Fixes for 5.10

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-5.10/af_packet-fix-vlan_get_protocol_dgram-vs-msg_peek.patch b/queue-5.10/af_packet-fix-vlan_get_protocol_dgram-vs-msg_peek.patch
new file mode 100644 (file)
index 0000000..3844d22
--- /dev/null
+++ b/queue-5.10/af_packet-fix-vlan_get_protocol_dgram-vs-msg_peek.patch
@@ -0,0 +1,149 @@
+From 0e76e6895463300c884fea2468855df76006087f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Dec 2024 16:10:04 +0000
+Subject: af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit f91a5b8089389eb408501af2762f168c3aaa7b79 ]
+
+Blamed commit forgot MSG_PEEK case, allowing a crash [1] as found
+by syzbot.
+
+Rework vlan_get_protocol_dgram() to not touch skb at all,
+so that it can be used from many cpus on the same skb.
+
+Add a const qualifier to skb argument.
+
+[1]
+skbuff: skb_under_panic: text:ffffffff8a8ccd05 len:29 put:14 head:ffff88807fc8e400 data:ffff88807fc8e3f4 tail:0x11 end:0x140 dev:<NULL>
+------------[ cut here ]------------
+ kernel BUG at net/core/skbuff.c:206 !
+Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
+CPU: 1 UID: 0 PID: 5892 Comm: syz-executor883 Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
+ RIP: 0010:skb_panic net/core/skbuff.c:206 [inline]
+ RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216
+Code: 0b 8d 48 c7 c6 86 d5 25 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 5a 69 79 f7 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3
+RSP: 0018:ffffc900038d7638 EFLAGS: 00010282
+RAX: 0000000000000087 RBX: dffffc0000000000 RCX: 609ffd18ea660600
+RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
+RBP: ffff88802483c8d0 R08: ffffffff817f0a8c R09: 1ffff9200071ae60
+R10: dffffc0000000000 R11: fffff5200071ae61 R12: 0000000000000140
+R13: ffff88807fc8e400 R14: ffff88807fc8e3f4 R15: 0000000000000011
+FS:  00007fbac5e006c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fbac5e00d58 CR3: 000000001238e000 CR4: 00000000003526f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+  skb_push+0xe5/0x100 net/core/skbuff.c:2636
+  vlan_get_protocol_dgram+0x165/0x290 net/packet/af_packet.c:585
+  packet_recvmsg+0x948/0x1ef0 net/packet/af_packet.c:3552
+  sock_recvmsg_nosec net/socket.c:1033 [inline]
+  sock_recvmsg+0x22f/0x280 net/socket.c:1055
+  ____sys_recvmsg+0x1c6/0x480 net/socket.c:2803
+  ___sys_recvmsg net/socket.c:2845 [inline]
+  do_recvmmsg+0x426/0xab0 net/socket.c:2940
+  __sys_recvmmsg net/socket.c:3014 [inline]
+  __do_sys_recvmmsg net/socket.c:3037 [inline]
+  __se_sys_recvmmsg net/socket.c:3030 [inline]
+  __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3030
+  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 79eecf631c14 ("af_packet: Handle outgoing VLAN packets without hardware offloading")
+Reported-by: syzbot+74f70bb1cb968bf09e4f@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6772c485.050a0220.2f3838.04c5.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Chengen Du <chengen.du@canonical.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/20241230161004.2681892-2-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/if_vlan.h | 16 +++++++++++++---
+ net/packet/af_packet.c  | 16 ++++------------
+ 2 files changed, 17 insertions(+), 15 deletions(-)
+
+diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h
+index ce6714bec65f..64cfe7cd292c 100644
+--- a/include/linux/if_vlan.h
++++ b/include/linux/if_vlan.h
+@@ -582,13 +582,16 @@ static inline int vlan_get_tag(const struct sk_buff *skb, u16 *vlan_tci)
+  * vlan_get_protocol - get protocol EtherType.
+  * @skb: skbuff to query
+  * @type: first vlan protocol
++ * @mac_offset: MAC offset
+  * @depth: buffer to store length of eth and vlan tags in bytes
+  *
+  * Returns the EtherType of the packet, regardless of whether it is
+  * vlan encapsulated (normal or hardware accelerated) or not.
+  */
+-static inline __be16 __vlan_get_protocol(const struct sk_buff *skb, __be16 type,
+-                                       int *depth)
++static inline __be16 __vlan_get_protocol_offset(const struct sk_buff *skb,
++                                              __be16 type,
++                                              int mac_offset,
++                                              int *depth)
+ {
+       unsigned int vlan_depth = skb->mac_len, parse_depth = VLAN_MAX_DEPTH;
+ 
+@@ -607,7 +610,8 @@ static inline __be16 __vlan_get_protocol(const struct sk_buff *skb, __be16 type,
+               do {
+                       struct vlan_hdr vhdr, *vh;
+ 
+-                      vh = skb_header_pointer(skb, vlan_depth, sizeof(vhdr), &vhdr);
++                      vh = skb_header_pointer(skb, mac_offset + vlan_depth,
++                                              sizeof(vhdr), &vhdr);
+                       if (unlikely(!vh || !--parse_depth))
+                               return 0;
+ 
+@@ -622,6 +626,12 @@ static inline __be16 __vlan_get_protocol(const struct sk_buff *skb, __be16 type,
+       return type;
+ }
+ 
++static inline __be16 __vlan_get_protocol(const struct sk_buff *skb, __be16 type,
++                                       int *depth)
++{
++      return __vlan_get_protocol_offset(skb, type, 0, depth);
++}
++
+ /**
+  * vlan_get_protocol - get protocol EtherType.
+  * @skb: skbuff to query
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 49baa5924d74..2f69cf5270db 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -533,21 +533,13 @@ static u16 vlan_get_tci(const struct sk_buff *skb, struct net_device *dev)
+       return ntohs(vh->h_vlan_TCI);
+ }
+ 
+-static __be16 vlan_get_protocol_dgram(struct sk_buff *skb)
++static __be16 vlan_get_protocol_dgram(const struct sk_buff *skb)
+ {
+       __be16 proto = skb->protocol;
+ 
+-      if (unlikely(eth_type_vlan(proto))) {
+-              u8 *skb_orig_data = skb->data;
+-              int skb_orig_len = skb->len;
+-
+-              skb_push(skb, skb->data - skb_mac_header(skb));
+-              proto = __vlan_get_protocol(skb, proto, NULL);
+-              if (skb_orig_data != skb->data) {
+-                      skb->data = skb_orig_data;
+-                      skb->len = skb_orig_len;
+-              }
+-      }
++      if (unlikely(eth_type_vlan(proto)))
++              proto = __vlan_get_protocol_offset(skb, proto,
++                                                 skb_mac_offset(skb), NULL);
+ 
+       return proto;
+ }
+-- 
+2.39.5
+

diff --git a/queue-5.10/af_packet-fix-vlan_get_tci-vs-msg_peek.patch b/queue-5.10/af_packet-fix-vlan_get_tci-vs-msg_peek.patch
new file mode 100644 (file)
index 0000000..abf17a3
--- /dev/null
+++ b/queue-5.10/af_packet-fix-vlan_get_tci-vs-msg_peek.patch
@@ -0,0 +1,102 @@
+From b11aeb156ac942c6a64e791b6d0d2b623c90a811 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Dec 2024 16:10:03 +0000
+Subject: af_packet: fix vlan_get_tci() vs MSG_PEEK
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 77ee7a6d16b6ec07b5c3ae2b6b60a24c1afbed09 ]
+
+Blamed commit forgot MSG_PEEK case, allowing a crash [1] as found
+by syzbot.
+
+Rework vlan_get_tci() to not touch skb at all,
+so that it can be used from many cpus on the same skb.
+
+Add a const qualifier to skb argument.
+
+[1]
+skbuff: skb_under_panic: text:ffffffff8a8da482 len:32 put:14 head:ffff88807a1d5800 data:ffff88807a1d5810 tail:0x14 end:0x140 dev:<NULL>
+------------[ cut here ]------------
+ kernel BUG at net/core/skbuff.c:206 !
+Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
+CPU: 0 UID: 0 PID: 5880 Comm: syz-executor172 Not tainted 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
+ RIP: 0010:skb_panic net/core/skbuff.c:206 [inline]
+ RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216
+Code: 0b 8d 48 c7 c6 9e 6c 26 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 3a 5a 79 f7 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3
+RSP: 0018:ffffc90003baf5b8 EFLAGS: 00010286
+RAX: 0000000000000087 RBX: dffffc0000000000 RCX: 8565c1eec37aa000
+RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
+RBP: ffff88802616fb50 R08: ffffffff817f0a4c R09: 1ffff92000775e50
+R10: dffffc0000000000 R11: fffff52000775e51 R12: 0000000000000140
+R13: ffff88807a1d5800 R14: ffff88807a1d5810 R15: 0000000000000014
+FS:  00007fa03261f6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffd65753000 CR3: 0000000031720000 CR4: 00000000003526f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+  skb_push+0xe5/0x100 net/core/skbuff.c:2636
+  vlan_get_tci+0x272/0x550 net/packet/af_packet.c:565
+  packet_recvmsg+0x13c9/0x1ef0 net/packet/af_packet.c:3616
+  sock_recvmsg_nosec net/socket.c:1044 [inline]
+  sock_recvmsg+0x22f/0x280 net/socket.c:1066
+  ____sys_recvmsg+0x1c6/0x480 net/socket.c:2814
+  ___sys_recvmsg net/socket.c:2856 [inline]
+  do_recvmmsg+0x426/0xab0 net/socket.c:2951
+  __sys_recvmmsg net/socket.c:3025 [inline]
+  __do_sys_recvmmsg net/socket.c:3048 [inline]
+  __se_sys_recvmmsg net/socket.c:3041 [inline]
+  __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3041
+  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+
+Fixes: 79eecf631c14 ("af_packet: Handle outgoing VLAN packets without hardware offloading")
+Reported-by: syzbot+8400677f3fd43f37d3bc@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6772c485.050a0220.2f3838.04c6.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Chengen Du <chengen.du@canonical.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/20241230161004.2681892-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/packet/af_packet.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 01a191c8194b..49baa5924d74 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -503,10 +503,8 @@ static void *packet_current_frame(struct packet_sock *po,
+       return packet_lookup_frame(po, rb, rb->head, status);
+ }
+ 
+-static u16 vlan_get_tci(struct sk_buff *skb, struct net_device *dev)
++static u16 vlan_get_tci(const struct sk_buff *skb, struct net_device *dev)
+ {
+-      u8 *skb_orig_data = skb->data;
+-      int skb_orig_len = skb->len;
+       struct vlan_hdr vhdr, *vh;
+       unsigned int header_len;
+ 
+@@ -527,12 +525,8 @@ static u16 vlan_get_tci(struct sk_buff *skb, struct net_device *dev)
+       else
+               return 0;
+ 
+-      skb_push(skb, skb->data - skb_mac_header(skb));
+-      vh = skb_header_pointer(skb, header_len, sizeof(vhdr), &vhdr);
+-      if (skb_orig_data != skb->data) {
+-              skb->data = skb_orig_data;
+-              skb->len = skb_orig_len;
+-      }
++      vh = skb_header_pointer(skb, skb_mac_offset(skb) + header_len,
++                              sizeof(vhdr), &vhdr);
+       if (unlikely(!vh))
+               return 0;
+ 
+-- 
+2.39.5
+

diff --git a/queue-5.10/alsa-usb-audio-us16x08-initialize-array-before-use.patch b/queue-5.10/alsa-usb-audio-us16x08-initialize-array-before-use.patch
new file mode 100644 (file)
index 0000000..8679c66
--- /dev/null
+++ b/queue-5.10/alsa-usb-audio-us16x08-initialize-array-before-use.patch
@@ -0,0 +1,43 @@
+From 17b431a78a8923d9c0725a239a994b5e1f17115a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Dec 2024 11:32:42 +0530
+Subject: ALSA: usb-audio: US16x08: Initialize array before use
+
+From: Tanya Agarwal <tanyaagarwal25699@gmail.com>
+
+[ Upstream commit b06a6187ef983f501e93faa56209169752d3bde3 ]
+
+Initialize meter_urb array before use in mixer_us16x08.c.
+
+CID 1410197: (#1 of 1): Uninitialized scalar variable (UNINIT)
+uninit_use_in_call: Using uninitialized value *meter_urb when
+calling get_meter_levels_from_urb.
+
+Coverity Link:
+https://scan7.scan.coverity.com/#/project-view/52849/11354?selectedIssue=1410197
+
+Fixes: d2bb390a2081 ("ALSA: usb-audio: Tascam US-16x08 DSP mixer quirk")
+Signed-off-by: Tanya Agarwal <tanyaagarwal25699@gmail.com>
+Link: https://patch.msgid.link/20241229060240.1642-1-tanyaagarwal25699@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/mixer_us16x08.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/usb/mixer_us16x08.c b/sound/usb/mixer_us16x08.c
+index bd63a9ce6a70..3959bbad0c4f 100644
+--- a/sound/usb/mixer_us16x08.c
++++ b/sound/usb/mixer_us16x08.c
+@@ -687,7 +687,7 @@ static int snd_us16x08_meter_get(struct snd_kcontrol *kcontrol,
+       struct usb_mixer_elem_info *elem = kcontrol->private_data;
+       struct snd_usb_audio *chip = elem->head.mixer->chip;
+       struct snd_us16x08_meter_store *store = elem->private_data;
+-      u8 meter_urb[64];
++      u8 meter_urb[64] = {0};
+ 
+       switch (kcontrol->private_value) {
+       case 0: {
+-- 
+2.39.5
+

diff --git a/queue-5.10/drm-bridge-adv7511_audio-update-audio-infoframe-prop.patch b/queue-5.10/drm-bridge-adv7511_audio-update-audio-infoframe-prop.patch
new file mode 100644 (file)
index 0000000..40c27fd
--- /dev/null
+++ b/queue-5.10/drm-bridge-adv7511_audio-update-audio-infoframe-prop.patch
@@ -0,0 +1,74 @@
+From 0a2f3322800d860bae6766cc2001cf04b9d590ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Nov 2024 08:40:29 +0100
+Subject: drm/bridge: adv7511_audio: Update Audio InfoFrame properly
+
+From: Stefan Ekenberg <stefan.ekenberg@axis.com>
+
+[ Upstream commit 902806baf3c1e8383c1fe3ff0b6042b8cb5c2707 ]
+
+AUDIO_UPDATE bit (Bit 5 of MAIN register 0x4A) needs to be set to 1
+while updating Audio InfoFrame information and then set to 0 when done.
+Otherwise partially updated Audio InfoFrames could be sent out. Two
+cases where this rule were not followed are fixed:
+ - In adv7511_hdmi_hw_params() make sure AUDIO_UPDATE bit is updated
+   before/after setting ADV7511_REG_AUDIO_INFOFRAME.
+ - In audio_startup() use the correct register for clearing
+   AUDIO_UPDATE bit.
+
+The problem with corrupted audio infoframes were discovered by letting
+a HDMI logic analyser check the output of ADV7535.
+
+Note that this patchs replaces writing REG_GC(1) with
+REG_INFOFRAME_UPDATE. Bit 5 of REG_GC(1) is positioned within field
+GC_PP[3:0] and that field doesn't control audio infoframe and is read-
+only. My conclusion therefore was that the author if this code meant to
+clear bit 5 of REG_INFOFRAME_UPDATE from the very beginning.
+
+Tested-by: Biju Das <biju.das.jz@bp.renesas.com>
+Fixes: 53c515befe28 ("drm/bridge: adv7511: Add Audio support")
+Signed-off-by: Stefan Ekenberg <stefan.ekenberg@axis.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241119-adv7511-audio-info-frame-v4-1-4ae68e76c89c@axis.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c b/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c
+index f101dd2819b5..0a1ac11e2e4f 100644
+--- a/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c
++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c
+@@ -147,7 +147,16 @@ int adv7511_hdmi_hw_params(struct device *dev, void *data,
+                          ADV7511_AUDIO_CFG3_LEN_MASK, len);
+       regmap_update_bits(adv7511->regmap, ADV7511_REG_I2C_FREQ_ID_CFG,
+                          ADV7511_I2C_FREQ_ID_CFG_RATE_MASK, rate << 4);
+-      regmap_write(adv7511->regmap, 0x73, 0x1);
++
++      /* send current Audio infoframe values while updating */
++      regmap_update_bits(adv7511->regmap, ADV7511_REG_INFOFRAME_UPDATE,
++                         BIT(5), BIT(5));
++
++      regmap_write(adv7511->regmap, ADV7511_REG_AUDIO_INFOFRAME(0), 0x1);
++
++      /* use Audio infoframe updated info */
++      regmap_update_bits(adv7511->regmap, ADV7511_REG_INFOFRAME_UPDATE,
++                         BIT(5), 0);
+ 
+       return 0;
+ }
+@@ -178,8 +187,9 @@ static int audio_startup(struct device *dev, void *data)
+       regmap_update_bits(adv7511->regmap, ADV7511_REG_GC(0),
+                               BIT(7) | BIT(6), BIT(7));
+       /* use Audio infoframe updated info */
+-      regmap_update_bits(adv7511->regmap, ADV7511_REG_GC(1),
++      regmap_update_bits(adv7511->regmap, ADV7511_REG_INFOFRAME_UPDATE,
+                               BIT(5), 0);
++
+       /* enable SPDIF receiver */
+       if (adv7511->audio_source == ADV7511_AUDIO_SOURCE_SPDIF)
+               regmap_update_bits(adv7511->regmap, ADV7511_REG_AUDIO_CONFIG,
+-- 
+2.39.5
+

diff --git a/queue-5.10/eth-bcmsysport-fix-call-balance-of-priv-clk-handling.patch b/queue-5.10/eth-bcmsysport-fix-call-balance-of-priv-clk-handling.patch
new file mode 100644 (file)
index 0000000..ad9128c
--- /dev/null
+++ b/queue-5.10/eth-bcmsysport-fix-call-balance-of-priv-clk-handling.patch
@@ -0,0 +1,82 @@
+From ade6a3a28bd13f0e15cdc88d77fbc8f784e8fe83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Dec 2024 15:30:07 +0300
+Subject: eth: bcmsysport: fix call balance of priv->clk handling routines
+
+From: Vitalii Mordan <mordan@ispras.ru>
+
+[ Upstream commit b255ef45fcc2141c1bf98456796abb956d843a27 ]
+
+Check the return value of clk_prepare_enable to ensure that priv->clk has
+been successfully enabled.
+
+If priv->clk was not enabled during bcm_sysport_probe, bcm_sysport_resume,
+or bcm_sysport_open, it must not be disabled in any subsequent execution
+paths.
+
+Fixes: 31bc72d97656 ("net: systemport: fetch and use clock resources")
+Signed-off-by: Vitalii Mordan <mordan@ispras.ru>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20241227123007.2333397-1-mordan@ispras.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c
+index ae1cf2ead9a9..1c6b7808a100 100644
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -1951,7 +1951,11 @@ static int bcm_sysport_open(struct net_device *dev)
+       unsigned int i;
+       int ret;
+ 
+-      clk_prepare_enable(priv->clk);
++      ret = clk_prepare_enable(priv->clk);
++      if (ret) {
++              netdev_err(dev, "could not enable priv clock\n");
++              return ret;
++      }
+ 
+       /* Reset UniMAC */
+       umac_reset(priv);
+@@ -2622,7 +2626,11 @@ static int bcm_sysport_probe(struct platform_device *pdev)
+               goto err_deregister_notifier;
+       }
+ 
+-      clk_prepare_enable(priv->clk);
++      ret = clk_prepare_enable(priv->clk);
++      if (ret) {
++              dev_err(&pdev->dev, "could not enable priv clock\n");
++              goto err_deregister_netdev;
++      }
+ 
+       priv->rev = topctrl_readl(priv, REV_CNTL) & REV_MASK;
+       dev_info(&pdev->dev,
+@@ -2636,6 +2644,8 @@ static int bcm_sysport_probe(struct platform_device *pdev)
+ 
+       return 0;
+ 
++err_deregister_netdev:
++      unregister_netdev(dev);
+ err_deregister_notifier:
+       unregister_dsa_notifier(&priv->dsa_notifier);
+ err_deregister_fixed_link:
+@@ -2807,7 +2817,12 @@ static int __maybe_unused bcm_sysport_resume(struct device *d)
+       if (!netif_running(dev))
+               return 0;
+ 
+-      clk_prepare_enable(priv->clk);
++      ret = clk_prepare_enable(priv->clk);
++      if (ret) {
++              netdev_err(dev, "could not enable priv clock\n");
++              return ret;
++      }
++
+       if (priv->wolopts)
+               clk_disable_unprepare(priv->wol_clk);
+ 
+-- 
+2.39.5
+

diff --git a/queue-5.10/ila-serialize-calls-to-nf_register_net_hooks.patch b/queue-5.10/ila-serialize-calls-to-nf_register_net_hooks.patch
new file mode 100644 (file)
index 0000000..ead6d2b
--- /dev/null
+++ b/queue-5.10/ila-serialize-calls-to-nf_register_net_hooks.patch
@@ -0,0 +1,113 @@
+From 56dc1fdf836a0425196a2efdd8f32957fabfa475 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Dec 2024 16:28:49 +0000
+Subject: ila: serialize calls to nf_register_net_hooks()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 260466b576bca0081a7d4acecc8e93687aa22d0e ]
+
+syzbot found a race in ila_add_mapping() [1]
+
+commit 031ae72825ce ("ila: call nf_unregister_net_hooks() sooner")
+attempted to fix a similar issue.
+
+Looking at the syzbot repro, we have concurrent ILA_CMD_ADD commands.
+
+Add a mutex to make sure at most one thread is calling nf_register_net_hooks().
+
+[1]
+ BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]
+ BUG: KASAN: slab-use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
+Read of size 4 at addr ffff888028f40008 by task dhcpcd/5501
+
+CPU: 1 UID: 0 PID: 5501 Comm: dhcpcd Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
+Call Trace:
+ <IRQ>
+  __dump_stack lib/dump_stack.c:94 [inline]
+  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
+  print_address_description mm/kasan/report.c:378 [inline]
+  print_report+0xc3/0x620 mm/kasan/report.c:489
+  kasan_report+0xd9/0x110 mm/kasan/report.c:602
+  rht_key_hashfn include/linux/rhashtable.h:159 [inline]
+  __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
+  rhashtable_lookup include/linux/rhashtable.h:646 [inline]
+  rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
+  ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline]
+  ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]
+  ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:185
+  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
+  nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626
+  nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269
+  NF_HOOK include/linux/netfilter.h:312 [inline]
+  ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309
+  __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5672
+  __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785
+  process_backlog+0x443/0x15f0 net/core/dev.c:6117
+  __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6883
+  napi_poll net/core/dev.c:6952 [inline]
+  net_rx_action+0xa94/0x1010 net/core/dev.c:7074
+  handle_softirqs+0x213/0x8f0 kernel/softirq.c:561
+  __do_softirq kernel/softirq.c:595 [inline]
+  invoke_softirq kernel/softirq.c:435 [inline]
+  __irq_exit_rcu+0x109/0x170 kernel/softirq.c:662
+  irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
+  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
+  sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049
+
+Fixes: 7f00feaf1076 ("ila: Add generic ILA translation facility")
+Reported-by: syzbot+47e761d22ecf745f72b9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6772c9ae.050a0220.2f3838.04c7.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Florian Westphal <fw@strlen.de>
+Cc: Tom Herbert <tom@herbertland.com>
+Link: https://patch.msgid.link/20241230162849.2795486-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ila/ila_xlat.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv6/ila/ila_xlat.c b/net/ipv6/ila/ila_xlat.c
+index 1f7b674b7c58..31ad5ac74ee7 100644
+--- a/net/ipv6/ila/ila_xlat.c
++++ b/net/ipv6/ila/ila_xlat.c
+@@ -201,6 +201,8 @@ static const struct nf_hook_ops ila_nf_hook_ops[] = {
+       },
+ };
+ 
++static DEFINE_MUTEX(ila_mutex);
++
+ static int ila_add_mapping(struct net *net, struct ila_xlat_params *xp)
+ {
+       struct ila_net *ilan = net_generic(net, ila_net_id);
+@@ -208,16 +210,20 @@ static int ila_add_mapping(struct net *net, struct ila_xlat_params *xp)
+       spinlock_t *lock = ila_get_lock(ilan, xp->ip.locator_match);
+       int err = 0, order;
+ 
+-      if (!ilan->xlat.hooks_registered) {
++      if (!READ_ONCE(ilan->xlat.hooks_registered)) {
+               /* We defer registering net hooks in the namespace until the
+                * first mapping is added.
+                */
+-              err = nf_register_net_hooks(net, ila_nf_hook_ops,
+-                                          ARRAY_SIZE(ila_nf_hook_ops));
++              mutex_lock(&ila_mutex);
++              if (!ilan->xlat.hooks_registered) {
++                      err = nf_register_net_hooks(net, ila_nf_hook_ops,
++                                              ARRAY_SIZE(ila_nf_hook_ops));
++                      if (!err)
++                              WRITE_ONCE(ilan->xlat.hooks_registered, true);
++              }
++              mutex_unlock(&ila_mutex);
+               if (err)
+                       return err;
+-
+-              ilan->xlat.hooks_registered = true;
+       }
+ 
+       ila = kzalloc(sizeof(*ila), GFP_KERNEL);
+-- 
+2.39.5
+

diff --git a/queue-5.10/net-llc-reset-skb-transport_header.patch b/queue-5.10/net-llc-reset-skb-transport_header.patch
new file mode 100644 (file)
index 0000000..960d5d9
--- /dev/null
+++ b/queue-5.10/net-llc-reset-skb-transport_header.patch
@@ -0,0 +1,62 @@
+From 3bbfe2f211d5187c69ad62a15511a3b4275ef837 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Dec 2024 20:07:20 -0500
+Subject: net: llc: reset skb->transport_header
+
+From: Antonio Pastor <antonio.pastor@gmail.com>
+
+[ Upstream commit a024e377efed31ecfb39210bed562932321345b3 ]
+
+802.2+LLC+SNAP frames received by napi_complete_done with GRO and DSA
+have skb->transport_header set two bytes short, or pointing 2 bytes
+before network_header & skb->data. As snap_rcv expects transport_header
+to point to SNAP header (OID:PID) after LLC processing advances offset
+over LLC header (llc_rcv & llc_fixup_skb), code doesn't find a match
+and packet is dropped.
+
+Between napi_complete_done and snap_rcv, transport_header is not used
+until __netif_receive_skb_core, where originally it was being reset.
+Commit fda55eca5a33 ("net: introduce skb_transport_header_was_set()")
+only does so if not set, on the assumption the value was set correctly
+by GRO (and also on assumption that "network stacks usually reset the
+transport header anyway"). Afterwards it is moved forward by
+llc_fixup_skb.
+
+Locally generated traffic shows up at __netif_receive_skb_core with no
+transport_header set and is processed without issue. On a setup with
+GRO but no DSA, transport_header and network_header are both set to
+point to skb->data which is also correct.
+
+As issue is LLC specific, to avoid impacting non-LLC traffic, and to
+follow up on original assumption made on previous code change,
+llc_fixup_skb to reset the offset after skb pull. llc_fixup_skb
+assumes the LLC header is at skb->data, and by definition SNAP header
+immediately follows.
+
+Fixes: fda55eca5a33 ("net: introduce skb_transport_header_was_set()")
+Signed-off-by: Antonio Pastor <antonio.pastor@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20241225010723.2830290-1-antonio.pastor@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/llc/llc_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c
+index 51bccfb00a9c..61b0159b2fbe 100644
+--- a/net/llc/llc_input.c
++++ b/net/llc/llc_input.c
+@@ -124,8 +124,8 @@ static inline int llc_fixup_skb(struct sk_buff *skb)
+       if (unlikely(!pskb_may_pull(skb, llc_len)))
+               return 0;
+ 
+-      skb->transport_header += llc_len;
+       skb_pull(skb, llc_len);
++      skb_reset_transport_header(skb);
+       if (skb->protocol == htons(ETH_P_802_2)) {
+               __be16 pdulen;
+               s32 data_size;
+-- 
+2.39.5
+

diff --git a/queue-5.10/net-mlx5-make-api-mlx5_core_is_ecpf-accept-const-poi.patch b/queue-5.10/net-mlx5-make-api-mlx5_core_is_ecpf-accept-const-poi.patch
new file mode 100644 (file)
index 0000000..fb0828e
--- /dev/null
+++ b/queue-5.10/net-mlx5-make-api-mlx5_core_is_ecpf-accept-const-poi.patch
@@ -0,0 +1,37 @@
+From 584443e294603b69318be0dc26b648204daf1c23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Nov 2020 15:03:36 -0800
+Subject: net/mlx5: Make API mlx5_core_is_ecpf accept const pointer
+
+From: Parav Pandit <parav@nvidia.com>
+
+[ Upstream commit 3b1e58aa832ed537289be6a51a2015309688a90c ]
+
+Subsequent patch implements helper API which has mlx5_core_dev
+as const pointer, make its caller API too const *.
+
+Signed-off-by: Parav Pandit <parav@nvidia.com>
+Reviewed-by: Bodong Wang <bodong@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Stable-dep-of: e05feab22fd7 ("RDMA/mlx5: Enforce same type port association for multiport RoCE")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/mlx5/driver.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
+index 2cd89af4dbf6..30d7716675b4 100644
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -1142,7 +1142,7 @@ static inline bool mlx5_core_is_vf(const struct mlx5_core_dev *dev)
+       return dev->coredev_type == MLX5_COREDEV_VF;
+ }
+ 
+-static inline bool mlx5_core_is_ecpf(struct mlx5_core_dev *dev)
++static inline bool mlx5_core_is_ecpf(const struct mlx5_core_dev *dev)
+ {
+       return dev->caps.embedded_cpu;
+ }
+-- 
+2.39.5
+

diff --git a/queue-5.10/netfilter-nft_set_hash-unaligned-atomic-read-on-stru.patch b/queue-5.10/netfilter-nft_set_hash-unaligned-atomic-read-on-stru.patch
new file mode 100644 (file)
index 0000000..ba270c4
--- /dev/null
+++ b/queue-5.10/netfilter-nft_set_hash-unaligned-atomic-read-on-stru.patch
@@ -0,0 +1,96 @@
+From e022a983442f60205fcc5d9fbd78e32c5c411e13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Dec 2024 00:29:20 +0100
+Subject: netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 542ed8145e6f9392e3d0a86a0e9027d2ffd183e4 ]
+
+Access to genmask field in struct nft_set_ext results in unaligned
+atomic read:
+
+[   72.130109] Unable to handle kernel paging request at virtual address ffff0000c2bb708c
+[   72.131036] Mem abort info:
+[   72.131213]   ESR = 0x0000000096000021
+[   72.131446]   EC = 0x25: DABT (current EL), IL = 32 bits
+[   72.132209]   SET = 0, FnV = 0
+[   72.133216]   EA = 0, S1PTW = 0
+[   72.134080]   FSC = 0x21: alignment fault
+[   72.135593] Data abort info:
+[   72.137194]   ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000
+[   72.142351]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+[   72.145989]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+[   72.150115] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000237d27000
+[   72.154893] [ffff0000c2bb708c] pgd=0000000000000000, p4d=180000023ffff403, pud=180000023f84b403, pmd=180000023f835403,
++pte=0068000102bb7707
+[   72.163021] Internal error: Oops: 0000000096000021 [#1] SMP
+[...]
+[   72.170041] CPU: 7 UID: 0 PID: 54 Comm: kworker/7:0 Tainted: G            E      6.13.0-rc3+ #2
+[   72.170509] Tainted: [E]=UNSIGNED_MODULE
+[   72.170720] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-stable202302-for-qemu 03/01/2023
+[   72.171192] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]
+[   72.171552] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
+[   72.171915] pc : nft_rhash_gc+0x200/0x2d8 [nf_tables]
+[   72.172166] lr : nft_rhash_gc+0x128/0x2d8 [nf_tables]
+[   72.172546] sp : ffff800081f2bce0
+[   72.172724] x29: ffff800081f2bd40 x28: ffff0000c2bb708c x27: 0000000000000038
+[   72.173078] x26: ffff0000c6780ef0 x25: ffff0000c643df00 x24: ffff0000c6778f78
+[   72.173431] x23: 000000000000001a x22: ffff0000c4b1f000 x21: ffff0000c6780f78
+[   72.173782] x20: ffff0000c2bb70dc x19: ffff0000c2bb7080 x18: 0000000000000000
+[   72.174135] x17: ffff0000c0a4e1c0 x16: 0000000000003000 x15: 0000ac26d173b978
+[   72.174485] x14: ffffffffffffffff x13: 0000000000000030 x12: ffff0000c6780ef0
+[   72.174841] x11: 0000000000000000 x10: ffff800081f2bcf8 x9 : ffff0000c3000000
+[   72.175193] x8 : 00000000000004be x7 : 0000000000000000 x6 : 0000000000000000
+[   72.175544] x5 : 0000000000000040 x4 : ffff0000c3000010 x3 : 0000000000000000
+[   72.175871] x2 : 0000000000003a98 x1 : ffff0000c2bb708c x0 : 0000000000000004
+[   72.176207] Call trace:
+[   72.176316]  nft_rhash_gc+0x200/0x2d8 [nf_tables] (P)
+[   72.176653]  process_one_work+0x178/0x3d0
+[   72.176831]  worker_thread+0x200/0x3f0
+[   72.176995]  kthread+0xe8/0xf8
+[   72.177130]  ret_from_fork+0x10/0x20
+[   72.177289] Code: 54fff984 d503201f d2800080 91003261 (f820303f)
+[   72.177557] ---[ end trace 0000000000000000 ]---
+
+Align struct nft_set_ext to word size to address this and
+documentation it.
+
+pahole reports that this increases the size of elements for rhash and
+pipapo in 8 bytes on x86_64.
+
+Fixes: 7ffc7481153b ("netfilter: nft_set_hash: skip duplicated elements pending gc run")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_tables.h | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
+index 484f9cdf2dd0..31edeafeda77 100644
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -609,15 +609,18 @@ struct nft_set_ext_tmpl {
+ /**
+  *    struct nft_set_ext - set extensions
+  *
+- *    @genmask: generation mask
++ *    @genmask: generation mask, but also flags (see NFT_SET_ELEM_DEAD_BIT)
+  *    @offset: offsets of individual extension types
+  *    @data: beginning of extension data
++ *
++ *    This structure must be aligned to word size, otherwise atomic bitops
++ *    on genmask field can cause alignment failure on some archs.
+  */
+ struct nft_set_ext {
+       u8      genmask;
+       u8      offset[NFT_SET_EXT_NUM];
+       char    data[];
+-};
++} __aligned(BITS_PER_LONG / 8);
+ 
+ static inline void nft_set_ext_prepare(struct nft_set_ext_tmpl *tmpl)
+ {
+-- 
+2.39.5
+

diff --git a/queue-5.10/netrom-check-buffer-length-before-accessing-it.patch b/queue-5.10/netrom-check-buffer-length-before-accessing-it.patch
new file mode 100644 (file)
index 0000000..0888c0c
--- /dev/null
+++ b/queue-5.10/netrom-check-buffer-length-before-accessing-it.patch
@@ -0,0 +1,105 @@
+From be049cbe5de406ec1cca91dd1d687f2b60dd4b01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Dec 2024 08:23:07 +0000
+Subject: netrom: check buffer length before accessing it
+
+From: Ilya Shchipletsov <rabbelkin@mail.ru>
+
+[ Upstream commit a4fd163aed2edd967a244499754dec991d8b4c7d ]
+
+Syzkaller reports an uninit value read from ax25cmp when sending raw message
+through ieee802154 implementation.
+
+=====================================================
+BUG: KMSAN: uninit-value in ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119
+ ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119
+ nr_dev_get+0x20e/0x450 net/netrom/nr_route.c:601
+ nr_route_frame+0x1a2/0xfc0 net/netrom/nr_route.c:774
+ nr_xmit+0x5a/0x1c0 net/netrom/nr_dev.c:144
+ __netdev_start_xmit include/linux/netdevice.h:4940 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4954 [inline]
+ xmit_one net/core/dev.c:3548 [inline]
+ dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564
+ __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349
+ dev_queue_xmit include/linux/netdevice.h:3134 [inline]
+ raw_sendmsg+0x654/0xc10 net/ieee802154/socket.c:299
+ ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg net/socket.c:745 [inline]
+ ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
+ ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
+ __sys_sendmsg net/socket.c:2667 [inline]
+ __do_sys_sendmsg net/socket.c:2676 [inline]
+ __se_sys_sendmsg net/socket.c:2674 [inline]
+ __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+Uninit was created at:
+ slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
+ slab_alloc_node mm/slub.c:3478 [inline]
+ kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523
+ kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
+ __alloc_skb+0x318/0x740 net/core/skbuff.c:651
+ alloc_skb include/linux/skbuff.h:1286 [inline]
+ alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334
+ sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2780
+ sock_alloc_send_skb include/net/sock.h:1884 [inline]
+ raw_sendmsg+0x36d/0xc10 net/ieee802154/socket.c:282
+ ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg net/socket.c:745 [inline]
+ ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
+ ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
+ __sys_sendmsg net/socket.c:2667 [inline]
+ __do_sys_sendmsg net/socket.c:2676 [inline]
+ __se_sys_sendmsg net/socket.c:2674 [inline]
+ __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+CPU: 0 PID: 5037 Comm: syz-executor166 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
+=====================================================
+
+This issue occurs because the skb buffer is too small, and it's actual
+allocation is aligned. This hides an actual issue, which is that nr_route_frame
+does not validate the buffer size before using it.
+
+Fix this issue by checking skb->len before accessing any fields in skb->data.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Co-developed-by: Nikita Marushkin <hfggklm@gmail.com>
+Signed-off-by: Nikita Marushkin <hfggklm@gmail.com>
+Signed-off-by: Ilya Shchipletsov <rabbelkin@mail.ru>
+Link: https://patch.msgid.link/20241219082308.3942-1-rabbelkin@mail.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/nr_route.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c
+index 9269b5e69b9a..8e15a0c96614 100644
+--- a/net/netrom/nr_route.c
++++ b/net/netrom/nr_route.c
+@@ -751,6 +751,12 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25)
+       int ret;
+       struct sk_buff *skbn;
+ 
++      /*
++       * Reject malformed packets early. Check that it contains at least 2
++       * addresses and 1 byte more for Time-To-Live
++       */
++      if (skb->len < 2 * sizeof(ax25_address) + 1)
++              return 0;
+ 
+       nr_src  = (ax25_address *)(skb->data + 0);
+       nr_dest = (ax25_address *)(skb->data + 7);
+-- 
+2.39.5
+

diff --git a/queue-5.10/rdma-bnxt_re-add-check-for-path-mtu-in-modify_qp.patch b/queue-5.10/rdma-bnxt_re-add-check-for-path-mtu-in-modify_qp.patch
new file mode 100644 (file)
index 0000000..3975ff2
--- /dev/null
+++ b/queue-5.10/rdma-bnxt_re-add-check-for-path-mtu-in-modify_qp.patch
@@ -0,0 +1,64 @@
+From a0dbd3462999c223166d1c7bb895966e2e97bcdc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2024 14:09:28 +0530
+Subject: RDMA/bnxt_re: Add check for path mtu in modify_qp
+
+From: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
+
+[ Upstream commit 798653a0ee30d3cd495099282751c0f248614ae7 ]
+
+When RDMA app configures path MTU, add a check in modify_qp verb
+to make sure that it doesn't go beyond interface MTU. If this
+check fails, driver will fail the modify_qp verb.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Link: https://patch.msgid.link/20241211083931.968831-3-kalesh-anakkur.purayil@broadcom.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c | 26 +++++++++++++-----------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+index 9ffd28ab526a..ea03da8056af 100644
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -1938,18 +1938,20 @@ int bnxt_re_modify_qp(struct ib_qp *ib_qp, struct ib_qp_attr *qp_attr,
+               }
+       }
+ 
+-      if (qp_attr_mask & IB_QP_PATH_MTU) {
+-              qp->qplib_qp.modify_flags |=
+-                              CMDQ_MODIFY_QP_MODIFY_MASK_PATH_MTU;
+-              qp->qplib_qp.path_mtu = __from_ib_mtu(qp_attr->path_mtu);
+-              qp->qplib_qp.mtu = ib_mtu_enum_to_int(qp_attr->path_mtu);
+-      } else if (qp_attr->qp_state == IB_QPS_RTR) {
+-              qp->qplib_qp.modify_flags |=
+-                      CMDQ_MODIFY_QP_MODIFY_MASK_PATH_MTU;
+-              qp->qplib_qp.path_mtu =
+-                      __from_ib_mtu(iboe_get_mtu(rdev->netdev->mtu));
+-              qp->qplib_qp.mtu =
+-                      ib_mtu_enum_to_int(iboe_get_mtu(rdev->netdev->mtu));
++      if (qp_attr->qp_state == IB_QPS_RTR) {
++              enum ib_mtu qpmtu;
++
++              qpmtu = iboe_get_mtu(rdev->netdev->mtu);
++              if (qp_attr_mask & IB_QP_PATH_MTU) {
++                      if (ib_mtu_enum_to_int(qp_attr->path_mtu) >
++                          ib_mtu_enum_to_int(qpmtu))
++                              return -EINVAL;
++                      qpmtu = qp_attr->path_mtu;
++              }
++
++              qp->qplib_qp.modify_flags |= CMDQ_MODIFY_QP_MODIFY_MASK_PATH_MTU;
++              qp->qplib_qp.path_mtu = __from_ib_mtu(qpmtu);
++              qp->qplib_qp.mtu = ib_mtu_enum_to_int(qpmtu);
+       }
+ 
+       if (qp_attr_mask & IB_QP_TIMEOUT) {
+-- 
+2.39.5
+

diff --git a/queue-5.10/rdma-bnxt_re-fix-max_qp_wrs-reported.patch b/queue-5.10/rdma-bnxt_re-fix-max_qp_wrs-reported.patch
new file mode 100644 (file)
index 0000000..82e4b4f
--- /dev/null
+++ b/queue-5.10/rdma-bnxt_re-fix-max_qp_wrs-reported.patch
@@ -0,0 +1,40 @@
+From cfd08b0d61c0557812a07bfb2dd96171fd1cd8ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Nov 2020 05:13:06 -0800
+Subject: RDMA/bnxt_re: Fix max_qp_wrs reported
+
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+
+[ Upstream commit c63e1c4dfc33d1bdae395ee8fbcbfad4830b12c0 ]
+
+While creating qps, the driver adds one extra entry to the sq size passed
+by the ULPs in order to avoid queue full condition.  When ULPs creates QPs
+with max_qp_wr reported, driver creates QP with 1 more than the max_wqes
+supported by HW. Create QP fails in this case. To avoid this error, reduce
+1 entry in max_qp_wqes and report it to the stack.
+
+Link: https://lore.kernel.org/r/1606741986-16477-1-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Devesh Sharma <devesh.sharma@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_sp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.c b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
+index f53d94c812ec..f9ceb19dc993 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
+@@ -118,7 +118,7 @@ int bnxt_qplib_get_dev_attr(struct bnxt_qplib_rcfw *rcfw,
+        * 128 WQEs needs to be reserved for the HW (8916). Prevent
+        * reporting the max number
+        */
+-      attr->max_qp_wqes -= BNXT_QPLIB_RESERVED_QP_WRS;
++      attr->max_qp_wqes -= BNXT_QPLIB_RESERVED_QP_WRS + 1;
+       attr->max_qp_sges = bnxt_qplib_is_chip_gen_p5(rcfw->res->cctx) ?
+                           6 : sb->max_sge;
+       attr->max_cq = le32_to_cpu(sb->max_cq);
+-- 
+2.39.5
+

diff --git a/queue-5.10/rdma-bnxt_re-fix-reporting-hw_ver-in-query_device.patch b/queue-5.10/rdma-bnxt_re-fix-reporting-hw_ver-in-query_device.patch
new file mode 100644 (file)
index 0000000..b72315d
--- /dev/null
+++ b/queue-5.10/rdma-bnxt_re-fix-reporting-hw_ver-in-query_device.patch
@@ -0,0 +1,41 @@
+From 8f04682e21bb989ad8fed8bccc87949838072809 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2024 14:09:31 +0530
+Subject: RDMA/bnxt_re: Fix reporting hw_ver in query_device
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit 7179fe0074a3c962e43a9e51169304c4911989ed ]
+
+Driver currently populates subsystem_device id in the
+"hw_ver" field of ib_attr structure in query_device.
+
+Updated to populate PCI revision ID.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Reviewed-by: Preethi G <preethi.gurusiddalingeswaraswamy@broadcom.com>
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Link: https://patch.msgid.link/20241211083931.968831-6-kalesh-anakkur.purayil@broadcom.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+index ea03da8056af..089d7de829a0 100644
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -137,7 +137,7 @@ int bnxt_re_query_device(struct ib_device *ibdev,
+ 
+       ib_attr->vendor_id = rdev->en_dev->pdev->vendor;
+       ib_attr->vendor_part_id = rdev->en_dev->pdev->device;
+-      ib_attr->hw_ver = rdev->en_dev->pdev->subsystem_device;
++      ib_attr->hw_ver = rdev->en_dev->pdev->revision;
+       ib_attr->max_qp = dev_attr->max_qp;
+       ib_attr->max_qp_wr = dev_attr->max_qp_wqes;
+       ib_attr->device_cap_flags =
+-- 
+2.39.5
+

diff --git a/queue-5.10/rdma-bnxt_re-fix-the-locking-while-accessing-the-qp-.patch b/queue-5.10/rdma-bnxt_re-fix-the-locking-while-accessing-the-qp-.patch
new file mode 100644 (file)
index 0000000..5bfb0eb
--- /dev/null
+++ b/queue-5.10/rdma-bnxt_re-fix-the-locking-while-accessing-the-qp-.patch
@@ -0,0 +1,43 @@
+From c0b045f06789b12491a14a2231015bbb0549543b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Dec 2024 15:56:49 +0530
+Subject: RDMA/bnxt_re: Fix the locking while accessing the QP table
+
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+
+[ Upstream commit 9272cba0ded71b5a2084da3004ec7806b8cb7fd2 ]
+
+QP table handling is synchronized with destroy QP and Async
+event from the HW. The same needs to be synchronized
+during create_qp also. Use the same lock in create_qp also.
+
+Fixes: 76d3ddff7153 ("RDMA/bnxt_re: synchronize the qp-handle table array")
+Fixes: f218d67ef004 ("RDMA/bnxt_re: Allow posting when QPs are in error")
+Fixes: 84cf229f4001 ("RDMA/bnxt_re: Fix the qp table indexing")
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Link: https://patch.msgid.link/20241217102649.1377704-6-kalesh-anakkur.purayil@broadcom.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_fp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+index 5f79371a1386..4ed78d25b6e9 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+@@ -1126,9 +1126,11 @@ int bnxt_qplib_create_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp)
+               rq->dbinfo.db = qp->dpi->dbr;
+               rq->dbinfo.max_slot = bnxt_qplib_set_rq_max_slot(rq->wqe_size);
+       }
++      spin_lock_bh(&rcfw->tbl_lock);
+       tbl_indx = map_qp_id_to_tbl_indx(qp->id, rcfw);
+       rcfw->qp_tbl[tbl_indx].qp_id = qp->id;
+       rcfw->qp_tbl[tbl_indx].qp_handle = (void *)qp;
++      spin_unlock_bh(&rcfw->tbl_lock);
+ 
+       return 0;
+ fail:
+-- 
+2.39.5
+

diff --git a/queue-5.10/rdma-mlx5-enforce-same-type-port-association-for-mul.patch b/queue-5.10/rdma-mlx5-enforce-same-type-port-association-for-mul.patch
new file mode 100644 (file)
index 0000000..72f4f23
--- /dev/null
+++ b/queue-5.10/rdma-mlx5-enforce-same-type-port-association-for-mul.patch
@@ -0,0 +1,69 @@
+From 693213fdbc77bf655b7b465e1a38e79c9448eb5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2024 15:45:37 +0200
+Subject: RDMA/mlx5: Enforce same type port association for multiport RoCE
+
+From: Patrisious Haddad <phaddad@nvidia.com>
+
+[ Upstream commit e05feab22fd7dabcd6d272c4e2401ec1acdfdb9b ]
+
+Different core device types such as PFs and VFs shouldn't be affiliated
+together since they have different capabilities, fix that by enforcing
+type check before doing the affiliation.
+
+Fixes: 32f69e4be269 ("{net, IB}/mlx5: Manage port association for multiport RoCE")
+Reviewed-by: Mark Bloch <mbloch@nvidia.com>
+Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
+Link: https://patch.msgid.link/88699500f690dff1c1852c1ddb71f8a1cc8b956e.1733233480.git.leonro@nvidia.com
+Reviewed-by: Mateusz Polchlopek <mateusz.polchlopek@intel.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 6 ++++--
+ include/linux/mlx5/driver.h       | 6 ++++++
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
+index d36436d4277a..1800cea46b2d 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -3565,7 +3565,8 @@ static int mlx5_ib_init_multiport_master(struct mlx5_ib_dev *dev)
+               list_for_each_entry(mpi, &mlx5_ib_unaffiliated_port_list,
+                                   list) {
+                       if (dev->sys_image_guid == mpi->sys_image_guid &&
+-                          (mlx5_core_native_port_num(mpi->mdev) - 1) == i) {
++                          (mlx5_core_native_port_num(mpi->mdev) - 1) == i &&
++                          mlx5_core_same_coredev_type(dev->mdev, mpi->mdev)) {
+                               bound = mlx5_ib_bind_slave_port(dev, mpi);
+                       }
+ 
+@@ -4766,7 +4767,8 @@ static void *mlx5_ib_add_slave_port(struct mlx5_core_dev *mdev)
+ 
+       mutex_lock(&mlx5_ib_multiport_mutex);
+       list_for_each_entry(dev, &mlx5_ib_dev_list, ib_dev_list) {
+-              if (dev->sys_image_guid == mpi->sys_image_guid)
++              if (dev->sys_image_guid == mpi->sys_image_guid &&
++                  mlx5_core_same_coredev_type(dev->mdev, mpi->mdev))
+                       bound = mlx5_ib_bind_slave_port(dev, mpi);
+ 
+               if (bound) {
+diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
+index 30d7716675b4..68a12caf5eb1 100644
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -1142,6 +1142,12 @@ static inline bool mlx5_core_is_vf(const struct mlx5_core_dev *dev)
+       return dev->coredev_type == MLX5_COREDEV_VF;
+ }
+ 
++static inline bool mlx5_core_same_coredev_type(const struct mlx5_core_dev *dev1,
++                                             const struct mlx5_core_dev *dev2)
++{
++      return dev1->coredev_type == dev2->coredev_type;
++}
++
+ static inline bool mlx5_core_is_ecpf(const struct mlx5_core_dev *dev)
+ {
+       return dev->caps.embedded_cpu;
+-- 
+2.39.5
+

diff --git a/queue-5.10/rdma-rtrs-ensure-ib_sge-list-is-accessible.patch b/queue-5.10/rdma-rtrs-ensure-ib_sge-list-is-accessible.patch
new file mode 100644 (file)
index 0000000..5f4297a
--- /dev/null
+++ b/queue-5.10/rdma-rtrs-ensure-ib_sge-list-is-accessible.patch
@@ -0,0 +1,71 @@
+From 53054b95e956464c7b9c4f099ddfe783c87319c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Dec 2024 09:34:16 +0800
+Subject: RDMA/rtrs: Ensure 'ib_sge list' is accessible
+
+From: Li Zhijian <lizhijian@fujitsu.com>
+
+[ Upstream commit fb514b31395946022f13a08e06a435f53cf9e8b3 ]
+
+Move the declaration of the 'ib_sge list' variable outside the
+'always_invalidate' block to ensure it remains accessible for use
+throughout the function.
+
+Previously, 'ib_sge list' was declared within the 'always_invalidate'
+block, limiting its accessibility, then caused a
+'BUG: kernel NULL pointer dereference'[1].
+ ? __die_body.cold+0x19/0x27
+ ? page_fault_oops+0x15a/0x2d0
+ ? search_module_extables+0x19/0x60
+ ? search_bpf_extables+0x5f/0x80
+ ? exc_page_fault+0x7e/0x180
+ ? asm_exc_page_fault+0x26/0x30
+ ? memcpy_orig+0xd5/0x140
+ rxe_mr_copy+0x1c3/0x200 [rdma_rxe]
+ ? rxe_pool_get_index+0x4b/0x80 [rdma_rxe]
+ copy_data+0xa5/0x230 [rdma_rxe]
+ rxe_requester+0xd9b/0xf70 [rdma_rxe]
+ ? finish_task_switch.isra.0+0x99/0x2e0
+ rxe_sender+0x13/0x40 [rdma_rxe]
+ do_task+0x68/0x1e0 [rdma_rxe]
+ process_one_work+0x177/0x330
+ worker_thread+0x252/0x390
+ ? __pfx_worker_thread+0x10/0x10
+
+This change ensures the variable is available for subsequent operations
+that require it.
+
+[1] https://lore.kernel.org/linux-rdma/6a1f3e8f-deb0-49f9-bc69-a9b03ecfcda7@fujitsu.com/
+
+Fixes: 9cb837480424 ("RDMA/rtrs: server: main functionality")
+Signed-off-by: Li Zhijian <lizhijian@fujitsu.com>
+Link: https://patch.msgid.link/20241231013416.1290920-1-lizhijian@fujitsu.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/rtrs/rtrs-srv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv.c b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
+index b152a742cd3c..2b315974f478 100644
+--- a/drivers/infiniband/ulp/rtrs/rtrs-srv.c
++++ b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
+@@ -381,6 +381,7 @@ static int send_io_resp_imm(struct rtrs_srv_con *con, struct rtrs_srv_op *id,
+       struct rtrs_srv_mr *srv_mr;
+       bool need_inval = false;
+       enum ib_send_flags flags;
++      struct ib_sge list;
+       u32 imm;
+       int err;
+ 
+@@ -431,7 +432,6 @@ static int send_io_resp_imm(struct rtrs_srv_con *con, struct rtrs_srv_op *id,
+       imm = rtrs_to_io_rsp_imm(id->msg_id, errno, need_inval);
+       imm_wr.wr.next = NULL;
+       if (always_invalidate) {
+-              struct ib_sge list;
+               struct rtrs_msg_rkey_rsp *msg;
+ 
+               srv_mr = &sess->mrs[id->msg_id];
+-- 
+2.39.5
+

diff --git a/queue-5.10/series b/queue-5.10/series
index d10bf037de4ccb028a7a14484f8738c922f90589..2a28c20c804a72a8e4bba95757c5e11d04f96540 100644 (file)
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -96,3 +96,19 @@ block-remove-the-update_bdev-parameter-to-set_capaci.patch
 zram-use-set_capacity_and_notify.patch
 drivers-block-zram-zram_drv.c-do-not-keep-dangling-z.patch
 zram-fix-uninitialized-zram-not-releasing-backing-de.patch
+net-mlx5-make-api-mlx5_core_is_ecpf-accept-const-poi.patch
+rdma-mlx5-enforce-same-type-port-association-for-mul.patch
+rdma-bnxt_re-add-check-for-path-mtu-in-modify_qp.patch
+rdma-bnxt_re-fix-reporting-hw_ver-in-query_device.patch
+rdma-bnxt_re-fix-max_qp_wrs-reported.patch
+rdma-bnxt_re-fix-the-locking-while-accessing-the-qp-.patch
+drm-bridge-adv7511_audio-update-audio-infoframe-prop.patch
+netrom-check-buffer-length-before-accessing-it.patch
+netfilter-nft_set_hash-unaligned-atomic-read-on-stru.patch
+net-llc-reset-skb-transport_header.patch
+alsa-usb-audio-us16x08-initialize-array-before-use.patch
+eth-bcmsysport-fix-call-balance-of-priv-clk-handling.patch
+rdma-rtrs-ensure-ib_sge-list-is-accessible.patch
+af_packet-fix-vlan_get_tci-vs-msg_peek.patch
+af_packet-fix-vlan_get_protocol_dgram-vs-msg_peek.patch
+ila-serialize-calls-to-nf_register_net_hooks.patch