--- /dev/null
+From e764e3f7685ecc11a2c8e1a3a26cf7c28c6bea86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Dec 2023 15:15:02 +0000
+Subject: afs: Fix dynamic root lookup DNS check
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 74cef6872ceaefb5b6c5c60641371ea28702d358 ]
+
+In the afs dynamic root directory, the ->lookup() function does a DNS check
+on the cell being asked for and if the DNS upcall reports an error it will
+report an error back to userspace (typically ENOENT).
+
+However, if a failed DNS upcall returns a new-style result, it will return
+a valid result, with the status field set appropriately to indicate the
+type of failure - and in that case, dns_query() doesn't return an error and
+we let stat() complete with no error - which can cause confusion in
+userspace as subsequent calls that trigger d_automount then fail with
+ENOENT.
+
+Fix this by checking the status result from a valid dns_query() and
+returning an error if it indicates a failure.
+
+Fixes: bbb4c4323a4d ("dns: Allow the dns resolver to retrieve a server set")
+Reported-by: Markus Suvanto <markus.suvanto@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=216637
+Signed-off-by: David Howells <dhowells@redhat.com>
+Tested-by: Markus Suvanto <markus.suvanto@gmail.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/dynroot.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
+index 910c8a7a685ce..9937993cf29dc 100644
+--- a/fs/afs/dynroot.c
++++ b/fs/afs/dynroot.c
+@@ -114,6 +114,7 @@ static int afs_probe_cell_name(struct dentry *dentry)
+ struct afs_net *net = afs_d2net(dentry);
+ const char *name = dentry->d_name.name;
+ size_t len = dentry->d_name.len;
++ char *result = NULL;
+ int ret;
+
+ /* Names prefixed with a dot are R/W mounts. */
+@@ -131,9 +132,22 @@ static int afs_probe_cell_name(struct dentry *dentry)
+ }
+
+ ret = dns_query(net->net, "afsdb", name, len, "srv=1",
+- NULL, NULL, false);
+- if (ret == -ENODATA || ret == -ENOKEY)
++ &result, NULL, false);
++ if (ret == -ENODATA || ret == -ENOKEY || ret == 0)
+ ret = -ENOENT;
++ if (ret > 0 && ret >= sizeof(struct dns_server_list_v1_header)) {
++ struct dns_server_list_v1_header *v1 = (void *)result;
++
++ if (v1->hdr.zero == 0 &&
++ v1->hdr.content == DNS_PAYLOAD_IS_SERVER_LIST &&
++ v1->hdr.version == 1 &&
++ (v1->status != DNS_LOOKUP_GOOD &&
++ v1->status != DNS_LOOKUP_GOOD_WITH_BAD))
++ return -ENOENT;
++
++ }
++
++ kfree(result);
+ return ret;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 0f0eae27bcdaff7e295417bc757966b3e6ed193b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Dec 2023 15:09:31 +0000
+Subject: afs: Fix overwriting of result of DNS query
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit a9e01ac8c5ff32669119c40dfdc9e80eb0b7d7aa ]
+
+In afs_update_cell(), ret is the result of the DNS lookup and the errors
+are to be handled by a switch - however, the value gets clobbered in
+between by setting it to -ENOMEM in case afs_alloc_vlserver_list()
+fails.
+
+Fix this by moving the setting of -ENOMEM into the error handling for
+OOM failure. Further, only do it if we don't have an alternative error
+to return.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE. Based
+on a patch from Anastasia Belova [1].
+
+Fixes: d5c32c89b208 ("afs: Fix cell DNS lookup")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
+cc: Anastasia Belova <abelova@astralinux.ru>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+cc: lvc-project@linuxtesting.org
+Link: https://lore.kernel.org/r/20231221085849.1463-1-abelova@astralinux.ru/ [1]
+Link: https://lore.kernel.org/r/1700862.1703168632@warthog.procyon.org.uk/ # v1
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/cell.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/afs/cell.c b/fs/afs/cell.c
+index 988c2ac7cecec..926cb1188eba6 100644
+--- a/fs/afs/cell.c
++++ b/fs/afs/cell.c
+@@ -409,10 +409,12 @@ static int afs_update_cell(struct afs_cell *cell)
+ if (ret == -ENOMEM)
+ goto out_wake;
+
+- ret = -ENOMEM;
+ vllist = afs_alloc_vlserver_list(0);
+- if (!vllist)
++ if (!vllist) {
++ if (ret >= 0)
++ ret = -ENOMEM;
+ goto out_wake;
++ }
+
+ switch (ret) {
+ case -ENODATA:
+--
+2.43.0
+
--- /dev/null
+From 1d4ab22498e9b04a6f9bfbb6718f4b42e1432949 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Dec 2023 15:08:57 +0000
+Subject: afs: Fix the dynamic root's d_delete to always delete unused dentries
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 71f8b55bc30e82d6355e07811213d847981a32e2 ]
+
+Fix the afs dynamic root's d_delete function to always delete unused
+dentries rather than only deleting them if they're positive. With things
+as they stand upstream, negative dentries stemming from failed DNS lookups
+stick around preventing retries.
+
+Fixes: 66c7e1d319a5 ("afs: Split the dynroot stuff out and give it its own ops tables")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Tested-by: Markus Suvanto <markus.suvanto@gmail.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/dynroot.c | 13 +------------
+ 1 file changed, 1 insertion(+), 12 deletions(-)
+
+diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
+index 91e804c70dd0a..910c8a7a685ce 100644
+--- a/fs/afs/dynroot.c
++++ b/fs/afs/dynroot.c
+@@ -252,20 +252,9 @@ static int afs_dynroot_d_revalidate(struct dentry *dentry, unsigned int flags)
+ return 1;
+ }
+
+-/*
+- * Allow the VFS to enquire as to whether a dentry should be unhashed (mustn't
+- * sleep)
+- * - called from dput() when d_count is going to 0.
+- * - return 1 to request dentry be unhashed, 0 otherwise
+- */
+-static int afs_dynroot_d_delete(const struct dentry *dentry)
+-{
+- return d_really_is_positive(dentry);
+-}
+-
+ const struct dentry_operations afs_dynroot_dentry_operations = {
+ .d_revalidate = afs_dynroot_d_revalidate,
+- .d_delete = afs_dynroot_d_delete,
++ .d_delete = always_delete_dentry,
+ .d_release = afs_d_release,
+ .d_automount = afs_d_automount,
+ };
+--
+2.43.0
+
--- /dev/null
+From 7a8d7d64a37240605efb45bed4a90ce8aaff70a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Dec 2023 13:57:31 +0000
+Subject: afs: Fix use-after-free due to get/remove race in volume tree
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 9a6b294ab496650e9f270123730df37030911b55 ]
+
+When an afs_volume struct is put, its refcount is reduced to 0 before
+the cell->volume_lock is taken and the volume removed from the
+cell->volumes tree.
+
+Unfortunately, this means that the lookup code can race and see a volume
+with a zero ref in the tree, resulting in a use-after-free:
+
+ refcount_t: addition on 0; use-after-free.
+ WARNING: CPU: 3 PID: 130782 at lib/refcount.c:25 refcount_warn_saturate+0x7a/0xda
+ ...
+ RIP: 0010:refcount_warn_saturate+0x7a/0xda
+ ...
+ Call Trace:
+ afs_get_volume+0x3d/0x55
+ afs_create_volume+0x126/0x1de
+ afs_validate_fc+0xfe/0x130
+ afs_get_tree+0x20/0x2e5
+ vfs_get_tree+0x1d/0xc9
+ do_new_mount+0x13b/0x22e
+ do_mount+0x5d/0x8a
+ __do_sys_mount+0x100/0x12a
+ do_syscall_64+0x3a/0x94
+ entry_SYSCALL_64_after_hwframe+0x62/0x6a
+
+Fix this by:
+
+ (1) When putting, use a flag to indicate if the volume has been removed
+ from the tree and skip the rb_erase if it has.
+
+ (2) When looking up, use a conditional ref increment and if it fails
+ because the refcount is 0, replace the node in the tree and set the
+ removal flag.
+
+Fixes: 20325960f875 ("afs: Reorganise volume and server trees to be rooted on the cell")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/internal.h | 2 ++
+ fs/afs/volume.c | 26 +++++++++++++++++++++++---
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/fs/afs/internal.h b/fs/afs/internal.h
+index c2d70fc1698c0..fcbb598d8c85d 100644
+--- a/fs/afs/internal.h
++++ b/fs/afs/internal.h
+@@ -585,6 +585,7 @@ struct afs_volume {
+ #define AFS_VOLUME_OFFLINE 4 /* - T if volume offline notice given */
+ #define AFS_VOLUME_BUSY 5 /* - T if volume busy notice given */
+ #define AFS_VOLUME_MAYBE_NO_IBULK 6 /* - T if some servers don't have InlineBulkStatus */
++#define AFS_VOLUME_RM_TREE 7 /* - Set if volume removed from cell->volumes */
+ #ifdef CONFIG_AFS_FSCACHE
+ struct fscache_volume *cache; /* Caching cookie */
+ #endif
+@@ -1517,6 +1518,7 @@ extern struct afs_vlserver_list *afs_extract_vlserver_list(struct afs_cell *,
+ extern struct afs_volume *afs_create_volume(struct afs_fs_context *);
+ extern int afs_activate_volume(struct afs_volume *);
+ extern void afs_deactivate_volume(struct afs_volume *);
++bool afs_try_get_volume(struct afs_volume *volume, enum afs_volume_trace reason);
+ extern struct afs_volume *afs_get_volume(struct afs_volume *, enum afs_volume_trace);
+ extern void afs_put_volume(struct afs_net *, struct afs_volume *, enum afs_volume_trace);
+ extern int afs_check_volume_status(struct afs_volume *, struct afs_operation *);
+diff --git a/fs/afs/volume.c b/fs/afs/volume.c
+index f4937029dcd72..1c9144e3e83ac 100644
+--- a/fs/afs/volume.c
++++ b/fs/afs/volume.c
+@@ -32,8 +32,13 @@ static struct afs_volume *afs_insert_volume_into_cell(struct afs_cell *cell,
+ } else if (p->vid > volume->vid) {
+ pp = &(*pp)->rb_right;
+ } else {
+- volume = afs_get_volume(p, afs_volume_trace_get_cell_insert);
+- goto found;
++ if (afs_try_get_volume(p, afs_volume_trace_get_cell_insert)) {
++ volume = p;
++ goto found;
++ }
++
++ set_bit(AFS_VOLUME_RM_TREE, &volume->flags);
++ rb_replace_node_rcu(&p->cell_node, &volume->cell_node, &cell->volumes);
+ }
+ }
+
+@@ -56,7 +61,8 @@ static void afs_remove_volume_from_cell(struct afs_volume *volume)
+ afs_volume_trace_remove);
+ write_seqlock(&cell->volume_lock);
+ hlist_del_rcu(&volume->proc_link);
+- rb_erase(&volume->cell_node, &cell->volumes);
++ if (!test_and_set_bit(AFS_VOLUME_RM_TREE, &volume->flags))
++ rb_erase(&volume->cell_node, &cell->volumes);
+ write_sequnlock(&cell->volume_lock);
+ }
+ }
+@@ -235,6 +241,20 @@ static void afs_destroy_volume(struct afs_net *net, struct afs_volume *volume)
+ _leave(" [destroyed]");
+ }
+
++/*
++ * Try to get a reference on a volume record.
++ */
++bool afs_try_get_volume(struct afs_volume *volume, enum afs_volume_trace reason)
++{
++ int r;
++
++ if (__refcount_inc_not_zero(&volume->ref, &r)) {
++ trace_afs_volume(volume->vid, r + 1, reason);
++ return true;
++ }
++ return false;
++}
++
+ /*
+ * Get a reference on a volume record.
+ */
+--
+2.43.0
+
--- /dev/null
+From a0cf7e6a807e3f85c91ba114e895bd3c6c03e289 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Nov 2023 12:16:04 -0600
+Subject: ARM: dts: dra7: Fix DRA7 L3 NoC node register size
+
+From: Andrew Davis <afd@ti.com>
+
+[ Upstream commit 1e5caee2ba8f1426e8098afb4ca38dc40a0ca71b ]
+
+This node can access any part of the L3 configuration registers space,
+including CLK1 and CLK2 which are 0x800000 offset. Restore this area
+size to include these areas.
+
+Fixes: 7f2659ce657e ("ARM: dts: Move dra7 l3 noc to a separate node")
+Signed-off-by: Andrew Davis <afd@ti.com>
+Message-ID: <20231113181604.546444-1-afd@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/dra7.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/dra7.dtsi b/arch/arm/boot/dts/dra7.dtsi
+index 97ce0c4f1df7e..a79920ec461f0 100644
+--- a/arch/arm/boot/dts/dra7.dtsi
++++ b/arch/arm/boot/dts/dra7.dtsi
+@@ -144,7 +144,7 @@
+
+ l3-noc@44000000 {
+ compatible = "ti,dra7-l3-noc";
+- reg = <0x44000000 0x1000>,
++ reg = <0x44000000 0x1000000>,
+ <0x45000000 0x1000>;
+ interrupts-extended = <&crossbar_mpu GIC_SPI 4 IRQ_TYPE_LEVEL_HIGH>,
+ <&wakeupgen GIC_SPI 10 IRQ_TYPE_LEVEL_HIGH>;
+--
+2.43.0
+
--- /dev/null
+From c205d41e85f9981dea115739bae12f1463da7ecb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Nov 2023 22:52:37 +0800
+Subject: ARM: OMAP2+: Fix null pointer dereference and memory leak in
+ omap_soc_device_init
+
+From: Kunwu Chan <chentao@kylinos.cn>
+
+[ Upstream commit c72b9c33ef9695ad7ce7a6eb39a9df8a01b70796 ]
+
+kasprintf() returns a pointer to dynamically allocated memory which can
+be NULL upon failure. When 'soc_dev_attr->family' is NULL,it'll trigger
+the null pointer dereference issue, such as in 'soc_info_show'.
+
+And when 'soc_device_register' fails, it's necessary to release
+'soc_dev_attr->family' to avoid memory leaks.
+
+Fixes: 6770b2114325 ("ARM: OMAP2+: Export SoC information to userspace")
+Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
+Message-ID: <20231123145237.609442-1-chentao@kylinos.cn>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-omap2/id.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/arm/mach-omap2/id.c b/arch/arm/mach-omap2/id.c
+index 59755b5a1ad7a..75091aa7269ae 100644
+--- a/arch/arm/mach-omap2/id.c
++++ b/arch/arm/mach-omap2/id.c
+@@ -793,11 +793,16 @@ void __init omap_soc_device_init(void)
+
+ soc_dev_attr->machine = soc_name;
+ soc_dev_attr->family = omap_get_family();
++ if (!soc_dev_attr->family) {
++ kfree(soc_dev_attr);
++ return;
++ }
+ soc_dev_attr->revision = soc_rev;
+ soc_dev_attr->custom_attr_group = omap_soc_groups[0];
+
+ soc_dev = soc_device_register(soc_dev_attr);
+ if (IS_ERR(soc_dev)) {
++ kfree(soc_dev_attr->family);
+ kfree(soc_dev_attr);
+ return;
+ }
+--
+2.43.0
+
--- /dev/null
+From 0339b3b0ffdd44f585eaf9fdf67001361a3278bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Nov 2023 01:46:05 +0000
+Subject: Bluetooth: Fix deadlock in vhci_send_frame
+
+From: Ying Hsu <yinghsu@chromium.org>
+
+[ Upstream commit 769bf60e17ee1a56a81e7c031192c3928312c52e ]
+
+syzbot found a potential circular dependency leading to a deadlock:
+ -> #3 (&hdev->req_lock){+.+.}-{3:3}:
+ __mutex_lock_common+0x1b6/0x1bc2 kernel/locking/mutex.c:599
+ __mutex_lock kernel/locking/mutex.c:732 [inline]
+ mutex_lock_nested+0x17/0x1c kernel/locking/mutex.c:784
+ hci_dev_do_close+0x3f/0x9f net/bluetooth/hci_core.c:551
+ hci_rfkill_set_block+0x130/0x1ac net/bluetooth/hci_core.c:935
+ rfkill_set_block+0x1e6/0x3b8 net/rfkill/core.c:345
+ rfkill_fop_write+0x2d8/0x672 net/rfkill/core.c:1274
+ vfs_write+0x277/0xcf5 fs/read_write.c:594
+ ksys_write+0x19b/0x2bd fs/read_write.c:650
+ do_syscall_x64 arch/x86/entry/common.c:55 [inline]
+ do_syscall_64+0x51/0xba arch/x86/entry/common.c:93
+ entry_SYSCALL_64_after_hwframe+0x61/0xcb
+
+ -> #2 (rfkill_global_mutex){+.+.}-{3:3}:
+ __mutex_lock_common+0x1b6/0x1bc2 kernel/locking/mutex.c:599
+ __mutex_lock kernel/locking/mutex.c:732 [inline]
+ mutex_lock_nested+0x17/0x1c kernel/locking/mutex.c:784
+ rfkill_register+0x30/0x7e3 net/rfkill/core.c:1045
+ hci_register_dev+0x48f/0x96d net/bluetooth/hci_core.c:2622
+ __vhci_create_device drivers/bluetooth/hci_vhci.c:341 [inline]
+ vhci_create_device+0x3ad/0x68f drivers/bluetooth/hci_vhci.c:374
+ vhci_get_user drivers/bluetooth/hci_vhci.c:431 [inline]
+ vhci_write+0x37b/0x429 drivers/bluetooth/hci_vhci.c:511
+ call_write_iter include/linux/fs.h:2109 [inline]
+ new_sync_write fs/read_write.c:509 [inline]
+ vfs_write+0xaa8/0xcf5 fs/read_write.c:596
+ ksys_write+0x19b/0x2bd fs/read_write.c:650
+ do_syscall_x64 arch/x86/entry/common.c:55 [inline]
+ do_syscall_64+0x51/0xba arch/x86/entry/common.c:93
+ entry_SYSCALL_64_after_hwframe+0x61/0xcb
+
+ -> #1 (&data->open_mutex){+.+.}-{3:3}:
+ __mutex_lock_common+0x1b6/0x1bc2 kernel/locking/mutex.c:599
+ __mutex_lock kernel/locking/mutex.c:732 [inline]
+ mutex_lock_nested+0x17/0x1c kernel/locking/mutex.c:784
+ vhci_send_frame+0x68/0x9c drivers/bluetooth/hci_vhci.c:75
+ hci_send_frame+0x1cc/0x2ff net/bluetooth/hci_core.c:2989
+ hci_sched_acl_pkt net/bluetooth/hci_core.c:3498 [inline]
+ hci_sched_acl net/bluetooth/hci_core.c:3583 [inline]
+ hci_tx_work+0xb94/0x1a60 net/bluetooth/hci_core.c:3654
+ process_one_work+0x901/0xfb8 kernel/workqueue.c:2310
+ worker_thread+0xa67/0x1003 kernel/workqueue.c:2457
+ kthread+0x36a/0x430 kernel/kthread.c:319
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
+
+ -> #0 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}:
+ check_prev_add kernel/locking/lockdep.c:3053 [inline]
+ check_prevs_add kernel/locking/lockdep.c:3172 [inline]
+ validate_chain kernel/locking/lockdep.c:3787 [inline]
+ __lock_acquire+0x2d32/0x77fa kernel/locking/lockdep.c:5011
+ lock_acquire+0x273/0x4d5 kernel/locking/lockdep.c:5622
+ __flush_work+0xee/0x19f kernel/workqueue.c:3090
+ hci_dev_close_sync+0x32f/0x1113 net/bluetooth/hci_sync.c:4352
+ hci_dev_do_close+0x47/0x9f net/bluetooth/hci_core.c:553
+ hci_rfkill_set_block+0x130/0x1ac net/bluetooth/hci_core.c:935
+ rfkill_set_block+0x1e6/0x3b8 net/rfkill/core.c:345
+ rfkill_fop_write+0x2d8/0x672 net/rfkill/core.c:1274
+ vfs_write+0x277/0xcf5 fs/read_write.c:594
+ ksys_write+0x19b/0x2bd fs/read_write.c:650
+ do_syscall_x64 arch/x86/entry/common.c:55 [inline]
+ do_syscall_64+0x51/0xba arch/x86/entry/common.c:93
+ entry_SYSCALL_64_after_hwframe+0x61/0xcb
+
+This change removes the need for acquiring the open_mutex in
+vhci_send_frame, thus eliminating the potential deadlock while
+maintaining the required packet ordering.
+
+Fixes: 92d4abd66f70 ("Bluetooth: vhci: Fix race when opening vhci device")
+Signed-off-by: Ying Hsu <yinghsu@chromium.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_vhci.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
+index 4415d850d698b..44dc91555aa00 100644
+--- a/drivers/bluetooth/hci_vhci.c
++++ b/drivers/bluetooth/hci_vhci.c
+@@ -11,6 +11,7 @@
+ #include <linux/module.h>
+ #include <asm/unaligned.h>
+
++#include <linux/atomic.h>
+ #include <linux/kernel.h>
+ #include <linux/init.h>
+ #include <linux/slab.h>
+@@ -44,6 +45,7 @@ struct vhci_data {
+ bool wakeup;
+ __u16 msft_opcode;
+ bool aosp_capable;
++ atomic_t initialized;
+ };
+
+ static int vhci_open_dev(struct hci_dev *hdev)
+@@ -75,11 +77,10 @@ static int vhci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
+
+ memcpy(skb_push(skb, 1), &hci_skb_pkt_type(skb), 1);
+
+- mutex_lock(&data->open_mutex);
+ skb_queue_tail(&data->readq, skb);
+- mutex_unlock(&data->open_mutex);
+
+- wake_up_interruptible(&data->read_wait);
++ if (atomic_read(&data->initialized))
++ wake_up_interruptible(&data->read_wait);
+ return 0;
+ }
+
+@@ -363,7 +364,8 @@ static int __vhci_create_device(struct vhci_data *data, __u8 opcode)
+ skb_put_u8(skb, 0xff);
+ skb_put_u8(skb, opcode);
+ put_unaligned_le16(hdev->id, skb_put(skb, 2));
+- skb_queue_tail(&data->readq, skb);
++ skb_queue_head(&data->readq, skb);
++ atomic_inc(&data->initialized);
+
+ wake_up_interruptible(&data->read_wait);
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 4b4870b16776a4abede8b33c9caf6d35901d94d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Nov 2023 23:17:44 +0100
+Subject: Bluetooth: hci_event: shut up a false-positive warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit a5812c68d849505ea657f653446512b85887f813 ]
+
+Turning on -Wstringop-overflow globally exposed a misleading compiler
+warning in bluetooth:
+
+net/bluetooth/hci_event.c: In function 'hci_cc_read_class_of_dev':
+net/bluetooth/hci_event.c:524:9: error: 'memcpy' writing 3 bytes into a
+region of size 0 overflows the destination [-Werror=stringop-overflow=]
+ 524 | memcpy(hdev->dev_class, rp->dev_class, 3);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The problem here is the check for hdev being NULL in bt_dev_dbg() that
+leads the compiler to conclude that hdev->dev_class might be an invalid
+pointer access.
+
+Add another explicit check for the same condition to make sure gcc sees
+this cannot happen.
+
+Fixes: a9de9248064b ("[Bluetooth] Switch from OGF+OCF to using only opcodes")
+Fixes: 1b56c90018f0 ("Makefile: Enable -Wstringop-overflow globally")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index c86a45344fe28..5e406e8716a0e 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -515,6 +515,9 @@ static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data,
+ {
+ struct hci_rp_read_class_of_dev *rp = data;
+
++ if (WARN_ON(!hdev))
++ return HCI_ERROR_UNSPECIFIED;
++
+ bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
+
+ if (rp->status)
+--
+2.43.0
+
--- /dev/null
+From dc43bbffaae138f7a058c82af8b72768d69a2d8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Dec 2023 21:04:04 +0800
+Subject: ethernet: atheros: fix a memleak in atl1e_setup_ring_resources
+
+From: Zhipeng Lu <alexious@zju.edu.cn>
+
+[ Upstream commit 309fdb1c33fe726d92d0030481346f24e1b01f07 ]
+
+In the error handling of 'offset > adapter->ring_size', the
+tx_ring->tx_buffer allocated by kzalloc should be freed,
+instead of 'goto failed' instantly.
+
+Fixes: a6a5325239c2 ("atl1e: Atheros L1E Gigabit Ethernet driver")
+Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
+Reviewed-by: Suman Ghosh <sumang@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/atheros/atl1e/atl1e_main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
+index 5935be190b9e2..5f2a6fcba9670 100644
+--- a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
++++ b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
+@@ -866,10 +866,13 @@ static int atl1e_setup_ring_resources(struct atl1e_adapter *adapter)
+ netdev_err(adapter->netdev, "offset(%d) > ring size(%d) !!\n",
+ offset, adapter->ring_size);
+ err = -1;
+- goto failed;
++ goto free_buffer;
+ }
+
+ return 0;
++free_buffer:
++ kfree(tx_ring->tx_buffer);
++ tx_ring->tx_buffer = NULL;
+ failed:
+ if (adapter->ring_vir_addr != NULL) {
+ dma_free_coherent(&pdev->dev, adapter->ring_size,
+--
+2.43.0
+
--- /dev/null
+From b6fb72f2f996ecead19058839a0c666272e2915d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 9 Dec 2023 00:41:55 +0000
+Subject: keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on
+ expiry
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 39299bdd2546688d92ed9db4948f6219ca1b9542 ]
+
+If a key has an expiration time, then when that time passes, the key is
+left around for a certain amount of time before being collected (5 mins by
+default) so that EKEYEXPIRED can be returned instead of ENOKEY. This is a
+problem for DNS keys because we want to redo the DNS lookup immediately at
+that point.
+
+Fix this by allowing key types to be marked such that keys of that type
+don't have this extra period, but are reclaimed as soon as they expire and
+turn this on for dns_resolver-type keys. To make this easier to handle,
+key->expiry is changed to be permanent if TIME64_MAX rather than 0.
+
+Furthermore, give such new-style negative DNS results a 1s default expiry
+if no other expiry time is set rather than allowing it to stick around
+indefinitely. This shouldn't be zero as ls will follow a failing stat call
+immediately with a second with AT_SYMLINK_NOFOLLOW added.
+
+Fixes: 1a4240f4764a ("DNS: Separate out CIFS DNS Resolver code")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Tested-by: Markus Suvanto <markus.suvanto@gmail.com>
+cc: Wang Lei <wang840925@gmail.com>
+cc: Jeff Layton <jlayton@redhat.com>
+cc: Steve French <smfrench@gmail.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: Jarkko Sakkinen <jarkko@kernel.org>
+cc: "David S. Miller" <davem@davemloft.net>
+cc: Eric Dumazet <edumazet@google.com>
+cc: Jakub Kicinski <kuba@kernel.org>
+cc: Paolo Abeni <pabeni@redhat.com>
+cc: linux-afs@lists.infradead.org
+cc: linux-cifs@vger.kernel.org
+cc: linux-nfs@vger.kernel.org
+cc: ceph-devel@vger.kernel.org
+cc: keyrings@vger.kernel.org
+cc: netdev@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/key-type.h | 1 +
+ net/dns_resolver/dns_key.c | 10 +++++++++-
+ security/keys/gc.c | 31 +++++++++++++++++++++----------
+ security/keys/internal.h | 11 ++++++++++-
+ security/keys/key.c | 15 +++++----------
+ security/keys/proc.c | 2 +-
+ 6 files changed, 47 insertions(+), 23 deletions(-)
+
+diff --git a/include/linux/key-type.h b/include/linux/key-type.h
+index 7d985a1dfe4af..5caf3ce823733 100644
+--- a/include/linux/key-type.h
++++ b/include/linux/key-type.h
+@@ -73,6 +73,7 @@ struct key_type {
+
+ unsigned int flags;
+ #define KEY_TYPE_NET_DOMAIN 0x00000001 /* Keys of this type have a net namespace domain */
++#define KEY_TYPE_INSTANT_REAP 0x00000002 /* Keys of this type don't have a delay after expiring */
+
+ /* vet a description */
+ int (*vet_description)(const char *description);
+diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c
+index 3aced951d5ab8..03f8f33dc134c 100644
+--- a/net/dns_resolver/dns_key.c
++++ b/net/dns_resolver/dns_key.c
+@@ -91,6 +91,7 @@ const struct cred *dns_resolver_cache;
+ static int
+ dns_resolver_preparse(struct key_preparsed_payload *prep)
+ {
++ const struct dns_server_list_v1_header *v1;
+ const struct dns_payload_header *bin;
+ struct user_key_payload *upayload;
+ unsigned long derrno;
+@@ -122,6 +123,13 @@ dns_resolver_preparse(struct key_preparsed_payload *prep)
+ return -EINVAL;
+ }
+
++ v1 = (const struct dns_server_list_v1_header *)bin;
++ if ((v1->status != DNS_LOOKUP_GOOD &&
++ v1->status != DNS_LOOKUP_GOOD_WITH_BAD)) {
++ if (prep->expiry == TIME64_MAX)
++ prep->expiry = ktime_get_real_seconds() + 1;
++ }
++
+ result_len = datalen;
+ goto store_result;
+ }
+@@ -314,7 +322,7 @@ static long dns_resolver_read(const struct key *key,
+
+ struct key_type key_type_dns_resolver = {
+ .name = "dns_resolver",
+- .flags = KEY_TYPE_NET_DOMAIN,
++ .flags = KEY_TYPE_NET_DOMAIN | KEY_TYPE_INSTANT_REAP,
+ .preparse = dns_resolver_preparse,
+ .free_preparse = dns_resolver_free_preparse,
+ .instantiate = generic_key_instantiate,
+diff --git a/security/keys/gc.c b/security/keys/gc.c
+index 3c90807476eb0..eaddaceda14ea 100644
+--- a/security/keys/gc.c
++++ b/security/keys/gc.c
+@@ -66,6 +66,19 @@ void key_schedule_gc(time64_t gc_at)
+ }
+ }
+
++/*
++ * Set the expiration time on a key.
++ */
++void key_set_expiry(struct key *key, time64_t expiry)
++{
++ key->expiry = expiry;
++ if (expiry != TIME64_MAX) {
++ if (!(key->type->flags & KEY_TYPE_INSTANT_REAP))
++ expiry += key_gc_delay;
++ key_schedule_gc(expiry);
++ }
++}
++
+ /*
+ * Schedule a dead links collection run.
+ */
+@@ -176,7 +189,6 @@ static void key_garbage_collector(struct work_struct *work)
+ static u8 gc_state; /* Internal persistent state */
+ #define KEY_GC_REAP_AGAIN 0x01 /* - Need another cycle */
+ #define KEY_GC_REAPING_LINKS 0x02 /* - We need to reap links */
+-#define KEY_GC_SET_TIMER 0x04 /* - We need to restart the timer */
+ #define KEY_GC_REAPING_DEAD_1 0x10 /* - We need to mark dead keys */
+ #define KEY_GC_REAPING_DEAD_2 0x20 /* - We need to reap dead key links */
+ #define KEY_GC_REAPING_DEAD_3 0x40 /* - We need to reap dead keys */
+@@ -184,21 +196,17 @@ static void key_garbage_collector(struct work_struct *work)
+
+ struct rb_node *cursor;
+ struct key *key;
+- time64_t new_timer, limit;
++ time64_t new_timer, limit, expiry;
+
+ kenter("[%lx,%x]", key_gc_flags, gc_state);
+
+ limit = ktime_get_real_seconds();
+- if (limit > key_gc_delay)
+- limit -= key_gc_delay;
+- else
+- limit = key_gc_delay;
+
+ /* Work out what we're going to be doing in this pass */
+ gc_state &= KEY_GC_REAPING_DEAD_1 | KEY_GC_REAPING_DEAD_2;
+ gc_state <<= 1;
+ if (test_and_clear_bit(KEY_GC_KEY_EXPIRED, &key_gc_flags))
+- gc_state |= KEY_GC_REAPING_LINKS | KEY_GC_SET_TIMER;
++ gc_state |= KEY_GC_REAPING_LINKS;
+
+ if (test_and_clear_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags))
+ gc_state |= KEY_GC_REAPING_DEAD_1;
+@@ -233,8 +241,11 @@ static void key_garbage_collector(struct work_struct *work)
+ }
+ }
+
+- if (gc_state & KEY_GC_SET_TIMER) {
+- if (key->expiry > limit && key->expiry < new_timer) {
++ expiry = key->expiry;
++ if (expiry != TIME64_MAX) {
++ if (!(key->type->flags & KEY_TYPE_INSTANT_REAP))
++ expiry += key_gc_delay;
++ if (expiry > limit && expiry < new_timer) {
+ kdebug("will expire %x in %lld",
+ key_serial(key), key->expiry - limit);
+ new_timer = key->expiry;
+@@ -276,7 +287,7 @@ static void key_garbage_collector(struct work_struct *work)
+ */
+ kdebug("pass complete");
+
+- if (gc_state & KEY_GC_SET_TIMER && new_timer != (time64_t)TIME64_MAX) {
++ if (new_timer != TIME64_MAX) {
+ new_timer += key_gc_delay;
+ key_schedule_gc(new_timer);
+ }
+diff --git a/security/keys/internal.h b/security/keys/internal.h
+index 3c1e7122076b9..ec2ec335b6133 100644
+--- a/security/keys/internal.h
++++ b/security/keys/internal.h
+@@ -174,6 +174,7 @@ extern unsigned key_gc_delay;
+ extern void keyring_gc(struct key *keyring, time64_t limit);
+ extern void keyring_restriction_gc(struct key *keyring,
+ struct key_type *dead_type);
++void key_set_expiry(struct key *key, time64_t expiry);
+ extern void key_schedule_gc(time64_t gc_at);
+ extern void key_schedule_gc_links(void);
+ extern void key_gc_keytype(struct key_type *ktype);
+@@ -222,10 +223,18 @@ extern struct key *key_get_instantiation_authkey(key_serial_t target_id);
+ */
+ static inline bool key_is_dead(const struct key *key, time64_t limit)
+ {
++ time64_t expiry = key->expiry;
++
++ if (expiry != TIME64_MAX) {
++ if (!(key->type->flags & KEY_TYPE_INSTANT_REAP))
++ expiry += key_gc_delay;
++ if (expiry <= limit)
++ return true;
++ }
++
+ return
+ key->flags & ((1 << KEY_FLAG_DEAD) |
+ (1 << KEY_FLAG_INVALIDATED)) ||
+- (key->expiry > 0 && key->expiry <= limit) ||
+ key->domain_tag->removed;
+ }
+
+diff --git a/security/keys/key.c b/security/keys/key.c
+index c45afdd1dfbb4..e65240641ca57 100644
+--- a/security/keys/key.c
++++ b/security/keys/key.c
+@@ -294,6 +294,7 @@ struct key *key_alloc(struct key_type *type, const char *desc,
+ key->uid = uid;
+ key->gid = gid;
+ key->perm = perm;
++ key->expiry = TIME64_MAX;
+ key->restrict_link = restrict_link;
+ key->last_used_at = ktime_get_real_seconds();
+
+@@ -463,10 +464,7 @@ static int __key_instantiate_and_link(struct key *key,
+ if (authkey)
+ key_invalidate(authkey);
+
+- if (prep->expiry != TIME64_MAX) {
+- key->expiry = prep->expiry;
+- key_schedule_gc(prep->expiry + key_gc_delay);
+- }
++ key_set_expiry(key, prep->expiry);
+ }
+ }
+
+@@ -606,8 +604,7 @@ int key_reject_and_link(struct key *key,
+ atomic_inc(&key->user->nikeys);
+ mark_key_instantiated(key, -error);
+ notify_key(key, NOTIFY_KEY_INSTANTIATED, -error);
+- key->expiry = ktime_get_real_seconds() + timeout;
+- key_schedule_gc(key->expiry + key_gc_delay);
++ key_set_expiry(key, ktime_get_real_seconds() + timeout);
+
+ if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags))
+ awaken = 1;
+@@ -722,16 +719,14 @@ struct key_type *key_type_lookup(const char *type)
+
+ void key_set_timeout(struct key *key, unsigned timeout)
+ {
+- time64_t expiry = 0;
++ time64_t expiry = TIME64_MAX;
+
+ /* make the changes with the locks held to prevent races */
+ down_write(&key->sem);
+
+ if (timeout > 0)
+ expiry = ktime_get_real_seconds() + timeout;
+-
+- key->expiry = expiry;
+- key_schedule_gc(key->expiry + key_gc_delay);
++ key_set_expiry(key, expiry);
+
+ up_write(&key->sem);
+ }
+diff --git a/security/keys/proc.c b/security/keys/proc.c
+index d0cde6685627f..4f4e2c1824f18 100644
+--- a/security/keys/proc.c
++++ b/security/keys/proc.c
+@@ -198,7 +198,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
+
+ /* come up with a suitable timeout value */
+ expiry = READ_ONCE(key->expiry);
+- if (expiry == 0) {
++ if (expiry == TIME64_MAX) {
+ memcpy(xbuf, "perm", 5);
+ } else if (now >= expiry) {
+ memcpy(xbuf, "expd", 5);
+--
+2.43.0
+
--- /dev/null
+From 49aa05537cf207288821bf6f16f4cc5888554670 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Dec 2023 12:53:31 +0000
+Subject: net: check dev->gso_max_size in gso_features_check()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 24ab059d2ebd62fdccc43794796f6ffbabe49ebc ]
+
+Some drivers might misbehave if TSO packets get too big.
+
+GVE for instance uses a 16bit field in its TX descriptor,
+and will do bad things if a packet is bigger than 2^16 bytes.
+
+Linux TCP stack honors dev->gso_max_size, but there are
+other ways for too big packets to reach an ndo_start_xmit()
+handler : virtio_net, af_packet, GRO...
+
+Add a generic check in gso_features_check() and fallback
+to GSO when needed.
+
+gso_max_size was added in the blamed commit.
+
+Fixes: 82cc1a7a5687 ("[NET]: Add per-connection option to set max TSO frame size")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20231219125331.4127498-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 0d5aa820fd830..0a5566b6f8a25 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3551,6 +3551,9 @@ static netdev_features_t gso_features_check(const struct sk_buff *skb,
+ if (gso_segs > READ_ONCE(dev->gso_max_segs))
+ return features & ~NETIF_F_GSO_MASK;
+
++ if (unlikely(skb->len >= READ_ONCE(dev->gso_max_size)))
++ return features & ~NETIF_F_GSO_MASK;
++
+ if (!skb_shinfo(skb)->gso_type) {
+ skb_warn_bad_offload(skb);
+ return features & ~NETIF_F_GSO_MASK;
+--
+2.43.0
+
--- /dev/null
+From d5b572757848b7157e7567154d0e97ee21095db3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Dec 2023 15:52:18 +0800
+Subject: net: check vlan filter feature in vlan_vids_add_by_dev() and
+ vlan_vids_del_by_dev()
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit 01a564bab4876007ce35f312e16797dfe40e4823 ]
+
+I got the below warning trace:
+
+WARNING: CPU: 4 PID: 4056 at net/core/dev.c:11066 unregister_netdevice_many_notify
+CPU: 4 PID: 4056 Comm: ip Not tainted 6.7.0-rc4+ #15
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
+RIP: 0010:unregister_netdevice_many_notify+0x9a4/0x9b0
+Call Trace:
+ rtnl_dellink
+ rtnetlink_rcv_msg
+ netlink_rcv_skb
+ netlink_unicast
+ netlink_sendmsg
+ __sock_sendmsg
+ ____sys_sendmsg
+ ___sys_sendmsg
+ __sys_sendmsg
+ do_syscall_64
+ entry_SYSCALL_64_after_hwframe
+
+It can be repoduced via:
+
+ ip netns add ns1
+ ip netns exec ns1 ip link add bond0 type bond mode 0
+ ip netns exec ns1 ip link add bond_slave_1 type veth peer veth2
+ ip netns exec ns1 ip link set bond_slave_1 master bond0
+[1] ip netns exec ns1 ethtool -K bond0 rx-vlan-filter off
+[2] ip netns exec ns1 ip link add link bond_slave_1 name bond_slave_1.0 type vlan id 0
+[3] ip netns exec ns1 ip link add link bond0 name bond0.0 type vlan id 0
+[4] ip netns exec ns1 ip link set bond_slave_1 nomaster
+[5] ip netns exec ns1 ip link del veth2
+ ip netns del ns1
+
+This is all caused by command [1] turning off the rx-vlan-filter function
+of bond0. The reason is the same as commit 01f4fd270870 ("bonding: Fix
+incorrect deletion of ETH_P_8021AD protocol vid from slaves"). Commands
+[2] [3] add the same vid to slave and master respectively, causing
+command [4] to empty slave->vlan_info. The following command [5] triggers
+this problem.
+
+To fix this problem, we should add VLAN_FILTER feature checks in
+vlan_vids_add_by_dev() and vlan_vids_del_by_dev() to prevent incorrect
+addition or deletion of vlan_vid information.
+
+Fixes: 348a1443cc43 ("vlan: introduce functions to do mass addition/deletion of vids by another device")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/8021q/vlan_core.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c
+index 0beb44f2fe1f0..f001582345052 100644
+--- a/net/8021q/vlan_core.c
++++ b/net/8021q/vlan_core.c
+@@ -407,6 +407,8 @@ int vlan_vids_add_by_dev(struct net_device *dev,
+ return 0;
+
+ list_for_each_entry(vid_info, &vlan_info->vid_list, list) {
++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto))
++ continue;
+ err = vlan_vid_add(dev, vid_info->proto, vid_info->vid);
+ if (err)
+ goto unwind;
+@@ -417,6 +419,8 @@ int vlan_vids_add_by_dev(struct net_device *dev,
+ list_for_each_entry_continue_reverse(vid_info,
+ &vlan_info->vid_list,
+ list) {
++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto))
++ continue;
+ vlan_vid_del(dev, vid_info->proto, vid_info->vid);
+ }
+
+@@ -436,8 +440,11 @@ void vlan_vids_del_by_dev(struct net_device *dev,
+ if (!vlan_info)
+ return;
+
+- list_for_each_entry(vid_info, &vlan_info->vid_list, list)
++ list_for_each_entry(vid_info, &vlan_info->vid_list, list) {
++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto))
++ continue;
+ vlan_vid_del(dev, vid_info->proto, vid_info->vid);
++ }
+ }
+ EXPORT_SYMBOL(vlan_vids_del_by_dev);
+
+--
+2.43.0
+
--- /dev/null
+From 1220617da92a464c1931b2264e795590ee6da7ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Dec 2023 12:33:53 -0800
+Subject: net: mana: select PAGE_POOL
+
+From: Yury Norov <yury.norov@gmail.com>
+
+[ Upstream commit 340943fbff3d8faa44d2223ca04917df28786a07 ]
+
+Mana uses PAGE_POOL API. x86_64 defconfig doesn't select it:
+
+ld: vmlinux.o: in function `mana_create_page_pool.isra.0':
+mana_en.c:(.text+0x9ae36f): undefined reference to `page_pool_create'
+ld: vmlinux.o: in function `mana_get_rxfrag':
+mana_en.c:(.text+0x9afed1): undefined reference to `page_pool_alloc_pages'
+make[3]: *** [/home/yury/work/linux/scripts/Makefile.vmlinux:37: vmlinux] Error 1
+make[2]: *** [/home/yury/work/linux/Makefile:1154: vmlinux] Error 2
+make[1]: *** [/home/yury/work/linux/Makefile:234: __sub-make] Error 2
+make[1]: Leaving directory '/home/yury/work/build-linux-x86_64'
+make: *** [Makefile:234: __sub-make] Error 2
+
+So we need to select it explicitly.
+
+Signed-off-by: Yury Norov <yury.norov@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Simon Horman <horms@kernel.org> # build-tested
+Fixes: ca9c54d2 ("net: mana: Add a driver for Microsoft Azure Network Adapter")
+Link: https://lore.kernel.org/r/20231215203353.635379-1-yury.norov@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microsoft/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/microsoft/Kconfig b/drivers/net/ethernet/microsoft/Kconfig
+index fe4e7a7d9c0b5..8b6c4cc37c53c 100644
+--- a/drivers/net/ethernet/microsoft/Kconfig
++++ b/drivers/net/ethernet/microsoft/Kconfig
+@@ -19,6 +19,7 @@ config MICROSOFT_MANA
+ tristate "Microsoft Azure Network Adapter (MANA) support"
+ depends on PCI_MSI && X86_64
+ depends on PCI_HYPERV
++ select PAGE_POOL
+ help
+ This driver supports Microsoft Azure Network Adapter (MANA).
+ So far, the driver is only supported on X86_64.
+--
+2.43.0
+
--- /dev/null
+From 84fb9bf3970ef052523a042eec33b9b32014a669 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Nov 2023 11:30:34 +0200
+Subject: net/mlx5: Fix fw tracer first block check
+
+From: Moshe Shemesh <moshe@nvidia.com>
+
+[ Upstream commit 4261edf11cb7c9224af713a102e5616329306932 ]
+
+While handling new traces, to verify it is not the first block being
+written, last_timestamp is checked. But instead of checking it is non
+zero it is verified to be zero. Fix to verify last_timestamp is not
+zero.
+
+Fixes: c71ad41ccb0c ("net/mlx5: FW tracer, events handling")
+Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
+Reviewed-by: Feras Daoud <ferasda@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+index 374c0011a127b..3ba54ffa54bfe 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+@@ -691,7 +691,7 @@ static void mlx5_fw_tracer_handle_traces(struct work_struct *work)
+
+ while (block_timestamp > tracer->last_timestamp) {
+ /* Check block override if it's not the first block */
+- if (!tracer->last_timestamp) {
++ if (tracer->last_timestamp) {
+ u64 *ts_event;
+ /* To avoid block override be the HW in case of buffer
+ * wraparound, the time stamp of the previous block
+--
+2.43.0
+
--- /dev/null
+From a289d942f7e007f32be8d984a513bde37f5c384a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Jan 2023 09:45:24 +0200
+Subject: net/mlx5: Introduce and use opcode getter in command interface
+
+From: Tariq Toukan <tariqt@nvidia.com>
+
+[ Upstream commit 7cb5eb937231663d11f7817e366f6f86a142d6d3 ]
+
+Introduce an opcode getter in the FW command interface, and use it.
+Initialize the entry's opcode field early in cmd_alloc_ent() and use it
+when possible.
+
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Stable-dep-of: 8f5100da56b3 ("net/mlx5e: Fix a race in command alloc flow")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 88 +++++++++----------
+ 1 file changed, 42 insertions(+), 46 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+index b3253e263ebc8..edc42f0b3e74d 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -48,6 +48,25 @@
+ #define CREATE_TRACE_POINTS
+ #include "diag/cmd_tracepoint.h"
+
++struct mlx5_ifc_mbox_out_bits {
++ u8 status[0x8];
++ u8 reserved_at_8[0x18];
++
++ u8 syndrome[0x20];
++
++ u8 reserved_at_40[0x40];
++};
++
++struct mlx5_ifc_mbox_in_bits {
++ u8 opcode[0x10];
++ u8 uid[0x10];
++
++ u8 reserved_at_20[0x10];
++ u8 op_mod[0x10];
++
++ u8 reserved_at_40[0x40];
++};
++
+ enum {
+ CMD_IF_REV = 5,
+ };
+@@ -71,6 +90,11 @@ enum {
+ MLX5_CMD_DELIVERY_STAT_CMD_DESCR_ERR = 0x10,
+ };
+
++static u16 in_to_opcode(void *in)
++{
++ return MLX5_GET(mbox_in, in, opcode);
++}
++
+ static struct mlx5_cmd_work_ent *
+ cmd_alloc_ent(struct mlx5_cmd *cmd, struct mlx5_cmd_msg *in,
+ struct mlx5_cmd_msg *out, void *uout, int uout_size,
+@@ -92,6 +116,7 @@ cmd_alloc_ent(struct mlx5_cmd *cmd, struct mlx5_cmd_msg *in,
+ ent->context = context;
+ ent->cmd = cmd;
+ ent->page_queue = page_queue;
++ ent->op = in_to_opcode(in->first.data);
+ refcount_set(&ent->refcnt, 1);
+
+ return ent;
+@@ -753,25 +778,6 @@ static int cmd_status_to_err(u8 status)
+ }
+ }
+
+-struct mlx5_ifc_mbox_out_bits {
+- u8 status[0x8];
+- u8 reserved_at_8[0x18];
+-
+- u8 syndrome[0x20];
+-
+- u8 reserved_at_40[0x40];
+-};
+-
+-struct mlx5_ifc_mbox_in_bits {
+- u8 opcode[0x10];
+- u8 uid[0x10];
+-
+- u8 reserved_at_20[0x10];
+- u8 op_mod[0x10];
+-
+- u8 reserved_at_40[0x40];
+-};
+-
+ void mlx5_cmd_out_err(struct mlx5_core_dev *dev, u16 opcode, u16 op_mod, void *out)
+ {
+ u32 syndrome = MLX5_GET(mbox_out, out, syndrome);
+@@ -789,7 +795,7 @@ static void cmd_status_print(struct mlx5_core_dev *dev, void *in, void *out)
+ u16 opcode, op_mod;
+ u16 uid;
+
+- opcode = MLX5_GET(mbox_in, in, opcode);
++ opcode = in_to_opcode(in);
+ op_mod = MLX5_GET(mbox_in, in, op_mod);
+ uid = MLX5_GET(mbox_in, in, uid);
+
+@@ -801,7 +807,7 @@ int mlx5_cmd_check(struct mlx5_core_dev *dev, int err, void *in, void *out)
+ {
+ /* aborted due to PCI error or via reset flow mlx5_cmd_trigger_completions() */
+ if (err == -ENXIO) {
+- u16 opcode = MLX5_GET(mbox_in, in, opcode);
++ u16 opcode = in_to_opcode(in);
+ u32 syndrome;
+ u8 status;
+
+@@ -830,9 +836,9 @@ static void dump_command(struct mlx5_core_dev *dev,
+ struct mlx5_cmd_work_ent *ent, int input)
+ {
+ struct mlx5_cmd_msg *msg = input ? ent->in : ent->out;
+- u16 op = MLX5_GET(mbox_in, ent->lay->in, opcode);
+ struct mlx5_cmd_mailbox *next = msg->next;
+ int n = mlx5_calc_cmd_blocks(msg);
++ u16 op = ent->op;
+ int data_only;
+ u32 offset = 0;
+ int dump_len;
+@@ -884,11 +890,6 @@ static void dump_command(struct mlx5_core_dev *dev,
+ mlx5_core_dbg(dev, "cmd[%d]: end dump\n", ent->idx);
+ }
+
+-static u16 msg_to_opcode(struct mlx5_cmd_msg *in)
+-{
+- return MLX5_GET(mbox_in, in->first.data, opcode);
+-}
+-
+ static void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool forced);
+
+ static void cb_timeout_handler(struct work_struct *work)
+@@ -906,13 +907,13 @@ static void cb_timeout_handler(struct work_struct *work)
+ /* Maybe got handled by eq recover ? */
+ if (!test_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state)) {
+ mlx5_core_warn(dev, "cmd[%d]: %s(0x%x) Async, recovered after timeout\n", ent->idx,
+- mlx5_command_str(msg_to_opcode(ent->in)), msg_to_opcode(ent->in));
++ mlx5_command_str(ent->op), ent->op);
+ goto out; /* phew, already handled */
+ }
+
+ ent->ret = -ETIMEDOUT;
+ mlx5_core_warn(dev, "cmd[%d]: %s(0x%x) Async, timeout. Will cause a leak of a command resource\n",
+- ent->idx, mlx5_command_str(msg_to_opcode(ent->in)), msg_to_opcode(ent->in));
++ ent->idx, mlx5_command_str(ent->op), ent->op);
+ mlx5_cmd_comp_handler(dev, 1ULL << ent->idx, true);
+
+ out:
+@@ -986,7 +987,6 @@ static void cmd_work_handler(struct work_struct *work)
+ ent->lay = lay;
+ memset(lay, 0, sizeof(*lay));
+ memcpy(lay->in, ent->in->first.data, sizeof(lay->in));
+- ent->op = be32_to_cpu(lay->in[0]) >> 16;
+ if (ent->in->next)
+ lay->in_ptr = cpu_to_be64(ent->in->next->dma);
+ lay->inlen = cpu_to_be32(ent->in->len);
+@@ -1099,12 +1099,12 @@ static void wait_func_handle_exec_timeout(struct mlx5_core_dev *dev,
+ */
+ if (wait_for_completion_timeout(&ent->done, timeout)) {
+ mlx5_core_warn(dev, "cmd[%d]: %s(0x%x) recovered after timeout\n", ent->idx,
+- mlx5_command_str(msg_to_opcode(ent->in)), msg_to_opcode(ent->in));
++ mlx5_command_str(ent->op), ent->op);
+ return;
+ }
+
+ mlx5_core_warn(dev, "cmd[%d]: %s(0x%x) No done completion\n", ent->idx,
+- mlx5_command_str(msg_to_opcode(ent->in)), msg_to_opcode(ent->in));
++ mlx5_command_str(ent->op), ent->op);
+
+ ent->ret = -ETIMEDOUT;
+ mlx5_cmd_comp_handler(dev, 1ULL << ent->idx, true);
+@@ -1131,12 +1131,10 @@ static int wait_func(struct mlx5_core_dev *dev, struct mlx5_cmd_work_ent *ent)
+
+ if (err == -ETIMEDOUT) {
+ mlx5_core_warn(dev, "%s(0x%x) timeout. Will cause a leak of a command resource\n",
+- mlx5_command_str(msg_to_opcode(ent->in)),
+- msg_to_opcode(ent->in));
++ mlx5_command_str(ent->op), ent->op);
+ } else if (err == -ECANCELED) {
+ mlx5_core_warn(dev, "%s(0x%x) canceled on out of queue timeout.\n",
+- mlx5_command_str(msg_to_opcode(ent->in)),
+- msg_to_opcode(ent->in));
++ mlx5_command_str(ent->op), ent->op);
+ }
+ mlx5_core_dbg(dev, "err %d, delivery status %s(%d)\n",
+ err, deliv_status_to_str(ent->status), ent->status);
+@@ -1170,7 +1168,6 @@ static int mlx5_cmd_invoke(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *in,
+ u8 status = 0;
+ int err = 0;
+ s64 ds;
+- u16 op;
+
+ if (callback && page_queue)
+ return -EINVAL;
+@@ -1210,9 +1207,8 @@ static int mlx5_cmd_invoke(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *in,
+ goto out_free;
+
+ ds = ent->ts2 - ent->ts1;
+- op = MLX5_GET(mbox_in, in->first.data, opcode);
+- if (op < MLX5_CMD_OP_MAX) {
+- stats = &cmd->stats[op];
++ if (ent->op < MLX5_CMD_OP_MAX) {
++ stats = &cmd->stats[ent->op];
+ spin_lock_irq(&stats->lock);
+ stats->sum += ds;
+ ++stats->n;
+@@ -1220,7 +1216,7 @@ static int mlx5_cmd_invoke(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *in,
+ }
+ mlx5_core_dbg_mask(dev, 1 << MLX5_CMD_TIME,
+ "fw exec time for %s is %lld nsec\n",
+- mlx5_command_str(op), ds);
++ mlx5_command_str(ent->op), ds);
+
+ out_free:
+ status = ent->status;
+@@ -1817,7 +1813,7 @@ static struct mlx5_cmd_msg *alloc_msg(struct mlx5_core_dev *dev, int in_size,
+
+ static int is_manage_pages(void *in)
+ {
+- return MLX5_GET(mbox_in, in, opcode) == MLX5_CMD_OP_MANAGE_PAGES;
++ return in_to_opcode(in) == MLX5_CMD_OP_MANAGE_PAGES;
+ }
+
+ /* Notes:
+@@ -1828,8 +1824,8 @@ static int cmd_exec(struct mlx5_core_dev *dev, void *in, int in_size, void *out,
+ int out_size, mlx5_cmd_cbk_t callback, void *context,
+ bool force_polling)
+ {
+- u16 opcode = MLX5_GET(mbox_in, in, opcode);
+ struct mlx5_cmd_msg *inb, *outb;
++ u16 opcode = in_to_opcode(in);
+ int pages_queue;
+ gfp_t gfp;
+ u8 token;
+@@ -1952,8 +1948,8 @@ static int cmd_status_err(struct mlx5_core_dev *dev, int err, u16 opcode, u16 op
+ int mlx5_cmd_do(struct mlx5_core_dev *dev, void *in, int in_size, void *out, int out_size)
+ {
+ int err = cmd_exec(dev, in, in_size, out, out_size, NULL, NULL, false);
+- u16 opcode = MLX5_GET(mbox_in, in, opcode);
+ u16 op_mod = MLX5_GET(mbox_in, in, op_mod);
++ u16 opcode = in_to_opcode(in);
+
+ return cmd_status_err(dev, err, opcode, op_mod, out);
+ }
+@@ -1998,8 +1994,8 @@ int mlx5_cmd_exec_polling(struct mlx5_core_dev *dev, void *in, int in_size,
+ void *out, int out_size)
+ {
+ int err = cmd_exec(dev, in, in_size, out, out_size, NULL, NULL, true);
+- u16 opcode = MLX5_GET(mbox_in, in, opcode);
+ u16 op_mod = MLX5_GET(mbox_in, in, op_mod);
++ u16 opcode = in_to_opcode(in);
+
+ err = cmd_status_err(dev, err, opcode, op_mod, out);
+ return mlx5_cmd_check(dev, err, in, out);
+@@ -2051,7 +2047,7 @@ int mlx5_cmd_exec_cb(struct mlx5_async_ctx *ctx, void *in, int in_size,
+
+ work->ctx = ctx;
+ work->user_callback = callback;
+- work->opcode = MLX5_GET(mbox_in, in, opcode);
++ work->opcode = in_to_opcode(in);
+ work->op_mod = MLX5_GET(mbox_in, in, op_mod);
+ work->out = out;
+ if (WARN_ON(!atomic_inc_not_zero(&ctx->num_inflight)))
+--
+2.43.0
+
--- /dev/null
+From 318ffb90aa14004ffe47744138af6dcce4452d7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Aug 2022 14:47:30 +0300
+Subject: net/mlx5: Prevent high-rate FW commands from populating all slots
+
+From: Tariq Toukan <tariqt@nvidia.com>
+
+[ Upstream commit 63fbae0a74c3e1df7c20c81e04353ced050d9887 ]
+
+Certain connection-based device-offload protocols (like TLS) use
+per-connection HW objects to track the state, maintain the context, and
+perform the offload properly. Some of these objects are created,
+modified, and destroyed via FW commands. Under high connection rate,
+this type of FW commands might continuously populate all slots of the FW
+command interface and throttle it, while starving other critical control
+FW commands.
+
+Limit these throttle commands to using only up to a portion (half) of
+the FW command interface slots. FW commands maximal rate is not hit, and
+the same high rate is still reached when applying this limitation.
+
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Stable-dep-of: 8f5100da56b3 ("net/mlx5e: Fix a race in command alloc flow")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 30 ++++++++++++++++++-
+ include/linux/mlx5/driver.h | 1 +
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+index edc42f0b3e74d..84f926064cf7b 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -95,6 +95,21 @@ static u16 in_to_opcode(void *in)
+ return MLX5_GET(mbox_in, in, opcode);
+ }
+
++/* Returns true for opcodes that might be triggered very frequently and throttle
++ * the command interface. Limit their command slots usage.
++ */
++static bool mlx5_cmd_is_throttle_opcode(u16 op)
++{
++ switch (op) {
++ case MLX5_CMD_OP_CREATE_GENERAL_OBJECT:
++ case MLX5_CMD_OP_DESTROY_GENERAL_OBJECT:
++ case MLX5_CMD_OP_MODIFY_GENERAL_OBJECT:
++ case MLX5_CMD_OP_QUERY_GENERAL_OBJECT:
++ return true;
++ }
++ return false;
++}
++
+ static struct mlx5_cmd_work_ent *
+ cmd_alloc_ent(struct mlx5_cmd *cmd, struct mlx5_cmd_msg *in,
+ struct mlx5_cmd_msg *out, void *uout, int uout_size,
+@@ -1826,6 +1841,7 @@ static int cmd_exec(struct mlx5_core_dev *dev, void *in, int in_size, void *out,
+ {
+ struct mlx5_cmd_msg *inb, *outb;
+ u16 opcode = in_to_opcode(in);
++ bool throttle_op;
+ int pages_queue;
+ gfp_t gfp;
+ u8 token;
+@@ -1834,13 +1850,21 @@ static int cmd_exec(struct mlx5_core_dev *dev, void *in, int in_size, void *out,
+ if (mlx5_cmd_is_down(dev) || !opcode_allowed(&dev->cmd, opcode))
+ return -ENXIO;
+
++ throttle_op = mlx5_cmd_is_throttle_opcode(opcode);
++ if (throttle_op) {
++ /* atomic context may not sleep */
++ if (callback)
++ return -EINVAL;
++ down(&dev->cmd.throttle_sem);
++ }
++
+ pages_queue = is_manage_pages(in);
+ gfp = callback ? GFP_ATOMIC : GFP_KERNEL;
+
+ inb = alloc_msg(dev, in_size, gfp);
+ if (IS_ERR(inb)) {
+ err = PTR_ERR(inb);
+- return err;
++ goto out_up;
+ }
+
+ token = alloc_token(&dev->cmd);
+@@ -1874,6 +1898,9 @@ static int cmd_exec(struct mlx5_core_dev *dev, void *in, int in_size, void *out,
+ mlx5_free_cmd_msg(dev, outb);
+ out_in:
+ free_msg(dev, inb);
++out_up:
++ if (throttle_op)
++ up(&dev->cmd.throttle_sem);
+ return err;
+ }
+
+@@ -2218,6 +2245,7 @@ int mlx5_cmd_init(struct mlx5_core_dev *dev)
+
+ sema_init(&cmd->sem, cmd->max_reg_cmds);
+ sema_init(&cmd->pages_sem, 1);
++ sema_init(&cmd->throttle_sem, DIV_ROUND_UP(cmd->max_reg_cmds, 2));
+
+ cmd_h = (u32)((u64)(cmd->dma) >> 32);
+ cmd_l = (u32)(cmd->dma);
+diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
+index 3660ce6a93496..ce019c337f67f 100644
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -308,6 +308,7 @@ struct mlx5_cmd {
+ struct workqueue_struct *wq;
+ struct semaphore sem;
+ struct semaphore pages_sem;
++ struct semaphore throttle_sem;
+ int mode;
+ u16 allowed_opcode;
+ struct mlx5_cmd_work_ent *ent_arr[MLX5_MAX_COMMANDS];
+--
+2.43.0
+
--- /dev/null
+From 99ab2af911689d2c12eea3f7977a983e6a76e64b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jan 2023 16:52:17 +0200
+Subject: net/mlx5: Re-organize mlx5_cmd struct
+
+From: Shay Drory <shayd@nvidia.com>
+
+[ Upstream commit 58db72869a9f8e01910844ca145efc2ea91bbbf9 ]
+
+Downstream patch will split mlx5_cmd_init() to probe and reload
+routines. As a preparation, organize mlx5_cmd struct so that any
+field that will be used in the reload routine are grouped at new
+nested struct.
+
+Signed-off-by: Shay Drory <shayd@nvidia.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Stable-dep-of: 8f5100da56b3 ("net/mlx5e: Fix a race in command alloc flow")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 94 +++++++++----------
+ .../net/ethernet/mellanox/mlx5/core/debugfs.c | 4 +-
+ include/linux/mlx5/driver.h | 21 +++--
+ 3 files changed, 60 insertions(+), 59 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+index 84f926064cf7b..e89d4fb7774bb 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -162,18 +162,18 @@ static int cmd_alloc_index(struct mlx5_cmd *cmd)
+ int ret;
+
+ spin_lock_irqsave(&cmd->alloc_lock, flags);
+- ret = find_first_bit(&cmd->bitmask, cmd->max_reg_cmds);
+- if (ret < cmd->max_reg_cmds)
+- clear_bit(ret, &cmd->bitmask);
++ ret = find_first_bit(&cmd->vars.bitmask, cmd->vars.max_reg_cmds);
++ if (ret < cmd->vars.max_reg_cmds)
++ clear_bit(ret, &cmd->vars.bitmask);
+ spin_unlock_irqrestore(&cmd->alloc_lock, flags);
+
+- return ret < cmd->max_reg_cmds ? ret : -ENOMEM;
++ return ret < cmd->vars.max_reg_cmds ? ret : -ENOMEM;
+ }
+
+ static void cmd_free_index(struct mlx5_cmd *cmd, int idx)
+ {
+ lockdep_assert_held(&cmd->alloc_lock);
+- set_bit(idx, &cmd->bitmask);
++ set_bit(idx, &cmd->vars.bitmask);
+ }
+
+ static void cmd_ent_get(struct mlx5_cmd_work_ent *ent)
+@@ -192,7 +192,7 @@ static void cmd_ent_put(struct mlx5_cmd_work_ent *ent)
+
+ if (ent->idx >= 0) {
+ cmd_free_index(cmd, ent->idx);
+- up(ent->page_queue ? &cmd->pages_sem : &cmd->sem);
++ up(ent->page_queue ? &cmd->vars.pages_sem : &cmd->vars.sem);
+ }
+
+ cmd_free_ent(ent);
+@@ -202,7 +202,7 @@ static void cmd_ent_put(struct mlx5_cmd_work_ent *ent)
+
+ static struct mlx5_cmd_layout *get_inst(struct mlx5_cmd *cmd, int idx)
+ {
+- return cmd->cmd_buf + (idx << cmd->log_stride);
++ return cmd->cmd_buf + (idx << cmd->vars.log_stride);
+ }
+
+ static int mlx5_calc_cmd_blocks(struct mlx5_cmd_msg *msg)
+@@ -971,7 +971,7 @@ static void cmd_work_handler(struct work_struct *work)
+ cb_timeout = msecs_to_jiffies(mlx5_tout_ms(dev, CMD));
+
+ complete(&ent->handling);
+- sem = ent->page_queue ? &cmd->pages_sem : &cmd->sem;
++ sem = ent->page_queue ? &cmd->vars.pages_sem : &cmd->vars.sem;
+ down(sem);
+ if (!ent->page_queue) {
+ alloc_ret = cmd_alloc_index(cmd);
+@@ -991,9 +991,9 @@ static void cmd_work_handler(struct work_struct *work)
+ }
+ ent->idx = alloc_ret;
+ } else {
+- ent->idx = cmd->max_reg_cmds;
++ ent->idx = cmd->vars.max_reg_cmds;
+ spin_lock_irqsave(&cmd->alloc_lock, flags);
+- clear_bit(ent->idx, &cmd->bitmask);
++ clear_bit(ent->idx, &cmd->vars.bitmask);
+ spin_unlock_irqrestore(&cmd->alloc_lock, flags);
+ }
+
+@@ -1569,15 +1569,15 @@ void mlx5_cmd_allowed_opcode(struct mlx5_core_dev *dev, u16 opcode)
+ struct mlx5_cmd *cmd = &dev->cmd;
+ int i;
+
+- for (i = 0; i < cmd->max_reg_cmds; i++)
+- down(&cmd->sem);
+- down(&cmd->pages_sem);
++ for (i = 0; i < cmd->vars.max_reg_cmds; i++)
++ down(&cmd->vars.sem);
++ down(&cmd->vars.pages_sem);
+
+ cmd->allowed_opcode = opcode;
+
+- up(&cmd->pages_sem);
+- for (i = 0; i < cmd->max_reg_cmds; i++)
+- up(&cmd->sem);
++ up(&cmd->vars.pages_sem);
++ for (i = 0; i < cmd->vars.max_reg_cmds; i++)
++ up(&cmd->vars.sem);
+ }
+
+ static void mlx5_cmd_change_mod(struct mlx5_core_dev *dev, int mode)
+@@ -1585,15 +1585,15 @@ static void mlx5_cmd_change_mod(struct mlx5_core_dev *dev, int mode)
+ struct mlx5_cmd *cmd = &dev->cmd;
+ int i;
+
+- for (i = 0; i < cmd->max_reg_cmds; i++)
+- down(&cmd->sem);
+- down(&cmd->pages_sem);
++ for (i = 0; i < cmd->vars.max_reg_cmds; i++)
++ down(&cmd->vars.sem);
++ down(&cmd->vars.pages_sem);
+
+ cmd->mode = mode;
+
+- up(&cmd->pages_sem);
+- for (i = 0; i < cmd->max_reg_cmds; i++)
+- up(&cmd->sem);
++ up(&cmd->vars.pages_sem);
++ for (i = 0; i < cmd->vars.max_reg_cmds; i++)
++ up(&cmd->vars.sem);
+ }
+
+ static int cmd_comp_notifier(struct notifier_block *nb,
+@@ -1652,7 +1652,7 @@ static void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool force
+
+ /* there can be at most 32 command queues */
+ vector = vec & 0xffffffff;
+- for (i = 0; i < (1 << cmd->log_sz); i++) {
++ for (i = 0; i < (1 << cmd->vars.log_sz); i++) {
+ if (test_bit(i, &vector)) {
+ ent = cmd->ent_arr[i];
+
+@@ -1741,7 +1741,7 @@ static void mlx5_cmd_trigger_completions(struct mlx5_core_dev *dev)
+ /* wait for pending handlers to complete */
+ mlx5_eq_synchronize_cmd_irq(dev);
+ spin_lock_irqsave(&dev->cmd.alloc_lock, flags);
+- vector = ~dev->cmd.bitmask & ((1ul << (1 << dev->cmd.log_sz)) - 1);
++ vector = ~dev->cmd.vars.bitmask & ((1ul << (1 << dev->cmd.vars.log_sz)) - 1);
+ if (!vector)
+ goto no_trig;
+
+@@ -1750,14 +1750,14 @@ static void mlx5_cmd_trigger_completions(struct mlx5_core_dev *dev)
+ * to guarantee pending commands will not get freed in the meanwhile.
+ * For that reason, it also has to be done inside the alloc_lock.
+ */
+- for_each_set_bit(i, &bitmask, (1 << cmd->log_sz))
++ for_each_set_bit(i, &bitmask, (1 << cmd->vars.log_sz))
+ cmd_ent_get(cmd->ent_arr[i]);
+ vector |= MLX5_TRIGGERED_CMD_COMP;
+ spin_unlock_irqrestore(&dev->cmd.alloc_lock, flags);
+
+ mlx5_core_dbg(dev, "vector 0x%llx\n", vector);
+ mlx5_cmd_comp_handler(dev, vector, true);
+- for_each_set_bit(i, &bitmask, (1 << cmd->log_sz))
++ for_each_set_bit(i, &bitmask, (1 << cmd->vars.log_sz))
+ cmd_ent_put(cmd->ent_arr[i]);
+ return;
+
+@@ -1770,22 +1770,22 @@ void mlx5_cmd_flush(struct mlx5_core_dev *dev)
+ struct mlx5_cmd *cmd = &dev->cmd;
+ int i;
+
+- for (i = 0; i < cmd->max_reg_cmds; i++) {
+- while (down_trylock(&cmd->sem)) {
++ for (i = 0; i < cmd->vars.max_reg_cmds; i++) {
++ while (down_trylock(&cmd->vars.sem)) {
+ mlx5_cmd_trigger_completions(dev);
+ cond_resched();
+ }
+ }
+
+- while (down_trylock(&cmd->pages_sem)) {
++ while (down_trylock(&cmd->vars.pages_sem)) {
+ mlx5_cmd_trigger_completions(dev);
+ cond_resched();
+ }
+
+ /* Unlock cmdif */
+- up(&cmd->pages_sem);
+- for (i = 0; i < cmd->max_reg_cmds; i++)
+- up(&cmd->sem);
++ up(&cmd->vars.pages_sem);
++ for (i = 0; i < cmd->vars.max_reg_cmds; i++)
++ up(&cmd->vars.sem);
+ }
+
+ static struct mlx5_cmd_msg *alloc_msg(struct mlx5_core_dev *dev, int in_size,
+@@ -1855,7 +1855,7 @@ static int cmd_exec(struct mlx5_core_dev *dev, void *in, int in_size, void *out,
+ /* atomic context may not sleep */
+ if (callback)
+ return -EINVAL;
+- down(&dev->cmd.throttle_sem);
++ down(&dev->cmd.vars.throttle_sem);
+ }
+
+ pages_queue = is_manage_pages(in);
+@@ -1900,7 +1900,7 @@ static int cmd_exec(struct mlx5_core_dev *dev, void *in, int in_size, void *out,
+ free_msg(dev, inb);
+ out_up:
+ if (throttle_op)
+- up(&dev->cmd.throttle_sem);
++ up(&dev->cmd.vars.throttle_sem);
+ return err;
+ }
+
+@@ -2210,16 +2210,16 @@ int mlx5_cmd_init(struct mlx5_core_dev *dev)
+ goto err_free_pool;
+
+ cmd_l = ioread32be(&dev->iseg->cmdq_addr_l_sz) & 0xff;
+- cmd->log_sz = cmd_l >> 4 & 0xf;
+- cmd->log_stride = cmd_l & 0xf;
+- if (1 << cmd->log_sz > MLX5_MAX_COMMANDS) {
++ cmd->vars.log_sz = cmd_l >> 4 & 0xf;
++ cmd->vars.log_stride = cmd_l & 0xf;
++ if (1 << cmd->vars.log_sz > MLX5_MAX_COMMANDS) {
+ mlx5_core_err(dev, "firmware reports too many outstanding commands %d\n",
+- 1 << cmd->log_sz);
++ 1 << cmd->vars.log_sz);
+ err = -EINVAL;
+ goto err_free_page;
+ }
+
+- if (cmd->log_sz + cmd->log_stride > MLX5_ADAPTER_PAGE_SHIFT) {
++ if (cmd->vars.log_sz + cmd->vars.log_stride > MLX5_ADAPTER_PAGE_SHIFT) {
+ mlx5_core_err(dev, "command queue size overflow\n");
+ err = -EINVAL;
+ goto err_free_page;
+@@ -2227,13 +2227,13 @@ int mlx5_cmd_init(struct mlx5_core_dev *dev)
+
+ cmd->state = MLX5_CMDIF_STATE_DOWN;
+ cmd->checksum_disabled = 1;
+- cmd->max_reg_cmds = (1 << cmd->log_sz) - 1;
+- cmd->bitmask = (1UL << cmd->max_reg_cmds) - 1;
++ cmd->vars.max_reg_cmds = (1 << cmd->vars.log_sz) - 1;
++ cmd->vars.bitmask = (1UL << cmd->vars.max_reg_cmds) - 1;
+
+- cmd->cmdif_rev = ioread32be(&dev->iseg->cmdif_rev_fw_sub) >> 16;
+- if (cmd->cmdif_rev > CMD_IF_REV) {
++ cmd->vars.cmdif_rev = ioread32be(&dev->iseg->cmdif_rev_fw_sub) >> 16;
++ if (cmd->vars.cmdif_rev > CMD_IF_REV) {
+ mlx5_core_err(dev, "driver does not support command interface version. driver %d, firmware %d\n",
+- CMD_IF_REV, cmd->cmdif_rev);
++ CMD_IF_REV, cmd->vars.cmdif_rev);
+ err = -EOPNOTSUPP;
+ goto err_free_page;
+ }
+@@ -2243,9 +2243,9 @@ int mlx5_cmd_init(struct mlx5_core_dev *dev)
+ for (i = 0; i < MLX5_CMD_OP_MAX; i++)
+ spin_lock_init(&cmd->stats[i].lock);
+
+- sema_init(&cmd->sem, cmd->max_reg_cmds);
+- sema_init(&cmd->pages_sem, 1);
+- sema_init(&cmd->throttle_sem, DIV_ROUND_UP(cmd->max_reg_cmds, 2));
++ sema_init(&cmd->vars.sem, cmd->vars.max_reg_cmds);
++ sema_init(&cmd->vars.pages_sem, 1);
++ sema_init(&cmd->vars.throttle_sem, DIV_ROUND_UP(cmd->vars.max_reg_cmds, 2));
+
+ cmd_h = (u32)((u64)(cmd->dma) >> 32);
+ cmd_l = (u32)(cmd->dma);
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c b/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c
+index bb95b40d25eb5..e0b0729e238c1 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c
+@@ -176,8 +176,8 @@ static ssize_t slots_read(struct file *filp, char __user *buf, size_t count,
+ int ret;
+
+ cmd = filp->private_data;
+- weight = bitmap_weight(&cmd->bitmask, cmd->max_reg_cmds);
+- field = cmd->max_reg_cmds - weight;
++ weight = bitmap_weight(&cmd->vars.bitmask, cmd->vars.max_reg_cmds);
++ field = cmd->vars.max_reg_cmds - weight;
+ ret = snprintf(tbuf, sizeof(tbuf), "%d\n", field);
+ return simple_read_from_buffer(buf, count, pos, tbuf, ret);
+ }
+diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
+index ce019c337f67f..93ec34a94b724 100644
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -282,18 +282,23 @@ struct mlx5_cmd_stats {
+ struct mlx5_cmd {
+ struct mlx5_nb nb;
+
++ /* members which needs to be queried or reinitialized each reload */
++ struct {
++ u16 cmdif_rev;
++ u8 log_sz;
++ u8 log_stride;
++ int max_reg_cmds;
++ unsigned long bitmask;
++ struct semaphore sem;
++ struct semaphore pages_sem;
++ struct semaphore throttle_sem;
++ } vars;
+ enum mlx5_cmdif_state state;
+ void *cmd_alloc_buf;
+ dma_addr_t alloc_dma;
+ int alloc_size;
+ void *cmd_buf;
+ dma_addr_t dma;
+- u16 cmdif_rev;
+- u8 log_sz;
+- u8 log_stride;
+- int max_reg_cmds;
+- int events;
+- u32 __iomem *vector;
+
+ /* protect command queue allocations
+ */
+@@ -303,12 +308,8 @@ struct mlx5_cmd {
+ */
+ spinlock_t token_lock;
+ u8 token;
+- unsigned long bitmask;
+ char wq_name[MLX5_CMD_WQ_MAX_NAME];
+ struct workqueue_struct *wq;
+- struct semaphore sem;
+- struct semaphore pages_sem;
+- struct semaphore throttle_sem;
+ int mode;
+ u16 allowed_opcode;
+ struct mlx5_cmd_work_ent *ent_arr[MLX5_MAX_COMMANDS];
+--
+2.43.0
+
--- /dev/null
+From 0cb9b7db6ec63a8876d9ff6840827cf88981b910 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Nov 2023 15:00:21 -0800
+Subject: net/mlx5e: Correct snprintf truncation handling for fw_version buffer
+
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+
+[ Upstream commit ad436b9c1270c40554e274f067f1b78fcc06a004 ]
+
+snprintf returns the length of the formatted string, excluding the trailing
+null, without accounting for truncation. This means that is the return
+value is greater than or equal to the size parameter, the fw_version string
+was truncated.
+
+Reported-by: David Laight <David.Laight@ACULAB.COM>
+Closes: https://lore.kernel.org/netdev/81cae734ee1b4cde9b380a9a31006c1a@AcuMS.aculab.com/
+Link: https://docs.kernel.org/core-api/kernel-api.html#c.snprintf
+Fixes: 41e63c2baa11 ("net/mlx5e: Check return value of snprintf writing to fw_version buffer")
+Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+index eeba91d9c5211..ceeb23f478e15 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+@@ -49,7 +49,7 @@ void mlx5e_ethtool_get_drvinfo(struct mlx5e_priv *priv,
+ count = snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version),
+ "%d.%d.%04d (%.16s)", fw_rev_maj(mdev),
+ fw_rev_min(mdev), fw_rev_sub(mdev), mdev->board_id);
+- if (count == sizeof(drvinfo->fw_version))
++ if (count >= sizeof(drvinfo->fw_version))
+ snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version),
+ "%d.%d.%04d", fw_rev_maj(mdev),
+ fw_rev_min(mdev), fw_rev_sub(mdev));
+--
+2.43.0
+
--- /dev/null
+From 035b759314b101cb25e0fe11411bc74cb54b59ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Nov 2023 15:00:22 -0800
+Subject: net/mlx5e: Correct snprintf truncation handling for fw_version buffer
+ used by representors
+
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+
+[ Upstream commit b13559b76157de9d74f04d3ca0e49d69de3b5675 ]
+
+snprintf returns the length of the formatted string, excluding the trailing
+null, without accounting for truncation. This means that is the return
+value is greater than or equal to the size parameter, the fw_version string
+was truncated.
+
+Link: https://docs.kernel.org/core-api/kernel-api.html#c.snprintf
+Fixes: 1b2bd0c0264f ("net/mlx5e: Check return value of snprintf writing to fw_version buffer for representors")
+Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+index 2653cb96c3105..5aeca9534f15a 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+@@ -76,7 +76,7 @@ static void mlx5e_rep_get_drvinfo(struct net_device *dev,
+ count = snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version),
+ "%d.%d.%04d (%.16s)", fw_rev_maj(mdev),
+ fw_rev_min(mdev), fw_rev_sub(mdev), mdev->board_id);
+- if (count == sizeof(drvinfo->fw_version))
++ if (count >= sizeof(drvinfo->fw_version))
+ snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version),
+ "%d.%d.%04d", fw_rev_maj(mdev),
+ fw_rev_min(mdev), fw_rev_sub(mdev));
+--
+2.43.0
+
--- /dev/null
+From a163131bada996e1331ec0989d538cd1e3e87fbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Nov 2023 17:40:53 +0800
+Subject: net/mlx5e: fix a potential double-free in fs_udp_create_groups
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit e75efc6466ae289e599fb12a5a86545dff245c65 ]
+
+When kcalloc() for ft->g succeeds but kvzalloc() for in fails,
+fs_udp_create_groups() will free ft->g. However, its caller
+fs_udp_create_table() will free ft->g again through calling
+mlx5e_destroy_flow_table(), which will lead to a double-free.
+Fix this by setting ft->g to NULL in fs_udp_create_groups().
+
+Fixes: 1c80bd684388 ("net/mlx5e: Introduce Flow Steering UDP API")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c b/drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c
+index be83ad9db82a4..e1283531e0b81 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c
+@@ -154,6 +154,7 @@ static int fs_udp_create_groups(struct mlx5e_flow_table *ft, enum fs_udp_type ty
+ in = kvzalloc(inlen, GFP_KERNEL);
+ if (!in || !ft->g) {
+ kfree(ft->g);
++ ft->g = NULL;
+ kvfree(in);
+ return -ENOMEM;
+ }
+--
+2.43.0
+
--- /dev/null
+From 14ebb4aefc49774d05508c5dc1df1de47f17d276 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 Dec 2023 00:01:26 -0800
+Subject: net/mlx5e: Fix a race in command alloc flow
+
+From: Shifeng Li <lishifeng@sangfor.com.cn>
+
+[ Upstream commit 8f5100da56b3980276234e812ce98d8f075194cd ]
+
+Fix a cmd->ent use after free due to a race on command entry.
+Such race occurs when one of the commands releases its last refcount and
+frees its index and entry while another process running command flush
+flow takes refcount to this command entry. The process which handles
+commands flush may see this command as needed to be flushed if the other
+process allocated a ent->idx but didn't set ent to cmd->ent_arr in
+cmd_work_handler(). Fix it by moving the assignment of cmd->ent_arr into
+the spin lock.
+
+[70013.081955] BUG: KASAN: use-after-free in mlx5_cmd_trigger_completions+0x1e2/0x4c0 [mlx5_core]
+[70013.081967] Write of size 4 at addr ffff88880b1510b4 by task kworker/26:1/1433361
+[70013.081968]
+[70013.082028] Workqueue: events aer_isr
+[70013.082053] Call Trace:
+[70013.082067] dump_stack+0x8b/0xbb
+[70013.082086] print_address_description+0x6a/0x270
+[70013.082102] kasan_report+0x179/0x2c0
+[70013.082173] mlx5_cmd_trigger_completions+0x1e2/0x4c0 [mlx5_core]
+[70013.082267] mlx5_cmd_flush+0x80/0x180 [mlx5_core]
+[70013.082304] mlx5_enter_error_state+0x106/0x1d0 [mlx5_core]
+[70013.082338] mlx5_try_fast_unload+0x2ea/0x4d0 [mlx5_core]
+[70013.082377] remove_one+0x200/0x2b0 [mlx5_core]
+[70013.082409] pci_device_remove+0xf3/0x280
+[70013.082439] device_release_driver_internal+0x1c3/0x470
+[70013.082453] pci_stop_bus_device+0x109/0x160
+[70013.082468] pci_stop_and_remove_bus_device+0xe/0x20
+[70013.082485] pcie_do_fatal_recovery+0x167/0x550
+[70013.082493] aer_isr+0x7d2/0x960
+[70013.082543] process_one_work+0x65f/0x12d0
+[70013.082556] worker_thread+0x87/0xb50
+[70013.082571] kthread+0x2e9/0x3a0
+[70013.082592] ret_from_fork+0x1f/0x40
+
+The logical relationship of this error is as follows:
+
+ aer_recover_work | ent->work
+-------------------------------------------+------------------------------
+aer_recover_work_func |
+|- pcie_do_recovery |
+ |- report_error_detected |
+ |- mlx5_pci_err_detected |cmd_work_handler
+ |- mlx5_enter_error_state | |- cmd_alloc_index
+ |- enter_error_state | |- lock cmd->alloc_lock
+ |- mlx5_cmd_flush | |- clear_bit
+ |- mlx5_cmd_trigger_completions| |- unlock cmd->alloc_lock
+ |- lock cmd->alloc_lock |
+ |- vector = ~dev->cmd.vars.bitmask
+ |- for_each_set_bit |
+ |- cmd_ent_get(cmd->ent_arr[i]) (UAF)
+ |- unlock cmd->alloc_lock | |- cmd->ent_arr[ent->idx]=ent
+
+The cmd->ent_arr[ent->idx] assignment and the bit clearing are not
+protected by the cmd->alloc_lock in cmd_work_handler().
+
+Fixes: 50b2412b7e78 ("net/mlx5: Avoid possible free of command entry while timeout comp handler")
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Signed-off-by: Shifeng Li <lishifeng@sangfor.com.cn>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+index e89d4fb7774bb..ac6a0785b10d8 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -156,15 +156,18 @@ static u8 alloc_token(struct mlx5_cmd *cmd)
+ return token;
+ }
+
+-static int cmd_alloc_index(struct mlx5_cmd *cmd)
++static int cmd_alloc_index(struct mlx5_cmd *cmd, struct mlx5_cmd_work_ent *ent)
+ {
+ unsigned long flags;
+ int ret;
+
+ spin_lock_irqsave(&cmd->alloc_lock, flags);
+ ret = find_first_bit(&cmd->vars.bitmask, cmd->vars.max_reg_cmds);
+- if (ret < cmd->vars.max_reg_cmds)
++ if (ret < cmd->vars.max_reg_cmds) {
+ clear_bit(ret, &cmd->vars.bitmask);
++ ent->idx = ret;
++ cmd->ent_arr[ent->idx] = ent;
++ }
+ spin_unlock_irqrestore(&cmd->alloc_lock, flags);
+
+ return ret < cmd->vars.max_reg_cmds ? ret : -ENOMEM;
+@@ -974,7 +977,7 @@ static void cmd_work_handler(struct work_struct *work)
+ sem = ent->page_queue ? &cmd->vars.pages_sem : &cmd->vars.sem;
+ down(sem);
+ if (!ent->page_queue) {
+- alloc_ret = cmd_alloc_index(cmd);
++ alloc_ret = cmd_alloc_index(cmd, ent);
+ if (alloc_ret < 0) {
+ mlx5_core_err_rl(dev, "failed to allocate command entry\n");
+ if (ent->callback) {
+@@ -989,15 +992,14 @@ static void cmd_work_handler(struct work_struct *work)
+ up(sem);
+ return;
+ }
+- ent->idx = alloc_ret;
+ } else {
+ ent->idx = cmd->vars.max_reg_cmds;
+ spin_lock_irqsave(&cmd->alloc_lock, flags);
+ clear_bit(ent->idx, &cmd->vars.bitmask);
++ cmd->ent_arr[ent->idx] = ent;
+ spin_unlock_irqrestore(&cmd->alloc_lock, flags);
+ }
+
+- cmd->ent_arr[ent->idx] = ent;
+ lay = get_inst(cmd, ent->idx);
+ ent->lay = lay;
+ memset(lay, 0, sizeof(*lay));
+--
+2.43.0
+
--- /dev/null
+From 771fac0449d12ae93ed2c4b2ad66aea253073d32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Nov 2023 01:46:56 -0800
+Subject: net/mlx5e: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list()
+
+From: Shifeng Li <lishifeng@sangfor.com.cn>
+
+[ Upstream commit ddb38ddff9c71026bad481b791a94d446ee37603 ]
+
+Out_sz that the size of out buffer is calculated using query_nic_vport
+_context_in structure when driver query the MAC list. However query_nic
+_vport_context_in structure is smaller than query_nic_vport_context_out.
+When allowed_list_size is greater than 96, calling ether_addr_copy() will
+trigger an slab-out-of-bounds.
+
+[ 1170.055866] BUG: KASAN: slab-out-of-bounds in mlx5_query_nic_vport_mac_list+0x481/0x4d0 [mlx5_core]
+[ 1170.055869] Read of size 4 at addr ffff88bdbc57d912 by task kworker/u128:1/461
+[ 1170.055870]
+[ 1170.055932] Workqueue: mlx5_esw_wq esw_vport_change_handler [mlx5_core]
+[ 1170.055936] Call Trace:
+[ 1170.055949] dump_stack+0x8b/0xbb
+[ 1170.055958] print_address_description+0x6a/0x270
+[ 1170.055961] kasan_report+0x179/0x2c0
+[ 1170.056061] mlx5_query_nic_vport_mac_list+0x481/0x4d0 [mlx5_core]
+[ 1170.056162] esw_update_vport_addr_list+0x2c5/0xcd0 [mlx5_core]
+[ 1170.056257] esw_vport_change_handle_locked+0xd08/0x1a20 [mlx5_core]
+[ 1170.056377] esw_vport_change_handler+0x6b/0x90 [mlx5_core]
+[ 1170.056381] process_one_work+0x65f/0x12d0
+[ 1170.056383] worker_thread+0x87/0xb50
+[ 1170.056390] kthread+0x2e9/0x3a0
+[ 1170.056394] ret_from_fork+0x1f/0x40
+
+Fixes: e16aea2744ab ("net/mlx5: Introduce access functions to modify/query vport mac lists")
+Cc: Ding Hui <dinghui@sangfor.com.cn>
+Signed-off-by: Shifeng Li <lishifeng@sangfor.com.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/vport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vport.c b/drivers/net/ethernet/mellanox/mlx5/core/vport.c
+index d5c3173250309..3f68e3198aa64 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c
+@@ -277,7 +277,7 @@ int mlx5_query_nic_vport_mac_list(struct mlx5_core_dev *dev,
+ req_list_size = max_list_size;
+ }
+
+- out_sz = MLX5_ST_SZ_BYTES(query_nic_vport_context_in) +
++ out_sz = MLX5_ST_SZ_BYTES(query_nic_vport_context_out) +
+ req_list_size * MLX5_ST_SZ_BYTES(mac_address_layout);
+
+ out = kvzalloc(out_sz, GFP_KERNEL);
+--
+2.43.0
+
--- /dev/null
+From 9098134c886607b2d5660f07ed5e5849024b72b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Dec 2023 02:09:01 +0200
+Subject: net: mscc: ocelot: fix eMAC TX RMON stats for bucket 256-511 and
+ above
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 52eda4641d041667fa059f4855c5f88dcebd8afe ]
+
+There is a typo in the driver due to which we report incorrect TX RMON
+counters for the 256-511 octet bucket and all the other buckets larger
+than that.
+
+Bug found with the selftest at
+https://patchwork.kernel.org/project/netdevbpf/patch/20231211223346.2497157-9-tobias@waldekranz.com/
+
+Fixes: e32036e1ae7b ("net: mscc: ocelot: add support for all sorts of standardized counters present in DSA")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://lore.kernel.org/r/20231214000902.545625-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mscc/ocelot_stats.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mscc/ocelot_stats.c b/drivers/net/ethernet/mscc/ocelot_stats.c
+index 0066219bb0e89..6b95262dad904 100644
+--- a/drivers/net/ethernet/mscc/ocelot_stats.c
++++ b/drivers/net/ethernet/mscc/ocelot_stats.c
+@@ -216,10 +216,10 @@ static void ocelot_port_rmon_stats_cb(struct ocelot *ocelot, int port, void *pri
+ rmon_stats->hist_tx[0] = s[OCELOT_STAT_TX_64];
+ rmon_stats->hist_tx[1] = s[OCELOT_STAT_TX_65_127];
+ rmon_stats->hist_tx[2] = s[OCELOT_STAT_TX_128_255];
+- rmon_stats->hist_tx[3] = s[OCELOT_STAT_TX_128_255];
+- rmon_stats->hist_tx[4] = s[OCELOT_STAT_TX_256_511];
+- rmon_stats->hist_tx[5] = s[OCELOT_STAT_TX_512_1023];
+- rmon_stats->hist_tx[6] = s[OCELOT_STAT_TX_1024_1526];
++ rmon_stats->hist_tx[3] = s[OCELOT_STAT_TX_256_511];
++ rmon_stats->hist_tx[4] = s[OCELOT_STAT_TX_512_1023];
++ rmon_stats->hist_tx[5] = s[OCELOT_STAT_TX_1024_1526];
++ rmon_stats->hist_tx[6] = s[OCELOT_STAT_TX_1527_MAX];
+ }
+
+ void ocelot_port_get_rmon_stats(struct ocelot *ocelot, int port,
+--
+2.43.0
+
--- /dev/null
+From c949678dfd745d62e2a9442d6b05a4549b8b50e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Dec 2023 14:09:22 +0900
+Subject: net: Return error from sk_stream_wait_connect() if sk_wait_event()
+ fails
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit cac23b7d7627915d967ce25436d7aae26e88ed06 ]
+
+The following NULL pointer dereference issue occurred:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+<...>
+RIP: 0010:ccid_hc_tx_send_packet net/dccp/ccid.h:166 [inline]
+RIP: 0010:dccp_write_xmit+0x49/0x140 net/dccp/output.c:356
+<...>
+Call Trace:
+ <TASK>
+ dccp_sendmsg+0x642/0x7e0 net/dccp/proto.c:801
+ inet_sendmsg+0x63/0x90 net/ipv4/af_inet.c:846
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg+0x83/0xe0 net/socket.c:745
+ ____sys_sendmsg+0x443/0x510 net/socket.c:2558
+ ___sys_sendmsg+0xe5/0x150 net/socket.c:2612
+ __sys_sendmsg+0xa6/0x120 net/socket.c:2641
+ __do_sys_sendmsg net/socket.c:2650 [inline]
+ __se_sys_sendmsg net/socket.c:2648 [inline]
+ __x64_sys_sendmsg+0x45/0x50 net/socket.c:2648
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x43/0x110 arch/x86/entry/common.c:82
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+sk_wait_event() returns an error (-EPIPE) if disconnect() is called on the
+socket waiting for the event. However, sk_stream_wait_connect() returns
+success, i.e. zero, even if sk_wait_event() returns -EPIPE, so a function
+that waits for a connection with sk_stream_wait_connect() may misbehave.
+
+In the case of the above DCCP issue, dccp_sendmsg() is waiting for the
+connection. If disconnect() is called in concurrently, the above issue
+occurs.
+
+This patch fixes the issue by returning error from sk_stream_wait_connect()
+if sk_wait_event() fails.
+
+Fixes: 419ce133ab92 ("tcp: allow again tcp_disconnect() when threads are waiting")
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reported-by: syzbot+c71bc336c5061153b502@syzkaller.appspotmail.com
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/stream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/stream.c b/net/core/stream.c
+index 051aa71a8ad0f..30e7deff4c551 100644
+--- a/net/core/stream.c
++++ b/net/core/stream.c
+@@ -79,7 +79,7 @@ int sk_stream_wait_connect(struct sock *sk, long *timeo_p)
+ remove_wait_queue(sk_sleep(sk), &wait);
+ sk->sk_write_pending--;
+ } while (!done);
+- return 0;
++ return done < 0 ? done : 0;
+ }
+ EXPORT_SYMBOL(sk_stream_wait_connect);
+
+--
+2.43.0
+
--- /dev/null
+From a10826494b4bcf12f6b5507e7a7d45aeab16fc16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Dec 2023 15:27:47 +0000
+Subject: net/rose: fix races in rose_kill_by_device()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 64b8bc7d5f1434c636a40bdcfcd42b278d1714be ]
+
+syzbot found an interesting netdev refcounting issue in
+net/rose/af_rose.c, thanks to CONFIG_NET_DEV_REFCNT_TRACKER=y [1]
+
+Problem is that rose_kill_by_device() can change rose->device
+while other threads do not expect the pointer to be changed.
+
+We have to first collect sockets in a temporary array,
+then perform the changes while holding the socket
+lock and rose_list_lock spinlock (in this order)
+
+Change rose_release() to also acquire rose_list_lock
+before releasing the netdev refcount.
+
+[1]
+
+[ 1185.055088][ T7889] ref_tracker: reference already released.
+[ 1185.061476][ T7889] ref_tracker: allocated in:
+[ 1185.066081][ T7889] rose_bind+0x4ab/0xd10
+[ 1185.070446][ T7889] __sys_bind+0x1ec/0x220
+[ 1185.074818][ T7889] __x64_sys_bind+0x72/0xb0
+[ 1185.079356][ T7889] do_syscall_64+0x40/0x110
+[ 1185.083897][ T7889] entry_SYSCALL_64_after_hwframe+0x63/0x6b
+[ 1185.089835][ T7889] ref_tracker: freed in:
+[ 1185.094088][ T7889] rose_release+0x2f5/0x570
+[ 1185.098629][ T7889] __sock_release+0xae/0x260
+[ 1185.103262][ T7889] sock_close+0x1c/0x20
+[ 1185.107453][ T7889] __fput+0x270/0xbb0
+[ 1185.111467][ T7889] task_work_run+0x14d/0x240
+[ 1185.116085][ T7889] get_signal+0x106f/0x2790
+[ 1185.120622][ T7889] arch_do_signal_or_restart+0x90/0x7f0
+[ 1185.126205][ T7889] exit_to_user_mode_prepare+0x121/0x240
+[ 1185.131846][ T7889] syscall_exit_to_user_mode+0x1e/0x60
+[ 1185.137293][ T7889] do_syscall_64+0x4d/0x110
+[ 1185.141783][ T7889] entry_SYSCALL_64_after_hwframe+0x63/0x6b
+[ 1185.148085][ T7889] ------------[ cut here ]------------
+
+WARNING: CPU: 1 PID: 7889 at lib/ref_tracker.c:255 ref_tracker_free+0x61a/0x810 lib/ref_tracker.c:255
+Modules linked in:
+CPU: 1 PID: 7889 Comm: syz-executor.2 Not tainted 6.7.0-rc4-syzkaller-00162-g65c95f78917e #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
+RIP: 0010:ref_tracker_free+0x61a/0x810 lib/ref_tracker.c:255
+Code: 00 44 8b 6b 18 31 ff 44 89 ee e8 21 62 f5 fc 45 85 ed 0f 85 a6 00 00 00 e8 a3 66 f5 fc 48 8b 34 24 48 89 ef e8 27 5f f1 05 90 <0f> 0b 90 bb ea ff ff ff e9 52 fd ff ff e8 84 66 f5 fc 4c 8d 6d 44
+RSP: 0018:ffffc90004917850 EFLAGS: 00010202
+RAX: 0000000000000201 RBX: ffff88802618f4c0 RCX: 0000000000000000
+RDX: 0000000000000202 RSI: ffffffff8accb920 RDI: 0000000000000001
+RBP: ffff8880269ea5b8 R08: 0000000000000001 R09: fffffbfff23e35f6
+R10: ffffffff91f1afb7 R11: 0000000000000001 R12: 1ffff92000922f0c
+R13: 0000000005a2039b R14: ffff88802618f4d8 R15: 00000000ffffffff
+FS: 00007f0a720ef6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f43a819d988 CR3: 0000000076c64000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+<TASK>
+netdev_tracker_free include/linux/netdevice.h:4127 [inline]
+netdev_put include/linux/netdevice.h:4144 [inline]
+netdev_put include/linux/netdevice.h:4140 [inline]
+rose_kill_by_device net/rose/af_rose.c:195 [inline]
+rose_device_event+0x25d/0x330 net/rose/af_rose.c:218
+notifier_call_chain+0xb6/0x3b0 kernel/notifier.c:93
+call_netdevice_notifiers_info+0xbe/0x130 net/core/dev.c:1967
+call_netdevice_notifiers_extack net/core/dev.c:2005 [inline]
+call_netdevice_notifiers net/core/dev.c:2019 [inline]
+__dev_notify_flags+0x1f5/0x2e0 net/core/dev.c:8646
+dev_change_flags+0x122/0x170 net/core/dev.c:8682
+dev_ifsioc+0x9ad/0x1090 net/core/dev_ioctl.c:529
+dev_ioctl+0x224/0x1090 net/core/dev_ioctl.c:786
+sock_do_ioctl+0x198/0x270 net/socket.c:1234
+sock_ioctl+0x22e/0x6b0 net/socket.c:1339
+vfs_ioctl fs/ioctl.c:51 [inline]
+__do_sys_ioctl fs/ioctl.c:871 [inline]
+__se_sys_ioctl fs/ioctl.c:857 [inline]
+__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
+do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
+entry_SYSCALL_64_after_hwframe+0x63/0x6b
+RIP: 0033:0x7f0a7147cba9
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f0a720ef0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007f0a7159bf80 RCX: 00007f0a7147cba9
+RDX: 0000000020000040 RSI: 0000000000008914 RDI: 0000000000000004
+RBP: 00007f0a714c847a R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 000000000000000b R14: 00007f0a7159bf80 R15: 00007ffc8bb3a5f8
+</TASK>
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Bernard Pidoux <f6bvp@free.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rose/af_rose.c | 39 ++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 34 insertions(+), 5 deletions(-)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index 674937284b8d2..29b74a569e0b0 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -182,21 +182,47 @@ void rose_kill_by_neigh(struct rose_neigh *neigh)
+ */
+ static void rose_kill_by_device(struct net_device *dev)
+ {
+- struct sock *s;
++ struct sock *sk, *array[16];
++ struct rose_sock *rose;
++ bool rescan;
++ int i, cnt;
+
++start:
++ rescan = false;
++ cnt = 0;
+ spin_lock_bh(&rose_list_lock);
+- sk_for_each(s, &rose_list) {
+- struct rose_sock *rose = rose_sk(s);
++ sk_for_each(sk, &rose_list) {
++ rose = rose_sk(sk);
++ if (rose->device == dev) {
++ if (cnt == ARRAY_SIZE(array)) {
++ rescan = true;
++ break;
++ }
++ sock_hold(sk);
++ array[cnt++] = sk;
++ }
++ }
++ spin_unlock_bh(&rose_list_lock);
+
++ for (i = 0; i < cnt; i++) {
++ sk = array[cnt];
++ rose = rose_sk(sk);
++ lock_sock(sk);
++ spin_lock_bh(&rose_list_lock);
+ if (rose->device == dev) {
+- rose_disconnect(s, ENETUNREACH, ROSE_OUT_OF_ORDER, 0);
++ rose_disconnect(sk, ENETUNREACH, ROSE_OUT_OF_ORDER, 0);
+ if (rose->neighbour)
+ rose->neighbour->use--;
+ netdev_put(rose->device, &rose->dev_tracker);
+ rose->device = NULL;
+ }
++ spin_unlock_bh(&rose_list_lock);
++ release_sock(sk);
++ sock_put(sk);
++ cond_resched();
+ }
+- spin_unlock_bh(&rose_list_lock);
++ if (rescan)
++ goto start;
+ }
+
+ /*
+@@ -656,7 +682,10 @@ static int rose_release(struct socket *sock)
+ break;
+ }
+
++ spin_lock_bh(&rose_list_lock);
+ netdev_put(rose->device, &rose->dev_tracker);
++ rose->device = NULL;
++ spin_unlock_bh(&rose_list_lock);
+ sock->sk = NULL;
+ release_sock(sk);
+ sock_put(sk);
+--
+2.43.0
+
--- /dev/null
+From dd65252c3bb286c6537db87b20cbad97b5ec1344 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Dec 2023 11:30:38 +0000
+Subject: net: sched: ife: fix potential use-after-free
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 19391a2ca98baa7b80279306cdf7dd43f81fa595 ]
+
+ife_decode() calls pskb_may_pull() two times, we need to reload
+ifehdr after the second one, or risk use-after-free as reported
+by syzbot:
+
+BUG: KASAN: slab-use-after-free in __ife_tlv_meta_valid net/ife/ife.c:108 [inline]
+BUG: KASAN: slab-use-after-free in ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131
+Read of size 2 at addr ffff88802d7300a4 by task syz-executor.5/22323
+
+CPU: 0 PID: 22323 Comm: syz-executor.5 Not tainted 6.7.0-rc3-syzkaller-00804-g074ac38d5b95 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
+Call Trace:
+<TASK>
+__dump_stack lib/dump_stack.c:88 [inline]
+dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
+print_address_description mm/kasan/report.c:364 [inline]
+print_report+0xc4/0x620 mm/kasan/report.c:475
+kasan_report+0xda/0x110 mm/kasan/report.c:588
+__ife_tlv_meta_valid net/ife/ife.c:108 [inline]
+ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131
+tcf_ife_decode net/sched/act_ife.c:739 [inline]
+tcf_ife_act+0x4e3/0x1cd0 net/sched/act_ife.c:879
+tc_act include/net/tc_wrapper.h:221 [inline]
+tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079
+tcf_exts_exec include/net/pkt_cls.h:344 [inline]
+mall_classify+0x201/0x310 net/sched/cls_matchall.c:42
+tc_classify include/net/tc_wrapper.h:227 [inline]
+__tcf_classify net/sched/cls_api.c:1703 [inline]
+tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800
+hfsc_classify net/sched/sch_hfsc.c:1147 [inline]
+hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546
+dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739
+__dev_xmit_skb net/core/dev.c:3828 [inline]
+__dev_queue_xmit+0x1de1/0x3d30 net/core/dev.c:4311
+dev_queue_xmit include/linux/netdevice.h:3165 [inline]
+packet_xmit+0x237/0x350 net/packet/af_packet.c:276
+packet_snd net/packet/af_packet.c:3081 [inline]
+packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113
+sock_sendmsg_nosec net/socket.c:730 [inline]
+__sock_sendmsg+0xd5/0x180 net/socket.c:745
+__sys_sendto+0x255/0x340 net/socket.c:2190
+__do_sys_sendto net/socket.c:2202 [inline]
+__se_sys_sendto net/socket.c:2198 [inline]
+__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
+do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
+entry_SYSCALL_64_after_hwframe+0x63/0x6b
+RIP: 0033:0x7fe9acc7cae9
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fe9ada450c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 00007fe9acd9bf80 RCX: 00007fe9acc7cae9
+RDX: 000000000000fce0 RSI: 00000000200002c0 RDI: 0000000000000003
+RBP: 00007fe9accc847a R08: 0000000020000140 R09: 0000000000000014
+R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
+R13: 000000000000000b R14: 00007fe9acd9bf80 R15: 00007ffd5427ae78
+</TASK>
+
+Allocated by task 22323:
+kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
+kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+____kasan_kmalloc mm/kasan/common.c:374 [inline]
+__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
+kasan_kmalloc include/linux/kasan.h:198 [inline]
+__do_kmalloc_node mm/slab_common.c:1007 [inline]
+__kmalloc_node_track_caller+0x5a/0x90 mm/slab_common.c:1027
+kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582
+__alloc_skb+0x12b/0x330 net/core/skbuff.c:651
+alloc_skb include/linux/skbuff.h:1298 [inline]
+alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
+sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
+packet_alloc_skb net/packet/af_packet.c:2930 [inline]
+packet_snd net/packet/af_packet.c:3024 [inline]
+packet_sendmsg+0x1e2a/0x5200 net/packet/af_packet.c:3113
+sock_sendmsg_nosec net/socket.c:730 [inline]
+__sock_sendmsg+0xd5/0x180 net/socket.c:745
+__sys_sendto+0x255/0x340 net/socket.c:2190
+__do_sys_sendto net/socket.c:2202 [inline]
+__se_sys_sendto net/socket.c:2198 [inline]
+__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
+do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
+entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+Freed by task 22323:
+kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
+kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
+____kasan_slab_free mm/kasan/common.c:236 [inline]
+____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
+kasan_slab_free include/linux/kasan.h:164 [inline]
+slab_free_hook mm/slub.c:1800 [inline]
+slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
+slab_free mm/slub.c:3809 [inline]
+__kmem_cache_free+0xc0/0x180 mm/slub.c:3822
+skb_kfree_head net/core/skbuff.c:950 [inline]
+skb_free_head+0x110/0x1b0 net/core/skbuff.c:962
+pskb_expand_head+0x3c5/0x1170 net/core/skbuff.c:2130
+__pskb_pull_tail+0xe1/0x1830 net/core/skbuff.c:2655
+pskb_may_pull_reason include/linux/skbuff.h:2685 [inline]
+pskb_may_pull include/linux/skbuff.h:2693 [inline]
+ife_decode+0x394/0x4f0 net/ife/ife.c:82
+tcf_ife_decode net/sched/act_ife.c:727 [inline]
+tcf_ife_act+0x43b/0x1cd0 net/sched/act_ife.c:879
+tc_act include/net/tc_wrapper.h:221 [inline]
+tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079
+tcf_exts_exec include/net/pkt_cls.h:344 [inline]
+mall_classify+0x201/0x310 net/sched/cls_matchall.c:42
+tc_classify include/net/tc_wrapper.h:227 [inline]
+__tcf_classify net/sched/cls_api.c:1703 [inline]
+tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800
+hfsc_classify net/sched/sch_hfsc.c:1147 [inline]
+hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546
+dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739
+__dev_xmit_skb net/core/dev.c:3828 [inline]
+__dev_queue_xmit+0x1de1/0x3d30 net/core/dev.c:4311
+dev_queue_xmit include/linux/netdevice.h:3165 [inline]
+packet_xmit+0x237/0x350 net/packet/af_packet.c:276
+packet_snd net/packet/af_packet.c:3081 [inline]
+packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113
+sock_sendmsg_nosec net/socket.c:730 [inline]
+__sock_sendmsg+0xd5/0x180 net/socket.c:745
+__sys_sendto+0x255/0x340 net/socket.c:2190
+__do_sys_sendto net/socket.c:2202 [inline]
+__se_sys_sendto net/socket.c:2198 [inline]
+__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
+do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
+entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+The buggy address belongs to the object at ffff88802d730000
+which belongs to the cache kmalloc-8k of size 8192
+The buggy address is located 164 bytes inside of
+freed 8192-byte region [ffff88802d730000, ffff88802d732000)
+
+The buggy address belongs to the physical page:
+page:ffffea0000b5cc00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2d730
+head:ffffea0000b5cc00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
+page_type: 0xffffffff()
+raw: 00fff00000000840 ffff888013042280 dead000000000122 0000000000000000
+raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 22323, tgid 22320 (syz-executor.5), ts 950317230369, free_ts 950233467461
+set_page_owner include/linux/page_owner.h:31 [inline]
+post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1544
+prep_new_page mm/page_alloc.c:1551 [inline]
+get_page_from_freelist+0xa28/0x3730 mm/page_alloc.c:3319
+__alloc_pages+0x22e/0x2420 mm/page_alloc.c:4575
+alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
+alloc_slab_page mm/slub.c:1870 [inline]
+allocate_slab mm/slub.c:2017 [inline]
+new_slab+0x283/0x3c0 mm/slub.c:2070
+___slab_alloc+0x979/0x1500 mm/slub.c:3223
+__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
+__slab_alloc_node mm/slub.c:3375 [inline]
+slab_alloc_node mm/slub.c:3468 [inline]
+__kmem_cache_alloc_node+0x131/0x310 mm/slub.c:3517
+__do_kmalloc_node mm/slab_common.c:1006 [inline]
+__kmalloc_node_track_caller+0x4a/0x90 mm/slab_common.c:1027
+kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582
+__alloc_skb+0x12b/0x330 net/core/skbuff.c:651
+alloc_skb include/linux/skbuff.h:1298 [inline]
+alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
+sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
+packet_alloc_skb net/packet/af_packet.c:2930 [inline]
+packet_snd net/packet/af_packet.c:3024 [inline]
+packet_sendmsg+0x1e2a/0x5200 net/packet/af_packet.c:3113
+sock_sendmsg_nosec net/socket.c:730 [inline]
+__sock_sendmsg+0xd5/0x180 net/socket.c:745
+__sys_sendto+0x255/0x340 net/socket.c:2190
+page last free stack trace:
+reset_page_owner include/linux/page_owner.h:24 [inline]
+free_pages_prepare mm/page_alloc.c:1144 [inline]
+free_unref_page_prepare+0x53c/0xb80 mm/page_alloc.c:2354
+free_unref_page+0x33/0x3b0 mm/page_alloc.c:2494
+__unfreeze_partials+0x226/0x240 mm/slub.c:2655
+qlink_free mm/kasan/quarantine.c:168 [inline]
+qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
+kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:294
+__kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
+kasan_slab_alloc include/linux/kasan.h:188 [inline]
+slab_post_alloc_hook mm/slab.h:763 [inline]
+slab_alloc_node mm/slub.c:3478 [inline]
+slab_alloc mm/slub.c:3486 [inline]
+__kmem_cache_alloc_lru mm/slub.c:3493 [inline]
+kmem_cache_alloc_lru+0x219/0x6f0 mm/slub.c:3509
+alloc_inode_sb include/linux/fs.h:2937 [inline]
+ext4_alloc_inode+0x28/0x650 fs/ext4/super.c:1408
+alloc_inode+0x5d/0x220 fs/inode.c:261
+new_inode_pseudo fs/inode.c:1006 [inline]
+new_inode+0x22/0x260 fs/inode.c:1032
+__ext4_new_inode+0x333/0x5200 fs/ext4/ialloc.c:958
+ext4_symlink+0x5d7/0xa20 fs/ext4/namei.c:3398
+vfs_symlink fs/namei.c:4464 [inline]
+vfs_symlink+0x3e5/0x620 fs/namei.c:4448
+do_symlinkat+0x25f/0x310 fs/namei.c:4490
+__do_sys_symlinkat fs/namei.c:4506 [inline]
+__se_sys_symlinkat fs/namei.c:4503 [inline]
+__x64_sys_symlinkat+0x97/0xc0 fs/namei.c:4503
+do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
+
+Fixes: d57493d6d1be ("net: sched: ife: check on metadata length")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: Alexander Aring <aahringo@redhat.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ife/ife.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ife/ife.c b/net/ife/ife.c
+index 13bbf8cb6a396..be05b690b9ef2 100644
+--- a/net/ife/ife.c
++++ b/net/ife/ife.c
+@@ -82,6 +82,7 @@ void *ife_decode(struct sk_buff *skb, u16 *metalen)
+ if (unlikely(!pskb_may_pull(skb, total_pull)))
+ return NULL;
+
++ ifehdr = (struct ifeheadr *)(skb->data + skb->dev->hard_header_len);
+ skb_set_mac_header(skb, total_pull);
+ __skb_pull(skb, total_pull);
+ *metalen = ifehdrln - IFE_METAHDRLEN;
+--
+2.43.0
+
--- /dev/null
+From 2be773b0d48e591a62bf46f7c3cd05672905e632 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Dec 2023 23:40:44 +0530
+Subject: octeontx2-pf: Fix graceful exit during PFC configuration failure
+
+From: Suman Ghosh <sumang@marvell.com>
+
+[ Upstream commit 8c97ab5448f2096daba11edf8d18a44e1eb6f31d ]
+
+During PFC configuration failure the code was not handling a graceful
+exit. This patch fixes the same and add proper code for a graceful exit.
+
+Fixes: 99c969a83d82 ("octeontx2-pf: Add egress PFC support")
+Signed-off-by: Suman Ghosh <sumang@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/marvell/octeontx2/nic/otx2_dcbnl.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c
+index bfddbff7bcdfb..28fb643d2917f 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c
+@@ -399,9 +399,10 @@ static int otx2_dcbnl_ieee_getpfc(struct net_device *dev, struct ieee_pfc *pfc)
+ static int otx2_dcbnl_ieee_setpfc(struct net_device *dev, struct ieee_pfc *pfc)
+ {
+ struct otx2_nic *pfvf = netdev_priv(dev);
++ u8 old_pfc_en;
+ int err;
+
+- /* Save PFC configuration to interface */
++ old_pfc_en = pfvf->pfc_en;
+ pfvf->pfc_en = pfc->pfc_en;
+
+ if (pfvf->hw.tx_queues >= NIX_PF_PFC_PRIO_MAX)
+@@ -411,13 +412,17 @@ static int otx2_dcbnl_ieee_setpfc(struct net_device *dev, struct ieee_pfc *pfc)
+ * supported by the tx queue configuration
+ */
+ err = otx2_check_pfc_config(pfvf);
+- if (err)
++ if (err) {
++ pfvf->pfc_en = old_pfc_en;
+ return err;
++ }
+
+ process_pfc:
+ err = otx2_config_priority_flow_ctrl(pfvf);
+- if (err)
++ if (err) {
++ pfvf->pfc_en = old_pfc_en;
+ return err;
++ }
+
+ /* Request Per channel Bpids */
+ if (pfc->pfc_en)
+@@ -425,6 +430,12 @@ static int otx2_dcbnl_ieee_setpfc(struct net_device *dev, struct ieee_pfc *pfc)
+
+ err = otx2_pfc_txschq_update(pfvf);
+ if (err) {
++ if (pfc->pfc_en)
++ otx2_nix_config_bp(pfvf, false);
++
++ otx2_pfc_txschq_stop(pfvf);
++ pfvf->pfc_en = old_pfc_en;
++ otx2_config_priority_flow_ctrl(pfvf);
+ dev_err(pfvf->dev, "%s failed to update TX schedulers\n", __func__);
+ return err;
+ }
+--
+2.43.0
+
--- /dev/null
+From 99162aeab6be0fb51aba886a9097e63a052edc92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Nov 2023 17:55:33 +0100
+Subject: reset: Fix crash when freeing non-existent optional resets
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 4a6756f56bcf8e64c87144a626ce53aea4899c0e ]
+
+When obtaining one or more optional resets, non-existent resets are
+stored as NULL pointers, and all related error and cleanup paths need to
+take this into account.
+
+Currently only reset_control_put() and reset_control_bulk_put()
+get this right. All of __reset_control_bulk_get(),
+of_reset_control_array_get(), and reset_control_array_put() lack the
+proper checking, causing NULL pointer dereferences on failure or
+release.
+
+Fix this by moving the existing check from reset_control_bulk_put() to
+__reset_control_put_internal(), so it applies to all callers.
+The double check in reset_control_put() doesn't hurt.
+
+Fixes: 17c82e206d2a3cd8 ("reset: Add APIs to manage array of resets")
+Fixes: 48d71395896d54ee ("reset: Add reset_control_bulk API")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/2440edae7ca8534628cdbaf559ded288f2998178.1701276806.git.geert+renesas@glider.be
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/reset/core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/reset/core.c b/drivers/reset/core.c
+index f0a076e94118f..92cc13ef3e566 100644
+--- a/drivers/reset/core.c
++++ b/drivers/reset/core.c
+@@ -807,6 +807,9 @@ static void __reset_control_put_internal(struct reset_control *rstc)
+ {
+ lockdep_assert_held(&reset_list_mutex);
+
++ if (IS_ERR_OR_NULL(rstc))
++ return;
++
+ kref_put(&rstc->refcnt, __reset_control_release);
+ }
+
+@@ -1017,11 +1020,8 @@ EXPORT_SYMBOL_GPL(reset_control_put);
+ void reset_control_bulk_put(int num_rstcs, struct reset_control_bulk_data *rstcs)
+ {
+ mutex_lock(&reset_list_mutex);
+- while (num_rstcs--) {
+- if (IS_ERR_OR_NULL(rstcs[num_rstcs].rstc))
+- continue;
++ while (num_rstcs--)
+ __reset_control_put_internal(rstcs[num_rstcs].rstc);
+- }
+ mutex_unlock(&reset_list_mutex);
+ }
+ EXPORT_SYMBOL_GPL(reset_control_bulk_put);
+--
+2.43.0
+
--- /dev/null
+From 65bdac116c25ab5948b2c0870283594cebf172e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Nov 2023 13:51:52 +0100
+Subject: Revert "net/mlx5e: fix double free of encap_header in update funcs"
+
+From: Vlad Buslov <vladbu@nvidia.com>
+
+[ Upstream commit 66ca8d4deca09bce3fc7bcf8ea7997fa1a51c33c ]
+
+This reverts commit 3a4aa3cb83563df942be49d145ee3b7ddf17d6bb.
+
+This patch is causing a null ptr issue, the proper fix is in the next
+patch.
+
+Fixes: 3a4aa3cb8356 ("net/mlx5e: fix double free of encap_header in update funcs")
+Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/mellanox/mlx5/core/en/tc_tun.c | 20 +++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
+index 4db0483c066a8..ccfc626c37d48 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
+@@ -403,12 +403,16 @@ int mlx5e_tc_tun_update_header_ipv4(struct mlx5e_priv *priv,
+ if (err)
+ goto free_encap;
+
++ e->encap_size = ipv4_encap_size;
++ kfree(e->encap_header);
++ e->encap_header = encap_header;
++
+ if (!(nud_state & NUD_VALID)) {
+ neigh_event_send(attr.n, NULL);
+ /* the encap entry will be made valid on neigh update event
+ * and not used before that.
+ */
+- goto free_encap;
++ goto release_neigh;
+ }
+
+ memset(&reformat_params, 0, sizeof(reformat_params));
+@@ -422,10 +426,6 @@ int mlx5e_tc_tun_update_header_ipv4(struct mlx5e_priv *priv,
+ goto free_encap;
+ }
+
+- e->encap_size = ipv4_encap_size;
+- kfree(e->encap_header);
+- e->encap_header = encap_header;
+-
+ e->flags |= MLX5_ENCAP_ENTRY_VALID;
+ mlx5e_rep_queue_neigh_stats_work(netdev_priv(attr.out_dev));
+ mlx5e_route_lookup_ipv4_put(&attr);
+@@ -669,12 +669,16 @@ int mlx5e_tc_tun_update_header_ipv6(struct mlx5e_priv *priv,
+ if (err)
+ goto free_encap;
+
++ e->encap_size = ipv6_encap_size;
++ kfree(e->encap_header);
++ e->encap_header = encap_header;
++
+ if (!(nud_state & NUD_VALID)) {
+ neigh_event_send(attr.n, NULL);
+ /* the encap entry will be made valid on neigh update event
+ * and not used before that.
+ */
+- goto free_encap;
++ goto release_neigh;
+ }
+
+ memset(&reformat_params, 0, sizeof(reformat_params));
+@@ -688,10 +692,6 @@ int mlx5e_tc_tun_update_header_ipv6(struct mlx5e_priv *priv,
+ goto free_encap;
+ }
+
+- e->encap_size = ipv6_encap_size;
+- kfree(e->encap_header);
+- e->encap_header = encap_header;
+-
+ e->flags |= MLX5_ENCAP_ENTRY_VALID;
+ mlx5e_rep_queue_neigh_stats_work(netdev_priv(attr.out_dev));
+ mlx5e_route_lookup_ipv6_put(&attr);
+--
+2.43.0
+
--- /dev/null
+From 895e918527edf22c4655ca6026a182b5d11432f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Nov 2023 13:52:28 +0100
+Subject: Revert "net/mlx5e: fix double free of encap_header"
+
+From: Vlad Buslov <vladbu@nvidia.com>
+
+[ Upstream commit 5d089684dc434a31e08d32f0530066d0025c52e4 ]
+
+This reverts commit 6f9b1a0731662648949a1c0587f6acb3b7f8acf1.
+
+This patch is causing a null ptr issue, the proper fix is in the next
+patch.
+
+Fixes: 6f9b1a073166 ("net/mlx5e: fix double free of encap_header")
+Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
+index ccfc626c37d48..83bb0811e7741 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
+@@ -300,6 +300,9 @@ int mlx5e_tc_tun_create_header_ipv4(struct mlx5e_priv *priv,
+ if (err)
+ goto destroy_neigh_entry;
+
++ e->encap_size = ipv4_encap_size;
++ e->encap_header = encap_header;
++
+ if (!(nud_state & NUD_VALID)) {
+ neigh_event_send(attr.n, NULL);
+ /* the encap entry will be made valid on neigh update event
+@@ -319,8 +322,6 @@ int mlx5e_tc_tun_create_header_ipv4(struct mlx5e_priv *priv,
+ goto destroy_neigh_entry;
+ }
+
+- e->encap_size = ipv4_encap_size;
+- e->encap_header = encap_header;
+ e->flags |= MLX5_ENCAP_ENTRY_VALID;
+ mlx5e_rep_queue_neigh_stats_work(netdev_priv(attr.out_dev));
+ mlx5e_route_lookup_ipv4_put(&attr);
+@@ -567,6 +568,9 @@ int mlx5e_tc_tun_create_header_ipv6(struct mlx5e_priv *priv,
+ if (err)
+ goto destroy_neigh_entry;
+
++ e->encap_size = ipv6_encap_size;
++ e->encap_header = encap_header;
++
+ if (!(nud_state & NUD_VALID)) {
+ neigh_event_send(attr.n, NULL);
+ /* the encap entry will be made valid on neigh update event
+@@ -586,8 +590,6 @@ int mlx5e_tc_tun_create_header_ipv6(struct mlx5e_priv *priv,
+ goto destroy_neigh_entry;
+ }
+
+- e->encap_size = ipv6_encap_size;
+- e->encap_header = encap_header;
+ e->flags |= MLX5_ENCAP_ENTRY_VALID;
+ mlx5e_rep_queue_neigh_stats_work(netdev_priv(attr.out_dev));
+ mlx5e_route_lookup_ipv6_put(&attr);
+--
+2.43.0
+
--- /dev/null
+From 1a9d9ec82a010cbc583e836615ba9085c0cfbaf3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Dec 2023 15:03:15 +0100
+Subject: s390/vx: fix save/restore of fpu kernel context
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit e6b2dab41888332bf83f592131e7ea07756770a4 ]
+
+The KERNEL_FPR mask only contains a flag for the first eight vector
+registers. However floating point registers overlay parts of the first
+sixteen vector registers.
+
+This could lead to vector register corruption if a kernel fpu context uses
+any of the vector registers 8 to 15 and is interrupted or calls a
+KERNEL_FPR context. If that context uses also vector registers 8 to 15,
+their contents will be corrupted on return.
+
+Luckily this is currently not a real bug, since the kernel has only one
+KERNEL_FPR user with s390_adjust_jiffies() and it is only using floating
+point registers 0 to 2.
+
+Fix this by using the correct bits for KERNEL_FPR.
+
+Fixes: 7f79695cc1b6 ("s390/fpu: improve kernel_fpu_[begin|end]")
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/include/asm/fpu/api.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/include/asm/fpu/api.h b/arch/s390/include/asm/fpu/api.h
+index b714ed0ef6885..9acf48e53a87f 100644
+--- a/arch/s390/include/asm/fpu/api.h
++++ b/arch/s390/include/asm/fpu/api.h
+@@ -79,7 +79,7 @@ static inline int test_fp_ctl(u32 fpc)
+ #define KERNEL_VXR_HIGH (KERNEL_VXR_V16V23|KERNEL_VXR_V24V31)
+
+ #define KERNEL_VXR (KERNEL_VXR_LOW|KERNEL_VXR_HIGH)
+-#define KERNEL_FPR (KERNEL_FPC|KERNEL_VXR_V0V7)
++#define KERNEL_FPR (KERNEL_FPC|KERNEL_VXR_LOW)
+
+ struct kernel_fpu;
+
+--
+2.43.0
+
hid-i2c-hid-acpi-unify-acpi-id-tables-format.patch
hid-i2c-hid-add-idea5002-to-i2c_hid_acpi_blacklist.patch
drm-amd-display-fix-hw-rotated-modes-when-psr-su-is-.patch
+arm-dts-dra7-fix-dra7-l3-noc-node-register-size.patch
+arm-omap2-fix-null-pointer-dereference-and-memory-le.patch
+reset-fix-crash-when-freeing-non-existent-optional-r.patch
+s390-vx-fix-save-restore-of-fpu-kernel-context.patch
+wifi-iwlwifi-pcie-add-another-missing-bh-disable-for.patch
+wifi-mac80211-check-if-the-existing-link-config-rema.patch
+wifi-mac80211-mesh-check-element-parsing-succeeded.patch
+wifi-mac80211-mesh_plink-fix-matches_local-logic.patch
+revert-net-mlx5e-fix-double-free-of-encap_header-in-.patch
+revert-net-mlx5e-fix-double-free-of-encap_header.patch
+net-mlx5e-fix-slab-out-of-bounds-in-mlx5_query_nic_v.patch
+net-mlx5-introduce-and-use-opcode-getter-in-command-.patch
+net-mlx5-prevent-high-rate-fw-commands-from-populati.patch
+net-mlx5-re-organize-mlx5_cmd-struct.patch
+net-mlx5e-fix-a-race-in-command-alloc-flow.patch
+net-mlx5e-fix-a-potential-double-free-in-fs_udp_crea.patch
+net-mlx5-fix-fw-tracer-first-block-check.patch
+net-mlx5e-correct-snprintf-truncation-handling-for-f.patch
+net-mlx5e-correct-snprintf-truncation-handling-for-f.patch-17801
+net-mscc-ocelot-fix-emac-tx-rmon-stats-for-bucket-25.patch
+octeontx2-pf-fix-graceful-exit-during-pfc-configurat.patch
+net-return-error-from-sk_stream_wait_connect-if-sk_w.patch
+net-sched-ife-fix-potential-use-after-free.patch
+ethernet-atheros-fix-a-memleak-in-atl1e_setup_ring_r.patch
+net-rose-fix-races-in-rose_kill_by_device.patch
+bluetooth-fix-deadlock-in-vhci_send_frame.patch
+bluetooth-hci_event-shut-up-a-false-positive-warning.patch
+net-mana-select-page_pool.patch
+net-check-vlan-filter-feature-in-vlan_vids_add_by_de.patch
+afs-fix-the-dynamic-root-s-d_delete-to-always-delete.patch
+afs-fix-dynamic-root-lookup-dns-check.patch
+net-check-dev-gso_max_size-in-gso_features_check.patch
+keys-dns-allow-key-types-eg.-dns-to-be-reclaimed-imm.patch
+afs-fix-overwriting-of-result-of-dns-query.patch
+afs-fix-use-after-free-due-to-get-remove-race-in-vol.patch
--- /dev/null
+From 4c8044549a30288eed0c9a8710aea59a3e7e1cc8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Dec 2023 18:32:02 +0200
+Subject: wifi: iwlwifi: pcie: add another missing bh-disable for rxq->lock
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit a4754182dc936b97ec7e9f6b08cdf7ed97ef9069 ]
+
+Evidently I had only looked at all the ones in rx.c, and missed this.
+Add bh-disable to this use of the rxq->lock as well.
+
+Fixes: 25edc8f259c7 ("iwlwifi: pcie: properly implement NAPI")
+Reported-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20231208183100.e79ad3dae649.I8f19713c4383707f8be7fc20ff5cc1ecf12429bb@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+index 39ab6526e6b85..796972f224326 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -3034,7 +3034,7 @@ static u32 iwl_trans_pcie_dump_rbs(struct iwl_trans *trans,
+ struct iwl_rxq *rxq = &trans_pcie->rxq[0];
+ u32 i, r, j, rb_len = 0;
+
+- spin_lock(&rxq->lock);
++ spin_lock_bh(&rxq->lock);
+
+ r = le16_to_cpu(iwl_get_closed_rb_stts(trans, rxq)) & 0x0FFF;
+
+@@ -3058,7 +3058,7 @@ static u32 iwl_trans_pcie_dump_rbs(struct iwl_trans *trans,
+ *data = iwl_fw_error_next_data(*data);
+ }
+
+- spin_unlock(&rxq->lock);
++ spin_unlock_bh(&rxq->lock);
+
+ return rb_len;
+ }
+--
+2.43.0
+
--- /dev/null
+From 6cc06d483f6f7ccc5984fb8b114e63b878e29ee8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Nov 2023 20:17:47 +0800
+Subject: wifi: mac80211: check if the existing link config remains unchanged
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+[ Upstream commit c1393c132b906fbdf91f6d1c9eb2ef7a00cce64e ]
+
+[Syz report]
+WARNING: CPU: 1 PID: 5067 at net/mac80211/rate.c:48 rate_control_rate_init+0x540/0x690 net/mac80211/rate.c:48
+Modules linked in:
+CPU: 1 PID: 5067 Comm: syz-executor413 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
+RIP: 0010:rate_control_rate_init+0x540/0x690 net/mac80211/rate.c:48
+Code: 48 c7 c2 00 46 0c 8c be 08 03 00 00 48 c7 c7 c0 45 0c 8c c6 05 70 79 0b 05 01 e8 1b a0 6f f7 e9 e0 fd ff ff e8 61 b3 8f f7 90 <0f> 0b 90 e9 36 ff ff ff e8 53 b3 8f f7 e8 5e 0b 78 f7 31 ff 89 c3
+RSP: 0018:ffffc90003c57248 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: ffff888016bc4000 RCX: ffffffff89f7d519
+RDX: ffff888076d43b80 RSI: ffffffff89f7d6df RDI: 0000000000000005
+RBP: ffff88801daaae20 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000002 R12: 0000000000000001
+R13: 0000000000000000 R14: ffff888020030e20 R15: ffff888078f08000
+FS: 0000555556b94380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000005fdeb8 CR3: 0000000076d22000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ sta_apply_auth_flags.constprop.0+0x4b7/0x510 net/mac80211/cfg.c:1674
+ sta_apply_parameters+0xaf1/0x16c0 net/mac80211/cfg.c:2002
+ ieee80211_add_station+0x3fa/0x6c0 net/mac80211/cfg.c:2068
+ rdev_add_station net/wireless/rdev-ops.h:201 [inline]
+ nl80211_new_station+0x13ba/0x1a70 net/wireless/nl80211.c:7603
+ genl_family_rcv_msg_doit+0x1fc/0x2e0 net/netlink/genetlink.c:972
+ genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]
+ genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067
+ netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2545
+ genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076
+ netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
+ netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1368
+ netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg+0xd5/0x180 net/socket.c:745
+ ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
+ ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
+ __sys_sendmsg+0x117/0x1e0 net/socket.c:2667
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+[Analysis]
+It is inappropriate to make a link configuration change judgment on an
+non-existent and non new link.
+
+[Fix]
+Quickly exit when there is a existent link and the link configuration has not
+changed.
+
+Fixes: b303835dabe0 ("wifi: mac80211: accept STA changes without link changes")
+Reported-and-tested-by: syzbot+62d7eef57b09bfebcd84@syzkaller.appspotmail.com
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Link: https://msgid.link/tencent_DE67FF86DB92ED465489A36ECD2EDDCC8C06@qq.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 2ca442f485132..a2c4866080bd7 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1694,10 +1694,10 @@ static int sta_link_apply_parameters(struct ieee80211_local *local,
+ lockdep_is_held(&local->sta_mtx));
+
+ /*
+- * If there are no changes, then accept a link that doesn't exist,
++ * If there are no changes, then accept a link that exist,
+ * unless it's a new link.
+ */
+- if (params->link_id < 0 && !new_link &&
++ if (params->link_id >= 0 && !new_link &&
+ !params->link_mac && !params->txpwr_set &&
+ !params->supported_rates_len &&
+ !params->ht_capa && !params->vht_capa &&
+--
+2.43.0
+
--- /dev/null
+From 69ba66e921220d1bffc9faf7d77018196d116323 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Dec 2023 09:05:32 +0200
+Subject: wifi: mac80211: mesh: check element parsing succeeded
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 1fc4a3eec50d726f4663ad3c0bb0158354d6647a ]
+
+ieee802_11_parse_elems() can return NULL, so we must
+check for the return value.
+
+Fixes: 5d24828d05f3 ("mac80211: always allocate struct ieee802_11_elems")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20231211085121.93dea364f3d3.Ie87781c6c48979fb25a744b90af4a33dc2d83a28@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh_plink.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
+index bd0b7c189adfa..c54acdc8d00ab 100644
+--- a/net/mac80211/mesh_plink.c
++++ b/net/mac80211/mesh_plink.c
+@@ -1230,6 +1230,8 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata,
+ return;
+ }
+ elems = ieee802_11_parse_elems(baseaddr, len - baselen, true, NULL);
+- mesh_process_plink_frame(sdata, mgmt, elems, rx_status);
+- kfree(elems);
++ if (elems) {
++ mesh_process_plink_frame(sdata, mgmt, elems, rx_status);
++ kfree(elems);
++ }
+ }
+--
+2.43.0
+
--- /dev/null
+From 317ee71f8752acc6b2d62d6c4355957f65ecf94e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Dec 2023 09:05:31 +0200
+Subject: wifi: mac80211: mesh_plink: fix matches_local logic
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 8c386b166e2517cf3a123018e77941ec22625d0f ]
+
+During refactoring the "else" here got lost, add it back.
+
+Fixes: c99a89edb106 ("mac80211: factor out plink event gathering")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20231211085121.795480fa0e0b.I017d501196a5bbdcd9afd33338d342d6fe1edd79@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh_plink.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
+index c54acdc8d00ab..711c3377f428b 100644
+--- a/net/mac80211/mesh_plink.c
++++ b/net/mac80211/mesh_plink.c
+@@ -1051,8 +1051,8 @@ mesh_plink_get_event(struct ieee80211_sub_if_data *sdata,
+ case WLAN_SP_MESH_PEERING_OPEN:
+ if (!matches_local)
+ event = OPN_RJCT;
+- if (!mesh_plink_free_count(sdata) ||
+- (sta->mesh->plid && sta->mesh->plid != plid))
++ else if (!mesh_plink_free_count(sdata) ||
++ (sta->mesh->plid && sta->mesh->plid != plid))
+ event = OPN_IGNR;
+ else
+ event = OPN_ACPT;
+@@ -1060,9 +1060,9 @@ mesh_plink_get_event(struct ieee80211_sub_if_data *sdata,
+ case WLAN_SP_MESH_PEERING_CONFIRM:
+ if (!matches_local)
+ event = CNF_RJCT;
+- if (!mesh_plink_free_count(sdata) ||
+- sta->mesh->llid != llid ||
+- (sta->mesh->plid && sta->mesh->plid != plid))
++ else if (!mesh_plink_free_count(sdata) ||
++ sta->mesh->llid != llid ||
++ (sta->mesh->plid && sta->mesh->plid != plid))
+ event = CNF_IGNR;
+ else
+ event = CNF_ACPT;
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
