Fixes for 4.19
authorSasha Levin <sashal@kernel.org>
Mon, 12 Dec 2022 05:44:18 +0000 (00:44 -0500)
committerSasha Levin <sashal@kernel.org>
Mon, 12 Dec 2022 05:44:18 +0000 (00:44 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
29 files changed:
queue-4.19/bluetooth-6lowpan-add-missing-hci_dev_put-in-get_l2c.patch [new file with mode: 0644]
queue-4.19/bluetooth-fix-not-cleanup-led-when-bt_init-fails.patch [new file with mode: 0644]
queue-4.19/ca8210-fix-crash-by-zero-initializing-data.patch [new file with mode: 0644]
queue-4.19/can-esd_usb-allow-rec-and-tec-to-return-to-zero.patch [new file with mode: 0644]
queue-4.19/e1000e-fix-tx-dispatch-condition.patch [new file with mode: 0644]
queue-4.19/ethernet-aeroflex-fix-potential-skb-leak-in-greth_in.patch [new file with mode: 0644]
queue-4.19/gpio-amd8111-fix-pci-device-reference-count-leak.patch [new file with mode: 0644]
queue-4.19/i40e-disallow-ip4-and-ip6-l4_4_bytes.patch [new file with mode: 0644]
queue-4.19/i40e-fix-for-vf-mac-address-0.patch [new file with mode: 0644]
queue-4.19/i40e-fix-not-setting-default-xps_cpus-after-reset.patch [new file with mode: 0644]
queue-4.19/ieee802154-cc2520-fix-error-return-code-in-cc2520_hw.patch [new file with mode: 0644]
queue-4.19/igb-allocate-msi-x-vector-when-testing.patch [new file with mode: 0644]
queue-4.19/ipv6-avoid-use-after-free-in-ip6_fragment.patch [new file with mode: 0644]
queue-4.19/mac802154-fix-missing-init_list_head-in-ieee802154_i.patch [new file with mode: 0644]
queue-4.19/net-encx24j600-add-parentheses-to-fix-precedence.patch [new file with mode: 0644]
queue-4.19/net-encx24j600-fix-invalid-logic-in-reading-of-mista.patch [new file with mode: 0644]
queue-4.19/net-hisilicon-fix-potential-use-after-free-in-hisi_f.patch [new file with mode: 0644]
queue-4.19/net-hisilicon-fix-potential-use-after-free-in-hix5hd.patch [new file with mode: 0644]
queue-4.19/net-mvneta-fix-an-out-of-bounds-check.patch [new file with mode: 0644]
queue-4.19/net-mvneta-prevent-out-of-bounds-read-in-mvneta_conf.patch [new file with mode: 0644]
queue-4.19/net-plip-don-t-call-kfree_skb-dev_kfree_skb-under-sp.patch [new file with mode: 0644]
queue-4.19/net-stmmac-fix-snps-axi-config-node-property-parsing.patch [new file with mode: 0644]
queue-4.19/nfc-nci-bounds-check-struct-nfc_target-arrays.patch [new file with mode: 0644]
queue-4.19/nvme-initialize-core-quirks-before-calling-nvme_init.patch [new file with mode: 0644]
queue-4.19/selftests-rtnetlink-correct-xfrm-policy-rule-in-kci_.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/tipc-fix-potential-oob-in-tipc_link_proto_rcv.patch [new file with mode: 0644]
queue-4.19/xen-netback-fix-build-warning.patch [new file with mode: 0644]
queue-4.19/xen-netfront-fix-null-sring-after-live-migration.patch [new file with mode: 0644]

diff --git a/queue-4.19/bluetooth-6lowpan-add-missing-hci_dev_put-in-get_l2c.patch b/queue-4.19/bluetooth-6lowpan-add-missing-hci_dev_put-in-get_l2c.patch
new file mode 100644 (file)
index 0000000..6ed3d9e
--- /dev/null
@@ -0,0 +1,35 @@
+From e190f387632bc37b4f1c2278c3fea3ac8e0143a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 17:37:26 +0800
+Subject: Bluetooth: 6LoWPAN: add missing hci_dev_put() in get_l2cap_conn()
+
+From: Wang ShaoBo <bobo.shaobowang@huawei.com>
+
+[ Upstream commit 747da1308bdd5021409974f9180f0d8ece53d142 ]
+
+hci_get_route() takes reference, we should use hci_dev_put() to release
+it when not need anymore.
+
+Fixes: 6b8d4a6a0314 ("Bluetooth: 6LoWPAN: Use connected oriented channel instead of fixed one")
+Signed-off-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/6lowpan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
+index 9a75f9b00b51..4530ffb2481a 100644
+--- a/net/bluetooth/6lowpan.c
++++ b/net/bluetooth/6lowpan.c
+@@ -1014,6 +1014,7 @@ static int get_l2cap_conn(char *buf, bdaddr_t *addr, u8 *addr_type,
+       hci_dev_lock(hdev);
+       hcon = hci_conn_hash_lookup_le(hdev, addr, *addr_type);
+       hci_dev_unlock(hdev);
++      hci_dev_put(hdev);
+       if (!hcon)
+               return -ENOENT;
+-- 
+2.35.1
+
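Review bot: The hdev reference is released on the new `hci_dev_put(hdev);` line immediately after the lookup, yet hcon — which, as far as the hunk shows, was returned by hci_conn_hash_lookup_le() without a reference of its own — is still tested on the following `if (!hcon)` line and is presumably dereferenced after the hunk ends, since get_l2cap_conn() continues outside it. It is worth confirming that hcon's validity at that point does not depend on the reference the patch now drops early; if it does, the put belongs on the function's exit paths instead. A one-line comment stating why the early put is safe, e.g. `/* hcon is only inspected, not retained, so hdev can be released here */`, would record that reasoning for the next reader.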
diff --git a/queue-4.19/bluetooth-fix-not-cleanup-led-when-bt_init-fails.patch b/queue-4.19/bluetooth-fix-not-cleanup-led-when-bt_init-fails.patch
new file mode 100644 (file)
index 0000000..271e518
--- /dev/null
@@ -0,0 +1,57 @@
+From 28dbc9089fbce762dce3be36e33d102e1430232e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Nov 2022 17:25:56 +0800
+Subject: Bluetooth: Fix not cleanup led when bt_init fails
+
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+
+[ Upstream commit 2f3957c7eb4e07df944169a3e50a4d6790e1c744 ]
+
+bt_init() calls bt_leds_init() to register led, but if it fails later,
+bt_leds_cleanup() is not called to unregister it.
+
+This can cause panic if the argument "bluetooth-power" in text is freed
+and then another led_trigger_register() tries to access it:
+
+BUG: unable to handle page fault for address: ffffffffc06d3bc0
+RIP: 0010:strcmp+0xc/0x30
+  Call Trace:
+    <TASK>
+    led_trigger_register+0x10d/0x4f0
+    led_trigger_register_simple+0x7d/0x100
+    bt_init+0x39/0xf7 [bluetooth]
+    do_one_initcall+0xd0/0x4e0
+
+Fixes: e64c97b53bc6 ("Bluetooth: Add combined LED trigger for controller power")
+Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/af_bluetooth.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
+index ee60c30f3be2..798f8f485e5a 100644
+--- a/net/bluetooth/af_bluetooth.c
++++ b/net/bluetooth/af_bluetooth.c
+@@ -743,7 +743,7 @@ static int __init bt_init(void)
+       err = bt_sysfs_init();
+       if (err < 0)
+-              return err;
++              goto cleanup_led;
+       err = sock_register(&bt_sock_family_ops);
+       if (err)
+@@ -779,6 +779,8 @@ static int __init bt_init(void)
+       sock_unregister(PF_BLUETOOTH);
+ cleanup_sysfs:
+       bt_sysfs_cleanup();
++cleanup_led:
++      bt_leds_cleanup();
+       return err;
+ }
+-- 
+2.35.1
+
diff --git a/queue-4.19/ca8210-fix-crash-by-zero-initializing-data.patch b/queue-4.19/ca8210-fix-crash-by-zero-initializing-data.patch
new file mode 100644 (file)
index 0000000..3f31992
--- /dev/null
@@ -0,0 +1,40 @@
+From 4110e85a8fc2aee1614cb9079ca0339221b4a83d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 01:22:01 +0100
+Subject: ca8210: Fix crash by zero initializing data
+
+From: Hauke Mehrtens <hauke@hauke-m.de>
+
+[ Upstream commit 1e24c54da257ab93cff5826be8a793b014a5dc9c ]
+
+The struct cas_control embeds multiple generic SPI structures and we
+have to make sure these structures are initialized to default values.
+This driver does not set all attributes. When using kmalloc before some
+attributes were not initialized and contained random data which caused
+random crashes at bootup.
+
+Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver")
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+Link: https://lore.kernel.org/r/20221121002201.1339636-1-hauke@hauke-m.de
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/ca8210.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
+index 7c5db4f73cce..917edb3d04b7 100644
+--- a/drivers/net/ieee802154/ca8210.c
++++ b/drivers/net/ieee802154/ca8210.c
+@@ -925,7 +925,7 @@ static int ca8210_spi_transfer(
+       dev_dbg(&spi->dev, "%s called\n", __func__);
+-      cas_ctl = kmalloc(sizeof(*cas_ctl), GFP_ATOMIC);
++      cas_ctl = kzalloc(sizeof(*cas_ctl), GFP_ATOMIC);
+       if (!cas_ctl)
+               return -ENOMEM;
+-- 
+2.35.1
+
diff --git a/queue-4.19/can-esd_usb-allow-rec-and-tec-to-return-to-zero.patch b/queue-4.19/can-esd_usb-allow-rec-and-tec-to-return-to-zero.patch
new file mode 100644 (file)
index 0000000..06d9b63
--- /dev/null
@@ -0,0 +1,55 @@
+From 5850b09dddfe22b4fe6551ff6c8920a4e6c6d709 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 21:22:42 +0100
+Subject: can: esd_usb: Allow REC and TEC to return to zero
+
+From: Frank Jungclaus <frank.jungclaus@esd.eu>
+
+[ Upstream commit 918ee4911f7a41fb4505dff877c1d7f9f64eb43e ]
+
+We don't get any further EVENT from an esd CAN USB device for changes
+on REC or TEC while those counters converge to 0 (with ecc == 0). So
+when handling the "Back to Error Active"-event force txerr = rxerr =
+0, otherwise the berr-counters might stay on values like 95 forever.
+
+Also, to make life easier during the ongoing development a
+netdev_dbg() has been introduced to allow dumping error events send by
+an esd CAN USB device.
+
+Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device")
+Signed-off-by: Frank Jungclaus <frank.jungclaus@esd.eu>
+Link: https://lore.kernel.org/all/20221130202242.3998219-2-frank.jungclaus@esd.eu
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/esd_usb2.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/can/usb/esd_usb2.c b/drivers/net/can/usb/esd_usb2.c
+index d4e6b40f0ed4..ffdee5aeb8a9 100644
+--- a/drivers/net/can/usb/esd_usb2.c
++++ b/drivers/net/can/usb/esd_usb2.c
+@@ -239,6 +239,10 @@ static void esd_usb2_rx_event(struct esd_usb2_net_priv *priv,
+               u8 rxerr = msg->msg.rx.data[2];
+               u8 txerr = msg->msg.rx.data[3];
++              netdev_dbg(priv->netdev,
++                         "CAN_ERR_EV_EXT: dlc=%#02x state=%02x ecc=%02x rec=%02x tec=%02x\n",
++                         msg->msg.rx.dlc, state, ecc, rxerr, txerr);
++
+               skb = alloc_can_err_skb(priv->netdev, &cf);
+               if (skb == NULL) {
+                       stats->rx_dropped++;
+@@ -265,6 +269,8 @@ static void esd_usb2_rx_event(struct esd_usb2_net_priv *priv,
+                               break;
+                       default:
+                               priv->can.state = CAN_STATE_ERROR_ACTIVE;
++                              txerr = 0;
++                              rxerr = 0;
+                               break;
+                       }
+               } else {
+-- 
+2.35.1
+
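Review bot: In the new netdev_dbg() format string, `%#02x` for dlc counts the `0x` prefix toward its width of 2, so that field prints effectively unpadded while the remaining fields use `%02x`; for a uniform dump use the same conversion throughout, i.e. `"CAN_ERR_EV_EXT: dlc=%02x state=%02x ecc=%02x rec=%02x tec=%02x\n"`. The `txerr = 0; rxerr = 0;` reset in the `default:` branch of the second hunk matches what the commit message describes. The enclosing esd_usb2_rx_event() starts and ends outside both hunks.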
diff --git a/queue-4.19/e1000e-fix-tx-dispatch-condition.patch b/queue-4.19/e1000e-fix-tx-dispatch-condition.patch
new file mode 100644 (file)
index 0000000..2bf7c41
--- /dev/null
@@ -0,0 +1,67 @@
+From f9fbccca4784a5b45957b6b77cdae54e36a12f63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 22:00:00 +0900
+Subject: e1000e: Fix TX dispatch condition
+
+From: Akihiko Odaki <akihiko.odaki@daynix.com>
+
+[ Upstream commit eed913f6919e253f35d454b2f115f2a4db2b741a ]
+
+e1000_xmit_frame is expected to stop the queue and dispatch frames to
+hardware if there is not sufficient space for the next frame in the
+buffer, but sometimes it failed to do so because the estimated maximum
+size of frame was wrong. As the consequence, the later invocation of
+e1000_xmit_frame failed with NETDEV_TX_BUSY, and the frame in the buffer
+remained forever, resulting in a watchdog failure.
+
+This change fixes the estimated size by making it match with the
+condition for NETDEV_TX_BUSY. Apparently, the old estimation failed to
+account for the following lines which determines the space requirement
+for not causing NETDEV_TX_BUSY:
+    ```
+       /* reserve a descriptor for the offload context */
+       if ((mss) || (skb->ip_summed == CHECKSUM_PARTIAL))
+               count++;
+       count++;
+
+       count += DIV_ROUND_UP(len, adapter->tx_fifo_limit);
+    ```
+
+This issue was found when running http-stress02 test included in Linux
+Test Project 20220930 on QEMU with the following commandline:
+```
+qemu-system-x86_64 -M q35,accel=kvm -m 8G -smp 8
+       -drive if=virtio,format=raw,file=root.img,file.locking=on
+       -device e1000e,netdev=netdev
+       -netdev tap,script=ifup,downscript=no,id=netdev
+```
+
+Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)")
+Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+Tested-by: Gurucharan G <gurucharanx.g@intel.com> (A Contingent worker at Intel)
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
+index 398f5951d11c..0629f87a20be 100644
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -5877,9 +5877,9 @@ static netdev_tx_t e1000_xmit_frame(struct sk_buff *skb,
+               e1000_tx_queue(tx_ring, tx_flags, count);
+               /* Make sure there is space in the ring for the next send. */
+               e1000_maybe_stop_tx(tx_ring,
+-                                  (MAX_SKB_FRAGS *
++                                  ((MAX_SKB_FRAGS + 1) *
+                                    DIV_ROUND_UP(PAGE_SIZE,
+-                                                adapter->tx_fifo_limit) + 2));
++                                                adapter->tx_fifo_limit) + 4));
+               if (!skb->xmit_more ||
+                   netif_xmit_stopped(netdev_get_tx_queue(netdev, 0))) {
+-- 
+2.35.1
+
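Review bot: The new bound `(MAX_SKB_FRAGS + 1) * DIV_ROUND_UP(PAGE_SIZE, adapter->tx_fifo_limit) + 4` replaces one pair of magic numbers with another, and its derivation lives only in the commit message, which is how the old estimate drifted from the NETDEV_TX_BUSY check in the first place. A comment above the e1000_maybe_stop_tx() call tying the two together would help, e.g. `/* Keep in sync with the descriptor count computed earlier in this function for the NETDEV_TX_BUSY check: linear part plus fragments, context descriptor, and slack. */`. The enclosing e1000_xmit_frame() starts and ends outside the hunk.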
diff --git a/queue-4.19/ethernet-aeroflex-fix-potential-skb-leak-in-greth_in.patch b/queue-4.19/ethernet-aeroflex-fix-potential-skb-leak-in-greth_in.patch
new file mode 100644 (file)
index 0000000..6192433
--- /dev/null
@@ -0,0 +1,39 @@
+From 177e03a2c1e3c62218543e459fe7ed710a53320e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Dec 2022 14:09:08 +0800
+Subject: ethernet: aeroflex: fix potential skb leak in greth_init_rings()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 063a932b64db3317ec020c94466fe52923a15f60 ]
+
+The greth_init_rings() function won't free the newly allocated skb when
+dma_mapping_error() returns error, so add dev_kfree_skb() to fix it.
+
+Compile tested only.
+
+Fixes: d4c41139df6e ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Link: https://lore.kernel.org/r/1670134149-29516-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/aeroflex/greth.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/aeroflex/greth.c b/drivers/net/ethernet/aeroflex/greth.c
+index a20e95b39cf7..4df8da8f5e7e 100644
+--- a/drivers/net/ethernet/aeroflex/greth.c
++++ b/drivers/net/ethernet/aeroflex/greth.c
+@@ -262,6 +262,7 @@ static int greth_init_rings(struct greth_private *greth)
+                       if (dma_mapping_error(greth->dev, dma_addr)) {
+                               if (netif_msg_ifup(greth))
+                                       dev_err(greth->dev, "Could not create initial DMA mapping\n");
++                              dev_kfree_skb(skb);
+                               goto cleanup;
+                       }
+                       greth->rx_skbuff[i] = skb;
+-- 
+2.35.1
+
diff --git a/queue-4.19/gpio-amd8111-fix-pci-device-reference-count-leak.patch b/queue-4.19/gpio-amd8111-fix-pci-device-reference-count-leak.patch
new file mode 100644 (file)
index 0000000..462a823
--- /dev/null
@@ -0,0 +1,54 @@
+From 616f1356260409933d622a39740cba36359a33de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 20:35:08 +0800
+Subject: gpio: amd8111: Fix PCI device reference count leak
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit 45fecdb9f658d9c82960c98240bc0770ade19aca ]
+
+for_each_pci_dev() is implemented by pci_get_device(). The comment of
+pci_get_device() says that it will increase the reference count for the
+returned pci_dev and also decrease the reference count for the input
+pci_dev @from if it is not NULL.
+
+If we break for_each_pci_dev() loop with pdev not NULL, we need to call
+pci_dev_put() to decrease the reference count. Add the missing
+pci_dev_put() after the 'out' label. Since pci_dev_put() can handle NULL
+input parameter, there is no problem for the 'Device not found' branch.
+For the normal path, add pci_dev_put() in amd_gpio_exit().
+
+Fixes: f942a7de047d ("gpio: add a driver for GPIO pins found on AMD-8111 south bridge chips")
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-amd8111.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpio/gpio-amd8111.c b/drivers/gpio/gpio-amd8111.c
+index fdcebe59510d..68d95051dd0e 100644
+--- a/drivers/gpio/gpio-amd8111.c
++++ b/drivers/gpio/gpio-amd8111.c
+@@ -231,7 +231,10 @@ static int __init amd_gpio_init(void)
+               ioport_unmap(gp.pm);
+               goto out;
+       }
++      return 0;
++
+ out:
++      pci_dev_put(pdev);
+       return err;
+ }
+@@ -239,6 +242,7 @@ static void __exit amd_gpio_exit(void)
+ {
+       gpiochip_remove(&gp.chip);
+       ioport_unmap(gp.pm);
++      pci_dev_put(gp.pdev);
+ }
+ module_init(amd_gpio_init);
+-- 
+2.35.1
+
diff --git a/queue-4.19/i40e-disallow-ip4-and-ip6-l4_4_bytes.patch b/queue-4.19/i40e-disallow-ip4-and-ip6-l4_4_bytes.patch
new file mode 100644 (file)
index 0000000..f825bfb
--- /dev/null
@@ -0,0 +1,46 @@
+From 6bbeac2b596bffd9e6d044b6f747f7ee3427f9d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 09:49:25 +0100
+Subject: i40e: Disallow ip4 and ip6 l4_4_bytes
+
+From: Przemyslaw Patynowski <przemyslawx.patynowski@intel.com>
+
+[ Upstream commit d64aaf3f7869f915fd120763d75f11d6b116424d ]
+
+Return -EOPNOTSUPP, when user requests l4_4_bytes for raw IP4 or
+IP6 flow director filters. Flow director does not support filtering
+on l4 bytes for PCTYPEs used by IP4 and IP6 filters.
+Without this patch, user could create filters with l4_4_bytes fields,
+which did not do any filtering on L4, but only on L3 fields.
+
+Fixes: 36777d9fa24c ("i40e: check current configured input set when adding ntuple filters")
+Signed-off-by: Przemyslaw Patynowski <przemyslawx.patynowski@intel.com>
+Signed-off-by: Kamil Maziarz  <kamil.maziarz@intel.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Gurucharan G <gurucharanx.g@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+index 16adba824811..fbfd43a7e592 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+@@ -3850,11 +3850,7 @@ static int i40e_check_fdir_input_set(struct i40e_vsi *vsi,
+                       return -EOPNOTSUPP;
+               /* First 4 bytes of L4 header */
+-              if (usr_ip4_spec->l4_4_bytes == htonl(0xFFFFFFFF))
+-                      new_mask |= I40E_L4_SRC_MASK | I40E_L4_DST_MASK;
+-              else if (!usr_ip4_spec->l4_4_bytes)
+-                      new_mask &= ~(I40E_L4_SRC_MASK | I40E_L4_DST_MASK);
+-              else
++              if (usr_ip4_spec->l4_4_bytes)
+                       return -EOPNOTSUPP;
+               /* Filtering on Type of Service is not supported. */
+-- 
+2.35.1
+
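Review bot: The surviving comment `/* First 4 bytes of L4 header */` now sits above a branch that unconditionally rejects the field, so it reads as if those bytes were being consumed; rewording it to `/* Filtering on the first 4 bytes of the L4 header is not supported. */` matches the `Filtering on Type of Service is not supported.` comment just below it. The subject mentions both ip4 and ip6, but this backport only touches the usr_ip4_spec branch — worth confirming that 4.19's i40e_check_fdir_input_set() has no ip6 counterpart needing the same rejection. The function starts and ends outside the hunk.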
diff --git a/queue-4.19/i40e-fix-for-vf-mac-address-0.patch b/queue-4.19/i40e-fix-for-vf-mac-address-0.patch
new file mode 100644 (file)
index 0000000..865c4ce
--- /dev/null
@@ -0,0 +1,49 @@
+From fa3033c0dcb3a93702ecc5ddea81986a1e699198 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Oct 2022 13:00:28 +0100
+Subject: i40e: Fix for VF MAC address 0
+
+From: Sylwester Dziedziuch <sylwesterx.dziedziuch@intel.com>
+
+[ Upstream commit 08501970472077ed5de346ad89943a37d1692e9b ]
+
+After spawning max VFs on a PF, some VFs were not getting resources and
+their MAC addresses were 0. This was caused by PF sleeping before flushing
+HW registers which caused VIRTCHNL_VFR_VFACTIVE to not be set in time for
+VF.
+
+Fix by adding a sleep after hw flush.
+
+Fixes: e4b433f4a741 ("i40e: reset all VFs in parallel when rebuilding PF")
+Signed-off-by: Sylwester Dziedziuch <sylwesterx.dziedziuch@intel.com>
+Signed-off-by: Jan Sokolowski <jan.sokolowski@intel.com>
+Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+index e98e3af06cf8..240083201dbf 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -1269,6 +1269,7 @@ bool i40e_reset_vf(struct i40e_vf *vf, bool flr)
+       i40e_cleanup_reset_vf(vf);
+       i40e_flush(hw);
++      usleep_range(20000, 40000);
+       clear_bit(I40E_VF_STATE_RESETTING, &vf->vf_states);
+       return true;
+@@ -1392,6 +1393,7 @@ bool i40e_reset_all_vfs(struct i40e_pf *pf, bool flr)
+       }
+       i40e_flush(hw);
++      usleep_range(20000, 40000);
+       clear_bit(__I40E_VF_DISABLE, pf->state);
+       return true;
+-- 
+2.35.1
+
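Review bot: The two new `usleep_range(20000, 40000);` calls carry no explanation in the code; the reason they exist (let the flushed register writes take effect so VIRTCHNL_VFR_VFACTIVE is visible before the VF polls for it) is only in the commit message, and a future cleanup could easily drop an apparently pointless sleep. Add the same comment at both sites, e.g. `/* Give the flushed HW writes time to land before the VF checks VIRTCHNL_VFR_VFACTIVE */`; the second hunk in i40e_reset_all_vfs() has the identical issue. Both enclosing functions start and end outside their hunks.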
diff --git a/queue-4.19/i40e-fix-not-setting-default-xps_cpus-after-reset.patch b/queue-4.19/i40e-fix-not-setting-default-xps_cpus-after-reset.patch
new file mode 100644 (file)
index 0000000..9f31d09
--- /dev/null
@@ -0,0 +1,72 @@
+From 06017660dc6b0d4b85ced18aedcc79f50741054a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 10:19:42 +0200
+Subject: i40e: Fix not setting default xps_cpus after reset
+
+From: Michal Jaron <michalx.jaron@intel.com>
+
+[ Upstream commit 82e0572b23029b380464fa9fdc125db9c1506d0a ]
+
+During tx rings configuration default XPS queue config is set and
+__I40E_TX_XPS_INIT_DONE is locked. __I40E_TX_XPS_INIT_DONE state is
+cleared and set again with default mapping only during queues build,
+it means after first setup or reset with queues rebuild. (i.e.
+ethtool -L <interface> combined <number>) After other resets (i.e.
+ethtool -t <interface>) XPS_INIT_DONE is not cleared and those default
+maps cannot be set again. It results in cleared xps_cpus mapping
+until queues are not rebuild or mapping is not set by user.
+
+Add clearing __I40E_TX_XPS_INIT_DONE state during reset to let
+the driver set xps_cpus to defaults again after it was cleared.
+
+Fixes: 6f853d4f8e93 ("i40e: allow XPS with QoS enabled")
+Signed-off-by: Michal Jaron <michalx.jaron@intel.com>
+Signed-off-by: Kamil Maziarz <kamil.maziarz@intel.com>
+Tested-by: Gurucharan <gurucharanx.g@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 9669d8c8b6c7..8a5baaf403ae 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -9367,6 +9367,21 @@ static int i40e_rebuild_channels(struct i40e_vsi *vsi)
+       return 0;
+ }
++/**
++ * i40e_clean_xps_state - clean xps state for every tx_ring
++ * @vsi: ptr to the VSI
++ **/
++static void i40e_clean_xps_state(struct i40e_vsi *vsi)
++{
++      int i;
++
++      if (vsi->tx_rings)
++              for (i = 0; i < vsi->num_queue_pairs; i++)
++                      if (vsi->tx_rings[i])
++                              clear_bit(__I40E_TX_XPS_INIT_DONE,
++                                        vsi->tx_rings[i]->state);
++}
++
+ /**
+  * i40e_prep_for_reset - prep for the core to reset
+  * @pf: board private structure
+@@ -9398,8 +9413,10 @@ static void i40e_prep_for_reset(struct i40e_pf *pf, bool lock_acquired)
+               rtnl_unlock();
+       for (v = 0; v < pf->num_alloc_vsi; v++) {
+-              if (pf->vsi[v])
++              if (pf->vsi[v]) {
++                      i40e_clean_xps_state(pf->vsi[v]);
+                       pf->vsi[v]->seid = 0;
++              }
+       }
+       i40e_shutdown_adminq(&pf->hw);
+-- 
+2.35.1
+
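Review bot: i40e_clean_xps_state() nests an if, a for and another if across three levels with no braces, which kernel style permits but which is easy to mis-edit; a guard clause `if (!vsi->tx_rings)` / `return;` at the top lets the loop sit at function level with one fewer indent. Its kernel-doc header could also record when it is meant to run — on reset, so that __I40E_TX_XPS_INIT_DONE can be set again during the next ring configuration — which is the rationale the commit message gives and the code does not. The second hunk's enclosing i40e_prep_for_reset() starts and ends outside the hunk.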
diff --git a/queue-4.19/ieee802154-cc2520-fix-error-return-code-in-cc2520_hw.patch b/queue-4.19/ieee802154-cc2520-fix-error-return-code-in-cc2520_hw.patch
new file mode 100644 (file)
index 0000000..86a6b95
--- /dev/null
@@ -0,0 +1,37 @@
+From ed03dce188885427ba9b6789056e86574b694769 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Nov 2022 15:50:46 +0800
+Subject: ieee802154: cc2520: Fix error return code in cc2520_hw_init()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit 4d002d6a2a00ac1c433899bd7625c6400a74cfba ]
+
+In cc2520_hw_init(), if oscillator start failed, the error code
+should be returned.
+
+Fixes: 0da6bc8cc341 ("ieee802154: cc2520: adds driver for TI CC2520 radio")
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Link: https://lore.kernel.org/r/20221120075046.2213633-1-william.xuanziyang@huawei.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/cc2520.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ieee802154/cc2520.c b/drivers/net/ieee802154/cc2520.c
+index fa3a4db517d6..57110246e71e 100644
+--- a/drivers/net/ieee802154/cc2520.c
++++ b/drivers/net/ieee802154/cc2520.c
+@@ -978,7 +978,7 @@ static int cc2520_hw_init(struct cc2520_private *priv)
+               if (timeout-- <= 0) {
+                       dev_err(&priv->spi->dev, "oscillator start failed!\n");
+-                      return ret;
++                      return -ETIMEDOUT;
+               }
+               udelay(1);
+       } while (!(status & CC2520_STATUS_XOSC32M_STABLE));
+-- 
+2.35.1
+
diff --git a/queue-4.19/igb-allocate-msi-x-vector-when-testing.patch b/queue-4.19/igb-allocate-msi-x-vector-when-testing.patch
new file mode 100644 (file)
index 0000000..235377f
--- /dev/null
@@ -0,0 +1,69 @@
+From bd5b0b2623929cc9e89095e5094c66a6b5838366 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 22:30:31 +0900
+Subject: igb: Allocate MSI-X vector when testing
+
+From: Akihiko Odaki <akihiko.odaki@daynix.com>
+
+[ Upstream commit 28e96556baca7056d11d9fb3cdd0aba4483e00d8 ]
+
+Without this change, the interrupt test fail with MSI-X environment:
+
+$ sudo ethtool -t enp0s2 offline
+[   43.921783] igb 0000:00:02.0: offline testing starting
+[   44.855824] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Down
+[   44.961249] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
+[   51.272202] igb 0000:00:02.0: testing shared interrupt
+[   56.996975] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
+The test result is FAIL
+The test extra info:
+Register test  (offline)        0
+Eeprom test    (offline)        0
+Interrupt test (offline)        4
+Loopback test  (offline)        0
+Link test   (on/offline)        0
+
+Here, "4" means an expected interrupt was not delivered.
+
+To fix this, route IRQs correctly to the first MSI-X vector by setting
+IVAR_MISC. Also, set bit 0 of EIMS so that the vector will not be
+masked. The interrupt test now runs properly with this change:
+
+$ sudo ethtool -t enp0s2 offline
+[   42.762985] igb 0000:00:02.0: offline testing starting
+[   50.141967] igb 0000:00:02.0: testing shared interrupt
+[   56.163957] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
+The test result is PASS
+The test extra info:
+Register test  (offline)        0
+Eeprom test    (offline)        0
+Interrupt test (offline)        0
+Loopback test  (offline)        0
+Link test   (on/offline)        0
+
+Fixes: 4eefa8f01314 ("igb: add single vector msi-x testing to interrupt test")
+Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Tested-by: Gurucharan G <gurucharanx.g@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_ethtool.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_ethtool.c b/drivers/net/ethernet/intel/igb/igb_ethtool.c
+index 2e17625e6c35..d0f5b92bead7 100644
+--- a/drivers/net/ethernet/intel/igb/igb_ethtool.c
++++ b/drivers/net/ethernet/intel/igb/igb_ethtool.c
+@@ -1399,6 +1399,8 @@ static int igb_intr_test(struct igb_adapter *adapter, u64 *data)
+                       *data = 1;
+                       return -1;
+               }
++              wr32(E1000_IVAR_MISC, E1000_IVAR_VALID << 8);
++              wr32(E1000_EIMS, BIT(0));
+       } else if (adapter->flags & IGB_FLAG_HAS_MSI) {
+               shared_int = false;
+               if (request_irq(irq,
+-- 
+2.35.1
+
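Review bot: The two new writes `wr32(E1000_IVAR_MISC, E1000_IVAR_VALID << 8);` and `wr32(E1000_EIMS, BIT(0));` are bare register pokes, and the intent stated in the commit message — route the other-cause interrupt to the first MSI-X vector and unmask it for the test — is not recorded where the code is. A comment above them such as `/* Route other-cause interrupts to MSI-X vector 0 and unmask it so the test interrupt is delivered */` would keep that context. It may also be worth confirming that nothing after the test relies on the previous IVAR_MISC/EIMS state; igb_intr_test() starts and ends outside the hunk, so that cannot be checked here.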
diff --git a/queue-4.19/ipv6-avoid-use-after-free-in-ip6_fragment.patch b/queue-4.19/ipv6-avoid-use-after-free-in-ip6_fragment.patch
new file mode 100644 (file)
index 0000000..9b96084
--- /dev/null
@@ -0,0 +1,289 @@
+From 43490e48fab844fc4a692b579f4ddb8d92c0a056 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Dec 2022 10:13:51 +0000
+Subject: ipv6: avoid use-after-free in ip6_fragment()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 803e84867de59a1e5d126666d25eb4860cfd2ebe ]
+
+Blamed commit claimed rcu_read_lock() was held by ip6_fragment() callers.
+
+It seems to not be always true, at least for UDP stack.
+
+syzbot reported:
+
+BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:245 [inline]
+BUG: KASAN: use-after-free in ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
+Read of size 8 at addr ffff88801d403e80 by task syz-executor.3/7618
+
+CPU: 1 PID: 7618 Comm: syz-executor.3 Not tainted 6.1.0-rc6-syzkaller-00012-g4312098baf37 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:284 [inline]
+ print_report+0x15e/0x45d mm/kasan/report.c:395
+ kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
+ ip6_dst_idev include/net/ip6_fib.h:245 [inline]
+ ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
+ __ip6_finish_output net/ipv6/ip6_output.c:193 [inline]
+ ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206
+ NF_HOOK_COND include/linux/netfilter.h:291 [inline]
+ ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
+ dst_output include/net/dst.h:445 [inline]
+ ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161
+ ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966
+ udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286
+ udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313
+ udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606
+ inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
+ sock_sendmsg_nosec net/socket.c:714 [inline]
+ sock_sendmsg+0xd3/0x120 net/socket.c:734
+ sock_write_iter+0x295/0x3d0 net/socket.c:1108
+ call_write_iter include/linux/fs.h:2191 [inline]
+ new_sync_write fs/read_write.c:491 [inline]
+ vfs_write+0x9ed/0xdd0 fs/read_write.c:584
+ ksys_write+0x1ec/0x250 fs/read_write.c:637
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7fde3588c0d9
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fde365b6168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00007fde359ac050 RCX: 00007fde3588c0d9
+RDX: 000000000000ffdc RSI: 00000000200000c0 RDI: 000000000000000a
+RBP: 00007fde358e7ae9 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007fde35acfb1f R14: 00007fde365b6300 R15: 0000000000022000
+ </TASK>
+
+Allocated by task 7618:
+ kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+ __kasan_slab_alloc+0x82/0x90 mm/kasan/common.c:325
+ kasan_slab_alloc include/linux/kasan.h:201 [inline]
+ slab_post_alloc_hook mm/slab.h:737 [inline]
+ slab_alloc_node mm/slub.c:3398 [inline]
+ slab_alloc mm/slub.c:3406 [inline]
+ __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
+ kmem_cache_alloc+0x2b4/0x3d0 mm/slub.c:3422
+ dst_alloc+0x14a/0x1f0 net/core/dst.c:92
+ ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344
+ ip6_rt_pcpu_alloc net/ipv6/route.c:1369 [inline]
+ rt6_make_pcpu_route net/ipv6/route.c:1417 [inline]
+ ip6_pol_route+0x901/0x1190 net/ipv6/route.c:2254
+ pol_lookup_func include/net/ip6_fib.h:582 [inline]
+ fib6_rule_lookup+0x52e/0x6f0 net/ipv6/fib6_rules.c:121
+ ip6_route_output_flags_noref+0x2e6/0x380 net/ipv6/route.c:2625
+ ip6_route_output_flags+0x76/0x320 net/ipv6/route.c:2638
+ ip6_route_output include/net/ip6_route.h:98 [inline]
+ ip6_dst_lookup_tail+0x5ab/0x1620 net/ipv6/ip6_output.c:1092
+ ip6_dst_lookup_flow+0x90/0x1d0 net/ipv6/ip6_output.c:1222
+ ip6_sk_dst_lookup_flow+0x553/0x980 net/ipv6/ip6_output.c:1260
+ udpv6_sendmsg+0x151d/0x2c80 net/ipv6/udp.c:1554
+ inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
+ sock_sendmsg_nosec net/socket.c:714 [inline]
+ sock_sendmsg+0xd3/0x120 net/socket.c:734
+ __sys_sendto+0x23a/0x340 net/socket.c:2117
+ __do_sys_sendto net/socket.c:2129 [inline]
+ __se_sys_sendto net/socket.c:2125 [inline]
+ __x64_sys_sendto+0xe1/0x1b0 net/socket.c:2125
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Freed by task 7599:
+ kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+ kasan_save_free_info+0x2e/0x40 mm/kasan/generic.c:511
+ ____kasan_slab_free mm/kasan/common.c:236 [inline]
+ ____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200
+ kasan_slab_free include/linux/kasan.h:177 [inline]
+ slab_free_hook mm/slub.c:1724 [inline]
+ slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1750
+ slab_free mm/slub.c:3661 [inline]
+ kmem_cache_free+0xee/0x5c0 mm/slub.c:3683
+ dst_destroy+0x2ea/0x400 net/core/dst.c:127
+ rcu_do_batch kernel/rcu/tree.c:2250 [inline]
+ rcu_core+0x81f/0x1980 kernel/rcu/tree.c:2510
+ __do_softirq+0x1fb/0xadc kernel/softirq.c:571
+
+Last potentially related work creation:
+ kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
+ __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
+ call_rcu+0x9d/0x820 kernel/rcu/tree.c:2798
+ dst_release net/core/dst.c:177 [inline]
+ dst_release+0x7d/0xe0 net/core/dst.c:167
+ refdst_drop include/net/dst.h:256 [inline]
+ skb_dst_drop include/net/dst.h:268 [inline]
+ skb_release_head_state+0x250/0x2a0 net/core/skbuff.c:838
+ skb_release_all net/core/skbuff.c:852 [inline]
+ __kfree_skb net/core/skbuff.c:868 [inline]
+ kfree_skb_reason+0x151/0x4b0 net/core/skbuff.c:891
+ kfree_skb_list_reason+0x4b/0x70 net/core/skbuff.c:901
+ kfree_skb_list include/linux/skbuff.h:1227 [inline]
+ ip6_fragment+0x2026/0x2770 net/ipv6/ip6_output.c:949
+ __ip6_finish_output net/ipv6/ip6_output.c:193 [inline]
+ ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206
+ NF_HOOK_COND include/linux/netfilter.h:291 [inline]
+ ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
+ dst_output include/net/dst.h:445 [inline]
+ ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161
+ ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966
+ udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286
+ udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313
+ udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606
+ inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
+ sock_sendmsg_nosec net/socket.c:714 [inline]
+ sock_sendmsg+0xd3/0x120 net/socket.c:734
+ sock_write_iter+0x295/0x3d0 net/socket.c:1108
+ call_write_iter include/linux/fs.h:2191 [inline]
+ new_sync_write fs/read_write.c:491 [inline]
+ vfs_write+0x9ed/0xdd0 fs/read_write.c:584
+ ksys_write+0x1ec/0x250 fs/read_write.c:637
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Second to last potentially related work creation:
+ kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
+ __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
+ call_rcu+0x9d/0x820 kernel/rcu/tree.c:2798
+ dst_release net/core/dst.c:177 [inline]
+ dst_release+0x7d/0xe0 net/core/dst.c:167
+ refdst_drop include/net/dst.h:256 [inline]
+ skb_dst_drop include/net/dst.h:268 [inline]
+ __dev_queue_xmit+0x1b9d/0x3ba0 net/core/dev.c:4211
+ dev_queue_xmit include/linux/netdevice.h:3008 [inline]
+ neigh_resolve_output net/core/neighbour.c:1552 [inline]
+ neigh_resolve_output+0x51b/0x840 net/core/neighbour.c:1532
+ neigh_output include/net/neighbour.h:546 [inline]
+ ip6_finish_output2+0x56c/0x1530 net/ipv6/ip6_output.c:134
+ __ip6_finish_output net/ipv6/ip6_output.c:195 [inline]
+ ip6_finish_output+0x694/0x1170 net/ipv6/ip6_output.c:206
+ NF_HOOK_COND include/linux/netfilter.h:291 [inline]
+ ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
+ dst_output include/net/dst.h:445 [inline]
+ NF_HOOK include/linux/netfilter.h:302 [inline]
+ NF_HOOK include/linux/netfilter.h:296 [inline]
+ mld_sendpack+0xa09/0xe70 net/ipv6/mcast.c:1820
+ mld_send_cr net/ipv6/mcast.c:2121 [inline]
+ mld_ifc_work+0x720/0xdc0 net/ipv6/mcast.c:2653
+ process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
+ worker_thread+0x669/0x1090 kernel/workqueue.c:2436
+ kthread+0x2e8/0x3a0 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
+
+The buggy address belongs to the object at ffff88801d403dc0
+ which belongs to the cache ip6_dst_cache of size 240
+The buggy address is located 192 bytes inside of
+ 240-byte region [ffff88801d403dc0, ffff88801d403eb0)
+
+The buggy address belongs to the physical page:
+page:ffffea00007500c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d403
+memcg:ffff888022f49c81
+flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
+raw: 00fff00000000200 ffffea0001ef6580 dead000000000002 ffff88814addf640
+raw: 0000000000000000 00000000800c000c 00000001ffffffff ffff888022f49c81
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 3719, tgid 3719 (kworker/0:6), ts 136223432244, free_ts 136222971441
+ prep_new_page mm/page_alloc.c:2539 [inline]
+ get_page_from_freelist+0x10b5/0x2d50 mm/page_alloc.c:4288
+ __alloc_pages+0x1cb/0x5b0 mm/page_alloc.c:5555
+ alloc_pages+0x1aa/0x270 mm/mempolicy.c:2285
+ alloc_slab_page mm/slub.c:1794 [inline]
+ allocate_slab+0x213/0x300 mm/slub.c:1939
+ new_slab mm/slub.c:1992 [inline]
+ ___slab_alloc+0xa91/0x1400 mm/slub.c:3180
+ __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3279
+ slab_alloc_node mm/slub.c:3364 [inline]
+ slab_alloc mm/slub.c:3406 [inline]
+ __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
+ kmem_cache_alloc+0x31a/0x3d0 mm/slub.c:3422
+ dst_alloc+0x14a/0x1f0 net/core/dst.c:92
+ ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344
+ icmp6_dst_alloc+0x71/0x680 net/ipv6/route.c:3261
+ mld_sendpack+0x5de/0xe70 net/ipv6/mcast.c:1809
+ mld_send_cr net/ipv6/mcast.c:2121 [inline]
+ mld_ifc_work+0x720/0xdc0 net/ipv6/mcast.c:2653
+ process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
+ worker_thread+0x669/0x1090 kernel/workqueue.c:2436
+ kthread+0x2e8/0x3a0 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
+page last free stack trace:
+ reset_page_owner include/linux/page_owner.h:24 [inline]
+ free_pages_prepare mm/page_alloc.c:1459 [inline]
+ free_pcp_prepare+0x65c/0xd90 mm/page_alloc.c:1509
+ free_unref_page_prepare mm/page_alloc.c:3387 [inline]
+ free_unref_page+0x1d/0x4d0 mm/page_alloc.c:3483
+ __unfreeze_partials+0x17c/0x1a0 mm/slub.c:2586
+ qlink_free mm/kasan/quarantine.c:168 [inline]
+ qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
+ kasan_quarantine_reduce+0x184/0x210 mm/kasan/quarantine.c:294
+ __kasan_slab_alloc+0x66/0x90 mm/kasan/common.c:302
+ kasan_slab_alloc include/linux/kasan.h:201 [inline]
+ slab_post_alloc_hook mm/slab.h:737 [inline]
+ slab_alloc_node mm/slub.c:3398 [inline]
+ kmem_cache_alloc_node+0x304/0x410 mm/slub.c:3443
+ __alloc_skb+0x214/0x300 net/core/skbuff.c:497
+ alloc_skb include/linux/skbuff.h:1267 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1191 [inline]
+ netlink_sendmsg+0x9a6/0xe10 net/netlink/af_netlink.c:1896
+ sock_sendmsg_nosec net/socket.c:714 [inline]
+ sock_sendmsg+0xd3/0x120 net/socket.c:734
+ __sys_sendto+0x23a/0x340 net/socket.c:2117
+ __do_sys_sendto net/socket.c:2129 [inline]
+ __se_sys_sendto net/socket.c:2125 [inline]
+ __x64_sys_sendto+0xe1/0x1b0 net/socket.c:2125
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Fixes: 1758fd4688eb ("ipv6: remove unnecessary dst_hold() in ip6_fragment()")
+Reported-by: syzbot+8c0ac31aa9681abb9e2d@syzkaller.appspotmail.com
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Wei Wang <weiwan@google.com>
+Cc: Martin KaFai Lau <kafai@fb.com>
+Link: https://lore.kernel.org/r/20221206101351.2037285-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_output.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 6fd1a4b61747..70820d049b92 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -734,6 +734,9 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
+               ipv6_hdr(skb)->payload_len = htons(first_len -
+                                                  sizeof(struct ipv6hdr));
++              /* We prevent @rt from being freed. */
++              rcu_read_lock();
++
+               for (;;) {
+                       /* Prepare header of the next frame,
+                        * before previous one went down. */
+@@ -776,6 +779,7 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
+               if (err == 0) {
+                       IP6_INC_STATS(net, ip6_dst_idev(&rt->dst),
+                                     IPSTATS_MIB_FRAGOKS);
++                      rcu_read_unlock();
+                       return 0;
+               }
+@@ -783,6 +787,7 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
+               IP6_INC_STATS(net, ip6_dst_idev(&rt->dst),
+                             IPSTATS_MIB_FRAGFAILS);
++              rcu_read_unlock();
+               return err;
+ slow_path_clean:
+-- 
+2.35.1
+
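Review bot: The rcu_read_lock() taken just before the `for (;;)` loop in the first inner hunk is released only at the two returns in the later hunks, and the loop body between them is not visible here, so any early `return` or `goto` out of that loop — including anything that reaches the `slow_path_clean:` label at the hunk's end — would leave the read-side critical section held; please confirm there is none. The order in the two unlocking hunks matters: `ip6_dst_idev(&rt->dst)` inside IP6_INC_STATS is exactly the dereference the KASAN report flagged, so `rcu_read_unlock()` must stay after it, which a short comment would protect, e.g. `/* @rt is only RCU-protected: keep this unlock after the ip6_dst_idev() read above. */`. The comment `/* We prevent @rt from being freed. */` would be more useful if it said why: per the freed-by trace the skb's dst reference can be dropped by kfree_skb_list() from within this function, and ip6_fragment() is not always entered with rcu_read_lock() held by the caller. ip6_fragment() starts and ends outside the hunks.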
diff --git a/queue-4.19/mac802154-fix-missing-init_list_head-in-ieee802154_i.patch b/queue-4.19/mac802154-fix-missing-init_list_head-in-ieee802154_i.patch
new file mode 100644 (file)
index 0000000..24936f1
--- /dev/null
@@ -0,0 +1,56 @@
+From c8409a2447b0b9954cf71d4b5c05fc89afa005a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 09:17:05 +0000
+Subject: mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit b3d72d3135d2ef68296c1ee174436efd65386f04 ]
+
+Kernel fault injection test reports null-ptr-deref as follows:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000008
+RIP: 0010:cfg802154_netdev_notifier_call+0x120/0x310 include/linux/list.h:114
+Call Trace:
+ <TASK>
+ raw_notifier_call_chain+0x6d/0xa0 kernel/notifier.c:87
+ call_netdevice_notifiers_info+0x6e/0xc0 net/core/dev.c:1944
+ unregister_netdevice_many_notify+0x60d/0xcb0 net/core/dev.c:1982
+ unregister_netdevice_queue+0x154/0x1a0 net/core/dev.c:10879
+ register_netdevice+0x9a8/0xb90 net/core/dev.c:10083
+ ieee802154_if_add+0x6ed/0x7e0 net/mac802154/iface.c:659
+ ieee802154_register_hw+0x29c/0x330 net/mac802154/main.c:229
+ mcr20a_probe+0xaaa/0xcb1 drivers/net/ieee802154/mcr20a.c:1316
+
+ieee802154_if_add() allocates wpan_dev as netdev's private data, but not
+init the list in struct wpan_dev. cfg802154_netdev_notifier_call() manage
+the list when device register/unregister, and may lead to null-ptr-deref.
+
+Use INIT_LIST_HEAD() on it to initialize it correctly.
+
+Fixes: fcf39e6e88e9 ("ieee802154: add wpan_dev_list")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Alexander Aring <aahringo@redhat.com>
+
+Link: https://lore.kernel.org/r/20221130091705.1831140-1-weiyongjun@huaweicloud.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac802154/iface.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
+index bd88a9b80773..8c2aedf3fa74 100644
+--- a/net/mac802154/iface.c
++++ b/net/mac802154/iface.c
+@@ -669,6 +669,7 @@ ieee802154_if_add(struct ieee802154_local *local, const char *name,
+       sdata->dev = ndev;
+       sdata->wpan_dev.wpan_phy = local->hw.phy;
+       sdata->local = local;
++      INIT_LIST_HEAD(&sdata->wpan_dev.list);
+       /* setup type-dependent data */
+       ret = ieee802154_setup_sdata(sdata, type);
+-- 
+2.35.1
+
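Review bot: The added `INIT_LIST_HEAD(&sdata->wpan_dev.list)` carries no explanation of why a list head that this function never otherwise touches must be initialised here, so a comment would keep a future cleanup from dropping it, e.g. `/* cfg802154's netdev notifier unlinks this on unregister, which register_netdevice() itself triggers on failure; the head must be valid before then. */`. The placement looks right as far as the hunk shows — the init precedes ieee802154_setup_sdata() and, presumably, the register_netdevice() call later in the function — but ieee802154_if_add() continues outside the hunk, so whether sdata is zero-allocated (a zeroed head still makes list_del() dereference NULL, as the trace shows) cannot be confirmed here.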
diff --git a/queue-4.19/net-encx24j600-add-parentheses-to-fix-precedence.patch b/queue-4.19/net-encx24j600-add-parentheses-to-fix-precedence.patch
new file mode 100644 (file)
index 0000000..a47a3d6
--- /dev/null
@@ -0,0 +1,50 @@
+From 69aefb62f46aec2234dba20842db29567eab341f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 20:34:07 +0300
+Subject: net: encx24j600: Add parentheses to fix precedence
+
+From: Valentina Goncharenko <goncharenko.vp@ispras.ru>
+
+[ Upstream commit 167b3f2dcc62c271f3555b33df17e361bb1fa0ee ]
+
+In functions regmap_encx24j600_phy_reg_read() and
+regmap_encx24j600_phy_reg_write() in the conditions of the waiting
+cycles for filling the variable 'ret' it is necessary to add parentheses
+to prevent wrong assignment due to logical operations precedence.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: d70e53262f5c ("net: Microchip encx24j600 driver")
+Signed-off-by: Valentina Goncharenko <goncharenko.vp@ispras.ru>
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/encx24j600-regmap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/microchip/encx24j600-regmap.c b/drivers/net/ethernet/microchip/encx24j600-regmap.c
+index 46181559d1f1..4a3c0870c8e4 100644
+--- a/drivers/net/ethernet/microchip/encx24j600-regmap.c
++++ b/drivers/net/ethernet/microchip/encx24j600-regmap.c
+@@ -367,7 +367,7 @@ static int regmap_encx24j600_phy_reg_read(void *context, unsigned int reg,
+               goto err_out;
+       usleep_range(26, 100);
+-      while ((ret = regmap_read(ctx->regmap, MISTAT, &mistat) != 0) &&
++      while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) != 0) &&
+              (mistat & BUSY))
+               cpu_relax();
+@@ -405,7 +405,7 @@ static int regmap_encx24j600_phy_reg_write(void *context, unsigned int reg,
+               goto err_out;
+       usleep_range(26, 100);
+-      while ((ret = regmap_read(ctx->regmap, MISTAT, &mistat) != 0) &&
++      while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) != 0) &&
+              (mistat & BUSY))
+               cpu_relax();
+-- 
+2.35.1
+
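Review bot: Both polling loops touched here, and again by the following patch (net-encx24j600-fix-invalid-logic-in-reading-of-mista.patch), remain unbounded: `while (... && (mistat & BUSY)) cpu_relax();` spins forever if the PHY never clears BUSY or the SPI link is wedged, with no timeout and no way for the caller to recover. Since the driver already sleeps in this path (usleep_range on the line above), a bounded wait such as `ret = regmap_read_poll_timeout(ctx->regmap, MISTAT, mistat, !(mistat & BUSY), 26, TIMEOUT_US /* placeholder: pick per datasheet */);` would replace the loop in both regmap_encx24j600_phy_reg_read() and regmap_encx24j600_phy_reg_write() and remove the duplicated hand-rolled loop at the same time. Note that with this patch alone the condition still loops only while regmap_read() fails and then tests an undefined `mistat`; the code is only correct once the next patch in this series is applied, so the two should not be separated when cherry-picking. Both functions start and end outside the hunks.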
diff --git a/queue-4.19/net-encx24j600-fix-invalid-logic-in-reading-of-mista.patch b/queue-4.19/net-encx24j600-fix-invalid-logic-in-reading-of-mista.patch
new file mode 100644 (file)
index 0000000..11c142f
--- /dev/null
@@ -0,0 +1,52 @@
+From 7ecbb954547766fd19e16118da6fcf85afb9101d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 20:34:08 +0300
+Subject: net: encx24j600: Fix invalid logic in reading of MISTAT register
+
+From: Valentina Goncharenko <goncharenko.vp@ispras.ru>
+
+[ Upstream commit 25f427ac7b8d89b0259f86c0c6407b329df742b2 ]
+
+A loop for reading MISTAT register continues while regmap_read() fails
+and (mistat & BUSY), but if regmap_read() fails a value of mistat is
+undefined.
+
+The patch proposes to check for BUSY flag only when regmap_read()
+succeed. Compile test only.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: d70e53262f5c ("net: Microchip encx24j600 driver")
+Signed-off-by: Valentina Goncharenko <goncharenko.vp@ispras.ru>
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/encx24j600-regmap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/microchip/encx24j600-regmap.c b/drivers/net/ethernet/microchip/encx24j600-regmap.c
+index 4a3c0870c8e4..4a8d9633e082 100644
+--- a/drivers/net/ethernet/microchip/encx24j600-regmap.c
++++ b/drivers/net/ethernet/microchip/encx24j600-regmap.c
+@@ -367,7 +367,7 @@ static int regmap_encx24j600_phy_reg_read(void *context, unsigned int reg,
+               goto err_out;
+       usleep_range(26, 100);
+-      while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) != 0) &&
++      while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) == 0) &&
+              (mistat & BUSY))
+               cpu_relax();
+@@ -405,7 +405,7 @@ static int regmap_encx24j600_phy_reg_write(void *context, unsigned int reg,
+               goto err_out;
+       usleep_range(26, 100);
+-      while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) != 0) &&
++      while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) == 0) &&
+              (mistat & BUSY))
+               cpu_relax();
+-- 
+2.35.1
+
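Review bot: With the condition now `== 0`, a failing regmap_read() ends the loop with `ret` holding the error and `mistat` unset, which is only safe if the statement following `cpu_relax();` — outside the hunk in both functions — checks `ret` before MISTAT-dependent state is used; please confirm that check exists in the 4.19 body. A one-line comment above each loop would document the contract the next reader has to infer, e.g. `/* Spin while MISTAT reads cleanly and still reports BUSY; a read error exits with ret set for the check below. */`. regmap_encx24j600_phy_reg_read() and regmap_encx24j600_phy_reg_write() continue outside the hunks.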
diff --git a/queue-4.19/net-hisilicon-fix-potential-use-after-free-in-hisi_f.patch b/queue-4.19/net-hisilicon-fix-potential-use-after-free-in-hisi_f.patch
new file mode 100644 (file)
index 0000000..99152e1
--- /dev/null
@@ -0,0 +1,37 @@
+From 53966486778e56a4e78fb693cc66762d6cafc629 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Dec 2022 17:42:39 +0800
+Subject: net: hisilicon: Fix potential use-after-free in hisi_femac_rx()
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit 4640177049549de1a43e9bc49265f0cdfce08cfd ]
+
+The skb is delivered to napi_gro_receive() which may free it, after
+calling this, dereferencing skb may trigger use-after-free.
+
+Fixes: 542ae60af24f ("net: hisilicon: Add Fast Ethernet MAC driver")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Link: https://lore.kernel.org/r/20221203094240.1240211-1-liujian56@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hisi_femac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hisi_femac.c b/drivers/net/ethernet/hisilicon/hisi_femac.c
+index 2c2808830e95..f29040520ca0 100644
+--- a/drivers/net/ethernet/hisilicon/hisi_femac.c
++++ b/drivers/net/ethernet/hisilicon/hisi_femac.c
+@@ -295,7 +295,7 @@ static int hisi_femac_rx(struct net_device *dev, int limit)
+               skb->protocol = eth_type_trans(skb, dev);
+               napi_gro_receive(&priv->napi, skb);
+               dev->stats.rx_packets++;
+-              dev->stats.rx_bytes += skb->len;
++              dev->stats.rx_bytes += len;
+ next:
+               pos = (pos + 1) % rxq->num;
+               if (rx_pkts_num >= limit)
+-- 
+2.35.1
+
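Review bot: Replacing `skb->len` with `len` removes the use-after-free but may change what rx_bytes counts: eth_type_trans() two lines above the napi_gro_receive() call pulls the Ethernet header, so the old post-call `skb->len` was ETH_HLEN short of the frame, whereas `len` — assigned outside the hunk — is presumably the descriptor length taken before that pull; if so, rx_bytes now grows by ETH_HLEN more per packet, which is arguably the correct accounting but is a visible stats change worth a note in the commit or code. The same applies to the hix5hd2 patch in this series (net-hisilicon-fix-potential-use-after-free-in-hix5hd.patch). A comment at the new line would also keep the fix from being "simplified" back, e.g. `/* skb may already be freed by napi_gro_receive(); use the saved length */`. hisi_femac_rx() continues on both sides of the hunk.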
diff --git a/queue-4.19/net-hisilicon-fix-potential-use-after-free-in-hix5hd.patch b/queue-4.19/net-hisilicon-fix-potential-use-after-free-in-hix5hd.patch
new file mode 100644 (file)
index 0000000..26a69c9
--- /dev/null
@@ -0,0 +1,37 @@
+From 4ab30b87d05a2b5b89f3770e366cd584310c24a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Dec 2022 17:42:40 +0800
+Subject: net: hisilicon: Fix potential use-after-free in hix5hd2_rx()
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit 433c07a13f59856e4585e89e86b7d4cc59348fab ]
+
+The skb is delivered to napi_gro_receive() which may free it, after
+calling this, dereferencing skb may trigger use-after-free.
+
+Fixes: 57c5bc9ad7d7 ("net: hisilicon: add hix5hd2 mac driver")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Link: https://lore.kernel.org/r/20221203094240.1240211-2-liujian56@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hix5hd2_gmac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c b/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c
+index b63871ef8a40..e69a64a50127 100644
+--- a/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c
++++ b/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c
+@@ -554,7 +554,7 @@ static int hix5hd2_rx(struct net_device *dev, int limit)
+               skb->protocol = eth_type_trans(skb, dev);
+               napi_gro_receive(&priv->napi, skb);
+               dev->stats.rx_packets++;
+-              dev->stats.rx_bytes += skb->len;
++              dev->stats.rx_bytes += len;
+ next:
+               pos = dma_ring_incr(pos, RX_DESC_NUM);
+       }
+-- 
+2.35.1
+
diff --git a/queue-4.19/net-mvneta-fix-an-out-of-bounds-check.patch b/queue-4.19/net-mvneta-fix-an-out-of-bounds-check.patch
new file mode 100644 (file)
index 0000000..b3c0f0f
--- /dev/null
@@ -0,0 +1,55 @@
+From 611c8e78018ec2e3cd5667c0e310d96389a7068b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 10:06:31 +0300
+Subject: net: mvneta: Fix an out of bounds check
+
+From: Dan Carpenter <error27@gmail.com>
+
+[ Upstream commit cdd97383e19d4afe29adc3376025a15ae3bab3a3 ]
+
+In an earlier commit, I added a bounds check to prevent an out of bounds
+read and a WARN().  On further discussion and consideration that check
+was probably too aggressive.  Instead of returning -EINVAL, a better fix
+would be to just prevent the out of bounds read but continue the process.
+
+Background: The value of "pp->rxq_def" is a number between 0-7 by default,
+or even higher depending on the value of "rxq_number", which is a module
+parameter. If the value is more than the number of available CPUs then
+it will trigger the WARN() in cpu_max_bits_warn().
+
+Fixes: e8b4fc13900b ("net: mvneta: Prevent out of bounds read in mvneta_config_rss()")
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Link: https://lore.kernel.org/r/Y5A7d1E5ccwHTYPf@kadam
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvneta.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
+index 5107382cefb5..fd1311681200 100644
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -3620,7 +3620,7 @@ static void mvneta_percpu_elect(struct mvneta_port *pp)
+       /* Use the cpu associated to the rxq when it is online, in all
+        * the other cases, use the cpu 0 which can't be offline.
+        */
+-      if (cpu_online(pp->rxq_def))
++      if (pp->rxq_def < nr_cpu_ids && cpu_online(pp->rxq_def))
+               elected_cpu = pp->rxq_def;
+       max_cpu = num_present_cpus();
+@@ -4141,9 +4141,6 @@ static int  mvneta_config_rss(struct mvneta_port *pp)
+               napi_disable(&pp->napi);
+       }
+-      if (pp->indir[0] >= nr_cpu_ids)
+-              return -EINVAL;
+-
+       pp->rxq_def = pp->indir[0];
+       /* Update unicast mapping */
+-- 
+2.35.1
+
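Review bot: With the -EINVAL check removed from mvneta_config_rss(), `pp->rxq_def = pp->indir[0]` is now assigned unvalidated, and the new `pp->rxq_def < nr_cpu_ids` bound in mvneta_percpu_elect() guards only the cpu_online() bitmap read; any other use of pp->rxq_def as a queue or CPU index (outside these hunks) relies on the ethtool core bounding indir entries by the ring count, which deserves stating at the assignment, e.g. `/* indir[] entries are bounded by the ethtool core; only the CPU-bitmap read in mvneta_percpu_elect() needs the nr_cpu_ids check. */`. A rxq_def that is a valid ring but not a valid CPU number now silently elects CPU 0 instead of reporting an error, which matches the commit's intent but is not covered by the existing comment; extending it to `... in all the other cases (offline, or not a valid CPU number), use cpu 0 ...` would make that explicit. Both functions continue outside the hunks.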
diff --git a/queue-4.19/net-mvneta-prevent-out-of-bounds-read-in-mvneta_conf.patch b/queue-4.19/net-mvneta-prevent-out-of-bounds-read-in-mvneta_conf.patch
new file mode 100644 (file)
index 0000000..3b69e65
--- /dev/null
@@ -0,0 +1,41 @@
+From a69532b7fea768a106ca824455757efe78dcd5ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 12:58:26 +0300
+Subject: net: mvneta: Prevent out of bounds read in mvneta_config_rss()
+
+From: Dan Carpenter <error27@gmail.com>
+
+[ Upstream commit e8b4fc13900b8e8be48debffd0dfd391772501f7 ]
+
+The pp->indir[0] value comes from the user.  It is passed to:
+
+       if (cpu_online(pp->rxq_def))
+
+inside the mvneta_percpu_elect() function.  It needs bounds checkeding
+to ensure that it is not beyond the end of the cpu bitmap.
+
+Fixes: cad5d847a093 ("net: mvneta: Fix the CPU choice in mvneta_percpu_elect")
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvneta.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
+index 382d010e1294..5107382cefb5 100644
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -4141,6 +4141,9 @@ static int  mvneta_config_rss(struct mvneta_port *pp)
+               napi_disable(&pp->napi);
+       }
++      if (pp->indir[0] >= nr_cpu_ids)
++              return -EINVAL;
++
+       pp->rxq_def = pp->indir[0];
+       /* Update unicast mapping */
+-- 
+2.35.1
+
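Review bot: The new early `return -EINVAL` sits after the `napi_disable(&pp->napi)` visible in the block whose head is outside the hunk, so on the rejection path NAPI (and whatever else that block tears down) is left disabled for a running interface; the check belongs before that teardown or must undo it. This is moot in the series' end state because the next patch (net-mvneta-fix-an-out-of-bounds-check.patch) removes the check again, but the two should stay adjacent so that no bisect or partial cherry-pick lands on this intermediate state. mvneta_config_rss() starts and ends outside the hunk.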
diff --git a/queue-4.19/net-plip-don-t-call-kfree_skb-dev_kfree_skb-under-sp.patch b/queue-4.19/net-plip-don-t-call-kfree_skb-dev_kfree_skb-under-sp.patch
new file mode 100644 (file)
index 0000000..b3b6249
--- /dev/null
@@ -0,0 +1,46 @@
+From db94045780989f35168b8d8f652819223dbb36bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 09:53:10 +0800
+Subject: net: plip: don't call kfree_skb/dev_kfree_skb() under spin_lock_irq()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 7d8c19bfc8ff3f78e5337107ca9246327fcb6b45 ]
+
+It is not allowed to call kfree_skb() or consume_skb() from
+hardware interrupt context or with interrupts being disabled.
+So replace kfree_skb/dev_kfree_skb() with dev_kfree_skb_irq()
+and dev_consume_skb_irq() under spin_lock_irq().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Link: https://lore.kernel.org/r/20221207015310.2984909-1-yangyingliang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/plip/plip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/plip/plip.c b/drivers/net/plip/plip.c
+index feb92ecd1880..06d59e3af664 100644
+--- a/drivers/net/plip/plip.c
++++ b/drivers/net/plip/plip.c
+@@ -448,12 +448,12 @@ plip_bh_timeout_error(struct net_device *dev, struct net_local *nl,
+       }
+       rcv->state = PLIP_PK_DONE;
+       if (rcv->skb) {
+-              kfree_skb(rcv->skb);
++              dev_kfree_skb_irq(rcv->skb);
+               rcv->skb = NULL;
+       }
+       snd->state = PLIP_PK_DONE;
+       if (snd->skb) {
+-              dev_kfree_skb(snd->skb);
++              dev_consume_skb_irq(snd->skb);
+               snd->skb = NULL;
+       }
+       spin_unlock_irq(&nl->lock);
+-- 
+2.35.1
+
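Review bot: `dev_consume_skb_irq(snd->skb)` marks a transmit skb that was never sent (this is the timeout-error path) as consumed rather than dropped, which hides it from the kfree_skb tracepoint and drop monitoring; `dev_kfree_skb_irq(snd->skb);` would report it as the drop it is, matching the treatment of `rcv->skb` two lines above. The previous `dev_kfree_skb()` had the same consume semantics, so this is pre-existing rather than introduced, but the conversion is the natural point to correct it. The matching spin_lock_irq() is outside the hunk; only the unlock at its end is visible.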
diff --git a/queue-4.19/net-stmmac-fix-snps-axi-config-node-property-parsing.patch b/queue-4.19/net-stmmac-fix-snps-axi-config-node-property-parsing.patch
new file mode 100644 (file)
index 0000000..224973d
--- /dev/null
@@ -0,0 +1,45 @@
+From 6cf8504a81ca66792861faefa0c9d77fc10b0bf2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Dec 2022 00:17:39 +0800
+Subject: net: stmmac: fix "snps,axi-config" node property parsing
+
+From: Jisheng Zhang <jszhang@kernel.org>
+
+[ Upstream commit 61d4f140943c47c1386ed89f7260e00418dfad9d ]
+
+In dt-binding snps,dwmac.yaml, some properties under "snps,axi-config"
+node are named without "axi_" prefix, but the driver expects the
+prefix. Since the dt-binding has been there for a long time, we'd
+better make driver match the binding for compatibility.
+
+Fixes: afea03656add ("stmmac: rework DMA bus setting and introduce new platform AXI structure")
+Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
+Link: https://lore.kernel.org/r/20221202161739.2203-1-jszhang@kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+index 9762e687fc73..9e040eb629ed 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+@@ -114,10 +114,10 @@ static struct stmmac_axi *stmmac_axi_setup(struct platform_device *pdev)
+       axi->axi_lpi_en = of_property_read_bool(np, "snps,lpi_en");
+       axi->axi_xit_frm = of_property_read_bool(np, "snps,xit_frm");
+-      axi->axi_kbbe = of_property_read_bool(np, "snps,axi_kbbe");
+-      axi->axi_fb = of_property_read_bool(np, "snps,axi_fb");
+-      axi->axi_mb = of_property_read_bool(np, "snps,axi_mb");
+-      axi->axi_rb =  of_property_read_bool(np, "snps,axi_rb");
++      axi->axi_kbbe = of_property_read_bool(np, "snps,kbbe");
++      axi->axi_fb = of_property_read_bool(np, "snps,fb");
++      axi->axi_mb = of_property_read_bool(np, "snps,mb");
++      axi->axi_rb =  of_property_read_bool(np, "snps,rb");
+       if (of_property_read_u32(np, "snps,wr_osr_lmt", &axi->axi_wr_osr_lmt))
+               axi->axi_wr_osr_lmt = 1;
+-- 
+2.35.1
+
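Review bot: Switching the four property names drops support for the driver's previous spelling outright: a device tree written against the driver rather than the binding (e.g. using `snps,axi_kbbe`) silently loses those AXI settings after this backport, with no warning. For a stable backport a compatible read would accept both, e.g. `axi->axi_kbbe = of_property_read_bool(np, "snps,kbbe") || of_property_read_bool(np, "snps,axi_kbbe");` with the same pattern for fb, mb and rb, optionally logging once when only the old name is present. stmmac_axi_setup() continues outside the hunk.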
diff --git a/queue-4.19/nfc-nci-bounds-check-struct-nfc_target-arrays.patch b/queue-4.19/nfc-nci-bounds-check-struct-nfc_target-arrays.patch
new file mode 100644 (file)
index 0000000..1fa9531
--- /dev/null
@@ -0,0 +1,62 @@
+From 5bda0bb8c41b691e13704403495886eab131193d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 13:44:14 -0800
+Subject: NFC: nci: Bounds check struct nfc_target arrays
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit e329e71013c9b5a4535b099208493c7826ee4a64 ]
+
+While running under CONFIG_FORTIFY_SOURCE=y, syzkaller reported:
+
+  memcpy: detected field-spanning write (size 129) of single field "target->sensf_res" at net/nfc/nci/ntf.c:260 (size 18)
+
+This appears to be a legitimate lack of bounds checking in
+nci_add_new_protocol(). Add the missing checks.
+
+Reported-by: syzbot+210e196cef4711b65139@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/lkml/0000000000001c590f05ee7b3ff4@google.com
+Fixes: 019c4fbaa790 ("NFC: Add NCI multiple targets support")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20221202214410.never.693-kees@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/nci/ntf.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
+index 1e8c1a12aaec..4f75453c07aa 100644
+--- a/net/nfc/nci/ntf.c
++++ b/net/nfc/nci/ntf.c
+@@ -230,6 +230,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev,
+               target->sens_res = nfca_poll->sens_res;
+               target->sel_res = nfca_poll->sel_res;
+               target->nfcid1_len = nfca_poll->nfcid1_len;
++              if (target->nfcid1_len > ARRAY_SIZE(target->nfcid1))
++                      return -EPROTO;
+               if (target->nfcid1_len > 0) {
+                       memcpy(target->nfcid1, nfca_poll->nfcid1,
+                              target->nfcid1_len);
+@@ -238,6 +240,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev,
+               nfcb_poll = (struct rf_tech_specific_params_nfcb_poll *)params;
+               target->sensb_res_len = nfcb_poll->sensb_res_len;
++              if (target->sensb_res_len > ARRAY_SIZE(target->sensb_res))
++                      return -EPROTO;
+               if (target->sensb_res_len > 0) {
+                       memcpy(target->sensb_res, nfcb_poll->sensb_res,
+                              target->sensb_res_len);
+@@ -246,6 +250,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev,
+               nfcf_poll = (struct rf_tech_specific_params_nfcf_poll *)params;
+               target->sensf_res_len = nfcf_poll->sensf_res_len;
++              if (target->sensf_res_len > ARRAY_SIZE(target->sensf_res))
++                      return -EPROTO;
+               if (target->sensf_res_len > 0) {
+                       memcpy(target->sensf_res, nfcf_poll->sensf_res,
+                              target->sensf_res_len);
+-- 
+2.35.1
+
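Review bot: Each new check runs after the length has already been stored in the target — `target->nfcid1_len = nfca_poll->nfcid1_len;` precedes `if (target->nfcid1_len > ARRAY_SIZE(target->nfcid1)) return -EPROTO;`, and the sensb_res and sensf_res hunks follow the same order — so on the -EPROTO path the target is left holding a length larger than its array. If any caller ignores the return value and keeps using that target (the callers are outside this patch, so I cannot confirm it), the stale length would later feed a copy out of the same array and reopen the out-of-bounds access this patch closes. Validating the source field before the assignment avoids the partially-updated state: `if (nfca_poll->nfcid1_len > ARRAY_SIZE(target->nfcid1)) return -EPROTO;` followed by `target->nfcid1_len = nfca_poll->nfcid1_len;`, and likewise for the two other hunks. nci_add_new_protocol starts and ends outside the hunks.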
diff --git a/queue-4.19/nvme-initialize-core-quirks-before-calling-nvme_init.patch b/queue-4.19/nvme-initialize-core-quirks-before-calling-nvme_init.patch
new file mode 100644 (file)
index 0000000..c7efa25
--- /dev/null
@@ -0,0 +1,57 @@
+From e4d0a5bf13d2f6337a40c34811f71f6613a45726 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 13:52:34 +0100
+Subject: nvme initialize core quirks before calling nvme_init_subsystem
+
+From: Pankaj Raghav <p.raghav@samsung.com>
+
+[ Upstream commit 6f2d71524bcfdeb1fcbd22a4a92a5b7b161ab224 ]
+
+A device might have a core quirk for NVME_QUIRK_IGNORE_DEV_SUBNQN
+(such as Samsung X5) but it would still give a:
+
+    "missing or invalid SUBNQN field"
+
+warning as core quirks are filled after calling nvme_init_subnqn.  Fill
+ctrl->quirks from struct core_quirks before calling nvme_init_subsystem
+to fix this.
+
+Tested on a Samsung X5.
+
+Fixes: ab9e00cc72fa ("nvme: track subsystems")
+Signed-off-by: Pankaj Raghav <p.raghav@samsung.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index f47f3b992161..6adff541282b 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -2463,10 +2463,6 @@ int nvme_init_identify(struct nvme_ctrl *ctrl)
+       if (!ctrl->identified) {
+               int i;
+-              ret = nvme_init_subsystem(ctrl, id);
+-              if (ret)
+-                      goto out_free;
+-
+               /*
+                * Check for quirks.  Quirk can depend on firmware version,
+                * so, in principle, the set of quirks present can change
+@@ -2479,6 +2475,10 @@ int nvme_init_identify(struct nvme_ctrl *ctrl)
+                       if (quirk_matches(id, &core_quirks[i]))
+                               ctrl->quirks |= core_quirks[i].quirks;
+               }
++
++              ret = nvme_init_subsystem(ctrl, id);
++              if (ret)
++                      goto out_free;
+       }
+       memcpy(ctrl->subsys->firmware_rev, id->fr,
+              sizeof(ctrl->subsys->firmware_rev));
+-- 
+2.35.1
+
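Review bot: The reordering is correct but nothing in the code records that it is load-bearing; a later cleanup could move the nvme_init_subsystem() call back above the quirk loop and silently reintroduce the spurious SUBNQN warning the commit message describes. I would extend the existing "Check for quirks" comment with a line such as `/* Must run before nvme_init_subsystem(), which honours NVME_QUIRK_IGNORE_DEV_SUBNQN from ctrl->quirks. */`. nvme_init_identify starts and ends outside the hunk, so I cannot see whether other consumers of ctrl->quirks sit between the two.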
diff --git a/queue-4.19/selftests-rtnetlink-correct-xfrm-policy-rule-in-kci_.patch b/queue-4.19/selftests-rtnetlink-correct-xfrm-policy-rule-in-kci_.patch
new file mode 100644 (file)
index 0000000..99dff5b
--- /dev/null
@@ -0,0 +1,41 @@
+From 1d9415ca506f238f859283a7769439ba77308688 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 16:22:46 +0800
+Subject: selftests: rtnetlink: correct xfrm policy rule in
+ kci_test_ipsec_offload
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 85a0506c073332a3057f5a9635fa0d4db5a8e03b ]
+
+When testing in kci_test_ipsec_offload, srcip is configured as $dstip,
+it should add xfrm policy rule in instead of out.
+The test result of this patch is as follows:
+PASS: ipsec_offload
+
+Fixes: 2766a11161cc ("selftests: rtnetlink: add ipsec offload API test")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Acked-by: Hangbin Liu <liuhangbin@gmail.com>
+Link: https://lore.kernel.org/r/20221201082246.14131-1-shaozhengchao@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/rtnetlink.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/rtnetlink.sh b/tools/testing/selftests/net/rtnetlink.sh
+index ff665de788ef..10733aae2b8d 100755
+--- a/tools/testing/selftests/net/rtnetlink.sh
++++ b/tools/testing/selftests/net/rtnetlink.sh
+@@ -681,7 +681,7 @@ kci_test_ipsec_offload()
+           tmpl proto esp src $srcip dst $dstip spi 9 \
+           mode transport reqid 42
+       check_err $?
+-      ip x p add dir out src $dstip/24 dst $srcip/24 \
++      ip x p add dir in src $dstip/24 dst $srcip/24 \
+           tmpl proto esp src $dstip dst $srcip spi 9 \
+           mode transport reqid 42
+       check_err $?
+-- 
+2.35.1
+
index a59970fbfd3359dbc231ad84799be96c3ee9ea31..03ac74c4005f8ec9f7c04fd458dcf39eec3733b6 100644 (file)
@@ -19,3 +19,31 @@ memcg-fix-possible-use-after-free-in-memcg_write_event_control.patch
 kvm-s390-vsie-fix-the-initialization-of-the-epoch-extension-epdx-field.patch
 hid-hid-lg4ff-add-check-for-empty-lbuf.patch
 hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch
+ieee802154-cc2520-fix-error-return-code-in-cc2520_hw.patch
+ca8210-fix-crash-by-zero-initializing-data.patch
+gpio-amd8111-fix-pci-device-reference-count-leak.patch
+e1000e-fix-tx-dispatch-condition.patch
+igb-allocate-msi-x-vector-when-testing.patch
+bluetooth-6lowpan-add-missing-hci_dev_put-in-get_l2c.patch
+bluetooth-fix-not-cleanup-led-when-bt_init-fails.patch
+selftests-rtnetlink-correct-xfrm-policy-rule-in-kci_.patch
+mac802154-fix-missing-init_list_head-in-ieee802154_i.patch
+net-encx24j600-add-parentheses-to-fix-precedence.patch
+net-encx24j600-fix-invalid-logic-in-reading-of-mista.patch
+xen-netfront-fix-null-sring-after-live-migration.patch
+net-mvneta-prevent-out-of-bounds-read-in-mvneta_conf.patch
+i40e-fix-not-setting-default-xps_cpus-after-reset.patch
+i40e-fix-for-vf-mac-address-0.patch
+i40e-disallow-ip4-and-ip6-l4_4_bytes.patch
+nfc-nci-bounds-check-struct-nfc_target-arrays.patch
+nvme-initialize-core-quirks-before-calling-nvme_init.patch
+net-stmmac-fix-snps-axi-config-node-property-parsing.patch
+net-hisilicon-fix-potential-use-after-free-in-hisi_f.patch
+net-hisilicon-fix-potential-use-after-free-in-hix5hd.patch
+tipc-fix-potential-oob-in-tipc_link_proto_rcv.patch
+ethernet-aeroflex-fix-potential-skb-leak-in-greth_in.patch
+xen-netback-fix-build-warning.patch
+net-plip-don-t-call-kfree_skb-dev_kfree_skb-under-sp.patch
+ipv6-avoid-use-after-free-in-ip6_fragment.patch
+net-mvneta-fix-an-out-of-bounds-check.patch
+can-esd_usb-allow-rec-and-tec-to-return-to-zero.patch
diff --git a/queue-4.19/tipc-fix-potential-oob-in-tipc_link_proto_rcv.patch b/queue-4.19/tipc-fix-potential-oob-in-tipc_link_proto_rcv.patch
new file mode 100644 (file)
index 0000000..d9907b8
--- /dev/null
@@ -0,0 +1,39 @@
+From f35b75f13306b72c621a9e8912fe46fb82669a54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Dec 2022 17:46:35 +0800
+Subject: tipc: Fix potential OOB in tipc_link_proto_rcv()
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 743117a997bbd4840e827295c07e59bcd7f7caa3 ]
+
+Fix the potential risk of OOB if skb_linearize() fails in
+tipc_link_proto_rcv().
+
+Fixes: 5cbb28a4bf65 ("tipc: linearize arriving NAME_DISTR and LINK_PROTO buffers")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Link: https://lore.kernel.org/r/20221203094635.29024-1-yuehaibing@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/link.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/tipc/link.c b/net/tipc/link.c
+index 0d2ee4eb131f..ee4aca974622 100644
+--- a/net/tipc/link.c
++++ b/net/tipc/link.c
+@@ -1595,7 +1595,9 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
+       if (tipc_own_addr(l->net) > msg_prevnode(hdr))
+               l->net_plane = msg_net_plane(hdr);
+-      skb_linearize(skb);
++      if (skb_linearize(skb))
++              goto exit;
++
+       hdr = buf_msg(skb);
+       data = msg_data(hdr);
+-- 
+2.35.1
+
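Review bot: The new early exit jumps to `exit` without assigning a return code on this path; whether that label returns a value initialised at function entry cannot be seen here, since tipc_link_proto_rcv starts and ends outside the hunk, so please confirm `rc` is initialised before this point rather than only set in the branches that follow. If a silent drop is the intended outcome, a one-line comment would help the next reader: `/* Cannot inspect the header safely; drop the message. */`.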
diff --git a/queue-4.19/xen-netback-fix-build-warning.patch b/queue-4.19/xen-netback-fix-build-warning.patch
new file mode 100644 (file)
index 0000000..155b782
--- /dev/null
@@ -0,0 +1,40 @@
+From bc14ef547097e4b29a4c101f2fa59b6f54614b18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 08:19:38 +0100
+Subject: xen/netback: fix build warning
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit 7dfa764e0223a324366a2a1fc056d4d9d4e95491 ]
+
+Commit ad7f402ae4f4 ("xen/netback: Ensure protocol headers don't fall in
+the non-linear area") introduced a (valid) build warning. There have
+even been reports of this problem breaking networking of Xen guests.
+
+Fixes: ad7f402ae4f4 ("xen/netback: Ensure protocol headers don't fall in the non-linear area")
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Tested-by: Jason Andryuk <jandryuk@gmail.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/xen-netback/netback.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
+index 72379dae113a..fc389f2bba7a 100644
+--- a/drivers/net/xen-netback/netback.c
++++ b/drivers/net/xen-netback/netback.c
+@@ -523,7 +523,7 @@ static int xenvif_tx_check_gop(struct xenvif_queue *queue,
+       const bool sharedslot = nr_frags &&
+                               frag_get_pending_idx(&shinfo->frags[0]) ==
+                                   copy_pending_idx(skb, copy_count(skb) - 1);
+-      int i, err;
++      int i, err = 0;
+       for (i = 0; i < copy_count(skb); i++) {
+               int newerr;
+-- 
+2.35.1
+
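Review bot: The initialiser appears to fix a real uninitialised read rather than only a warning, but neither the code nor the commit message says which path reads `err` unset; from this hunk one can only see that the loop over copy_count(skb) begins right after the declaration. If, as the "breaking networking" reports suggest, `err` is assigned only in the loop's error branch, a short comment would stop someone from reverting the initialiser as noise: `int i, err = 0;	/* stays 0 unless a copy or map op below fails */`. xenvif_tx_check_gop continues outside the hunk.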
diff --git a/queue-4.19/xen-netfront-fix-null-sring-after-live-migration.patch b/queue-4.19/xen-netfront-fix-null-sring-after-live-migration.patch
new file mode 100644 (file)
index 0000000..54195e4
--- /dev/null
@@ -0,0 +1,86 @@
+From 9c0c2082cc9ce488bf253a0f3328e4ccf815d5f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 08:52:48 +0000
+Subject: xen-netfront: Fix NULL sring after live migration
+
+From: Lin Liu <lin.liu@citrix.com>
+
+[ Upstream commit d50b7914fae04d840ce36491d22133070b18cca9 ]
+
+A NAPI is setup for each network sring to poll data to kernel
+The sring with source host is destroyed before live migration and
+new sring with target host is setup after live migration.
+The NAPI for the old sring is not deleted until setup new sring
+with target host after migration. With busy_poll/busy_read enabled,
+the NAPI can be polled before got deleted when resume VM.
+
+BUG: unable to handle kernel NULL pointer dereference at
+0000000000000008
+IP: xennet_poll+0xae/0xd20
+PGD 0 P4D 0
+Oops: 0000 [#1] SMP PTI
+Call Trace:
+ finish_task_switch+0x71/0x230
+ timerqueue_del+0x1d/0x40
+ hrtimer_try_to_cancel+0xb5/0x110
+ xennet_alloc_rx_buffers+0x2a0/0x2a0
+ napi_busy_loop+0xdb/0x270
+ sock_poll+0x87/0x90
+ do_sys_poll+0x26f/0x580
+ tracing_map_insert+0x1d4/0x2f0
+ event_hist_trigger+0x14a/0x260
+
+ finish_task_switch+0x71/0x230
+ __schedule+0x256/0x890
+ recalc_sigpending+0x1b/0x50
+ xen_sched_clock+0x15/0x20
+ __rb_reserve_next+0x12d/0x140
+ ring_buffer_lock_reserve+0x123/0x3d0
+ event_triggers_call+0x87/0xb0
+ trace_event_buffer_commit+0x1c4/0x210
+ xen_clocksource_get_cycles+0x15/0x20
+ ktime_get_ts64+0x51/0xf0
+ SyS_ppoll+0x160/0x1a0
+ SyS_ppoll+0x160/0x1a0
+ do_syscall_64+0x73/0x130
+ entry_SYSCALL_64_after_hwframe+0x41/0xa6
+...
+RIP: xennet_poll+0xae/0xd20 RSP: ffffb4f041933900
+CR2: 0000000000000008
+---[ end trace f8601785b354351c ]---
+
+xen frontend should remove the NAPIs for the old srings before live
+migration as the bond srings are destroyed
+
+There is a tiny window between the srings are set to NULL and
+the NAPIs are disabled, It is safe as the NAPI threads are still
+frozen at that time
+
+Signed-off-by: Lin Liu <lin.liu@citrix.com>
+Fixes: 4ec2411980d0 ([NET]: Do not check netif_running() and carrier state in ->poll())
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/xen-netfront.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
+index 4b75ecb19d89..8c3f9f041594 100644
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -1624,6 +1624,12 @@ static int netfront_resume(struct xenbus_device *dev)
+       netif_tx_unlock_bh(info->netdev);
+       xennet_disconnect_backend(info);
++
++      rtnl_lock();
++      if (info->queues)
++              xennet_destroy_queues(info);
++      rtnl_unlock();
++
+       return 0;
+ }
+-- 
+2.35.1
+
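Review bot: The commit message explains why destroying the queues here is safe despite the window between xennet_disconnect_backend() clearing the srings and the NAPIs being removed (tasks are still frozen on resume), but that reasoning does not appear in the code, where the unlocked gap reads like a bug. I would put a comment above the new `rtnl_lock()` stating that the NAPIs of the old srings must be deleted before the backend is reconnected, because with busy_poll they can otherwise poll a NULL sring, and that the gap is tolerable only because userspace is frozen at this point. It is also worth confirming that xennet_destroy_queues() resets `info->queues` so the later reconnect does not see a dangling pointer; that function is outside the patch. netfront_resume starts outside the hunk.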