6.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 12 Aug 2023 18:02:40 +0000 (20:02 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 12 Aug 2023 18:02:40 +0000 (20:02 +0200)
added patches:
bonding-fix-incorrect-deletion-of-eth_p_8021ad-protocol-vid-from-slaves.patch
dccp-fix-data-race-around-dp-dccps_mss_cache.patch
drivers-net-prevent-tun_build_skb-to-exceed-the-packet-size-limit.patch
drivers-vxlan-vnifilter-free-percpu-vni-stats-on-error-path.patch
drm-amd-display-don-t-show-stack-trace-for-missing-edp.patch
drm-bridge-it6505-check-power-state-with-it6505-powered-in-irq-handler.patch
drm-nouveau-remove-unused-tu102_gr_load-function.patch
drm-rockchip-don-t-spam-logs-in-atomic-check.patch
iavf-fix-potential-races-for-fdir-filters.patch
ib-hfi1-fix-possible-panic-during-hotplug-remove.patch
igc-add-lock-to-safeguard-global-qbv-variables.patch
ionic-add-missing-err-handling-for-queue-reconfig.patch
mptcp-fix-the-incorrect-judgment-for-msk-cb_flags.patch
net-packet-annotate-data-races-around-tp-status.patch
net-smc-fix-setsockopt-and-sysctl-to-specify-same-buffer-size-again.patch
net-smc-use-correct-buffer-sizes-when-switching-between-tcp-and-smc.patch
pci-move-of-status-disabled-detection-to-dev-match_driver.patch
tcp-add-missing-family-to-tcp_set_ca_state-tracepoint.patch
tunnels-fix-kasan-splat-when-generating-ipv4-pmtu-error.patch
vlan-fix-vlan-0-memory-leak.patch
wifi-brcm80211-handle-params_v1-allocation-failure.patch
wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch
xsk-fix-refcount-underflow-in-error-path.patch

24 files changed:
queue-6.4/bonding-fix-incorrect-deletion-of-eth_p_8021ad-protocol-vid-from-slaves.patch [new file with mode: 0644]
queue-6.4/dccp-fix-data-race-around-dp-dccps_mss_cache.patch [new file with mode: 0644]
queue-6.4/drivers-net-prevent-tun_build_skb-to-exceed-the-packet-size-limit.patch [new file with mode: 0644]
queue-6.4/drivers-vxlan-vnifilter-free-percpu-vni-stats-on-error-path.patch [new file with mode: 0644]
queue-6.4/drm-amd-display-don-t-show-stack-trace-for-missing-edp.patch [new file with mode: 0644]
queue-6.4/drm-bridge-it6505-check-power-state-with-it6505-powered-in-irq-handler.patch [new file with mode: 0644]
queue-6.4/drm-nouveau-remove-unused-tu102_gr_load-function.patch [new file with mode: 0644]
queue-6.4/drm-rockchip-don-t-spam-logs-in-atomic-check.patch [new file with mode: 0644]
queue-6.4/iavf-fix-potential-races-for-fdir-filters.patch [new file with mode: 0644]
queue-6.4/ib-hfi1-fix-possible-panic-during-hotplug-remove.patch [new file with mode: 0644]
queue-6.4/igc-add-lock-to-safeguard-global-qbv-variables.patch [new file with mode: 0644]
queue-6.4/ionic-add-missing-err-handling-for-queue-reconfig.patch [new file with mode: 0644]
queue-6.4/mptcp-fix-the-incorrect-judgment-for-msk-cb_flags.patch [new file with mode: 0644]
queue-6.4/net-packet-annotate-data-races-around-tp-status.patch [new file with mode: 0644]
queue-6.4/net-smc-fix-setsockopt-and-sysctl-to-specify-same-buffer-size-again.patch [new file with mode: 0644]
queue-6.4/net-smc-use-correct-buffer-sizes-when-switching-between-tcp-and-smc.patch [new file with mode: 0644]
queue-6.4/pci-move-of-status-disabled-detection-to-dev-match_driver.patch [new file with mode: 0644]
queue-6.4/series
queue-6.4/tcp-add-missing-family-to-tcp_set_ca_state-tracepoint.patch [new file with mode: 0644]
queue-6.4/tunnels-fix-kasan-splat-when-generating-ipv4-pmtu-error.patch [new file with mode: 0644]
queue-6.4/vlan-fix-vlan-0-memory-leak.patch [new file with mode: 0644]
queue-6.4/wifi-brcm80211-handle-params_v1-allocation-failure.patch [new file with mode: 0644]
queue-6.4/wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch [new file with mode: 0644]
queue-6.4/xsk-fix-refcount-underflow-in-error-path.patch [new file with mode: 0644]

diff --git a/queue-6.4/bonding-fix-incorrect-deletion-of-eth_p_8021ad-protocol-vid-from-slaves.patch b/queue-6.4/bonding-fix-incorrect-deletion-of-eth_p_8021ad-protocol-vid-from-slaves.patch
new file mode 100644 (file)
index 0000000..9449f2d
--- /dev/null
@@ -0,0 +1,82 @@
+From 01f4fd27087078c90a0e22860d1dfa2cd0510791 Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+Date: Wed, 2 Aug 2023 19:43:20 +0800
+Subject: bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+commit 01f4fd27087078c90a0e22860d1dfa2cd0510791 upstream.
+
+BUG_ON(!vlan_info) is triggered in unregister_vlan_dev() with
+following testcase:
+
+  # ip netns add ns1
+  # ip netns exec ns1 ip link add bond0 type bond mode 0
+  # ip netns exec ns1 ip link add bond_slave_1 type veth peer veth2
+  # ip netns exec ns1 ip link set bond_slave_1 master bond0
+  # ip netns exec ns1 ip link add link bond_slave_1 name vlan10 type vlan id 10 protocol 802.1ad
+  # ip netns exec ns1 ip link add link bond0 name bond0_vlan10 type vlan id 10 protocol 802.1ad
+  # ip netns exec ns1 ip link set bond_slave_1 nomaster
+  # ip netns del ns1
+
+The logical analysis of the problem is as follows:
+
+1. create ETH_P_8021AD protocol vlan10 for bond_slave_1:
+register_vlan_dev()
+  vlan_vid_add()
+    vlan_info_alloc()
+    __vlan_vid_add() // add [ETH_P_8021AD, 10] vid to bond_slave_1
+
+2. create ETH_P_8021AD protocol bond0_vlan10 for bond0:
+register_vlan_dev()
+  vlan_vid_add()
+    __vlan_vid_add()
+      vlan_add_rx_filter_info()
+          if (!vlan_hw_filter_capable(dev, proto)) // condition established because bond0 without NETIF_F_HW_VLAN_STAG_FILTER
+              return 0;
+
+          if (netif_device_present(dev))
+              return dev->netdev_ops->ndo_vlan_rx_add_vid(dev, proto, vid); // will be never called
+              // The slaves of bond0 will not refer to the [ETH_P_8021AD, 10] vid.
+
+3. detach bond_slave_1 from bond0:
+__bond_release_one()
+  vlan_vids_del_by_dev()
+    list_for_each_entry(vid_info, &vlan_info->vid_list, list)
+        vlan_vid_del(dev, vid_info->proto, vid_info->vid);
+        // bond_slave_1 [ETH_P_8021AD, 10] vid will be deleted.
+        // bond_slave_1->vlan_info will be assigned NULL.
+
+4. delete vlan10 during delete ns1:
+default_device_exit_batch()
+  dev->rtnl_link_ops->dellink() // unregister_vlan_dev() for vlan10
+    vlan_info = rtnl_dereference(real_dev->vlan_info); // real_dev of vlan10 is bond_slave_1
+       BUG_ON(!vlan_info); // bond_slave_1->vlan_info is NULL now, bug is triggered!!!
+
+Add S-VLAN tag related features support to bond driver. So the bond driver
+will always propagate the VLAN info to its slaves.
+
+Fixes: 8ad227ff89a7 ("net: vlan: add 802.1ad support")
+Suggested-by: Ido Schimmel <idosch@idosch.org>
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://lore.kernel.org/r/20230802114320.4156068-1-william.xuanziyang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -5898,7 +5898,9 @@ void bond_setup(struct net_device *bond_
+       bond_dev->hw_features = BOND_VLAN_FEATURES |
+                               NETIF_F_HW_VLAN_CTAG_RX |
+-                              NETIF_F_HW_VLAN_CTAG_FILTER;
++                              NETIF_F_HW_VLAN_CTAG_FILTER |
++                              NETIF_F_HW_VLAN_STAG_RX |
++                              NETIF_F_HW_VLAN_STAG_FILTER;
+       bond_dev->hw_features |= NETIF_F_GSO_ENCAP_ALL;
+       bond_dev->features |= bond_dev->hw_features;
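Review bot: The two STAG bits added to `bond_dev->hw_features` in bond_setup() carry no comment, and their purpose is not obvious from the flag names. Per the commit message they exist so that 802.1ad vids are always propagated to the slaves, which keeps the later per-slave deletion symmetric. I would add `/* Advertise S-VLAN RX/filter so 802.1ad vids are always propagated to slaves; otherwise releasing a slave deletes vids the bond never added. */` above the assignment. bond_setup() starts and ends outside this hunk.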
diff --git a/queue-6.4/dccp-fix-data-race-around-dp-dccps_mss_cache.patch b/queue-6.4/dccp-fix-data-race-around-dp-dccps_mss_cache.patch
new file mode 100644 (file)
index 0000000..fb14e8a
--- /dev/null
@@ -0,0 +1,71 @@
+From a47e598fbd8617967e49d85c49c22f9fc642704c Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 3 Aug 2023 16:30:21 +0000
+Subject: dccp: fix data-race around dp->dccps_mss_cache
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit a47e598fbd8617967e49d85c49c22f9fc642704c upstream.
+
+dccp_sendmsg() reads dp->dccps_mss_cache before locking the socket.
+Same thing in do_dccp_getsockopt().
+
+Add READ_ONCE()/WRITE_ONCE() annotations,
+and change dccp_sendmsg() to check again dccps_mss_cache
+after socket is locked.
+
+Fixes: 7c657876b63c ("[DCCP]: Initial implementation")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20230803163021.2958262-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dccp/output.c |    2 +-
+ net/dccp/proto.c  |   10 ++++++++--
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/dccp/output.c
++++ b/net/dccp/output.c
+@@ -187,7 +187,7 @@ unsigned int dccp_sync_mss(struct sock *
+       /* And store cached results */
+       icsk->icsk_pmtu_cookie = pmtu;
+-      dp->dccps_mss_cache = cur_mps;
++      WRITE_ONCE(dp->dccps_mss_cache, cur_mps);
+       return cur_mps;
+ }
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -630,7 +630,7 @@ static int do_dccp_getsockopt(struct soc
+               return dccp_getsockopt_service(sk, len,
+                                              (__be32 __user *)optval, optlen);
+       case DCCP_SOCKOPT_GET_CUR_MPS:
+-              val = dp->dccps_mss_cache;
++              val = READ_ONCE(dp->dccps_mss_cache);
+               break;
+       case DCCP_SOCKOPT_AVAILABLE_CCIDS:
+               return ccid_getsockopt_builtin_ccids(sk, len, optval, optlen);
+@@ -739,7 +739,7 @@ int dccp_sendmsg(struct sock *sk, struct
+       trace_dccp_probe(sk, len);
+-      if (len > dp->dccps_mss_cache)
++      if (len > READ_ONCE(dp->dccps_mss_cache))
+               return -EMSGSIZE;
+       lock_sock(sk);
+@@ -772,6 +772,12 @@ int dccp_sendmsg(struct sock *sk, struct
+               goto out_discard;
+       }
++      /* We need to check dccps_mss_cache after socket is locked. */
++      if (len > dp->dccps_mss_cache) {
++              rc = -EMSGSIZE;
++              goto out_discard;
++      }
++
+       skb_reserve(skb, sk->sk_prot->max_header);
+       rc = memcpy_from_msg(skb_put(skb, len), msg, len);
+       if (rc != 0)
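Review bot: The `READ_ONCE()` comparison before `lock_sock()` in dccp_sendmsg() is now only an early reject, with the authoritative test being the new one under the socket lock, but the first site has no comment saying so. Someone tidying the function could drop the second check as a duplicate; I would add `/* Lockless early reject; rechecked under the socket lock below. */` above the first test. The locked check reads `dp->dccps_mss_cache` without an annotation, which is fine only if every writer holds the socket lock, so that assumption is worth stating next to the `WRITE_ONCE()` in dccp_sync_mss(). Both functions extend beyond the hunks shown.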
diff --git a/queue-6.4/drivers-net-prevent-tun_build_skb-to-exceed-the-packet-size-limit.patch b/queue-6.4/drivers-net-prevent-tun_build_skb-to-exceed-the-packet-size-limit.patch
new file mode 100644 (file)
index 0000000..117a079
--- /dev/null
@@ -0,0 +1,40 @@
+From 59eeb232940515590de513b997539ef495faca9a Mon Sep 17 00:00:00 2001
+From: Andrew Kanner <andrew.kanner@gmail.com>
+Date: Thu, 3 Aug 2023 20:59:48 +0200
+Subject: drivers: net: prevent tun_build_skb() to exceed the packet size limit
+
+From: Andrew Kanner <andrew.kanner@gmail.com>
+
+commit 59eeb232940515590de513b997539ef495faca9a upstream.
+
+Using the syzkaller repro with reduced packet size it was discovered
+that XDP_PACKET_HEADROOM is not checked in tun_can_build_skb(),
+although pad may be incremented in tun_build_skb(). This may end up
+with exceeding the PAGE_SIZE limit in tun_build_skb().
+
+Jason Wang <jasowang@redhat.com> proposed to count XDP_PACKET_HEADROOM
+always (e.g. without rcu_access_pointer(tun->xdp_prog)) in
+tun_can_build_skb() since there's a window during which XDP program
+might be attached between tun_can_build_skb() and tun_build_skb().
+
+Fixes: 7df13219d757 ("tun: reserve extra headroom only when XDP is set")
+Link: https://syzkaller.appspot.com/bug?extid=f817490f5bd20541b90a
+Signed-off-by: Andrew Kanner <andrew.kanner@gmail.com>
+Link: https://lore.kernel.org/r/20230803185947.2379988-1-andrew.kanner@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tun.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1594,7 +1594,7 @@ static bool tun_can_build_skb(struct tun
+       if (zerocopy)
+               return false;
+-      if (SKB_DATA_ALIGN(len + TUN_RX_PAD) +
++      if (SKB_DATA_ALIGN(len + TUN_RX_PAD + XDP_PACKET_HEADROOM) +
+           SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) > PAGE_SIZE)
+               return false;
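Review bot: The size test in tun_can_build_skb() now counts XDP_PACKET_HEADROOM unconditionally, but the reason lives only in the commit message. A later cleanup could make it conditional on an attached XDP program again and bring back the PAGE_SIZE overrun. A comment above the test would pin the intent: `/* Always reserve XDP_PACKET_HEADROOM: a program may be attached between this check and tun_build_skb(). */`. The function body starts outside the hunk.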
diff --git a/queue-6.4/drivers-vxlan-vnifilter-free-percpu-vni-stats-on-error-path.patch b/queue-6.4/drivers-vxlan-vnifilter-free-percpu-vni-stats-on-error-path.patch
new file mode 100644 (file)
index 0000000..63bc1f4
--- /dev/null
@@ -0,0 +1,60 @@
+From b1c936e9af5dd08636d568736fc6075ed9d1d529 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+Date: Fri, 4 Aug 2023 18:53:36 +0300
+Subject: drivers: vxlan: vnifilter: free percpu vni stats on error path
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+commit b1c936e9af5dd08636d568736fc6075ed9d1d529 upstream.
+
+In case rhashtable_lookup_insert_fast() fails inside vxlan_vni_add(), the
+allocated percpu vni stats are not freed on the error path.
+
+Introduce vxlan_vni_free() which would work as a nice wrapper to free
+vxlan_vni_node resources properly.
+
+Found by Linux Verification Center (linuxtesting.org).
+
+Fixes: 4095e0e1328a ("drivers: vxlan: vnifilter: per vni stats")
+Suggested-by: Ido Schimmel <idosch@idosch.org>
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vxlan/vxlan_vnifilter.c |   11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/vxlan/vxlan_vnifilter.c
++++ b/drivers/net/vxlan/vxlan_vnifilter.c
+@@ -713,6 +713,12 @@ static struct vxlan_vni_node *vxlan_vni_
+       return vninode;
+ }
++static void vxlan_vni_free(struct vxlan_vni_node *vninode)
++{
++      free_percpu(vninode->stats);
++      kfree(vninode);
++}
++
+ static int vxlan_vni_add(struct vxlan_dev *vxlan,
+                        struct vxlan_vni_group *vg,
+                        u32 vni, union vxlan_addr *group,
+@@ -740,7 +746,7 @@ static int vxlan_vni_add(struct vxlan_de
+                                           &vninode->vnode,
+                                           vxlan_vni_rht_params);
+       if (err) {
+-              kfree(vninode);
++              vxlan_vni_free(vninode);
+               return err;
+       }
+@@ -763,8 +769,7 @@ static void vxlan_vni_node_rcu_free(stru
+       struct vxlan_vni_node *v;
+       v = container_of(rcu, struct vxlan_vni_node, rcu);
+-      free_percpu(v->stats);
+-      kfree(v);
++      vxlan_vni_free(v);
+ }
+ static int vxlan_vni_del(struct vxlan_dev *vxlan,
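Review bot: vxlan_vni_free() frees the per-cpu stats and the node immediately, so it is only safe where no RCU reader can still reach the node, and the helper does not say so. The two call sites in this patch appear to meet that condition (the path in vxlan_vni_add() where the insert failed, and the RCU callback), but a future caller could use it on a node that is still published. I would add a one-line comment above it such as `/* Caller must guarantee the node is unpublished or past an RCU grace period. */`.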
diff --git a/queue-6.4/drm-amd-display-don-t-show-stack-trace-for-missing-edp.patch b/queue-6.4/drm-amd-display-don-t-show-stack-trace-for-missing-edp.patch
new file mode 100644 (file)
index 0000000..ae6374e
--- /dev/null
@@ -0,0 +1,35 @@
+From 7ad1dfc144cbf62702fd07838da8fd8a77921083 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Mon, 31 Jul 2023 09:22:05 -0500
+Subject: drm/amd/display: Don't show stack trace for missing eDP
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit 7ad1dfc144cbf62702fd07838da8fd8a77921083 upstream.
+
+Some systems are only connected by HDMI or DP, so warning related to
+missing eDP is unnecessary.  Downgrade to debug instead.
+
+Cc: Hamza Mahfooz <hamza.mahfooz@amd.com>
+Fixes: 6d9b6dceaa51 ("drm/amd/display: only warn once in dce110_edp_wait_for_hpd_ready()")
+Reported-by: Mastan.Katragadda@amd.com
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Reviewed-by: Hamza Mahfooz <hamza.mahfooz@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c
++++ b/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c
+@@ -780,7 +780,8 @@ void dce110_edp_wait_for_hpd_ready(
+       dal_gpio_destroy_irq(&hpd);
+       /* ensure that the panel is detected */
+-      ASSERT(edp_hpd_high);
++      if (!edp_hpd_high)
++              DC_LOG_DC("%s: wait timed out!\n", __func__);
+ }
+ void dce110_edp_power_control(
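Review bot: The retained comment `/* ensure that the panel is detected */` in dce110_edp_wait_for_hpd_ready() no longer matches the code beneath it, which now only emits a debug message when the wait times out and then returns normally. Rewording it to something like `/* a missing eDP panel is not an error; log the timeout at debug level */` would keep readers from assuming that callers are protected against an undetected panel. The function starts outside this hunk.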
diff --git a/queue-6.4/drm-bridge-it6505-check-power-state-with-it6505-powered-in-irq-handler.patch b/queue-6.4/drm-bridge-it6505-check-power-state-with-it6505-powered-in-irq-handler.patch
new file mode 100644 (file)
index 0000000..a2b3f35
--- /dev/null
@@ -0,0 +1,47 @@
+From e9d699af3f65d62cf195f0e7a039400093ab2af2 Mon Sep 17 00:00:00 2001
+From: Pin-yen Lin <treapking@chromium.org>
+Date: Thu, 27 Jul 2023 18:01:10 +0800
+Subject: drm/bridge: it6505: Check power state with it6505->powered in IRQ handler
+
+From: Pin-yen Lin <treapking@chromium.org>
+
+commit e9d699af3f65d62cf195f0e7a039400093ab2af2 upstream.
+
+On system resume, the driver might call it6505_poweron directly if the
+runtime PM hasn't been enabled. In such case, pm_runtime_get_if_in_use
+will always return 0 because dev->power.runtime_status stays at
+RPM_SUSPENDED, and the IRQ will never be handled.
+
+Use it6505->powered from the driver struct fixes this because it always
+gets updated when it6505_poweron is called.
+
+Fixes: 5eb9a4314053 ("drm/bridge: it6505: Guard bridge power in IRQ handler")
+Signed-off-by: Pin-yen Lin <treapking@chromium.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230727100131.2338127-1-treapking@chromium.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/bridge/ite-it6505.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bridge/ite-it6505.c b/drivers/gpu/drm/bridge/ite-it6505.c
+index 504d51c42f79..aadb396508c5 100644
+--- a/drivers/gpu/drm/bridge/ite-it6505.c
++++ b/drivers/gpu/drm/bridge/ite-it6505.c
+@@ -2517,9 +2517,11 @@ static irqreturn_t it6505_int_threaded_handler(int unused, void *data)
+       };
+       int int_status[3], i;
+-      if (it6505->enable_drv_hold || pm_runtime_get_if_in_use(dev) <= 0)
++      if (it6505->enable_drv_hold || !it6505->powered)
+               return IRQ_HANDLED;
++      pm_runtime_get_sync(dev);
++
+       int_status[0] = it6505_read(it6505, INT_STATUS_01);
+       int_status[1] = it6505_read(it6505, INT_STATUS_02);
+       int_status[2] = it6505_read(it6505, INT_STATUS_03);
+-- 
+2.41.0
+
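Review bot: The added `pm_runtime_get_sync(dev);` in it6505_int_threaded_handler() discards its return value with no explanation, which reads like a missed error check. From the commit message this looks deliberate (runtime PM may not be enabled yet at system resume, and `it6505->powered` is the actual gate), so it should be stated in a comment, e.g. `/* Return value ignored on purpose: runtime PM may still be disabled here; ->powered above is the real power check. */`. It is also worth confirming that `powered` cannot be cleared by a concurrent power-off while this thread reads the INT_STATUS registers, since no lock is visible in the hunk. The matching put is outside the hunk.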
diff --git a/queue-6.4/drm-nouveau-remove-unused-tu102_gr_load-function.patch b/queue-6.4/drm-nouveau-remove-unused-tu102_gr_load-function.patch
new file mode 100644 (file)
index 0000000..677af36
--- /dev/null
@@ -0,0 +1,56 @@
+From 421dabcad1c69e02a41c0d601aefbc29ee3f5368 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 3 Aug 2023 16:33:48 +0200
+Subject: drm/nouveau: remove unused tu102_gr_load() function
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 421dabcad1c69e02a41c0d601aefbc29ee3f5368 upstream.
+
+tu102_gr_load() is completely unused and can be removed to address
+this warning:
+
+drivers/gpu/drm/nouveau/dispnv50/disp.c:2517:1: error: no previous prototype for 'nv50_display_create'
+
+Another patch was sent in the meantime to mark the function static but
+that would just cause a different warning about an unused function.
+
+Fixes: 1cd97b5490c8 ("drm/nouveau/gr/tu102-: use sw_veid_bundle_init from firmware")
+Link: https://lore.kernel.org/all/CACO55tuaNOYphHyB9+ygi9AnXVuF49etsW7x2X5K5iEtFNAAyw@mail.gmail.com/
+Link: https://lore.kernel.org/all/20230417210310.2443152-1-arnd@kernel.org/
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Karol Herbst <kherbst@redhat.com>
+Signed-off-by: Karol Herbst <kherbst@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230803143358.13563-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nvkm/engine/gr/tu102.c | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/gr/tu102.c b/drivers/gpu/drm/nouveau/nvkm/engine/gr/tu102.c
+index 3b6c8100a242..a7775aa18541 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/tu102.c
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/tu102.c
+@@ -206,19 +206,6 @@ tu102_gr_av_to_init_veid(struct nvkm_blob *blob, struct gf100_gr_pack **ppack)
+       return gk20a_gr_av_to_init_(blob, 64, 0x00100000, ppack);
+ }
+-int
+-tu102_gr_load(struct gf100_gr *gr, int ver, const struct gf100_gr_fwif *fwif)
+-{
+-      int ret;
+-
+-      ret = gm200_gr_load(gr, ver, fwif);
+-      if (ret)
+-              return ret;
+-
+-      return gk20a_gr_load_net(gr, "gr/", "sw_veid_bundle_init", ver, tu102_gr_av_to_init_veid,
+-                               &gr->bundle_veid);
+-}
+-
+ static const struct gf100_gr_fwif
+ tu102_gr_fwif[] = {
+       {  0, gm200_gr_load, &tu102_gr, &gp108_gr_fecs_acr, &gp108_gr_gpccs_acr },
+-- 
+2.41.0
+
diff --git a/queue-6.4/drm-rockchip-don-t-spam-logs-in-atomic-check.patch b/queue-6.4/drm-rockchip-don-t-spam-logs-in-atomic-check.patch
new file mode 100644 (file)
index 0000000..4fde604
--- /dev/null
@@ -0,0 +1,70 @@
+From 43dae319b50fac075ad864f84501c703ef20eb2b Mon Sep 17 00:00:00 2001
+From: Daniel Stone <daniels@collabora.com>
+Date: Tue, 8 Aug 2023 11:44:05 +0100
+Subject: drm/rockchip: Don't spam logs in atomic check
+
+From: Daniel Stone <daniels@collabora.com>
+
+commit 43dae319b50fac075ad864f84501c703ef20eb2b upstream.
+
+Userspace should not be able to trigger DRM_ERROR messages to spam the
+logs; especially not through atomic commit parameters which are
+completely legitimate for userspace to attempt.
+
+Signed-off-by: Daniel Stone <daniels@collabora.com>
+Fixes: 7707f7227f09 ("drm/rockchip: Add support for afbc")
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230808104405.522493-1-daniels@collabora.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/rockchip/rockchip_drm_vop.c |   17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
+@@ -833,12 +833,12 @@ static int vop_plane_atomic_check(struct
+        * need align with 2 pixel.
+        */
+       if (fb->format->is_yuv && ((new_plane_state->src.x1 >> 16) % 2)) {
+-              DRM_ERROR("Invalid Source: Yuv format not support odd xpos\n");
++              DRM_DEBUG_KMS("Invalid Source: Yuv format not support odd xpos\n");
+               return -EINVAL;
+       }
+       if (fb->format->is_yuv && new_plane_state->rotation & DRM_MODE_REFLECT_Y) {
+-              DRM_ERROR("Invalid Source: Yuv format does not support this rotation\n");
++              DRM_DEBUG_KMS("Invalid Source: Yuv format does not support this rotation\n");
+               return -EINVAL;
+       }
+@@ -846,7 +846,7 @@ static int vop_plane_atomic_check(struct
+               struct vop *vop = to_vop(crtc);
+               if (!vop->data->afbc) {
+-                      DRM_ERROR("vop does not support AFBC\n");
++                      DRM_DEBUG_KMS("vop does not support AFBC\n");
+                       return -EINVAL;
+               }
+@@ -855,15 +855,16 @@ static int vop_plane_atomic_check(struct
+                       return ret;
+               if (new_plane_state->src.x1 || new_plane_state->src.y1) {
+-                      DRM_ERROR("AFBC does not support offset display, xpos=%d, ypos=%d, offset=%d\n",
+-                                new_plane_state->src.x1,
+-                                new_plane_state->src.y1, fb->offsets[0]);
++                      DRM_DEBUG_KMS("AFBC does not support offset display, " \
++                                    "xpos=%d, ypos=%d, offset=%d\n",
++                                    new_plane_state->src.x1, new_plane_state->src.y1,
++                                    fb->offsets[0]);
+                       return -EINVAL;
+               }
+               if (new_plane_state->rotation && new_plane_state->rotation != DRM_MODE_ROTATE_0) {
+-                      DRM_ERROR("No rotation support in AFBC, rotation=%d\n",
+-                                new_plane_state->rotation);
++                      DRM_DEBUG_KMS("No rotation support in AFBC, rotation=%d\n",
++                                    new_plane_state->rotation);
+                       return -EINVAL;
+               }
+       }
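Review bot: The reflowed AFBC message in vop_plane_atomic_check() splits the format string across two lines and ends the first with a stray `\` continuation, which is unnecessary inside a call's argument list and makes the message hard to grep for. Kernel style keeps such strings on one line even past the column limit: `DRM_DEBUG_KMS("AFBC does not support offset display, xpos=%d, ypos=%d, offset=%d\n",`. The function continues outside the hunks shown.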
diff --git a/queue-6.4/iavf-fix-potential-races-for-fdir-filters.patch b/queue-6.4/iavf-fix-potential-races-for-fdir-filters.patch
new file mode 100644 (file)
index 0000000..db1d0d7
--- /dev/null
@@ -0,0 +1,92 @@
+From 0fb1d8eb234b6979d4981d2d385780dd7d8d9771 Mon Sep 17 00:00:00 2001
+From: Piotr Gardocki <piotrx.gardocki@intel.com>
+Date: Mon, 7 Aug 2023 13:50:11 -0700
+Subject: iavf: fix potential races for FDIR filters
+
+From: Piotr Gardocki <piotrx.gardocki@intel.com>
+
+commit 0fb1d8eb234b6979d4981d2d385780dd7d8d9771 upstream.
+
+Add fdir_fltr_lock locking in unprotected places.
+
+The change in iavf_fdir_is_dup_fltr adds a spinlock around a loop which
+iterates over all filters and looks for a duplicate. The filter can be
+removed from list and freed from memory at the same time it's being
+compared. All other places where filters are deleted are already
+protected with spinlock.
+
+The remaining changes protect adapter->fdir_active_fltr variable so now
+all its uses are under a spinlock.
+
+Fixes: 527691bf0682 ("iavf: Support IPv4 Flow Director filters")
+Signed-off-by: Piotr Gardocki <piotrx.gardocki@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20230807205011.3129224-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_ethtool.c |    5 ++++-
+ drivers/net/ethernet/intel/iavf/iavf_fdir.c    |   11 ++++++++---
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c
+@@ -1401,14 +1401,15 @@ static int iavf_add_fdir_ethtool(struct
+       if (fsp->flow_type & FLOW_MAC_EXT)
+               return -EINVAL;
++      spin_lock_bh(&adapter->fdir_fltr_lock);
+       if (adapter->fdir_active_fltr >= IAVF_MAX_FDIR_FILTERS) {
++              spin_unlock_bh(&adapter->fdir_fltr_lock);
+               dev_err(&adapter->pdev->dev,
+                       "Unable to add Flow Director filter because VF reached the limit of max allowed filters (%u)\n",
+                       IAVF_MAX_FDIR_FILTERS);
+               return -ENOSPC;
+       }
+-      spin_lock_bh(&adapter->fdir_fltr_lock);
+       if (iavf_find_fdir_fltr_by_loc(adapter, fsp->location)) {
+               dev_err(&adapter->pdev->dev, "Failed to add Flow Director filter, it already exists\n");
+               spin_unlock_bh(&adapter->fdir_fltr_lock);
+@@ -1781,7 +1782,9 @@ static int iavf_get_rxnfc(struct net_dev
+       case ETHTOOL_GRXCLSRLCNT:
+               if (!FDIR_FLTR_SUPPORT(adapter))
+                       break;
++              spin_lock_bh(&adapter->fdir_fltr_lock);
+               cmd->rule_cnt = adapter->fdir_active_fltr;
++              spin_unlock_bh(&adapter->fdir_fltr_lock);
+               cmd->data = IAVF_MAX_FDIR_FILTERS;
+               ret = 0;
+               break;
+--- a/drivers/net/ethernet/intel/iavf/iavf_fdir.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_fdir.c
+@@ -722,7 +722,9 @@ void iavf_print_fdir_fltr(struct iavf_ad
+ bool iavf_fdir_is_dup_fltr(struct iavf_adapter *adapter, struct iavf_fdir_fltr *fltr)
+ {
+       struct iavf_fdir_fltr *tmp;
++      bool ret = false;
++      spin_lock_bh(&adapter->fdir_fltr_lock);
+       list_for_each_entry(tmp, &adapter->fdir_list_head, list) {
+               if (tmp->flow_type != fltr->flow_type)
+                       continue;
+@@ -732,11 +734,14 @@ bool iavf_fdir_is_dup_fltr(struct iavf_a
+                   !memcmp(&tmp->ip_data, &fltr->ip_data,
+                           sizeof(fltr->ip_data)) &&
+                   !memcmp(&tmp->ext_data, &fltr->ext_data,
+-                          sizeof(fltr->ext_data)))
+-                      return true;
++                          sizeof(fltr->ext_data))) {
++                      ret = true;
++                      break;
++              }
+       }
++      spin_unlock_bh(&adapter->fdir_fltr_lock);
+-      return false;
++      return ret;
+ }
+ /**
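Review bot: iavf_fdir_is_dup_fltr() releases `fdir_fltr_lock` before it returns, so the boolean is only a snapshot: a matching filter can be added to or removed from the list between this return and whatever the caller does next. Whether callers are serialised by another lock is not visible in these hunks, so the contract should be written in the comment above the function, for example `* Context: takes fdir_fltr_lock internally; the result may be stale on return unless the caller otherwise serialises filter updates.` The `fdir_active_fltr` limit test in iavf_add_fdir_ethtool() deserves the same check if the lock is dropped before the filter is inserted, which happens outside the hunk.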
diff --git a/queue-6.4/ib-hfi1-fix-possible-panic-during-hotplug-remove.patch b/queue-6.4/ib-hfi1-fix-possible-panic-during-hotplug-remove.patch
new file mode 100644 (file)
index 0000000..8e90465
--- /dev/null
@@ -0,0 +1,33 @@
+From 4fdfaef71fced490835145631a795497646f4555 Mon Sep 17 00:00:00 2001
+From: Douglas Miller <doug.miller@cornelisnetworks.com>
+Date: Wed, 2 Aug 2023 13:32:41 -0400
+Subject: IB/hfi1: Fix possible panic during hotplug remove
+
+From: Douglas Miller <doug.miller@cornelisnetworks.com>
+
+commit 4fdfaef71fced490835145631a795497646f4555 upstream.
+
+During hotplug remove it is possible that the update counters work
+might be pending, and may run after memory has been freed.
+Cancel the update counters work before freeing memory.
+
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Signed-off-by: Douglas Miller <doug.miller@cornelisnetworks.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
+Link: https://lore.kernel.org/r/169099756100.3927190.15284930454106475280.stgit@awfm-02.cornelisnetworks.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/hfi1/chip.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/hw/hfi1/chip.c
++++ b/drivers/infiniband/hw/hfi1/chip.c
+@@ -12307,6 +12307,7 @@ static void free_cntrs(struct hfi1_devda
+       if (dd->synth_stats_timer.function)
+               del_timer_sync(&dd->synth_stats_timer);
++      cancel_work_sync(&dd->update_cntr_work);
+       ppd = (struct hfi1_pportdata *)(dd + 1);
+       for (i = 0; i < dd->num_pports; i++, ppd++) {
+               kfree(ppd->cntrs);
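Review bot: The new `cancel_work_sync(&dd->update_cntr_work);` in free_cntrs() is unconditional, while the timer teardown directly above it is guarded by `if (dd->synth_stats_timer.function)`, which suggests free_cntrs() can run before the counter machinery is fully set up. If it can also run before the work item is initialised, cancelling it is not safe; a matching guard would be `if (dd->update_cntr_work.func)` on the line before. Keeping the cancel after `del_timer_sync()` is right if the timer is what queues the work, and a short comment saying so would stop the two from being reordered. The function starts and ends outside the hunk.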
diff --git a/queue-6.4/igc-add-lock-to-safeguard-global-qbv-variables.patch b/queue-6.4/igc-add-lock-to-safeguard-global-qbv-variables.patch
new file mode 100644 (file)
index 0000000..48d4cab
--- /dev/null
@@ -0,0 +1,146 @@
+From 06b412589eef780b792e73df131d35dc43cc4a49 Mon Sep 17 00:00:00 2001
+From: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
+Date: Mon, 7 Aug 2023 13:51:29 -0700
+Subject: igc: Add lock to safeguard global Qbv variables
+
+From: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
+
+commit 06b412589eef780b792e73df131d35dc43cc4a49 upstream.
+
+Access to shared variables through hrtimer requires locking in order
+to protect the variables because actions to write into these variables
+(oper_gate_closed, admin_gate_closed, and qbv_transition) might potentially
+occur simultaneously. This patch provides a locking mechanisms to avoid
+such scenarios.
+
+Fixes: 175c241288c0 ("igc: Fix TX Hang issue when QBV Gate is closed")
+Suggested-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Link: https://lore.kernel.org/r/20230807205129.3129346-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/igc/igc.h      |    4 +++
+ drivers/net/ethernet/intel/igc/igc_main.c |   34 ++++++++++++++++++++++++++++--
+ 2 files changed, 36 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/igc/igc.h
++++ b/drivers/net/ethernet/intel/igc/igc.h
+@@ -195,6 +195,10 @@ struct igc_adapter {
+       u32 qbv_config_change_errors;
+       bool qbv_transition;
+       unsigned int qbv_count;
++      /* Access to oper_gate_closed, admin_gate_closed and qbv_transition
++       * are protected by the qbv_tx_lock.
++       */
++      spinlock_t qbv_tx_lock;
+       /* OS defined structs */
+       struct pci_dev *pdev;
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -4799,6 +4799,7 @@ static int igc_sw_init(struct igc_adapte
+       adapter->nfc_rule_count = 0;
+       spin_lock_init(&adapter->stats64_lock);
++      spin_lock_init(&adapter->qbv_tx_lock);
+       /* Assume MSI-X interrupts, will be checked during IRQ allocation */
+       adapter->flags |= IGC_FLAG_HAS_MSIX;
+@@ -6117,15 +6118,15 @@ static int igc_tsn_enable_launchtime(str
+       return igc_tsn_offload_apply(adapter);
+ }
+-static int igc_tsn_clear_schedule(struct igc_adapter *adapter)
++static int igc_qbv_clear_schedule(struct igc_adapter *adapter)
+ {
++      unsigned long flags;
+       int i;
+       adapter->base_time = 0;
+       adapter->cycle_time = NSEC_PER_SEC;
+       adapter->taprio_offload_enable = false;
+       adapter->qbv_config_change_errors = 0;
+-      adapter->qbv_transition = false;
+       adapter->qbv_count = 0;
+       for (i = 0; i < adapter->num_tx_queues; i++) {
+@@ -6134,10 +6135,28 @@ static int igc_tsn_clear_schedule(struct
+               ring->start_time = 0;
+               ring->end_time = NSEC_PER_SEC;
+               ring->max_sdu = 0;
++      }
++
++      spin_lock_irqsave(&adapter->qbv_tx_lock, flags);
++
++      adapter->qbv_transition = false;
++
++      for (i = 0; i < adapter->num_tx_queues; i++) {
++              struct igc_ring *ring = adapter->tx_ring[i];
++
+               ring->oper_gate_closed = false;
+               ring->admin_gate_closed = false;
+       }
++      spin_unlock_irqrestore(&adapter->qbv_tx_lock, flags);
++
++      return 0;
++}
++
++static int igc_tsn_clear_schedule(struct igc_adapter *adapter)
++{
++      igc_qbv_clear_schedule(adapter);
++
+       return 0;
+ }
+@@ -6148,6 +6167,7 @@ static int igc_save_qbv_schedule(struct
+       struct igc_hw *hw = &adapter->hw;
+       u32 start_time = 0, end_time = 0;
+       struct timespec64 now;
++      unsigned long flags;
+       size_t n;
+       int i;
+@@ -6215,6 +6235,8 @@ static int igc_save_qbv_schedule(struct
+               start_time += e->interval;
+       }
++      spin_lock_irqsave(&adapter->qbv_tx_lock, flags);
++
+       /* Check whether a queue gets configured.
+        * If not, set the start and end time to be end time.
+        */
+@@ -6239,6 +6261,8 @@ static int igc_save_qbv_schedule(struct
+               }
+       }
++      spin_unlock_irqrestore(&adapter->qbv_tx_lock, flags);
++
+       for (i = 0; i < adapter->num_tx_queues; i++) {
+               struct igc_ring *ring = adapter->tx_ring[i];
+               struct net_device *dev = adapter->netdev;
+@@ -6603,8 +6627,11 @@ static enum hrtimer_restart igc_qbv_sche
+ {
+       struct igc_adapter *adapter = container_of(timer, struct igc_adapter,
+                                                  hrtimer);
++      unsigned long flags;
+       unsigned int i;
++      spin_lock_irqsave(&adapter->qbv_tx_lock, flags);
++
+       adapter->qbv_transition = true;
+       for (i = 0; i < adapter->num_tx_queues; i++) {
+               struct igc_ring *tx_ring = adapter->tx_ring[i];
+@@ -6617,6 +6644,9 @@ static enum hrtimer_restart igc_qbv_sche
+               }
+       }
+       adapter->qbv_transition = false;
++
++      spin_unlock_irqrestore(&adapter->qbv_tx_lock, flags);
++
+       return HRTIMER_NORESTART;
+ }
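Review bot: The comment added to struct igc_adapter in igc.h says access to oper_gate_closed, admin_gate_closed and qbv_transition is protected by qbv_tx_lock, but the locking added in igc_main.c covers only the three writers shown (igc_qbv_clear_schedule, igc_save_qbv_schedule and the hrtimer handler). Any reader outside these hunks, for example in the transmit path, would presumably still read the fields without the lock. Either the comment should say `/* Writes to oper_gate_closed, admin_gate_closed and qbv_transition are serialised by qbv_tx_lock. */` or the readers should be brought under the lock. In igc_save_qbv_schedule the lock and unlock sit in separate hunks, so it is worth confirming that no return path lies between them. As a style point, igc_qbv_clear_schedule always returns 0 and its only visible caller discards the value, so it could be `static void`.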
diff --git a/queue-6.4/ionic-add-missing-err-handling-for-queue-reconfig.patch b/queue-6.4/ionic-add-missing-err-handling-for-queue-reconfig.patch
new file mode 100644 (file)
index 0000000..bb5c969
--- /dev/null
@@ -0,0 +1,82 @@
+From 52417a95ff2d810dc31a68ae71102e741efea772 Mon Sep 17 00:00:00 2001
+From: Nitya Sunkad <nitya.sunkad@amd.com>
+Date: Fri, 4 Aug 2023 13:56:22 -0700
+Subject: ionic: Add missing err handling for queue reconfig
+
+From: Nitya Sunkad <nitya.sunkad@amd.com>
+
+commit 52417a95ff2d810dc31a68ae71102e741efea772 upstream.
+
+ionic_start_queues_reconfig returns an error code if txrx_init fails.
+Handle this error code in the relevant places.
+
+This fixes a corner case where the device could get left in a detached
+state if the CMB reconfig fails and the attempt to clean up the mess
+also fails. Note that calling netif_device_attach when the netdev is
+already attached does not lead to unexpected behavior.
+
+Change goto name "errout" to "err_out" to maintain consistency across
+goto statements.
+
+Fixes: 40bc471dc714 ("ionic: add tx/rx-push support with device Component Memory Buffers")
+Fixes: 6f7d6f0fd7a3 ("ionic: pull reset_queues into tx_timeout handler")
+Signed-off-by: Nitya Sunkad <nitya.sunkad@amd.com>
+Signed-off-by: Shannon Nelson <shannon.nelson@amd.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/pensando/ionic/ionic_lif.c |   23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c
++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+@@ -1816,6 +1816,7 @@ static int ionic_change_mtu(struct net_d
+ static void ionic_tx_timeout_work(struct work_struct *ws)
+ {
+       struct ionic_lif *lif = container_of(ws, struct ionic_lif, tx_timeout_work);
++      int err;
+       if (test_bit(IONIC_LIF_F_FW_RESET, lif->state))
+               return;
+@@ -1828,8 +1829,11 @@ static void ionic_tx_timeout_work(struct
+       mutex_lock(&lif->queue_lock);
+       ionic_stop_queues_reconfig(lif);
+-      ionic_start_queues_reconfig(lif);
++      err = ionic_start_queues_reconfig(lif);
+       mutex_unlock(&lif->queue_lock);
++
++      if (err)
++              dev_err(lif->ionic->dev, "%s: Restarting queues failed\n", __func__);
+ }
+ static void ionic_tx_timeout(struct net_device *netdev, unsigned int txqueue)
+@@ -2799,17 +2803,22 @@ static int ionic_cmb_reconfig(struct ion
+                       if (err) {
+                               dev_err(lif->ionic->dev,
+                                       "CMB restore failed: %d\n", err);
+-                              goto errout;
++                              goto err_out;
+                       }
+               }
+-              ionic_start_queues_reconfig(lif);
+-      } else {
+-              /* This was detached in ionic_stop_queues_reconfig() */
+-              netif_device_attach(lif->netdev);
++              err = ionic_start_queues_reconfig(lif);
++              if (err) {
++                      dev_err(lif->ionic->dev,
++                              "CMB reconfig failed: %d\n", err);
++                      goto err_out;
++              }
+       }
+-errout:
++err_out:
++      /* This was detached in ionic_stop_queues_reconfig() */
++      netif_device_attach(lif->netdev);
++
+       return err;
+ }
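Review bot: The new message in ionic_tx_timeout_work drops the error code, unlike the two messages in ionic_cmb_reconfig that print `%d`; `dev_err(lif->ionic->dev, "%s: Restarting queues failed: %d\n", __func__, err);` would make a failed recovery diagnosable from the log. That worker also only logs on failure, whereas ionic_cmb_reconfig now re-attaches the netdev on every exit. If ionic_start_queues_reconfig can fail with the device still detached, the timeout path would leave the interface down; that cannot be confirmed from the hunks shown. The `err_out` label is now reached on success as well, so `out` would describe it better. Both functions start outside their hunks.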
diff --git a/queue-6.4/mptcp-fix-the-incorrect-judgment-for-msk-cb_flags.patch b/queue-6.4/mptcp-fix-the-incorrect-judgment-for-msk-cb_flags.patch
new file mode 100644 (file)
index 0000000..1ab7dda
--- /dev/null
@@ -0,0 +1,37 @@
+From 17ebf8a4c38b5481c29623f5e003fdf7583947f9 Mon Sep 17 00:00:00 2001
+From: Xiang Yang <xiangyang3@huawei.com>
+Date: Thu, 3 Aug 2023 07:24:38 +0000
+Subject: mptcp: fix the incorrect judgment for msk->cb_flags
+
+From: Xiang Yang <xiangyang3@huawei.com>
+
+commit 17ebf8a4c38b5481c29623f5e003fdf7583947f9 upstream.
+
+Coccicheck reports the error below:
+net/mptcp/protocol.c:3330:15-28: ERROR: test of a variable/field address
+
+Since the address of msk->cb_flags is used in __test_and_clear_bit, the
+address should not be NULL. The judgment for if (unlikely(msk->cb_flags))
+will always be true, we should check the real value of msk->cb_flags here.
+
+Fixes: 65a569b03ca8 ("mptcp: optimize release_cb for the common case")
+Signed-off-by: Xiang Yang <xiangyang3@huawei.com>
+Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Link: https://lore.kernel.org/r/20230803072438.1847500-1-xiangyang3@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -3321,7 +3321,7 @@ static void mptcp_release_cb(struct sock
+       if (__test_and_clear_bit(MPTCP_CLEAN_UNA, &msk->cb_flags))
+               __mptcp_clean_una_wakeup(sk);
+-      if (unlikely(&msk->cb_flags)) {
++      if (unlikely(msk->cb_flags)) {
+               /* be sure to set the current sk state before tacking actions
+                * depending on sk_state, that is processing MPTCP_ERROR_REPORT
+                */
diff --git a/queue-6.4/net-packet-annotate-data-races-around-tp-status.patch b/queue-6.4/net-packet-annotate-data-races-around-tp-status.patch
new file mode 100644 (file)
index 0000000..f9e8374
--- /dev/null
@@ -0,0 +1,125 @@
+From 8a9896177784063d01068293caea3f74f6830ff6 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 3 Aug 2023 14:56:00 +0000
+Subject: net/packet: annotate data-races around tp->status
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 8a9896177784063d01068293caea3f74f6830ff6 upstream.
+
+Another syzbot report [1] is about tp->status lockless reads
+from __packet_get_status()
+
+[1]
+BUG: KCSAN: data-race in __packet_rcv_has_room / __packet_set_status
+
+write to 0xffff888117d7c080 of 8 bytes by interrupt on cpu 0:
+__packet_set_status+0x78/0xa0 net/packet/af_packet.c:407
+tpacket_rcv+0x18bb/0x1a60 net/packet/af_packet.c:2483
+deliver_skb net/core/dev.c:2173 [inline]
+__netif_receive_skb_core+0x408/0x1e80 net/core/dev.c:5337
+__netif_receive_skb_one_core net/core/dev.c:5491 [inline]
+__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5607
+process_backlog+0x21f/0x380 net/core/dev.c:5935
+__napi_poll+0x60/0x3b0 net/core/dev.c:6498
+napi_poll net/core/dev.c:6565 [inline]
+net_rx_action+0x32b/0x750 net/core/dev.c:6698
+__do_softirq+0xc1/0x265 kernel/softirq.c:571
+invoke_softirq kernel/softirq.c:445 [inline]
+__irq_exit_rcu+0x57/0xa0 kernel/softirq.c:650
+sysvec_apic_timer_interrupt+0x6d/0x80 arch/x86/kernel/apic/apic.c:1106
+asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
+smpboot_thread_fn+0x33c/0x4a0 kernel/smpboot.c:112
+kthread+0x1d7/0x210 kernel/kthread.c:379
+ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
+
+read to 0xffff888117d7c080 of 8 bytes by interrupt on cpu 1:
+__packet_get_status net/packet/af_packet.c:436 [inline]
+packet_lookup_frame net/packet/af_packet.c:524 [inline]
+__tpacket_has_room net/packet/af_packet.c:1255 [inline]
+__packet_rcv_has_room+0x3f9/0x450 net/packet/af_packet.c:1298
+tpacket_rcv+0x275/0x1a60 net/packet/af_packet.c:2285
+deliver_skb net/core/dev.c:2173 [inline]
+dev_queue_xmit_nit+0x38a/0x5e0 net/core/dev.c:2243
+xmit_one net/core/dev.c:3574 [inline]
+dev_hard_start_xmit+0xcf/0x3f0 net/core/dev.c:3594
+__dev_queue_xmit+0xefb/0x1d10 net/core/dev.c:4244
+dev_queue_xmit include/linux/netdevice.h:3088 [inline]
+can_send+0x4eb/0x5d0 net/can/af_can.c:276
+bcm_can_tx+0x314/0x410 net/can/bcm.c:302
+bcm_tx_timeout_handler+0xdb/0x260
+__run_hrtimer kernel/time/hrtimer.c:1685 [inline]
+__hrtimer_run_queues+0x217/0x700 kernel/time/hrtimer.c:1749
+hrtimer_run_softirq+0xd6/0x120 kernel/time/hrtimer.c:1766
+__do_softirq+0xc1/0x265 kernel/softirq.c:571
+run_ksoftirqd+0x17/0x20 kernel/softirq.c:939
+smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164
+kthread+0x1d7/0x210 kernel/kthread.c:379
+ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
+
+value changed: 0x0000000000000000 -> 0x0000000020000081
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 6.4.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
+
+Fixes: 69e3c75f4d54 ("net: TX_RING and packet mmap")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20230803145600.2937518-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c |   16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -401,18 +401,20 @@ static void __packet_set_status(struct p
+ {
+       union tpacket_uhdr h;
++      /* WRITE_ONCE() are paired with READ_ONCE() in __packet_get_status */
++
+       h.raw = frame;
+       switch (po->tp_version) {
+       case TPACKET_V1:
+-              h.h1->tp_status = status;
++              WRITE_ONCE(h.h1->tp_status, status);
+               flush_dcache_page(pgv_to_page(&h.h1->tp_status));
+               break;
+       case TPACKET_V2:
+-              h.h2->tp_status = status;
++              WRITE_ONCE(h.h2->tp_status, status);
+               flush_dcache_page(pgv_to_page(&h.h2->tp_status));
+               break;
+       case TPACKET_V3:
+-              h.h3->tp_status = status;
++              WRITE_ONCE(h.h3->tp_status, status);
+               flush_dcache_page(pgv_to_page(&h.h3->tp_status));
+               break;
+       default:
+@@ -429,17 +431,19 @@ static int __packet_get_status(const str
+       smp_rmb();
++      /* READ_ONCE() are paired with WRITE_ONCE() in __packet_set_status */
++
+       h.raw = frame;
+       switch (po->tp_version) {
+       case TPACKET_V1:
+               flush_dcache_page(pgv_to_page(&h.h1->tp_status));
+-              return h.h1->tp_status;
++              return READ_ONCE(h.h1->tp_status);
+       case TPACKET_V2:
+               flush_dcache_page(pgv_to_page(&h.h2->tp_status));
+-              return h.h2->tp_status;
++              return READ_ONCE(h.h2->tp_status);
+       case TPACKET_V3:
+               flush_dcache_page(pgv_to_page(&h.h3->tp_status));
+-              return h.h3->tp_status;
++              return READ_ONCE(h.h3->tp_status);
+       default:
+               WARN(1, "TPACKET version not supported.\n");
+               BUG();
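Review bot: The two comments added in __packet_set_status and __packet_get_status document only the kernel-side pairing of the annotations. Going by the Fixes subject ("TX_RING and packet mmap"), tp_status sits in a ring frame that is mapped into user space, so the READ_ONCE() also guarantees that the kernel acts on a single snapshot of a value another party can change at any time. I would extend the comment in __packet_get_status to something like `/* tp_status is in the mmap()ed ring: read it exactly once; pairs with WRITE_ONCE() in __packet_set_status */`. Both function bodies continue outside their hunks, so callers that fetch the status more than once per frame are not visible here.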
diff --git a/queue-6.4/net-smc-fix-setsockopt-and-sysctl-to-specify-same-buffer-size-again.patch b/queue-6.4/net-smc-fix-setsockopt-and-sysctl-to-specify-same-buffer-size-again.patch
new file mode 100644 (file)
index 0000000..4141c07
--- /dev/null
@@ -0,0 +1,226 @@
+From 833bac7ec392bf75053c8a4fa4c36d4148dac77d Mon Sep 17 00:00:00 2001
+From: Gerd Bayer <gbayer@linux.ibm.com>
+Date: Fri, 4 Aug 2023 19:06:23 +0200
+Subject: net/smc: Fix setsockopt and sysctl to specify same buffer size again
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gerd Bayer <gbayer@linux.ibm.com>
+
+commit 833bac7ec392bf75053c8a4fa4c36d4148dac77d upstream.
+
+Commit 0227f058aa29 ("net/smc: Unbind r/w buffer size from clcsock
+and make them tunable") introduced the net.smc.rmem and net.smc.wmem
+sysctls to specify the size of buffers to be used for SMC type
+connections. This created a regression for users that specified the
+buffer size via setsockopt() as the effective buffer size was now
+doubled.
+
+Re-introduce the division by 2 in the SMC buffer create code and level
+this out by duplicating the net.smc.[rw]mem values used for initializing
+sk_rcvbuf/sk_sndbuf at socket creation time. This gives users of both
+methods (setsockopt or sysctl) the effective buffer size that they
+expect.
+
+Initialize net.smc.[rw]mem from its own constant of 64kB, respectively.
+Internal performance tests show that this value is a good compromise
+between throughput/latency and memory consumption. Also, this decouples
+it from any tuning that was done to net.ipv4.tcp_[rw]mem[1] before the
+module for SMC protocol was loaded. Check that no more than INT_MAX / 2
+is assigned to net.smc.[rw]mem, in order to avoid any overflow condition
+when that is doubled for use in sk_sndbuf or sk_rcvbuf.
+
+While at it, drop the confusing sk_buf_size variable from
+__smc_buf_create and name "compressed" buffer size variables more
+consistently.
+
+Background:
+
+Before the commit mentioned above, SMC's buffer allocator in
+__smc_buf_create() always used half of the sockets' sk_rcvbuf/sk_sndbuf
+value as initial value to search for appropriate buffers. If the search
+resorted to using a bigger buffer when all buffers of the specified
+size were busy, the duplicate of the used effective buffer size is
+stored back to sk_rcvbuf/sk_sndbuf.
+
+When available, buffers of exactly the size that a user had specified as
+input to setsockopt() were used, despite setsockopt()'s documentation in
+"man 7 socket" talking of a mandatory duplication:
+
+[...]
+       SO_SNDBUF
+              Sets  or  gets the maximum socket send buffer in bytes.
+              The kernel doubles this value (to allow space for book‐
+              keeping  overhead)  when it is set using setsockopt(2),
+              and this doubled value is  returned  by  getsockopt(2).
+              The     default     value     is     set     by     the
+              /proc/sys/net/core/wmem_default file  and  the  maximum
+              allowed value is set by the /proc/sys/net/core/wmem_max
+              file.  The minimum (doubled) value for this  option  is
+              2048.
+[...]
+
+Fixes: 0227f058aa29 ("net/smc: Unbind r/w buffer size from clcsock and make them tunable")
+Co-developed-by: Jan Karcher <jaka@linux.ibm.com>
+Signed-off-by: Jan Karcher <jaka@linux.ibm.com>
+Reviewed-by: Wenjia Zhang <wenjia@linux.ibm.com>
+Reviewed-by: Tony Lu <tonylu@linux.alibaba.com>
+Signed-off-by: Gerd Bayer <gbayer@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/smc/af_smc.c     |    4 ++--
+ net/smc/smc.h        |    2 +-
+ net/smc/smc_clc.c    |    4 ++--
+ net/smc/smc_core.c   |   25 ++++++++++++-------------
+ net/smc/smc_sysctl.c |   10 ++++++++--
+ 5 files changed, 25 insertions(+), 20 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -378,8 +378,8 @@ static struct sock *smc_sock_alloc(struc
+       sk->sk_state = SMC_INIT;
+       sk->sk_destruct = smc_destruct;
+       sk->sk_protocol = protocol;
+-      WRITE_ONCE(sk->sk_sndbuf, READ_ONCE(net->smc.sysctl_wmem));
+-      WRITE_ONCE(sk->sk_rcvbuf, READ_ONCE(net->smc.sysctl_rmem));
++      WRITE_ONCE(sk->sk_sndbuf, 2 * READ_ONCE(net->smc.sysctl_wmem));
++      WRITE_ONCE(sk->sk_rcvbuf, 2 * READ_ONCE(net->smc.sysctl_rmem));
+       smc = smc_sk(sk);
+       INIT_WORK(&smc->tcp_listen_work, smc_tcp_listen_work);
+       INIT_WORK(&smc->connect_work, smc_connect_work);
+--- a/net/smc/smc.h
++++ b/net/smc/smc.h
+@@ -161,7 +161,7 @@ struct smc_connection {
+       struct smc_buf_desc     *sndbuf_desc;   /* send buffer descriptor */
+       struct smc_buf_desc     *rmb_desc;      /* RMBE descriptor */
+-      int                     rmbe_size_short;/* compressed notation */
++      int                     rmbe_size_comp; /* compressed notation */
+       int                     rmbe_update_limit;
+                                               /* lower limit for consumer
+                                                * cursor update
+--- a/net/smc/smc_clc.c
++++ b/net/smc/smc_clc.c
+@@ -1007,7 +1007,7 @@ static int smc_clc_send_confirm_accept(s
+               clc->d0.gid =
+                       conn->lgr->smcd->ops->get_local_gid(conn->lgr->smcd);
+               clc->d0.token = conn->rmb_desc->token;
+-              clc->d0.dmbe_size = conn->rmbe_size_short;
++              clc->d0.dmbe_size = conn->rmbe_size_comp;
+               clc->d0.dmbe_idx = 0;
+               memcpy(&clc->d0.linkid, conn->lgr->id, SMC_LGR_ID_SIZE);
+               if (version == SMC_V1) {
+@@ -1050,7 +1050,7 @@ static int smc_clc_send_confirm_accept(s
+                       clc->r0.qp_mtu = min(link->path_mtu, link->peer_mtu);
+                       break;
+               }
+-              clc->r0.rmbe_size = conn->rmbe_size_short;
++              clc->r0.rmbe_size = conn->rmbe_size_comp;
+               clc->r0.rmb_dma_addr = conn->rmb_desc->is_vm ?
+                       cpu_to_be64((uintptr_t)conn->rmb_desc->cpu_addr) :
+                       cpu_to_be64((u64)sg_dma_address
+--- a/net/smc/smc_core.c
++++ b/net/smc/smc_core.c
+@@ -2309,31 +2309,30 @@ static int __smc_buf_create(struct smc_s
+       struct smc_connection *conn = &smc->conn;
+       struct smc_link_group *lgr = conn->lgr;
+       struct list_head *buf_list;
+-      int bufsize, bufsize_short;
++      int bufsize, bufsize_comp;
+       struct rw_semaphore *lock;      /* lock buffer list */
+       bool is_dgraded = false;
+-      int sk_buf_size;
+       if (is_rmb)
+               /* use socket recv buffer size (w/o overhead) as start value */
+-              sk_buf_size = smc->sk.sk_rcvbuf;
++              bufsize = smc->sk.sk_rcvbuf / 2;
+       else
+               /* use socket send buffer size (w/o overhead) as start value */
+-              sk_buf_size = smc->sk.sk_sndbuf;
++              bufsize = smc->sk.sk_sndbuf / 2;
+-      for (bufsize_short = smc_compress_bufsize(sk_buf_size, is_smcd, is_rmb);
+-           bufsize_short >= 0; bufsize_short--) {
++      for (bufsize_comp = smc_compress_bufsize(bufsize, is_smcd, is_rmb);
++           bufsize_comp >= 0; bufsize_comp--) {
+               if (is_rmb) {
+                       lock = &lgr->rmbs_lock;
+-                      buf_list = &lgr->rmbs[bufsize_short];
++                      buf_list = &lgr->rmbs[bufsize_comp];
+               } else {
+                       lock = &lgr->sndbufs_lock;
+-                      buf_list = &lgr->sndbufs[bufsize_short];
++                      buf_list = &lgr->sndbufs[bufsize_comp];
+               }
+-              bufsize = smc_uncompress_bufsize(bufsize_short);
++              bufsize = smc_uncompress_bufsize(bufsize_comp);
+               /* check for reusable slot in the link group */
+-              buf_desc = smc_buf_get_slot(bufsize_short, lock, buf_list);
++              buf_desc = smc_buf_get_slot(bufsize_comp, lock, buf_list);
+               if (buf_desc) {
+                       buf_desc->is_dma_need_sync = 0;
+                       SMC_STAT_RMB_SIZE(smc, is_smcd, is_rmb, bufsize);
+@@ -2377,8 +2376,8 @@ static int __smc_buf_create(struct smc_s
+       if (is_rmb) {
+               conn->rmb_desc = buf_desc;
+-              conn->rmbe_size_short = bufsize_short;
+-              smc->sk.sk_rcvbuf = bufsize;
++              conn->rmbe_size_comp = bufsize_comp;
++              smc->sk.sk_rcvbuf = bufsize * 2;
+               atomic_set(&conn->bytes_to_rcv, 0);
+               conn->rmbe_update_limit =
+                       smc_rmb_wnd_update_limit(buf_desc->len);
+@@ -2386,7 +2385,7 @@ static int __smc_buf_create(struct smc_s
+                       smc_ism_set_conn(conn); /* map RMB/smcd_dev to conn */
+       } else {
+               conn->sndbuf_desc = buf_desc;
+-              smc->sk.sk_sndbuf = bufsize;
++              smc->sk.sk_sndbuf = bufsize * 2;
+               atomic_set(&conn->sndbuf_space, bufsize);
+       }
+       return 0;
+--- a/net/smc/smc_sysctl.c
++++ b/net/smc/smc_sysctl.c
+@@ -21,6 +21,10 @@
+ static int min_sndbuf = SMC_BUF_MIN_SIZE;
+ static int min_rcvbuf = SMC_BUF_MIN_SIZE;
++static int max_sndbuf = INT_MAX / 2;
++static int max_rcvbuf = INT_MAX / 2;
++static const int net_smc_wmem_init = (64 * 1024);
++static const int net_smc_rmem_init = (64 * 1024);
+ static struct ctl_table smc_table[] = {
+       {
+@@ -53,6 +57,7 @@ static struct ctl_table smc_table[] = {
+               .mode           = 0644,
+               .proc_handler   = proc_dointvec_minmax,
+               .extra1         = &min_sndbuf,
++              .extra2         = &max_sndbuf,
+       },
+       {
+               .procname       = "rmem",
+@@ -61,6 +66,7 @@ static struct ctl_table smc_table[] = {
+               .mode           = 0644,
+               .proc_handler   = proc_dointvec_minmax,
+               .extra1         = &min_rcvbuf,
++              .extra2         = &max_rcvbuf,
+       },
+       {  }
+ };
+@@ -88,8 +94,8 @@ int __net_init smc_sysctl_net_init(struc
+       net->smc.sysctl_autocorking_size = SMC_AUTOCORKING_DEFAULT_SIZE;
+       net->smc.sysctl_smcr_buf_type = SMCR_PHYS_CONT_BUFS;
+       net->smc.sysctl_smcr_testlink_time = SMC_LLC_TESTLINK_DEFAULT_TIME;
+-      WRITE_ONCE(net->smc.sysctl_wmem, READ_ONCE(net->ipv4.sysctl_tcp_wmem[1]));
+-      WRITE_ONCE(net->smc.sysctl_rmem, READ_ONCE(net->ipv4.sysctl_tcp_rmem[1]));
++      WRITE_ONCE(net->smc.sysctl_wmem, net_smc_wmem_init);
++      WRITE_ONCE(net->smc.sysctl_rmem, net_smc_rmem_init);
+       return 0;
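Review bot: In __smc_buf_create (smc_core.c) the new `bufsize = smc->sk.sk_rcvbuf / 2;` and `smc->sk.sk_rcvbuf = bufsize * 2;`, and their sndbuf twins, are plain accesses, while smc_sock_alloc in af_smc.c writes the same fields with WRITE_ONCE() in this same patch. If these fields can change concurrently (setsockopt is the obvious candidate, though that path is not shown), the accesses here should be annotated too: `bufsize = READ_ONCE(smc->sk.sk_rcvbuf) / 2;` and `WRITE_ONCE(smc->sk.sk_rcvbuf, bufsize * 2);`. The doubling convention is also spelled as a bare `2 *` or `/ 2` at six places across two files; a pair of small helpers or a named factor would keep them from drifting apart. The INT_MAX / 2 cap bounds only the sysctl path, so the write-back `bufsize * 2` relies on smc_uncompress_bufsize(), defined outside this patch, staying below that limit.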
diff --git a/queue-6.4/net-smc-use-correct-buffer-sizes-when-switching-between-tcp-and-smc.patch b/queue-6.4/net-smc-use-correct-buffer-sizes-when-switching-between-tcp-and-smc.patch
new file mode 100644 (file)
index 0000000..077c9d4
--- /dev/null
@@ -0,0 +1,141 @@
+From 30c3c4a4497c3765bf6b298f5072c8165aeaf7cc Mon Sep 17 00:00:00 2001
+From: Gerd Bayer <gbayer@linux.ibm.com>
+Date: Fri, 4 Aug 2023 19:06:24 +0200
+Subject: net/smc: Use correct buffer sizes when switching between TCP and SMC
+
+From: Gerd Bayer <gbayer@linux.ibm.com>
+
+commit 30c3c4a4497c3765bf6b298f5072c8165aeaf7cc upstream.
+
+Tuning of the effective buffer size through setsockopts was working for
+SMC traffic only but not for TCP fall-back connections even before
+commit 0227f058aa29 ("net/smc: Unbind r/w buffer size from clcsock and
+make them tunable"). That change made it apparent that TCP fall-back
+connections would use net.smc.[rw]mem as buffer size instead of
+net.ipv4_tcp_[rw]mem.
+
+Amend the code that copies attributes between the (TCP) clcsock and the
+SMC socket and adjust buffer sizes appropriately:
+- Copy over sk_userlocks so that both sockets agree on whether tuning
+  via setsockopt is active.
+- When falling back to TCP use sk_sndbuf or sk_rcvbuf as specified with
+  setsockopt. Otherwise, use the sysctl value for TCP/IPv4.
+- Likewise, use either values from setsockopt or from sysctl for SMC
+  (duplicated) on successful SMC connect.
+
+In smc_tcp_listen_work() drop the explicit copy of buffer sizes as that
+is taken care of by the attribute copy.
+
+Fixes: 0227f058aa29 ("net/smc: Unbind r/w buffer size from clcsock and make them tunable")
+Reviewed-by: Wenjia Zhang <wenjia@linux.ibm.com>
+Reviewed-by: Tony Lu <tonylu@linux.alibaba.com>
+Signed-off-by: Gerd Bayer <gbayer@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/smc/af_smc.c |   73 ++++++++++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 51 insertions(+), 22 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -436,13 +436,60 @@ out:
+       return rc;
+ }
++/* copy only relevant settings and flags of SOL_SOCKET level from smc to
++ * clc socket (since smc is not called for these options from net/core)
++ */
++
++#define SK_FLAGS_SMC_TO_CLC ((1UL << SOCK_URGINLINE) | \
++                           (1UL << SOCK_KEEPOPEN) | \
++                           (1UL << SOCK_LINGER) | \
++                           (1UL << SOCK_BROADCAST) | \
++                           (1UL << SOCK_TIMESTAMP) | \
++                           (1UL << SOCK_DBG) | \
++                           (1UL << SOCK_RCVTSTAMP) | \
++                           (1UL << SOCK_RCVTSTAMPNS) | \
++                           (1UL << SOCK_LOCALROUTE) | \
++                           (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE) | \
++                           (1UL << SOCK_RXQ_OVFL) | \
++                           (1UL << SOCK_WIFI_STATUS) | \
++                           (1UL << SOCK_NOFCS) | \
++                           (1UL << SOCK_FILTER_LOCKED) | \
++                           (1UL << SOCK_TSTAMP_NEW))
++
++/* if set, use value set by setsockopt() - else use IPv4 or SMC sysctl value */
++static void smc_adjust_sock_bufsizes(struct sock *nsk, struct sock *osk,
++                                   unsigned long mask)
++{
++      struct net *nnet = sock_net(nsk);
++
++      nsk->sk_userlocks = osk->sk_userlocks;
++      if (osk->sk_userlocks & SOCK_SNDBUF_LOCK) {
++              nsk->sk_sndbuf = osk->sk_sndbuf;
++      } else {
++              if (mask == SK_FLAGS_SMC_TO_CLC)
++                      WRITE_ONCE(nsk->sk_sndbuf,
++                                 READ_ONCE(nnet->ipv4.sysctl_tcp_wmem[1]));
++              else
++                      WRITE_ONCE(nsk->sk_sndbuf,
++                                 2 * READ_ONCE(nnet->smc.sysctl_wmem));
++      }
++      if (osk->sk_userlocks & SOCK_RCVBUF_LOCK) {
++              nsk->sk_rcvbuf = osk->sk_rcvbuf;
++      } else {
++              if (mask == SK_FLAGS_SMC_TO_CLC)
++                      WRITE_ONCE(nsk->sk_rcvbuf,
++                                 READ_ONCE(nnet->ipv4.sysctl_tcp_rmem[1]));
++              else
++                      WRITE_ONCE(nsk->sk_rcvbuf,
++                                 2 * READ_ONCE(nnet->smc.sysctl_rmem));
++      }
++}
++
+ static void smc_copy_sock_settings(struct sock *nsk, struct sock *osk,
+                                  unsigned long mask)
+ {
+       /* options we don't get control via setsockopt for */
+       nsk->sk_type = osk->sk_type;
+-      nsk->sk_sndbuf = osk->sk_sndbuf;
+-      nsk->sk_rcvbuf = osk->sk_rcvbuf;
+       nsk->sk_sndtimeo = osk->sk_sndtimeo;
+       nsk->sk_rcvtimeo = osk->sk_rcvtimeo;
+       nsk->sk_mark = READ_ONCE(osk->sk_mark);
+@@ -453,26 +500,10 @@ static void smc_copy_sock_settings(struc
+       nsk->sk_flags &= ~mask;
+       nsk->sk_flags |= osk->sk_flags & mask;
++
++      smc_adjust_sock_bufsizes(nsk, osk, mask);
+ }
+-#define SK_FLAGS_SMC_TO_CLC ((1UL << SOCK_URGINLINE) | \
+-                           (1UL << SOCK_KEEPOPEN) | \
+-                           (1UL << SOCK_LINGER) | \
+-                           (1UL << SOCK_BROADCAST) | \
+-                           (1UL << SOCK_TIMESTAMP) | \
+-                           (1UL << SOCK_DBG) | \
+-                           (1UL << SOCK_RCVTSTAMP) | \
+-                           (1UL << SOCK_RCVTSTAMPNS) | \
+-                           (1UL << SOCK_LOCALROUTE) | \
+-                           (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE) | \
+-                           (1UL << SOCK_RXQ_OVFL) | \
+-                           (1UL << SOCK_WIFI_STATUS) | \
+-                           (1UL << SOCK_NOFCS) | \
+-                           (1UL << SOCK_FILTER_LOCKED) | \
+-                           (1UL << SOCK_TSTAMP_NEW))
+-/* copy only relevant settings and flags of SOL_SOCKET level from smc to
+- * clc socket (since smc is not called for these options from net/core)
+- */
+ static void smc_copy_sock_settings_to_clc(struct smc_sock *smc)
+ {
+       smc_copy_sock_settings(smc->clcsock->sk, &smc->sk, SK_FLAGS_SMC_TO_CLC);
+@@ -2479,8 +2510,6 @@ static void smc_tcp_listen_work(struct w
+               sock_hold(lsk); /* sock_put in smc_listen_work */
+               INIT_WORK(&new_smc->smc_listen_work, smc_listen_work);
+               smc_copy_sock_settings_to_smc(new_smc);
+-              new_smc->sk.sk_sndbuf = lsmc->sk.sk_sndbuf;
+-              new_smc->sk.sk_rcvbuf = lsmc->sk.sk_rcvbuf;
+               sock_hold(&new_smc->sk); /* sock_put in passive closing */
+               if (!queue_work(smc_hs_wq, &new_smc->smc_listen_work))
+                       sock_put(&new_smc->sk);
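Review bot: smc_adjust_sock_bufsizes() copies the whole lock field with `nsk->sk_userlocks = osk->sk_userlocks;`, although only SOCK_SNDBUF_LOCK and SOCK_RCVBUF_LOCK are consulted afterwards. Any other lock bit already set on the destination socket would be overwritten, so I would restrict the copy to the two buffer bits, e.g. `nsk->sk_userlocks = (nsk->sk_userlocks & ~(SOCK_SNDBUF_LOCK | SOCK_RCVBUF_LOCK)) | (osk->sk_userlocks & (SOCK_SNDBUF_LOCK | SOCK_RCVBUF_LOCK));`. The function also infers the copy direction from `mask == SK_FLAGS_SMC_TO_CLC`, which breaks silently if the two flag masks ever become equal; an explicit direction argument would be clearer. The locked branches assign sk_sndbuf and sk_rcvbuf plainly while the else branches use WRITE_ONCE(), which is worth making consistent.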
diff --git a/queue-6.4/pci-move-of-status-disabled-detection-to-dev-match_driver.patch b/queue-6.4/pci-move-of-status-disabled-detection-to-dev-match_driver.patch
new file mode 100644 (file)
index 0000000..815e0e6
--- /dev/null
@@ -0,0 +1,93 @@
+From 1a8c251cff2052b60009a070173308322e9600d3 Mon Sep 17 00:00:00 2001
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+Date: Thu, 3 Aug 2023 16:58:56 +0300
+Subject: PCI: move OF status = "disabled" detection to dev->match_driver
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+commit 1a8c251cff2052b60009a070173308322e9600d3 upstream.
+
+The blamed commit has broken probing on
+arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi when &enetc_port0
+(PCI function 0) has status = "disabled".
+
+Background: pci_scan_slot() has logic to say that if the function 0 of a
+device is absent, the entire device is absent and we can skip the other
+functions entirely. Traditionally, this has meant that
+pci_bus_read_dev_vendor_id() returns an error code for that function.
+
+However, since the blamed commit, there is an extra confounding
+condition: function 0 of the device exists and has a valid vendor id,
+but it is disabled in the device tree. In that case, pci_scan_slot()
+would incorrectly skip the entire device instead of just that function.
+
+In the case of NXP LS1028A, status = "disabled" does not mean that the
+PCI function's config space is not available for reading. It is, but the
+Ethernet port is just not functionally useful with a particular SerDes
+protocol configuration (0x9999) due to pinmuxing constraints of the Soc.
+So, pci_scan_slot() skips all other functions on the ENETC ECAM
+(enetc_port1, enetc_port2, enetc_mdio_pf3 etc) when just enetc_port0 had
+to not be probed.
+
+There is an additional regression introduced by the change, caused by
+its fundamental premise. The enetc driver needs to run code for all PCI
+functions, regardless of whether they're enabled or not in the device
+tree. That is no longer possible if the driver's probe function is no
+longer called. But Rob recommends that we move the of_device_is_available()
+detection to dev->match_driver, and this makes the PCI fixups still run
+on all functions, while just probing drivers for those functions that
+are enabled. So, a separate change in the enetc driver will have to move
+the workarounds to a PCI fixup.
+
+Fixes: 6fffbc7ae137 ("PCI: Honor firmware's device disabled status")
+Link: https://lore.kernel.org/netdev/CAL_JsqLsVYiPLx2kcHkDQ4t=hQVCR7NHziDwi9cCFUFhx48Qow@mail.gmail.com/
+Suggested-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/bus.c |    4 +++-
+ drivers/pci/of.c  |    5 -----
+ 2 files changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/pci/bus.c
++++ b/drivers/pci/bus.c
+@@ -11,6 +11,7 @@
+ #include <linux/pci.h>
+ #include <linux/errno.h>
+ #include <linux/ioport.h>
++#include <linux/of.h>
+ #include <linux/proc_fs.h>
+ #include <linux/slab.h>
+@@ -332,6 +333,7 @@ void __weak pcibios_bus_add_device(struc
+  */
+ void pci_bus_add_device(struct pci_dev *dev)
+ {
++      struct device_node *dn = dev->dev.of_node;
+       int retval;
+       /*
+@@ -344,7 +346,7 @@ void pci_bus_add_device(struct pci_dev *
+       pci_proc_attach_device(dev);
+       pci_bridge_d3_update(dev);
+-      dev->match_driver = true;
++      dev->match_driver = !dn || of_device_is_available(dn);
+       retval = device_attach(&dev->dev);
+       if (retval < 0 && retval != -EPROBE_DEFER)
+               pci_warn(dev, "device attach failed (%d)\n", retval);
+--- a/drivers/pci/of.c
++++ b/drivers/pci/of.c
+@@ -34,11 +34,6 @@ int pci_set_of_node(struct pci_dev *dev)
+       if (!node)
+               return 0;
+-      if (!of_device_is_available(node)) {
+-              of_node_put(node);
+-              return -ENODEV;
+-      }
+-
+       dev->dev.of_node = node;
+       dev->dev.fwnode = &node->fwnode;
+       return 0;
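Review bot: The new assignment `dev->match_driver = !dn || of_device_is_available(dn);` in pci_bus_add_device() has no comment explaining the policy it now enforces. With the availability check removed from pci_set_of_node(), a function marked status = "disabled" is enumerated with its of_node attached, and only driver matching is withheld. I would add above the assignment `/* Disabled in the device tree: keep the device and its fixups, but do not match a driver */`. Whether every binding path honours match_driver is not visible here and is worth confirming, since firmware-disabled functions are no longer rejected at scan time. pci_bus_add_device() continues between and after the hunks shown.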
index 8b4e2eedae6439c2d93fbf38e0d0c566a96b9709..861a3c29b1c5f4d71bfd6bec6f92a4bf40316ed4 100644 (file)
@@ -124,3 +124,26 @@ bpf-sockmap-fix-bug-that-strp_done-cannot-be-called.patch
 hwmon-aquacomputer_d5next-add-selective-200ms-delay-after-sending-ctrl-report.patch
 misdn-update-parameter-type-of-dsp_cmx_send.patch
 macsec-use-dev_stats_inc.patch
+mptcp-fix-the-incorrect-judgment-for-msk-cb_flags.patch
+igc-add-lock-to-safeguard-global-qbv-variables.patch
+ionic-add-missing-err-handling-for-queue-reconfig.patch
+net-packet-annotate-data-races-around-tp-status.patch
+net-smc-fix-setsockopt-and-sysctl-to-specify-same-buffer-size-again.patch
+net-smc-use-correct-buffer-sizes-when-switching-between-tcp-and-smc.patch
+pci-move-of-status-disabled-detection-to-dev-match_driver.patch
+tcp-add-missing-family-to-tcp_set_ca_state-tracepoint.patch
+tunnels-fix-kasan-splat-when-generating-ipv4-pmtu-error.patch
+vlan-fix-vlan-0-memory-leak.patch
+xsk-fix-refcount-underflow-in-error-path.patch
+bonding-fix-incorrect-deletion-of-eth_p_8021ad-protocol-vid-from-slaves.patch
+dccp-fix-data-race-around-dp-dccps_mss_cache.patch
+drivers-net-prevent-tun_build_skb-to-exceed-the-packet-size-limit.patch
+drivers-vxlan-vnifilter-free-percpu-vni-stats-on-error-path.patch
+iavf-fix-potential-races-for-fdir-filters.patch
+ib-hfi1-fix-possible-panic-during-hotplug-remove.patch
+drm-amd-display-don-t-show-stack-trace-for-missing-edp.patch
+drm-bridge-it6505-check-power-state-with-it6505-powered-in-irq-handler.patch
+drm-nouveau-remove-unused-tu102_gr_load-function.patch
+drm-rockchip-don-t-spam-logs-in-atomic-check.patch
+wifi-brcm80211-handle-params_v1-allocation-failure.patch
+wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch
diff --git a/queue-6.4/tcp-add-missing-family-to-tcp_set_ca_state-tracepoint.patch b/queue-6.4/tcp-add-missing-family-to-tcp_set_ca_state-tracepoint.patch
new file mode 100644 (file)
index 0000000..5dbe673
--- /dev/null
@@ -0,0 +1,52 @@
+From 8a70ed9520c5fafaac91053cacdd44625c39e188 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 8 Aug 2023 08:49:23 +0000
+Subject: tcp: add missing family to tcp_set_ca_state() tracepoint
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 8a70ed9520c5fafaac91053cacdd44625c39e188 upstream.
+
+Before this code is copied, add the missing family, as we did in
+commit 3dd344ea84e1 ("net: tracepoint: exposing sk_family in all tcp:tracepoints")
+
+Fixes: 15fcdf6ae116 ("tcp: Add tracepoint for tcp_set_ca_state")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Ping Gan <jacky_gam_2001@163.com>
+Cc: Manjusaka <me@manjusaka.me>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20230808084923.2239142-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/trace/events/tcp.h |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/include/trace/events/tcp.h
++++ b/include/trace/events/tcp.h
+@@ -381,6 +381,7 @@ TRACE_EVENT(tcp_cong_state_set,
+               __field(const void *, skaddr)
+               __field(__u16, sport)
+               __field(__u16, dport)
++              __field(__u16, family)
+               __array(__u8, saddr, 4)
+               __array(__u8, daddr, 4)
+               __array(__u8, saddr_v6, 16)
+@@ -396,6 +397,7 @@ TRACE_EVENT(tcp_cong_state_set,
+               __entry->sport = ntohs(inet->inet_sport);
+               __entry->dport = ntohs(inet->inet_dport);
++              __entry->family = sk->sk_family;
+               p32 = (__be32 *) __entry->saddr;
+               *p32 = inet->inet_saddr;
+@@ -409,7 +411,8 @@ TRACE_EVENT(tcp_cong_state_set,
+               __entry->cong_state = ca_state;
+       ),
+-      TP_printk("sport=%hu dport=%hu saddr=%pI4 daddr=%pI4 saddrv6=%pI6c daddrv6=%pI6c cong_state=%u",
++      TP_printk("family=%s sport=%hu dport=%hu saddr=%pI4 daddr=%pI4 saddrv6=%pI6c daddrv6=%pI6c cong_state=%u",
++                show_family_name(__entry->family),
+                 __entry->sport, __entry->dport,
+                 __entry->saddr, __entry->daddr,
+                 __entry->saddr_v6, __entry->daddr_v6,
diff --git a/queue-6.4/tunnels-fix-kasan-splat-when-generating-ipv4-pmtu-error.patch b/queue-6.4/tunnels-fix-kasan-splat-when-generating-ipv4-pmtu-error.patch
new file mode 100644 (file)
index 0000000..e291f69
--- /dev/null
@@ -0,0 +1,48 @@
+From 6a7ac3d20593865209dceb554d8b3f094c6bd940 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 3 Aug 2023 17:26:49 +0200
+Subject: tunnels: fix kasan splat when generating ipv4 pmtu error
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 6a7ac3d20593865209dceb554d8b3f094c6bd940 upstream.
+
+If we try to emit an icmp error in response to a nonliner skb, we get
+
+BUG: KASAN: slab-out-of-bounds in ip_compute_csum+0x134/0x220
+Read of size 4 at addr ffff88811c50db00 by task iperf3/1691
+CPU: 2 PID: 1691 Comm: iperf3 Not tainted 6.5.0-rc3+ #309
+[..]
+ kasan_report+0x105/0x140
+ ip_compute_csum+0x134/0x220
+ iptunnel_pmtud_build_icmp+0x554/0x1020
+ skb_tunnel_check_pmtu+0x513/0xb80
+ vxlan_xmit_one+0x139e/0x2ef0
+ vxlan_xmit+0x1867/0x2760
+ dev_hard_start_xmit+0x1ee/0x4f0
+ br_dev_queue_push_xmit+0x4d1/0x660
+ [..]
+
+ip_compute_csum() cannot deal with nonlinear skbs, so avoid it.
+After this change, splat is gone and iperf3 is no longer stuck.
+
+Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Link: https://lore.kernel.org/r/20230803152653.29535-2-fw@strlen.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_tunnel_core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_tunnel_core.c
++++ b/net/ipv4/ip_tunnel_core.c
+@@ -224,7 +224,7 @@ static int iptunnel_pmtud_build_icmp(str
+               .un.frag.__unused       = 0,
+               .un.frag.mtu            = htons(mtu),
+       };
+-      icmph->checksum = ip_compute_csum(icmph, len);
++      icmph->checksum = csum_fold(skb_checksum(skb, 0, len, 0));
+       skb_reset_transport_header(skb);
+       niph = skb_push(skb, sizeof(*niph));
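Review bot: The replacement line `icmph->checksum = csum_fold(skb_checksum(skb, 0, len, 0));` in iptunnel_pmtud_build_icmp() relies on two things the code does not state: that offset 0 of the skb is the ICMP header, and that icmph->checksum is zero before the sum is taken. The initializer above it is only partly inside the hunk, so the second cannot be confirmed from here. A short comment would keep a later cleanup from switching back to the linear helper and reintroducing the out-of-bounds read: `/* skb may be nonlinear; skb_checksum() walks the fragments, ip_compute_csum() does not */`. It would also help to say where `len` is bounded against the skb length, since it is set outside the hunk.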
diff --git a/queue-6.4/vlan-fix-vlan-0-memory-leak.patch b/queue-6.4/vlan-fix-vlan-0-memory-leak.patch
new file mode 100644 (file)
index 0000000..9df62c6
--- /dev/null
@@ -0,0 +1,90 @@
+From 718cb09aaa6fa78cc8124e9517efbc6c92665384 Mon Sep 17 00:00:00 2001
+From: Vlad Buslov <vladbu@nvidia.com>
+Date: Tue, 8 Aug 2023 11:35:21 +0200
+Subject: vlan: Fix VLAN 0 memory leak
+
+From: Vlad Buslov <vladbu@nvidia.com>
+
+commit 718cb09aaa6fa78cc8124e9517efbc6c92665384 upstream.
+
+The referenced commit intended to fix memleak of VLAN 0 that is implicitly
+created on devices with NETIF_F_HW_VLAN_CTAG_FILTER feature. However, it
+doesn't take into account that the feature can be re-set during the
+netdevice lifetime which will cause memory leak if feature is disabled
+during the device deletion as illustrated by [0]. Fix the leak by
+unconditionally deleting VLAN 0 on NETDEV_DOWN event.
+
+[0]:
+> modprobe 8021q
+> ip l set dev eth2 up
+> ethtool -K eth2 rx-vlan-filter off
+> modprobe -r mlx5_ib
+> modprobe -r mlx5_core
+> cat /sys/kernel/debug/kmemleak
+unreferenced object 0xffff888103dcd900 (size 256):
+  comm "ip", pid 1490, jiffies 4294907305 (age 325.364s)
+  hex dump (first 32 bytes):
+    00 80 5d 03 81 88 ff ff 00 00 00 00 00 00 00 00  ..].............
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  backtrace:
+    [<00000000899f3bb9>] kmalloc_trace+0x25/0x80
+    [<000000002889a7a2>] vlan_vid_add+0xa0/0x210
+    [<000000007177800e>] vlan_device_event+0x374/0x760 [8021q]
+    [<000000009a0716b1>] notifier_call_chain+0x35/0xb0
+    [<00000000bbf3d162>] __dev_notify_flags+0x58/0xf0
+    [<0000000053d2b05d>] dev_change_flags+0x4d/0x60
+    [<00000000982807e9>] do_setlink+0x28d/0x10a0
+    [<0000000058c1be00>] __rtnl_newlink+0x545/0x980
+    [<00000000e66c3bd9>] rtnl_newlink+0x44/0x70
+    [<00000000a2cc5970>] rtnetlink_rcv_msg+0x29c/0x390
+    [<00000000d307d1e4>] netlink_rcv_skb+0x54/0x100
+    [<00000000259d16f9>] netlink_unicast+0x1f6/0x2c0
+    [<000000007ce2afa1>] netlink_sendmsg+0x232/0x4a0
+    [<00000000f3f4bb39>] sock_sendmsg+0x38/0x60
+    [<000000002f9c0624>] ____sys_sendmsg+0x1e3/0x200
+    [<00000000d6ff5520>] ___sys_sendmsg+0x80/0xc0
+unreferenced object 0xffff88813354fde0 (size 32):
+  comm "ip", pid 1490, jiffies 4294907305 (age 325.364s)
+  hex dump (first 32 bytes):
+    a0 d9 dc 03 81 88 ff ff a0 d9 dc 03 81 88 ff ff  ................
+    81 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
+  backtrace:
+    [<00000000899f3bb9>] kmalloc_trace+0x25/0x80
+    [<000000002da64724>] vlan_vid_add+0xdf/0x210
+    [<000000007177800e>] vlan_device_event+0x374/0x760 [8021q]
+    [<000000009a0716b1>] notifier_call_chain+0x35/0xb0
+    [<00000000bbf3d162>] __dev_notify_flags+0x58/0xf0
+    [<0000000053d2b05d>] dev_change_flags+0x4d/0x60
+    [<00000000982807e9>] do_setlink+0x28d/0x10a0
+    [<0000000058c1be00>] __rtnl_newlink+0x545/0x980
+    [<00000000e66c3bd9>] rtnl_newlink+0x44/0x70
+    [<00000000a2cc5970>] rtnetlink_rcv_msg+0x29c/0x390
+    [<00000000d307d1e4>] netlink_rcv_skb+0x54/0x100
+    [<00000000259d16f9>] netlink_unicast+0x1f6/0x2c0
+    [<000000007ce2afa1>] netlink_sendmsg+0x232/0x4a0
+    [<00000000f3f4bb39>] sock_sendmsg+0x38/0x60
+    [<000000002f9c0624>] ____sys_sendmsg+0x1e3/0x200
+    [<00000000d6ff5520>] ___sys_sendmsg+0x80/0xc0
+
+Fixes: efc73f4bbc23 ("net: Fix memory leak - vlan_info struct")
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
+Link: https://lore.kernel.org/r/20230808093521.1468929-1-vladbu@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/8021q/vlan.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/8021q/vlan.c
++++ b/net/8021q/vlan.c
+@@ -384,8 +384,7 @@ static int vlan_device_event(struct noti
+                       dev->name);
+               vlan_vid_add(dev, htons(ETH_P_8021Q), 0);
+       }
+-      if (event == NETDEV_DOWN &&
+-          (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER))
++      if (event == NETDEV_DOWN)
+               vlan_vid_del(dev, htons(ETH_P_8021Q), 0);
+       vlan_info = rtnl_dereference(dev->vlan_info);
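Review bot: After this change the delete under `if (event == NETDEV_DOWN)` is unconditional, while the `vlan_vid_add(dev, htons(ETH_P_8021Q), 0)` above it sits in a block whose condition starts outside the hunk, so the add and the delete are no longer paired. A device that came up without the implicit VLAN 0 would still have vlan_vid_del() called for VID 0 on the way down. If that VID is reference counted (not visible here), this could drop a reference owned by an explicitly configured VLAN 0. Recording whether the implicit add was done, and deleting only then, would fix the leak without that risk; at minimum the asymmetry deserves a comment such as `/* VLAN 0 may have been added while the filter feature was on; always try to remove it */`. vlan_device_event() continues outside the hunk.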
diff --git a/queue-6.4/wifi-brcm80211-handle-params_v1-allocation-failure.patch b/queue-6.4/wifi-brcm80211-handle-params_v1-allocation-failure.patch
new file mode 100644 (file)
index 0000000..17ad83c
--- /dev/null
@@ -0,0 +1,46 @@
+From 07d698324110339b420deebab7a7805815340b4f Mon Sep 17 00:00:00 2001
+From: Petr Tesarik <petr.tesarik.ext@huawei.com>
+Date: Wed, 2 Aug 2023 18:34:30 +0200
+Subject: wifi: brcm80211: handle params_v1 allocation failure
+
+From: Petr Tesarik <petr.tesarik.ext@huawei.com>
+
+commit 07d698324110339b420deebab7a7805815340b4f upstream.
+
+Return -ENOMEM from brcmf_run_escan() if kzalloc() fails for v1 params.
+
+Fixes: 398ce273d6b1 ("wifi: brcmfmac: cfg80211: Add support for scan params v2")
+Signed-off-by: Petr Tesarik <petr.tesarik.ext@huawei.com>
+Link: https://lore.kernel.org/r/20230802163430.1656-1-petrtesarik@huaweicloud.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+index de8a2e27f49c..2a90bb24ba77 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -1456,6 +1456,10 @@ brcmf_run_escan(struct brcmf_cfg80211_info *cfg, struct brcmf_if *ifp,
+               params_size -= BRCMF_SCAN_PARAMS_V2_FIXED_SIZE;
+               params_size += BRCMF_SCAN_PARAMS_FIXED_SIZE;
+               params_v1 = kzalloc(params_size, GFP_KERNEL);
++              if (!params_v1) {
++                      err = -ENOMEM;
++                      goto exit_params;
++              }
+               params_v1->version = cpu_to_le32(BRCMF_ESCAN_REQ_VERSION);
+               brcmf_scan_params_v2_to_v1(&params->params_v2_le, &params_v1->params_le);
+               kfree(params);
+@@ -1473,6 +1477,7 @@ brcmf_run_escan(struct brcmf_cfg80211_info *cfg, struct brcmf_if *ifp,
+                       bphy_err(drvr, "error (%d)\n", err);
+       }
++exit_params:
+       kfree(params);
+ exit:
+       return err;
+-- 
+2.41.0
+
diff --git a/queue-6.4/wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch b/queue-6.4/wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch
new file mode 100644 (file)
index 0000000..3e105c3
--- /dev/null
@@ -0,0 +1,33 @@
+From 5fb9a9fb71a33be61d7d8e8ba4597bfb18d604d0 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Thu, 22 Jun 2023 18:59:19 +0200
+Subject: wifi: cfg80211: fix sband iftype data lookup for AP_VLAN
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 5fb9a9fb71a33be61d7d8e8ba4597bfb18d604d0 upstream.
+
+AP_VLAN interfaces are virtual, so doesn't really exist as a type for
+capabilities. When passed in as a type, AP is the one that's really intended.
+
+Fixes: c4cbaf7973a7 ("cfg80211: Add support for HE")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20230622165919.46841-1-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/cfg80211.h |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/include/net/cfg80211.h
++++ b/include/net/cfg80211.h
+@@ -562,6 +562,9 @@ ieee80211_get_sband_iftype_data(const st
+       if (WARN_ON(iftype >= NL80211_IFTYPE_MAX))
+               return NULL;
++      if (iftype == NL80211_IFTYPE_AP_VLAN)
++              iftype = NL80211_IFTYPE_AP;
++
+       for (i = 0; i < sband->n_iftype_data; i++)  {
+               const struct ieee80211_sband_iftype_data *data =
+                       &sband->iftype_data[i];
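Review bot: The remap added to ieee80211_get_sband_iftype_data() has no comment, so the reason for it lives only in the commit message. I would add `/* AP_VLAN is virtual and has no capability data of its own; look up AP instead */` above `if (iftype == NL80211_IFTYPE_AP_VLAN)`. The function starts and ends outside the hunk.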
diff --git a/queue-6.4/xsk-fix-refcount-underflow-in-error-path.patch b/queue-6.4/xsk-fix-refcount-underflow-in-error-path.patch
new file mode 100644 (file)
index 0000000..1cd9458
--- /dev/null
@@ -0,0 +1,46 @@
+From 85c2c79a07302fe68a1ad5cc449458cc559e314d Mon Sep 17 00:00:00 2001
+From: Magnus Karlsson <magnus.karlsson@intel.com>
+Date: Wed, 9 Aug 2023 16:28:43 +0200
+Subject: xsk: fix refcount underflow in error path
+
+From: Magnus Karlsson <magnus.karlsson@intel.com>
+
+commit 85c2c79a07302fe68a1ad5cc449458cc559e314d upstream.
+
+Fix a refcount underflow problem reported by syzbot that can happen
+when a system is running out of memory. If xp_alloc_tx_descs() fails,
+and it can only fail due to not having enough memory, then the error
+path is triggered. In this error path, the refcount of the pool is
+decremented as it has incremented before. However, the reference to
+the pool in the socket was not nulled. This means that when the socket
+is closed later, the socket teardown logic will think that there is a
+pool attached to the socket and try to decrease the refcount again,
+leading to a refcount underflow.
+
+I chose this fix as it involved adding just a single line. Another
+option would have been to move xp_get_pool() and the assignment of
+xs->pool to after the if-statement and using xs_umem->pool instead of
+xs->pool in the whole if-statement resulting in somewhat simpler code,
+but this would have led to much more churn in the code base perhaps
+making it harder to backport.
+
+Fixes: ba3beec2ec1d ("xsk: Fix possible crash when multiple sockets are created")
+Reported-by: syzbot+8ada0057e69293a05fd4@syzkaller.appspotmail.com
+Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Link: https://lore.kernel.org/r/20230809142843.13944-1-magnus.karlsson@gmail.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xdp/xsk.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/xdp/xsk.c
++++ b/net/xdp/xsk.c
+@@ -994,6 +994,7 @@ static int xsk_bind(struct socket *sock,
+                               err = xp_alloc_tx_descs(xs->pool, xs);
+                               if (err) {
+                                       xp_put_pool(xs->pool);
++                                      xs->pool = NULL;
+                                       sockfd_put(sock);
+                                       goto out_unlock;
+                               }
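Review bot: The added `xs->pool = NULL;` in the xp_alloc_tx_descs() error branch of xsk_bind() is easy to read as redundant cleanup and drop in a later refactor, because nothing in the code says why it is there. A one-line comment would record it: `/* teardown puts xs->pool if it is set; clear it so the pool is not put twice */`. Any other error branches of xsk_bind() that put the pool are outside the hunk and cannot be checked from here; they may need the same pairing of put and clear.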