--- /dev/null
+From a7f45c358a6fe98f1a9dc8e528e4eff0353021b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 May 2024 13:08:20 +0100
+Subject: ALSA: hda: cs35l41: Possible null pointer dereference in
+ cs35l41_hda_unbind()
+
+From: Simon Trimmer <simont@opensource.cirrus.com>
+
+[ Upstream commit 6386682cdc8b41319c92fbbe421953e33a28840c ]
+
+The cs35l41_hda_unbind() function clears the hda_component entry
+matching it's index and then dereferences the codec pointer held in the
+first element of the hda_component array, this is an issue when the
+device index was 0.
+
+Instead use the codec pointer stashed in the cs35l41_hda structure as it
+will still be valid.
+
+Fixes: 7cf5ce66dfda ("ALSA: hda: cs35l41: Add device_link between HDA and cs35l41_hda")
+Signed-off-by: Simon Trimmer <simont@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/20240531120820.35367-1-simont@opensource.cirrus.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/cs35l41_hda.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/cs35l41_hda.c b/sound/pci/hda/cs35l41_hda.c
+index 3c157b006a5a2..b437beae9b516 100644
+--- a/sound/pci/hda/cs35l41_hda.c
++++ b/sound/pci/hda/cs35l41_hda.c
+@@ -1187,7 +1187,7 @@ static void cs35l41_hda_unbind(struct device *dev, struct device *master, void *
+ if (comps[cs35l41->index].dev == dev) {
+ memset(&comps[cs35l41->index], 0, sizeof(*comps));
+ sleep_flags = lock_system_sleep();
+- device_link_remove(&comps->codec->core.dev, cs35l41->dev);
++ device_link_remove(&cs35l41->codec->core.dev, cs35l41->dev);
+ unlock_system_sleep(sleep_flags);
+ }
+ }
+--
+2.43.0
+
--- /dev/null
+From 01f31a0a304d6054013493713e7728ae66fc20a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Jun 2024 14:37:11 +0100
+Subject: ALSA: hda: cs35l56: Component should be unbound before deconstruction
+
+From: Simon Trimmer <simont@opensource.cirrus.com>
+
+[ Upstream commit 721f2e6653f5ab0cc52b3a459c4a2158b92fcf80 ]
+
+The interface associated with the hda_component should be deactivated
+before the driver is deconstructed during removal.
+
+Fixes: 73cfbfa9caea ("ALSA: hda/cs35l56: Add driver for Cirrus Logic CS35L56 amplifier")
+Signed-off-by: Simon Trimmer <simont@opensource.cirrus.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://lore.kernel.org/r/20240613133713.75550-2-simont@opensource.cirrus.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/cs35l56_hda.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/hda/cs35l56_hda.c b/sound/pci/hda/cs35l56_hda.c
+index 15e20d9261393..78e2eeba49345 100644
+--- a/sound/pci/hda/cs35l56_hda.c
++++ b/sound/pci/hda/cs35l56_hda.c
+@@ -1021,12 +1021,12 @@ void cs35l56_hda_remove(struct device *dev)
+ {
+ struct cs35l56_hda *cs35l56 = dev_get_drvdata(dev);
+
++ component_del(cs35l56->base.dev, &cs35l56_hda_comp_ops);
++
+ pm_runtime_dont_use_autosuspend(cs35l56->base.dev);
+ pm_runtime_get_sync(cs35l56->base.dev);
+ pm_runtime_disable(cs35l56->base.dev);
+
+- component_del(cs35l56->base.dev, &cs35l56_hda_comp_ops);
+-
+ cs_dsp_remove(&cs35l56->cs_dsp);
+
+ kfree(cs35l56->system_name);
+--
+2.43.0
+
--- /dev/null
+From 7eeffdfac71967aee27a2638facef1069ddc70b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jun 2024 09:00:21 +0300
+Subject: ALSA/hda: intel-dsp-config: Document AVS as dsp_driver option
+
+From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+
+[ Upstream commit 2646b43910c0e6d7f4ad535919b44b88f98c688d ]
+
+dsp_driver=4 will force the AVS driver stack to be used, it is better to
+docuement this.
+
+Fixes: 1affc44ea5dd ("ASoC: Intel: avs: PCI driver implementation")
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://lore.kernel.org/r/20240607060021.11503-1-peter.ujfalusi@linux.intel.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/intel-dsp-config.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/hda/intel-dsp-config.c b/sound/hda/intel-dsp-config.c
+index d1f6cdcf1866e..e7c2ef6c6b4cb 100644
+--- a/sound/hda/intel-dsp-config.c
++++ b/sound/hda/intel-dsp-config.c
+@@ -16,7 +16,7 @@
+ static int dsp_driver;
+
+ module_param(dsp_driver, int, 0444);
+-MODULE_PARM_DESC(dsp_driver, "Force the DSP driver for Intel DSP (0=auto, 1=legacy, 2=SST, 3=SOF)");
++MODULE_PARM_DESC(dsp_driver, "Force the DSP driver for Intel DSP (0=auto, 1=legacy, 2=SST, 3=SOF, 4=AVS)");
+
+ #define FLAG_SST BIT(0)
+ #define FLAG_SOF BIT(1)
+--
+2.43.0
+
--- /dev/null
+From 05fe4d513c66993f8f58c6abdf2d637b96580b05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Jun 2024 15:54:57 +0300
+Subject: ALSA: hda/realtek: Enable headset mic on IdeaPad 330-17IKB 81DM
+
+From: Ajrat Makhmutov <rautyrauty@gmail.com>
+
+[ Upstream commit b1fd0d1285b1eae8b99af36fb26ed2512b809af6 ]
+
+Headset microphone do not work out of the box with this laptop. This
+quirk fixes it. Zihao Wang specified the wrong subsystem id in his patch.
+
+Link: https://lore.kernel.org/all/20220424084120.74125-1-wzhd@ustc.edu/
+Fixes: 3b79954fd00d ("ALSA: hda/realtek: Add quirk for Yoga Duet 7 13ITL6 speakers")
+Signed-off-by: Ajrat Makhmutov <rauty@altlinux.org>
+Link: https://lore.kernel.org/r/20240615125457.167844-1-rauty@altlinux.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 8e6574c07c975..d17209e2d4372 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10246,7 +10246,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x17aa, 0x3813, "Legion 7i 15IMHG05", ALC287_FIXUP_LEGION_15IMHG05_SPEAKERS),
+ SND_PCI_QUIRK(0x17aa, 0x3818, "Lenovo C940 / Yoga Duet 7", ALC298_FIXUP_LENOVO_C940_DUET7),
+ SND_PCI_QUIRK(0x17aa, 0x3819, "Lenovo 13s Gen2 ITL", ALC287_FIXUP_13S_GEN2_SPEAKERS),
+- SND_PCI_QUIRK(0x17aa, 0x3820, "Yoga Duet 7 13ITL6", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS),
++ SND_PCI_QUIRK(0x17aa, 0x3820, "IdeaPad 330-17IKB 81DM", ALC269_FIXUP_ASPIRE_HEADSET_MIC),
+ SND_PCI_QUIRK(0x17aa, 0x3824, "Legion Y9000X 2020", ALC285_FIXUP_LEGION_Y9000X_SPEAKERS),
+ SND_PCI_QUIRK(0x17aa, 0x3827, "Ideapad S740", ALC285_FIXUP_IDEAPAD_S740_COEF),
+ SND_PCI_QUIRK(0x17aa, 0x3834, "Lenovo IdeaPad Slim 9i 14ITL5", ALC287_FIXUP_YOGA7_14ITL_SPEAKERS),
+--
+2.43.0
+
--- /dev/null
+From d0d0e8b2d04068180027bce040a4f5e598d7a93e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jun 2024 12:01:32 -0500
+Subject: ALSA: hda/realtek: Remove Framework Laptop 16 from quirks
+
+From: Dustin L. Howett <dustin@howett.net>
+
+[ Upstream commit e799bdf51d54bebaf939fdb655aad424e624c1b1 ]
+
+The Framework Laptop 16 does not have a combination headphone/headset
+3.5mm jack; however, applying the pincfg from the Laptop 13 (nid=0x19)
+erroneously informs hda that the node is present.
+
+Fixes: 8804fa04a492 ("ALSA: hda/realtek: Add Framework laptop 16 to quirks")
+Signed-off-by: Dustin L. Howett <dustin@howett.net>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://lore.kernel.org/r/20240605-alsa-hda-realtek-remove-framework-laptop-16-from-quirks-v1-1-11d47fe8ec4d@howett.net
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 44478e0af1e41..8e6574c07c975 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10336,7 +10336,6 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x8086, 0x2081, "Intel NUC 10", ALC256_FIXUP_INTEL_NUC10),
+ SND_PCI_QUIRK(0x8086, 0x3038, "Intel NUC 13", ALC295_FIXUP_CHROME_BOOK),
+ SND_PCI_QUIRK(0xf111, 0x0001, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+- SND_PCI_QUIRK(0xf111, 0x0005, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0xf111, 0x0006, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+
+ #if 0
+--
+2.43.0
+
--- /dev/null
+From ffb256a32568923a6c76ddb40625a50d22871606 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Jun 2024 14:37:13 +0100
+Subject: ALSA: hda: tas2781: Component should be unbound before deconstruction
+
+From: Simon Trimmer <simont@opensource.cirrus.com>
+
+[ Upstream commit d832b5a03e94a2a9f866dab3d04937a0f84ea116 ]
+
+The interface associated with the hda_component should be deactivated
+before the driver is deconstructed during removal.
+
+Fixes: 4e7914eb1dae ("ALSA: hda/tas2781: remove sound controls in unbind")
+Signed-off-by: Simon Trimmer <simont@opensource.cirrus.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://lore.kernel.org/r/20240613133713.75550-4-simont@opensource.cirrus.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/tas2781_hda_i2c.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/hda/tas2781_hda_i2c.c b/sound/pci/hda/tas2781_hda_i2c.c
+index a3dec624132d4..75cc3676c1b92 100644
+--- a/sound/pci/hda/tas2781_hda_i2c.c
++++ b/sound/pci/hda/tas2781_hda_i2c.c
+@@ -683,11 +683,11 @@ static void tas2781_hda_remove(struct device *dev)
+ {
+ struct tas2781_hda *tas_hda = dev_get_drvdata(dev);
+
++ component_del(tas_hda->dev, &tas2781_hda_comp_ops);
++
+ pm_runtime_get_sync(tas_hda->dev);
+ pm_runtime_disable(tas_hda->dev);
+
+- component_del(tas_hda->dev, &tas2781_hda_comp_ops);
+-
+ pm_runtime_put_noidle(tas_hda->dev);
+
+ tasdevice_remove(tas_hda->priv);
+--
+2.43.0
+
--- /dev/null
+From 98ff66fe888749d2878e17b5b4f8b7742c82cd03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 May 2024 14:37:17 +0200
+Subject: ALSA: seq: ump: Fix missing System Reset message handling
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 55fac50ea46f46a22a92e2139b92afaa3822ad19 ]
+
+The conversion from System Reset event to UMP was missing.
+Add the entry for a conversion to a proper UMP System message.
+
+Fixes: e9e02819a98a ("ALSA: seq: Automatic conversion of UMP events")
+Link: https://lore.kernel.org/r/20240531123718.13420-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/seq/seq_ump_convert.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/core/seq/seq_ump_convert.c b/sound/core/seq/seq_ump_convert.c
+index 171fb75267afa..d81f776a4c3dd 100644
+--- a/sound/core/seq/seq_ump_convert.c
++++ b/sound/core/seq/seq_ump_convert.c
+@@ -1075,6 +1075,8 @@ static const struct seq_ev_to_ump seq_ev_ump_encoders[] = {
+ system_ev_to_ump_midi1, system_ev_to_ump_midi2 },
+ { SNDRV_SEQ_EVENT_SENSING, UMP_SYSTEM_STATUS_ACTIVE_SENSING,
+ system_ev_to_ump_midi1, system_ev_to_ump_midi2 },
++ { SNDRV_SEQ_EVENT_RESET, UMP_SYSTEM_STATUS_RESET,
++ system_ev_to_ump_midi1, system_ev_to_ump_midi2 },
+ };
+
+ static const struct seq_ev_to_ump *find_ump_encoder(int type)
+--
+2.43.0
+
--- /dev/null
+From e30159629d8b595216ee6ecbd2ef7460de43bfbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Jun 2024 14:53:13 -0700
+Subject: bnxt_en: Restore PTP tx_avail count in case of skb_pad() error
+
+From: Pavan Chebbi <pavan.chebbi@broadcom.com>
+
+[ Upstream commit 1e7962114c10957fe4d10a15eb714578a394e90b ]
+
+The current code only restores PTP tx_avail count when we get DMA
+mapping errors. Fix it so that the PTP tx_avail count will be
+restored for both DMA mapping errors and skb_pad() errors.
+Otherwise PTP TX timestamp will not be available after a PTP
+packet hits the skb_pad() error.
+
+Fixes: 83bb623c968e ("bnxt_en: Transmit and retrieve packet timestamps")
+Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
+Signed-off-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20240618215313.29631-4-michael.chan@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 724624737d095..58a7bb75506a3 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -656,9 +656,6 @@ static netdev_tx_t bnxt_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ return NETDEV_TX_OK;
+
+ tx_dma_error:
+- if (BNXT_TX_PTP_IS_SET(lflags))
+- atomic_inc(&bp->ptp_cfg->tx_avail);
+-
+ last_frag = i;
+
+ /* start back at beginning and unmap skb */
+@@ -680,6 +677,8 @@ static netdev_tx_t bnxt_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ tx_free:
+ dev_kfree_skb_any(skb);
+ tx_kick_pending:
++ if (BNXT_TX_PTP_IS_SET(lflags))
++ atomic_inc(&bp->ptp_cfg->tx_avail);
+ if (txr->kick_pending)
+ bnxt_txr_db_kick(bp, txr, txr->tx_prod);
+ txr->tx_buf_ring[txr->tx_prod].skb = NULL;
+--
+2.43.0
+
--- /dev/null
+From a559fdf6df0eaf1aec89b263321cfa52c64be419 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Jun 2024 12:17:33 +0200
+Subject: bpf: Avoid splat in pskb_pull_reason
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 2bbe3e5a2f4ef69d13be54f1cf895b4658287080 ]
+
+syzkaller builds (CONFIG_DEBUG_NET=y) frequently trigger a debug
+hint in pskb_may_pull.
+
+We'd like to retain this debug check because it might hint at integer
+overflows and other issues (kernel code should pull headers, not huge
+value).
+
+In bpf case, this splat isn't interesting at all: such (nonsensical)
+bpf programs are typically generated by a fuzzer anyway.
+
+Do what Eric suggested and suppress such warning.
+
+For CONFIG_DEBUG_NET=n we don't need the extra check because
+pskb_may_pull will do the right thing: return an error without the
+WARN() backtrace.
+
+Fixes: 219eee9c0d16 ("net: skbuff: add overflow debug check to pull/push helpers")
+Reported-by: syzbot+0c4150bff9fff3bf023c@syzkaller.appspotmail.com
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Closes: https://syzkaller.appspot.com/bug?extid=0c4150bff9fff3bf023c
+Link: https://lore.kernel.org/netdev/9f254c96-54f2-4457-b7ab-1d9f6187939c@gmail.com/
+Link: https://lore.kernel.org/bpf/20240614101801.9496-1-fw@strlen.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index df4578219e82c..afe38b8dee024 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -1657,6 +1657,11 @@ static DEFINE_PER_CPU(struct bpf_scratchpad, bpf_sp);
+ static inline int __bpf_try_make_writable(struct sk_buff *skb,
+ unsigned int write_len)
+ {
++#ifdef CONFIG_DEBUG_NET
++ /* Avoid a splat in pskb_may_pull_reason() */
++ if (write_len > INT_MAX)
++ return -EINVAL;
++#endif
+ return skb_ensure_writable(skb, write_len);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 2b5fe2cacac2d81993d3cf1cd090a7e979371c52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jun 2024 13:27:48 +0200
+Subject: btrfs: zoned: allocate dummy checksums for zoned NODATASUM writes
+
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+
+[ Upstream commit cebae292e0c32a228e8f2219c270a7237be24a6a ]
+
+Shin'ichiro reported that when he's running fstests' test-case
+btrfs/167 on emulated zoned devices, he's seeing the following NULL
+pointer dereference in 'btrfs_zone_finish_endio()':
+
+ Oops: general protection fault, probably for non-canonical address 0xdffffc0000000011: 0000 [#1] PREEMPT SMP KASAN NOPTI
+ KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]
+ CPU: 4 PID: 2332440 Comm: kworker/u80:15 Tainted: G W 6.10.0-rc2-kts+ #4
+ Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020
+ Workqueue: btrfs-endio-write btrfs_work_helper [btrfs]
+ RIP: 0010:btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]
+
+ RSP: 0018:ffff88867f107a90 EFLAGS: 00010206
+ RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff893e5534
+ RDX: 0000000000000011 RSI: 0000000000000004 RDI: 0000000000000088
+ RBP: 0000000000000002 R08: 0000000000000001 R09: ffffed1081696028
+ R10: ffff88840b4b0143 R11: ffff88834dfff600 R12: ffff88840b4b0000
+ R13: 0000000000020000 R14: 0000000000000000 R15: ffff888530ad5210
+ FS: 0000000000000000(0000) GS:ffff888e3f800000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f87223fff38 CR3: 00000007a7c6a002 CR4: 00000000007706f0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ PKRU: 55555554
+ Call Trace:
+ <TASK>
+ ? __die_body.cold+0x19/0x27
+ ? die_addr+0x46/0x70
+ ? exc_general_protection+0x14f/0x250
+ ? asm_exc_general_protection+0x26/0x30
+ ? do_raw_read_unlock+0x44/0x70
+ ? btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]
+ btrfs_finish_one_ordered+0x5d9/0x19a0 [btrfs]
+ ? __pfx_lock_release+0x10/0x10
+ ? do_raw_write_lock+0x90/0x260
+ ? __pfx_do_raw_write_lock+0x10/0x10
+ ? __pfx_btrfs_finish_one_ordered+0x10/0x10 [btrfs]
+ ? _raw_write_unlock+0x23/0x40
+ ? btrfs_finish_ordered_zoned+0x5a9/0x850 [btrfs]
+ ? lock_acquire+0x435/0x500
+ btrfs_work_helper+0x1b1/0xa70 [btrfs]
+ ? __schedule+0x10a8/0x60b0
+ ? __pfx___might_resched+0x10/0x10
+ process_one_work+0x862/0x1410
+ ? __pfx_lock_acquire+0x10/0x10
+ ? __pfx_process_one_work+0x10/0x10
+ ? assign_work+0x16c/0x240
+ worker_thread+0x5e6/0x1010
+ ? __pfx_worker_thread+0x10/0x10
+ kthread+0x2c3/0x3a0
+ ? trace_irq_enable.constprop.0+0xce/0x110
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x31/0x70
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork_asm+0x1a/0x30
+ </TASK>
+
+Enabling CONFIG_BTRFS_ASSERT revealed the following assertion to
+trigger:
+
+ assertion failed: !list_empty(&ordered->list), in fs/btrfs/zoned.c:1815
+
+This indicates, that we're missing the checksums list on the
+ordered_extent. As btrfs/167 is doing a NOCOW write this is to be
+expected.
+
+Further analysis with drgn confirmed the assumption:
+
+ >>> inode = prog.crashed_thread().stack_trace()[11]['ordered'].inode
+ >>> btrfs_inode = drgn.container_of(inode, "struct btrfs_inode", \
+ "vfs_inode")
+ >>> print(btrfs_inode.flags)
+ (u32)1
+
+As zoned emulation mode simulates conventional zones on regular devices,
+we cannot use zone-append for writing. But we're only attaching dummy
+checksums if we're doing a zone-append write.
+
+So for NOCOW zoned data writes on conventional zones, also attach a
+dummy checksum.
+
+Reported-by: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Fixes: cbfce4c7fbde ("btrfs: optimize the logical to physical mapping for zoned writes")
+CC: Naohiro Aota <Naohiro.Aota@wdc.com> # 6.6+
+Tested-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Reviewed-by: Naohiro Aota <naohiro.aota@wdc.com>
+Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/bio.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/bio.c b/fs/btrfs/bio.c
+index 12b12443efaab..e47eb248309f8 100644
+--- a/fs/btrfs/bio.c
++++ b/fs/btrfs/bio.c
+@@ -705,7 +705,9 @@ static bool btrfs_submit_chunk(struct btrfs_bio *bbio, int mirror_num)
+ ret = btrfs_bio_csum(bbio);
+ if (ret)
+ goto fail_put_bio;
+- } else if (use_append) {
++ } else if (use_append ||
++ (btrfs_is_zoned(fs_info) && inode &&
++ inode->flags & BTRFS_INODE_NODATASUM)) {
+ ret = btrfs_alloc_dummy_sum(bbio);
+ if (ret)
+ goto fail_put_bio;
+--
+2.43.0
+
--- /dev/null
+From e7e47c9c6b421769ef7b96117bf3d3d4a19765ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jun 2024 18:07:52 +0200
+Subject: cipso: fix total option length computation
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+[ Upstream commit 9f36169912331fa035d7b73a91252d7c2512eb1a ]
+
+As evident from the definition of ip_options_get(), the IP option
+IPOPT_END is used to pad the IP option data array, not IPOPT_NOP. Yet
+the loop that walks the IP options to determine the total IP options
+length in cipso_v4_delopt() doesn't take IPOPT_END into account.
+
+Fix it by recognizing the IPOPT_END value as the end of actual options.
+
+Fixes: 014ab19a69c3 ("selinux: Set socket NetLabel based on connection endpoint")
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/cipso_ipv4.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
+index d048aa8332938..685474ef11c40 100644
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -2015,12 +2015,16 @@ static int cipso_v4_delopt(struct ip_options_rcu __rcu **opt_ptr)
+ * from there we can determine the new total option length */
+ iter = 0;
+ optlen_new = 0;
+- while (iter < opt->opt.optlen)
+- if (opt->opt.__data[iter] != IPOPT_NOP) {
++ while (iter < opt->opt.optlen) {
++ if (opt->opt.__data[iter] == IPOPT_END) {
++ break;
++ } else if (opt->opt.__data[iter] == IPOPT_NOP) {
++ iter++;
++ } else {
+ iter += opt->opt.__data[iter + 1];
+ optlen_new = iter;
+- } else
+- iter++;
++ }
++ }
+ hdr_delta = opt->opt.optlen;
+ opt->opt.optlen = (optlen_new + 3) & ~3;
+ hdr_delta -= opt->opt.optlen;
+--
+2.43.0
+
--- /dev/null
+From a744d13ef6d3c7c68e16265e704821d63d3ecf10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 May 2024 22:21:31 +0800
+Subject: ice: avoid IRQ collision to fix init failure on ACPI S3 resume
+
+From: En-Wei Wu <en-wei.wu@canonical.com>
+
+[ Upstream commit bc69ad74867dba1377abe14356c94a946d9837a3 ]
+
+A bug in https://bugzilla.kernel.org/show_bug.cgi?id=218906 describes
+that irdma would break and report hardware initialization failed after
+suspend/resume with Intel E810 NIC (tested on 6.9.0-rc5).
+
+The problem is caused due to the collision between the irq numbers
+requested in irdma and the irq numbers requested in other drivers
+after suspend/resume.
+
+The irq numbers used by irdma are derived from ice's ice_pf->msix_entries
+which stores mappings between MSI-X index and Linux interrupt number.
+It's supposed to be cleaned up when suspend and rebuilt in resume but
+it's not, causing irdma using the old irq numbers stored in the old
+ice_pf->msix_entries to request_irq() when resume. And eventually
+collide with other drivers.
+
+This patch fixes this problem. On suspend, we call ice_deinit_rdma() to
+clean up the ice_pf->msix_entries (and free the MSI-X vectors used by
+irdma if we've dynamically allocated them). On resume, we call
+ice_init_rdma() to rebuild the ice_pf->msix_entries (and allocate the
+MSI-X vectors if we would like to dynamically allocate them).
+
+Fixes: f9f5301e7e2d ("ice: Register auxiliary device to provide RDMA")
+Tested-by: Cyrus Lien <cyrus.lien@canonical.com>
+Signed-off-by: En-Wei Wu <en-wei.wu@canonical.com>
+Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index 5d71febdcd4dd..26ef8aec4cfdf 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -5348,7 +5348,7 @@ static int __maybe_unused ice_suspend(struct device *dev)
+ */
+ disabled = ice_service_task_stop(pf);
+
+- ice_unplug_aux_dev(pf);
++ ice_deinit_rdma(pf);
+
+ /* Already suspended?, then there is nothing to do */
+ if (test_and_set_bit(ICE_SUSPENDED, pf->state)) {
+@@ -5428,6 +5428,11 @@ static int __maybe_unused ice_resume(struct device *dev)
+ if (ret)
+ dev_err(dev, "Cannot restore interrupt scheme: %d\n", ret);
+
++ ret = ice_init_rdma(pf);
++ if (ret)
++ dev_err(dev, "Reinitialize RDMA during resume failed: %d\n",
++ ret);
++
+ clear_bit(ICE_DOWN, pf->state);
+ /* Now perform PF reset and rebuild */
+ reset_type = ICE_RESET_PFR;
+--
+2.43.0
+
--- /dev/null
+From 44255470540dd6af9dac367a076d785f40f4332a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Jun 2024 14:02:05 -0700
+Subject: ice: Fix VSI list rule with ICE_SW_LKUP_LAST type
+
+From: Marcin Szycik <marcin.szycik@linux.intel.com>
+
+[ Upstream commit 74382aebc9035470ec4c789bdb0d09d8c14f261e ]
+
+Adding/updating VSI list rule, as well as allocating/freeing VSI list
+resource are called several times with type ICE_SW_LKUP_LAST, which fails
+because ice_update_vsi_list_rule() and ice_aq_alloc_free_vsi_list()
+consider it invalid. Allow calling these functions with ICE_SW_LKUP_LAST.
+
+This fixes at least one issue in switchdev mode, where the same rule with
+different action cannot be added, e.g.:
+
+ tc filter add dev $PF1 ingress protocol arp prio 0 flower skip_sw \
+ dst_mac ff:ff:ff:ff:ff:ff action mirred egress redirect dev $VF1_PR
+ tc filter add dev $PF1 ingress protocol arp prio 0 flower skip_sw \
+ dst_mac ff:ff:ff:ff:ff:ff action mirred egress redirect dev $VF2_PR
+
+Fixes: 0f94570d0cae ("ice: allow adding advanced rules")
+Suggested-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Signed-off-by: Marcin Szycik <marcin.szycik@linux.intel.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Sujai Buvaneswaran <sujai.buvaneswaran@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Link: https://lore.kernel.org/r/20240618210206.981885-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_switch.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_switch.c b/drivers/net/ethernet/intel/ice/ice_switch.c
+index 4c6d58bb2690d..d2a2388d4fa0a 100644
+--- a/drivers/net/ethernet/intel/ice/ice_switch.c
++++ b/drivers/net/ethernet/intel/ice/ice_switch.c
+@@ -1829,7 +1829,8 @@ ice_aq_alloc_free_vsi_list(struct ice_hw *hw, u16 *vsi_list_id,
+ lkup_type == ICE_SW_LKUP_ETHERTYPE_MAC ||
+ lkup_type == ICE_SW_LKUP_PROMISC ||
+ lkup_type == ICE_SW_LKUP_PROMISC_VLAN ||
+- lkup_type == ICE_SW_LKUP_DFLT) {
++ lkup_type == ICE_SW_LKUP_DFLT ||
++ lkup_type == ICE_SW_LKUP_LAST) {
+ sw_buf->res_type = cpu_to_le16(ICE_AQC_RES_TYPE_VSI_LIST_REP);
+ } else if (lkup_type == ICE_SW_LKUP_VLAN) {
+ if (opc == ice_aqc_opc_alloc_res)
+@@ -2775,7 +2776,8 @@ ice_update_vsi_list_rule(struct ice_hw *hw, u16 *vsi_handle_arr, u16 num_vsi,
+ lkup_type == ICE_SW_LKUP_ETHERTYPE_MAC ||
+ lkup_type == ICE_SW_LKUP_PROMISC ||
+ lkup_type == ICE_SW_LKUP_PROMISC_VLAN ||
+- lkup_type == ICE_SW_LKUP_DFLT)
++ lkup_type == ICE_SW_LKUP_DFLT ||
++ lkup_type == ICE_SW_LKUP_LAST)
+ rule_type = remove ? ICE_AQC_SW_RULES_T_VSI_LIST_CLEAR :
+ ICE_AQC_SW_RULES_T_VSI_LIST_SET;
+ else if (lkup_type == ICE_SW_LKUP_VLAN)
+--
+2.43.0
+
--- /dev/null
+From d8d1e70dc526b87426e9a9b37971918d8433e45c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Jun 2024 08:20:02 +0000
+Subject: ipv6: prevent possible NULL deref in fib6_nh_init()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 2eab4543a2204092c3a7af81d7d6c506e59a03a6 ]
+
+syzbot reminds us that in6_dev_get() can return NULL.
+
+fib6_nh_init()
+ ip6_validate_gw( &idev )
+ ip6_route_check_nh( idev )
+ *idev = in6_dev_get(dev); // can be NULL
+
+Oops: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI
+KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]
+CPU: 0 PID: 11237 Comm: syz-executor.3 Not tainted 6.10.0-rc2-syzkaller-00249-gbe27b8965297 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
+ RIP: 0010:fib6_nh_init+0x640/0x2160 net/ipv6/route.c:3606
+Code: 00 00 fc ff df 4c 8b 64 24 58 48 8b 44 24 28 4c 8b 74 24 30 48 89 c1 48 89 44 24 28 48 8d 98 e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 b3 17 00 00 8b 1b 31 ff 89 de e8 b8 8b
+RSP: 0018:ffffc900032775a0 EFLAGS: 00010202
+RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000000000
+RDX: 0000000000000010 RSI: ffffc90003277a54 RDI: ffff88802b3a08d8
+RBP: ffffc900032778b0 R08: 00000000000002fc R09: 0000000000000000
+R10: 00000000000002fc R11: 0000000000000000 R12: ffff88802b3a08b8
+R13: 1ffff9200064eec8 R14: ffffc90003277a00 R15: dffffc0000000000
+FS: 00007f940feb06c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000000 CR3: 00000000245e8000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ ip6_route_info_create+0x99e/0x12b0 net/ipv6/route.c:3809
+ ip6_route_add+0x28/0x160 net/ipv6/route.c:3853
+ ipv6_route_ioctl+0x588/0x870 net/ipv6/route.c:4483
+ inet6_ioctl+0x21a/0x280 net/ipv6/af_inet6.c:579
+ sock_do_ioctl+0x158/0x460 net/socket.c:1222
+ sock_ioctl+0x629/0x8e0 net/socket.c:1341
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:907 [inline]
+ __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f940f07cea9
+
+Fixes: 428604fb118f ("ipv6: do not set routes if disable_ipv6 has been enabled")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20240614082002.26407-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 29fa2ca07b46a..e40d05caf9550 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -3593,7 +3593,7 @@ int fib6_nh_init(struct net *net, struct fib6_nh *fib6_nh,
+ if (!dev)
+ goto out;
+
+- if (idev->cnf.disable_ipv6) {
++ if (!idev || idev->cnf.disable_ipv6) {
+ NL_SET_ERR_MSG(extack, "IPv6 is disabled on nexthop device");
+ err = -EACCES;
+ goto out;
+--
+2.43.0
+
--- /dev/null
+From 4b2cf977b90ed66638d057ed159bf943b6a97469 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Jun 2024 15:14:54 +0000
+Subject: ipv6: prevent possible NULL dereference in rt6_probe()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b86762dbe19a62e785c189f313cda5b989931f37 ]
+
+syzbot caught a NULL dereference in rt6_probe() [1]
+
+Bail out if __in6_dev_get() returns NULL.
+
+[1]
+Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI
+KASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f]
+CPU: 1 PID: 22444 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
+ RIP: 0010:rt6_probe net/ipv6/route.c:656 [inline]
+ RIP: 0010:find_match+0x8c4/0xf50 net/ipv6/route.c:758
+Code: 14 fd f7 48 8b 85 38 ff ff ff 48 c7 45 b0 00 00 00 00 48 8d b8 5c 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 19
+RSP: 0018:ffffc900034af070 EFLAGS: 00010203
+RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004521000
+RDX: 00000000000000cb RSI: ffffffff8990d0cd RDI: 000000000000065c
+RBP: ffffc900034af150 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000002 R12: 000000000000000a
+R13: 1ffff92000695e18 R14: ffff8880244a1d20 R15: 0000000000000000
+FS: 00007f4844a5a6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000001b31b27000 CR3: 000000002d42c000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ rt6_nh_find_match+0xfa/0x1a0 net/ipv6/route.c:784
+ nexthop_for_each_fib6_nh+0x26d/0x4a0 net/ipv4/nexthop.c:1496
+ __find_rr_leaf+0x6e7/0xe00 net/ipv6/route.c:825
+ find_rr_leaf net/ipv6/route.c:853 [inline]
+ rt6_select net/ipv6/route.c:897 [inline]
+ fib6_table_lookup+0x57e/0xa30 net/ipv6/route.c:2195
+ ip6_pol_route+0x1cd/0x1150 net/ipv6/route.c:2231
+ pol_lookup_func include/net/ip6_fib.h:616 [inline]
+ fib6_rule_lookup+0x386/0x720 net/ipv6/fib6_rules.c:121
+ ip6_route_output_flags_noref net/ipv6/route.c:2639 [inline]
+ ip6_route_output_flags+0x1d0/0x640 net/ipv6/route.c:2651
+ ip6_dst_lookup_tail.constprop.0+0x961/0x1760 net/ipv6/ip6_output.c:1147
+ ip6_dst_lookup_flow+0x99/0x1d0 net/ipv6/ip6_output.c:1250
+ rawv6_sendmsg+0xdab/0x4340 net/ipv6/raw.c:898
+ inet_sendmsg+0x119/0x140 net/ipv4/af_inet.c:853
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg net/socket.c:745 [inline]
+ sock_write_iter+0x4b8/0x5c0 net/socket.c:1160
+ new_sync_write fs/read_write.c:497 [inline]
+ vfs_write+0x6b6/0x1140 fs/read_write.c:590
+ ksys_write+0x1f8/0x260 fs/read_write.c:643
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 52e1635631b3 ("[IPV6]: ROUTE: Add router_probe_interval sysctl.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20240615151454.166404-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/route.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index e40d05caf9550..eb3afaee62e8f 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -638,6 +638,8 @@ static void rt6_probe(struct fib6_nh *fib6_nh)
+ rcu_read_lock();
+ last_probe = READ_ONCE(fib6_nh->last_probe);
+ idev = __in6_dev_get(dev);
++ if (!idev)
++ goto out;
+ neigh = __ipv6_neigh_lookup_noref(dev, nh_gw);
+ if (neigh) {
+ if (READ_ONCE(neigh->nud_state) & NUD_VALID)
+--
+2.43.0
+
--- /dev/null
+From 122b0f7ff370add1a170ce010f20d55e7d2bcaca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Jun 2024 13:35:33 +0200
+Subject: mips: bmips: BCM6358: make sure CBR is correctly set
+
+From: Christian Marangi <ansuelsmth@gmail.com>
+
+[ Upstream commit ce5cdd3b05216b704a704f466fb4c2dff3778caf ]
+
+It was discovered that some device have CBR address set to 0 causing
+kernel panic when arch_sync_dma_for_cpu_all is called.
+
+This was notice in situation where the system is booted from TP1 and
+BMIPS_GET_CBR() returns 0 instead of a valid address and
+!!(read_c0_brcm_cmt_local() & (1 << 31)); not failing.
+
+The current check whether RAC flush should be disabled or not are not
+enough hence lets check if CBR is a valid address or not.
+
+Fixes: ab327f8acdf8 ("mips: bmips: BCM6358: disable RAC flush for TP1")
+Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
+Acked-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/bmips/setup.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/mips/bmips/setup.c b/arch/mips/bmips/setup.c
+index ec180ab92eaa8..66a8ba19c2872 100644
+--- a/arch/mips/bmips/setup.c
++++ b/arch/mips/bmips/setup.c
+@@ -110,7 +110,8 @@ static void bcm6358_quirks(void)
+ * RAC flush causes kernel panics on BCM6358 when booting from TP1
+ * because the bootloader is not initializing it properly.
+ */
+- bmips_rac_flush_disable = !!(read_c0_brcm_cmt_local() & (1 << 31));
++ bmips_rac_flush_disable = !!(read_c0_brcm_cmt_local() & (1 << 31)) ||
++ !!BMIPS_GET_CBR();
+ }
+
+ static void bcm6368_quirks(void)
+--
+2.43.0
+
--- /dev/null
+From ad4c6eb85984263b690a78cc1d75c9fa8482fc04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 May 2024 15:07:00 +0300
+Subject: MIPS: Routerboard 532: Fix vendor retry check code
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+[ Upstream commit ae9daffd9028f2500c9ac1517e46d4f2b57efb80 ]
+
+read_config_dword() contains strange condition checking ret for a
+number of values. The ret variable, however, is always zero because
+config_access() never returns anything else. Thus, the retry is always
+taken until number of tries is exceeded.
+
+The code looks like it wants to check *val instead of ret to see if the
+read gave an error response.
+
+Fixes: 73b4390fb234 ("[MIPS] Routerboard 532: Support for base system")
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/pci/ops-rc32434.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/pci/ops-rc32434.c b/arch/mips/pci/ops-rc32434.c
+index 874ed6df97683..34b9323bdabb0 100644
+--- a/arch/mips/pci/ops-rc32434.c
++++ b/arch/mips/pci/ops-rc32434.c
+@@ -112,8 +112,8 @@ static int read_config_dword(struct pci_bus *bus, unsigned int devfn,
+ * gives them time to settle
+ */
+ if (where == PCI_VENDOR_ID) {
+- if (ret == 0xffffffff || ret == 0x00000000 ||
+- ret == 0x0000ffff || ret == 0xffff0000) {
++ if (*val == 0xffffffff || *val == 0x00000000 ||
++ *val == 0x0000ffff || *val == 0xffff0000) {
+ if (delay > 4)
+ return 0;
+ delay *= 2;
+--
+2.43.0
+
--- /dev/null
+From 754781b4afeaaa1340908cadb4c6d1477ec15e61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Jun 2024 22:41:55 +0530
+Subject: net: lan743x: disable WOL upon resume to restore full data path
+ operation
+
+From: Raju Lakkaraju <Raju.Lakkaraju@microchip.com>
+
+[ Upstream commit 7725363936a88351b71495774c1e0e852ae4cdca ]
+
+When Wake-on-LAN (WoL) is active and the system is in suspend mode, triggering
+a system event can wake the system from sleep, which may block the data path.
+To restore normal data path functionality after waking, disable all wake-up
+events. Furthermore, clear all Write 1 to Clear (W1C) status bits by writing
+1's to them.
+
+Fixes: 4d94282afd95 ("lan743x: Add power management support")
+Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
+Signed-off-by: Raju Lakkaraju <Raju.Lakkaraju@microchip.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/lan743x_main.c | 30 ++++++++++++++++---
+ drivers/net/ethernet/microchip/lan743x_main.h | 24 +++++++++++++++
+ 2 files changed, 50 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/microchip/lan743x_main.c b/drivers/net/ethernet/microchip/lan743x_main.c
+index 0b6174748d2b4..e5d9d9983c7f5 100644
+--- a/drivers/net/ethernet/microchip/lan743x_main.c
++++ b/drivers/net/ethernet/microchip/lan743x_main.c
+@@ -3519,7 +3519,7 @@ static void lan743x_pm_set_wol(struct lan743x_adapter *adapter)
+
+ /* clear wake settings */
+ pmtctl = lan743x_csr_read(adapter, PMT_CTL);
+- pmtctl |= PMT_CTL_WUPS_MASK_;
++ pmtctl |= PMT_CTL_WUPS_MASK_ | PMT_CTL_RES_CLR_WKP_MASK_;
+ pmtctl &= ~(PMT_CTL_GPIO_WAKEUP_EN_ | PMT_CTL_EEE_WAKEUP_EN_ |
+ PMT_CTL_WOL_EN_ | PMT_CTL_MAC_D3_RX_CLK_OVR_ |
+ PMT_CTL_RX_FCT_RFE_D3_CLK_OVR_ | PMT_CTL_ETH_PHY_WAKE_EN_);
+@@ -3654,6 +3654,7 @@ static int lan743x_pm_resume(struct device *dev)
+ struct pci_dev *pdev = to_pci_dev(dev);
+ struct net_device *netdev = pci_get_drvdata(pdev);
+ struct lan743x_adapter *adapter = netdev_priv(netdev);
++ u32 data;
+ int ret;
+
+ pci_set_power_state(pdev, PCI_D0);
+@@ -3672,6 +3673,30 @@ static int lan743x_pm_resume(struct device *dev)
+ return ret;
+ }
+
++ ret = lan743x_csr_read(adapter, MAC_WK_SRC);
++ netif_dbg(adapter, drv, adapter->netdev,
++ "Wakeup source : 0x%08X\n", ret);
++
++ /* Clear the wol configuration and status bits. Note that
++ * the status bits are "Write One to Clear (W1C)"
++ */
++ data = MAC_WUCSR_EEE_TX_WAKE_ | MAC_WUCSR_EEE_RX_WAKE_ |
++ MAC_WUCSR_RFE_WAKE_FR_ | MAC_WUCSR_PFDA_FR_ | MAC_WUCSR_WUFR_ |
++ MAC_WUCSR_MPR_ | MAC_WUCSR_BCAST_FR_;
++ lan743x_csr_write(adapter, MAC_WUCSR, data);
++
++ data = MAC_WUCSR2_NS_RCD_ | MAC_WUCSR2_ARP_RCD_ |
++ MAC_WUCSR2_IPV6_TCPSYN_RCD_ | MAC_WUCSR2_IPV4_TCPSYN_RCD_;
++ lan743x_csr_write(adapter, MAC_WUCSR2, data);
++
++ data = MAC_WK_SRC_ETH_PHY_WK_ | MAC_WK_SRC_IPV6_TCPSYN_RCD_WK_ |
++ MAC_WK_SRC_IPV4_TCPSYN_RCD_WK_ | MAC_WK_SRC_EEE_TX_WK_ |
++ MAC_WK_SRC_EEE_RX_WK_ | MAC_WK_SRC_RFE_FR_WK_ |
++ MAC_WK_SRC_PFDA_FR_WK_ | MAC_WK_SRC_MP_FR_WK_ |
++ MAC_WK_SRC_BCAST_FR_WK_ | MAC_WK_SRC_WU_FR_WK_ |
++ MAC_WK_SRC_WK_FR_SAVED_;
++ lan743x_csr_write(adapter, MAC_WK_SRC, data);
++
+ /* open netdev when netdev is at running state while resume.
+ * For instance, it is true when system wakesup after pm-suspend
+ * However, it is false when system wakes up after suspend GUI menu
+@@ -3680,9 +3705,6 @@ static int lan743x_pm_resume(struct device *dev)
+ lan743x_netdev_open(netdev);
+
+ netif_device_attach(netdev);
+- ret = lan743x_csr_read(adapter, MAC_WK_SRC);
+- netif_info(adapter, drv, adapter->netdev,
+- "Wakeup source : 0x%08X\n", ret);
+
+ return 0;
+ }
+diff --git a/drivers/net/ethernet/microchip/lan743x_main.h b/drivers/net/ethernet/microchip/lan743x_main.h
+index f0b486f85450e..ee6de01d89bcc 100644
+--- a/drivers/net/ethernet/microchip/lan743x_main.h
++++ b/drivers/net/ethernet/microchip/lan743x_main.h
+@@ -61,6 +61,7 @@
+ #define PMT_CTL_RX_FCT_RFE_D3_CLK_OVR_ BIT(18)
+ #define PMT_CTL_GPIO_WAKEUP_EN_ BIT(15)
+ #define PMT_CTL_EEE_WAKEUP_EN_ BIT(13)
++#define PMT_CTL_RES_CLR_WKP_MASK_ GENMASK(9, 8)
+ #define PMT_CTL_READY_ BIT(7)
+ #define PMT_CTL_ETH_PHY_RST_ BIT(4)
+ #define PMT_CTL_WOL_EN_ BIT(3)
+@@ -227,12 +228,31 @@
+ #define MAC_WUCSR (0x140)
+ #define MAC_MP_SO_EN_ BIT(21)
+ #define MAC_WUCSR_RFE_WAKE_EN_ BIT(14)
++#define MAC_WUCSR_EEE_TX_WAKE_ BIT(13)
++#define MAC_WUCSR_EEE_RX_WAKE_ BIT(11)
++#define MAC_WUCSR_RFE_WAKE_FR_ BIT(9)
++#define MAC_WUCSR_PFDA_FR_ BIT(7)
++#define MAC_WUCSR_WUFR_ BIT(6)
++#define MAC_WUCSR_MPR_ BIT(5)
++#define MAC_WUCSR_BCAST_FR_ BIT(4)
+ #define MAC_WUCSR_PFDA_EN_ BIT(3)
+ #define MAC_WUCSR_WAKE_EN_ BIT(2)
+ #define MAC_WUCSR_MPEN_ BIT(1)
+ #define MAC_WUCSR_BCST_EN_ BIT(0)
+
+ #define MAC_WK_SRC (0x144)
++#define MAC_WK_SRC_ETH_PHY_WK_ BIT(17)
++#define MAC_WK_SRC_IPV6_TCPSYN_RCD_WK_ BIT(16)
++#define MAC_WK_SRC_IPV4_TCPSYN_RCD_WK_ BIT(15)
++#define MAC_WK_SRC_EEE_TX_WK_ BIT(14)
++#define MAC_WK_SRC_EEE_RX_WK_ BIT(13)
++#define MAC_WK_SRC_RFE_FR_WK_ BIT(12)
++#define MAC_WK_SRC_PFDA_FR_WK_ BIT(11)
++#define MAC_WK_SRC_MP_FR_WK_ BIT(10)
++#define MAC_WK_SRC_BCAST_FR_WK_ BIT(9)
++#define MAC_WK_SRC_WU_FR_WK_ BIT(8)
++#define MAC_WK_SRC_WK_FR_SAVED_ BIT(7)
++
+ #define MAC_MP_SO_HI (0x148)
+ #define MAC_MP_SO_LO (0x14C)
+
+@@ -295,6 +315,10 @@
+ #define RFE_INDX(index) (0x580 + (index << 2))
+
+ #define MAC_WUCSR2 (0x600)
++#define MAC_WUCSR2_NS_RCD_ BIT(7)
++#define MAC_WUCSR2_ARP_RCD_ BIT(6)
++#define MAC_WUCSR2_IPV6_TCPSYN_RCD_ BIT(5)
++#define MAC_WUCSR2_IPV4_TCPSYN_RCD_ BIT(4)
+
+ #define SGMII_ACC (0x720)
+ #define SGMII_ACC_SGMII_BZY_ BIT(31)
+--
+2.43.0
+
--- /dev/null
+From c825111236ae842bc53875644d41fd16e7b86e3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Jun 2024 22:41:56 +0530
+Subject: net: lan743x: Support WOL at both the PHY and MAC appropriately
+
+From: Raju Lakkaraju <Raju.Lakkaraju@microchip.com>
+
+[ Upstream commit 8c248cd836014339498486f14f435c0e344183a7 ]
+
+Prevent options not supported by the PHY from being requested to it by the MAC
+Whenever a WOL option is supported by both, the PHY is given priority
+since that usually leads to better power savings.
+
+Fixes: e9e13b6adc33 ("lan743x: fix for potential NULL pointer dereference with bare card")
+Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
+Signed-off-by: Raju Lakkaraju <Raju.Lakkaraju@microchip.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/microchip/lan743x_ethtool.c | 44 +++++++++++++++++--
+ drivers/net/ethernet/microchip/lan743x_main.c | 18 ++++++--
+ drivers/net/ethernet/microchip/lan743x_main.h | 4 ++
+ 3 files changed, 58 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/microchip/lan743x_ethtool.c b/drivers/net/ethernet/microchip/lan743x_ethtool.c
+index 2db5949b4c7e4..72b3092d35f71 100644
+--- a/drivers/net/ethernet/microchip/lan743x_ethtool.c
++++ b/drivers/net/ethernet/microchip/lan743x_ethtool.c
+@@ -1146,8 +1146,12 @@ static void lan743x_ethtool_get_wol(struct net_device *netdev,
+ if (netdev->phydev)
+ phy_ethtool_get_wol(netdev->phydev, wol);
+
+- wol->supported |= WAKE_BCAST | WAKE_UCAST | WAKE_MCAST |
+- WAKE_MAGIC | WAKE_PHY | WAKE_ARP;
++ if (wol->supported != adapter->phy_wol_supported)
++ netif_warn(adapter, drv, adapter->netdev,
++ "PHY changed its supported WOL! old=%x, new=%x\n",
++ adapter->phy_wol_supported, wol->supported);
++
++ wol->supported |= MAC_SUPPORTED_WAKES;
+
+ if (adapter->is_pci11x1x)
+ wol->supported |= WAKE_MAGICSECURE;
+@@ -1162,7 +1166,39 @@ static int lan743x_ethtool_set_wol(struct net_device *netdev,
+ {
+ struct lan743x_adapter *adapter = netdev_priv(netdev);
+
++ /* WAKE_MAGICSEGURE is a modifier of and only valid together with
++ * WAKE_MAGIC
++ */
++ if ((wol->wolopts & WAKE_MAGICSECURE) && !(wol->wolopts & WAKE_MAGIC))
++ return -EINVAL;
++
++ if (netdev->phydev) {
++ struct ethtool_wolinfo phy_wol;
++ int ret;
++
++ phy_wol.wolopts = wol->wolopts & adapter->phy_wol_supported;
++
++ /* If WAKE_MAGICSECURE was requested, filter out WAKE_MAGIC
++ * for PHYs that do not support WAKE_MAGICSECURE
++ */
++ if (wol->wolopts & WAKE_MAGICSECURE &&
++ !(adapter->phy_wol_supported & WAKE_MAGICSECURE))
++ phy_wol.wolopts &= ~WAKE_MAGIC;
++
++ ret = phy_ethtool_set_wol(netdev->phydev, &phy_wol);
++ if (ret && (ret != -EOPNOTSUPP))
++ return ret;
++
++ if (ret == -EOPNOTSUPP)
++ adapter->phy_wolopts = 0;
++ else
++ adapter->phy_wolopts = phy_wol.wolopts;
++ } else {
++ adapter->phy_wolopts = 0;
++ }
++
+ adapter->wolopts = 0;
++ wol->wolopts &= ~adapter->phy_wolopts;
+ if (wol->wolopts & WAKE_UCAST)
+ adapter->wolopts |= WAKE_UCAST;
+ if (wol->wolopts & WAKE_MCAST)
+@@ -1183,10 +1219,10 @@ static int lan743x_ethtool_set_wol(struct net_device *netdev,
+ memset(adapter->sopass, 0, sizeof(u8) * SOPASS_MAX);
+ }
+
++ wol->wolopts = adapter->wolopts | adapter->phy_wolopts;
+ device_set_wakeup_enable(&adapter->pdev->dev, (bool)wol->wolopts);
+
+- return netdev->phydev ? phy_ethtool_set_wol(netdev->phydev, wol)
+- : -ENETDOWN;
++ return 0;
+ }
+ #endif /* CONFIG_PM */
+
+diff --git a/drivers/net/ethernet/microchip/lan743x_main.c b/drivers/net/ethernet/microchip/lan743x_main.c
+index e5d9d9983c7f5..92010bfe5e413 100644
+--- a/drivers/net/ethernet/microchip/lan743x_main.c
++++ b/drivers/net/ethernet/microchip/lan743x_main.c
+@@ -3062,6 +3062,17 @@ static int lan743x_netdev_open(struct net_device *netdev)
+ if (ret)
+ goto close_tx;
+ }
++
++#ifdef CONFIG_PM
++ if (adapter->netdev->phydev) {
++ struct ethtool_wolinfo wol = { .cmd = ETHTOOL_GWOL };
++
++ phy_ethtool_get_wol(netdev->phydev, &wol);
++ adapter->phy_wol_supported = wol.supported;
++ adapter->phy_wolopts = wol.wolopts;
++ }
++#endif
++
+ return 0;
+
+ close_tx:
+@@ -3531,10 +3542,9 @@ static void lan743x_pm_set_wol(struct lan743x_adapter *adapter)
+
+ pmtctl |= PMT_CTL_ETH_PHY_D3_COLD_OVR_ | PMT_CTL_ETH_PHY_D3_OVR_;
+
+- if (adapter->wolopts & WAKE_PHY) {
+- pmtctl |= PMT_CTL_ETH_PHY_EDPD_PLL_CTL_;
++ if (adapter->phy_wolopts)
+ pmtctl |= PMT_CTL_ETH_PHY_WAKE_EN_;
+- }
++
+ if (adapter->wolopts & WAKE_MAGIC) {
+ wucsr |= MAC_WUCSR_MPEN_;
+ macrx |= MAC_RX_RXEN_;
+@@ -3630,7 +3640,7 @@ static int lan743x_pm_suspend(struct device *dev)
+ lan743x_csr_write(adapter, MAC_WUCSR2, 0);
+ lan743x_csr_write(adapter, MAC_WK_SRC, 0xFFFFFFFF);
+
+- if (adapter->wolopts)
++ if (adapter->wolopts || adapter->phy_wolopts)
+ lan743x_pm_set_wol(adapter);
+
+ if (adapter->is_pci11x1x) {
+diff --git a/drivers/net/ethernet/microchip/lan743x_main.h b/drivers/net/ethernet/microchip/lan743x_main.h
+index ee6de01d89bcc..3b2c6046eb3ad 100644
+--- a/drivers/net/ethernet/microchip/lan743x_main.h
++++ b/drivers/net/ethernet/microchip/lan743x_main.h
+@@ -1034,6 +1034,8 @@ enum lan743x_sgmii_lsd {
+ LINK_2500_SLAVE
+ };
+
++#define MAC_SUPPORTED_WAKES (WAKE_BCAST | WAKE_UCAST | WAKE_MCAST | \
++ WAKE_MAGIC | WAKE_ARP)
+ struct lan743x_adapter {
+ struct net_device *netdev;
+ struct mii_bus *mdiobus;
+@@ -1041,6 +1043,8 @@ struct lan743x_adapter {
+ #ifdef CONFIG_PM
+ u32 wolopts;
+ u8 sopass[SOPASS_MAX];
++ u32 phy_wolopts;
++ u32 phy_wol_supported;
+ #endif
+ struct pci_dev *pdev;
+ struct lan743x_csr csr;
+--
+2.43.0
+
--- /dev/null
+From 148f88a7f79ec46f7531ea9e9a8236990a095c0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Jun 2024 14:49:00 +1200
+Subject: net: mvpp2: use slab_build_skb for oversized frames
+
+From: Aryan Srivastava <aryan.srivastava@alliedtelesis.co.nz>
+
+[ Upstream commit 4467c09bc7a66a17ffd84d6262d48279b26106ea ]
+
+Setting frag_size to 0 to indicate kmalloc has been deprecated,
+use slab_build_skb directly.
+
+Fixes: ce098da1497c ("skbuff: Introduce slab_build_skb()")
+Signed-off-by: Aryan Srivastava <aryan.srivastava@alliedtelesis.co.nz>
+Reviewed-by: Kees Cook <kees@kernel.org>
+Link: https://lore.kernel.org/r/20240613024900.3842238-1-aryan.srivastava@alliedtelesis.co.nz
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+index aca17082b9eca..05f4aa11b95c3 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -4001,7 +4001,10 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
+ }
+ }
+
+- skb = build_skb(data, frag_size);
++ if (frag_size)
++ skb = build_skb(data, frag_size);
++ else
++ skb = slab_build_skb(data);
+ if (!skb) {
+ netdev_warn(port->dev, "skb build failed\n");
+ goto err_drop_frame;
+--
+2.43.0
+
--- /dev/null
+From c680ba967a607deef11816f2ef2aca784359aa91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Jun 2024 22:41:57 +0530
+Subject: net: phy: mxl-gpy: Remove interrupt mask clearing from config_init
+
+From: Raju Lakkaraju <Raju.Lakkaraju@microchip.com>
+
+[ Upstream commit c44d3ffd85db03ebcc3090e55589e10d5af9f3a9 ]
+
+When the system resumes from sleep, the phy_init_hw() function invokes
+config_init(), which clears all interrupt masks and causes wake events to be
+lost in subsequent wake sequences. Remove interrupt mask clearing from
+config_init() and preserve relevant masks in config_intr().
+
+Fixes: 7d901a1e878a ("net: phy: add Maxlinear GPY115/21x/24x driver")
+Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
+Signed-off-by: Raju Lakkaraju <Raju.Lakkaraju@microchip.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mxl-gpy.c | 58 +++++++++++++++++++++++++--------------
+ 1 file changed, 38 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/net/phy/mxl-gpy.c b/drivers/net/phy/mxl-gpy.c
+index ea1073adc5a16..034f5c4d03377 100644
+--- a/drivers/net/phy/mxl-gpy.c
++++ b/drivers/net/phy/mxl-gpy.c
+@@ -107,6 +107,7 @@ struct gpy_priv {
+
+ u8 fw_major;
+ u8 fw_minor;
++ u32 wolopts;
+
+ /* It takes 3 seconds to fully switch out of loopback mode before
+ * it can safely re-enter loopback mode. Record the time when
+@@ -221,6 +222,15 @@ static int gpy_hwmon_register(struct phy_device *phydev)
+ }
+ #endif
+
++static int gpy_ack_interrupt(struct phy_device *phydev)
++{
++ int ret;
++
++ /* Clear all pending interrupts */
++ ret = phy_read(phydev, PHY_ISTAT);
++ return ret < 0 ? ret : 0;
++}
++
+ static int gpy_mbox_read(struct phy_device *phydev, u32 addr)
+ {
+ struct gpy_priv *priv = phydev->priv;
+@@ -262,16 +272,8 @@ static int gpy_mbox_read(struct phy_device *phydev, u32 addr)
+
+ static int gpy_config_init(struct phy_device *phydev)
+ {
+- int ret;
+-
+- /* Mask all interrupts */
+- ret = phy_write(phydev, PHY_IMASK, 0);
+- if (ret)
+- return ret;
+-
+- /* Clear all pending interrupts */
+- ret = phy_read(phydev, PHY_ISTAT);
+- return ret < 0 ? ret : 0;
++ /* Nothing to configure. Configuration Requirement Placeholder */
++ return 0;
+ }
+
+ static int gpy_probe(struct phy_device *phydev)
+@@ -619,11 +621,23 @@ static int gpy_read_status(struct phy_device *phydev)
+
+ static int gpy_config_intr(struct phy_device *phydev)
+ {
++ struct gpy_priv *priv = phydev->priv;
+ u16 mask = 0;
++ int ret;
++
++ ret = gpy_ack_interrupt(phydev);
++ if (ret)
++ return ret;
+
+ if (phydev->interrupts == PHY_INTERRUPT_ENABLED)
+ mask = PHY_IMASK_MASK;
+
++ if (priv->wolopts & WAKE_MAGIC)
++ mask |= PHY_IMASK_WOL;
++
++ if (priv->wolopts & WAKE_PHY)
++ mask |= PHY_IMASK_LSTC;
++
+ return phy_write(phydev, PHY_IMASK, mask);
+ }
+
+@@ -670,6 +684,7 @@ static int gpy_set_wol(struct phy_device *phydev,
+ struct ethtool_wolinfo *wol)
+ {
+ struct net_device *attach_dev = phydev->attached_dev;
++ struct gpy_priv *priv = phydev->priv;
+ int ret;
+
+ if (wol->wolopts & WAKE_MAGIC) {
+@@ -717,6 +732,8 @@ static int gpy_set_wol(struct phy_device *phydev,
+ ret = phy_read(phydev, PHY_ISTAT);
+ if (ret < 0)
+ return ret;
++
++ priv->wolopts |= WAKE_MAGIC;
+ } else {
+ /* Disable magic packet matching */
+ ret = phy_clear_bits_mmd(phydev, MDIO_MMD_VEND2,
+@@ -724,6 +741,13 @@ static int gpy_set_wol(struct phy_device *phydev,
+ WOL_EN);
+ if (ret < 0)
+ return ret;
++
++ /* Disable the WOL interrupt */
++ ret = phy_clear_bits(phydev, PHY_IMASK, PHY_IMASK_WOL);
++ if (ret < 0)
++ return ret;
++
++ priv->wolopts &= ~WAKE_MAGIC;
+ }
+
+ if (wol->wolopts & WAKE_PHY) {
+@@ -740,9 +764,11 @@ static int gpy_set_wol(struct phy_device *phydev,
+ if (ret & (PHY_IMASK_MASK & ~PHY_IMASK_LSTC))
+ phy_trigger_machine(phydev);
+
++ priv->wolopts |= WAKE_PHY;
+ return 0;
+ }
+
++ priv->wolopts &= ~WAKE_PHY;
+ /* Disable the link state change interrupt */
+ return phy_clear_bits(phydev, PHY_IMASK, PHY_IMASK_LSTC);
+ }
+@@ -750,18 +776,10 @@ static int gpy_set_wol(struct phy_device *phydev,
+ static void gpy_get_wol(struct phy_device *phydev,
+ struct ethtool_wolinfo *wol)
+ {
+- int ret;
++ struct gpy_priv *priv = phydev->priv;
+
+ wol->supported = WAKE_MAGIC | WAKE_PHY;
+- wol->wolopts = 0;
+-
+- ret = phy_read_mmd(phydev, MDIO_MMD_VEND2, VPSPEC2_WOL_CTL);
+- if (ret & WOL_EN)
+- wol->wolopts |= WAKE_MAGIC;
+-
+- ret = phy_read(phydev, PHY_IMASK);
+- if (ret & PHY_IMASK_LSTC)
+- wol->wolopts |= WAKE_PHY;
++ wol->wolopts = priv->wolopts;
+ }
+
+ static int gpy_loopback(struct phy_device *phydev, bool enable)
+--
+2.43.0
+
--- /dev/null
+From ef5eeb203eeb2fa58203da255f9286293e828310 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Jun 2024 19:03:26 +0000
+Subject: net/sched: act_api: fix possible infinite loop in
+ tcf_idr_check_alloc()
+
+From: David Ruth <druth@chromium.org>
+
+[ Upstream commit d864319871b05fadd153e0aede4811ca7008f5d6 ]
+
+syzbot found hanging tasks waiting on rtnl_lock [1]
+
+A reproducer is available in the syzbot bug.
+
+When a request to add multiple actions with the same index is sent, the
+second request will block forever on the first request. This holds
+rtnl_lock, and causes tasks to hang.
+
+Return -EAGAIN to prevent infinite looping, while keeping documented
+behavior.
+
+[1]
+
+INFO: task kworker/1:0:5088 blocked for more than 143 seconds.
+Not tainted 6.9.0-rc4-syzkaller-00173-g3cdb45594619 #0
+"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+task:kworker/1:0 state:D stack:23744 pid:5088 tgid:5088 ppid:2 flags:0x00004000
+Workqueue: events_power_efficient reg_check_chans_work
+Call Trace:
+<TASK>
+context_switch kernel/sched/core.c:5409 [inline]
+__schedule+0xf15/0x5d00 kernel/sched/core.c:6746
+__schedule_loop kernel/sched/core.c:6823 [inline]
+schedule+0xe7/0x350 kernel/sched/core.c:6838
+schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6895
+__mutex_lock_common kernel/locking/mutex.c:684 [inline]
+__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
+wiphy_lock include/net/cfg80211.h:5953 [inline]
+reg_leave_invalid_chans net/wireless/reg.c:2466 [inline]
+reg_check_chans_work+0x10a/0x10e0 net/wireless/reg.c:2481
+
+Fixes: 0190c1d452a9 ("net: sched: atomically check-allocate action")
+Reported-by: syzbot+b87c222546179f4513a7@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=b87c222546179f4513a7
+Signed-off-by: David Ruth <druth@chromium.org>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://lore.kernel.org/r/20240614190326.1349786-1-druth@chromium.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_api.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/sched/act_api.c b/net/sched/act_api.c
+index 5d34852ca5003..2d6d58e1b278a 100644
+--- a/net/sched/act_api.c
++++ b/net/sched/act_api.c
+@@ -830,7 +830,6 @@ int tcf_idr_check_alloc(struct tc_action_net *tn, u32 *index,
+ u32 max;
+
+ if (*index) {
+-again:
+ rcu_read_lock();
+ p = idr_find(&idrinfo->action_idr, *index);
+
+@@ -839,7 +838,7 @@ int tcf_idr_check_alloc(struct tc_action_net *tn, u32 *index,
+ * index but did not assign the pointer yet.
+ */
+ rcu_read_unlock();
+- goto again;
++ return -EAGAIN;
+ }
+
+ if (!p) {
+--
+2.43.0
+
--- /dev/null
+From fe686d51ea898c2c8ed7d9f3d6cf862e216dcfb2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Dec 2023 15:18:06 -0300
+Subject: net/sched: act_api: rely on rcu in tcf_idr_check_alloc
+
+From: Pedro Tammela <pctammela@mojatatu.com>
+
+[ Upstream commit 4b55e86736d5b492cf689125da2600f59c7d2c39 ]
+
+Instead of relying only on the idrinfo->lock mutex for
+bind/alloc logic, rely on a combination of rcu + mutex + atomics
+to better scale the case where multiple rtnl-less filters are
+binding to the same action object.
+
+Action binding happens when an action index is specified explicitly and
+an action exists which such index exists. Example:
+ tc actions add action drop index 1
+ tc filter add ... matchall action drop index 1
+ tc filter add ... matchall action drop index 1
+ tc filter add ... matchall action drop index 1
+ tc filter ls ...
+ filter protocol all pref 49150 matchall chain 0 filter protocol all pref 49150 matchall chain 0 handle 0x1
+ not_in_hw
+ action order 1: gact action drop
+ random type none pass val 0
+ index 1 ref 4 bind 3
+
+ filter protocol all pref 49151 matchall chain 0 filter protocol all pref 49151 matchall chain 0 handle 0x1
+ not_in_hw
+ action order 1: gact action drop
+ random type none pass val 0
+ index 1 ref 4 bind 3
+
+ filter protocol all pref 49152 matchall chain 0 filter protocol all pref 49152 matchall chain 0 handle 0x1
+ not_in_hw
+ action order 1: gact action drop
+ random type none pass val 0
+ index 1 ref 4 bind 3
+
+When no index is specified, as before, grab the mutex and allocate
+in the idr the next available id. In this version, as opposed to before,
+it's simplified to store the -EBUSY pointer instead of the previous
+alloc + replace combination.
+
+When an index is specified, rely on rcu to find if there's an object in
+such index. If there's none, fallback to the above, serializing on the
+mutex and reserving the specified id. If there's one, it can be an -EBUSY
+pointer, in which case we just try again until it's an action, or an action.
+Given the rcu guarantees, the action found could be dead and therefore
+we need to bump the refcount if it's not 0, handling the case it's
+in fact 0.
+
+As bind and the action refcount are already atomics, these increments can
+happen without the mutex protection while many tcf_idr_check_alloc race
+to bind to the same action instance.
+
+In case binding encounters a parallel delete or add, it will return
+-EAGAIN in order to try again. Both filter and action apis already
+have the retry machinery in-place. In case it's an unlocked filter it
+retries under the rtnl lock.
+
+Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Reviewed-by: Vlad Buslov <vladbu@nvidia.com>
+Link: https://lore.kernel.org/r/20231211181807.96028-2-pctammela@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: d864319871b0 ("net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_api.c | 65 ++++++++++++++++++++++++++++++---------------
+ 1 file changed, 43 insertions(+), 22 deletions(-)
+
+diff --git a/net/sched/act_api.c b/net/sched/act_api.c
+index 9d3f26bf0440d..5d34852ca5003 100644
+--- a/net/sched/act_api.c
++++ b/net/sched/act_api.c
+@@ -816,6 +816,9 @@ EXPORT_SYMBOL(tcf_idr_cleanup);
+ * its reference and bind counters, and return 1. Otherwise insert temporary
+ * error pointer (to prevent concurrent users from inserting actions with same
+ * index) and return 0.
++ *
++ * May return -EAGAIN for binding actions in case of a parallel add/delete on
++ * the requested index.
+ */
+
+ int tcf_idr_check_alloc(struct tc_action_net *tn, u32 *index,
+@@ -824,43 +827,61 @@ int tcf_idr_check_alloc(struct tc_action_net *tn, u32 *index,
+ struct tcf_idrinfo *idrinfo = tn->idrinfo;
+ struct tc_action *p;
+ int ret;
++ u32 max;
+
+-again:
+- mutex_lock(&idrinfo->lock);
+ if (*index) {
++again:
++ rcu_read_lock();
+ p = idr_find(&idrinfo->action_idr, *index);
++
+ if (IS_ERR(p)) {
+ /* This means that another process allocated
+ * index but did not assign the pointer yet.
+ */
+- mutex_unlock(&idrinfo->lock);
++ rcu_read_unlock();
+ goto again;
+ }
+
+- if (p) {
+- refcount_inc(&p->tcfa_refcnt);
+- if (bind)
+- atomic_inc(&p->tcfa_bindcnt);
+- *a = p;
+- ret = 1;
+- } else {
+- *a = NULL;
+- ret = idr_alloc_u32(&idrinfo->action_idr, NULL, index,
+- *index, GFP_KERNEL);
+- if (!ret)
+- idr_replace(&idrinfo->action_idr,
+- ERR_PTR(-EBUSY), *index);
++ if (!p) {
++ /* Empty slot, try to allocate it */
++ max = *index;
++ rcu_read_unlock();
++ goto new;
++ }
++
++ if (!refcount_inc_not_zero(&p->tcfa_refcnt)) {
++ /* Action was deleted in parallel */
++ rcu_read_unlock();
++ return -EAGAIN;
+ }
++
++ if (bind)
++ atomic_inc(&p->tcfa_bindcnt);
++ *a = p;
++
++ rcu_read_unlock();
++
++ return 1;
+ } else {
++ /* Find a slot */
+ *index = 1;
+- *a = NULL;
+- ret = idr_alloc_u32(&idrinfo->action_idr, NULL, index,
+- UINT_MAX, GFP_KERNEL);
+- if (!ret)
+- idr_replace(&idrinfo->action_idr, ERR_PTR(-EBUSY),
+- *index);
++ max = UINT_MAX;
+ }
++
++new:
++ *a = NULL;
++
++ mutex_lock(&idrinfo->lock);
++ ret = idr_alloc_u32(&idrinfo->action_idr, ERR_PTR(-EBUSY), index, max,
++ GFP_KERNEL);
+ mutex_unlock(&idrinfo->lock);
++
++ /* N binds raced for action allocation,
++ * retry for all the ones that failed.
++ */
++ if (ret == -ENOSPC && *index == max)
++ ret = -EAGAIN;
++
+ return ret;
+ }
+ EXPORT_SYMBOL(tcf_idr_check_alloc);
+--
+2.43.0
+
--- /dev/null
+From 7c8afbdbc71678a90659d95ff8ec3209588b0e18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jun 2024 09:39:22 +0800
+Subject: net: stmmac: No need to calculate speed divider when offload is
+ disabled
+
+From: Xiaolei Wang <xiaolei.wang@windriver.com>
+
+[ Upstream commit b8c43360f6e424131fa81d3ba8792ad8ff25a09e ]
+
+commit be27b8965297 ("net: stmmac: replace priv->speed with
+the portTransmitRate from the tc-cbs parameters") introduced
+a problem. When deleting, it prompts "Invalid portTransmitRate
+0 (idleSlope - sendSlope)" and exits. Add judgment on cbs.enable.
+Only when offload is enabled, speed divider needs to be calculated.
+
+Fixes: be27b8965297 ("net: stmmac: replace priv->speed with the portTransmitRate from the tc-cbs parameters")
+Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20240617013922.1035854-1-xiaolei.wang@windriver.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/stmicro/stmmac/stmmac_tc.c | 40 ++++++++++---------
+ 1 file changed, 22 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
+index 2467598f9d92f..77245f856dd0e 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
+@@ -358,24 +358,28 @@ static int tc_setup_cbs(struct stmmac_priv *priv,
+
+ port_transmit_rate_kbps = qopt->idleslope - qopt->sendslope;
+
+- /* Port Transmit Rate and Speed Divider */
+- switch (div_s64(port_transmit_rate_kbps, 1000)) {
+- case SPEED_10000:
+- case SPEED_5000:
+- ptr = 32;
+- break;
+- case SPEED_2500:
+- case SPEED_1000:
+- ptr = 8;
+- break;
+- case SPEED_100:
+- ptr = 4;
+- break;
+- default:
+- netdev_err(priv->dev,
+- "Invalid portTransmitRate %lld (idleSlope - sendSlope)\n",
+- port_transmit_rate_kbps);
+- return -EINVAL;
++ if (qopt->enable) {
++ /* Port Transmit Rate and Speed Divider */
++ switch (div_s64(port_transmit_rate_kbps, 1000)) {
++ case SPEED_10000:
++ case SPEED_5000:
++ ptr = 32;
++ break;
++ case SPEED_2500:
++ case SPEED_1000:
++ ptr = 8;
++ break;
++ case SPEED_100:
++ ptr = 4;
++ break;
++ default:
++ netdev_err(priv->dev,
++ "Invalid portTransmitRate %lld (idleSlope - sendSlope)\n",
++ port_transmit_rate_kbps);
++ return -EINVAL;
++ }
++ } else {
++ ptr = 0;
+ }
+
+ mode_to_use = priv->plat->tx_queues_cfg[queue].mode_to_use;
+--
+2.43.0
+
--- /dev/null
+From 27dec3ec936b8faf630f49c32aef5bbffbe88d18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Jun 2024 15:28:03 +0200
+Subject: net: usb: rtl8150 fix unintiatilzed variables in
+ rtl8150_get_link_ksettings
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit fba383985354e83474f95f36d7c65feb75dba19d ]
+
+This functions retrieves values by passing a pointer. As the function
+that retrieves them can fail before touching the pointers, the variables
+must be initialized.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+5186630949e3c55f0799@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20240619132816.11526-1-oneukum@suse.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/rtl8150.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
+index 97afd7335d868..01a3b2417a540 100644
+--- a/drivers/net/usb/rtl8150.c
++++ b/drivers/net/usb/rtl8150.c
+@@ -778,7 +778,8 @@ static int rtl8150_get_link_ksettings(struct net_device *netdev,
+ struct ethtool_link_ksettings *ecmd)
+ {
+ rtl8150_t *dev = netdev_priv(netdev);
+- short lpa, bmcr;
++ short lpa = 0;
++ short bmcr = 0;
+ u32 supported;
+
+ supported = (SUPPORTED_10baseT_Half |
+--
+2.43.0
+
--- /dev/null
+From fd3e3ea0d9025b135f57ab8a1384e697496a1778 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jun 2024 11:18:15 +0200
+Subject: netfilter: ipset: Fix suspicious rcu_dereference_protected()
+
+From: Jozsef Kadlecsik <kadlec@netfilter.org>
+
+[ Upstream commit 8ecd06277a7664f4ef018abae3abd3451d64e7a6 ]
+
+When destroying all sets, we are either in pernet exit phase or
+are executing a "destroy all sets command" from userspace. The latter
+was taken into account in ip_set_dereference() (nfnetlink mutex is held),
+but the former was not. The patch adds the required check to
+rcu_dereference_protected() in ip_set_dereference().
+
+Fixes: 4e7aaa6b82d6 ("netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type")
+Reported-by: syzbot+b62c37cdd58103293a5a@syzkaller.appspotmail.com
+Reported-by: syzbot+cfbe1da5fdfc39efc293@syzkaller.appspotmail.com
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202406141556.e0b6f17e-lkp@intel.com
+Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipset/ip_set_core.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
+index c7ae4d9bf3d24..61431690cbd5f 100644
+--- a/net/netfilter/ipset/ip_set_core.c
++++ b/net/netfilter/ipset/ip_set_core.c
+@@ -53,12 +53,13 @@ MODULE_DESCRIPTION("core IP set support");
+ MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET);
+
+ /* When the nfnl mutex or ip_set_ref_lock is held: */
+-#define ip_set_dereference(p) \
+- rcu_dereference_protected(p, \
++#define ip_set_dereference(inst) \
++ rcu_dereference_protected((inst)->ip_set_list, \
+ lockdep_nfnl_is_held(NFNL_SUBSYS_IPSET) || \
+- lockdep_is_held(&ip_set_ref_lock))
++ lockdep_is_held(&ip_set_ref_lock) || \
++ (inst)->is_deleted)
+ #define ip_set(inst, id) \
+- ip_set_dereference((inst)->ip_set_list)[id]
++ ip_set_dereference(inst)[id]
+ #define ip_set_ref_netlink(inst,id) \
+ rcu_dereference_raw((inst)->ip_set_list)[id]
+ #define ip_set_dereference_nfnl(p) \
+@@ -1133,7 +1134,7 @@ static int ip_set_create(struct sk_buff *skb, const struct nfnl_info *info,
+ if (!list)
+ goto cleanup;
+ /* nfnl mutex is held, both lists are valid */
+- tmp = ip_set_dereference(inst->ip_set_list);
++ tmp = ip_set_dereference(inst);
+ memcpy(list, tmp, sizeof(struct ip_set *) * inst->ip_set_max);
+ rcu_assign_pointer(inst->ip_set_list, list);
+ /* Make sure all current packets have passed through */
+--
+2.43.0
+
--- /dev/null
+From b87f50c1ebfa76eacfb1e5a94bedc60574cc026e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Jun 2024 17:42:47 +0800
+Subject: netfilter: move the sysctl nf_hooks_lwtunnel into the netfilter core
+
+From: Jianguo Wu <wujianguo@chinatelecom.cn>
+
+[ Upstream commit a2225e0250c5fa397dcebf6ce65a9f05a114e0cf ]
+
+Currently, the sysctl net.netfilter.nf_hooks_lwtunnel depends on the
+nf_conntrack module, but the nf_conntrack module is not always loaded.
+Therefore, accessing net.netfilter.nf_hooks_lwtunnel may have an error.
+
+Move sysctl nf_hooks_lwtunnel into the netfilter core.
+
+Fixes: 7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane")
+Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Jianguo Wu <wujianguo@chinatelecom.cn>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netns/netfilter.h | 3 ++
+ net/netfilter/core.c | 13 ++++-
+ net/netfilter/nf_conntrack_standalone.c | 15 ------
+ net/netfilter/nf_hooks_lwtunnel.c | 67 +++++++++++++++++++++++++
+ net/netfilter/nf_internals.h | 6 +++
+ 5 files changed, 87 insertions(+), 17 deletions(-)
+
+diff --git a/include/net/netns/netfilter.h b/include/net/netns/netfilter.h
+index 02bbdc577f8e2..a6a0bf4a247e5 100644
+--- a/include/net/netns/netfilter.h
++++ b/include/net/netns/netfilter.h
+@@ -15,6 +15,9 @@ struct netns_nf {
+ const struct nf_logger __rcu *nf_loggers[NFPROTO_NUMPROTO];
+ #ifdef CONFIG_SYSCTL
+ struct ctl_table_header *nf_log_dir_header;
++#ifdef CONFIG_LWTUNNEL
++ struct ctl_table_header *nf_lwtnl_dir_header;
++#endif
+ #endif
+ struct nf_hook_entries __rcu *hooks_ipv4[NF_INET_NUMHOOKS];
+ struct nf_hook_entries __rcu *hooks_ipv6[NF_INET_NUMHOOKS];
+diff --git a/net/netfilter/core.c b/net/netfilter/core.c
+index ef4e76e5aef9f..7bae43b00ebbe 100644
+--- a/net/netfilter/core.c
++++ b/net/netfilter/core.c
+@@ -815,12 +815,21 @@ int __init netfilter_init(void)
+ if (ret < 0)
+ goto err;
+
++#ifdef CONFIG_LWTUNNEL
++ ret = netfilter_lwtunnel_init();
++ if (ret < 0)
++ goto err_lwtunnel_pernet;
++#endif
+ ret = netfilter_log_init();
+ if (ret < 0)
+- goto err_pernet;
++ goto err_log_pernet;
+
+ return 0;
+-err_pernet:
++err_log_pernet:
++#ifdef CONFIG_LWTUNNEL
++ netfilter_lwtunnel_fini();
++err_lwtunnel_pernet:
++#endif
+ unregister_pernet_subsys(&netfilter_net_ops);
+ err:
+ return ret;
+diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
+index 2f226cfb32d04..f713df823daaf 100644
+--- a/net/netfilter/nf_conntrack_standalone.c
++++ b/net/netfilter/nf_conntrack_standalone.c
+@@ -22,9 +22,6 @@
+ #include <net/netfilter/nf_conntrack_acct.h>
+ #include <net/netfilter/nf_conntrack_zones.h>
+ #include <net/netfilter/nf_conntrack_timestamp.h>
+-#ifdef CONFIG_LWTUNNEL
+-#include <net/netfilter/nf_hooks_lwtunnel.h>
+-#endif
+ #include <linux/rculist_nulls.h>
+
+ static bool enable_hooks __read_mostly;
+@@ -612,9 +609,6 @@ enum nf_ct_sysctl_index {
+ NF_SYSCTL_CT_PROTO_TIMEOUT_GRE,
+ NF_SYSCTL_CT_PROTO_TIMEOUT_GRE_STREAM,
+ #endif
+-#ifdef CONFIG_LWTUNNEL
+- NF_SYSCTL_CT_LWTUNNEL,
+-#endif
+
+ NF_SYSCTL_CT_LAST_SYSCTL,
+ };
+@@ -946,15 +940,6 @@ static struct ctl_table nf_ct_sysctl_table[] = {
+ .proc_handler = proc_dointvec_jiffies,
+ },
+ #endif
+-#ifdef CONFIG_LWTUNNEL
+- [NF_SYSCTL_CT_LWTUNNEL] = {
+- .procname = "nf_hooks_lwtunnel",
+- .data = NULL,
+- .maxlen = sizeof(int),
+- .mode = 0644,
+- .proc_handler = nf_hooks_lwtunnel_sysctl_handler,
+- },
+-#endif
+ };
+
+ static struct ctl_table nf_ct_netfilter_table[] = {
+diff --git a/net/netfilter/nf_hooks_lwtunnel.c b/net/netfilter/nf_hooks_lwtunnel.c
+index 00e89ffd78f69..7cdb59bb4459f 100644
+--- a/net/netfilter/nf_hooks_lwtunnel.c
++++ b/net/netfilter/nf_hooks_lwtunnel.c
+@@ -3,6 +3,9 @@
+ #include <linux/sysctl.h>
+ #include <net/lwtunnel.h>
+ #include <net/netfilter/nf_hooks_lwtunnel.h>
++#include <linux/netfilter.h>
++
++#include "nf_internals.h"
+
+ static inline int nf_hooks_lwtunnel_get(void)
+ {
+@@ -50,4 +53,68 @@ int nf_hooks_lwtunnel_sysctl_handler(struct ctl_table *table, int write,
+ return ret;
+ }
+ EXPORT_SYMBOL_GPL(nf_hooks_lwtunnel_sysctl_handler);
++
++static struct ctl_table nf_lwtunnel_sysctl_table[] = {
++ {
++ .procname = "nf_hooks_lwtunnel",
++ .data = NULL,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = nf_hooks_lwtunnel_sysctl_handler,
++ },
++};
++
++static int __net_init nf_lwtunnel_net_init(struct net *net)
++{
++ struct ctl_table_header *hdr;
++ struct ctl_table *table;
++
++ table = nf_lwtunnel_sysctl_table;
++ if (!net_eq(net, &init_net)) {
++ table = kmemdup(nf_lwtunnel_sysctl_table,
++ sizeof(nf_lwtunnel_sysctl_table),
++ GFP_KERNEL);
++ if (!table)
++ goto err_alloc;
++ }
++
++ hdr = register_net_sysctl_sz(net, "net/netfilter", table,
++ ARRAY_SIZE(nf_lwtunnel_sysctl_table));
++ if (!hdr)
++ goto err_reg;
++
++ net->nf.nf_lwtnl_dir_header = hdr;
++
++ return 0;
++err_reg:
++ if (!net_eq(net, &init_net))
++ kfree(table);
++err_alloc:
++ return -ENOMEM;
++}
++
++static void __net_exit nf_lwtunnel_net_exit(struct net *net)
++{
++ const struct ctl_table *table;
++
++ table = net->nf.nf_lwtnl_dir_header->ctl_table_arg;
++ unregister_net_sysctl_table(net->nf.nf_lwtnl_dir_header);
++ if (!net_eq(net, &init_net))
++ kfree(table);
++}
++
++static struct pernet_operations nf_lwtunnel_net_ops = {
++ .init = nf_lwtunnel_net_init,
++ .exit = nf_lwtunnel_net_exit,
++};
++
++int __init netfilter_lwtunnel_init(void)
++{
++ return register_pernet_subsys(&nf_lwtunnel_net_ops);
++}
++
++void netfilter_lwtunnel_fini(void)
++{
++ unregister_pernet_subsys(&nf_lwtunnel_net_ops);
++}
+ #endif /* CONFIG_SYSCTL */
+diff --git a/net/netfilter/nf_internals.h b/net/netfilter/nf_internals.h
+index 832ae64179f0f..25403023060b6 100644
+--- a/net/netfilter/nf_internals.h
++++ b/net/netfilter/nf_internals.h
+@@ -29,6 +29,12 @@ void nf_queue_nf_hook_drop(struct net *net);
+ /* nf_log.c */
+ int __init netfilter_log_init(void);
+
++#ifdef CONFIG_LWTUNNEL
++/* nf_hooks_lwtunnel.c */
++int __init netfilter_lwtunnel_init(void);
++void netfilter_lwtunnel_fini(void);
++#endif
++
+ /* core.c */
+ void nf_hook_entries_delete_raw(struct nf_hook_entries __rcu **pp,
+ const struct nf_hook_ops *reg);
+--
+2.43.0
+
--- /dev/null
+From acebfc7a8b83df4199a3a8c7c5c109a844754f97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 May 2024 11:29:30 +0200
+Subject: netfilter: Remove the now superfluous sentinel elements from
+ ctl_table array
+
+From: Joel Granados <j.granados@samsung.com>
+
+[ Upstream commit 635470eb0aa71ba41c47593c66f65ac1e5d59dd7 ]
+
+This commit comes at the tail end of a greater effort to remove the
+empty elements at the end of the ctl_table arrays (sentinels) which will
+reduce the overall build time size of the kernel and run time memory
+bloat by ~64 bytes per sentinel (further information Link :
+https://lore.kernel.org/all/ZO5Yx5JFogGi%2FcBo@bombadil.infradead.org/)
+
+* Remove sentinel elements from ctl_table structs
+* Remove instances where an array element is zeroed out to make it look
+ like a sentinel. This is not longer needed and is safe after commit
+ c899710fe7f9 ("networking: Update to register_net_sysctl_sz") added
+ the array size to the ctl_table registration
+* Remove the need for having __NF_SYSCTL_CT_LAST_SYSCTL as the
+ sysctl array size is now in NF_SYSCTL_CT_LAST_SYSCTL
+* Remove extra element in ctl_table arrays declarations
+
+Acked-by: Kees Cook <keescook@chromium.org> # loadpin & yama
+Signed-off-by: Joel Granados <j.granados@samsung.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: a2225e0250c5 ("netfilter: move the sysctl nf_hooks_lwtunnel into the netfilter core")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_netfilter_hooks.c | 1 -
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 1 -
+ net/netfilter/ipvs/ip_vs_ctl.c | 5 +----
+ net/netfilter/ipvs/ip_vs_lblc.c | 5 +----
+ net/netfilter/ipvs/ip_vs_lblcr.c | 5 +----
+ net/netfilter/nf_conntrack_standalone.c | 6 +-----
+ net/netfilter/nf_log.c | 3 +--
+ 7 files changed, 5 insertions(+), 21 deletions(-)
+
+diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
+index d848c84ed030d..9a875329d4193 100644
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -1229,7 +1229,6 @@ static struct ctl_table brnf_table[] = {
+ .mode = 0644,
+ .proc_handler = brnf_sysctl_call_tables,
+ },
+- { }
+ };
+
+ static inline void br_netfilter_sysctl_default(struct brnf_net *brnf)
+diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
+index efbec7ee27d0a..2379d8edbb175 100644
+--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
+@@ -62,7 +62,6 @@ static struct ctl_table nf_ct_frag6_sysctl_table[] = {
+ .mode = 0644,
+ .proc_handler = proc_doulongvec_minmax,
+ },
+- { }
+ };
+
+ static int nf_ct_frag6_sysctl_register(struct net *net)
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 143a341bbc0a4..50b5dbe40eb85 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -2263,7 +2263,6 @@ static struct ctl_table vs_vars[] = {
+ .proc_handler = proc_dointvec,
+ },
+ #endif
+- { }
+ };
+
+ #endif
+@@ -4286,10 +4285,8 @@ static int __net_init ip_vs_control_net_init_sysctl(struct netns_ipvs *ipvs)
+ return -ENOMEM;
+
+ /* Don't export sysctls to unprivileged users */
+- if (net->user_ns != &init_user_ns) {
+- tbl[0].procname = NULL;
++ if (net->user_ns != &init_user_ns)
+ ctl_table_size = 0;
+- }
+ } else
+ tbl = vs_vars;
+ /* Initialize sysctl defaults */
+diff --git a/net/netfilter/ipvs/ip_vs_lblc.c b/net/netfilter/ipvs/ip_vs_lblc.c
+index cf78ba4ce5ffd..86c50234241fb 100644
+--- a/net/netfilter/ipvs/ip_vs_lblc.c
++++ b/net/netfilter/ipvs/ip_vs_lblc.c
+@@ -123,7 +123,6 @@ static struct ctl_table vs_vars_table[] = {
+ .mode = 0644,
+ .proc_handler = proc_dointvec_jiffies,
+ },
+- { }
+ };
+ #endif
+
+@@ -563,10 +562,8 @@ static int __net_init __ip_vs_lblc_init(struct net *net)
+ return -ENOMEM;
+
+ /* Don't export sysctls to unprivileged users */
+- if (net->user_ns != &init_user_ns) {
+- ipvs->lblc_ctl_table[0].procname = NULL;
++ if (net->user_ns != &init_user_ns)
+ vars_table_size = 0;
+- }
+
+ } else
+ ipvs->lblc_ctl_table = vs_vars_table;
+diff --git a/net/netfilter/ipvs/ip_vs_lblcr.c b/net/netfilter/ipvs/ip_vs_lblcr.c
+index 9eddf118b40ec..150849f1fb351 100644
+--- a/net/netfilter/ipvs/ip_vs_lblcr.c
++++ b/net/netfilter/ipvs/ip_vs_lblcr.c
+@@ -294,7 +294,6 @@ static struct ctl_table vs_vars_table[] = {
+ .mode = 0644,
+ .proc_handler = proc_dointvec_jiffies,
+ },
+- { }
+ };
+ #endif
+
+@@ -749,10 +748,8 @@ static int __net_init __ip_vs_lblcr_init(struct net *net)
+ return -ENOMEM;
+
+ /* Don't export sysctls to unprivileged users */
+- if (net->user_ns != &init_user_ns) {
+- ipvs->lblcr_ctl_table[0].procname = NULL;
++ if (net->user_ns != &init_user_ns)
+ vars_table_size = 0;
+- }
+ } else
+ ipvs->lblcr_ctl_table = vs_vars_table;
+ ipvs->sysctl_lblcr_expiration = DEFAULT_EXPIRATION;
+diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
+index 0ee98ce5b8165..2f226cfb32d04 100644
+--- a/net/netfilter/nf_conntrack_standalone.c
++++ b/net/netfilter/nf_conntrack_standalone.c
+@@ -616,11 +616,9 @@ enum nf_ct_sysctl_index {
+ NF_SYSCTL_CT_LWTUNNEL,
+ #endif
+
+- __NF_SYSCTL_CT_LAST_SYSCTL,
++ NF_SYSCTL_CT_LAST_SYSCTL,
+ };
+
+-#define NF_SYSCTL_CT_LAST_SYSCTL (__NF_SYSCTL_CT_LAST_SYSCTL + 1)
+-
+ static struct ctl_table nf_ct_sysctl_table[] = {
+ [NF_SYSCTL_CT_MAX] = {
+ .procname = "nf_conntrack_max",
+@@ -957,7 +955,6 @@ static struct ctl_table nf_ct_sysctl_table[] = {
+ .proc_handler = nf_hooks_lwtunnel_sysctl_handler,
+ },
+ #endif
+- {}
+ };
+
+ static struct ctl_table nf_ct_netfilter_table[] = {
+@@ -968,7 +965,6 @@ static struct ctl_table nf_ct_netfilter_table[] = {
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ },
+- { }
+ };
+
+ static void nf_conntrack_standalone_init_tcp_sysctl(struct net *net,
+diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
+index e16f158388bbe..0870a0e067a84 100644
+--- a/net/netfilter/nf_log.c
++++ b/net/netfilter/nf_log.c
+@@ -390,7 +390,7 @@ static const struct seq_operations nflog_seq_ops = {
+
+ #ifdef CONFIG_SYSCTL
+ static char nf_log_sysctl_fnames[NFPROTO_NUMPROTO-NFPROTO_UNSPEC][3];
+-static struct ctl_table nf_log_sysctl_table[NFPROTO_NUMPROTO+1];
++static struct ctl_table nf_log_sysctl_table[NFPROTO_NUMPROTO];
+ static struct ctl_table_header *nf_log_sysctl_fhdr;
+
+ static struct ctl_table nf_log_sysctl_ftable[] = {
+@@ -401,7 +401,6 @@ static struct ctl_table nf_log_sysctl_ftable[] = {
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ },
+- { }
+ };
+
+ static int nf_log_proc_dostring(struct ctl_table *table, int write,
+--
+2.43.0
+
--- /dev/null
+From 446b4597a26f90cfe7f949af3ee8e79d02fdd8fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Jun 2024 21:13:02 +0800
+Subject: netns: Make get_net_ns() handle zero refcount net
+
+From: Yue Haibing <yuehaibing@huawei.com>
+
+[ Upstream commit ff960f9d3edbe08a736b5a224d91a305ccc946b0 ]
+
+Syzkaller hit a warning:
+refcount_t: addition on 0; use-after-free.
+WARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0
+Modules linked in:
+CPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+RIP: 0010:refcount_warn_saturate+0xdf/0x1d0
+Code: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 <0f> 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1
+RSP: 0018:ffff8881067b7da0 EFLAGS: 00010286
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac
+RDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001
+RBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139
+R10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4
+R13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040
+FS: 00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ ? show_regs+0xa3/0xc0
+ ? __warn+0xa5/0x1c0
+ ? refcount_warn_saturate+0xdf/0x1d0
+ ? report_bug+0x1fc/0x2d0
+ ? refcount_warn_saturate+0xdf/0x1d0
+ ? handle_bug+0xa1/0x110
+ ? exc_invalid_op+0x3c/0xb0
+ ? asm_exc_invalid_op+0x1f/0x30
+ ? __warn_printk+0xcc/0x140
+ ? __warn_printk+0xd5/0x140
+ ? refcount_warn_saturate+0xdf/0x1d0
+ get_net_ns+0xa4/0xc0
+ ? __pfx_get_net_ns+0x10/0x10
+ open_related_ns+0x5a/0x130
+ __tun_chr_ioctl+0x1616/0x2370
+ ? __sanitizer_cov_trace_switch+0x58/0xa0
+ ? __sanitizer_cov_trace_const_cmp2+0x1c/0x30
+ ? __pfx_tun_chr_ioctl+0x10/0x10
+ tun_chr_ioctl+0x2f/0x40
+ __x64_sys_ioctl+0x11b/0x160
+ x64_sys_call+0x1211/0x20d0
+ do_syscall_64+0x9e/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f5b28f165d7
+Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8
+RSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7
+RDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003
+RBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0
+R10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730
+R13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000
+ </TASK>
+Kernel panic - not syncing: kernel: panic_on_warn set ...
+
+This is trigger as below:
+ ns0 ns1
+tun_set_iff() //dev is tun0
+ tun->dev = dev
+//ip link set tun0 netns ns1
+ put_net() //ref is 0
+__tun_chr_ioctl() //TUNGETDEVNETNS
+ net = dev_net(tun->dev);
+ open_related_ns(&net->ns, get_net_ns); //ns1
+ get_net_ns()
+ get_net() //addition on 0
+
+Use maybe_get_net() in get_net_ns in case net's ref is zero to fix this
+
+Fixes: 0c3e0e3bb623 ("tun: Add ioctl() TUNGETDEVNETNS cmd to allow obtaining real net ns of tun device")
+Signed-off-by: Yue Haibing <yuehaibing@huawei.com>
+Link: https://lore.kernel.org/r/20240614131302.2698509-1-yuehaibing@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/net_namespace.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
+index ebea4fa69976a..018e213185a17 100644
+--- a/net/core/net_namespace.c
++++ b/net/core/net_namespace.c
+@@ -670,11 +670,16 @@ EXPORT_SYMBOL_GPL(__put_net);
+ * get_net_ns - increment the refcount of the network namespace
+ * @ns: common namespace (net)
+ *
+- * Returns the net's common namespace.
++ * Returns the net's common namespace or ERR_PTR() if ref is zero.
+ */
+ struct ns_common *get_net_ns(struct ns_common *ns)
+ {
+- return &get_net(container_of(ns, struct net, ns))->ns;
++ struct net *net;
++
++ net = maybe_get_net(container_of(ns, struct net, ns));
++ if (net)
++ return &net->ns;
++ return ERR_PTR(-EINVAL);
+ }
+ EXPORT_SYMBOL_GPL(get_net_ns);
+
+--
+2.43.0
+
--- /dev/null
+From 201528c3caa57038bbec82e40cdc8ed555e51e66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Jun 2024 08:23:00 +0000
+Subject: netrom: Fix a memory leak in nr_heartbeat_expiry()
+
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+
+[ Upstream commit 0b9130247f3b6a1122478471ff0e014ea96bb735 ]
+
+syzbot reported a memory leak in nr_create() [0].
+
+Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.")
+added sock_hold() to the nr_heartbeat_expiry() function, where
+a) a socket has a SOCK_DESTROY flag or
+b) a listening socket has a SOCK_DEAD flag.
+
+But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor
+has already been closed and the nr_release() function has been called.
+So it makes no sense to hold the reference count because no one will
+call another nr_destroy_socket() and put it as in the case "b."
+
+nr_connect
+ nr_establish_data_link
+ nr_start_heartbeat
+
+nr_release
+ switch (nr->state)
+ case NR_STATE_3
+ nr->state = NR_STATE_2
+ sock_set_flag(sk, SOCK_DESTROY);
+
+ nr_rx_frame
+ nr_process_rx_frame
+ switch (nr->state)
+ case NR_STATE_2
+ nr_state2_machine()
+ nr_disconnect()
+ nr_sk(sk)->state = NR_STATE_0
+ sock_set_flag(sk, SOCK_DEAD)
+
+ nr_heartbeat_expiry
+ switch (nr->state)
+ case NR_STATE_0
+ if (sock_flag(sk, SOCK_DESTROY) ||
+ (sk->sk_state == TCP_LISTEN
+ && sock_flag(sk, SOCK_DEAD)))
+ sock_hold() // ( !!! )
+ nr_destroy_socket()
+
+To fix the memory leak, let's call sock_hold() only for a listening socket.
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with Syzkaller.
+
+[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16
+
+Reported-by: syzbot+d327a1f3b12e1e206c16@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16
+Fixes: 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.")
+Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/nr_timer.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/netrom/nr_timer.c b/net/netrom/nr_timer.c
+index 4e7c968cde2dc..5e3ca068f04e0 100644
+--- a/net/netrom/nr_timer.c
++++ b/net/netrom/nr_timer.c
+@@ -121,7 +121,8 @@ static void nr_heartbeat_expiry(struct timer_list *t)
+ is accepted() it isn't 'dead' so doesn't get removed. */
+ if (sock_flag(sk, SOCK_DESTROY) ||
+ (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) {
+- sock_hold(sk);
++ if (sk->sk_state == TCP_LISTEN)
++ sock_hold(sk);
+ bh_unlock_sock(sk);
+ nr_destroy_socket(sk);
+ goto out;
+--
+2.43.0
+
--- /dev/null
+From c63753e59b3c35f373976ea8ea625b47bfb36bc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jun 2024 17:50:26 +0100
+Subject: octeontx2-pf: Add error handling to VLAN unoffload handling
+
+From: Simon Horman <horms@kernel.org>
+
+[ Upstream commit b95a4afe2defd6f46891985f9436a568cd35a31c ]
+
+otx2_sq_append_skb makes used of __vlan_hwaccel_push_inside()
+to unoffload VLANs - push them from skb meta data into skb data.
+However, it omitts a check for __vlan_hwaccel_push_inside()
+returning NULL.
+
+Found by inspection based on [1] and [2].
+Compile tested only.
+
+[1] Re: [PATCH net-next v1] net: stmmac: Enable TSO on VLANs
+ https://lore.kernel.org/all/ZmrN2W8Fye450TKs@shell.armlinux.org.uk/
+[2] Re: [PATCH net-next v2] net: stmmac: Enable TSO on VLANs
+ https://lore.kernel.org/all/CANn89i+11L5=tKsa7V7Aeyxaj6nYGRwy35PAbCRYJ73G+b25sg@mail.gmail.com/
+
+Fixes: fd9d7859db6c ("octeontx2-pf: Implement ingress/egress VLAN offload")
+Signed-off-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c
+index f828d32737af0..04a49b9b545f3 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c
+@@ -1171,8 +1171,11 @@ bool otx2_sq_append_skb(struct net_device *netdev, struct otx2_snd_queue *sq,
+
+ if (skb_shinfo(skb)->gso_size && !is_hw_tso_supported(pfvf, skb)) {
+ /* Insert vlan tag before giving pkt to tso */
+- if (skb_vlan_tag_present(skb))
++ if (skb_vlan_tag_present(skb)) {
+ skb = __vlan_hwaccel_push_inside(skb);
++ if (!skb)
++ return true;
++ }
+ otx2_sq_append_tso(pfvf, sq, skb, qidx);
+ return true;
+ }
+--
+2.43.0
+
--- /dev/null
+From e10f4fd18d079676bfb0f3518639088f5fcb54c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Jun 2024 11:41:22 +0530
+Subject: octeontx2-pf: Fix linking objects into multiple modules
+
+From: Geetha sowjanya <gakula@marvell.com>
+
+[ Upstream commit 1062d03827b78614259b3b4b992deb27ee6aa84d ]
+
+This patch fixes the below build warning messages that are
+caused due to linking same files to multiple modules by
+exporting the required symbols.
+
+"scripts/Makefile.build:244: drivers/net/ethernet/marvell/octeontx2/nic/Makefile:
+otx2_devlink.o is added to multiple modules: rvu_nicpf rvu_nicvf
+
+scripts/Makefile.build:244: drivers/net/ethernet/marvell/octeontx2/nic/Makefile:
+otx2_dcbnl.o is added to multiple modules: rvu_nicpf rvu_nicvf"
+
+Fixes: 8e67558177f8 ("octeontx2-pf: PFC config support with DCBx").
+Signed-off-by: Geetha sowjanya <gakula@marvell.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/Makefile | 3 +--
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c | 7 +++++++
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.c | 2 ++
+ 3 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/Makefile b/drivers/net/ethernet/marvell/octeontx2/nic/Makefile
+index 5664f768cb0cd..64a97a0a10ed6 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/Makefile
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/Makefile
+@@ -9,10 +9,9 @@ obj-$(CONFIG_OCTEONTX2_VF) += rvu_nicvf.o otx2_ptp.o
+ rvu_nicpf-y := otx2_pf.o otx2_common.o otx2_txrx.o otx2_ethtool.o \
+ otx2_flows.o otx2_tc.o cn10k.o otx2_dmac_flt.o \
+ otx2_devlink.o qos_sq.o qos.o
+-rvu_nicvf-y := otx2_vf.o otx2_devlink.o
++rvu_nicvf-y := otx2_vf.o
+
+ rvu_nicpf-$(CONFIG_DCB) += otx2_dcbnl.o
+-rvu_nicvf-$(CONFIG_DCB) += otx2_dcbnl.o
+ rvu_nicpf-$(CONFIG_MACSEC) += cn10k_macsec.o
+
+ ccflags-y += -I$(srctree)/drivers/net/ethernet/marvell/octeontx2/af
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c
+index 28fb643d2917f..aa01110f04a33 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c
+@@ -54,6 +54,7 @@ int otx2_pfc_txschq_config(struct otx2_nic *pfvf)
+
+ return 0;
+ }
++EXPORT_SYMBOL(otx2_pfc_txschq_config);
+
+ static int otx2_pfc_txschq_alloc_one(struct otx2_nic *pfvf, u8 prio)
+ {
+@@ -122,6 +123,7 @@ int otx2_pfc_txschq_alloc(struct otx2_nic *pfvf)
+
+ return 0;
+ }
++EXPORT_SYMBOL(otx2_pfc_txschq_alloc);
+
+ static int otx2_pfc_txschq_stop_one(struct otx2_nic *pfvf, u8 prio)
+ {
+@@ -260,6 +262,7 @@ int otx2_pfc_txschq_update(struct otx2_nic *pfvf)
+
+ return 0;
+ }
++EXPORT_SYMBOL(otx2_pfc_txschq_update);
+
+ int otx2_pfc_txschq_stop(struct otx2_nic *pfvf)
+ {
+@@ -282,6 +285,7 @@ int otx2_pfc_txschq_stop(struct otx2_nic *pfvf)
+
+ return 0;
+ }
++EXPORT_SYMBOL(otx2_pfc_txschq_stop);
+
+ int otx2_config_priority_flow_ctrl(struct otx2_nic *pfvf)
+ {
+@@ -321,6 +325,7 @@ int otx2_config_priority_flow_ctrl(struct otx2_nic *pfvf)
+ mutex_unlock(&pfvf->mbox.lock);
+ return err;
+ }
++EXPORT_SYMBOL(otx2_config_priority_flow_ctrl);
+
+ void otx2_update_bpid_in_rqctx(struct otx2_nic *pfvf, int vlan_prio, int qidx,
+ bool pfc_enable)
+@@ -385,6 +390,7 @@ void otx2_update_bpid_in_rqctx(struct otx2_nic *pfvf, int vlan_prio, int qidx,
+ "Updating BPIDs in CQ and Aura contexts of RQ%d failed with err %d\n",
+ qidx, err);
+ }
++EXPORT_SYMBOL(otx2_update_bpid_in_rqctx);
+
+ static int otx2_dcbnl_ieee_getpfc(struct net_device *dev, struct ieee_pfc *pfc)
+ {
+@@ -472,3 +478,4 @@ int otx2_dcbnl_set_ops(struct net_device *dev)
+
+ return 0;
+ }
++EXPORT_SYMBOL(otx2_dcbnl_set_ops);
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.c
+index 4e1130496573e..05956bf03c05d 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.c
+@@ -112,6 +112,7 @@ int otx2_register_dl(struct otx2_nic *pfvf)
+ devlink_free(dl);
+ return err;
+ }
++EXPORT_SYMBOL(otx2_register_dl);
+
+ void otx2_unregister_dl(struct otx2_nic *pfvf)
+ {
+@@ -123,3 +124,4 @@ void otx2_unregister_dl(struct otx2_nic *pfvf)
+ ARRAY_SIZE(otx2_dl_params));
+ devlink_free(dl);
+ }
++EXPORT_SYMBOL(otx2_unregister_dl);
+--
+2.43.0
+
--- /dev/null
+From b86c46df18bbeb2c901cd7a177cd39fd63929ffe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jun 2024 12:34:32 +0300
+Subject: ptp: fix integer overflow in max_vclocks_store
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 81d23d2a24012e448f651e007fac2cfd20a45ce0 ]
+
+On 32bit systems, the "4 * max" multiply can overflow. Use kcalloc()
+to do the allocation to prevent this.
+
+Fixes: 44c494c8e30e ("ptp: track available ptp vclocks information")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: Heng Qi <hengqi@linux.alibaba.com>
+Link: https://lore.kernel.org/r/ee8110ed-6619-4bd7-9024-28c1f2ac24f4@moroto.mountain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ptp/ptp_sysfs.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/ptp/ptp_sysfs.c b/drivers/ptp/ptp_sysfs.c
+index 34ea5c16123a1..aefc06ae5d099 100644
+--- a/drivers/ptp/ptp_sysfs.c
++++ b/drivers/ptp/ptp_sysfs.c
+@@ -294,8 +294,7 @@ static ssize_t max_vclocks_store(struct device *dev,
+ if (max < ptp->n_vclocks)
+ goto out;
+
+- size = sizeof(int) * max;
+- vclock_index = kzalloc(size, GFP_KERNEL);
++ vclock_index = kcalloc(max, sizeof(int), GFP_KERNEL);
+ if (!vclock_index) {
+ err = -ENOMEM;
+ goto out;
+--
+2.43.0
+
--- /dev/null
+From bf291220d375f938efe5142d7c2c6f2090098c39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Jun 2024 16:50:30 +0200
+Subject: qca_spi: Make interrupt remembering atomic
+
+From: Stefan Wahren <wahrenst@gmx.net>
+
+[ Upstream commit 2d7198278ece01818cd95a3beffbdf8b2a353fa0 ]
+
+The whole mechanism to remember occurred SPI interrupts is not atomic,
+which could lead to unexpected behavior. So fix this by using atomic bit
+operations instead.
+
+Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000")
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Link: https://lore.kernel.org/r/20240614145030.7781-1-wahrenst@gmx.net
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qualcomm/qca_debug.c | 6 ++----
+ drivers/net/ethernet/qualcomm/qca_spi.c | 16 ++++++++--------
+ drivers/net/ethernet/qualcomm/qca_spi.h | 3 +--
+ 3 files changed, 11 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/ethernet/qualcomm/qca_debug.c b/drivers/net/ethernet/qualcomm/qca_debug.c
+index 1822f2ad8f0dd..2ac1b1b96e6a4 100644
+--- a/drivers/net/ethernet/qualcomm/qca_debug.c
++++ b/drivers/net/ethernet/qualcomm/qca_debug.c
+@@ -111,10 +111,8 @@ qcaspi_info_show(struct seq_file *s, void *what)
+
+ seq_printf(s, "IRQ : %d\n",
+ qca->spi_dev->irq);
+- seq_printf(s, "INTR REQ : %u\n",
+- qca->intr_req);
+- seq_printf(s, "INTR SVC : %u\n",
+- qca->intr_svc);
++ seq_printf(s, "INTR : %lx\n",
++ qca->intr);
+
+ seq_printf(s, "SPI max speed : %lu\n",
+ (unsigned long)qca->spi_dev->max_speed_hz);
+diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c
+index 5f3c11fb3fa27..b697a9e6face6 100644
+--- a/drivers/net/ethernet/qualcomm/qca_spi.c
++++ b/drivers/net/ethernet/qualcomm/qca_spi.c
+@@ -48,6 +48,8 @@
+
+ #define MAX_DMA_BURST_LEN 5000
+
++#define SPI_INTR 0
++
+ /* Modules parameters */
+ #define QCASPI_CLK_SPEED_MIN 1000000
+ #define QCASPI_CLK_SPEED_MAX 16000000
+@@ -592,14 +594,14 @@ qcaspi_spi_thread(void *data)
+ continue;
+ }
+
+- if ((qca->intr_req == qca->intr_svc) &&
++ if (!test_bit(SPI_INTR, &qca->intr) &&
+ !qca->txr.skb[qca->txr.head])
+ schedule();
+
+ set_current_state(TASK_RUNNING);
+
+- netdev_dbg(qca->net_dev, "have work to do. int: %d, tx_skb: %p\n",
+- qca->intr_req - qca->intr_svc,
++ netdev_dbg(qca->net_dev, "have work to do. int: %lu, tx_skb: %p\n",
++ qca->intr,
+ qca->txr.skb[qca->txr.head]);
+
+ qcaspi_qca7k_sync(qca, QCASPI_EVENT_UPDATE);
+@@ -613,8 +615,7 @@ qcaspi_spi_thread(void *data)
+ msleep(QCASPI_QCA7K_REBOOT_TIME_MS);
+ }
+
+- if (qca->intr_svc != qca->intr_req) {
+- qca->intr_svc = qca->intr_req;
++ if (test_and_clear_bit(SPI_INTR, &qca->intr)) {
+ start_spi_intr_handling(qca, &intr_cause);
+
+ if (intr_cause & SPI_INT_CPU_ON) {
+@@ -676,7 +677,7 @@ qcaspi_intr_handler(int irq, void *data)
+ {
+ struct qcaspi *qca = data;
+
+- qca->intr_req++;
++ set_bit(SPI_INTR, &qca->intr);
+ if (qca->spi_thread)
+ wake_up_process(qca->spi_thread);
+
+@@ -692,8 +693,7 @@ qcaspi_netdev_open(struct net_device *dev)
+ if (!qca)
+ return -EINVAL;
+
+- qca->intr_req = 1;
+- qca->intr_svc = 0;
++ set_bit(SPI_INTR, &qca->intr);
+ qca->sync = QCASPI_SYNC_UNKNOWN;
+ qcafrm_fsm_init_spi(&qca->frm_handle);
+
+diff --git a/drivers/net/ethernet/qualcomm/qca_spi.h b/drivers/net/ethernet/qualcomm/qca_spi.h
+index 3067356106f0b..58ad910068d4b 100644
+--- a/drivers/net/ethernet/qualcomm/qca_spi.h
++++ b/drivers/net/ethernet/qualcomm/qca_spi.h
+@@ -93,8 +93,7 @@ struct qcaspi {
+ struct qcafrm_handle frm_handle;
+ struct sk_buff *rx_skb;
+
+- unsigned int intr_req;
+- unsigned int intr_svc;
++ unsigned long intr;
+ u16 reset_count;
+
+ #ifdef CONFIG_DEBUG_FS
+--
+2.43.0
+
--- /dev/null
+From 09dc5645bdf4c616f2df55d4a2a383a693b42eb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Jun 2024 17:47:30 -0400
+Subject: sched: act_ct: add netns into the key of tcf_ct_flow_table
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 88c67aeb14070bab61d3dd8be96c8b42ebcaf53a ]
+
+zones_ht is a global hashtable for flow_table with zone as key. However,
+it does not consider netns when getting a flow_table from zones_ht in
+tcf_ct_init(), and it means an act_ct action in netns A may get a
+flow_table that belongs to netns B if it has the same zone value.
+
+In Shuang's test with the TOPO:
+
+ tcf2_c <---> tcf2_sw1 <---> tcf2_sw2 <---> tcf2_s
+
+tcf2_sw1 and tcf2_sw2 saw the same flow and used the same flow table,
+which caused their ct entries entering unexpected states and the
+TCP connection not able to end normally.
+
+This patch fixes the issue simply by adding netns into the key of
+tcf_ct_flow_table so that an act_ct action gets a flow_table that
+belongs to its own netns in tcf_ct_init().
+
+Note that for easy coding we don't use tcf_ct_flow_table.nf_ft.net,
+as the ct_ft is initialized after inserting it to the hashtable in
+tcf_ct_flow_table_get() and also it requires to implement several
+functions in rhashtable_params including hashfn, obj_hashfn and
+obj_cmpfn.
+
+Fixes: 64ff70b80fd4 ("net/sched: act_ct: Offload established connections to flow table")
+Reported-by: Shuang Li <shuali@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/1db5b6cc6902c5fc6f8c6cbd85494a2008087be5.1718488050.git.lucien.xin@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_ct.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
+index a7b3f60dd0a8d..1bd86868726bf 100644
+--- a/net/sched/act_ct.c
++++ b/net/sched/act_ct.c
+@@ -41,21 +41,26 @@ static struct workqueue_struct *act_ct_wq;
+ static struct rhashtable zones_ht;
+ static DEFINE_MUTEX(zones_mutex);
+
++struct zones_ht_key {
++ struct net *net;
++ u16 zone;
++};
++
+ struct tcf_ct_flow_table {
+ struct rhash_head node; /* In zones tables */
+
+ struct rcu_work rwork;
+ struct nf_flowtable nf_ft;
+ refcount_t ref;
+- u16 zone;
++ struct zones_ht_key key;
+
+ bool dying;
+ };
+
+ static const struct rhashtable_params zones_params = {
+ .head_offset = offsetof(struct tcf_ct_flow_table, node),
+- .key_offset = offsetof(struct tcf_ct_flow_table, zone),
+- .key_len = sizeof_field(struct tcf_ct_flow_table, zone),
++ .key_offset = offsetof(struct tcf_ct_flow_table, key),
++ .key_len = sizeof_field(struct tcf_ct_flow_table, key),
+ .automatic_shrinking = true,
+ };
+
+@@ -316,11 +321,12 @@ static struct nf_flowtable_type flowtable_ct = {
+
+ static int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params)
+ {
++ struct zones_ht_key key = { .net = net, .zone = params->zone };
+ struct tcf_ct_flow_table *ct_ft;
+ int err = -ENOMEM;
+
+ mutex_lock(&zones_mutex);
+- ct_ft = rhashtable_lookup_fast(&zones_ht, ¶ms->zone, zones_params);
++ ct_ft = rhashtable_lookup_fast(&zones_ht, &key, zones_params);
+ if (ct_ft && refcount_inc_not_zero(&ct_ft->ref))
+ goto out_unlock;
+
+@@ -329,7 +335,7 @@ static int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params)
+ goto err_alloc;
+ refcount_set(&ct_ft->ref, 1);
+
+- ct_ft->zone = params->zone;
++ ct_ft->key = key;
+ err = rhashtable_insert_fast(&zones_ht, &ct_ft->node, zones_params);
+ if (err)
+ goto err_insert;
+--
+2.43.0
+
--- /dev/null
+From 602378c3c5e318333d0ce18e5416ff27f5faa7df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Jun 2024 17:42:46 +0800
+Subject: seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and
+ End.DX6 behaviors
+
+From: Jianguo Wu <wujianguo@chinatelecom.cn>
+
+[ Upstream commit 9a3bc8d16e0aacd65c31aaf23a2bced3288a7779 ]
+
+input_action_end_dx4() and input_action_end_dx6() are called NF_HOOK() for
+PREROUTING hook, in PREROUTING hook, we should passing a valid indev,
+and a NULL outdev to NF_HOOK(), otherwise may trigger a NULL pointer
+dereference, as below:
+
+ [74830.647293] BUG: kernel NULL pointer dereference, address: 0000000000000090
+ [74830.655633] #PF: supervisor read access in kernel mode
+ [74830.657888] #PF: error_code(0x0000) - not-present page
+ [74830.659500] PGD 0 P4D 0
+ [74830.660450] Oops: 0000 [#1] PREEMPT SMP PTI
+ ...
+ [74830.664953] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+ [74830.666569] RIP: 0010:rpfilter_mt+0x44/0x15e [ipt_rpfilter]
+ ...
+ [74830.689725] Call Trace:
+ [74830.690402] <IRQ>
+ [74830.690953] ? show_trace_log_lvl+0x1c4/0x2df
+ [74830.692020] ? show_trace_log_lvl+0x1c4/0x2df
+ [74830.693095] ? ipt_do_table+0x286/0x710 [ip_tables]
+ [74830.694275] ? __die_body.cold+0x8/0xd
+ [74830.695205] ? page_fault_oops+0xac/0x140
+ [74830.696244] ? exc_page_fault+0x62/0x150
+ [74830.697225] ? asm_exc_page_fault+0x22/0x30
+ [74830.698344] ? rpfilter_mt+0x44/0x15e [ipt_rpfilter]
+ [74830.699540] ipt_do_table+0x286/0x710 [ip_tables]
+ [74830.700758] ? ip6_route_input+0x19d/0x240
+ [74830.701752] nf_hook_slow+0x3f/0xb0
+ [74830.702678] input_action_end_dx4+0x19b/0x1e0
+ [74830.703735] ? input_action_end_t+0xe0/0xe0
+ [74830.704734] seg6_local_input_core+0x2d/0x60
+ [74830.705782] lwtunnel_input+0x5b/0xb0
+ [74830.706690] __netif_receive_skb_one_core+0x63/0xa0
+ [74830.707825] process_backlog+0x99/0x140
+ [74830.709538] __napi_poll+0x2c/0x160
+ [74830.710673] net_rx_action+0x296/0x350
+ [74830.711860] __do_softirq+0xcb/0x2ac
+ [74830.713049] do_softirq+0x63/0x90
+
+input_action_end_dx4() passing a NULL indev to NF_HOOK(), and finally
+trigger a NULL dereference in rpfilter_mt()->rpfilter_is_loopback():
+
+ static bool
+ rpfilter_is_loopback(const struct sk_buff *skb,
+ const struct net_device *in)
+ {
+ // in is NULL
+ return skb->pkt_type == PACKET_LOOPBACK ||
+ in->flags & IFF_LOOPBACK;
+ }
+
+Fixes: 7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane")
+Signed-off-by: Jianguo Wu <wujianguo@chinatelecom.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/seg6_local.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv6/seg6_local.c b/net/ipv6/seg6_local.c
+index 24e2b4b494cb0..c434940131b1d 100644
+--- a/net/ipv6/seg6_local.c
++++ b/net/ipv6/seg6_local.c
+@@ -941,8 +941,8 @@ static int input_action_end_dx6(struct sk_buff *skb,
+
+ if (static_branch_unlikely(&nf_hooks_lwtunnel_enabled))
+ return NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING,
+- dev_net(skb->dev), NULL, skb, NULL,
+- skb_dst(skb)->dev, input_action_end_dx6_finish);
++ dev_net(skb->dev), NULL, skb, skb->dev,
++ NULL, input_action_end_dx6_finish);
+
+ return input_action_end_dx6_finish(dev_net(skb->dev), NULL, skb);
+ drop:
+@@ -991,8 +991,8 @@ static int input_action_end_dx4(struct sk_buff *skb,
+
+ if (static_branch_unlikely(&nf_hooks_lwtunnel_enabled))
+ return NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING,
+- dev_net(skb->dev), NULL, skb, NULL,
+- skb_dst(skb)->dev, input_action_end_dx4_finish);
++ dev_net(skb->dev), NULL, skb, skb->dev,
++ NULL, input_action_end_dx4_finish);
+
+ return input_action_end_dx4_finish(dev_net(skb->dev), NULL, skb);
+ drop:
+--
+2.43.0
+
--- /dev/null
+From 70d45ea111f3cf35390b5b069dfab74eb294e26a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jun 2024 09:28:33 +0100
+Subject: selftests: openvswitch: Use bash as interpreter
+
+From: Simon Horman <horms@kernel.org>
+
+[ Upstream commit e2b447c9a1bba718f9c07513a1e8958209e862a1 ]
+
+openvswitch.sh makes use of substitutions of the form ${ns:0:1}, to
+obtain the first character of $ns. Empirically, this is works with bash
+but not dash. When run with dash these evaluate to an empty string and
+printing an error to stdout.
+
+ # dash -c 'ns=client; echo "${ns:0:1}"' 2>error
+ # cat error
+ dash: 1: Bad substitution
+ # bash -c 'ns=client; echo "${ns:0:1}"' 2>error
+ c
+ # cat error
+
+This leads to tests that neither pass nor fail.
+F.e.
+
+ TEST: arp_ping [START]
+ adding sandbox 'test_arp_ping'
+ Adding DP/Bridge IF: sbx:test_arp_ping dp:arpping {, , }
+ create namespaces
+ ./openvswitch.sh: 282: eval: Bad substitution
+ TEST: ct_connect_v4 [START]
+ adding sandbox 'test_ct_connect_v4'
+ Adding DP/Bridge IF: sbx:test_ct_connect_v4 dp:ct4 {, , }
+ ./openvswitch.sh: 322: eval: Bad substitution
+ create namespaces
+
+Resolve this by making openvswitch.sh a bash script.
+
+Fixes: 918423fda910 ("selftests: openvswitch: add an initial flow programming case")
+Signed-off-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Link: https://lore.kernel.org/r/20240617-ovs-selftest-bash-v1-1-7ae6ccd3617b@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/openvswitch/openvswitch.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/openvswitch/openvswitch.sh b/tools/testing/selftests/net/openvswitch/openvswitch.sh
+index 36e40256ab92a..bab7436c68348 100755
+--- a/tools/testing/selftests/net/openvswitch/openvswitch.sh
++++ b/tools/testing/selftests/net/openvswitch/openvswitch.sh
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+ # SPDX-License-Identifier: GPL-2.0
+ #
+ # OVS kernel module self tests
+--
+2.43.0
+
cpufreq-amd-pstate-fix-memory-leak-on-cpu-epp-exit.patch
acpi-ec-install-address-space-handler-at-the-namespa.patch
pci-do-not-wait-for-disconnected-devices-when-resumi.patch
+alsa-hda-cs35l41-possible-null-pointer-dereference-i.patch
+alsa-seq-ump-fix-missing-system-reset-message-handli.patch
+mips-routerboard-532-fix-vendor-retry-check-code.patch
+mips-bmips-bcm6358-make-sure-cbr-is-correctly-set.patch
+tracing-build-event-generation-tests-only-as-modules.patch
+alsa-hda-realtek-remove-framework-laptop-16-from-qui.patch
+alsa-hda-intel-dsp-config-document-avs-as-dsp_driver.patch
+ice-avoid-irq-collision-to-fix-init-failure-on-acpi-.patch
+btrfs-zoned-allocate-dummy-checksums-for-zoned-nodat.patch
+net-mvpp2-use-slab_build_skb-for-oversized-frames.patch
+cipso-fix-total-option-length-computation.patch
+alsa-hda-cs35l56-component-should-be-unbound-before-.patch
+alsa-hda-tas2781-component-should-be-unbound-before-.patch
+bpf-avoid-splat-in-pskb_pull_reason.patch
+alsa-hda-realtek-enable-headset-mic-on-ideapad-330-1.patch
+netrom-fix-a-memory-leak-in-nr_heartbeat_expiry.patch
+ipv6-prevent-possible-null-deref-in-fib6_nh_init.patch
+ipv6-prevent-possible-null-dereference-in-rt6_probe.patch
+xfrm6-check-ip6_dst_idev-return-value-in-xfrm6_get_s.patch
+netns-make-get_net_ns-handle-zero-refcount-net.patch
+qca_spi-make-interrupt-remembering-atomic.patch
+net-lan743x-disable-wol-upon-resume-to-restore-full-.patch
+net-lan743x-support-wol-at-both-the-phy-and-mac-appr.patch
+net-phy-mxl-gpy-remove-interrupt-mask-clearing-from-.patch
+net-sched-act_api-rely-on-rcu-in-tcf_idr_check_alloc.patch
+net-sched-act_api-fix-possible-infinite-loop-in-tcf_.patch
+tipc-force-a-dst-refcount-before-doing-decryption.patch
+sched-act_ct-add-netns-into-the-key-of-tcf_ct_flow_t.patch
+ptp-fix-integer-overflow-in-max_vclocks_store.patch
+selftests-openvswitch-use-bash-as-interpreter.patch
+net-stmmac-no-need-to-calculate-speed-divider-when-o.patch
+virtio_net-checksum-offloading-handling-fix.patch
+virtio_net-fixing-xdp-for-fully-checksummed-packets-.patch
+octeontx2-pf-add-error-handling-to-vlan-unoffload-ha.patch
+octeontx2-pf-fix-linking-objects-into-multiple-modul.patch
+netfilter-ipset-fix-suspicious-rcu_dereference_prote.patch
+seg6-fix-parameter-passing-when-calling-nf_hook-in-e.patch
+netfilter-remove-the-now-superfluous-sentinel-elemen.patch
+netfilter-move-the-sysctl-nf_hooks_lwtunnel-into-the.patch
+ice-fix-vsi-list-rule-with-ice_sw_lkup_last-type.patch
+bnxt_en-restore-ptp-tx_avail-count-in-case-of-skb_pa.patch
+net-usb-rtl8150-fix-unintiatilzed-variables-in-rtl81.patch
--- /dev/null
+From 07e349aeb77c060fa40e2830f52599b65aa1f919 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Jun 2024 14:27:20 -0400
+Subject: tipc: force a dst refcount before doing decryption
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 2ebe8f840c7450ecbfca9d18ac92e9ce9155e269 ]
+
+As it says in commit 3bc07321ccc2 ("xfrm: Force a dst refcount before
+entering the xfrm type handlers"):
+
+"Crypto requests might return asynchronous. In this case we leave the
+ rcu protected region, so force a refcount on the skb's destination
+ entry before we enter the xfrm type input/output handlers."
+
+On TIPC decryption path it has the same problem, and skb_dst_force()
+should be called before doing decryption to avoid a possible crash.
+
+Shuang reported this issue when this warning is triggered:
+
+ [] WARNING: include/net/dst.h:337 tipc_sk_rcv+0x1055/0x1ea0 [tipc]
+ [] Kdump: loaded Tainted: G W --------- - - 4.18.0-496.el8.x86_64+debug
+ [] Workqueue: crypto cryptd_queue_worker
+ [] RIP: 0010:tipc_sk_rcv+0x1055/0x1ea0 [tipc]
+ [] Call Trace:
+ [] tipc_sk_mcast_rcv+0x548/0xea0 [tipc]
+ [] tipc_rcv+0xcf5/0x1060 [tipc]
+ [] tipc_aead_decrypt_done+0x215/0x2e0 [tipc]
+ [] cryptd_aead_crypt+0xdb/0x190
+ [] cryptd_queue_worker+0xed/0x190
+ [] process_one_work+0x93d/0x17e0
+
+Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
+Reported-by: Shuang Li <shuali@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Link: https://lore.kernel.org/r/fbe3195fad6997a4eec62d9bf076b2ad03ac336b.1718476040.git.lucien.xin@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/node.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/tipc/node.c b/net/tipc/node.c
+index 3105abe97bb9c..69053c0398252 100644
+--- a/net/tipc/node.c
++++ b/net/tipc/node.c
+@@ -2107,6 +2107,7 @@ void tipc_rcv(struct net *net, struct sk_buff *skb, struct tipc_bearer *b)
+ } else {
+ n = tipc_node_find_by_id(net, ehdr->id);
+ }
++ skb_dst_force(skb);
+ tipc_crypto_rcv(net, (n) ? n->crypto_rx : NULL, &skb, b);
+ if (!skb)
+ return;
+--
+2.43.0
+
--- /dev/null
+From 2fce8e5dcc86e9cdb54ab668d22bbcc59a528ae4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Jun 2024 22:30:37 +0900
+Subject: tracing: Build event generation tests only as modules
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+[ Upstream commit 3572bd5689b0812b161b40279e39ca5b66d73e88 ]
+
+The kprobes and synth event generation test modules add events and lock
+(get a reference) those event file reference in module init function,
+and unlock and delete it in module exit function. This is because those
+are designed for playing as modules.
+
+If we make those modules as built-in, those events are left locked in the
+kernel, and never be removed. This causes kprobe event self-test failure
+as below.
+
+[ 97.349708] ------------[ cut here ]------------
+[ 97.353453] WARNING: CPU: 3 PID: 1 at kernel/trace/trace_kprobe.c:2133 kprobe_trace_self_tests_init+0x3f1/0x480
+[ 97.357106] Modules linked in:
+[ 97.358488] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 6.9.0-g699646734ab5-dirty #14
+[ 97.361556] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+[ 97.363880] RIP: 0010:kprobe_trace_self_tests_init+0x3f1/0x480
+[ 97.365538] Code: a8 24 08 82 e9 ae fd ff ff 90 0f 0b 90 48 c7 c7 e5 aa 0b 82 e9 ee fc ff ff 90 0f 0b 90 48 c7 c7 2d 61 06 82 e9 8e fd ff ff 90 <0f> 0b 90 48 c7 c7 33 0b 0c 82 89 c6 e8 6e 03 1f ff 41 ff c7 e9 90
+[ 97.370429] RSP: 0000:ffffc90000013b50 EFLAGS: 00010286
+[ 97.371852] RAX: 00000000fffffff0 RBX: ffff888005919c00 RCX: 0000000000000000
+[ 97.373829] RDX: ffff888003f40000 RSI: ffffffff8236a598 RDI: ffff888003f40a68
+[ 97.375715] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
+[ 97.377675] R10: ffffffff811c9ae5 R11: ffffffff8120c4e0 R12: 0000000000000000
+[ 97.379591] R13: 0000000000000001 R14: 0000000000000015 R15: 0000000000000000
+[ 97.381536] FS: 0000000000000000(0000) GS:ffff88807dcc0000(0000) knlGS:0000000000000000
+[ 97.383813] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 97.385449] CR2: 0000000000000000 CR3: 0000000002244000 CR4: 00000000000006b0
+[ 97.387347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 97.389277] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 97.391196] Call Trace:
+[ 97.391967] <TASK>
+[ 97.392647] ? __warn+0xcc/0x180
+[ 97.393640] ? kprobe_trace_self_tests_init+0x3f1/0x480
+[ 97.395181] ? report_bug+0xbd/0x150
+[ 97.396234] ? handle_bug+0x3e/0x60
+[ 97.397311] ? exc_invalid_op+0x1a/0x50
+[ 97.398434] ? asm_exc_invalid_op+0x1a/0x20
+[ 97.399652] ? trace_kprobe_is_busy+0x20/0x20
+[ 97.400904] ? tracing_reset_all_online_cpus+0x15/0x90
+[ 97.402304] ? kprobe_trace_self_tests_init+0x3f1/0x480
+[ 97.403773] ? init_kprobe_trace+0x50/0x50
+[ 97.404972] do_one_initcall+0x112/0x240
+[ 97.406113] do_initcall_level+0x95/0xb0
+[ 97.407286] ? kernel_init+0x1a/0x1a0
+[ 97.408401] do_initcalls+0x3f/0x70
+[ 97.409452] kernel_init_freeable+0x16f/0x1e0
+[ 97.410662] ? rest_init+0x1f0/0x1f0
+[ 97.411738] kernel_init+0x1a/0x1a0
+[ 97.412788] ret_from_fork+0x39/0x50
+[ 97.413817] ? rest_init+0x1f0/0x1f0
+[ 97.414844] ret_from_fork_asm+0x11/0x20
+[ 97.416285] </TASK>
+[ 97.417134] irq event stamp: 13437323
+[ 97.418376] hardirqs last enabled at (13437337): [<ffffffff8110bc0c>] console_unlock+0x11c/0x150
+[ 97.421285] hardirqs last disabled at (13437370): [<ffffffff8110bbf1>] console_unlock+0x101/0x150
+[ 97.423838] softirqs last enabled at (13437366): [<ffffffff8108e17f>] handle_softirqs+0x23f/0x2a0
+[ 97.426450] softirqs last disabled at (13437393): [<ffffffff8108e346>] __irq_exit_rcu+0x66/0xd0
+[ 97.428850] ---[ end trace 0000000000000000 ]---
+
+And also, since we can not cleanup dynamic_event file, ftracetest are
+failed too.
+
+To avoid these issues, build these tests only as modules.
+
+Link: https://lore.kernel.org/all/171811263754.85078.5877446624311852525.stgit@devnote2/
+
+Fixes: 9fe41efaca08 ("tracing: Add synth event generation test module")
+Fixes: 64836248dda2 ("tracing: Add kprobe event command generation test module")
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/trace/Kconfig b/kernel/trace/Kconfig
+index 61c541c36596d..bcc97f1bd3833 100644
+--- a/kernel/trace/Kconfig
++++ b/kernel/trace/Kconfig
+@@ -1123,7 +1123,7 @@ config PREEMPTIRQ_DELAY_TEST
+
+ config SYNTH_EVENT_GEN_TEST
+ tristate "Test module for in-kernel synthetic event generation"
+- depends on SYNTH_EVENTS
++ depends on SYNTH_EVENTS && m
+ help
+ This option creates a test module to check the base
+ functionality of in-kernel synthetic event definition and
+@@ -1136,7 +1136,7 @@ config SYNTH_EVENT_GEN_TEST
+
+ config KPROBE_EVENT_GEN_TEST
+ tristate "Test module for in-kernel kprobe event generation"
+- depends on KPROBE_EVENTS
++ depends on KPROBE_EVENTS && m
+ help
+ This option creates a test module to check the base
+ functionality of in-kernel kprobe event definition.
+--
+2.43.0
+
--- /dev/null
+From c18400a405f1ebc0e041206ebe855285cb715485 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jun 2024 21:15:23 +0800
+Subject: virtio_net: checksum offloading handling fix
+
+From: Heng Qi <hengqi@linux.alibaba.com>
+
+[ Upstream commit 604141c036e1b636e2a71cf6e1aa09d1e45f40c2 ]
+
+In virtio spec 0.95, VIRTIO_NET_F_GUEST_CSUM was designed to handle
+partially checksummed packets, and the validation of fully checksummed
+packets by the device is independent of VIRTIO_NET_F_GUEST_CSUM
+negotiation. However, the specification erroneously stated:
+
+ "If VIRTIO_NET_F_GUEST_CSUM is not negotiated, the device MUST set flags
+ to zero and SHOULD supply a fully checksummed packet to the driver."
+
+This statement is inaccurate because even without VIRTIO_NET_F_GUEST_CSUM
+negotiation, the device can still set the VIRTIO_NET_HDR_F_DATA_VALID flag.
+Essentially, the device can facilitate the validation of these packets'
+checksums - a process known as RX checksum offloading - removing the need
+for the driver to do so.
+
+This scenario is currently not implemented in the driver and requires
+correction. The necessary specification correction[1] has been made and
+approved in the virtio TC vote.
+[1] https://lists.oasis-open.org/archives/virtio-comment/202401/msg00011.html
+
+Fixes: 4f49129be6fa ("virtio-net: Set RXCSUM feature if GUEST_CSUM is available")
+Signed-off-by: Heng Qi <hengqi@linux.alibaba.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/virtio_net.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 56cbe00126bb1..32867e7637ad4 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -4453,8 +4453,16 @@ static int virtnet_probe(struct virtio_device *vdev)
+ dev->features |= dev->hw_features & NETIF_F_ALL_TSO;
+ /* (!csum && gso) case will be fixed by register_netdev() */
+ }
+- if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_CSUM))
+- dev->features |= NETIF_F_RXCSUM;
++
++ /* 1. With VIRTIO_NET_F_GUEST_CSUM negotiation, the driver doesn't
++ * need to calculate checksums for partially checksummed packets,
++ * as they're considered valid by the upper layer.
++ * 2. Without VIRTIO_NET_F_GUEST_CSUM negotiation, the driver only
++ * receives fully checksummed packets. The device may assist in
++ * validating these packets' checksums, so the driver won't have to.
++ */
++ dev->features |= NETIF_F_RXCSUM;
++
+ if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO4) ||
+ virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO6))
+ dev->features |= NETIF_F_GRO_HW;
+--
+2.43.0
+
--- /dev/null
+From 7b3d3234057836ad387c13ea892b14b6220140a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jun 2024 21:15:24 +0800
+Subject: virtio_net: fixing XDP for fully checksummed packets handling
+
+From: Heng Qi <hengqi@linux.alibaba.com>
+
+[ Upstream commit 703eec1b242276f2d97d98f04790ddad319ddde4 ]
+
+The XDP program can't correctly handle partially checksummed
+packets, but works fine with fully checksummed packets. If the
+device has already validated fully checksummed packets, then
+the driver doesn't need to re-validate them, saving CPU resources.
+
+Additionally, the driver does not drop all partially checksummed
+packets when VIRTIO_NET_F_GUEST_CSUM is not negotiated. This is
+not a bug, as the driver has always done this.
+
+Fixes: 436c9453a1ac ("virtio-net: keep vnet header zeroed after processing XDP")
+Signed-off-by: Heng Qi <hengqi@linux.alibaba.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/virtio_net.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 32867e7637ad4..51ade909c84f0 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1190,6 +1190,10 @@ static struct sk_buff *receive_small_xdp(struct net_device *dev,
+ if (unlikely(hdr->hdr.gso_type))
+ goto err_xdp;
+
++ /* Partially checksummed packets must be dropped. */
++ if (unlikely(hdr->hdr.flags & VIRTIO_NET_HDR_F_NEEDS_CSUM))
++ goto err_xdp;
++
+ buflen = SKB_DATA_ALIGN(GOOD_PACKET_LEN + headroom) +
+ SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
+
+@@ -1507,6 +1511,10 @@ static void *mergeable_xdp_get_buf(struct virtnet_info *vi,
+ if (unlikely(hdr->hdr.gso_type))
+ return NULL;
+
++ /* Partially checksummed packets must be dropped. */
++ if (unlikely(hdr->hdr.flags & VIRTIO_NET_HDR_F_NEEDS_CSUM))
++ return NULL;
++
+ /* Now XDP core assumes frag size is PAGE_SIZE, but buffers
+ * with headroom may add hole in truesize, which
+ * make their length exceed PAGE_SIZE. So we disabled the
+@@ -1773,6 +1781,7 @@ static void receive_buf(struct virtnet_info *vi, struct receive_queue *rq,
+ struct net_device *dev = vi->dev;
+ struct sk_buff *skb;
+ struct virtio_net_common_hdr *hdr;
++ u8 flags;
+
+ if (unlikely(len < vi->hdr_len + ETH_HLEN)) {
+ pr_debug("%s: short packet %i\n", dev->name, len);
+@@ -1781,6 +1790,15 @@ static void receive_buf(struct virtnet_info *vi, struct receive_queue *rq,
+ return;
+ }
+
++ /* 1. Save the flags early, as the XDP program might overwrite them.
++ * These flags ensure packets marked as VIRTIO_NET_HDR_F_DATA_VALID
++ * stay valid after XDP processing.
++ * 2. XDP doesn't work with partially checksummed packets (refer to
++ * virtnet_xdp_set()), so packets marked as
++ * VIRTIO_NET_HDR_F_NEEDS_CSUM get dropped during XDP processing.
++ */
++ flags = ((struct virtio_net_common_hdr *)buf)->hdr.flags;
++
+ if (vi->mergeable_rx_bufs)
+ skb = receive_mergeable(dev, vi, rq, buf, ctx, len, xdp_xmit,
+ stats);
+@@ -1796,7 +1814,7 @@ static void receive_buf(struct virtnet_info *vi, struct receive_queue *rq,
+ if (dev->features & NETIF_F_RXHASH && vi->has_rss_hash_report)
+ virtio_skb_set_hash(&hdr->hash_v1_hdr, skb);
+
+- if (hdr->hdr.flags & VIRTIO_NET_HDR_F_DATA_VALID)
++ if (flags & VIRTIO_NET_HDR_F_DATA_VALID)
+ skb->ip_summed = CHECKSUM_UNNECESSARY;
+
+ if (virtio_net_hdr_to_skb(skb, &hdr->hdr,
+--
+2.43.0
+
--- /dev/null
+From 512aba5a43912515dcda9d7974f9d25bb1ca78ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Jun 2024 15:42:31 +0000
+Subject: xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d46401052c2d5614da8efea5788532f0401cb164 ]
+
+ip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly.
+
+syzbot reported:
+
+Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+CPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
+Workqueue: wg-kex-wg1 wg_packet_handshake_send_worker
+ RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64
+Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00
+RSP: 0018:ffffc90000117378 EFLAGS: 00010246
+RAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7
+RDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98
+RBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000
+R10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+FS: 0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline]
+ xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline]
+ xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541
+ xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835
+ xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline]
+ xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201
+ xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline]
+ xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309
+ ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256
+ send6+0x611/0xd20 drivers/net/wireguard/socket.c:139
+ wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178
+ wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200
+ wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40
+ wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51
+ process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
+ process_scheduled_works kernel/workqueue.c:3312 [inline]
+ worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393
+ kthread+0x2c1/0x3a0 kernel/kthread.c:389
+ ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20240615154231.234442-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/xfrm6_policy.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
+index 42fb6996b0777..444b0b4469a49 100644
+--- a/net/ipv6/xfrm6_policy.c
++++ b/net/ipv6/xfrm6_policy.c
+@@ -56,12 +56,18 @@ static int xfrm6_get_saddr(struct net *net, int oif,
+ {
+ struct dst_entry *dst;
+ struct net_device *dev;
++ struct inet6_dev *idev;
+
+ dst = xfrm6_dst_lookup(net, 0, oif, NULL, daddr, mark);
+ if (IS_ERR(dst))
+ return -EHOSTUNREACH;
+
+- dev = ip6_dst_idev(dst)->dev;
++ idev = ip6_dst_idev(dst);
++ if (!idev) {
++ dst_release(dst);
++ return -EHOSTUNREACH;
++ }
++ dev = idev->dev;
+ ipv6_dev_get_saddr(dev_net(dev), dev, &daddr->in6, 0, &saddr->in6);
+ dst_release(dst);
+ return 0;
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
