756100.3927190.15284930454106475280.stgit@awfm-02.cornelisnetworks.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/hfi1/chip.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/hw/hfi1/chip.c
++++ b/drivers/infiniband/hw/hfi1/chip.c
+@@ -12307,6 +12307,7 @@ static void free_cntrs(struct hfi1_devda
+
+ if (dd->synth_stats_timer.function)
+ del_timer_sync(&dd->synth_stats_timer);
++ cancel_work_sync(&dd->update_cntr_work);
+ ppd = (struct hfi1_pportdata *)(dd + 1);
+ for (i = 0; i < dd->num_pports; i++, ppd++) {
+ kfree(ppd->cntrs);
--- /dev/null
+From d8630f050d3fd2079f8617dd6c00c6509109c755 Mon Sep 17 00:00:00 2001
+From: Mike Tipton <mdtipton@codeaurora.org>
+Date: Fri, 23 Jun 2023 14:50:42 +0200
+Subject: interconnect: qcom: Add support for mask-based BCMs
+
+From: Mike Tipton <mdtipton@codeaurora.org>
+
+commit d8630f050d3fd2079f8617dd6c00c6509109c755 upstream.
+
+Some BCMs aren't directly associated with the data path (i.e. ACV) and
+therefore don't communicate using BW. Instead, they are simply
+enabled/disabled with a simple bit mask. Add support for these.
+
+Origin commit retrieved from:
+https://git.codelinaro.org/clo/la/kernel/msm-5.15/-/commit/2d1573e0206998151b342e6b52a4c0f7234d7e36
+
+Signed-off-by: Mike Tipton <mdtipton@codeaurora.org>
+[narmstrong: removed copyright change from original commit]
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Link: https://lore.kernel.org/r/20230619-topic-sm8550-upstream-interconnect-mask-vote-v2-1-709474b151cc@linaro.org
+Fixes: fafc114a468e ("interconnect: qcom: Add SM8450 interconnect provider driver")
+Signed-off-by: Georgi Djakov <djakov@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/interconnect/qcom/bcm-voter.c | 5 +++++
+ drivers/interconnect/qcom/icc-rpmh.h | 2 ++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/drivers/interconnect/qcom/bcm-voter.c b/drivers/interconnect/qcom/bcm-voter.c
+index 8f385f9c2dd3..d5f2a6b5376b 100644
+--- a/drivers/interconnect/qcom/bcm-voter.c
++++ b/drivers/interconnect/qcom/bcm-voter.c
+@@ -83,6 +83,11 @@ static void bcm_aggregate(struct qcom_icc_bcm *bcm)
+
+ temp = agg_peak[bucket] * bcm->vote_scale;
+ bcm->vote_y[bucket] = bcm_div(temp, bcm->aux_data.unit);
++
++ if (bcm->enable_mask && (bcm->vote_x[bucket] || bcm->vote_y[bucket])) {
++ bcm->vote_x[bucket] = 0;
++ bcm->vote_y[bucket] = bcm->enable_mask;
++ }
+ }
+
+ if (bcm->keepalive && bcm->vote_x[QCOM_ICC_BUCKET_AMC] == 0 &&
+diff --git a/drivers/interconnect/qcom/icc-rpmh.h b/drivers/interconnect/qcom/icc-rpmh.h
+index 04391c1ba465..7843d8864d6b 100644
+--- a/drivers/interconnect/qcom/icc-rpmh.h
++++ b/drivers/interconnect/qcom/icc-rpmh.h
+@@ -81,6 +81,7 @@ struct qcom_icc_node {
+ * @vote_x: aggregated threshold values, represents sum_bw when @type is bw bcm
+ * @vote_y: aggregated threshold values, represents peak_bw when @type is bw bcm
+ * @vote_scale: scaling factor for vote_x and vote_y
++ * @enable_mask: optional mask to send as vote instead of vote_x/vote_y
+ * @dirty: flag used to indicate whether the bcm needs to be committed
+ * @keepalive: flag used to indicate whether a keepalive is required
+ * @aux_data: auxiliary data used when calculating threshold values and
+@@ -97,6 +98,7 @@ struct qcom_icc_bcm {
+ u64 vote_x[QCOM_ICC_NUM_BUCKETS];
+ u64 vote_y[QCOM_ICC_NUM_BUCKETS];
+ u64 vote_scale;
++ u32 enable_mask;
+ bool dirty;
+ bool keepalive;
+ struct bcm_db aux_data;
+--
+2.41.0
+
--- /dev/null
+From be02db24cf840bc0fdfbecc78ad803619dd143e6 Mon Sep 17 00:00:00 2001
+From: Neil Armstrong <neil.armstrong@linaro.org>
+Date: Fri, 23 Jun 2023 14:50:43 +0200
+Subject: interconnect: qcom: sm8450: add enable_mask for bcm nodes
+
+From: Neil Armstrong <neil.armstrong@linaro.org>
+
+commit be02db24cf840bc0fdfbecc78ad803619dd143e6 upstream.
+
+Set the proper enable_mask to nodes requiring such value
+to be used instead of a bandwidth when voting.
+
+The masks were copied from the downstream implementation at [1].
+
+[1] https://git.codelinaro.org/clo/la/kernel/msm-5.10/-/blob/KERNEL.PLATFORM.1.0.r2-05600-WAIPIOLE.0/drivers/interconnect/qcom/waipio.c
+
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Link: https://lore.kernel.org/r/20230619-topic-sm8550-upstream-interconnect-mask-vote-v2-2-709474b151cc@linaro.org
+Fixes: fafc114a468e ("interconnect: qcom: Add SM8450 interconnect provider driver")
+Signed-off-by: Georgi Djakov <djakov@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/interconnect/qcom/sm8450.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/interconnect/qcom/sm8450.c b/drivers/interconnect/qcom/sm8450.c
+index 2d7a8e7b85ec..e64c214b4020 100644
+--- a/drivers/interconnect/qcom/sm8450.c
++++ b/drivers/interconnect/qcom/sm8450.c
+@@ -1337,6 +1337,7 @@ static struct qcom_icc_node qns_mem_noc_sf_disp = {
+
+ static struct qcom_icc_bcm bcm_acv = {
+ .name = "ACV",
++ .enable_mask = 0x8,
+ .num_nodes = 1,
+ .nodes = { &ebi },
+ };
+@@ -1349,6 +1350,7 @@ static struct qcom_icc_bcm bcm_ce0 = {
+
+ static struct qcom_icc_bcm bcm_cn0 = {
+ .name = "CN0",
++ .enable_mask = 0x1,
+ .keepalive = true,
+ .num_nodes = 55,
+ .nodes = { &qnm_gemnoc_cnoc, &qnm_gemnoc_pcie,
+@@ -1383,6 +1385,7 @@ static struct qcom_icc_bcm bcm_cn0 = {
+
+ static struct qcom_icc_bcm bcm_co0 = {
+ .name = "CO0",
++ .enable_mask = 0x1,
+ .num_nodes = 2,
+ .nodes = { &qxm_nsp, &qns_nsp_gemnoc },
+ };
+@@ -1403,6 +1406,7 @@ static struct qcom_icc_bcm bcm_mm0 = {
+
+ static struct qcom_icc_bcm bcm_mm1 = {
+ .name = "MM1",
++ .enable_mask = 0x1,
+ .num_nodes = 12,
+ .nodes = { &qnm_camnoc_hf, &qnm_camnoc_icp,
+ &qnm_camnoc_sf, &qnm_mdp,
+@@ -1445,6 +1449,7 @@ static struct qcom_icc_bcm bcm_sh0 = {
+
+ static struct qcom_icc_bcm bcm_sh1 = {
+ .name = "SH1",
++ .enable_mask = 0x1,
+ .num_nodes = 7,
+ .nodes = { &alm_gpu_tcu, &alm_sys_tcu,
+ &qnm_nsp_gemnoc, &qnm_pcie,
+@@ -1461,6 +1466,7 @@ static struct qcom_icc_bcm bcm_sn0 = {
+
+ static struct qcom_icc_bcm bcm_sn1 = {
+ .name = "SN1",
++ .enable_mask = 0x1,
+ .num_nodes = 4,
+ .nodes = { &qhm_gic, &qxm_pimem,
+ &xm_gic, &qns_gemnoc_gc },
+@@ -1492,6 +1498,7 @@ static struct qcom_icc_bcm bcm_sn7 = {
+
+ static struct qcom_icc_bcm bcm_acv_disp = {
+ .name = "ACV",
++ .enable_mask = 0x1,
+ .num_nodes = 1,
+ .nodes = { &ebi_disp },
+ };
+@@ -1510,6 +1517,7 @@ static struct qcom_icc_bcm bcm_mm0_disp = {
+
+ static struct qcom_icc_bcm bcm_mm1_disp = {
+ .name = "MM1",
++ .enable_mask = 0x1,
+ .num_nodes = 3,
+ .nodes = { &qnm_mdp_disp, &qnm_rot_disp,
+ &qns_mem_noc_sf_disp },
+@@ -1523,6 +1531,7 @@ static struct qcom_icc_bcm bcm_sh0_disp = {
+
+ static struct qcom_icc_bcm bcm_sh1_disp = {
+ .name = "SH1",
++ .enable_mask = 0x1,
+ .num_nodes = 1,
+ .nodes = { &qnm_pcie_disp },
+ };
+--
+2.41.0
+
--- /dev/null
+From 32d0a49d36a2a306c2e47fe5659361e424f0ed3f Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 4 Aug 2023 17:26:52 +0000
+Subject: macsec: use DEV_STATS_INC()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 32d0a49d36a2a306c2e47fe5659361e424f0ed3f upstream.
+
+syzbot/KCSAN reported data-races in macsec whenever dev->stats fields
+are updated.
+
+It appears all of these updates can happen from multiple cpus.
+
+Adopt SMP safe DEV_STATS_INC() to update dev->stats fields.
+
+Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -743,7 +743,7 @@ static bool macsec_post_decrypt(struct s
+ u64_stats_update_begin(&rxsc_stats->syncp);
+ rxsc_stats->stats.InPktsLate++;
+ u64_stats_update_end(&rxsc_stats->syncp);
+- secy->netdev->stats.rx_dropped++;
++ DEV_STATS_INC(secy->netdev, rx_dropped);
+ return false;
+ }
+
+@@ -767,7 +767,7 @@ static bool macsec_post_decrypt(struct s
+ rxsc_stats->stats.InPktsNotValid++;
+ u64_stats_update_end(&rxsc_stats->syncp);
+ this_cpu_inc(rx_sa->stats->InPktsNotValid);
+- secy->netdev->stats.rx_errors++;
++ DEV_STATS_INC(secy->netdev, rx_errors);
+ return false;
+ }
+
+@@ -1059,7 +1059,7 @@ static enum rx_handler_result handle_not
+ u64_stats_update_begin(&secy_stats->syncp);
+ secy_stats->stats.InPktsNoTag++;
+ u64_stats_update_end(&secy_stats->syncp);
+- macsec->secy.netdev->stats.rx_dropped++;
++ DEV_STATS_INC(macsec->secy.netdev, rx_dropped);
+ continue;
+ }
+
+@@ -1169,7 +1169,7 @@ static rx_handler_result_t macsec_handle
+ u64_stats_update_begin(&secy_stats->syncp);
+ secy_stats->stats.InPktsBadTag++;
+ u64_stats_update_end(&secy_stats->syncp);
+- secy->netdev->stats.rx_errors++;
++ DEV_STATS_INC(secy->netdev, rx_errors);
+ goto drop_nosa;
+ }
+
+@@ -1186,7 +1186,7 @@ static rx_handler_result_t macsec_handle
+ u64_stats_update_begin(&rxsc_stats->syncp);
+ rxsc_stats->stats.InPktsNotUsingSA++;
+ u64_stats_update_end(&rxsc_stats->syncp);
+- secy->netdev->stats.rx_errors++;
++ DEV_STATS_INC(secy->netdev, rx_errors);
+ if (active_rx_sa)
+ this_cpu_inc(active_rx_sa->stats->InPktsNotUsingSA);
+ goto drop_nosa;
+@@ -1220,7 +1220,7 @@ static rx_handler_result_t macsec_handle
+ u64_stats_update_begin(&rxsc_stats->syncp);
+ rxsc_stats->stats.InPktsLate++;
+ u64_stats_update_end(&rxsc_stats->syncp);
+- macsec->secy.netdev->stats.rx_dropped++;
++ DEV_STATS_INC(macsec->secy.netdev, rx_dropped);
+ goto drop;
+ }
+ }
+@@ -1261,7 +1261,7 @@ deliver:
+ if (ret == NET_RX_SUCCESS)
+ count_rx(dev, len);
+ else
+- macsec->secy.netdev->stats.rx_dropped++;
++ DEV_STATS_INC(macsec->secy.netdev, rx_dropped);
+
+ rcu_read_unlock();
+
+@@ -1298,7 +1298,7 @@ nosci:
+ u64_stats_update_begin(&secy_stats->syncp);
+ secy_stats->stats.InPktsNoSCI++;
+ u64_stats_update_end(&secy_stats->syncp);
+- macsec->secy.netdev->stats.rx_errors++;
++ DEV_STATS_INC(macsec->secy.netdev, rx_errors);
+ continue;
+ }
+
+@@ -1317,7 +1317,7 @@ nosci:
+ secy_stats->stats.InPktsUnknownSCI++;
+ u64_stats_update_end(&secy_stats->syncp);
+ } else {
+- macsec->secy.netdev->stats.rx_dropped++;
++ DEV_STATS_INC(macsec->secy.netdev, rx_dropped);
+ }
+ }
+
+@@ -3418,7 +3418,7 @@ static netdev_tx_t macsec_start_xmit(str
+
+ if (!secy->operational) {
+ kfree_skb(skb);
+- dev->stats.tx_dropped++;
++ DEV_STATS_INC(dev, tx_dropped);
+ return NETDEV_TX_OK;
+ }
+
+@@ -3426,7 +3426,7 @@ static netdev_tx_t macsec_start_xmit(str
+ skb = macsec_encrypt(skb, dev);
+ if (IS_ERR(skb)) {
+ if (PTR_ERR(skb) != -EINPROGRESS)
+- dev->stats.tx_dropped++;
++ DEV_STATS_INC(dev, tx_dropped);
+ return NETDEV_TX_OK;
+ }
+
+@@ -3663,9 +3663,9 @@ static void macsec_get_stats64(struct ne
+
+ dev_fetch_sw_netstats(s, dev->tstats);
+
+- s->rx_dropped = dev->stats.rx_dropped;
+- s->tx_dropped = dev->stats.tx_dropped;
+- s->rx_errors = dev->stats.rx_errors;
++ s->rx_dropped = atomic_long_read(&dev->stats.__rx_dropped);
++ s->tx_dropped = atomic_long_read(&dev->stats.__tx_dropped);
++ s->rx_errors = atomic_long_read(&dev->stats.__rx_errors);
+ }
+
+ static int macsec_get_iflink(const struct net_device *dev)
--- /dev/null
+From 1696ec8654016dad3b1baf6c024303e584400453 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Wed, 2 Aug 2023 10:40:29 -0700
+Subject: mISDN: Update parameter type of dsp_cmx_send()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 1696ec8654016dad3b1baf6c024303e584400453 upstream.
+
+When booting a kernel with CONFIG_MISDN_DSP=y and CONFIG_CFI_CLANG=y,
+there is a failure when dsp_cmx_send() is called indirectly from
+call_timer_fn():
+
+ [ 0.371412] CFI failure at call_timer_fn+0x2f/0x150 (target: dsp_cmx_send+0x0/0x530; expected type: 0x92ada1e9)
+
+The function pointer prototype that call_timer_fn() expects is
+
+ void (*fn)(struct timer_list *)
+
+whereas dsp_cmx_send() has a parameter type of 'void *', which causes
+the control flow integrity checks to fail because the parameter types do
+not match.
+
+Change dsp_cmx_send()'s parameter type to be 'struct timer_list' to
+match the expected prototype. The argument is unused anyways, so this
+has no functional change, aside from avoiding the CFI failure.
+
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202308020936.58787e6c-oliver.sang@intel.com
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Fixes: e313ac12eb13 ("mISDN: Convert timers to use timer_setup()")
+Link: https://lore.kernel.org/r/20230802-fix-dsp_cmx_send-cfi-failure-v1-1-2f2e79b0178d@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/isdn/mISDN/dsp.h | 2 +-
+ drivers/isdn/mISDN/dsp_cmx.c | 2 +-
+ drivers/isdn/mISDN/dsp_core.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/isdn/mISDN/dsp.h
++++ b/drivers/isdn/mISDN/dsp.h
+@@ -247,7 +247,7 @@ extern void dsp_cmx_hardware(struct dsp_
+ extern int dsp_cmx_conf(struct dsp *dsp, u32 conf_id);
+ extern void dsp_cmx_receive(struct dsp *dsp, struct sk_buff *skb);
+ extern void dsp_cmx_hdlc(struct dsp *dsp, struct sk_buff *skb);
+-extern void dsp_cmx_send(void *arg);
++extern void dsp_cmx_send(struct timer_list *arg);
+ extern void dsp_cmx_transmit(struct dsp *dsp, struct sk_buff *skb);
+ extern int dsp_cmx_del_conf_member(struct dsp *dsp);
+ extern int dsp_cmx_del_conf(struct dsp_conf *conf);
+--- a/drivers/isdn/mISDN/dsp_cmx.c
++++ b/drivers/isdn/mISDN/dsp_cmx.c
+@@ -1625,7 +1625,7 @@ static u16 dsp_count; /* last sample cou
+ static int dsp_count_valid; /* if we have last sample count */
+
+ void
+-dsp_cmx_send(void *arg)
++dsp_cmx_send(struct timer_list *arg)
+ {
+ struct dsp_conf *conf;
+ struct dsp_conf_member *member;
+--- a/drivers/isdn/mISDN/dsp_core.c
++++ b/drivers/isdn/mISDN/dsp_core.c
+@@ -1195,7 +1195,7 @@ static int __init dsp_init(void)
+ }
+
+ /* set sample timer */
+- timer_setup(&dsp_spl_tl, (void *)dsp_cmx_send, 0);
++ timer_setup(&dsp_spl_tl, dsp_cmx_send, 0);
+ dsp_spl_tl.expires = jiffies + dsp_tics;
+ dsp_spl_jiffies = dsp_spl_tl.expires;
+ add_timer(&dsp_spl_tl);
--- /dev/null
+From 17ebf8a4c38b5481c29623f5e003fdf7583947f9 Mon Sep 17 00:00:00 2001
+From: Xiang Yang <xiangyang3@huawei.com>
+Date: Thu, 3 Aug 2023 07:24:38 +0000
+Subject: mptcp: fix the incorrect judgment for msk->cb_flags
+
+From: Xiang Yang <xiangyang3@huawei.com>
+
+commit 17ebf8a4c38b5481c29623f5e003fdf7583947f9 upstream.
+
+Coccicheck reports the error below:
+net/mptcp/protocol.c:3330:15-28: ERROR: test of a variable/field address
+
+Since the address of msk->cb_flags is used in __test_and_clear_bit, the
+address should not be NULL. The judgment for if (unlikely(msk->cb_flags))
+will always be true, we should check the real value of msk->cb_flags here.
+
+Fixes: 65a569b03ca8 ("mptcp: optimize release_cb for the common case")
+Signed-off-by: Xiang Yang <xiangyang3@huawei.com>
+Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Link: https://lore.kernel.org/r/20230803072438.1847500-1-xiangyang3@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -3370,7 +3370,7 @@ static void mptcp_release_cb(struct sock
+
+ if (__test_and_clear_bit(MPTCP_CLEAN_UNA, &msk->cb_flags))
+ __mptcp_clean_una_wakeup(sk);
+- if (unlikely(&msk->cb_flags)) {
++ if (unlikely(msk->cb_flags)) {
+ /* be sure to set the current sk state before tacking actions
+ * depending on sk_state, that is processing MPTCP_ERROR_REPORT
+ */
--- /dev/null
+From d14eea09edf427fa36bd446f4a3271f99164202f Mon Sep 17 00:00:00 2001
+From: Andrew Kanner <andrew.kanner@gmail.com>
+Date: Thu, 3 Aug 2023 21:03:18 +0200
+Subject: net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail()
+
+From: Andrew Kanner <andrew.kanner@gmail.com>
+
+commit d14eea09edf427fa36bd446f4a3271f99164202f upstream.
+
+Syzkaller reported the following issue:
+=======================================
+Too BIG xdp->frame_sz = 131072
+WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121
+ ____bpf_xdp_adjust_tail net/core/filter.c:4121 [inline]
+WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121
+ bpf_xdp_adjust_tail+0x466/0xa10 net/core/filter.c:4103
+...
+Call Trace:
+ <TASK>
+ bpf_prog_4add87e5301a4105+0x1a/0x1c
+ __bpf_prog_run include/linux/filter.h:600 [inline]
+ bpf_prog_run_xdp include/linux/filter.h:775 [inline]
+ bpf_prog_run_generic_xdp+0x57e/0x11e0 net/core/dev.c:4721
+ netif_receive_generic_xdp net/core/dev.c:4807 [inline]
+ do_xdp_generic+0x35c/0x770 net/core/dev.c:4866
+ tun_get_user+0x2340/0x3ca0 drivers/net/tun.c:1919
+ tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2043
+ call_write_iter include/linux/fs.h:1871 [inline]
+ new_sync_write fs/read_write.c:491 [inline]
+ vfs_write+0x650/0xe40 fs/read_write.c:584
+ ksys_write+0x12f/0x250 fs/read_write.c:637
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+xdp->frame_sz > PAGE_SIZE check was introduced in commit c8741e2bfe87
+("xdp: Allow bpf_xdp_adjust_tail() to grow packet size"). But Jesper
+Dangaard Brouer <jbrouer@redhat.com> noted that after introducing the
+xdp_init_buff() which all XDP driver use - it's safe to remove this
+check. The original intend was to catch cases where XDP drivers have
+not been updated to use xdp.frame_sz, but that is not longer a concern
+(since xdp_init_buff).
+
+Running the initial syzkaller repro it was discovered that the
+contiguous physical memory allocation is used for both xdp paths in
+tun_get_user(), e.g. tun_build_skb() and tun_alloc_skb(). It was also
+stated by Jesper Dangaard Brouer <jbrouer@redhat.com> that XDP can
+work on higher order pages, as long as this is contiguous physical
+memory (e.g. a page).
+
+Reported-and-tested-by: syzbot+f817490f5bd20541b90a@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/000000000000774b9205f1d8a80d@google.com/T/
+Link: https://syzkaller.appspot.com/bug?extid=f817490f5bd20541b90a
+Link: https://lore.kernel.org/all/20230725155403.796-1-andrew.kanner@gmail.com/T/
+Fixes: 43b5169d8355 ("net, xdp: Introduce xdp_init_buff utility routine")
+Signed-off-by: Andrew Kanner <andrew.kanner@gmail.com>
+Acked-by: Jesper Dangaard Brouer <hawk@kernel.org>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Link: https://lore.kernel.org/r/20230803190316.2380231-1-andrew.kanner@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/filter.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -4064,12 +4064,6 @@ BPF_CALL_2(bpf_xdp_adjust_tail, struct x
+ if (unlikely(data_end > data_hard_end))
+ return -EINVAL;
+
+- /* ALL drivers MUST init xdp->frame_sz, chicken check below */
+- if (unlikely(xdp->frame_sz > PAGE_SIZE)) {
+- WARN_ONCE(1, "Too BIG xdp->frame_sz = %d\n", xdp->frame_sz);
+- return -EINVAL;
+- }
+-
+ if (unlikely(data_end < xdp->data + ETH_HLEN))
+ return -EINVAL;
+
--- /dev/null
+From 2aa71b4b294ee2c3041d085404cea914be9b3225 Mon Sep 17 00:00:00 2001
+From: Jonas Gorski <jonas.gorski@bisdn.de>
+Date: Fri, 4 Aug 2023 12:12:20 +0200
+Subject: net: marvell: prestera: fix handling IPv4 routes with nhid
+
+From: Jonas Gorski <jonas.gorski@bisdn.de>
+
+commit 2aa71b4b294ee2c3041d085404cea914be9b3225 upstream.
+
+Fix handling IPv4 routes referencing a nexthop via its id by replacing
+calls to fib_info_nh() with fib_info_nhc().
+
+Trying to add an IPv4 route referencing a nextop via nhid:
+
+ $ ip link set up swp5
+ $ ip a a 10.0.0.1/24 dev swp5
+ $ ip nexthop add dev swp5 id 20 via 10.0.0.2
+ $ ip route add 10.0.1.0/24 nhid 20
+
+triggers warnings when trying to handle the route:
+
+[ 528.805763] ------------[ cut here ]------------
+[ 528.810437] WARNING: CPU: 3 PID: 53 at include/net/nexthop.h:468 __prestera_fi_is_direct+0x2c/0x68 [prestera]
+[ 528.820434] Modules linked in: prestera_pci act_gact act_police sch_ingress cls_u32 cls_flower prestera arm64_delta_tn48m_dn_led(O) arm64_delta_tn48m_dn_cpld(O) [last unloaded: prestera_pci]
+[ 528.837485] CPU: 3 PID: 53 Comm: kworker/u8:3 Tainted: G O 6.4.5 #1
+[ 528.845178] Hardware name: delta,tn48m-dn (DT)
+[ 528.849641] Workqueue: prestera_ordered __prestera_router_fib_event_work [prestera]
+[ 528.857352] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ 528.864347] pc : __prestera_fi_is_direct+0x2c/0x68 [prestera]
+[ 528.870135] lr : prestera_k_arb_fib_evt+0xb20/0xd50 [prestera]
+[ 528.876007] sp : ffff80000b20bc90
+[ 528.879336] x29: ffff80000b20bc90 x28: 0000000000000000 x27: ffff0001374d3a48
+[ 528.886510] x26: ffff000105604000 x25: ffff000134af8a28 x24: ffff0001374d3800
+[ 528.893683] x23: ffff000101c89148 x22: ffff000101c89000 x21: ffff000101c89200
+[ 528.900855] x20: ffff00013641fda0 x19: ffff800009d01088 x18: 0000000000000059
+[ 528.908027] x17: 0000000000000277 x16: 0000000000000000 x15: 0000000000000000
+[ 528.915198] x14: 0000000000000003 x13: 00000000000fe400 x12: 0000000000000000
+[ 528.922371] x11: 0000000000000002 x10: 0000000000000aa0 x9 : ffff8000013d2020
+[ 528.929543] x8 : 0000000000000018 x7 : 000000007b1703f8 x6 : 000000001ca72f86
+[ 528.936715] x5 : 0000000033399ea7 x4 : 0000000000000000 x3 : ffff0001374d3acc
+[ 528.943886] x2 : 0000000000000000 x1 : ffff00010200de00 x0 : ffff000134ae3f80
+[ 528.951058] Call trace:
+[ 528.953516] __prestera_fi_is_direct+0x2c/0x68 [prestera]
+[ 528.958952] __prestera_router_fib_event_work+0x100/0x158 [prestera]
+[ 528.965348] process_one_work+0x208/0x488
+[ 528.969387] worker_thread+0x4c/0x430
+[ 528.973068] kthread+0x120/0x138
+[ 528.976313] ret_from_fork+0x10/0x20
+[ 528.979909] ---[ end trace 0000000000000000 ]---
+[ 528.984998] ------------[ cut here ]------------
+[ 528.989645] WARNING: CPU: 3 PID: 53 at include/net/nexthop.h:468 __prestera_fi_is_direct+0x2c/0x68 [prestera]
+[ 528.999628] Modules linked in: prestera_pci act_gact act_police sch_ingress cls_u32 cls_flower prestera arm64_delta_tn48m_dn_led(O) arm64_delta_tn48m_dn_cpld(O) [last unloaded: prestera_pci]
+[ 529.016676] CPU: 3 PID: 53 Comm: kworker/u8:3 Tainted: G W O 6.4.5 #1
+[ 529.024368] Hardware name: delta,tn48m-dn (DT)
+[ 529.028830] Workqueue: prestera_ordered __prestera_router_fib_event_work [prestera]
+[ 529.036539] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ 529.043533] pc : __prestera_fi_is_direct+0x2c/0x68 [prestera]
+[ 529.049318] lr : __prestera_k_arb_fc_apply+0x280/0x2f8 [prestera]
+[ 529.055452] sp : ffff80000b20bc60
+[ 529.058781] x29: ffff80000b20bc60 x28: 0000000000000000 x27: ffff0001374d3a48
+[ 529.065953] x26: ffff000105604000 x25: ffff000134af8a28 x24: ffff0001374d3800
+[ 529.073126] x23: ffff000101c89148 x22: ffff000101c89148 x21: ffff00013641fda0
+[ 529.080299] x20: ffff000101c89000 x19: ffff000101c89020 x18: 0000000000000059
+[ 529.087471] x17: 0000000000000277 x16: 0000000000000000 x15: 0000000000000000
+[ 529.094642] x14: 0000000000000003 x13: 00000000000fe400 x12: 0000000000000000
+[ 529.101814] x11: 0000000000000002 x10: 0000000000000aa0 x9 : ffff8000013cee80
+[ 529.108985] x8 : 0000000000000018 x7 : 000000007b1703f8 x6 : 0000000000000018
+[ 529.116157] x5 : 00000000d3497eb6 x4 : ffff000105604081 x3 : 000000008e979557
+[ 529.123329] x2 : 0000000000000000 x1 : ffff00010200de00 x0 : ffff000134ae3f80
+[ 529.130501] Call trace:
+[ 529.132958] __prestera_fi_is_direct+0x2c/0x68 [prestera]
+[ 529.138394] prestera_k_arb_fib_evt+0x6b8/0xd50 [prestera]
+[ 529.143918] __prestera_router_fib_event_work+0x100/0x158 [prestera]
+[ 529.150313] process_one_work+0x208/0x488
+[ 529.154348] worker_thread+0x4c/0x430
+[ 529.158030] kthread+0x120/0x138
+[ 529.161274] ret_from_fork+0x10/0x20
+[ 529.164867] ---[ end trace 0000000000000000 ]---
+
+and results in a non offloaded route:
+
+ $ ip route
+ 10.0.0.0/24 dev swp5 proto kernel scope link src 10.0.0.1 rt_trap
+ 10.0.1.0/24 nhid 20 via 10.0.0.2 dev swp5 rt_trap
+
+When creating a route referencing a nexthop via its ID, the nexthop will
+be stored in a separate nh pointer instead of the array of nexthops in
+the fib_info struct. This causes issues since fib_info_nh() only handles
+the nexthops array, but not the separate nh pointer, and will loudly
+WARN about it.
+
+In contrast fib_info_nhc() handles both, but returns a fib_nh_common
+pointer instead of a fib_nh pointer. Luckily we only ever access fields
+from the fib_nh_common parts, so we can just replace all instances of
+fib_info_nh() with fib_info_nhc() and access the fields via their
+fib_nh_common names.
+
+This allows handling IPv4 routes with an external nexthop, and they now
+get offloaded as expected:
+
+ $ ip route
+ 10.0.0.0/24 dev swp5 proto kernel scope link src 10.0.0.1 rt_trap
+ 10.0.1.0/24 nhid 20 via 10.0.0.2 dev swp5 offload rt_offload
+
+Fixes: 396b80cb5cc8 ("net: marvell: prestera: Add neighbour cache accounting")
+Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
+Acked-by: Elad Nachman <enachman@marvell.com>
+Link: https://lore.kernel.org/r/20230804101220.247515-1-jonas.gorski@bisdn.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ .../ethernet/marvell/prestera/prestera_router.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/prestera/prestera_router.c b/drivers/net/ethernet/marvell/prestera/prestera_router.c
+index a9a1028cb17b..de317179a7dc 100644
+--- a/drivers/net/ethernet/marvell/prestera/prestera_router.c
++++ b/drivers/net/ethernet/marvell/prestera/prestera_router.c
+@@ -166,11 +166,11 @@ prestera_util_neigh2nc_key(struct prestera_switch *sw, struct neighbour *n,
+
+ static bool __prestera_fi_is_direct(struct fib_info *fi)
+ {
+- struct fib_nh *fib_nh;
++ struct fib_nh_common *fib_nhc;
+
+ if (fib_info_num_path(fi) == 1) {
+- fib_nh = fib_info_nh(fi, 0);
+- if (fib_nh->fib_nh_gw_family == AF_UNSPEC)
++ fib_nhc = fib_info_nhc(fi, 0);
++ if (fib_nhc->nhc_gw_family == AF_UNSPEC)
+ return true;
+ }
+
+@@ -261,7 +261,7 @@ static bool
+ __prestera_util_kern_n_is_reachable_v4(u32 tb_id, __be32 *addr,
+ struct net_device *dev)
+ {
+- struct fib_nh *fib_nh;
++ struct fib_nh_common *fib_nhc;
+ struct fib_result res;
+ bool reachable;
+
+@@ -269,8 +269,8 @@ __prestera_util_kern_n_is_reachable_v4(u32 tb_id, __be32 *addr,
+
+ if (!prestera_util_kern_get_route(&res, tb_id, addr))
+ if (prestera_fi_is_direct(res.fi)) {
+- fib_nh = fib_info_nh(res.fi, 0);
+- if (dev == fib_nh->fib_nh_dev)
++ fib_nhc = fib_info_nhc(res.fi, 0);
++ if (dev == fib_nhc->nhc_dev)
+ reachable = true;
+ }
+
+@@ -324,7 +324,7 @@ prestera_kern_fib_info_nhc(struct fib_notifier_info *info, int n)
+ if (info->family == AF_INET) {
+ fen4_info = container_of(info, struct fib_entry_notifier_info,
+ info);
+- return &fib_info_nh(fen4_info->fi, n)->nh_common;
++ return fib_info_nhc(fen4_info->fi, n);
+ } else if (info->family == AF_INET6) {
+ fen6_info = container_of(info, struct fib6_entry_notifier_info,
+ info);
+--
+2.41.0
+
--- /dev/null
+From 8a9896177784063d01068293caea3f74f6830ff6 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 3 Aug 2023 14:56:00 +0000
+Subject: net/packet: annotate data-races around tp->status
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 8a9896177784063d01068293caea3f74f6830ff6 upstream.
+
+Another syzbot report [1] is about tp->status lockless reads
+from __packet_get_status()
+
+[1]
+BUG: KCSAN: data-race in __packet_rcv_has_room / __packet_set_status
+
+write to 0xffff888117d7c080 of 8 bytes by interrupt on cpu 0:
+__packet_set_status+0x78/0xa0 net/packet/af_packet.c:407
+tpacket_rcv+0x18bb/0x1a60 net/packet/af_packet.c:2483
+deliver_skb net/core/dev.c:2173 [inline]
+__netif_receive_skb_core+0x408/0x1e80 net/core/dev.c:5337
+__netif_receive_skb_one_core net/core/dev.c:5491 [inline]
+__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5607
+process_backlog+0x21f/0x380 net/core/dev.c:5935
+__napi_poll+0x60/0x3b0 net/core/dev.c:6498
+napi_poll net/core/dev.c:6565 [inline]
+net_rx_action+0x32b/0x750 net/core/dev.c:6698
+__do_softirq+0xc1/0x265 kernel/softirq.c:571
+invoke_softirq kernel/softirq.c:445 [inline]
+__irq_exit_rcu+0x57/0xa0 kernel/softirq.c:650
+sysvec_apic_timer_interrupt+0x6d/0x80 arch/x86/kernel/apic/apic.c:1106
+asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
+smpboot_thread_fn+0x33c/0x4a0 kernel/smpboot.c:112
+kthread+0x1d7/0x210 kernel/kthread.c:379
+ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
+
+read to 0xffff888117d7c080 of 8 bytes by interrupt on cpu 1:
+__packet_get_status net/packet/af_packet.c:436 [inline]
+packet_lookup_frame net/packet/af_packet.c:524 [inline]
+__tpacket_has_room net/packet/af_packet.c:1255 [inline]
+__packet_rcv_has_room+0x3f9/0x450 net/packet/af_packet.c:1298
+tpacket_rcv+0x275/0x1a60 net/packet/af_packet.c:2285
+deliver_skb net/core/dev.c:2173 [inline]
+dev_queue_xmit_nit+0x38a/0x5e0 net/core/dev.c:2243
+xmit_one net/core/dev.c:3574 [inline]
+dev_hard_start_xmit+0xcf/0x3f0 net/core/dev.c:3594
+__dev_queue_xmit+0xefb/0x1d10 net/core/dev.c:4244
+dev_queue_xmit include/linux/netdevice.h:3088 [inline]
+can_send+0x4eb/0x5d0 net/can/af_can.c:276
+bcm_can_tx+0x314/0x410 net/can/bcm.c:302
+bcm_tx_timeout_handler+0xdb/0x260
+__run_hrtimer kernel/time/hrtimer.c:1685 [inline]
+__hrtimer_run_queues+0x217/0x700 kernel/time/hrtimer.c:1749
+hrtimer_run_softirq+0xd6/0x120 kernel/time/hrtimer.c:1766
+__do_softirq+0xc1/0x265 kernel/softirq.c:571
+run_ksoftirqd+0x17/0x20 kernel/softirq.c:939
+smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164
+kthread+0x1d7/0x210 kernel/kthread.c:379
+ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
+
+value changed: 0x0000000000000000 -> 0x0000000020000081
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 6.4.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
+
+Fixes: 69e3c75f4d54 ("net: TX_RING and packet mmap")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20230803145600.2937518-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -404,18 +404,20 @@ static void __packet_set_status(struct p
+ {
+ union tpacket_uhdr h;
+
++ /* WRITE_ONCE() are paired with READ_ONCE() in __packet_get_status */
++
+ h.raw = frame;
+ switch (po->tp_version) {
+ case TPACKET_V1:
+- h.h1->tp_status = status;
++ WRITE_ONCE(h.h1->tp_status, status);
+ flush_dcache_page(pgv_to_page(&h.h1->tp_status));
+ break;
+ case TPACKET_V2:
+- h.h2->tp_status = status;
++ WRITE_ONCE(h.h2->tp_status, status);
+ flush_dcache_page(pgv_to_page(&h.h2->tp_status));
+ break;
+ case TPACKET_V3:
+- h.h3->tp_status = status;
++ WRITE_ONCE(h.h3->tp_status, status);
+ flush_dcache_page(pgv_to_page(&h.h3->tp_status));
+ break;
+ default:
+@@ -432,17 +434,19 @@ static int __packet_get_status(const str
+
+ smp_rmb();
+
++ /* READ_ONCE() are paired with WRITE_ONCE() in __packet_set_status */
++
+ h.raw = frame;
+ switch (po->tp_version) {
+ case TPACKET_V1:
+ flush_dcache_page(pgv_to_page(&h.h1->tp_status));
+- return h.h1->tp_status;
++ return READ_ONCE(h.h1->tp_status);
+ case TPACKET_V2:
+ flush_dcache_page(pgv_to_page(&h.h2->tp_status));
+- return h.h2->tp_status;
++ return READ_ONCE(h.h2->tp_status);
+ case TPACKET_V3:
+ flush_dcache_page(pgv_to_page(&h.h3->tp_status));
+- return h.h3->tp_status;
++ return READ_ONCE(h.h3->tp_status);
+ default:
+ WARN(1, "TPACKET version not supported.\n");
+ BUG();
--- /dev/null
+From 30c3c4a4497c3765bf6b298f5072c8165aeaf7cc Mon Sep 17 00:00:00 2001
+From: Gerd Bayer <gbayer@linux.ibm.com>
+Date: Fri, 4 Aug 2023 19:06:24 +0200
+Subject: net/smc: Use correct buffer sizes when switching between TCP and SMC
+
+From: Gerd Bayer <gbayer@linux.ibm.com>
+
+commit 30c3c4a4497c3765bf6b298f5072c8165aeaf7cc upstream.
+
+Tuning of the effective buffer size through setsockopts was working for
+SMC traffic only but not for TCP fall-back connections even before
+commit 0227f058aa29 ("net/smc: Unbind r/w buffer size from clcsock and
+make them tunable"). That change made it apparent that TCP fall-back
+connections would use net.smc.[rw]mem as buffer size instead of
+net.ipv4_tcp_[rw]mem.
+
+Amend the code that copies attributes between the (TCP) clcsock and the
+SMC socket and adjust buffer sizes appropriately:
+- Copy over sk_userlocks so that both sockets agree on whether tuning
+ via setsockopt is active.
+- When falling back to TCP use sk_sndbuf or sk_rcvbuf as specified with
+ setsockopt. Otherwise, use the sysctl value for TCP/IPv4.
+- Likewise, use either values from setsockopt or from sysctl for SMC
+ (duplicated) on successful SMC connect.
+
+In smc_tcp_listen_work() drop the explicit copy of buffer sizes as that
+is taken care of by the attribute copy.
+
+Fixes: 0227f058aa29 ("net/smc: Unbind r/w buffer size from clcsock and make them tunable")
+Reviewed-by: Wenjia Zhang <wenjia@linux.ibm.com>
+Reviewed-by: Tony Lu <tonylu@linux.alibaba.com>
+Signed-off-by: Gerd Bayer <gbayer@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/smc/af_smc.c | 73 ++++++++++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 51 insertions(+), 22 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -438,13 +438,60 @@ out:
+ return rc;
+ }
+
++/* copy only relevant settings and flags of SOL_SOCKET level from smc to
++ * clc socket (since smc is not called for these options from net/core)
++ */
++
++#define SK_FLAGS_SMC_TO_CLC ((1UL << SOCK_URGINLINE) | \
++ (1UL << SOCK_KEEPOPEN) | \
++ (1UL << SOCK_LINGER) | \
++ (1UL << SOCK_BROADCAST) | \
++ (1UL << SOCK_TIMESTAMP) | \
++ (1UL << SOCK_DBG) | \
++ (1UL << SOCK_RCVTSTAMP) | \
++ (1UL << SOCK_RCVTSTAMPNS) | \
++ (1UL << SOCK_LOCALROUTE) | \
++ (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE) | \
++ (1UL << SOCK_RXQ_OVFL) | \
++ (1UL << SOCK_WIFI_STATUS) | \
++ (1UL << SOCK_NOFCS) | \
++ (1UL << SOCK_FILTER_LOCKED) | \
++ (1UL << SOCK_TSTAMP_NEW))
++
++/* if set, use value set by setsockopt() - else use IPv4 or SMC sysctl value */
++static void smc_adjust_sock_bufsizes(struct sock *nsk, struct sock *osk,
++ unsigned long mask)
++{
++ struct net *nnet = sock_net(nsk);
++
++ nsk->sk_userlocks = osk->sk_userlocks;
++ if (osk->sk_userlocks & SOCK_SNDBUF_LOCK) {
++ nsk->sk_sndbuf = osk->sk_sndbuf;
++ } else {
++ if (mask == SK_FLAGS_SMC_TO_CLC)
++ WRITE_ONCE(nsk->sk_sndbuf,
++ READ_ONCE(nnet->ipv4.sysctl_tcp_wmem[1]));
++ else
++ WRITE_ONCE(nsk->sk_sndbuf,
++ 2 * READ_ONCE(nnet->smc.sysctl_wmem));
++ }
++ if (osk->sk_userlocks & SOCK_RCVBUF_LOCK) {
++ nsk->sk_rcvbuf = osk->sk_rcvbuf;
++ } else {
++ if (mask == SK_FLAGS_SMC_TO_CLC)
++ WRITE_ONCE(nsk->sk_rcvbuf,
++ READ_ONCE(nnet->ipv4.sysctl_tcp_rmem[1]));
++ else
++ WRITE_ONCE(nsk->sk_rcvbuf,
++ 2 * READ_ONCE(nnet->smc.sysctl_rmem));
++ }
++}
++
+ static void smc_copy_sock_settings(struct sock *nsk, struct sock *osk,
+ unsigned long mask)
+ {
+ /* options we don't get control via setsockopt for */
+ nsk->sk_type = osk->sk_type;
+- nsk->sk_sndbuf = osk->sk_sndbuf;
+- nsk->sk_rcvbuf = osk->sk_rcvbuf;
+ nsk->sk_sndtimeo = osk->sk_sndtimeo;
+ nsk->sk_rcvtimeo = osk->sk_rcvtimeo;
+ nsk->sk_mark = READ_ONCE(osk->sk_mark);
+@@ -455,26 +502,10 @@ static void smc_copy_sock_settings(struc
+
+ nsk->sk_flags &= ~mask;
+ nsk->sk_flags |= osk->sk_flags & mask;
++
++ smc_adjust_sock_bufsizes(nsk, osk, mask);
+ }
+
+-#define SK_FLAGS_SMC_TO_CLC ((1UL << SOCK_URGINLINE) | \
+- (1UL << SOCK_KEEPOPEN) | \
+- (1UL << SOCK_LINGER) | \
+- (1UL << SOCK_BROADCAST) | \
+- (1UL << SOCK_TIMESTAMP) | \
+- (1UL << SOCK_DBG) | \
+- (1UL << SOCK_RCVTSTAMP) | \
+- (1UL << SOCK_RCVTSTAMPNS) | \
+- (1UL << SOCK_LOCALROUTE) | \
+- (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE) | \
+- (1UL << SOCK_RXQ_OVFL) | \
+- (1UL << SOCK_WIFI_STATUS) | \
+- (1UL << SOCK_NOFCS) | \
+- (1UL << SOCK_FILTER_LOCKED) | \
+- (1UL << SOCK_TSTAMP_NEW))
+-/* copy only relevant settings and flags of SOL_SOCKET level from smc to
+- * clc socket (since smc is not called for these options from net/core)
+- */
+ static void smc_copy_sock_settings_to_clc(struct smc_sock *smc)
+ {
+ smc_copy_sock_settings(smc->clcsock->sk, &smc->sk, SK_FLAGS_SMC_TO_CLC);
+@@ -2466,8 +2497,6 @@ static void smc_tcp_listen_work(struct w
+ sock_hold(lsk); /* sock_put in smc_listen_work */
+ INIT_WORK(&new_smc->smc_listen_work, smc_listen_work);
+ smc_copy_sock_settings_to_smc(new_smc);
+- new_smc->sk.sk_sndbuf = lsmc->sk.sk_sndbuf;
+- new_smc->sk.sk_rcvbuf = lsmc->sk.sk_rcvbuf;
+ sock_hold(&new_smc->sk); /* sock_put in passive closing */
+ if (!queue_work(smc_hs_wq, &new_smc->smc_listen_work))
+ sock_put(&new_smc->sk);
--- /dev/null
+From 6b47808f223c70ff564f9b363446d2a5fa1e05b2 Mon Sep 17 00:00:00 2001
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Fri, 4 Aug 2023 15:59:51 -0700
+Subject: net: tls: avoid discarding data on record close
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+commit 6b47808f223c70ff564f9b363446d2a5fa1e05b2 upstream.
+
+TLS records end with a 16B tag. For TLS device offload we only
+need to make space for this tag in the stream, the device will
+generate and replace it with the actual calculated tag.
+
+Long time ago the code would just re-reference the head frag
+which mostly worked but was suboptimal because it prevented TCP
+from combining the record into a single skb frag. I'm not sure
+if it was correct as the first frag may be shorter than the tag.
+
+The commit under fixes tried to replace that with using the page
+frag and if the allocation failed rolling back the data, if record
+was long enough. It achieves better fragment coalescing but is
+also buggy.
+
+We don't roll back the iterator, so unless we're at the end of
+send we'll skip the data we designated as tag and start the
+next record as if the rollback never happened.
+There's also the possibility that the record was constructed
+with MSG_MORE and the data came from a different syscall and
+we already told the user space that we "got it".
+
+Allocate a single dummy page and use it as fallback.
+
+Found by code inspection, and proven by forcing allocation
+failures.
+
+Fixes: e7b159a48ba6 ("net/tls: remove the record tail optimization")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tls/tls_device.c | 64 ++++++++++++++++++++++++++-------------------------
+ 1 file changed, 33 insertions(+), 31 deletions(-)
+
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -52,6 +52,8 @@ static LIST_HEAD(tls_device_list);
+ static LIST_HEAD(tls_device_down_list);
+ static DEFINE_SPINLOCK(tls_device_lock);
+
++static struct page *dummy_page;
++
+ static void tls_device_free_ctx(struct tls_context *ctx)
+ {
+ if (ctx->tx_conf == TLS_HW) {
+@@ -313,36 +315,33 @@ static int tls_push_record(struct sock *
+ return tls_push_sg(sk, ctx, offload_ctx->sg_tx_data, 0, flags);
+ }
+
+-static int tls_device_record_close(struct sock *sk,
+- struct tls_context *ctx,
+- struct tls_record_info *record,
+- struct page_frag *pfrag,
+- unsigned char record_type)
++static void tls_device_record_close(struct sock *sk,
++ struct tls_context *ctx,
++ struct tls_record_info *record,
++ struct page_frag *pfrag,
++ unsigned char record_type)
+ {
+ struct tls_prot_info *prot = &ctx->prot_info;
+- int ret;
++ struct page_frag dummy_tag_frag;
+
+ /* append tag
+ * device will fill in the tag, we just need to append a placeholder
+ * use socket memory to improve coalescing (re-using a single buffer
+ * increases frag count)
+- * if we can't allocate memory now, steal some back from data
++ * if we can't allocate memory now use the dummy page
+ */
+- if (likely(skb_page_frag_refill(prot->tag_size, pfrag,
+- sk->sk_allocation))) {
+- ret = 0;
+- tls_append_frag(record, pfrag, prot->tag_size);
+- } else {
+- ret = prot->tag_size;
+- if (record->len <= prot->overhead_size)
+- return -ENOMEM;
++ if (unlikely(pfrag->size - pfrag->offset < prot->tag_size) &&
++ !skb_page_frag_refill(prot->tag_size, pfrag, sk->sk_allocation)) {
++ dummy_tag_frag.page = dummy_page;
++ dummy_tag_frag.offset = 0;
++ pfrag = &dummy_tag_frag;
+ }
++ tls_append_frag(record, pfrag, prot->tag_size);
+
+ /* fill prepend */
+ tls_fill_prepend(ctx, skb_frag_address(&record->frags[0]),
+ record->len - prot->overhead_size,
+ record_type);
+- return ret;
+ }
+
+ static int tls_create_new_record(struct tls_offload_context_tx *offload_ctx,
+@@ -535,18 +534,8 @@ last_record:
+
+ if (done || record->len >= max_open_record_len ||
+ (record->num_frags >= MAX_SKB_FRAGS - 1)) {
+- rc = tls_device_record_close(sk, tls_ctx, record,
+- pfrag, record_type);
+- if (rc) {
+- if (rc > 0) {
+- size += rc;
+- } else {
+- size = orig_size;
+- destroy_record(record);
+- ctx->open_record = NULL;
+- break;
+- }
+- }
++ tls_device_record_close(sk, tls_ctx, record,
++ pfrag, record_type);
+
+ rc = tls_push_record(sk,
+ tls_ctx,
+@@ -1466,14 +1455,26 @@ int __init tls_device_init(void)
+ {
+ int err;
+
+- destruct_wq = alloc_workqueue("ktls_device_destruct", 0, 0);
+- if (!destruct_wq)
++ dummy_page = alloc_page(GFP_KERNEL);
++ if (!dummy_page)
+ return -ENOMEM;
+
++ destruct_wq = alloc_workqueue("ktls_device_destruct", 0, 0);
++ if (!destruct_wq) {
++ err = -ENOMEM;
++ goto err_free_dummy;
++ }
++
+ err = register_netdevice_notifier(&tls_dev_notifier);
+ if (err)
+- destroy_workqueue(destruct_wq);
++ goto err_destroy_wq;
+
++ return 0;
++
++err_destroy_wq:
++ destroy_workqueue(destruct_wq);
++err_free_dummy:
++ put_page(dummy_page);
+ return err;
+ }
+
+@@ -1482,4 +1483,5 @@ void __exit tls_device_cleanup(void)
+ unregister_netdevice_notifier(&tls_dev_notifier);
+ destroy_workqueue(destruct_wq);
+ clean_acked_data_flush();
++ put_page(dummy_page);
+ }
--- /dev/null
+From 5ac8480ae4d01f0ca5dfd561884424046df2478a Mon Sep 17 00:00:00 2001
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Date: Wed, 9 Aug 2023 21:44:36 -0700
+Subject: RDMA/bnxt_re: Fix error handling in probe failure path
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+commit 5ac8480ae4d01f0ca5dfd561884424046df2478a upstream.
+
+During bnxt_re_dev_init(), when bnxt_re_setup_chip_ctx() fails unregister
+with L2 first before bailing out probe.
+
+Fixes: ae8637e13185 ("RDMA/bnxt_re: Add chip context to identify 57500 series")
+Link: https://lore.kernel.org/r/1691642677-21369-3-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/bnxt_re/main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/infiniband/hw/bnxt_re/main.c
++++ b/drivers/infiniband/hw/bnxt_re/main.c
+@@ -1409,6 +1409,8 @@ static int bnxt_re_dev_init(struct bnxt_
+
+ rc = bnxt_re_setup_chip_ctx(rdev, wqe_mode);
+ if (rc) {
++ bnxt_unregister_dev(rdev->en_dev);
++ clear_bit(BNXT_RE_FLAG_NETDEV_REGISTERED, &rdev->flags);
+ ibdev_err(&rdev->ibdev, "Failed to get chip context\n");
+ return -EINVAL;
+ }
--- /dev/null
+From 186b169cf1e4be85aa212a893ea783a543400979 Mon Sep 17 00:00:00 2001
+From: Michael Guralnik <michaelgur@nvidia.com>
+Date: Wed, 19 Jul 2023 12:02:41 +0300
+Subject: RDMA/umem: Set iova in ODP flow
+
+From: Michael Guralnik <michaelgur@nvidia.com>
+
+commit 186b169cf1e4be85aa212a893ea783a543400979 upstream.
+
+Fixing the ODP registration flow to set the iova correctly.
+The calculation in ib_umem_num_dma_blocks() function assumes the iova of
+the umem is set correctly.
+
+When iova is not set, the calculation in ib_umem_num_dma_blocks() is
+equivalent to length/page_size, which is true only when memory is aligned.
+For unaligned memory, iova must be set for the ALIGN() in the
+ib_umem_num_dma_blocks() to take effect and return a correct value.
+
+mlx5_ib uses ib_umem_num_dma_blocks() to decide the mkey size to use for
+the MR. Without this fix, when registering unaligned ODP MR, a wrong
+size mkey might be chosen and this might cause the UMR to fail.
+
+UMR would fail over insufficient size to update the mkey translation:
+infiniband mlx5_0: dump_cqe:273:(pid 0): dump error cqe
+00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+00000030: 00 00 00 00 0f 00 78 06 25 00 00 58 00 da ac d2
+infiniband mlx5_0: mlx5_ib_post_send_wait:806:(pid 20311): reg umr
+failed (6)
+infiniband mlx5_0: pagefault_real_mr:661:(pid 20311): Failed to update
+mkey page tables
+
+Fixes: f0093fb1a7cb ("RDMA/mlx5: Move mlx5_ib_cont_pages() to the creation of the mlx5_ib_mr")
+Fixes: a665aca89a41 ("RDMA/umem: Split ib_umem_num_pages() into ib_umem_num_dma_blocks()")
+Signed-off-by: Artemy Kovalyov <artemyko@nvidia.com>
+Signed-off-by: Michael Guralnik <michaelgur@nvidia.com>
+Link: https://lore.kernel.org/r/3d4be7ca2155bf239dd8c00a2d25974a92c26ab8.1689757344.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/umem.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -85,6 +85,8 @@ unsigned long ib_umem_find_best_pgsz(str
+ dma_addr_t mask;
+ int i;
+
++ umem->iova = va = virt;
++
+ if (umem->is_odp) {
+ unsigned int page_size = BIT(to_ib_umem_odp(umem)->page_shift);
+
+@@ -100,7 +102,6 @@ unsigned long ib_umem_find_best_pgsz(str
+ */
+ pgsz_bitmap &= GENMASK(BITS_PER_LONG - 1, PAGE_SHIFT);
+
+- umem->iova = va = virt;
+ /* The best result is the smallest page size that results in the minimum
+ * number of required pages. Compute the largest page size that could
+ * work based on VA address bits that don't change.
--- /dev/null
+From 66e131861ab7bf754b50813216f5c6885cd32d63 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@nvidia.com>
+Date: Tue, 8 Aug 2023 17:14:52 +0300
+Subject: selftests: forwarding: Add a helper to skip test when using veth pairs
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+commit 66e131861ab7bf754b50813216f5c6885cd32d63 upstream.
+
+A handful of tests require physical loopbacks to be used instead of veth
+pairs. Add a helper that these tests will invoke in order to be skipped
+when executed with veth pairs.
+
+Fixes: 64916b57c0b1 ("selftests: forwarding: Add speed and auto-negotiation test")
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Tested-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://lore.kernel.org/r/20230808141503.4060661-7-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/forwarding/lib.sh | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/tools/testing/selftests/net/forwarding/lib.sh
++++ b/tools/testing/selftests/net/forwarding/lib.sh
+@@ -138,6 +138,17 @@ check_locked_port_support()
+ fi
+ }
+
++skip_on_veth()
++{
++ local kind=$(ip -j -d link show dev ${NETIFS[p1]} |
++ jq -r '.[].linkinfo.info_kind')
++
++ if [[ $kind == veth ]]; then
++ echo "SKIP: Test cannot be run with veth pairs"
++ exit $ksft_skip
++ fi
++}
++
+ if [[ "$(id -u)" -ne 0 ]]; then
+ echo "SKIP: need root privileges"
+ exit $ksft_skip
--- /dev/null
+From 60a36e21915c31c0375d9427be9406aa8ce2ec34 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@nvidia.com>
+Date: Tue, 8 Aug 2023 17:14:53 +0300
+Subject: selftests: forwarding: ethtool: Skip when using veth pairs
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+commit 60a36e21915c31c0375d9427be9406aa8ce2ec34 upstream.
+
+Auto-negotiation cannot be tested with veth pairs, resulting in
+failures:
+
+ # ./ethtool.sh
+ TEST: force of same speed autoneg off [FAIL]
+ error in configuration. swp1 speed Not autoneg off
+ [...]
+
+Fix by skipping the test when used with veth pairs.
+
+Fixes: 64916b57c0b1 ("selftests: forwarding: Add speed and auto-negotiation test")
+Reported-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Closes: https://lore.kernel.org/netdev/adc5e40d-d040-a65e-eb26-edf47dac5b02@alu.unizg.hr/
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Tested-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://lore.kernel.org/r/20230808141503.4060661-8-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/forwarding/ethtool.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/tools/testing/selftests/net/forwarding/ethtool.sh
++++ b/tools/testing/selftests/net/forwarding/ethtool.sh
+@@ -286,6 +286,8 @@ different_speeds_autoneg_on()
+ ethtool -s $h1 autoneg on
+ }
+
++skip_on_veth
++
+ trap cleanup EXIT
+
+ setup_prepare
--- /dev/null
+From b3d9305e60d121dac20a77b6847c4cf14a4c0001 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@nvidia.com>
+Date: Tue, 8 Aug 2023 17:14:54 +0300
+Subject: selftests: forwarding: ethtool_extended_state: Skip when using veth pairs
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+commit b3d9305e60d121dac20a77b6847c4cf14a4c0001 upstream.
+
+Ethtool extended state cannot be tested with veth pairs, resulting in
+failures:
+
+ # ./ethtool_extended_state.sh
+ TEST: Autoneg, No partner detected [FAIL]
+ Expected "Autoneg", got "Link detected: no"
+ [...]
+
+Fix by skipping the test when used with veth pairs.
+
+Fixes: 7d10bcce98cd ("selftests: forwarding: Add tests for ethtool extended state")
+Reported-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Closes: https://lore.kernel.org/netdev/adc5e40d-d040-a65e-eb26-edf47dac5b02@alu.unizg.hr/
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Tested-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://lore.kernel.org/r/20230808141503.4060661-9-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/forwarding/ethtool_extended_state.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/tools/testing/selftests/net/forwarding/ethtool_extended_state.sh
++++ b/tools/testing/selftests/net/forwarding/ethtool_extended_state.sh
+@@ -108,6 +108,8 @@ no_cable()
+ ip link set dev $swp3 down
+ }
+
++skip_on_veth
++
+ setup_prepare
+
+ tests_run
--- /dev/null
+From 9a711cde07c245a163d95eee5b42ed1871e73236 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@nvidia.com>
+Date: Tue, 8 Aug 2023 17:14:55 +0300
+Subject: selftests: forwarding: hw_stats_l3_gre: Skip when using veth pairs
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+commit 9a711cde07c245a163d95eee5b42ed1871e73236 upstream.
+
+Layer 3 hardware stats cannot be used when the underlying interfaces are
+veth pairs, resulting in failures:
+
+ # ./hw_stats_l3_gre.sh
+ TEST: ping gre flat [ OK ]
+ TEST: Test rx packets: [FAIL]
+ Traffic not reflected in the counter: 0 -> 0
+ TEST: Test tx packets: [FAIL]
+ Traffic not reflected in the counter: 0 -> 0
+
+Fix by skipping the test when used with veth pairs.
+
+Fixes: 813f97a26860 ("selftests: forwarding: Add a tunnel-based test for L3 HW stats")
+Reported-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Closes: https://lore.kernel.org/netdev/adc5e40d-d040-a65e-eb26-edf47dac5b02@alu.unizg.hr/
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Tested-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://lore.kernel.org/r/20230808141503.4060661-10-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/forwarding/hw_stats_l3_gre.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/tools/testing/selftests/net/forwarding/hw_stats_l3_gre.sh
++++ b/tools/testing/selftests/net/forwarding/hw_stats_l3_gre.sh
+@@ -99,6 +99,8 @@ test_stats_rx()
+ test_stats g2a rx
+ }
+
++skip_on_veth
++
+ trap cleanup EXIT
+
+ setup_prepare
--- /dev/null
+From d72c83b1e4b4a36a38269c77a85ff52f95eb0d08 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@nvidia.com>
+Date: Tue, 8 Aug 2023 17:14:47 +0300
+Subject: selftests: forwarding: Skip test when no interfaces are specified
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+commit d72c83b1e4b4a36a38269c77a85ff52f95eb0d08 upstream.
+
+As explained in [1], the forwarding selftests are meant to be run with
+either physical loopbacks or veth pairs. The interfaces are expected to
+be specified in a user-provided forwarding.config file or as command
+line arguments. By default, this file is not present and the tests fail:
+
+ # make -C tools/testing/selftests TARGETS=net/forwarding run_tests
+ [...]
+ TAP version 13
+ 1..102
+ # timeout set to 45
+ # selftests: net/forwarding: bridge_igmp.sh
+ # Command line is not complete. Try option "help"
+ # Failed to create netif
+ not ok 1 selftests: net/forwarding: bridge_igmp.sh # exit=1
+ [...]
+
+Fix by skipping a test if interfaces are not provided either via the
+configuration file or command line arguments.
+
+ # make -C tools/testing/selftests TARGETS=net/forwarding run_tests
+ [...]
+ TAP version 13
+ 1..102
+ # timeout set to 45
+ # selftests: net/forwarding: bridge_igmp.sh
+ # SKIP: Cannot create interface. Name not specified
+ ok 1 selftests: net/forwarding: bridge_igmp.sh # SKIP
+
+[1] tools/testing/selftests/net/forwarding/README
+
+Fixes: 81573b18f26d ("selftests/net/forwarding: add Makefile to install tests")
+Reported-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Closes: https://lore.kernel.org/netdev/856d454e-f83c-20cf-e166-6dc06cbc1543@alu.unizg.hr/
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Tested-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://lore.kernel.org/r/20230808141503.4060661-2-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/forwarding/lib.sh | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/tools/testing/selftests/net/forwarding/lib.sh
++++ b/tools/testing/selftests/net/forwarding/lib.sh
+@@ -211,6 +211,11 @@ create_netif_veth()
+ for ((i = 1; i <= NUM_NETIFS; ++i)); do
+ local j=$((i+1))
+
++ if [ -z ${NETIFS[p$i]} ]; then
++ echo "SKIP: Cannot create interface. Name not specified"
++ exit $ksft_skip
++ fi
++
+ ip link show dev ${NETIFS[p$i]} &> /dev/null
+ if [[ $? -ne 0 ]]; then
+ ip link add ${NETIFS[p$i]} type veth \
--- /dev/null
+From 0529883ad102f6c04e19fb7018f31e1bda575bbe Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@nvidia.com>
+Date: Tue, 8 Aug 2023 17:14:48 +0300
+Subject: selftests: forwarding: Switch off timeout
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+commit 0529883ad102f6c04e19fb7018f31e1bda575bbe upstream.
+
+The default timeout for selftests is 45 seconds, but it is not enough
+for forwarding selftests which can takes minutes to finish depending on
+the number of tests cases:
+
+ # make -C tools/testing/selftests TARGETS=net/forwarding run_tests
+ TAP version 13
+ 1..102
+ # timeout set to 45
+ # selftests: net/forwarding: bridge_igmp.sh
+ # TEST: IGMPv2 report 239.10.10.10 [ OK ]
+ # TEST: IGMPv2 leave 239.10.10.10 [ OK ]
+ # TEST: IGMPv3 report 239.10.10.10 is_include [ OK ]
+ # TEST: IGMPv3 report 239.10.10.10 include -> allow [ OK ]
+ #
+ not ok 1 selftests: net/forwarding: bridge_igmp.sh # TIMEOUT 45 seconds
+
+Fix by switching off the timeout and setting it to 0. A similar change
+was done for BPF selftests in commit 6fc5916cc256 ("selftests: bpf:
+Switch off timeout").
+
+Fixes: 81573b18f26d ("selftests/net/forwarding: add Makefile to install tests")
+Reported-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Closes: https://lore.kernel.org/netdev/8d149f8c-818e-d141-a0ce-a6bae606bc22@alu.unizg.hr/
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Tested-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://lore.kernel.org/r/20230808141503.4060661-3-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/forwarding/settings | 1 +
+ 1 file changed, 1 insertion(+)
+ create mode 100644 tools/testing/selftests/net/forwarding/settings
+
+--- /dev/null
++++ b/tools/testing/selftests/net/forwarding/settings
+@@ -0,0 +1 @@
++timeout=0
--- /dev/null
+From 9ee37e53e7687654b487fc94e82569377272a7a8 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@nvidia.com>
+Date: Tue, 8 Aug 2023 17:14:58 +0300
+Subject: selftests: forwarding: tc_flower: Relax success criterion
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+commit 9ee37e53e7687654b487fc94e82569377272a7a8 upstream.
+
+The test checks that filters that match on source or destination MAC
+were only hit once. A host can send more than one packet with a given
+source or destination MAC, resulting in failures.
+
+Fix by relaxing the success criterion and instead check that the filters
+were not hit zero times. Using tc_check_at_least_x_packets() is also an
+option, but it is not available in older kernels.
+
+Fixes: 07e5c75184a1 ("selftests: forwarding: Introduce tc flower matching tests")
+Reported-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Closes: https://lore.kernel.org/netdev/adc5e40d-d040-a65e-eb26-edf47dac5b02@alu.unizg.hr/
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Tested-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://lore.kernel.org/r/20230808141503.4060661-13-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/forwarding/tc_flower.sh | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/tools/testing/selftests/net/forwarding/tc_flower.sh
++++ b/tools/testing/selftests/net/forwarding/tc_flower.sh
+@@ -52,8 +52,8 @@ match_dst_mac_test()
+ tc_check_packets "dev $h2 ingress" 101 1
+ check_fail $? "Matched on a wrong filter"
+
+- tc_check_packets "dev $h2 ingress" 102 1
+- check_err $? "Did not match on correct filter"
++ tc_check_packets "dev $h2 ingress" 102 0
++ check_fail $? "Did not match on correct filter"
+
+ tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower
+ tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower
+@@ -78,8 +78,8 @@ match_src_mac_test()
+ tc_check_packets "dev $h2 ingress" 101 1
+ check_fail $? "Matched on a wrong filter"
+
+- tc_check_packets "dev $h2 ingress" 102 1
+- check_err $? "Did not match on correct filter"
++ tc_check_packets "dev $h2 ingress" 102 0
++ check_fail $? "Did not match on correct filter"
+
+ tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower
+ tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower
--- /dev/null
+From d5ad9aae13dcced333c1a7816ff0a4fbbb052466 Mon Sep 17 00:00:00 2001
+From: Mark Brown <broonie@kernel.org>
+Date: Fri, 4 Aug 2023 20:22:11 +0100
+Subject: selftests/rseq: Fix build with undefined __weak
+
+From: Mark Brown <broonie@kernel.org>
+
+commit d5ad9aae13dcced333c1a7816ff0a4fbbb052466 upstream.
+
+Commit 3bcbc20942db ("selftests/rseq: Play nice with binaries statically
+linked against glibc 2.35+") which is now in Linus' tree introduced uses
+of __weak but did nothing to ensure that a definition is provided for it
+resulting in build failures for the rseq tests:
+
+rseq.c:41:1: error: unknown type name '__weak'
+__weak ptrdiff_t __rseq_offset;
+^
+rseq.c:41:17: error: expected ';' after top level declarator
+__weak ptrdiff_t __rseq_offset;
+ ^
+ ;
+rseq.c:42:1: error: unknown type name '__weak'
+__weak unsigned int __rseq_size;
+^
+rseq.c:43:1: error: unknown type name '__weak'
+__weak unsigned int __rseq_flags;
+
+Fix this by using the definition from tools/include compiler.h.
+
+Fixes: 3bcbc20942db ("selftests/rseq: Play nice with binaries statically linked against glibc 2.35+")
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Message-Id: <20230804-kselftest-rseq-build-v1-1-015830b66aa9@kernel.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/rseq/Makefile | 4 +++-
+ tools/testing/selftests/rseq/rseq.c | 2 ++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/rseq/Makefile
++++ b/tools/testing/selftests/rseq/Makefile
+@@ -4,8 +4,10 @@ ifneq ($(shell $(CC) --version 2>&1 | he
+ CLANG_FLAGS += -no-integrated-as
+ endif
+
++top_srcdir = ../../../..
++
+ CFLAGS += -O2 -Wall -g -I./ $(KHDR_INCLUDES) -L$(OUTPUT) -Wl,-rpath=./ \
+- $(CLANG_FLAGS)
++ $(CLANG_FLAGS) -I$(top_srcdir)/tools/include
+ LDLIBS += -lpthread -ldl
+
+ # Own dependencies because we only want to build against 1st prerequisite, but
+--- a/tools/testing/selftests/rseq/rseq.c
++++ b/tools/testing/selftests/rseq/rseq.c
+@@ -29,6 +29,8 @@
+ #include <dlfcn.h>
+ #include <stddef.h>
+
++#include <linux/compiler.h>
++
+ #include "../kselftest.h"
+ #include "rseq.h"
+
drm-nouveau-disp-revert-a-null-check-inside-nouveau_connector_get_modes.patch
netfilter-nf_tables-don-t-skip-expired-elements-during-walk.patch
iio-core-prevent-invalid-memory-access-when-there-is-no-parent.patch
+interconnect-qcom-add-support-for-mask-based-bcms.patch
+interconnect-qcom-sm8450-add-enable_mask-for-bcm-nodes.patch
+selftests-rseq-fix-build-with-undefined-__weak.patch
+selftests-forwarding-add-a-helper-to-skip-test-when-using-veth-pairs.patch
+selftests-forwarding-ethtool-skip-when-using-veth-pairs.patch
+selftests-forwarding-ethtool_extended_state-skip-when-using-veth-pairs.patch
+selftests-forwarding-hw_stats_l3_gre-skip-when-using-veth-pairs.patch
+selftests-forwarding-skip-test-when-no-interfaces-are-specified.patch
+selftests-forwarding-switch-off-timeout.patch
+selftests-forwarding-tc_flower-relax-success-criterion.patch
+net-core-remove-unnecessary-frame_sz-check-in-bpf_xdp_adjust_tail.patch
+bpf-sockmap-fix-map-type-error-in-sock_map_del_link.patch
+bpf-sockmap-fix-bug-that-strp_done-cannot-be-called.patch
+misdn-update-parameter-type-of-dsp_cmx_send.patch
+macsec-use-dev_stats_inc.patch
+mptcp-fix-the-incorrect-judgment-for-msk-cb_flags.patch
+net-packet-annotate-data-races-around-tp-status.patch
+net-smc-use-correct-buffer-sizes-when-switching-between-tcp-and-smc.patch
+tcp-add-missing-family-to-tcp_set_ca_state-tracepoint.patch
+tunnels-fix-kasan-splat-when-generating-ipv4-pmtu-error.patch
+vlan-fix-vlan-0-memory-leak.patch
+xsk-fix-refcount-underflow-in-error-path.patch
+bonding-fix-incorrect-deletion-of-eth_p_8021ad-protocol-vid-from-slaves.patch
+dccp-fix-data-race-around-dp-dccps_mss_cache.patch
+drivers-net-prevent-tun_build_skb-to-exceed-the-packet-size-limit.patch
+drivers-vxlan-vnifilter-free-percpu-vni-stats-on-error-path.patch
+iavf-fix-potential-races-for-fdir-filters.patch
+ib-hfi1-fix-possible-panic-during-hotplug-remove.patch
+drm-rockchip-don-t-spam-logs-in-atomic-check.patch
+wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch
+rdma-umem-set-iova-in-odp-flow.patch
+rdma-bnxt_re-fix-error-handling-in-probe-failure-path.patch
+net-tls-avoid-discarding-data-on-record-close.patch
+net-marvell-prestera-fix-handling-ipv4-routes-with-nhid.patch
--- /dev/null
+From 8a70ed9520c5fafaac91053cacdd44625c39e188 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 8 Aug 2023 08:49:23 +0000
+Subject: tcp: add missing family to tcp_set_ca_state() tracepoint
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 8a70ed9520c5fafaac91053cacdd44625c39e188 upstream.
+
+Before this code is copied, add the missing family, as we did in
+commit 3dd344ea84e1 ("net: tracepoint: exposing sk_family in all tcp:tracepoints")
+
+Fixes: 15fcdf6ae116 ("tcp: Add tracepoint for tcp_set_ca_state")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Ping Gan <jacky_gam_2001@163.com>
+Cc: Manjusaka <me@manjusaka.me>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20230808084923.2239142-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/trace/events/tcp.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/include/trace/events/tcp.h
++++ b/include/trace/events/tcp.h
+@@ -381,6 +381,7 @@ TRACE_EVENT(tcp_cong_state_set,
+ __field(const void *, skaddr)
+ __field(__u16, sport)
+ __field(__u16, dport)
++ __field(__u16, family)
+ __array(__u8, saddr, 4)
+ __array(__u8, daddr, 4)
+ __array(__u8, saddr_v6, 16)
+@@ -396,6 +397,7 @@ TRACE_EVENT(tcp_cong_state_set,
+
+ __entry->sport = ntohs(inet->inet_sport);
+ __entry->dport = ntohs(inet->inet_dport);
++ __entry->family = sk->sk_family;
+
+ p32 = (__be32 *) __entry->saddr;
+ *p32 = inet->inet_saddr;
+@@ -409,7 +411,8 @@ TRACE_EVENT(tcp_cong_state_set,
+ __entry->cong_state = ca_state;
+ ),
+
+- TP_printk("sport=%hu dport=%hu saddr=%pI4 daddr=%pI4 saddrv6=%pI6c daddrv6=%pI6c cong_state=%u",
++ TP_printk("family=%s sport=%hu dport=%hu saddr=%pI4 daddr=%pI4 saddrv6=%pI6c daddrv6=%pI6c cong_state=%u",
++ show_family_name(__entry->family),
+ __entry->sport, __entry->dport,
+ __entry->saddr, __entry->daddr,
+ __entry->saddr_v6, __entry->daddr_v6,
--- /dev/null
+From 6a7ac3d20593865209dceb554d8b3f094c6bd940 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 3 Aug 2023 17:26:49 +0200
+Subject: tunnels: fix kasan splat when generating ipv4 pmtu error
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 6a7ac3d20593865209dceb554d8b3f094c6bd940 upstream.
+
+If we try to emit an icmp error in response to a nonliner skb, we get
+
+BUG: KASAN: slab-out-of-bounds in ip_compute_csum+0x134/0x220
+Read of size 4 at addr ffff88811c50db00 by task iperf3/1691
+CPU: 2 PID: 1691 Comm: iperf3 Not tainted 6.5.0-rc3+ #309
+[..]
+ kasan_report+0x105/0x140
+ ip_compute_csum+0x134/0x220
+ iptunnel_pmtud_build_icmp+0x554/0x1020
+ skb_tunnel_check_pmtu+0x513/0xb80
+ vxlan_xmit_one+0x139e/0x2ef0
+ vxlan_xmit+0x1867/0x2760
+ dev_hard_start_xmit+0x1ee/0x4f0
+ br_dev_queue_push_xmit+0x4d1/0x660
+ [..]
+
+ip_compute_csum() cannot deal with nonlinear skbs, so avoid it.
+After this change, splat is gone and iperf3 is no longer stuck.
+
+Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Link: https://lore.kernel.org/r/20230803152653.29535-2-fw@strlen.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_tunnel_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_tunnel_core.c
++++ b/net/ipv4/ip_tunnel_core.c
+@@ -224,7 +224,7 @@ static int iptunnel_pmtud_build_icmp(str
+ .un.frag.__unused = 0,
+ .un.frag.mtu = htons(mtu),
+ };
+- icmph->checksum = ip_compute_csum(icmph, len);
++ icmph->checksum = csum_fold(skb_checksum(skb, 0, len, 0));
+ skb_reset_transport_header(skb);
+
+ niph = skb_push(skb, sizeof(*niph));
--- /dev/null
+From 718cb09aaa6fa78cc8124e9517efbc6c92665384 Mon Sep 17 00:00:00 2001
+From: Vlad Buslov <vladbu@nvidia.com>
+Date: Tue, 8 Aug 2023 11:35:21 +0200
+Subject: vlan: Fix VLAN 0 memory leak
+
+From: Vlad Buslov <vladbu@nvidia.com>
+
+commit 718cb09aaa6fa78cc8124e9517efbc6c92665384 upstream.
+
+The referenced commit intended to fix memleak of VLAN 0 that is implicitly
+created on devices with NETIF_F_HW_VLAN_CTAG_FILTER feature. However, it
+doesn't take into account that the feature can be re-set during the
+netdevice lifetime which will cause memory leak if feature is disabled
+during the device deletion as illustrated by [0]. Fix the leak by
+unconditionally deleting VLAN 0 on NETDEV_DOWN event.
+
+[0]:
+> modprobe 8021q
+> ip l set dev eth2 up
+> ethtool -K eth2 rx-vlan-filter off
+> modprobe -r mlx5_ib
+> modprobe -r mlx5_core
+> cat /sys/kernel/debug/kmemleak
+unreferenced object 0xffff888103dcd900 (size 256):
+ comm "ip", pid 1490, jiffies 4294907305 (age 325.364s)
+ hex dump (first 32 bytes):
+ 00 80 5d 03 81 88 ff ff 00 00 00 00 00 00 00 00 ..].............
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000899f3bb9>] kmalloc_trace+0x25/0x80
+ [<000000002889a7a2>] vlan_vid_add+0xa0/0x210
+ [<000000007177800e>] vlan_device_event+0x374/0x760 [8021q]
+ [<000000009a0716b1>] notifier_call_chain+0x35/0xb0
+ [<00000000bbf3d162>] __dev_notify_flags+0x58/0xf0
+ [<0000000053d2b05d>] dev_change_flags+0x4d/0x60
+ [<00000000982807e9>] do_setlink+0x28d/0x10a0
+ [<0000000058c1be00>] __rtnl_newlink+0x545/0x980
+ [<00000000e66c3bd9>] rtnl_newlink+0x44/0x70
+ [<00000000a2cc5970>] rtnetlink_rcv_msg+0x29c/0x390
+ [<00000000d307d1e4>] netlink_rcv_skb+0x54/0x100
+ [<00000000259d16f9>] netlink_unicast+0x1f6/0x2c0
+ [<000000007ce2afa1>] netlink_sendmsg+0x232/0x4a0
+ [<00000000f3f4bb39>] sock_sendmsg+0x38/0x60
+ [<000000002f9c0624>] ____sys_sendmsg+0x1e3/0x200
+ [<00000000d6ff5520>] ___sys_sendmsg+0x80/0xc0
+unreferenced object 0xffff88813354fde0 (size 32):
+ comm "ip", pid 1490, jiffies 4294907305 (age 325.364s)
+ hex dump (first 32 bytes):
+ a0 d9 dc 03 81 88 ff ff a0 d9 dc 03 81 88 ff ff ................
+ 81 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000899f3bb9>] kmalloc_trace+0x25/0x80
+ [<000000002da64724>] vlan_vid_add+0xdf/0x210
+ [<000000007177800e>] vlan_device_event+0x374/0x760 [8021q]
+ [<000000009a0716b1>] notifier_call_chain+0x35/0xb0
+ [<00000000bbf3d162>] __dev_notify_flags+0x58/0xf0
+ [<0000000053d2b05d>] dev_change_flags+0x4d/0x60
+ [<00000000982807e9>] do_setlink+0x28d/0x10a0
+ [<0000000058c1be00>] __rtnl_newlink+0x545/0x980
+ [<00000000e66c3bd9>] rtnl_newlink+0x44/0x70
+ [<00000000a2cc5970>] rtnetlink_rcv_msg+0x29c/0x390
+ [<00000000d307d1e4>] netlink_rcv_skb+0x54/0x100
+ [<00000000259d16f9>] netlink_unicast+0x1f6/0x2c0
+ [<000000007ce2afa1>] netlink_sendmsg+0x232/0x4a0
+ [<00000000f3f4bb39>] sock_sendmsg+0x38/0x60
+ [<000000002f9c0624>] ____sys_sendmsg+0x1e3/0x200
+ [<00000000d6ff5520>] ___sys_sendmsg+0x80/0xc0
+
+Fixes: efc73f4bbc23 ("net: Fix memory leak - vlan_info struct")
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
+Link: https://lore.kernel.org/r/20230808093521.1468929-1-vladbu@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/8021q/vlan.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/8021q/vlan.c
++++ b/net/8021q/vlan.c
+@@ -384,8 +384,7 @@ static int vlan_device_event(struct noti
+ dev->name);
+ vlan_vid_add(dev, htons(ETH_P_8021Q), 0);
+ }
+- if (event == NETDEV_DOWN &&
+- (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER))
++ if (event == NETDEV_DOWN)
+ vlan_vid_del(dev, htons(ETH_P_8021Q), 0);
+
+ vlan_info = rtnl_dereference(dev->vlan_info);
--- /dev/null
+From 5fb9a9fb71a33be61d7d8e8ba4597bfb18d604d0 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Thu, 22 Jun 2023 18:59:19 +0200
+Subject: wifi: cfg80211: fix sband iftype data lookup for AP_VLAN
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 5fb9a9fb71a33be61d7d8e8ba4597bfb18d604d0 upstream.
+
+AP_VLAN interfaces are virtual, so doesn't really exist as a type for
+capabilities. When passed in as a type, AP is the one that's really intended.
+
+Fixes: c4cbaf7973a7 ("cfg80211: Add support for HE")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20230622165919.46841-1-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/cfg80211.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/include/net/cfg80211.h
++++ b/include/net/cfg80211.h
+@@ -562,6 +562,9 @@ ieee80211_get_sband_iftype_data(const st
+ if (WARN_ON(iftype >= NL80211_IFTYPE_MAX))
+ return NULL;
+
++ if (iftype == NL80211_IFTYPE_AP_VLAN)
++ iftype = NL80211_IFTYPE_AP;
++
+ for (i = 0; i < sband->n_iftype_data; i++) {
+ const struct ieee80211_sband_iftype_data *data =
+ &sband->iftype_data[i];
--- /dev/null
+From 85c2c79a07302fe68a1ad5cc449458cc559e314d Mon Sep 17 00:00:00 2001
+From: Magnus Karlsson <magnus.karlsson@intel.com>
+Date: Wed, 9 Aug 2023 16:28:43 +0200
+Subject: xsk: fix refcount underflow in error path
+
+From: Magnus Karlsson <magnus.karlsson@intel.com>
+
+commit 85c2c79a07302fe68a1ad5cc449458cc559e314d upstream.
+
+Fix a refcount underflow problem reported by syzbot that can happen
+when a system is running out of memory. If xp_alloc_tx_descs() fails,
+and it can only fail due to not having enough memory, then the error
+path is triggered. In this error path, the refcount of the pool is
+decremented as it has incremented before. However, the reference to
+the pool in the socket was not nulled. This means that when the socket
+is closed later, the socket teardown logic will think that there is a
+pool attached to the socket and try to decrease the refcount again,
+leading to a refcount underflow.
+
+I chose this fix as it involved adding just a single line. Another
+option would have been to move xp_get_pool() and the assignment of
+xs->pool to after the if-statement and using xs_umem->pool instead of
+xs->pool in the whole if-statement resulting in somewhat simpler code,
+but this would have led to much more churn in the code base perhaps
+making it harder to backport.
+
+Fixes: ba3beec2ec1d ("xsk: Fix possible crash when multiple sockets are created")
+Reported-by: syzbot+8ada0057e69293a05fd4@syzkaller.appspotmail.com
+Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Link: https://lore.kernel.org/r/20230809142843.13944-1-magnus.karlsson@gmail.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xdp/xsk.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/xdp/xsk.c
++++ b/net/xdp/xsk.c
+@@ -994,6 +994,7 @@ static int xsk_bind(struct socket *sock,
+ err = xp_alloc_tx_descs(xs->pool, xs);
+ if (err) {
+ xp_put_pool(xs->pool);
++ xs->pool = NULL;
+ sockfd_put(sock);
+ goto out_unlock;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
