Fixes for 5.15
authorSasha Levin <sashal@kernel.org>
Sat, 22 Apr 2023 01:03:14 +0000 (21:03 -0400)
committerSasha Levin <sashal@kernel.org>
Sat, 22 Apr 2023 01:03:14 +0000 (21:03 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
36 files changed:
queue-5.15/arm-dts-rockchip-fix-a-typo-error-for-rk3288-spdif-n.patch [new file with mode: 0644]
queue-5.15/arm64-dts-imx8mm-evk-correct-pmic-clock-source.patch [new file with mode: 0644]
queue-5.15/arm64-dts-meson-g12-common-specify-full-dmc-range.patch [new file with mode: 0644]
queue-5.15/arm64-dts-qcom-ipq8074-hk01-enable-qmp-device-not-th.patch [new file with mode: 0644]
queue-5.15/bnxt_en-do-not-initialize-ptp-on-older-p3-p4-chips.patch [new file with mode: 0644]
queue-5.15/bonding-fix-memory-leak-when-changing-bond-type-to-e.patch [new file with mode: 0644]
queue-5.15/bpf-fix-incorrect-verifier-pruning-due-to-missing-re.patch [new file with mode: 0644]
queue-5.15/e1000e-disable-tso-on-i219-lm-card-to-increase-speed.patch [new file with mode: 0644]
queue-5.15/f2fs-fix-f2fs_truncate_partial_nodes-ftrace-event.patch [new file with mode: 0644]
queue-5.15/i40e-fix-accessing-vsi-active_filters-without-holdin.patch [new file with mode: 0644]
queue-5.15/i40e-fix-i40e_setup_misc_vector-error-handling.patch [new file with mode: 0644]
queue-5.15/input-i8042-add-quirk-for-fujitsu-lifebook-a574-h.patch [new file with mode: 0644]
queue-5.15/mlxfw-fix-null-ptr-deref-in-mlxfw_mfa2_tlv_next.patch [new file with mode: 0644]
queue-5.15/mlxsw-pci-fix-possible-crash-during-initialization.patch [new file with mode: 0644]
queue-5.15/net-dsa-b53-mmap-add-phy-ops.patch [new file with mode: 0644]
queue-5.15/net-rpl-fix-rpl-header-size-calculation.patch [new file with mode: 0644]
queue-5.15/net-sched-sch_qfq-prevent-slab-out-of-bounds-in-qfq_.patch [new file with mode: 0644]
queue-5.15/netfilter-br_netfilter-fix-recent-physdev-match-brea.patch [new file with mode: 0644]
queue-5.15/netfilter-nf_tables-fix-ifdef-to-also-consider-nf_ta.patch [new file with mode: 0644]
queue-5.15/netfilter-nf_tables-tighten-netlink-attribute-requir.patch [new file with mode: 0644]
queue-5.15/netfilter-nf_tables-validate-catch-all-set-elements.patch [new file with mode: 0644]
queue-5.15/nvme-tcp-fix-a-possible-uaf-when-failing-to-allocate.patch [new file with mode: 0644]
queue-5.15/platform-x86-gigabyte-wmi-add-support-for-a320m-s2h-.patch [new file with mode: 0644]
queue-5.15/platform-x86-gigabyte-wmi-add-support-for-x570s-aoru.patch [new file with mode: 0644]
queue-5.15/regulator-fan53555-explicitly-include-bits-header.patch [new file with mode: 0644]
queue-5.15/regulator-fan53555-fix-wrong-tcs_slew_mask.patch [new file with mode: 0644]
queue-5.15/s390-ptrace-fix-ptrace_get_last_break-error-handling.patch [new file with mode: 0644]
queue-5.15/scsi-core-improve-scsi_vpd_inquiry-checks.patch [new file with mode: 0644]
queue-5.15/scsi-megaraid_sas-fix-fw_crash_buffer_show.patch [new file with mode: 0644]
queue-5.15/selftests-sigaltstack-fix-wuninitialized.patch [new file with mode: 0644]
queue-5.15/series [new file with mode: 0644]
queue-5.15/sfc-fix-use-after-free-due-to-selftest_work.patch [new file with mode: 0644]
queue-5.15/sfc-split-state_ready-in-to-state_net_down-and-state.patch [new file with mode: 0644]
queue-5.15/spi-spi-rockchip-fix-missing-unwind-goto-in-rockchip.patch [new file with mode: 0644]
queue-5.15/virtio_net-bugfix-overflow-inside-xdp_linearize_page.patch [new file with mode: 0644]
queue-5.15/xen-netback-use-same-error-messages-for-same-errors.patch [new file with mode: 0644]

diff --git a/queue-5.15/arm-dts-rockchip-fix-a-typo-error-for-rk3288-spdif-n.patch b/queue-5.15/arm-dts-rockchip-fix-a-typo-error-for-rk3288-spdif-n.patch
new file mode 100644 (file)
index 0000000..8aa55b7
--- /dev/null
@@ -0,0 +1,37 @@
+From 7ed25226f8623326e19c4249ebc741e9feb06de1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Feb 2023 17:14:11 +0800
+Subject: ARM: dts: rockchip: fix a typo error for rk3288 spdif node
+
+From: Jianqun Xu <jay.xu@rock-chips.com>
+
+[ Upstream commit 02c84f91adb9a64b75ec97d772675c02a3e65ed7 ]
+
+Fix the address in the spdif node name.
+
+Fixes: 874e568e500a ("ARM: dts: rockchip: Add SPDIF transceiver for RK3288")
+Signed-off-by: Jianqun Xu <jay.xu@rock-chips.com>
+Reviewed-by: Sjoerd Simons <sjoerd@collabora.com>
+Link: https://lore.kernel.org/r/20230208091411.1603142-1-jay.xu@rock-chips.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/rk3288.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/rk3288.dtsi b/arch/arm/boot/dts/rk3288.dtsi
+index 8670c948ca8da..2e6138eeacd15 100644
+--- a/arch/arm/boot/dts/rk3288.dtsi
++++ b/arch/arm/boot/dts/rk3288.dtsi
+@@ -940,7 +940,7 @@
+               status = "disabled";
+       };
+-      spdif: sound@ff88b0000 {
++      spdif: sound@ff8b0000 {
+               compatible = "rockchip,rk3288-spdif", "rockchip,rk3066-spdif";
+               reg = <0x0 0xff8b0000 0x0 0x10000>;
+               #sound-dai-cells = <0>;
+-- 
+2.39.2
+
diff --git a/queue-5.15/arm64-dts-imx8mm-evk-correct-pmic-clock-source.patch b/queue-5.15/arm64-dts-imx8mm-evk-correct-pmic-clock-source.patch
new file mode 100644 (file)
index 0000000..81143c7
--- /dev/null
@@ -0,0 +1,36 @@
+From 6a9b5ebb3bc7169b61ab24abcdb60e903a65437a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Mar 2023 18:03:21 +0800
+Subject: arm64: dts: imx8mm-evk: correct pmic clock source
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit 85af7ffd24da38e416a14bd6bf207154d94faa83 ]
+
+The osc_32k supports #clock-cells as 0, using an id is wrong, drop it.
+
+Fixes: a6a355ede574 ("arm64: dts: imx8mm-evk: Add 32.768 kHz clock to PMIC")
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Marco Felsch <m.felsch@pengutronix.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mm-evk.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mm-evk.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-evk.dtsi
+index e033d0257b5a1..ff5324e94ee82 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mm-evk.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mm-evk.dtsi
+@@ -136,7 +136,7 @@
+               rohm,reset-snvs-powered;
+               #clock-cells = <0>;
+-              clocks = <&osc_32k 0>;
++              clocks = <&osc_32k>;
+               clock-output-names = "clk-32k-out";
+               regulators {
+-- 
+2.39.2
+
diff --git a/queue-5.15/arm64-dts-meson-g12-common-specify-full-dmc-range.patch b/queue-5.15/arm64-dts-meson-g12-common-specify-full-dmc-range.patch
new file mode 100644 (file)
index 0000000..5f39731
--- /dev/null
@@ -0,0 +1,44 @@
+From ed51201e1d995b0b72ac41cd3962a38d853016a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Mar 2023 14:09:30 +0200
+Subject: arm64: dts: meson-g12-common: specify full DMC range
+
+From: Marc Gonzalez <mgonzalez@freebox.fr>
+
+[ Upstream commit aec4353114a408b3a831a22ba34942d05943e462 ]
+
+According to S905X2 Datasheet - Revision 07:
+DRAM Memory Controller (DMC) register area spans ff638000-ff63a000.
+
+According to DeviceTree Specification - Release v0.4-rc1:
+simple-bus nodes do not require reg property.
+
+Fixes: 1499218c80c99a ("arm64: dts: move common G12A & G12B modes to meson-g12-common.dtsi")
+Signed-off-by: Marc Gonzalez <mgonzalez@freebox.fr>
+Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Link: https://lore.kernel.org/r/20230327120932.2158389-2-mgonzalez@freebox.fr
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi b/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi
+index 899cfe416aef4..369334076467a 100644
+--- a/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi
++++ b/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi
+@@ -1610,10 +1610,9 @@
+                       dmc: bus@38000 {
+                               compatible = "simple-bus";
+-                              reg = <0x0 0x38000 0x0 0x400>;
+                               #address-cells = <2>;
+                               #size-cells = <2>;
+-                              ranges = <0x0 0x0 0x0 0x38000 0x0 0x400>;
++                              ranges = <0x0 0x0 0x0 0x38000 0x0 0x2000>;
+                               canvas: video-lut@48 {
+                                       compatible = "amlogic,canvas";
+-- 
+2.39.2
+
diff --git a/queue-5.15/arm64-dts-qcom-ipq8074-hk01-enable-qmp-device-not-th.patch b/queue-5.15/arm64-dts-qcom-ipq8074-hk01-enable-qmp-device-not-th.patch
new file mode 100644 (file)
index 0000000..e8390c1
--- /dev/null
@@ -0,0 +1,44 @@
+From 64b1597c9c73def55361df49d516fa190b9e9560 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Mar 2023 05:16:50 +0300
+Subject: arm64: dts: qcom: ipq8074-hk01: enable QMP device, not the PHY node
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 72630ba422b70ea0874fc90d526353cf71c72488 ]
+
+Correct PCIe PHY enablement to refer the QMP device nodes rather than
+PHY device nodes. QMP nodes have 'status = "disabled"' property in the
+ipq8074.dtsi, while PHY nodes do not correspond to the actual device and
+do not have the status property.
+
+Fixes: e8a7fdc505bb ("arm64: dts: ipq8074: qcom: Re-arrange dts nodes based on address")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20230324021651.1799969-1-dmitry.baryshkov@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/ipq8074-hk01.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/ipq8074-hk01.dts b/arch/arm64/boot/dts/qcom/ipq8074-hk01.dts
+index cc08dc4eb56a5..68698cdf56c46 100644
+--- a/arch/arm64/boot/dts/qcom/ipq8074-hk01.dts
++++ b/arch/arm64/boot/dts/qcom/ipq8074-hk01.dts
+@@ -60,11 +60,11 @@
+       perst-gpio = <&tlmm 58 0x1>;
+ };
+-&pcie_phy0 {
++&pcie_qmp0 {
+       status = "okay";
+ };
+-&pcie_phy1 {
++&pcie_qmp1 {
+       status = "okay";
+ };
+-- 
+2.39.2
+
diff --git a/queue-5.15/bnxt_en-do-not-initialize-ptp-on-older-p3-p4-chips.patch b/queue-5.15/bnxt_en-do-not-initialize-ptp-on-older-p3-p4-chips.patch
new file mode 100644 (file)
index 0000000..320691a
--- /dev/null
@@ -0,0 +1,48 @@
+From e1bf318661065ea1f7a5d64ed25555c33874b6b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 Apr 2023 23:58:18 -0700
+Subject: bnxt_en: Do not initialize PTP on older P3/P4 chips
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit e8b51a1a15d5a3cce231e0669f6a161dc5bb9b75 ]
+
+The driver does not support PTP on these older chips and it is assuming
+that firmware on these older chips will not return the
+PORT_MAC_PTP_QCFG_RESP_FLAGS_HWRM_ACCESS flag in __bnxt_hwrm_ptp_qcfg(),
+causing the function to abort quietly.
+
+But newer firmware now sets this flag and so __bnxt_hwrm_ptp_qcfg()
+will proceed further.  Eventually it will fail in bnxt_ptp_init() ->
+bnxt_map_ptp_regs() because there is no code to support the older chips.
+The driver will then complain:
+
+"PTP initialization failed.\n"
+
+Fix it so that we abort quietly earlier without going through the
+unnecessary steps and alarming the user with the warning log.
+
+Fixes: ae5c42f0b92c ("bnxt_en: Get PTP hardware capability from firmware")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 4ef90e0cb8f8e..38fc2286f7cbd 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -7437,7 +7437,7 @@ static int __bnxt_hwrm_ptp_qcfg(struct bnxt *bp)
+       u8 flags;
+       int rc;
+-      if (bp->hwrm_spec_code < 0x10801) {
++      if (bp->hwrm_spec_code < 0x10801 || !BNXT_CHIP_P5_THOR(bp)) {
+               rc = -ENODEV;
+               goto no_ptp;
+       }
+-- 
+2.39.2
+
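Review bot: The widened guard in `__bnxt_hwrm_ptp_qcfg()` has no comment explaining why a chip-family test now sits next to the HWRM spec-version test. Only the commit message says that newer firmware on the older P3/P4 chips has started returning PORT_MAC_PTP_QCFG_RESP_FLAGS_HWRM_ACCESS. I would add above the `if`: `/* PTP is only supported where BNXT_CHIP_P5_THOR() is true; newer firmware on older chips may still report HWRM access, so bail out early and quietly */`. The function starts and ends outside the inner hunk, so the `no_ptp` path that consumes `rc = -ENODEV` is not visible here and should be checked for staying silent on this error.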
diff --git a/queue-5.15/bonding-fix-memory-leak-when-changing-bond-type-to-e.patch b/queue-5.15/bonding-fix-memory-leak-when-changing-bond-type-to-e.patch
new file mode 100644 (file)
index 0000000..add8979
--- /dev/null
@@ -0,0 +1,141 @@
+From 5319215de5e7c1f7f41ebf98533a2542ebb0074f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Apr 2023 09:12:16 +0300
+Subject: bonding: Fix memory leak when changing bond type to Ethernet
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit c484fcc058bada604d7e4e5228d4affb646ddbc2 ]
+
+When a net device is put administratively up, its 'IFF_UP' flag is set
+(if not set already) and a 'NETDEV_UP' notification is emitted, which
+causes the 8021q driver to add VLAN ID 0 on the device. The reverse
+happens when a net device is put administratively down.
+
+When changing the type of a bond to Ethernet, its 'IFF_UP' flag is
+incorrectly cleared, resulting in the kernel skipping the above process
+and VLAN ID 0 being leaked [1].
+
+Fix by restoring the flag when changing the type to Ethernet, in a
+similar fashion to the restoration of the 'IFF_SLAVE' flag.
+
+The issue can be reproduced using the script in [2], with example out
+before and after the fix in [3].
+
+[1]
+unreferenced object 0xffff888103479900 (size 256):
+  comm "ip", pid 329, jiffies 4294775225 (age 28.561s)
+  hex dump (first 32 bytes):
+    00 a0 0c 15 81 88 ff ff 00 00 00 00 00 00 00 00  ................
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  backtrace:
+    [<ffffffff81a6051a>] kmalloc_trace+0x2a/0xe0
+    [<ffffffff8406426c>] vlan_vid_add+0x30c/0x790
+    [<ffffffff84068e21>] vlan_device_event+0x1491/0x21a0
+    [<ffffffff81440c8e>] notifier_call_chain+0xbe/0x1f0
+    [<ffffffff8372383a>] call_netdevice_notifiers_info+0xba/0x150
+    [<ffffffff837590f2>] __dev_notify_flags+0x132/0x2e0
+    [<ffffffff8375ad9f>] dev_change_flags+0x11f/0x180
+    [<ffffffff8379af36>] do_setlink+0xb96/0x4060
+    [<ffffffff837adf6a>] __rtnl_newlink+0xc0a/0x18a0
+    [<ffffffff837aec6c>] rtnl_newlink+0x6c/0xa0
+    [<ffffffff837ac64e>] rtnetlink_rcv_msg+0x43e/0xe00
+    [<ffffffff839a99e0>] netlink_rcv_skb+0x170/0x440
+    [<ffffffff839a738f>] netlink_unicast+0x53f/0x810
+    [<ffffffff839a7fcb>] netlink_sendmsg+0x96b/0xe90
+    [<ffffffff8369d12f>] ____sys_sendmsg+0x30f/0xa70
+    [<ffffffff836a6d7a>] ___sys_sendmsg+0x13a/0x1e0
+unreferenced object 0xffff88810f6a83e0 (size 32):
+  comm "ip", pid 329, jiffies 4294775225 (age 28.561s)
+  hex dump (first 32 bytes):
+    a0 99 47 03 81 88 ff ff a0 99 47 03 81 88 ff ff  ..G.......G.....
+    81 00 00 00 01 00 00 00 cc cc cc cc cc cc cc cc  ................
+  backtrace:
+    [<ffffffff81a6051a>] kmalloc_trace+0x2a/0xe0
+    [<ffffffff84064369>] vlan_vid_add+0x409/0x790
+    [<ffffffff84068e21>] vlan_device_event+0x1491/0x21a0
+    [<ffffffff81440c8e>] notifier_call_chain+0xbe/0x1f0
+    [<ffffffff8372383a>] call_netdevice_notifiers_info+0xba/0x150
+    [<ffffffff837590f2>] __dev_notify_flags+0x132/0x2e0
+    [<ffffffff8375ad9f>] dev_change_flags+0x11f/0x180
+    [<ffffffff8379af36>] do_setlink+0xb96/0x4060
+    [<ffffffff837adf6a>] __rtnl_newlink+0xc0a/0x18a0
+    [<ffffffff837aec6c>] rtnl_newlink+0x6c/0xa0
+    [<ffffffff837ac64e>] rtnetlink_rcv_msg+0x43e/0xe00
+    [<ffffffff839a99e0>] netlink_rcv_skb+0x170/0x440
+    [<ffffffff839a738f>] netlink_unicast+0x53f/0x810
+    [<ffffffff839a7fcb>] netlink_sendmsg+0x96b/0xe90
+    [<ffffffff8369d12f>] ____sys_sendmsg+0x30f/0xa70
+    [<ffffffff836a6d7a>] ___sys_sendmsg+0x13a/0x1e0
+
+[2]
+ip link add name t-nlmon type nlmon
+ip link add name t-dummy type dummy
+ip link add name t-bond type bond mode active-backup
+
+ip link set dev t-bond up
+ip link set dev t-nlmon master t-bond
+ip link set dev t-nlmon nomaster
+ip link show dev t-bond
+ip link set dev t-dummy master t-bond
+ip link show dev t-bond
+
+ip link del dev t-bond
+ip link del dev t-dummy
+ip link del dev t-nlmon
+
+[3]
+Before:
+
+12: t-bond: <NO-CARRIER,BROADCAST,MULTICAST,MASTER,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
+    link/netlink
+12: t-bond: <BROADCAST,MULTICAST,MASTER,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
+    link/ether 46:57:39:a4:46:a2 brd ff:ff:ff:ff:ff:ff
+
+After:
+
+12: t-bond: <NO-CARRIER,BROADCAST,MULTICAST,MASTER,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
+    link/netlink
+12: t-bond: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
+    link/ether 66:48:7b:74:b6:8a brd ff:ff:ff:ff:ff:ff
+
+Fixes: e36b9d16c6a6 ("bonding: clean muticast addresses when device changes type")
+Fixes: 75c78500ddad ("bonding: remap muticast addresses without using dev_close() and dev_open()")
+Fixes: 9ec7eb60dcbc ("bonding: restore IFF_MASTER/SLAVE flags on bond enslave ether type change")
+Reported-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+Link: https://lore.kernel.org/netdev/78a8a03b-6070-3e6b-5042-f848dab16fb8@alu.unizg.hr/
+Tested-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index e1dc94f01cb5a..2816b6fc17392 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1746,14 +1746,15 @@ void bond_lower_state_changed(struct slave *slave)
+ /* The bonding driver uses ether_setup() to convert a master bond device
+  * to ARPHRD_ETHER, that resets the target netdevice's flags so we always
+- * have to restore the IFF_MASTER flag, and only restore IFF_SLAVE if it was set
++ * have to restore the IFF_MASTER flag, and only restore IFF_SLAVE and IFF_UP
++ * if they were set
+  */
+ static void bond_ether_setup(struct net_device *bond_dev)
+ {
+-      unsigned int slave_flag = bond_dev->flags & IFF_SLAVE;
++      unsigned int flags = bond_dev->flags & (IFF_SLAVE | IFF_UP);
+       ether_setup(bond_dev);
+-      bond_dev->flags |= IFF_MASTER | slave_flag;
++      bond_dev->flags |= IFF_MASTER | flags;
+       bond_dev->priv_flags &= ~IFF_TX_SKB_SHARING;
+ }
+-- 
+2.39.2
+
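Review bot: The updated comment above `bond_ether_setup()` says that IFF_UP is restored but not why, and the reason is the whole point of the fix. Per the commit message, a cleared IFF_UP makes the kernel skip the down-path processing, so the VLAN ID 0 entry added by 8021q on NETDEV_UP is never released. I would extend the comment with `* Dropping IFF_UP here would skip the NETDEV_DOWN handling and leak the VLAN ID 0 added on NETDEV_UP.` so the mask is not trimmed again by a later cleanup. As a minor style point, `saved_flags` would read better than the generic `flags`, given that `bond_dev->flags` appears on the same lines.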
diff --git a/queue-5.15/bpf-fix-incorrect-verifier-pruning-due-to-missing-re.patch b/queue-5.15/bpf-fix-incorrect-verifier-pruning-due-to-missing-re.patch
new file mode 100644 (file)
index 0000000..92383d5
--- /dev/null
@@ -0,0 +1,425 @@
+From ff17592c271f1d1142ec94211bb53575696949be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Apr 2023 15:24:13 +0000
+Subject: bpf: Fix incorrect verifier pruning due to missing register precision
+ taints
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 71b547f561247897a0a14f3082730156c0533fed ]
+
+Juan Jose et al reported an issue found via fuzzing where the verifier's
+pruning logic prematurely marks a program path as safe.
+
+Consider the following program:
+
+   0: (b7) r6 = 1024
+   1: (b7) r7 = 0
+   2: (b7) r8 = 0
+   3: (b7) r9 = -2147483648
+   4: (97) r6 %= 1025
+   5: (05) goto pc+0
+   6: (bd) if r6 <= r9 goto pc+2
+   7: (97) r6 %= 1
+   8: (b7) r9 = 0
+   9: (bd) if r6 <= r9 goto pc+1
+  10: (b7) r6 = 0
+  11: (b7) r0 = 0
+  12: (63) *(u32 *)(r10 -4) = r0
+  13: (18) r4 = 0xffff888103693400 // map_ptr(ks=4,vs=48)
+  15: (bf) r1 = r4
+  16: (bf) r2 = r10
+  17: (07) r2 += -4
+  18: (85) call bpf_map_lookup_elem#1
+  19: (55) if r0 != 0x0 goto pc+1
+  20: (95) exit
+  21: (77) r6 >>= 10
+  22: (27) r6 *= 8192
+  23: (bf) r1 = r0
+  24: (0f) r0 += r6
+  25: (79) r3 = *(u64 *)(r0 +0)
+  26: (7b) *(u64 *)(r1 +0) = r3
+  27: (95) exit
+
+The verifier treats this as safe, leading to oob read/write access due
+to an incorrect verifier conclusion:
+
+  func#0 @0
+  0: R1=ctx(off=0,imm=0) R10=fp0
+  0: (b7) r6 = 1024                     ; R6_w=1024
+  1: (b7) r7 = 0                        ; R7_w=0
+  2: (b7) r8 = 0                        ; R8_w=0
+  3: (b7) r9 = -2147483648              ; R9_w=-2147483648
+  4: (97) r6 %= 1025                    ; R6_w=scalar()
+  5: (05) goto pc+0
+  6: (bd) if r6 <= r9 goto pc+2         ; R6_w=scalar(umin=18446744071562067969,var_off=(0xffffffff00000000; 0xffffffff)) R9_w=-2147483648
+  7: (97) r6 %= 1                       ; R6_w=scalar()
+  8: (b7) r9 = 0                        ; R9=0
+  9: (bd) if r6 <= r9 goto pc+1         ; R6=scalar(umin=1) R9=0
+  10: (b7) r6 = 0                       ; R6_w=0
+  11: (b7) r0 = 0                       ; R0_w=0
+  12: (63) *(u32 *)(r10 -4) = r0
+  last_idx 12 first_idx 9
+  regs=1 stack=0 before 11: (b7) r0 = 0
+  13: R0_w=0 R10=fp0 fp-8=0000????
+  13: (18) r4 = 0xffff8ad3886c2a00      ; R4_w=map_ptr(off=0,ks=4,vs=48,imm=0)
+  15: (bf) r1 = r4                      ; R1_w=map_ptr(off=0,ks=4,vs=48,imm=0) R4_w=map_ptr(off=0,ks=4,vs=48,imm=0)
+  16: (bf) r2 = r10                     ; R2_w=fp0 R10=fp0
+  17: (07) r2 += -4                     ; R2_w=fp-4
+  18: (85) call bpf_map_lookup_elem#1   ; R0=map_value_or_null(id=1,off=0,ks=4,vs=48,imm=0)
+  19: (55) if r0 != 0x0 goto pc+1       ; R0=0
+  20: (95) exit
+
+  from 19 to 21: R0=map_value(off=0,ks=4,vs=48,imm=0) R6=0 R7=0 R8=0 R9=0 R10=fp0 fp-8=mmmm????
+  21: (77) r6 >>= 10                    ; R6_w=0
+  22: (27) r6 *= 8192                   ; R6_w=0
+  23: (bf) r1 = r0                      ; R0=map_value(off=0,ks=4,vs=48,imm=0) R1_w=map_value(off=0,ks=4,vs=48,imm=0)
+  24: (0f) r0 += r6
+  last_idx 24 first_idx 19
+  regs=40 stack=0 before 23: (bf) r1 = r0
+  regs=40 stack=0 before 22: (27) r6 *= 8192
+  regs=40 stack=0 before 21: (77) r6 >>= 10
+  regs=40 stack=0 before 19: (55) if r0 != 0x0 goto pc+1
+  parent didn't have regs=40 stack=0 marks: R0_rw=map_value_or_null(id=1,off=0,ks=4,vs=48,imm=0) R6_rw=P0 R7=0 R8=0 R9=0 R10=fp0 fp-8=mmmm????
+  last_idx 18 first_idx 9
+  regs=40 stack=0 before 18: (85) call bpf_map_lookup_elem#1
+  regs=40 stack=0 before 17: (07) r2 += -4
+  regs=40 stack=0 before 16: (bf) r2 = r10
+  regs=40 stack=0 before 15: (bf) r1 = r4
+  regs=40 stack=0 before 13: (18) r4 = 0xffff8ad3886c2a00
+  regs=40 stack=0 before 12: (63) *(u32 *)(r10 -4) = r0
+  regs=40 stack=0 before 11: (b7) r0 = 0
+  regs=40 stack=0 before 10: (b7) r6 = 0
+  25: (79) r3 = *(u64 *)(r0 +0)         ; R0_w=map_value(off=0,ks=4,vs=48,imm=0) R3_w=scalar()
+  26: (7b) *(u64 *)(r1 +0) = r3         ; R1_w=map_value(off=0,ks=4,vs=48,imm=0) R3_w=scalar()
+  27: (95) exit
+
+  from 9 to 11: R1=ctx(off=0,imm=0) R6=0 R7=0 R8=0 R9=0 R10=fp0
+  11: (b7) r0 = 0                       ; R0_w=0
+  12: (63) *(u32 *)(r10 -4) = r0
+  last_idx 12 first_idx 11
+  regs=1 stack=0 before 11: (b7) r0 = 0
+  13: R0_w=0 R10=fp0 fp-8=0000????
+  13: (18) r4 = 0xffff8ad3886c2a00      ; R4_w=map_ptr(off=0,ks=4,vs=48,imm=0)
+  15: (bf) r1 = r4                      ; R1_w=map_ptr(off=0,ks=4,vs=48,imm=0) R4_w=map_ptr(off=0,ks=4,vs=48,imm=0)
+  16: (bf) r2 = r10                     ; R2_w=fp0 R10=fp0
+  17: (07) r2 += -4                     ; R2_w=fp-4
+  18: (85) call bpf_map_lookup_elem#1
+  frame 0: propagating r6
+  last_idx 19 first_idx 11
+  regs=40 stack=0 before 18: (85) call bpf_map_lookup_elem#1
+  regs=40 stack=0 before 17: (07) r2 += -4
+  regs=40 stack=0 before 16: (bf) r2 = r10
+  regs=40 stack=0 before 15: (bf) r1 = r4
+  regs=40 stack=0 before 13: (18) r4 = 0xffff8ad3886c2a00
+  regs=40 stack=0 before 12: (63) *(u32 *)(r10 -4) = r0
+  regs=40 stack=0 before 11: (b7) r0 = 0
+  parent didn't have regs=40 stack=0 marks: R1=ctx(off=0,imm=0) R6_r=P0 R7=0 R8=0 R9=0 R10=fp0
+  last_idx 9 first_idx 9
+  regs=40 stack=0 before 9: (bd) if r6 <= r9 goto pc+1
+  parent didn't have regs=40 stack=0 marks: R1=ctx(off=0,imm=0) R6_rw=Pscalar() R7_w=0 R8_w=0 R9_rw=0 R10=fp0
+  last_idx 8 first_idx 0
+  regs=40 stack=0 before 8: (b7) r9 = 0
+  regs=40 stack=0 before 7: (97) r6 %= 1
+  regs=40 stack=0 before 6: (bd) if r6 <= r9 goto pc+2
+  regs=40 stack=0 before 5: (05) goto pc+0
+  regs=40 stack=0 before 4: (97) r6 %= 1025
+  regs=40 stack=0 before 3: (b7) r9 = -2147483648
+  regs=40 stack=0 before 2: (b7) r8 = 0
+  regs=40 stack=0 before 1: (b7) r7 = 0
+  regs=40 stack=0 before 0: (b7) r6 = 1024
+  19: safe
+  frame 0: propagating r6
+  last_idx 9 first_idx 0
+  regs=40 stack=0 before 6: (bd) if r6 <= r9 goto pc+2
+  regs=40 stack=0 before 5: (05) goto pc+0
+  regs=40 stack=0 before 4: (97) r6 %= 1025
+  regs=40 stack=0 before 3: (b7) r9 = -2147483648
+  regs=40 stack=0 before 2: (b7) r8 = 0
+  regs=40 stack=0 before 1: (b7) r7 = 0
+  regs=40 stack=0 before 0: (b7) r6 = 1024
+
+  from 6 to 9: safe
+  verification time 110 usec
+  stack depth 4
+  processed 36 insns (limit 1000000) max_states_per_insn 0 total_states 3 peak_states 3 mark_read 2
+
+The verifier considers this program as safe by mistakenly pruning unsafe
+code paths. In the above func#0, code lines 0-10 are of interest. In line
+0-3 registers r6 to r9 are initialized with known scalar values. In line 4
+the register r6 is reset to an unknown scalar given the verifier does not
+track modulo operations. Due to this, the verifier can also not determine
+precisely which branches in line 6 and 9 are taken, therefore it needs to
+explore them both.
+
+As can be seen, the verifier starts with exploring the false/fall-through
+paths first. The 'from 19 to 21' path has both r6=0 and r9=0 and the pointer
+arithmetic on r0 += r6 is therefore considered safe. Given the arithmetic,
+r6 is correctly marked for precision tracking where backtracking kicks in
+where it walks back the current path all the way where r6 was set to 0 in
+the fall-through branch.
+
+Next, the pruning logics pops the path 'from 9 to 11' from the stack. Also
+here, the state of the registers is the same, that is, r6=0 and r9=0, so
+that at line 19 the path can be pruned as it is considered safe. It is
+interesting to note that the conditional in line 9 turned r6 into a more
+precise state, that is, in the fall-through path at the beginning of line
+10, it is R6=scalar(umin=1), and in the branch-taken path (which is analyzed
+here) at the beginning of line 11, r6 turned into a known const r6=0 as
+r9=0 prior to that and therefore (unsigned) r6 <= 0 concludes that r6 must
+be 0 (**):
+
+  [...]                                 ; R6_w=scalar()
+  9: (bd) if r6 <= r9 goto pc+1         ; R6=scalar(umin=1) R9=0
+  [...]
+
+  from 9 to 11: R1=ctx(off=0,imm=0) R6=0 R7=0 R8=0 R9=0 R10=fp0
+  [...]
+
+The next path is 'from 6 to 9'. The verifier considers the old and current
+state equivalent, and therefore prunes the search incorrectly. Looking into
+the two states which are being compared by the pruning logic at line 9, the
+old state consists of R6_rwD=Pscalar() R9_rwD=0 R10=fp0 and the new state
+consists of R1=ctx(off=0,imm=0) R6_w=scalar(umax=18446744071562067968)
+R7_w=0 R8_w=0 R9_w=-2147483648 R10=fp0. While r6 had the reg->precise flag
+correctly set in the old state, r9 did not. Both r6'es are considered as
+equivalent given the old one is a superset of the current, more precise one,
+however, r9's actual values (0 vs 0x80000000) mismatch. Given the old r9
+did not have reg->precise flag set, the verifier does not consider the
+register as contributing to the precision state of r6, and therefore it
+considered both r9 states as equivalent. However, for this specific pruned
+path (which is also the actual path taken at runtime), register r6 will be
+0x400 and r9 0x80000000 when reaching line 21, thus oob-accessing the map.
+
+The purpose of precision tracking is to initially mark registers (including
+spilled ones) as imprecise to help verifier's pruning logic finding equivalent
+states it can then prune if they don't contribute to the program's safety
+aspects. For example, if registers are used for pointer arithmetic or to pass
+constant length to a helper, then the verifier sets reg->precise flag and
+backtracks the BPF program instruction sequence and chain of verifier states
+to ensure that the given register or stack slot including their dependencies
+are marked as precisely tracked scalar. This also includes any other registers
+and slots that contribute to a tracked state of given registers/stack slot.
+This backtracking relies on recorded jmp_history and is able to traverse
+entire chain of parent states. This process ends only when all the necessary
+registers/slots and their transitive dependencies are marked as precise.
+
+The backtrack_insn() is called from the current instruction up to the first
+instruction, and its purpose is to compute a bitmask of registers and stack
+slots that need precision tracking in the parent's verifier state. For example,
+if a current instruction is r6 = r7, then r6 needs precision after this
+instruction and r7 needs precision before this instruction, that is, in the
+parent state. Hence for the latter r7 is marked and r6 unmarked.
+
+For the class of jmp/jmp32 instructions, backtrack_insn() today only looks
+at call and exit instructions and for all other conditionals the masks
+remain as-is. However, in the given situation register r6 has a dependency
+on r9 (as described above in **), so also that one needs to be marked for
+precision tracking. In other words, if an imprecise register influences a
+precise one, then the imprecise register should also be marked precise.
+Meaning, in the parent state both dest and src register need to be tracked
+for precision and therefore the marking must be more conservative by setting
+reg->precise flag for both. The precision propagation needs to cover both
+for the conditional: if the src reg was marked but not the dst reg and vice
+versa.
+
+After the fix the program is correctly rejected:
+
+  func#0 @0
+  0: R1=ctx(off=0,imm=0) R10=fp0
+  0: (b7) r6 = 1024                     ; R6_w=1024
+  1: (b7) r7 = 0                        ; R7_w=0
+  2: (b7) r8 = 0                        ; R8_w=0
+  3: (b7) r9 = -2147483648              ; R9_w=-2147483648
+  4: (97) r6 %= 1025                    ; R6_w=scalar()
+  5: (05) goto pc+0
+  6: (bd) if r6 <= r9 goto pc+2         ; R6_w=scalar(umin=18446744071562067969,var_off=(0xffffffff80000000; 0x7fffffff),u32_min=-2147483648) R9_w=-2147483648
+  7: (97) r6 %= 1                       ; R6_w=scalar()
+  8: (b7) r9 = 0                        ; R9=0
+  9: (bd) if r6 <= r9 goto pc+1         ; R6=scalar(umin=1) R9=0
+  10: (b7) r6 = 0                       ; R6_w=0
+  11: (b7) r0 = 0                       ; R0_w=0
+  12: (63) *(u32 *)(r10 -4) = r0
+  last_idx 12 first_idx 9
+  regs=1 stack=0 before 11: (b7) r0 = 0
+  13: R0_w=0 R10=fp0 fp-8=0000????
+  13: (18) r4 = 0xffff9290dc5bfe00      ; R4_w=map_ptr(off=0,ks=4,vs=48,imm=0)
+  15: (bf) r1 = r4                      ; R1_w=map_ptr(off=0,ks=4,vs=48,imm=0) R4_w=map_ptr(off=0,ks=4,vs=48,imm=0)
+  16: (bf) r2 = r10                     ; R2_w=fp0 R10=fp0
+  17: (07) r2 += -4                     ; R2_w=fp-4
+  18: (85) call bpf_map_lookup_elem#1   ; R0=map_value_or_null(id=1,off=0,ks=4,vs=48,imm=0)
+  19: (55) if r0 != 0x0 goto pc+1       ; R0=0
+  20: (95) exit
+
+  from 19 to 21: R0=map_value(off=0,ks=4,vs=48,imm=0) R6=0 R7=0 R8=0 R9=0 R10=fp0 fp-8=mmmm????
+  21: (77) r6 >>= 10                    ; R6_w=0
+  22: (27) r6 *= 8192                   ; R6_w=0
+  23: (bf) r1 = r0                      ; R0=map_value(off=0,ks=4,vs=48,imm=0) R1_w=map_value(off=0,ks=4,vs=48,imm=0)
+  24: (0f) r0 += r6
+  last_idx 24 first_idx 19
+  regs=40 stack=0 before 23: (bf) r1 = r0
+  regs=40 stack=0 before 22: (27) r6 *= 8192
+  regs=40 stack=0 before 21: (77) r6 >>= 10
+  regs=40 stack=0 before 19: (55) if r0 != 0x0 goto pc+1
+  parent didn't have regs=40 stack=0 marks: R0_rw=map_value_or_null(id=1,off=0,ks=4,vs=48,imm=0) R6_rw=P0 R7=0 R8=0 R9=0 R10=fp0 fp-8=mmmm????
+  last_idx 18 first_idx 9
+  regs=40 stack=0 before 18: (85) call bpf_map_lookup_elem#1
+  regs=40 stack=0 before 17: (07) r2 += -4
+  regs=40 stack=0 before 16: (bf) r2 = r10
+  regs=40 stack=0 before 15: (bf) r1 = r4
+  regs=40 stack=0 before 13: (18) r4 = 0xffff9290dc5bfe00
+  regs=40 stack=0 before 12: (63) *(u32 *)(r10 -4) = r0
+  regs=40 stack=0 before 11: (b7) r0 = 0
+  regs=40 stack=0 before 10: (b7) r6 = 0
+  25: (79) r3 = *(u64 *)(r0 +0)         ; R0_w=map_value(off=0,ks=4,vs=48,imm=0) R3_w=scalar()
+  26: (7b) *(u64 *)(r1 +0) = r3         ; R1_w=map_value(off=0,ks=4,vs=48,imm=0) R3_w=scalar()
+  27: (95) exit
+
+  from 9 to 11: R1=ctx(off=0,imm=0) R6=0 R7=0 R8=0 R9=0 R10=fp0
+  11: (b7) r0 = 0                       ; R0_w=0
+  12: (63) *(u32 *)(r10 -4) = r0
+  last_idx 12 first_idx 11
+  regs=1 stack=0 before 11: (b7) r0 = 0
+  13: R0_w=0 R10=fp0 fp-8=0000????
+  13: (18) r4 = 0xffff9290dc5bfe00      ; R4_w=map_ptr(off=0,ks=4,vs=48,imm=0)
+  15: (bf) r1 = r4                      ; R1_w=map_ptr(off=0,ks=4,vs=48,imm=0) R4_w=map_ptr(off=0,ks=4,vs=48,imm=0)
+  16: (bf) r2 = r10                     ; R2_w=fp0 R10=fp0
+  17: (07) r2 += -4                     ; R2_w=fp-4
+  18: (85) call bpf_map_lookup_elem#1
+  frame 0: propagating r6
+  last_idx 19 first_idx 11
+  regs=40 stack=0 before 18: (85) call bpf_map_lookup_elem#1
+  regs=40 stack=0 before 17: (07) r2 += -4
+  regs=40 stack=0 before 16: (bf) r2 = r10
+  regs=40 stack=0 before 15: (bf) r1 = r4
+  regs=40 stack=0 before 13: (18) r4 = 0xffff9290dc5bfe00
+  regs=40 stack=0 before 12: (63) *(u32 *)(r10 -4) = r0
+  regs=40 stack=0 before 11: (b7) r0 = 0
+  parent didn't have regs=40 stack=0 marks: R1=ctx(off=0,imm=0) R6_r=P0 R7=0 R8=0 R9=0 R10=fp0
+  last_idx 9 first_idx 9
+  regs=40 stack=0 before 9: (bd) if r6 <= r9 goto pc+1
+  parent didn't have regs=240 stack=0 marks: R1=ctx(off=0,imm=0) R6_rw=Pscalar() R7_w=0 R8_w=0 R9_rw=P0 R10=fp0
+  last_idx 8 first_idx 0
+  regs=240 stack=0 before 8: (b7) r9 = 0
+  regs=40 stack=0 before 7: (97) r6 %= 1
+  regs=40 stack=0 before 6: (bd) if r6 <= r9 goto pc+2
+  regs=240 stack=0 before 5: (05) goto pc+0
+  regs=240 stack=0 before 4: (97) r6 %= 1025
+  regs=240 stack=0 before 3: (b7) r9 = -2147483648
+  regs=40 stack=0 before 2: (b7) r8 = 0
+  regs=40 stack=0 before 1: (b7) r7 = 0
+  regs=40 stack=0 before 0: (b7) r6 = 1024
+  19: safe
+
+  from 6 to 9: R1=ctx(off=0,imm=0) R6_w=scalar(umax=18446744071562067968) R7_w=0 R8_w=0 R9_w=-2147483648 R10=fp0
+  9: (bd) if r6 <= r9 goto pc+1
+  last_idx 9 first_idx 0
+  regs=40 stack=0 before 6: (bd) if r6 <= r9 goto pc+2
+  regs=240 stack=0 before 5: (05) goto pc+0
+  regs=240 stack=0 before 4: (97) r6 %= 1025
+  regs=240 stack=0 before 3: (b7) r9 = -2147483648
+  regs=40 stack=0 before 2: (b7) r8 = 0
+  regs=40 stack=0 before 1: (b7) r7 = 0
+  regs=40 stack=0 before 0: (b7) r6 = 1024
+  last_idx 9 first_idx 0
+  regs=200 stack=0 before 6: (bd) if r6 <= r9 goto pc+2
+  regs=240 stack=0 before 5: (05) goto pc+0
+  regs=240 stack=0 before 4: (97) r6 %= 1025
+  regs=240 stack=0 before 3: (b7) r9 = -2147483648
+  regs=40 stack=0 before 2: (b7) r8 = 0
+  regs=40 stack=0 before 1: (b7) r7 = 0
+  regs=40 stack=0 before 0: (b7) r6 = 1024
+  11: R6=scalar(umax=18446744071562067968) R9=-2147483648
+  11: (b7) r0 = 0                       ; R0_w=0
+  12: (63) *(u32 *)(r10 -4) = r0
+  last_idx 12 first_idx 11
+  regs=1 stack=0 before 11: (b7) r0 = 0
+  13: R0_w=0 R10=fp0 fp-8=0000????
+  13: (18) r4 = 0xffff9290dc5bfe00      ; R4_w=map_ptr(off=0,ks=4,vs=48,imm=0)
+  15: (bf) r1 = r4                      ; R1_w=map_ptr(off=0,ks=4,vs=48,imm=0) R4_w=map_ptr(off=0,ks=4,vs=48,imm=0)
+  16: (bf) r2 = r10                     ; R2_w=fp0 R10=fp0
+  17: (07) r2 += -4                     ; R2_w=fp-4
+  18: (85) call bpf_map_lookup_elem#1   ; R0_w=map_value_or_null(id=3,off=0,ks=4,vs=48,imm=0)
+  19: (55) if r0 != 0x0 goto pc+1       ; R0_w=0
+  20: (95) exit
+
+  from 19 to 21: R0=map_value(off=0,ks=4,vs=48,imm=0) R6=scalar(umax=18446744071562067968) R7=0 R8=0 R9=-2147483648 R10=fp0 fp-8=mmmm????
+  21: (77) r6 >>= 10                    ; R6_w=scalar(umax=18014398507384832,var_off=(0x0; 0x3fffffffffffff))
+  22: (27) r6 *= 8192                   ; R6_w=scalar(smax=9223372036854767616,umax=18446744073709543424,var_off=(0x0; 0xffffffffffffe000),s32_max=2147475456,u32_max=-8192)
+  23: (bf) r1 = r0                      ; R0=map_value(off=0,ks=4,vs=48,imm=0) R1_w=map_value(off=0,ks=4,vs=48,imm=0)
+  24: (0f) r0 += r6
+  last_idx 24 first_idx 21
+  regs=40 stack=0 before 23: (bf) r1 = r0
+  regs=40 stack=0 before 22: (27) r6 *= 8192
+  regs=40 stack=0 before 21: (77) r6 >>= 10
+  parent didn't have regs=40 stack=0 marks: R0_rw=map_value(off=0,ks=4,vs=48,imm=0) R6_r=Pscalar(umax=18446744071562067968) R7=0 R8=0 R9=-2147483648 R10=fp0 fp-8=mmmm????
+  last_idx 19 first_idx 11
+  regs=40 stack=0 before 19: (55) if r0 != 0x0 goto pc+1
+  regs=40 stack=0 before 18: (85) call bpf_map_lookup_elem#1
+  regs=40 stack=0 before 17: (07) r2 += -4
+  regs=40 stack=0 before 16: (bf) r2 = r10
+  regs=40 stack=0 before 15: (bf) r1 = r4
+  regs=40 stack=0 before 13: (18) r4 = 0xffff9290dc5bfe00
+  regs=40 stack=0 before 12: (63) *(u32 *)(r10 -4) = r0
+  regs=40 stack=0 before 11: (b7) r0 = 0
+  parent didn't have regs=40 stack=0 marks: R1=ctx(off=0,imm=0) R6_rw=Pscalar(umax=18446744071562067968) R7_w=0 R8_w=0 R9_w=-2147483648 R10=fp0
+  last_idx 9 first_idx 0
+  regs=40 stack=0 before 9: (bd) if r6 <= r9 goto pc+1
+  regs=240 stack=0 before 6: (bd) if r6 <= r9 goto pc+2
+  regs=240 stack=0 before 5: (05) goto pc+0
+  regs=240 stack=0 before 4: (97) r6 %= 1025
+  regs=240 stack=0 before 3: (b7) r9 = -2147483648
+  regs=40 stack=0 before 2: (b7) r8 = 0
+  regs=40 stack=0 before 1: (b7) r7 = 0
+  regs=40 stack=0 before 0: (b7) r6 = 1024
+  math between map_value pointer and register with unbounded min value is not allowed
+  verification time 886 usec
+  stack depth 4
+  processed 49 insns (limit 1000000) max_states_per_insn 1 total_states 5 peak_states 5 mark_read 2
+
+Fixes: b5dc0163d8fd ("bpf: precise scalar_value tracking")
+Reported-by: Juan Jose Lopez Jaimez <jjlopezjaimez@google.com>
+Reported-by: Meador Inge <meadori@google.com>
+Reported-by: Simon Scannell <simonscannell@google.com>
+Reported-by: Nenad Stojanovski <thenenadx@google.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Co-developed-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Reviewed-by: Juan Jose Lopez Jaimez <jjlopezjaimez@google.com>
+Reviewed-by: Meador Inge <meadori@google.com>
+Reviewed-by: Simon Scannell <simonscannell@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 1c95d97e7aa53..37d4b5f5ec0c3 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2279,6 +2279,21 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx,
+                       }
+               } else if (opcode == BPF_EXIT) {
+                       return -ENOTSUPP;
++              } else if (BPF_SRC(insn->code) == BPF_X) {
++                      if (!(*reg_mask & (dreg | sreg)))
++                              return 0;
++                      /* dreg <cond> sreg
++                       * Both dreg and sreg need precision before
++                       * this insn. If only sreg was marked precise
++                       * before it would be equally necessary to
++                       * propagate it to dreg.
++                       */
++                      *reg_mask |= (sreg | dreg);
++                       /* else dreg <cond> K
++                        * Only dreg still needs precision before
++                        * this insn, so for the K-based conditional
++                        * there is nothing new to be marked.
++                        */
+               }
+       } else if (class == BPF_LD) {
+               if (!(*reg_mask & dreg))
+-- 
+2.39.2
+
diff --git a/queue-5.15/e1000e-disable-tso-on-i219-lm-card-to-increase-speed.patch b/queue-5.15/e1000e-disable-tso-on-i219-lm-card-to-increase-speed.patch
new file mode 100644 (file)
index 0000000..8894a7c
--- /dev/null
@@ -0,0 +1,100 @@
+From 72a8cf5c8725399007ee64023dbe6a033bef9719 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Apr 2023 13:53:45 -0700
+Subject: e1000e: Disable TSO on i219-LM card to increase speed
+
+From: Sebastian Basierski <sebastianx.basierski@intel.com>
+
+[ Upstream commit 67d47b95119ad589b0a0b16b88b1dd9a04061ced ]
+
+While using i219-LM card currently it was only possible to achieve
+about 60% of maximum speed due to regression introduced in Linux 5.8.
+This was caused by TSO not being disabled by default despite commit
+f29801030ac6 ("e1000e: Disable TSO for buffer overrun workaround").
+Fix that by disabling TSO during driver probe.
+
+Fixes: f29801030ac6 ("e1000e: Disable TSO for buffer overrun workaround")
+Signed-off-by: Sebastian Basierski <sebastianx.basierski@intel.com>
+Signed-off-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230417205345.1030801-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c | 51 +++++++++++-----------
+ 1 file changed, 26 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
+index 7e41ce188cc6a..6b7d162af3e5e 100644
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -5298,31 +5298,6 @@ static void e1000_watchdog_task(struct work_struct *work)
+                               ew32(TARC(0), tarc0);
+                       }
+-                      /* disable TSO for pcie and 10/100 speeds, to avoid
+-                       * some hardware issues
+-                       */
+-                      if (!(adapter->flags & FLAG_TSO_FORCE)) {
+-                              switch (adapter->link_speed) {
+-                              case SPEED_10:
+-                              case SPEED_100:
+-                                      e_info("10/100 speed: disabling TSO\n");
+-                                      netdev->features &= ~NETIF_F_TSO;
+-                                      netdev->features &= ~NETIF_F_TSO6;
+-                                      break;
+-                              case SPEED_1000:
+-                                      netdev->features |= NETIF_F_TSO;
+-                                      netdev->features |= NETIF_F_TSO6;
+-                                      break;
+-                              default:
+-                                      /* oops */
+-                                      break;
+-                              }
+-                              if (hw->mac.type == e1000_pch_spt) {
+-                                      netdev->features &= ~NETIF_F_TSO;
+-                                      netdev->features &= ~NETIF_F_TSO6;
+-                              }
+-                      }
+-
+                       /* enable transmits in the hardware, need to do this
+                        * after setting TARC(0)
+                        */
+@@ -7543,6 +7518,32 @@ static int e1000_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+                           NETIF_F_RXCSUM |
+                           NETIF_F_HW_CSUM);
++      /* disable TSO for pcie and 10/100 speeds to avoid
++       * some hardware issues and for i219 to fix transfer
++       * speed being capped at 60%
++       */
++      if (!(adapter->flags & FLAG_TSO_FORCE)) {
++              switch (adapter->link_speed) {
++              case SPEED_10:
++              case SPEED_100:
++                      e_info("10/100 speed: disabling TSO\n");
++                      netdev->features &= ~NETIF_F_TSO;
++                      netdev->features &= ~NETIF_F_TSO6;
++                      break;
++              case SPEED_1000:
++                      netdev->features |= NETIF_F_TSO;
++                      netdev->features |= NETIF_F_TSO6;
++                      break;
++              default:
++                      /* oops */
++                      break;
++              }
++              if (hw->mac.type == e1000_pch_spt) {
++                      netdev->features &= ~NETIF_F_TSO;
++                      netdev->features &= ~NETIF_F_TSO6;
++              }
++      }
++
+       /* Set user-changeable features (subset of all device features) */
+       netdev->hw_features = netdev->features;
+       netdev->hw_features |= NETIF_F_RXFCS;
+-- 
+2.39.2
+
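Review bot: The speed-dependent TSO switch moved into e1000_probe() reads `adapter->link_speed` before any link has presumably been negotiated, so it likely always falls to `default`, and the 10/100 case is no longer re-evaluated on link changes now that it is gone from e1000_watchdog_task(). The block also runs before `netdev->hw_features = netdev->features;`, so on `e1000_pch_spt` TSO is removed from the user-changeable set as well, not just disabled by default. I would keep the speed switch in the watchdog and move only the MAC-type check to probe, as `if (hw->mac.type == e1000_pch_spt) netdev->features &= ~(NETIF_F_TSO | NETIF_F_TSO6);`. If user override is meant to stay possible, that line should go after the `hw_features` assignment. The body of e1000_probe() continues outside the hunk, so the value of `link_speed` at this point should be confirmed there.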
diff --git a/queue-5.15/f2fs-fix-f2fs_truncate_partial_nodes-ftrace-event.patch b/queue-5.15/f2fs-fix-f2fs_truncate_partial_nodes-ftrace-event.patch
new file mode 100644 (file)
index 0000000..ed3210b
--- /dev/null
@@ -0,0 +1,47 @@
+From 6cbcd3800857b5e73a98275794a04aea4511e578 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 12:25:49 +0000
+Subject: f2fs: Fix f2fs_truncate_partial_nodes ftrace event
+
+From: Douglas Raillard <douglas.raillard@arm.com>
+
+[ Upstream commit 0b04d4c0542e8573a837b1d81b94209e48723b25 ]
+
+Fix the nid_t field so that its size is correctly reported in the text
+format embedded in trace.dat files. As it stands, it is reported as
+being of size 4:
+
+        field:nid_t nid[3];     offset:24;      size:4; signed:0;
+
+Instead of 12:
+
+        field:nid_t nid[3];     offset:24;      size:12;        signed:0;
+
+This also fixes the reported offset of subsequent fields so that they
+match with the actual struct layout.
+
+Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
+Reviewed-by: Mukesh Ojha <quic_mojha@quicinc.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/f2fs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/trace/events/f2fs.h b/include/trace/events/f2fs.h
+index 4cb055af1ec0b..f5dcf7c9b7076 100644
+--- a/include/trace/events/f2fs.h
++++ b/include/trace/events/f2fs.h
+@@ -513,7 +513,7 @@ TRACE_EVENT(f2fs_truncate_partial_nodes,
+       TP_STRUCT__entry(
+               __field(dev_t,  dev)
+               __field(ino_t,  ino)
+-              __field(nid_t,  nid[3])
++              __array(nid_t,  nid, 3)
+               __field(int,    depth)
+               __field(int,    err)
+       ),
+-- 
+2.39.2
+
diff --git a/queue-5.15/i40e-fix-accessing-vsi-active_filters-without-holdin.patch b/queue-5.15/i40e-fix-accessing-vsi-active_filters-without-holdin.patch
new file mode 100644 (file)
index 0000000..8d84f24
--- /dev/null
@@ -0,0 +1,49 @@
+From 11c5823aa3beb0ed5461f915cb9dbe7a571a5321 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Mar 2023 18:16:38 +0100
+Subject: i40e: fix accessing vsi->active_filters without holding lock
+
+From: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+
+[ Upstream commit 8485d093b076e59baff424552e8aecfc5bd2d261 ]
+
+Fix accessing vsi->active_filters without holding the mac_filter_hash_lock.
+Move vsi->active_filters = 0 inside critical section and
+move clear_bit(__I40E_VSI_OVERFLOW_PROMISC, vsi->state) after the critical
+section to ensure the new filters from other threads can be added only after
+filters cleaning in the critical section is finished.
+
+Fixes: 278e7d0b9d68 ("i40e: store MAC/VLAN filters in a hash with the MAC Address as key")
+Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 85d48efce1d00..cafbabc687565 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -13945,15 +13945,15 @@ static int i40e_add_vsi(struct i40e_vsi *vsi)
+               vsi->id = ctxt.vsi_number;
+       }
+-      vsi->active_filters = 0;
+-      clear_bit(__I40E_VSI_OVERFLOW_PROMISC, vsi->state);
+       spin_lock_bh(&vsi->mac_filter_hash_lock);
++      vsi->active_filters = 0;
+       /* If macvlan filters already exist, force them to get loaded */
+       hash_for_each_safe(vsi->mac_filter_hash, bkt, h, f, hlist) {
+               f->state = I40E_FILTER_NEW;
+               f_count++;
+       }
+       spin_unlock_bh(&vsi->mac_filter_hash_lock);
++      clear_bit(__I40E_VSI_OVERFLOW_PROMISC, vsi->state);
+       if (f_count) {
+               vsi->flags |= I40E_VSI_FLAG_FILTER_CHANGED;
+-- 
+2.39.2
+
diff --git a/queue-5.15/i40e-fix-i40e_setup_misc_vector-error-handling.patch b/queue-5.15/i40e-fix-i40e_setup_misc_vector-error-handling.patch
new file mode 100644 (file)
index 0000000..b128e79
--- /dev/null
@@ -0,0 +1,43 @@
+From c456a4369de28e324a178fd24759fd13f40223b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Apr 2023 07:13:18 +0200
+Subject: i40e: fix i40e_setup_misc_vector() error handling
+
+From: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+
+[ Upstream commit c86c00c6935505929cc9adb29ddb85e48c71f828 ]
+
+Add error handling of i40e_setup_misc_vector() in i40e_rebuild().
+In case interrupt vectors setup fails do not re-open vsi-s and
+do not bring up vf-s, we have no interrupts to serve a traffic
+anyway.
+
+Fixes: 41c445ff0f48 ("i40e: main driver core")
+Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index cafbabc687565..3ebd589e56b5b 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -10923,8 +10923,11 @@ static void i40e_rebuild(struct i40e_pf *pf, bool reinit, bool lock_acquired)
+                                            pf->hw.aq.asq_last_status));
+       }
+       /* reinit the misc interrupt */
+-      if (pf->flags & I40E_FLAG_MSIX_ENABLED)
++      if (pf->flags & I40E_FLAG_MSIX_ENABLED) {
+               ret = i40e_setup_misc_vector(pf);
++              if (ret)
++                      goto end_unlock;
++      }
+       /* Add a filter to drop all Flow control frames from any VSI from being
+        * transmitted. By doing so we stop a malicious VF from sending out
+-- 
+2.39.2
+
diff --git a/queue-5.15/input-i8042-add-quirk-for-fujitsu-lifebook-a574-h.patch b/queue-5.15/input-i8042-add-quirk-for-fujitsu-lifebook-a574-h.patch
new file mode 100644 (file)
index 0000000..8d92cad
--- /dev/null
@@ -0,0 +1,43 @@
+From 8cec3dc672450479c92653d482b147a662bf9ba5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Mar 2023 03:19:51 -0700
+Subject: Input: i8042 - add quirk for Fujitsu Lifebook A574/H
+
+From: Jonathan Denose <jdenose@chromium.org>
+
+[ Upstream commit f5bad62f9107b701a6def7cac1f5f65862219b83 ]
+
+Fujitsu Lifebook A574/H requires the nomux option to properly
+probe the touchpad, especially when waking from sleep.
+
+Signed-off-by: Jonathan Denose <jdenose@google.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20230303152623.45859-1-jdenose@google.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/serio/i8042-x86ia64io.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
+index 239c777f8271c..339e765bcf5ae 100644
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -601,6 +601,14 @@ static const struct dmi_system_id i8042_dmi_quirk_table[] __initconst = {
+               },
+               .driver_data = (void *)(SERIO_QUIRK_NOMUX)
+       },
++      {
++              /* Fujitsu Lifebook A574/H */
++              .matches = {
++                      DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "FMVA0501PZ"),
++              },
++              .driver_data = (void *)(SERIO_QUIRK_NOMUX)
++      },
+       {
+               /* Gigabyte M912 */
+               .matches = {
+-- 
+2.39.2
+
diff --git a/queue-5.15/mlxfw-fix-null-ptr-deref-in-mlxfw_mfa2_tlv_next.patch b/queue-5.15/mlxfw-fix-null-ptr-deref-in-mlxfw_mfa2_tlv_next.patch
new file mode 100644 (file)
index 0000000..e05bdee
--- /dev/null
@@ -0,0 +1,45 @@
+From 9d0b3684b07e7ee673a4a2835ceb4aa3c49ed2bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Apr 2023 05:07:18 -0700
+Subject: mlxfw: fix null-ptr-deref in mlxfw_mfa2_tlv_next()
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+[ Upstream commit c0e73276f0fcbbd3d4736ba975d7dc7a48791b0c ]
+
+Function mlxfw_mfa2_tlv_multi_get() returns NULL if 'tlv' in
+question does not pass checks in mlxfw_mfa2_tlv_payload_get(). This
+behaviour may lead to NULL pointer dereference in 'multi->total_len'.
+Fix this issue by testing mlxfw_mfa2_tlv_multi_get()'s return value
+against NULL.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: 410ed13cae39 ("Add the mlxfw module for Mellanox firmware flash process")
+Co-developed-by: Natalia Petrova <n.petrova@fintech.ru>
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://lore.kernel.org/r/20230417120718.52325-1-n.zhandarovich@fintech.ru
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c b/drivers/net/ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c
+index 017d68f1e1232..972c571b41587 100644
+--- a/drivers/net/ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c
++++ b/drivers/net/ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c
+@@ -31,6 +31,8 @@ mlxfw_mfa2_tlv_next(const struct mlxfw_mfa2_file *mfa2_file,
+       if (tlv->type == MLXFW_MFA2_TLV_MULTI_PART) {
+               multi = mlxfw_mfa2_tlv_multi_get(mfa2_file, tlv);
++              if (!multi)
++                      return NULL;
+               tlv_len = NLA_ALIGN(tlv_len + be16_to_cpu(multi->total_len));
+       }
+-- 
+2.39.2
+
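Review bot: The length arithmetic directly after the new NULL check, `NLA_ALIGN(tlv_len + be16_to_cpu(multi->total_len))`, still takes `total_len` from the firmware file being parsed without a range check. The declaration of `tlv_len` is outside the hunk; if it is a 16-bit type, the aligned sum can wrap and produce a too-small step to the next TLV. Consider computing the sum in a wider local and rejecting overflow, e.g. `if (len > U16_MAX) return NULL;`, or confirm that the bounds validation applied to the resulting pointer later in mlxfw_mfa2_tlv_next() covers a wrapped length.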
diff --git a/queue-5.15/mlxsw-pci-fix-possible-crash-during-initialization.patch b/queue-5.15/mlxsw-pci-fix-possible-crash-during-initialization.patch
new file mode 100644 (file)
index 0000000..d5b91ef
--- /dev/null
@@ -0,0 +1,62 @@
+From 85b0d123568ed71df7aa0b9ce128118f1068162c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Apr 2023 18:52:51 +0200
+Subject: mlxsw: pci: Fix possible crash during initialization
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit 1f64757ee2bb22a93ec89b4c71707297e8cca0ba ]
+
+During initialization the driver issues a reset command via its command
+interface in order to remove previous configuration from the device.
+
+After issuing the reset, the driver waits for 200ms before polling on
+the "system_status" register using memory-mapped IO until the device
+reaches a ready state (0x5E). The wait is necessary because the reset
+command only triggers the reset, but the reset itself happens
+asynchronously. If the driver starts polling too soon, the read of the
+"system_status" register will never return and the system will crash
+[1].
+
+The issue was discovered when the device was flashed with a development
+firmware version where the reset routine took longer to complete. The
+issue was fixed in the firmware, but it exposed the fact that the
+current wait time is borderline.
+
+Fix by increasing the wait time from 200ms to 400ms. With this patch and
+the buggy firmware version, the issue did not reproduce in 10 reboots
+whereas without the patch the issue is reproduced quite consistently.
+
+[1]
+mce: CPUs not responding to MCE broadcast (may include false positives): 0,4
+mce: CPUs not responding to MCE broadcast (may include false positives): 0,4
+Kernel panic - not syncing: Timeout: Not all CPUs entered broadcast exception handler
+Shutting down cpus with NMI
+Kernel Offset: 0x12000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
+
+Fixes: ac004e84164e ("mlxsw: pci: Wait longer before accessing the device after reset")
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Signed-off-by: Petr Machata <petrm@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/pci_hw.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/pci_hw.h b/drivers/net/ethernet/mellanox/mlxsw/pci_hw.h
+index 7b531228d6c0f..25e9f47db2a62 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/pci_hw.h
++++ b/drivers/net/ethernet/mellanox/mlxsw/pci_hw.h
+@@ -26,7 +26,7 @@
+ #define MLXSW_PCI_CIR_TIMEOUT_MSECS           1000
+ #define MLXSW_PCI_SW_RESET_TIMEOUT_MSECS      900000
+-#define MLXSW_PCI_SW_RESET_WAIT_MSECS         200
++#define MLXSW_PCI_SW_RESET_WAIT_MSECS         400
+ #define MLXSW_PCI_FW_READY                    0xA1844
+ #define MLXSW_PCI_FW_READY_MASK                       0xFFFF
+ #define MLXSW_PCI_FW_READY_MAGIC              0x5E
+-- 
+2.39.2
+
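Review bot: The new value of `MLXSW_PCI_SW_RESET_WAIT_MSECS` is an empirically chosen delay with no comment at the define, and the patch description itself calls the previous value borderline. A comment such as `/* Reset completes asynchronously; polling system_status before it finishes hangs the MMIO read */` would tell the next reader why this delay must not be shortened. A fixed sleep remains a timing assumption about the firmware, so a slower reset path would presumably hit the same hang.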
diff --git a/queue-5.15/net-dsa-b53-mmap-add-phy-ops.patch b/queue-5.15/net-dsa-b53-mmap-add-phy-ops.patch
new file mode 100644 (file)
index 0000000..3aa75b4
--- /dev/null
@@ -0,0 +1,59 @@
+From 5b610bf45860983d0c8aaa5ed082fb1e50af5eb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Mar 2023 20:48:41 +0100
+Subject: net: dsa: b53: mmap: add phy ops
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas <noltari@gmail.com>
+
+[ Upstream commit 45977e58ce65ed0459edc9a0466d9dfea09463f5 ]
+
+Implement phy_read16() and phy_write16() ops for B53 MMAP to avoid accessing
+B53_PORT_MII_PAGE registers which hangs the device.
+This access should be done through the MDIO Mux bus controller.
+
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_mmap.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/net/dsa/b53/b53_mmap.c b/drivers/net/dsa/b53/b53_mmap.c
+index 3388f620fac99..ca6f53c630676 100644
+--- a/drivers/net/dsa/b53/b53_mmap.c
++++ b/drivers/net/dsa/b53/b53_mmap.c
+@@ -216,6 +216,18 @@ static int b53_mmap_write64(struct b53_device *dev, u8 page, u8 reg,
+       return 0;
+ }
++static int b53_mmap_phy_read16(struct b53_device *dev, int addr, int reg,
++                             u16 *value)
++{
++      return -EIO;
++}
++
++static int b53_mmap_phy_write16(struct b53_device *dev, int addr, int reg,
++                              u16 value)
++{
++      return -EIO;
++}
++
+ static const struct b53_io_ops b53_mmap_ops = {
+       .read8 = b53_mmap_read8,
+       .read16 = b53_mmap_read16,
+@@ -227,6 +239,8 @@ static const struct b53_io_ops b53_mmap_ops = {
+       .write32 = b53_mmap_write32,
+       .write48 = b53_mmap_write48,
+       .write64 = b53_mmap_write64,
++      .phy_read16 = b53_mmap_phy_read16,
++      .phy_write16 = b53_mmap_phy_write16,
+ };
+ static int b53_mmap_probe_of(struct platform_device *pdev,
+-- 
+2.39.2
+
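Review bot: The new stubs b53_mmap_phy_read16() and b53_mmap_phy_write16() return `-EIO` unconditionally but carry no comment saying this is deliberate, so they read like unfinished code. The reason is given only in the patch description. A comment above them such as `/* PHY access must go through the MDIO mux bus controller; touching B53_PORT_MII_PAGE over MMAP hangs the device */` would record it in the source. b53_mmap_phy_read16() also leaves `*value` untouched on this path, so callers (outside the hunk) need to check the return code before using it.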
diff --git a/queue-5.15/net-rpl-fix-rpl-header-size-calculation.patch b/queue-5.15/net-rpl-fix-rpl-header-size-calculation.patch
new file mode 100644 (file)
index 0000000..c88388d
--- /dev/null
@@ -0,0 +1,47 @@
+From e7c669de15cfddad768898860e3604a93de3c0bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Apr 2023 09:00:52 -0400
+Subject: net: rpl: fix rpl header size calculation
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 4e006c7a6dac0ead4c1bf606000aa90a372fc253 ]
+
+This patch fixes a missing 8 byte for the header size calculation. The
+ipv6_rpl_srh_size() is used to check a skb_pull() on skb->data which
+points to skb_transport_header(). Currently we only check on the
+calculated addresses fields using CmprI and CmprE fields, see:
+
+https://www.rfc-editor.org/rfc/rfc6554#section-3
+
+there is however a missing 8 byte inside the calculation which stands
+for the fields before the addresses field. Those 8 bytes are represented
+by sizeof(struct ipv6_rpl_sr_hdr) expression.
+
+Fixes: 8610c7c6e3bd ("net: ipv6: add support for rpl sr exthdr")
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Reported-by: maxpl0it <maxpl0it@protonmail.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/rpl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/rpl.c b/net/ipv6/rpl.c
+index 488aec9e1a74f..d1876f1922255 100644
+--- a/net/ipv6/rpl.c
++++ b/net/ipv6/rpl.c
+@@ -32,7 +32,8 @@ static void *ipv6_rpl_segdata_pos(const struct ipv6_rpl_sr_hdr *hdr, int i)
+ size_t ipv6_rpl_srh_size(unsigned char n, unsigned char cmpri,
+                        unsigned char cmpre)
+ {
+-      return (n * IPV6_PFXTAIL_LEN(cmpri)) + IPV6_PFXTAIL_LEN(cmpre);
++      return sizeof(struct ipv6_rpl_sr_hdr) + (n * IPV6_PFXTAIL_LEN(cmpri)) +
++              IPV6_PFXTAIL_LEN(cmpre);
+ }
+ void ipv6_rpl_srh_decompress(struct ipv6_rpl_sr_hdr *outhdr,
+-- 
+2.39.2
+
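Review bot: ipv6_rpl_srh_size() has no comment stating what its return value covers, and this change alters that contract by adding `sizeof(struct ipv6_rpl_sr_hdr)` to the address bytes. Since the result gates how much of an incoming packet may be pulled, the contract is worth writing down, e.g. `/* Bytes of a compressed RPL SRH: fixed header, n addresses compressed with cmpri, one with cmpre */`. The callers are outside the hunk, so any that already adds the fixed header size itself would now count it twice and should be checked.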
diff --git a/queue-5.15/net-sched-sch_qfq-prevent-slab-out-of-bounds-in-qfq_.patch b/queue-5.15/net-sched-sch_qfq-prevent-slab-out-of-bounds-in-qfq_.patch
new file mode 100644 (file)
index 0000000..89bd4a3
--- /dev/null
@@ -0,0 +1,134 @@
+From ec20b4edbe0b9661fb702412a9c06a27009789c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Apr 2023 19:35:54 +0900
+Subject: net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg
+
+From: Gwangun Jung <exsociety@gmail.com>
+
+[ Upstream commit 3037933448f60f9acb705997eae62013ecb81e0d ]
+
+If the TCA_QFQ_LMAX value is not offered through nlattr, lmax is determined by the MTU value of the network device.
+The MTU of the loopback device can be set up to 2^31-1.
+As a result, it is possible to have an lmax value that exceeds QFQ_MIN_LMAX.
+
+Due to the invalid lmax value, an index is generated that exceeds the QFQ_MAX_INDEX(=24) value, causing out-of-bounds read/write errors.
+
+The following reports a oob access:
+
+[   84.582666] BUG: KASAN: slab-out-of-bounds in qfq_activate_agg.constprop.0 (net/sched/sch_qfq.c:1027 net/sched/sch_qfq.c:1060 net/sched/sch_qfq.c:1313)
+[   84.583267] Read of size 4 at addr ffff88810f676948 by task ping/301
+[   84.583686]
+[   84.583797] CPU: 3 PID: 301 Comm: ping Not tainted 6.3.0-rc5 #1
+[   84.584164] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+[   84.584644] Call Trace:
+[   84.584787]  <TASK>
+[   84.584906] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
+[   84.585108] print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)
+[   84.585570] kasan_report (mm/kasan/report.c:538)
+[   84.585988] qfq_activate_agg.constprop.0 (net/sched/sch_qfq.c:1027 net/sched/sch_qfq.c:1060 net/sched/sch_qfq.c:1313)
+[   84.586599] qfq_enqueue (net/sched/sch_qfq.c:1255)
+[   84.587607] dev_qdisc_enqueue (net/core/dev.c:3776)
+[   84.587749] __dev_queue_xmit (./include/net/sch_generic.h:186 net/core/dev.c:3865 net/core/dev.c:4212)
+[   84.588763] ip_finish_output2 (./include/net/neighbour.h:546 net/ipv4/ip_output.c:228)
+[   84.589460] ip_output (net/ipv4/ip_output.c:430)
+[   84.590132] ip_push_pending_frames (./include/net/dst.h:444 net/ipv4/ip_output.c:126 net/ipv4/ip_output.c:1586 net/ipv4/ip_output.c:1606)
+[   84.590285] raw_sendmsg (net/ipv4/raw.c:649)
+[   84.591960] sock_sendmsg (net/socket.c:724 net/socket.c:747)
+[   84.592084] __sys_sendto (net/socket.c:2142)
+[   84.593306] __x64_sys_sendto (net/socket.c:2150)
+[   84.593779] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
+[   84.593902] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
+[   84.594070] RIP: 0033:0x7fe568032066
+[   84.594192] Code: 0e 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c09[ 84.594796] RSP: 002b:00007ffce388b4e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+
+Code starting with the faulting instruction
+===========================================
+[   84.595047] RAX: ffffffffffffffda RBX: 00007ffce388cc70 RCX: 00007fe568032066
+[   84.595281] RDX: 0000000000000040 RSI: 00005605fdad6d10 RDI: 0000000000000003
+[   84.595515] RBP: 00005605fdad6d10 R08: 00007ffce388eeec R09: 0000000000000010
+[   84.595749] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040
+[   84.595984] R13: 00007ffce388cc30 R14: 00007ffce388b4f0 R15: 0000001d00000001
+[   84.596218]  </TASK>
+[   84.596295]
+[   84.596351] Allocated by task 291:
+[   84.596467] kasan_save_stack (mm/kasan/common.c:46)
+[   84.596597] kasan_set_track (mm/kasan/common.c:52)
+[   84.596725] __kasan_kmalloc (mm/kasan/common.c:384)
+[   84.596852] __kmalloc_node (./include/linux/kasan.h:196 mm/slab_common.c:967 mm/slab_common.c:974)
+[   84.596979] qdisc_alloc (./include/linux/slab.h:610 ./include/linux/slab.h:731 net/sched/sch_generic.c:938)
+[   84.597100] qdisc_create (net/sched/sch_api.c:1244)
+[   84.597222] tc_modify_qdisc (net/sched/sch_api.c:1680)
+[   84.597357] rtnetlink_rcv_msg (net/core/rtnetlink.c:6174)
+[   84.597495] netlink_rcv_skb (net/netlink/af_netlink.c:2574)
+[   84.597627] netlink_unicast (net/netlink/af_netlink.c:1340 net/netlink/af_netlink.c:1365)
+[   84.597759] netlink_sendmsg (net/netlink/af_netlink.c:1942)
+[   84.597891] sock_sendmsg (net/socket.c:724 net/socket.c:747)
+[   84.598016] ____sys_sendmsg (net/socket.c:2501)
+[   84.598147] ___sys_sendmsg (net/socket.c:2557)
+[   84.598275] __sys_sendmsg (./include/linux/file.h:31 net/socket.c:2586)
+[   84.598399] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
+[   84.598520] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
+[   84.598688]
+[   84.598744] The buggy address belongs to the object at ffff88810f674000
+[   84.598744]  which belongs to the cache kmalloc-8k of size 8192
+[   84.599135] The buggy address is located 2664 bytes to the right of
+[   84.599135]  allocated 7904-byte region [ffff88810f674000, ffff88810f675ee0)
+[   84.599544]
+[   84.599598] The buggy address belongs to the physical page:
+[   84.599777] page:00000000e638567f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10f670
+[   84.600074] head:00000000e638567f order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+[   84.600330] flags: 0x200000000010200(slab|head|node=0|zone=2)
+[   84.600517] raw: 0200000000010200 ffff888100043180 dead000000000122 0000000000000000
+[   84.600764] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
+[   84.601009] page dumped because: kasan: bad access detected
+[   84.601187]
+[   84.601241] Memory state around the buggy address:
+[   84.601396]  ffff88810f676800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   84.601620]  ffff88810f676880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   84.601845] >ffff88810f676900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   84.602069]                                               ^
+[   84.602243]  ffff88810f676980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   84.602468]  ffff88810f676a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   84.602693] ==================================================================
+[   84.602924] Disabling lock debugging due to kernel taint
+
+Fixes: 3015f3d2a3cd ("pkt_sched: enable QFQ to support TSO/GSO")
+Reported-by: Gwangun Jung <exsociety@gmail.com>
+Signed-off-by: Gwangun Jung <exsociety@gmail.com>
+Acked-by: Jamal Hadi Salim<jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_qfq.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index 50e51c1322fc1..4c51aeb78f141 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -421,15 +421,16 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+       } else
+               weight = 1;
+-      if (tb[TCA_QFQ_LMAX]) {
++      if (tb[TCA_QFQ_LMAX])
+               lmax = nla_get_u32(tb[TCA_QFQ_LMAX]);
+-              if (lmax < QFQ_MIN_LMAX || lmax > (1UL << QFQ_MTU_SHIFT)) {
+-                      pr_notice("qfq: invalid max length %u\n", lmax);
+-                      return -EINVAL;
+-              }
+-      } else
++      else
+               lmax = psched_mtu(qdisc_dev(sch));
++      if (lmax < QFQ_MIN_LMAX || lmax > (1UL << QFQ_MTU_SHIFT)) {
++              pr_notice("qfq: invalid max length %u\n", lmax);
++              return -EINVAL;
++      }
++
+       inv_w = ONE_FP / weight;
+       weight = ONE_FP / inv_w;
+-- 
+2.39.2
+
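Review bot: The relocated range check in qfq_change_class now also rejects the device-MTU default, yet the only explanation is a `pr_notice`, which the netlink caller never sees and which any request reaching this path can repeat without limit. When lmax comes from `psched_mtu(qdisc_dev(sch))` the user supplied no TCA_QFQ_LMAX, so "invalid max length" with a bare -EINVAL is hard to diagnose. If the function receives a `struct netlink_ext_ack *` (its parameter list is cut off in the hunk header), the reason belongs there; otherwise use at least `pr_notice_ratelimited("qfq: invalid max length %u\n", lmax);`. A comment above the check, such as `/* bound lmax for both sources (TCA_QFQ_LMAX and device MTU); an unchecked value yields an index past QFQ_MAX_INDEX */`, would keep the two sources from being split again. The function body starts and ends outside the hunk.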
diff --git a/queue-5.15/netfilter-br_netfilter-fix-recent-physdev-match-brea.patch b/queue-5.15/netfilter-br_netfilter-fix-recent-physdev-match-brea.patch
new file mode 100644 (file)
index 0000000..103cc0e
--- /dev/null
@@ -0,0 +1,71 @@
+From 77200266a1a3d4a28104e3e5d15afda15cf29b89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Apr 2023 13:54:37 +0200
+Subject: netfilter: br_netfilter: fix recent physdev match breakage
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 94623f579ce338b5fa61b5acaa5beb8aa657fb9e ]
+
+Recent attempt to ensure PREROUTING hook is executed again when a
+decrypted ipsec packet received on a bridge passes through the network
+stack a second time broke the physdev match in INPUT hook.
+
+We can't discard the nf_bridge info strct from sabotage_in hook, as
+this is needed by the physdev match.
+
+Keep the struct around and handle this with another conditional instead.
+
+Fixes: 2b272bb558f1 ("netfilter: br_netfilter: disable sabotage_in hook after first suppression")
+Reported-and-tested-by: Farid BENAMROUCHE <fariouche@yahoo.fr>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/skbuff.h          |  1 +
+ net/bridge/br_netfilter_hooks.c | 17 +++++++++++------
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
+index 19e595cab23ac..ef00dd3108362 100644
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -259,6 +259,7 @@ struct nf_bridge_info {
+       u8                      pkt_otherhost:1;
+       u8                      in_prerouting:1;
+       u8                      bridged_dnat:1;
++      u8                      sabotage_in_done:1;
+       __u16                   frag_max_size;
+       struct net_device       *physindev;
+diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
+index f3c7cfba31e1b..f14beb9a62edb 100644
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -868,12 +868,17 @@ static unsigned int ip_sabotage_in(void *priv,
+ {
+       struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
+-      if (nf_bridge && !nf_bridge->in_prerouting &&
+-          !netif_is_l3_master(skb->dev) &&
+-          !netif_is_l3_slave(skb->dev)) {
+-              nf_bridge_info_free(skb);
+-              state->okfn(state->net, state->sk, skb);
+-              return NF_STOLEN;
++      if (nf_bridge) {
++              if (nf_bridge->sabotage_in_done)
++                      return NF_ACCEPT;
++
++              if (!nf_bridge->in_prerouting &&
++                  !netif_is_l3_master(skb->dev) &&
++                  !netif_is_l3_slave(skb->dev)) {
++                      nf_bridge->sabotage_in_done = 1;
++                      state->okfn(state->net, state->sk, skb);
++                      return NF_STOLEN;
++              }
+       }
+       return NF_ACCEPT;
+-- 
+2.39.2
+
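Review bot: `sabotage_in_done` is set in ip_sabotage_in and never cleared in the lines shown, and the new field in struct nf_bridge_info has no comment saying so. The early `return NF_ACCEPT` now depends on this bit for as long as the nf_bridge info stays attached to the skb, so the lifetime should be stated at the declaration, e.g. `/* ip_sabotage_in already re-ran okfn for this skb; stays set while the extension is attached */`. It is also worth confirming that any path which copies or reuses the extension for a different traversal is meant to inherit the bit; nothing in this patch shows that either way. Both ip_sabotage_in and the struct continue outside their hunks.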
diff --git a/queue-5.15/netfilter-nf_tables-fix-ifdef-to-also-consider-nf_ta.patch b/queue-5.15/netfilter-nf_tables-fix-ifdef-to-also-consider-nf_ta.patch
new file mode 100644 (file)
index 0000000..1b79433
--- /dev/null
@@ -0,0 +1,47 @@
+From 011b8536b26b06d30fbc21e9c82b8d3d21bf7d72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Apr 2023 10:21:36 +0200
+Subject: netfilter: nf_tables: fix ifdef to also consider nf_tables=m
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit c55c0e91c813589dc55bea6bf9a9fbfaa10ae41d ]
+
+nftables can be built as a module, so fix the preprocessor conditional
+accordingly.
+
+Fixes: 478b360a47b7 ("netfilter: nf_tables: fix nf_trace always-on with XT_TRACE=n")
+Reported-by: Florian Fainelli <f.fainelli@gmail.com>
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/skbuff.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
+index ef00dd3108362..7ed1d4472c0c8 100644
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -4462,7 +4462,7 @@ static inline void nf_reset_ct(struct sk_buff *skb)
+ static inline void nf_reset_trace(struct sk_buff *skb)
+ {
+-#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) || defined(CONFIG_NF_TABLES)
++#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) || IS_ENABLED(CONFIG_NF_TABLES)
+       skb->nf_trace = 0;
+ #endif
+ }
+@@ -4482,7 +4482,7 @@ static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src,
+       dst->_nfct = src->_nfct;
+       nf_conntrack_get(skb_nfct(src));
+ #endif
+-#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) || defined(CONFIG_NF_TABLES)
++#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) || IS_ENABLED(CONFIG_NF_TABLES)
+       if (copy)
+               dst->nf_trace = src->nf_trace;
+ #endif
+-- 
+2.39.2
+
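Review bot: The same two-option preprocessor condition is written out in full at both sites, nf_reset_trace and __nf_copy, which is how both carried the same `defined(CONFIG_NF_TABLES)` mistake. Defining one local macro that means "nf_trace is compiled in" and testing it at both places would leave a single line to get right. The declaration of the `nf_trace` field is not visible in these hunks, so it is presumably a third site that must use the identical condition and should be checked against this change. __nf_copy continues outside its hunk.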
diff --git a/queue-5.15/netfilter-nf_tables-tighten-netlink-attribute-requir.patch b/queue-5.15/netfilter-nf_tables-tighten-netlink-attribute-requir.patch
new file mode 100644 (file)
index 0000000..fe97d7d
--- /dev/null
@@ -0,0 +1,37 @@
+From 0014ae979950dfe10c4fc58ea26bba6406664658 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Apr 2023 17:50:28 +0200
+Subject: netfilter: nf_tables: tighten netlink attribute requirements for
+ catch-all elements
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit d4eb7e39929a3b1ff30fb751b4859fc2410702a0 ]
+
+If NFT_SET_ELEM_CATCHALL is set on, then userspace provides no set element
+key. Otherwise, bail out with -EINVAL.
+
+Fixes: aaa31047a6d2 ("netfilter: nftables: add catch-all set element support")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index aecb2f1e7af10..d950041364d5f 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -5895,7 +5895,8 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
+       if (err < 0)
+               return err;
+-      if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
++      if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) ||
++          (!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY]))
+               return -EINVAL;
+       if (flags != 0) {
+-- 
+2.39.2
+
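Review bot: The new check in nft_add_set_elem pairs NFT_SET_ELEM_CATCHALL only with NFTA_SET_ELEM_KEY, so nothing in this hunk rejects a catch-all element that carries NFTA_SET_ELEM_KEY_END. Whether that attribute is refused elsewhere in the function is not visible here and should be confirmed. The two-clause condition is also an exclusive-or written out by hand; `if (!(flags & NFT_SET_ELEM_CATCHALL) == !nla[NFTA_SET_ELEM_KEY])` states "exactly one of the two must be present" in one line, ideally with a comment saying that a catch-all element has no key. If the delete path parses the same attributes, it presumably needs the same rule. The function body starts and ends outside the hunk.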
diff --git a/queue-5.15/netfilter-nf_tables-validate-catch-all-set-elements.patch b/queue-5.15/netfilter-nf_tables-validate-catch-all-set-elements.patch
new file mode 100644 (file)
index 0000000..4ae0977
--- /dev/null
@@ -0,0 +1,177 @@
+From eb75a588db16ed3aef28e2fa25b0d4f4bf755780 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Apr 2023 12:14:29 +0200
+Subject: netfilter: nf_tables: validate catch-all set elements
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit d46fc894147cf98dd6e8210aa99ed46854191840 ]
+
+catch-all set element might jump/goto to chain that uses expressions
+that require validation.
+
+Fixes: aaa31047a6d2 ("netfilter: nftables: add catch-all set element support")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_tables.h |  4 ++
+ net/netfilter/nf_tables_api.c     | 64 ++++++++++++++++++++++++++++---
+ net/netfilter/nft_lookup.c        | 36 ++---------------
+ 3 files changed, 66 insertions(+), 38 deletions(-)
+
+diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
+index 80df8ff5e6752..8def00a04541e 100644
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -1030,6 +1030,10 @@ struct nft_chain {
+ };
+ int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain);
++int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
++                       const struct nft_set_iter *iter,
++                       struct nft_set_elem *elem);
++int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set);
+ enum nft_chain_types {
+       NFT_CHAIN_T_DEFAULT = 0,
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index dc276b6802ca9..aecb2f1e7af10 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3294,6 +3294,64 @@ static int nft_table_validate(struct net *net, const struct nft_table *table)
+       return 0;
+ }
++int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
++                       const struct nft_set_iter *iter,
++                       struct nft_set_elem *elem)
++{
++      const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
++      struct nft_ctx *pctx = (struct nft_ctx *)ctx;
++      const struct nft_data *data;
++      int err;
++
++      if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
++          *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
++              return 0;
++
++      data = nft_set_ext_data(ext);
++      switch (data->verdict.code) {
++      case NFT_JUMP:
++      case NFT_GOTO:
++              pctx->level++;
++              err = nft_chain_validate(ctx, data->verdict.chain);
++              if (err < 0)
++                      return err;
++              pctx->level--;
++              break;
++      default:
++              break;
++      }
++
++      return 0;
++}
++
++struct nft_set_elem_catchall {
++      struct list_head        list;
++      struct rcu_head         rcu;
++      void                    *elem;
++};
++
++int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set)
++{
++      u8 genmask = nft_genmask_next(ctx->net);
++      struct nft_set_elem_catchall *catchall;
++      struct nft_set_elem elem;
++      struct nft_set_ext *ext;
++      int ret = 0;
++
++      list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
++              ext = nft_set_elem_ext(set, catchall->elem);
++              if (!nft_set_elem_active(ext, genmask))
++                      continue;
++
++              elem.priv = catchall->elem;
++              ret = nft_setelem_validate(ctx, set, NULL, &elem);
++              if (ret < 0)
++                      return ret;
++      }
++
++      return ret;
++}
++
+ static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
+                                            const struct nft_chain *chain,
+                                            const struct nlattr *nla);
+@@ -4598,12 +4656,6 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
+       return err;
+ }
+-struct nft_set_elem_catchall {
+-      struct list_head        list;
+-      struct rcu_head         rcu;
+-      void                    *elem;
+-};
+-
+ static void nft_set_catchall_destroy(const struct nft_ctx *ctx,
+                                    struct nft_set *set)
+ {
+diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c
+index 90becbf5bff3d..bd3485dd930f5 100644
+--- a/net/netfilter/nft_lookup.c
++++ b/net/netfilter/nft_lookup.c
+@@ -198,37 +198,6 @@ static int nft_lookup_dump(struct sk_buff *skb, const struct nft_expr *expr)
+       return -1;
+ }
+-static int nft_lookup_validate_setelem(const struct nft_ctx *ctx,
+-                                     struct nft_set *set,
+-                                     const struct nft_set_iter *iter,
+-                                     struct nft_set_elem *elem)
+-{
+-      const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
+-      struct nft_ctx *pctx = (struct nft_ctx *)ctx;
+-      const struct nft_data *data;
+-      int err;
+-
+-      if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
+-          *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
+-              return 0;
+-
+-      data = nft_set_ext_data(ext);
+-      switch (data->verdict.code) {
+-      case NFT_JUMP:
+-      case NFT_GOTO:
+-              pctx->level++;
+-              err = nft_chain_validate(ctx, data->verdict.chain);
+-              if (err < 0)
+-                      return err;
+-              pctx->level--;
+-              break;
+-      default:
+-              break;
+-      }
+-
+-      return 0;
+-}
+-
+ static int nft_lookup_validate(const struct nft_ctx *ctx,
+                              const struct nft_expr *expr,
+                              const struct nft_data **d)
+@@ -244,9 +213,12 @@ static int nft_lookup_validate(const struct nft_ctx *ctx,
+       iter.skip       = 0;
+       iter.count      = 0;
+       iter.err        = 0;
+-      iter.fn         = nft_lookup_validate_setelem;
++      iter.fn         = nft_setelem_validate;
+       priv->set->ops->walk(ctx, priv->set, &iter);
++      if (!iter.err)
++              iter.err = nft_set_catchall_validate(ctx, priv->set);
++
+       if (iter.err < 0)
+               return iter.err;
+-- 
+2.39.2
+
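Review bot: nft_setelem_validate is now exported through nf_tables.h with a `const struct nft_ctx *ctx` parameter, but it writes `ctx->level` through the cast `pctx` and leaves the level incremented when nft_chain_validate fails. A caller reading the prototype cannot know either fact, so the function needs a header comment saying that it mutates `ctx->level`, that the level is only restored on success, and that `iter` is unused (nft_set_catchall_validate passes NULL). It also calls `nft_set_ext_data(ext)` without an `nft_set_ext_exists()` test for the data extension. That is safe only if every caller has already established that the set holds verdict data; for nft_lookup_validate that guard, if present, is outside the hunk, so the precondition should be written down next to the prototype. A one-line comment on nft_set_catchall_validate naming the lock or context that makes `list_for_each_entry_rcu` valid there would help as well.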
diff --git a/queue-5.15/nvme-tcp-fix-a-possible-uaf-when-failing-to-allocate.patch b/queue-5.15/nvme-tcp-fix-a-possible-uaf-when-failing-to-allocate.patch
new file mode 100644 (file)
index 0000000..26e2b5a
--- /dev/null
@@ -0,0 +1,157 @@
+From a15e1c9b0952fa102318dc14ecdcf598fea78c10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Mar 2023 15:33:34 +0200
+Subject: nvme-tcp: fix a possible UAF when failing to allocate an io queue
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+[ Upstream commit 88eaba80328b31ef81813a1207b4056efd7006a6 ]
+
+When we allocate a nvme-tcp queue, we set the data_ready callback before
+we actually need to use it. This creates the potential that if a stray
+controller sends us data on the socket before we connect, we can trigger
+the io_work and start consuming the socket.
+
+In this case reported: we failed to allocate one of the io queues, and
+as we start releasing the queues that we already allocated, we get
+a UAF [1] from the io_work which is running before it should really.
+
+Fix this by setting the socket ops callbacks only before we start the
+queue, so that we can't accidentally schedule the io_work in the
+initialization phase before the queue started. While we are at it,
+rename nvme_tcp_restore_sock_calls to pair with nvme_tcp_setup_sock_ops.
+
+[1]:
+[16802.107284] nvme nvme4: starting error recovery
+[16802.109166] nvme nvme4: Reconnecting in 10 seconds...
+[16812.173535] nvme nvme4: failed to connect socket: -111
+[16812.173745] nvme nvme4: Failed reconnect attempt 1
+[16812.173747] nvme nvme4: Reconnecting in 10 seconds...
+[16822.413555] nvme nvme4: failed to connect socket: -111
+[16822.413762] nvme nvme4: Failed reconnect attempt 2
+[16822.413765] nvme nvme4: Reconnecting in 10 seconds...
+[16832.661274] nvme nvme4: creating 32 I/O queues.
+[16833.919887] BUG: kernel NULL pointer dereference, address: 0000000000000088
+[16833.920068] nvme nvme4: Failed reconnect attempt 3
+[16833.920094] #PF: supervisor write access in kernel mode
+[16833.920261] nvme nvme4: Reconnecting in 10 seconds...
+[16833.920368] #PF: error_code(0x0002) - not-present page
+[16833.921086] Workqueue: nvme_tcp_wq nvme_tcp_io_work [nvme_tcp]
+[16833.921191] RIP: 0010:_raw_spin_lock_bh+0x17/0x30
+...
+[16833.923138] Call Trace:
+[16833.923271]  <TASK>
+[16833.923402]  lock_sock_nested+0x1e/0x50
+[16833.923545]  nvme_tcp_try_recv+0x40/0xa0 [nvme_tcp]
+[16833.923685]  nvme_tcp_io_work+0x68/0xa0 [nvme_tcp]
+[16833.923824]  process_one_work+0x1e8/0x390
+[16833.923969]  worker_thread+0x53/0x3d0
+[16833.924104]  ? process_one_work+0x390/0x390
+[16833.924240]  kthread+0x124/0x150
+[16833.924376]  ? set_kthread_struct+0x50/0x50
+[16833.924518]  ret_from_fork+0x1f/0x30
+[16833.924655]  </TASK>
+
+Reported-by: Yanjun Zhang <zhangyanjun@cestc.cn>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Tested-by: Yanjun Zhang <zhangyanjun@cestc.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/tcp.c | 46 +++++++++++++++++++++++------------------
+ 1 file changed, 26 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
+index 96d8d7844e846..fb47d0603e051 100644
+--- a/drivers/nvme/host/tcp.c
++++ b/drivers/nvme/host/tcp.c
+@@ -1563,22 +1563,7 @@ static int nvme_tcp_alloc_queue(struct nvme_ctrl *nctrl,
+       if (ret)
+               goto err_init_connect;
+-      queue->rd_enabled = true;
+       set_bit(NVME_TCP_Q_ALLOCATED, &queue->flags);
+-      nvme_tcp_init_recv_ctx(queue);
+-
+-      write_lock_bh(&queue->sock->sk->sk_callback_lock);
+-      queue->sock->sk->sk_user_data = queue;
+-      queue->state_change = queue->sock->sk->sk_state_change;
+-      queue->data_ready = queue->sock->sk->sk_data_ready;
+-      queue->write_space = queue->sock->sk->sk_write_space;
+-      queue->sock->sk->sk_data_ready = nvme_tcp_data_ready;
+-      queue->sock->sk->sk_state_change = nvme_tcp_state_change;
+-      queue->sock->sk->sk_write_space = nvme_tcp_write_space;
+-#ifdef CONFIG_NET_RX_BUSY_POLL
+-      queue->sock->sk->sk_ll_usec = 1;
+-#endif
+-      write_unlock_bh(&queue->sock->sk->sk_callback_lock);
+       return 0;
+@@ -1598,7 +1583,7 @@ static int nvme_tcp_alloc_queue(struct nvme_ctrl *nctrl,
+       return ret;
+ }
+-static void nvme_tcp_restore_sock_calls(struct nvme_tcp_queue *queue)
++static void nvme_tcp_restore_sock_ops(struct nvme_tcp_queue *queue)
+ {
+       struct socket *sock = queue->sock;
+@@ -1613,7 +1598,7 @@ static void nvme_tcp_restore_sock_calls(struct nvme_tcp_queue *queue)
+ static void __nvme_tcp_stop_queue(struct nvme_tcp_queue *queue)
+ {
+       kernel_sock_shutdown(queue->sock, SHUT_RDWR);
+-      nvme_tcp_restore_sock_calls(queue);
++      nvme_tcp_restore_sock_ops(queue);
+       cancel_work_sync(&queue->io_work);
+ }
+@@ -1628,21 +1613,42 @@ static void nvme_tcp_stop_queue(struct nvme_ctrl *nctrl, int qid)
+       mutex_unlock(&queue->queue_lock);
+ }
++static void nvme_tcp_setup_sock_ops(struct nvme_tcp_queue *queue)
++{
++      write_lock_bh(&queue->sock->sk->sk_callback_lock);
++      queue->sock->sk->sk_user_data = queue;
++      queue->state_change = queue->sock->sk->sk_state_change;
++      queue->data_ready = queue->sock->sk->sk_data_ready;
++      queue->write_space = queue->sock->sk->sk_write_space;
++      queue->sock->sk->sk_data_ready = nvme_tcp_data_ready;
++      queue->sock->sk->sk_state_change = nvme_tcp_state_change;
++      queue->sock->sk->sk_write_space = nvme_tcp_write_space;
++#ifdef CONFIG_NET_RX_BUSY_POLL
++      queue->sock->sk->sk_ll_usec = 1;
++#endif
++      write_unlock_bh(&queue->sock->sk->sk_callback_lock);
++}
++
+ static int nvme_tcp_start_queue(struct nvme_ctrl *nctrl, int idx)
+ {
+       struct nvme_tcp_ctrl *ctrl = to_tcp_ctrl(nctrl);
++      struct nvme_tcp_queue *queue = &ctrl->queues[idx];
+       int ret;
++      queue->rd_enabled = true;
++      nvme_tcp_init_recv_ctx(queue);
++      nvme_tcp_setup_sock_ops(queue);
++
+       if (idx)
+               ret = nvmf_connect_io_queue(nctrl, idx);
+       else
+               ret = nvmf_connect_admin_queue(nctrl);
+       if (!ret) {
+-              set_bit(NVME_TCP_Q_LIVE, &ctrl->queues[idx].flags);
++              set_bit(NVME_TCP_Q_LIVE, &queue->flags);
+       } else {
+-              if (test_bit(NVME_TCP_Q_ALLOCATED, &ctrl->queues[idx].flags))
+-                      __nvme_tcp_stop_queue(&ctrl->queues[idx]);
++              if (test_bit(NVME_TCP_Q_ALLOCATED, &queue->flags))
++                      __nvme_tcp_stop_queue(queue);
+               dev_err(nctrl->device,
+                       "failed to connect queue: %d ret=%d\n", idx, ret);
+       }
+-- 
+2.39.2
+
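Review bot: nvme_tcp_start_queue now installs the socket callbacks unconditionally, but on a failed connect it restores them only when NVME_TCP_Q_ALLOCATED is set, and nothing in the hunk states that start is called only on allocated queues. nvme_tcp_setup_sock_ops also saves the current `sk_data_ready`/`sk_state_change`/`sk_write_space` into the queue each time it runs. If it could run twice without an intervening nvme_tcp_restore_sock_ops, the saved pointers would be the driver's own handlers; whether that can happen is not visible here. Both preconditions belong in a comment on the new helper, e.g. `/* caller: queue is ALLOCATED and its sock ops are currently the originals; paired with nvme_tcp_restore_sock_ops() */`. The ordering that carries the fix (`rd_enabled`, recv context, then callbacks, all before the connect) also deserves a one-line why-comment so that it is not moved back into the allocation path. nvme_tcp_start_queue continues past the end of the hunk.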
diff --git a/queue-5.15/platform-x86-gigabyte-wmi-add-support-for-a320m-s2h-.patch b/queue-5.15/platform-x86-gigabyte-wmi-add-support-for-a320m-s2h-.patch
new file mode 100644 (file)
index 0000000..26bf703
--- /dev/null
@@ -0,0 +1,39 @@
+From 8a082a7052ab23e73802b751950458a6352cb897 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Mar 2023 20:14:41 +1100
+Subject: platform/x86 (gigabyte-wmi): Add support for A320M-S2H V2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Frank Crawford <frank@crawford.emu.id.au>
+
+[ Upstream commit b7c994f8c35e916e27c60803bb21457bc1373500 ]
+
+Add support for A320M-S2H V2.  Tested using module force_load option.
+
+Signed-off-by: Frank Crawford <frank@crawford.emu.id.au>
+Acked-by: Thomas Weißschuh <linux@weissschuh.net>
+Link: https://lore.kernel.org/r/20230318091441.1240921-1-frank@crawford.emu.id.au
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/gigabyte-wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/platform/x86/gigabyte-wmi.c b/drivers/platform/x86/gigabyte-wmi.c
+index 0163e912fafec..aea4f3144b68f 100644
+--- a/drivers/platform/x86/gigabyte-wmi.c
++++ b/drivers/platform/x86/gigabyte-wmi.c
+@@ -140,6 +140,7 @@ static u8 gigabyte_wmi_detect_sensor_usability(struct wmi_device *wdev)
+       }}
+ static const struct dmi_system_id gigabyte_wmi_known_working_platforms[] = {
++      DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("A320M-S2H V2-CF"),
+       DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B450M DS3H-CF"),
+       DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B450M DS3H WIFI-CF"),
+       DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B450M S2H V2"),
+-- 
+2.39.2
+
diff --git a/queue-5.15/platform-x86-gigabyte-wmi-add-support-for-x570s-aoru.patch b/queue-5.15/platform-x86-gigabyte-wmi-add-support-for-x570s-aoru.patch
new file mode 100644 (file)
index 0000000..efba4c7
--- /dev/null
@@ -0,0 +1,34 @@
+From 09add911cfc35ad6cff6f9c846c95341d3a40e22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Mar 2023 19:31:48 +0200
+Subject: platform/x86: gigabyte-wmi: add support for X570S AORUS ELITE
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 52f91e51944808d83dfe2d5582601b5e84e472cc ]
+
+Add "X570S AORUS ELITE" to known working boards
+
+Reported-by: Brandon Nielsen <nielsenb@jetfuse.net>
+Link: https://lore.kernel.org/r/20230331014902.7864-1-nielsenb@jetfuse.net
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/gigabyte-wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/platform/x86/gigabyte-wmi.c b/drivers/platform/x86/gigabyte-wmi.c
+index aea4f3144b68f..bf1b98dd00b99 100644
+--- a/drivers/platform/x86/gigabyte-wmi.c
++++ b/drivers/platform/x86/gigabyte-wmi.c
+@@ -156,6 +156,7 @@ static const struct dmi_system_id gigabyte_wmi_known_working_platforms[] = {
+       DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("X570 GAMING X"),
+       DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("X570 I AORUS PRO WIFI"),
+       DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("X570 UD"),
++      DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("X570S AORUS ELITE"),
+       DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("Z690M AORUS ELITE AX DDR4"),
+       { }
+ };
+-- 
+2.39.2
+
diff --git a/queue-5.15/regulator-fan53555-explicitly-include-bits-header.patch b/queue-5.15/regulator-fan53555-explicitly-include-bits-header.patch
new file mode 100644 (file)
index 0000000..c5c5e1f
--- /dev/null
@@ -0,0 +1,59 @@
+From ca816a51050f58a0fa02fcf7bdb9c3a3b3358247 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Apr 2023 20:18:00 +0300
+Subject: regulator: fan53555: Explicitly include bits header
+
+From: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+
+[ Upstream commit 4fb9a5060f73627303bc531ceaab1b19d0a24aef ]
+
+Since commit f2a9eb975ab2 ("regulator: fan53555: Add support for
+FAN53526") the driver makes use of the BIT() macro, but relies on the
+bits header being implicitly included.
+
+Explicitly pull the header in to avoid potential build failures in some
+configurations.
+
+While here, reorder include directives alphabetically.
+
+Fixes: f2a9eb975ab2 ("regulator: fan53555: Add support for FAN53526")
+Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+Link: https://lore.kernel.org/r/20230406171806.948290-3-cristian.ciocaltea@collabora.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/fan53555.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/regulator/fan53555.c b/drivers/regulator/fan53555.c
+index dac1fb584fa35..df53464afe3a0 100644
+--- a/drivers/regulator/fan53555.c
++++ b/drivers/regulator/fan53555.c
+@@ -8,18 +8,19 @@
+ // Copyright (c) 2012 Marvell Technology Ltd.
+ // Yunfan Zhang <yfzhang@marvell.com>
++#include <linux/bits.h>
++#include <linux/err.h>
++#include <linux/i2c.h>
+ #include <linux/module.h>
++#include <linux/of_device.h>
+ #include <linux/param.h>
+-#include <linux/err.h>
+ #include <linux/platform_device.h>
++#include <linux/regmap.h>
+ #include <linux/regulator/driver.h>
++#include <linux/regulator/fan53555.h>
+ #include <linux/regulator/machine.h>
+ #include <linux/regulator/of_regulator.h>
+-#include <linux/of_device.h>
+-#include <linux/i2c.h>
+ #include <linux/slab.h>
+-#include <linux/regmap.h>
+-#include <linux/regulator/fan53555.h>
+ /* Voltage setting */
+ #define FAN53555_VSEL0                0x00
+-- 
+2.39.2
+
diff --git a/queue-5.15/regulator-fan53555-fix-wrong-tcs_slew_mask.patch b/queue-5.15/regulator-fan53555-fix-wrong-tcs_slew_mask.patch
new file mode 100644 (file)
index 0000000..205330c
--- /dev/null
@@ -0,0 +1,40 @@
+From 8523ac4ba2b89abe305c9cb2d927279f449fbc27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Apr 2023 20:18:01 +0300
+Subject: regulator: fan53555: Fix wrong TCS_SLEW_MASK
+
+From: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+
+[ Upstream commit c5d5b55b3c1a314137a251efc1001dfd435c6242 ]
+
+The support for TCS4525 regulator has been introduced with a wrong
+ramp-rate mask, which has been defined as a logical expression instead
+of a bit shift operation.
+
+For clarity, fix it using GENMASK() macro.
+
+Fixes: 914df8faa7d6 ("regulator: fan53555: Add TCS4525 DCDC support")
+Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+Link: https://lore.kernel.org/r/20230406171806.948290-4-cristian.ciocaltea@collabora.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/fan53555.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/fan53555.c b/drivers/regulator/fan53555.c
+index df53464afe3a0..ecd5a50c61660 100644
+--- a/drivers/regulator/fan53555.c
++++ b/drivers/regulator/fan53555.c
+@@ -61,7 +61,7 @@
+ #define TCS_VSEL1_MODE                (1 << 6)
+ #define TCS_SLEW_SHIFT                3
+-#define TCS_SLEW_MASK         (0x3 < 3)
++#define TCS_SLEW_MASK         GENMASK(4, 3)
+ enum fan53555_vendor {
+       FAN53526_VENDOR_FAIRCHILD = 0,
+-- 
+2.39.2
+
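Review bot: In the fan53555.c hunk, `GENMASK(4, 3)` hard-codes the bit position that `TCS_SLEW_SHIFT` on the line above already names, so the mask and the shift can drift apart if one is edited. Deriving the mask from the shift keeps them tied: `#define TCS_SLEW_MASK (0x3 << TCS_SLEW_SHIFT)`. The replaced expression `(0x3 < 3)` is a comparison that evaluates to 0, so ramp-rate updates through this mask presumably changed nothing until now. It is worth confirming that the slew setting, once it takes effect, is what TCS4525 boards expect.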
diff --git a/queue-5.15/s390-ptrace-fix-ptrace_get_last_break-error-handling.patch b/queue-5.15/s390-ptrace-fix-ptrace_get_last_break-error-handling.patch
new file mode 100644 (file)
index 0000000..c790c47
--- /dev/null
@@ -0,0 +1,49 @@
+From 02c08bcafba77f5edd29f1e541a9768bacfcf1e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 12:31:30 +0100
+Subject: s390/ptrace: fix PTRACE_GET_LAST_BREAK error handling
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit f9bbf25e7b2b74b52b2f269216a92657774f239c ]
+
+Return -EFAULT if put_user() for the PTRACE_GET_LAST_BREAK
+request fails, instead of silently ignoring it.
+
+Reviewed-by: Sven Schnelle <svens@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/ptrace.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c
+index 0ea3d02b378de..516c21baf3ad3 100644
+--- a/arch/s390/kernel/ptrace.c
++++ b/arch/s390/kernel/ptrace.c
+@@ -481,9 +481,7 @@ long arch_ptrace(struct task_struct *child, long request,
+               }
+               return 0;
+       case PTRACE_GET_LAST_BREAK:
+-              put_user(child->thread.last_break,
+-                       (unsigned long __user *) data);
+-              return 0;
++              return put_user(child->thread.last_break, (unsigned long __user *)data);
+       case PTRACE_ENABLE_TE:
+               if (!MACHINE_HAS_TE)
+                       return -EIO;
+@@ -837,9 +835,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
+               }
+               return 0;
+       case PTRACE_GET_LAST_BREAK:
+-              put_user(child->thread.last_break,
+-                       (unsigned int __user *) data);
+-              return 0;
++              return put_user(child->thread.last_break, (unsigned int __user *)data);
+       }
+       return compat_ptrace_request(child, request, addr, data);
+ }
+-- 
+2.39.2
+
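Review bot: In the compat_arch_ptrace() hunk, `child->thread.last_break` is stored through an `unsigned int __user *`, so put_user() narrows the value implicitly, and nothing on the line says this is intended. The field's type is not visible here, but the native hunk writes it as `unsigned long`. A short comment would record the intent: `/* compat tracer: last_break is deliberately truncated to 32 bits */`. With this change a tracer that passes a bad `data` pointer now gets -EFAULT where it used to get 0, which is the right result but is a user-visible difference for the stable tree. Both functions start and end outside the hunks.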
diff --git a/queue-5.15/scsi-core-improve-scsi_vpd_inquiry-checks.patch b/queue-5.15/scsi-core-improve-scsi_vpd_inquiry-checks.patch
new file mode 100644 (file)
index 0000000..df00d72
--- /dev/null
@@ -0,0 +1,60 @@
+From 7c31e20b5ef9ab5cf7dc79456abe14874af916b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Mar 2023 11:22:11 +0900
+Subject: scsi: core: Improve scsi_vpd_inquiry() checks
+
+From: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+
+[ Upstream commit f0aa59a33d2ac2267d260fe21eaf92500df8e7b4 ]
+
+Some USB-SATA adapters have broken behavior when an unsupported VPD page is
+probed: Depending on the VPD page number, a 4-byte header with a valid VPD
+page number but with a 0 length is returned. Currently, scsi_vpd_inquiry()
+only checks that the page number is valid to determine if the page is
+valid, which results in receiving only the 4-byte header for the
+non-existent page. This error manifests itself very often with page 0xb9
+for the Concurrent Positioning Ranges detection done by sd_read_cpr(),
+resulting in the following error message:
+
+sd 0:0:0:0: [sda] Invalid Concurrent Positioning Ranges VPD page
+
+Prevent such misleading error message by adding a check in
+scsi_vpd_inquiry() to verify that the page length is not 0.
+
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Link: https://lore.kernel.org/r/20230322022211.116327-1-damien.lemoal@opensource.wdc.com
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c
+index 4fc9466d820a7..a499a57150720 100644
+--- a/drivers/scsi/scsi.c
++++ b/drivers/scsi/scsi.c
+@@ -323,11 +323,18 @@ static int scsi_vpd_inquiry(struct scsi_device *sdev, unsigned char *buffer,
+       if (result)
+               return -EIO;
+-      /* Sanity check that we got the page back that we asked for */
++      /*
++       * Sanity check that we got the page back that we asked for and that
++       * the page size is not 0.
++       */
+       if (buffer[1] != page)
+               return -EIO;
+-      return get_unaligned_be16(&buffer[2]) + 4;
++      result = get_unaligned_be16(&buffer[2]);
++      if (!result)
++              return -EIO;
++
++      return result + 4;
+ }
+ /**
+-- 
+2.39.2
+
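Review bot: The value returned at the end of scsi_vpd_inquiry() is still the device-reported page length plus 4, and nothing in this hunk compares it with the size of `buffer`; the new check rejects only a zero length. Because the length field comes from the device, callers have to treat the return value as a claimed size and clamp it before indexing the buffer; whether they all do is not visible here. A comment on the return would record that: `/* device-reported length; may exceed the buffer size, callers must clamp */`. The hunk also reuses `result`, which held the command status, for the page length; a separate local would read more clearly. The start of the function is outside the hunk.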
diff --git a/queue-5.15/scsi-megaraid_sas-fix-fw_crash_buffer_show.patch b/queue-5.15/scsi-megaraid_sas-fix-fw_crash_buffer_show.patch
new file mode 100644 (file)
index 0000000..e705426
--- /dev/null
@@ -0,0 +1,36 @@
+From 11b385aa4070f65e5e1b5c9135835ec266a540a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Mar 2023 14:52:49 +0100
+Subject: scsi: megaraid_sas: Fix fw_crash_buffer_show()
+
+From: Tomas Henzl <thenzl@redhat.com>
+
+[ Upstream commit 0808ed6ebbc292222ca069d339744870f6d801da ]
+
+If crash_dump_buf is not allocated then crash dump can't be available.
+Replace logical 'and' with 'or'.
+
+Signed-off-by: Tomas Henzl <thenzl@redhat.com>
+Link: https://lore.kernel.org/r/20230324135249.9733-1-thenzl@redhat.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/megaraid/megaraid_sas_base.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
+index 88e164e3d2eac..f7da1876e7a38 100644
+--- a/drivers/scsi/megaraid/megaraid_sas_base.c
++++ b/drivers/scsi/megaraid/megaraid_sas_base.c
+@@ -3302,7 +3302,7 @@ fw_crash_buffer_show(struct device *cdev,
+       spin_lock_irqsave(&instance->crashdump_lock, flags);
+       buff_offset = instance->fw_crash_buffer_offset;
+-      if (!instance->crash_dump_buf &&
++      if (!instance->crash_dump_buf ||
+               !((instance->fw_crash_state == AVAILABLE) ||
+               (instance->fw_crash_state == COPYING))) {
+               dev_err(&instance->pdev->dev,
+-- 
+2.39.2
+
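Review bot: The condition in fw_crash_buffer_show() mixes a negated pointer test with a negated disjunction of state tests, which makes the `&&` versus `||` mistake hard to spot. Writing the state test positively is equivalent and easier to read: `if (!instance->crash_dump_buf || (instance->fw_crash_state != AVAILABLE && instance->fw_crash_state != COPYING)) {`. The check runs with `crashdump_lock` held and the error branch continues past the hunk, so confirm that branch still releases the lock before returning.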
diff --git a/queue-5.15/selftests-sigaltstack-fix-wuninitialized.patch b/queue-5.15/selftests-sigaltstack-fix-wuninitialized.patch
new file mode 100644 (file)
index 0000000..0a226ec
--- /dev/null
@@ -0,0 +1,95 @@
+From 526982fa01c80fc47a592e373b71e5f6e78aaa1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Mar 2023 11:59:33 -0800
+Subject: selftests: sigaltstack: fix -Wuninitialized
+
+From: Nick Desaulniers <ndesaulniers@google.com>
+
+[ Upstream commit 05107edc910135d27fe557267dc45be9630bf3dd ]
+
+Building sigaltstack with clang via:
+$ ARCH=x86 make LLVM=1 -C tools/testing/selftests/sigaltstack/
+
+produces the following warning:
+  warning: variable 'sp' is uninitialized when used here [-Wuninitialized]
+  if (sp < (unsigned long)sstack ||
+      ^~
+
+Clang expects these to be declared at global scope; we've fixed this in
+the kernel proper by using the macro `current_stack_pointer`. This is
+defined in different headers for different target architectures, so just
+create a new header that defines the arch-specific register names for
+the stack pointer register, and define it for more targets (at least the
+ones that support current_stack_pointer/ARCH_HAS_CURRENT_STACK_POINTER).
+
+Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
+Link: https://lore.kernel.org/lkml/CA+G9fYsi3OOu7yCsMutpzKDnBMAzJBCPimBp86LhGBa0eCnEpA@mail.gmail.com/
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
+Tested-by: Anders Roxell <anders.roxell@linaro.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../sigaltstack/current_stack_pointer.h       | 23 +++++++++++++++++++
+ tools/testing/selftests/sigaltstack/sas.c     |  7 +-----
+ 2 files changed, 24 insertions(+), 6 deletions(-)
+ create mode 100644 tools/testing/selftests/sigaltstack/current_stack_pointer.h
+
+diff --git a/tools/testing/selftests/sigaltstack/current_stack_pointer.h b/tools/testing/selftests/sigaltstack/current_stack_pointer.h
+new file mode 100644
+index 0000000000000..ea9bdf3a90b16
+--- /dev/null
++++ b/tools/testing/selftests/sigaltstack/current_stack_pointer.h
+@@ -0,0 +1,23 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++
++#if __alpha__
++register unsigned long sp asm("$30");
++#elif __arm__ || __aarch64__ || __csky__ || __m68k__ || __mips__ || __riscv
++register unsigned long sp asm("sp");
++#elif __i386__
++register unsigned long sp asm("esp");
++#elif __loongarch64
++register unsigned long sp asm("$sp");
++#elif __ppc__
++register unsigned long sp asm("r1");
++#elif __s390x__
++register unsigned long sp asm("%15");
++#elif __sh__
++register unsigned long sp asm("r15");
++#elif __x86_64__
++register unsigned long sp asm("rsp");
++#elif __XTENSA__
++register unsigned long sp asm("a1");
++#else
++#error "implement current_stack_pointer equivalent"
++#endif
+diff --git a/tools/testing/selftests/sigaltstack/sas.c b/tools/testing/selftests/sigaltstack/sas.c
+index c53b070755b65..98d37cb744fb2 100644
+--- a/tools/testing/selftests/sigaltstack/sas.c
++++ b/tools/testing/selftests/sigaltstack/sas.c
+@@ -20,6 +20,7 @@
+ #include <sys/auxv.h>
+ #include "../kselftest.h"
++#include "current_stack_pointer.h"
+ #ifndef SS_AUTODISARM
+ #define SS_AUTODISARM  (1U << 31)
+@@ -46,12 +47,6 @@ void my_usr1(int sig, siginfo_t *si, void *u)
+       stack_t stk;
+       struct stk_data *p;
+-#if __s390x__
+-      register unsigned long sp asm("%15");
+-#else
+-      register unsigned long sp asm("sp");
+-#endif
+-
+       if (sp < (unsigned long)sstack ||
+                       sp >= (unsigned long)sstack + stack_size) {
+               ksft_exit_fail_msg("SP is not on sigaltstack\n");
+-- 
+2.39.2
+
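Review bot: The new current_stack_pointer.h declares a file-scope register variable with the very short name `sp` and has no include guard, so any local or parameter called `sp` in a file that includes it will silently shadow the stack-pointer binding. An include guard and a one-line comment such as `/* sp: global register variable bound to the arch stack pointer */` would make that explicit. The `#if __alpha__` / `#elif __i386__` chain also relies on undefined macros evaluating to 0, which warns under `-Wundef`; `#if defined(__alpha__)` is the quieter form.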
diff --git a/queue-5.15/series b/queue-5.15/series
new file mode 100644 (file)
index 0000000..046a9c7
--- /dev/null
@@ -0,0 +1,35 @@
+arm-dts-rockchip-fix-a-typo-error-for-rk3288-spdif-n.patch
+arm64-dts-qcom-ipq8074-hk01-enable-qmp-device-not-th.patch
+arm64-dts-meson-g12-common-specify-full-dmc-range.patch
+arm64-dts-imx8mm-evk-correct-pmic-clock-source.patch
+netfilter-br_netfilter-fix-recent-physdev-match-brea.patch
+regulator-fan53555-explicitly-include-bits-header.patch
+regulator-fan53555-fix-wrong-tcs_slew_mask.patch
+net-sched-sch_qfq-prevent-slab-out-of-bounds-in-qfq_.patch
+virtio_net-bugfix-overflow-inside-xdp_linearize_page.patch
+sfc-split-state_ready-in-to-state_net_down-and-state.patch
+sfc-fix-use-after-free-due-to-selftest_work.patch
+netfilter-nf_tables-fix-ifdef-to-also-consider-nf_ta.patch
+i40e-fix-accessing-vsi-active_filters-without-holdin.patch
+i40e-fix-i40e_setup_misc_vector-error-handling.patch
+netfilter-nf_tables-validate-catch-all-set-elements.patch
+netfilter-nf_tables-tighten-netlink-attribute-requir.patch
+bnxt_en-do-not-initialize-ptp-on-older-p3-p4-chips.patch
+mlxfw-fix-null-ptr-deref-in-mlxfw_mfa2_tlv_next.patch
+bonding-fix-memory-leak-when-changing-bond-type-to-e.patch
+net-rpl-fix-rpl-header-size-calculation.patch
+mlxsw-pci-fix-possible-crash-during-initialization.patch
+spi-spi-rockchip-fix-missing-unwind-goto-in-rockchip.patch
+bpf-fix-incorrect-verifier-pruning-due-to-missing-re.patch
+e1000e-disable-tso-on-i219-lm-card-to-increase-speed.patch
+f2fs-fix-f2fs_truncate_partial_nodes-ftrace-event.patch
+input-i8042-add-quirk-for-fujitsu-lifebook-a574-h.patch
+platform-x86-gigabyte-wmi-add-support-for-a320m-s2h-.patch
+selftests-sigaltstack-fix-wuninitialized.patch
+scsi-megaraid_sas-fix-fw_crash_buffer_show.patch
+scsi-core-improve-scsi_vpd_inquiry-checks.patch
+net-dsa-b53-mmap-add-phy-ops.patch
+s390-ptrace-fix-ptrace_get_last_break-error-handling.patch
+nvme-tcp-fix-a-possible-uaf-when-failing-to-allocate.patch
+xen-netback-use-same-error-messages-for-same-errors.patch
+platform-x86-gigabyte-wmi-add-support-for-x570s-aoru.patch
diff --git a/queue-5.15/sfc-fix-use-after-free-due-to-selftest_work.patch b/queue-5.15/sfc-fix-use-after-free-due-to-selftest_work.patch
new file mode 100644 (file)
index 0000000..dfd2550
--- /dev/null
@@ -0,0 +1,90 @@
+From 2c710f5fe2cb7fe1d542e54a9c9a5ff7b82aad2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Apr 2023 23:23:06 +0800
+Subject: sfc: Fix use-after-free due to selftest_work
+
+From: Ding Hui <dinghui@sangfor.com.cn>
+
+[ Upstream commit a80bb8e7233b2ad6ff119646b6e33fb3edcec37b ]
+
+There is a use-after-free scenario that is:
+
+When the NIC is down, user set mac address or vlan tag to VF,
+the xxx_set_vf_mac() or xxx_set_vf_vlan() will invoke efx_net_stop()
+and efx_net_open(), since netif_running() is false, the port will not
+start and keep port_enabled false, but selftest_work is scheduled
+in efx_net_open().
+
+If we remove the device before selftest_work run, the efx_stop_port()
+will not be called since the NIC is down, and then efx is freed,
+we will soon get a UAF in run_timer_softirq() like this:
+
+[ 1178.907941] ==================================================================
+[ 1178.907948] BUG: KASAN: use-after-free in run_timer_softirq+0xdea/0xe90
+[ 1178.907950] Write of size 8 at addr ff11001f449cdc80 by task swapper/47/0
+[ 1178.907950]
+[ 1178.907953] CPU: 47 PID: 0 Comm: swapper/47 Kdump: loaded Tainted: G           O     --------- -t - 4.18.0 #1
+[ 1178.907954] Hardware name: SANGFOR X620G40/WI2HG-208T1061A, BIOS SPYH051032-U01 04/01/2022
+[ 1178.907955] Call Trace:
+[ 1178.907956]  <IRQ>
+[ 1178.907960]  dump_stack+0x71/0xab
+[ 1178.907963]  print_address_description+0x6b/0x290
+[ 1178.907965]  ? run_timer_softirq+0xdea/0xe90
+[ 1178.907967]  kasan_report+0x14a/0x2b0
+[ 1178.907968]  run_timer_softirq+0xdea/0xe90
+[ 1178.907971]  ? init_timer_key+0x170/0x170
+[ 1178.907973]  ? hrtimer_cancel+0x20/0x20
+[ 1178.907976]  ? sched_clock+0x5/0x10
+[ 1178.907978]  ? sched_clock_cpu+0x18/0x170
+[ 1178.907981]  __do_softirq+0x1c8/0x5fa
+[ 1178.907985]  irq_exit+0x213/0x240
+[ 1178.907987]  smp_apic_timer_interrupt+0xd0/0x330
+[ 1178.907989]  apic_timer_interrupt+0xf/0x20
+[ 1178.907990]  </IRQ>
+[ 1178.907991] RIP: 0010:mwait_idle+0xae/0x370
+
+If the NIC is not actually brought up, there is no need to schedule
+selftest_work, so let's move invoking efx_selftest_async_start()
+into efx_start_all(), and it will be canceled by broughting down.
+
+Fixes: dd40781e3a4e ("sfc: Run event/IRQ self-test asynchronously when interface is brought up")
+Fixes: e340be923012 ("sfc: add ndo_set_vf_mac() function for EF10")
+Debugged-by: Huang Cun <huangcun@sangfor.com.cn>
+Cc: Donglin Peng <pengdonglin@sangfor.com.cn>
+Suggested-by: Martin Habets <habetsm.xilinx@gmail.com>
+Signed-off-by: Ding Hui <dinghui@sangfor.com.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sfc/efx.c        | 1 -
+ drivers/net/ethernet/sfc/efx_common.c | 2 ++
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/sfc/efx.c b/drivers/net/ethernet/sfc/efx.c
+index 7ab592844df83..41eb6f9f5596e 100644
+--- a/drivers/net/ethernet/sfc/efx.c
++++ b/drivers/net/ethernet/sfc/efx.c
+@@ -540,7 +540,6 @@ int efx_net_open(struct net_device *net_dev)
+       else
+               efx->state = STATE_NET_UP;
+-      efx_selftest_async_start(efx);
+       return 0;
+ }
+diff --git a/drivers/net/ethernet/sfc/efx_common.c b/drivers/net/ethernet/sfc/efx_common.c
+index 7c90e1e2d161b..6038b7e3e8236 100644
+--- a/drivers/net/ethernet/sfc/efx_common.c
++++ b/drivers/net/ethernet/sfc/efx_common.c
+@@ -542,6 +542,8 @@ void efx_start_all(struct efx_nic *efx)
+       /* Start the hardware monitor if there is one */
+       efx_start_monitor(efx);
++      efx_selftest_async_start(efx);
++
+       /* Link state detection is normally event-driven; we have
+        * to poll now because we could have missed a change
+        */
+-- 
+2.39.2
+
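Review bot: The call added to efx_start_all() is only safe if every path that tears the port down cancels selftest_work, and that cancel is not visible in either hunk. The commit message says bringing the interface down cancels it; a comment at the new call site would record the invariant, for example `/* Scheduled here rather than in efx_net_open() so the stop path always cancels it before efx is freed */`. efx_start_all() starts outside the hunk, so it is also worth confirming that any early return for a down port (the commit message mentions port_enabled and netif_running()) sits above the new line; otherwise the work would still be queued while the NIC is down. Any other caller of efx_start_all() will now schedule the self-test too, which looks intended but is not stated.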
diff --git a/queue-5.15/sfc-split-state_ready-in-to-state_net_down-and-state.patch b/queue-5.15/sfc-split-state_ready-in-to-state_net_down-and-state.patch
new file mode 100644 (file)
index 0000000..ab5b37f
--- /dev/null
@@ -0,0 +1,313 @@
+From 823187051285a59011874fde27ede909d213cfec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jun 2022 14:58:55 +0100
+Subject: sfc: Split STATE_READY in to STATE_NET_DOWN and STATE_NET_UP.
+
+From: Jonathan Cooper <jonathan.s.cooper@amd.com>
+
+[ Upstream commit 813cf9d1e753e1e0a247d3d685212a06141b483e ]
+
+This patch splits the READY state in to NET_UP and NET_DOWN. This
+is to prepare for future work to delay resource allocation until
+interface up so that we can use resources more efficiently in
+SRIOV environments, and also to lay the ground work for an extra
+PROBED state where we don't create a network interface,
+for VDPA operation.
+
+Signed-off-by: Jonathan Cooper <jonathan.s.cooper@amd.com>
+Acked-by: Martin Habets <habetsm.xilinx@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: a80bb8e7233b ("sfc: Fix use-after-free due to selftest_work")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sfc/ef100_netdev.c   |  6 ++-
+ drivers/net/ethernet/sfc/efx.c            | 29 ++++++-------
+ drivers/net/ethernet/sfc/efx_common.c     | 10 ++---
+ drivers/net/ethernet/sfc/efx_common.h     |  6 +--
+ drivers/net/ethernet/sfc/ethtool_common.c |  2 +-
+ drivers/net/ethernet/sfc/net_driver.h     | 50 +++++++++++++++++++++--
+ 6 files changed, 72 insertions(+), 31 deletions(-)
+
+diff --git a/drivers/net/ethernet/sfc/ef100_netdev.c b/drivers/net/ethernet/sfc/ef100_netdev.c
+index 63a44ee763be7..b9429e8faba1e 100644
+--- a/drivers/net/ethernet/sfc/ef100_netdev.c
++++ b/drivers/net/ethernet/sfc/ef100_netdev.c
+@@ -96,6 +96,8 @@ static int ef100_net_stop(struct net_device *net_dev)
+       efx_mcdi_free_vis(efx);
+       efx_remove_interrupts(efx);
++      efx->state = STATE_NET_DOWN;
++
+       return 0;
+ }
+@@ -172,6 +174,8 @@ static int ef100_net_open(struct net_device *net_dev)
+               efx_link_status_changed(efx);
+       mutex_unlock(&efx->mac_lock);
++      efx->state = STATE_NET_UP;
++
+       return 0;
+ fail:
+@@ -272,7 +276,7 @@ int ef100_register_netdev(struct efx_nic *efx)
+       /* Always start with carrier off; PHY events will detect the link */
+       netif_carrier_off(net_dev);
+-      efx->state = STATE_READY;
++      efx->state = STATE_NET_DOWN;
+       rtnl_unlock();
+       efx_init_mcdi_logging(efx);
+diff --git a/drivers/net/ethernet/sfc/efx.c b/drivers/net/ethernet/sfc/efx.c
+index 16a896360f3fb..7ab592844df83 100644
+--- a/drivers/net/ethernet/sfc/efx.c
++++ b/drivers/net/ethernet/sfc/efx.c
+@@ -105,14 +105,6 @@ static int efx_xdp(struct net_device *dev, struct netdev_bpf *xdp);
+ static int efx_xdp_xmit(struct net_device *dev, int n, struct xdp_frame **xdpfs,
+                       u32 flags);
+-#define EFX_ASSERT_RESET_SERIALISED(efx)              \
+-      do {                                            \
+-              if ((efx->state == STATE_READY) ||      \
+-                  (efx->state == STATE_RECOVERY) ||   \
+-                  (efx->state == STATE_DISABLED))     \
+-                      ASSERT_RTNL();                  \
+-      } while (0)
+-
+ /**************************************************************************
+  *
+  * Port handling
+@@ -377,6 +369,8 @@ static int efx_probe_all(struct efx_nic *efx)
+       if (rc)
+               goto fail5;
++      efx->state = STATE_NET_DOWN;
++
+       return 0;
+  fail5:
+@@ -543,6 +537,9 @@ int efx_net_open(struct net_device *net_dev)
+       efx_start_all(efx);
+       if (efx->state == STATE_DISABLED || efx->reset_pending)
+               netif_device_detach(efx->net_dev);
++      else
++              efx->state = STATE_NET_UP;
++
+       efx_selftest_async_start(efx);
+       return 0;
+ }
+@@ -719,8 +716,6 @@ static int efx_register_netdev(struct efx_nic *efx)
+        * already requested.  If so, the NIC is probably hosed so we
+        * abort.
+        */
+-      efx->state = STATE_READY;
+-      smp_mb(); /* ensure we change state before checking reset_pending */
+       if (efx->reset_pending) {
+               pci_err(efx->pci_dev, "aborting probe due to scheduled reset\n");
+               rc = -EIO;
+@@ -747,6 +742,8 @@ static int efx_register_netdev(struct efx_nic *efx)
+       efx_associate(efx);
++      efx->state = STATE_NET_DOWN;
++
+       rtnl_unlock();
+       rc = device_create_file(&efx->pci_dev->dev, &dev_attr_phy_type);
+@@ -848,7 +845,7 @@ static void efx_pci_remove_main(struct efx_nic *efx)
+       /* Flush reset_work. It can no longer be scheduled since we
+        * are not READY.
+        */
+-      BUG_ON(efx->state == STATE_READY);
++      WARN_ON(efx_net_active(efx->state));
+       efx_flush_reset_workqueue(efx);
+       efx_disable_interrupts(efx);
+@@ -1153,13 +1150,13 @@ static int efx_pm_freeze(struct device *dev)
+       rtnl_lock();
+-      if (efx->state != STATE_DISABLED) {
+-              efx->state = STATE_UNINIT;
+-
++      if (efx_net_active(efx->state)) {
+               efx_device_detach_sync(efx);
+               efx_stop_all(efx);
+               efx_disable_interrupts(efx);
++
++              efx->state = efx_freeze(efx->state);
+       }
+       rtnl_unlock();
+@@ -1174,7 +1171,7 @@ static int efx_pm_thaw(struct device *dev)
+       rtnl_lock();
+-      if (efx->state != STATE_DISABLED) {
++      if (efx_frozen(efx->state)) {
+               rc = efx_enable_interrupts(efx);
+               if (rc)
+                       goto fail;
+@@ -1187,7 +1184,7 @@ static int efx_pm_thaw(struct device *dev)
+               efx_device_attach_if_not_resetting(efx);
+-              efx->state = STATE_READY;
++              efx->state = efx_thaw(efx->state);
+               efx->type->resume_wol(efx);
+       }
+diff --git a/drivers/net/ethernet/sfc/efx_common.c b/drivers/net/ethernet/sfc/efx_common.c
+index 896b592531972..7c90e1e2d161b 100644
+--- a/drivers/net/ethernet/sfc/efx_common.c
++++ b/drivers/net/ethernet/sfc/efx_common.c
+@@ -897,7 +897,7 @@ static void efx_reset_work(struct work_struct *data)
+        * have changed by now.  Now that we have the RTNL lock,
+        * it cannot change again.
+        */
+-      if (efx->state == STATE_READY)
++      if (efx_net_active(efx->state))
+               (void)efx_reset(efx, method);
+       rtnl_unlock();
+@@ -907,7 +907,7 @@ void efx_schedule_reset(struct efx_nic *efx, enum reset_type type)
+ {
+       enum reset_type method;
+-      if (efx->state == STATE_RECOVERY) {
++      if (efx_recovering(efx->state)) {
+               netif_dbg(efx, drv, efx->net_dev,
+                         "recovering: skip scheduling %s reset\n",
+                         RESET_TYPE(type));
+@@ -942,7 +942,7 @@ void efx_schedule_reset(struct efx_nic *efx, enum reset_type type)
+       /* If we're not READY then just leave the flags set as the cue
+        * to abort probing or reschedule the reset later.
+        */
+-      if (READ_ONCE(efx->state) != STATE_READY)
++      if (!efx_net_active(READ_ONCE(efx->state)))
+               return;
+       /* efx_process_channel() will no longer read events once a
+@@ -1216,7 +1216,7 @@ static pci_ers_result_t efx_io_error_detected(struct pci_dev *pdev,
+       rtnl_lock();
+       if (efx->state != STATE_DISABLED) {
+-              efx->state = STATE_RECOVERY;
++              efx->state = efx_recover(efx->state);
+               efx->reset_pending = 0;
+               efx_device_detach_sync(efx);
+@@ -1270,7 +1270,7 @@ static void efx_io_resume(struct pci_dev *pdev)
+               netif_err(efx, hw, efx->net_dev,
+                         "efx_reset failed after PCI error (%d)\n", rc);
+       } else {
+-              efx->state = STATE_READY;
++              efx->state = efx_recovered(efx->state);
+               netif_dbg(efx, hw, efx->net_dev,
+                         "Done resetting and resuming IO after PCI error.\n");
+       }
+diff --git a/drivers/net/ethernet/sfc/efx_common.h b/drivers/net/ethernet/sfc/efx_common.h
+index 65513fd0cf6c4..c72e819da8fd3 100644
+--- a/drivers/net/ethernet/sfc/efx_common.h
++++ b/drivers/net/ethernet/sfc/efx_common.h
+@@ -45,9 +45,7 @@ int efx_reconfigure_port(struct efx_nic *efx);
+ #define EFX_ASSERT_RESET_SERIALISED(efx)              \
+       do {                                            \
+-              if ((efx->state == STATE_READY) ||      \
+-                  (efx->state == STATE_RECOVERY) ||   \
+-                  (efx->state == STATE_DISABLED))     \
++              if (efx->state != STATE_UNINIT)         \
+                       ASSERT_RTNL();                  \
+       } while (0)
+@@ -64,7 +62,7 @@ void efx_port_dummy_op_void(struct efx_nic *efx);
+ static inline int efx_check_disabled(struct efx_nic *efx)
+ {
+-      if (efx->state == STATE_DISABLED || efx->state == STATE_RECOVERY) {
++      if (efx->state == STATE_DISABLED || efx_recovering(efx->state)) {
+               netif_err(efx, drv, efx->net_dev,
+                         "device is disabled due to earlier errors\n");
+               return -EIO;
+diff --git a/drivers/net/ethernet/sfc/ethtool_common.c b/drivers/net/ethernet/sfc/ethtool_common.c
+index bd552c7dffcb1..3846b76b89720 100644
+--- a/drivers/net/ethernet/sfc/ethtool_common.c
++++ b/drivers/net/ethernet/sfc/ethtool_common.c
+@@ -137,7 +137,7 @@ void efx_ethtool_self_test(struct net_device *net_dev,
+       if (!efx_tests)
+               goto fail;
+-      if (efx->state != STATE_READY) {
++      if (!efx_net_active(efx->state)) {
+               rc = -EBUSY;
+               goto out;
+       }
+diff --git a/drivers/net/ethernet/sfc/net_driver.h b/drivers/net/ethernet/sfc/net_driver.h
+index bf097264d8fbe..6df500dbb6b7f 100644
+--- a/drivers/net/ethernet/sfc/net_driver.h
++++ b/drivers/net/ethernet/sfc/net_driver.h
+@@ -627,12 +627,54 @@ enum efx_int_mode {
+ #define EFX_INT_MODE_USE_MSI(x) (((x)->interrupt_mode) <= EFX_INT_MODE_MSI)
+ enum nic_state {
+-      STATE_UNINIT = 0,       /* device being probed/removed or is frozen */
+-      STATE_READY = 1,        /* hardware ready and netdev registered */
+-      STATE_DISABLED = 2,     /* device disabled due to hardware errors */
+-      STATE_RECOVERY = 3,     /* device recovering from PCI error */
++      STATE_UNINIT = 0,       /* device being probed/removed */
++      STATE_NET_DOWN,         /* hardware probed and netdev registered */
++      STATE_NET_UP,           /* ready for traffic */
++      STATE_DISABLED,         /* device disabled due to hardware errors */
++
++      STATE_RECOVERY = 0x100,/* recovering from PCI error */
++      STATE_FROZEN = 0x200,   /* frozen by power management */
+ };
++static inline bool efx_net_active(enum nic_state state)
++{
++      return state == STATE_NET_DOWN || state == STATE_NET_UP;
++}
++
++static inline bool efx_frozen(enum nic_state state)
++{
++      return state & STATE_FROZEN;
++}
++
++static inline bool efx_recovering(enum nic_state state)
++{
++      return state & STATE_RECOVERY;
++}
++
++static inline enum nic_state efx_freeze(enum nic_state state)
++{
++      WARN_ON(!efx_net_active(state));
++      return state | STATE_FROZEN;
++}
++
++static inline enum nic_state efx_thaw(enum nic_state state)
++{
++      WARN_ON(!efx_frozen(state));
++      return state & ~STATE_FROZEN;
++}
++
++static inline enum nic_state efx_recover(enum nic_state state)
++{
++      WARN_ON(!efx_net_active(state));
++      return state | STATE_RECOVERY;
++}
++
++static inline enum nic_state efx_recovered(enum nic_state state)
++{
++      WARN_ON(!efx_recovering(state));
++      return state & ~STATE_RECOVERY;
++}
++
+ /* Forward declaration */
+ struct efx_nic;
+-- 
+2.39.2
+
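Review bot: In efx_io_error_detected() the guard is still `efx->state != STATE_DISABLED`, but the new efx_recover() helper warns unless the state is STATE_NET_DOWN or STATE_NET_UP. A PCI error reported while the device is STATE_UNINIT or frozen would therefore trip the WARN_ON and leave a combined value such as `STATE_UNINIT | STATE_RECOVERY`. If that case can occur, either guard with `if (efx_net_active(efx->state)) {` or relax the helper; the rest of the function is outside the hunk, so the effect on the returned status needs checking. Two comments kept as context still name the removed state: "since we are not READY" in efx_pci_remove_main() and "If we're not READY" in efx_schedule_reset(). Both should be reworded in terms of STATE_NET_DOWN/STATE_NET_UP.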
diff --git a/queue-5.15/spi-spi-rockchip-fix-missing-unwind-goto-in-rockchip.patch b/queue-5.15/spi-spi-rockchip-fix-missing-unwind-goto-in-rockchip.patch
new file mode 100644 (file)
index 0000000..0380b28
--- /dev/null
@@ -0,0 +1,40 @@
+From c8c4d529b469df17a27ed73d5e81479b402cb0e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Apr 2023 07:50:29 -0400
+Subject: spi: spi-rockchip: Fix missing unwind goto in rockchip_sfc_probe()
+
+From: Li Lanzhe <u202212060@hust.edu.cn>
+
+[ Upstream commit 359f5b0d4e26b7a7bcc574d6148b31a17cefe47d ]
+
+If devm_request_irq() fails, then we are directly return 'ret' without
+clk_disable_unprepare(sfc->clk) and clk_disable_unprepare(sfc->hclk).
+
+Fix this by changing direct return to a goto 'err_irq'.
+
+Fixes: 0b89fc0a367e ("spi: rockchip-sfc: add rockchip serial flash controller")
+Signed-off-by: Li Lanzhe <u202212060@hust.edu.cn>
+Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn>
+Link: https://lore.kernel.org/r/20230419115030.6029-1-u202212060@hust.edu.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-rockchip-sfc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-rockchip-sfc.c b/drivers/spi/spi-rockchip-sfc.c
+index a46b385440273..014106f8f978c 100644
+--- a/drivers/spi/spi-rockchip-sfc.c
++++ b/drivers/spi/spi-rockchip-sfc.c
+@@ -634,7 +634,7 @@ static int rockchip_sfc_probe(struct platform_device *pdev)
+       if (ret) {
+               dev_err(dev, "Failed to request irq\n");
+-              return ret;
++              goto err_irq;
+       }
+       ret = rockchip_sfc_init(sfc);
+-- 
+2.39.2
+
diff --git a/queue-5.15/virtio_net-bugfix-overflow-inside-xdp_linearize_page.patch b/queue-5.15/virtio_net-bugfix-overflow-inside-xdp_linearize_page.patch
new file mode 100644 (file)
index 0000000..b90c18c
--- /dev/null
@@ -0,0 +1,59 @@
+From c2cc6b1c8d4e0addab770956ef43e9331054d709 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Apr 2023 14:08:35 +0800
+Subject: virtio_net: bugfix overflow inside xdp_linearize_page()
+
+From: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+
+[ Upstream commit 853618d5886bf94812f31228091cd37d308230f7 ]
+
+Here we copy the data from the original buf to the new page. But we
+not check that it may be overflow.
+
+As long as the size received(including vnethdr) is greater than 3840
+(PAGE_SIZE -VIRTIO_XDP_HEADROOM). Then the memcpy will overflow.
+
+And this is completely possible, as long as the MTU is large, such
+as 4096. In our test environment, this will cause crash. Since crash is
+caused by the written memory, it is meaningless, so I do not include it.
+
+Fixes: 72979a6c3590 ("virtio_net: xdp, add slowpath case for non contiguous buffers")
+Signed-off-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/virtio_net.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 66ca2ea19ba60..8a380086ac257 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -679,8 +679,13 @@ static struct page *xdp_linearize_page(struct receive_queue *rq,
+                                      int page_off,
+                                      unsigned int *len)
+ {
+-      struct page *page = alloc_page(GFP_ATOMIC);
++      int tailroom = SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
++      struct page *page;
++      if (page_off + *len + tailroom > PAGE_SIZE)
++              return NULL;
++
++      page = alloc_page(GFP_ATOMIC);
+       if (!page)
+               return NULL;
+@@ -688,7 +693,6 @@ static struct page *xdp_linearize_page(struct receive_queue *rq,
+       page_off += *len;
+       while (--*num_buf) {
+-              int tailroom = SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
+               unsigned int buflen;
+               void *buf;
+               int off;
+-- 
+2.39.2
+
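Review bot: The new bound check in xdp_linearize_page() evaluates `page_off + *len + tailroom` in `unsigned int` arithmetic, because `*len` is `unsigned int` and the two `int` operands are converted to it, so a very large `*len` could wrap the sum and slip under the PAGE_SIZE comparison. Whether `*len` can get that large depends on how the caller bounds the length reported by the device, which is not visible in this hunk, so treat this as hardening rather than a confirmed defect. A wrap-free form compares the length with the space that is left, `if (*len > PAGE_SIZE - page_off - tailroom) return NULL;`, assuming `page_off` is the small non-negative headroom its name suggests. The function body, including the loop that now shares the hoisted `tailroom`, continues outside the hunk.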
diff --git a/queue-5.15/xen-netback-use-same-error-messages-for-same-errors.patch b/queue-5.15/xen-netback-use-same-error-messages-for-same-errors.patch
new file mode 100644 (file)
index 0000000..80a2337
--- /dev/null
@@ -0,0 +1,42 @@
+From 875fca353793e8c878c12c3c11083ac149eb46c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Mar 2023 10:02:59 +0200
+Subject: xen/netback: use same error messages for same errors
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit 2eca98e5b24d01c02b46c67be05a5f98cc9789b1 ]
+
+Issue the same error message in case an illegal page boundary crossing
+has been detected in both cases where this is tested.
+
+Suggested-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Link: https://lore.kernel.org/r/20230329080259.14823-1-jgross@suse.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/xen-netback/netback.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
+index 303d8ebbaafc4..63118b56c5289 100644
+--- a/drivers/net/xen-netback/netback.c
++++ b/drivers/net/xen-netback/netback.c
+@@ -996,10 +996,8 @@ static void xenvif_tx_build_gops(struct xenvif_queue *queue,
+               /* No crossing a page as the payload mustn't fragment. */
+               if (unlikely((txreq.offset + txreq.size) > XEN_PAGE_SIZE)) {
+-                      netdev_err(queue->vif->dev,
+-                                 "txreq.offset: %u, size: %u, end: %lu\n",
+-                                 txreq.offset, txreq.size,
+-                                 (unsigned long)(txreq.offset&~XEN_PAGE_MASK) + txreq.size);
++                      netdev_err(queue->vif->dev, "Cross page boundary, txreq.offset: %u, size: %u\n",
++                                 txreq.offset, txreq.size);
+                       xenvif_fatal_tx_err(queue->vif);
+                       break;
+               }
+-- 
+2.39.2
+