--- /dev/null
+From 01f4fd27087078c90a0e22860d1dfa2cd0510791 Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+Date: Wed, 2 Aug 2023 19:43:20 +0800
+Subject: bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+commit 01f4fd27087078c90a0e22860d1dfa2cd0510791 upstream.
+
+BUG_ON(!vlan_info) is triggered in unregister_vlan_dev() with
+following testcase:
+
+ # ip netns add ns1
+ # ip netns exec ns1 ip link add bond0 type bond mode 0
+ # ip netns exec ns1 ip link add bond_slave_1 type veth peer veth2
+ # ip netns exec ns1 ip link set bond_slave_1 master bond0
+ # ip netns exec ns1 ip link add link bond_slave_1 name vlan10 type vlan id 10 protocol 802.1ad
+ # ip netns exec ns1 ip link add link bond0 name bond0_vlan10 type vlan id 10 protocol 802.1ad
+ # ip netns exec ns1 ip link set bond_slave_1 nomaster
+ # ip netns del ns1
+
+The logical analysis of the problem is as follows:
+
+1. create ETH_P_8021AD protocol vlan10 for bond_slave_1:
+register_vlan_dev()
+ vlan_vid_add()
+ vlan_info_alloc()
+ __vlan_vid_add() // add [ETH_P_8021AD, 10] vid to bond_slave_1
+
+2. create ETH_P_8021AD protocol bond0_vlan10 for bond0:
+register_vlan_dev()
+ vlan_vid_add()
+ __vlan_vid_add()
+ vlan_add_rx_filter_info()
+ if (!vlan_hw_filter_capable(dev, proto)) // condition established because bond0 without NETIF_F_HW_VLAN_STAG_FILTER
+ return 0;
+
+ if (netif_device_present(dev))
+ return dev->netdev_ops->ndo_vlan_rx_add_vid(dev, proto, vid); // will be never called
+ // The slaves of bond0 will not refer to the [ETH_P_8021AD, 10] vid.
+
+3. detach bond_slave_1 from bond0:
+__bond_release_one()
+ vlan_vids_del_by_dev()
+ list_for_each_entry(vid_info, &vlan_info->vid_list, list)
+ vlan_vid_del(dev, vid_info->proto, vid_info->vid);
+ // bond_slave_1 [ETH_P_8021AD, 10] vid will be deleted.
+ // bond_slave_1->vlan_info will be assigned NULL.
+
+4. delete vlan10 during delete ns1:
+default_device_exit_batch()
+ dev->rtnl_link_ops->dellink() // unregister_vlan_dev() for vlan10
+ vlan_info = rtnl_dereference(real_dev->vlan_info); // real_dev of vlan10 is bond_slave_1
+ BUG_ON(!vlan_info); // bond_slave_1->vlan_info is NULL now, bug is triggered!!!
+
+Add S-VLAN tag related features support to bond driver. So the bond driver
+will always propagate the VLAN info to its slaves.
+
+Fixes: 8ad227ff89a7 ("net: vlan: add 802.1ad support")
+Suggested-by: Ido Schimmel <idosch@idosch.org>
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://lore.kernel.org/r/20230802114320.4156068-1-william.xuanziyang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -5491,7 +5491,9 @@ void bond_setup(struct net_device *bond_
+
+ bond_dev->hw_features = BOND_VLAN_FEATURES |
+ NETIF_F_HW_VLAN_CTAG_RX |
+- NETIF_F_HW_VLAN_CTAG_FILTER;
++ NETIF_F_HW_VLAN_CTAG_FILTER |
++ NETIF_F_HW_VLAN_STAG_RX |
++ NETIF_F_HW_VLAN_STAG_FILTER;
+
+ bond_dev->hw_features |= NETIF_F_GSO_ENCAP_ALL;
+ bond_dev->features |= bond_dev->hw_features;
--- /dev/null
+From 809e4dc71a0f2b8d2836035d98603694fff11d5d Mon Sep 17 00:00:00 2001
+From: Xu Kuohai <xukuohai@huawei.com>
+Date: Fri, 4 Aug 2023 03:37:38 -0400
+Subject: bpf, sockmap: Fix bug that strp_done cannot be called
+
+From: Xu Kuohai <xukuohai@huawei.com>
+
+commit 809e4dc71a0f2b8d2836035d98603694fff11d5d upstream.
+
+strp_done is only called when psock->progs.stream_parser is not NULL,
+but stream_parser was set to NULL by sk_psock_stop_strp(), called
+by sk_psock_drop() earlier. So, strp_done can never be called.
+
+Introduce SK_PSOCK_RX_ENABLED to mark whether there is strp on psock.
+Change the condition for calling strp_done from judging whether
+stream_parser is set to judging whether this flag is set. This flag is
+only set once when strp_init() succeeds, and will never be cleared later.
+
+Fixes: c0d95d3380ee ("bpf, sockmap: Re-evaluate proto ops when psock is removed from sockmap")
+Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/r/20230804073740.194770-3-xukuohai@huaweicloud.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/skmsg.h | 1 +
+ net/core/skmsg.c | 10 ++++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/include/linux/skmsg.h
++++ b/include/linux/skmsg.h
+@@ -63,6 +63,7 @@ struct sk_psock_progs {
+
+ enum sk_psock_state_bits {
+ SK_PSOCK_TX_ENABLED,
++ SK_PSOCK_RX_STRP_ENABLED,
+ };
+
+ struct sk_psock_link {
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -1124,13 +1124,19 @@ static void sk_psock_strp_data_ready(str
+
+ int sk_psock_init_strp(struct sock *sk, struct sk_psock *psock)
+ {
++ int ret;
++
+ static const struct strp_callbacks cb = {
+ .rcv_msg = sk_psock_strp_read,
+ .read_sock_done = sk_psock_strp_read_done,
+ .parse_msg = sk_psock_strp_parse,
+ };
+
+- return strp_init(&psock->strp, sk, &cb);
++ ret = strp_init(&psock->strp, sk, &cb);
++ if (!ret)
++ sk_psock_set_state(psock, SK_PSOCK_RX_STRP_ENABLED);
++
++ return ret;
+ }
+
+ void sk_psock_start_strp(struct sock *sk, struct sk_psock *psock)
+@@ -1158,7 +1164,7 @@ void sk_psock_stop_strp(struct sock *sk,
+ static void sk_psock_done_strp(struct sk_psock *psock)
+ {
+ /* Parser has been stopped */
+- if (psock->progs.stream_parser)
++ if (sk_psock_test_state(psock, SK_PSOCK_RX_STRP_ENABLED))
+ strp_done(&psock->strp);
+ }
+ #else
--- /dev/null
+From 7e96ec0e6605b69bb21bbf6c0ff9051e656ec2b1 Mon Sep 17 00:00:00 2001
+From: Xu Kuohai <xukuohai@huawei.com>
+Date: Fri, 4 Aug 2023 03:37:37 -0400
+Subject: bpf, sockmap: Fix map type error in sock_map_del_link
+
+From: Xu Kuohai <xukuohai@huawei.com>
+
+commit 7e96ec0e6605b69bb21bbf6c0ff9051e656ec2b1 upstream.
+
+sock_map_del_link() operates on both SOCKMAP and SOCKHASH, although
+both types have member named "progs", the offset of "progs" member in
+these two types is different, so "progs" should be accessed with the
+real map type.
+
+Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
+Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/r/20230804073740.194770-2-xukuohai@huaweicloud.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/sock_map.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/core/sock_map.c
++++ b/net/core/sock_map.c
+@@ -148,13 +148,13 @@ static void sock_map_del_link(struct soc
+ list_for_each_entry_safe(link, tmp, &psock->link, list) {
+ if (link->link_raw == link_raw) {
+ struct bpf_map *map = link->map;
+- struct bpf_stab *stab = container_of(map, struct bpf_stab,
+- map);
+- if (psock->saved_data_ready && stab->progs.stream_parser)
++ struct sk_psock_progs *progs = sock_map_progs(map);
++
++ if (psock->saved_data_ready && progs->stream_parser)
+ strp_stop = true;
+- if (psock->saved_data_ready && stab->progs.stream_verdict)
++ if (psock->saved_data_ready && progs->stream_verdict)
+ verdict_stop = true;
+- if (psock->saved_data_ready && stab->progs.skb_verdict)
++ if (psock->saved_data_ready && progs->skb_verdict)
+ verdict_stop = true;
+ list_del(&link->list);
+ sk_psock_free_link(link);
--- /dev/null
+From a47e598fbd8617967e49d85c49c22f9fc642704c Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 3 Aug 2023 16:30:21 +0000
+Subject: dccp: fix data-race around dp->dccps_mss_cache
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit a47e598fbd8617967e49d85c49c22f9fc642704c upstream.
+
+dccp_sendmsg() reads dp->dccps_mss_cache before locking the socket.
+Same thing in do_dccp_getsockopt().
+
+Add READ_ONCE()/WRITE_ONCE() annotations,
+and change dccp_sendmsg() to check again dccps_mss_cache
+after socket is locked.
+
+Fixes: 7c657876b63c ("[DCCP]: Initial implementation")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20230803163021.2958262-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dccp/output.c | 2 +-
+ net/dccp/proto.c | 10 ++++++++--
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/dccp/output.c
++++ b/net/dccp/output.c
+@@ -187,7 +187,7 @@ unsigned int dccp_sync_mss(struct sock *
+
+ /* And store cached results */
+ icsk->icsk_pmtu_cookie = pmtu;
+- dp->dccps_mss_cache = cur_mps;
++ WRITE_ONCE(dp->dccps_mss_cache, cur_mps);
+
+ return cur_mps;
+ }
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -639,7 +639,7 @@ static int do_dccp_getsockopt(struct soc
+ return dccp_getsockopt_service(sk, len,
+ (__be32 __user *)optval, optlen);
+ case DCCP_SOCKOPT_GET_CUR_MPS:
+- val = dp->dccps_mss_cache;
++ val = READ_ONCE(dp->dccps_mss_cache);
+ break;
+ case DCCP_SOCKOPT_AVAILABLE_CCIDS:
+ return ccid_getsockopt_builtin_ccids(sk, len, optval, optlen);
+@@ -748,7 +748,7 @@ int dccp_sendmsg(struct sock *sk, struct
+
+ trace_dccp_probe(sk, len);
+
+- if (len > dp->dccps_mss_cache)
++ if (len > READ_ONCE(dp->dccps_mss_cache))
+ return -EMSGSIZE;
+
+ lock_sock(sk);
+@@ -781,6 +781,12 @@ int dccp_sendmsg(struct sock *sk, struct
+ goto out_discard;
+ }
+
++ /* We need to check dccps_mss_cache after socket is locked. */
++ if (len > dp->dccps_mss_cache) {
++ rc = -EMSGSIZE;
++ goto out_discard;
++ }
++
+ skb_reserve(skb, sk->sk_prot->max_header);
+ rc = memcpy_from_msg(skb_put(skb, len), msg, len);
+ if (rc != 0)
--- /dev/null
+From 59eeb232940515590de513b997539ef495faca9a Mon Sep 17 00:00:00 2001
+From: Andrew Kanner <andrew.kanner@gmail.com>
+Date: Thu, 3 Aug 2023 20:59:48 +0200
+Subject: drivers: net: prevent tun_build_skb() to exceed the packet size limit
+
+From: Andrew Kanner <andrew.kanner@gmail.com>
+
+commit 59eeb232940515590de513b997539ef495faca9a upstream.
+
+Using the syzkaller repro with reduced packet size it was discovered
+that XDP_PACKET_HEADROOM is not checked in tun_can_build_skb(),
+although pad may be incremented in tun_build_skb(). This may end up
+with exceeding the PAGE_SIZE limit in tun_build_skb().
+
+Jason Wang <jasowang@redhat.com> proposed to count XDP_PACKET_HEADROOM
+always (e.g. without rcu_access_pointer(tun->xdp_prog)) in
+tun_can_build_skb() since there's a window during which XDP program
+might be attached between tun_can_build_skb() and tun_build_skb().
+
+Fixes: 7df13219d757 ("tun: reserve extra headroom only when XDP is set")
+Link: https://syzkaller.appspot.com/bug?extid=f817490f5bd20541b90a
+Signed-off-by: Andrew Kanner <andrew.kanner@gmail.com>
+Link: https://lore.kernel.org/r/20230803185947.2379988-1-andrew.kanner@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tun.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1574,7 +1574,7 @@ static bool tun_can_build_skb(struct tun
+ if (zerocopy)
+ return false;
+
+- if (SKB_DATA_ALIGN(len + TUN_RX_PAD) +
++ if (SKB_DATA_ALIGN(len + TUN_RX_PAD + XDP_PACKET_HEADROOM) +
+ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) > PAGE_SIZE)
+ return false;
+
--- /dev/null
+From 43dae319b50fac075ad864f84501c703ef20eb2b Mon Sep 17 00:00:00 2001
+From: Daniel Stone <daniels@collabora.com>
+Date: Tue, 8 Aug 2023 11:44:05 +0100
+Subject: drm/rockchip: Don't spam logs in atomic check
+
+From: Daniel Stone <daniels@collabora.com>
+
+commit 43dae319b50fac075ad864f84501c703ef20eb2b upstream.
+
+Userspace should not be able to trigger DRM_ERROR messages to spam the
+logs; especially not through atomic commit parameters which are
+completely legitimate for userspace to attempt.
+
+Signed-off-by: Daniel Stone <daniels@collabora.com>
+Fixes: 7707f7227f09 ("drm/rockchip: Add support for afbc")
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230808104405.522493-1-daniels@collabora.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
+@@ -820,12 +820,12 @@ static int vop_plane_atomic_check(struct
+ * need align with 2 pixel.
+ */
+ if (fb->format->is_yuv && ((new_plane_state->src.x1 >> 16) % 2)) {
+- DRM_ERROR("Invalid Source: Yuv format not support odd xpos\n");
++ DRM_DEBUG_KMS("Invalid Source: Yuv format not support odd xpos\n");
+ return -EINVAL;
+ }
+
+ if (fb->format->is_yuv && new_plane_state->rotation & DRM_MODE_REFLECT_Y) {
+- DRM_ERROR("Invalid Source: Yuv format does not support this rotation\n");
++ DRM_DEBUG_KMS("Invalid Source: Yuv format does not support this rotation\n");
+ return -EINVAL;
+ }
+
+@@ -833,7 +833,7 @@ static int vop_plane_atomic_check(struct
+ struct vop *vop = to_vop(crtc);
+
+ if (!vop->data->afbc) {
+- DRM_ERROR("vop does not support AFBC\n");
++ DRM_DEBUG_KMS("vop does not support AFBC\n");
+ return -EINVAL;
+ }
+
+@@ -842,15 +842,16 @@ static int vop_plane_atomic_check(struct
+ return ret;
+
+ if (new_plane_state->src.x1 || new_plane_state->src.y1) {
+- DRM_ERROR("AFBC does not support offset display, xpos=%d, ypos=%d, offset=%d\n",
+- new_plane_state->src.x1,
+- new_plane_state->src.y1, fb->offsets[0]);
++ DRM_DEBUG_KMS("AFBC does not support offset display, " \
++ "xpos=%d, ypos=%d, offset=%d\n",
++ new_plane_state->src.x1, new_plane_state->src.y1,
++ fb->offsets[0]);
+ return -EINVAL;
+ }
+
+ if (new_plane_state->rotation && new_plane_state->rotation != DRM_MODE_ROTATE_0) {
+- DRM_ERROR("No rotation support in AFBC, rotation=%d\n",
+- new_plane_state->rotation);
++ DRM_DEBUG_KMS("No rotation support in AFBC, rotation=%d\n",
++ new_plane_state->rotation);
+ return -EINVAL;
+ }
+ }
--- /dev/null
+From 0fb1d8eb234b6979d4981d2d385780dd7d8d9771 Mon Sep 17 00:00:00 2001
+From: Piotr Gardocki <piotrx.gardocki@intel.com>
+Date: Mon, 7 Aug 2023 13:50:11 -0700
+Subject: iavf: fix potential races for FDIR filters
+
+From: Piotr Gardocki <piotrx.gardocki@intel.com>
+
+commit 0fb1d8eb234b6979d4981d2d385780dd7d8d9771 upstream.
+
+Add fdir_fltr_lock locking in unprotected places.
+
+The change in iavf_fdir_is_dup_fltr adds a spinlock around a loop which
+iterates over all filters and looks for a duplicate. The filter can be
+removed from list and freed from memory at the same time it's being
+compared. All other places where filters are deleted are already
+protected with spinlock.
+
+The remaining changes protect adapter->fdir_active_fltr variable so now
+all its uses are under a spinlock.
+
+Fixes: 527691bf0682 ("iavf: Support IPv4 Flow Director filters")
+Signed-off-by: Piotr Gardocki <piotrx.gardocki@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20230807205011.3129224-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_ethtool.c | 5 ++++-
+ drivers/net/ethernet/intel/iavf/iavf_fdir.c | 11 ++++++++---
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c
+@@ -1387,14 +1387,15 @@ static int iavf_add_fdir_ethtool(struct
+ if (fsp->flow_type & FLOW_MAC_EXT)
+ return -EINVAL;
+
++ spin_lock_bh(&adapter->fdir_fltr_lock);
+ if (adapter->fdir_active_fltr >= IAVF_MAX_FDIR_FILTERS) {
++ spin_unlock_bh(&adapter->fdir_fltr_lock);
+ dev_err(&adapter->pdev->dev,
+ "Unable to add Flow Director filter because VF reached the limit of max allowed filters (%u)\n",
+ IAVF_MAX_FDIR_FILTERS);
+ return -ENOSPC;
+ }
+
+- spin_lock_bh(&adapter->fdir_fltr_lock);
+ if (iavf_find_fdir_fltr_by_loc(adapter, fsp->location)) {
+ dev_err(&adapter->pdev->dev, "Failed to add Flow Director filter, it already exists\n");
+ spin_unlock_bh(&adapter->fdir_fltr_lock);
+@@ -1767,7 +1768,9 @@ static int iavf_get_rxnfc(struct net_dev
+ case ETHTOOL_GRXCLSRLCNT:
+ if (!FDIR_FLTR_SUPPORT(adapter))
+ break;
++ spin_lock_bh(&adapter->fdir_fltr_lock);
+ cmd->rule_cnt = adapter->fdir_active_fltr;
++ spin_unlock_bh(&adapter->fdir_fltr_lock);
+ cmd->data = IAVF_MAX_FDIR_FILTERS;
+ ret = 0;
+ break;
+--- a/drivers/net/ethernet/intel/iavf/iavf_fdir.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_fdir.c
+@@ -722,7 +722,9 @@ void iavf_print_fdir_fltr(struct iavf_ad
+ bool iavf_fdir_is_dup_fltr(struct iavf_adapter *adapter, struct iavf_fdir_fltr *fltr)
+ {
+ struct iavf_fdir_fltr *tmp;
++ bool ret = false;
+
++ spin_lock_bh(&adapter->fdir_fltr_lock);
+ list_for_each_entry(tmp, &adapter->fdir_list_head, list) {
+ if (tmp->flow_type != fltr->flow_type)
+ continue;
+@@ -732,11 +734,14 @@ bool iavf_fdir_is_dup_fltr(struct iavf_a
+ !memcmp(&tmp->ip_data, &fltr->ip_data,
+ sizeof(fltr->ip_data)) &&
+ !memcmp(&tmp->ext_data, &fltr->ext_data,
+- sizeof(fltr->ext_data)))
+- return true;
++ sizeof(fltr->ext_data))) {
++ ret = true;
++ break;
++ }
+ }
++ spin_unlock_bh(&adapter->fdir_fltr_lock);
+
+- return false;
++ return ret;
+ }
+
+ /**
--- /dev/null
+From 4fdfaef71fced490835145631a795497646f4555 Mon Sep 17 00:00:00 2001
+From: Douglas Miller <doug.miller@cornelisnetworks.com>
+Date: Wed, 2 Aug 2023 13:32:41 -0400
+Subject: IB/hfi1: Fix possible panic during hotplug remove
+
+From: Douglas Miller <doug.miller@cornelisnetworks.com>
+
+commit 4fdfaef71fced490835145631a795497646f4555 upstream.
+
+During hotplug remove it is possible that the update counters work
+might be pending, and may run after memory has been freed.
+Cancel the update counters work before freeing memory.
+
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Signed-off-by: Douglas Miller <doug.miller@cornelisnetworks.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
+Link: https://lore.kernel.org/r/169099756100.3927190.15284930454106475280.stgit@awfm-02.cornelisnetworks.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/hfi1/chip.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/hw/hfi1/chip.c
++++ b/drivers/infiniband/hw/hfi1/chip.c
+@@ -12306,6 +12306,7 @@ static void free_cntrs(struct hfi1_devda
+
+ if (dd->synth_stats_timer.function)
+ del_timer_sync(&dd->synth_stats_timer);
++ cancel_work_sync(&dd->update_cntr_work);
+ ppd = (struct hfi1_pportdata *)(dd + 1);
+ for (i = 0; i < dd->num_pports; i++, ppd++) {
+ kfree(ppd->cntrs);
--- /dev/null
+From 1696ec8654016dad3b1baf6c024303e584400453 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Wed, 2 Aug 2023 10:40:29 -0700
+Subject: mISDN: Update parameter type of dsp_cmx_send()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 1696ec8654016dad3b1baf6c024303e584400453 upstream.
+
+When booting a kernel with CONFIG_MISDN_DSP=y and CONFIG_CFI_CLANG=y,
+there is a failure when dsp_cmx_send() is called indirectly from
+call_timer_fn():
+
+ [ 0.371412] CFI failure at call_timer_fn+0x2f/0x150 (target: dsp_cmx_send+0x0/0x530; expected type: 0x92ada1e9)
+
+The function pointer prototype that call_timer_fn() expects is
+
+ void (*fn)(struct timer_list *)
+
+whereas dsp_cmx_send() has a parameter type of 'void *', which causes
+the control flow integrity checks to fail because the parameter types do
+not match.
+
+Change dsp_cmx_send()'s parameter type to be 'struct timer_list' to
+match the expected prototype. The argument is unused anyways, so this
+has no functional change, aside from avoiding the CFI failure.
+
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202308020936.58787e6c-oliver.sang@intel.com
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Fixes: e313ac12eb13 ("mISDN: Convert timers to use timer_setup()")
+Link: https://lore.kernel.org/r/20230802-fix-dsp_cmx_send-cfi-failure-v1-1-2f2e79b0178d@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/isdn/mISDN/dsp.h | 2 +-
+ drivers/isdn/mISDN/dsp_cmx.c | 2 +-
+ drivers/isdn/mISDN/dsp_core.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/isdn/mISDN/dsp.h
++++ b/drivers/isdn/mISDN/dsp.h
+@@ -247,7 +247,7 @@ extern void dsp_cmx_hardware(struct dsp_
+ extern int dsp_cmx_conf(struct dsp *dsp, u32 conf_id);
+ extern void dsp_cmx_receive(struct dsp *dsp, struct sk_buff *skb);
+ extern void dsp_cmx_hdlc(struct dsp *dsp, struct sk_buff *skb);
+-extern void dsp_cmx_send(void *arg);
++extern void dsp_cmx_send(struct timer_list *arg);
+ extern void dsp_cmx_transmit(struct dsp *dsp, struct sk_buff *skb);
+ extern int dsp_cmx_del_conf_member(struct dsp *dsp);
+ extern int dsp_cmx_del_conf(struct dsp_conf *conf);
+--- a/drivers/isdn/mISDN/dsp_cmx.c
++++ b/drivers/isdn/mISDN/dsp_cmx.c
+@@ -1625,7 +1625,7 @@ static u16 dsp_count; /* last sample cou
+ static int dsp_count_valid; /* if we have last sample count */
+
+ void
+-dsp_cmx_send(void *arg)
++dsp_cmx_send(struct timer_list *arg)
+ {
+ struct dsp_conf *conf;
+ struct dsp_conf_member *member;
+--- a/drivers/isdn/mISDN/dsp_core.c
++++ b/drivers/isdn/mISDN/dsp_core.c
+@@ -1195,7 +1195,7 @@ static int __init dsp_init(void)
+ }
+
+ /* set sample timer */
+- timer_setup(&dsp_spl_tl, (void *)dsp_cmx_send, 0);
++ timer_setup(&dsp_spl_tl, dsp_cmx_send, 0);
+ dsp_spl_tl.expires = jiffies + dsp_tics;
+ dsp_spl_jiffies = dsp_spl_tl.expires;
+ add_timer(&dsp_spl_tl);
--- /dev/null
+From d14eea09edf427fa36bd446f4a3271f99164202f Mon Sep 17 00:00:00 2001
+From: Andrew Kanner <andrew.kanner@gmail.com>
+Date: Thu, 3 Aug 2023 21:03:18 +0200
+Subject: net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail()
+
+From: Andrew Kanner <andrew.kanner@gmail.com>
+
+commit d14eea09edf427fa36bd446f4a3271f99164202f upstream.
+
+Syzkaller reported the following issue:
+=======================================
+Too BIG xdp->frame_sz = 131072
+WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121
+ ____bpf_xdp_adjust_tail net/core/filter.c:4121 [inline]
+WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121
+ bpf_xdp_adjust_tail+0x466/0xa10 net/core/filter.c:4103
+...
+Call Trace:
+ <TASK>
+ bpf_prog_4add87e5301a4105+0x1a/0x1c
+ __bpf_prog_run include/linux/filter.h:600 [inline]
+ bpf_prog_run_xdp include/linux/filter.h:775 [inline]
+ bpf_prog_run_generic_xdp+0x57e/0x11e0 net/core/dev.c:4721
+ netif_receive_generic_xdp net/core/dev.c:4807 [inline]
+ do_xdp_generic+0x35c/0x770 net/core/dev.c:4866
+ tun_get_user+0x2340/0x3ca0 drivers/net/tun.c:1919
+ tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2043
+ call_write_iter include/linux/fs.h:1871 [inline]
+ new_sync_write fs/read_write.c:491 [inline]
+ vfs_write+0x650/0xe40 fs/read_write.c:584
+ ksys_write+0x12f/0x250 fs/read_write.c:637
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+xdp->frame_sz > PAGE_SIZE check was introduced in commit c8741e2bfe87
+("xdp: Allow bpf_xdp_adjust_tail() to grow packet size"). But Jesper
+Dangaard Brouer <jbrouer@redhat.com> noted that after introducing the
+xdp_init_buff() which all XDP driver use - it's safe to remove this
+check. The original intend was to catch cases where XDP drivers have
+not been updated to use xdp.frame_sz, but that is not longer a concern
+(since xdp_init_buff).
+
+Running the initial syzkaller repro it was discovered that the
+contiguous physical memory allocation is used for both xdp paths in
+tun_get_user(), e.g. tun_build_skb() and tun_alloc_skb(). It was also
+stated by Jesper Dangaard Brouer <jbrouer@redhat.com> that XDP can
+work on higher order pages, as long as this is contiguous physical
+memory (e.g. a page).
+
+Reported-and-tested-by: syzbot+f817490f5bd20541b90a@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/000000000000774b9205f1d8a80d@google.com/T/
+Link: https://syzkaller.appspot.com/bug?extid=f817490f5bd20541b90a
+Link: https://lore.kernel.org/all/20230725155403.796-1-andrew.kanner@gmail.com/T/
+Fixes: 43b5169d8355 ("net, xdp: Introduce xdp_init_buff utility routine")
+Signed-off-by: Andrew Kanner <andrew.kanner@gmail.com>
+Acked-by: Jesper Dangaard Brouer <hawk@kernel.org>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Link: https://lore.kernel.org/r/20230803190316.2380231-1-andrew.kanner@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/filter.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -3843,12 +3843,6 @@ BPF_CALL_2(bpf_xdp_adjust_tail, struct x
+ if (unlikely(data_end > data_hard_end))
+ return -EINVAL;
+
+- /* ALL drivers MUST init xdp->frame_sz, chicken check below */
+- if (unlikely(xdp->frame_sz > PAGE_SIZE)) {
+- WARN_ONCE(1, "Too BIG xdp->frame_sz = %d\n", xdp->frame_sz);
+- return -EINVAL;
+- }
+-
+ if (unlikely(data_end < xdp->data + ETH_HLEN))
+ return -EINVAL;
+
--- /dev/null
+From 8a9896177784063d01068293caea3f74f6830ff6 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 3 Aug 2023 14:56:00 +0000
+Subject: net/packet: annotate data-races around tp->status
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 8a9896177784063d01068293caea3f74f6830ff6 upstream.
+
+Another syzbot report [1] is about tp->status lockless reads
+from __packet_get_status()
+
+[1]
+BUG: KCSAN: data-race in __packet_rcv_has_room / __packet_set_status
+
+write to 0xffff888117d7c080 of 8 bytes by interrupt on cpu 0:
+__packet_set_status+0x78/0xa0 net/packet/af_packet.c:407
+tpacket_rcv+0x18bb/0x1a60 net/packet/af_packet.c:2483
+deliver_skb net/core/dev.c:2173 [inline]
+__netif_receive_skb_core+0x408/0x1e80 net/core/dev.c:5337
+__netif_receive_skb_one_core net/core/dev.c:5491 [inline]
+__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5607
+process_backlog+0x21f/0x380 net/core/dev.c:5935
+__napi_poll+0x60/0x3b0 net/core/dev.c:6498
+napi_poll net/core/dev.c:6565 [inline]
+net_rx_action+0x32b/0x750 net/core/dev.c:6698
+__do_softirq+0xc1/0x265 kernel/softirq.c:571
+invoke_softirq kernel/softirq.c:445 [inline]
+__irq_exit_rcu+0x57/0xa0 kernel/softirq.c:650
+sysvec_apic_timer_interrupt+0x6d/0x80 arch/x86/kernel/apic/apic.c:1106
+asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
+smpboot_thread_fn+0x33c/0x4a0 kernel/smpboot.c:112
+kthread+0x1d7/0x210 kernel/kthread.c:379
+ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
+
+read to 0xffff888117d7c080 of 8 bytes by interrupt on cpu 1:
+__packet_get_status net/packet/af_packet.c:436 [inline]
+packet_lookup_frame net/packet/af_packet.c:524 [inline]
+__tpacket_has_room net/packet/af_packet.c:1255 [inline]
+__packet_rcv_has_room+0x3f9/0x450 net/packet/af_packet.c:1298
+tpacket_rcv+0x275/0x1a60 net/packet/af_packet.c:2285
+deliver_skb net/core/dev.c:2173 [inline]
+dev_queue_xmit_nit+0x38a/0x5e0 net/core/dev.c:2243
+xmit_one net/core/dev.c:3574 [inline]
+dev_hard_start_xmit+0xcf/0x3f0 net/core/dev.c:3594
+__dev_queue_xmit+0xefb/0x1d10 net/core/dev.c:4244
+dev_queue_xmit include/linux/netdevice.h:3088 [inline]
+can_send+0x4eb/0x5d0 net/can/af_can.c:276
+bcm_can_tx+0x314/0x410 net/can/bcm.c:302
+bcm_tx_timeout_handler+0xdb/0x260
+__run_hrtimer kernel/time/hrtimer.c:1685 [inline]
+__hrtimer_run_queues+0x217/0x700 kernel/time/hrtimer.c:1749
+hrtimer_run_softirq+0xd6/0x120 kernel/time/hrtimer.c:1766
+__do_softirq+0xc1/0x265 kernel/softirq.c:571
+run_ksoftirqd+0x17/0x20 kernel/softirq.c:939
+smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164
+kthread+0x1d7/0x210 kernel/kthread.c:379
+ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
+
+value changed: 0x0000000000000000 -> 0x0000000020000081
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 6.4.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
+
+Fixes: 69e3c75f4d54 ("net: TX_RING and packet mmap")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20230803145600.2937518-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -368,18 +368,20 @@ static void __packet_set_status(struct p
+ {
+ union tpacket_uhdr h;
+
++ /* WRITE_ONCE() are paired with READ_ONCE() in __packet_get_status */
++
+ h.raw = frame;
+ switch (po->tp_version) {
+ case TPACKET_V1:
+- h.h1->tp_status = status;
++ WRITE_ONCE(h.h1->tp_status, status);
+ flush_dcache_page(pgv_to_page(&h.h1->tp_status));
+ break;
+ case TPACKET_V2:
+- h.h2->tp_status = status;
++ WRITE_ONCE(h.h2->tp_status, status);
+ flush_dcache_page(pgv_to_page(&h.h2->tp_status));
+ break;
+ case TPACKET_V3:
+- h.h3->tp_status = status;
++ WRITE_ONCE(h.h3->tp_status, status);
+ flush_dcache_page(pgv_to_page(&h.h3->tp_status));
+ break;
+ default:
+@@ -396,17 +398,19 @@ static int __packet_get_status(const str
+
+ smp_rmb();
+
++ /* READ_ONCE() are paired with WRITE_ONCE() in __packet_set_status */
++
+ h.raw = frame;
+ switch (po->tp_version) {
+ case TPACKET_V1:
+ flush_dcache_page(pgv_to_page(&h.h1->tp_status));
+- return h.h1->tp_status;
++ return READ_ONCE(h.h1->tp_status);
+ case TPACKET_V2:
+ flush_dcache_page(pgv_to_page(&h.h2->tp_status));
+- return h.h2->tp_status;
++ return READ_ONCE(h.h2->tp_status);
+ case TPACKET_V3:
+ flush_dcache_page(pgv_to_page(&h.h3->tp_status));
+- return h.h3->tp_status;
++ return READ_ONCE(h.h3->tp_status);
+ default:
+ WARN(1, "TPACKET version not supported.\n");
+ BUG();
--- /dev/null
+From 5ac8480ae4d01f0ca5dfd561884424046df2478a Mon Sep 17 00:00:00 2001
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Date: Wed, 9 Aug 2023 21:44:36 -0700
+Subject: RDMA/bnxt_re: Fix error handling in probe failure path
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+commit 5ac8480ae4d01f0ca5dfd561884424046df2478a upstream.
+
+During bnxt_re_dev_init(), when bnxt_re_setup_chip_ctx() fails unregister
+with L2 first before bailing out probe.
+
+Fixes: ae8637e13185 ("RDMA/bnxt_re: Add chip context to identify 57500 series")
+Link: https://lore.kernel.org/r/1691642677-21369-3-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/bnxt_re/main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/infiniband/hw/bnxt_re/main.c
++++ b/drivers/infiniband/hw/bnxt_re/main.c
+@@ -1406,6 +1406,8 @@ static int bnxt_re_dev_init(struct bnxt_
+
+ rc = bnxt_re_setup_chip_ctx(rdev, wqe_mode);
+ if (rc) {
++ bnxt_unregister_dev(rdev->en_dev);
++ clear_bit(BNXT_RE_FLAG_NETDEV_REGISTERED, &rdev->flags);
+ ibdev_err(&rdev->ibdev, "Failed to get chip context\n");
+ return -EINVAL;
+ }
--- /dev/null
+From 186b169cf1e4be85aa212a893ea783a543400979 Mon Sep 17 00:00:00 2001
+From: Michael Guralnik <michaelgur@nvidia.com>
+Date: Wed, 19 Jul 2023 12:02:41 +0300
+Subject: RDMA/umem: Set iova in ODP flow
+
+From: Michael Guralnik <michaelgur@nvidia.com>
+
+commit 186b169cf1e4be85aa212a893ea783a543400979 upstream.
+
+Fixing the ODP registration flow to set the iova correctly.
+The calculation in ib_umem_num_dma_blocks() function assumes the iova of
+the umem is set correctly.
+
+When iova is not set, the calculation in ib_umem_num_dma_blocks() is
+equivalent to length/page_size, which is true only when memory is aligned.
+For unaligned memory, iova must be set for the ALIGN() in the
+ib_umem_num_dma_blocks() to take effect and return a correct value.
+
+mlx5_ib uses ib_umem_num_dma_blocks() to decide the mkey size to use for
+the MR. Without this fix, when registering unaligned ODP MR, a wrong
+size mkey might be chosen and this might cause the UMR to fail.
+
+UMR would fail over insufficient size to update the mkey translation:
+infiniband mlx5_0: dump_cqe:273:(pid 0): dump error cqe
+00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+00000030: 00 00 00 00 0f 00 78 06 25 00 00 58 00 da ac d2
+infiniband mlx5_0: mlx5_ib_post_send_wait:806:(pid 20311): reg umr
+failed (6)
+infiniband mlx5_0: pagefault_real_mr:661:(pid 20311): Failed to update
+mkey page tables
+
+Fixes: f0093fb1a7cb ("RDMA/mlx5: Move mlx5_ib_cont_pages() to the creation of the mlx5_ib_mr")
+Fixes: a665aca89a41 ("RDMA/umem: Split ib_umem_num_pages() into ib_umem_num_dma_blocks()")
+Signed-off-by: Artemy Kovalyov <artemyko@nvidia.com>
+Signed-off-by: Michael Guralnik <michaelgur@nvidia.com>
+Link: https://lore.kernel.org/r/3d4be7ca2155bf239dd8c00a2d25974a92c26ab8.1689757344.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/umem.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -85,6 +85,8 @@ unsigned long ib_umem_find_best_pgsz(str
+ dma_addr_t mask;
+ int i;
+
++ umem->iova = va = virt;
++
+ if (umem->is_odp) {
+ unsigned int page_size = BIT(to_ib_umem_odp(umem)->page_shift);
+
+@@ -100,7 +102,6 @@ unsigned long ib_umem_find_best_pgsz(str
+ */
+ pgsz_bitmap &= GENMASK(BITS_PER_LONG - 1, PAGE_SHIFT);
+
+- umem->iova = va = virt;
+ /* The best result is the smallest page size that results in the minimum
+ * number of required pages. Compute the largest page size that could
+ * work based on VA address bits that don't change.
--- /dev/null
+From 66e131861ab7bf754b50813216f5c6885cd32d63 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@nvidia.com>
+Date: Tue, 8 Aug 2023 17:14:52 +0300
+Subject: selftests: forwarding: Add a helper to skip test when using veth pairs
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+commit 66e131861ab7bf754b50813216f5c6885cd32d63 upstream.
+
+A handful of tests require physical loopbacks to be used instead of veth
+pairs. Add a helper that these tests will invoke in order to be skipped
+when executed with veth pairs.
+
+Fixes: 64916b57c0b1 ("selftests: forwarding: Add speed and auto-negotiation test")
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Tested-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://lore.kernel.org/r/20230808141503.4060661-7-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/forwarding/lib.sh | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/tools/testing/selftests/net/forwarding/lib.sh
++++ b/tools/testing/selftests/net/forwarding/lib.sh
+@@ -122,6 +122,17 @@ check_ethtool_lanes_support()
+ fi
+ }
+
++skip_on_veth()
++{
++ local kind=$(ip -j -d link show dev ${NETIFS[p1]} |
++ jq -r '.[].linkinfo.info_kind')
++
++ if [[ $kind == veth ]]; then
++ echo "SKIP: Test cannot be run with veth pairs"
++ exit $ksft_skip
++ fi
++}
++
+ if [[ "$(id -u)" -ne 0 ]]; then
+ echo "SKIP: need root privileges"
+ exit $ksft_skip
--- /dev/null
+From 60a36e21915c31c0375d9427be9406aa8ce2ec34 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@nvidia.com>
+Date: Tue, 8 Aug 2023 17:14:53 +0300
+Subject: selftests: forwarding: ethtool: Skip when using veth pairs
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+commit 60a36e21915c31c0375d9427be9406aa8ce2ec34 upstream.
+
+Auto-negotiation cannot be tested with veth pairs, resulting in
+failures:
+
+ # ./ethtool.sh
+ TEST: force of same speed autoneg off [FAIL]
+ error in configuration. swp1 speed Not autoneg off
+ [...]
+
+Fix by skipping the test when used with veth pairs.
+
+Fixes: 64916b57c0b1 ("selftests: forwarding: Add speed and auto-negotiation test")
+Reported-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Closes: https://lore.kernel.org/netdev/adc5e40d-d040-a65e-eb26-edf47dac5b02@alu.unizg.hr/
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Tested-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://lore.kernel.org/r/20230808141503.4060661-8-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/forwarding/ethtool.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/tools/testing/selftests/net/forwarding/ethtool.sh
++++ b/tools/testing/selftests/net/forwarding/ethtool.sh
+@@ -286,6 +286,8 @@ different_speeds_autoneg_on()
+ ethtool -s $h1 autoneg on
+ }
+
++skip_on_veth
++
+ trap cleanup EXIT
+
+ setup_prepare
--- /dev/null
+From b3d9305e60d121dac20a77b6847c4cf14a4c0001 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@nvidia.com>
+Date: Tue, 8 Aug 2023 17:14:54 +0300
+Subject: selftests: forwarding: ethtool_extended_state: Skip when using veth pairs
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+commit b3d9305e60d121dac20a77b6847c4cf14a4c0001 upstream.
+
+Ethtool extended state cannot be tested with veth pairs, resulting in
+failures:
+
+ # ./ethtool_extended_state.sh
+ TEST: Autoneg, No partner detected [FAIL]
+ Expected "Autoneg", got "Link detected: no"
+ [...]
+
+Fix by skipping the test when used with veth pairs.
+
+Fixes: 7d10bcce98cd ("selftests: forwarding: Add tests for ethtool extended state")
+Reported-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Closes: https://lore.kernel.org/netdev/adc5e40d-d040-a65e-eb26-edf47dac5b02@alu.unizg.hr/
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Tested-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://lore.kernel.org/r/20230808141503.4060661-9-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/forwarding/ethtool_extended_state.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/tools/testing/selftests/net/forwarding/ethtool_extended_state.sh
++++ b/tools/testing/selftests/net/forwarding/ethtool_extended_state.sh
+@@ -95,6 +95,8 @@ no_cable()
+ ip link set dev $swp3 down
+ }
+
++skip_on_veth
++
+ setup_prepare
+
+ tests_run
--- /dev/null
+From d72c83b1e4b4a36a38269c77a85ff52f95eb0d08 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@nvidia.com>
+Date: Tue, 8 Aug 2023 17:14:47 +0300
+Subject: selftests: forwarding: Skip test when no interfaces are specified
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+commit d72c83b1e4b4a36a38269c77a85ff52f95eb0d08 upstream.
+
+As explained in [1], the forwarding selftests are meant to be run with
+either physical loopbacks or veth pairs. The interfaces are expected to
+be specified in a user-provided forwarding.config file or as command
+line arguments. By default, this file is not present and the tests fail:
+
+ # make -C tools/testing/selftests TARGETS=net/forwarding run_tests
+ [...]
+ TAP version 13
+ 1..102
+ # timeout set to 45
+ # selftests: net/forwarding: bridge_igmp.sh
+ # Command line is not complete. Try option "help"
+ # Failed to create netif
+ not ok 1 selftests: net/forwarding: bridge_igmp.sh # exit=1
+ [...]
+
+Fix by skipping a test if interfaces are not provided either via the
+configuration file or command line arguments.
+
+ # make -C tools/testing/selftests TARGETS=net/forwarding run_tests
+ [...]
+ TAP version 13
+ 1..102
+ # timeout set to 45
+ # selftests: net/forwarding: bridge_igmp.sh
+ # SKIP: Cannot create interface. Name not specified
+ ok 1 selftests: net/forwarding: bridge_igmp.sh # SKIP
+
+[1] tools/testing/selftests/net/forwarding/README
+
+Fixes: 81573b18f26d ("selftests/net/forwarding: add Makefile to install tests")
+Reported-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Closes: https://lore.kernel.org/netdev/856d454e-f83c-20cf-e166-6dc06cbc1543@alu.unizg.hr/
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Tested-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://lore.kernel.org/r/20230808141503.4060661-2-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/forwarding/lib.sh | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/tools/testing/selftests/net/forwarding/lib.sh
++++ b/tools/testing/selftests/net/forwarding/lib.sh
+@@ -185,6 +185,11 @@ create_netif_veth()
+ for ((i = 1; i <= NUM_NETIFS; ++i)); do
+ local j=$((i+1))
+
++ if [ -z ${NETIFS[p$i]} ]; then
++ echo "SKIP: Cannot create interface. Name not specified"
++ exit $ksft_skip
++ fi
++
+ ip link show dev ${NETIFS[p$i]} &> /dev/null
+ if [[ $? -ne 0 ]]; then
+ ip link add ${NETIFS[p$i]} type veth \
--- /dev/null
+From 0529883ad102f6c04e19fb7018f31e1bda575bbe Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@nvidia.com>
+Date: Tue, 8 Aug 2023 17:14:48 +0300
+Subject: selftests: forwarding: Switch off timeout
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+commit 0529883ad102f6c04e19fb7018f31e1bda575bbe upstream.
+
+The default timeout for selftests is 45 seconds, but it is not enough
+for forwarding selftests which can takes minutes to finish depending on
+the number of tests cases:
+
+ # make -C tools/testing/selftests TARGETS=net/forwarding run_tests
+ TAP version 13
+ 1..102
+ # timeout set to 45
+ # selftests: net/forwarding: bridge_igmp.sh
+ # TEST: IGMPv2 report 239.10.10.10 [ OK ]
+ # TEST: IGMPv2 leave 239.10.10.10 [ OK ]
+ # TEST: IGMPv3 report 239.10.10.10 is_include [ OK ]
+ # TEST: IGMPv3 report 239.10.10.10 include -> allow [ OK ]
+ #
+ not ok 1 selftests: net/forwarding: bridge_igmp.sh # TIMEOUT 45 seconds
+
+Fix by switching off the timeout and setting it to 0. A similar change
+was done for BPF selftests in commit 6fc5916cc256 ("selftests: bpf:
+Switch off timeout").
+
+Fixes: 81573b18f26d ("selftests/net/forwarding: add Makefile to install tests")
+Reported-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Closes: https://lore.kernel.org/netdev/8d149f8c-818e-d141-a0ce-a6bae606bc22@alu.unizg.hr/
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Tested-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://lore.kernel.org/r/20230808141503.4060661-3-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/forwarding/settings | 1 +
+ 1 file changed, 1 insertion(+)
+ create mode 100644 tools/testing/selftests/net/forwarding/settings
+
+--- /dev/null
++++ b/tools/testing/selftests/net/forwarding/settings
+@@ -0,0 +1 @@
++timeout=0
--- /dev/null
+From 9ee37e53e7687654b487fc94e82569377272a7a8 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@nvidia.com>
+Date: Tue, 8 Aug 2023 17:14:58 +0300
+Subject: selftests: forwarding: tc_flower: Relax success criterion
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+commit 9ee37e53e7687654b487fc94e82569377272a7a8 upstream.
+
+The test checks that filters that match on source or destination MAC
+were only hit once. A host can send more than one packet with a given
+source or destination MAC, resulting in failures.
+
+Fix by relaxing the success criterion and instead check that the filters
+were not hit zero times. Using tc_check_at_least_x_packets() is also an
+option, but it is not available in older kernels.
+
+Fixes: 07e5c75184a1 ("selftests: forwarding: Introduce tc flower matching tests")
+Reported-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Closes: https://lore.kernel.org/netdev/adc5e40d-d040-a65e-eb26-edf47dac5b02@alu.unizg.hr/
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Tested-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://lore.kernel.org/r/20230808141503.4060661-13-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/forwarding/tc_flower.sh | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/tools/testing/selftests/net/forwarding/tc_flower.sh
++++ b/tools/testing/selftests/net/forwarding/tc_flower.sh
+@@ -52,8 +52,8 @@ match_dst_mac_test()
+ tc_check_packets "dev $h2 ingress" 101 1
+ check_fail $? "Matched on a wrong filter"
+
+- tc_check_packets "dev $h2 ingress" 102 1
+- check_err $? "Did not match on correct filter"
++ tc_check_packets "dev $h2 ingress" 102 0
++ check_fail $? "Did not match on correct filter"
+
+ tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower
+ tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower
+@@ -78,8 +78,8 @@ match_src_mac_test()
+ tc_check_packets "dev $h2 ingress" 101 1
+ check_fail $? "Matched on a wrong filter"
+
+- tc_check_packets "dev $h2 ingress" 102 1
+- check_err $? "Did not match on correct filter"
++ tc_check_packets "dev $h2 ingress" 102 0
++ check_fail $? "Did not match on correct filter"
+
+ tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower
+ tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower
--- /dev/null
+From d5ad9aae13dcced333c1a7816ff0a4fbbb052466 Mon Sep 17 00:00:00 2001
+From: Mark Brown <broonie@kernel.org>
+Date: Fri, 4 Aug 2023 20:22:11 +0100
+Subject: selftests/rseq: Fix build with undefined __weak
+
+From: Mark Brown <broonie@kernel.org>
+
+commit d5ad9aae13dcced333c1a7816ff0a4fbbb052466 upstream.
+
+Commit 3bcbc20942db ("selftests/rseq: Play nice with binaries statically
+linked against glibc 2.35+") which is now in Linus' tree introduced uses
+of __weak but did nothing to ensure that a definition is provided for it
+resulting in build failures for the rseq tests:
+
+rseq.c:41:1: error: unknown type name '__weak'
+__weak ptrdiff_t __rseq_offset;
+^
+rseq.c:41:17: error: expected ';' after top level declarator
+__weak ptrdiff_t __rseq_offset;
+ ^
+ ;
+rseq.c:42:1: error: unknown type name '__weak'
+__weak unsigned int __rseq_size;
+^
+rseq.c:43:1: error: unknown type name '__weak'
+__weak unsigned int __rseq_flags;
+
+Fix this by using the definition from tools/include compiler.h.
+
+Fixes: 3bcbc20942db ("selftests/rseq: Play nice with binaries statically linked against glibc 2.35+")
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Message-Id: <20230804-kselftest-rseq-build-v1-1-015830b66aa9@kernel.org>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/rseq/Makefile | 4 +++-
+ tools/testing/selftests/rseq/rseq.c | 2 ++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/rseq/Makefile
++++ b/tools/testing/selftests/rseq/Makefile
+@@ -4,8 +4,10 @@ ifneq ($(shell $(CC) --version 2>&1 | he
+ CLANG_FLAGS += -no-integrated-as
+ endif
+
++top_srcdir = ../../../..
++
+ CFLAGS += -O2 -Wall -g -I./ -I../../../../usr/include/ -L$(OUTPUT) -Wl,-rpath=./ \
+- $(CLANG_FLAGS)
++ $(CLANG_FLAGS) -I$(top_srcdir)/tools/include
+ LDLIBS += -lpthread -ldl
+
+ # Own dependencies because we only want to build against 1st prerequisite, but
+--- a/tools/testing/selftests/rseq/rseq.c
++++ b/tools/testing/selftests/rseq/rseq.c
+@@ -29,6 +29,8 @@
+ #include <dlfcn.h>
+ #include <stddef.h>
+
++#include <linux/compiler.h>
++
+ #include "../kselftest.h"
+ #include "rseq.h"
+
x86-move-gds_ucode_mitigated-declaration-to-header.patch
drm-nouveau-disp-revert-a-null-check-inside-nouveau_connector_get_modes.patch
netfilter-nf_tables-don-t-skip-expired-elements-during-walk.patch
+selftests-rseq-fix-build-with-undefined-__weak.patch
+selftests-forwarding-add-a-helper-to-skip-test-when-using-veth-pairs.patch
+selftests-forwarding-ethtool-skip-when-using-veth-pairs.patch
+selftests-forwarding-ethtool_extended_state-skip-when-using-veth-pairs.patch
+selftests-forwarding-skip-test-when-no-interfaces-are-specified.patch
+selftests-forwarding-switch-off-timeout.patch
+selftests-forwarding-tc_flower-relax-success-criterion.patch
+net-core-remove-unnecessary-frame_sz-check-in-bpf_xdp_adjust_tail.patch
+bpf-sockmap-fix-map-type-error-in-sock_map_del_link.patch
+bpf-sockmap-fix-bug-that-strp_done-cannot-be-called.patch
+misdn-update-parameter-type-of-dsp_cmx_send.patch
+net-packet-annotate-data-races-around-tp-status.patch
+tunnels-fix-kasan-splat-when-generating-ipv4-pmtu-error.patch
+vlan-fix-vlan-0-memory-leak.patch
+xsk-fix-refcount-underflow-in-error-path.patch
+bonding-fix-incorrect-deletion-of-eth_p_8021ad-protocol-vid-from-slaves.patch
+dccp-fix-data-race-around-dp-dccps_mss_cache.patch
+drivers-net-prevent-tun_build_skb-to-exceed-the-packet-size-limit.patch
+iavf-fix-potential-races-for-fdir-filters.patch
+ib-hfi1-fix-possible-panic-during-hotplug-remove.patch
+drm-rockchip-don-t-spam-logs-in-atomic-check.patch
+wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch
+rdma-umem-set-iova-in-odp-flow.patch
+rdma-bnxt_re-fix-error-handling-in-probe-failure-path.patch
--- /dev/null
+From 6a7ac3d20593865209dceb554d8b3f094c6bd940 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 3 Aug 2023 17:26:49 +0200
+Subject: tunnels: fix kasan splat when generating ipv4 pmtu error
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 6a7ac3d20593865209dceb554d8b3f094c6bd940 upstream.
+
+If we try to emit an icmp error in response to a nonliner skb, we get
+
+BUG: KASAN: slab-out-of-bounds in ip_compute_csum+0x134/0x220
+Read of size 4 at addr ffff88811c50db00 by task iperf3/1691
+CPU: 2 PID: 1691 Comm: iperf3 Not tainted 6.5.0-rc3+ #309
+[..]
+ kasan_report+0x105/0x140
+ ip_compute_csum+0x134/0x220
+ iptunnel_pmtud_build_icmp+0x554/0x1020
+ skb_tunnel_check_pmtu+0x513/0xb80
+ vxlan_xmit_one+0x139e/0x2ef0
+ vxlan_xmit+0x1867/0x2760
+ dev_hard_start_xmit+0x1ee/0x4f0
+ br_dev_queue_push_xmit+0x4d1/0x660
+ [..]
+
+ip_compute_csum() cannot deal with nonlinear skbs, so avoid it.
+After this change, splat is gone and iperf3 is no longer stuck.
+
+Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Link: https://lore.kernel.org/r/20230803152653.29535-2-fw@strlen.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_tunnel_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_tunnel_core.c
++++ b/net/ipv4/ip_tunnel_core.c
+@@ -224,7 +224,7 @@ static int iptunnel_pmtud_build_icmp(str
+ .un.frag.__unused = 0,
+ .un.frag.mtu = htons(mtu),
+ };
+- icmph->checksum = ip_compute_csum(icmph, len);
++ icmph->checksum = csum_fold(skb_checksum(skb, 0, len, 0));
+ skb_reset_transport_header(skb);
+
+ niph = skb_push(skb, sizeof(*niph));
--- /dev/null
+From 718cb09aaa6fa78cc8124e9517efbc6c92665384 Mon Sep 17 00:00:00 2001
+From: Vlad Buslov <vladbu@nvidia.com>
+Date: Tue, 8 Aug 2023 11:35:21 +0200
+Subject: vlan: Fix VLAN 0 memory leak
+
+From: Vlad Buslov <vladbu@nvidia.com>
+
+commit 718cb09aaa6fa78cc8124e9517efbc6c92665384 upstream.
+
+The referenced commit intended to fix memleak of VLAN 0 that is implicitly
+created on devices with NETIF_F_HW_VLAN_CTAG_FILTER feature. However, it
+doesn't take into account that the feature can be re-set during the
+netdevice lifetime which will cause memory leak if feature is disabled
+during the device deletion as illustrated by [0]. Fix the leak by
+unconditionally deleting VLAN 0 on NETDEV_DOWN event.
+
+[0]:
+> modprobe 8021q
+> ip l set dev eth2 up
+> ethtool -K eth2 rx-vlan-filter off
+> modprobe -r mlx5_ib
+> modprobe -r mlx5_core
+> cat /sys/kernel/debug/kmemleak
+unreferenced object 0xffff888103dcd900 (size 256):
+ comm "ip", pid 1490, jiffies 4294907305 (age 325.364s)
+ hex dump (first 32 bytes):
+ 00 80 5d 03 81 88 ff ff 00 00 00 00 00 00 00 00 ..].............
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000899f3bb9>] kmalloc_trace+0x25/0x80
+ [<000000002889a7a2>] vlan_vid_add+0xa0/0x210
+ [<000000007177800e>] vlan_device_event+0x374/0x760 [8021q]
+ [<000000009a0716b1>] notifier_call_chain+0x35/0xb0
+ [<00000000bbf3d162>] __dev_notify_flags+0x58/0xf0
+ [<0000000053d2b05d>] dev_change_flags+0x4d/0x60
+ [<00000000982807e9>] do_setlink+0x28d/0x10a0
+ [<0000000058c1be00>] __rtnl_newlink+0x545/0x980
+ [<00000000e66c3bd9>] rtnl_newlink+0x44/0x70
+ [<00000000a2cc5970>] rtnetlink_rcv_msg+0x29c/0x390
+ [<00000000d307d1e4>] netlink_rcv_skb+0x54/0x100
+ [<00000000259d16f9>] netlink_unicast+0x1f6/0x2c0
+ [<000000007ce2afa1>] netlink_sendmsg+0x232/0x4a0
+ [<00000000f3f4bb39>] sock_sendmsg+0x38/0x60
+ [<000000002f9c0624>] ____sys_sendmsg+0x1e3/0x200
+ [<00000000d6ff5520>] ___sys_sendmsg+0x80/0xc0
+unreferenced object 0xffff88813354fde0 (size 32):
+ comm "ip", pid 1490, jiffies 4294907305 (age 325.364s)
+ hex dump (first 32 bytes):
+ a0 d9 dc 03 81 88 ff ff a0 d9 dc 03 81 88 ff ff ................
+ 81 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000899f3bb9>] kmalloc_trace+0x25/0x80
+ [<000000002da64724>] vlan_vid_add+0xdf/0x210
+ [<000000007177800e>] vlan_device_event+0x374/0x760 [8021q]
+ [<000000009a0716b1>] notifier_call_chain+0x35/0xb0
+ [<00000000bbf3d162>] __dev_notify_flags+0x58/0xf0
+ [<0000000053d2b05d>] dev_change_flags+0x4d/0x60
+ [<00000000982807e9>] do_setlink+0x28d/0x10a0
+ [<0000000058c1be00>] __rtnl_newlink+0x545/0x980
+ [<00000000e66c3bd9>] rtnl_newlink+0x44/0x70
+ [<00000000a2cc5970>] rtnetlink_rcv_msg+0x29c/0x390
+ [<00000000d307d1e4>] netlink_rcv_skb+0x54/0x100
+ [<00000000259d16f9>] netlink_unicast+0x1f6/0x2c0
+ [<000000007ce2afa1>] netlink_sendmsg+0x232/0x4a0
+ [<00000000f3f4bb39>] sock_sendmsg+0x38/0x60
+ [<000000002f9c0624>] ____sys_sendmsg+0x1e3/0x200
+ [<00000000d6ff5520>] ___sys_sendmsg+0x80/0xc0
+
+Fixes: efc73f4bbc23 ("net: Fix memory leak - vlan_info struct")
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
+Link: https://lore.kernel.org/r/20230808093521.1468929-1-vladbu@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/8021q/vlan.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/8021q/vlan.c
++++ b/net/8021q/vlan.c
+@@ -385,8 +385,7 @@ static int vlan_device_event(struct noti
+ dev->name);
+ vlan_vid_add(dev, htons(ETH_P_8021Q), 0);
+ }
+- if (event == NETDEV_DOWN &&
+- (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER))
++ if (event == NETDEV_DOWN)
+ vlan_vid_del(dev, htons(ETH_P_8021Q), 0);
+
+ vlan_info = rtnl_dereference(dev->vlan_info);
--- /dev/null
+From 5fb9a9fb71a33be61d7d8e8ba4597bfb18d604d0 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Thu, 22 Jun 2023 18:59:19 +0200
+Subject: wifi: cfg80211: fix sband iftype data lookup for AP_VLAN
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 5fb9a9fb71a33be61d7d8e8ba4597bfb18d604d0 upstream.
+
+AP_VLAN interfaces are virtual, so doesn't really exist as a type for
+capabilities. When passed in as a type, AP is the one that's really intended.
+
+Fixes: c4cbaf7973a7 ("cfg80211: Add support for HE")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20230622165919.46841-1-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/cfg80211.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/include/net/cfg80211.h
++++ b/include/net/cfg80211.h
+@@ -510,6 +510,9 @@ ieee80211_get_sband_iftype_data(const st
+ if (WARN_ON(iftype >= NL80211_IFTYPE_MAX))
+ return NULL;
+
++ if (iftype == NL80211_IFTYPE_AP_VLAN)
++ iftype = NL80211_IFTYPE_AP;
++
+ for (i = 0; i < sband->n_iftype_data; i++) {
+ const struct ieee80211_sband_iftype_data *data =
+ &sband->iftype_data[i];
--- /dev/null
+From 85c2c79a07302fe68a1ad5cc449458cc559e314d Mon Sep 17 00:00:00 2001
+From: Magnus Karlsson <magnus.karlsson@intel.com>
+Date: Wed, 9 Aug 2023 16:28:43 +0200
+Subject: xsk: fix refcount underflow in error path
+
+From: Magnus Karlsson <magnus.karlsson@intel.com>
+
+commit 85c2c79a07302fe68a1ad5cc449458cc559e314d upstream.
+
+Fix a refcount underflow problem reported by syzbot that can happen
+when a system is running out of memory. If xp_alloc_tx_descs() fails,
+and it can only fail due to not having enough memory, then the error
+path is triggered. In this error path, the refcount of the pool is
+decremented as it has incremented before. However, the reference to
+the pool in the socket was not nulled. This means that when the socket
+is closed later, the socket teardown logic will think that there is a
+pool attached to the socket and try to decrease the refcount again,
+leading to a refcount underflow.
+
+I chose this fix as it involved adding just a single line. Another
+option would have been to move xp_get_pool() and the assignment of
+xs->pool to after the if-statement and using xs_umem->pool instead of
+xs->pool in the whole if-statement resulting in somewhat simpler code,
+but this would have led to much more churn in the code base perhaps
+making it harder to backport.
+
+Fixes: ba3beec2ec1d ("xsk: Fix possible crash when multiple sockets are created")
+Reported-by: syzbot+8ada0057e69293a05fd4@syzkaller.appspotmail.com
+Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Link: https://lore.kernel.org/r/20230809142843.13944-1-magnus.karlsson@gmail.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xdp/xsk.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/xdp/xsk.c
++++ b/net/xdp/xsk.c
+@@ -1001,6 +1001,7 @@ static int xsk_bind(struct socket *sock,
+ err = xp_alloc_tx_descs(xs->pool, xs);
+ if (err) {
+ xp_put_pool(xs->pool);
++ xs->pool = NULL;
+ sockfd_put(sock);
+ goto out_unlock;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
