--- /dev/null
+From 5af91831385fa66738cd4dd403b92254242b0f90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Dec 2023 15:08:57 +0000
+Subject: afs: Fix the dynamic root's d_delete to always delete unused dentries
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 71f8b55bc30e82d6355e07811213d847981a32e2 ]
+
+Fix the afs dynamic root's d_delete function to always delete unused
+dentries rather than only deleting them if they're positive. With things
+as they stand upstream, negative dentries stemming from failed DNS lookups
+stick around preventing retries.
+
+Fixes: 66c7e1d319a5 ("afs: Split the dynroot stuff out and give it its own ops tables")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Tested-by: Markus Suvanto <markus.suvanto@gmail.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/dynroot.c | 13 +------------
+ 1 file changed, 1 insertion(+), 12 deletions(-)
+
+diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
+index fc6c42eeb659c..ff21ce511f47c 100644
+--- a/fs/afs/dynroot.c
++++ b/fs/afs/dynroot.c
+@@ -172,20 +172,9 @@ static int afs_dynroot_d_revalidate(struct dentry *dentry, unsigned int flags)
+ return 1;
+ }
+
+-/*
+- * Allow the VFS to enquire as to whether a dentry should be unhashed (mustn't
+- * sleep)
+- * - called from dput() when d_count is going to 0.
+- * - return 1 to request dentry be unhashed, 0 otherwise
+- */
+-static int afs_dynroot_d_delete(const struct dentry *dentry)
+-{
+- return d_really_is_positive(dentry);
+-}
+-
+ const struct dentry_operations afs_dynroot_dentry_operations = {
+ .d_revalidate = afs_dynroot_d_revalidate,
+- .d_delete = afs_dynroot_d_delete,
++ .d_delete = always_delete_dentry,
+ .d_release = afs_d_release,
+ .d_automount = afs_d_automount,
+ };
+--
+2.43.0
+
--- /dev/null
+From 1e7506b85d2b096f74cd9f544f8502410472cc7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Nov 2023 22:52:37 +0800
+Subject: ARM: OMAP2+: Fix null pointer dereference and memory leak in
+ omap_soc_device_init
+
+From: Kunwu Chan <chentao@kylinos.cn>
+
+[ Upstream commit c72b9c33ef9695ad7ce7a6eb39a9df8a01b70796 ]
+
+kasprintf() returns a pointer to dynamically allocated memory which can
+be NULL upon failure. When 'soc_dev_attr->family' is NULL,it'll trigger
+the null pointer dereference issue, such as in 'soc_info_show'.
+
+And when 'soc_device_register' fails, it's necessary to release
+'soc_dev_attr->family' to avoid memory leaks.
+
+Fixes: 6770b2114325 ("ARM: OMAP2+: Export SoC information to userspace")
+Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
+Message-ID: <20231123145237.609442-1-chentao@kylinos.cn>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-omap2/id.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/arm/mach-omap2/id.c b/arch/arm/mach-omap2/id.c
+index 859c71c4e9324..df8a9dda67a01 100644
+--- a/arch/arm/mach-omap2/id.c
++++ b/arch/arm/mach-omap2/id.c
+@@ -800,10 +800,15 @@ void __init omap_soc_device_init(void)
+
+ soc_dev_attr->machine = soc_name;
+ soc_dev_attr->family = omap_get_family();
++ if (!soc_dev_attr->family) {
++ kfree(soc_dev_attr);
++ return;
++ }
+ soc_dev_attr->revision = soc_rev;
+
+ soc_dev = soc_device_register(soc_dev_attr);
+ if (IS_ERR(soc_dev)) {
++ kfree(soc_dev_attr->family);
+ kfree(soc_dev_attr);
+ return;
+ }
+--
+2.43.0
+
--- /dev/null
+From 5ca99893751b891069707981482c473648bf62bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Dec 2023 21:04:04 +0800
+Subject: ethernet: atheros: fix a memleak in atl1e_setup_ring_resources
+
+From: Zhipeng Lu <alexious@zju.edu.cn>
+
+[ Upstream commit 309fdb1c33fe726d92d0030481346f24e1b01f07 ]
+
+In the error handling of 'offset > adapter->ring_size', the
+tx_ring->tx_buffer allocated by kzalloc should be freed,
+instead of 'goto failed' instantly.
+
+Fixes: a6a5325239c2 ("atl1e: Atheros L1E Gigabit Ethernet driver")
+Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
+Reviewed-by: Suman Ghosh <sumang@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/atheros/atl1e/atl1e_main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
+index e4d58c7aeaf82..c72ba133072fb 100644
+--- a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
++++ b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
+@@ -881,10 +881,13 @@ static int atl1e_setup_ring_resources(struct atl1e_adapter *adapter)
+ netdev_err(adapter->netdev, "offset(%d) > ring size(%d) !!\n",
+ offset, adapter->ring_size);
+ err = -1;
+- goto failed;
++ goto free_buffer;
+ }
+
+ return 0;
++free_buffer:
++ kfree(tx_ring->tx_buffer);
++ tx_ring->tx_buffer = NULL;
+ failed:
+ if (adapter->ring_vir_addr != NULL) {
+ pci_free_consistent(pdev, adapter->ring_size,
+--
+2.43.0
+
--- /dev/null
+From e1a790bbacc9e84bb63df53fb8f0048727b4490f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Dec 2023 12:53:31 +0000
+Subject: net: check dev->gso_max_size in gso_features_check()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 24ab059d2ebd62fdccc43794796f6ffbabe49ebc ]
+
+Some drivers might misbehave if TSO packets get too big.
+
+GVE for instance uses a 16bit field in its TX descriptor,
+and will do bad things if a packet is bigger than 2^16 bytes.
+
+Linux TCP stack honors dev->gso_max_size, but there are
+other ways for too big packets to reach an ndo_start_xmit()
+handler : virtio_net, af_packet, GRO...
+
+Add a generic check in gso_features_check() and fallback
+to GSO when needed.
+
+gso_max_size was added in the blamed commit.
+
+Fixes: 82cc1a7a5687 ("[NET]: Add per-connection option to set max TSO frame size")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20231219125331.4127498-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index ea05db68aa95a..b5c9648c2192f 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3200,6 +3200,9 @@ static netdev_features_t gso_features_check(const struct sk_buff *skb,
+ if (gso_segs > dev->gso_max_segs)
+ return features & ~NETIF_F_GSO_MASK;
+
++ if (unlikely(skb->len >= READ_ONCE(dev->gso_max_size)))
++ return features & ~NETIF_F_GSO_MASK;
++
+ if (!skb_shinfo(skb)->gso_type) {
+ skb_warn_bad_offload(skb);
+ return features & ~NETIF_F_GSO_MASK;
+--
+2.43.0
+
--- /dev/null
+From e4ba74bf4526e7ca34db519ecd7d017357fabcff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Dec 2023 15:52:18 +0800
+Subject: net: check vlan filter feature in vlan_vids_add_by_dev() and
+ vlan_vids_del_by_dev()
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit 01a564bab4876007ce35f312e16797dfe40e4823 ]
+
+I got the below warning trace:
+
+WARNING: CPU: 4 PID: 4056 at net/core/dev.c:11066 unregister_netdevice_many_notify
+CPU: 4 PID: 4056 Comm: ip Not tainted 6.7.0-rc4+ #15
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
+RIP: 0010:unregister_netdevice_many_notify+0x9a4/0x9b0
+Call Trace:
+ rtnl_dellink
+ rtnetlink_rcv_msg
+ netlink_rcv_skb
+ netlink_unicast
+ netlink_sendmsg
+ __sock_sendmsg
+ ____sys_sendmsg
+ ___sys_sendmsg
+ __sys_sendmsg
+ do_syscall_64
+ entry_SYSCALL_64_after_hwframe
+
+It can be repoduced via:
+
+ ip netns add ns1
+ ip netns exec ns1 ip link add bond0 type bond mode 0
+ ip netns exec ns1 ip link add bond_slave_1 type veth peer veth2
+ ip netns exec ns1 ip link set bond_slave_1 master bond0
+[1] ip netns exec ns1 ethtool -K bond0 rx-vlan-filter off
+[2] ip netns exec ns1 ip link add link bond_slave_1 name bond_slave_1.0 type vlan id 0
+[3] ip netns exec ns1 ip link add link bond0 name bond0.0 type vlan id 0
+[4] ip netns exec ns1 ip link set bond_slave_1 nomaster
+[5] ip netns exec ns1 ip link del veth2
+ ip netns del ns1
+
+This is all caused by command [1] turning off the rx-vlan-filter function
+of bond0. The reason is the same as commit 01f4fd270870 ("bonding: Fix
+incorrect deletion of ETH_P_8021AD protocol vid from slaves"). Commands
+[2] [3] add the same vid to slave and master respectively, causing
+command [4] to empty slave->vlan_info. The following command [5] triggers
+this problem.
+
+To fix this problem, we should add VLAN_FILTER feature checks in
+vlan_vids_add_by_dev() and vlan_vids_del_by_dev() to prevent incorrect
+addition or deletion of vlan_vid information.
+
+Fixes: 348a1443cc43 ("vlan: introduce functions to do mass addition/deletion of vids by another device")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/8021q/vlan_core.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c
+index 4f60e86f4b8d3..e92c914316cbd 100644
+--- a/net/8021q/vlan_core.c
++++ b/net/8021q/vlan_core.c
+@@ -380,6 +380,8 @@ int vlan_vids_add_by_dev(struct net_device *dev,
+ return 0;
+
+ list_for_each_entry(vid_info, &vlan_info->vid_list, list) {
++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto))
++ continue;
+ err = vlan_vid_add(dev, vid_info->proto, vid_info->vid);
+ if (err)
+ goto unwind;
+@@ -390,6 +392,8 @@ int vlan_vids_add_by_dev(struct net_device *dev,
+ list_for_each_entry_continue_reverse(vid_info,
+ &vlan_info->vid_list,
+ list) {
++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto))
++ continue;
+ vlan_vid_del(dev, vid_info->proto, vid_info->vid);
+ }
+
+@@ -409,8 +413,11 @@ void vlan_vids_del_by_dev(struct net_device *dev,
+ if (!vlan_info)
+ return;
+
+- list_for_each_entry(vid_info, &vlan_info->vid_list, list)
++ list_for_each_entry(vid_info, &vlan_info->vid_list, list) {
++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto))
++ continue;
+ vlan_vid_del(dev, vid_info->proto, vid_info->vid);
++ }
+ }
+ EXPORT_SYMBOL(vlan_vids_del_by_dev);
+
+--
+2.43.0
+
--- /dev/null
+From 1869e35a601a1c20a8a23f32605a5bb3b38f3ccd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Nov 2023 11:30:34 +0200
+Subject: net/mlx5: Fix fw tracer first block check
+
+From: Moshe Shemesh <moshe@nvidia.com>
+
+[ Upstream commit 4261edf11cb7c9224af713a102e5616329306932 ]
+
+While handling new traces, to verify it is not the first block being
+written, last_timestamp is checked. But instead of checking it is non
+zero it is verified to be zero. Fix to verify last_timestamp is not
+zero.
+
+Fixes: c71ad41ccb0c ("net/mlx5: FW tracer, events handling")
+Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
+Reviewed-by: Feras Daoud <ferasda@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+index 21dbb25552140..24e9699434e36 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+@@ -652,7 +652,7 @@ static void mlx5_fw_tracer_handle_traces(struct work_struct *work)
+
+ while (block_timestamp > tracer->last_timestamp) {
+ /* Check block override if it's not the first block */
+- if (!tracer->last_timestamp) {
++ if (tracer->last_timestamp) {
+ u64 *ts_event;
+ /* To avoid block override be the HW in case of buffer
+ * wraparound, the time stamp of the previous block
+--
+2.43.0
+
--- /dev/null
+From 291ebd0d02ffe0378d7a830293256da879cc1836 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Apr 2020 20:57:20 +0800
+Subject: net/mlx5: improve some comments
+
+From: Hu Haowen <xianfengting221@163.com>
+
+[ Upstream commit 6533380dfd003ea7636cb5672f4f85124b56328b ]
+
+Replaced "its" with "it's".
+
+Signed-off-by: Hu Haowen <xianfengting221@163.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Stable-dep-of: 4261edf11cb7 ("net/mlx5: Fix fw tracer first block check")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+index 97e6b06b1bff3..21dbb25552140 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+@@ -651,7 +651,7 @@ static void mlx5_fw_tracer_handle_traces(struct work_struct *work)
+ get_block_timestamp(tracer, &tmp_trace_block[TRACES_PER_BLOCK - 1]);
+
+ while (block_timestamp > tracer->last_timestamp) {
+- /* Check block override if its not the first block */
++ /* Check block override if it's not the first block */
+ if (!tracer->last_timestamp) {
+ u64 *ts_event;
+ /* To avoid block override be the HW in case of buffer
+--
+2.43.0
+
--- /dev/null
+From 1a9f980e764e6b7beac5c2f17b73a1ab8282e89c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Dec 2023 15:27:47 +0000
+Subject: net/rose: fix races in rose_kill_by_device()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 64b8bc7d5f1434c636a40bdcfcd42b278d1714be ]
+
+syzbot found an interesting netdev refcounting issue in
+net/rose/af_rose.c, thanks to CONFIG_NET_DEV_REFCNT_TRACKER=y [1]
+
+Problem is that rose_kill_by_device() can change rose->device
+while other threads do not expect the pointer to be changed.
+
+We have to first collect sockets in a temporary array,
+then perform the changes while holding the socket
+lock and rose_list_lock spinlock (in this order)
+
+Change rose_release() to also acquire rose_list_lock
+before releasing the netdev refcount.
+
+[1]
+
+[ 1185.055088][ T7889] ref_tracker: reference already released.
+[ 1185.061476][ T7889] ref_tracker: allocated in:
+[ 1185.066081][ T7889] rose_bind+0x4ab/0xd10
+[ 1185.070446][ T7889] __sys_bind+0x1ec/0x220
+[ 1185.074818][ T7889] __x64_sys_bind+0x72/0xb0
+[ 1185.079356][ T7889] do_syscall_64+0x40/0x110
+[ 1185.083897][ T7889] entry_SYSCALL_64_after_hwframe+0x63/0x6b
+[ 1185.089835][ T7889] ref_tracker: freed in:
+[ 1185.094088][ T7889] rose_release+0x2f5/0x570
+[ 1185.098629][ T7889] __sock_release+0xae/0x260
+[ 1185.103262][ T7889] sock_close+0x1c/0x20
+[ 1185.107453][ T7889] __fput+0x270/0xbb0
+[ 1185.111467][ T7889] task_work_run+0x14d/0x240
+[ 1185.116085][ T7889] get_signal+0x106f/0x2790
+[ 1185.120622][ T7889] arch_do_signal_or_restart+0x90/0x7f0
+[ 1185.126205][ T7889] exit_to_user_mode_prepare+0x121/0x240
+[ 1185.131846][ T7889] syscall_exit_to_user_mode+0x1e/0x60
+[ 1185.137293][ T7889] do_syscall_64+0x4d/0x110
+[ 1185.141783][ T7889] entry_SYSCALL_64_after_hwframe+0x63/0x6b
+[ 1185.148085][ T7889] ------------[ cut here ]------------
+
+WARNING: CPU: 1 PID: 7889 at lib/ref_tracker.c:255 ref_tracker_free+0x61a/0x810 lib/ref_tracker.c:255
+Modules linked in:
+CPU: 1 PID: 7889 Comm: syz-executor.2 Not tainted 6.7.0-rc4-syzkaller-00162-g65c95f78917e #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
+RIP: 0010:ref_tracker_free+0x61a/0x810 lib/ref_tracker.c:255
+Code: 00 44 8b 6b 18 31 ff 44 89 ee e8 21 62 f5 fc 45 85 ed 0f 85 a6 00 00 00 e8 a3 66 f5 fc 48 8b 34 24 48 89 ef e8 27 5f f1 05 90 <0f> 0b 90 bb ea ff ff ff e9 52 fd ff ff e8 84 66 f5 fc 4c 8d 6d 44
+RSP: 0018:ffffc90004917850 EFLAGS: 00010202
+RAX: 0000000000000201 RBX: ffff88802618f4c0 RCX: 0000000000000000
+RDX: 0000000000000202 RSI: ffffffff8accb920 RDI: 0000000000000001
+RBP: ffff8880269ea5b8 R08: 0000000000000001 R09: fffffbfff23e35f6
+R10: ffffffff91f1afb7 R11: 0000000000000001 R12: 1ffff92000922f0c
+R13: 0000000005a2039b R14: ffff88802618f4d8 R15: 00000000ffffffff
+FS: 00007f0a720ef6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f43a819d988 CR3: 0000000076c64000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+<TASK>
+netdev_tracker_free include/linux/netdevice.h:4127 [inline]
+netdev_put include/linux/netdevice.h:4144 [inline]
+netdev_put include/linux/netdevice.h:4140 [inline]
+rose_kill_by_device net/rose/af_rose.c:195 [inline]
+rose_device_event+0x25d/0x330 net/rose/af_rose.c:218
+notifier_call_chain+0xb6/0x3b0 kernel/notifier.c:93
+call_netdevice_notifiers_info+0xbe/0x130 net/core/dev.c:1967
+call_netdevice_notifiers_extack net/core/dev.c:2005 [inline]
+call_netdevice_notifiers net/core/dev.c:2019 [inline]
+__dev_notify_flags+0x1f5/0x2e0 net/core/dev.c:8646
+dev_change_flags+0x122/0x170 net/core/dev.c:8682
+dev_ifsioc+0x9ad/0x1090 net/core/dev_ioctl.c:529
+dev_ioctl+0x224/0x1090 net/core/dev_ioctl.c:786
+sock_do_ioctl+0x198/0x270 net/socket.c:1234
+sock_ioctl+0x22e/0x6b0 net/socket.c:1339
+vfs_ioctl fs/ioctl.c:51 [inline]
+__do_sys_ioctl fs/ioctl.c:871 [inline]
+__se_sys_ioctl fs/ioctl.c:857 [inline]
+__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
+do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
+entry_SYSCALL_64_after_hwframe+0x63/0x6b
+RIP: 0033:0x7f0a7147cba9
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f0a720ef0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007f0a7159bf80 RCX: 00007f0a7147cba9
+RDX: 0000000020000040 RSI: 0000000000008914 RDI: 0000000000000004
+RBP: 00007f0a714c847a R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 000000000000000b R14: 00007f0a7159bf80 R15: 00007ffc8bb3a5f8
+</TASK>
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Bernard Pidoux <f6bvp@free.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rose/af_rose.c | 39 ++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 34 insertions(+), 5 deletions(-)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index d32fb40650a75..015e475f5554b 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -184,21 +184,47 @@ void rose_kill_by_neigh(struct rose_neigh *neigh)
+ */
+ static void rose_kill_by_device(struct net_device *dev)
+ {
+- struct sock *s;
++ struct sock *sk, *array[16];
++ struct rose_sock *rose;
++ bool rescan;
++ int i, cnt;
+
++start:
++ rescan = false;
++ cnt = 0;
+ spin_lock_bh(&rose_list_lock);
+- sk_for_each(s, &rose_list) {
+- struct rose_sock *rose = rose_sk(s);
++ sk_for_each(sk, &rose_list) {
++ rose = rose_sk(sk);
++ if (rose->device == dev) {
++ if (cnt == ARRAY_SIZE(array)) {
++ rescan = true;
++ break;
++ }
++ sock_hold(sk);
++ array[cnt++] = sk;
++ }
++ }
++ spin_unlock_bh(&rose_list_lock);
+
++ for (i = 0; i < cnt; i++) {
++ sk = array[cnt];
++ rose = rose_sk(sk);
++ lock_sock(sk);
++ spin_lock_bh(&rose_list_lock);
+ if (rose->device == dev) {
+- rose_disconnect(s, ENETUNREACH, ROSE_OUT_OF_ORDER, 0);
++ rose_disconnect(sk, ENETUNREACH, ROSE_OUT_OF_ORDER, 0);
+ if (rose->neighbour)
+ rose->neighbour->use--;
+ dev_put(rose->device);
+ rose->device = NULL;
+ }
++ spin_unlock_bh(&rose_list_lock);
++ release_sock(sk);
++ sock_put(sk);
++ cond_resched();
+ }
+- spin_unlock_bh(&rose_list_lock);
++ if (rescan)
++ goto start;
+ }
+
+ /*
+@@ -658,7 +684,10 @@ static int rose_release(struct socket *sock)
+ break;
+ }
+
++ spin_lock_bh(&rose_list_lock);
+ dev_put(rose->device);
++ rose->device = NULL;
++ spin_unlock_bh(&rose_list_lock);
+ sock->sk = NULL;
+ release_sock(sk);
+ sock_put(sk);
+--
+2.43.0
+
--- /dev/null
+From 91b0f15112a3b66f4aa316ce634ff169060aa78e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Dec 2023 11:30:38 +0000
+Subject: net: sched: ife: fix potential use-after-free
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 19391a2ca98baa7b80279306cdf7dd43f81fa595 ]
+
+ife_decode() calls pskb_may_pull() two times, we need to reload
+ifehdr after the second one, or risk use-after-free as reported
+by syzbot:
+
+BUG: KASAN: slab-use-after-free in __ife_tlv_meta_valid net/ife/ife.c:108 [inline]
+BUG: KASAN: slab-use-after-free in ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131
+Read of size 2 at addr ffff88802d7300a4 by task syz-executor.5/22323
+
+CPU: 0 PID: 22323 Comm: syz-executor.5 Not tainted 6.7.0-rc3-syzkaller-00804-g074ac38d5b95 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
+Call Trace:
+<TASK>
+__dump_stack lib/dump_stack.c:88 [inline]
+dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
+print_address_description mm/kasan/report.c:364 [inline]
+print_report+0xc4/0x620 mm/kasan/report.c:475
+kasan_report+0xda/0x110 mm/kasan/report.c:588
+__ife_tlv_meta_valid net/ife/ife.c:108 [inline]
+ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131
+tcf_ife_decode net/sched/act_ife.c:739 [inline]
+tcf_ife_act+0x4e3/0x1cd0 net/sched/act_ife.c:879
+tc_act include/net/tc_wrapper.h:221 [inline]
+tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079
+tcf_exts_exec include/net/pkt_cls.h:344 [inline]
+mall_classify+0x201/0x310 net/sched/cls_matchall.c:42
+tc_classify include/net/tc_wrapper.h:227 [inline]
+__tcf_classify net/sched/cls_api.c:1703 [inline]
+tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800
+hfsc_classify net/sched/sch_hfsc.c:1147 [inline]
+hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546
+dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739
+__dev_xmit_skb net/core/dev.c:3828 [inline]
+__dev_queue_xmit+0x1de1/0x3d30 net/core/dev.c:4311
+dev_queue_xmit include/linux/netdevice.h:3165 [inline]
+packet_xmit+0x237/0x350 net/packet/af_packet.c:276
+packet_snd net/packet/af_packet.c:3081 [inline]
+packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113
+sock_sendmsg_nosec net/socket.c:730 [inline]
+__sock_sendmsg+0xd5/0x180 net/socket.c:745
+__sys_sendto+0x255/0x340 net/socket.c:2190
+__do_sys_sendto net/socket.c:2202 [inline]
+__se_sys_sendto net/socket.c:2198 [inline]
+__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
+do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
+entry_SYSCALL_64_after_hwframe+0x63/0x6b
+RIP: 0033:0x7fe9acc7cae9
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fe9ada450c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 00007fe9acd9bf80 RCX: 00007fe9acc7cae9
+RDX: 000000000000fce0 RSI: 00000000200002c0 RDI: 0000000000000003
+RBP: 00007fe9accc847a R08: 0000000020000140 R09: 0000000000000014
+R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
+R13: 000000000000000b R14: 00007fe9acd9bf80 R15: 00007ffd5427ae78
+</TASK>
+
+Allocated by task 22323:
+kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
+kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+____kasan_kmalloc mm/kasan/common.c:374 [inline]
+__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
+kasan_kmalloc include/linux/kasan.h:198 [inline]
+__do_kmalloc_node mm/slab_common.c:1007 [inline]
+__kmalloc_node_track_caller+0x5a/0x90 mm/slab_common.c:1027
+kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582
+__alloc_skb+0x12b/0x330 net/core/skbuff.c:651
+alloc_skb include/linux/skbuff.h:1298 [inline]
+alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
+sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
+packet_alloc_skb net/packet/af_packet.c:2930 [inline]
+packet_snd net/packet/af_packet.c:3024 [inline]
+packet_sendmsg+0x1e2a/0x5200 net/packet/af_packet.c:3113
+sock_sendmsg_nosec net/socket.c:730 [inline]
+__sock_sendmsg+0xd5/0x180 net/socket.c:745
+__sys_sendto+0x255/0x340 net/socket.c:2190
+__do_sys_sendto net/socket.c:2202 [inline]
+__se_sys_sendto net/socket.c:2198 [inline]
+__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
+do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
+entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+Freed by task 22323:
+kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
+kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
+____kasan_slab_free mm/kasan/common.c:236 [inline]
+____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
+kasan_slab_free include/linux/kasan.h:164 [inline]
+slab_free_hook mm/slub.c:1800 [inline]
+slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
+slab_free mm/slub.c:3809 [inline]
+__kmem_cache_free+0xc0/0x180 mm/slub.c:3822
+skb_kfree_head net/core/skbuff.c:950 [inline]
+skb_free_head+0x110/0x1b0 net/core/skbuff.c:962
+pskb_expand_head+0x3c5/0x1170 net/core/skbuff.c:2130
+__pskb_pull_tail+0xe1/0x1830 net/core/skbuff.c:2655
+pskb_may_pull_reason include/linux/skbuff.h:2685 [inline]
+pskb_may_pull include/linux/skbuff.h:2693 [inline]
+ife_decode+0x394/0x4f0 net/ife/ife.c:82
+tcf_ife_decode net/sched/act_ife.c:727 [inline]
+tcf_ife_act+0x43b/0x1cd0 net/sched/act_ife.c:879
+tc_act include/net/tc_wrapper.h:221 [inline]
+tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079
+tcf_exts_exec include/net/pkt_cls.h:344 [inline]
+mall_classify+0x201/0x310 net/sched/cls_matchall.c:42
+tc_classify include/net/tc_wrapper.h:227 [inline]
+__tcf_classify net/sched/cls_api.c:1703 [inline]
+tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800
+hfsc_classify net/sched/sch_hfsc.c:1147 [inline]
+hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546
+dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739
+__dev_xmit_skb net/core/dev.c:3828 [inline]
+__dev_queue_xmit+0x1de1/0x3d30 net/core/dev.c:4311
+dev_queue_xmit include/linux/netdevice.h:3165 [inline]
+packet_xmit+0x237/0x350 net/packet/af_packet.c:276
+packet_snd net/packet/af_packet.c:3081 [inline]
+packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113
+sock_sendmsg_nosec net/socket.c:730 [inline]
+__sock_sendmsg+0xd5/0x180 net/socket.c:745
+__sys_sendto+0x255/0x340 net/socket.c:2190
+__do_sys_sendto net/socket.c:2202 [inline]
+__se_sys_sendto net/socket.c:2198 [inline]
+__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
+do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
+entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+The buggy address belongs to the object at ffff88802d730000
+which belongs to the cache kmalloc-8k of size 8192
+The buggy address is located 164 bytes inside of
+freed 8192-byte region [ffff88802d730000, ffff88802d732000)
+
+The buggy address belongs to the physical page:
+page:ffffea0000b5cc00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2d730
+head:ffffea0000b5cc00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
+page_type: 0xffffffff()
+raw: 00fff00000000840 ffff888013042280 dead000000000122 0000000000000000
+raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 22323, tgid 22320 (syz-executor.5), ts 950317230369, free_ts 950233467461
+set_page_owner include/linux/page_owner.h:31 [inline]
+post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1544
+prep_new_page mm/page_alloc.c:1551 [inline]
+get_page_from_freelist+0xa28/0x3730 mm/page_alloc.c:3319
+__alloc_pages+0x22e/0x2420 mm/page_alloc.c:4575
+alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
+alloc_slab_page mm/slub.c:1870 [inline]
+allocate_slab mm/slub.c:2017 [inline]
+new_slab+0x283/0x3c0 mm/slub.c:2070
+___slab_alloc+0x979/0x1500 mm/slub.c:3223
+__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
+__slab_alloc_node mm/slub.c:3375 [inline]
+slab_alloc_node mm/slub.c:3468 [inline]
+__kmem_cache_alloc_node+0x131/0x310 mm/slub.c:3517
+__do_kmalloc_node mm/slab_common.c:1006 [inline]
+__kmalloc_node_track_caller+0x4a/0x90 mm/slab_common.c:1027
+kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582
+__alloc_skb+0x12b/0x330 net/core/skbuff.c:651
+alloc_skb include/linux/skbuff.h:1298 [inline]
+alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
+sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
+packet_alloc_skb net/packet/af_packet.c:2930 [inline]
+packet_snd net/packet/af_packet.c:3024 [inline]
+packet_sendmsg+0x1e2a/0x5200 net/packet/af_packet.c:3113
+sock_sendmsg_nosec net/socket.c:730 [inline]
+__sock_sendmsg+0xd5/0x180 net/socket.c:745
+__sys_sendto+0x255/0x340 net/socket.c:2190
+page last free stack trace:
+reset_page_owner include/linux/page_owner.h:24 [inline]
+free_pages_prepare mm/page_alloc.c:1144 [inline]
+free_unref_page_prepare+0x53c/0xb80 mm/page_alloc.c:2354
+free_unref_page+0x33/0x3b0 mm/page_alloc.c:2494
+__unfreeze_partials+0x226/0x240 mm/slub.c:2655
+qlink_free mm/kasan/quarantine.c:168 [inline]
+qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
+kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:294
+__kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
+kasan_slab_alloc include/linux/kasan.h:188 [inline]
+slab_post_alloc_hook mm/slab.h:763 [inline]
+slab_alloc_node mm/slub.c:3478 [inline]
+slab_alloc mm/slub.c:3486 [inline]
+__kmem_cache_alloc_lru mm/slub.c:3493 [inline]
+kmem_cache_alloc_lru+0x219/0x6f0 mm/slub.c:3509
+alloc_inode_sb include/linux/fs.h:2937 [inline]
+ext4_alloc_inode+0x28/0x650 fs/ext4/super.c:1408
+alloc_inode+0x5d/0x220 fs/inode.c:261
+new_inode_pseudo fs/inode.c:1006 [inline]
+new_inode+0x22/0x260 fs/inode.c:1032
+__ext4_new_inode+0x333/0x5200 fs/ext4/ialloc.c:958
+ext4_symlink+0x5d7/0xa20 fs/ext4/namei.c:3398
+vfs_symlink fs/namei.c:4464 [inline]
+vfs_symlink+0x3e5/0x620 fs/namei.c:4448
+do_symlinkat+0x25f/0x310 fs/namei.c:4490
+__do_sys_symlinkat fs/namei.c:4506 [inline]
+__se_sys_symlinkat fs/namei.c:4503 [inline]
+__x64_sys_symlinkat+0x97/0xc0 fs/namei.c:4503
+do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
+
+Fixes: d57493d6d1be ("net: sched: ife: check on metadata length")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: Alexander Aring <aahringo@redhat.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ife/ife.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ife/ife.c b/net/ife/ife.c
+index 13bbf8cb6a396..be05b690b9ef2 100644
+--- a/net/ife/ife.c
++++ b/net/ife/ife.c
+@@ -82,6 +82,7 @@ void *ife_decode(struct sk_buff *skb, u16 *metalen)
+ if (unlikely(!pskb_may_pull(skb, total_pull)))
+ return NULL;
+
++ ifehdr = (struct ifeheadr *)(skb->data + skb->dev->hard_header_len);
+ skb_set_mac_header(skb, total_pull);
+ __skb_pull(skb, total_pull);
+ *metalen = ifehdrln - IFE_METAHDRLEN;
+--
+2.43.0
+
--- /dev/null
+From 682d37842719da6758569bf59701d52a015fd500 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Nov 2020 00:22:20 +0100
+Subject: net: warn if gso_type isn't set for a GSO SKB
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit 1d155dfdf50efc2b0793bce93c06d1a5b23d0877 ]
+
+In bug report [0] a warning in r8169 driver was reported that was
+caused by an invalid GSO SKB (gso_type was 0). See [1] for a discussion
+about this issue. Still the origin of the invalid GSO SKB isn't clear.
+
+It shouldn't be a network drivers task to check for invalid GSO SKB's.
+Also, even if issue [0] can be fixed, we can't be sure that a
+similar issue doesn't pop up again at another place.
+Therefore let gso_features_check() check for such invalid GSO SKB's.
+
+[0] https://bugzilla.kernel.org/show_bug.cgi?id=209423
+[1] https://www.spinics.net/lists/netdev/msg690794.html
+
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Link: https://lore.kernel.org/r/97c78d21-7f0b-d843-df17-3589f224d2cf@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 24ab059d2ebd ("net: check dev->gso_max_size in gso_features_check()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 0f9214fb36e01..ea05db68aa95a 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3200,6 +3200,11 @@ static netdev_features_t gso_features_check(const struct sk_buff *skb,
+ if (gso_segs > dev->gso_max_segs)
+ return features & ~NETIF_F_GSO_MASK;
+
++ if (!skb_shinfo(skb)->gso_type) {
++ skb_warn_bad_offload(skb);
++ return features & ~NETIF_F_GSO_MASK;
++ }
++
+ /* Support for GSO partial features requires software
+ * intervention before we can actually process the packets
+ * so we need to strip support for any partial features now
+--
+2.43.0
+
--- /dev/null
+From ee854c1285102b29dbfab8d1cf2c4cc6c87f5bee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Nov 2023 17:55:33 +0100
+Subject: reset: Fix crash when freeing non-existent optional resets
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 4a6756f56bcf8e64c87144a626ce53aea4899c0e ]
+
+When obtaining one or more optional resets, non-existent resets are
+stored as NULL pointers, and all related error and cleanup paths need to
+take this into account.
+
+Currently only reset_control_put() and reset_control_bulk_put()
+get this right. All of __reset_control_bulk_get(),
+of_reset_control_array_get(), and reset_control_array_put() lack the
+proper checking, causing NULL pointer dereferences on failure or
+release.
+
+Fix this by moving the existing check from reset_control_bulk_put() to
+__reset_control_put_internal(), so it applies to all callers.
+The double check in reset_control_put() doesn't hurt.
+
+Fixes: 17c82e206d2a3cd8 ("reset: Add APIs to manage array of resets")
+Fixes: 48d71395896d54ee ("reset: Add reset_control_bulk API")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/2440edae7ca8534628cdbaf559ded288f2998178.1701276806.git.geert+renesas@glider.be
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/reset/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/reset/core.c b/drivers/reset/core.c
+index ccb97f4e31c38..1680d27040c9b 100644
+--- a/drivers/reset/core.c
++++ b/drivers/reset/core.c
+@@ -459,6 +459,9 @@ static void __reset_control_put_internal(struct reset_control *rstc)
+ {
+ lockdep_assert_held(&reset_list_mutex);
+
++ if (IS_ERR_OR_NULL(rstc))
++ return;
++
+ kref_put(&rstc->refcnt, __reset_control_release);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 2f746850fb93801721d44a9ec905ec019397d129 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Dec 2023 15:03:15 +0100
+Subject: s390/vx: fix save/restore of fpu kernel context
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit e6b2dab41888332bf83f592131e7ea07756770a4 ]
+
+The KERNEL_FPR mask only contains a flag for the first eight vector
+registers. However floating point registers overlay parts of the first
+sixteen vector registers.
+
+This could lead to vector register corruption if a kernel fpu context uses
+any of the vector registers 8 to 15 and is interrupted or calls a
+KERNEL_FPR context. If that context uses also vector registers 8 to 15,
+their contents will be corrupted on return.
+
+Luckily this is currently not a real bug, since the kernel has only one
+KERNEL_FPR user with s390_adjust_jiffies() and it is only using floating
+point registers 0 to 2.
+
+Fix this by using the correct bits for KERNEL_FPR.
+
+Fixes: 7f79695cc1b6 ("s390/fpu: improve kernel_fpu_[begin|end]")
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/include/asm/fpu/api.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/include/asm/fpu/api.h b/arch/s390/include/asm/fpu/api.h
+index 34a7ae68485c6..be16a6c0f1276 100644
+--- a/arch/s390/include/asm/fpu/api.h
++++ b/arch/s390/include/asm/fpu/api.h
+@@ -76,7 +76,7 @@ static inline int test_fp_ctl(u32 fpc)
+ #define KERNEL_VXR_HIGH (KERNEL_VXR_V16V23|KERNEL_VXR_V24V31)
+
+ #define KERNEL_VXR (KERNEL_VXR_LOW|KERNEL_VXR_HIGH)
+-#define KERNEL_FPR (KERNEL_FPC|KERNEL_VXR_V0V7)
++#define KERNEL_FPR (KERNEL_FPC|KERNEL_VXR_LOW)
+
+ struct kernel_fpu;
+
+--
+2.43.0
+
alsa-hda-realtek-enable-headset-onlenovo-m70-m90.patch
alsa-hda-realtek-enable-headset-on-lenovo-m90-gen5.patch
ksmbd-fix-wrong-name-of-smb2_create_allocation_size.patch
+arm-omap2-fix-null-pointer-dereference-and-memory-le.patch
+reset-fix-crash-when-freeing-non-existent-optional-r.patch
+s390-vx-fix-save-restore-of-fpu-kernel-context.patch
+wifi-mac80211-mesh_plink-fix-matches_local-logic.patch
+net-mlx5-improve-some-comments.patch
+net-mlx5-fix-fw-tracer-first-block-check.patch
+net-sched-ife-fix-potential-use-after-free.patch
+ethernet-atheros-fix-a-memleak-in-atl1e_setup_ring_r.patch
+net-rose-fix-races-in-rose_kill_by_device.patch
+net-check-vlan-filter-feature-in-vlan_vids_add_by_de.patch
+afs-fix-the-dynamic-root-s-d_delete-to-always-delete.patch
+net-warn-if-gso_type-isn-t-set-for-a-gso-skb.patch
+net-check-dev-gso_max_size-in-gso_features_check.patch
--- /dev/null
+From 0aed0e5ef71e0d16fd1cda8a20a7afddb292f4b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Dec 2023 09:05:31 +0200
+Subject: wifi: mac80211: mesh_plink: fix matches_local logic
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 8c386b166e2517cf3a123018e77941ec22625d0f ]
+
+During refactoring the "else" here got lost, add it back.
+
+Fixes: c99a89edb106 ("mac80211: factor out plink event gathering")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20231211085121.795480fa0e0b.I017d501196a5bbdcd9afd33338d342d6fe1edd79@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh_plink.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
+index 5b5b0f95ffd13..c7f47dba884e8 100644
+--- a/net/mac80211/mesh_plink.c
++++ b/net/mac80211/mesh_plink.c
+@@ -1022,8 +1022,8 @@ mesh_plink_get_event(struct ieee80211_sub_if_data *sdata,
+ case WLAN_SP_MESH_PEERING_OPEN:
+ if (!matches_local)
+ event = OPN_RJCT;
+- if (!mesh_plink_free_count(sdata) ||
+- (sta->mesh->plid && sta->mesh->plid != plid))
++ else if (!mesh_plink_free_count(sdata) ||
++ (sta->mesh->plid && sta->mesh->plid != plid))
+ event = OPN_IGNR;
+ else
+ event = OPN_ACPT;
+@@ -1031,9 +1031,9 @@ mesh_plink_get_event(struct ieee80211_sub_if_data *sdata,
+ case WLAN_SP_MESH_PEERING_CONFIRM:
+ if (!matches_local)
+ event = CNF_RJCT;
+- if (!mesh_plink_free_count(sdata) ||
+- sta->mesh->llid != llid ||
+- (sta->mesh->plid && sta->mesh->plid != plid))
++ else if (!mesh_plink_free_count(sdata) ||
++ sta->mesh->llid != llid ||
++ (sta->mesh->plid && sta->mesh->plid != plid))
+ event = CNF_IGNR;
+ else
+ event = CNF_ACPT;
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
